Filtering traffic with a LAN

Hello,

On a remote site, I’ve got the following setup (details omitted):
Cloud server — ------ Router ----- ---- Printer

The printer receives printing jobs from a Cloud server over the Internet.
This cloud server has a fixed public IP address.

The router is provided by an ISP.
It can implement some NAT/PAT rules but unfortunately cannot use the source IP to filter traffic!
The router has a fixed public IP and a fixed private one.

For various reasons, I can’t change any device address.
I’m thinking about adding a box between the LAN and the printer to filter unwanted traffic.

The three rules I would like to implement on this box are:
“1. accept traffic coming in from LAN-facing interface, with Cloud server IP address and destined to printer IP and specific application port
2. drop traffic coming in from LAN-facing interface and destined to printer IP and specific application port
3. let anything else pass through”

How can I implement this with RouterOS?

Best regards

Configure the Mikrotik as a switch rather than a router.

If whichever Mikrotik you use has bridge hardware-offload enabled it would have to be implemented with switch ACLs; the various switch chips have different switch rule capabilities, so check https://help.mikrotik.com/docs/display/ROS/Switch+Chip+Features#SwitchChipFeatures-Introduction and https://help.mikrotik.com/docs/display/ROS/Switch+Chip+Features#SwitchChipFeatures-RuleTable - generally fast ethernet (100Mb) switch chips do not support rules.

Otherwise disable bridge hardware-offload and use /interface bridge filter rules, which should be sufficient in this case; otherwise it is one of the few scenarios where /interface bridge settings set use-ip-firewall=yes and using /ip firewall filter rules is applicable.
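As an added illustration of the bridge-filter approach described in this answer (not configuration from the thread itself), the three rules from the question expressed as /interface bridge filter rules. The interface names, the cloud server address 203.0.113.10, the printer address 192.168.1.50 and the application port 9100 are assumed placeholders; substitute the real values. Rule order matters: the accept must precede the drop.

```routeros
# Assumed layout: ether1 = LAN-facing port, ether2 = printer-facing port,
# both members of one bridge. Hardware offload must be off on at least
# one of the ports, otherwise the switch chip forwards the frames and the
# bridge filter never sees them.
/interface bridge port
set [ find interface=ether1 ] hw=no
set [ find interface=ether2 ] hw=no

# Rule 1: accept traffic entering on the LAN port from the cloud server
# (assumed 203.0.113.10) to the printer (assumed 192.168.1.50) on the
# assumed application port 9100/tcp.
/interface bridge filter
add chain=forward in-interface=ether1 mac-protocol=ip ip-protocol=tcp \
    src-address=203.0.113.10/32 dst-address=192.168.1.50/32 dst-port=9100 \
    action=accept comment="1. cloud server -> printer app port"

# Rule 2: drop any other traffic entering on the LAN port for that
# printer address and port.
add chain=forward in-interface=ether1 mac-protocol=ip ip-protocol=tcp \
    dst-address=192.168.1.50/32 dst-port=9100 \
    action=drop comment="2. everything else -> printer app port"

# Rule 3: no further rules; the bridge filter default is to pass
# whatever did not match, so all other traffic flows unchanged.
```

Because bridge filter rules are stateless L2 rules, only the direction printer-bound on ether1 is matched; replies from the printer enter on ether2 and are not affected. To confirm the rules are actually being evaluated, watch the packet counters with `/interface bridge filter print stats` while sending test traffic from a host other than the cloud server.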

So I can leave both Ethernet interfaces (the LAN-facing and the printer-facing ones) belonging to the same single bridge?

Yes

I haven’t succeeded yet, using a 6.49.6 powered mAP.

During my first testing, I wrote a couple of rules in IP/Firewall/Filter rules. Is it the correct tool to implement my rules?
While searching, I also found potentially relevant forms in Bridge/Filters and Switch/Rules but I didn’t use any of them.

That’s one of the possibilities … but make sure you enable “use-ip-firewall=yes” as suggested by @tdw. Beware that for this use case the applicable rule properties are slightly different from those of the “normal” IP firewall.

Use of bridge filters is another possibility, even more resource friendly but way less flexible … e.g. it’s not possible to reference connection states (because bridge rules are L2 while a stateful firewall is L4).

Perhaps show us what you came up with so far and somebody might help you get further.

My setup is:

PC1 ---- Switch1---- mAP ---- PC3
|
PC2 ---------

My test is to ping PC3 from PC2 while PC1 is used for configuring the mAP. The mAP’s interface to PC3 is ether2 and the mAP’s ether1 is connected upstream to Switch1.
During my tests, PC2 could positively ping PC3.
I was expecting this to fail due to my firewall rule named FOO.

My (hand edited) config is

/interface bridge
add admin-mac=18:FD:74:19:FF:F0 auto-mac=no comment=defconf name=bridge
/interface wireless
set [ find default-name=wlan1 ] band=2ghz-b/g/n channel-width=20/40mhz-XX distance=indoors frequency=\
    auto installation=indoor mode=ap-bridge ssid=MikroTik-19FFF2 wireless-protocol=802.11
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip pool
add name=default-dhcp ranges=192.168.88.10-192.168.88.254
/ip dhcp-server
add address-pool=default-dhcp interface=bridge name=defconf
/interface bridge filter
add action=drop chain=input dst-port=68 in-interface=ether1 ip-protocol=udp mac-protocol=ip
/interface bridge port
add bridge=bridge comment=defconf interface=ether2
add bridge=bridge comment=defconf interface=pwr-line1
add bridge=bridge comment=defconf interface=wlan1
add bridge=bridge comment="PerenIP: move ether1 into bridge" interface=ether1
/interface bridge settings
set use-ip-firewall=yes
/ip neighbor discovery-settings
set discover-interface-list=LAN
/interface list member
add comment=defconf disabled=yes interface=ether1 list=WAN
add interface=ether2 list=LAN
add interface=wlan1 list=LAN
/interface wireless cap
set bridge=bridge interfaces=wlan1
/ip address
add address=192.168.88.1/24 comment=defconf disabled=yes interface=bridge network=192.168.88.0
/ip dhcp-client
add disabled=no interface=bridge
/ip dhcp-server network
add address=192.168.88.0/24 comment=defconf gateway=192.168.88.1
/ip dns
set allow-remote-requests=yes
/ip dns static
add address=192.168.88.1 comment=defconf name=router.lan
/ip firewall filter
add action=accept chain=input comment="defconf: accept established,related,untracked" \
    connection-state=established,related,untracked
add action=drop chain=forward comment=FOO dst-address=192.168.4.193 src-address=192.168.4.55
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
 ...
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" disabled=yes ipsec-policy=out,none \
    out-interface-list=WAN

It could be that traffic between both wired ports is entirely handled by the (integrated) switch and thus bypasses the bridge and the firewall. Set one (or both) ether ports with hw=no in the /interface/bridge/port configuration section; this should force traffic through the CPU and thus allow the bridge to do filtering.
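As an added example, not taken from the thread, the IP-firewall variant of the same three rules, combining the hw=no fix from this answer with use-ip-firewall=yes from the earlier one. The cloud server address 203.0.113.10, the printer address 192.168.1.50 and the application port 9100 are assumed placeholders, as is the assumption that ether1 faces the LAN and ether2 faces the printer.

```routeros
# Disable hardware offload on the LAN-facing bridge port so frames are
# switched by the CPU and pass through the bridge (and hence the IP firewall).
/interface bridge port
set [ find interface=ether1 ] hw=no

# Hand bridged IP traffic to /ip firewall.
/interface bridge settings
set use-ip-firewall=yes

# With use-ip-firewall the in-interface is the bridge itself; the physical
# port is matched with in-bridge-port. Place these before any broader
# forward rules so they are evaluated first.
/ip firewall filter
add chain=forward in-bridge-port=ether1 protocol=tcp \
    src-address=203.0.113.10 dst-address=192.168.1.50 dst-port=9100 \
    action=accept comment="1. cloud server (assumed) -> printer app port" \
    place-before=0
add chain=forward in-bridge-port=ether1 protocol=tcp \
    dst-address=192.168.1.50 dst-port=9100 \
    action=drop comment="2. any other source -> printer app port" \
    place-before=1
# Rule 3: nothing else is added, so remaining forward traffic is handled
# by the rest of the chain (default accept if no other drop matches).
```

To check that the rules are being hit, `/ip firewall filter print stats` should show the counters of the two forward rules increasing when a non-cloud host on the LAN tries the printer port; if they stay at zero, the frames are still being switched in hardware.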

That was it: turning Hardware Offload to Off on one port forced my IP Firewall Filter rules to be run!

Thank you all very much for your help!