If I access my FTP server through SSH on the LAN, I see that the IP is 192.168.79.50/24, gw 192.168.79.2 and DNS 8.8.8.8;8.8.4.4, and I can ping google.it.
But if I try to connect from outside on port 23456 I get connection aborted. Same situation on port 23455 for the other device. The DNS is updated, of course.
Where am I wrong? I'm not skilled, so please be patient.
Sorry, 192.168.80.1 is the LAN IP of the provider modem and it is connected to eth1 on the CCR with the 192.168.80.2 IP address. I get the dynamic public IP address from the modem.
From my smartphone, or also from a PC outside of my net.
Which IP do you use to connect? Do you use your dynamic public IP? In this case, you should configure port-forwarding on your modem because it implements source NAT for you. Or you should get the dynamic IP directly on your router (it may or may not be possible depending on your ISP; some modems provide “bridge mode” to achieve it).
Unfortunately the CCR devices do not come with a default firewall as they are mainly targeting ISP/Corporate use, not consumer NAT routing.
You could consider using the default firewall of home devices:
/interface list add name=WAN comment="defconf"
/interface list add name=LAN comment="defconf"
/interface list member add list=LAN interface=bridge comment="defconf"
/interface list member add list=WAN interface=ether1 comment="defconf"
/ip firewall {
filter add chain=input action=accept connection-state=established,related,untracked comment="defconf: accept established,related,untracked"
filter add chain=input action=drop connection-state=invalid comment="defconf: drop invalid"
filter add chain=input action=accept protocol=icmp comment="defconf: accept ICMP"
filter add chain=input action=accept dst-address=127.0.0.1 comment="defconf: accept to local loopback (for CAPsMAN)"
filter add chain=input action=drop in-interface-list=!LAN comment="defconf: drop all not coming from LAN"
filter add chain=forward action=accept ipsec-policy=in,ipsec comment="defconf: accept in ipsec policy"
filter add chain=forward action=accept ipsec-policy=out,ipsec comment="defconf: accept out ipsec policy"
filter add chain=forward action=fasttrack-connection connection-state=established,related comment="defconf: fasttrack"
filter add chain=forward action=accept connection-state=established,related,untracked comment="defconf: accept established,related, untracked"
filter add chain=forward action=drop connection-state=invalid comment="defconf: drop invalid"
filter add chain=forward action=drop connection-state=new connection-nat-state=!dstnat in-interface-list=WAN comment="defconf: drop all from WAN not DSTNATed"
}
In this firewall, ether1 is assumed to be the WAN interface and “bridge” is the LAN interface, but you can change the interface list memberships as required.
@dax79
Since you are new to Mikrotik devices, you should have a look at the (unofficial) Rules:
particularly #8.
AFAICR TIM (Italian Telecom) provides routers which can rarely be set to bridge mode, so the idea of using another device with OpenWRT is probably the best one, but the ISP provided modem/router should be able to forward some ports[1].
If you have a Fritzbox 7530 running OpenWRT available, maybe you could still set it up as the "main" router (with its own firewall). I have no idea how fast the 7530 is (nor which kind of speed your connection has), but loosely having two routers one after the other (i.e. double NAT) is not as bad as many people believe; the only sometimes noticeable issue - in some cases - can be an increase in latency, that may only affect gaming.
AFAICR in OpenWRT jargon what on Mikrotiks is called hairpin NAT is usually called NAT loopback, if you want to search info on that.
Yes, I have a 7530 running OpenWRT. My connection speed is 100/20 Mb.
Could a total firewall disable on OpenWRT be an option? I mean the 7530 as main router for the internet connection without a firewall, and the port forwarding managed by the CCR?
Yes, you can set the Fritzbox as bridge (no NAT, no Firewall) as Ilka suggested, so it will become a "media converter" and use the CCR as "edge router" (and firewall).
Since the firewall will be on the CCR, you should never connect any other device directly to the Fritzbox, only the CCR should be connected to it.
Sorry if I wasn't clear, it's due to my lacking knowledge. Is it possible to use the Fritz as a 'normal' modem (also as access point and with the other LAN ports) without NAT and firewall?
It is possible to run 2 IP ranges on the network, e.g. 192.168.178.1/24 for the Fritzbox and 192.168.88.1/24 for the MikroTik LAN (both defaults). When you disable the DHCP server of the Fritzbox and put all ports in the MikroTik in the same bridge, with the MikroTik on a static IP like 192.168.178.2/24 with default route via 192.168.178.1 and configure the DHCP server on the MikroTik, the clients will not notice this (unless they want to) and you can use the FritzBox WiFi interface as usual.
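As an added example (not taken from this thread or from any poster's configuration), the RouterOS commands for the two-range layout just described, combined with the default-style firewall posted earlier: the MikroTik sits at 192.168.178.2 on the Fritzbox side, owns 192.168.88.0/24 on its bridge, and forwards the port from the original question. Assumptions: ether1 faces the Fritzbox, ether2-ether5 are LAN ports, the FTP server is at 192.168.88.50 and listens on TCP 23456, and the WAN/LAN interface lists from the earlier post already exist.

```routeros
# Added example, not from the thread. Assumed: ether1 -> Fritzbox, ether2-5 -> LAN,
# FTP server 192.168.88.50 listening on TCP 23456, WAN/LAN interface lists defined.

# All LAN ports in one bridge (this is the "LAN" member of the interface list)
/interface bridge add name=bridge comment="LAN bridge"
/interface bridge port add bridge=bridge interface=ether2
/interface bridge port add bridge=bridge interface=ether3
/interface bridge port add bridge=bridge interface=ether4
/interface bridge port add bridge=bridge interface=ether5

# Uplink: static address in the Fritzbox range, default route via the Fritzbox
/ip address add address=192.168.178.2/24 interface=ether1 comment="towards Fritzbox"
/ip route add dst-address=0.0.0.0/0 gateway=192.168.178.1

# LAN: MikroTik owns 192.168.88.0/24 and serves DHCP (Fritzbox DHCP server disabled)
/ip address add address=192.168.88.1/24 interface=bridge comment="LAN"
/ip pool add name=lan-pool ranges=192.168.88.10-192.168.88.254
/ip dhcp-server add name=lan-dhcp interface=bridge address-pool=lan-pool disabled=no
/ip dhcp-server network add address=192.168.88.0/24 gateway=192.168.88.1 dns-server=192.168.88.1
/ip dns set allow-remote-requests=yes servers=8.8.8.8,8.8.4.4

# Source NAT for LAN clients leaving through ether1 (the Fritzbox NATs again: double NAT)
/ip firewall nat add chain=srcnat out-interface-list=WAN action=masquerade comment="masquerade"

# Port forward. The Fritzbox must first forward TCP 23456 to 192.168.178.2; this rule
# then maps it to the server. The posted filter rule "drop all from WAN not DSTNATed"
# lets only such DST-NATed connections in from the WAN side, nothing else.
/ip firewall nat add chain=dstnat in-interface-list=WAN protocol=tcp dst-port=23456 \
    action=dst-nat to-addresses=192.168.88.50 to-ports=23456 comment="ftp from outside"
```

If 23456 is an FTP control port, passive-mode data connections are only tracked when the FTP helper knows that port (/ip firewall service-port set ftp ports=21,23456); otherwise just the control connection passes the firewall.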
The generic point is that the (fiber or cable) connection from your ISP can (please read as WILL) allow anyone on the internet to get inside your house, so the FIRST device connected to it MUST have a working firewall to prevent intrusions.
If the firewall is on the second device, there must be ONLY a connection between it and the first one, and ALL clients must be connected "downstream" from this second device.
If the Fritzbox is your first device, and you plan to use it as access point or however connect to it other devices, it MUST run a firewall.
I don't want to scare you, but - just as an example - a Mikrotik router connected to the internet with default user "admin" and blank password (or a common one) will survive a handful of seconds, maybe a few minutes, before being pwned, see:
There is no reason to believe that any other device on your network, if accessible from the internet, is safe from these bots.
So, whatever topology/approach you choose, ALL clients should be behind a firewall, one way or the other.
In practice it will not be that bad, because when you have a provider modem in bridge mode, and you have only a single IP from the provider (as usual), there will be some setup in bridge mode like the MAC address of the next hop (maybe auto-determined from a “local network devices” GUI thing) and when that points to the MikroTik router as second device and it has the proper firewall, there is no way for outside perpetrators to directly access other devices even when they are on the same physical network.
(which is necessary to re-use the other features of the device in bridge mode, like WiFi or Phone interface)
Yes, of course the approach you suggested as a possible alternative would work just fine: in that approach the first device is "passthrough" and the other devices, even if connected to it, will reach the internet anyway through the Mikrotik, so the first device would act as two devices, one a switch (passthrough bridge) between only the internet and the Mikrotik, and the second a separate bridge between the Mikrotik and the clients.