493AH + R52n as home router

Hi guys,

My old wireless home router has started to act strangely, and I saw my cue to buy a new, better and more effective router, and at the same time learn about a new router OS (I have only used pfSense so far, which is quite simple via the web interface, probably because I'm used to it).
Anyway, I need some help to start a standard configuration for my new MikroTik router.
I have the following hardware:
493AH routerboard
R52n wireless miniPCI card w/ 2x antennas

I want the setup as following (described in text):
WAN port as Eth1, and Eth2-Eth9 as regular LAN ports for home networking. The internally installed R52n should work as WLAN for the home network.

Eth1: WAN port (connected to xDSL modem, DHCP leased IP from ISP)
Eth2: LAN (IP via DHCP)
Eth3: LAN (IP via DHCP)
Eth4: LAN (IP via DHCP)
Eth5: LAN (IP via DHCP)
Eth6: LAN (IP via DHCP)
Eth7: LAN (IP via DHCP)
Eth8: LAN (IP via DHCP)
Eth9: LAN (IP via DHCP)
WLAN: The installed R52n should work as WLAN router, which in turn leases IPs to wireless devices via DHCP.

When it's first in use, I can play with the features and learn some more, with the standard configuration I want as backup.

Any help is appreciated.
PS. I'm not sure if the board can 'find' the installed R52n; how do I check that it is installed correctly and found by the 493AH device?

I was maybe a little TOO newbie when I wrote…

Have solved some issues with the firmware upgrade to 4.10, which of course then found my wireless device! And btw, when you find out where and how to upgrade, then it's super easy, probably the easiest firmware upgrade I have ever done on a router. Thumbs up!

Okay, so now a little bit more qualified request for help to find the right technology…

My setup is now:
Eth2: DHCP1 (192.168.1.0/24)
Eth3: DHCP2 (192.168.2.0/24)
Eth4: DHCP3 (192.168.3.0/24)
Eth5: DHCP4 (192.168.4.0/24)
Eth6: DHCP5 (192.168.5.0/24)
Eth7: DHCP6 (192.168.6.0/24)
Eth8: DHCP7 (192.168.7.0/24)
Eth9: DHCP8 (192.168.8.0/24)
Wlan1: DHCP9 (192.168.9.0/24)
Eth1: WAN DHCP Client

The only thing I need now is how I give Eth2-9 access to Eth1 so they get internet access? I haven't concluded yet whether I want WLAN to be isolated from the rest of the LAN net, or if it should work as one big LAN & WLAN.
So, how do I make the connection between Eth1 - Eth2 and Eth1 - Eth3 and Eth1 - Eth4 etc. etc.??
Bonding? Bridging?

Any comments on the setup are welcome too :)

You are complicating things a bit too much.

For your LAN you have two options.
1.) Use the switch chip on the MikroTik to tie all of the ports together. Never used it so no idea how to get it working properly.
2.) Bridge ether2 - ether9 together and do everything you want, DHCP/IP addresses, etc., on the bridge. You can also assign the wireless interface to the bridge so it acts like the WLAN.

The switch chip gives you less control but uses no CPU time, whereas the bridge uses CPU time but gives you the option to run the packets through the firewall and therefore a lot of control. You have a 493AH which is massive overkill for a house, so I wouldn't even begin to worry about the CPU usage if you are just using it for the home.

In order to route out to the internet you need to set up a NAT rule assuming you have a route out to the internet.

/ip firewall nat
add chain=srcnat src-address=192.168.1.0/24 action=masquerade

This will get you going with the most basic configuration, working and routing based off of the information given. Keep in mind that MikroTik does very little for you; you are expected to decide what security you need and want on your router and set it up yourself. There are plenty of examples in the Wiki and several people on the forums that can help, but the ultimate responsibility to set these things up is on you.
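Option 2 above (everything on one bridge, addressing and DHCP on the bridge, masquerade out the WAN) written out as a RouterOS script. This is an added example, not the replier's or the poster's configuration; it assumes the board's default interface names ether1 (WAN), ether2-ether9 and wlan1 for the R52n, the 4.x-era syntax used in this thread, and a placeholder WPA2 key.

```routeros
# Added example: option 2 (bridge) from the reply above. Assumed interface
# names: ether1 = WAN, ether2-ether9 = LAN ports, wlan1 = the R52n card.

# 1. One bridge ties the eight LAN ports and the wireless card into one L2 segment
/interface bridge add name=bridge-lan
/interface bridge port add bridge=bridge-lan interface=ether2
/interface bridge port add bridge=bridge-lan interface=ether3
/interface bridge port add bridge=bridge-lan interface=ether4
/interface bridge port add bridge=bridge-lan interface=ether5
/interface bridge port add bridge=bridge-lan interface=ether6
/interface bridge port add bridge=bridge-lan interface=ether7
/interface bridge port add bridge=bridge-lan interface=ether8
/interface bridge port add bridge=bridge-lan interface=ether9
/interface bridge port add bridge=bridge-lan interface=wlan1

# 2. The R52n as a WPA2-PSK access point (placeholder key, replace it)
/interface wireless security-profiles set default mode=dynamic-keys authentication-types=wpa2-psk unicast-ciphers=aes-ccm group-ciphers=aes-ccm wpa2-pre-shared-key="CHANGE-ME-PLACEHOLDER"
/interface wireless set wlan1 mode=ap-bridge ssid=home-wlan security-profile=default disabled=no

# 3. Address, pool and DHCP server go on the bridge, never on the member ports
/ip address add address=192.168.1.1/24 interface=bridge-lan
/ip pool add name=pool-lan ranges=192.168.1.10-192.168.1.254
/ip dhcp-server add name=dhcp-lan interface=bridge-lan address-pool=pool-lan lease-time=3d disabled=no
# the gateway is the router's host address (.1), not the network prefix (.0/24)
/ip dhcp-server network add address=192.168.1.0/24 gateway=192.168.1.1 dns-server=192.168.1.1
/ip dns set allow-remote-requests=yes

# 4. WAN side: lease from the ISP, masquerade because that public IP can change
/ip dhcp-client add interface=ether1 add-default-route=yes use-peer-dns=yes disabled=no
/ip firewall nat add chain=srcnat out-interface=ether1 action=masquerade

# 5. Protect the router itself: MikroTik ships with no input rules, and the DNS
#    setting above would otherwise answer queries arriving from the internet too
/ip firewall filter add chain=input connection-state=established action=accept
/ip firewall filter add chain=input connection-state=related action=accept
/ip firewall filter add chain=input connection-state=invalid action=drop
/ip firewall filter add chain=input in-interface=bridge-lan action=accept comment="management and DNS from the LAN only"
/ip firewall filter add chain=input action=drop comment="everything else, including WAN, is dropped"
```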

Let me see if I got it right. With bridging Eth2 to Eth9, they can share one DHCP server and the same IP address pool, instead of having one per port?
If so, then I see your point in lowering the CPU usage with fewer DHCP services, and then it makes a point. But yet again, as you point out yourself, the 493AH is a little 'overkill' for home use, so even with DHCP per port, I'm not afraid of the router performance yet, since it has to manage a maximum of 8 devices all in all.

It's not overkill for home use really. With the 493AH I can skip the stupid energy-eating switch which would otherwise have to sit behind the router. In other words, I have an 8 port switch in my router instead of the standard 4-5 port switch of standard home routers. So it's energy efficient and scalable, since I can at any time put a switch behind port X if the need for that should exist.
Annnd, the last reason why I bought this board is the possibility to integrate WLAN by adding the R52n miniPCI. Wonderful pieces of hardware if you ask me :) Love them already!

That the MikroTik doesn't have any rules by default is also a big plus, because then it saves you some time, where you normally would have deleted all rules in your firewall to make your own. So in my opinion it's a plus, but you have to notice and remember it if you come from a standard home router system.

I got inspired by another user from this board (borrowed the image that MAKcz created for his solution):

So if I want to stick with that ideology, how do I make the connections between each net?

I bought a standard 493 for my home as well. Just to give you an idea of how much overkill your AH is though: we have standard 493 boards running hotels and servicing anywhere from 50-100+ unique users in a 24 hour period without breaking a sweat. They are not running User Manager, or The Dude, or much of anything extra, so that helps with the CPU load, but they rarely spike above 30% as long as something funky isn't going on in the network. But it will give you plenty of horsepower to play around with anything they can do in your house.

Yes, you are correct about bridging and it allowing all interfaces to share one IP, DHCP server, and pool. One thing you always need to keep in mind about a MikroTik is that it is based off of Linux; because of that it will treat interfaces, VLANs, bridges, etc. just like Linux will. So when you bridge all of the interfaces together, it thinks that the bridge is just another interface it can use like an actual physical interface. That's why you can assign all of the IP addresses, DHCP server, and pool to that interface and it reaches out to all of the interfaces assigned to the bridge. You can also tell the bridge to use the firewall so that you can filter things between the bridge ports.

I was just making sure you were aware that they come with no security set up. A fair amount of people come in after they are used to dumb LinkSys/D-Link/Netgear etc routers that hide most everything from you and have basic preset security, and they expect the same from the Mikrotik.

The MikroTik should automatically route between all of those subnets for you as long as you have an IP within that subnet on that interface, unless you explicitly tell it not to in the firewall filter. If you want a guest wireless section, you will probably want these filter rules set up to prevent the "guest network" from talking to the rest of your subnets. Your computers on the other interfaces just need to have their default route set to the IP of the interface they are connected to so they know how to return the packets. You can set up an all-encompassing masquerade rule for all of the subnets or you can set up one for each subnet to allow them to get out to the internet. I would personally use one masquerade rule for each subnet, just so it doesn't potentially route something you don't want it to.

Hehe, that's nice. At least I know now that it will fit any home use for the next 15 years.

I have tried the bridging, but it seems like it just makes a connection between the ports connected to that bridge, and therefore I got an IP from the WAN DHCP (the ISP DHCP server and not the RB DHCP I assigned). It worked with internet and so on, but I'm afraid it won't fit the case that I posted a picture of above.

I forgot to add to that diagram that it was not exactly my case, but it looks like it. I have, as noted, Eth1-Eth9, and an additional miniPCI making the Wlan1 interface.
The Wlan interface isn't for guests like in the diagram, but for my private WLAN (hence I have it encrypted with WPA2-PSK of course). But the diagram is almost the same as the setup I had in my head.

I can see that it can make some trouble if the only router you have touched is a DLINK or whatever, where it does everything for you and you can't really choose anything on your own (which is why I decided to get some REAL router hardware at my home now). I have worked with FreeBSD pfSense before, so I have a little more than just standard home router experience, but I'm still not 100% familiar with RouterOS (only tested some RB750Gs in the company I'm employed at).

My problem is still that without the bridge I can't access the WAN interface from any of the 8 other LAN interfaces? NAT rules with masquerading could maybe do it? I'm not sure, I haven't really worked with masquerading before, and the wiki didn't really make me any wiser on that point :(
So how do I allow communication between each interface (though they should automatically be able to, if they just have the mask route, which they have, but it still doesn't seem to work for me)? And even more important, making communication between each interface and the WAN interface on Eth0? The diagram above is still the background idea for the setup, and I'll add all security rules and deny rules when I get the interfaces to work right.

Btw, does the MikroTik have a default "Deny all" rule?

The masquerade rule is just another src-nat rule/action. It changes the packet header to a src-address of its public interface. If you wanted to, you could specify an actual public IP you wanted to NAT traffic out of with action=src-nat instead, but with you picking up a DHCP lease, masquerade will be the way you want to go as your public IP can change. Once you have the needed NAT rules you should be able to browse out to the internet fine, since the ISP will then be able to route and address packets back to you. The reason why you don't need to set up specific routes between the interfaces with your current setup is because of the way routing works. When you send out a packet addressed to another subnet on the MikroTik, it will read the header and see that your dst-address is something that is local to itself and that it has a route for, so it will send it to the correct interface and broadcast it out. The default route is a catch-all route: for anything it doesn't have a specific route for, the 0.0.0.0/0 route will match any and all dst-addresses, and it will just forward those packets on to the gateway of that route and let the modem/router/ISP take it from there.
http://wiki.mikrotik.com/wiki/Manual:IP/Firewall/NAT

Bridging ties all of the interfaces together to act as one "interface". When you bridge things together you will want to remove the DHCP server/IP addresses/etc. that are running on the actual physical interfaces and then put what you want on the bridge interface itself. If you don't do that you will cause issues on the network. You can think of it like it's making a layer 2 network between those interfaces that you just so happen to be able to control by passing the packets through the firewall if you do decide to.

No there are no firewall rules at all by default in the MikroTik. You need to set up all of the ones you want to have. There are several examples by users on the Wiki about what they have done to secure their routers. Review those and decide what parts to adopt for your install and modify them as needed.

So, from what you can see in my setup screenshots, you mean that the only thing I'm missing for getting out to the web is masquerade rules in the firewall? Or am I missing anything else? (Will look through the NAT wiki later to get the hang of masquerading).
About the default local routing, I tried with the setup as posted in the screenshots to locate a laptop on the 192.168.2.0/24 net from another desktop on the 192.168.7.0/24 net, with a shared folder on the laptop, but it couldn't find it, it seems?

The reason I asked whether there was a default "Deny all" or "Allow all" is because it's like that on pfSense if I'm not wrong, which is Linux based too. So it was just to make sure whether I had to make an opposite of any default things :)

I think I have to ask for some help now with making the rules… No matter what rules I try to add, the test PC on 192.168.3.253 can't access the web or ping the web.

I have created a Visio map of how the setup is, in the hope that anyone could help with the rules for the router.
I have also posted some images in earlier posts, showing the configuration I use at the moment.

If there are any additional questions before you can help me with the rules I have to add to make it work, please feel free to ask.

We'll at the very least need your firewall, DHCP client, IP address, and IP route config to be able to see what is going on and give any pointers.

The most likely candidate would be a NAT rule if you are able to ping that interface of the MikroTik. If not, then the issue is with that portion of the network, or the MikroTik doesn't have an IP assigned to it on that interface. It could also be a filter rule that is causing the issue. Each firewall rule has a counter next to it; when you try to go out to the internet on that subnet, does the appropriate NAT rule increment? If not then something is either too specific so it's not catching the rule, or an earlier rule is catching it and causing your problem. In all sections of the firewall, rule order is very important.

You won't be able to directly "find" other devices on other subnets, because your computer is on a different network. That's what you did when you set up a different IP and subnet on each interface. When you send out a packet destined for another subnet than the one you are on, the computer sees that and, if it doesn't have a specific route for that subnet, it will forward it off to the default route. The router will then take that packet and do the same thing. In this case, the subnet you are trying to get to is local to itself, so it will route it out to the right interface. The only way you will be able to access the other subnets on the router is if you know the IP addresses of the other machines you are trying to access. Instead of being on a layer 2 network, you are now on layer 3 of the OSI model.
http://en.wikipedia.org/wiki/OSI_model

Most firewalls will have some default filter rules, like pfsense. Mikrotiks do not. The most you get out of them is a default user name and a default IP address in some cases, the rest is up to you.

IP Address:

Flags: X - disabled, I - invalid, D - dynamic
 #   ADDRESS            NETWORK         BROADCAST       INTERFACE
 0   192.168.1.1/24     192.168.1.0     192.168.1.255   LAN1
 1   192.168.2.1/24     192.168.2.0     192.168.2.255   LAN2
 2   192.168.3.1/24     192.168.3.0     192.168.3.255   LAN3
 3   192.168.4.1/24     192.168.4.0     192.168.4.255   LAN4
 4   192.168.5.1/24     192.168.5.0     192.168.5.255   LAN5
 5   192.168.6.1/24     192.168.6.0     192.168.6.255   LAN6
 6   192.168.7.1/24     192.168.7.0     192.168.7.255   LAN7
 7   192.168.8.1/24     192.168.8.0     192.168.8.255   LAN8
 8   192.168.9.1/24     192.168.9.0     192.168.9.255   wlan1
 9 D 172.31.255.226/16  172.31.0.0      172.31.255.255  WAN

Route:

Flags: X - disabled, A - active, D - dynamic,
C - connect, S - static, r - rip, b - bgp, o - ospf, m - mme,
B - blackhole, U - unreachable, P - prohibit
 #      DST-ADDRESS        PREF-SRC        GATEWAY            DISTANCE
 0 ADS  0.0.0.0/0                          172.31.0.1         0
 1 ADC  172.31.0.0/16      172.31.255.226  WAN                0
 2 ADC  192.168.1.0/24     192.168.1.1     LAN1               0
 3 ADC  192.168.2.0/24     192.168.2.1     LAN2               0
 4 ADC  192.168.3.0/24     192.168.3.1     LAN3               0
 5 ADC  192.168.4.0/24     192.168.4.1     LAN4               0
 6 ADC  192.168.5.0/24     192.168.5.1     LAN5               0
 7 ADC  192.168.6.0/24     192.168.6.1     LAN6               0
 8 ADC  192.168.7.0/24     192.168.7.1     LAN7               0
 9 ADC  192.168.8.0/24     192.168.8.1     LAN8               0
10 ADC  192.168.9.0/24     192.168.9.1     wlan1              0

Firewall filter:
None

Firewall NAT:

Flags: X - disabled, I - invalid, D - dynamic
 0   chain=srcnat action=masquerade src-address=192.168.1.0/24

 1   chain=srcnat action=masquerade src-address=192.168.2.0/24

 2   chain=srcnat action=masquerade src-address=192.168.3.0/24

 3   chain=srcnat action=masquerade src-address=192.168.4.0/24

 4   chain=srcnat action=masquerade src-address=192.168.5.0/24

 5   chain=srcnat action=masquerade src-address=192.168.6.0/24

 6   chain=srcnat action=masquerade src-address=192.168.7.0/24

 7   chain=srcnat action=masquerade src-address=192.168.8.0/24

 8   chain=srcnat action=masquerade src-address=192.168.9.0/24

 9 X chain=dstnat action=accept dst-address=0.0.0.0/0

10 X chain=srcnat action=accept src-address=192.168.0.0/24 dst-address=192.168.0.0/24

DHCP Servers:

Flags: X - disabled, I - invalid
 #   NAME             INTERFACE           RELAY           ADDRESS-POOL           LEASE-TIME ADD-ARP
 0   LAN1 dhcp        LAN1                                dhcp_pool1             3d
 1   LAN2 dhcp        LAN2                                dhcp_pool2             3d
 2   LAN3 dhcp        LAN3                                dhcp_pool3             3d
 3   LAN4 dhcp        LAN4                                dhcp_pool4             3d
 4   LAN5 dhcp        LAN5                                dhcp_pool5             3d
 5   LAN6 dhcp        LAN6                                dhcp_pool6             3d
 6   LAN7 dhcp        LAN7                                dhcp_pool7             3d
 7   LAN8 dhcp        LAN8                                dhcp_pool8             3d
 8   WLAN dhcp        wlan1                               dhcp_pool9             3d

EDIT:
It's a little embarrassing to say, but I fixed the internet issue, because I had defined the gateway for each subnet as 192.168.x.0/24, which of course is only the definition of the subnet! DOH! I changed all gateways to 192.168.x.1 instead now, and of course it's working then. Sorry for the noobness of that.
And I can access each PC on each subnet now. Working as intended.

Thanks for the enlightenment :)

Here at the end, are there any default/normal firewall/NAT rules that you would suggest I AT LEAST use for security reasons?

At the very least you’ll want to turn off services on the router that you don’t want to use, HTTP, Telnet, etc. For the ones you want to leave on, you may want to consider setting up a firewall filter to protect those services.

For the filter, one thing to keep in mind about the chains is this.
forward chain = traffic that is going over the router
input chain = traffic that is destined to the router itself
output chain = traffic the router is sending out itself

We use this guide here to protect the router against scripted brute force login attempts. Since we support many MikroTiks and when we are traveling we don't know what IP addresses we will be coming from, we don't really use an address list for these kinds of access.
http://wiki.mikrotik.com/wiki/Bruteforce_login_prevention_(FTP_%26_SSH)

We use the first part of this wiki page here to cut down on spam from end users in case they are infected with a virus.
http://wiki.mikrotik.com/wiki/How_to_autodetect_infected_or_spammer_users_and_temporary_block_the_SMTP_output

Here is a list of user submitted firewall examples. You can read through them and decide which one to use, or which parts out of each to use.
http://wiki.mikrotik.com/wiki/Firewall

I’ve used the Dmitry example for my own home minus the port knocking.

Thanks a lot. Many useful links there, now I have something to "play" with. :)

I have to ask once again. I have spent some time now on adding and editing some firewall rules, based on Dmitry's example. But I don't really understand the "Sanity-check" firewall rule? What does it do, and how necessary is it? If I have to add it, it will be a lot of rules, since I have 8 LAN interfaces, which are NOT bridged together.
And my local access list will grow too and be something like:

/ ip firewall filter
add chain=forward in-interface=LAN1 out-interface=LAN2 action=accept comment="Allow traffic between wired and wireless networks"
add chain=forward in-interface=LAN2 out-interface=LAN3 action=accept
add chain=forward in-interface=LAN3 out-interface=LAN4 action=accept
add chain=forward in-interface=LAN4 out-interface=LAN5 action=accept
add chain=forward in-interface=LAN5 out-interface=LAN6 action=accept
add chain=forward in-interface=LAN6 out-interface=LAN7 action=accept
add chain=forward in-interface=LAN7 out-interface=LAN8 action=accept
add chain=forward in-interface=LAN8 out-interface=LAN9 action=accept
add chain=forward in-interface=LAN9 out-interface=LAN1 action=accept
add chain=forward in-interface=LAN1 out-interface=LAN3 action=accept
add chain=forward in-interface=LAN2 out-interface=LAN4 action=accept
add chain=forward in-interface=LAN3 out-interface=LAN5 action=accept
add chain=forward in-interface=LAN4 out-interface=LAN6 action=accept
add chain=forward in-interface=LAN5 out-interface=LAN7 action=accept
add chain=forward in-interface=LAN6 out-interface=LAN8 action=accept
add chain=forward in-interface=LAN7 out-interface=LAN9 action=accept
add chain=forward in-interface=LAN8 out-interface=LAN1 action=accept
add chain=forward in-interface=LAN9 out-interface=LAN2 action=accept
add chain=forward in-interface=LAN1 out-interface=LAN4 action=accept
add chain=forward in-interface=LAN2 out-interface=LAN5 action=accept
add chain=forward in-interface=LAN3 out-interface=LAN6 action=accept
add chain=forward in-interface=LAN4 out-interface=LAN7 action=accept
add chain=forward in-interface=LAN5 out-interface=LAN8 action=accept
add chain=forward in-interface=LAN6 out-interface=LAN9 action=accept
add chain=forward in-interface=LAN7 out-interface=LAN1 action=accept
add chain=forward in-interface=LAN8 out-interface=LAN2 action=accept
add chain=forward in-interface=LAN9 out-interface=LAN3 action=accept
add chain=forward in-interface=LAN1 out-interface=LAN5 action=accept
add chain=forward in-interface=LAN2 out-interface=LAN6 action=accept
add chain=forward in-interface=LAN3 out-interface=LAN7 action=accept
add chain=forward in-interface=LAN4 out-interface=LAN8 action=accept
add chain=forward in-interface=LAN5 out-interface=LAN9 action=accept
add chain=forward in-interface=LAN6 out-interface=LAN1 action=accept
add chain=forward in-interface=LAN7 out-interface=LAN2 action=accept
add chain=forward in-interface=LAN8 out-interface=LAN3 action=accept
add chain=forward in-interface=LAN9 out-interface=LAN4 action=accept
add chain=forward in-interface=LAN1 out-interface=LAN6 action=accept
add chain=forward in-interface=LAN2 out-interface=LAN7 action=accept
add chain=forward in-interface=LAN3 out-interface=LAN8 action=accept
add chain=forward in-interface=LAN4 out-interface=LAN9 action=accept
add chain=forward in-interface=LAN5 out-interface=LAN1 action=accept
add chain=forward in-interface=LAN6 out-interface=LAN2 action=accept
add chain=forward in-interface=LAN7 out-interface=LAN3 action=accept
add chain=forward in-interface=LAN8 out-interface=LAN4 action=accept
add chain=forward in-interface=LAN9 out-interface=LAN5 action=accept
add chain=forward in-interface=LAN1 out-interface=LAN7 action=accept
add chain=forward in-interface=LAN2 out-interface=LAN8 action=accept
add chain=forward in-interface=LAN3 out-interface=LAN9 action=accept
add chain=forward in-interface=LAN4 out-interface=LAN1 action=accept
add chain=forward in-interface=LAN5 out-interface=LAN2 action=accept
add chain=forward in-interface=LAN6 out-interface=LAN3 action=accept
add chain=forward in-interface=LAN7 out-interface=LAN4 action=accept
add chain=forward in-interface=LAN8 out-interface=LAN5 action=accept
add chain=forward in-interface=LAN9 out-interface=LAN6 action=accept
add chain=forward in-interface=LAN1 out-interface=LAN8 action=accept
add chain=forward in-interface=LAN2 out-interface=LAN9 action=accept
add chain=forward in-interface=LAN3 out-interface=LAN1 action=accept
add chain=forward in-interface=LAN4 out-interface=LAN2 action=accept
add chain=forward in-interface=LAN5 out-interface=LAN3 action=accept
add chain=forward in-interface=LAN6 out-interface=LAN4 action=accept
add chain=forward in-interface=LAN7 out-interface=LAN5 action=accept
add chain=forward in-interface=LAN8 out-interface=LAN6 action=accept
add chain=forward in-interface=LAN9 out-interface=LAN7 action=accept
add chain=forward in-interface=LAN1 out-interface=LAN9 action=accept
add chain=forward in-interface=LAN2 out-interface=LAN1 action=accept
add chain=forward in-interface=LAN3 out-interface=LAN2 action=accept
add chain=forward in-interface=LAN4 out-interface=LAN3 action=accept
add chain=forward in-interface=LAN5 out-interface=LAN4 action=accept
add chain=forward in-interface=LAN6 out-interface=LAN5 action=accept
add chain=forward in-interface=LAN7 out-interface=LAN6 action=accept
add chain=forward in-interface=LAN8 out-interface=LAN7 action=accept
add chain=forward in-interface=LAN9 out-interface=LAN8 action=accept
add chain=forward in-interface=LAN1 out-interface=LAN1 action=accept
add chain=forward in-interface=LAN2 out-interface=LAN2 action=accept
add chain=forward in-interface=LAN3 out-interface=LAN3 action=accept
add chain=forward in-interface=LAN4 out-interface=LAN4 action=accept
add chain=forward in-interface=LAN5 out-interface=LAN5 action=accept
add chain=forward in-interface=LAN6 out-interface=LAN6 action=accept
add chain=forward in-interface=LAN7 out-interface=LAN7 action=accept
add chain=forward in-interface=LAN8 out-interface=LAN8 action=accept
add chain=forward in-interface=LAN9 out-interface=LAN9 action=accept

What is the port knocking that you have chosen not to use?

The Sanity check is there to make sure the packets that are coming into the router are valid packets and not mangled or potentially harmful.

As for the number of rules, that is why in his example he is making his own chains of firewall rules. With it you can make an action=jump and jump to that custom chain where the packets will be processed through that, and then will return to the original chain they came from at the end. That way you can have one set of rules apply in many situations without having to make one for each interface or chain, and cut down on your number of rules significantly.

It looks like port knocking isn't included in that particular wiki, but basically what it does is: in the filter, the router listens for a predetermined combination, where you send it protocol and port number, and if you get the combination right it will put your IP address in an address list that will allow you to access the services on the router for administration.

I wouldn’t worry about making explicit accept rules for traffic on the LAN of the router unless you want to specifically block off one interface from the others. By default the accept is implied, so in that case you would only need a reject rule. To cut down on the number of rules there as well, since you know the subnets of the other interfaces, you can actually make an address list of your subnets, and set up the rule to drop packets from the one subnet destined to the other subnets.

/ip firewall filter add chain=forward src-address=192.168.1.0/24 dst-address-list="LAN Subnets" action=drop
/ip firewall address-list
add list="LAN Subnets" address=192.168.0.0/24
add list="LAN Subnets" address=192.168.1.0/24
add list="LAN Subnets" address=192.168.2.0/24
....
add list="LAN Subnets" address=192.168.8.0/24

How you would do that with the bridge is, when assigning the interface to the bridge, to specify the horizon.
http://wiki.mikrotik.com/wiki/Manual:Interface/Bridge
http://wiki.mikrotik.com/wiki/Manual:MPLSVPLS#Split_horizon_bridging
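The two ways of shrinking the rule set from the reply above (one custom chain reached with action=jump instead of a copy per interface, and one drop rule against an address list instead of the pairwise accept rules), together with the input-chain protection mentioned earlier in the thread, as one added example. It is neither Dmitry's wiki example nor the poster's rules; it assumes the interface names from the poster's print (LAN1-LAN8, wlan1, WAN), takes LAN1 as the subnet to isolate as the reply does, and uses the list name LAN-Subnets.

```routeros
# Added example. Assumptions: interfaces LAN1-LAN8, wlan1 and WAN as in the
# poster's print; subnets 192.168.1.0/24 .. 192.168.9.0/24 as in the thread.

# One summary prefix covers 192.168.0.0-192.168.15.255, i.e. all nine subnets,
# so one list entry replaces the nine entries shown in the reply.
/ip firewall address-list add list=LAN-Subnets address=192.168.0.0/20

/ip firewall filter
# -- custom chain: reached with action=jump. A packet that matches no rule here
#    returns to the calling chain; a packet that hits accept or drop is finished.
add chain=conn-state connection-state=established action=accept
add chain=conn-state connection-state=related action=accept
add chain=conn-state connection-state=invalid action=drop

# -- input: traffic to the router itself. Default is accept, so the deny is explicit.
add chain=input action=jump jump-target=conn-state
add chain=input in-interface=WAN action=drop comment="no new connections to the router from the internet"

# -- forward: traffic through the router. Same chain again, no second copy of the rules.
add chain=forward action=jump jump-target=conn-state
# The jump already accepted replies, so this only stops connections that LAN1
# tries to open towards the other subnets (the one-rule form of the reply's example).
add chain=forward in-interface=LAN1 dst-address-list=LAN-Subnets action=drop comment="isolate LAN1 from the other subnets"
# anti-spoofing in one rule: only our own subnets may leave towards the internet
add chain=forward out-interface=WAN src-address-list=!LAN-Subnets action=drop
# unsolicited inbound from the internet never reaches the LAN side
add chain=forward in-interface=WAN action=drop
# everything else (LAN to LAN, LAN to WAN) falls through to the implied accept

# -- services: switch off what is unused, bind the rest to the LAN prefix
/ip service set telnet disabled=yes
/ip service set ftp disabled=yes
/ip service set www disabled=yes
/ip service set ssh address=192.168.0.0/20
/ip service set winbox address=192.168.0.0/20
```

The counters next to each rule (mentioned earlier in the thread) are the quickest way to confirm that a test connection from LAN1 hits the isolate rule and that replies are being accepted inside conn-state rather than falling through to a drop.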

Took some time, but now I have pasted most of my firewall… But I'm getting some invalids that I can't figure out, can anyone help me figure it out?
Here is a paste of the firewall print so far:

Flags: X - disabled, I - invalid, D - dynamic 
 0   ;;; BLOCK SPAMMERS OR INFECTED USERS
     chain=forward action=drop protocol=tcp src-address-list=spammer 
     dst-port=25 

 1   ;;; Detect and add-list SMTP virus or spammers
     chain=forward action=add-src-to-address-list protocol=tcp 
     address-list=spammer address-list-timeout=1d dst-port=25 
     connection-limit=30,32 limit=50,5 

 2   ;;; drop ftp brute forcers
     chain=input action=drop protocol=tcp src-address-list=ftp_blacklist 
     dst-port=21 

 3   chain=output action=accept protocol=tcp content=530 Login incorrect 
     dst-limit=1/1m,9,dst-address/1m 

 4   chain=output action=add-dst-to-address-list protocol=tcp 
     address-list=ftp_blacklist address-list-timeout=3h 
     content=530 Login incorrect 

 5   ;;; drop ssh brute forcers
     chain=input action=drop protocol=tcp src-address-list=ssh_blacklist 
     dst-port=22 

 6   chain=input action=add-src-to-address-list connection-state=new 
     protocol=tcp src-address-list=ssh_stage3 address-list=ssh_blacklist 
     address-list-timeout=1w3d dst-port=22 

 7   chain=input action=add-src-to-address-list connection-state=new 
     protocol=tcp src-address-list=ssh_stage2 address-list=ssh_stage3 
     address-list-timeout=1m dst-port=22 

 8   chain=input action=add-src-to-address-list connection-state=new 
     protocol=tcp src-address-list=ssh_stage1 address-list=ssh_stage2 
     address-list-timeout=1m dst-port=22 

 9   chain=input action=add-src-to-address-list connection-state=new 
     protocol=tcp address-list=ssh_stage1 address-list-timeout=1m dst-port=22 

10   ;;; drop ssh brute downstream
     chain=forward action=drop protocol=tcp src-address-list=ssh_blacklist 
     dst-port=22 

11 X chain=forward action=drop src-address=192.168.1.0/24 
     dst-address-list=LAN-Subnets 

12   ;;; Sanity Check Forward
     chain=forward action=jump jump-target=sanity-check 

13 I ;;; Deny illegal NAT traversal
     chain=sanity-check action=jump jump-target=drop 
     packet-mark=nat-traversal 

14 X ;;; Block port scans (check to see if this is too agressive and blocks le>
    hosts)
     chain=sanity-check action=add-src-to-address-list protocol=tcp 
     psd=20,3s,3,1 address-list=blocked-addr address-list-timeout=1d 

15   ;;; Block TCP Null scan
     chain=sanity-check action=add-src-to-address-list 
     tcp-flags=fin,psh,urg,!syn,!rst,!ack protocol=tcp 
     address-list=blocked-addr address-list-timeout=1d 

16   ;;; Block TCP Xmas scan
     chain=sanity-check action=add-src-to-address-list 
     tcp-flags=!fin,!syn,!rst,!psh,!ack,!urg protocol=tcp 
     address-list=blocked-addr address-list-timeout=1d 

17 I chain=sanity-check action=jump jump-target=drop protocol=tcp 
     src-address-list=blocked-addr 

18 I ;;; Drop TCP RST
     chain=sanity-check action=jump jump-target=drop tcp-flags=rst 
     protocol=tcp 

19 I ;;; Drop TCP SYN+FIN
     chain=sanity-check action=jump jump-target=drop tcp-flags=fin,syn 
     protocol=tcp 

20 I ;;; Dropping invalid connections at once
     chain=sanity-check action=jump jump-target=drop connection-state=invalid 

21   ;;; Accepting already established connections
     chain=sanity-check action=accept connection-state=established 

22   ;;; Also accepting related connections
     chain=sanity-check action=accept connection-state=related 

23 I ;;; Drop all traffic that goes to multicast or broadcast addresses
     chain=sanity-check action=jump jump-target=drop 
     dst-address-type=broadcast,multicast 

24 I ;;; Drop illegal destination addresses
     chain=sanity-check action=jump jump-target=drop dst-address-type=!local 
     dst-address-list=BOGONS in-interface=LAN1 

25 I ;;; Drop illegal destination addresses
     chain=sanity-check action=jump jump-target=drop dst-address-type=!local 
     dst-address-list=BOGONS in-interface=LAN2 

26 I ;;; Drop illegal destination addresses
     chain=sanity-check action=jump jump-target=drop dst-address-type=!local 
     dst-address-list=BOGONS in-interface=LAN3 

27 I ;;; Drop illegal destination addresses
     chain=sanity-check action=jump jump-target=drop dst-address-type=!local 
     dst-address-list=BOGONS in-interface=LAN4 

28 I ;;; Drop illegal destination addresses
     chain=sanity-check action=jump jump-target=drop dst-address-type=!local 
     dst-address-list=BOGONS in-interface=LAN5 

29 I ;;; Drop illegal destination addresses
     chain=sanity-check action=jump jump-target=drop dst-address-type=!local 
     dst-address-list=BOGONS in-interface=LAN6 

30 I ;;; Drop illegal destination addresses
     chain=sanity-check action=jump jump-target=drop dst-address-type=!local 
     dst-address-list=BOGONS in-interface=LAN7 

31 I ;;; Drop illegal destination addresses
     chain=sanity-check action=jump jump-target=drop dst-address-type=!local 
     dst-address-list=BOGONS in-interface=LAN8 

32 I ;;; Drop illegal destination addresses
     chain=sanity-check action=jump jump-target=drop dst-address-type=!local 
     dst-address-list=BOGONS in-interface=WLAN 

33 I ;;; Drop everything that goes from local interface but not from local add>
   s
     chain=sanity-check action=jump jump-target=drop 
     src-address-list=!LAN-Subnets in-interface=LAN1 

34 I ;;; Drop everything that goes from local interface but not from local add>
   s
     chain=sanity-check action=jump jump-target=drop 
     src-address-list=!LAN-Subnets in-interface=LAN2 

35 I ;;; Drop everything that goes from local interface but not from local add>
   s
     chain=sanity-check action=jump jump-target=drop 
     src-address-list=!LAN-Subnets in-interface=LAN3 

36 I ;;; Drop everything that goes from local interface but not from local add>
   s
     chain=sanity-check action=jump jump-target=drop 
     src-address-list=!LAN-Subnets in-interface=LAN4 

37 I ;;; Drop everything that goes from local interface but not from local add>
   s
     chain=sanity-check action=jump jump-target=drop 
     src-address-list=!LAN-Subnets in-interface=LAN5 

38 I ;;; Drop everything that goes from local interface but not from local add>
   s
     chain=sanity-check action=jump jump-target=drop 
     src-address-list=!LAN-Subnets in-interface=LAN6 

39 I ;;; Drop everything that goes from local interface but not from local add>
   s
     chain=sanity-check action=jump jump-target=drop 
     src-address-list=!LAN-Subnets in-interface=LAN7 

40 I ;;; Drop everything that goes from local interface but not from local add>
   s
     chain=sanity-check action=jump jump-target=drop 
     src-address-list=!LAN-Subnets in-interface=LAN8 

41 I ;;; Drop everything that goes from local interface but not from local add>
   s
     chain=sanity-check action=jump jump-target=drop 
     src-address-list=!LAN-Subnets in-interface=WLAN 

42 I ;;; Drop illegal source addresses
     chain=sanity-check action=jump jump-target=drop src-address-list=BOGONS 
     in-interface=WAN 

43 X ;;; Drop everything that goes from public interface but not to local addr>
    (The above rule is for not nat-ed hosts!)
     chain=sanity-check action=jump jump-target=drop 
     dst-address-list=!LAN-Subnets in-interface=WAN 

44 I ;;; Drop all traffic that comes from multicast or broadcast addresses
     chain=sanity-check action=jump jump-target=drop 
     src-address-type=broadcast,multicast 

45   chain=forward action=jump jump-target=restrict-tcp protocol=tcp 

46 I chain=forward action=jump jump-target=restrict-udp protocol=udp 

47 I chain=forward action=jump jump-target=restrict-ip 

48   chain=restrict-tcp action=reject reject-with=icmp-network-unreachable 
     connection-mark=auth 

49   ;;; anti-spam policy
     chain=restrict-tcp action=jump jump-target=smtp-first-drop 
     connection-mark=smtp 

50   chain=smtp-first-drop action=add-src-to-address-list 
     src-address-list=first-smtp address-list=approved-smtp 
     address-list-timeout=0s 

51   chain=smtp-first-drop action=return src-address-list=approved-smtp 

52   chain=smtp-first-drop action=add-src-to-address-list 
     address-list=first-smtp address-list-timeout=0s 

53   chain=smtp-first-drop action=reject reject-with=icmp-network-unreachable 

54 I chain=restrict-tcp action=jump jump-target=drop connection-mark=other-tcp 

55 I chain=restrict-udp action=jump jump-target=drop connection-mark=other-udp 

56 I chain=restrict-ip action=jump jump-target=drop connection-mark=other 

57   ;;; Allow local traffic (between router applications)
     chain=input action=accept src-address-type=local dst-address-type=local 

58   ;;; DHCP protocol would not pass sanity checking, so enabling it explicit>
   before other checks
     chain=input action=jump jump-target=dhcp protocol=udp in-interface=LAN1 
     src-port=68 dst-port=67 

59   ;;; DHCP protocol would not pass sanity checking, so enabling it explicit>
   before other checks
     chain=input action=jump jump-target=dhcp protocol=udp in-interface=LAN2 
     src-port=68 dst-port=67 

60   ;;; DHCP protocol would not pass sanity checking, so enabling it explicit>
   before other checks
     chain=input action=jump jump-target=dhcp protocol=udp in-interface=LAN3 
     src-port=68 dst-port=67 

61   ;;; DHCP protocol would not pass sanity checking, so enabling it explicit>
   before other checks
     chain=input action=jump jump-target=dhcp protocol=udp in-interface=LAN4 
     src-port=68 dst-port=67 

62   ;;; DHCP protocol would not pass sanity checking, so enabling it explicit>
   before other checks
     chain=input action=jump jump-target=dhcp protocol=udp in-interface=LAN5 
     src-port=68 dst-port=67 

63   ;;; DHCP protocol would not pass sanity checking, so enabling it explicit>
   before other checks
     chain=input action=jump jump-target=dhcp protocol=udp in-interface=LAN6 
     src-port=68 dst-port=67 

64   ;;; DHCP protocol would not pass sanity checking, so enabling it explicit>
   before other checks
     chain=input action=jump jump-target=dhcp protocol=udp in-interface=LAN7 
     src-port=68 dst-port=67 

65   ;;; DHCP protocol would not pass sanity checking, so enabling it explicit>
   before other checks
     chain=input action=jump jump-target=dhcp protocol=udp in-interface=LAN8 
     src-port=68 dst-port=67 

66   ;;; DHCP protocol would not pass sanity checking, so enabling it explicit>
   before other checks
     chain=input action=jump jump-target=dhcp protocol=udp in-interface=WLAN 
     src-port=68 dst-port=67 

67   ;;; Sanity Check
     chain=input action=jump jump-target=sanity-check 

68 I ;;; Dropping packets not destined to the router itself, including all bro>
   ast traffic
     chain=input action=jump jump-target=drop dst-address-type=!local 

69   ;;; Allow pings, but at a very limited rate (5 packets per sec)
     chain=input action=accept connection-mark=ping limit=5,5 

70   ;;; Allowing some services to be accessible from the local network
     chain=input action=jump jump-target=local-services in-interface=LAN1 

71   ;;; Allowing some services to be accessible from the local network
     chain=input action=jump jump-target=local-services in-interface=LAN2 

72   ;;; Allowing some services to be accessible from the local network
     chain=input action=jump jump-target=local-services in-interface=LAN3 

73   ;;; Allowing some services to be accessible from the local network
     chain=input action=jump jump-target=local-services in-interface=LAN4 

74   ;;; Allowing some services to be accessible from the local network
     chain=input action=jump jump-target=local-services in-interface=LAN5 

75   ;;; Allowing some services to be accessible from the local network
     chain=input action=jump jump-target=local-services in-interface=LAN6 

76   ;;; Allowing some services to be accessible from the local network
     chain=input action=jump jump-target=local-services in-interface=LAN7 

77   ;;; Allowing some services to be accessible from the local network
     chain=input action=jump jump-target=local-services in-interface=LAN8 

78   ;;; Allowing some services to be accessible from the local network
     chain=input action=jump jump-target=local-services in-interface=WLAN 

79   ;;; Allowing some services to be accessible from the Internet
     chain=input action=jump jump-target=public-services in-interface=WAN 

80 I chain=input action=jump jump-target=drop 

81   chain=dhcp action=accept src-address=0.0.0.0 dst-address=255.255.255.255 

82   chain=dhcp action=accept src-address=0.0.0.0 dst-address-type=local 

83   chain=dhcp action=accept dst-address-type=local 
     src-address-list=LAN-Subnets 

84   ;;; SSH (22/TCP)
     chain=local-services action=accept connection-mark=ssh 

85   ;;; DNS
     chain=local-services action=accept connection-mark=dns 

86   ;;; HTTP Proxy (3128/TCP)
     chain=local-services action=accept connection-mark=proxy 

87   ;;; Winbox (8291/TCP)
     chain=local-services action=accept connection-mark=winbox 

88   ;;; Log & Drop Other Local Services
     chain=local-services action=log log-prefix="" 

89 X ;;; #check the log twice before enabling this
     chain=local-services action=drop 

90   ;;; SSH (22/TCP)
     chain=public-services action=accept connection-mark=ssh 

91   ;;; PPTP (1723/TCP)
     chain=public-services action=accept connection-mark=pptp 

92   ;;; Winbox (8291/TCP)
     chain=public-services action=accept connection-mark=winbox 

93   ;;; GRE for PPTP
     chain=public-services action=accept connection-mark=gre 

94   ;;; Log & Drop Other Public Services
     chain=public-services action=log log-prefix="" 

95 X ;;; #check the log twice before enabling this
     chain=public-services action=drop 

96 X ;;; Log Everything that we drop
     chain=drop action=log log-prefix="" 

97 X ;;; #check twice before enabling this
     chain=drop action=drop

It looks like you have your drop chain rules disabled. So the rules with the action of jump to the drop chain are invalid because they have nowhere to go.

I’m not sure on this point, but I think you may need a return action on your sanity check chain so that packets can continue to be processed by the router after they pass.

That makes sense. I have some Mangle rules too, as listed in the Dimitry example. Should I be missing anything in the firewall settings which has importance as standard rules (besides my own specific firewalling rules)?

Not really sure what you are asking there, if you are asking if there are any default settings in the firewall that you need to turn on to make it work, then no, just by adding in the rules, packets going through the router will be processed by the rules. As far as I know the section that lets you have extra stuff processed by the firewall is the bridge and telling it to pass packets going through the bridge through the IP firewall as well.

I suspect that once you enable that ‘drop’ chain you’re going to see some unwanted side effects.

You’re redirecting bogons coming in on all your LAN interfaces to the drop chain (which is currently disabled so it’s not dropping things), but bogon space - usually, you don’t show the actual address list you’re using - also includes RFC1918 space. You have that space on your LAN interface, so you’d be dropping all traffic between your local networks.

I honestly think all that stuff is WAY overkill for a home router. You don’t need port knocking, you don’t need FTP blacklists - that may make sense when you’re either protecting an FTP server or need to access your router administratively from everywhere and for some reason refuse to use VPNs for that, but you’re a home user. When you’re an ISP it makes sense to go look for worms, but as a home user it is simply easier to just run decent home security and make sure you don’t have worms on the clients behind the router (though you could add that stuff in later if you wanted to play around). If you want I can post a small, simple firewall configuration that will cover 99.9% of everything you’d ever encounter.
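The two points the replies make about this rule set (jumps into a drop chain whose rules are all disabled, and a BOGONS list that contains the RFC1918 space the LANs use) can be checked mechanically. The script below is an added example, not code from the thread or from MikroTik: it parses a constructed excerpt in the `/ip firewall filter print` format shown above and assumes constructed BOGONS and LAN-Subnets lists, since the post does not show the real ones.

```python
"""Lint a RouterOS '/ip firewall filter print' listing for two problems:
jumps into a chain with no enabled rule (the jump falls straight through, so
nothing is dropped) and LAN prefixes covered by the BOGONS list (so 'drop
bogons on LAN' rules would drop inter-LAN traffic).  Sample data is constructed."""
import ipaddress
import re

# Constructed excerpt in the print format: number, optional flag letters
# (X = disabled, I = invalid), optional ;;; comment, then key=value pairs
# wrapped onto indented continuation lines.
SAMPLE = """\
12   ;;; Sanity Check Forward
     chain=forward action=jump jump-target=sanity-check
24 I chain=sanity-check action=jump jump-target=drop dst-address-type=!local
     dst-address-list=BOGONS in-interface=LAN1
96 X chain=drop action=log log-prefix=""
97 X chain=drop action=drop
"""
# Constructed lists; on a real router read them from /ip firewall address-list.
BOGONS = ["10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "224.0.0.0/4"]
LAN_SUBNETS = ["192.168.1.0/24", "192.168.9.0/24"]

RULE_START = re.compile(r"^(\d+)\s+((?:[A-Z]\s+)*)(.*)$")

def parse_rules(listing):
    """Return one dict per rule: 'disabled' flag plus every key=value in its body."""
    rules = []
    for line in listing.splitlines():
        m = RULE_START.match(line)
        if m:
            rules.append({"disabled": "X" in m.group(2), "body": m.group(3)})
        elif rules and line.startswith(" "):
            rules[-1]["body"] += " " + line.strip()   # wrapped continuation line
    for r in rules:
        body = r.pop("body")   # ;;; comment words carry no '=' and are skipped
        r.update(p.split("=", 1) for p in body.split() if "=" in p)
    return rules

def dead_jumps(rules):
    """Jump targets with no enabled rule: the jump is effectively a no-op."""
    live = {r["chain"] for r in rules if not r["disabled"] and "chain" in r}
    return sorted({r["jump-target"] for r in rules if not r["disabled"]
                   and r.get("action") == "jump" and r["jump-target"] not in live})

def lan_inside_bogons(lan_subnets, bogons):
    """LAN prefixes that a bogon entry covers (RFC1918 space usually is listed)."""
    nets = [ipaddress.ip_network(b) for b in bogons]
    return [(lan, str(b)) for lan in lan_subnets for b in nets
            if ipaddress.ip_network(lan).subnet_of(b)]

if __name__ == "__main__":
    parsed = parse_rules(SAMPLE)
    print("jumps into disabled or missing chains:", dead_jumps(parsed))
    print("LAN prefixes inside BOGONS:", lan_inside_bogons(LAN_SUBNETS, BOGONS))
```

Any LAN prefix reported by the second check would be dropped by the per-interface BOGONS rules once the drop chain is enabled, so either remove RFC1918 from that list or exempt the LAN subnets before those rules.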