Firewall rules (Little audit)

Good afternoon guys,

This is my first post. I started my MikroTik journey a few weeks ago and lately I have had more time to get involved. I have no prior network experience so, please, don't judge; I may have a lot of mistakes in my lines, but I hope you can tell me if I have to fix something. I learned quite a bit in a few days of going through RouterOS, and I started out a bit shy because I saw a lot of messages about "how hard and complicated the MikroTik world is".

So, I have rules for IPv4; please tell me if all is good, if I am very safe with this configuration, and if my order is good, because I know MikroTik needs good rules top to bottom. My router is on an IPv4 CGNAT config, but if I really want to, I can go for public IPv6; I just don't need it for the moment. Though I don't know if I should have IPv6 firewall rules, because I left it enabled in the settings so I don't end up on websites that are not working. I don't know if you guys turn off IPv6 when you're on a public IPv4 or CGNAT, but from what I have read, it is nice to leave it on.

/ip firewall filter
add action=accept chain=input comment="Accept established,related" \
    connection-state=established,related,untracked log=yes log-prefix=\
    "input accept"
add action=drop chain=input comment="Drop invalid" connection-state=invalid \
    log=yes log-prefix="drop invalid input"
add action=accept chain=input comment="Accept ICMP" protocol=icmp
add action=drop chain=input comment="Drop all not coming from LAN" \
    in-interface-list=!LAN log-prefix="Drop all not from LAN"
add action=accept chain=input comment=\
    "Allow VLAN65 to have Management Access" in-interface=vlan65-management
add action=accept chain=forward comment="Accept in ipsec policy" \
    ipsec-policy=in,ipsec
add action=accept chain=forward comment="Accept out ipsec policy" \
    ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment=Fasttrack \
    connection-state=established,related hw-offload=yes
add action=accept chain=forward comment="Accept established,related" \
    connection-state=established,related
add action=drop chain=forward comment="Drop invalid" connection-state=invalid \
    log-prefix="drop invalid forward"
add action=drop chain=forward comment="Drop Inter-Vlan Communication" \
    in-interface-list=VLAN out-interface-list=VLAN
add action=accept chain=forward comment="Allow VLAN to Acces the Internet" \
    in-interface-list=VLAN out-interface-list=WAN
add action=drop chain=forward comment="Drop all from WAN not DSTNATed" \
    connection-nat-state=!dstnat connection-state=new in-interface-list=WAN
add action=drop chain=forward comment="Dropp all WAN trafic not commented" \
    log-prefix="drop all wan not commented"
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" \
    ipsec-policy=out,none out-interface-list=WAN
/ip service
set telnet disabled=yes
set ftp disabled=yes
set www disabled=yes
set ssh disabled=yes
set api disabled=yes
set api-ssl disabled=yes
/ip ssh
set strong-crypto=yes

Something may come later if I want to give specific IP addresses from other VLANs access to specific VLANs (like a media server, or I don't know...), but I'm not there yet.

And here is the IPv6. I also put in a rule to block access to Winbox (I don't know if it makes any sense, but I wanted it more secure because I will never access the router over IPv6).

/ipv6 firewall address-list
add address=::/128 comment="defconf: unspecified address" list=bad_ipv6
add address=::1/128 comment="defconf: lo" list=bad_ipv6
add address=fec0::/10 comment="defconf: site-local" list=bad_ipv6
add address=::ffff:0.0.0.0/96 comment="defconf: ipv4-mapped" list=bad_ipv6
add address=::/96 comment="defconf: ipv4 compat" list=bad_ipv6
add address=100::/64 comment="defconf: discard only " list=bad_ipv6
add address=2001:db8::/32 comment="defconf: documentation" list=bad_ipv6
add address=2001:10::/28 comment="defconf: ORCHID" list=bad_ipv6
add address=3ffe::/16 comment="defconf: 6bone" list=bad_ipv6
/ipv6 firewall filter
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=accept chain=input comment="defconf: accept ICMPv6" protocol=\
    icmpv6
add action=accept chain=input comment="defconf: accept UDP traceroute" \
    dst-port=33434-33534 protocol=udp
add action=accept chain=input comment=\
    "defconf: accept DHCPv6-Client prefix delegation." dst-port=546 protocol=\
    udp src-address=fe80::/10
add action=accept chain=input comment="defconf: accept IKE" dst-port=500,4500 \
    protocol=udp
add action=accept chain=input comment="defconf: accept ipsec AH" protocol=\
    ipsec-ah
add action=accept chain=input comment="defconf: accept ipsec ESP" protocol=\
    ipsec-esp
add action=accept chain=input comment=\
    "defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=input comment=\
    "defconf: drop everything else not coming from LAN" in-interface-list=\
    !LAN
add action=drop chain=forward comment="Block Internet from accesing VLAN65" \
    in-interface-list=WAN out-interface=vlan65-management
add action=drop chain=forward comment=\
    "Block VLAN65 from accesing the Internet" in-interface=vlan65-management \
    out-interface-list=WAN
add action=drop chain=forward comment="Block Inter-VLAN communication" \
    in-interface-list=VLAN out-interface-list=VLAN
add action=fasttrack-connection chain=forward comment="defconf: fasttrack6" \
    connection-state=established,related
add action=accept chain=forward comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
add action=drop chain=forward comment=\
    "defconf: drop packets with bad src ipv6" src-address-list=bad_ipv6
add action=drop chain=forward comment=\
    "defconf: drop packets with bad dst ipv6" dst-address-list=bad_ipv6
add action=drop chain=forward comment="defconf: rfc4890 drop hop-limit=1" \
    hop-limit=equal:1 protocol=icmpv6
add action=accept chain=forward comment="defconf: accept ICMPv6" protocol=\
    icmpv6
add action=accept chain=forward comment="defconf: accept HIP" protocol=139
add action=accept chain=forward comment="defconf: accept IKE" dst-port=\
    500,4500 protocol=udp
add action=accept chain=forward comment="defconf: accept ipsec AH" protocol=\
    ipsec-ah
add action=accept chain=forward comment="defconf: accept ipsec ESP" protocol=\
    ipsec-esp
add action=accept chain=forward comment=\
    "defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=forward comment=\
    "defconf: drop everything else not coming from LAN" in-interface-list=\
    !LAN

Thank you a lot guys ! Feel free to “correct” my errors.

Attempting to provide a review of firewall rules is not all that helpful, as the config is interrelated.
So please provide the full config so we can understand the context, as we don't know what device you have for starters and what it is attached to (especially because there is no network diagram or list of the requirements for user traffic).

/export file=anynameyouwish (minus router serial number, any public WANIP information, keys)

Do recommend ensuring you have read this post first…
http://forum.mikrotik.com/t/using-routeros-to-vlan-your-network/126489/1

Thank you a lot, I appreciate the help that you give for free to others. I altered some things to censor it like you said. This is my full config (for IPv6 I mostly used the default config; like I said, I don't know if I really need it if I have an IPv4 connection, but if I need it I hope it is good).

Usage is like this: ONT - MikroTik AX3 (which acts as wifi access point) - some cheap managed gigabit switch for the moment (where I create a trunk port that carries all VLAN tags, and I set some ports on the switch as tagged VLANs for a few computers). The Guest and IoT are mostly used for WiFi.

It is crazy to me that I can talk about trunk ports and VLANs after just one week of a few hours per day of reading and trying stuff in the MikroTik interface (I think I found a new hobby).

CONFIG

/interface bridge
add admin-mac=censored auto-mac=no comment=Mikro name=bridge-m \
    vlan-filtering=yes
/interface ethernet
set [ find default-name=ether1 ] name=ether1-wan
set [ find default-name=ether2 ] name=ether2-trunk
set [ find default-name=ether3 ] name=ether3-guest
set [ find default-name=ether4 ] name=ether4
set [ find default-name=ether5 ] name=ether5-admin
/interface wifi
set [ find default-name=wifi1 ] channel.band=5ghz-ax .skip-dfs-channels=\
    10min-cac .width=20/40/80mhz configuration.country=CENSORED .hide-ssid=yes \
    .mode=ap .ssid=LERIWE3 datapath.vlan-id=55 disabled=no name=wifi1-lan \
    security.authentication-types=wpa3-psk
set [ find default-name=wifi2 ] channel.band=2ghz-ax .skip-dfs-channels=all \
    .width=20/40mhz configuration.country=CENSORED .hide-ssid=no .mode=ap \
    .ssid=55325eettt datapath.client-isolation=no .vlan-id=65 disabled=no \
    name=wifi2-lan security.authentication-types=wpa2-psk .ft=yes \
    .ft-over-ds=yes
add configuration.mode=ap .ssid=WIFIWER datapath.client-isolation=no \
    .vlan-id=65 disabled=no mac-address=mac-guest master-interface=\
    wifi2-lan name=wifi3-guest security.authentication-types=wpa2-psk .ft=\
    yes .ft-over-ds=yes
add configuration.mode=ap .ssid=m4network datapath.client-isolation=yes \
    .vlan-id=75 disabled=no mac-address=mac-iot master-interface=\
    wifi2-lan name=wifi4-iot security.authentication-types=wpa2-psk,wpa3-psk \
    .ft=no .ft-over-ds=no
/interface pppoe-client
add add-default-route=yes disabled=no interface=ether1-wan name=pppoe-out1 \
    use-peer-dns=yes user=USER
/interface vlan
add interface=bridge-m name=55-lan vlan-id=55
add interface=bridge-m name=vlan65-guest vlan-id=65
add interface=bridge-m name=vlan75-iot vlan-id=75
add interface=bridge-m name=vlan85-admin vlan-id=85
/interface list
add name=WAN
add name=LAN
add comment="Guest Network" name=Guest
add comment="IoT Network" name=IoT
add comment="VLAN NETWORK" name=VLAN
/ip pool
add name=pool_lan ranges=10.56.1.20-10.56.1.254
add name=pool_guest ranges=10.56.2.10-10.56.2.254
add name=pool_iot ranges=10.56.3.10-10.56.3.254
add name=pool_admin ranges=10.56.9.5-10.56.9.254
/ip dhcp-server
add address-pool=pool_lan interface=55-lan lease-time=12h30m name=\
    dhcp-lan
add address-pool=pool_guest interface=vlan65-guest lease-time=12h30m name=\
    dhcp-guest
add address-pool=pool_iot interface=vlan75-iot lease-time=12h30m name=\
    dhcp-iot
add address-pool=pool_admin interface=vlan85-admin lease-time=12h30m name=\
    dhcp-admin
/disk settings
set auto-media-interface=bridge-m auto-media-sharing=yes auto-smb-sharing=\
    yes
/interface bridge port
add bridge=bridge-m interface=ether2-trunk pvid=55
add bridge=bridge-m interface=ether3-guest pvid=65
add bridge=bridge-m interface=ether4
add bridge=bridge-m interface=ether5-admin pvid=85
add bridge=bridge-m interface=wifi1-lan pvid=55
add bridge=bridge-m interface=wifi2-lan pvid=65
add bridge=bridge-m interface=wifi3-guest pvid=65
add bridge=bridge-m interface=wifi4-iot pvid=75
/ip neighbor discovery-settings
set discover-interface-list=LAN
/interface bridge vlan
add bridge=bridge-m comment="lan VLAN" tagged=ether2-trunk untagged=\
    wifi1-lan vlan-ids=55
add bridge=bridge-m comment="Guest VLAN" tagged=\
    ether2-trunk,wifi3-guest,wifi2-lan vlan-ids=65
add bridge=bridge-m comment="Management VLAN" tagged=\
    ether2-trunk,bridge-m untagged=ether5-admin vlan-ids=85
add bridge=bridge-m comment="IoT VLAN" tagged=wifi4-iot vlan-ids=75
/interface list member
add interface=bridge-m list=LAN
add interface=ether1-wan list=WAN
add interface=pppoe-out1 list=WAN
add interface=vlan85-admin list=LAN
add interface=ether5-admin list=LAN
add interface=55-lan list=VLAN
add interface=vlan65-guest list=VLAN
add interface=vlan75-iot list=VLAN
add interface=ether4 list=LAN
/ip address
add address=192.168.193.1/24  interface=bridge-m network=\
    192.168.193.0
add address=10.56.1.1/24 interface=55-lan network=10.56.1.0
add address=10.56.2.1/24 interface=vlan65-guest network=10.56.2.0
add address=10.56.3.1/24 interface=vlan75-iot network=10.56.3.0
add address=10.56.9.1/24 interface=vlan85-admin network=10.56.9.0
/ip dhcp-server network
add address=10.56.1.0/24 gateway=10.56.1.1
add address=10.56.2.0/24 gateway=10.56.2.1
add address=10.56.3.0/24 gateway=10.56.3.1
add address=10.56.9.0/24 gateway=10.56.9.1

/ip dns
set allow-remote-requests=yes
/ip dns static
add address=192.168.88.1  name=router.lan type=A
/ip firewall filter
add action=accept chain=input comment="Accept established,related" \
    connection-state=established,related,untracked log=yes log-prefix=\
    "input accept"
add action=drop chain=input comment="Drop invalid" connection-state=invalid \
    log=yes log-prefix="drop invalid input"
add action=accept chain=input comment="Accept ICMP" protocol=icmp
add action=drop chain=input comment="Drop all not coming from LAN" \
    in-interface-list=!LAN log-prefix="Drop all not from LAN"
add action=accept chain=input comment=\
    "Allow vlan85 to have Management Access" in-interface=vlan85-admin
add action=accept chain=forward comment="Accept in ipsec policy" \
    ipsec-policy=in,ipsec
add action=accept chain=forward comment="Accept out ipsec policy" \
    ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment=Fasttrack \
    connection-state=established,related hw-offload=yes
add action=accept chain=forward comment="Accept established,related" \
    connection-state=established,related
add action=drop chain=forward comment="Drop invalid" connection-state=invalid \
    log-prefix="drop invalid forward"
add action=drop chain=forward comment="Drop Inter-Vlan Communication" \
    in-interface-list=VLAN out-interface-list=VLAN
add action=accept chain=forward comment="Allow VLAN to Acces the Internet" \
    in-interface-list=VLAN out-interface-list=WAN
add action=drop chain=forward comment="Drop all from WAN not DSTNATed" \
    connection-nat-state=!dstnat connection-state=new in-interface-list=WAN
add action=drop chain=forward comment="Dropp all WAN trafic not commented" \
    log-prefix="drop all wan not commented"
/ip firewall nat
add action=masquerade chain=srcnat \
    ipsec-policy=out,none out-interface-list=WAN
/ip service
set telnet disabled=yes
set ftp disabled=yes
set www disabled=yes
set ssh disabled=yes
set api disabled=yes
set api-ssl disabled=yes
/ip ssh
set strong-crypto=yes
/ipv6 firewall address-list
add address=::/128 comment="defconf: unspecified address" list=bad_ipv6
add address=::1/128 comment="defconf: lo" list=bad_ipv6
add address=fec0::/10 comment="defconf: site-local" list=bad_ipv6
add address=::ffff:0.0.0.0/96 comment="defconf: ipv4-mapped" list=bad_ipv6
add address=::/96 comment="defconf: ipv4 compat" list=bad_ipv6
add address=100::/64 comment="defconf: discard only " list=bad_ipv6
add address=2001:db8::/32 comment="defconf: documentation" list=bad_ipv6
add address=2001:10::/28 comment="defconf: ORCHID" list=bad_ipv6
add address=3ffe::/16 comment="defconf: 6bone" list=bad_ipv6
/ipv6 firewall filter
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=drop chain=input comment="Block WinBOX OVER ipV6" dst-port=8291 \
    protocol=tcp
add action=accept chain=input comment="defconf: accept ICMPv6" protocol=\
    icmpv6
add action=accept chain=input comment="defconf: accept UDP traceroute" \
    dst-port=33434-33534 protocol=udp
add action=accept chain=input comment=\
    "defconf: accept DHCPv6-Client prefix delegation." dst-port=546 protocol=\
    udp src-address=fe80::/10
add action=accept chain=input comment="defconf: accept IKE" dst-port=500,4500 \
    protocol=udp
add action=accept chain=input comment="defconf: accept ipsec AH" protocol=\
    ipsec-ah
add action=accept chain=input comment="defconf: accept ipsec ESP" protocol=\
    ipsec-esp
add action=accept chain=input comment=\
    "defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=input comment=\
    "defconf: drop everything else not coming from LAN" in-interface-list=\
    !LAN
add action=drop chain=forward comment="Block Internet from accesing vlan85" \
    in-interface-list=WAN out-interface=vlan85-admin
add action=drop chain=forward comment=\
    "Block vlan85 from accesing the Internet" in-interface=vlan85-admin \
    out-interface-list=WAN
add action=drop chain=forward comment="Block Inter-VLAN communication" \
    in-interface-list=VLAN out-interface-list=VLAN
add action=fasttrack-connection chain=forward comment="defconf: fasttrack6" \
    connection-state=established,related
add action=accept chain=forward comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
add action=drop chain=forward comment=\
    "defconf: drop packets with bad src ipv6" src-address-list=bad_ipv6
add action=drop chain=forward comment=\
    "defconf: drop packets with bad dst ipv6" dst-address-list=bad_ipv6
add action=drop chain=forward comment="defconf: rfc4890 drop hop-limit=1" \
    hop-limit=equal:1 protocol=icmpv6
add action=accept chain=forward comment="defconf: accept ICMPv6" protocol=\
    icmpv6
add action=accept chain=forward comment="defconf: accept HIP" protocol=139
add action=accept chain=forward comment="defconf: accept IKE" dst-port=\
    500,4500 protocol=udp
add action=accept chain=forward comment="defconf: accept ipsec AH" protocol=\
    ipsec-ah
add action=accept chain=forward comment="defconf: accept ipsec ESP" protocol=\
    ipsec-esp
add action=accept chain=forward comment=\
    "defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=forward comment=\
    "defconf: drop everything else not coming from LAN" in-interface-list=\
    !LAN
/system clock
set time-zone-name=CENSORED
/system leds settings
set all-leds-off=immediate
/system note
set show-at-login=no
/system routerboard mode-button
set enabled=yes on-event=dark-mode
/system routerboard wps-button
set enabled=yes on-event=wps-accept
/system script
add dont-require-permissions=no name=dark-mode owner=*sys \
    policy=ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon \
    source="\r\
    \n   :if ([system leds settings get all-leds-off] = \"never\") do={\r\
    \n     /system leds settings set all-leds-off=immediate \r\
    \n   } else={\r\
    \n     /system leds settings set all-leds-off=never \r\
    \n   }\r\
    \n "
add dont-require-permissions=no name=wps-accept owner=*sys \
    policy=ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon \
    source="\r\
    \n   :foreach iface in=[/interface/wifi find where (configuration.mode=\"a\
    p\" && disabled=no)] do={\r\
    \n     /interface/wifi wps-push-button \$iface;}\r\
    \n "
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN

Thanks again !

Awesome, so the ISP router is the main router then... and has VLAN capability???
I ask because you stated the AX3 is acting as an access point... accuracy is important and expected!
If it was an access point only then it would have no need for a WAN interface port, or have a PPPoE WAN connection, so clearly my first question is rhetorical.
The point is that the statement should have been: the AX3 is acting as a full wifi router, or just wifi router, or handling both router and AP duties, etc...

The reason for the confusion is that the AX3 is a well known wifi router and thus when you state "I'm using it as an AP", one can reasonably think OKAY, just an AP then.

+++++++++++++++++++++++++++++++++++++++++++++++

Now to the meat!

  1. I feel sorry for ether4, why do all the other ports get a name but he/she doesn't??
  2. Curious, I see you added client isolation for the IoT WLAN, why not do the same for guest wifi??
  3. Since you have a trusted admin VLAN, that will add some security. There is no need to name single subnets as interface list entries. They should be used for two or more subnets with common traffic flow (or not to flow, etc.). For single subnets in rules, use src-address or dst-address mostly. One exception is the management or trusted interface list.
    /interface list
    add name=WAN
    add name=LAN
    add name=TRUSTED

/interface list member
add interface=ether1-wan list=WAN
add interface=pppoe-out1 list=WAN
add interface=55-lan list=LAN
add interface=vlan65-guest list=LAN
add interface=vlan75-iot list=LAN
add interface=vlan85-admin list=LAN
add interface=vlan85-admin list=TRUSTED

  4. I am not sure about how bridge ports and bridge VLANs are handled with respect to when you have a datapath entry noting the VLAN, but I will hopefully handle this properly.
    I'm assuming that all the bridge ports (unless you use hybrid ports) have ingress-filtering=yes applied by default. If not, ensure you enter that.
    I think the way it works is... if you enter ONLY the datapath VLAN in wifi, you still need to enter the bridge ports; if you enter bridge and VLAN in datapath you don't need any WLAN entries, all dynamically entered. I don't see any issues with manual entries though.

/interface bridge port
add bridge=bridge-m frame-types=admit-only-priority-and-untagged interface=ether2-trunk pvid=55
add bridge=bridge-m frame-types=admit-only-priority-and-untagged interface=ether3-guest pvid=65
add bridge=bridge-m frame-types=admit-only-vlan-tagged interface=ether4
add bridge=bridge-m frame-types=admit-only-priority-and-untagged interface=ether5-admin pvid=85
add bridge=bridge-m frame-types=admit-only-priority-and-untagged interface=wifi1-lan pvid=55
add bridge=bridge-m frame-types=admit-only-priority-and-untagged interface=wifi2-lan pvid=65
add bridge=bridge-m frame-types=admit-only-priority-and-untagged interface=wifi3-guest pvid=65
add bridge=bridge-m frame-types=admit-only-priority-and-untagged interface=wifi4-iot pvid=75

The BIG FAIL is not tagging the bridge…
/interface bridge vlan
add bridge=bridge-m comment="lan VLAN" tagged=bridge-m,ether2-trunk untagged=wifi1-lan vlan-ids=55
add bridge=bridge-m comment="Guest VLAN" tagged=bridge-m,ether2-trunk untagged=wifi3-guest,wifi2-lan vlan-ids=65
add bridge=bridge-m comment="Management VLAN" tagged=bridge-m,ether2-trunk untagged=ether5-admin vlan-ids=85
add bridge=bridge-m comment="IoT VLAN" tagged=bridge-m untagged=wifi4-iot vlan-ids=75

  5. The bridge does no DHCP, remove the address... there are no pools or DHCP for it...

  6. Remove the old default static DNS entry
    /ip dns static
    add address=192.168.88.1 name=router.lan type=A

  7. Set mac-server to none, and mac-winbox to TRUSTED
    /tool mac-server
    set allowed-interface-list=none
    /tool mac-server mac-winbox
    set allowed-interface-list=TRUSTED

  8. Set neighbours to TRUSTED.
    /ip neighbor discovery-settings
    set discover-interface-list=TRUSTED

  9. Yes, if not using IPv6, then in settings disable IPv6.
    Remove all address lists and firewall rules (but copy them first to a file for potential future use) and put these two rules instead.
    add chain=input action=drop
    add chain=forward action=drop

  10. In the case that ether4 is emergency access or even the preferred config port, we call this off-bridge access.
    /interface ethernet
    set [ find default-name=ether4 ] name=OffBridge4
    /ip address
    add address=192.168.77.1/30 interface=OffBridge4 network=192.168.77.0
    /interface list member
    add interface=ether1-wan list=WAN
    add interface=pppoe-out1 list=WAN
    add interface=55-lan list=LAN
    add interface=vlan65-guest list=LAN
    add interface=vlan75-iot list=LAN
    add interface=vlan85-admin list=LAN
    add interface=OffBridge4 list=LAN
    add interface=vlan85-admin list=TRUSTED
    add interface=OffBridge4 list=TRUSTED

    Now all you have to do is plug your laptop into ether4, change the IPv4 settings to 192.167.77.2 and you should be able to gain entry and safely configure the router.

Haha! Ethernet4 is my second option to access the VLANs in case I screw something up. I don't know if my logic is good, but I can connect manually without DHCP using an IP in the same subnet as the bridge, and I can fix it if I do something bad enough to destroy my "VLAN port for management" as well.

Yeah, I am sorry for my statement; English obviously is not my main language. I wanted to say that I have a GPON to convert the FTTB to Ethernet; I put the ISP router into a box because it was a useless piece of crap, to be honest. So, my AX3 is the router and also the access point (I plan to use another access point in the future, connected to the switch).

Hope everything is clear now haha. Thank you !

I will edit my message after because I see you edited the post so you might add more. Thank you !

Now for the firewall rules... suggest not logging anything, there is no point except using up memory.
For learning purposes, this rule was wasted because the vlan85 traffic would never hit it, being accepted by the "block everything but WAN" rule LOL...
add action=accept chain=input comment=\
    "Allow vlan85 to have Management Access" in-interface=vlan85-admin

/ip firewall filter
add action=accept chain=input connection-state=established,related,untracked
add action=drop chain=input connection-state=invalid
add action=accept chain=input protocol=icmp
add action=accept chain=input comment="admin access" in-interface-list=TRUSTED
add action=accept chain=input comment="users to services" in-interface-list=LAN dst-port=53 protocol=udp
add action=accept chain=input comment="users to services" in-interface-list=LAN dst-port=53 protocol=tcp
add action=drop chain=input comment="drop all else"
{ insert this rule here last of all rules or you may lock yourself out }
+++++++++++++++++++++++++++++++++++++++++++++
add action=fasttrack-connection chain=forward connection-state=established,related
add action=accept chain=forward connection-state=established,related,untracked
add action=drop chain=forward connection-state=invalid
add action=accept chain=forward comment="internet traffic" in-interface-list=LAN out-interface-list=WAN
add action=accept chain=forward comment="admin access to LAN" in-interface-list=TRUSTED out-interface-list=LAN
add action=accept chain=forward comment="port forwarding" connection-nat-state=dstnat disabled=yes
{ enable or remove if not required }
add action=drop chain=forward comment="drop all else"
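
The input-chain point made in this reply can be seen by replaying the rules the way RouterOS does: top to bottom, first match wins, and a chain that runs out of rules accepts the packet. The model below is an added example (not code from the thread or from RouterOS); it assumes the TRUSTED and LAN list membership proposed above and uses constructed packets.

```python
"""First-match walk of a RouterOS-style /ip firewall filter input chain.

Added example, not from the forum thread. It replays the poster's original
input chain and the reviewer's proposed chain against constructed packets to
show why the original chain (no final drop) implicitly accepts new connections
from every LAN interface, and why the "Allow vlan85" rule never changes the result.
"""
from dataclasses import dataclass
from typing import Optional

# Interface lists as proposed in the reply (assumption: vlan85-admin is the only
# TRUSTED member; the four VLAN interfaces make up LAN; pppoe-out1 is WAN).
INTERFACE_LISTS = {
    "LAN": {"55-lan", "vlan65-guest", "vlan75-iot", "vlan85-admin"},
    "TRUSTED": {"vlan85-admin"},
    "WAN": {"pppoe-out1"},
}


@dataclass
class Packet:
    in_interface: str
    protocol: str            # "tcp", "udp" or "icmp"
    dst_port: Optional[int]  # None for icmp
    connection_state: str    # new / established / related / invalid / untracked


@dataclass
class Rule:
    action: str
    comment: str = ""
    connection_state: Optional[set] = None
    protocol: Optional[str] = None
    dst_port: Optional[int] = None
    in_interface: Optional[str] = None
    in_interface_list: Optional[str] = None  # "LAN" or negated "!LAN"

    def matches(self, pkt: Packet) -> bool:
        """Every matcher that is set must agree; unset matchers match anything."""
        if self.connection_state is not None and pkt.connection_state not in self.connection_state:
            return False
        if self.protocol is not None and pkt.protocol != self.protocol:
            return False
        if self.dst_port is not None and pkt.dst_port != self.dst_port:
            return False
        if self.in_interface is not None and pkt.in_interface != self.in_interface:
            return False
        if self.in_interface_list is not None:
            negate = self.in_interface_list.startswith("!")
            members = INTERFACE_LISTS[self.in_interface_list.lstrip("!")]
            if (pkt.in_interface in members) == negate:
                return False
        return True


def evaluate(chain, pkt: Packet):
    """Return (action, comment) of the first matching rule.
    RouterOS accepts when the chain is exhausted without a match."""
    for rule in chain:
        if rule.matches(pkt):
            return rule.action, rule.comment
    return "accept", "<end of chain: implicit accept>"


# The poster's original input chain (log options omitted; they do not affect matching).
ORIGINAL_INPUT = [
    Rule("accept", "Accept established,related", connection_state={"established", "related", "untracked"}),
    Rule("drop", "Drop invalid", connection_state={"invalid"}),
    Rule("accept", "Accept ICMP", protocol="icmp"),
    Rule("drop", "Drop all not coming from LAN", in_interface_list="!LAN"),
    Rule("accept", "Allow vlan85 to have Management Access", in_interface="vlan85-admin"),
]

# The reviewer's proposed input chain, ending in an explicit drop.
PROPOSED_INPUT = [
    Rule("accept", connection_state={"established", "related", "untracked"}),
    Rule("drop", connection_state={"invalid"}),
    Rule("accept", protocol="icmp"),
    Rule("accept", "admin access", in_interface_list="TRUSTED"),
    Rule("accept", "users to services", in_interface_list="LAN", dst_port=53, protocol="udp"),
    Rule("accept", "users to services", in_interface_list="LAN", dst_port=53, protocol="tcp"),
    Rule("drop", "drop all else"),
]

# Constructed traffic: new Winbox (TCP 8291) connections from guest, admin and WAN,
# plus a DNS query from the main LAN.
GUEST_WINBOX = Packet("vlan65-guest", "tcp", 8291, "new")
ADMIN_WINBOX = Packet("vlan85-admin", "tcp", 8291, "new")
WAN_WINBOX = Packet("pppoe-out1", "tcp", 8291, "new")
LAN_DNS = Packet("55-lan", "udp", 53, "new")


def compare(pkt: Packet) -> dict:
    """Final action of both chains for one packet."""
    return {"original": evaluate(ORIGINAL_INPUT, pkt)[0],
            "proposed": evaluate(PROPOSED_INPUT, pkt)[0]}


if __name__ == "__main__":
    for name, pkt in [("guest->winbox", GUEST_WINBOX), ("admin->winbox", ADMIN_WINBOX),
                      ("wan->winbox", WAN_WINBOX), ("lan->dns", LAN_DNS)]:
        print(f"{name:14} {compare(pkt)}")
    # Dropping the "Allow vlan85" rule from the original chain changes nothing:
    print("original without vlan85 rule:", evaluate(ORIGINAL_INPUT[:4], ADMIN_WINBOX))
```

The guest-to-Winbox case is the one to look at: the original chain ends without a drop, so it is accepted by default, while the proposed chain stops it at "drop all else".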

1. Haha, I already answered in my last message. You are a nice person, you gave so many details, thanks!

2. My wifi config was not final, to be honest, but I struggled hard to get my phone to have an IP assigned from the DHCP server.

3. So I can have an entry in more than one interface list? So, I don't put the bridge in any interface list? Shouldn't it be in TRUSTED alongside my management VLAN? Also, if I want to not have internet on VLAN85 (management), can I just remove it from the LAN interface list? This way I can give internet from the WAN only to the LAN (the other 3 VLANs).

4. So, should the bridge be tagged on all interfaces? The AI chatbot failed me here, because I asked a lot of questions about whether to put the bridge on all ports or not. Though my VLANs are working fine without it, because I get an IP in that range for sure haha.

The thing here is that, same as a few days ago, wifi interfaces won't work as untagged. The phone can not connect to the wifi; it works only when I tag all wifi SSIDs in the corresponding VLAN table. I also tried "admit-only-priority-and-untagged" but it locked me out and my PC lost the connection. It is connected to a switch that has the tags marked on specific ports. Am I doing it wrong? I have to use admit-all to have everything working at the moment. Is admit-all insecure online, for attacks or something?

5. Thank you, I just wanted to set an address without DHCP for the bridge, but I think I forgot to delete something.

9. Won't it break some websites or something? I see some rules are dropping in the IPv6 firewall, around 5000 packets in a few days "dropped when not coming from the LAN" (it is about inputs); probably they are local.

10. Thanks! This is nice, so I don't have to set an address for the bridge; I set it specifically on that port, with a subnet with fewer IP addresses like /30.

Sorry for so many questions, but if I don't want the VLANs to communicate with the rest of the networks, is it ok to keep OffBridge4 and vlan85-admin in the TRUSTED list but not in LAN? I use my laptop to manage it anyway and I plug it in; I don't trust my big Windows computer that much, so I manage the router mostly from Fedora on Winbox, or maybe SSH in the future.

___________________________________________________________

About Firewall:

I see you advise me to give up on IPsec; is it better without it? I thought IPsec makes my router more secure. Also, the "VLAN85 to Management Access" rule, I had a feeling it was a rule that would be basically useless.

add action=accept chain=input comment="users to services" in-interface-list=LAN dst-port=53 protocol=udp
add action=accept chain=input comment="users to services" in-interface-list=LAN dst-port=53 protocol=tcp

Aren't these two lines already part of "add action=accept chain=input connection-state=established,related,untracked"? Also, doesn't that
"untracked" make the router a bit more insecure? It seems even without it the router can easily do 1 Gbps on my VLAN.

Thank you a lot! I am looking forward to modifying a lot of things tomorrow. I will start for sure with that Ethernet4 access port, so I do

There was no IPsec in your config that I saw.
Had you made tunnels?
In any case, for the homeowner the easiest VPN is WireGuard, and that does not require those rules.

No, on your VLAN firewall thoughts... the drop rule at the end blocks all VLAN-to-VLAN traffic that you do not explicitly allow above it.
In other words, it's a nonsensical idea to remove the trusted VLAN and off-bridge from the LAN interface list.

If the router is at all involved in DNS, the users need access to the router services, and thus the DNS port 53 rules.
The default rules allow every user to the router, mostly for this purpose but also for the admin to be able to access the router for config services.
My approach is to split the two so that users do NOT have access to the router for config purposes.

Thank you !

I created some fictive configuration again. I also changed the default PVID of the bridge to 7, and for ethernet4-emergency also to 7; I don't know if this is good. But the switch also had PVID 1 as default and I can't change it.

Today I will try to be more specific, because yesterday I got carried away trying to make things faster, and this is not good when configuring. (It's just that I want to start my server again because it has been off for a few days, and I want to put it back in a final environment, or at least close to the final stage of configuration.)

1. The thing is that I don't really plan to do any inter-VLAN communication. The IoT for sure I want completely isolated from the rest. I tried to document myself a bit more today, and what I understood is that "tagged=bridge" in the VLAN table is necessary only if I plan to do inter-VLAN routing. I might want to do that in the future, but if I do it, isn't it more insecure than the way I want to do it now?

2. About Wi-Fi SSIDs. I really tried to do as you said, but if I try this on the Wi-Fi or even on the ether2-trunk of the AX3, I lose connection to the DHCP server on my computer, phones, everything. I am talking about the rule under this sentence. Even on ether5, which is a management vlan93 port, the rule with only priority and untagged breaks everything. I did some research and I see even pcunite uses admit-only-vlan-tagged on trunk ports, and it seems my config also works like this, but not with the option from the code below. I don't know if it is something wrong or it just doesn't work in L2 switching.

add bridge=bridge-m frame-types=admit-only-priority-and-untagged interface=wifi1-lan pvid=15

3. Also, with the Wi-Fi it is very annoying, because I tried these rules first, one by one:

add bridge=bridge-m comment="Guest VLAN" tagged=bridge-m,ether2-trunk untagged=wifi3-guest,wifi2-lan vlan-ids=25

add bridge=bridge-m comment="Guest VLAN" tagged=ether2-trunk untagged=wifi3-guest,wifi2-lan vlan-ids=25


The only way the DHCP assigned an IP to it was to use the following:

add bridge=bridge-lan comment="Guest VLAN" tagged=wifi2-GI,wifi3-guest vlan-ids=25

I have the full config now under this, firewall modified, I disabled the IPsec. I decided to keep the name VLAN for the rest and TRUSTED, as you said, for the others. Hope I was clearer now; I will add the diagram also. Thank you!


Please read this reference, make the necessary changes, and ask more questions and post again.
http://forum.mikrotik.com/t/using-routeros-to-vlan-your-network/126489/1

I was reading the "switch+router" config; I studied it, it is just not 100% my use case, but I implemented some of my settings from there. It is ok, I already asked too many questions and for the moment I think I will just give it a go with what I have. I will implement the OffBridge that you told me about, and as long as my devices get IP addresses from the correct DHCP for each VLAN and I can not ping from one to another, it has to be good for the moment.

Thank you for all of your help !