Block internet router access from LAN

Hi,

my Mikrotik router is behind my internet provider's router (192.168.1.1). The Mikrotik is placed in that router's DMZ.
Any device in the LAN is allowed to reach the internet, but is locked inside its own VLAN.
The only exception is VLAN99 (Management), which is allowed to reach the internet and any other VLAN.

Now I would like to go further and only allow devices from the management VLAN (99) to access my internet router.
If I create a firewall rule which blocks the internet router IP (192.168.1.1), the whole internet access is blocked as well.

I guess we are in a situation similar to hairpin NAT, but my networking knowledge is too weak to do this setup.

Could you please help me?

Thank you
diagram.png

Post what exactly you did and someone will (probably) tell you what’s wrong with it.

Concur,
/export hide-sensitive file=anynameyouwish

Here you have:

# feb/21/2022 23:02:49 by RouterOS 7.1.2
# software id = L7ZV-Q83I
#
# model = RBD52G-5HacD2HnD


/interface bridge
# Single bridge that carries every VLAN. protocol-mode=none disables STP, so a
# loop between bridge ports is not detected by this router.
add name=BR1 protocol-mode=none
/interface ethernet
# ether5 is a stand-alone routed port (it is not a BR1 member, see the bridge
# port list further down) with its own 192.168.5.0/24 segment.
set [ find default-name=ether5 ] name=ether5-access
/interface vlan
# Layer-3 VLAN interfaces on top of the bridge; each gets an address, a DHCP
# server and a place in the VLAN interface list. vlan99 is the management VLAN.
add interface=BR1 name=vlan10 vlan-id=10
add interface=BR1 name=vlan20 vlan-id=20
add interface=BR1 name=vlan30 vlan-id=30
add interface=BR1 name=vlan40 vlan-id=40
add interface=BR1 name=vlan99 vlan-id=99
/interface ethernet switch port
# Switch-chip VLAN handling per port (the bridge itself has no vlan-filtering).
# Indexes are switch port numbers; from the VLAN table below they appear to map
# 1=ether2, 2=ether3, 3=ether4, 5=switch1-cpu — confirm against the device.
# ether2 (trunk): untagged ingress frames get VLAN 99 added.
set 1 default-vlan-id=99 vlan-header=add-if-missing vlan-mode=secure
# ether3 (access port for VLAN 10): tags stripped on egress, untagged ingress -> VLAN 10.
set 2 default-vlan-id=10 vlan-header=always-strip vlan-mode=secure
# ether4 (trunk): untagged ingress frames get VLAN 99 added.
set 3 default-vlan-id=99 vlan-header=add-if-missing vlan-mode=secure
# NOTE(review): default-vlan-id=99 on the two trunk ports means any untagged
# device plugged into ether2 or ether4 lands in the *management* VLAN. Unless
# untagged management access on those ports is intended, use an otherwise
# unused VLAN id as the default there so stray untagged frames are isolated.
set 5 vlan-mode=secure
/interface list
# WAN: the upstream port. VLAN: every VLAN interface (used by the DNS and
# internet-access rules). BASE: interfaces allowed to manage the router
# (Winbox, MAC server, neighbor discovery).
add name=WAN
add name=VLAN
add name=BASE
/interface wireless
# Both radios are APs bridged into BR1 and tag client frames (vlan-mode=use-tag):
# wlan1 -> management VLAN 99, wlan2 -> VLAN 30.
# hide-ssid only suppresses the name in beacons; it is not an access control.
# NOTE(review): no security-profile is set on either radio in this export, so
# the default profile applies — confirm it enforces WPA2/WPA3, especially on
# the SSID that drops clients straight into the management VLAN.
set [ find default-name=wlan1 ] country=spain disabled=no frequency=auto \
    hide-ssid=yes installation=indoor mode=ap-bridge ssid=wifi_Base vlan-id=99 vlan-mode=use-tag
set [ find default-name=wlan2 ] country=spain disabled=no frequency=auto \
    hide-ssid=yes installation=indoor mode=ap-bridge ssid=wifi_BLUE vlan-id=30 vlan-mode=use-tag
/ip pool
# DHCP hands out only .231-.254 of each VLAN subnet; .1-.230 are presumably
# kept for the router (.1) and static assignments.
add name=VLAN10_POOL ranges=10.0.10.231-10.0.10.254
add name=VLAN20_POOL ranges=10.0.20.231-10.0.20.254
add name=BASE_POOL ranges=10.0.99.231-10.0.99.254
add name=VLAN30_POOL ranges=10.0.30.231-10.0.30.254
add name=VLAN40_POOL ranges=10.0.40.231-10.0.40.254
/ip dhcp-server
# One DHCP server per VLAN interface. ether5-access has no server, so hosts on
# 192.168.5.0/24 must be configured statically.
add address-pool=VLAN10_POOL interface=vlan10 name=VLAN10_DHCP
add address-pool=VLAN20_POOL interface=vlan20 name=VLAN20_DHCP
add address-pool=BASE_POOL interface=vlan99 name=BASE_DHCP
add address-pool=VLAN30_POOL interface=vlan30 name=VLAN30_DHCP
add address-pool=VLAN40_POOL interface=vlan40 name=VLAN40_DHCP
/interface bridge port
# ether2-ether4 and both radios share BR1. ether1 (WAN) and ether5 (separate
# routed segment) are deliberately not bridged. BR1 has no vlan-filtering, so
# VLAN separation on the wired ports relies on the switch-chip VLAN table and
# on the radios tagging their clients.
add bridge=BR1 interface=ether2
add bridge=BR1 interface=ether3
add bridge=BR1 interface=ether4
add bridge=BR1 interface=wlan1
add bridge=BR1 interface=wlan2
/ip neighbor discovery-settings 
# Neighbor discovery only on management interfaces, so the router does not
# announce itself to user VLANs or towards the ISP router.
set discover-interface-list=BASE
/interface detect-internet
# Runs on every interface, including the user VLANs and ether1.
# NOTE(review): nothing else in this config depends on it; restricting it to
# WAN (or disabling it) reduces unnecessary activity on the LAN side.
set detect-interface-list=all
/interface ethernet switch vlan
# Hardware VLAN table for the wired ports (wireless clients arrive tagged via
# the bridge, not through this table). Every VLAN includes the CPU port so the
# matching vlanNN interface on BR1 can see it.
# VLAN 10: trunks ether2/ether4 plus the ether3 access port.
add independent-learning=no ports=switch1-cpu,ether2,ether3,ether4 switch=switch1 vlan-id=10
# VLAN 20: CPU only — no wired port carries it.
add independent-learning=no ports=switch1-cpu switch=switch1 vlan-id=20
# VLAN 30: trunk ether4.
add independent-learning=no ports=switch1-cpu,ether4 switch=switch1 vlan-id=30
# VLAN 40: trunk ether2.
add independent-learning=no ports=switch1-cpu,ether2 switch=switch1 vlan-id=40
# VLAN 99 (management): trunks ether2 and ether4.
add independent-learning=no ports=switch1-cpu,ether2,ether4 switch=switch1 vlan-id=99
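/interface list member
# WAN: the upstream port towards the ISP router.
add interface=ether1 list=WAN
# VLAN: every VLAN interface; drives the "VLAN -> DNS" and "VLAN -> Internet" rules.
add interface=vlan10 list=VLAN
add interface=vlan20 list=VLAN
add interface=vlan30 list=VLAN
add interface=vlan40 list=VLAN
add interface=vlan99 list=VLAN
# BASE: management-plane interfaces (Winbox, MAC server, neighbor discovery).
# vlan99 is a member of both lists; ether5-access is in BASE only.
add interface=vlan99 list=BASE
add interface=ether5-access list=BASE
# (A stray "add list=VLAN" entry with no interface was dropped; it matched nothing.)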
/ip address
# ether1 faces the ISP router as a /30: only .1 (ISP router) and .2 (this
# router) are hosts in that subnet.
add address=192.168.1.2/30 interface=ether1 network=192.168.1.0
# One /24 per VLAN; this router is .1 and the DHCP gateway in each.
add address=10.0.10.1/24 interface=vlan10 network=10.0.10.0
add address=10.0.20.1/24 interface=vlan20 network=10.0.20.0
# ether5 is its own routed segment, not a VLAN.
add address=192.168.5.1/24 interface=ether5-access network=192.168.5.0
add address=10.0.30.1/24 interface=vlan30 network=10.0.30.0
add address=10.0.40.1/24 interface=vlan40 network=10.0.40.0
add address=10.0.99.1/24 interface=vlan99 network=10.0.99.0
/ip dhcp-server network
# VLAN 10/40/99 clients resolve through this router (which forwards to the
# servers under /ip dns). VLAN 20 and 30 are handed external resolvers
# directly, so their DNS bypasses the router resolver and the input-chain DNS
# rules — presumably deliberate per-VLAN filtering; confirm.
add address=10.0.10.0/24 dns-server=10.0.10.1 gateway=10.0.10.1
add address=10.0.20.0/24 dns-server=199.85.126.10,1.1.1.2 gateway=10.0.20.1
add address=10.0.30.0/24 dns-server=176.103.130.132,176.103.130.134 gateway=10.0.30.1
add address=10.0.40.0/24 dns-server=10.0.40.1 gateway=10.0.40.1
add address=10.0.99.0/24 dns-server=10.0.99.1 gateway=10.0.99.1
/ip dns
# Forwarding resolver for the LAN. allow-remote-requests=yes would also answer
# on ether1, but the input chain only accepts port 53 from the VLAN list, so
# the router is not exposed as an open resolver.
set allow-remote-requests=yes servers=9.9.9.9,1.1.1.1
/ip firewall address-list
# The ISP router. Referenced by the forward-chain rules that decide which VLAN
# may open connections to it; keep this list to that single address, since a
# wider entry widens the drop rule by the same amount.
add address=192.168.1.1 list="Router Vodafone"
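/ip firewall filter
# ---- input: traffic addressed to the router itself ----
add action=accept chain=input comment="Allow Estab & Related" connection-state=established,related
add action=drop chain=input connection-state=invalid
# ICMP is accepted from every interface, including ether1. The limit keeps an
# ICMP flood from the ISP side from eating CPU while normal ping / PMTU
# traffic still passes.
add action=accept chain=input comment="Allow ICMP (rate limited)" limit=50/5s,2:packet protocol=icmp
# Management plane: Winbox only from BASE (vlan99 and ether5-access).
add action=accept chain=input comment="Base -> Winbox" dst-port=8291 in-interface-list=BASE protocol=tcp
# Router resolver only for the VLAN list; everything else to port 53 (incl.
# ether1) hits the final drop below.
add action=accept chain=input comment="VLAN -> DNS tcp" dst-port=53 in-interface-list=VLAN protocol=tcp
add action=accept chain=input comment="VLAN -> DNS udp" dst-port=53 in-interface-list=VLAN protocol=udp
add action=drop chain=input comment=Drop
# ---- forward: traffic routed through the router ----
# Fasttrack and the established/related accept come first, so every policy
# rule below only ever sees the first packet of a NEW connection.
add action=fasttrack-connection chain=forward connection-state=established,related hw-offload=yes
add action=accept chain=forward connection-state=established,related,untracked
add action=accept chain=forward comment="Base -> VLANs" in-interface-list=BASE out-interface-list=VLAN
add action=drop chain=forward connection-state=invalid
# ISP-router policy: only vlan99 may open connections to 192.168.1.1. These two
# rules must stay ahead of the generic "VLAN -> Internet" accept, which would
# otherwise match first. The drop is logged so a blocked attempt from another
# VLAN is visible in /log instead of failing silently.
add action=accept chain=forward comment="--> Router Vodafone" dst-address-list="Router Vodafone" in-interface=vlan99 out-interface=ether1
add action=drop chain=forward comment="--> Router Vodafone" dst-address-list="Router Vodafone" in-interface-list=VLAN log=yes log-prefix="vodafone-drop" out-interface=ether1
# ether5-access is in BASE but not VLAN, so it reaches the VLANs (rule above)
# but cannot open connections to the internet.
add action=accept chain=forward comment="VLAN  -> Internet" in-interface-list=VLAN out-interface-list=WAN
add action=drop chain=forward comment=Drop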
/ip firewall nat
# Everything leaving via the WAN list is masqueraded to 192.168.1.2, so the ISP
# router sees one source address and cannot tell the VLANs apart. Any "who may
# talk to 192.168.1.1" policy therefore has to be enforced in this router's
# forward chain, not on the ISP router.
add action=masquerade chain=srcnat comment="Default masquerade" out-interface-list=WAN
/ip route
# Single default route via the ISP router. It applies to every VLAN alike; the
# per-VLAN restriction on reaching 192.168.1.1 itself is done by filter rules.
add disabled=no distance=1 dst-address=0.0.0.0/0 gateway=192.168.1.1 pref-src=0.0.0.0 routing-table=main scope=30 suppress-hw-offload=no target-scope=10
/system identity
set name=RouterSwitchAP
/system routerboard settings
set cpu-frequency=auto
# MAC-Telnet and MAC-Winbox only on management interfaces (BASE), so Layer-2
# management access is not reachable from the user VLANs or from ether1.
/tool mac-server
set allowed-interface-list=BASE
/tool mac-server mac-winbox
set allowed-interface-list=BASE

Hello All,

I am kinda new here. I am seeking some assistance in securing my RB2011UiAS. I have configured NAT on the two ISPs that I have. But I also want to keep some ports open and secure. I have been seeing strange traffic going through those ports and I suspect it is affecting some of the services we have. I would appreciate any help on this.

1.) DMZ normally means whatever is inside that zone should not be able to access/manage your internet gateway at all. Is it really a DMZ?
2.) Do you do NAT on the MikroTik? If so, you can drop requests to 192.168.1.1 that are not NATed.
3.) Or, in the forward chain (filter runs before srcnat), drop all traffic to 192.168.1.1 coming from the VLAN interfaces you want to block.
The input chain to the MikroTik and the output chain to the gateway need to stay open.
Also, if the VLAN clients use DNS servers or similar services on the internet gateway, those will stop working.
Make sure all of that is handled either by the MikroTik or by a cloud service.

So before you add these:

/ip firewall filter
# First attempt: match the VLAN host's own packet (enters on a VLAN interface,
# leaves on ether1, destination = ISP router). Only vlan99 is accepted; every
# other VLAN is dropped. Neither rule touches traffic to other destinations.
add action=accept chain=forward comment="--> Router Vodafone" dst-address-list="Router Vodafone" in-interface=vlan99 out-interface=ether1
add action=drop chain=forward comment="--> Router Vodafone" dst-address-list="Router Vodafone" in-interface-list=VLAN out-interface=ether1

it works (all VLANs can reach the internet), but when you add them, it stops? I don't see how that would be possible. Yes, the drop rule targets VLANs (in-interface-list=VLAN), but the other condition is dst-address-list="Router Vodafone", and if that list contains only a single address, the rule won't touch anything else. You can enable logging for the rule (log=yes) to see whether it really blocks your traffic, but it can't.

Hi,

WeWinet found the issue. In fact the rules which are working for me are:

# NOTE(review): both rules match packets *entering on ether1* with source
# 192.168.1.1, i.e. connections the ISP router itself initiates towards the
# LAN. A VLAN host's own connection to 192.168.1.1 enters on its vlanNN
# interface and is not matched here, and the replies are already accepted by
# the earlier established/related rules, so these two rules do not enforce the
# "only VLAN 99 may reach the ISP router" policy. Verify from a host in another
# VLAN (with log=yes on a drop rule) before relying on them.
add action=accept chain=forward comment="BASE -> Router Vodafone" in-interface=ether1 out-interface-list=BASE src-address-list="Router Vodafone"
add action=drop chain=forward comment=" --> Router Vodafone" in-interface=ether1 src-address-list="Router Vodafone"

I guess because:

  • output chain to gateway needs to be open

which was not the case in the first version of my config.

Thank you!

And where exactly did you put them? Because if they are at the same position as the previous ones, it can't work. You just reversed the previous rule:

  • Original one blocked traffic from VLANs to ether1 and addresses in “Router Vodafone” list.
  • New one blocks traffic from ether1 and addresses in “Router Vodafone” (after preceding rules allows it to BASE)

So all outgoing packets are still allowed, and this would only block responses. But it would have to be at the beginning of the chain, because any response will have connection-state=established and will be allowed by the fasttrack rule or the one following it, so nothing will be blocked. To confirm the restriction actually holds, test from a host in a non-management VLAN and watch a log=yes drop rule.

Hi,

both rules are placed after the "(accept) Allow Estab & Related" rule and before the final "(drop)" at the end of the rule list.

It's working... in a later post, maybe I'll ask for a review of all my rules.

Thanks