Blocking internet traffic in & out with only OPC port open

I want to configure a firewall shielding a training production line with several purchased machines and a few OPC-UA servers (IoT devices using the OPC-UA protocol (opc.tcp, port 4840)).
All equipment is open source hardware and software (Raspberry Pis, Kunbus Revolution PLC (Pi based), OPC-UA protocol, Python sources, GitHub, etc.) and will be made public so that others can use the same setup.

For (human) safety and digital security reasons, nobody should have remote access to these (e.g. robot) machines. We also don't want to allow the purchased machines to (sometimes) secretly communicate back to their vendors; we want to shield them from the internet, block automatic updates, and install updates by hand on the local network only once they are proven elsewhere. So srcnat is blocked, only manually opened to receive updates and then closed again. In other words, cut the production line completely off from the internet, with only the OPC mouse hole open to read OPC server data (this requires the dstnat port to be opened).

The plan is to use a LAN (e.g. 192.168.0.0/24) with a router, an RB750GR3, no Wi-Fi, i.e. only wired access, and a WAN interface 10.0.0.253.
Computer access (login, user interface, etc.) to that equipment is only within that LAN, physically next to the production line, by plugging a notebook into the RB750.
The only dstnat we allow is this OPC-UA one, where clients from the engineering 10.0.0.0/24 network can communicate with specific OPC servers on 192.168.0.3 and .4 on the LAN. All other traffic towards outside the LAN is to be dropped.

I am not a firewall specialist; I studied on the internet, watched YouTube videos and constructed some rules, but I'm still struggling.
Fasttrack is disabled/removed; access to the router (input) is only from the LAN itself.
srcNAT is disabled and I opened two dstnats, where access to 192.168.0.3:4840 is through 10.0.0.254 (the router WAN address) on port 54843, and to .4 via 10.0.0.2:54844.
Here is my current firewall configuration:

aug/13/2019 10:50:21 by RouterOS 6.45.3

model = RB750Gr3

/ip firewall filter
add action=drop chain=input comment="drop invalid to firewall router at 192.168.0.1/24" connection-state=invalid
add action=accept chain=input comment="allow established connections to firewall router " connection-state=established
add action=accept chain=input comment="allow connection to firewall router from local network (ether2-5 as ether1 is WAN)" in-interface=!ether1 src-address=192.168.0.0/24
add action=drop chain=input comment="drop all to firewall router not coming from LAN (also no icmp)" in-interface=ether1
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=forward comment="accept established and related" connection-state=established,related
add action=drop chain=forward comment="defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat connection-state=new in-interface-list=WAN
add action=drop chain=forward comment="drop everything else " disabled=yes
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" disabled=yes ipsec-policy=out,none out-interface-list=WAN
add action=dst-nat chain=dstnat dst-address=10.0.0.253 dst-port=54843 log=yes protocol=tcp to-addresses=192.168.0.3 to-ports=4840
add action=dst-nat chain=dstnat dst-address=10.0.0.253 dst-port=54844 log=yes protocol=tcp to-addresses=192.168.0.4 to-ports=4840
/ip firewall service-port
set ftp disabled=yes
set irc disabled=yes
set h323 disabled=yes
set sip disabled=yes

This setup works, although any suggestion for improving it is welcome.

I just don't want my students to learn a wrong setting.

Nevertheless there is still a problem to solve: NTP. Some of the systems don't have a real-time clock (e.g. the Raspberry Pis). What would be sensible rules for allowing NTP in?
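An added example, not part of the post above, showing two ways to give the LAN time without reopening general srcnat: option A lets the router itself sync from a time server on the engineering network and serve the LAN (the only new flow is the router's own client, which leaves through the output chain); option B opens exactly one UDP/123 flow to that one server for devices that must sync directly. It assumes the engineering NTP server is 10.0.0.10 (a placeholder), RouterOS 6.x with the separate ntp package for the server part, and the rule comments exactly as exported in the post (note the trailing space in "drop everything else ").

```routeros
# --- Option A: router as the LAN's only time source (srcnat stays off) ---
# Assumed: 10.0.0.10 is the engineering network's NTP server (placeholder).
/system ntp client
set enabled=yes primary-ntp=10.0.0.10
# Needs the "ntp" package on RouterOS 6.x; LAN hosts then use 192.168.0.1.
/system ntp server
set enabled=yes

# Rule 3 of the post's input chain already accepts all LAN traffic to the
# router, so this explicit rule is redundant today; it documents the intent
# and keeps working if that broad accept is later narrowed.
/ip firewall filter
add chain=input action=accept protocol=udp dst-port=123 \
    src-address=192.168.0.0/24 in-interface=!ether1 \
    comment="allow LAN hosts to query the router's NTP server" \
    place-before=[find comment="drop all to firewall router not coming from LAN (also no icmp)"]

# --- Option B: one device-to-server NTP flow, nothing else ---
# Accept only UDP/123 from the LAN to the single time server, inserted before
# the final forward drop so it is evaluated while the drop is active.
/ip firewall filter
add chain=forward action=accept protocol=udp dst-port=123 \
    src-address=192.168.0.0/24 dst-address=10.0.0.10 out-interface=ether1 \
    comment="NTP to engineering time server only" \
    place-before=[find comment="drop everything else "]

# src-nat scoped to that same flow: the masquerade rule stays disabled, so
# no other LAN traffic can leave with a routable source address.
/ip firewall nat
add chain=srcnat action=src-nat to-addresses=10.0.0.253 protocol=udp \
    dst-port=123 src-address=192.168.0.0/24 dst-address=10.0.0.10 \
    out-interface=ether1 comment="src-nat for NTP only, not a general masquerade"

# The post's last forward rule ("drop everything else") is disabled=yes, so
# new LAN-to-WAN connections are currently only un-NATed, not dropped.
# Enabling it makes the cut-off depend on the filter, not on srcnat being off.
/ip firewall filter
enable [find comment="drop everything else "]
```

Use one option, not both; with option A the purchased machines still never reach the engineering network directly, which matches the isolation goal stated in the post.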