hjh
just joined
Topic Author
Posts: 1
Joined: Sat Apr 20, 2024 10:43 am

NAT (dstnat) stops working every once a month

Sat Apr 20, 2024 11:00 am

Hello,

Our CCR2004-1G-12S+2XS Ethernet Router has some ports open to the public.
Every 30 days on average, my web server is inaccessible from the internet.

When this happens, internet access from the inside works. Rebooting the router fixes the problem.
According to this viewtopic.php?t=186424, I've also set TCP Established Timeout to 2h5m:
set tcp-established-timeout=2h5m
Any help would be appreciated. Thanks.
# 2024-04-20 03:13:01 by RouterOS 7.13
# software id = **ELIDED**
#
# model = CCR2004-1G-12S+2XS
# serial number = **ELIDED**
/ip firewall address-list
add list=ddos-attackers
add address=<my_public_ip> list=PUBLIC_IP
add address=10.0.0.0/16 list=LDAP_ALLOWED_HOSTS
add address=10.0.0.0/16 list=WANLAN
add address=<my_public_ip> list=WANLAN
add address=<my_public_ip> list=ddos-targets
/ip firewall connection tracking
set tcp-established-timeout=2h5m
/ip firewall filter
add action=fasttrack-connection chain=forward connection-state=established,related hw-offload=yes
add action=accept chain=forward connection-state=established,related
add action=accept chain=input connection-state=established,related
add action=jump chain=forward comment=DDoS connection-state=new jump-target=detect-ddos
add action=return chain=detect-ddos dst-limit=100,100,src-and-dst-addresses/10s
add action=add-dst-to-address-list address-list=ddos-targets address-list-timeout=10m chain=detect-ddos disabled=yes src-address-list=!WANLAN
add action=add-src-to-address-list address-list=ddos-attackers address-list-timeout=10m chain=detect-ddos log=yes log-prefix=!ddos_attckrs src-address-list=!WANLAN
add action=drop chain=forward comment="Drop Invalid" connection-state=invalid
add action=drop chain=input connection-state=invalid
add action=accept chain=input comment="Allow Winbox" connection-state="" dst-port=8291 protocol=tcp src-address=10.0.0.0/16
add action=accept chain=input comment="Allow ICMP" protocol=icmp
add action=drop chain=input comment="Drop all other input" log-prefix=!input_drop
/ip firewall nat
add action=masquerade chain=srcnat comment="Hairpin" out-interface=sfp-sfpplus2
add action=masquerade chain=srcnat dst-address=10.0.0.0/16 src-address=10.0.0.0/16
add action=dst-nat chain=dstnat comment=LDAP disabled=yes dst-address-list=PUBLIC_IP dst-port=51389 protocol=tcp src-address-list=LDAP_ALLOWED_HOSTS to-addresses=10.0.220.2 to-ports=389
add action=dst-nat chain=dstnat dst-address-list=PUBLIC_IP dst-port=51812 protocol=udp src-address-list=LDAP_ALLOWED_HOSTS to-addresses=10.0.220.2 to-ports=1812
add action=dst-nat chain=dstnat comment="Web" dst-address-list=PUBLIC_IP dst-port=80 protocol=tcp to-addresses=10.0.50.1 to-ports=80
add action=dst-nat chain=dstnat dst-address-list=PUBLIC_IP dst-port=443 protocol=tcp to-addresses=10.0.50.1 to-ports=443
add action=dst-nat chain=dstnat comment=ETRI dst-address-list=PUBLIC_IP dst-port=52079 protocol=tcp to-addresses=10.0.5.1 to-ports=22
/ip firewall raw
add action=drop chain=prerouting dst-address-list=ddos-targets src-address-list=ddos-attackers
Last edited by tangent on Sun Apr 21, 2024 6:32 am, edited 1 time in total.
Reason: elided PII
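As an added example (not the poster's configuration or any MikroTik tool), the following Python parses the `add key=value` export format quoted above into rule dicts and runs two defender-side checks: which enabled dstnat rules have no source restriction at all, and which chains write to and match on each address list (so it is clear that the raw drop depends on the dynamically populated ddos-attackers list). The embedded export is a constructed excerpt of the post's configuration, with the public IP left as the poster's placeholder.

```python
import shlex

# Constructed sample: excerpt of the export quoted in the post (public IP kept as the poster's placeholder).
SAMPLE_EXPORT = """
/ip firewall filter
add action=add-src-to-address-list address-list=ddos-attackers address-list-timeout=10m chain=detect-ddos log=yes log-prefix=!ddos_attckrs src-address-list=!WANLAN
/ip firewall nat
add action=dst-nat chain=dstnat comment=LDAP disabled=yes dst-address-list=PUBLIC_IP dst-port=51389 protocol=tcp src-address-list=LDAP_ALLOWED_HOSTS to-addresses=10.0.220.2 to-ports=389
add action=dst-nat chain=dstnat dst-address-list=PUBLIC_IP dst-port=51812 protocol=udp src-address-list=LDAP_ALLOWED_HOSTS to-addresses=10.0.220.2 to-ports=1812
add action=dst-nat chain=dstnat comment="Web" dst-address-list=PUBLIC_IP dst-port=80 protocol=tcp to-addresses=10.0.50.1 to-ports=80
add action=dst-nat chain=dstnat comment=ETRI dst-address-list=PUBLIC_IP dst-port=52079 protocol=tcp to-addresses=10.0.5.1 to-ports=22
/ip firewall raw
add action=drop chain=prerouting dst-address-list=ddos-targets src-address-list=ddos-attackers
"""

def parse_export(text):
    """Turn each 'add key=value ...' line into a dict tagged with the /section it belongs to."""
    section, rules = None, []
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("/"):
            section = line
        elif line.startswith("add "):
            rule = {"section": section}
            for token in shlex.split(line[4:]):      # shlex keeps quoted values like comment="Drop Invalid" whole
                key, _, value = token.partition("=")
                rule[key] = value
            rules.append(rule)
    return rules

def exposed_dstnat(rules):
    """Enabled dstnat rules with no source restriction: any Internet host can reach the forwarded service."""
    return [
        (r["protocol"], r["dst-port"], f"{r['to-addresses']}:{r.get('to-ports', r['dst-port'])}")
        for r in rules
        if r.get("chain") == "dstnat" and r.get("disabled") != "yes"
        and "src-address" not in r and "src-address-list" not in r
    ]

def address_list_usage(rules):
    """For every address list: which chains write entries into it and which chains match on it."""
    usage = {}
    for r in rules:
        for key in ("address-list", "src-address-list", "dst-address-list"):
            if key in r:
                role = "writers" if key == "address-list" else "readers"   # add-*-to-address-list actions write
                name = r[key].lstrip("!")                                  # '!LIST' means 'not in LIST'
                usage.setdefault(name, {"writers": [], "readers": []})[role].append(r["chain"])
    return usage
```

Running it over the excerpt reports the web and ETRI forwards as reachable from any source, while the LDAP/RADIUS forwards are gated by LDAP_ALLOWED_HOSTS and the raw drop only bites once detect-ddos has populated ddos-attackers.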
