Help on applying advanced firewall rules

Abdelhadi · October 4, 2023, 10:08pm

Hi,
I’m trying to appply advanced firewall rules given in support page (https://help.mikrotik.com/docs/display/ROS/Building+Advanced+Firewall).
I applied most of them successfully. But when I arriive at this part:

/ip firewall raw
add action=drop chain=prerouting comment=“defconf: drop bogon IP’s” src-address-list=bad_ipv4
add action=drop chain=prerouting comment=“defconf: drop bogon IP’s” dst-address-list=bad_ipv4
add action=drop chain=prerouting comment=“defconf: drop bogon IP’s” src-address-list=bad_src_ipv4
add action=drop chain=prerouting comment=“defconf: drop bogon IP’s” dst-address-list=bad_dst_ipv4
add action=drop chain=prerouting comment=“defconf: drop non global from WAN” src-address-list=not_global_ipv4 in-interface-list=WAN
add action=drop chain=prerouting comment=“defconf: drop forward to local lan from WAN” in-interface-list=WAN dst-address=192.168.88.0/24
add action=drop chain=prerouting comment=“defconf: drop local if not from default IP range” in-interface-list=LAN src-address=!192.168.88.0/24
add action=drop chain=prerouting comment=“defconf: drop bad UDP” port=0 protocol=udp
add action=jump chain=prerouting comment=“defconf: jump to ICMP chain” jump-target=icmp4 protocol=icmp
add action=jump chain=prerouting comment=“defconf: jump to TCP chain” jump-target=bad_tcp protocol=tcp
add action=accept chain=prerouting comment=“defconf: accept everything else from LAN” in-interface-list=LAN
add action=accept chain=prerouting comment=“defconf: accept everything else from WAN” in-interface-list=WAN
add action=drop chain=prerouting comment=“defconf: drop the rest”

Once applyied, I’m getting ejected from router! So I connect to router by console to delete firewall raw rules.

Can someone explain to me why this part of rules reject me.

Thanks in advance.

PS:

I already added those list addresses:

/ipv6 firewall address-list
add address=::1/128 comment=“defconf: RFC6890 lo” list=bad_ipv6
add address=::ffff:0:0/96 comment=“defconf: RFC6890 IPv4 mapped” list=bad_ipv6
add address=2001::/23 comment=“defconf: RFC6890” list=bad_ipv6
add address=2001:db8::/32 comment=“defconf: RFC6890 documentation” list=bad_ipv6
add address=2001:10::/28 comment=“defconf: RFC6890 orchid” list=bad_ipv6
add address=::/96 comment=“defconf: ipv4 compat” list=bad_ipv6
/ipv6 firewall address-list
add address=100::/64 comment=“defconf: RFC6890 Discard-only” list=not_global_ipv6
add address=2001::/32 comment=“defconf: RFC6890 TEREDO” list=not_global_ipv6
add address=2001:2::/48 comment=“defconf: RFC6890 Benchmark” list=not_global_ipv6
add address=fc00::/7 comment=“defconf: RFC6890 Unique-Local” list=not_global_ipv6

llamajaja · October 5, 2023, 11:09am

Why. a ROUTER is for routing authorized traffic, you seem intent or focussed on blocking traffic.
Most of that is not needed.
Best start of with a basic firewall, ensure users on lan have access to services on input chain,
access to wan on forward chain and drop all else in both chains. Suffices for 95% of cases.

Abdelhadi · October 5, 2023, 1:21pm

Hi,
Thanks for your reply.
Why? because it’s indicated in official support page! It seems that it rise the device performance by handling trafic before arriving at firewall rules.
Am I wrong? All I want is to maximize security.
Thanks in advance

Kentzo · October 5, 2023, 6:48pm

Try adding the rules one by one to find the one that leads to ejection.

llamajaja · October 5, 2023, 7:00pm

I would say unless you understand what each rule is doing, what raw means vice other filter categories etc… then you are over your head and shouldnt be applying these rules… and should go for a clean lean and safe config. If interested let me know.

Kentzo · October 5, 2023, 7:07pm

@llamajaja has good wisdon… but if this is your personal device then go hack it.

Although consider something like GNS3 (it can virtualize RouterOS). It’s better because you won’t “brick” your LAN and can always reset to a clean slate.

McGremlin · October 5, 2023, 7:11pm

Hi there!
I won’t help you, because I didn’t do this kind of rules, but it’s interesting for me. Can I ask you a few questions?

Are you doing it (or planning to do so) in running environment?
What’s the biggest expected advantage for you and why? Security or better CPU performance maybe?

If you have just one network 192.168.88.0/24 I think you don’t really need to do it so advanced but it’s your network - try, learn, rise
If you are just using the examples from article to ask but your network is more complex - good luck

EDIT: Of course others can share their thoughts as well

pfturner · April 17, 2024, 11:01pm

I have ipv6 running well with the Basic Mikrotik ipv6 firewall, but I had to make a couple of modifications to get it to work with my internet provide - Starlink. I wanted to test the Advanced firewall in Mikrotik to learn and see whether I had any weaknesses in the Basic implementation given the modifications I made…

So, I have a couple of spots where I had to change the RAW section in order to get it to work and I’d appreciate a nudge in helping to understand why:

I need to disable the following address list item: add address=::1/128 comment=“defconf: RFC6890 lo” list=bad_ipv6 (latest versions of iOS 7 have an Io interface that shows up automatically, so maybe there is a reason why this now needs to be disabled?)
I need to disable the last rule in the RAW ICMPv6 list: add action=drop chain=icmp6 comment=“defconf: drop other icmp” protocol=icmpv6
This next one bothers me more - what ICMPv6 packets could have failed to be accepted in the previous accepted rules in RAW that the firewall wants to drop, but I need to disable in order to get ipv6 working?

Thanks for any advice you can provide.

Kentzo · April 17, 2024, 11:39pm

In both cases you need to log to see what packets are being matched.

vingjfg · April 18, 2024, 6:08am

Hi there!

Can you post the output of the following commands?

/ip/address/print
/ip/firewall/address-list/print
/interface/list/member/print

Also, when posting commands or outputs, consider using the code tag (the button is </> above). This presents the information in a nicer format.

pfturner · April 18, 2024, 12:27pm

The log errors show ICMP codes 136, 134 (router and neighbor advertisements) and 143 (multicast)

Currently, I have to disable the address list item that shows an “X” below - the Io-related one and I have to disable the last drop rule in the advanced ipv6 firewall to get it to work. The above error codes show up in the log if I enable the last drop rule. Thanks for your help!

Flags: D - DYNAMIC; G - GLOBAL, L - LINK-LOCAL
Columns: ADDRESS, FROM-POOL, INTERFACE, ADVERTISE
 #    ADDRESS                                     FROM-POOL    INTERFACE      ADVERTISE
 0  G 2605:xxxx:xxxx:xx00:xxxx:xxff:fexx:6245/64  Starlink-v6  Local          yes      
 1  G 2605:xxxx:xxxx:xx03:xxxx:xxff:fexx:6245/64  Starlink-v6  VLAN-10-Main   yes      
 2  G 2605:xxxx:xxxx:xx01:xxxx:xxff:fexx:6245/64  Starlink-v6  VLAN-20-Guest  yes      
 3  G 2605:xxxx:xxxx:xx02:xxxx:xxff:fexx:6245/64  Starlink-v6  VLAN-30-IoT    yes      
 4 D  ::1/128                                                  lo             no       
 5 DL fe80::xxxx:xxff:fexx:6245/64                             VLAN-10-Main   no       
 6 DL fe80::xxxx:xxff:fexx:6245/64                             Local          no       
 7 DL fe80::xxxx:xxff:fexx:6245/64                             VLAN-30-IoT    no       
 8 DL fe80::xxxx:xxff:fexx:6245/64                             VLAN-20-Guest  no       
 9 DL fe80::xxxx:xxff:fexx:6243/64                             WAN2-Verizon   no       
10 DL fe80::xxxx:xxff:fexx:6242/64                             WAN1-Starlink  no       
11 DL fe80::xxxx:xxff:fexx:6244/64                             WAN3-Eclipse   no       
12 DG 2605:xxxx:xxxx:xxxx:xxxx:xxff:fexx:6242/64               WAN1-Starlink  no

Columns: LIST, INTERFACE
# LIST  INTERFACE    
0 LAN   Local        
1 WAN   WAN1-Starlink
2 VLAN  VLAN-20-Guest
3 VLAN  VLAN-30-IoT  
4 VLAN  VLAN-10-Main 
5 WAN   WAN2-Verizon 
6 WAN   WAN3-Eclipse 
7 VLAN  Local

Flags: X - DISABLED
Columns: LIST, ADDRESS, CREATION-TIME
 #   LIST             ADDRESS                     CREATION-TIME      
;;; Local Network
 0   allowed          2605:xxxx:xxxx:xxxx::/56    2024-03-18 18:16:17
;;; multicast
 1   allowed          ff02::/16                   2024-03-27 13:08:57
;;; DHCPv6 client server value
 2   allowed          2605:xxxx:xxxx:xxxx::1/128  2024-03-27 14:16:06
;;; RFC6890 Linked-Scoped Unicast
 3   no_forward_ipv6  fe80::/10                   2024-04-16 14:54:03
;;; Multicast
 4   no_forward_ipv6  ff00::/8                    2024-04-16 14:54:03
;;; RFC6890 lo
 5 X bad_ipv6         ::1/128                     2024-04-16 14:54:51
;;; RFC6890 IPv4 mapped
 6   bad_ipv6         ::ffff:0.0.0.0/96           2024-04-16 14:54:51
;;; RFC6890
 7   bad_ipv6         2001::/23                   2024-04-16 14:54:51
;;; RFC6890 documentation
 8   bad_ipv6         2001:db8::/32               2024-04-16 14:54:51
;;; RFC6890 orchid
 9   bad_ipv6         2001:10::/28                2024-04-16 14:54:51
;;; IPV4 compat
10   bad_ipv6         ::/96                       2024-04-16 14:54:51
;;; RFC6890 Discard-only
11   not_global_ipv6  100::/64            x        2024-04-16 14:55:26
;;; RFC6890 TEREDO
12   not_global_ipv6  2001::/32                   2024-04-16 14:55:26
;;; RFC6890 Benchmark
13   not_global_ipv6  2001:2::/48                 2024-04-16 14:55:26
;;; RFC6890 Unique-Local
14   not_global_ipv6  fc00::/7                    2024-04-16 14:55:26
;;; Unspecified
15   bad_dst_ipv6     ::/128                      2024-04-16 14:55:58
;;; Unspecified
16   bad_src_ipv6     ::/128                      2024-04-16 14:56:20
;;; Multicast
17   bad_src_ipv6     ff00::/8                    2024-04-16 14:56:20

pfturner · April 18, 2024, 12:39pm

Note that in the respective ICMP RAW rules I have replaced the standard advanced firewall “LAN” in-interface-list with “VLAN” - I have my bridge in LAN and also in VLAN, so it’s a broader list than just LAN. The firewall (as opposed to RAW tab) modifications I had to make for Starlink were based on a user’s post in Github or Reddit specific to Starlink ipv6 implementation in Mikrotik - in addition to the multicast range, I also have to specifically accept packets sourced from the Global addresses given to my LAN interfaces (bridge and VLANs below) and the Global address Starlink provides to the router itself. I am not sure why the link-local information isn’t enough as it would seem to be from the Mikrotik-provided firewall configurations.

vingjfg · April 18, 2024, 5:52pm

Well, it seems you sent me the ipv6 bits and not the ip(v4) ones - can you send again the ipv4 addresses and address-list?

pfturner · April 18, 2024, 7:45pm

I wasn’t sure whether you wanted ipv4 or not since that is working fine for me, but here it is as well… The member list is already above.

Flags: D - DYNAMIC
Columns: ADDRESS, NETWORK, INTERFACE
#   ADDRESS            NETWORK         INTERFACE       
0   10.10.1.1/24       10.10.1.0       Local           
1   10.10.20.1/24      10.10.20.0      VLAN-20-Guest   
2   10.10.30.1/24      10.10.30.0      VLAN-30-IoT     
3   10.10.10.1/24      10.10.10.0      VLAN-10-Main    
4 D 192.168.2.2/24     192.168.2.0     WAN2-Verizon    
5 D xxx.xxx.xxx.xxx/21  129.222.16.0    WAN1-Starlink   
6 D 192.168.3.238/24   192.168.3.0     WAN3-Eclipse

Flags: X - DISABLED
Columns: LIST, ADDRESS, CREATION-TIME
 #   LIST               ADDRESS          CREATION-TIME      
 0   LAN                10.10.1.0/24     1970-01-02 00:00:35
;;; 6to4 relay Anycast [RFC 3068]
 1   not_in_internet    192.88.99.0/24   1970-01-02 00:00:35
 2   allowed_to_router  10.10.1.0/24     1970-01-02 00:00:35
;;; RFC6890
 3   not_in_internet    0.0.0.0/8        1970-01-02 00:00:35
;;; RFC6890
 4   not_in_internet    172.16.0.0/12    1970-01-02 00:00:35
;;; RFC6890
 5   not_in_internet    192.168.0.0/16   1970-01-02 00:00:35
;;; RFC6890
 6   not_in_internet    10.0.0.0/8       1970-01-02 00:00:35
;;; RFC6890
 7   not_in_internet    169.254.0.0/16   1970-01-02 00:00:35
;;; RFC6890
 8   not_in_internet    127.0.0.0/8      1970-01-02 00:00:35
;;; Multicast
 9   not_in_internet    224.0.0.0/4      1970-01-02 00:00:35
;;; RFC6890
10   not_in_internet    198.18.0.0/15    1970-01-02 00:00:35
;;; RFC6890
11   not_in_internet    192.0.0.0/24     1970-01-02 00:00:35
;;; RFC6890
12   not_in_internet    192.0.2.0/24     1970-01-02 00:00:35
;;; RFC6890
13   not_in_internet    198.51.100.0/24  1970-01-02 00:00:35
;;; RFC6890
14   not_in_internet    203.0.113.0/24   1970-01-02 00:00:35
;;; RFC6890
15   not_in_internet    100.64.0.0/10    1970-01-02 00:00:35
;;; RFC6890
16   not_in_internet    240.0.0.0/4      1970-01-02 00:00:35
17   allowed_to_router  10.10.10.0/24    2023-07-11 14:14:41

vingjfg · April 19, 2024, 7:24am

Hi there!

Then I am confused - you said you had issues when you added the ip firewall raw rules - do you mean you have issues when you do the same with the ipv6 firewall raw rules?

pfturner · April 19, 2024, 11:39am

I have been using a slightly modified version of MT’s basic ipv6 firewall - I am not clear on why my Starlink internet connection seems to require these slight modifications. I thought I would try the MT advanced ipv6 firewall to see if I could drill down to see where the problem is. To get the advanced ipv6 firewall to allow ipv6 to work I have to do the following:

Disable the address list item: add address=::1/128 comment=“defconf: lo” disabled=no dynamic=no list=bad_ipv6
Disable the final advanced ipv6 RAW rule: Drop other ICMP
I still have to include in the advanced ipv6 firewall an accept input and accept forward rules that permit traffic from my global address for the Starlink internet and the global addresses for my bridge and VLANs.

On #2, the ICMP traffic that is getting dropped are not getting picked up by the LAN-only accept rules for ICMP types 134, 136 and 143 - it seems that some of the traffic getting dropped has the global address of the Starlink interface.

I’m not sure why MT’s ipv6 firewalls do not work without the above - the standard uses LAN and !LAN - which I have replaced with VLAN (which my definition includes the bridge (LAN) and three VLANs). Does an address list that refers to LAN or VLAN include both the ipv4 and ipv6 addresses? If so, does it include the global as well as link-local addresses?

vingjfg · April 19, 2024, 3:02pm

OK! I was uncertain as you posted the ip firewall raw for IPv4 and information for IPv6 - but mentioned the issues related to connectivity so I went with IPv4. I saw a few things in the info you sent, namely that you use the interface-list name “VLAN” and not “LAN”, keep in mind that that means that WAN and VLAN are matched by “!LAN”.

IPv4 and IPv6 are different parts of the firewall, filtering one doesn’t change the other.

Can you post the output of the following command?

/ipv6/firewall/raw/print

pfturner · April 19, 2024, 5:34pm

Flags: X - disabled, I - invalid; D - dynamic 
 0 X  ;;; Enable for transparent firewall
      chain=prerouting action=accept log=no log-prefix="" 

 1 X  ;;; RFC4291, section 2.7.1
      chain=prerouting action=accept icmp-options=135:0-255 log=no log-prefix="" protocol=icmpv6 src-address=::/128 dst-address=ff02::1:ff00:0/104 

 2 X  ;;; Drop bogon IP's
      chain=prerouting action=drop log=no log-prefix="" src-address-list=bad_ipv6 

 3 X  ;;; Drop bogon IP's
      chain=prerouting action=drop log=no log-prefix="" dst-address-list=bad_ipv6 

 4 X  ;;; Drop packets with bad SRC ipv6
      chain=prerouting action=drop log=no log-prefix="" src-address-list=bad_src_ipv6 

 5 X  ;;; Drop packets with bad dst ipv6
      chain=prerouting action=drop log=no log-prefix="" dst-address-list=bad_dst_ipv6 

 6 X  ;;; Drop non global from WAN
      chain=prerouting action=drop in-interface-list=WAN log=no log-prefix="" src-address-list=not_global_ipv6 

 7 X  ;;; Jump to ICMPv6 chain
      chain=prerouting action=jump jump-target=icmp6 log=no log-prefix="" protocol=icmpv6 

 8 X  ;;; Accept local multicast scope
      chain=prerouting action=accept log=no log-prefix="" dst-address=ff02::/16 

 9 X  ;;; Drop other multicast destinations
      chain=prerouting action=drop log=no log-prefix="" dst-address=ff00::/8 

10 X  ;;; Accept everything else from WAN
      chain=prerouting action=accept in-interface-list=WAN log=no log-prefix="" 

11 X  ;;; Accept everything else from VLANs
      chain=prerouting action=accept in-interface-list=VLAN log=no log-prefix="" 

12 X  ;;; Drop the rest
      chain=prerouting action=drop log=no log-prefix=""
13 X  ;;; RFC4890 drop ll if hop-limit!=255
      chain=icmp6 action=drop log=no log-prefix="" protocol=icmpv6 dst-address=fe80::/10 hop-limit=not-equal:255 

14 X  ;;; DST unreachable
      chain=icmp6 action=accept icmp-options=1:0-255 log=no log-prefix="" protocol=icmpv6 

15 X  ;;; Packet too big
      chain=icmp6 action=accept icmp-options=2:0-255 log=no log-prefix="" protocol=icmpv6 

16 X  ;;; Limit exceeded
      chain=icmp6 action=accept icmp-options=3:0-1 log=no log-prefix="" protocol=icmpv6 

17 X  ;;; Bad header
      chain=icmp6 action=accept icmp-options=4:0-2 log=no log-prefix="" protocol=icmpv6 

18 X  ;;; Mobile home agent address discovery (ICMP Type 144)
      chain=icmp6 action=accept icmp-options=144:0-255 log=no log-prefix="" protocol=icmpv6 

19 X  ;;; Mobile home agent address discovery (ICMP Type 145)
      chain=icmp6 action=accept icmp-options=145:0-255 log=no log-prefix="" protocol=icmpv6 

20 X  ;;; Mobile prefix solic
      chain=icmp6 action=accept icmp-options=146:0-255 log=no log-prefix="" protocol=icmpv6 

21 X  ;;; Mobile prefix advert
      chain=icmp6 action=accept icmp-options=147:0-255 log=no log-prefix="" protocol=icmpv6 

22 X  ;;; Echo request limit 5,10
      chain=icmp6 action=accept icmp-options=128:0-255 limit=5,10:packet log=no log-prefix="" protocol=icmpv6 

23 X  ;;; Echo reply limit 5,10
      chain=icmp6 action=accept icmp-options=129:0-255 limit=5,10:packet log=no log-prefix="" protocol=icmpv6 

24 X  ;;; RFC4890 router solic limit 5,10 only LAN
      chain=icmp6 action=accept in-interface-list=VLAN icmp-options=133:0-255 limit=5,10:packet log=no log-prefix="" protocol=icmpv6 hop-limit=equal:255 

25 X  ;;; RFC4890 router advert limit 5,10 only LAN
      chain=icmp6 action=accept in-interface-list=VLAN icmp-options=134:0-255 limit=5,10:packet log=no log-prefix="" protocol=icmpv6 hop-limit=equal:255 

26 X  ;;; RFC4890 neighbor solic limit 5,10 only LAN
      chain=icmp6 action=accept in-interface-list=VLAN icmp-options=135:0-255 limit=5,10:packet log=no log-prefix="" protocol=icmpv6 hop-limit=equal:255 

27 X  ;;; RFC4890 neighbor advert limit 5,10 only LAN
      chain=icmp6 action=accept in-interface-list=VLAN icmp-options=136:0-255 limit=5,10:packet log=no log-prefix="" protocol=icmpv6 hop-limit=equal:255 

28 X  ;;; RFC4890 inverse ND solic limit 5,10 only LAN
      chain=icmp6 action=accept in-interface-list=VLAN icmp-options=141:0-255 limit=5,10:packet log=no log-prefix="" protocol=icmpv6 hop-limit=equal:255 

29 X  ;;; RFC4890 inverse ND advert limit 5,10 only LAN
      chain=icmp6 action=accept in-interface-list=VLAN icmp-options=142:0-255 limit=5,10:packet log=no log-prefix="" protocol=icmpv6 hop-limit=equal:255 

30 X  ;;; Drop other ICMP
      chain=icmp6 action=drop log=yes log-prefix="dropped_ipv6" protocol=icmpv6

pfturner · April 19, 2024, 5:44pm

Rules 25 and 26 (ICMP 134 and 136) might help me the most. Apart from having to turn off the ::/1 Io address list item…

Kentzo · April 20, 2024, 10:41am

Instead of disabling the rules, can you change it to passthrough with log and then attach here the packets whose dropping breaks your network, exactly as it appears in the log?

The rule that only allows ICMPv6 Type 134 from LAN is plain wrong for an edge router: it is supposed to receive RAs from the upstream (WAN), configure itself and then advertise itself to the downstream (LAN).

I recommend reading https://datatracker.ietf.org/doc/html/rfc4890