Blocking traffic to rest of network but allowing access to forwarded ports on public IP

I’ve got an “untrusted” VLAN set up which can access the internet but is blocked from connecting to any other devices:

/ip firewall filter add action=drop chain=forward comment="untrusted: drop local" disabled=yes in-interface=vlan2 out-interface-list=LAN

However this rule also seems to prevent devices on this VLAN from accessing forwarded ports on the router’s public IP.

Devices on the untrusted VLAN are on the 10.10.11.0/24 subnet, whereas the port forwarded device is on 10.10.10.0/24 (specifically it’s 10.10.10.100).

The port forwarding rule I am using is:

/ip firewall nat add action=dst-nat chain=dstnat comment=https dst-address=!10.10.10.1 dst-address-type=local dst-port=443 protocol=tcp to-addresses=10.10.10.100 to-ports=443

Am I doing something wrong here with either my “drop local” filter rule or port forwarding NAT rule?

Full config
/export file=anynameyouwish ( minus router serial number and any public WAN IP information )

Here’s my configuration (removed any sections which aren’t relevant):

# nov/17/2023 06:16:38 by RouterOS 6.48.2
# software id = XXXX-XXXX
#
# model = RBD52G-5HacD2HnD
# serial number = XXXXXXXXXXXX
/interface bridge
add admin-mac=XX:XX:XX:XX:XX:XX auto-mac=no name=bridge vlan-filtering=yes
/interface vlan
add interface=bridge name=vlan2 vlan-id=20
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
add authentication-types=wpa2-psk mode=dynamic-keys name=main \
    supplicant-identity=MikroTik wpa2-pre-shared-key=main
add authentication-types=wpa2-psk mode=dynamic-keys name=untrusted \
    supplicant-identity=MikroTik wpa2-pre-shared-key=untrusted
/interface wireless
set [ find default-name=wlan1 ] band=2ghz-b/g/n channel-width=20/40mhz-XX \
    disabled=no distance=indoors frequency=auto installation=indoor \
    mode=ap-bridge security-profile=main ssid=main \
    wireless-protocol=802.11 wps-mode=disabled
set [ find default-name=wlan2 ] band=5ghz-a/n/ac channel-width=\
    20/40/80mhz-XXXX disabled=no distance=indoors frequency=auto \
    installation=indoor mode=ap-bridge security-profile=main \
    ssid=main wireless-protocol=802.11 wps-mode=disabled
add disabled=no mac-address=XX:XX:XX:XX:XX:XX master-interface=wlan1 name=\
    wlan3 security-profile=untrusted ssid=untrusted wds-default-bridge=bridge \
    wps-mode=disabled
add disabled=no mac-address=XX:XX:XX:XX:XX:XX master-interface=wlan2 name=\
    wlan4 security-profile=untrusted ssid=untrusted wds-default-bridge=bridge \
    wps-mode=disabled
/ip pool
add name=main ranges=10.10.10.2-10.10.10.254
add name=untrusted ranges=10.10.11.2-10.10.11.254
/ip dhcp-server
add address-pool=main disabled=no interface=bridge lease-time=23h59m59s name=\
    main
add address-pool=untrusted disabled=no interface=vlan2 lease-time=23h59m59s name=\
    untrusted
/interface bridge port
add bridge=bridge comment=defconf interface=ether2
add bridge=bridge comment=defconf interface=ether3
add bridge=bridge comment=defconf interface=ether4
add bridge=bridge comment=defconf interface=ether5
add bridge=bridge comment=defconf interface=wlan1
add bridge=bridge comment=defconf interface=wlan2
add bridge=bridge interface=wlan3 pvid=20
add bridge=bridge interface=wlan4 pvid=20
/ip neighbor discovery-settings
set discover-interface-list=LAN
/interface bridge vlan
add bridge=bridge tagged=bridge vlan-ids=10
add bridge=bridge tagged=bridge vlan-ids=20
/interface list member
add interface=bridge list=LAN
add interface=ether1 list=WAN
add interface=vlan2 list=LAN
/ip address
add address=10.10.10.1/24 interface=bridge network=10.10.10.0
add address=10.10.11.1/24 comment=untrusted interface=vlan2 network=10.10.11.0
/ip dhcp-server network
add address=10.10.10.0/24 dns-server=10.10.10.11 gateway=10.10.10.1 netmask=\
    24
add address=10.10.11.0/24 dns-server=1.1.1.1 gateway=10.10.11.1 netmask=24
/ip firewall filter
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment=\
    "defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
    in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
    ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
    ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
    connection-state=established,related
add action=accept chain=forward comment=\
    "defconf: accept established, related, untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
add action=drop chain=forward comment=\
    "defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
    connection-state=new in-interface-list=WAN
add action=drop chain=forward comment="untrusted: drop local" disabled=yes \
    in-interface=vlan2 out-interface-list=LAN
/ip firewall nat
add action=masquerade chain=srcnat comment=\
    "allow local traffic to reach exposed ports" dst-address=10.10.10.0/24 \
    src-address=10.10.10.0/24
add action=masquerade chain=srcnat comment="defconf: masquerade" \
    ipsec-policy=out,none out-interface-list=WAN
add action=dst-nat chain=dstnat comment=http dst-address=!10.10.10.1 \
    dst-address-type=local dst-port=80 protocol=tcp to-addresses=10.10.10.100 \
    to-ports=80
add action=dst-nat chain=dstnat comment=https dst-address=!10.10.10.1 \
    dst-address-type=local dst-port=443 protocol=tcp to-addresses=\
    10.10.10.100 to-ports=443

(1) Question about your settings here… what is vlan10??
Point of personal preference: I prefer to manually untag bridge ports in the config so they show up on the export and one can follow the admin's logic.
/interface bridge vlan
add bridge=bridge tagged=bridge vlan-ids=10
add bridge=bridge tagged=bridge vlan-ids=20

TO:
/interface bridge vlan
add bridge=bridge tagged=bridge untagged=wlan1,wlan2 vlan-ids=20

(2) Again personal preference but I prefer the following format…
add bridge=bridge ingress-filtering=yes frame-types=admit-priority-and-untagged interface=wlan3 pvid=20
add bridge=bridge ingress-filtering=yes frame-types=admit-priority-and-untagged interface=wlan4 pvid=20

(3) Don't understand your settings for DHCP server network… what is special about 10.10.10.11???
/ip dhcp-server network
add address=10.10.10.0/24 dns-server=10.10.10.11 gateway=10.10.10.1
add address=10.10.11.0/24 dns-server=1.1.1.1 gateway=10.10.11.1

(4) Your input chain rules don't quite match your stated concerns, in that anyone can access your router for config purposes.
Thus recommend the following at least:
/ip firewall filter
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment="defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=accept chain=input comment=TrustedLAN in-interface=bridge src-address=10.10.10.0/24
add action=accept chain=input comment="access to services" dst-port=53 protocol=udp in-interface-list=LAN
add action=accept chain=input comment="access to services" dst-port=53 protocol=tcp in-interface-list=LAN
add action=drop chain=input comment="DROP ALL ELSE" { put this rule in last }

(5) Accessing internal servers by their WANIP is a bit tricky, since the default rule only allows it from the WAN side
add action=drop chain=forward comment="defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat connection-state=new in-interface-list=WAN

Recommended to change this rule to the following three rules, which are clearer, provide better security and fix your dst-nat problem:
add action=accept chain=forward comment="internet" in-interface-list=LAN out-interface-list=WAN
add action=accept chain=forward comment="port forwarding" connection-nat-state=dstnat
add action=drop chain=forward comment="DROP ALL ELSE"

(6) Looking at your source nat rules, I see you have accounted for local users on the trusted subnet also accessing the servers by the WANIP, as you have the required hairpin nat rule in place.
The hairpin nat rule is NOT required for the VLAN subnet as that is a different subnet.

(7) Not sure what you are doing with the dstnat rules, a kind of cute method to deal with a dynamic WANIP attempt but the problem is that you do not rule out 10.10.11.0 subnet which is also local.
It would appear that you are trying to direct ALL users to go out a server for all browsing??? Can you provide a better explanation please… What is at 10.100.100 and what is its purpose??

add action=dst-nat chain=dstnat comment=http dst-address=!10.10.10.1 dst-address-type=local dst-port=80 protocol=tcp to-addresses=10.10.10.100 to-ports=80
add action=dst-nat chain=dstnat comment=https dst-address=!10.10.10.1 dst-address-type=local dst-port=443 protocol=tcp to-addresses=10.10.10.100 to-ports=443
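As an added example that is not part of this thread and not MikroTik code: a small Python model of how RouterOS runs the dstnat chain before the forward filter chain, applied to the rules posted above. It reproduces what the original post describes (the translated destination 10.10.10.100 sits on the bridge, so "untrusted: drop local" catches the port-forwarded connection), shows the effect of the three forward rules suggested in point (5), and shows the point (7) observation that dst-address=!10.10.10.1 dst-address-type=local still matches the vlan2 gateway 10.10.11.1. Interface names, lists, subnets and rules come from the posted config; the WAN address 203.0.113.10, the client 10.10.11.50 and the port 22 probe are constructed sample values. Only the first packet of a new connection and only the matchers used in the thread are modelled.

```python
"""Model of RouterOS packet flow: dstnat (prerouting) runs first, then the
forward filter chain sees the translated destination and routes on it.
Added example; not code from the forum thread or from MikroTik."""
from dataclasses import dataclass, replace
from ipaddress import ip_address, ip_network

# Router-local addresses: the two gateways from the export plus a placeholder WAN IP
LOCAL_ADDRESSES = {"10.10.10.1", "10.10.11.1", "203.0.113.10"}
INTERFACE_LISTS = {"LAN": {"bridge", "vlan2"}, "WAN": {"ether1"}}
# Connected routes from /ip address; anything else leaves via the WAN port
CONNECTED = {ip_network("10.10.10.0/24"): "bridge", ip_network("10.10.11.0/24"): "vlan2"}


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    dport: int
    proto: str
    in_iface: str
    nat_state: str = "none"   # becomes "dstnat" once the dstnat chain rewrites dst


def out_iface(dst: str) -> str:
    """Routing lookup: the out-interface is decided on the (possibly translated) destination."""
    for net, iface in CONNECTED.items():
        if ip_address(dst) in net:
            return iface
    return "ether1"


def matches(rule: dict, pkt: Packet) -> bool:
    """Only the matchers that appear in the thread; a key ending in '!' is a negated matcher."""
    m = rule["match"]
    if "in-interface" in m and pkt.in_iface != m["in-interface"]:
        return False
    if "in-interface-list" in m and pkt.in_iface not in INTERFACE_LISTS[m["in-interface-list"]]:
        return False
    if "out-interface-list" in m and out_iface(pkt.dst) not in INTERFACE_LISTS[m["out-interface-list"]]:
        return False
    if "dst-address!" in m and pkt.dst == m["dst-address!"]:
        return False
    if m.get("dst-address-type") == "local" and pkt.dst not in LOCAL_ADDRESSES:
        return False
    if "dst-port" in m and pkt.dport != m["dst-port"]:
        return False
    if "protocol" in m and pkt.proto != m["protocol"]:
        return False
    if "connection-nat-state" in m and pkt.nat_state != m["connection-nat-state"]:
        return False
    if "connection-nat-state!" in m and pkt.nat_state == m["connection-nat-state!"]:
        return False
    return True


def run_chain(rules: list, pkt: Packet) -> dict:
    """RouterOS semantics: the first matching rule decides; no match means accept."""
    for rule in rules:
        if matches(rule, pkt):
            return rule
    return {"action": "accept", "comment": "(no rule matched, chain default)"}


# The https dst-nat rule as posted (the http rule is the same apart from the port)
DSTNAT = [{"action": "dst-nat", "comment": "https", "to": "10.10.10.100",
           "match": {"dst-address!": "10.10.10.1", "dst-address-type": "local",
                     "dst-port": 443, "protocol": "tcp"}}]

# Forward chain from the original post, with "untrusted: drop local" enabled as described
OP_FORWARD = [
    {"action": "drop", "comment": "defconf: drop all from WAN not DSTNATed",
     "match": {"in-interface-list": "WAN", "connection-nat-state!": "dstnat"}},
    {"action": "drop", "comment": "untrusted: drop local",
     "match": {"in-interface": "vlan2", "out-interface-list": "LAN"}},
]

# The three rules suggested in point (5) of the reply
REPLY_FORWARD = [
    {"action": "accept", "comment": "internet",
     "match": {"in-interface-list": "LAN", "out-interface-list": "WAN"}},
    {"action": "accept", "comment": "port forwarding", "match": {"connection-nat-state": "dstnat"}},
    {"action": "drop", "comment": "DROP ALL ELSE", "match": {}},
]


def walk(pkt: Packet, forward_rules: list) -> tuple:
    """Returns (final dst, out-interface, verdict, matching rule comment) for a new connection."""
    hit = run_chain(DSTNAT, pkt)
    if hit["action"] == "dst-nat":
        pkt = replace(pkt, dst=hit["to"], nat_state="dstnat")
    verdict = run_chain(forward_rules, pkt)
    return pkt.dst, out_iface(pkt.dst), verdict["action"], verdict["comment"]


if __name__ == "__main__":
    # Untrusted client (constructed) opening the forwarded port on the WAN IP (placeholder)
    wanip_https = Packet("10.10.11.50", "203.0.113.10", 443, "tcp", "vlan2")
    print("OP rules    :", walk(wanip_https, OP_FORWARD))
    print("reply rules :", walk(wanip_https, REPLY_FORWARD))
    # point (7): the vlan2 gateway is a local address that dst-address=!10.10.10.1 does not exclude
    print("gateway:443 :", walk(Packet("10.10.11.50", "10.10.11.1", 443, "tcp", "vlan2"), REPLY_FORWARD))
    # direct access to the server on a port that is not forwarded (constructed probe)
    print("direct :22  :", walk(Packet("10.10.11.50", "10.10.10.100", 22, "tcp", "vlan2"), REPLY_FORWARD))
```

Running it shows the forwarded connection dropped by "untrusted: drop local" under the original rule set and accepted by "port forwarding" under the reply's three rules, while a connection straight to 10.10.10.100 on a non-forwarded port still ends at "DROP ALL ELSE". Because nothing accepts vlan2-to-bridge traffic before the final drop, those three rules isolate the VLAN on their own in this model; whether the separate "untrusted: drop local" rule is still wanted depends on where it sits relative to the "port forwarding" accept.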