DMZ Pinhole

Hi,
I am using a RB760iGS running 7.16.2 packages and firmware.
I have a LAN bridge configured on ether2&3 and the SFP socket, subnet 172.16.23.0/24.
I have a DMZ configured on ether4, subnet 172.16.24.0/28.

I have a Raspberry Pi running Network UPS Tools on 172.16.23.4:3493 and I am trying (without any success) to allow a NUT client on my Ubuntu server (172.16.24.8) in the DMZ to communicate with the RPi.
I used to run an OPNsense firewall and this was known as a pinhole between networks and was easy to set up through the web interface as it would write the firewall rules for you.

The firewall rules from the config are below. I am sure it's something simple that my lack of knowledge is missing, or not knowing the right phrase to search for. Any help would be greatly appreciated. If there are any good references for learning the RouterOS firewall that would be great, as I am using a lot of the hEX routers for work and seem to be muddling through.

/ip firewall filter
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=accept chain=forward in-interface-list=DMZ
add action=accept chain=input comment="defconf: accept ICMP" \
    in-bridge-port-list=LAN protocol=icmp
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=accept chain=input comment=\
    "defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
    ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
    ipsec-policy=out,ipsec
add action=accept chain=input comment="OVPN Pass" dst-port=1194 protocol=tcp
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
    connection-state=established,related hw-offload=yes
add action=accept chain=forward comment=\
    "defconf: accept established,related, untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward connection-state=new in-interface="DMZ Port" \
    out-interface=LAN_bridge
add action=drop chain=forward in-interface=ether5 out-interface=LAN_bridge
add action=drop chain=forward in-interface=VLAN_SCS_WORKSHOP out-interface=\
    LAN_bridge
add action=drop chain=forward in-interface=VLAN_SCS_WAN2 out-interface=\
    LAN_bridge
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
    in-interface-list=!LAN
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
add action=drop chain=forward comment=\
    "defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
    connection-state=new in-interface-list=WAN
add action=drop chain=input dst-port=53 in-interface=ether1 protocol=tcp
add action=drop chain=input dst-port=53 in-interface=ether1 protocol=udp
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" \
    ipsec-policy=out,none out-interface-list=WAN
add action=dst-nat chain=dstnat comment="NAT Incoming Mail " dst-address=\
    212.159.16.166 dst-port=587 protocol=tcp to-addresses=172.16.24.8 \
    to-ports=587
add action=dst-nat chain=dstnat comment="NAT SMTPS Incoming Mail " \
    dst-address=212.159.16.166 dst-port=465 protocol=tcp to-addresses=\
    172.16.24.8 to-ports=465
add action=dst-nat chain=dstnat comment="NAT SMTP Incoming Mail " \
    dst-address=212.159.16.166 dst-port=25 protocol=tcp to-addresses=\
    172.16.24.8 to-ports=25
add action=dst-nat chain=dstnat comment="NAT HTTP to the web server" \
    dst-address=212.159.16.166 dst-port=80 protocol=tcp to-addresses=\
    172.16.24.8 to-ports=80
add action=dst-nat chain=dstnat comment=\
    "NAT HTTP to the web server for webmail" dst-address=212.159.16.166 \
    dst-port=8081 protocol=tcp to-addresses=172.16.24.8 to-ports=8081
add action=dst-nat chain=dstnat dst-address=212.159.16.166 dst-port=110 \
    protocol=tcp to-addresses=172.16.24.8 to-ports=110
add action=dst-nat chain=dstnat dst-address=212.159.16.166 dst-port=143 \
    protocol=tcp to-addresses=172.16.24.8 to-ports=143
add action=dst-nat chain=dstnat comment="NAT IMAP to mail Server " \
    dst-address=212.159.16.166 dst-port=993 protocol=tcp to-addresses=\
    172.16.24.8 to-ports=993
add action=dst-nat chain=dstnat comment="NAT HTTPS to Web Server " \
    dst-address=212.159.16.166 dst-port=443 protocol=tcp to-addresses=\
    172.16.24.8 to-ports=443
add action=masquerade chain=srcnat out-interface=ether1
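As an added example (not from the thread or the poster's config): one way to open the NUT pinhole in the config above is a forward-chain accept scoped to the two hosts and TCP 3493, placed before the rule that drops new connections from "DMZ Port" to LAN_bridge, followed by the checks that confirm the rule is in the right place and is actually matching. It assumes the interface names, addresses and port from the posted config, and that the existing established/related accept and fasttrack rules handle the reply direction.

```routeros
# Pinhole: NUT client in the DMZ (172.16.24.8) -> NUT server on the Pi (172.16.23.4:3493).
# Only the first packet of a connection is "new"; replies are covered by the
# existing "accept established,related,untracked" / fasttrack rules further up.
# place-before puts the rule ahead of the existing uncommented drop for
# new connections from "DMZ Port" to LAN_bridge, so order is what makes it work.
/ip firewall filter
add action=accept chain=forward comment="pinhole: NUT client (DMZ) to NUT server (LAN)" \
    connection-state=new protocol=tcp src-address=172.16.24.8 dst-address=172.16.23.4 \
    dst-port=3493 in-interface="DMZ Port" out-interface=LAN_bridge \
    log=yes log-prefix="NUT-PINHOLE" \
    place-before=[find chain=forward action=drop connection-state=new \
        in-interface="DMZ Port" out-interface=LAN_bridge]

# Check 1: the accept must be listed ABOVE the DMZ->LAN drop in the forward chain.
/ip firewall filter print where chain=forward

# Check 2: after starting the NUT client (or "upsc ups@172.16.23.4" from the DMZ host),
# the packet/byte counters on the pinhole rule should increase and a log line appear.
/ip firewall filter print stats where comment~"pinhole"
/log print where message~"NUT-PINHOLE"

# Check 3: the connection should show up in conntrack as established, not stuck in new.
/ip firewall connection print where dst-address~"172.16.23.4:3493"

# Once confirmed, turn logging off so the accept rule stops filling the log.
/ip firewall filter set [find comment~"pinhole"] log=no
```

If the counters stay at zero, the packet is being matched by an earlier rule (for example the unscoped `accept chain=forward in-interface-list=DMZ` rule, depending on what the DMZ interface list contains), so the print order in check 1 is the first thing to read.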

Detailed network diagram would help understand.

Hi,
Network diagram attached.
network.jpg

So you have servers on one subnet.
a. are users coming to the servers from external?
b. are users coming from same subnet as servers?
c. are users coming from the other subnet (where pi is located)

So no traffic ORIGINATED at servers, only responses to incoming requests??
( except for NUT client originating traffic to PI ??? ).

Full config required.
/export file=anynameyouwish ( minus router serial number, any public WANIP information, keys etc. )

Hi,

The servers are web and mail. They have traffic from WAN and LAN going to DMZ. User PCs, NAS, and general LAN is where the Pi is located. The only thing originated from the server would be outbound mail, but all of that is working fine with dst-nat.

NUT client is running on the server to monitor the UPS for power failure. The NUT server is running on the Pi in the LAN. This is a home network so I have 1 ups running the LAN side and the 1 small web and mail server.

Config file attached.
Thanks for your help
The_Gate.rsc (10.2 KB)

When you are willing to change your config to the optimal one bridge approach - all vlans associated with bridge, will be happy to assist.
http://forum.mikrotik.com/t/using-routeros-to-vlan-your-network/126489/1

Thanks but I am looking for help on firewall rules not rebuilding the config.

There seems to be many ways to configure the RouterOS and your answer seems a bit “my way is best” and misses the question completely.

Understood, no worries. Most are not picky like me. :slight_smile:

You misunderstand, @anav was polite whereas I will say “your way is worse and you’ve killed your performance”,
see Layer2 misconfiguration - Bridges on a single switch chip
MT forum users generally ignore bad practice requests.

No offence was intended to anyone.

@anav - thanks for the information regarding VLANs. It was my misunderstanding of the hardware I am using; I presumed each port was a separate NIC instead of part of a switch.
@ConradPino - thanks for pointing out in a more blunt and to the point way that my current config and config design principles are killing the performance of the router.
I have taken onboard the principles and am working to build a new config.

Is dst-nat still the preferred method for allowing WAN access to servers / services (web and mail) within a VLAN, or is there a better solution?

The party line:
https://www.youtube.com/watch?v=a_8AV6vIDYQ
https://www.youtube.com/shorts/LEjg54S_C0M

https://www.youtube.com/watch?v=-kNHtlOb5n0&t=52s

I am working on rebuilding the config and wondered if there were any examples of how to make this more granular?

Allow VLANs to access router services like DNS, Winbox. Naturally, you SHOULD make it more granular.

add chain=input action=accept in-interface-list=VLAN comment="Allow VLAN"

Do I have to explicitly create drop firewall rules to stop traffic between vlans?

How do I allow the OpenVPN Client access to the LAN? I had this working in the old bad method not using VLANs, copied the config over and I am not able to access clients on the LAN side through the VPN as I did.
new_config.rsc (3.82 KB)

Everything was looking normal until you decided to add an undocumented immigrant in your config.
Where did vlan16 come from??

Also you stated you want nut client to reach pi… dmz to lan.
however in the diagram it states nut client LISTENing on port 3498, which IMPLIES that the pi is going to contact the nut client on that port, not the other way round???

I don't see any OVPN settings on the router input chain aka port?? Assuming this is a router service how do you expect to connect??

Too many interface lists for needs described
/interface list
add name=WAN
add name=LAN
add name=TRUSTED
/interface list members
add interface=ether1 list=WAN
add interface=LAN_VLAN list=LAN
add interface=DMZ_VLAN list=LAN
add interface=LAN_VLAN list=TRUSTED
add interface=OpenVPN_CLient list=TRUSTED

/ip firewall address-list
add address=192.168.100.X list=Authorized comment="local admin device 1"
add address=192.168.100.Y list=Authorized comment="local admin device 2"
add address=OVPN address ( or subnet ) list=Authorized comment="admin remote vpn"

/ip firewall filter
add action=accept chain=input connection-state=established,related,untracked
add action=drop chain=input connection-state=invalid
# keep ICMP enabled !!
add action=accept chain=input protocol=icmp
add action=accept chain=input in-interface-list=TRUSTED src-address-list=Authorized
add action=accept chain=input comment="users to services" dst-port=53 in-interface-list=LAN protocol=udp
add action=accept chain=input comment="users to services" dst-port=53 in-interface-list=LAN protocol=tcp
# add this rule last
add action=drop chain=input comment="Drop all else"
add action=fasttrack-connection chain=forward connection-state=established,related hw-offload=yes
add action=accept chain=forward connection-state=established,related,untracked
add action=drop chain=forward connection-state=invalid
add action=accept chain=forward comment="internet traffic" in-interface-list=LAN out-interface-list=WAN
add action=accept chain=forward comment="nut client to pi" in-interface=DMZ_VLAN src-address=172.16.24.8/32 out-interface=LAN_VLAN dst-address=172.16.23.4/32
add action=accept chain=forward comment="admin to LAN" in-interface-list=TRUSTED src-address-list=Authorized out-interface-list=LAN
add action=accept chain=forward comment="port forwarding" connection-nat-state=dstnat
add action=drop chain=forward comment="Drop all else"

ether5 removed until vlan16 mystery cleared up, but missing sfp1

/interface bridge port
add bridge=br1 ingress-filtering=yes frame-types=admit-only-untagged-and-priority-tagged interface=ether2 pvid=10
add bridge=br1 ingress-filtering=yes frame-types=admit-only-untagged-and-priority-tagged interface=ether3 pvid=10
add bridge=br1 ingress-filtering=yes frame-types=admit-only-untagged-and-priority-tagged interface=ether4 pvid=20
add bridge=br1 ingress-filtering=yes frame-types=admit-only-vlan-tagged interface=sfp1 comment="trunk to switch"

/interface bridge vlan
add bridge=br1 tagged=br1,sfp1 untagged=ether2,ether3 vlan-ids=10
add bridge=br1 tagged=br1,sfp1 untagged=ether4 vlan-ids=20

/tool mac-server
set allowed-interface-list=none
/tool mac-server mac-winbox
set allowed-interface-list=TRUSTED

/ip neighbor discovery-settings
set discover-interface-list=TRUSTED

Sorry, I was trying to run before I could walk :slight_smile:

Ether5 is a hybrid port for some development. I have it in my current config, which I was copying across.
I have removed it and just stuck with the basics. If I can get that working I can add to it, hopefully…
VLAN_Config-amended.rsc (3.1 KB)

I have removed the VPN server for the moment as it's not that important.
I have worked up all the VLANs etc. but it doesn't seem to be working. I have loaded it onto the hEX and I am not able to get traffic from the LAN to WAN, and DMZ to WAN is very slow. WiFi on the LAN and SCS-Wireless stop completely.

It is probably something really simple, fingers crossed.
Thanks in advance
The_gate_New-vetted.rsc (9.5 KB)

Please post config in normal export format, it's very difficult trying to read your work otherwise.
/export file=anynameyouwish (minus router serial number, any public WANIP information, keys etc.)


Note: I read recently that auto-mac for bridge is best set to manual NOT AUTO.

I have made some big steps forward and got a config running where I can get an IP from either of the main VLANs, but the connection on ether1 seems to keep dropping and network throughput to the internet is painfully slow and keeps failing with a laptop on either VLAN.

Any ideas?
test_hybrid.rsc (7.19 KB)

It's also not clear what's going on with ether2,3; it would seem you have set up hybrid ports to what?? Unifi access points?
Remove bridge from LAN interface as a member.
Remove the static DNS setting to 192.168.88.1.

@Anav - Thank you for all your help. I now have 98% of the config working and a better understanding of ROS.
I have 1 final hurdle to overcome - WireGuard VPN for road warrior config.
I have the server and a peer set up. I can connect but not access the LAN subnet. I am sure it's firewall related. Would you be able to point me to the probably obvious issues in the config?
The-Gate-New-vpn.rsc (9.29 KB)