Thank you very much for the configuration and suggestion!
I think I understand the problem now.
I will test both options and will let you know.
And yes, I understood the part regarding the default gateway for the servers.
No problem. Forgot to mention: if you want to use the NAT method then I believe, given how your IPs are set up, you would actually need to assign all of the IPs you are assigned to your WAN interface.
There are basically two ways your ISP can provide you IPs: via routing (e.g. they give you an IP inside of one range, and then route another range to that one), or they just give you a bunch of IPs in a bridged mode. It seems like yours are bridged. Therefore on the inside of your modem/CPE or whatever you have, you just have a pile of IPs to assign to machines. That's why I recommended using the bridge setup. Good luck.
-Eric
I understand what you mean, yes. Just to clear up the whole scenario a bit, I made a network drawing as you can see below.
Words can never describe what pictures can.
I assume that you will understand this scenario once you see the drawing.

Ah. Now I get it. Yes you want to run in bridged mode now and then routed mode when you replace the pfsense box.
I have just tested the bridged mode, and it works just fine.
I will run it in bridge mode until I remove the pfSense, then I will run routing on the MikroTik just as I do now on the pfSense.
THANK YOU very much again for helping and for the very good suggestions. I hope that others will learn from this now.
Karma will of course be given, no doubt about that.
No problem. Just let me know if you have problems when you convert over. Basically you want to configure the IPs just like the pfSense box, remove the bridge and set it back up like you had it in the original config.
Will do, no problem!
Do you have any other good suggestions for these firewall rules? Note, these are the only rules I have added
on the MikroTik so far. Of course the web server port opening rule is an addition, but what other "security" rules can you suggest in addition to these below,
and of course in the right sequence?
#Router and internal network protection, no internal servers, LAN is friendly
/ip firewall filter
add chain=input action=drop connection-state=invalid comment="Disallow weird packets"
add chain=input action=accept connection-state=new in-interface=LAN comment="Allow LAN access to router and Internet"
add chain=input action=accept connection-state=established comment="Allow connections that originated from LAN"
add chain=input action=accept connection-state=related comment="Allow connections that originated from LAN"
add chain=input action=accept protocol=icmp comment="Allow ping ICMP from anywhere"
add chain=input action=drop comment="Disallow anything from anywhere on any interface"
add chain=forward action=drop connection-state=invalid comment="Disallow weird packets"
add chain=forward action=accept connection-state=new in-interface=LAN comment="Allow LAN access to router and Internet"
add chain=forward action=accept connection-state=established comment="Allow connections that originated from LAN"
add chain=forward action=accept connection-state=related comment="Allow connections that originated from LAN"
add chain=forward action=drop
My point is to BLOCK just EVERYTHING except the web server ports or other ports that I will use later.
Not really. That's basically what I do also. I have allow related/established, drop invalid, allow stuff I want, then default drop. The only thing you may want to add is some limits on what ICMPs you allow, throttle connections to also limit DOS attacks, drop bogons (private/invalid addresses), etc.
Check out these for examples.
http://wiki.mikrotik.com/wiki/Manual:IP/Firewall/Filter#Basic_examples
http://wiki.mikrotik.com/wiki/Securing_New_RouterOs_Router#Loading_A_Firewall
They have some examples of limiting ICMP, etc.
Also, in your rules you have "in-interface"; when you are bridged that should be "in-bridge-port".
OK, I understand your point, and yes, I was also thinking about DoS, bogon and ICMP limit protections as well.
But tell me one thing about the bogon and ICMP limitation rules: what about their sequence in my case?
Can I add all additional rules below all the rules I have now, as long as all of the rules are above this one?
Of course some rules are special and have to be placed in the right sequence, and I am aware that all the rules
are read from top to bottom in MikroTik:
add chain=forward action=drop
In theory you want to place things like DOS at the top to drop them with as little processing as possible. Same with bogons etc. That said, you could make the argument that related and established should be at the top because that allows traffic you have already seen (e.g. established connections) to bypass the rest of the firewall. I'm not entirely sure there is a "right" answer to that question. Personally I have my DOS, bogons, and ICMP above my related and established.
But as you said, make sure they are above your drop, or really anything else that accepts traffic, e.g. accepting port 80, because your goal is to protect port 80 from those attacks. Established and related are kind of special cases.
-Eric
Sure, I see the point, yes. I agree with you, it's best to stop DoS, bogons and limit the ICMP at the top, because in this case this traffic is stopped right away and will not be processed while the rest of the ACLs are processed.
I will check a bit on the MikroTik wiki and I will build a good solution. I will share it with you when I get the MikroTik into production.
But the most important thing for me is the LAST rule which denies everything else. This is the "real security" rule.
This is true for each chain. Top to bottom for the input chain, and top to bottom for anything that gets into the forward chain. So where you place your rules depends on which chain you suspect your traffic will appear.
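The ordering argument above (cheap drops first, then related/established, then the service you expose, then the catch-all drop) and the earlier remark that each chain is walked top to bottom can be checked with a tiny first-match simulator. This is an added example, not from the thread or from RouterOS; the matcher names mirror RouterOS properties, `src_bogon` is a constructed stand-in for a src-address-list match, and the packets are constructed.

```python
import ipaddress

# Added example (not from the thread): a minimal first-match evaluator that mimics
# how RouterOS walks one /ip firewall filter chain top to bottom and stops at the
# first rule whose matchers all fit. Matcher keys follow RouterOS property names;
# src_bogon is a constructed shorthand for a "src-address-list=bogons" check.

BOGONS = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def rule(action, **match):
    return {"action": action, "match": match}

def matches(r, pkt):
    for key, want in r["match"].items():
        if key == "src_bogon":
            if any(ipaddress.ip_address(pkt["src"]) in n for n in BOGONS) != want:
                return False
        elif pkt.get(key) != want:
            return False
    return True

def evaluate(chain, pkt):
    """Action of the first matching rule. With no match RouterOS accepts, which is
    why the thread insists on an explicit drop as the last rule of every chain."""
    for r in chain:
        if matches(r, pkt):
            return r["action"]
    return "accept"

# Forward chain in the recommended order: cheap drops, connection-tracking
# accepts, the deliberately exposed service, then the catch-all drop.
GOOD = [
    rule("drop", connection_state="invalid"),
    rule("drop", in_interface="WAN", src_bogon=True),
    rule("accept", connection_state="established"),
    rule("accept", connection_state="related"),
    rule("accept", connection_state="new", in_interface="LAN"),
    rule("accept", connection_state="new", in_interface="WAN", protocol="tcp", dst_port=80),
    rule("drop"),
]
# Same rules, but the bogon drop moved below the port-80 accept.
BAD = GOOD[:1] + GOOD[2:6] + [GOOD[1]] + GOOD[6:]
# The first version posted in the thread: no final catch-all drop.
NO_FINAL_DROP = GOOD[:-1]

# Constructed packets as the forward chain would see them.
WEB_FROM_INTERNET = dict(connection_state="new", in_interface="WAN",
                         protocol="tcp", dst_port=80, src="203.0.113.7")
WEB_FROM_SPOOFED = dict(WEB_FROM_INTERNET, src="10.9.9.9")   # private source on WAN
SSH_FROM_INTERNET = dict(WEB_FROM_INTERNET, dst_port=22)     # port never opened
```

Running the three chains against the same packets shows the spoofed web request is dropped only when the bogon rule sits above the port-80 accept, and that without the final drop an unopened port is accepted by default.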
OK, I think I understand it now. Thank you for clearing this up.
Actually, regarding the bogon rules in the firewall, I am not sure if this rule is needed, because
I think that only border routers that run the BGP protocol should filter these networks so they are not
distributed out, and filter incoming BGP so we cannot accept them if someone distributes them.
In this case it's the ISP who stops these networks on their border routers that run BGP.
Yeah. That is true. Just depends where you operate your router.
In my case I am not running any BGP sessions, so this rule is not needed.
Then you are correct. Glad we got it all working.
Hello, and sorry to pick up an old topic, but my problem is very similar.
I just got MikroTik routers for my work, so I have just started to work with MikroTik routers and, as you know, they are much more complex than any consumer grade router.
My scenario is to create a network with one main router (RB2011U) and a bunch of APs (wAP) and hEX PoE Lite series routers if needed as bridges. I am learning from the ground up and I know how to set up basic router functionality like configuring a DHCP client for WAN, a DHCP server for LAN, address lists, basic firewall security etc., so that the router can function as a basic router with 1 WAN input and 1 LAN (as I don't need more right now). I have set up the Spiceworks IT management program with PDQ Deploy, PDQ Inventory and a VNC client on every computer for remote assistance in case.
The problem starts with port forwarding and opening. My next task is to open and forward ports to my server PC (running Win 8.1 Pro, as we can't afford a proper server version) so I can reach the server from outside the internal network. I need to open ports 80, 443 and 5900. When I open ports either in WinBox or through SSH, I have the same problems as this topic's author: internet on the internal router network (LAN) becomes slow and times out, and I can't connect to my server from the LAN. The problem and solution are described here, but right now it looks so in cosmos that I'm slowly just getting used to this router configuration. I will post my "/export compact file=a_setup_file" file; can someone please point me to what needs to change so I can accomplish this? The config is simple, as I stated. Any info or learning material is welcome.
# mar/03/2016 14:01:20 by RouterOS 6.34.2
# software id = XXXX-XXXX
#
/interface ethernet
set [ find default-name=ether2 ] name=LAN
set [ find default-name=ether1 ] name=WAN
/ip hotspot profile
set [ find default=yes ] html-directory=flash/hotspot
/ip pool
add name=pool1 ranges=192.168.1.10-192.168.1.250
/ip dhcp-server
add address-pool=pool1 disabled=no interface=LAN lease-time=1d name=server1
/ip address
add address=192.168.1.1/24 interface=LAN network=192.168.1.0
/ip dhcp-client
add default-route-distance=0 dhcp-options=hostname,clientid disabled=no \
interface=WAN
/ip dhcp-server network
add address=192.168.1.0/24 dns-server=8.8.8.8 gateway=192.168.1.1
/ip firewall filter
add action=drop chain=input comment="Disallow weird packets" \
connection-state=invalid
add chain=input comment="Allow LAN access to router and Internet" \
connection-state=new in-interface=LAN
add chain=input comment="Allow connections that originated from LAN" \
connection-state=established
add chain=input comment="Allow connections that originated from LAN" \
connection-state=related
add chain=input comment="Allow ping ICMP from anywhere" protocol=icmp
add action=drop chain=input comment=\
"Disallow anything from anywhere on any interface"
add action=drop chain=forward comment="Disallow weird packets" \
connection-state=invalid
add chain=forward comment="Allow LAN access to router and Internet" \
connection-state=new in-interface=LAN
add chain=forward comment="Allow connections that originated from LAN" \
connection-state=established
add chain=forward comment="Allow connections that originated from LAN" \
connection-state=related
add action=drop chain=forward comment=\
"Disallow anything from anywhere on any interface"
/ip firewall nat
add action=masquerade chain=srcnat
/ip service
set telnet disabled=yes
set www disabled=yes
set api disabled=yes
set api-ssl disabled=yes
/system clock
set time-zone-name=Europe/Riga
/system ntp client
set enabled=yes primary-ntp=85.254.217.235 secondary-ntp=81.63.144.23
/system routerboard settings
set cpu-frequency=650MHz protected-routerboot=disabled
I set up my MikroTik and was looking for how to put security on the router for LAN connections. I then saw a rule on the internet. After setting it up, the router will not allow any LAN traffic to pass through.
Please, how do I stop or correct this?
This is the rule I implemented:
/ip firewall filter add chain=input src-address=192.168.88.180 src-mac-address=!60:E3:27:12:56:E6 action=drop disabled=no
/ip firewall filter add chain=input src-address=!A.B.C.D src-mac-address=1A:2B:3C:4D:5E:6F action=drop disabled=no
How do I correct this?