Firewall - I'm a beginner :)

Hello everyone,
I have configured an IPv4 firewall, but I am not sure whether it is correct.
The network currently sits behind a Fritzbox, relying on the firewall that runs there.
I have read many posts here in the forum and watched videos from the internet. This is the result.

Can anyone tell me if I have done everything correctly?

Without an OK from here, I don’t dare switch the network over to the modem in bridge mode. :smiley:


Best regards

# 2024-07-24 18:54:33 by RouterOS 7.15.2
# software id = UGTZ-ZKF4
#
# model = RB4011iGS+
# serial number = XXXXXXXXXXX
#
# Export of the /ip firewall tree (layer7, address-list, connection
# tracking, filter, mangle, nat, raw, service-port) of an RB4011 that is
# currently uplinked through a Fritzbox (private WAN address 192.168.0.98,
# see the ISP1-address entries below).  The interface lists used here
# (WAN, WAN-DSL, WAN-LTE, ALL-VLAN, VLAN-DSL, VLAN-LTE,
# LAN-In-Interface-List), the routing tables to_ISP1/to_ISP2 and the
# /ip service settings are defined outside this export and cannot be
# checked from it.
#
# NOTE(review): points to settle before the modem goes into bridge mode
# and the router gets the public address directly:
#   - the list "expected-dst-address-to-my-ISP" (and the raw rule that
#     uses it) only holds the two private ISP-facing addresses; with a
#     different or dynamic WAN address that raw rule would drop every
#     packet arriving on WAN, replies included.  Update the list, fill it
#     automatically (e.g. from the DHCP client), or disable the rule.
#   - the ISP1/ISP2 entries in "unexpected-src-address-hitting-ISP" must
#     be changed as well; the disabled 10.0.0.0/8 and 192.168.0.0/16
#     entries can presumably be re-enabled once the WAN side no longer
#     lives inside those ranges.
#   - the enabled dstnat rule "OwnCloud-Sync" forwards to
#     to-addresses=120.18.50.150, which is outside the 10.18.0.0/16 LAN
#     and looks like a typo for 10.18.50.150 (the server address used by
#     every other rule) -- confirm before exposing that port.
#   - "Drop invalid" in the forward chain is disabled, so packets with
#     connection-state=invalid pass through every address-based accept
#     rule; enabling it (directly after the established/related rule) is
#     the usual practice.
/ip firewall layer7-protocol
# Only referenced by a disabled dstnat redirect rule further down; the
# pattern looks like a placeholder for the DynDNS host name.
add name=dyndns1 regexp="\\aaaaa.bbbbb."
/ip firewall address-list
# Admin: hosts that may reach the router itself and every VLAN
# (src-address-list=Admin in the input and forward chains).  A third
# member (10.18.20.22) is added further down.
add address=10.18.20.11 comment="Adminzugang PC-Flur LAN" list=Admin
add address=10.18.20.21 comment="Adminzugang Laptop LAN" list=Admin
# DNS: only referenced by the two trailing "accept" rules in /ip firewall
# raw, which have no effect on filtering (see there).
add address=208.67.222.222 comment="Erlaubte DNS-Server" list=DNS
add address=208.67.220.220 comment="Erlaubte DNS-Server" list=DNS
add address=8.8.8.8 comment="Erlaubte DNS-Server" list=DNS
add address=8.8.4.4 comment="Erlaubte DNS-Server" list=DNS
# All_LAN: every internal subnet plus multicast and limited broadcast.
# Used as the anti-spoofing reference (src-address-list=!All_LAN) in raw
# and as the destination set for the Admin rules.
# NOTE(review): the next entry has no address= parameter.  Check what the
# device stores for it (/ip firewall address-list print where
# list=All_LAN); if it resolves to 0.0.0.0/0 the list matches every
# address and the raw anti-spoofing rule never drops anything.  If it is
# only meant as a separator, remove it.
add comment="Internes Netzwerk" list=All_LAN
# Multicast and limited broadcast are presumably listed so that the Admin
# rules with dst-address-list=All_LAN also match those destinations; the
# raw anti-spoofing rule matches on the source, so they play no role there.
add address=224.0.0.0/4 comment=Multicast list=All_LAN
add address=255.255.255.255 comment=Local list=All_LAN
add address=10.18.98.0/24 list=All_LAN
add address=10.18.5.0/24 list=All_LAN
add address=10.18.20.0/24 list=All_LAN
add address=10.18.22.0/24 list=All_LAN
add address=10.18.25.0/24 list=All_LAN
add address=10.18.30.0/24 list=All_LAN
add address=10.18.32.0/24 list=All_LAN
add address=10.18.40.0/24 list=All_LAN
add address=10.18.50.0/24 list=All_LAN
add address=10.18.53.0/24 list=All_LAN
add address=10.18.54.0/24 list=All_LAN
add address=10.18.55.0/24 list=All_LAN
add address=10.18.60.0/24 list=All_LAN
add address=10.18.70.0/24 list=All_LAN
add address=10.18.74.0/24 list=All_LAN
add address=10.18.78.0/24 list=All_LAN
add address=10.18.80.0/24 list=All_LAN
# All_LAN_-_No_Guest, All_LAN_-_No_MGMT and LAN_Guest are not referenced
# by any rule in this export (either unused or used outside /ip firewall).
add address=10.18.98.0/24 list=All_LAN_-_No_Guest
add address=10.18.5.0/24 list=All_LAN_-_No_Guest
add address=10.18.20.0/24 list=All_LAN_-_No_Guest
add address=10.18.22.0/24 list=All_LAN_-_No_Guest
add address=10.18.30.0/24 list=All_LAN_-_No_Guest
add address=10.18.32.0/24 list=All_LAN_-_No_Guest
add address=10.18.40.0/24 list=All_LAN_-_No_Guest
add address=10.18.50.0/24 list=All_LAN_-_No_Guest
add address=10.18.53.0/24 list=All_LAN_-_No_Guest
add address=10.18.54.0/24 list=All_LAN_-_No_Guest
add address=10.18.55.0/24 list=All_LAN_-_No_Guest
add address=10.18.60.0/24 list=All_LAN_-_No_Guest
add address=10.18.70.0/24 list=All_LAN_-_No_Guest
add address=10.18.74.0/24 list=All_LAN_-_No_Guest
add address=10.18.78.0/24 list=All_LAN_-_No_Guest
add address=10.18.80.0/24 list=All_LAN_-_No_Guest
add address=10.18.5.0/24 list=All_LAN_-_No_MGMT
add address=10.18.20.0/24 list=All_LAN_-_No_MGMT
add address=10.18.22.0/24 list=All_LAN_-_No_MGMT
add address=10.18.25.0/24 list=All_LAN_-_No_MGMT
add address=10.18.30.0/24 list=All_LAN_-_No_MGMT
add address=10.18.32.0/24 list=All_LAN_-_No_MGMT
add address=10.18.40.0/24 list=All_LAN_-_No_MGMT
add address=10.18.50.0/24 list=All_LAN_-_No_MGMT
add address=10.18.53.0/24 list=All_LAN_-_No_MGMT
add address=10.18.54.0/24 list=All_LAN_-_No_MGMT
add address=10.18.55.0/24 list=All_LAN_-_No_MGMT
add address=10.18.60.0/24 list=All_LAN_-_No_MGMT
add address=10.18.70.0/24 list=All_LAN_-_No_MGMT
add address=10.18.74.0/24 list=All_LAN_-_No_MGMT
add address=10.18.78.0/24 list=All_LAN_-_No_MGMT
add address=10.18.80.0/24 list=All_LAN_-_No_MGMT
add address=10.18.25.0/24 list=LAN_Guest
# All_LAN_-_DSL / All_LAN_-_LTE: which subnets should leave via which
# uplink; only used by the (disabled) mark-routing rules in mangle.
add address=10.18.98.0/24 list=All_LAN_-_DSL
add address=10.18.5.0/24 list=All_LAN_-_DSL
add address=10.18.20.0/24 list=All_LAN_-_DSL
add address=10.18.25.0/24 list=All_LAN_-_DSL
add address=10.18.30.0/24 list=All_LAN_-_DSL
add address=10.18.50.0/24 list=All_LAN_-_DSL
add address=10.18.80.0/24 list=All_LAN_-_DSL
add address=10.18.32.0/24 list=All_LAN_-_LTE
add address=10.18.40.0/24 list=All_LAN_-_LTE
add address=10.18.53.0/24 list=All_LAN_-_LTE
add address=10.18.54.0/24 list=All_LAN_-_LTE
add address=10.18.55.0/24 list=All_LAN_-_LTE
add address=10.18.60.0/24 list=All_LAN_-_LTE
add address=10.18.70.0/24 list=All_LAN_-_LTE
add address=10.18.74.0/24 list=All_LAN_-_LTE
add address=10.18.78.0/24 list=All_LAN_-_LTE
# unexpected-src-address-hitting-ISP: private/bogon ranges that must never
# appear as source on the WAN side; dropped in raw prerouting.  10.0.0.0/8
# and 192.168.0.0/16 are disabled because the two ISP-facing addresses
# (ISP1/ISP2 below) currently fall inside them.
add address=10.0.0.0/8 disabled=yes list=unexpected-src-address-hitting-ISP
add address=127.0.0.0/8 disabled=yes list=unexpected-src-address-hitting-ISP
add address=169.254.0.0/16 list=unexpected-src-address-hitting-ISP
add address=172.16.0.0/12 list=unexpected-src-address-hitting-ISP
add address=192.0.0.0/24 list=unexpected-src-address-hitting-ISP
add address=192.0.2.0/24 list=unexpected-src-address-hitting-ISP
add address=192.88.99.0/24 list=unexpected-src-address-hitting-ISP
add address=192.168.0.0/16 disabled=yes list=unexpected-src-address-hitting-ISP
add address=198.18.0.0/15 list=unexpected-src-address-hitting-ISP
add address=198.51.100.0/24 list=unexpected-src-address-hitting-ISP
add address=203.0.113.0/24 list=unexpected-src-address-hitting-ISP
add address=233.252.0.0/24 list=unexpected-src-address-hitting-ISP
add address=240.0.0.0/5 list=unexpected-src-address-hitting-ISP
add address=248.0.0.0/6 list=unexpected-src-address-hitting-ISP
add address=252.0.0.0/7 list=unexpected-src-address-hitting-ISP
add address=254.0.0.0/8 list=unexpected-src-address-hitting-ISP
# The router's own WAN addresses as seen from each ISP (Fritzbox LAN and
# LTE).  Both entries are static and will change once the Fritzbox is put
# into bridge mode.
add address=192.168.0.98 comment=ISP1-address list=unexpected-src-address-hitting-ISP
add address=10.25.184.133 comment=ISP2-address list=unexpected-src-address-hitting-ISP
# expected-dst-address-to-my-ISP: the only destinations accepted from WAN
# in raw prerouting.  Must track the real WAN address(es), see top note.
add address=192.168.0.98 comment=ISP1-address list=expected-dst-address-to-my-ISP
add address=10.25.184.133 comment=ISP2-address list=expected-dst-address-to-my-ISP
# CAM: not referenced by any rule in this export.
add address=10.18.40.21 list=CAM
add address=10.18.40.22 list=CAM
add address=10.18.40.23 list=CAM
add address=10.18.40.24 list=CAM
add address=10.18.40.25 list=CAM
add address=10.18.40.26 list=CAM
add address=10.18.20.22 list=Admin
# DYNDNS: DNS-name entries; the router resolves them itself.  Used by the
# dstnat rules and the disabled hairpin mark-connection rule.
add address=aaaaa.bbbbb.de list=DYNDNS
add address=10.18.30.21 list=DVBTRECEIVER
# LetsEncrypt: ACME API host names, used by the input rule for TCP/80.
add address=acme-v02.api.letsencrypt.org list=LetsEncrypt
add address=acme-staging-v02.api.letsencrypt.org list=LetsEncrypt
add address=letsencrypt.org list=LetsEncrypt
add address=srv02.srvdns.de list=DYNDNS
add address=10.18.56.0/24 list=All_LAN
add address=10.18.56.0/24 list=All_LAN_-_LTE
add address=10.18.56.0/24 list=All_LAN_-_No_Guest
add address=10.18.56.0/24 list=All_LAN_-_No_MGMT
# Shelly: not referenced by any rule in this export (the forward rule for
# VLAN56 uses src-address=10.18.56.0/24 directly).
add address=10.18.56.15 list=Shelly
# LAN_with_open_ports: disabled; only used by the disabled hairpin-NAT rule.
add address=10.18.50.0/24 disabled=yes list=LAN_with_open_ports
/ip firewall connection tracking
# Strict TCP tracking (loose-tcp-tracking=no) and a 30-minute established
# timeout instead of the default; long idle TCP sessions will be re-tracked
# as new once they resume.
set enabled=yes loose-tcp-tracking=no tcp-established-timeout=30m
/ip firewall filter
# The disabled "log" rules below are used purely as visual separators.
add action=log chain=input comment="------------------------------------------------------------------------------------------------------------------------------------------------------------\
    ---------------------------- INPUT - REGELN ------------------------------------------------------------------------------------------------------------------------------------------------\
    ----------------------------------------" disabled=yes
# INPUT chain (traffic to the router itself).  Default at the end: drop.
# TCP/80 from the ACME API hosts, presumably for the router's own
# Let's Encrypt certificate.  NOTE(review): as far as I know the HTTP-01
# validation requests come from Let's Encrypt's validation servers, not
# from the API host names in this list, so this rule may not match the
# validation traffic; check the log-prefix=LetsEncrypt entries while
# renewing.
add action=accept chain=input comment=LetsEncrypt dst-port=80 in-interface-list=WAN-DSL log=yes log-prefix=LetsEncrypt protocol=tcp src-address-list=LetsEncrypt
# ICMP is accepted from everything except WAN; ICMP from WAN that belongs to
# an existing connection (related) is still accepted further down, the rest
# hits the final drop.
add action=accept chain=input comment="Ping | WAN-DSL und WAN-LTE verbieten | LAN erlauben" in-interface-list=!WAN protocol=icmp
add action=accept chain=input comment="Allgemein | Local Loopback (CAPsMAN) erlauben" dst-address=127.0.0.1
# DNS, DHCP and NTP from the VLANs.  Ports 67/68 are only meaningful for
# UDP; listing them in the TCP rule is harmless.
add action=accept chain=input comment="VLAN -> DNS/NTP | UDP erlauben VLAN-Bridge1" dst-port=53,67,68,123 in-interface-list=ALL-VLAN protocol=udp
add action=accept chain=input comment="VLAN -> DNS/NTP | TCP erlauben VLAN-Bridge1" dst-port=53,67,68,123 in-interface-list=ALL-VLAN protocol=tcp
# Management access: only the Admin hosts reach the router on any address;
# every other LAN host is limited to the DNS/DHCP/NTP/ICMP rules above.
# This is purely address based, so /ip service address restrictions are
# still worth setting (not visible in this export).
add action=accept chain=input comment="ADMIN -> Zugang in alle VLANs erlauben" dst-address-list=All_LAN src-address-list=Admin
add action=accept chain=input comment="Allow access INPUT from all VLANs" disabled=yes in-interface-list=ALL-VLAN
# Established/related/untracked sits behind several accept rules; moving it
# to the top of the chain would not change what is accepted (everything
# above it is an accept) but saves rule evaluations per packet.
add action=accept chain=input comment="Allgemein | established,related,untracked Verbindungen erlauben" connection-state=established,related,untracked
add action=drop chain=input comment="Allgemein | Alles ohne Verbindungsstatus blockieren"
add action=log chain=input comment="------------------------------------------------------------------------------------------------------------------------------------------------------------\
    ------------------ FORWARD - REGELN --------------------------------------------------------------------------------------------------------------------------------------------------------\
    ----------------------" disabled=yes
# FORWARD chain (traffic between VLANs and to/from WAN).  Default at the
# end: drop.
add action=accept chain=forward disabled=yes dst-address=10.18.60.15 in-interface=VLAN20-Main protocol=tcp
add action=passthrough chain=forward disabled=yes dst-port=52330 in-interface=VLAN20-Main log=yes out-interface=VLAN60-Printer protocol=udp src-port=52330
# NOTE(review): the comment says VLAN32, the source is 10.18.20.0/24
# (VLAN20 by the interface naming above) -- adjust one of the two.
add action=accept chain=forward comment="VLAN32 Traffic -> VLAN30" dst-address=10.18.30.0/24 src-address=10.18.20.0/24
# Disabled.  NOTE(review): chain=input only sees packets addressed to the
# router itself, so a dst-address of 10.18.50.150 (the server) can only
# match here if that address belongs to the router; chain=forward was
# probably intended.
add action=accept chain=input comment=PGM2 disabled=yes dst-address=10.18.50.150 in-interface-list=LAN-In-Interface-List protocol=tcp src-port=19102
add action=accept chain=forward comment="VLAN30 [DVBTreceiver] Traffic -> VLAN50 [Server]" connection-state=established,related,new,untracked dst-address=10.18.50.150 src-address-list=\
    DVBTRECEIVER
add action=accept chain=forward comment="VLAN56 [Shelly] Traffic -> VLAN50 [Server]" dst-address=10.18.50.150 src-address=10.18.56.0/24
# Accepts every connection that went through srcnat or dstnat.  The dstnat
# half opens the forward path for every dst-nat rule automatically (from
# any in-interface, since the dst-nat rules below are not interface bound);
# the srcnat half already covers all masqueraded LAN -> WAN traffic, which
# the two "Internetzugang" rules further down then repeat.
add action=accept chain=forward comment="allow port forwarding" connection-nat-state=srcnat,dstnat
add action=accept chain=forward comment="Allgemein | established,related,untracked Verbindungen erlauben" connection-state=established,related,untracked
add action=log chain=input comment="---------------------------------------------------------------------------------------------------------- ADMIN | FORWARD - REGELN ------------------------\
    ------------------------------------------------------------------------------------------------------------------------------------------------------" disabled=yes
add action=accept chain=forward comment="VLAN32 Traffic -> VLAN30   TEST !!!" disabled=yes dst-address=10.18.50.0/24 src-address=10.18.98.0/24
# Admin hosts may open connections into every VLAN.
add action=accept chain=forward comment="ADMIN Traffic -> VLAN-Alle" dst-address-list=All_LAN src-address-list=Admin
add action=log chain=input comment="---------------------------------------------------------------------------------------------------------- VLAN | FORWARD - REGELN -------------------------\
    -----------------------------------------------------------------------------------------------------------------------------------------------------" disabled=yes
# Explicit inter-VLAN allowances; everything not listed here is dropped by
# the final rule.  The server 10.18.50.150 may initiate to every VLAN.
add action=accept chain=forward comment="Server Traffic -> ALLE VLAN" dst-address-list=All_LAN src-address=10.18.50.150
# Redundant with the rule above (10.18.30.31 is inside All_LAN); harmless.
add action=accept chain=forward comment="Server Traffic -> MultiMedia" dst-address=10.18.30.31 src-address=10.18.50.150
add action=accept chain=forward comment="VLAN98 Traffic -> VLAN80" dst-address=10.18.80.0/24 src-address=10.18.98.0/24
add action=accept chain=forward comment="VLAN98 Traffic -> VLAN60 | Drucker" dst-address=10.18.60.11 src-address=10.18.98.0/24
add action=accept chain=forward comment="VLAN98 Traffic -> VLAN60 | USB-Server" disabled=yes dst-address=10.18.60.15 dst-port=52330 protocol=udp src-address=10.18.20.0/24 src-port=52330
add action=accept chain=forward comment="VLAN98 Traffic -> VLAN60 | USB-Server" disabled=yes dst-address=10.18.98.0/24 src-address=10.18.60.15
# NOTE(review): disabled, and placed after all the accept rules, so it
# would only catch invalid packets none of them matched.  Enable it and
# move it directly behind the established/related rule so that invalid
# packets cannot slip through the address-based accepts above.
add action=drop chain=forward comment="Drop invalid" connection-state=invalid disabled=yes
# Disabled and redundant: cross-VLAN connections not accepted above already
# end in the final drop.
add action=drop chain=forward comment="Drop all cross-VLAN traffic" connection-state=invalid,new,untracked disabled=yes dst-address=10.18.0.0/16 src-address=10.18.0.0/16
add action=log chain=input comment="VLAN | FORWARD - REGELN" disabled=yes
# Every VLAN (guest VLAN 10.18.25.0/24 included) may reach both uplinks.
add action=accept chain=forward comment="VLAN -> Internetzugang DSL erlauben" in-interface-list=ALL-VLAN out-interface-list=WAN-DSL
add action=accept chain=forward comment="VLAN -> Internetzugang LTE erlauben" in-interface-list=ALL-VLAN out-interface-list=WAN-LTE
# Disabled; superseded by the "allow port forwarding" rule above.
add action=accept chain=forward comment="Allgemein | Port Forwarding erlauben" connection-nat-state=dstnat disabled=yes
add action=drop chain=forward comment="Allgemein | Alles Andere verwerfen"
/ip firewall mangle
# Policy routing per uplink (disabled).  The connection marks WAN1_conn and
# WAN2_conn used by the two rules further down are not set by any rule in
# this export.
add action=mark-routing chain=prerouting comment="Maskieren des WAN-Port DSL" disabled=yes dst-address-list=!All_LAN_-_DSL in-interface-list=ALL-VLAN new-routing-mark=to_ISP1 passthrough=no \
    src-address-list=All_LAN_-_DSL
add action=mark-routing chain=prerouting comment="Maskieren des WAN-Port LTE" disabled=yes dst-address-list=!All_LAN_-_LTE in-interface-list=ALL-VLAN new-routing-mark=to_ISP2 passthrough=no \
    src-address-list=All_LAN_-_LTE
add action=mark-connection chain=prerouting disabled=yes dst-address-list=DYNDNS new-connection-mark=HairPin_NAT passthrough=yes src-address-list=LAN_with_open_ports
add action=mark-routing chain=prerouting connection-mark=WAN1_conn disabled=yes in-interface-list=VLAN-DSL new-routing-mark=to_ISP1 passthrough=yes
add action=mark-routing chain=prerouting connection-mark=WAN2_conn disabled=yes in-interface-list=VLAN-LTE new-routing-mark=to_ISP2 passthrough=yes
# MSS clamping for forwarded TCP SYNs (PPPoE/LTE MTU).
add action=change-mss chain=forward new-mss=clamp-to-pmtu passthrough=yes protocol=tcp tcp-flags=syn
/ip firewall nat
# Hairpin NAT is disabled.  NOTE(review): the dst-nat rules to the server
# below are not bound to a WAN interface, so a LAN client hitting the
# DynDNS name is redirected to 10.18.50.150, but without this srcnat the
# server answers the client directly and the connection will most likely
# fail; enable the hairpin masquerade (and its mangle rule) or restrict the
# dst-nat rules to in-interface-list=WAN.
add action=masquerade chain=srcnat connection-mark=HairPin_NAT disabled=yes
add action=masquerade chain=srcnat comment="Maskieren des WAN-Port DSL" out-interface-list=WAN-DSL
add action=masquerade chain=srcnat comment="Maskieren des WAN-Port LTE" out-interface-list=WAN-LTE
# All NTP from the VLANs is redirected to the router (its NTP server is
# configured outside this export).
add action=redirect chain=dstnat comment="Alle NTP Anfragen auf das Routerboard umleiten | UDP" dst-port=123 in-interface-list=ALL-VLAN protocol=udp to-ports=123
add action=redirect chain=dstnat comment="Alle NTP Anfragen auf das Routerboard umleiten | TCP" dst-port=123 in-interface-list=ALL-VLAN protocol=tcp to-ports=123
# Port forwards to the server; matched by the DynDNS destination address,
# not by interface.
add action=dst-nat chain=dstnat comment="DYNDNS -> FHEM" dst-address-list=DYNDNS dst-port=19102 protocol=tcp to-addresses=10.18.50.150
add action=dst-nat chain=dstnat comment="DYNDNS -> FHEM" dst-address-list=DYNDNS dst-port=19101 protocol=tcp to-addresses=10.18.50.150
# NOTE(review): enabled, and to-addresses=120.18.50.150 is not a LAN
# address -- almost certainly a typo for 10.18.50.150.  As written, inbound
# TCP/19104 on the DSL uplink is forwarded back out towards a foreign
# address.  The same typo appears in the two disabled rules further down.
add action=dst-nat chain=dstnat comment=OwnCloud-Sync dst-port=19104 in-interface=eth01--WAN-DSL protocol=tcp to-addresses=120.18.50.150 to-ports=19104
add action=dst-nat chain=dstnat comment=FHEM-PGM2 disabled=yes dst-port=19102 in-interface=eth01--WAN-DSL protocol=tcp to-addresses=120.18.50.150
add action=passthrough chain=dstnat comment="port forward https to server" disabled=yes dst-port=52330 in-interface-list=ALL-VLAN protocol=udp to-addresses=192.168.120.2
add action=dst-nat chain=dstnat comment="port forward https to server" disabled=yes dst-port=52330 in-interface-list=ALL-VLAN protocol=tcp to-addresses=192.168.120.2
# The following USB-server experiments are all disabled; their comments
# were copied from the NTP rules and no longer describe them.
add action=redirect chain=dstnat comment="Alle NTP Anfragen auf das Routerboard umleiten | UDP" disabled=yes dst-address=10.18.60.15 dst-port=52330 protocol=udp src-address=10.18.98.0/24 \
    src-port=52330
add action=redirect chain=dstnat comment="Alle NTP Anfragen auf das Routerboard umleiten | UDP" disabled=yes dst-address=120.18.60.15 dst-port=52330 protocol=udp src-port=52330 to-ports=52330
add action=dst-nat chain=dstnat comment=USB-Server disabled=yes log=yes protocol=udp src-port=52330 to-addresses=10.18.60.15 to-ports=52330
add action=redirect chain=dstnat disabled=yes in-interface=all-ethernet layer7-protocol=dyndns1 protocol=tcp
# Disabled: would expose SSH and HTTPS of the server via the DynDNS name.
add action=dst-nat chain=dstnat disabled=yes dst-address-list=DYNDNS dst-port=22,443 protocol=tcp to-addresses=10.18.50.150
add action=dst-nat chain=dstnat comment="DYNDNS -> FHEM" disabled=yes dst-address-list=DYNDNS dst-port=19102 protocol=tcp to-addresses=10.18.50.150 to-ports=19102
/ip firewall raw
# Raw prerouting runs before connection tracking: cheap early drops.
# 1) spoofed/bogon sources arriving on WAN.
add action=drop chain=prerouting comment="Verbot von nicht legitimen SRC-Adressen auf der WAN-Seite" in-interface-list=WAN src-address-list=unexpected-src-address-hitting-ISP
# 2) anything on WAN not addressed to the router's own WAN addresses.
# NOTE(review): this list is static; after the switch to bridge mode it
# must contain the new (public) WAN address or everything from WAN,
# including replies to outbound connections, is dropped here.
add action=drop chain=prerouting comment="Verbot von nicht legitimen DST-Adressen auf der WAN-Seite" dst-address-list=!expected-dst-address-to-my-ISP in-interface-list=WAN
# 3) anti-spoofing for the VLAN side: sources outside All_LAN are dropped.
# NOTE(review): DHCP DISCOVER/REQUEST packets carry source 0.0.0.0, which
# is not in All_LAN.  If DHCP works today, that is either because the
# DHCP server does not pass through the IP firewall or because the
# address-less All_LAN entry above matches everything -- confirm which, as
# the two explanations have very different consequences for this rule.
add action=drop chain=prerouting comment="Verbot von nicht legitimen Traffic aus dem LAN" in-interface-list=ALL-VLAN src-address-list=!All_LAN
# "accept" in raw only ends raw processing for the packet; it does not
# bypass the filter chains.  Since no raw rules follow, these two rules
# have no effect.
add action=accept chain=prerouting src-address-list=DNS
add action=accept chain=output dst-address-list=DNS
/ip firewall service-port
# SIP connection-tracking helper enabled on these ports.  If no VoIP
# device depends on the ALG, disabling the helper avoids its rewriting of
# SIP payloads (a frequent source of odd VoIP problems behind NAT).
set sip ports=5060,5061,5063,5064,5065,5075,5099,5100