Firewall - Check - No Portforwarding

Hi,
I have a firewall configuration. Can you please check it? Port forwarding doesn't work. Is the rest otherwise sound?

# Address lists of the original configuration, referenced by the filter/raw rules below.
# LAN1 groups 10.50.99/24 and the 10.50.50-60/24 subnets; LAN2, LAN3 and Costumer
# (sic - presumably "Customer") are added further down, out of order.
/ip firewall address-list
add address=10.50.99.0/24 list=LAN1
add address=10.50.50.0/24 list=LAN1
add address=10.50.51.0/24 list=LAN1
add address=10.50.52.0/24 list=LAN1
add address=10.50.53.0/24 list=LAN1
add address=10.50.54.0/24 list=LAN1
add address=10.50.55.0/24 list=LAN1
add address=10.50.56.0/24 list=LAN1
add address=10.50.57.0/24 list=LAN1
add address=10.50.58.0/24 list=LAN1
add address=10.50.59.0/24 list=LAN1
add address=10.50.60.0/24 list=LAN1
# The three RFC 6890 lists below mirror the RouterOS default configuration ("defconf").
# no_forward_ipv4: addresses that must never be routed through the router.
add address=0.0.0.0/8 comment="defconf: RFC6890" list=no_forward_ipv4
add address=169.254.0.0/16 comment="defconf: RFC6890" list=no_forward_ipv4
add address=224.0.0.0/4 comment="defconf: multicast" list=no_forward_ipv4
add address=255.255.255.255 comment="defconf: RFC6890" list=no_forward_ipv4
# bad_ipv4: loopback, documentation and reserved ranges - never valid on the wire.
add address=127.0.0.0/8 comment="defconf: RFC6890" list=bad_ipv4
add address=192.0.0.0/24 comment="defconf: RFC6890" list=bad_ipv4
add address=192.0.2.0/24 comment="defconf: RFC6890 documentation" list=bad_ipv4
add address=198.51.100.0/24 comment="defconf: RFC6890 documentation" list=bad_ipv4
add address=203.0.113.0/24 comment="defconf: RFC6890 documentation" list=bad_ipv4
add address=240.0.0.0/4 comment="defconf: RFC6890 reserved" list=bad_ipv4
# not_global_ipv4: private/non-routable space. NOTE(review): this list contains
# 10.0.0.0/8 and 192.168.0.0/16, i.e. every internal subnet of this router. It is only
# meaningful when matched together with in-interface-list=WAN (as the default raw rule
# does); matched on its own it drops the router's own LAN traffic.
add address=0.0.0.0/8 comment="defconf: RFC6890" list=not_global_ipv4
add address=10.0.0.0/8 comment="defconf: RFC6890" list=not_global_ipv4
add address=100.64.0.0/10 comment="defconf: RFC6890" list=not_global_ipv4
add address=169.254.0.0/16 comment="defconf: RFC6890" list=not_global_ipv4
add address=172.16.0.0/12 comment="defconf: RFC6890" list=not_global_ipv4
add address=192.0.0.0/29 comment="defconf: RFC6890" list=not_global_ipv4
add address=192.168.0.0/16 comment="defconf: RFC6890" list=not_global_ipv4
add address=198.18.0.0/15 comment="defconf: RFC6890 benchmark" list=not_global_ipv4
add address=255.255.255.255 comment="defconf: RFC6890" list=not_global_ipv4
# allowedHosts entries are DNS names; the router resolves them, so list membership is
# only as reliable as the DNS answers the router receives - presumably acceptable for
# the VPN endpoints, confirm.
add address=vpn01.testvpn.de list=allowedHosts
# Empty lists meant to be filled dynamically by the detect-ddos chain.
# NOTE(review): no jump-target=detect-ddos rule appears in the filter export below, so
# unless the jump is configured elsewhere these lists stay empty.
add list=ddos-attackers
add list=ddos-targets
add address=192.168.2.0/24 list=Costumer
add address=10.52.50.0/24 list=LAN3
add address=192.168.133.0/24 list=LAN3
add address=192.168.144.0/24 list=LAN2
add address=vpn02.testvpn.de list=allowedHosts
add address=vpn03.testvpn.de list=allowedHosts
add address=10.51.50.0/24 list=LAN2
# NOTE(review): lists referenced by the raw rules below but not defined here:
# bad_src_ipv4, bad_dst_ipv4 and LAN. A rule matching an undefined (empty) list never
# matches, so those rules are inert unless the lists exist outside this export.
# Filter rules of the original configuration. Within a chain RouterOS evaluates rules in
# the order listed here, so most findings below are about ordering.
/ip firewall filter
# Refuse DNS service on the WAN interface (open-resolver protection).
add action=drop chain=input dst-port=53 in-interface=WAN1 protocol=udp
add action=drop chain=input dst-port=53 in-interface=WAN1 protocol=tcp
add action=accept chain=input port=8291 protocol=tcp src-address=192.168.133.0/24
# NOTE(review): accepts Winbox (8291) from any source, including WAN1, ahead of every
# drop rule. It makes the src-address restriction on the rule above irrelevant and the
# BruteForce rules for 8291 further down unreachable. The thread identifies this as the
# emergency-access rule to be removed; it carries no disabled=yes in this export.
add action=accept chain=input port=8291 protocol=tcp
# Port 45735 (service not visible here - presumably SSH or API, confirm): a new connection
# whose source is not in allowedHosts is recorded in BruteForce and, because
# add-src-to-address-list continues to the next rule, dropped immediately by the rule
# after it. Net effect: 45735 is reachable only from allowedHosts; anyone else is locked
# out for one week after a single attempt. Intended? Confirm.
add action=add-src-to-address-list address-list=BruteForce address-list-timeout=1w chain=input connection-state=new dst-port=45735 protocol=tcp src-address-list=!allowedHosts
add action=drop chain=input dst-port=45735 protocol=tcp src-address-list=BruteForce
add action=accept chain=input dst-port=45735 protocol=tcp
add action=accept chain=input connection-state=established,related
add action=drop chain=input connection-state=invalid
# NOTE(review): drops every new packet addressed to the router from every interface.
# All input rules listed after it (8291 BruteForce set, WireGuard 45001/53235, DNS from
# wg0 / !WAN1, ICMP) can never match a new connection, so WireGuard handshakes and
# LAN DNS queries to the router are dropped here. Those accepts belong above this rule.
add action=drop chain=input connection-state=new
# Unreachable for new connections (see the drop above) and superseded by the
# unconditional 8291 accept near the top of the chain.
add action=add-src-to-address-list address-list=BruteForce address-list-timeout=1w chain=input connection-state=new dst-port=8291 protocol=tcp src-address-list=!allowedHosts
add action=drop chain=input dst-port=8291 protocol=tcp src-address-list=BruteForce
add action=accept chain=input dst-port=8291 protocol=tcp
# Forward chain: default-configuration fasttrack / established handling.
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related hw-offload=yes
add action=accept chain=forward comment="defconf: accept established,related, untracked" connection-state=established,related,untracked
# Inter-VLAN accepts. The two src-address/dst-address rules duplicate the LAN1<->LAN3
# list rules directly above them (10.50.50.0/24 is in LAN1, 192.168.133.0/24 in LAN3).
add action=accept chain=forward dst-address-list=LAN3 src-address-list=LAN1
add action=accept chain=forward dst-address-list=LAN1 src-address-list=LAN3
add action=accept chain=forward dst-address=192.168.133.0/24 src-address=10.50.50.0/24
add action=accept chain=forward dst-address=10.50.50.0/24 src-address=192.168.133.0/24
add action=accept chain=forward dst-address-list=Costumer src-address=10.50.50.0/24
add action=accept chain=forward dst-address=10.50.50.0/24 src-address-list=Costumer
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
# Needs an interface list named WAN with WAN1 as member; that list is not part of this
# export - confirm it exists, otherwise this rule matches nothing.
add action=drop chain=forward comment="defconf:  drop all from WAN not DSTNAT" connection-nat-state=!dstnat connection-state=new in-interface-list=WAN
add action=drop chain=forward comment="defconf: drop bad forward IPs" src-address-list=no_forward_ipv4
add action=drop chain=forward comment="defconf: drop bad forward IPs" dst-address-list=no_forward_ipv4
# Input rules placed after the drop-all-new rule above: unreachable for new connections.
add action=accept chain=input comment="Allow Wireguard" dst-port=45001,53235 protocol=udp
add action=accept chain=input comment="Allow DNS from Wireguard Users" dst-port=53 in-interface=!WAN1 protocol=udp
add action=accept chain=input comment="Allow DNS from Wireguard Users" dst-port=53 in-interface=wg0 protocol=udp
# src-address=10.10.10.0 without a prefix length is a single host (/32); the third rule
# uses /31. Presumably one of them is wrong - confirm the intended WireGuard peer range.
add action=accept chain=forward dst-port=22 protocol=tcp src-address=10.10.10.0
add action=accept chain=forward protocol=icmp src-address=10.10.10.0
add action=accept chain=forward dst-address=192.168.144.0/24 src-address=10.10.10.0/31
# Accepts new TCP/443 forwarding from any interface to any destination. After dst-nat the
# port-forwarded traffic to 10.50.52.2 has dst-port 443, so this is the rule that admits
# it: the forward path for the port forward is open in this config. Note also that there
# is no terminating drop in chain=forward anywhere below, so anything not matched by an
# earlier rule is accepted by default.
add action=accept chain=forward dst-port=443 protocol=tcp
# Duplicates of the defconf established/invalid rules higher up.
add action=accept chain=forward comment="Allow existing and related connections" connection-state=established,related
add action=drop chain=forward comment="Block invalid packets" connection-state=invalid
add action=accept chain=forward comment="Allow LAN to WAN" in-interface=BRIDGE out-interface=WAN1
# Comment text reads "ro" (typo for "to"); it is a runtime string and left as exported.
add action=accept chain=forward comment="Allow LAN ro WAN" dst-address-list=LAN3 in-interface=wg0
# Unreachable for new packets (after drop-all-new) and duplicates of the first input rules.
add action=accept chain=input comment="defconf: accept ICMP after RAW" protocol=icmp
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
# detect-ddos is a user chain; no rule with jump-target=detect-ddos exists in this export,
# so it is never entered and ddos-attackers/ddos-targets never get populated.
add action=return chain=detect-ddos dst-limit=32,32,src-and-dst-addresses/10s
add action=add-dst-to-address-list address-list=ddos-targets address-list-timeout=10m chain=detect-ddos
add action=add-src-to-address-list address-list=ddos-attackers address-list-timeout=10m chain=detect-ddos
# "prerouting" is not a built-in chain of /ip firewall filter (input/forward/output are),
# so this creates a user chain nothing jumps to; the rule is inert. It presumably was
# meant for /ip firewall raw - confirm.
add action=accept chain=prerouting comment="Allow established and related connections" connection-state=established,related
add action=return chain=detect-ddos dst-limit=32,32,src-and-dst-addresses/10s protocol=tcp tcp-flags=syn,ack
# Layer-7 matching on all forwarded traffic is CPU-expensive, and because TCP/443 is
# already accepted above this rule sees little of the traffic it targets.
add action=drop chain=forward layer7-protocol=youtube log=yes log-prefix=DROP
# Packet-marks UDP 10000-20000 in both directions as voip_pkt (presumably RTP; confirm).
# passthrough=no stops mangle processing once marked. Nothing in this export consumes
# the mark (no queue rules shown), so its effect depends on configuration not visible here.
/ip firewall mangle
add action=mark-packet chain=forward comment="Mark VoIP Pakete" new-packet-mark=voip_pkt passthrough=no protocol=udp src-port=10000-20000
add action=mark-packet chain=forward comment="Mark VoIP Pakete" dst-port=10000-20000 new-packet-mark=voip_pkt passthrough=no protocol=udp
# NAT rules of the original configuration.
/ip firewall nat
# Port forward: TCP/443 arriving on WAN1 -> 10.50.52.2:443. log=yes records every hit
# with prefix "443" - useful while debugging the forward, noisy in normal operation.
# NOTE(review): there is no hairpin (srcnat for LAN->LAN via the public address) rule;
# if the test was done from inside the LAN using the WAN address it fails for that reason
# alone - confirm from where the forward was tested, and that 10.50.52.2 routes its replies
# back via this router.
add action=dst-nat chain=dstnat comment=10.50.52.2 dst-port=443 in-interface=WAN1 log=yes log-prefix=443 protocol=tcp to-addresses=10.50.52.2 to-ports=443
add action=masquerade chain=srcnat comment="Masquerade for WAN access" out-interface=WAN1
# Raw (pre-connection-tracking) rules of the original configuration.
/ip firewall raw
# NOTE(review): this rule has no match criteria and is first in prerouting, so it accepts
# every packet in raw - none of the drops below is ever evaluated. In the default
# configuration this rule ships with disabled=yes; the export shows it enabled, and log=yes
# additionally logs every packet the router sees. Disable it (or remove it).
add action=accept chain=prerouting comment="defconf: enable for transparent firewall" log=yes
add action=drop chain=prerouting comment="defconf: drop bogon IP's" src-address-list=bad_ipv4
add action=drop chain=prerouting comment="defconf: drop bogon IP's" dst-address-list=bad_ipv4
# bad_src_ipv4 / bad_dst_ipv4 are not defined in the address-list export above.
add action=drop chain=prerouting comment="defconf: drop bogon IP's" src-address-list=bad_src_ipv4
add action=drop chain=prerouting comment="defconf: drop bogon IP's" dst-address-list=bad_dst_ipv4
# Correct use of not_global_ipv4: only together with in-interface-list=WAN.
add action=drop chain=prerouting comment="defconf: drop non global from WAN" in-interface-list=WAN src-address-list=not_global_ipv4
# Address list LAN is not defined above (only LAN1/LAN2/LAN3 are) - this matches nothing.
add action=drop chain=prerouting comment="defconf: drop forward to LAN lan from WAN" dst-address-list=LAN in-interface-list=WAN
add action=drop chain=prerouting comment="defconf: drop bad UDP" port=0 protocol=udp
# Jump targets icmp4 and bad_tcp are not present in this export; confirm they exist.
add action=jump chain=prerouting comment="defconf: jump to ICMP chain" jump-target=icmp4 protocol=icmp
add action=jump chain=prerouting comment="defconf: jump to TCP chain" jump-target=bad_tcp log=yes protocol=tcp
# Accepts (and logs) everything from WAN here, so the "Block Forward to local LAN" drops
# for LAN1/LAN2/LAN3 further down can never match WAN traffic.
add action=accept chain=prerouting comment="defconf: accept everything else from WAN" in-interface-list=WAN log=yes
# The two src-address/dst-address rules repeat the LAN1<->LAN3 list rules (10.50.50.0/24 is
# in LAN1, 192.168.133.0/24 in LAN3); the 10.50.50 -> 192.168.133 rule appears twice.
add action=accept chain=prerouting dst-address-list=LAN3 src-address-list=LAN1
add action=accept chain=prerouting dst-address-list=LAN1 src-address-list=LAN3
add action=accept chain=prerouting dst-address=10.50.50.0/24 src-address=192.168.133.0/24
add action=accept chain=prerouting dst-address=192.168.133.0/24 src-address=10.50.50.0/24
add action=accept chain=prerouting dst-address=192.168.144.0/24 src-address=10.10.10.0
add action=accept chain=prerouting dst-address=192.168.133.0/24 src-address=10.50.50.0/24
# NOTE(review): unconditional drop - every raw rule after it is unreachable. In the
# default configuration this drop is also shipped disabled; enabled here it discards all
# traffic that was not explicitly accepted above, including LAN->WAN and WireGuard.
add action=drop chain=prerouting comment="defconf: drop the rest"
# Unreachable (after "drop the rest"); also repeats the defconf rules above, with the same
# undefined bad_src_ipv4 / bad_dst_ipv4 lists.
add action=drop chain=prerouting comment="Block Input Bogon IPs" src-address-list=bad_src_ipv4
add action=drop chain=prerouting comment="Block Output Bogon IPs" dst-address-list=bad_dst_ipv4
add action=drop chain=prerouting comment="Block nicht globale IPs to WAN" in-interface-list=WAN src-address-list=not_global_ipv4
add action=drop chain=prerouting comment="Block Forward to local LAN to WAN" dst-address-list=LAN1 in-interface-list=WAN
add action=drop chain=prerouting comment="Block Forward to local LAN to WAN" dst-address-list=LAN2 in-interface-list=WAN
add action=drop chain=prerouting comment="Block Forward to local LAN to WAN" dst-address-list=LAN3 in-interface-list=WAN
add action=accept chain=prerouting comment="Allow traffic from allowed hosts" src-address-list=allowedHosts
# Depends on ddos-attackers / ddos-targets, which only the (never entered) detect-ddos
# chain would fill.
add action=drop chain=prerouting comment="Block traffic to DDoS targets, except from allowed hosts" dst-address-list=!allowedHosts src-address-list=ddos-attackers
add action=drop chain=prerouting comment="Block traffic to DDoS targets, except from allowed hosts" dst-address-list=ddos-targets src-address-list=!allowedHosts

No point in reading further. This tells me all I need to know: if this is an internet-facing device (one that gets a public IP), then your setup is flawed for security reasons.
If you want to config the router, use VPN to access the router then use winbox.

add action=accept chain=input port=8291 protocol=tcp

Yes, sorry, I had forgotten that, I had configured it as emergency access at the beginning and then deactivated it again.
Is the rest okay?

  1. Using the entry `add action=accept chain=input port=8291 protocol=tcp` is not safe. If there is a need to access Winbox from outside, it is safest to use a VPN connection. If a VPN seems too complicated, you can use address lists or interface lists to allow only specific IP addresses to reach your Winbox port. What does a firewall with address lists look like? I have written an example here: http://forum.mikrotik.com/t/l2tp-broken-after-router-swap/174277/2
    Maybe such information will be useful to you.
  2. The firewall itself is quite a large mix. It would be more correct to separate the “input” chain rules from the “forward” chain rules. The order of rules matters: firewall rules are evaluated from top to bottom. This affects both the stable flow of traffic and, of course, security.
    Port forward rules are usually put below the masquerade rule in the NAT section.

Well if all those subnets are local, why are you creating firewall list?
A. to identify single subnets in a config use src or dst address .0/24
B. to identify two or more subnets having similar traffic flow expectations use INTERFACE LISTS
C. to identify two or more external subnets (not known to the local router) use firewall address lists
D. to identify some users ( less than a subnet, or from various subnets ), WITHOUT or WITH any whole subnets USE: firewall address lists.

Overall, I cannot really help as you are concerned more with stopping traffic than focussing on what traffic flows your users need.
I am a minimalist so I tend simply to drop traffic at the end of both input and forward chain and dispense with what I call normally bloatware rules.

I actually got most of it from here: https://help.mikrotik.com/docs/display/ROS/Building+Advanced+Firewall.

If the firewall is perhaps better, I tried to rebuild it again and sorted it:

# Interface lists of the reworked configuration (membership is assigned below).
# NOTE(review): the list is named MGTM here while the matching address list below is
# MGMT; presumably a typo. They are independent objects, so nothing breaks, but the
# mismatch invites wrong references in later rules.
/interface list
add name=VLAN
add name=LAN
add name=WAN
add name=GUEST
add name=MGTM
add name=DMZ
add name=WIREGUARD

# Maps physical/VLAN interfaces to the lists above. The VLAN list gets no members here,
# and only VLAN_100 is in LAN although the LAN address list spans ten 10.50.x.0/24
# subnets - confirm which interfaces carry the other subnets.
/interface list member
add interface=WAN1 list=WAN
add interface=VLAN_99 list=MGTM
add interface=VLAN_100 list=LAN
add interface=VLAN_300 list=DMZ
add interface=VLAN_200 list=GUEST
add interface=wg0 list=WIREGUARD

# Address lists of the reworked configuration: MGMT, LAN and DMZ by subnet, plus the
# RouterOS default RFC 6890 lists and the allowedHosts / DDoS lists.
/ip firewall address-list
add address=10.50.99.0/24 list=MGMT
add address=10.50.50.0/24 list=LAN
add address=10.50.51.0/24 list=LAN
add address=10.50.52.0/24 list=DMZ
add address=10.50.53.0/24 list=LAN
add address=10.50.54.0/24 list=LAN
add address=10.50.55.0/24 list=LAN
add address=10.50.56.0/24 list=LAN
add address=10.50.57.0/24 list=LAN
add address=10.50.58.0/24 list=LAN
add address=10.50.59.0/24 list=LAN
add address=10.50.60.0/24 list=LAN
add address=0.0.0.0/8 comment="defconf: RFC6890" list=no_forward_ipv4
add address=169.254.0.0/16 comment="defconf: RFC6890" list=no_forward_ipv4
add address=224.0.0.0/4 comment="defconf: multicast" list=no_forward_ipv4
add address=255.255.255.255 comment="defconf: RFC6890" list=no_forward_ipv4
add address=127.0.0.0/8 comment="defconf: RFC6890" list=bad_ipv4
add address=192.0.0.0/24 comment="defconf: RFC6890" list=bad_ipv4
add address=192.0.2.0/24 comment="defconf: RFC6890 documentation" list=bad_ipv4
add address=198.51.100.0/24 comment="defconf: RFC6890 documentation" list=bad_ipv4
add address=203.0.113.0/24 comment="defconf: RFC6890 documentation" list=bad_ipv4
add address=240.0.0.0/4 comment="defconf: RFC6890 reserved" list=bad_ipv4
# NOTE(review): not_global_ipv4 contains 10.0.0.0/8 - all of MGMT, LAN and DMZ above.
# The filter rules below match this list in chain=forward without an interface
# restriction, which drops the router's own internal traffic; see the notes there.
add address=0.0.0.0/8 comment="defconf: RFC6890" list=not_global_ipv4
add address=10.0.0.0/8 comment="defconf: RFC6890" list=not_global_ipv4
add address=100.64.0.0/10 comment="defconf: RFC6890" list=not_global_ipv4
add address=169.254.0.0/16 comment="defconf: RFC6890" list=not_global_ipv4
add address=172.16.0.0/12 comment="defconf: RFC6890" list=not_global_ipv4
add address=192.0.0.0/29 comment="defconf: RFC6890" list=not_global_ipv4
add address=192.168.0.0/16 comment="defconf: RFC6890" list=not_global_ipv4
add address=198.18.0.0/15 comment="defconf: RFC6890 benchmark" list=not_global_ipv4
add address=255.255.255.255 comment="defconf: RFC6890" list=not_global_ipv4
# allowedHosts entries are DNS names the router resolves; membership follows the DNS
# answers the router receives.
add address=vpn01.testvpnit.de list=allowedHosts
add address=vpn02.testvpnit.de list=allowedHosts
add address=vpn03.testvpnit.de list=allowedHosts
# Filled dynamically by the detect-ddos chain; no rule in the filter export below jumps
# to that chain, so these stay empty unless the jump is configured elsewhere.
add list=ddos-attackers
add list=ddos-targets
add address=m.ittestvpn.de list=allowedHosts
add address=vpn.ittestvpn.de list=allowedHosts


# Filter rules of the reworked configuration. Rule order within a chain is evaluation order.
/ip firewall filter
# Default-configuration input prologue.
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment="defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
# Winbox restricted to sources in the LAN address list.
add action=accept chain=input dst-port=8291 protocol=tcp src-address-list=LAN
# NOTE(review): still accepts Winbox from any source (the "emergency" rule discussed in
# the thread). It carries no disabled=yes in this export and makes both the LAN
# restriction above and the BruteForce rules for 8291 below meaningless.
add action=accept chain=input port=8291 protocol=tcp
# Port 46821 (service not visible - confirm): same allowlist pattern as before, sources
# outside allowedHosts are listed in BruteForce and dropped by the following rule.
add action=add-src-to-address-list address-list=BruteForce address-list-timeout=1w chain=input connection-state=new dst-port=46821 protocol=tcp src-address-list=!allowedHosts
add action=drop chain=input dst-port=46821 protocol=tcp src-address-list=BruteForce
add action=accept chain=input dst-port=46821 protocol=tcp
# Duplicates of the first two input rules, then an unconditional drop of all new input.
# NOTE(review): every input rule below the drop (8291 BruteForce, WireGuard 40002, DNS from
# WIREGUARD/LAN/GUEST, the TCP sanity checks, "Drop all else") is unreachable for new
# connections, so WireGuard handshakes and client DNS queries to the router are dropped
# here. Move the intended accepts above it, or delete it and keep "Drop all else" at the end.
add action=accept chain=input connection-state=established,related
add action=drop chain=input connection-state=invalid
add action=drop chain=input connection-state=new
add action=add-src-to-address-list address-list=BruteForce address-list-timeout=1w chain=input connection-state=new dst-port=8291 protocol=tcp src-address-list=!allowedHosts
add action=drop chain=input dst-port=8291 protocol=tcp src-address-list=BruteForce
add action=accept chain=input dst-port=8291 protocol=tcp
add action=accept chain=input comment="defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=accept chain=input comment=Wireguard dst-port=40002 in-interface-list=WAN protocol=udp
add action=accept chain=input comment="Allow DNS from Wireguard Users" dst-port=53 in-interface-list=WIREGUARD protocol=udp
add action=accept chain=input comment="Allow DNS from Wireguard Users" dst-port=53 in-interface-list=WIREGUARD protocol=tcp
add action=accept chain=input comment="Allow LAN DNS queries - UDP" dst-port=53 in-interface-list=LAN protocol=udp
add action=accept chain=input comment="Allow LAN DNS queries - TCP" dst-port=53 in-interface-list=LAN protocol=tcp
add action=accept chain=input comment="Allow GUEST DNS queries - UDP" dst-port=53 in-interface-list=GUEST protocol=udp
add action=accept chain=input comment="Allow GUEST DNS queries - TCP" dst-port=53 in-interface-list=GUEST protocol=tcp
# TCP sanity / rate-limit checks. They sit after the drop-all-new rule, so in this order
# they only ever see packets that were already dropped or accepted above.
add action=drop chain=input comment="Block invalid TCP packets" connection-state=invalid protocol=tcp
add action=drop chain=input comment="Block new packets that are not SYN" connection-state=new protocol=tcp tcp-flags=!syn
add action=drop chain=input comment="Block unusual MSS packet values" connection-state=new protocol=tcp tcp-mss=!536-65535
add action=drop chain=input comment="Block Port Scans" protocol=tcp psd=20,3s,10,2
add action=drop chain=input comment="Block TCP RST Floods" limit=2,2:packet protocol=tcp tcp-flags=rst
add action=drop chain=input comment="Block ICMP Flood (Ping)" limit=!1,1:packet protocol=icmp
add action=drop chain=input comment="Block incoming from bad IPv4 addresses" src-address-list=bad_ipv4
# NOTE(review): not_global_ipv4 includes 10.0.0.0/8 and 192.168.0.0/16, i.e. all internal
# subnets of this router. Placed before the forward established and LAN->WAN accepts, the
# first rule drops every forwarded packet originating from MGMT/LAN/DMZ, and the second
# drops every packet whose destination is internal - including the dst-nat'ed TCP/443
# traffic to 10.50.52.2 (filter sees the translated address), which is why the port
# forward cannot work with these two rules in place. The default configuration applies this
# list only with in-interface-list=WAN in /ip firewall raw; add that match here or rely
# on the raw rule instead.
add action=drop chain=forward comment="Block forwarding from non-global IPv4" src-address-list=not_global_ipv4
add action=drop chain=forward comment="Block forwarding to non-global IPv4" dst-address-list=not_global_ipv4
add action=drop chain=input comment="Drop all else"
# detect-ddos user chain; nothing in this export jumps to it, so the ddos-* lists never fill.
add action=return chain=detect-ddos comment="Detect potential DDoS attacks" dst-limit=32,32,src-and-dst-addresses/10s
add action=add-dst-to-address-list address-list=ddos-targets address-list-timeout=10m chain=detect-ddos comment="Add potential targets to DDoS list"
add action=add-src-to-address-list address-list=ddos-attackers address-list-timeout=10m chain=detect-ddos comment="Add potential attackers to DDoS list"
add action=return chain=detect-ddos comment="Detect potential DDoS attacks (SYN/ACK)" dst-limit=32,32,src-and-dst-addresses/10s protocol=tcp tcp-flags=syn,ack
add action=accept chain=forward comment="defconf: accept established,related, untracked" connection-state=established,related,untracked
# Accepts new TCP/443 forwarding from any interface in any direction, ahead of the
# drop-invalid rule and wider than the dstnat accept below. With the not_global_ipv4 drops
# above it cannot be reached for internal destinations anyway.
add action=accept chain=forward dst-port=443 protocol=tcp
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=forward comment="Allow LAN to WAN internet traffic" in-interface-list=LAN out-interface-list=WAN
add action=accept chain=forward comment="Allow GUEST to WAN internet traffic" dst-port=80,443 in-interface-list=GUEST out-interface-list=WAN protocol=tcp
# Admits port-forwarded connections; this is the rule the 443 forward should be relying on.
add action=accept chain=forward comment="Allow destination NAT from WAN and LAN" connection-nat-state=dstnat
# Terminating drop for forward - every intended flow (e.g. MGMT/DMZ/WIREGUARD, which have
# no accept above) must be allowed before this line.
add action=drop chain=forward comment="Drop all else"
add action=drop chain=output comment="Block outgoing to bad IPv4 addresses" dst-address-list=bad_ipv4
# NAT rules of the reworked configuration (unchanged from the original export).
/ip firewall nat
# Port forward TCP/443 on WAN1 -> 10.50.52.2:443, logged with prefix "443". Useful for
# confirming whether the dstnat rule is hit at all while debugging; noisy otherwise.
# No hairpin NAT rule is present, so tests from inside the LAN via the WAN address fail.
add action=dst-nat chain=dstnat comment=10.50.52.2 dst-port=443 in-interface=WAN1 log=yes log-prefix=443 protocol=tcp to-addresses=10.50.52.2 to-ports=443
add action=masquerade chain=srcnat comment="Masquerade for WAN access" out-interface=WAN1
# Raw rules of the reworked configuration. The bogon / not_global_ipv4 raw drops of the
# default configuration were removed; only the DDoS drop remains, and it depends on the
# ddos-* lists that the never-entered detect-ddos chain would have to fill.
/ip firewall raw
add action=drop chain=prerouting comment="Block potential DDoS attacks" dst-address-list=ddos-targets src-address-list=ddos-attackers
# Disables the SIP connection-tracking helper (ALG); presumably because the VoIP
# equipment handles NAT traversal itself - confirm with the phone system's setup.
/ip firewall service-port set sip disabled=yes

Well, if you followed their guide, then there should be no issues; just make sure you copied it correctly.
I personally would not implement any rules I didn't understand, and that's another reason to start small, learn, and then add more if required.

https://help.mikrotik.com/docs/display/ROS/First+Time+Configuration