Good morning all.
I am a newbie to network security.
I have a small home network with a static IP, where I have a Synology NAS, a few Raspberry Pis (one running Pi-hole as a DNS server), an Arduino, IP cameras, and a PLC for home automation. I recently bought an RB4011 and got it running.
I am a happy user so far, no issues at all. Following various instructions I have secured my router. In addition to the defaults I have created some extra rules in the FW. Can someone have a look at the below and advise if I did it all correctly? Thank you and Merry Xmas. Tomas
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid log=yes log-prefix=ip
add action=drop chain=input comment="Drop all traffic from addresses on \"CountryIPBlocks\" address list" log=yes log-prefix=ipipip src-address-list=CountryIPBlocks
add action=drop chain=forward comment="Drop all traffic from addresses on \"CountryIPBlocks\" address list" log=yes log-prefix=ipip src-address-list=CountryIPBlocks
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
add action=drop chain=forward comment="defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat connection-state=new in-interface-list=WAN
add action=drop chain=forward comment="Drop invalid connections through router" connection-state=invalid
add chain=input comment="Allow everything from the LAN interface to the router" in-interface=bridge
add chain=input comment="Allow established connections to the router, these are OK because we aren't allowing new connections" connection-state=established
add chain=input comment="Allow related connections to the router, these are OK because we aren't allowing new connections" connection-state=related
add action=drop chain=input comment="Drop everything else to the router"
First of all: are you sure your Internet interface is the ether1 hardware port? Not an interface like vlan, pptp or pppoe?
I'd rather choose action=drop than reject with tcp, because you force your router to send a tcp reset to every trash tcp syn in the world. UDP: drop too.
Also, I'd for sure specify an interface on both the forward and input chains, for more control over direction.
P.S.:
When running nmap I do have open ports:
tcp: 53, 8081, 8291, 37775, 37776, 37777, 37778
udp: 123 and 53
That is a really, really bad thing. In our modern world, do not open the winbox and dns ports to the whole world, not even without an address list of global addresses. Also, in IP - Services disable all the things you don't use. And add IP addresses from the local network to System - Users - Address for who has permission to enter the router with one or the other protocol.
Hi and thanks for the reply.
To answer: my ether1 is my WAN, configured as static.
I did not open those ports. They are open by default. In the IP Service list I have disabled all services except winbox. I was afraid that by disabling winbox I would not be able to control the router at all, even from the LAN.
I will change to drop instead of reject according to your advice.
What ports do you recommend dropping on ether1?
Can I keep 8081 and the cameras open?
I believe you can. Don't forget about the System - Users IP addresses.
All ports from outside are dropped by the default firewall rules:
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
add action=drop chain=input comment="defconf: drop all not coming from LAN" in-interface-list=!LAN
As you said you are a beginner, so do yourself a favor and start slowly, or you'll do yourself more harm than good.
First: learn to backup (both textual and binary) and restore. This allows you to try out lots and lots of tricks and return easily to known good points. Every good specialist has reset the configuration hundreds of times to try out, learn, try again.
Second: learn to upgrade packages and firmware.
Third: reset configuration, create a default AP configuration with VPN support and learn to use it (IPSec/L2TP is built into any modern OS). This way you don’t need to expose any router services to wide internet. Export the configuration into text file and learn what is configured and how. Mikrotik’s default configuration is quite good, so take your time.
Fourth: Enjoy your nice new router!
Fifth: If possible try to take the MTCNA course, it gives you lots of good insight.
Hi Kalamaja,
Thanks for all hints,
Especially #5, will certainly do it, added to the 'to do' 2020 list. #2: all upgraded. #1: done already. #4: yes, already enjoying it a lot, but there is plenty to learn yet. #3: will do AP mode and VPN. Thank you again for all.
Cheers
Order is important, and thus when you provide a list for review the typical thing to do is list the rules in the order that they should be executed (input chain first, then forward chain).
As for the input rule for CAPsMAN and the cap service on the same platform, you have
4?? add action=accept chain=input comment="defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
Doing some research (not having used CAPsMAN, mind you), the following config…
4.?? /ip firewall filter
add action=accept chain=input comment="IN - CAPSMAN Local" dst-address-list="Loop Local" dst-port=5246,5247 protocol=udp src-address-list="Loop Local"
add action=accept chain=input comment="IN - CAPSMAN LAN" dst-port=5246,5247 in-interface-list=LAN protocol=udp
Where:
dst-address-list="Loop Local" = 127.0.0.1
(NOTE: I don't know which 4. rule is the correct one and am hoping others can chime in and elucidate us on the particulars)
ALLOW RULE for ADMIN of router to access ROUTER (from specific IP for example or firewall address list, if you have a desktop and laptop you use…)
ALLOW RULE for port 53 (tcp and udp) from in-interface LAN if the router is providing DNS services
add action=drop chain=input comment="Drop everything else to the router"
+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
In other words, it's generally more efficient and easier to read to create rules for the traffic one wishes to allow and then drop all else. In that regard, one doesn't have to worry about unauthorized traffic, since only traffic reflected in your allow rules is authorized and the rest is all dropped. The same policy can be applied on the forward chain.
ADD RULE FOR LAN TO WAN TRAFFIC, or to specific subnets, vlans, users etc…
ex. add action=accept chain=forward in-interface-list=LAN out-interface-list=WAN
ADD RULE to allow PORT FORWARDING if required.
ex. add action=accept chain=forward connection-state=new connection-nat-state=dstnat
add action=drop chain=forward comment="Drop everything else through the router"
Your router is incapable of ddos activities, it's simply too small of a cpu for such a load.
There may be some mitigating methods to slow down the effects of ddos but the method or approach you have taken is one that I have not seen before.
Hopefully others can chime in and provide clear guidance…
If you are going to use IPsec you will need to put back the default rules for ipsec in both the input and forward chains and then make the necessary changes.
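Pulling together the two pieces of advice in this thread (do not expose winbox and DNS to the world, restrict management to known LAN hosts; and write the allow rules first, in execution order, then drop everything else), here is an added example of what such a RouterOS filter could look like. This is not the original poster's export nor MikroTik's default configuration. The address list name admin-hosts, the 192.168.88.0/24 LAN and the two host addresses are assumed placeholders; dst-nat rules for the camera ports and 8081 are not shown, the forward rule only admits what such rules would dstnat.

```routeros
# Added example, not from the thread. Allow-list firewall in the order the
# reviewer recommends: input chain first, then forward chain. The admin-hosts
# list, the 192.168.88.0/24 LAN and the host addresses are assumed values.
/ip firewall address-list
add list=admin-hosts address=192.168.88.10 comment="desktop (assumed)"
add list=admin-hosts address=192.168.88.11 comment="laptop (assumed)"

/ip firewall filter
# --- input chain: traffic addressed to the router itself ---
add chain=input action=accept connection-state=established,related \
    comment="accept established/related to the router"
add chain=input action=drop connection-state=invalid \
    comment="defconf: drop invalid"
add chain=input action=accept protocol=icmp in-interface-list=LAN \
    comment="ping the router from LAN only"
add chain=input action=accept protocol=tcp dst-port=8291 \
    src-address-list=admin-hosts comment="winbox from admin hosts only"
add chain=input action=accept protocol=udp dst-port=53 in-interface-list=LAN \
    comment="DNS (udp) from LAN only, router is a resolver for the LAN"
add chain=input action=accept protocol=tcp dst-port=53 in-interface-list=LAN \
    comment="DNS (tcp) from LAN only"
add chain=input action=drop log=yes log-prefix="input-drop" \
    comment="drop everything else to the router (incl. WAN winbox/dns)"

# --- forward chain: traffic passing through the router ---
add chain=forward action=accept connection-state=established,related \
    comment="accept established/related through the router"
add chain=forward action=drop connection-state=invalid \
    comment="drop invalid through the router"
add chain=forward action=accept in-interface-list=LAN out-interface-list=WAN \
    comment="LAN to Internet"
add chain=forward action=accept connection-state=new \
    connection-nat-state=dstnat in-interface-list=WAN \
    comment="only port-forwarded services may enter from WAN"
add chain=forward action=drop log=yes log-prefix="forward-drop" \
    comment="drop everything else through the router"

# Management services: keep winbox only, and bind it to the admin hosts,
# so an accidental firewall gap still does not expose it.
/ip service
disable telnet,ftp,www,api,api-ssl,ssh
set winbox address=192.168.88.10/32,192.168.88.11/32

# Per-user restriction (System - Users - Address): the admin account can
# only log in from the LAN subnet, whatever protocol is used.
/user set admin address=192.168.88.0/24
```

Two things to check after pasting this: run `/ip firewall filter print` and confirm the drop rules really are last in each chain (a rule added later lands at the bottom, so paste the chains in this order), and re-run the nmap scan from outside; 8291 and 53 should now show as filtered rather than open. The `log=yes` on the two final drops gives you a quick way to see what is still knocking without opening anything.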