Help with firewall and public IP static route

Hello,

I have a firewall question.

I have a /24 network of public IP addresses. I have configured (static route) the first public IP address on the LAN interface, and it is the default route to the other public IPs, which I configure on local servers.

I would like to allow only specific ports to be forwarded to the servers with public IPs behind the router.

Thank you!

So you're using a bridged setup? … post a diagram on your export. But if you are using a bridged setup then you can use the bridge filter.

-Eric

Hi Eric,

Thank you for your answer.
Yes, I'm using a bridged setup. And with your help I managed to add rules like

;;; Allow port 3389
chain=forward action=accept protocol=tcp dst-address=X.X.X.X dst-port=3389

;;; Drop All other ports
chain=forward action=drop dst-address=X.X.X.X

And it is working correctly, but now the server has no outgoing connection.

I tried something that seemed logical to me (but is clearly incorrect): adding an allow rule for the source before the drop-all-ports rule, like

;;; Allow all outgoing ports
chain=forward action=accept src-address=X.X.X.X

But it seems like it is not doing the job - still no outgoing traffic from the X.X.X.X server.

I'm not exactly sure how to post a diagram on my export. Sorry.

Just post your whole export… and put it into the ROS syntax tags.
# jan/17/2014 18:05:39 by RouterOS 6.7
# software id = XXXX-XXXX
#
/interface bridge
add arp=proxy-arp name=B-LAN
/interface ethernet
set [ find default-name=ether2 ] arp=proxy-arp name=LAN speed=1Gbps
set [ find default-name=ether3 ] arp=proxy-arp name=WAN speed=1Gbps
set [ find default-name=ether1 ] comment="On Board - Disabled" disabled=yes \
    name=WAN2
/interface eoip
add arp=proxy-arp mac-address=XX:XX:XX:XX:XX:XX name=T-LAN remote-address=\
    10.255.255.2 tunnel-id=XXXXX
/ip neighbor discovery
set WAN2 comment="On Board - Disabled" discover=no
/interface vlan
add arp=proxy-arp interface=B-LAN l2mtu=65531 name=STAFF vlan-id=XXXX
/ip neighbor discovery
set STAFF discover=no
/ip dhcp-server
add add-arp=yes disabled=no interface=STAFF lease-time=1d name=staff-DHCP2 \
    src-address=192.168.168.111
/ip pool
add name=users ranges=192.168.0.2-192.168.15.255
add name=staff ranges=192.168.168.10-192.168.168.200
add name=pptp ranges=192.168.1.100-192.168.1.150
/ip dhcp-server
add add-arp=yes address-pool=users disabled=no interface=B-LAN lease-time=\
    1w name=staff-DHCP1 src-address=192.168.1.111
/port
set 0 flow-control=hardware name=serial0
/interface bridge port
add bridge=B-LAN interface=LAN
add bridge=B-LAN interface=T-LAN
/interface bridge settings
set use-ip-firewall=yes use-ip-firewall-for-pppoe=yes \
    use-ip-firewall-for-vlan=yes
/ip address
add address=192.168.1.111/16 comment=GW interface=LAN network=192.168.0.0
add address=192.168.168.111/24 comment="GW Staff" interface=LAN network=\
    192.168.168.0
add address=X.Y.Z.2/24 comment="Public LAN" interface=LAN network=\
    X.Y.Z.0
add address=X.Y.Z.1/24 comment="Public LAN" interface=LAN network=\
    X.Y.Z.0
add address=D.E.F.162/30 comment=WAN interface=WAN network=\
    D.E.F.160
add address=10.255.255.1/30 comment=EOIP interface=WAN network=10.255.255.0
add address=X.Y.Z.122/24 interface=LAN network=X.Y.Z.0
/ip dhcp-server network
add address=192.168.0.0/16 comment=LAN-users dns-server=\
    192.168.1.111,192.168.1.212,192.168.1.124,192.168.1.125 domain=\
    domain.local gateway=192.168.1.111
add address=192.168.168.0/24 comment=LAN-users2 dns-server=192.168.168.111 \
    gateway=192.168.168.111
/ip dns
set allow-remote-requests=yes cache-size=512KiB max-udp-packet-size=512 \
    servers=192.168.1.124,192.168.1.125
/ip firewall address-list
add address=192.168.0.0/16 comment="my local network" list=local-addr
add address=192.168.0.0/16 comment="my src-nated local network hosts" list=\
    nat-addr
/ip firewall connection tracking
set enabled=yes
/ip settings
set tcp-syncookies=yes
/ip firewall filter
add chain=forward comment=Server3 dst-address=A.B.C.3 \
    dst-port=80,443,4022 protocol=tcp
add action=drop chain=forward comment=\
    "Drop All ports to A.B.C.3" disabled=yes dst-address=\
    A.B.C.3
/ip route
add distance=1 gateway=A.B.C.161

I guess I'm still confused. Based on that setup you're using NAT, not bridging your WAN. How does your ISP deliver those IPs to you? Plus, why does your LAN have private and public IPs?

I'm using NAT for private IP addresses (192.168.0.0/16, and I'm testing something with 192.168.168.0/24), and the GW is the LAN interface.
At the same time my ISP routes the public IP addresses (X.Y.Z.0/24) statically through

/ip address
add address=D.E.F.162/30 comment=WAN interface=WAN network=D.E.F.160

[myuser@mtrouter] /ip route> print
Flags: X - disabled, A - active, D - dynamic,
C - connect, S - static, r - rip, b - bgp, o - ospf, m - mme,
B - blackhole, U - unreachable, P - prohibit

 #      DST-ADDRESS        PREF-SRC         GATEWAY     DISTANCE
 0 A S  0.0.0.0/0                           D.E.F.161          1
 1 ADC  10.255.255.0/30    10.255.255.1     WAN                0
 2 ADC  192.168.0.0/16     192.168.1.111    B-LAN              0
 4 ADC  192.168.168.0/24   192.168.168.111  B-LAN              0
 6 ADC  X.Y.Z.0/24         X.Y.Z.1          B-LAN              0
 7 ADC  D.E.F.160/30       D.E.F.162        WAN                0

I don't know why the export does not contain all of the /ip route info.

Thank you again for your time. I hope I can provide you the necessary info correctly.

  1. Not sure why… but a lot of your export is missing.

  2. Why are you running all of those different networks on the same network, or port? I would segregate your "DMZ" stuff from your NAT stuff.

Post the whole export so I can see the firewall rules…

But based on the way I think it is setup you can just drop the traffic you don’t want to pass in the firewall filter forward chain.
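An added example, not posted by anyone in this thread, of how the forward-chain rules from the earlier posts can be ordered so that the server's own outgoing connections keep working. The drop rule with dst-address=X.X.X.X also matches the reply packets coming back to the server, which is why accepting src-address=X.X.X.X did not help; accepting established/related traffic first (connection tracking is already enabled in the export, and use-ip-firewall=yes sends bridged traffic through /ip firewall filter) lets those replies through. X.X.X.X and port 3389 are the placeholder values from the posts.

```routeros
/ip firewall filter
# Replies for connections the router already tracks (including the server's own
# outbound sessions) are accepted before any per-address drop rule below
add chain=forward comment="Allow established/related" \
    connection-state=established,related action=accept
# Packets that connection tracking cannot associate with a valid connection
add chain=forward comment="Drop invalid" connection-state=invalid action=drop
# Only new inbound connections to the allowed port reach the server
add chain=forward comment="Allow RDP to server" connection-state=new \
    protocol=tcp dst-address=X.X.X.X dst-port=3389 action=accept
# New connections initiated by the server itself are allowed out
add chain=forward comment="Allow server outbound" connection-state=new \
    src-address=X.X.X.X action=accept
# Everything else destined for the server is dropped
add chain=forward comment="Drop all other ports to server" \
    dst-address=X.X.X.X action=drop
```

Rule order is what matters here: the established/related accept must sit above the final drop. After applying, `/ip firewall filter print stats` shows which rule each packet hit, so a rising counter on the drop rule while the server is trying to connect out points at a missing state rule.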