Firewall routing masquerade security

Hello Forum

I found a security issue that I was not aware of.
I always assumed that if I use the function source nat masquerade, no routing would be possible in-between in and out interfaces.

However, this is not the case.
Imagine the default configuration of a Mikrotik Routerboard 450G.
There you have two interfaces configured.
One as ether1-gateway (WAN) and the other as ether2-master-local.
The ether2 interface is configured with the IP address 192.168.88.1 and the ether1 interface as a DHCP client. Also, srcnat masquerade is configured for port address translation to the ether1 IP address. All source IP addresses are translated from the LAN to the outside address.

If you configure a PC in the network range of the ether1 interface and use the ether1 IP address as the default gateway, the packets are routed from outside (WAN) to inside (LAN).
With a firewall rule it's possible to stop this.
In the manuals I have always seen that communication from the outside interface to the inside interface is only possible with a static NAT rule.
This is not true! The RB is still routing!
How do you handle your internet access?
How do you secure your WAN Interface?

Best regards, redblue

You need to set a general drop rule on the input and forward chains from the WAN side and allow only established and related connection packets to pass in from the WAN port, plus other exceptions you want to allow. RouterOS accepts connections by default if you do not set other rules.
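An added example of the ruleset the reply above describes, written for the RB450G default setup from the original post; it is not code from the thread or MikroTik's own default script, and it assumes ether1-gateway is the WAN port, the LAN is 192.168.88.0/24 on ether2-master-local, and RouterOS v6 CLI syntax:

```routeros
# Added example (assumptions: ether1-gateway = WAN, LAN 192.168.88.0/24 on
# ether2-master-local). Add these from the LAN side or in Safe Mode so a
# mistake does not lock you out of the router.
#
# srcnat masquerade only rewrites the source address of packets leaving
# ether1-gateway. It does not stop a packet that arrives on ether1-gateway
# with a 192.168.88.x destination from being routed into the LAN; only
# filter rules do that. Rule order matters: accepts come before the drops.

/ip firewall filter
# --- input chain: traffic addressed to the router itself ---
add chain=input connection-state=established,related action=accept \
    comment="accept replies to connections the router itself started"
add chain=input connection-state=invalid action=drop \
    comment="drop packets that belong to no tracked connection"
add chain=input in-interface=ether1-gateway action=drop \
    comment="drop everything else from WAN (no WinBox/SSH/DNS from outside)"

# --- forward chain: traffic routed between interfaces ---
add chain=forward connection-state=established,related action=accept \
    comment="accept replies to connections opened from the LAN"
add chain=forward connection-state=invalid action=drop
add chain=forward in-interface=ether1-gateway connection-state=new action=drop \
    comment="drop new connections from WAN: stops the routed WAN-to-LAN access"

# Check: repeat the test from the original post (host on the WAN side sending
# to a 192.168.88.x address). The packet counter of the last forward rule
# should increase and the LAN host should no longer answer.
/ip firewall filter print stats
```

Anything you deliberately expose (a port forward with a dstnat rule, for example) needs its own accept rule in the forward chain placed above the final drop.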

How do you secure your WAN Interface?

I use a firewall. The default behaviour on the Mikrotiks is to accept everything.