Feedback on first setup

I am using this as a learning experience for a home lab and wondered if I could get some feedback on my setup script. I am using VLANs for management, services, DMZ for public services, clients and guests. Guests should only have access to WAN; clients should have access to services and DMZ services; management should be the only VLAN capable of managing the router; and DMZ would be open to WAN. I am running a local DNS on PiHole on 172.23.20.2 and want the router to default to using this DNS server, but if it goes down it should switch to 1.1.1.1. To do this I have used netwatch and a script. Is there a better way to do this? Another question I have is that I want to limit the communication from DMZ to services, but I want some servers on DMZ to access a NAS drive hosted on the service VLAN. What would be the best way of doing this? Should I allow access to the NAS's IP on the needed port, or is there a more recommended solution?
Thanks

My setup script:

# Device Config
/system/identity/
set name=Base_Router
print

#### Interface Config ####
# Rename interfaces
/interface/
set ether1 name=ether1_WAN
set ether3 name=ether3_ProxmoxMgmt
set ether9 name=ether9_GuestWAP
set ether10 name=ether10_ClientWAP
set ether15 name=ether15_Mgmt
set sfp-sfpplus1 name=sfp+1_Proxmox
set sfp-sfpplus2 name=sfp+2_MainPC
print

# Create LAN bridge
/interface/bridge/
add name=bridge_LAN
print

/interface/bridge/port/
add bridge=bridge_LAN interface=ether2
add bridge=bridge_LAN interface=ether3_ProxmoxMgmt pvid=10
add bridge=bridge_LAN interface=ether4
add bridge=bridge_LAN interface=ether5
add bridge=bridge_LAN interface=ether6
add bridge=bridge_LAN interface=ether7
add bridge=bridge_LAN interface=ether8
add bridge=bridge_LAN interface=ether9_GuestWAP pvid=35
add bridge=bridge_LAN interface=ether10_ClientWAP pvid=30
add bridge=bridge_LAN interface=ether11
add bridge=bridge_LAN interface=ether12
add bridge=bridge_LAN interface=ether13
add bridge=bridge_LAN interface=ether14
add bridge=bridge_LAN interface=ether15_Mgmt pvid=10
add bridge=bridge_LAN interface=ether16
add bridge=bridge_LAN interface=sfp+1_Proxmox
add bridge=bridge_LAN interface=sfp+2_MainPC pvid=20
print

# Create bridge VLANs
/interface/bridge/vlan/
add bridge=bridge_LAN vlan-ids=10 tagged=bridge_LAN untagged=ether3_ProxmoxMgmt,ether15_Mgmt
add bridge=bridge_LAN vlan-ids=20 tagged=bridge_LAN,sfp+1_Proxmox untagged=sfp+2_MainPC
add bridge=bridge_LAN vlan-ids=25 tagged=bridge_LAN,sfp+1_Proxmox
add bridge=bridge_LAN vlan-ids=30 tagged=bridge_LAN untagged=ether10_ClientWAP
add bridge=bridge_LAN vlan-ids=35 tagged=bridge_LAN untagged=ether9_GuestWAP
print

# Create VLAN interfaces
/interface/vlan/
add name=Mgmt vlan-id=10 interface=bridge_LAN
add name=Service vlan-id=20 interface=bridge_LAN
add name=DMZ vlan-id=25 interface=bridge_LAN
add name=Client vlan-id=30 interface=bridge_LAN
add name=Guest vlan-id=35 interface=bridge_LAN
print

#### IP Config ####
# WAN IP Config
/ip/dhcp-client/
add interface=ether1_WAN use-peer-dns=no
print

# LAN IP Config
/ip/address/
add address=172.23.10.1/24 interface=Mgmt
add address=172.23.20.1/24 interface=Service
add address=172.23.25.1/24 interface=DMZ
add address=172.23.30.1/24 interface=Client
add address=172.23.35.1/24 interface=Guest
print

# LAN DHCP Config
/ip/pool/
add name=dhcp_pool_10 ranges=172.23.10.200-172.23.10.254
add name=dhcp_pool_20 ranges=172.23.20.200-172.23.20.254
add name=dhcp_pool_30 ranges=172.23.30.20-172.23.30.254
add name=dhcp_pool_35 ranges=172.23.35.20-172.23.35.254
print

/ip/dhcp-server/
add interface=Mgmt address-pool=dhcp_pool_10 name=dhcp_10
add interface=Service address-pool=dhcp_pool_20 name=dhcp_20
add interface=Client address-pool=dhcp_pool_30 name=dhcp_30
add interface=Guest address-pool=dhcp_pool_35 name=dhcp_35
print

/ip/dhcp-server/network/
add address=172.23.10.0/24 gateway=172.23.10.1 dns-server=172.23.10.1
add address=172.23.20.0/24 gateway=172.23.20.1 dns-server=172.23.20.1
add address=172.23.30.0/24 gateway=172.23.30.1 dns-server=172.23.30.1
add address=172.23.35.0/24 gateway=172.23.35.1 dns-server=172.23.35.1
print

# DNS Config
/ip dns set servers=1.1.1.1 allow-remote-requests=yes
# up-script/down-script hold script code, not a script name, so the named scripts are run explicitly
/tool netwatch add host=172.23.20.2 name=PiHoleCheck up-script="/system script run upDNS" down-script="/system script run downDNS"

#### Firewall ####
# Firewall NAT Config
/ip/firewall/nat/
add action=masquerade chain=srcnat out-interface=ether1_WAN
print

# Firewall Config
/ip/firewall/filter/
add chain=input action=accept connection-state=established,related comment="input accept: established,related"
add chain=input action=accept src-address=!172.23.25.0/24 in-interface=!ether1_WAN protocol=udp dst-port=67 comment="input accept: from !(WAN,DMZ) UDP DHCP"
add chain=input action=accept src-address=172.23.10.0/24 protocol=udp dst-port=5678,20561 comment="input accept: from Mgmt UDP (Discovery,MAC winbox)"
add chain=input action=accept src-address=172.23.10.0/24 protocol=tcp dst-port=8291 comment="input accept: from Mgmt TCP (Winbox)"
add chain=input action=accept in-interface=!ether1_WAN protocol=udp dst-port=53 comment="input accept: from !WAN UDP DNS"
add chain=input action=accept in-interface=!ether1_WAN protocol=tcp dst-port=53 comment="input accept: from !WAN TCP DNS"
add chain=input action=accept protocol=icmp icmp-options=8 comment="input accept: ICMP Ping"
add chain=input action=drop

add chain=forward action=accept connection-state=established,related comment="forward accept: established,related"
add chain=forward action=accept src-address=172.23.30.0/24 dst-address=172.23.20.0/24 comment="forward accept: Client -> Service"
add chain=forward action=accept out-interface=ether1_WAN comment="forward accept: to WAN"
add chain=forward action=drop
print

# Enable VLAN filtering
/interface/bridge set bridge_LAN vlan-filtering=yes

My upDNS/downDNS template (IP switched accordingly):

# Shown as the downDNS body; upDNS is the same with the two addresses swapped
:local primaryDNS "172.23.20.2"
:local backupDNS "1.1.1.1"
# Command output has to be captured in [ ]; without the brackets this line is a syntax error
:local currentDNS [/ip dns get servers]

:if ($currentDNS = $primaryDNS) do={
	/ip dns set servers=$backupDNS
}
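As an added example (not code from the original post), here is the same netwatch approach written so that it fails over to 1.1.1.1 and fails back to PiHole, with the scripts held in named /system/script entries and the probe calling them by name. PiHole at 172.23.20.2 and the 1.1.1.1 backup come from the thread; the script names, interval and timeout are assumptions.

```routeros
# Added example, not from the original post: netwatch-driven DNS failover
# that also fails back when PiHole returns.
# Assumed values: script names dnsPrimary/dnsBackup, 30 s interval, 2 s timeout.

# Keep the real work in named scripts with explicit policies.
/system/script
add name=dnsPrimary policy=read,write comment="PiHole reachable" source={
    # Netwatch only fires on a state change, so set the resolver
    # unconditionally and drop answers that were cached from the backup.
    /ip/dns/set servers=172.23.20.2
    /ip/dns/cache/flush
    :log info "DNS: PiHole is up, resolver set to 172.23.20.2"
}
add name=dnsBackup policy=read,write comment="PiHole unreachable" source={
    /ip/dns/set servers=1.1.1.1
    /ip/dns/cache/flush
    :log warning "DNS: PiHole is down, resolver set to 1.1.1.1"
}

# up-script/down-script contain script code, not a script name, so the
# probe calls the named scripts explicitly. ICMP probe every 30 s, and a
# reply must arrive within 2 s for the host to count as up.
/tool/netwatch
add host=172.23.20.2 name=PiHoleCheck interval=30s timeout=2s \
    up-script="/system/script/run dnsPrimary" \
    down-script="/system/script/run dnsBackup"
```

Because netwatch triggers on each up/down transition, the resolver is put back on PiHole as soon as it answers pings again, which is the fail-back a plain ordered server list does not give.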

Firstly, I want to congratulate you on your configuration - it looks very promising and surely it will work even without the suggestions/answers I’ll give you throughout the post.

Yes, you could just list them in the DNS settings in order - the primary DNS server as the first entry and the backup one as the second:

/ip dns set servers=172.23.20.2,1.1.1.1 allow-remote-requests=yes



The solution you suggested is the recommended one. Only as a tip, use address lists to reference the servers which should have access to the NAS so that you use only one firewall rule with a set src-address-list parameter instead of multiple ones:

/ip firewall address-list
add list=Servers address=172.23.20.x
add list=Servers address=172.23.20.y
...

Thanks for your response. The docs for DNS say:

Servers are processed in a queue order - static servers as an ordered list, dynamic servers as an ordered list. When DNS cache has to send a request to the server, it tries servers one by one until one of them responds. After that this server is used for all types of DNS requests. Same server is used for any types of DNS requests, for example, A and AAAA types.

If at some point the server which was being used becomes unavailable and can not provide DNS answers, then the DNS cache restarts the DNS server lookup process and goes through the list of specified servers once more.

This makes it sound like it would switch to the second server if PiHole goes down but then not switch back when it comes back online, as 1.1.1.1 will still be online. I am using PiHole for some local DNS addresses that I have not assigned on Cloudflare, so I want it to use that server whenever possible. Have I misunderstood the docs? Another question I had is: should I be using FastTrack rules or any other optimisations to my firewall?

Now that you put it that way, the misunderstanding is on my side, so please discard my advice for relying only on the DNS order.

Since you don’t use queues or mangling you can use default FastTrack rule. If you want to extend your firewall, you can revert to the following articles from the docs:

https://help.mikrotik.com/docs/pages/viewpage.action?pageId=28606504 - SYN/DoS/DDoS Protection

https://help.mikrotik.com/docs/display/ROS/Bruteforse+prevention - Bruteforce prevention
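As an added example (not code from the thread), the forward chain below combines the address-list suggestion from the earlier reply with the default FastTrack rule, re-listing the original Client -> Service and WAN rules so the order is visible. Assumed values, not from the thread: the NAS is 172.23.20.10, SMB on TCP 445 is the only port needed, and the DMZ hosts that need it are 172.23.25.10 and 172.23.25.11.

```routeros
# Added example, not from the thread: forward chain with FastTrack plus a
# single address-list rule for DMZ -> NAS access.
# Assumed values: NAS 172.23.20.10, port TCP/445, DMZ hosts .25.10 and .25.11.

/ip/firewall/address-list
add list=DMZ_to_NAS address=172.23.25.10 comment="web server"
add list=DMZ_to_NAS address=172.23.25.11 comment="backup box"

/ip/firewall/filter
# FastTrack first: once a connection is established, its packets bypass the
# rest of the filter (fine here because no queues or mangle rules are used).
add chain=forward action=fasttrack-connection connection-state=established,related \
    comment="forward fasttrack: established,related"
add chain=forward action=accept connection-state=established,related \
    comment="forward accept: established,related"
add chain=forward action=drop connection-state=invalid \
    comment="forward drop: invalid"
# One rule for every listed DMZ host instead of one rule per host; the first
# packet of each new connection is matched here, later packets are fasttracked.
add chain=forward action=accept src-address-list=DMZ_to_NAS \
    dst-address=172.23.20.10 protocol=tcp dst-port=445 \
    comment="forward accept: listed DMZ hosts -> NAS SMB"
add chain=forward action=accept src-address=172.23.30.0/24 dst-address=172.23.20.0/24 \
    comment="forward accept: Client -> Service"
add chain=forward action=accept out-interface=ether1_WAN \
    comment="forward accept: to WAN"
add chain=forward action=drop comment="forward drop: everything else"
```

Adding another DMZ host to the NAS rule then means one more address-list entry rather than another filter rule.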