Blocking all unused/unneeded protocols, keeping only bare minimum essential ones

I need to block all unused/unneeded protocols in the ACL firewall of the CRS326 switch.
The switch serves in an in-house small LAN without any links to other such devices except to a basic WAN-router for Internet access.
It shall allow only TCP, UDP, ICMP, ARP, RARP, and any other essential protocols (if any beyond the listed) it needs to operate.
VLAN, multicast, IPv6, IPsec not used here, neither PPPOE; maybe sometime later, but for now I need to block as much as possible and allow as less as possible up to the bare minimum for a TCP/IP LAN.
Which of the following MAC and IP protocols (OSI L2 and L3) are essential for this switch to operate in its default factory configuration? Which can I safely block/drop?

mac-protocol (802.2 | arp | homeplug-av | ip | ipv6 | ipx | lldp | loop-protect | mpls-multicast | mpls-unicast | packing-compr | packing-simple | pppoe | pppoe-discovery | rarp | service-vlan | vlan | or 0..65535 | or 0x0000-0xffff)

protocol (dccp | ddp | egp | encap | etherip | ggp | gre | hmp | icmp | icmpv6 | idpr-cmtp | igmp | ipencap | ipip | ipsec-ah | ipsec-esp | ipv6 | ipv6-frag | ipv6-nonxt | ipv6-opts | ipv6-route | iso-tp4 | l2tp | ospf | pim | pup | rdp | rspf | rsvp | sctp | st | tcp | udp | udp-lite | vmtp | vrrp | xns-idp | xtp | or 0..255)

The above lists are from here > https://wiki.mikrotik.com/wiki/Manual:CRS3xx_series_switches#Switch_Rules_.28ACL.29

A firewall segregates two or more parts of a network. A network is called a functional interaction of items.

Make a packet-trace (only the headers … to be wise) on every part of your network(s) AND decide yourself what’s needed and what’s not!

You wanna call yourself bible-proof … so read the bible(s) [yes, even in networking, there are really more than one].

My advice?! … start with the protocols you can identify as 100% unnecessary … then capture further and eliminate till you’re skinny like John the Baptist from the desert!

And … give us the “John-the-Baptist-from-the-desert result”?!

You can! … all the way … use the contrary approach … drop everything, till “your” network works again like expected …

Or you do a trip to Google … protocols that should never leave my local LAN … my local machine … … my mind … etc.

Very good advice, thanks. Will do tcpdump on the uplink-router for all traffic from the IP/MAC of the switch, as well as tcpdump on a PC attached to the switch for all traffic coming from the IP/MAC of the switch.

Yeah, can be done, but for the danger of locking myself out of the switch :slight_smile: Already happened, serial cable came to the rescue :slight_smile:

Or you do a trip to Google … protocols that should never leave my local LAN … my local machine … … my mind … etc.

I did, but must have used the wrong search keywords. Ok, thx, will try again with your search keywords too.

Yeah, can be done, but for the danger of locking myself out of the switch :slight_smile:

Every good network administrator has done this … like every good sailor has crossed the … fan :laughing:

Very true. :slight_smile:

Networking Joke Of The Day:
Hello network support. Yes you might be correct, it could be a network issue, most likely a layer 8 issue.

LOL! :slight_smile:

I find tin foil over the router being careful to leave room for heat dissipation prevents most unwanted traffic.

While analyzing on the uplink-router the traffic coming from the switch, I observed this:
My MT switch with IP 192.168.88.1/17 (MAC c4:ad:34:78:e1:88) sends the following packets to the DNS server 192.168.254.254/24.
Gateway is the said uplink-router 192.168.127.254 (MAC 24:a4:3c:06:6c:2d) on one side and 192.168.254.253 (MAC 24:a4:3c:06:6c:2c) on the other side.
Does it send the same packet twice each time? The only difference is “In” vs. “Out” but the srcIP and dstIP addresses remain the same in both cases.

root@ubnt:/tmp# tcpdump -i any -nn -xe -vv host 192.168.88.1

03:48:51.236326 In c4:ad:34:78:e1:88 ethertype IPv4 (0x0800), length 81: (tos 0x0, ttl 64, id 45479, offset 0, flags [none], proto UDP (17), length 65)
192.168.88.1.58803 > 192.168.254.254.53: [udp sum ok] 6851+ A? cloud2.mikrotik.com. (37)
0x0000: 4500 0041 b1a7 0000 4011 f0b3 c0a8 5801
0x0010: c0a8 fefe e5b3 0035 002d e4ca 1ac3 0100
0x0020: 0001 0000 0000 0000 0663 6c6f 7564 3208
0x0030: 6d69 6b72 6f74 696b 0363 6f6d 0000 0100
0x0040: 01
03:48:51.236867 Out 24:a4:3c:06:6c:2c ethertype IPv4 (0x0800), length 81: (tos 0x0, ttl 63, id 45479, offset 0, flags [none], proto UDP (17), length 65)
192.168.88.1.58803 > 192.168.254.254.53: [udp sum ok] 6851+ A? cloud2.mikrotik.com. (37)
0x0000: 4500 0041 b1a7 0000 3f11 f1b3 c0a8 5801
0x0010: c0a8 fefe e5b3 0035 002d e4ca 1ac3 0100
0x0020: 0001 0000 0000 0000 0663 6c6f 7564 3208
0x0030: 6d69 6b72 6f74 696b 0363 6f6d 0000 0100
0x0040: 01

03:49:11.283763 In c4:ad:34:78:e1:88 ethertype IPv4 (0x0800), length 81: (tos 0x0, ttl 64, id 46098, offset 0, flags [none], proto UDP (17), length 65)
192.168.88.1.50100 > 192.168.254.254.53: [udp sum ok] 42120+ AAAA? cloud2.mikrotik.com. (37)
0x0000: 4500 0041 b412 0000 4011 ee48 c0a8 5801
0x0010: c0a8 fefe c3b4 0035 002d 6204 a488 0100
0x0020: 0001 0000 0000 0000 0663 6c6f 7564 3208
0x0030: 6d69 6b72 6f74 696b 0363 6f6d 0000 1c00
0x0040: 01
03:49:11.284303 Out 24:a4:3c:06:6c:2c ethertype IPv4 (0x0800), length 81: (tos 0x0, ttl 63, id 46098, offset 0, flags [none], proto UDP (17), length 65)
192.168.88.1.50100 > 192.168.254.254.53: [udp sum ok] 42120+ AAAA? cloud2.mikrotik.com. (37)
0x0000: 4500 0041 b412 0000 3f11 ef48 c0a8 5801
0x0010: c0a8 fefe c3b4 0035 002d 6204 a488 0100
0x0020: 0001 0000 0000 0000 0663 6c6f 7564 3208
0x0030: 6d69 6b72 6f74 696b 0363 6f6d 0000 1c00
0x0040: 01

Not sure what understanding packet flows has to do with blocking protocols. Start a new thread.

Starting tcpdump explicitly for Ethernet packets shows that the switch sends such packets every 2 seconds.

root@ubnt:/tmp# tcpdump -i eth1 -nn -xe -vv ether host c4:ad:34:78:e1:88
tcpdump: listening on eth1, link-type EN10MB (Ethernet), capture size 262144 bytes
14:23:16.530879 c4:ad:34:78:e1:88 > 01:80:c2:00:00:00, 802.3, length 39: LLC, dsap STP (0x42) Individual, ssap STP (0x42) Command, ctrl 0x03: STP 802.1w, Rapid STP, Flags [Learn, Forward], bridge-id 8000.c4:ad:34:78:e1:88.8001, length 43
message-age 0.00s, max-age 20.00s, hello-time 2.00s, forwarding-delay 15.00s
root-id 8000.c4:ad:34:78:e1:88, root-pathcost 0, port-role Designated
0x0000: 0000 0202 3c80 00c4 ad34 78e1 8800 0000
0x0010: 0080 00c4 ad34 78e1 8880 0100 0014 0002
0x0020: 000f 0000 0000 0000 0000 00
14:23:18.553234 c4:ad:34:78:e1:88 > 01:80:c2:00:00:00, 802.3, length 39: LLC, dsap STP (0x42) Individual, ssap STP (0x42) Command, ctrl 0x03: STP 802.1w, Rapid STP, Flags [Learn, Forward], bridge-id 8000.c4:ad:34:78:e1:88.8001, length 43
message-age 0.00s, max-age 20.00s, hello-time 2.00s, forwarding-delay 15.00s
root-id 8000.c4:ad:34:78:e1:88, root-pathcost 0, port-role Designated
0x0000: 0000 0202 3c80 00c4 ad34 78e1 8800 0000
0x0010: 0080 00c4 ad34 78e1 8880 0100 0014 0002
0x0020: 000f 0000 0000 0000 0000 00

It seems I have to permit this protocol (STP 802.1w) by specifying “802.2” from the given ACL list.

But, I couldn’t find out which device has the above destination MAC 01:80:c2:00:00:00.
I tried “arp -n” but it does not list that MAC.
Which tool should I use to find/locate the device/interface in the LAN that has this MAC?

Update:
found it described at https://en.wikipedia.org/wiki/Multicast_address#Ethernet .
“… The IEEE has allocated the address block 01-80-C2-00-00-00 to 01-80-C2-FF-FF-FF for group addresses for use by standard protocols. …
01-80-C2-00-00-00 Spanning Tree Protocol (for bridges) IEEE 802.1D
…”

So, then I think I should try it out by allowing only these protocols: TCP, UDP, ICMP, ARP, RARP, 802.2, and blocking all other protocols.

Seems you have a lot of spare time.
In that case you might want to look into Mikrotik firewalls on their demo WebGUI system:
Open the following link in your browser: demo.mt.lv or demo2.mt.lv
You do not need a password.

Then check the firewall section for rules you might want to use.

I wanted to add the following ACL rules, but it gives an error saying that the keyword “action” is unknown.
Has this perhaps not been implemented yet in this beta? Anybody know?

/interface ethernet switch rule

# add all allowed ports and their protocols:

add mac-protocol=ip protocol=tcp dst-port=80 action=accept
add mac-protocol=ip protocol=tcp dst-port=443 action=accept
add mac-protocol=ip protocol=tcp dst-port=22 action=accept
add mac-protocol=ip protocol=udp dst-port=53 action=accept
add mac-protocol=ip protocol=tcp dst-port=53 action=accept
add mac-protocol=ip protocol=udp dst-port=123 action=accept
add mac-protocol=ip protocol=tcp dst-port=123 action=accept
add mac-protocol=ip protocol=icmp action=accept comment="accept all icmp types"
add mac-protocol=arp action=accept comment="essential"
add mac-protocol=rarp action=accept comment="essential"
add mac-protocol=802.2 action=accept comment="essential"
#…
add action=drop disabled=no comment="deny all other"

Sure, I’m the admin :slight_smile: I have to take whatever time is necessary for this important security stuff.

In that case you might want to look into Mikrotik firewalls on their demo WebGUI system:
Open the following link in your browser: demo.mt.lv or demo2.mt.lv
You do not need a password.

Then check the firewall section for rules you might want to use.

Hmm. Thx, I just tried to connect via https and also via http, but there is no connection.
Is that web service at default port 80 or something different?

Since "action=" seems not possible in ACL (cf. posting #13), then I wanted to try to "redirect-to-cpu=yes". Ok, now the packet has to be processed by the slower CPU. But what does this practically mean? Will the packet be landing in the "/ip firewall filter" location? Or are there some other, CPU specific commands to issue? But where are these documented?

This is the CPU device:
/interface ethernet switch port print
Columns: NAME, SWITCH, STORM-RATE

NAME SWITCH STO

...
26 switch1-cpu switch1 100

What can I do with this "switch1-cpu" any different than with the default switch chip where the ACL runs? Is there any documentation anywhere on this "filtering with the CPU" stuff?

Oh, man, what a nightmare I'm experiencing for days with the correct setup attempts of these many different firewalls in this device... :frowning:
It seems it's a real expert device for the true professionals with 10+ years experience with these devices, with many up-to-date network certifications and of course a university degree, maybe a Dr. title is necessary for being able to set up the firewall on these devices... I.e. looks like it's rocket science to set up the firewall on these devices! :slight_smile:
I bet, of the users who use the firewall(s) on these CRS devices, at least 95%, if not more, have their firewall configured incorrectly or incomplete. Prove me wrong, folks! And thanks for the help.

Hahaha, no the problem is you have no clue as to what the requirements are and they change every nanosecond.
You want to play with features, that is fine, but then you try to invent requirements so that you can use a feature.
No one here has time or reason to prove anything LOL.

The name of the game is simplicity and efficiency, neither of which you seem to have a knack for.
My advice is to forget the config and features for now and focus on articulating a set of requirements for your network.
What are the groups of users?
What are their use cases?
A nice clean efficient config will fall from that set of requirements.
A nominal network diagram that shows the available physical and/or planned connectivity with available devices rounds out the picture.

However I doubt you will take advice and unfortunately another component of learning these routers is really listening to those providing advice.
Arrogance has no place in the MT config world. Even when something works, there will be another person that can do the same thing with more elegance and efficiency.

As for qualifications, all one needs is an open mind (and my self certification MTUNA, no need for Dr. just call me Mr Ascerbic).

@anav, the requirements have already been posted in posting #13 ( http://forum.mikrotik.com/t/blocking-all-unused-unneeded-protocols-keeping-only-bare-minimum-essential-ones/139243/1 )
It’s not about users, as there is just one admin user for this device, and he is obviously already configured/set-up; there is nothing more to do about users. This is a simple small LAN environment, nothing more. This firewall on this switch shall be a central firewall for all attached LAN clients plus the WAN interface.
The posted requirements already cover more than 99% of the cases. I would be glad if at least these few firewall rules would finally function in this CRS switch device.

Even when something works, there will be another person that can do the same thing with more elegance and efficiency.

Yeah, you say it, I would love to see finally just one working solution for my said simple firewall requirements. Just show me you or anybody else here. Big thanks in advance!

Is someone able to decipher this from the wiki ( https://wiki.mikrotik.com/wiki/Manual:CRS3xx_series_switches#Switch_Rules_.28ACL.29 ) ? :

new-dst-ports (ports) > Changes the destination port as specified. An empty setting will drop the packet. A specified port will redirect the packet to it. When the parameter is not used, the packet will be accepted. Multiple “new-dst-ports” are not supported on CRS3xx series switches.

It talks of 3 possibilities. Does it mean the following 3 variations? :

  1. new-dst-ports="" comment="drop?"
  2. new-dst-ports=ether5 comment="redirect to a different port?"
  3. (not specifying new-dst-ports at all means accept?)

And the add command requires the ports param (ie. it’s mandatory!). Hey, I’ve 26 switch ports, am I supposed to specify all of them? ether1,ether2,.. 26 of this??? Or will it force me to use VLANs? I don’t want to use VLANs, I don’t need it.

ports (ports) > Matching ports on which will the rule apply on received traffic.

Ok, I finally almost solved it completely in ACL! Without even using the CPU.
Only remaining problem is when I add the final “drop all other” rule: then it blocks somehow too much. Will analyze the final missing part later with tcpdump…

[admin2@MikroTik] /interface/ethernet/switch/rule> print
Flags: X - disabled, I - invalid; D - dynamic
0 switch=switch1 ports=ether1,ether2,ether3,ether4,ether5,ether6,ether7,ether8,ether9,ether10,ether11,ether12,ether13,ether14,ether15,ether16,ether17,ether18,ether19,ether20,
ether21,ether22,ether23,ether24,sfp-sfpplus1,sfp-sfpplus2,switch1-cpu
mac-protocol=ip protocol=tcp dst-port=80 copy-to-cpu=no redirect-to-cpu=no mirror=no

It’s not fully tested yet.

Update:
I now asked the Technical Support with the following support ticket describing the problem:

ACL firewall blocks too much. Need advice.

Hello Technical Support of MikroTik,
my device is a CRS326 with RouterOS 7.0beta5.
I need to use the ACL firewall (ie. the firewall on the switch chip) of this device. Below are my firewall rules.
This switch is in a small LAN environment. There is no other switch device in this LAN, but there is an uplink-router (Ubiquiti).
The ACL is described here > https://wiki.mikrotik.com/wiki/Manual:CRS3xx_series_switches#Switch_Rules_.28ACL.29 > .

This shall make up a central firewall for all clients attached to this switch.
I have the following firewall rules imported, but the last rule does block too much.

As can be seen, besides select TCP, UDP, ICMP packets I’m already accepting all ARP, RARP, and 802.2 packets.
But there must be some other essential protocol(s) missing in my list below as it blocks too much.
Can you please tell me which other mandatory/essential (broadcast?) protocol/s is/are missing in this rules list?

Thanks.

Regards,

xxx


My ACL_firewall.rsc file for import:

###########
/interface ethernet switch rule

:global myPorts "ether1,ether2,ether3,ether4,ether5,ether6,ether7,ether8,ether9,ether10,ether11,ether12,ether13,ether14,ether15,ether16,ether17,ether18,ether19,ether20,ether21,ether22,ether23,ether24,sfp-sfpplus1,sfp-sfpplus2,switch1-cpu"

# add all allowed ports and their protocols:

add mac-protocol=ip protocol=tcp dst-port=80 switch=switch1 ports=$myPorts
add mac-protocol=ip protocol=tcp dst-port=443 switch=switch1 ports=$myPorts
add mac-protocol=ip protocol=tcp dst-port=22 switch=switch1 ports=$myPorts
add mac-protocol=ip protocol=udp dst-port=53 switch=switch1 ports=$myPorts
add mac-protocol=ip protocol=tcp dst-port=53 switch=switch1 ports=$myPorts
add mac-protocol=ip protocol=udp dst-port=123 switch=switch1 ports=$myPorts
add mac-protocol=ip protocol=tcp dst-port=123 switch=switch1 ports=$myPorts
add mac-protocol=ip protocol=icmp comment="accept all icmp types" switch=switch1 ports=$myPorts
add mac-protocol=arp comment="essential" switch=switch1 ports=$myPorts
add mac-protocol=rarp comment="essential" switch=switch1 ports=$myPorts
add mac-protocol=802.2 comment="essential" switch=switch1 ports=$myPorts
#…
add new-dst-ports="" comment="drop/deny all other" switch=switch1 ports=$myPorts disabled=no
###########

Finally solved! Doing tests now.
The reason was that this switch device, besides the few L2 protocols shown, also uses some IP L3 protocols internally. Will analyze them later.
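Added example (my own code, not from this thread or from MikroTik): a small Python parser that tallies the mac-protocol / protocol / destination-port combinations found in tcpdump -e output of the kind posted above, then renders one accept rule per combination in the switch-rule syntax used in the thread, so the allow-list is derived from what the switch actually sends instead of guessed. The sample capture lines are constructed from the shapes seen in this thread (DNS query, RSTP BPDU, plus an ARP request and an ICMP echo); switch1 and $myPorts are taken from the posted .rsc.

```python
import re
from collections import Counter

# tcpdump ethertype names -> mac-protocol values from the CRS3xx ACL list; others keep the hex value
ETHERTYPE_TO_ACL = {"IPv4": "ip", "ARP": "arp", "RARP": "rarp", "IPv6": "ipv6"}
RE_ETHERTYPE = re.compile(r"ethertype (\w+) \((0x[0-9a-fA-F]{4})\)")
RE_LLC = re.compile(r"\b802\.3, length \d+: LLC")         # raw 802.3/LLC frame such as an STP BPDU
RE_L4 = re.compile(r"proto (\w+) \((\d+)\)")
RE_DST = re.compile(r"^\s*[\d.]+\.\d+ > [\d.]+\.(\d+):")  # "src.port > dst.port:" continuation line

# Constructed sample in the shape of the thread's tcpdump -e output: DNS query, RSTP BPDU, ARP, ICMP
SAMPLE_CAPTURE = """\
03:48:51.236326 In c4:ad:34:78:e1:88 ethertype IPv4 (0x0800), length 81: (tos 0x0, ttl 64, id 45479, offset 0, flags [none], proto UDP (17), length 65)
    192.168.88.1.58803 > 192.168.254.254.53: [udp sum ok] 6851+ A? cloud2.mikrotik.com. (37)
14:23:16.530879 c4:ad:34:78:e1:88 > 01:80:c2:00:00:00, 802.3, length 39: LLC, dsap STP (0x42) Individual, ssap STP (0x42) Command, ctrl 0x03: STP 802.1w, Rapid STP
14:23:20.000000 c4:ad:34:78:e1:88 > ff:ff:ff:ff:ff:ff, ethertype ARP (0x0806), length 42: Request who-has 192.168.127.254 tell 192.168.88.1, length 28
14:23:21.000000 In c4:ad:34:78:e1:88 ethertype IPv4 (0x0800), length 100: (tos 0x0, ttl 64, id 1, offset 0, flags [none], proto ICMP (1), length 84)
    192.168.88.1 > 192.168.127.254: ICMP echo request, id 1, seq 1, length 64
"""

def summarize(capture: str) -> Counter:
    """Count (mac-protocol, protocol, dst-port) tuples; None where a field does not apply.
    With 'tcpdump -i any' each forwarded packet appears as In and Out, so counts double."""
    seen = Counter()
    pending = None  # (mac, tcp|udp) from a header line still waiting for its "src > dst" line
    for line in capture.splitlines():
        m_dst = RE_DST.match(line)
        if pending and m_dst:
            seen[(pending[0], pending[1], int(m_dst.group(1)))] += 1
            pending = None
            continue
        pending = None
        m_et = RE_ETHERTYPE.search(line)
        if m_et:
            mac = ETHERTYPE_TO_ACL.get(m_et.group(1), m_et.group(2))
            m_l4 = RE_L4.search(line)
            proto = m_l4.group(1).lower() if m_l4 else None
            if proto in ("tcp", "udp"):
                pending = (mac, proto)   # the port is on the next line
            else:
                seen[(mac, proto, None)] += 1
        elif RE_LLC.search(line):
            seen[("802.2", None, None)] += 1
    return seen

def to_acl_rules(seen: Counter, ports: str = "$myPorts") -> list:
    """One 'add' line per tuple in the thread's switch-rule syntax (no action=; accept is implied)."""
    rules = []
    for (mac, proto, port), n in sorted(seen.items(), key=lambda kv: str(kv[0])):
        proto_s = f" protocol={proto}" if proto else ""
        port_s = f" dst-port={port}" if port is not None else ""
        rules.append(f"add mac-protocol={mac}{proto_s}{port_s} switch=switch1 "
                     f'ports={ports} comment="seen {n}x in capture"')
    return rules
```

Feed it a real capture with `summarize(open("capture.txt").read())`; the rendered lines still need the final drop rule appended by hand, and anything the switch only sends occasionally (the internal L3 protocols mentioned above) only shows up if the capture ran long enough.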