Firewall for public IP subnet and LAN

My router seems to be working, but not exactly as intended, and I don’t understand how it is working at all! Can anyone explain please?

The WAN port is connected to the internet via a Draytek Vigor 167, and ether5 is connected to a switch that has a number of servers configured with IP addresses in my public IP subnet. Ether1 and ether5 are grouped in a bridge. Ether1 is WAN. Remaining ports are grouped in a bridge and also designated as LAN, and also specified for NAT. They are connected to the wired and wireless LAN.

The firewall rules are (IP addresses modified for security):

 0  D ;;; special dummy rule to show fasttrack counters
      chain=forward action=passthrough 
 1    ;;; defconf: accept established,related, untracked
      chain=forward action=accept connection-state=established,related,untracked 
 2    ;;; Free access to our public subnet from the LAN
      chain=forward action=accept dst-address=91.112.121.232/29 in-interface-list=LAN log=no log-prefix="" 
 3    ;;; No firewall for public subnet on selected ports
      chain=forward action=accept protocol=tcp dst-address=91.112.121.232/29 in-interface-list=WAN dst-port=22,80,443 log=no log-prefix="" 
 4    chain=forward action=accept protocol=tcp dst-address=91.112.121.232/29 in-interface-list=WAN dst-port=25,465,587,995,143,585,993 log=no log-prefix="" 
 5    chain=forward action=accept protocol=tcp dst-address=91.112.121.232/29 in-interface-list=WAN dst-port=4190,4949,60000-61000,53,10000,9090 log=no log-prefix="" 
 6    chain=forward action=accept protocol=udp dst-address=91.112.121.232/29 in-interface-list=WAN dst-port=53,60000-61000 log=no log-prefix="" 
 7    chain=forward action=accept protocol=icmp dst-address=91.112.121.232/29 in-interface-list=WAN log=no log-prefix="" 
 8    chain=forward action=drop dst-address=91.112.121.232/29 in-interface-list=WAN log=no log-prefix="" 
 9    ;;; defconf: accept in ipsec policy
      chain=forward action=accept log=no log-prefix="" ipsec-policy=in,ipsec 
10    ;;; defconf: accept out ipsec policy
      chain=forward action=accept ipsec-policy=out,ipsec 
11    ;;; defconf: fasttrack
      chain=forward action=fasttrack-connection connection-state=established,related log=no log-prefix="" 
12    ;;; Allow SMTP to Postmark
      chain=forward action=accept protocol=tcp dst-address-list=Postmarkapp dst-port=587 log=no log-prefix="" 
13    ;;; Allow SMTP submit for SMTP2go
      chain=forward action=accept protocol=tcp dst-address-list=SMTP2go dst-port=587 log=no log-prefix="" 
14    ;;; SMTP submit for Another Group
      chain=forward action=accept protocol=tcp dst-address=123.321.28.68 dst-port=587 log=no log-prefix="" 
15    ;;; SMTP submit for Public Body
      chain=forward action=accept protocol=tcp dst-address=111.222.164.71 dst-port=587 log=no log-prefix="" 
16    ;;; SMTP submit to our mail server at Digital Ocean
      chain=forward action=accept protocol=tcp dst-address=133.144.104.71 dst-port=587 log=no log-prefix="" 
17    ;;; Reject any SMTP submit not to our approved servers
      chain=forward action=drop protocol=tcp in-interface-list=LAN dst-port=587 log=no log-prefix="" 
18    ;;; defconf: drop invalid
      chain=forward action=drop connection-state=invalid 
19    ;;; defconf: drop all from WAN not DSTNATed
      chain=forward action=drop connection-state=new connection-nat-state=!dstnat in-interface-list=WAN

Rule 2 is intended to allow access from the LAN to the servers with public IP addresses and seems to work. Rules 3 to 7 are intended to allow access from the internet to the servers with public IP addresses, but only on specified ports/protocols. Rule 8 is intended to drop external traffic attempting to access the public servers on any other ports/protocols.

Rules 12 to 16 allow mail submission on port 587 to specific services, rule 17 drops other access to port 587 (this is aimed at blocking malware that attempted to send mail from the LAN - there should be another rule dropping all access to other mail submission ports). Rule 19 is the standard rule for blocking WAN traffic that isn’t NAT.

Stats show that there are no hits for rules 3 to 8. This is puzzling me. I don’t know why there are no hits, and I don’t know why traffic gets to the servers with public IP addresses without matching rules 3 to 7 (although I am glad it does, or things would not work!).

Are there obvious mistakes here? Any suggestions please?

From your other post you are using PPPoE for the WAN connection. Unless you have added the PPPoE client interface to the WAN interface list you effectively have no firewall, as the final drop rule will do nothing. Whilst the ethernet connection from the modem is connected to ether1, that is not the WAN interface; it is merely transporting ethernet packets between the modem and the PPPoE client interface.

Unrelated, but you may wish to add an IP address to the ethernet interface to gain access to the modem management interface.

You should not need all those firewall rules for services you apparently are using. All outgoing connections are already allowed.
The only reason to have those would be to count the number of connections made.
And as tdw wrote: when you did not add the PPPoE using the quick set, but did it yourself using the “Interface → Add PPPoE” menu, you need to add it to the WAN interface list.
I would also advise to add a rule at the bottom of the list that has action “accept”. That rule is there anyway (default) and adding it explicitly allows you to see the traffic that your own rules do not match.
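The checks and fixes suggested in the two replies above, written out as RouterOS terminal commands. This is an added example, not commands from the original thread or from the MikroTik documentation. It assumes the PPPoE client interface is named ZEN-ISP (the name given in a later post), that the modem answers on 192.168.2.1/24 (an assumption; check the Vigor 167's actual LAN address), and that the PPPoE client runs over the interface named here as ether1 (on this router it may be the bridge that contains ether1).

```routeros
# 1. See which interfaces are actually members of the WAN list.
#    If only ether1 is listed, every rule with in-interface-list=WAN is
#    checking the wrong interface: traffic from the ISP enters the router
#    through the PPPoE client interface, not through ether1.
/interface list member print

# 2. Add the PPPoE client (assumed name: ZEN-ISP) to the WAN list so the
#    existing in-interface-list=WAN rules, including the final
#    "drop all from WAN not DSTNATed", start matching.
#    (Rewriting the rules to use in-interface=ZEN-ISP directly, as the
#    original poster later did, achieves the same thing.)
/interface list member add list=WAN interface=ZEN-ISP

# 3. Log any new connection from the ISP side that reaches the end of the
#    chain without matching a rule. The log prefix is an assumed label.
#    "add" appends to the end of the forward chain, after the drop rules.
/ip firewall filter add chain=forward action=log connection-state=new in-interface-list=WAN log-prefix="unmatched-wan" comment="log WAN traffic no earlier rule matched"

# 4. Make the implicit end-of-chain accept explicit so it has a counter.
#    RouterOS accepts a packet that matches no rule in the chain, which is
#    why the servers were reachable while rules 3 to 8 showed zero hits.
#    This counter will include ordinary outbound LAN connections; the log
#    rule above separates out the WAN-side share.
/ip firewall filter add chain=forward action=accept comment="catch-all: traffic not matched by any rule above"

# 5. Reset the counters and watch where new connections land now.
/ip firewall filter reset-counters-all
/ip firewall filter print stats where chain=forward

# 6. Give the router an address on the modem's LAN so its management page
#    is reachable. Address and interface are assumptions (see lead-in).
/ip address add address=192.168.2.2/24 interface=ether1 comment="modem management"
# Masquerade towards the modem so LAN hosts, not just the router, can reach it.
/ip firewall nat add chain=srcnat out-interface=ether1 action=masquerade comment="let LAN hosts reach the modem"
```

After step 2, rules 3 to 8 should begin counting and the final drop rule becomes effective. The explicit accept in step 4 is the rule suggested in the reply above; its count alone cannot tell LAN-originated traffic from anything arriving on ZEN-ISP, which is what the log rule in step 3 is for. If "unmatched-wan" entries appear in the log, some inbound traffic is still slipping past the public-subnet rules and the matching conditions need another look.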

Thanks very much for comments. Hope I understand correctly - what I have done is remove the interface list from the rules and instead specify the in-interface explicitly - the PPPoE is called ZEN-ISP so that is now in the rules for the public subnet. Also, I have removed the address range from the final drop, so anything coming from the PPPoE connection should be dropped if it isn’t heading to the public IP address range on acceptable ports. Does that make sense?

I hope that deals with the point that the final rule was ineffective with the PPPoE interface not part of WAN.

Sorry, I don’t understand the point about not needing so many rules. I wanted to limit incoming traffic to the servers on the public subnet. Limiting port access just seemed a useful extra if there needed to be at least one rule allowing traffic to get to the servers. They don’t refer to outgoing traffic - those servers are inside my network.

I can sort of see the point of the final accept suggestion, but isn’t that just the outgoing traffic from the LAN? I’m not sure how to evaluate it.

An address for the modem is a good idea, although I didn’t give it priority because there is nothing that needs configuration. How is it done?