Hello,
I’d love it if someone (or more than one) could look over my firewall before I put it into “production” (i.e. stop using double NAT at home). I’m most concerned with inadvertently allowing access from the WAN side. WireGuard is the only “hole” I have in this regard. Here are the relevant bits:
# Interface layer: one WireGuard tunnel, four VLANs on the bridge, and the
# three interface lists (WAN / LAN / MANAGE) that the filter rules below key off.
/interface wireguard
add listen-port=13231 mtu=1420 name=wireguard1
/interface vlan
add interface=bridge name=GuestVLAN vlan-id=30
add interface=bridge name=HomeVLAN vlan-id=10
add interface=bridge name=IOTVLAN vlan-id=40
add interface=bridge name=MgmtVLAN vlan-id=20
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
add name=MANAGE
/interface bridge vlan
# All four VLANs are tagged on the bridge itself (so the router's own VLAN
# interfaces above see them) and on ether1-3/sfp1 as trunk ports.
# NOTE(review): these entries only take effect if the bridge has
# vlan-filtering=yes; the /interface bridge section is not shown here - confirm.
add bridge=bridge tagged=bridge,ether1,ether2,ether3,sfp1 vlan-ids=10
add bridge=bridge tagged=bridge,ether1,ether2,ether3,sfp1 vlan-ids=20
add bridge=bridge tagged=bridge,ether1,ether2,ether3,sfp1 vlan-ids=30
add bridge=bridge tagged=bridge,ether1,ether2,ether3,sfp1 vlan-ids=40
/interface list member
# WAN = ether5 only.  LAN = ether4, Home/Mgmt/Guest VLANs and the tunnel.
# MANAGE = MgmtVLAN, ether4 (rescue port) and the tunnel.
# NOTE(review): IOTVLAN is a member of no list at all. With the filter rules
# as written that means IoT hosts get no router DNS (the DNS input rules are
# LAN-only), no internet (the forward rule is LAN->WAN), and on IPv6 are
# dropped as "!LAN". Deliberate isolation, or an oversight?
# NOTE(review): wireguard1 being on LAN also gives tunnel peers internet
# egress through the LAN->WAN forward rule - fine if the phone is meant to
# tunnel all of its traffic, worth knowing if not.
add interface=ether5 list=WAN
add interface=ether4 list=LAN
add interface=HomeVLAN list=LAN
add interface=MgmtVLAN list=LAN
add interface=GuestVLAN list=LAN
add interface=MgmtVLAN list=MANAGE
add interface=ether4 list=MANAGE
add interface=wireguard1 list=LAN
add interface=wireguard1 list=MANAGE
/interface wireguard peers
# Single peer, pinned to one /32 inside the 192.168.100.0/24 tunnel network;
# packets from any other source address inside the tunnel are not accepted.
add allowed-address=192.168.100.2/32 comment="iPhone" interface=wireguard1 persistent-keepalive=30s public-key=\
"blahblahblahblah"
/ip address
# One /24 per VLAN, a standalone /24 on ether4 for out-of-band recovery,
# and the tunnel /24 that the WireGuard peer's /32 lives in.
add address=192.168.10.1/24 interface=HomeVLAN network=192.168.10.0
add address=192.168.20.1/24 interface=MgmtVLAN network=192.168.20.0
add address=192.168.30.1/24 interface=GuestVLAN network=192.168.30.0
add address=192.168.99.1/24 interface=ether4 network=192.168.99.0 # for when I break things
add address=192.168.40.1/24 interface=IOTVLAN network=192.168.40.0
add address=192.168.100.1/24 interface=wireguard1 network=192.168.100.0
/ip dhcp-client
# WAN address comes from the upstream via DHCP on ether5.
add interface=ether5
/ip firewall filter
# ---- input chain: traffic addressed to the router itself ----
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment="defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
# NOTE(review): answering the inline question - this rule is NOT redundant.
# The established/related rule above only matches packets of a connection
# that has already been accepted once; the first (new) packet of every
# management session (e.g. https to the router from MgmtVLAN, ether4 or the
# tunnel) is accepted only here. On the tunnel side, only packets that
# decrypted against a configured peer key ever appear on wireguard1, so via
# the tunnel this exposes management to valid peers only. (The inline
# comment says wireguard0; the interface is named wireguard1.)
add action=accept chain=input comment="Allow all management traffic" in-interface-list=MANAGE # wireguard0 is on the MANAGE list. But only authenticated traffic gets to the wireguard0 interface, right? Also, is this rule redundant? After initial connection, will traffic go through established rule?
# Router-hosted DNS, LAN-list interfaces only (IOTVLAN is not on LAN).
add action=accept chain=input comment="Allow UDP DNS" dst-port=53 in-interface-list=LAN protocol=udp
add action=accept chain=input comment="Allow TCP DNS" dst-port=53 in-interface-list=LAN protocol=tcp
# The single WAN-facing opening: new UDP to the WireGuard listen port.
# NOTE(review): log=yes here logs every unsolicited probe of that port from
# the internet, not just real handshakes; consider removing it once the
# tunnel is confirmed working.
add action=accept chain=input comment="allow wireguard connections" dst-port=13231 in-interface-list=WAN log=yes protocol=udp
# NOTE(review): log=yes on the catch-all drop records all WAN scans too -
# useful while shaking this out, noisy long-term.
add action=drop chain=input comment="drop all else" log=yes
# ---- forward chain: traffic routed through the router ----
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related hw-offload=yes
add action=accept chain=forward comment="defconf: accept established,related, untracked" connection-state=established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
# LAN-list interfaces (including wireguard1) to the internet. Inter-VLAN
# traffic is not matched here (out-interface is not WAN), so Guest/Home/IoT
# stay isolated from each other except as allowed by the rules below.
add action=accept chain=forward comment="allow internet access on LAN" in-interface-list=LAN out-interface-list=WAN
# One-way: Mgmt may initiate to Home; replies return via established/related.
add action=accept chain=forward comment="allow management to home" in-interface=MgmtVLAN out-interface=HomeVLAN
# NOTE(review): matches nothing today (no dst-nat rules in /ip firewall nat
# as listed), but any dst-nat rule added later is automatically allowed
# through here without a corresponding filter rule.
add action=accept chain=forward comment="allow port forwarding" connection-nat-state=dstnat
# Tunnel peers may initiate to MANAGE members (MgmtVLAN, ether4, and
# wireguard1 itself). They cannot reach HomeVLAN/GuestVLAN/IOTVLAN: no rule
# matches, so the final drop applies.
add action=accept chain=forward comment="allow wireguard to MGMT" in-interface=wireguard1 log=yes out-interface-list=MANAGE
add action=drop chain=forward comment="drop all else"
/ip firewall nat
# Only source NAT toward WAN; no dst-nat (port forwards) defined here.
add action=masquerade chain=srcnat comment="defconf: masquerade" ipsec-policy=out,none out-interface-list=WAN
/ip route
# Blackhole the RFC1918 aggregates so packets for private ranges with no
# more-specific route are discarded instead of leaving via the default route.
# The connected /24s above are more specific and still win.
add blackhole disabled=no dst-address=192.168.0.0/16
add blackhole disabled=no dst-address=172.16.0.0/12
add blackhole disabled=no dst-address=10.0.0.0/8
/ip service
# Management surface: only www-ssl enabled, and only from Mgmt, the ether4
# rescue net and the tunnel subnet. Combined with the MANAGE input rule this
# is what a tunnel peer can actually reach on the router.
# NOTE(review): ssh is not listed in this section - confirm it is either
# disabled or address-restricted the same way as www-ssl.
set telnet disabled=yes
set ftp disabled=yes
set www address=192.168.20.0/24,192.168.99.0/24 disabled=yes
set www-ssl address=192.168.20.0/24,192.168.99.0/24,192.168.100.0/24 certificate=full-chain disabled=no tls-version=only-1.2
set api disabled=yes
set winbox disabled=yes
set api-ssl disabled=yes
/ipv6 firewall address-list
# defconf bogon list used by the forward chain below.
add address=::/128 comment="defconf: unspecified address" list=bad_ipv6
add address=::1/128 comment="defconf: lo" list=bad_ipv6
add address=fec0::/10 comment="defconf: site-local" list=bad_ipv6
add address=::ffff:0.0.0.0/96 comment="defconf: ipv4-mapped" list=bad_ipv6
add address=::/96 comment="defconf: ipv4 compat" list=bad_ipv6
add address=100::/64 comment="defconf: discard only " list=bad_ipv6
add address=2001:db8::/32 comment="defconf: documentation" list=bad_ipv6
add address=2001:10::/28 comment="defconf: ORCHID" list=bad_ipv6
add address=3ffe::/16 comment="defconf: 6bone" list=bad_ipv6
/ipv6 firewall filter
# NOTE(review): this is still the untouched defconf IPv6 firewall, and it is
# much looser than the IPv4 one above. No /ipv6 address or dhcp-client is
# shown, so it may be moot until IPv6 is enabled - but if it is:
#  - input accepts everything from any LAN-list interface (only !LAN is
#    dropped), with no per-service restriction like the IPv4 chain has;
#  - forward has no inter-VLAN isolation: any LAN-list interface can reach
#    any other (Guest->Home, etc.), unlike the IPv4 LAN->WAN / Mgmt->Home /
#    wg->MANAGE rules;
#  - IKE (UDP 500/4500), AH and ESP are accepted from any source including
#    WAN in both chains, whereas the IPv4 chain does not accept them at all.
# ---- input chain ----
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=input comment="defconf: accept ICMPv6" protocol=icmpv6
add action=accept chain=input comment="defconf: accept UDP traceroute" port=33434-33534 protocol=udp
add action=accept chain=input comment="defconf: accept DHCPv6-Client prefix delegation." dst-port=546 protocol=udp src-address=fe80::/10
add action=accept chain=input comment="defconf: accept IKE" dst-port=500,4500 protocol=udp
add action=accept chain=input comment="defconf: accept ipsec AH" protocol=ipsec-ah
add action=accept chain=input comment="defconf: accept ipsec ESP" protocol=ipsec-esp
add action=accept chain=input comment="defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
# Everything from a LAN-list interface is accepted by falling off the end;
# IOTVLAN is not on LAN and so is dropped here.
add action=drop chain=input comment="defconf: drop everything else not coming from LAN" in-interface-list=!LAN
# ---- forward chain ----
add action=accept chain=forward comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
add action=drop chain=forward comment="defconf: drop packets with bad src ipv6" src-address-list=bad_ipv6
add action=drop chain=forward comment="defconf: drop packets with bad dst ipv6" dst-address-list=bad_ipv6
add action=drop chain=forward comment="defconf: rfc4890 drop hop-limit=1" hop-limit=equal:1 protocol=icmpv6
# ICMPv6 is forwarded from any interface, WAN included (defconf).
add action=accept chain=forward comment="defconf: accept ICMPv6" protocol=icmpv6
add action=accept chain=forward comment="defconf: accept HIP" protocol=139
add action=accept chain=forward comment="defconf: accept IKE" dst-port=500,4500 protocol=udp
add action=accept chain=forward comment="defconf: accept ipsec AH" protocol=ipsec-ah
add action=accept chain=forward comment="defconf: accept ipsec ESP" protocol=ipsec-esp
add action=accept chain=forward comment="defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
# Only the non-LAN side is dropped; LAN-to-LAN forwarding is implicitly accepted.
add action=drop chain=forward comment="defconf: drop everything else not coming from LAN" in-interface-list=!LAN
Thanks!