Firewall help needed

I’m configuring a hAP ac lite from scratch using ROS 6.49.8. I’m using the firewall settings from the default install as a base but modifying them to adjust for my LAN and WAN setup. I had to make modifications in steps 5 (LAN), 11 (WAN) and 12 (WAN) below because I don’t have those same designations for LAN and WAN subnets in my new setup.

Could someone check this over and let me know whether what I changed is still equivalent in security to the default firewall? I basically just changed the references to the WAN and LAN. Any comments or critiques are welcome. Thank you.



Default Firewall Filter I used as a base:

/ip firewall filter
1.  add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
2.  add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
3.  add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
4.  add action=accept chain=input comment="defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
5.  add action=drop chain=input comment="defconf: drop all not coming from LAN" in-interface-list=!LAN
6.  add action=accept chain=forward comment="defconf: accept in ipsec policy" ipsec-policy=in,ipsec
7.  add action=accept chain=forward comment="defconf: accept out ipsec policy" ipsec-policy=out,ipsec
8.  add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related
9.  add action=accept chain=forward comment="defconf: accept established,related, untracked" connection-state=established,related,untracked
10. add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
11. add action=drop chain=forward comment="defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat connection-state=new in-interface-list=WAN

/ip firewall nat
12. add action=masquerade chain=srcnat comment="defconf: masquerade" ipsec-policy=out,none out-interface-list=WAN

My Modified Firewall Filter:
Step 5 changed from LAN to “list_all_local” (defined below)
Step 11 changed from WAN to “ether1[INTERNET]” (defined below)
Step 12 changed from WAN to “ether1[INTERNET]” (defined below)

/ip firewall filter
1.  add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
2.  add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
3.  add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
4.  add action=accept chain=input comment="defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
5.  add action=drop chain=input src-address-list=!list_all_local
6.  add action=accept chain=forward comment="defconf: accept in ipsec policy" ipsec-policy=in,ipsec
7.  add action=accept chain=forward comment="defconf: accept out ipsec policy" ipsec-policy=out,ipsec
8.  add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related
9.  add action=accept chain=forward comment="defconf: accept established,related, untracked" connection-state=established,related,untracked
10. add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
11. add action=drop chain=forward comment="defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat connection-state=new in-interface="ether1[INTERNET]"

/ip firewall nat
12. add action=masquerade chain=srcnat out-interface="ether1[INTERNET]"

Here are the rest of the settings for reference:

# software id = 080H-7JVK
#
# model = RB952Ui-5ac2nD

/interface ethernet
set [ find default-name=ether1 ] name="ether1[INTERNET]"
set [ find default-name=ether2 ] name="ether2[TRUSTED]"
set [ find default-name=ether3 ] name="ether3[IOT]"
set [ find default-name=ether4 ] name="ether4[MEDIA]"
set [ find default-name=ether5 ] name="ether5[WORK]"

/interface bridge
add name=BridgeTest
add name="Bridge[IOT]"
add name="Bridge[MEDIA]"
add name="Bridge[TRUSTED]"
add name="Bridge[WORK]"

/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
add authentication-types=wpa2-psk mode=dynamic-keys name="WifiSecProfile[TRUSTED]" supplicant-identity=""
add authentication-types=wpa2-psk mode=dynamic-keys name="WifiSecProfile[IOT]" supplicant-identity=""
add authentication-types=wpa2-psk mode=dynamic-keys name="WifiSecProfile[MEDIA]" supplicant-identity=""
add authentication-types=wpa2-psk mode=dynamic-keys name="WifiSecProfile[WORK]" supplicant-identity=""
/interface wireless
set [ find default-name=wlan1 ] band=2ghz-g/n disabled=no installation=indoor mode=ap-bridge name="WifiLAN2G[TRUSTED]" security-profile="WifiSecProfile[TRUSTED]" ssid=zz2_t
add disabled=no keepalive-frames=disabled mac-address=4A:8F:5A:0B:B6:DC master-interface="WifiLAN2G[TRUSTED]" multicast-buffering=disabled name="WifiLAN2G[WORK]" security-profile=\
    "WifiSecProfile[WORK]" ssid=zz2_w vlan-id=40 wds-cost-range=0 wds-default-cost=0 wps-mode=disabled
set [ find default-name=wlan2 ] disabled=no mode=ap-bridge name="WifiLAN5G[TRUSTED]" security-profile="WifiSecProfile[TRUSTED]" ssid=zz5_t
add disabled=no keepalive-frames=disabled mac-address=4A:8F:5A:0B:B6:DD master-interface="WifiLAN5G[TRUSTED]" multicast-buffering=disabled name="WifiLAN5G[WORK]" security-profile=\
    "WifiSecProfile[WORK]" ssid=zz5_w vlan-id=40 wds-cost-range=0 wds-default-cost=0 wps-mode=disabled
add disabled=no keepalive-frames=disabled mac-address=4A:8F:5A:0B:B6:D9 master-interface="WifiLAN2G[TRUSTED]" multicast-buffering=disabled name="WifiLAN2G[IOT]" security-profile=\
    "WifiSecProfile[IOT]" ssid=zz2_i vlan-id=20 wds-cost-range=0 wds-default-cost=0 wps-mode=disabled
add disabled=no keepalive-frames=disabled mac-address=4A:8F:5A:0B:B6:DA master-interface="WifiLAN2G[TRUSTED]" multicast-buffering=disabled name="WifiLAN2G[MEDIA]" security-profile=\
    "WifiSecProfile[MEDIA]" ssid=zz2_m vlan-id=30 wds-cost-range=0 wds-default-cost=0 wps-mode=disabled
add disabled=no keepalive-frames=disabled mac-address=4A:8F:5A:0B:B6:D8 master-interface="WifiLAN5G[TRUSTED]" multicast-buffering=disabled name="WifiLAN5G[IOT]" security-profile=\
    "WifiSecProfile[IOT]" ssid=zz5_i vlan-id=20 wds-cost-range=0 wds-default-cost=0 wps-mode=disabled
add disabled=no keepalive-frames=disabled mac-address=4A:8F:5A:0B:B6:DB master-interface="WifiLAN5G[TRUSTED]" multicast-buffering=disabled name="WifiLAN5G[MEDIA]" security-profile=\
    "WifiSecProfile[MEDIA]" ssid=zz5_m vlan-id=30 wds-cost-range=0 wds-default-cost=0 wps-mode=disabled

/ip pool
add name=dhcp_pool1 ranges=10.10.10.20-10.10.10.240
add name=dhcp_pool2 ranges=10.10.20.20-10.10.20.240
add name=dhcp_pool3 ranges=10.10.30.20-10.10.30.240
add name=dhcp_pool4 ranges=10.10.40.20-10.10.40.240

/ip dhcp-server
add address-pool=dhcp_pool1 disabled=no interface="Bridge[TRUSTED]" lease-time=1h name="dhcp[TRUSTED]"
add address-pool=dhcp_pool2 disabled=no interface="Bridge[IOT]" lease-time=1h name="dhcp[IOT]"
add address-pool=dhcp_pool3 disabled=no interface="Bridge[MEDIA]" lease-time=1h name="dhcp[MEDIA]"
add address-pool=dhcp_pool4 disabled=no interface="Bridge[WORK]" lease-time=1h name="dhcp[WORK]"

/interface bridge port
add bridge="Bridge[TRUSTED]" interface="ether2[TRUSTED]"
add bridge="Bridge[IOT]" interface="ether3[IOT]"
add bridge="Bridge[MEDIA]" interface="ether4[MEDIA]"
add bridge="Bridge[WORK]" interface="ether5[WORK]"
add bridge="Bridge[TRUSTED]" interface="WifiLAN2G[TRUSTED]"
add bridge="Bridge[TRUSTED]" interface="WifiLAN5G[TRUSTED]"
add bridge="Bridge[IOT]" interface="WifiLAN2G[IOT]"
add bridge="Bridge[IOT]" interface="WifiLAN5G[IOT]"
add bridge="Bridge[MEDIA]" interface="WifiLAN2G[MEDIA]"
add bridge="Bridge[WORK]" interface="WifiLAN2G[WORK]"
add bridge="Bridge[WORK]" interface="WifiLAN5G[WORK]"

/ip neighbor discovery-settings
set discover-interface-list=!dynamic

/ip address
add address=10.10.10.1/24 interface="Bridge[TRUSTED]" network=10.10.10.0
add address=10.10.20.1/24 interface="Bridge[IOT]" network=10.10.20.0
add address=10.10.30.1/24 interface="Bridge[MEDIA]" network=10.10.30.0
add address=10.10.40.1/24 interface="Bridge[WORK]" network=10.10.40.0

/ip dhcp-client
add disabled=no interface="ether1[INTERNET]"

/ip dhcp-server network
add address=10.10.10.0/24 gateway=10.10.10.1
add address=10.10.20.0/24 gateway=10.10.20.1
add address=10.10.30.0/24 gateway=10.10.30.1
add address=10.10.40.0/24 gateway=10.10.40.1

/ip firewall address-list
add address=10.10.10.0/24 list=list_all_local
add address=10.10.20.0/24 list=list_all_local
add address=10.10.30.0/24 list=list_all_local
add address=10.10.40.0/24 list=list_all_local

https://forum.mikrotik.com/viewtopic.php?t=180838
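
An added example (editor's, not the poster's configuration) of the one change in the post that is not security-equivalent: step 5 now matches on the packet's source address, while the defconf rule matches on the ingress interface. A source address can be forged by whoever sends the packet; the interface it arrives on cannot. The example keeps the defconf rules word for word and instead fills the LAN and WAN interface lists with the renamed interfaces. It assumes the interface names from the posted config; the `rp-filter` line is an optional extra that is not part of the default firewall, and the first "weak" rule is shown only for contrast.

```routeros
# Added example, not part of the original post. Assumes the interface names
# from the posted config (ether1[INTERNET], Bridge[TRUSTED], Bridge[IOT],
# Bridge[MEDIA], Bridge[WORK]); LAN and WAN are the defconf list names.

# --- weak form (step 5 as modified in the post): matches on source ADDRESS ---
# A packet entering ether1[INTERNET] with a forged 10.10.x.x source satisfies
# this match and reaches the router's own services. Replies go inward, so this
# mainly exposes single-packet/UDP services, but it is wider than the default.
/ip firewall filter
add action=drop chain=input comment="weak: address-based LAN test, for contrast only" src-address-list=!list_all_local

# --- equivalent of the defconf rule: match on ingress INTERFACE ---
# Populate the defconf lists with the renamed interfaces instead of rewriting
# the rules. Skip the two "add name=" lines if the lists already exist.
/interface list
add name=LAN
add name=WAN
/interface list member
add interface="ether1[INTERNET]" list=WAN
add interface="Bridge[TRUSTED]" list=LAN
add interface="Bridge[IOT]" list=LAN
add interface="Bridge[MEDIA]" list=LAN
add interface="Bridge[WORK]" list=LAN

/ip firewall filter
add action=drop chain=input comment="defconf: drop all not coming from LAN" in-interface-list=!LAN
# Rule 11 keeps action=drop: an accept here would let every new inbound
# connection on ether1 straight through to the LAN.
add action=drop chain=forward comment="defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat connection-state=new in-interface-list=WAN
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" ipsec-policy=out,none out-interface-list=WAN

# Optional defence in depth against forged internal sources on the WAN port.
# Assumption: no asymmetric routing; strict RPF would otherwise drop real traffic.
/ip settings set rp-filter=strict

# Checks: every bridge should be in LAN and only ether1 in WAN; the counters
# on the two defconf drop rules should climb while the LAN keeps working.
/interface list member print
/ip firewall filter print stats where comment~"defconf: drop"
```

With the lists filled this way, steps 5, 11 and 12 need no editing at all, and any later interface rename is a one-line change to the list membership rather than to the rules.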

Thanks anav. That is a very nice and comprehensive firewall document. I like the idea of blocking everything and letting in only what you want. I'm understanding the firewall better now and rewrote mine below.

I have 4 isolated LAN subnet bridges, each consisting of a physical Ethernet port and a WiFi SSID. My main firewall goals were to isolate each subnet from the others, and also to block the router from WAN access. I still need to add something to block the IOT, MEDIA and WORK subnets from router ADMIN.

Where I'm not 100% sure is that I'm using "in-interface" in the firewall rules so that I can choose the bridges. I don't see that in many examples and want to make sure I did this correctly.

Before I make this router live I'd welcome any comments or critiques particularly from a security perspective. Thank you.

/ip firewall filter
add action=accept chain=input comment="accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=input comment="drop invalid. do I really need this with other drop below?" connection-state=invalid
add action=accept chain=input comment="accept ICMP" protocol=icmp
add action=accept chain=input in-interface="Bridge[TRUSTED]"
add action=accept chain=input in-interface="Bridge[IOT]"
add action=accept chain=input in-interface="Bridge[MEDIA]"
add action=accept chain=input in-interface="Bridge[WORK]"
add action=drop chain=input comment="drop all other inputs"
add action=accept chain=forward comment="accept in ipsec policy" ipsec-policy=in,ipsec
add action=accept chain=forward comment="accept out ipsec policy" ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment=fasttrack connection-state=established,related
add action=accept chain=forward comment="accept established,related, untracked" connection-state=established,related,untracked
add action=drop chain=forward comment="drop invalid. do I really need this with drop all below?" connection-state=invalid
add action=accept chain=forward comment="allows to WAN internet but no other local subnets" in-interface="Bridge[TRUSTED]" out-interface="Bridge[WAN]"
add action=accept chain=forward comment="allows to WAN internet but no other local subnets" in-interface="Bridge[IOT]" out-interface="Bridge[WAN]"
add action=accept chain=forward comment="allows to WAN internet but no other local subnets" in-interface="Bridge[MEDIA]" out-interface="Bridge[WAN]"
add action=accept chain=forward comment="allows to WAN internet but no other local subnets" in-interface="Bridge[WORK]" out-interface="Bridge[WAN]"
add action=drop chain=forward comment="drop all other forwards"

/ip firewall nat
add action=masquerade chain=srcnat out-interface="Bridge[WAN]"

/interface ethernet
set [ find default-name=ether1 ] name="ether1[INTERNET]"
set [ find default-name=ether2 ] name="ether2[TRUSTED]"
set [ find default-name=ether3 ] name="ether3[IOT]"
set [ find default-name=ether4 ] name="ether4[MEDIA]"
set [ find default-name=ether5 ] name="ether5[WORK]"

/interface bridge
add name="Bridge[IOT]"
add name="Bridge[MEDIA]"
add name="Bridge[TRUSTED]"
add name="Bridge[WAN]"
add name="Bridge[WORK]"
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
add authentication-types=wpa2-psk mode=dynamic-keys name="WifiSecProfile[TRUSTED]" supplicant-identity=""
add authentication-types=wpa2-psk mode=dynamic-keys name="WifiSecProfile[IOT]" supplicant-identity=""
add authentication-types=wpa2-psk mode=dynamic-keys name="WifiSecProfile[MEDIA]" supplicant-identity=""
add authentication-types=wpa2-psk mode=dynamic-keys name="WifiSecProfile[WORK]" supplicant-identity=""

/interface wireless
set [ find default-name=wlan1 ] band=2ghz-g/n disabled=no installation=indoor mode=ap-bridge name="WifiLAN2G[TRUSTED]" security-profile=\
    "WifiSecProfile[TRUSTED]" ssid=zz2_t
add disabled=no keepalive-frames=disabled mac-address=4A:8F:5A:0B:B6:DC master-interface="WifiLAN2G[TRUSTED]" multicast-buffering=disabled name=\
    "WifiLAN2G[WORK]" security-profile="WifiSecProfile[WORK]" ssid=zz2_w vlan-id=40 wds-cost-range=0 wds-default-cost=0 wps-mode=disabled
set [ find default-name=wlan2 ] disabled=no mode=ap-bridge name="WifiLAN5G[TRUSTED]" security-profile="WifiSecProfile[TRUSTED]" ssid=zz5_t
add disabled=no keepalive-frames=disabled mac-address=4A:8F:5A:0B:B6:DD master-interface="WifiLAN5G[TRUSTED]" multicast-buffering=disabled name=\
    "WifiLAN5G[WORK]" security-profile="WifiSecProfile[WORK]" ssid=zz5_w vlan-id=40 wds-cost-range=0 wds-default-cost=0 wps-mode=disabled
add disabled=no keepalive-frames=disabled mac-address=4A:8F:5A:0B:B6:D9 master-interface="WifiLAN2G[TRUSTED]" multicast-buffering=disabled name=\
    "WifiLAN2G[IOT]" security-profile="WifiSecProfile[IOT]" ssid=zz2_i vlan-id=20 wds-cost-range=0 wds-default-cost=0 wps-mode=disabled
add disabled=no keepalive-frames=disabled mac-address=4A:8F:5A:0B:B6:DA master-interface="WifiLAN2G[TRUSTED]" multicast-buffering=disabled name=\
    "WifiLAN2G[MEDIA]" security-profile="WifiSecProfile[MEDIA]" ssid=zz2_m vlan-id=30 wds-cost-range=0 wds-default-cost=0 wps-mode=disabled
add disabled=no keepalive-frames=disabled mac-address=4A:8F:5A:0B:B6:D8 master-interface="WifiLAN5G[TRUSTED]" multicast-buffering=disabled name=\
    "WifiLAN5G[IOT]" security-profile="WifiSecProfile[IOT]" ssid=zz5_i vlan-id=20 wds-cost-range=0 wds-default-cost=0 wps-mode=disabled
add disabled=no keepalive-frames=disabled mac-address=4A:8F:5A:0B:B6:DB master-interface="WifiLAN5G[TRUSTED]" multicast-buffering=disabled name=\
    "WifiLAN5G[MEDIA]" security-profile="WifiSecProfile[MEDIA]" ssid=zz5_m vlan-id=30 wds-cost-range=0 wds-default-cost=0 wps-mode=disabled

/ip pool
add name=dhcp_pool1 ranges=10.10.10.20-10.10.10.240
add name=dhcp_pool2 ranges=10.10.20.20-10.10.20.240
add name=dhcp_pool3 ranges=10.10.30.20-10.10.30.240
add name=dhcp_pool4 ranges=10.10.40.20-10.10.40.240

/ip dhcp-server
add address-pool=dhcp_pool1 disabled=no interface="Bridge[TRUSTED]" lease-time=1h name="dhcp[TRUSTED]"
add address-pool=dhcp_pool2 disabled=no interface="Bridge[IOT]" lease-time=1h name="dhcp[IOT]"
add address-pool=dhcp_pool3 disabled=no interface="Bridge[MEDIA]" lease-time=1h name="dhcp[MEDIA]"
add address-pool=dhcp_pool4 disabled=no interface="Bridge[WORK]" lease-time=1h name="dhcp[WORK]"
/interface bridge port
add bridge="Bridge[TRUSTED]" interface="ether2[TRUSTED]"
add bridge="Bridge[IOT]" interface="ether3[IOT]"
add bridge="Bridge[MEDIA]" interface="ether4[MEDIA]"
add bridge="Bridge[WORK]" interface="ether5[WORK]"
add bridge="Bridge[TRUSTED]" interface="WifiLAN2G[TRUSTED]"
add bridge="Bridge[TRUSTED]" interface="WifiLAN5G[TRUSTED]"
add bridge="Bridge[IOT]" interface="WifiLAN2G[IOT]"
add bridge="Bridge[IOT]" interface="WifiLAN5G[IOT]"
add bridge="Bridge[MEDIA]" interface="WifiLAN2G[MEDIA]"
add bridge="Bridge[WORK]" interface="WifiLAN2G[WORK]"
add bridge="Bridge[WORK]" interface="WifiLAN5G[WORK]"
add bridge="Bridge[WAN]" interface="ether1[INTERNET]"
/ip neighbor discovery-settings
set discover-interface-list=!dynamic

/ip address
add address=10.10.10.1/24 interface="Bridge[TRUSTED]" network=10.10.10.0
add address=10.10.20.1/24 interface="Bridge[IOT]" network=10.10.20.0
add address=10.10.30.1/24 interface="Bridge[MEDIA]" network=10.10.30.0
add address=10.10.40.1/24 interface="Bridge[WORK]" network=10.10.40.0
/ip dhcp-client
# DHCP client can not run on slave interface!
add disabled=no interface="ether1[INTERNET]"

/ip dhcp-server network
add address=10.10.10.0/24 gateway=10.10.10.1
add address=10.10.20.0/24 gateway=10.10.20.1
add address=10.10.30.0/24 gateway=10.10.30.1
add address=10.10.40.0/24 gateway=10.10.40.1

The approach is funny, non-standard and inefficient wrt router performance.
The recommendation/design is optimized for ONE bridge for the LAN, and when you need multiple subnets to make all the subnets as vlans on the single bridge.

In your case you seem to be able to separate (have enough ports) for each subnet, so vlans are not really necessary; however, it's a good idea to practice with them, as if you introduce a smart switch anywhere in your network or a smart access point, then you will need to transition to vlans anyway.

So create vlans 10,20,30,40 with interface bridge-lan
change IP address interfaces to vlan names
change /ip dhcp-server interfaces to vlan names
for interface list members, each vlan is a member of LAN (bridge not required)
++++++++++++++++++++++++++++++++++++++++++++++++++++

/ip firewall filter
add action=accept chain=input comment="accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=input comment="drop invalid. do I really need this with other drop below → YES!!" connection-state=invalid
add action=accept chain=input comment="accept ICMP" protocol=icmp
add action=accept chain=input in-interface=vlan10-Trusted
add action=accept chain=input in-interface-list=LAN dst-port=53 protocol=tcp
add action=accept chain=input in-interface-list=LAN dst-port=53 protocol=udp
add action=drop chain=input comment="drop all other inputs"
+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
add action=accept chain=forward comment="accept in ipsec policy" ipsec-policy=in,ipsec
add action=accept chain=forward comment="accept out ipsec policy" ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment=fasttrack connection-state=established,related
add action=accept chain=forward comment="accept established,related, untracked" connection-state=established,related,untracked
add action=drop chain=forward comment="drop invalid. YES!" connection-state=invalid
add action=accept chain=forward comment="WAN traffic" in-interface-list=LAN out-interface-list=WAN
add action=accept chain=forward comment="Admin to all VLANS" in-interface=vlan10-Trusted out-interface-list=LAN

add action=accept chain=forward comment="port forwarding (disable or remove if not applicable)" connection-nat-state=dstnat
add action=drop chain=forward comment="drop all other forwards"

* If there are many folks on the trusted vlan and you don't want them to
a. be able to config the router
b. access all vlans

simply modify both rules to include src-address-list=Authorized, where Authorized is a firewall address list based on statically set DHCP leases.

/ip firewall address-list
add address=<IP of admin desktop> list=Authorized
add address=<IP of admin laptop> list=Authorized
add address=<IP of admin iphone/ipad> list=Authorized

Edit: I got it all working with VLANs using the excellent guide here: https://forum.mikrotik.com/viewtopic.php?p=1008185#p1008185
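
A worked version of the single-bridge layout anav describes above (one bridge, vlans 10/20/30/40, LAN and WAN interface lists, and the filter rules with the Authorized list), added here as an example; it is neither anav's nor the poster's configuration. It reuses the port names, wireless interface names, subnets and DHCP pools from the posted config, and invents the names `bridge-lan`, `vlan10-Trusted`, `vlan20-IoT`, `vlan30-Media`, `vlan40-Work` and `dhcp-Trusted`; the admin MAC address is a placeholder.

```routeros
# Added example, not anav's or the OP's config. Invented names: bridge-lan,
# vlan10-Trusted, vlan20-IoT, vlan30-Media, vlan40-Work, dhcp-*. Port names,
# wireless names, subnets and pools (dhcp_pool1..4) are the posted ones.

/interface bridge
add name=bridge-lan vlan-filtering=no comment="vlan-filtering is switched on last"

/interface vlan
add interface=bridge-lan name=vlan10-Trusted vlan-id=10
add interface=bridge-lan name=vlan20-IoT vlan-id=20
add interface=bridge-lan name=vlan30-Media vlan-id=30
add interface=bridge-lan name=vlan40-Work vlan-id=40

# Access ports: pvid assigns untagged frames to the VLAN; rejecting tagged
# ingress stops a client from hopping VLANs by adding its own 802.1Q tag.
# The vlan-id= on the posted virtual APs is unused (vlan-mode=no-tag); pvid does the work.
/interface bridge port
add bridge=bridge-lan interface="ether2[TRUSTED]" pvid=10 frame-types=admit-only-untagged-and-priority-tagged ingress-filtering=yes
add bridge=bridge-lan interface="ether3[IOT]" pvid=20 frame-types=admit-only-untagged-and-priority-tagged ingress-filtering=yes
add bridge=bridge-lan interface="ether4[MEDIA]" pvid=30 frame-types=admit-only-untagged-and-priority-tagged ingress-filtering=yes
add bridge=bridge-lan interface="ether5[WORK]" pvid=40 frame-types=admit-only-untagged-and-priority-tagged ingress-filtering=yes
add bridge=bridge-lan interface="WifiLAN2G[TRUSTED]" pvid=10 frame-types=admit-only-untagged-and-priority-tagged ingress-filtering=yes
add bridge=bridge-lan interface="WifiLAN5G[TRUSTED]" pvid=10 frame-types=admit-only-untagged-and-priority-tagged ingress-filtering=yes
add bridge=bridge-lan interface="WifiLAN2G[IOT]" pvid=20 frame-types=admit-only-untagged-and-priority-tagged ingress-filtering=yes
add bridge=bridge-lan interface="WifiLAN5G[IOT]" pvid=20 frame-types=admit-only-untagged-and-priority-tagged ingress-filtering=yes
add bridge=bridge-lan interface="WifiLAN2G[MEDIA]" pvid=30 frame-types=admit-only-untagged-and-priority-tagged ingress-filtering=yes
add bridge=bridge-lan interface="WifiLAN5G[MEDIA]" pvid=30 frame-types=admit-only-untagged-and-priority-tagged ingress-filtering=yes
add bridge=bridge-lan interface="WifiLAN2G[WORK]" pvid=40 frame-types=admit-only-untagged-and-priority-tagged ingress-filtering=yes
add bridge=bridge-lan interface="WifiLAN5G[WORK]" pvid=40 frame-types=admit-only-untagged-and-priority-tagged ingress-filtering=yes

# The router itself (bridge-lan) is a tagged member of every VLAN so the vlanXX L3 interfaces see their traffic.
/interface bridge vlan
add bridge=bridge-lan tagged=bridge-lan untagged="ether2[TRUSTED],WifiLAN2G[TRUSTED],WifiLAN5G[TRUSTED]" vlan-ids=10
add bridge=bridge-lan tagged=bridge-lan untagged="ether3[IOT],WifiLAN2G[IOT],WifiLAN5G[IOT]" vlan-ids=20
add bridge=bridge-lan tagged=bridge-lan untagged="ether4[MEDIA],WifiLAN2G[MEDIA],WifiLAN5G[MEDIA]" vlan-ids=30
add bridge=bridge-lan tagged=bridge-lan untagged="ether5[WORK],WifiLAN2G[WORK],WifiLAN5G[WORK]" vlan-ids=40

/interface list
add name=LAN
add name=WAN
/interface list member
add interface="ether1[INTERNET]" list=WAN
add interface=vlan10-Trusted list=LAN
add interface=vlan20-IoT list=LAN
add interface=vlan30-Media list=LAN
add interface=vlan40-Work list=LAN

/ip address
add address=10.10.10.1/24 interface=vlan10-Trusted
add address=10.10.20.1/24 interface=vlan20-IoT
add address=10.10.30.1/24 interface=vlan30-Media
add address=10.10.40.1/24 interface=vlan40-Work

/ip dhcp-server
add address-pool=dhcp_pool1 disabled=no interface=vlan10-Trusted lease-time=1h name=dhcp-Trusted
add address-pool=dhcp_pool2 disabled=no interface=vlan20-IoT lease-time=1h name=dhcp-IoT
add address-pool=dhcp_pool3 disabled=no interface=vlan30-Media lease-time=1h name=dhcp-Media
add address-pool=dhcp_pool4 disabled=no interface=vlan40-Work lease-time=1h name=dhcp-Work
# Admin devices get fixed leases so the Authorized list means something.
# XX:XX:XX:XX:XX:XX is a placeholder for the admin desktop's MAC.
/ip dhcp-server lease
add address=10.10.10.10 mac-address=XX:XX:XX:XX:XX:XX server=dhcp-Trusted
/ip firewall address-list
add address=10.10.10.10 list=Authorized

# Turn VLAN filtering on only after the vlan table is complete, from Safe Mode
# or a console session, otherwise a mistake above locks you out.
/interface bridge set bridge-lan vlan-filtering=yes

/ip firewall filter
add action=accept chain=input comment="accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=input comment="drop invalid" connection-state=invalid
add action=accept chain=input comment="accept ICMP" protocol=icmp
add action=accept chain=input comment="router admin only from authorized trusted hosts" in-interface=vlan10-Trusted src-address-list=Authorized
add action=accept chain=input comment="DNS for all VLANs" in-interface-list=LAN protocol=udp dst-port=53
add action=accept chain=input comment="DNS for all VLANs" in-interface-list=LAN protocol=tcp dst-port=53
add action=drop chain=input comment="drop all other input"
add action=accept chain=forward comment="accept in ipsec policy" ipsec-policy=in,ipsec
add action=accept chain=forward comment="accept out ipsec policy" ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="fasttrack" connection-state=established,related
add action=accept chain=forward comment="accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=forward comment="drop invalid" connection-state=invalid
add action=accept chain=forward comment="LAN to internet" in-interface-list=LAN out-interface-list=WAN
add action=accept chain=forward comment="authorized trusted hosts to all VLANs" in-interface=vlan10-Trusted out-interface-list=LAN src-address-list=Authorized
add action=drop chain=forward comment="drop all other forward"
/ip firewall nat
add action=masquerade chain=srcnat comment="masquerade" ipsec-policy=out,none out-interface-list=WAN
# Needed for the dst-port=53 rules to be useful. DHCP needs no input rule:
# RouterOS serves it below the IP firewall.
/ip dns set allow-remote-requests=yes
```

Two things worth checking after applying it: `/interface bridge vlan print` should show bridge-lan as tagged in all four VLANs before `vlan-filtering=yes` is set, and a client on the IoT, Media or Work VLAN should be able to resolve names and reach the internet but get nothing back from 10.10.10.1 on 8291, 80 or 22, which is exactly what the `drop all other input` rule is for.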