Hi, I want to implement a DMZ.
For example:
I have 3 interfaces: LAN, DMZ and WAN
*Traffic initiated in LAN with destination DMZ or WAN must be allowed, and also the DMZ or WAN response to LAN
*Traffic initiated in DMZ with destination LAN must be denied. It must only be permitted if a rule exists allowing that connection initiated from the DMZ.
Can you show me how to do firewall rules to get what I want?
I was thinking of something like:
(Permit all traffic from LAN)
chain=forward action=accept in-interface=LAN
(Permit response from DMZ to LAN when traffic is initiated on LAN)
chain=forward action=accept connection-state=established,related in-interface=DMZ out-interface=LAN
(Drop traffic initiated on DMZ to LAN)
chain=forward action=drop connection-state=new in-interface=DMZ out-interface=LAN log=no log-prefix=""
Normally (when you trust connection tracking) you would use a single accept rule for established,related without interface spec, then accept "new" traffic in the direction(s) you want (i.e. from LAN, and probably some selected ports from internet to DMZ) and finally a drop to drop everything not matching.
Note that the MikroTik default firewall is much like this except that it denies unwanted new traffic and then ends with a default accept.
I don’t like that method, but I understand why they do this (much less chance of locking yourself out).
When setting up a default-drop firewall, first add a default accept rule at the end (you can enable logging to help) and see what it catches, and only change it into a drop once you have identified that it is not accepting any wanted traffic.
Of course you also use safe mode when working on a firewall without having a second access.
(serial port, unfiltered network port, IPv6 as an alternative protocol, or MAC-address access)
/ip firewall filter
add action=accept chain=forward connection-state=established,related,untracked \
comment="allow established, related and untracked"
add action=drop chain=forward connection-state=invalid \
comment="drop invalid"
# things to allow:
add action=accept chain=forward in-interface=<LAN> \
comment="allow everything from LAN"
add action=accept chain=forward connection-nat-state=dstnat \
comment="allow forwarded ports"
# end of things to allow
add action=log chain=forward disabled=yes \
comment="log what will be blocked; use before enabling the last reject rule"
add action=reject chain=forward reject-with=icmp-admin-prohibited \
comment="block everything else"
Everything not specifically allowed is blocked, so it’s not easy to let something pass by mistake. Then add what else should be allowed, e.g. if you’d want to allow access from DMZ to WAN, you’d add:
Similarly, our standard starting config contains an address list named whitelist.mgmt where we designate any management subnets. The first rule of the firewall permits the management traffic. The second removes all the default firewall rules, then the rest of our standard ruleset is pasted in.
/ip firewall filter
add chain=input src-address-list=whitelist.mgmt
remove [find where !dynamic]
I have a configuration on the RB2011 with the following ports: eth1 PPPoE, eth2 LAN, eth5 DMZ; none of the ports are in a bridge. I have configured a NAT from PPPoE to the DMZ without specifying any protocol, but I wanted the DMZ to be isolated from the LAN.
The DMZ serves only for internet service for customers.
To make sure that no one from the DMZ enters the LAN, do I have to add further filters?
It depends. If you used a config like I posted, then everything not specifically allowed is blocked. So if you didn't allow access from DMZ to LAN, it's already blocked and you don't need to do anything. If you have something else, it's impossible to tell without seeing it.
I wanted to find a configuration that blocks everything from WAN to LAN and then open the doors that interest me.
The default configuration does not, and every time I configure an RB I go crazy. Surely I have inserted rules that are useless.
Is there a configuration that blocks everything except for the internet?
The current default configuration does block everything from WAN. But it allows everything else, so if you change the default WAN port, you need to update the config for the new one.
Try to look at the config I posted; it's just a few rules. Try to understand what they do and you'll get it. I'm not sure how to make it any simpler.
I saw that it closes all the doors from WAN to LAN and that's fine.
I open the doors that interest me, only I need to open TCP port 21 to access the NAS from the WAN side, and it does not work.
If I disable the rule: add action=reject chain=forward reject-with=icmp-admin-prohibited comment="block everything else"
then it works. Do I have to do anything else?
I'd say you need proper dstnat rule(s). And if you already did try something, it would be a good idea to post what exactly you tried. You know, so that someone could possibly point out any mistakes. Just saying "I tried something and it didn't work" isn't very useful.
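As an added example (not posted by anyone in this thread), here is the default-drop ruleset from earlier in the thread extended to the three-interface layout the original poster and the RB2011 user describe: LAN may initiate to DMZ and WAN, DMZ may initiate to WAN only, DMZ to LAN is caught by the final reject, and WAN reaches the DMZ only through explicit dst-nat, which is what the NAS port-forward question needs. Interface names ether2 (LAN), ether5 (DMZ) and the PPPoE client pppoe-out1, the DMZ subnet and the NAS address 192.168.50.10 are assumptions for illustration, not values from the thread.

```routeros
# Added example; interface names, the DMZ subnet and the NAS address are
# constructed placeholders for illustration.
/ip firewall filter
add chain=forward action=accept connection-state=established,related,untracked \
    comment="allow established, related and untracked"
add chain=forward action=drop connection-state=invalid \
    comment="drop invalid"
# --- things to allow ---
add chain=forward action=accept in-interface=ether2 \
    comment="LAN may initiate connections to DMZ and WAN"
add chain=forward action=accept in-interface=ether5 out-interface=pppoe-out1 \
    comment="DMZ may initiate connections to WAN only (no rule for DMZ -> LAN)"
add chain=forward action=accept connection-nat-state=dstnat \
    comment="allow whatever the dst-nat rules below forward (e.g. the NAS)"
# --- end of things to allow ---
add chain=forward action=log disabled=yes log-prefix="fwd-blocked: " \
    comment="enable while testing to see what the last rule would block"
add chain=forward action=reject reject-with=icmp-admin-prohibited \
    comment="block everything else, including DMZ -> LAN and unsolicited WAN traffic"

/ip firewall nat
add chain=srcnat action=masquerade out-interface=pppoe-out1 \
    comment="LAN and DMZ leave the router with the PPPoE address"
add chain=dstnat action=dst-nat in-interface=pppoe-out1 protocol=tcp dst-port=21 \
    to-addresses=192.168.50.10 to-ports=21 \
    comment="forward TCP/21 from WAN to the NAS in the DMZ (placeholder address)"
```

Rule order matters: the dst-nat entry only makes the forwarded packet match `connection-nat-state=dstnat` in the forward chain, so without the corresponding accept rule the final reject still blocks it, which matches the symptom described above where disabling the reject "fixed" it. Enable the log rule before switching from a trailing accept to the reject, as the earlier reply recommends, and only keep the reject once the log shows nothing wanted being caught.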