Firewall ether1 - pppoe - vlan7

Hello,

I’m relatively new to MikroTik and trying to get into the firewall topic at the moment. It is clear to me that I should try to stay with the default firewall settings.

However, just for my understanding:
My MikroTik router is connected via its Ethernet port 1 to a Draytek DSL modem.
So I have the hardware interface ether1 on which pppoe is running which uses VLAN7 (Telekom) to get Internet access.

  • Would it be correct to handle both VLAN7 and PPPoE as untrusted (maybe creating an interface list “WAN” with both interfaces), because VLAN7 is the Internet and the other endpoint of my PPPoE connection is at my provider?


  • What about the ether1 interface? Should this also be handled as completely untrusted? Beside transporting the VLAN7 & PPPoE, this interface should be used to connect to the Admin interface of the Draytek modem. How would you handle this?

Currently, I cannot provide an export of my configuration, because I am just trying to understand the basics.

Thanks a lot in advance,

Thomas

Good day,

Am I correct in saying that your DSL modem is connecting to port 1 on the MikroTik, VLAN7 has been assigned to the interface, and VLAN7 is the interface for the PPPoE?

If this is the case I would say only worry about VLAN7 and the PPPoE.

Add vlan7 and the pppoe into your WAN interface list, then disable neighbour discovery for that address list.

The first things you want to do for a MikroTik that is getting a public IP address are:

  • Update to the latest long-term or stable release.
  • Update the firmware.
  • Configure your IP services so only allowed addresses or subnets are allowed to access the router.
  • Set up firewall rules on the input chain for the WAN interface list that will drop incoming traffic like SSH, WinBox, etc.
  • If you are using your MikroTik as a DNS server, also add a rule to drop incoming DNS requests so you do not become an open resolver.
  • If you are not using the Tik as a DNS server, go to IP → DNS and disable "allow remote requests".

If you have any other questions feel free to post them; the community is always eager to help new users.

It is the other way around. The DSL modem is connected to port 1 of the MikroTik. PPPoE is assigned to the interface and PPPoE is the interface for VLAN7.
But this changes nothing from the result of your answer. Both PPPoE and VLAN7 are untrusted.

Thanks for your help.

I would add all untrusted interfaces into a dedicated list e.g. WAN.

There is nothing special about the WAN list, be it ether1, vlan7, or the pppoe-name provided.
If not sure put all three on an interface list WAN.

The point being WAN is WAN, it's a public-facing connection, calling it untrusted is not necessary.
What is more important is declaring what's untrusted ON the INSIDE of the router such as guest networks for wifi, IoT devices, MEDIA devices etc.
Those should be put on VLANs. In this way all VLANs are segregated from each other (and assumed not trusted). Thus all subnets are blocked from each other at layer 2, and one needs to do the same on the firewall rules to block at layer 3. One uses a trusted interface list to identify what is trusted; the rest are not … simple!

vlan10-home
vlan20-guest wifi
vlan30-iot devices
vlan40-media devices

/interface list
add name=WAN
add name=LAN
add name=MGMT
/interface list member
add interface=pppoe-name list=WAN
add interface=vlan7 list=WAN
add interface=ether1 list=WAN
add interface=vlan10-home list=LAN
add interface=vlan20-guest list=LAN
add interface=vlan30-iot list=LAN
add interface=vlan40-media list=LAN
add interface=vlan10-home list=MGMT
add interface=wireguard1 list=MGMT

/ip neighbor discovery-settings
set discover-interface-list=MGMT
/tool mac-server mac-winbox
set allowed-interface-list=MGMT

Firewall rules… Only the admin on the trusted interface needs access to the router…
(input chain)
/ip firewall filter
add action=accept chain=input comment="Allow ADMIN to Router" in-interface-list=MGMT src-address-list=AdminAccess
add action=accept chain=input comment="Allow LAN DNS queries - TCP" connection-state=new dst-port=53,123 in-interface-list=LAN protocol=tcp
add action=accept chain=input comment="Allow LAN DNS queries - UDP" connection-state=new dst-port=53 in-interface-list=LAN protocol=udp
add action=drop chain=input comment="Drop All Else"

where one has a firewall address list of statically set “fixed” LANIP leases called AdminAccess:
/ip firewall address-list
add address=IP_Admin_desktop list=AdminAccess
add address=IP_Admin_laptop-wired list=AdminAccess
add address=IP_Admin_laptop-wifi list=AdminAccess
add address=IP_Admin_iphone/ipad-wifi list=AdminAccess
add address=IP_Admin_laptop-remote list=AdminAccess comment=wireguard
add address=IP_Admin_iphone/ipad-remote list=AdminAccess comment=wireguard

Firewall rules… All need access to internet, no one needs access to other vlans…
(forward chain)
/ip firewall filter
add action=accept chain=forward comment="allow VLANS to WAN" in-interface-list=LAN out-interface-list=WAN
add action=accept chain=forward comment="Port Forwarding" connection-nat-state=dstnat
add action=drop chain=forward comment="DROP ALL other FORWARD traffic"

With these forward chain rules all vlans are blocked from each other…
If you need to punch holes to a shared device, or want to allow admin to access other vlans, easy to put applicable accept rules prior to the last drop rule.

++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Basically the rule of thumb is that if you have two or more subnets that require firewall rules (be it originating traffic or receiving traffic), it is easiest to create a specific interface to combine them.
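The "punch holes before the final drop" approach above, carried through for three cases: admin hosts reaching every VLAN, the home VLAN reaching a shared printer on the IoT VLAN, and (the question from the opening post) reaching the Draytek modem's admin page over ether1 while ether1 stays in the WAN list. This is an added example, not the poster's config; VLAN names follow the post, while the addresses (192.168.30.10 for the printer, 192.168.1.0/24 as the modem's management subnet with the modem at 192.168.1.1) and the port numbers are assumptions.

```routeros
# Added example: forward chain with accept "holes" placed above the final drop.
# Addresses and ports below are assumed values, not from the thread.

/ip firewall filter
# Return traffic must be accepted here, otherwise the LAN->WAN accept below is one-way
add chain=forward action=accept connection-state=established,related,untracked comment="accept established/related"
add chain=forward action=drop connection-state=invalid comment="drop invalid"

# Holes: each one is evaluated before the drop at the end of the chain
add chain=forward action=accept src-address-list=AdminAccess in-interface-list=MGMT out-interface-list=LAN comment="admin hosts may reach every VLAN"
add chain=forward action=accept in-interface=vlan10-home dst-address=192.168.30.10 protocol=tcp dst-port=631,9100 comment="home VLAN may print on IoT VLAN (assumed printer address)"
add chain=forward action=accept in-interface=vlan10-home out-interface=ether1 dst-address=192.168.1.1 protocol=tcp dst-port=443 comment="home VLAN may open modem admin page (assumed modem address)"

# The post's own rules, unchanged, close the chain
add chain=forward action=accept in-interface-list=LAN out-interface-list=WAN comment="allow VLANS to WAN"
add chain=forward action=accept connection-nat-state=dstnat comment="Port Forwarding"
add chain=forward action=drop comment="DROP ALL other FORWARD traffic"

# Reaching the modem needs an address on the untagged ether1 link plus source NAT,
# so the modem sees the router's own address instead of an unrouted VLAN subnet
/ip address
add address=192.168.1.2/24 interface=ether1 comment="link to modem admin interface (assumed subnet)"
/ip firewall nat
add chain=srcnat action=masquerade out-interface=ether1 dst-address=192.168.1.0/24 comment="NAT toward modem only"
```

Two points worth checking after pasting: the rule order (use `/ip firewall filter print` and make sure each hole sits above the final drop, moving it with `move` if needed), and that the srcnat rule is limited by `dst-address` so that it only rewrites traffic toward the modem's subnet and never the PPPoE traffic that also leaves through ether1 inside VLAN7.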