Help checking my hEX S config for home office

Hi,

I have recently purchased a hEX S router for use at home and after spending a few days reading through the doco and forum posts I think I have my config working.

But I am not 100% sure I have everything right and would be grateful if someone with experience would check over what I have done before I connect it to the internet (My main concern is I haven’t secured it enough).

I started by updating the router (to RouterOS v6.46.5 stable) and then reseting it to the default. After which I apply my config below.

Thanks David.

Network Diagram:

Config:

#Setup VLANs
/interface vlan
add interface=bridge name=main-vlan vlan-id=100
add interface=bridge name=iot-vlan vlan-id=101
add interface=bridge name=guest-vlan vlan-id=102

/interface list
add name=VLAN

/interface list member
# add to the exiting list so we maintain access to router
add interface=main-vlan list=LAN
add interface=iot-vlan list=LAN
add interface=guest-vlan list=LAN
# this is our new list
add interface=main-vlan list=VLAN
add interface=iot-vlan list=VLAN
add interface=guest-vlan list=VLAN

# IP Setup
/ip pool
add name=main-pool ranges=192.168.100.10-192.168.100.254
add name=iot-pool ranges=192.168.101.10-192.168.101.254
add name=guest-pool ranges=192.168.102.10-192.168.102.254

/ip address
add address=192.168.100.1/24 interface=main-vlan
add address=192.168.101.1/24 interface=iot-vlan
add address=192.168.102.1/24 interface=guest-vlan


/ip dhcp-server network
#set comment=main-dhcp-network [find comment=defconf]
add address=192.168.100.0/24 gateway=192.168.100.1 comment="main-dhcp-network"
add address=192.168.101.0/24 gateway=192.168.101.1 comment="iot-dhcp-network" 
add address=192.168.102.0/24 gateway=192.168.102.1 comment="guest-dhcp-network"

/ip dhcp-server
add address-pool=main-pool interface=main-vlan disabled=no name=main-dhcp
add address-pool=iot-pool interface=iot-vlan disabled=no name=iot-dhcp
add address-pool=guest-pool interface=guest-vlan disabled=no name=guest-dhcp


# Ingress Behavior
/interface bridge port
set pvid=100 frame-types=admit-only-untagged-and-priority-tagged [find bridge=bridge]
set pvid=101 [find interface=ether4]
set frame-types=admit-all [find interface=ether5]

# Egress Behaviour
/interface bridge vlan
add bridge=bridge tagged=bridge untagged=ether2,ether3,ether5,sfp1 vlan-ids=100 comment="main-vlan"
add bridge=bridge untagged=ether4 tagged=bridge,ether5 vlan-ids=101 comment="iot-vlan"
add bridge=bridge tagged=bridge,ether5 vlan-ids=102 comment="guest-vlan"


# enable vlan filtering
/interface bridge
set vlan-filtering=yes [find name="bridge"]


/


#remove default ip addressing
/ip dhcp-server
remove [find name=defconf]
/ip dhcp-server network
remove [find gateway=192.168.88.1]
/ip pool
remove [find name=default-dhcp]
/ip address
remove [find interface=bridge]


/


# Clear and re-set the firewall for ease of ordering
/ip firewall filter
remove [find action!="passthrough"]

/ip firewall filter
#Input Chain
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
add chain=input action=accept in-interface-list=VLAN comment="Allow VLAN access to router services"
add chain=input action=accept in-interface=main-vlan comment="Allow main-vlan access to router services"
add chain=input action=drop comment="Drop all other traffic" 
#Forward Chain
add chain=forward action=accept comment="defconf: accept in ipsec policy" ipsec-policy=in,ipsec
add chain=forward action=accept comment="defconf: accept out ipsec policy" ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related
add action=accept chain=forward comment="defconf: accept established,related, untracked" connection-state=established,related,untracked
add action=accept chain=forward connection-state=new in-interface-list=VLAN out-interface-list=WAN comment="VLAN Internet Access Only"
add action=drop chain=forward comment="Drop all other traffic"
#redundant rules from defaults?
#add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
#add action=drop chain=forward comment="defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat connection-state=new in-interface-list=WAN


/


# Security

# Setup a new administrative account
/user add name=YOUR_UNIQUE_NAME password=YOUR_STRONG_PASSWORD group=full
/user remove admin

# Disable all the configuration methods except ssh and winbox
/ip service enable ssh
/ip service disable telnet,ftp,www,www-ssl,api,api-ssl

# Ensure only winbox MAC Address based access from main-vlan
/ip neighbor discovery-settings set discover-interface-list=main-vlan
/tool mac-server mac-winbox set allowed-interface-list=main-vlan
/tool mac-server set allowed-interface-list=main-vlan

#disable unused wireless related packages
/system package
disable hotspot
disable wireless

## allow viewing resource and usage graphs on main-vlan for each main interface
/tool graphing resource
add allow-address=192.168.100.0/24
/tool graphing interface
add allow-address=192.168.100.0/24 interface=ether1
add allow-address=192.168.100.0/24 interface=main-vlan
add allow-address=192.168.100.0/24 interface=iot-vlan
add allow-address=192.168.100.0/24 interface=guest-vlan

#all done reboot to confirm
/system reboot

One thing that’s not going to work is with the HexS you can only use Port 1 or the SFP Slot not both at the same time.

@ITDave According to the block diagram you can use the SFP and ether1 at the same time.

@hallz the output of /export hide-sensitive having executed your script would provide a better picture of what you have done

First off, great diagram and first post! Normis should send you a t-shirt for first efforts of such magnitude!

(1) In the input chain you have a duplicate rule in that the second rule (b) is already covered by the first rule (a)!! …You could get rid of the second rule(b) but see (2)
(a) add chain=input action=accept in-interface-list=VLAN comment=“Allow VLAN access to router services”
(b) add chain=input action=accept in-interface=main-vlan comment=“Allow main-vlan access to router services”

(2) The rule above(a) allows all users on all vlans to access all services on the router. Better would be to tighten it down a notch for better security..

So in this case I would actually keep your second rule(b) above but make its purpose clear AND GET RID of the first rule.
add chain=input action=accept in-interface=main-vlan source-address-list=adminaccess comment=“Admin2router”
Note: You will need to create a firewall address list.
add address=IP_of_admin_desktop list=adminaccess
add address=IP_of_admin-laptop list=adminaccess
add address=IP_of_admin-smartphone list=adminaccess

(3) Then if you still need to allow all vlans to the router for some services, include them next but only for the specific service vice WIDE OPEN.
The most common is DNS.
add action=accept chain=input comment=“Allow VLan DNS queries-UDP”
dst-port=53 in-interface-list=VLAN protocol=udp
add action=accept chain=input comment=“Allow VLan DNS queries-TCP”
dst-port=53 in-interface-list=VLAN protocol=tcp

(4) The two rules one you ask about redundancy.
Concur, with the drop all rule at the end, any such traffic should be dropped at the end anyway.
However, there must be some value to dropping invalid connections as soon as possible and I trust the good judgement of MT to put that one in there. I keep it for example and most others do as well.
The Second rule has more to do with allowed Destination NAT (port forwarding) if one has servers.
So you dont need this rule at the moment. When and if you decide to have a server that needs to be reached you simply need to add the following rule…
add action=accept chain=forward comment=
“Allow Port Forwarding - DSTNAT” connection-nat-state=dstnat
connection-state=new in-interface-list=WAN

(5) In terms of security, I also change the winbox and ssh ports from standard… and limit access to winbox and ssh to at least the main-vlan or better to specific IPs.

(6) Not sure the format of your bridgeports… It should look like this…
/interface bridge port
add bridge=bridge ingress-filtering=yes interface=ether5 {trunk port}
add bridge=bridge frame-type=admit only untagged or priority tagged frames interface=sfp1 pvid=100
add bridge=bridge frame-type=admit only untagged or priority tagged frames interface=ether2 pvid=100
add bridge=bridge frame-type=admit only untagged or priority tagged frames interface=ether3 pvid=100
add bridge=bridge frame-type=admit only untagged or priority tagged frames interface=ether4 pvid=101

(7) Cleaned up the bridge vlan rules…
/interface bridge vlan
add bridge=bridge tagged=bridge,ether5 untagged=ether2,ether3,sfp1 vlan-ids=100 comment=“main-vlan”
add bridge=bridge tagged=bridge,ether5 untagged=ether4 vlan-ids=101 comment=“iot-vlan”
add bridge=bridge tagged=bridge,ether5 vlan-ids=102 comment=“guest-vlan”

Thanks @anav! I will spend some time adding in your suggestions and post a full export as suggested by @tdw when I am done

Ok here is what I have now, with a few decisions along the way:

1,2 & 3) I have added rules as suggested so IoT and Guest VLANs now just get dhcp and dns. I have decided to keep the main-vlan as also the management vlan so I don’t have to maintain a ip/host list.
4) Have made suggested changes. Have put in the dstnat rule as disabled in case I ever decide to host a server.
5) I am going to leave the default ports and just limit to the main-vlan as I will probably forget the ports and then wonder why it doesn’t work
6 & 7) My diagram didn’t indicate that for port 5 Access Point I want the main-vlan 100 to be untagged from the access point (I read somewhere that this is required to manage a Ubiquiti AP). So I am not sure if my rules are correct or if I should change them to what you have suggested (have left as is for now).

# apr/18/2020 15:44:56 by RouterOS 6.46.5
# software id = PUV1-Y3IK
#
# model = RB760iGS
# serial number = :D
/interface bridge
add admin-mac= :D auto-mac=no comment=defconf name=bridge vlan-filtering=yes
/interface vlan
add interface=bridge name=guest-vlan vlan-id=102
add interface=bridge name=iot-vlan vlan-id=101
add interface=bridge name=main-vlan vlan-id=100
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
add name=VLAN
add name=MGMT
/ip pool
add name=main-pool ranges=192.168.100.10-192.168.100.254
add name=iot-pool ranges=192.168.101.10-192.168.101.254
add name=guest-pool ranges=192.168.102.10-192.168.102.254
/ip dhcp-server
add address-pool=main-pool disabled=no interface=main-vlan name=main-dhcp
add address-pool=iot-pool disabled=no interface=iot-vlan name=iot-dhcp
add address-pool=guest-pool disabled=no interface=guest-vlan name=guest-dhcp
/interface bridge port
add bridge=bridge comment=defconf frame-types=admit-only-untagged-and-priority-tagged interface=ether2 pvid=100
add bridge=bridge comment=defconf frame-types=admit-only-untagged-and-priority-tagged interface=ether3 pvid=100
add bridge=bridge comment=defconf frame-types=admit-only-untagged-and-priority-tagged interface=ether4 pvid=101
add bridge=bridge comment=defconf interface=ether5 pvid=100
add bridge=bridge comment=defconf frame-types=admit-only-untagged-and-priority-tagged interface=sfp1 pvid=100
/ip neighbor discovery-settings
set discover-interface-list=MGMT
/interface bridge vlan
add bridge=bridge comment=main-vlan tagged=bridge untagged=ether2,ether3,ether5,sfp1 vlan-ids=100
add bridge=bridge comment=iot-vlan tagged=bridge,ether5 untagged=ether4 vlan-ids=101
add bridge=bridge comment=guest-vlan tagged=bridge,ether5 vlan-ids=102
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=ether1 list=WAN
add interface=main-vlan list=LAN
add interface=iot-vlan list=LAN
add interface=guest-vlan list=LAN
add interface=main-vlan list=VLAN
add interface=iot-vlan list=VLAN
add interface=guest-vlan list=VLAN
add interface=main-vlan list=MGMT
/ip address
add address=192.168.100.1/24 interface=main-vlan network=192.168.100.0
add address=192.168.101.1/24 interface=iot-vlan network=192.168.101.0
add address=192.168.102.1/24 interface=guest-vlan network=192.168.102.0
/ip dhcp-client
add comment=defconf disabled=no interface=ether1
/ip dhcp-server network
add address=192.168.100.0/24 comment=main-dhcp-network gateway=192.168.100.1
add address=192.168.101.0/24 comment=iot-dhcp-network gateway=192.168.101.1
add address=192.168.102.0/24 comment=guest-dhcp-network gateway=192.168.102.1
/ip dns
set allow-remote-requests=yes servers=1.1.1.1,8.8.8.8,1.0.0.1,8.8.4.4
/ip dns static
add address=192.168.100.1 comment=defconf name=router.lan
/ip firewall filter
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=input comment="Allow main-vlan/MGMT access to all router services" in-interface-list=MGMT
add action=accept chain=input comment="Allow VLAN DHCP" dst-port=67 in-interface-list=VLAN protocol=udp
add action=accept chain=input comment="Allow VLAN DNS UDP" dst-port=53 in-interface-list=VLAN protocol=udp
add action=accept chain=input comment="Allow VLAN DNS TCP" dst-port=53 in-interface-list=VLAN protocol=tcp
add action=drop chain=input comment="Drop all other traffic"
add action=accept chain=forward comment="defconf: accept in ipsec policy" ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related
add action=accept chain=forward comment="defconf: accept established,related, untracked" connection-state=established,related,untracked
add action=accept chain=forward comment="VLAN Internet Access Only" connection-state=new in-interface-list=VLAN out-interface-list=WAN
add action=accept chain=forward comment="Allow Port Forwarding - DSTNAT - enable if need server" connection-nat-state=dstnat connection-state=new disabled=\
    yes in-interface-list=WAN
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
add action=drop chain=forward comment="Drop all other traffic"
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" ipsec-policy=out,none out-interface-list=WAN
/ip service
set telnet disabled=yes
set ftp disabled=yes
set www disabled=yes
set www-ssl certificate=webfig disabled=no
set api disabled=yes
set api-ssl disabled=yes
/system clock
set time-zone-name=Australia/Melbourne
/tool graphing interface
add allow-address=192.168.100.0/24 interface=ether1
add allow-address=192.168.100.0/24 interface=main-vlan
add allow-address=192.168.100.0/24 interface=iot-vlan
add allow-address=192.168.100.0/24 interface=guest-vlan
/tool graphing resource
add allow-address=192.168.100.0/24
/tool mac-server
set allowed-interface-list=MGMT
/tool mac-server mac-winbox
set allowed-interface-list=MGMT

Copy all.
Your hybrid port config looks ok.

Thanks!

I turned my config into a little guide so I don’t forget how to set it up:
https://github.com/hallzhallz/hallzhallz.github.io/tree/master/2020-04-25%20Mikrotik%20hEX%20S

This part you can get rid of as its part of the default config and doesnt make sense…

/ip dns static
set address=192.168.100.1 [find name=router.lan]

That changed the default configuration static DNS entry ‘router.lan’ address to match one of the new gateway addresses so the Mikrotik can be referenced by name, which is fine.