Just got a new Hex to replace a Verizon G3100 (while waiting for an RB5009).
Could someone please check my config to see if I’m secure? I forward ports 5800 and 5900 for VNC, and 8123 for Home Assistant.
Thank you!
# oct/18/2022 05:47:15 by RouterOS 6.49.7
# software id = C3RH-692B
#
# model = RB750Gr3
# serial number =
/interface bridge
add admin-mac=18:FD:00:00:00:00 auto-mac=no comment=defconf name=bridge
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip pool
add name=dhcp ranges=192.168.2.100-192.168.2.200
/ip dhcp-server
add address-pool=dhcp disabled=no interface=bridge name=defconf
/interface bridge port
add bridge=bridge comment=defconf interface=ether2
add bridge=bridge comment=defconf interface=ether3
add bridge=bridge comment=defconf interface=ether4
add bridge=bridge comment=defconf interface=ether5
/ip neighbor discovery-settings
set discover-interface-list=LAN
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=ether1 list=WAN
/ip address
add address=192.168.2.2/24 comment=defconf interface=bridge network=\
192.168.2.0
/ip dhcp-client
add comment=defconf disabled=no interface=ether1
/ip dhcp-server network
add address=192.168.2.0/24 comment=defconf gateway=192.168.2.2 netmask=24
/ip dns
set allow-remote-requests=yes servers=8.8.8.8,1.1.1.1
/ip dns static
add address=192.168.2.2 comment=defconf name=router.lan
/ip firewall filter
add action=accept chain=forward dst-port=5800 in-interface=ether1 log=yes \
protocol=tcp
add action=accept chain=forward dst-port=5900 in-interface=ether1 log=yes \
protocol=tcp
add action=accept chain=forward dst-port=8123 in-interface=ether1 log=yes \
protocol=tcp
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment=\
"defconf: accept established,related,untracked" connection-state=\
established,related,untracked
add action=drop chain=input in-interface=ether1 log=yes
add action=accept chain=forward in-interface=ether1 out-interface=bridge
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
invalid
add action=accept chain=input comment=\
"defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
connection-state=established,related
add action=accept chain=forward comment=\
"defconf: accept established,related, untracked" connection-state=\
established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
connection-state=invalid
add action=drop chain=forward comment=\
"defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
connection-state=new in-interface-list=WAN
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" \
ipsec-policy=out,none out-interface-list=WAN src-address=192.168.0.0/16
add action=src-nat chain=srcnat dst-address=192.168.2.22 dst-port=5800 log=\
yes protocol=tcp to-addresses=192.168.2.22
add action=src-nat chain=srcnat dst-address=192.168.2.22 dst-port=5900 log=\
yes protocol=tcp to-addresses=192.168.2.22
add action=src-nat chain=srcnat dst-address=192.168.2.176 dst-port=8123 log=\
yes protocol=tcp to-addresses=192.168.2.176
/ip route
add disabled=yes distance=1 gateway=192.168.2.1
/system clock
set time-zone-name=America/New_York
/system identity
set name=RouterOS
/system ntp client
set enabled=yes primary-ntp=216.239.35.4 secondary-ntp=104.16.132.229
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN
/tool traffic-monitor
add interface=ether1 name=tmon1
anav
October 18, 2022, 10:54am
2
It would appear you no clue on how to use firewall rules.https://forum.mikrotik.com/viewtopic.php?t=179343
also firewall basic something like this will work for you…
/ip firewall filter
{Input Chain}
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input in-interface-list=LAN
add action=drop chain=input comment="drop all else" *****
{forward chain}
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related
add action=accept chain=forward comment="defconf: accept established,related, untracked" connection-state=established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=forward comment="allow internet traffic" in-interface-list=LAN out-interface-list=WAN
add action=accept chain=forward comment="allow port forwarding" connection-nat-state=dstnat
add action=drop chain=forward
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" out-interface-list=WAN
Thank you so much for your help!
I did not want to leave the VPN active, but unchecking it leaves all the VPN-related entries in the exported config file. I don’t know how to remove them permanently.
Is this better:
# oct/18/2022 10:00:15 by RouterOS 6.49.7
# software id = C3RH-692B
#
# model = RB750Gr3
# serial number = Hxxxxxxx
/interface bridge
add admin-mac=18:xx:xx:xx:xx:xx auto-mac=no comment=defconf name=bridge
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip pool
add name=dhcp ranges=192.168.2.100-192.168.2.200
add name=vpn ranges=192.168.89.2-192.168.89.255
/ip dhcp-server
add address-pool=dhcp disabled=no interface=bridge name=defconf
/ppp profile
set *FFFFFFFE bridge-learning=no local-address=192.168.89.1 remote-address=\
vpn
/interface bridge port
add bridge=bridge comment=defconf interface=ether2
add bridge=bridge comment=defconf interface=ether3
add bridge=bridge comment=defconf interface=ether4
add bridge=bridge comment=defconf interface=ether5
/ip neighbor discovery-settings
set discover-interface-list=LAN
/interface l2tp-server server
set use-ipsec=yes
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=ether1 list=WAN
/interface sstp-server server
set default-profile=default-encryption
/ip address
add address=192.168.2.2/24 comment=defconf interface=bridge network=\
192.168.2.0
/ip cloud
set ddns-enabled=yes ddns-update-interval=1h
/ip dhcp-client
add comment=defconf disabled=no interface=ether1
/ip dhcp-server network
add address=192.168.2.0/24 comment=defconf gateway=192.168.2.2 netmask=24
/ip dns
set allow-remote-requests=yes servers=8.8.8.8,1.1.1.1
/ip dns static
add address=192.168.2.2 comment=defconf name=router.lan
/ip firewall filter
add action=accept chain=input comment=\
"NEW defconf: accept established,related,untracked" connection-state=\
established,related,untracked
add action=accept chain=input comment="allow IPsec NAT" dst-port=4500 \
protocol=udp
add action=accept chain=input comment="allow IKE" dst-port=500 protocol=udp
add action=accept chain=input comment="allow l2tp" dst-port=1701 protocol=udp
add action=accept chain=input comment="allow pptp" dst-port=1723 protocol=tcp
add action=accept chain=input comment="allow sstp" dst-port=443 protocol=tcp
add action=drop chain=input comment="NEW defconf: drop invalid" \
connection-state=invalid
add action=accept chain=input comment="NEW defconf: accept ICMP" protocol=\
icmp
add action=accept chain=input comment=NEW in-interface-list=LAN
add action=drop chain=input comment="NEW drop all else" log=yes
add action=fasttrack-connection chain=forward comment=\
"NEW defconf: fasttrack" connection-state=established,related
add action=accept chain=forward comment=\
"NEW defconf: accept established,related, untracked" connection-state=\
established,related,untracked
add action=drop chain=forward comment="NEW defconf: drop invalid" \
connection-state=invalid
add action=accept chain=forward comment="NEW allow internet traffic" \
in-interface-list=LAN out-interface-list=WAN
add action=accept chain=forward comment="NEW allow port forwarding" \
connection-nat-state=dstnat
add action=accept chain=forward dst-port=5800 in-interface=ether1 log=yes \
protocol=tcp
add action=accept chain=forward dst-port=5900 in-interface=ether1 log=yes \
protocol=tcp
add action=accept chain=forward dst-port=8123 in-interface=ether1 log=yes \
protocol=tcp
add action=drop chain=forward comment=NEW
/ip firewall nat
add action=masquerade chain=srcnat comment="NEW defconf: masquerade" \
out-interface-list=WAN
add action=accept chain=forward comment="NEW allow internet traffic" \
in-interface-list=LAN out-interface-list=WAN
add action=src-nat chain=srcnat dst-address=192.168.2.22 dst-port=5800 log=\
yes protocol=tcp to-addresses=192.168.2.22
add action=src-nat chain=srcnat dst-address=192.168.2.22 dst-port=5900 log=\
yes protocol=tcp to-addresses=192.168.2.22
add action=src-nat chain=srcnat dst-address=192.168.2.176 dst-port=8123 log=\
yes protocol=tcp to-addresses=192.168.2.176
add action=masquerade chain=srcnat comment="masq. vpn traffic" src-address=\
192.168.89.0/24
/ip route
add disabled=yes distance=1 gateway=192.168.2.1
/ppp secret
add name=vpn
/system clock
set time-zone-name=America/New_York
/system identity
set name=RouterOS
/system ntp client
set enabled=yes primary-ntp=216.239.35.4 secondary-ntp=104.16.132.229
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN
/tool traffic-monitor
add interface=ether1 name=tmon1
anav
October 18, 2022, 2:29pm
4
There was no VPN config in your first post??
What are the requirements???
add action=accept chain=forward dst-port=5800 in-interface=ether1 log=yes
(2) You have a duplicate forward chain LAN TO WAN RULE but LOL< you stuck in the DST NAT rules… Remove part in orange.
The correct entry depends on what type of WANIP connection you have. ( Dynamic WANIP, or fixed STATIC WANIP
/ip firewall nat add action=accept chain=forward comment=“NEW allow internet traffic” add action=src-nat chain=srcnat dst-address=192.168.2.22 dst-port=5800 log=
(3) plain mac-server only is not encrypted/secure thus change it to NONE .LAN
In QUICK SET, I checked the VPN checkbox. Then I unchecked it. But the entries remain when I export the config.
I removed the port forwarding from the INPUT CHAIN RULES – thank you.
When I removed this line I lose outbound (LAN to WAN) connectivity:
add action=accept chain=forward comment=“NEW allow internet traffic” in-interface-list=LAN out-interface-list=WAN
I was going to tackle Wireguard next. You previously helped me setting up Wireguard with another Hex so I hope I can get it working on this one without further help.
anav
October 18, 2022, 4:49pm
6
(1) You removed the wrong internet traffic rule… I said duplicate and told you which copy to delete even…
NOT THIS ONE (in correct spot in forward chain)add action=accept chain=forward comment=“NEW allow internet traffic”
THIS ONE: ( in nat rules wrong!!)/ip firewall natadd action=accept chain=forward comment=“NEW allow internet traffic”
YOu can go into the input chain on /ip firewall filter and remove all the added rule s there;
Thank you again very much.
I posted another question about VLAN config on a CSS326 in SWoS. Should I post it here instead?
anav
October 18, 2022, 7:26pm
8
No that is a separate enough topic and you should keep it there…
Yes, the CSS326 is connected to the Hex port #2 (ether2).
anav
October 18, 2022, 8:53pm
10
No vlans coming from the h ex though.
I’m still having problems.
I have Home Assistant on private IP 192.168.2.176 port 8123
From outside my LAN I can access it fine.
From inside the LAN, if I point a browser to 192.168.2.176:8123 it works.
But, if from inside the LAN I point to the :8123 it fails.
Do I need some sort of rule to allow this?
Here’s what I’ve got in the firewall.
Thank you!
/ip firewall filter
add action=accept chain=input comment="NEW defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=input comment="NEW defconf: drop invalid" connection-state=invalid
add action=accept chain=input comment="NEW defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment=NEW in-interface-list=LAN
add action=drop chain=input comment="NEW drop all else"
add action=fasttrack-connection chain=forward comment="NEW defconf: fasttrack" connection-state=established,related
add action=accept chain=forward comment="NEW defconf: accept established,related, untracked" connection-state=established,related,untracked
add action=accept chain=forward in-interface-list=LAN out-interface-list=WAN
add action=accept chain=forward comment="NEW allow port forwarding" connection-nat-state=dstnat
add action=drop chain=forward comment="NEW defconf: drop invalid" connection-state=invalid
add action=drop chain=forward comment=NEW
/ip firewall nat
add action=masquerade chain=srcnat comment="NEW defconf: masquerade" out-interface-list=WAN
add action=src-nat chain=srcnat comment="new 8123" disabled=yes dst-address=192.168.2.176 dst-port=8123 protocol=tcp to-addresses=192.168.2.176
add action=src-nat chain=srcnat comment="new 5800" disabled=yes dst-port=5800 protocol=tcp to-addresses=192.168.2.22
add action=src-nat chain=srcnat comment="new 5900" disabled=yes dst-port=5900 protocol=tcp to-addresses=192.168.2.22
add action=dst-nat chain=dstnat dst-port=8123 log=yes protocol=tcp to-addresses=192.168.2.176
Whew – solve it!
You had mention previously about Hairpin Nat and that is what solved my problem.
I used this thread:
http://forum.mikrotik.com/t/hairpin-nat-the-easy-way/146718/1
anav
October 19, 2022, 1:28pm
13
Excellent, yes the article on port forwarding I linked at the top of the thread, explains hairpin nat in detail.