Hi, can I run RouterOS as an exposed host? If I configure the firewall properly, what are the chances someone can hack it?
I have a cable modem that has WAN, but I was wondering if I can block everything except the MikroTik IP and leave it in the DMZ?
Also, this way I can VPN to it, as it does not work through the cable modem with NAT.
Thanks.
If you only forward the port needed for the VPN then it’s quite secure. No VPN vulnerabilities in ROS are currently known. To make the RB even safer you could deploy some more advanced techniques, such as port knocking.
So on this machine I am planning to run a Plex server, torrent, a bitcoin node and a lightning wallet; that is about 5-6 more ports open towards the internet. Would that compromise the router?
No, the problem is when you open management ports of the router to the internet, like Winbox/SSH/Telnet/web to the router itself.
Opening ports through the router should be no problem.
But you need to make sure that the services you open are secure: use good passwords, follow best practice, etc.
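Putting the two answers above into RouterOS terms, here is an added example (mine, not from this thread, MikroTik's documentation or the default configuration) of an input-chain firewall for the first scenario: the cable modem forwards everything to the MikroTik, the MikroTik is the VPN endpoint, and a port-knock sequence gates the VPN port. Assumed values: ether1 is the WAN interface, the LAN is 192.168.88.0/24, the VPN is WireGuard on UDP/13231 (RouterOS v7; substitute the port of whatever VPN you run), and the knock ports 1111 and 2222 are made up.

```routeros
# Added example, not from the thread: input chain for a MikroTik sitting in the
# cable modem's DMZ (scenario 1). Assumptions: WAN = ether1, LAN = 192.168.88.0/24,
# VPN = WireGuard on UDP/13231 (RouterOS v7), knock ports 1111 and 2222 are made up.

/interface list add name=WAN
/interface list member add list=WAN interface=ether1

/ip firewall filter
# same skeleton as the default firewall: keep existing flows, drop broken ones
add chain=input action=accept connection-state=established,related,untracked comment="accept established/related"
add chain=input action=drop connection-state=invalid comment="drop invalid"

# port knocking: knock 1 puts the source on a 30 s list; knock 2 is only valid from
# that list and promotes the source to vpn-allowed for 10 minutes. Neither rule
# accepts the packet, so the knock itself still ends in the final drop rule.
add chain=input action=add-src-to-address-list address-list=knock-stage1 address-list-timeout=30s protocol=tcp dst-port=1111 in-interface-list=WAN comment="knock 1"
add chain=input action=add-src-to-address-list address-list=vpn-allowed address-list-timeout=10m protocol=tcp dst-port=2222 src-address-list=knock-stage1 in-interface-list=WAN comment="knock 2"

# the only service reachable from the internet: the VPN endpoint, and only after a knock
add chain=input action=accept protocol=udp dst-port=13231 src-address-list=vpn-allowed in-interface-list=WAN comment="WireGuard from knocked sources"

# the LAN (and the VPN tunnel interface, which is not in the WAN list) may talk to the router
add chain=input action=accept in-interface-list=!WAN comment="allow from LAN/VPN"

# everything else arriving on WAN, including Winbox/SSH/Telnet/web, is dropped
add chain=input action=drop in-interface-list=WAN comment="drop rest from WAN"

# belt and braces: bind management services to the LAN range and switch off the unused ones,
# so a mistake in the filter rules above still does not expose them to the internet
/ip service set winbox address=192.168.88.0/24
/ip service set ssh address=192.168.88.0/24
/ip service disable telnet,ftp,www,api,api-ssl
```

To check it, `/ip firewall address-list print` should show a source in vpn-allowed only after both knocks arrived in order within 30 seconds, and `/ip firewall filter print stats` should show the final drop rule counting every other packet from WAN. Because the cable modem's DMZ forwards all ports to the MikroTik, no extra forwarding for the knock ports is needed there.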
Now I’m confused about your network topology. I’ll assume this one:
cable modem (internet gateway, NAT) <-+-> mikrotik (for VPN)
                                      |   (NAT, basic firewall, ...)
                                      \-> host for other things
There are two things:
- the device acting as VPN endpoint (mikrotik): you need to NAT one port (or more in the case of port knocking) from the cable modem to the mikrotik
- the host for other things, which might need NATed ports or not, depending on the intended availability from the internet. E.g. a bitcoin miner probably doesn’t need a port forwarded, as NAT handles it dynamically for LAN clients connecting to WAN servers.
You might actually want to reconfigure cable modem into bridge mode and use mikrotik as router, firewall, …
cable modem <---> mikrotik <--> LAN
(bridge mode)        |
                     \--> host for other things
In this case, you’d configure all NAT and port forwarding on the mikrotik. Using fine firewall rules (the default is fine; you only need to add a few rules to allow certain connections that are otherwise forbidden), the whole setup can still be secure enough.
In both cases you can decide whether the “host for other things” is actually part of your LAN or separate (a kind of DMZ). In the first scenario you can put the LAN either behind the mikrotik or parallel to it (but it’s highly probable that the cable modem lacks much of the routing/firewall capability present in ROS); in the second scenario you can decide to have two LAN segments, one for the DMZ and one for the rest of the LAN (it is just a matter of proper configuration).
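For the second scenario, here is an added example (mine, not from the thread or from MikroTik) of the NAT and forward-chain configuration with the “host for other things” on its own DMZ segment, so that a compromise of one of its exposed services does not land the attacker on the same segment as the rest of the LAN. Assumed values: ether1 is the WAN (the bridged cable modem), ether2 the LAN 192.168.88.0/24, ether3 the DMZ 192.168.89.0/24 with the host at 192.168.89.10; the published services use Plex’s default 32400/tcp and the bitcoin node’s default 8333/tcp. The input-chain rules protecting the router itself are the default firewall’s and are not repeated here.

```routeros
# Added example, not from the thread: MikroTik as the router behind a cable modem
# in bridge mode (scenario 2), with a separate DMZ segment for the exposed host.
# Assumptions: ether1 = WAN, ether2 = LAN (192.168.88.0/24), ether3 = DMZ
# (192.168.89.0/24), DMZ host = 192.168.89.10. Ports are the services' defaults.

/interface list add name=WAN
/interface list member add list=WAN interface=ether1

/ip address add address=192.168.88.1/24 interface=ether2 comment="LAN"
/ip address add address=192.168.89.1/24 interface=ether3 comment="DMZ"

/ip firewall nat
# outbound: both segments share the single public address
add chain=srcnat action=masquerade out-interface-list=WAN comment="LAN+DMZ to internet"
# inbound: only the published service ports are forwarded, and only to the DMZ host
add chain=dstnat action=dst-nat to-addresses=192.168.89.10 protocol=tcp dst-port=32400 in-interface-list=WAN comment="Plex -> DMZ host"
add chain=dstnat action=dst-nat to-addresses=192.168.89.10 protocol=tcp dst-port=8333 in-interface-list=WAN comment="bitcoin node -> DMZ host"

/ip firewall filter
# forward chain, same skeleton as the default firewall
add chain=forward action=accept connection-state=established,related,untracked comment="accept established/related"
add chain=forward action=drop connection-state=invalid comment="drop invalid"
# from WAN, only connections that hit a dst-nat rule above may be forwarded;
# a port that is not dst-natted stays closed even if the DMZ host listens on it
add chain=forward action=drop connection-state=new connection-nat-state=!dstnat in-interface-list=WAN comment="drop new from WAN not dst-natted"
# treat the exposed host as untrusted: it may not open connections into the LAN
# (LAN -> DMZ still works because the replies match the established rule above)
add chain=forward action=drop connection-state=new in-interface=ether3 out-interface=ether2 comment="DMZ may not reach LAN"
```

`/ip firewall nat print stats` shows the two dst-nat rules counting when the services are reached from outside, and `/ip firewall filter print stats` shows the last rule counting any attempt by the DMZ host to reach the LAN. Adding a further service later means adding one dst-nat rule and nothing else; the forward-chain drop for non-dst-natted WAN traffic covers it automatically.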
The cable modem is on the 0.1 LAN and gives the mikrotik the 0.2 address; then the mikrotik has its own 88.1-100 IP range. I will not connect anything to the Technicolor cable modem except the mikrotik, and everything on the network will be in the 88.1 LAN.
The Technicolor modem does not have bridge mode, I think…
OK, thank you.