From Quick Setup Bridge Mode to simple Firewall Rule

Hello,

I apologize for being a beginner and would appreciate your input. I have a MikroTik hEX router, which I set up in Quick Set in bridge mode. Router mode is not preferred. Now I would like to add a simple firewall rule so that only devices from a specific network range, for instance 10.11.12.0/24, can access the LAN devices. How may I accomplish this using WinBox? Do I need to adjust the existing firewall rules to accomplish this? Is it possible to have a firewall in the bridge mode of Quick Set?

Thanks

You have a long way to go to understand what the rules mean and how to use them…
https://forum.mikrotik.com/viewtopic.php?t=180838

Yes, you can modify the configuration that was created with QuickSet. However, once you manually change something, NEVER use QuickSet again - it will blow away whatever changes you made.

IP firewall by default does not apply to bridged traffic and everything is allowed. If you need some filtering, you can use either stateless bridge filters (Bridge->Filters), or for something more complex it’s possible to enable Bridge->Settings->Use IP Firewall, and then all bridged traffic will run through IP firewall. It can have unexpected behaviour if combined with regular routing, because everything is mixed together.

Thank you very much,

https://forum.mikrotik.com/viewtopic.php?t=180838

Read, try, and post your config if you have difficulties.
No spoons here!! :slight_smile:

Thank you, so far all works fine. I made an initial Quick Set with bridge mode. I enabled Bridge - Settings - Use IP Firewall.
The input chain works well, however the forward chain does not:
/ip firewall filter
add action=accept chain=input comment="defconf: Router Access: accept established,related" connection-state=established,related
add action=drop chain=input comment="defconf: Router Access: drop invalid" connection-state=invalid
add action=accept chain=input comment="defconf: Router Access: accept ICMP" protocol=icmp
add action=drop chain=input comment="defconf: Router Access: drop all not coming from LAN" in-interface-list=!LAN
add action=fasttrack-connection chain=forward comment="defconf: Clients: fasttrack (Bypass FW after Initial)" connection-state=established,related
add action=accept chain=forward comment="defconf: Clients: accept established,related" connection-state=established,related
add action=drop chain=forward comment="defconf: Clients: drop invalid" connection-state=invalid
add action=drop chain=forward comment="defconf: Clients: drop all from WAN not DSTNATed" connection-nat-state=!dstnat connection-state=new in-interface-list=WAN
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" ipsec-policy=out,none out-interface-list=WAN

I can't get the forward chain to work. On the LAN side everything is working well. The LAN side can reach everything on the WAN side. Pinging a client on the LAN side from the WAN side also works, which I don't understand. Should it not be denied? What is missing?

How sure are you that you want bridge mode? You talk about LAN, WAN, and different /24 subnets on them; it seems like regular routing.

Well, basically the goal is to have an external firewall for old programmable logic controllers (PLCs). At the same time I would like the external firewall not to appear on the network, not to receive an IP, and not to register. That is why I am attempting to use bridge mode, which works well so far. Just the firewall config seems to be missing something. Did I miss considering something that would make it work?

post your config
/export hide-sensitive file=anynameyouwish (just be sure not to post the public IP).

The first thing is to turn the bridge IP firewall off, and use the regular firewall for now (IP firewall filters, forward and input chains).

@anav: It’s perfectly possible that bridge with transparent firewall is the right choice, I just wanted to make sure about it. If it is, it needs some changes. Using in/out-interface(-list) is not very useful, because it will be always bridge interface for any bridge port. Individual interfaces need to be matched by in/out-bridge-port(-list).

Assume a standard config and not the edge case as a starting point… KISS :stuck_out_tongue_winking_eye:

Thank you. Please find the config attached. It has the firewall enabled and configured.
I am trying to dig into bridge filters. I find it difficult to find videos and examples on it; is there anything you may recommend?
BridgeFirewall.rsc (3.08 KB)

Yes as per my previous recommendation, stay away from bridge filters unless an advanced user. :slight_smile:

(1) WAN port is NOT usually part of the bridge.
/interface bridge port
add bridge=bridge comment=defconf interface=ether2
add bridge=bridge comment=defconf interface=ether3
add bridge=bridge comment=defconf interface=ether4
add bridge=bridge comment=defconf interface=ether5

add bridge=bridge interface=ether1


(2) I would turn this OFF..
/interface bridge settings
set use-ip-firewall=yes

(3) Can replace interface list member etherports with bridge entry
/interface list member
add comment=defconf interface=ether1 list=WAN
add interface=bridge list=LAN

(4) ETHER1 is the WAN port, not the bridge.
/ip dhcp-client
add comment=defconf disabled=no interface=bridge ??? should be ether1

(5) This is wrong and does not match anything else.
/ip dhcp-server network
add address=0.0.0.0/24 comment=defconf gateway=0.0.0.0 netmask=24

Suggest
/ip dhcp-server network
add address=192.168.88.0/24 dns-server=192.168.88.1 gateway=192.168.88.1

(6) Why is address DISABLED??
/ip address
add address=192.168.88.1/24 comment=defconf disabled=yes interface=bridge
network=192.168.88.0

… or unless you have some use for it. It’s not wrong to have transparent firewall. Something like this should do:

/ip firewall filter
add chain=forward connection-state=established,related action=accept
add chain=forward connection-state=invalid action=drop
add chain=forward in-bridge-port-list=LAN out-bridge-port-list=WAN action=accept comment="allow outgoing connections"
add chain=forward in-bridge-port-list=WAN out-bridge-port-list=LAN src-address=10.11.12.0/24 action=accept comment="allow incoming connections from selected subnet"
add chain=forward in-bridge-port-list=WAN out-bridge-port-list=LAN protocol=udp src-port=67 dst-port=68 action=accept comment="allow dhcp responses (if devices on LAN side use DHCP to get addresses)"
add chain=forward action=drop comment="block the rest"

But yes, it’s less common, and I’m not 100% sure about all possible problems myself.

Thanks, that was very helpful. I started from the scratch and made sure that the router has no default configuration:
Winbox - System - Reset Configuration
Keep all disabled/empty, except enable or select "No Default Configuration".
Then I used Quick Set for the initial setup and followed the advice: once you manually change something, NEVER use QuickSet again - it will blow away whatever changes you made.
Mode: Bridge
Address Acq.: Automatic
Address Src.: Any
VPN: Disabled
Attached the basis config for all further work
QuickStartBridge.rsc (781 Bytes)

Thank you very much, the input helped me add/set up the firewall correctly. WAN stands for the external network (connected to ether1) in front of the firewall, LAN for the network (bridge, ether2 to ether5) behind the firewall. The clients receive their IP from a DHCP server in front of the firewall; other services such as DNS, NTP, and SNMP are allowed too. A specific external subnet has access too (to connect to the PLCs).
Attached is the working firewall setup. However, router hardening still needs to be done.
Refer to: https://help.mikrotik.com/docs/display/ROS/First+Time+Configuration

Open question:

  • Why can't I communicate on the LAN (bridge) side, for instance ether4 can't access ether5? Am I adding the rule the right way?
    add action=accept chain=forward comment="CLIENTS: Allow connections between LAN" in-bridge-port-list=LAN out-bridge-port-list=LAN
  • Should fasttrack-connection be added? What are the pros and cons?
    BridgeFirewall.rsc (2.95 KB)
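One way to put the pieces from this thread together, as an added example that is not part of any post here: a complete transparent-firewall configuration for the hEX that follows the in/out-bridge-port-list advice given earlier and includes the LAN-to-LAN accept rule asked about in the open question. It assumes a box reset with "No Default Configuration" (so the WAN and LAN interface lists do not exist yet and are created here), ether1 towards the upstream network and ether2 to ether5 towards the PLCs, and the 10.11.12.0/24 subnet from the first post as the only one allowed to open connections to the PLCs. The bridge carries no IP address, so the device stays invisible at layer 3; the input chain (access to the router itself) is not shown. Fasttrack is deliberately left out: a fasttrack-connection rule lets the remaining packets of a marked connection bypass every rule below it, so it trades inspection for throughput.

```routeros
# Added example (not from the thread): transparent (bridge-mode) firewall on a
# hEX with all five ports in one bridge and the IP firewall applied to bridged
# traffic. ether1 = upstream/"WAN" side, ether2..ether5 = PLC/"LAN" side.
# Assumes a box reset with no default configuration.

/interface bridge
add name=bridge comment="transparent firewall, deliberately no IP address"

/interface bridge port
add bridge=bridge interface=ether1 comment="upstream side"
add bridge=bridge interface=ether2 comment="PLC side"
add bridge=bridge interface=ether3 comment="PLC side"
add bridge=bridge interface=ether4 comment="PLC side"
add bridge=bridge interface=ether5 comment="PLC side"

# For bridged traffic in-interface/out-interface is always "bridge", so the
# rules below match on in/out-bridge-port-list instead of in/out-interface-list.
/interface list
add name=WAN
add name=LAN
/interface list member
add interface=ether1 list=WAN
add interface=ether2 list=LAN
add interface=ether3 list=LAN
add interface=ether4 list=LAN
add interface=ether5 list=LAN

# Send bridged frames through the IP firewall (forward chain).
/interface bridge settings
set use-ip-firewall=yes

/ip firewall filter
# No fasttrack rule: it would exempt a connection's later packets from every
# rule below, so all forwarded traffic stays under this policy.
add chain=forward connection-state=established,related action=accept \
    comment="replies to connections already allowed below"
add chain=forward connection-state=invalid action=drop \
    comment="drop invalid"
add chain=forward in-bridge-port-list=LAN out-bridge-port-list=LAN action=accept \
    comment="PLC to PLC traffic between ether2..ether5"
add chain=forward in-bridge-port-list=LAN out-bridge-port-list=WAN action=accept \
    comment="PLCs may open connections outward (DHCP, DNS, NTP, SNMP, ...)"
add chain=forward in-bridge-port-list=WAN out-bridge-port-list=LAN \
    src-address=10.11.12.0/24 action=accept \
    comment="only the engineering subnet may open connections to the PLCs"
add chain=forward in-bridge-port-list=WAN out-bridge-port-list=LAN \
    protocol=udp src-port=67 dst-port=68 action=accept \
    comment="DHCP replies from the upstream server (not matched by established,related)"
add chain=forward action=drop log=yes log-prefix="plc-fw-drop" \
    comment="everything else, logged so a blocked host can be identified"
```

Rule order matters: the LAN-to-LAN accept has to sit above the final drop, and the WAN-to-LAN rules are the only way in, so a new source subnet means a new accept rule rather than a change to the drop. Pasting this into a box that still has QuickSet's WAN/LAN lists will fail on the `/interface list add` lines; remove those two lines in that case.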

Let somebody else who understands the config reply… I don't normally put the WAN port on ether1, nor use firewall rule settings on the bridge, etc. etc…
I have no idea why you think port forwarding is done in the Forward Chain, why you have a whole whack of what would be considered, first, unnecessary input chain rules, and second located in the forward chain?

Do you know what you are doing or is this just copy and paste from somewhere? And on top of ignoring all previous advice??

No Wait, it all makes sense. You are a student of SOB, and he has been teaching you his genius ways.
I will let Sob then complete his lessons!!! Over to you good sir!!

As I use the MikroTik as a switch and not as a router, it does not appear with an IP in the network. Access to the router happens through MAC on the LAN side, which is desired.

I appreciate your input very much and I have tried to apply it. At some points I still lack understanding. Please find the config attached and the comments on it above.
Startup.rsc (832 Bytes)

Finally some effing clarity. :slight_smile:

In that case you simply need this guidance - https://forum.mikrotik.com/viewtopic.php?t=182276
Interestingly you have no vlans?
In other words you have no way to manage the device securely from all users.
There is no WAN, just LAN, and you only need one IP address, that assigned to the MT device on the previous Routers LAN.
There are no firewall rules required unless you want to institute some here.

# model = RB750Gr3
/interface bridge
add name=bridge1
/interface list
add name=LAN
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip neighbor discovery-settings
set discover-interface-list=LAN
/ip dns
set allow-remote-requests=yes servers=192.168.88.1
/interface bridge port
add bridge=bridge1 interface=ether1
add bridge=bridge1 interface=ether2
add bridge=bridge1 interface=ether3
add bridge=bridge1 interface=ether4
add bridge=bridge1 interface=ether5
/interface list member
add interface=bridge1 list=LAN
/ip address
add address=192.168.88.X/24 interface=bridge1 network=192.168.88.0  
/ip route
add dst-address=0.0.0.0/0 gateway=192.168.88.1