firewall configuration? (warning long post ahead..)

thankfully this forum is friendly so I will try to continue with my Mikrotik woes (the other problem I have is here)
the hardware: Mikrotik RB2011UiAS
RouterOS version: 6.30.4

  • on the Mikrotik there are two Nanostations M2 working as AP to 2.4 devices (laptops, smartphones etc. AirMAX off, 20MHz)
  • Nanostations are in bridge mode
    - Mikrotik is 192.168.1.10 (ether1) to Archer D2 and 192.168.20.1 to Nanostations.
    - Nanostation 1 is 192.168.20.2 in ether3 and Nanostation 2 is 192.168.20.3 in ether4

so some firewall rules were transferred from the Nanostation M2 that was acting as router, but they don’t seem to work correctly.
I will list the firewall rules in the Nanostation and the logic

(in the logic that they were executed from 1 → end)

  1. is DHCP request (from any IP to dest 255.255.255.255/32, ports 67,68 UDP) pass (otherwise in Nanostation they couldn’t get DHCP)

  2. is DNS to OpenDNS to the following IPs at port 53 (two rules one for TCP one for UDP) pass
    208.67.222.222
    208.67.220.220
    208.67.222.220
    208.67.222.123
    208.67.220.123
    208.67.220.222

  3. is ICMP pass

  4. all following ports pass from any src to any dst
    80 http TCP
    443 https TCP
    110 pop3 TCP
    25 smtp TCP/UDP (two rules)
    995 pop3s TCP
    143 imap TCP
    993 imaps TCP
    587 smtp TCP
    465 smtp TCP
    5223 apple notification TCP
    7777-7779 camera TCP
    123 ntp UDP
    5228-5230 Google notification TCP
    5222-5223 Whatsapp TCP
    5242-5243 Viber TCP/UDP (two rules)
    4244 Viber TCP/UDP (two rules)
    9785 Viber TCP/UDP (two rules)
    5938 Teamviewer TCP

  5. DROP p2p (had a rule like that in UBNT, anyway the technician that did the first setup added some extra rules in Mikrotik and Layer7 stuff)

  6. DROP anything else TCP/UDP (two rules) to port 53 (users can’t get their own dns, only OpenDNS allowed)

  7. DROP anything else in TCP/UDP (two rules)


They were transferred like this

/ip firewall layer7-protocol
add name=p2p_dns regexp="^.+(torrent|thepiratebay|isohunt|entertane|demonoid|btjunkie|mininova|flixflux|vertor|h33t|zoozle|bitnova|bitsoup|meganova|fulldls|btbot|fenopy|gpirate|commonbits).*$"
add name=p2p_www regexp="^.*(get|GET).+(torrent|thepiratebay|isohunt|entertane|demonoid|btjunkie|mininova|flixflux|vertor|h33t|zoozle|bitnova|bitsoup|meganova|fulldls|btbot|fenopy|gpirate|commonbits|wtorrentz|torrentz).*$"

/ip firewall filter
add chain=forward dst-address=255.255.255.255 dst-port=67-68 protocol=udp src-address=0.0.0.0
add chain=forward comment="openDNS Allow" dst-address=208.67.222.222 dst-port=53 protocol=tcp src-address=0.0.0.0/0
add chain=forward comment="openDNS Allow" dst-address=208.67.222.222 dst-port=53 protocol=udp src-address=0.0.0.0/0
add chain=forward comment="OpenDNS Allow" dst-address=208.67.220.220 dst-port=53 protocol=tcp src-address=0.0.0.0/0
add chain=forward comment="OpenDNS Allow" dst-address=208.67.220.220 dst-port=53 protocol=udp src-address=0.0.0.0/0
add chain=forward comment="open dns allow" dst-address=208.67.222.220 dst-port=53 protocol=tcp src-address=0.0.0.0/0
add chain=forward comment="open dns allow" dst-address=208.67.222.220 dst-port=53 protocol=udp src-address=0.0.0.0/0
add chain=forward comment="open dns allow" dst-address=208.67.222.123 dst-port=53 protocol=tcp src-address=0.0.0.0/0
add chain=forward comment="open dns allow" dst-address=208.67.222.123 dst-port=53 protocol=udp src-address=0.0.0.0/0
add chain=forward comment="open dns allow" dst-address=208.67.220.123 dst-port=53 protocol=tcp src-address=0.0.0.0/0
add chain=forward comment="open dns allow" dst-address=208.67.220.123 dst-port=53 protocol=udp src-address=0.0.0.0/0
add chain=forward comment="open dns allow" dst-address=208.67.220.222 dst-port=53 protocol=tcp src-address=0.0.0.0/0
add chain=forward comment="open dns allow" dst-address=208.67.220.222 dst-port=53 protocol=udp src-address=0.0.0.0/0
add chain=forward comment="ICMP allow" dst-address=0.0.0.0/0 protocol=icmp src-address=0.0.0.0/0
add chain=forward comment="ntp time service" dst-port=123 protocol=udp
add action=drop chain=forward layer7-protocol=p2p_www
add action=drop chain=forward dst-port=53 layer7-protocol=p2p_dns protocol=udp
add action=reject chain=forward p2p=all-p2p
add action=drop chain=forward layer7-protocol=p2p_dns src-address=192.168.20.0/24
add action=drop chain=forward layer7-protocol=p2p_www src-address=192.168.20.0/24
add action=drop chain=forward content=torrent src-address=192.168.20.0/24
add action=drop chain=forward content=tracker src-address=192.168.20.0/24
add action=drop chain=forward content=getpeers src-address=192.168.20.0/24
add action=drop chain=forward content=info_hash src-address=192.168.20.0/24
add action=drop chain=forward content=announce_peers src-address=192.168.20.0/24
add action=drop chain=forward p2p=all-p2p src-address=192.168.20.0/24
add chain=forward comment=http dst-port=80 protocol=tcp
add chain=forward comment=pop3 dst-port=110 protocol=tcp
add chain=forward comment=https dst-port=443 protocol=tcp
add chain=forward comment=smtp dst-port=25 protocol=tcp
add chain=forward comment=pop3-s dst-port=995 protocol=tcp
add chain=forward comment=imap dst-port=143 protocol=tcp
add chain=forward comment=imap-s dst-port=993 protocol=tcp
add chain=forward comment=smtp dst-port=587 protocol=tcp
add chain=forward comment="apple notification service" dst-port=5223 protocol=tcp
add chain=forward comment=camera dst-port=7777 protocol=tcp
add chain=forward comment=camera dst-port=7779 protocol=tcp
add chain=forward comment=camera dst-port=7778 protocol=tcp
add chain=forward comment=facetime disabled=yes dst-port=3478-3497 protocol=udp
add chain=forward comment=facetime disabled=yes dst-port=16384-16387 protocol=udp
add chain=forward comment=facetime disabled=yes dst-port=16393-16402 protocol=udp
add chain=forward comment=smtp dst-port=486 protocol=tcp
add chain=forward comment="Google GCM" dst-port=5228-5230 protocol=tcp
add chain=forward comment=whatsapp dst-port=5222-5223 protocol=tcp
add chain=forward comment=viber dst-port=5242-5243 protocol=tcp
add chain=forward comment=viber dst-port=5242-5243 protocol=udp
add chain=forward comment=viber dst-port=4244 protocol=tcp
add chain=forward comment=viber dst-port=4244 protocol=udp
add chain=forward comment=viber dst-port=9785 protocol=tcp
add chain=forward comment=viber dst-port=9785 protocol=udp
add chain=forward comment=teamviewer dst-port=5938 protocol=tcp
add action=reject chain=forward dst-port=51413 protocol=tcp
add action=reject chain=forward dst-port=51413 protocol=udp
add action=reject chain=forward protocol=tcp src-port=51413
add action=reject chain=forward protocol=udp src-port=51413
add action=drop chain=forward dst-address=0.0.0.0/0 dst-port=53 protocol=tcp src-address=0.0.0.0/0
add action=drop chain=forward dst-address=0.0.0.0/0 dst-port=53 protocol=udp src-address=0.0.0.0/0
add action=drop chain=forward protocol=udp
add action=drop chain=forward protocol=udp


Which must be wrong.. either they are not executed in order or something else. Because 1. for example NTP requests at port 123 don’t pass
or 2. even worse, the last two rules are wrong
add action=drop chain=forward protocol=udp
add action=drop chain=forward protocol=udp
since they should be tcp and udp, BUT if I turn one of them to TCP no one has internet.. :confused:

well, after a lot of trial and error, this seems to work

/ip firewall address-list
add address=192.168.20.4-192.168.20.254 list=clients
/ip firewall filter
add chain=forward dst-address=255.255.255.255 dst-port=67-68 protocol=udp
add chain=forward comment="openDNS Allow" dst-address=208.67.222.222 dst-port=53 protocol=tcp
add chain=forward comment="openDNS Allow" dst-address=208.67.222.222 dst-port=53 protocol=udp
add chain=forward comment="OpenDNS Allow" dst-address=208.67.220.220 dst-port=53 protocol=tcp
add chain=forward comment="OpenDNS Allow" dst-address=208.67.220.220 dst-port=53 protocol=udp
add chain=forward comment="open dns allow" dst-address=208.67.222.220 dst-port=53 protocol=tcp
add chain=forward comment="open dns allow" dst-address=208.67.222.220 dst-port=53 protocol=udp
add chain=forward comment="open dns allow" dst-address=208.67.222.123 dst-port=53 protocol=tcp
add chain=forward comment="open dns allow" dst-address=208.67.222.123 dst-port=53 protocol=udp
add chain=forward comment="open dns allow" dst-address=208.67.220.123 dst-port=53 protocol=tcp
add chain=forward comment="open dns allow" dst-address=208.67.220.123 dst-port=53 protocol=udp
add chain=forward comment="open dns allow" dst-address=208.67.220.222 dst-port=53 protocol=tcp
add chain=forward comment="open dns allow" dst-address=208.67.220.222 dst-port=53 protocol=udp
add chain=forward comment="ICMP allow" protocol=icmp
add action=drop chain=forward layer7-protocol=p2p_www
add action=drop chain=forward dst-port=53 layer7-protocol=p2p_dns protocol=udp
add action=reject chain=forward p2p=all-p2p
add action=drop chain=forward layer7-protocol=p2p_dns src-address=192.168.20.0/24
add action=drop chain=forward layer7-protocol=p2p_www src-address=192.168.20.0/24
add action=drop chain=forward content=torrent src-address=192.168.20.0/24
add action=drop chain=forward content=tracker src-address=192.168.20.0/24
add action=drop chain=forward content=getpeers src-address=192.168.20.0/24
add action=drop chain=forward content=info_hash src-address=192.168.20.0/24
add action=drop chain=forward content=announce_peers src-address=192.168.20.0/24
add action=drop chain=forward p2p=all-p2p src-address=192.168.20.0/24
add chain=forward comment="ntp time service" dst-port=123 protocol=udp
add chain=forward comment="ntp time service" dst-port=123 protocol=tcp
add chain=forward comment=http dst-port=80 protocol=tcp
add chain=forward comment=http disabled=yes dst-port=8081 protocol=tcp
add chain=forward comment=http disabled=yes dst-port=8080 protocol=tcp
add chain=forward comment=pop3 dst-port=110 protocol=tcp
add chain=forward comment=https dst-port=443 protocol=tcp
add chain=forward comment=smtp dst-port=25 protocol=tcp
add chain=forward comment=pop3-s dst-port=995 protocol=tcp
add chain=forward comment=imap dst-port=143 protocol=tcp
add chain=forward comment=imap-s dst-port=993 protocol=tcp
add chain=forward comment=smtp dst-port=587 protocol=tcp
add chain=forward comment="apple notification service" dst-port=5223 protocol=tcp
add chain=forward comment=camera dst-port=7777 protocol=tcp
add chain=forward comment=camera dst-port=7779 protocol=tcp
add chain=forward comment=camera dst-port=7778 protocol=tcp
add chain=forward comment=smtp dst-port=486 protocol=tcp
add chain=forward comment="Google GCM" dst-port=5228-5230 protocol=tcp
add chain=forward comment=whatsapp dst-port=5222-5223 protocol=tcp
add chain=forward comment=viber dst-port=5242-5243 protocol=tcp
add chain=forward comment=viber dst-port=5242-5243 protocol=udp
add chain=forward comment=viber dst-port=4244 protocol=tcp
add chain=forward comment=viber dst-port=4244 protocol=udp
add chain=forward comment=viber dst-port=9785 protocol=tcp
add chain=forward comment=viber dst-port=9785 protocol=udp
add chain=forward comment=teamviewer dst-port=5938 protocol=tcp
add action=reject chain=forward dst-port=51413 protocol=tcp
add action=reject chain=forward dst-port=51413 protocol=udp
add action=reject chain=forward protocol=tcp src-port=51413
add action=reject chain=forward protocol=udp src-port=51413
add action=drop chain=forward dst-port=53 protocol=tcp
add action=drop chain=forward dst-port=53 protocol=udp
add action=drop chain=forward comment="drop everything else for clients Address List TCP" protocol=tcp src-address-list=clients
add action=drop chain=forward comment="drop everything else for clients Address List UDP" protocol=udp src-address-list=clients


The list clients (192.168.20.4-192.168.20.254) is because I want to access the Nanostations from outside the Mikrotik (from 192.168.1.x addresses) and if I put 192.168.20.0/24 that didn’t work.

If you see something terribly wrong please tell me.

One problem is left. I don’t know if the NTP rules work.. it seems to work after I also added a TCP rule, which is not what I knew.. for example my phone can get NTP time now, but the Nanostations still can’t get NTP time..

Hi

You can combine such rules

add chain=forward comment=camera dst-port=7777 protocol=tcp
add chain=forward comment=camera dst-port=7779 protocol=tcp
add chain=forward comment=camera dst-port=7778 protocol=tcp

to

add chain=forward comment=camera dst-port=7777,7778,7779 protocol=tcp

or

add chain=forward comment=camera dst-port=7777-7779 protocol=tcp

These ones … prepare address list with allowed destination addresses and then

add chain=forward comment="openDNS Allow" dst-address=208.67.222.222 dst-port=53 protocol=tcp
add chain=forward comment="openDNS Allow" dst-address=208.67.222.222 dst-port=53 protocol=udp
add chain=forward comment="OpenDNS Allow" dst-address=208.67.220.220 dst-port=53 protocol=tcp
......
add chain=forward comment="open dns allow" dst-address=208.67.220.222 dst-port=53 protocol=udp

to

add chain=forward comment="openDNS Allow" dst-address-list=ALLOWED_DNS_DEST dst-port=53 protocol=udp
add chain=forward comment="OpenDNS Allow" dst-address-list=ALLOWED_DNS_DEST dst-port=53 protocol=tcp

These

add chain=forward comment=http disabled=yes dst-port=8081 protocol=tcp
add chain=forward comment=http disabled=yes dst-port=8080 protocol=tcp

to

add chain=forward comment=http disabled=yes dst-port=8080,8081 protocol=tcp

and so on …

I think your main issue is that you should have a rule to accept all packets from already established connections

/ip firewall filter add chain=forward action=accept connection-state=established,related

at the beginning of the chain.

That’s because the rules are applied to each packet and not to each connection …
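To make the two points of this reply concrete (port lists and address lists collapse many rules into one, and filter rules are matched per packet, top to bottom, so an accept for established,related traffic belongs at the top), here is an added Python model of RouterOS filter evaluation. It is not code from MikroTik or from anyone in this thread. The config, the client and server addresses and the packets are constructed for the example, and only the matchers that appear in the thread's rules are implemented; layer7, p2p and content matchers raise an error rather than being silently ignored. The constructed config ends with the plain per-protocol catch-all drops from the first attempt above so the effect on return traffic is visible.

```python
"""Model of RouterOS '/ip firewall filter' evaluation: rules are tried per
packet, top to bottom, and the first matching rule's action decides.
Added example for this thread, not code from MikroTik or from the posters."""
import ipaddress
import shlex

# Matchers modelled here; anything else (layer7-protocol, p2p, content) is rejected.
SUPPORTED = {"chain", "action", "comment", "disabled", "protocol", "dst-port",
             "src-port", "dst-address", "src-address", "dst-address-list",
             "src-address-list", "connection-state"}


def parse_ports(spec):
    """RouterOS port spec: '53', '67-68' or '7777,7778,7779' -> set of ints."""
    ports = set()
    for part in spec.split(","):
        lo, _, hi = part.partition("-")
        ports.update(range(int(lo), int(hi or lo) + 1))
    return ports


def ip_in(spec, ip):
    """spec is a host, a CIDR, or a RouterOS range 'a.b.c.d-e.f.g.h'."""
    addr = ipaddress.ip_address(ip)
    if "-" in spec:
        lo, hi = (ipaddress.ip_address(p) for p in spec.split("-"))
        return lo <= addr <= hi
    return addr in ipaddress.ip_network(spec, strict=False)


def parse_config(text):
    """Parse address-list and filter 'add ...' lines from export-style text.
    Returns (rules, address_lists)."""
    rules, lists, section = [], {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("/"):
            section = line
        elif line.startswith("add "):
            kv = dict(tok.partition("=")[::2] for tok in shlex.split(line[4:]))
            if section == "/ip firewall address-list":
                lists.setdefault(kv["list"], []).append(kv["address"])
            elif section == "/ip firewall filter":
                unknown = set(kv) - SUPPORTED
                if unknown:
                    raise ValueError(f"unsupported matcher(s) {unknown}: {line}")
                rules.append(kv)
    return rules, lists


def matches(rule, lists, pkt):
    """True if every matcher on the rule holds for this packet."""
    if rule.get("disabled") == "yes" or rule.get("chain") != pkt["chain"]:
        return False
    if "protocol" in rule and rule["protocol"] != pkt["proto"]:
        return False
    for key, field in (("dst-port", "dport"), ("src-port", "sport")):
        if key in rule and (pkt[field] is None or pkt[field] not in parse_ports(rule[key])):
            return False
    for key, field in (("dst-address", "dst"), ("src-address", "src")):
        if key in rule and not ip_in(rule[key], pkt[field]):
            return False
    for key, field in (("dst-address-list", "dst"), ("src-address-list", "src")):
        if key in rule and not any(ip_in(e, pkt[field]) for e in lists.get(rule[key], [])):
            return False
    if "connection-state" in rule and pkt["state"] not in rule["connection-state"].split(","):
        return False
    return True


def evaluate(rules, lists, pkt):
    """(action, index) of the first matching rule; a packet that matches no
    rule is accepted by RouterOS, reported here as ('accept', None)."""
    for i, rule in enumerate(rules):
        if matches(rule, lists, pkt):
            return rule.get("action", "accept"), i
    return "accept", None


# Constructed config in the style of the thread: established/related accept first,
# DNS destinations and ports collapsed into lists, plain catch-all drops last.
CONFIG = """
/ip firewall address-list
add address=208.67.222.222 list=ALLOWED_DNS_DEST
add address=208.67.220.220 list=ALLOWED_DNS_DEST
add address=192.168.20.4-192.168.20.254 list=clients
/ip firewall filter
add chain=forward action=accept connection-state=established,related
add chain=forward dst-address=255.255.255.255 dst-port=67-68 protocol=udp
add chain=forward comment="OpenDNS allow" dst-address-list=ALLOWED_DNS_DEST dst-port=53 protocol=udp
add chain=forward comment="OpenDNS allow" dst-address-list=ALLOWED_DNS_DEST dst-port=53 protocol=tcp
add chain=forward comment="ICMP allow" protocol=icmp
add chain=forward comment="ntp time service" dst-port=123 protocol=udp
add chain=forward comment=camera dst-port=7777-7779 protocol=tcp
add chain=forward comment=web dst-port=80,443 protocol=tcp
add action=drop chain=forward comment="no other DNS" dst-port=53 protocol=tcp
add action=drop chain=forward comment="no other DNS" dst-port=53 protocol=udp
add action=drop chain=forward comment="drop everything else TCP" protocol=tcp
add action=drop chain=forward comment="drop everything else UDP" protocol=udp
"""


def pkt(proto, src, dst, dport=None, sport=None, state="new"):
    return {"chain": "forward", "proto": proto, "src": src, "dst": dst,
            "dport": dport, "sport": sport, "state": state}


CLIENT = "192.168.20.50"   # constructed client behind the Nanostation
PACKETS = {  # constructed sample packets, all seen in the forward chain
    "dns_opendns": pkt("udp", CLIENT, "208.67.222.222", dport=53, sport=40001),
    "dns_other":   pkt("udp", CLIENT, "8.8.8.8", dport=53, sport=40002),
    "camera":      pkt("tcp", CLIENT, "203.0.113.9", dport=7778, sport=40003),
    "ssh_out":     pkt("tcp", CLIENT, "203.0.113.9", dport=22, sport=40004),
    "ntp_out":     pkt("udp", CLIENT, "203.0.113.7", dport=123, sport=40005),
    # the server's answer to ntp_out: ports swapped, conntrack says established
    "ntp_reply":   pkt("udp", "203.0.113.7", CLIENT, dport=40005, sport=123,
                       state="established"),
}

if __name__ == "__main__":
    rules, lists = parse_config(CONFIG)
    for label, ruleset in (("with", rules), ("without", rules[1:])):
        print(f"--- {label} the established,related accept on top")
        for name, p in PACKETS.items():
            action, idx = evaluate(ruleset, lists, p)
            hit = ruleset[idx].get("comment", "") if idx is not None else "(default)"
            print(f"{name:12} {action:6} rule {idx} {hit}")
```

Running the block prints the first matching rule for each packet, once with and once without the established,related accept. The client's NTP request is accepted by the port 123 rule either way, but the server's reply packet (source port 123, destination port 40005) matches no allow rule: with the accept on top it is taken by rule 0, without it the same packet falls through to the final UDP drop. That is what "applied to each packet and not to each connection" means for the rule set in this thread.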

right! will do! it’s my third day with the MT.. :slight_smile:

I added that to the top of my rules but then anything passed and nothing was filtered from the rest of the rules.. :confused: