I am new to Mikrotik and I need some help with Firewall Rules.
I read about how to secure the router, so I did some basic steps to protect it, such as disabling the services, allowing connections from certain IP addresses only, etc…
So what I need now is the "best practice" firewall rules, plus opening ports for some web servers (80 and 443) and denying the rest…
There is NO NAT in the picture because I have official static IP addresses on the server…
I read a lot of articles which are "outdated" and really do not work for me, so what I need now is someone who is willing to help me;
of course I will pay via PayPal for the time used to configure the firewall rules.
Direct access to the router will of course be provided if needed…
So if there is someone who is interested, just let me know…
Study the rules below, which do what you need. Use the GUI tool from here to open ports, which is very simple to do. Add custom accept rules above the drop ones shown.
# Router and internal network protection, no internal servers, LAN is friendly
/ip firewall filter
add chain=input action=drop connection-state=invalid comment="Disallow weird packets"
add chain=input action=accept connection-state=new in-interface=LAN comment="Allow LAN access to router and Internet"
add chain=input action=accept connection-state=established comment="Allow connections that originated from LAN"
add chain=input action=accept connection-state=related comment="Allow connections that originated from LAN"
add chain=input action=accept protocol=icmp comment="Allow ping ICMP from anywhere"
add chain=input action=drop comment="Disallow anything from anywhere on any interface"
add chain=forward action=drop connection-state=invalid comment="Disallow weird packets"
add chain=forward action=accept connection-state=new in-interface=LAN comment="Allow LAN access to router and Internet"
add chain=forward action=accept connection-state=established comment="Allow connections that originated from LAN"
add chain=forward action=accept connection-state=related comment="Allow connections that originated from LAN"
add chain=forward action=drop
Thank you very much for the reply.
I have just copied and pasted the rules you wrote; please see the screenshot I took from the WinBox GUI.
What I do not understand here in MikroTik is why we need to allow the traffic from LAN, as everything works without any rule?
I was able to access the internet from the server without any rule in the firewall list, and I am also able to access the server FROM the
internet without any rule because the server has an official IP address and does not need NAT..
I wish that MikroTik would CLOSE all the traffic by default so we could just open what we need instead of opening everything by default; kind of weird if you ask me..
I am aware that MikroTik RouterOS is not a firewall but a router only; of course it can do many of the firewall features, by the way…
You did copy the rules, but the order is not really OK.
Your "Disallow weird packets" rule is below your drop-everything rule, so these rules will never be hit and are useless in the place you have configured them now.
They should be the first rule. Also I recommend that you group the rules by chain type, so group your input and forward chains as two groups. It does not change the working principle of the firewall filter, but it makes it much easier to read the list of filter rules.
Please delete the rules and then re-add them (change WAN and LAN to match your interface names). Do not change the order. They are processed in order (top to bottom), such that they only drop when needed. If MikroTik blocked traffic by default, these forums would overflow with questions.
I have deleted all the rules and copied them again; please see the attached image again and let me know if the rule sequence is OK now..
What happens now with these rules: the server can access the internet (sporadically; sometimes when refreshing I cannot access the internet at all from the server), it loads the web pages from the internet very slowly, and of course I am not able to access the server from the internet on its port 80. This is what I wanted: close everything and then open the needed ports…
BUT, do I need to add some additional rules for DoS protection and virus protection?
Because some clients can open web sites which can return a virus via an already opened session from the client on the inside ..
Any best practice on this part with the right rule sequence?
So in short, what I need now is to open port 80 to the server, for example IP address 8.8.8.8,
and of course if I need more protection such as DDoS, virus etc…
I think I am beginning to understand the rule sequence, but not completely yet ..
Can someone please help with my previous post?
Now I have the correct order for these rules, but when accessing the internet from the server's desktop
all the pages load too slowly and sometimes it just times out with a message that the page cannot be displayed …?
Also I need an example rule for opening a port to the web server (80) from a certain IP address only at the beginning,
so I can modify it later…
Please see the attached screenshot below; as you can see I have added the rule for the web server but it's not being read at all
and I am not able to access the server from the internet.. any idea why?
I have used the example IP 8.8.8.8, so let's say this is the IP address of the web server..
I am not using NAT, because there is a public IP on both the WAN and LAN interfaces, so the server uses the LAN interface IP as its gateway
to the internet…
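To make the rule-ordering point from the earlier reply concrete, and to show the shape of the port-80 rule asked for here limited to one client address, the following is an added Python model of first-match filter evaluation; it is not RouterOS code and not from this thread, it compares matchers as exact strings (no subnet or port-range logic, no routing), and the client address 198.51.100.7 is a placeholder. It also models the RouterOS default that a packet matching no rule in its chain is accepted, which is why an empty filter looks "open".

```python
"""Added example (not from the thread): first-match evaluation of RouterOS-style
filter rules. Matchers are compared as exact strings; routing is not modelled."""
import shlex
# Constructed copy of the misordered forward chain: catch-all drop above "Disallow weird packets".
MISORDERED = """
add chain=forward action=accept connection-state=established
add chain=forward action=accept connection-state=related
add chain=forward action=drop
add chain=forward action=drop connection-state=invalid comment="Disallow weird packets"
"""

# Recommended order plus the requested port-80 accept for the web server, limited to one
# client. 172.12.34.50 is the thread's example server; 198.51.100.7 is a placeholder client.
ORDERED = """
add chain=forward action=drop connection-state=invalid comment="Disallow weird packets"
add chain=forward action=accept connection-state=established
add chain=forward action=accept connection-state=related
add chain=forward action=accept connection-state=new protocol=tcp dst-address=172.12.34.50 dst-port=80 src-address=198.51.100.7 comment="Open port 80 for Web Server"
add chain=forward action=drop
"""

NON_MATCHERS = {"action", "comment"}  # rule keys that do not take part in matching

def parse_rules(text):
    """Turn `add key=value ...` lines into dicts; action defaults to accept as in RouterOS."""
    rules = []
    for parts in (shlex.split(line) for line in text.strip().splitlines()):  # quoted comment stays one token
        if parts and parts[0] == "add":
            rule = dict(kv.partition("=")[::2] for kv in parts[1:])
            rules.append({"action": "accept", **rule})
    return rules

def first_match(rules, packet):
    """(action, index) of the first rule matching the packet dict; ("accept", None) if none matched."""
    for i, rule in enumerate(rules):
        if all(rule[k] == str(packet.get(k)) for k in rule if k not in NON_MATCHERS):
            return rule["action"], i
    return "accept", None

def unreachable(rules):
    """Indices of rules placed below a catch-all (chain-only) rule in their chain, so never hit."""
    catch_all, dead = set(), []
    for i, rule in enumerate(rules):
        if rule["chain"] in catch_all:
            dead.append(i)
        elif set(rule) - NON_MATCHERS == {"chain"}:
            catch_all.add(rule["chain"])
    return dead
```

Running `unreachable` over the misordered set reports the "Disallow weird packets" rule as dead, and over the ordered set a new TCP packet to 172.12.34.50:80 is accepted only from the listed client; any other source or port falls through to the final drop.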
Okay, that changes things … someone else will have to help you then. I don't know how to route that kind of traffic. Get a terminal command prompt and run the command: /export compact file=a_setup_file. Get that file from the Files menu, remove any personal information, and post it here. Make sure it contains the following information for someone to help you:
OK, below is the configuration which is exported from the router…
ISSUES:
What I need is to open port 80 to the web server, which I did, BUT I still cannot open the web server from the internet,
and when I am on the server desktop, I am able to access the internet and open web pages, but it's too slow and sometimes
it just times out and I receive the message "The page cannot be displayed".
NOTE: these IP addresses are not the real ones; for example, on my
router the IP addresses for the LAN and WAN interfaces are the real official IP addresses.
Also assume that the web server uses this IP address: 172.12.34.50
sep/06/2013 19:50:52 by RouterOS 6.2
software id = xxxx-xxxx
/interface ethernet
set 0 name=LAN
set 1 name=WAN
/ip hotspot user profile
set [ find default=yes ] idle-timeout=none keepalive-timeout=2m mac-cookie-timeout=3d
/port
set 0 name=serial0
set 1 name=serial1
/tool user-manager customer
add backup-allowed=yes disabled=no login=admin password="" paypal-accept-pending=no paypal-allowed=no paypal-secure-response=no permissions=owner signup-allowed=no time-zone=-00:00
/ip address
add address=172.12.34.53/29 interface=WAN network=172.12.34.48
add address=172.12.34.54/32 interface=LAN network=172.12.34.48
/ip firewall address-list
add address=47.2x.xx.xx list=my_ip_address
/ip firewall filter
add chain=input comment="Allow access to router from known network" src-address-list=my_ip_address
add action=drop chain=input comment="Disallow weird packets" connection-state=invalid
add chain=input comment="Allow LAN access to router and Internet" connection-state=new in-interface=LAN
add chain=input comment="Allow connections that originated from LAN" connection-state=established
add chain=input comment="Allow connections that originated from LAN" connection-state=related
add chain=input comment="Allow ping ICMP from anywhere" protocol=icmp
add action=drop chain=input comment="Disallow anything from anywhere on any interface"
add action=drop chain=forward comment="Disallow weird packets" connection-state=invalid
add chain=forward comment="Allow LAN access to router and Internet" connection-state=new in-interface=LAN
add chain=forward comment="Allow connections that originated from LAN" connection-state=established
add chain=forward comment="Allow connections that originated from LAN" connection-state=related
add chain=forward comment="Open port 80 for Web Server" dst-address=172.12.34.50 dst-port=80 protocol=tcp
add action=drop chain=forward
/ip firewall service-port
set ftp disabled=yes
set tftp disabled=yes
set irc disabled=yes
set h323 disabled=yes
set sip disabled=yes
set pptp disabled=yes
/ip route
add distance=1 gateway=172.12.34.49
/ip service
set telnet disabled=yes
set ftp disabled=yes
set www address=47.2x.xx.xx/32 disabled=yes
set ssh address=47.2x.xx.xx/32
set api disabled=yes
set winbox address=47.2x.xx.xx/32
set api-ssl disabled=yes
/system lcd
set contrast=0 enabled=no port=parallel type=24x4
/system lcd page
set time disabled=yes display-time=5s
set resources disabled=yes display-time=5s
set uptime disabled=yes display-time=5s
set packets disabled=yes display-time=5s
set bits disabled=yes display-time=5s
set version disabled=yes display-time=5s
set identity disabled=yes display-time=5s
set WAN disabled=yes display-time=5s
set LAN disabled=yes display-time=5s
/tool bandwidth-server
set enabled=no
Thank you all for helping!!!
add chain=forward comment="Open port 80 for Web Server" dst-address=8.8.8.8 dst-port=80 protocol=tcp
Why is your dst-address=8.8.8.8? … unless you're Google's DNS server, that line is most likely wrong. dst-address should be whatever the server you are running on port 80 is… In your case likely something in 172.12.34.53/29
I am aware that the IP address 8.8.8.8 is Google's DNS server; I just used it as an example IP address,
in short, "let's say my server has an IP address of 8.8.8.8". I wrote about this in my previous posts on this thread.
I am just hiding my official IP address and therefore using 8.8.8.8 "as if it were my server IP address".
I have corrected the config now; please see my previous post:
Now I have changed the IP address of the server. NOTE: all the IP addresses I used in this config example are INTERNAL
IP addresses just because I want to hide my real official IP addresses, BUT in my real configuration I am using official IP addresses, so NO NAT is used at all in my case..
For some reason my firewall rule does not forward the traffic to the server:
add chain=forward comment="Open port 80 for Web Server" dst-address=172.12.34.50 dst-port=80 protocol=tcp
OK. So I see one other problem. Based on the way you have your interfaces assigned and your subnets, the router thinks your server is within the subnet on the WAN port, not the LAN port. So when it gets a packet for .50 it goes out the WAN and not the LAN. I think you need to fix your subnets and create some static routes.
Assuming your ISP is just sending you a block of IPs and not routing one range to a specific IP. What you want to do is get rid of the /32 address. Bridge the WAN and LAN ports and then turn on the bridge firewall. Oh, and make sure that your LAN machines use your ISP as the gateway, not the router.
I can explain more when I get to a computer.
You could alternatively drop the /32, use a private range for your LAN and do dst/src NAT.
Thank you very much for the reply efaden, I think you may have a point here..
because the router does not read my firewall rule for the web server, which means what you said…
Hm, I was also thinking about a NAT solution, but there are some applications that do not like NAT so well,
and on the other hand, NAT will slow the traffic down, I think.
So if it's not so practical for you to write from the tablet/mobile phone, I can wait until you have a PC…
In the meantime I will think about the solution, but perhaps you could modify my configuration in the previous
post? Make 2 examples:
use the bridge interfaces
or choose NAT anyway
not sure..
I will run some voice servers, and as far as we know NAT and voice are like a cat-and-mouse game in most cases..
Change the firewall rule to use in-bridge-port instead of in-interface, since the interface is bridge-wan, but you really want to match which port it entered the bridge on (e.g. LAN).
DON'T FORGET - Your LAN computers should use your ISP's gateway and not the RouterBOARD.
I can do a NAT-style one too, I suppose. But try that first and see if it will work for you. The NAT version involves:
Remove /32 from LAN. Add Class C to LAN.
Assign LAN computers IPs in Class C.
Use NAT to assign LAN Class C addresses to WAN bridged addresses.
sep/06/2013 19:50:52 by RouterOS 6.2
software id = xxxx-xxxx
/interface ethernet
set 0 name=LAN
set 1 name=WAN
/interface bridge
add name=bridge-wan
/interface bridge port
add interface=WAN bridge=bridge-wan
# Both ports belong to the single bridge created above (corrected from the undefined bridge-lan)
add interface=LAN bridge=bridge-wan
/interface bridge settings
set allow-fast-path=no use-ip-firewall=yes use-ip-firewall-for-pppoe=yes use-ip-firewall-for-vlan=yes
/ip hotspot user profile
set [ find default=yes ] idle-timeout=none keepalive-timeout=2m mac-cookie-timeout=3d
/port
set 0 name=serial0
set 1 name=serial1
/tool user-manager customer
add backup-allowed=yes disabled=no login=admin password="" paypal-accept-pending=no paypal-allowed=no paypal-secure-response=no permissions=owner signup-allowed=no time-zone=-00:00
/ip address
add address=172.12.34.53/29 interface=bridge-wan network=172.12.34.48
/ip firewall address-list
add address=47.2x.xx.xx list=my_ip_address
/ip firewall filter
add chain=input comment="Allow access to router from known network" src-address-list=my_ip_address
add action=drop chain=input comment="Disallow weird packets" connection-state=invalid
# With LAN inside bridge-wan, in-interface would be bridge-wan; match the bridge port instead (corrected from in-interface=LAN)
add chain=input comment="Allow LAN access to router and Internet" connection-state=new in-bridge-port=LAN
add chain=input comment="Allow connections that originated from LAN" connection-state=established
add chain=input comment="Allow connections that originated from LAN" connection-state=related
add chain=input comment="Allow ping ICMP from anywhere" protocol=icmp
add action=drop chain=input comment="Disallow anything from anywhere on any interface"
add action=drop chain=forward comment="Disallow weird packets" connection-state=invalid
add chain=forward comment="Allow LAN access to router and Internet" connection-state=new in-bridge-port=LAN
add chain=forward comment="Allow connections that originated from LAN" connection-state=established
add chain=forward comment="Allow connections that originated from LAN" connection-state=related
add chain=forward comment="Open port 80 for Web Server" dst-address=172.12.34.50 dst-port=80 protocol=tcp
add action=drop chain=forward
/ip firewall service-port
set ftp disabled=yes
set tftp disabled=yes
set irc disabled=yes
set h323 disabled=yes
set sip disabled=yes
set pptp disabled=yes
/ip route
add distance=1 gateway=172.12.34.49
/ip service
set telnet disabled=yes
set ftp disabled=yes
set www address=47.2x.xx.xx/32 disabled=yes
set ssh address=47.2x.xx.xx/32
set api disabled=yes
set winbox address=47.2x.xx.xx/32
set api-ssl disabled=yes
/system lcd
set contrast=0 enabled=no port=parallel type=24x4
/system lcd page
set time disabled=yes display-time=5s
set resources disabled=yes display-time=5s
set uptime disabled=yes display-time=5s
set packets disabled=yes display-time=5s
set bits disabled=yes display-time=5s
set version disabled=yes display-time=5s
set identity disabled=yes display-time=5s
set WAN disabled=yes display-time=5s
set LAN disabled=yes display-time=5s
/tool bandwidth-server
set enabled=no