Note: some IP addresses in this export have been altered to protect the innocent, so they will not match a real deployment.
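# /ip firewall filter (RouterOS export). Rules are evaluated top-down per
# chain; the first matching rule with a terminating action wins, and both the
# forward and input chains end in an explicit "drop everything else".
# Address lists referenced here (trusted-local, trusted-public, mudfish_block,
# konami-*, pihole-dns, cctv, xiaomi_miio) live in /ip firewall address-list
# and are not part of this excerpt.
/ip firewall filter
# Keep non-admin hosts off the upstream Telkom router's web UI. Only tcp/80 is
# covered: any other service on 172.31.100.1 is still reachable through the
# "allow ... to the internet" rules below if that host sits behind ether1.
# reject-with answers with an ICMP error (fast failure for clients) rather
# than dropping silently.
add action=reject chain=forward comment="Block Telkom Router access" \
    dst-address=172.31.100.1 dst-port=80 protocol=tcp reject-with=\
    icmp-network-unreachable src-address-list=!trusted-local
# Admin hosts may reach every VLAN and the router itself. Placed before the
# fasttrack/established rules so they also match new connections.
add action=accept chain=forward comment="allow admin access to all VLANs" \
    src-address-list=trusted-local
add action=accept chain=input comment="allow admin access mikrotik" \
    src-address-list=trusted-local
# input chain: the original export had no established/related accept here, so
# replies to connections the router itself opens (DNS, NTP, updates, ...)
# from any non-trusted-local source hit the final input drop. Mirror the
# forward chain's defconf handling. Router-destined ICMP from non-admin hosts
# still hits the final drop; add an icmp accept if ping/PMTUD to the router
# is wanted.
add action=accept chain=input comment=\
    "defconf: accept established,related, untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" \
    connection-state=invalid
# Fasttrack established/related flows. Later packets of a fasttracked
# connection bypass the rest of the forward chain, so the drop lists below
# only ever see a connection's first packet.
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
    connection-state=established,related hw-offload=yes
add action=accept chain=forward comment=\
    "defconf: accept established,related, untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
# Destination-based blocks for new connections (list contents maintained
# elsewhere).
add action=drop chain=forward comment="DROP SOME MUDFISH IPS" \
    dst-address-list=mudfish_block
add action=drop chain=forward comment="DROP KONAMI AU" \
    dst-address-list=konami-au
add action=drop chain=forward comment="DROP KONAMI HK" \
    dst-address-list=konami-hk
add action=drop chain=forward comment="DROP KONAMI JP" \
    dst-address-list=konami-jp
add action=drop chain=forward comment="DROP KONAMI KR" \
    dst-address-list=konami-kr
add action=drop chain=forward comment="DROP KONAMI TW" \
    dst-address-list=konami-tw
# Outbound internet for every VLAN and wireless interface via the WAN (ether1).
add action=accept chain=forward comment="allow VLAN to the internet" \
    in-interface=all-vlan out-interface=ether1
add action=accept chain=forward comment="allow WLAN to the internet" \
    in-interface=all-wireless out-interface=ether1
# Inbound from the internet is limited to two pinholes: HTTPS to the k8s
# ingress for whitelisted public sources, and WireGuard from one fixed peer.
# Both presumably rely on a matching dst-nat rule that is not shown here.
add action=accept chain=forward comment=\
    "allow WHITELISTED INTERNET to access server port 443 on VLAN 200" \
    dst-address=172.31.102.130 dst-port=443 in-interface=ether1 \
    out-interface=vlan_200 protocol=tcp src-address-list=trusted-public
add action=accept chain=forward comment=\
    "allow TRISTIAN-OCI to access WIREGUARD" dst-address=172.31.102.71 \
    dst-port=51820 in-interface=ether1 out-interface=vlan_200 protocol=udp \
    src-address=192.29.30.26
# Internal DNS: every LAN-side interface may query the Pi-hole. The original
# rule had no in-interface match at all; in-interface=!ether1 keeps it off the
# WAN. tcp/53 is allowed alongside udp/53 so truncated answers can fall back
# to TCP.
add action=accept chain=forward comment=\
    "allow ALL DEVICES to access DNS server on VLAN 200" dst-address-list=\
    pihole-dns dst-port=53 in-interface=!ether1 out-interface=vlan_200 \
    protocol=udp
add action=accept chain=forward comment=\
    "allow ALL DEVICES to access DNS server on VLAN 200 (TCP fallback)" \
    dst-address-list=pihole-dns dst-port=53 in-interface=!ether1 \
    out-interface=vlan_200 protocol=tcp
# Inter-VLAN pinholes. The empty src-address-list="" matchers from the original
# export were dropped: they name no list and only obscure the rule.
# "using public domain name" suggests a hairpin dst-nat resolves the name to
# 172.31.102.130 — confirm on the device.
add action=accept chain=forward comment="allow VLAN 300 to access k8s-ingress \
    on VLAN 200 using public domain name" dst-address=172.31.102.130 \
    dst-port=443 in-interface=vlan_300 out-interface=vlan_200 protocol=tcp
# Any VLAN 400 host may reach tcp 8123/1883/1880 on *any* VLAN 200 host; add a
# dst-address if only HASS (172.31.102.44) should be reachable.
add action=accept chain=forward comment="allow VLAN 400 to VLAN 200 servers" \
    dst-port=8123,1883,1880 in-interface=vlan_400 out-interface=vlan_200 \
    protocol=tcp
# HASS (172.31.102.44) -> IoT devices on VLAN 400, all protocols and ports.
add action=accept chain=forward comment="allow HASS to CCTV" \
    dst-address-list=cctv in-interface=vlan_200 out-interface=vlan_400 \
    src-address=172.31.102.44
add action=accept chain=forward comment="allow HASS to XIAOMI MIIO" \
    dst-address-list=xiaomi_miio in-interface=vlan_200 out-interface=vlan_400 \
    src-address=172.31.102.44
add action=accept chain=forward comment="allow HASS to HARMONY HUB" \
    dst-address=192.168.0.3 in-interface=vlan_200 out-interface=vlan_400 \
    src-address=172.31.102.44
# src and dst are the same /24, so this rule only has an effect if wireless
# and VLAN 400 are bridged with IP firewalling enabled (use-ip-firewall) —
# confirm on the device.
add action=accept chain=forward comment="allow WLAN to VLAN 400" dst-address=\
    192.168.0.0/24 src-address=192.168.0.0/24
# Default deny for both chains; anything not explicitly accepted above is
# dropped.
add action=drop chain=forward comment="drop everything else"
add action=drop chain=input comment="drop everything else"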