I have SOHO and friend of mine recommended to switch to MikroTik for versitality of their products running RouterOS.
So purchased hEX S and cAP ac that is connected via PoE to the hEX S.
My “hEX S” has “ether1” connected to VDSL Modem via “pppoe-out1” connection.
Ports “spf1,ether2,ether3,ether4,ether5” are local ports. and included in “bridge”
so “ether1” is my internet port and so is “pppoe-out1”..
#ALL INTERFACES
#interface print from my hEX S
/interface print
# NAME TYPE
0 ether1 ether
1 ether2 ether
2 ether3 ether
3 ether4 ether
4 ether5 ether
5 sfp1 ether
6 bridge bridge
7 pppoe-out1 pppoe-out
.
#LAN + WAN
#interface member print from my hEX S
/interface list member print
# LIST INTERFACE
0 LAN bridge
1 WAN ether1
#LAN only ports
#interface bridge port print showing rest of the ports as LAN
/interface bridge port print
# INTERFACE BRIDGE HW PVID PRIORITY PATH-COST INTERNAL-PATH-COST HORIZON
0 ether2 bridge yes 1 0x80 10 10 none
1 ether3 bridge yes 1 0x80 10 10 none
2 ether4 bridge yes 1 0x80 10 10 none
3 ether5 bridge yes 1 0x80 10 10 none
4 sfp1 bridge yes 1 0x80 10 10 none
.
.
My previous ADSL Modem/Router Technicolor TG582 was great,
I could control it from telnet, and here are example of the firewall rule when I wanted to allow incoming traffic:
(1) - add/check the hostname/port
:expr add name=RPi512 type=ip addr=107.189.10.209
:expr add name=RPi512 type=ip addr=2002:6bbd:0ad8:0:ba27:ebab:fc5d:f34a
:expr add name=RPi512rtmp type=serv proto=tcp dstport=1935
:expr list
.
.
(2) - add/check the firewall rule
:firewall rule add chain=forward_level_Expert index=3 srcintf=wan serv=RPi512rtmp srcip=190.58.131.145 dstip=107.189.10.209 log=enabled action=accept
:firewall rule add chain=forward_level_Expert index=3 srcintf=wan serv=RPi512rtmp dstip=2002:6bbd:0ad8:0:.... log=enabled action=accept
:firewall rule list
.
I would start after rule no. 2 as that was designated for persistent abusers
(3) - check the firewall list
:firewall level list
Rules (flags: C=Constant, D=Dynamic, E=Enable, L=Log)
=====
Chain Nr. Flags Rule name Action Conditions
------------------------------------------------------------------------------------------------------------------------------------------
forward_level_Expert 1 C EL : accept : lan.* > *.*
2 C EL : drop : wan.abusers > *.*
3 C EL : accept : RPi512rtmp wan.190.58.131.145 > *.107.189.10.209
4 C EL : accept : RPi512rtmp wan.* > *.2002:6bbd:0ad8:0:ba27:ebab:fc5d:f34a
.................... ... ..... ........... ....................................................
29 C EL : deny : wan.* > *.*
Last year I had upgraded from ADSL to VDSL and got from my ISP new VDSL Modem/Router,
that is restricted to only handful of rules that can be saved in firewall via
web interface and the device is restricted, locked DNS servers, etc.
But the firewall rules are easy to set up, just add “SERVICE [name + port number(s)+ type UDP,TCP or both]”
and then create a firewall rule for Inbound service:
“SERVICE” + action “allow, block” + LAN IPv4 or v6 + access from “Single IP/Range” and last "LOG rule
Perhaps the fact the have a block of /28 IPv4 on LAN side could be the problem,
but it never was when we had the stock ADSL/VDSL Modem/Routers.
Is it important that “input” rules are first in firewall rules, or they can be after
“forward” rules in MIkroTIk firewall?
I understand that “input” is to allow access to the router, which I do not need (just ICMP), I am
after allowing/opening specific port(s) to specific LAN IP address from my block of /28 that my ISP give me
and restricting access to that port/ip only from certain outside IP ranges.
I have tried the following:
#IPv4 firewall to a router=input (Block everything apart of ICMP)
/ip firewall filter add action=accept chain=input comment="MT default configuration" connection-state=established,related
/ip firewall filter add action=accept chain=input comment="MT default configuration" src-address-list=allowed_to_router
/ip firewall filter add action=accept chain=input comment="MT default configuration" protocol=icmp
/ip firewall filter add action=drop chain=input comment="MT default configuration"
.
#IPv4 firewall address list for LAN
/ip firewall address-list add address=107.189.10.216/28 list=allowed_to_router comment="MT default configuration"
/ip firewall address-list add address=107.189.10.209-107.189.10.222 list=allowed_to_router
.
#IPv4 firewall for clients=forward | in-interface=bridge
/ip firewall filter
add action=fasttrack-connection chain=forward comment="MT FastTrack" connection-state=established,related
add action=accept chain=forward comment="MT Established, Related" connection-state=established,related
add action=drop chain=forward comment="MT Drop invalid" connection-state=invalid log=yes log-prefix=invalid
add action=drop chain=forward comment="MT Drop tries to reach not public addresses from LAN" dst-address-list=not_in_internet in-interface=bridge log=yes log-prefix=!public_from_LAN out-interface=!bridge
add action=drop chain=forward comment="MT Drop incoming packets that are not NATted" connection-nat-state=!dstnat connection-state=new in-interface=ether1 log=yes log-prefix=!NAT
add action=drop chain=forward comment="MT Drop incoming from internet which is not public IP" in-interface=ether1 log=yes log-prefix=!public src-address-list=not_in_internet
# And here I would place my custom rules to allow access to different local LAN IP range of public IPv4 adresses - 107.189.10.209-107.189.10.222:
add action=accept chain=forward protocol=tcp dst-address=107.189.10.209 dst-port=1935-1935 log=yes log-prefix=""
add action=drop chain=forward comment="MT Drop packets from LAN that do not have LAN IP" in-interface=bridge log=yes log-prefix=LAN_!LAN src-address=!107.189.10.216/28
I have followed the wiki posts [https://wiki.mikrotik.com/wiki/Firewall]
but none of them seems to work for me,
and I would end up with open network (all the hosts are accessible from Internet).
What am I doing wrong?
On “chain=forward” my “in-interface” should be “ether1” or “bridge” or “pppoe-out1”?
ether1 is connected to VDSL Modem in bridge mode.
bridge is where all of my LAN clients are
pppoe-out1 is the connection created to connect to my ISP
EDIT: added Code display