My MikroTik switch ( https://mikrotik.com/product/CRS326-24G-2SplusRM ) has RouterOS, operating in Bridge Mode.
I’m just learning the RouterOS Firewall. I already have some iptables experience.
On this wiki page is an intro with an example config: https://wiki.mikrotik.com/wiki/Manual:IP/Firewall/Filter ,
but my requirements for all traffic (WAN-to-LAN, LAN-to-ANY) are different (much more stringent):
by default block everything, explicitly define each protocol/port that shall be allowed/opened.
Let’s say my LAN is 192.168.0.0/17 and I have to put the following items into the firewall:
srcIP         srcLoc  srcPort  destIP        destLoc  destPort  Protocol  Comments
------------  ------  -------  ------------  -------  --------  --------  -------------
any           LAN     any      any           any      80        tcp       http
any           LAN     any      any           any      443       tcp       https
any           LAN     any      any           any      22        tcp       ssh
any           LAN     any      1.2.3.4       WAN      465       tcp       smtps (ssmtp)
any           LAN     any      1.2.3.4       WAN      995       tcp       pop3s
any           LAN     any      192.168.10.1  LAN      53        udp+tcp   DNS
192.168.11.x  LAN     any      192.168.10.1  LAN      1234      tcp       blafoo
How best to do/organize this in this firewall? This FW has no entries defined yet.
Could someone show me a skeleton example script on how best to do this?
Thanks, but what does “default Firewall Filter” mean? Should it be available in the device by default?
When I issue this command it prints nothing but the header, so I’m a little bit confused (btw, the device has 7.0beta5 installed):
[xxxxx@MikroTik] > /ip firewall filter print
Flags: X - disabled, I - invalid; D - dynamic
[xxxxx@MikroTik] >
We strongly suggest to keep default firewall on. Here are a few adjustments to make it more secure, …
Unfortunately I just don’t understand why my device does not know anything of these said default firewall settings.
I myself did not delete any firewall stuff yet. I only did a software upgrade to the latest 7.0beta5 from the latest 6.x release version.
So far I haven’t configured the firewall of this device (my two uplink routers of alien brand have firewalls of their own, which I have used so far, but now I will also use the FW of this switch).
So, why is this mentioned default firewall not present in my switch device, and: where can I find these default firewall settings to study & use?
@Zacharias, again thanks for posting the default firewall settings, but I wonder wherefrom you got them yourself? Did you find it in your device or is that from a MikroTik document/webpage?
As said above, in my device there are no such default firewall entries present, as far as I can see; I hope I haven’t overlooked anything.
@mutluit
Your switch CRS326-24G-2SplusRM does not have the same default Firewall rules like a Router would have.
Your switch default CONFIGURATION is a switch, not a Router. Your Switch does have L3 capabilities that you would have to configure yourself. BUT like I mentioned in another of your threads, the CRS326-24G-2SplusRM’s performance as an L3 device is poor.
@mozerd, thanks for clarification and the links. I want to keep this device as is by default: a switch with RouterOS in Bridge Mode, but will need to use its firewall as well.
Is this configuration/setup choice a good/acceptable one, or would there be a better configuration/setup in terms of security and performance?
(as was already mentioned in one of the other threads, it shall serve just about 20x 1G clients and 2x 10G servers, all inside the LAN, and where this switch is placed behind 2 uplink-WAN-routers. Security is the most important requirement, then network performance. Currently still testing/configuring/learning the device in a non-productive test environment with 7.0beta5 firmware)
Since you will be attaching 2 10G servers … how will your users use these servers? What sort of access privileges will be needed? Will anyone on the WAN side need access to these servers? Have you or your team given user access privileges any thought? Always remember that simplicity is your best friend … it’s not the number of rules that is important … it’s the least number of rules needed to meet your objectives. Always keep it simple.
The most important RULE in Router/Switch Security is being pro-active … so you must define the user privileges first then write the rules to fit that need.
Yes, thanks, I already have applied the above recommendations for protecting the admin access to the device, and access from WAN to the LAN is limited to a few admin users only.
Regarding users accessing the local servers: they access only a few special applications serving from certain ports using the tcp protocol, and these applications have their own user management with password.
Ok, I’ll take a closer look at the user privilege settings in RouterOS, but I think these are device admin users only, not the normal users in LAN. Never mind, I’ll see. Thx again.
This is the Default Firewall a Mikrotik Router has configured…
Your CRS does not have it because it is intended to be used as a switch, that is the reason…
I just informed you of MikroTik’s suggested firewall… which of course you can make more strict…
The link that @mozerd posted has the same Firewall Rules I posted in my earlier post…
Ok, all right, I finally grasped it as follows: only on the router models is a default firewall pre-configured, not on switch devices like mine; on the switch devices one can configure and use the firewall as well, but then the performance of the device can slightly degrade.
Thanks everybody kindly helping me to understand my MT device better.
Exactly…
All the CRS Series models are Router-Switches, you might use it as a Switch only or a Router or both… It is up to you…
So in case you choose to use it as a Routing Device you must setup a Firewall…
Here you can see the performance results of the Device either for Switching or Routing…
In case it will be used as a Router, the performance in terms of speed will be at a Max of about 270 Mbps…
@Zacharias, I’m going to use your above posted default firewall settings.
As said, I’ll use this CRS router-switch device as a switch (not as a router), but with RouterOS. It is in Bridge Mode instead of Router Mode.
Forgive me, but I don’t even know yet what this CAPsMAN thing is. Do I really need the following action?
add action=accept chain=input comment="defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
And: I don’t use any ipsec yet, maybe later. Can I safely skip these two?
add action=accept chain=forward comment="defconf: accept in ipsec policy" ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" ipsec-policy=out,ipsec
And: what is this fasttrack thing?
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related
Hmm, that I unfortunately don’t understand, because I want to use the firewall on the switch as this has many advantages in my use case: centrally configuring firewall rules for all attached devices/clients…
If that’s the case then configure your CRS as a Router-Switch…
That means, all the important facilities must be running on the CRS, DHCP, DNS, Firewall, Routing etc…
Of course the above is not important… You can enable IP Firewall in the Bridge Settings and filter the traffic passing through the Bridge… But I do not consider such a configuration ideal for your case…
Hi folks, can you please check whether my below draft firewall script is ok.
Not all the said tcp ports are entered yet, but for testing it should suffice.
There is one important question open: how do I cover the ARP packets the devices do send and receive between each other, esp. to/from the router, in the LAN?
### My firewall script (draft/experimental; not tested yet):
/ip firewall filter
add chain=input connection-state=established,related,untracked action=accept
add chain=input connection-state=invalid action=drop
#add chain=input protocol=icmp action=accept # see below
#add chain=input dst-address=127.0.0.1 action=accept # CAPsMAN
#add chain=input in-interface-list=!LAN action=drop # drop all not coming from LAN
#add chain=forward ipsec-policy=in,ipsec action=accept
#add chain=forward ipsec-policy=out,ipsec action=accept
add chain=forward connection-state=established,related action=fasttrack-connection
add chain=forward connection-state=established,related,untracked action=accept
add chain=forward connection-state=invalid action=drop
# drop all new connections from WAN that were not DNATed
add chain=forward connection-nat-state=!dstnat connection-state=new in-interface-list=WAN action=drop
### Block "bogon" IP addresses:
add chain=forward src-address=0.0.0.0/8 action=drop
add chain=forward dst-address=0.0.0.0/8 action=drop
add chain=forward src-address=127.0.0.0/8 action=drop
add chain=forward dst-address=127.0.0.0/8 action=drop
add chain=forward src-address=224.0.0.0/3 action=drop
add chain=forward dst-address=224.0.0.0/3 action=drop
### Make jumps to new chains:
add chain=forward protocol=tcp action=jump jump-target=tcp
add chain=forward protocol=udp action=jump jump-target=udp
add chain=forward protocol=icmp action=jump jump-target=icmp
#...
# CHECK: what about ARP etc.?
add chain=forward action=drop comment="deny anything other"
### Create tcp chain and allow only some tcp ports, and at end drop all the rest:
add chain=tcp protocol=tcp dst-port=80 action=accept
add chain=tcp protocol=tcp dst-port=443 action=accept
add chain=tcp protocol=tcp dst-port=22 action=accept
add chain=tcp protocol=tcp dst-port=53 action=accept
add chain=tcp protocol=tcp dst-port=123 action=accept
#...
add chain=tcp action=drop comment="deny any other tcp"
### Create udp chain and allow only some udp ports, and at end drop all the rest:
add chain=udp protocol=udp dst-port=53 action=accept
add chain=udp protocol=udp dst-port=123 action=accept
#...
add chain=udp action=drop comment="deny any other udp"
### Create icmp chain and allow only needed icmp types:
add chain=icmp protocol=icmp icmp-options=0:0 action=accept comment="echo reply"
add chain=icmp protocol=icmp icmp-options=3:0 action=accept comment="net unreachable"
add chain=icmp protocol=icmp icmp-options=3:1 action=accept comment="host unreachable"
add chain=icmp protocol=icmp icmp-options=3:4 action=accept comment="fragmentation needed (path MTU discovery)"
add chain=icmp protocol=icmp icmp-options=4:0 action=accept comment="allow source quench"
add chain=icmp protocol=icmp icmp-options=8:0 action=accept comment="allow echo request"
add chain=icmp protocol=icmp icmp-options=11:0 action=accept comment="allow time exceeded"
add chain=icmp protocol=icmp icmp-options=12:0 action=accept comment="allow parameter problem"
#...
add chain=icmp action=drop comment="deny all other icmp types"
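The following is an added example by the editor, not a post from the thread and not MikroTik's default configuration. It shows one way to turn the rule table from the first post into a default-deny filter on a CRS that stays in bridge mode, and it answers the open ARP question from the draft above by putting ARP handling where the IP firewall cannot reach it. Assumptions not stated in the thread: the bridge interface is named "bridge", "192.168.11.x" means 192.168.11.0/24, the switch is managed only from the LAN over SSH and WinBox, and no connections are initiated from the WAN side.

```routeros
# Added example (editor's own, not from the thread or from MikroTik):
# the first post's rule table as a default-deny RouterOS filter for a CRS in
# bridge mode. Assumptions: bridge is "bridge"; "192.168.11.x" = 192.168.11.0/24;
# management (ssh, winbox) from LAN only; nothing initiated from WAN.

# In bridge mode the IP firewall sees bridged traffic only with this switched on.
/interface bridge settings
set use-ip-firewall=yes

/ip firewall address-list
add list=LAN address=192.168.0.0/17 comment="whole LAN (from the thread)"
add list=BLAFOO_CLIENTS address=192.168.11.0/24 comment="assumed: 192.168.11.x"

/ip firewall filter
# --- input: traffic addressed to the switch itself ---
add chain=input connection-state=established,related action=accept
add chain=input connection-state=invalid action=drop
add chain=input src-address-list=LAN protocol=icmp action=accept comment="ping from LAN"
add chain=input src-address-list=LAN protocol=tcp dst-port=22,8291 action=accept comment="ssh, winbox from LAN only"
add chain=input action=drop log=yes log-prefix="INPUT-DROP" comment="default deny to the switch"

# --- forward: traffic passing through the bridge ---
add chain=forward connection-state=established,related action=accept
add chain=forward connection-state=invalid action=drop
# table rows: LAN -> any, tcp 80/443/22
add chain=forward connection-state=new src-address-list=LAN protocol=tcp dst-port=80,443,22 action=accept comment="http https ssh"
# table rows: LAN -> 1.2.3.4 (WAN), tcp 465/995
add chain=forward connection-state=new src-address-list=LAN dst-address=1.2.3.4 protocol=tcp dst-port=465,995 action=accept comment="smtps pop3s"
# table row: LAN -> 192.168.10.1, DNS over udp and tcp
add chain=forward connection-state=new src-address-list=LAN dst-address=192.168.10.1 protocol=udp dst-port=53 action=accept comment="DNS udp"
add chain=forward connection-state=new src-address-list=LAN dst-address=192.168.10.1 protocol=tcp dst-port=53 action=accept comment="DNS tcp"
# table row: 192.168.11.x -> 192.168.10.1:1234
add chain=forward connection-state=new src-address-list=BLAFOO_CLIENTS dst-address=192.168.10.1 protocol=tcp dst-port=1234 action=accept comment="blafoo"
add chain=forward action=drop log=yes log-prefix="FWD-DROP" comment="default deny through the bridge"

# ARP is not IP, so nothing in /ip firewall filter ever matches it; the bridge
# switches it at layer 2 regardless of the rules above. ARP policy belongs in
# the bridge (L2) filter. Example: drop ARP whose sender claims an address
# outside the LAN prefix (illustrative; adjust to the real uplink addressing).
/interface bridge filter
add chain=forward mac-protocol=arp arp-src-address=!192.168.0.0/17 action=drop comment="ARP from outside LAN prefix"
```

Two points worth checking after pasting this in: first, every accept in the forward chain carries connection-state=new, so replies are covered by the established,related rule and the two drop rules at the end are the only way a packet leaves the chain; second, the input chain ends in an explicit drop, which the draft above does not, so test the management rule from the LAN before saving, or you will lock yourself out once the last rule is in place.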