help to setup firewall

I think I'm missing something in the firewall and I can't get this.

RB433GL:
WLAN 10.70.180.1/24
LAN1 10.20.0.180/24 (default gw 0.0.0.0/0 – 10.20.0.254/24)

second router:
LAN2 10.20.0.0/24 (10.20.0.254/24)
LAN3 XXXXX
LAN4 10.30.0.0/24
LAN5 XXXXXX

Firewall FIRST rule is set to:
chain forward
dst. address 10.30.0.0/254
action drop

and I still can access web servers / web pages on network 10.30.0.0/24,
HTTP or HTTPS.

What is the catch?
This first rule should drop all traffic to 10.30.0.0/24, or am I missing something here?

Is your destination address in your rule /24 or is it /254 as your post says?

Just from the title “firewall”,
“firewall” what?

What a mess…

How to write posts:
http://forum.mikrotik.com/t/getting-the-most-out-of-this-forum/40983/1

sorry,
10.30.0.0/24

OK, topic edited to “help to setup firewall”.

Hi Josey, the more coherent the explanation provided the quicker and more accurate our assistance can be.

So please provide:
a. a network diagram (your explanation is confusing), and the more labelling the better.
b. a copy of your current config: /export hide-sensitive file=anynameyouwish
c. any requirements that are special, aka what do you want users/devices to be able to do, or NOT to do, without any reference to the config or solutions.

a)
pfsense as internet router with
WAN
LAN2 10.20.0.0/24 interface ip 10.20.0.254
LAN3 10.30.0.0/24 interface ip 10.30.0.254
LAN4 10.40.0.0/24 interface ip 10.40.0.254
LAN5 xx.xx.xx.xx not important
LAN6 xx.xx.xx.xx not important

MIKROTIK RB433GL
WLAN 10.70.0.0/24 interface ip 10.70.0.1
LAN 10.30.0.0/24 interface ip 10.30.0.180
GW on mikrotik is 10.30.0.254

Routes, DNS etc. are set up correctly, internet works and I can access all networks behind PFS.

b)
[admin@MikroTik] > ip firewall export
# jul/1/2021 06:50:01 by RouterOS 6.48.3
# software id = M11L-RRJ2
#
# model = 433GL
# serial number = 448104C4AE1F
/ip firewall filter
add action=drop chain=forward dst-address=10.20.0.0/24
add action=reject chain=forward port=!53,80,443,3128 protocol=tcp reject-with=icmp-network-unreachable
add action=reject chain=forward port=!53 protocol=udp reject-with=icmp-network-unreachable
/ip firewall nat
add action=masquerade chain=srcnat disabled=yes src-address=10.70.0.0/24
[admin@MikroTik] >

c)
What I want is that users behind the MikroTik WLAN can access the internet but cannot access network 10.20.0.0/24 (first FW rule).

The second rule is to reject all ports except 53, 80, 443 and 3128, because a proxy is running on PFS and the MikroTik is providing the necessary data over WPAD.

I know you have WLAN’s ip listed as interface, but is WLAN a bridge port? If it is, in the bridge settings you would need to enable ip-firewall.

The rest of the configuration export would be helpful.
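The following is an added RouterOS CLI example, not configuration posted in this thread. It shows the two checks the reply above points at: passing bridged WLAN traffic through the IP firewall, and a forward-chain drop rule scoped to the WLAN clients, followed by the counter check that tells you whether the rule is seeing the traffic at all. The interface name wlan1 and the bridge port assumption are hypothetical; the addresses are the ones given in the thread.

```routeros
# Added example for this thread, not the original poster's config.
# Assumption: wlan1 (hypothetical name) is a port of a bridge. Bridged
# (layer-2) traffic does not pass /ip firewall filter at all unless the
# bridge is told to hand it to the IP firewall. If the WLAN is routed
# (own subnet, no bridge), this setting is not needed.
/interface bridge settings set use-ip-firewall=yes

# Drop rule from the export, tightened to the WLAN client subnet so it
# cannot accidentally affect other transit traffic, and placed first.
# Chain forward only sees traffic routed THROUGH the router, not traffic
# to/from the router itself.
/ip firewall filter add chain=forward place-before=0 src-address=10.70.0.0/24 dst-address=10.20.0.0/24 action=drop comment="WLAN clients may not reach LAN2"

# Verification: reset the counters, browse to a 10.20.0.x host from a
# WLAN client, then look at the packet/byte counters of the drop rule.
/ip firewall filter reset-counters-all
/ip firewall filter print stats
```

If the drop rule's counters stay at zero while the page still loads, the packets are not traversing the forward chain (bridged traffic without use-ip-firewall, or a path that does not go through this router); if the counters rise and the page still loads, look for an earlier rule or a cached connection, since the export shows no accept rule for established connections that could mask a new drop rule.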

MikroTik have done a fabulous job updating its online documentation. …
I recommend that you check out the following link for superb direction on RouterOS Firewall construction and explanations.

Securing your router
Building Your First Firewall
Building Advanced Firewall

Congratulations to the MikroTik Team for this excellent work in progress.

Disagree,
Some of the rules in the intro are not practical or normal from my limited experience:
setting mac winbox Server interface list to NONE???
Turning IP DNS allow remote request to NO???

On the building a firewall page - the extra noise and garbage of ICMP jumping!!! yuck
In the advance page - playing with raw rules… not recommended except for the very knowledgeable user…

Who wrote this guide???

Router interface
Ethernet/SFP interfaces

It is good practice to disable all unused interfaces on your router, in order to decrease unauthorized access to your router:
/interface print
/interface set X disabled=yes

Where X are the numbers of unused interfaces.

I do not know where they live, if core devices are installed on public roads, where everyone can plug his own device into free ports…

Or a home user must disable router ports if using only WiFi…

Oh, I just have an SFP module to plug into this free port…

Again, we use the bandwidth server EVERY DAY in a PRODUCTION environment…
“Production Environment” is like IT PRO, not for home users…


Bandwidth server

A bandwidth server is used to test throughput between two MikroTik routers. Disable it in the production environment:
/tool bandwidth-server set enabled=no

OK, so I got questions a) b) c),
which I answered and explained,
but it seems that one simple FW rule is not that simple, isn't it?

any other question?

No, the device is not on a public road, it's in a locked office.
OK, I know that it is good practice to disable unused interfaces, but if your device is on a public road, why can't I just unplug the LAN cable on an active LAN interface? :slight_smile:

I'm off topic now.

Can I get this FW to work, because it seems that the suggested help documentation does not help.

thank you