Hello Everyone,
I am in the process of making the move from some old Unifi equipment to Mikrotik for my home/office network.
The AP is a Grandstream one, but I am keeping an eye out for new Mikrotik APs to test, and when I find one that fits my needs I will change that as well.
The router replacement procedure is not complete yet, so the Unifi Gateway is still “keeping the fort”, so to speak, with its default firewall config; the switches have already been replaced.
The reason for that is:
- I wanted to make sure that the Mikrotik FW is correctly configured first.
- I need to have my public IP reassigned from the Unifi MAC to the Mikrotik MAC, and this will be the last step.
Anyway, I was wondering if anyone with some more experience would like to throw a quick glance at my FW conf, just to make sure I have not missed something obvious or made some grand error.
IPv6 is currently disabled, so I don’t have any filters for IPv6, and hope this is enough; please let me know if I should make a general drop-all IPv6 filter rule as well at the top.
I have the following VLANs: Data, Guest, Management/infrastructure, IoT/Phone, Work
Data, Guest, Work, IoT have their own separate SSIDs on WiFi
Switches, APs, servers, services etc. in the management/infrastructure VLAN run with static IPs
I don’t have any real experience configuring firewalls, but below are my thoughts while doing this exercise.
I have created the defconf: entries by looking at the examples in post #11, and I hope this will serve as a good base conf.
http://forum.mikrotik.com/t/default-firewall-config/134431/1
Then I have made some specific changes with the following goals in mind:
I have allowed access to manage the router from my main desktop (static ip), everything else should be blocked.
(I have a serial console cable in case of emergency…)
I allow forward from my main desktop to reach the management LAN to manage APs, switches, servers, services, etc.
I allow all VLANs to access the internal Pihole DNS server (the Pi Hole DNS uses an internal BIND9 DNS that acts as a forwarder for external lookups).
I allow the internal forward to reach the Google DNS, and block all other forwards towards port 53 through WAN
I allow forward from the “Data” VLAN to reach the SAMBA network share on the management VLAN.
I allow forward LAN to WAN traffic
Then drop all other forwards.
/ip/firewall/filter export hide-sensitive:
/ip firewall filter
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment="admin to Router" connection-state="" dst-address-list=router src-address-list="admin access"
add action=drop chain=input
add action=accept chain=forward comment="defconf: accept in ipsec policy" ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related disabled=yes hw-offload=yes
add action=accept chain=forward comment="defconf: accept established, related, untracked" connection-state=established,related,untracked
add action=drop chain=forward comment="Drop invalid" connection-state=invalid
add action=accept chain=forward comment="admin to management" dst-address-list="infrastructure and management" src-address-list="admin access"
add action=accept chain=forward comment="Allow vlans to reach udp port 53 on local dns" dst-address-list=pi-hole dst-port=53 protocol=udp src-address-list=local_networks
add action=accept chain=forward comment="Allow vlans to reach tcp port 53 on local dns" dst-address-list=pi-hole dst-port=53 protocol=tcp src-address-list=local_networks
add action=accept chain=forward comment="Allow Internal DNS server to forward to Google DNS 53/udp" dst-address-list="Google DNS" dst-port=53 protocol=udp src-address-list=bind9
add action=accept chain=forward comment="Allow Internal DNS server to forward to Google DNS 53/tcp" dst-address-list="Google DNS" dst-port=53 protocol=tcp src-address-list=bind9
add action=drop chain=forward comment="Drop all other DNS requests to external network" dst-port=53 protocol=tcp
add action=drop chain=forward comment="Drop all other DNS requests to external network" dst-port=53 protocol=udp
add action=accept chain=forward comment="Data to SMB share on Cortex" dst-address-list=cortex dst-port=445 protocol=tcp src-address-list=data
add action=accept chain=forward comment="allow LAN to WAN traffic" connection-state="" in-interface-list=LAN out-interface-list=WAN
add action=drop chain=forward comment="drop all else"
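An added check, not part of the post or of RouterOS itself: a small Python first-match simulator fed a constructed copy of the ruleset above (comments stripped, the disabled fasttrack rule and the two ipsec-policy rules left out), so each of the stated goals can be tried as a packet description before the config goes live. The address-list memberships of the sample hosts in the tests are assumptions.

```python
import shlex

# Constructed copy of the post's ruleset, same order, comments stripped, the
# disabled fasttrack rule and the two ipsec-policy rules left out.
RULES_EXPORT = """
add action=accept chain=input connection-state=established,related,untracked
add action=drop chain=input connection-state=invalid
add action=accept chain=input protocol=icmp
add action=accept chain=input dst-address-list=router src-address-list="admin access"
add action=drop chain=input
add action=accept chain=forward connection-state=established,related,untracked
add action=drop chain=forward connection-state=invalid
add action=accept chain=forward dst-address-list="infrastructure and management" src-address-list="admin access"
add action=accept chain=forward dst-address-list=pi-hole dst-port=53 protocol=udp src-address-list=local_networks
add action=accept chain=forward dst-address-list=pi-hole dst-port=53 protocol=tcp src-address-list=local_networks
add action=accept chain=forward dst-address-list="Google DNS" dst-port=53 protocol=udp src-address-list=bind9
add action=accept chain=forward dst-address-list="Google DNS" dst-port=53 protocol=tcp src-address-list=bind9
add action=drop chain=forward dst-port=53 protocol=tcp
add action=drop chain=forward dst-port=53 protocol=udp
add action=accept chain=forward dst-address-list=cortex dst-port=445 protocol=tcp src-address-list=data
add action=accept chain=forward in-interface-list=LAN out-interface-list=WAN
add action=drop chain=forward
"""

def parse_rules(export):
    """Parse 'add key=value ...' lines into dicts; shlex keeps quoted values whole."""
    return [dict(t.split("=", 1) for t in shlex.split(line)[1:])
            for line in export.strip().splitlines() if line.startswith("add ")]

def matches(rule, pkt):
    """Every matcher the rule sets must agree with the packet (lists are sets on the packet side)."""
    for key, want in rule.items():
        if key == "action":
            continue
        have = pkt.get(key)          # None when the packet has no such attribute
        if key == "connection-state":
            ok = have in want.split(",")   # rule side is a comma list
        elif isinstance(have, set):
            ok = want in have        # one host or interface can sit in several lists
        else:
            ok = have == want
        if not ok:
            return False
    return True

def verdict(rules, pkt):
    """First matching rule wins, as in RouterOS; no match at all means accept."""
    for i, rule in enumerate(rules):
        if matches(rule, pkt):
            return rule["action"], i
    return "accept", None
```

Walking a Work host's TCP/53 query to a management host through it shows that the two port-53 drop rules, having no out-interface-list=WAN, also block DNS between VLANs to anything outside the pi-hole list.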
Thanks in advance!
//
L