CHR 7.6 firewall issues

RouterOS General
1

Hello, i have installed a chr on cloud vm and i am trying to create some firewall rules in order to secure my router.

my problem is that my rules doesn’t work, it seems like they get bypass!! for example ssh and winbox are allowed while i have an input rule to drop everything from wan. also my bruteforce rules are not “catching” packets, they should count traffic these rules.

bellow is my config:

/interface ethernet
set [ find default-name=ether1 ] disable-running-check=no
/interface list
add name=LAN
add name=WAN
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/port
set 0 name=serial0
/ip neighbor discovery-settings
set discover-interface-list=none
/ipv6 settings
set disable-ipv6=yes
/interface list member
add interface=ether1 list=WAN
/ip address
add address=5.XXXX.XXXX.196/24 interface=ether1 network=5.XXX.XXX.0
/ip dhcp-client
add disabled=yes interface=ether1
/ip dns
set servers=XXXXXXXXX,XXXXXXX
/ip firewall filter
add action=add-src-to-address-list address-list="port scanners" \
    address-list-timeout=2w chain=input comment="Port Scanners to list" \
    protocol=tcp psd=21,3s,3,1
add action=add-src-to-address-list address-list="port scanners" \
    address-list-timeout=2w chain=input comment="NMAP FIN stealth scan" \
    protocol=tcp tcp-flags=fin,!syn,!rst,!psh,!ack,!urg
add action=add-src-to-address-list address-list="port scanners" \
    address-list-timeout=2w chain=input comment="FIN/PSH/URG scan" protocol=\
    tcp tcp-flags=fin,psh,urg,!syn,!rst,!ack
add action=add-src-to-address-list address-list="port scanners" \
    address-list-timeout=2w chain=input comment="ALL/ALL scan" protocol=tcp \
    tcp-flags=fin,syn,rst,psh,ack,urg
add action=add-src-to-address-list address-list="port scanners" \
    address-list-timeout=2w chain=input comment="NMAP NULL scan" protocol=tcp \
    tcp-flags=!fin,!syn,!rst,!psh,!ack,!urg
add action=add-src-to-address-list address-list="port scanners" \
    address-list-timeout=2w chain=input comment="SYN/FIN scan" protocol=tcp \
    tcp-flags=fin,syn
add action=add-src-to-address-list address-list="port scanners" \
    address-list-timeout=2w chain=input comment="SYN/RST scan" protocol=tcp \
    tcp-flags=syn,rst
add action=jump chain=input comment="SYN Flood INPUT" connection-state=new \
    jump-target=syn-attack protocol=tcp tcp-flags=syn
add action=add-src-to-address-list address-list=bruteforce_blacklist \
    address-list-timeout=1d chain=input comment=Blacklist connection-state=\
    new dst-port=1026,8292 protocol=tcp src-address-list=connection3
add action=add-src-to-address-list address-list=connection3 \
    address-list-timeout=1h chain=input comment="Third attempt" \
    connection-state=new dst-port=1026,8292 protocol=tcp src-address-list=\
    connection2,!secured
add action=add-src-to-address-list address-list=connection2 \
    address-list-timeout=15m chain=input comment="Second attempt" \
    connection-state=new dst-port=1026,8292 protocol=tcp src-address-list=\
    connection1
add action=add-src-to-address-list address-list=connection1 \
    address-list-timeout=5m chain=input comment="First attempt" \
    connection-state=new dst-port=1026,8292 protocol=tcp
add action=accept chain=input comment="bruteforce ssh&winbox" disabled=yes \
    dst-port=1026,8292 protocol=tcp src-address-list=!bruteforce_blacklist
add action=accept chain=input comment="WG VPN Rule" dst-port=13231 protocol=\
    udp
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=drop chain=input src-address-list="port scanners"
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment=\
    "defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=drop chain=input comment="defconf: drop all not coming from LAN"
add action=jump chain=forward comment="SYN Flood FW" connection-state=new \
    jump-target=syn-attack protocol=tcp tcp-flags=syn
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
    ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
    ipsec-policy=out,ipsec
add action=accept chain=forward comment=\
    "defconf: accept established,related, untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
add action=drop chain=forward comment=\
    "defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
    connection-state=new in-interface-list=WAN
add action=accept chain=syn-attack connection-state=new limit=400,5:packet \
    protocol=tcp tcp-flags=syn
add action=drop chain=syn-attack connection-state=new log=yes log-prefix=\
    SYN-ATK protocol=tcp tcp-flags=syn
/ip firewall nat
add action=masquerade chain=srcnat ipsec-policy=out,none out-interface-list=\
    WAN
/ip firewall raw
add action=drop chain=prerouting dst-port=53 in-interface-list=WAN log=yes \
    log-prefix="WAN DNS" protocol=udp
/ip route
add dst-address=0.0.0.0/0 gateway=5.XXXX.XXXX.1
/ip service
set telnet disabled=yes
set ftp disabled=yes
set www disabled=yes
set ssh port=1026
set api disabled=yes
set winbox port=8292
set api-ssl disabled=yes
/ip ssh
set strong-crypto=yes
/system clock
set time-zone-name=Europe/Amsterdam
/tool bandwidth-server
set enabled=no
/tool mac-server
set allowed-interface-list=none
/tool mac-server mac-winbox
set allowed-interface-list=none
/tool mac-server ping
set enabled=no

what i am configuring wrong? why firewall is not working properly? i have only 1 interface ether1 and is in WAN interface list. the accept input rule for winbox and ssh it is disabled but still i can connect. i have tried to clear connection tracker and reboot the chr.

2

So, what is this rule suppose to do ?

add action=accept chain=input comment=“bruteforce ssh&winbox” disabled=yes
dst-port=1026,8292 protocol=tcp src-address-list=!bruteforce_blacklist


So you ARE allowing SSH + Winbox to your router if they are NOT the bruteforce_blacklist.

Why not make such filter rules and ONLY ALLOW IP’s that are on a specific white-list of trusted public IP’s ?

3

disabled=yes :slight_smile: and it is still allowing connections.

4

The rule is disabled. But yes, it’s not clear what was the firewall config when @OP did the vetification …

5

Fixed the horrible firewall settings!!
However you have to make sure you can reach the CHR for configuration purposes, assuming you have something set up ???
If not how do you reach it.
I am hoping something smart like Wireguard.
By the way you have no LAN of any sort on the CHR right??

To reach winbox you need access to the input chain, so for example I would come into the router via wireguard,
I would use SSH to reach my VM but to reach the router I would use WG and perhaps SSH as a backup.
You also need to have an interface attached to /tool mac-server mac-winbox

By the way, no clue as to why you think you need bloated firewall rules.
Are you running servers as there is none indicated on your config??

/ip firewall filter
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment=\
    "defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=accept chain=input in-interface=wg-interface src-address-list=authorized  { for future wireguard access to chr }
add action=accept chain=input  src-address=SSH address??? dst=port=winboxport  protocol=tcp { for current SSH connection }
add action=drop chain=input comment="drop all else"
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related
add action=accept chain=forward comment="defconf: accept established,related, untracked" connection-state=established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=forward comment="allow internet traffic" in-interface=wg-interface out-interface-list=WAN  { for future access to internet from wg clients }
add action=drop chain=forward  comment="drop all else"
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" out-interface-list=WAN
/ip route
add dst-address=0.0.0.0/0 gateway=5.XXXX.XXXX.1
/ip service
set telnet disabled=yes
set ftp disabled=yes
set www disabled=yes
set ssh port=1026   {  i usually never publish my ssh port !! }
set api disabled=yes
set winbox port=xxxxxxx  { i usually never publish my winbox port !! }
set api-ssl disabled=yes
/ip ssh
set strong-crypto=yes
/system clock
set time-zone-name=Europe/Amsterdam
/tool bandwidth-server
set enabled=no
/tool mac-server
set allowed-interface-list=none
/tool mac-server mac-winbox
set allowed-interface-list=ADMIN

/interface list
add name=ADMIN
/interface list members
add interface=wg-interface  list=ADMIN
add interface=SSH  list=ADMIN
6

Hello, thanks for the info!
I will use wireguard to create a few site2site VPNs and also i will manage the chr through SSH and WG.

I have no LAN on CHR, only 1 WAN and a WG that i will create and use it as relay VPN server.

Also why i need to have an interface attached to /tool mac-server mac-winbox? is it not a security issue?

Can you explain me why my rules didn’t work and what was the mistake in order to learn?

thanks again!