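### RouterOS firewall template. The crb_forward chain enforces subscriber state
### (authorized / admin-blocked / negative balance) through address lists and is
### entered from a jump rule placed first in the main forward chain.
### "@@@ if ... / @@@ endif" and "{{cabinet_ip}}" are template directives that the
### deploying tool expands before the script reaches the router.

### Rebuild the IPv4 chain from scratch so re-running the template is idempotent.
/ip firewall filter remove [/ip firewall filter find chain=crb_forward]

### Service servers are always reachable: leave crb_forward and continue in the main forward chain.
/ip firewall filter add chain=crb_forward comment=return_service_net src-address-list=crb_service_net action=return
/ip firewall filter add chain=crb_forward comment=return_service_net dst-address-list=crb_service_net action=return

### During the integration transition period unauthorized users may be left unblocked.
### "return" sends such traffic back to the main forward chain before any later
### crb_forward rule (including the drop_no_auth drop below) can match it.
@@@ if skip_noauth == '1'
/ip firewall filter add chain=crb_forward comment=drop_no_auth src-address-list=!crb_auth_list dst-address-list=!crb_auth_list action=return
@@@ endif

### The self-service cabinet is always allowed (action=accept is the RouterOS default; made explicit for consistency).
/ip firewall filter add chain=crb_forward comment=cabinet_accept_dst dst-address={{cabinet_ip}} action=accept
/ip firewall filter add chain=crb_forward comment=cabinet_accept_src src-address={{cabinet_ip}} action=accept

### DNS is always allowed.
### NOTE(review): "port=53" matches EITHER source or destination port, so any UDP
### packet sent from source port 53 passes this rule for every subscriber, including
### unauthorized and blocked ones. If only client->resolver queries are meant,
### "dst-port=53" is the tighter match; confirm first that DNS replies do not depend
### on this rule (e.g. the resolver is in crb_service_net, or established/related
### traffic is accepted before the jump).
/ip firewall filter add chain=crb_forward comment=redirect_dns_accept protocol=udp port=53 action=accept

### Block unauthorized users (neither endpoint is in crb_auth_list).
/ip firewall filter add chain=crb_forward comment=drop_no_auth src-address-list=!crb_auth_list dst-address-list=!crb_auth_list action=drop

### Sites that stay reachable while a subscriber is blocked by the admin.
/ip firewall filter add chain=crb_forward comment=trust_blocked_accept_dst dst-address-list=crb_trust_blocked_list action=accept
/ip firewall filter add chain=crb_forward comment=trust_blocked_accept_src src-address-list=crb_trust_blocked_list action=accept

### Block subscribers the admin has blocked.
/ip firewall filter add chain=crb_forward comment=blocked_drop_dst dst-address-list=crb_blocked_list action=drop
/ip firewall filter add chain=crb_forward comment=blocked_drop_src src-address-list=crb_blocked_list action=drop

### Sites that stay reachable with a negative balance.
/ip firewall filter add chain=crb_forward comment=trust_negbal_accept_dst dst-address-list=crb_trust_negbal_list action=accept
/ip firewall filter add chain=crb_forward comment=trust_negbal_accept_src src-address-list=crb_trust_negbal_list action=accept

### Block subscribers with a negative balance.
/ip firewall filter add chain=crb_forward comment=negbal_drop_dst dst-address-list=crb_negbal_list action=drop
/ip firewall filter add chain=crb_forward comment=negbal_drop_src src-address-list=crb_negbal_list action=drop

### Everyone else gets full internet access.
/ip firewall filter add chain=crb_forward comment=default_accept action=accept

### Re-create the jump from the main forward chain into crb_forward as its first rule.
/ip firewall filter remove [/ip firewall filter find jump-target=crb_forward]
/ip firewall filter add chain=forward action=jump jump-target=crb_forward place-before=0

### IPv6 rules, same structure as IPv4.
### Rebuild the IPv6 chain too; without this removal every run appended a duplicate rule set.
/ipv6 firewall filter remove [/ipv6 firewall filter find chain=crb_forward]
/ipv6 firewall filter add action=return chain=crb_forward comment=return_service_net src-address-list=crb_service_net
/ipv6 firewall filter add action=return chain=crb_forward comment=return_service_net dst-address-list=crb_service_net
### NOTE(review): same source-or-destination "port=53" match as the IPv4 rule above.
/ipv6 firewall filter add action=accept chain=crb_forward comment=redirect_dns_accept port=53 protocol=udp
### NOTE(review): unlike the IPv4 chain this drop is not wrapped in the skip_noauth
### condition and there are no cabinet rules, so dual-stack unauthorized users are
### still blocked over IPv6 during the transition period — confirm this is intended.
/ipv6 firewall filter add action=drop chain=crb_forward comment=drop_no_auth dst-address-list=!crb_auth_list src-address-list=!crb_auth_list
/ipv6 firewall filter add action=accept chain=crb_forward comment=trust_blocked_accept_dst dst-address-list=crb_trust_blocked_list
/ipv6 firewall filter add action=accept chain=crb_forward comment=trust_blocked_accept_src src-address-list=crb_trust_blocked_list
/ipv6 firewall filter add action=drop chain=crb_forward comment=blocked_drop_dst dst-address-list=crb_blocked_list
/ipv6 firewall filter add action=drop chain=crb_forward comment=blocked_drop_src src-address-list=crb_blocked_list
/ipv6 firewall filter add action=accept chain=crb_forward comment=trust_negbal_accept_dst dst-address-list=crb_trust_negbal_list
/ipv6 firewall filter add action=accept chain=crb_forward comment=trust_negbal_accept_src src-address-list=crb_trust_negbal_list
/ipv6 firewall filter add action=drop chain=crb_forward comment=negbal_drop_dst dst-address-list=crb_negbal_list
/ipv6 firewall filter add action=drop chain=crb_forward comment=negbal_drop_src src-address-list=crb_negbal_list
/ipv6 firewall filter add action=accept chain=crb_forward comment=default_accept

### Re-create the IPv6 jump from the main forward chain into crb_forward as its first rule.
### Bug fix: the removal previously searched /ip instead of /ipv6, so the stale IPv6
### jump rule was never removed and a new one was added on every run.
/ipv6 firewall filter remove [/ipv6 firewall filter find jump-target=crb_forward]
/ipv6 firewall filter add chain=forward action=jump jump-target=crb_forward place-before=0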