Help with firewall settings

Hi guys,

this is my setup and what I’m trying to do: FritzBox as router with modem (IP 192.168.2.1), MikroTik hEX S connected via LAN ether2 (IP 192.168.2.21) to the FritzBox for internet access. The MikroTik is connected to an IPVanish VPN server, to which I route certain network devices to cover their public IP. This seems to work quite well, but as an absolute MikroTik beginner I am not sure if I have all the necessary firewall rules to secure the system. Can you have a look at my attached config and give me some tips about what I got wrong or what I should add? Thanks in advance!

/interface l2tp-client
add connect-to=xxx.ipvanish.com disabled=no ipsec-secret=xxx name=IPVanish_Connection password=xxx use-ipsec=yes user=xxx
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip hotspot profile
set [ find default=yes ] html-directory=flash/hotspot
/ip address
add address=192.168.2.21/24 interface=ether2 network=192.168.2.0
/ip dhcp-client
add dhcp-options=hostname,clientid disabled=no interface=ether2 use-peer-dns=no
/ip dns
set servers=1.1.1.1,8.8.8.8
/ip dns static
add address=1.1.1.1 name=Cloudflare
add address=8.8.8.8 name=Google
/ip firewall filter
add action=accept chain=input connection-state=established,related
add action=accept chain=input in-interface=ether2
add action=log chain=input disabled=yes
add action=drop chain=input
add action=accept chain=forward connection-state=established,related
add action=accept chain=forward in-interface=ether2
add action=log chain=forward disabled=yes
add action=drop chain=forward
add action=log chain=output connection-state=invalid disabled=yes
add action=drop chain=output connection-state=invalid
/ip firewall mangle
add action=mark-routing chain=prerouting new-routing-mark=IPVanish_Connection passthrough=yes src-address=192.168.2.114
add action=mark-routing chain=prerouting new-routing-mark=IPVanish_Connection passthrough=yes src-address=192.168.2.83
add action=mark-routing chain=prerouting new-routing-mark=IPVanish_Connection passthrough=yes src-address=192.168.2.138
/ip firewall nat
add action=masquerade chain=srcnat out-interface=ether2
add action=masquerade chain=srcnat out-interface=IPVanish_Connection
/ip route
add distance=1 gateway=IPVanish_Connection routing-mark=IPVanish_Connection
/system clock
set time-zone-name=Europe/Berlin
/system routerboard settings
set silent-boot=no

Look at your DNS servers: those are going to Google and Cloudflare. Better to use the DNS from IPVanish.

https://support.ipvanish.com/hc/en-us/articles/115002079853-DNS-Leaks

Thank you, good tip. Didn’t think about IPVanish running their own DNS. Does the rest of my setup look ok?

It looks sound, but then I am not an expert on that.
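Editor's note: the ruleset posted above is workable, but two things a reviewer would flag are not covered by the replies. First, a routing mark whose table has no route falls back to the main table, so when the L2TP tunnel is down the three "VPN" hosts silently go out through the FritzBox with their real address. Second, the DNS-leak advice only helps if those hosts' queries actually pass through the MikroTik; a client that asks 192.168.2.1 directly never transits the router. The fragment below is an added example written for this page, not the poster's config and not taken from the linked IPVanish article. Interface names, the 192.168.2.0/24 subnet and the three client addresses come from the thread; the address-list name vpn_clients is my choice, and the resolver address is a placeholder to be filled in from IPVanish's article.

```routeros
# Added example (not the original poster's config). Assumes RouterOS with
# interfaces ether2 and IPVanish_Connection exactly as named in the thread.

/ip firewall address-list
# Keep the tunnel clients in one list instead of three separate mangle rules.
add list=vpn_clients address=192.168.2.114 comment="routed via IPVanish"
add list=vpn_clients address=192.168.2.83  comment="routed via IPVanish"
add list=vpn_clients address=192.168.2.138 comment="routed via IPVanish"

/ip firewall mangle
# One marking rule for the whole list; passthrough=no because nothing
# else in mangle needs to see these packets.
add chain=prerouting src-address-list=vpn_clients action=mark-routing \
    new-routing-mark=IPVanish_Connection passthrough=no

/ip firewall nat
# DNS from tunnel clients is rewritten to the IPVanish resolver. The packet
# already carries the routing mark from prerouting, so it leaves via the
# tunnel and is covered by the kill switch below.
# <ipvanish-dns> is a placeholder: take the address from the linked article.
add chain=dstnat src-address-list=vpn_clients protocol=udp dst-port=53 \
    action=dst-nat to-addresses=<ipvanish-dns> comment="force VPN DNS (udp)"
add chain=dstnat src-address-list=vpn_clients protocol=tcp dst-port=53 \
    action=dst-nat to-addresses=<ipvanish-dns> comment="force VPN DNS (tcp)"
# Masquerade stays as posted: one rule per egress interface.
add chain=srcnat out-interface=ether2 action=masquerade
add chain=srcnat out-interface=IPVanish_Connection action=masquerade

/ip firewall filter
# --- input: the router itself ---
add chain=input connection-state=established,related action=accept
add chain=input connection-state=invalid action=drop
# Management only from the local subnet, not from anything that happens
# to arrive on ether2 (e.g. a FritzBox port forward pointed at the hEX).
add chain=input in-interface=ether2 src-address=192.168.2.0/24 action=accept \
    comment="LAN management"
add chain=input action=drop comment="drop everything else"

# --- forward: traffic through the router ---
# Kill switch. It sits BEFORE the established,related accept on purpose:
# when the tunnel drops, flows that were open over it would otherwise be
# accepted as established and re-routed out ether2 via the main table.
add chain=forward routing-mark=IPVanish_Connection \
    out-interface=!IPVanish_Connection action=drop \
    comment="kill switch: VPN clients never egress via ether2"
add chain=forward connection-state=established,related action=accept
add chain=forward connection-state=invalid action=drop
add chain=forward in-interface=ether2 src-address=192.168.2.0/24 action=accept \
    comment="LAN to internet / tunnel"
add chain=forward action=drop comment="drop everything else"

/ip route
# Unchanged from the posted config: the marked table points at the tunnel.
add distance=1 gateway=IPVanish_Connection routing-mark=IPVanish_Connection
```

Two caveats on using this. The dst-nat rules only fire for DNS that reaches the MikroTik, so the three clients must be configured with a resolver that is not on their own subnet (any off-subnet address works, since it is rewritten), or directly with IPVanish's resolver; leaving them on the FritzBox's 192.168.2.1 means the query never transits the router and the leak remains. And because the kill switch turns a tunnel outage into a hard failure for those hosts, keep the posted (disabled) log rules handy: enabling the one before the final forward drop is the quickest way to see whether a "no internet" complaint is the kill switch doing its job.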