Filter Rules to Allow Internet for Multiple Subnets

RouterOS General
1

Hi Everyone,

I’m relative newby to Mikrotik, so this maybe a simple question, but I hope someone can help me out.

I’m trying to create a base setup that I can use in multiple environments and am currently playing around on my 750G r3 to increase my knowledge. I have setup the Filter Rules to allow access to the internet to a bridge called LAN-WIFI. Here are the rules:

/ip firewall filter
add action=accept chain=input comment=\
    "M7 Default Rule: Accept established, related, untracked" \
    connection-state=established,related,untracked
add action=accept chain=input comment="M7 Default Rule: L2TP Ports" dst-port=\
    500,1701,4500 in-interface=Internode protocol=udp
add action=accept chain=input comment="M7 Default Rule: L2TP IPSec" \
    in-interface=Internode protocol=ipsec-esp
add action=accept chain=input comment="M7 Default Rule: L2TP IPSec" \
    in-interface=Internode protocol=ipsec-ah
add action=accept chain=input comment="M7 Default Rule: Winbox Remote Access" \
    dst-port=8291 protocol=tcp src-address-list=AllowWinboxRemotely
add action=drop chain=input comment="M7 Default Rule: Drop invalid" \
    connection-state=invalid
add action=accept chain=input comment="M7 Default Rule: Accept ICMP" \
    protocol=icmp
add action=accept chain=input comment=\
    "M7 Default Rule: Accept to local loopback (For CAPsMAN)" dst-address=\
    127.0.0.1
add action=drop chain=input comment=\
    "M7 Default Rule: Drop all NOT coming from LAN" in-interface=!LAN-WIFI
add action=accept chain=forward comment=\
    "M7 Default Rule: Accept established, related, untracked" \
    connection-state=established,related,untracked
add action=drop chain=forward comment="M7 Default Rule: Drop Invalid" \
    connection-state=invalid
add action=drop chain=forward comment=\
    "M7 Default Rule: Drop all EXCEPT not DST NAT rules" \
    connection-nat-state=!dstnat in-interface=Internode

My question is in the example above you can see that there is a drop rule for anything not on the LAN-WIFI bridge. If I were to introduce another subnet on another Bridge to handle a DMZ type network, how can I do that without including the new subnet in the LAN-WIFI bridge?

I hope that makes sense.

Thanks in advance…

Duke

2

As it is now, rule

/ip firewall filter
add action=drop chain=input comment=\
    "M7 Default Rule: Drop all NOT coming from LAN" in-interface=!LAN-WIFI

can be transcribed to two rules:

/ip firewall filter
add action=accept chain=input comment="M7 Default Rule: allow all coming from LAN" in-interface=LAN-WIFI
add action=drop chain=input comment="ultimate rule: drop anything not explicitly accepted by previous rules"

With changed rules it’s easy to add another rule accepting appropriate traffic from other in interfaces by placing it above the last “drop all” rule. And be as specific as it gets (e.g. only accept UDP ports 123 and 53 - that’s NTP and DNS).

Another possibility is to use interface lists … so instead of “… in-interface=!LAN-WIFI” you would use … in-interface-list=!LAN-interfaces". However I find the “not” rules a bit unflexible replacement for the two rules I wrote above.

3

Mkx is in the right track. However be aware that using a drop rule on the input chain has to be done carefully so you dont lock yourself out.
https://forum.mikrotik.com/viewtopic.php?t=180838

4

Thanks mkx. Perfect!

5

Thanks anav, most informative and I’ve bookmarked that page.

6

Sorry to be a pain, but I have one more question regard the multi subnet setup.

If I wanted to have the LAN subnet (bridge LAN-WIFI), let’s say 10.0.10.0/24 have one way access to the Security Camera subnet of 192.168.18.0/24 (bridge SEC-SYS) how can this be achieved? I don’t want the security system to be able to have access to the LAN side of things, but I want the LAN side to be able view the cameras and administer the Security system via HTTP.

Thanks

Duke

7

Hi duke,
(1) Traffic across the router (wan to lan, lan to wan, lan to lan) is handled by the firewall filter forward chain.

One only needs to allow access from Bridge to Camera

add action=accept chain=forward in-interface=LAN-WIFI out-interface=SEC-SYS

Typically I recommend narrowing down access only to those that need it ->> if not all users require access and that access is only required for a few IPs, make two firewall address lists. Access and Cameras.

add action=accept chain=forward in-interface=LAN-WIFI src-address=list=Access out-interface=SEC-SYS dst-address-list=Cameras

(2) An ‘allow’ rule only permits ORIGINATED traffic to reach the other side. Return traffic (answers to the query are permitted as RELATED traffic). Thus the camera system would only be able to answer requests from the lan wifi bridge. The camera would not be permitted to originate traffic and send it to the bridge

Note: All rules I have are predicated upon the fact that all traffic is dropped by my last rule in the forward chain ( a drop all rule ), and thus I have only to make allow rules for the traffic I wish to allow above this rule.

8

Hi Anav,

Thanks.

I’ve tried that, but the SEC-CAM bridge can still access the LAN-WIFI side. Is there a way to make it one way only?

Here are the rule as they stand now.

/ip firewall filter
add action=accept chain=input comment=\
    "M7 Default Rule: Accept established, related, untracked" \
    connection-state=established,related,untracked
add action=accept chain=input comment="M7 Default Rule: L2TP Ports" dst-port=\
    500,1701,4500 in-interface=Internode protocol=udp
add action=accept chain=input comment="M7 Default Rule: L2TP IPSec" \
    in-interface=Internode protocol=ipsec-esp
add action=accept chain=input comment="M7 Default Rule: L2TP IPSec" \
    in-interface=Internode protocol=ipsec-ah
add action=accept chain=input comment="M7 Default Rule: Winbox Remote Access" \
    dst-port=8291 protocol=tcp src-address-list=AllowWinboxRemotely
add action=drop chain=input comment="M7 Default Rule: Drop invalid" \
    connection-state=invalid
add action=accept chain=input comment="M7 Default Rule: Accept ICMP" \
    protocol=icmp
add action=accept chain=input comment=\
    "M7 Default Rule: Accept to local loopback (For CAPsMAN)" dst-address=\
    127.0.0.1
add action=accept chain=input comment=\
    "M7 Default Rule: allow all coming from LAN-WIFI" in-interface=LAN-WIFI
add action=accept chain=forward in-interface=LAN-WIFI out-interface=\
    SEC-CAM
add action=drop chain=input comment="M7 Default Rule: Drop anything not explic\
    itly accepted by previous rules"
add action=accept chain=forward comment=\
    "M7 Default Rule: Accept established, related, untracked" \
    connection-state=established,related,untracked
add action=drop chain=forward comment="M7 Default Rule: Drop Invalid" \
    connection-state=invalid
add action=drop chain=forward comment=\
    "M7 Default Rule: Drop all EXCEPT not DST NAT rules" \
    connection-nat-state=!dstnat in-interface=Internode

I really appreciate your patience with me on this.

Thanks

Duke

9

As per my note in the previous post…

10

Thanks anav. I’ve noted that, but it doesn’t matter where I place the forward rule, I can access both side of the connection from either side. It doesn’t make sense. I’ve even placed this rule last and still can access both sides.

Am I missing something?

11

Post a complete config and I will take a look.

/export hide-sensitive file=anynameyouwish

12

Hi anaz,

Here is the config:

# may/17/2022 12:16:20 by RouterOS 6.48.6
# software id = BE1E-SC82
#
# model = RouterBOARD 750G r3
# serial number = 6F3A07AFA21C
/interface bridge
add name=LAN-WIFI
add name=SEC-CAM
/interface pppoe-client
add add-default-route=yes disabled=no interface=ether1 name=Internode user=\
    xxxxx@internode.on.net
/interface l2tp-client
add connect-to=xx.xx.xx.xx name=Test user=M7
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip pool
add name=l2tp-Pool ranges=192.168.86.10-192.168.86.50
/ppp profile
set *0 on-up="/ip firewall connection remove [ find ]"
add dns-server=192.168.8.7 name=matrix7
/interface bridge port
add bridge=LAN-WIFI interface=ether5
add bridge=SEC-CAM interface=ether2
/interface l2tp-server server
set enabled=yes use-ipsec=required
/ip address
add address=192.168.8.1/24 interface=LAN-WIFI network=192.168.8.0
add address=192.168.122.254/24 interface=SEC-CAM network=192.168.122.0
/ip dns
set allow-remote-requests=yes servers=172.64.36.1,172.64.36.2
/ip firewall address-list
add address=192.168.8.0/24 list=Green-LAN
add address=xx.xx.xx.xx list=AllowWinboxRemotely
add address=192.168.122.0/24 list=Orange-DMZ
/ip firewall filter
add action=accept chain=input comment=\
    "M7 Default Rule: Accept established, related, untracked" \
    connection-state=established,related,untracked
add action=accept chain=input comment="M7 Default Rule: L2TP Ports" dst-port=\
    500,1701,4500 in-interface=Internode protocol=udp
add action=accept chain=input comment="M7 Default Rule: L2TP IPSec" \
    in-interface=Internode protocol=ipsec-esp
add action=accept chain=input comment="M7 Default Rule: L2TP IPSec" \
    in-interface=Internode protocol=ipsec-ah
add action=accept chain=input comment="M7 Default Rule: Winbox Remote Access" \
    dst-port=8291 protocol=tcp src-address-list=AllowWinboxRemotely
add action=drop chain=input comment="M7 Default Rule: Drop invalid" \
    connection-state=invalid
add action=accept chain=input comment="M7 Default Rule: Accept ICMP" \
    protocol=icmp
add action=accept chain=input comment=\
    "M7 Default Rule: Accept to local loopback (For CAPsMAN)" dst-address=\
    127.0.0.1
add action=accept chain=input comment=\
    "M7 Default Rule: allow all coming from LAN-WIFI" in-interface=LAN-WIFI
add action=drop chain=input comment="M7 Default Rule: Drop anything not explic\
    itly accepted by previous rules"
add action=accept chain=forward comment=\
    "M7 Default Rule: Accept established, related, untracked" \
    connection-state=established,related,untracked
add action=drop chain=forward comment="M7 Default Rule: Drop Invalid" \
    connection-state=invalid
add action=drop chain=forward comment=\
    "M7 Default Rule: Drop all EXCEPT not DST NAT rules" \
    connection-nat-state=!dstnat in-interface=Internode
add action=accept chain=forward in-interface=LAN-WIFI out-interface=SEC-CAM
/ip firewall nat
add action=masquerade chain=srcnat src-address-list=Green-LAN
add chain=srcnat dst-address-list=Green-LAN src-address-list=Green-LAN
/ip firewall service-port
set sip disabled=yes
/ip service
set telnet disabled=yes
set ftp disabled=yes
set www disabled=yes
set ssh disabled=yes
set api disabled=yes
set winbox address=192.168.8.0/24
set api-ssl disabled=yes
/ppp secret
add name=Caroline profile=MarquetteProfile service=l2tp
/system clock
set time-zone-name=Australia/Sydney
/system identity
set name=Matrix7-Mikrotik
/system ntp client
set enabled=yes primary-ntp=192.231.203.132
/system ntp server
set enabled=yes
/system package update
set channel=long-term

Thanks

Duke