How to debug L2 and IP firewall?

Hello!

I am trying to isolate an untrusted network (another home router with its own masquerade, WiFi and LAN, 192.168.0.y) attached to the ether2 port.
Ether1 is the ISP port. All other ports (ether2 through the last one) are in a bridge with DHCP 192.168.1.x, and WiFi exists too.
I don't want any communication between the untrusted ether2 LAN and the other ports ether3, ether4, …
I set up a bridge firewall rule (dropping between the specific ports) and enabled the "use IP firewall" bridge setting. No effect.
I also added IP firewall filter rules (near the top of the list) in the forward chain (drop 192.168.0.y → 192.168.1.x and the reverse). No effect.
I can still connect from a 192.168.0.x host (I tested from a WiFi device only) to a 192.168.1.x host.

How can I find out which setting is wrong and debug it?


My Mikrotik: RB2011UAS-IN

  1. Are you testing connectivity from a LAN device in one subnet towards the router's address in the other subnet, or between LAN devices?
  2. Post the complete configuration (output of the command /export hide-sensitive, and obfuscate sensitive data such as the public IP address).

I successfully checked an SSH connection from a WiFi device with a 192.168.0._ address (on the home router attached to ether2)
to an SSH server at 192.168.1._ on ether5.

# jul/26/2019 000000 by RouterOS 6.43.7
# software id = _____
#
# model = 2011UAS-2HnD
# serial number = ____
/interface bridge
add name=bridge1
/interface wireless
set [ find default-name=wlan1 ] band=2ghz-onlyn country=aabbcc \
    default-forwarding=no disabled=no distance=indoors frequency=auto mode=\
    ap-bridge ssid=______ tx-power=12 tx-power-mode=all-rates-fixed \
    wireless-protocol=802.11
/interface ethernet
set [ find default-name=ether1 ] mac-address=________
/interface list
add name=WAN
add name=LAN
/interface wireless security-profiles
set [ find default=yes ] authentication-types=wpa-psk,wpa2-psk eap-methods="" \
    mode=dynamic-keys supplicant-identity=MikroTik
/ip pool
add name=dhcp ranges=192.168.1.121-192.168.1.128
/ip dhcp-server
add address-pool=dhcp disabled=no interface=bridge1 name=dhcp1
/interface bridge filter
# The only bridge filter rule matches ether5 -> ether2 alone. The opposite
# direction (ether2 -> ether5, which is how the SSH test from the untrusted
# side enters) and every other port or wlan1 towards ether2 are not matched.
add action=drop chain=forward comment="Untrusted device" in-interface=ether5 \
    out-interface=ether2
/interface bridge port
# ether2 (uplink of the untrusted router) is an ordinary member of the same
# bridge as ether3..ether10, sfp1 and wlan1, i.e. one shared L2 segment.
# NOTE(review): ports sharing a switch chip may be forwarded by hardware
# offload, which bypasses bridge filter and IP firewall; not visible in this
# export - check the H flag in "/interface bridge port print" to confirm.
add bridge=bridge1 interface=ether2
add bridge=bridge1 interface=ether3
add bridge=bridge1 interface=ether4
add bridge=bridge1 interface=ether5
add bridge=bridge1 interface=ether6
add bridge=bridge1 interface=ether7
add bridge=bridge1 interface=ether8
add bridge=bridge1 interface=ether9
add bridge=bridge1 interface=ether10
add bridge=bridge1 interface=sfp1
add bridge=bridge1 interface=wlan1
/interface bridge settings
# Passes bridged (L2-forwarded) traffic through /ip firewall as well.
set use-ip-firewall=yes
/ip neighbor discovery-settings
set discover-interface-list=LAN
/interface list member
add interface=ether1 list=WAN
add interface=bridge1 list=LAN
/ip address
# The LAN address is bound to bridge port ether2 instead of bridge1 itself;
# the reply in this thread recommends moving it to the bridge interface.
add address=192.168.1.1/24 interface=ether2 network=192.168.1.0
/ip dhcp-client
add dhcp-options=hostname,clientid disabled=no interface=ether1 use-peer-dns=\
    no use-peer-ntp=no
/ip dhcp-server network
add address=192.168.1.0/24 gateway=192.168.1.1 netmask=24
/ip dns
set allow-remote-requests=yes cache-size=8192KiB max-concurrent-queries=10 \
    max-concurrent-tcp-sessions=5 servers=8.8.8.8,8.8.4.4
/ip firewall filter
# These two rules only match packets still carrying a 192.168.0.0/24 address.
# The untrusted router masquerades (per the question), so traffic arriving on
# ether2 presumably already has that router's 192.168.1.x WAN address as
# source and never matches here - verify with the packet counters on these
# two rules.
add action=drop chain=forward comment=\
    "defalut routing disable for Untrased network sevices" dst-address=\
    192.168.0.0/24 src-address=192.168.1.0/24
add action=drop chain=forward comment=\
    "(Reverse) defalut routing disable for Untrased network sevices " \
    dst-address=192.168.1.0/24 src-address=192.168.0.0/24
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
    ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
    ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
    connection-state=established,related
add action=accept chain=forward comment=\
    "defconf: accept established,related, untracked" connection-state=\
    established,related,untracked
add action=accept chain=forward comment="IPTV UDP forwarding" dst-port=5678 \
    in-interface=ether1 protocol=udp src-port=5678
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
add action=drop chain=forward comment=\
    "defconf:  drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
    connection-state=new in-interface-list=WAN
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
# Duplicate of the "drop invalid" rule directly above; never matches anything.
add action=drop chain=input comment="drop invalid packets" connection-state=\
    invalid
add action=drop chain=input comment="detect and drop port scan connections" \
    protocol=tcp psd=21,3s,3,1
add action=jump chain=input comment="jump to chain ICMP" jump-target=ICMP \
    protocol=icmp
add action=accept chain=input comment="IGMP for IPTV" in-interface=ether1 \
    protocol=igmp
add action=accept chain=input comment="IPTV UDP incoming" disabled=yes \
    dst-port=1234 in-interface=ether1 protocol=udp
# No in-interface restriction: the services chain is evaluated for packets
# from every interface, including WAN.
add action=jump chain=input comment="jump to chain services" jump-target=\
    services
add action=accept chain=input comment="Allow Broadcast Traffic" \
    dst-address-type=broadcast
# Catch-all for chain input; the later "drop all not coming from LAN" rule in
# this chain is placed after it and is therefore never reached.
add action=drop chain=input comment="drop everything else"
add action=accept chain=ICMP comment="0:0 and limit for 5pac/s" icmp-options=\
    0:0-255 limit=5,5 protocol=icmp
add action=accept chain=ICMP comment="3:3 and limit for 5pac/s" icmp-options=\
    3:3 limit=5,5 protocol=icmp
add action=accept chain=ICMP comment="3:4 and limit for 5pac/s" icmp-options=\
    3:4 limit=5,5 protocol=icmp
add action=accept chain=ICMP comment="8:0 and limit for 5pac/s" icmp-options=\
    8:0-255 limit=5,5 protocol=icmp
add action=accept chain=ICMP comment="11:0 and limit for 5pac/s" \
    icmp-options=11:0-255 limit=5,5 protocol=icmp
add action=drop chain=ICMP comment="Drop everything else" protocol=icmp
add action=add-src-to-address-list address-list="port scanners" \
    address-list-timeout=2w chain=services comment="Port scanners to list " \
    protocol=tcp psd=21,3s,3,1
add action=add-src-to-address-list address-list="port scanners" \
    address-list-timeout=2w chain=services comment="NMAP FIN Stealth scan" \
    protocol=tcp tcp-flags=fin,!syn,!rst,!psh,!ack,!urg
add action=add-src-to-address-list address-list="port scanners" \
    address-list-timeout=2w chain=services comment="SYN/FIN scan" protocol=\
    tcp tcp-flags=fin,syn
add action=add-src-to-address-list address-list="port scanners" \
    address-list-timeout=2w chain=services comment="SYN/RST scan" protocol=\
    tcp tcp-flags=syn,rst
add action=add-src-to-address-list address-list="port scanners" \
    address-list-timeout=2w chain=services comment="FIN/PSH/URG scan" \
    protocol=tcp tcp-flags=fin,psh,urg,!syn,!rst,!ack
add action=add-src-to-address-list address-list="port scanners" \
    address-list-timeout=2w chain=services comment="ALL/ALL scan" protocol=\
    tcp tcp-flags=fin,syn,rst,psh,ack,urg
add action=add-src-to-address-list address-list="port scanners" \
    address-list-timeout=2w chain=services comment="NMAP NULL scan" protocol=\
    tcp tcp-flags=!fin,!syn,!rst,!psh,!ack,!urg
add action=drop chain=services comment="dropping port scanners" \
    src-address-list="port scanners"
# winbox/DNS/www/ssh accepts below are limited to non-WAN interfaces.
add action=accept chain=services comment="allow winbox" dst-port=8291 \
    in-interface-list=!WAN protocol=tcp
add action=accept chain=services comment="allow DNS" dst-port=53 \
    in-interface-list=!WAN protocol=udp
add action=accept chain=services comment="allow DNS" dst-port=53 \
    in-interface-list=!WAN protocol=tcp
add action=accept chain=services comment="allow www" dst-port=80 \
    in-interface-list=!WAN protocol=tcp
add action=accept chain=services comment="allow ssh" dst-port=22 \
    in-interface-list=!WAN protocol=tcp
# The ftp, IPSEC, PPTP, GRE and web-proxy accepts below carry no
# in-interface-list restriction, so they also apply to packets from WAN.
add action=accept chain=services comment="allow ftp" dst-port=21 protocol=tcp
add action=accept chain=services comment="allow IPSEC" dst-port=4500 \
    protocol=udp
add action=accept chain=services comment="allow IPSEC" protocol=ipsec-esp
add action=accept chain=services comment="allow IPSEC" dst-port=1701 \
    protocol=udp
add action=accept chain=services comment="allow IPSEC" dst-port=500 protocol=\
    udp
add action=accept chain=services comment="PPTP TCP 1723" dst-port=1723 \
    protocol=tcp
add action=accept chain=services comment="SSTP TCP 443" dst-port=443 \
    protocol=tcp src-address-list=ZA
add action=accept chain=services comment="PPTP GRE" protocol=gre
# src-address-list is an empty name here; confirm whether this rule matches
# anything at all (not determinable from the export).
add action=accept chain=services comment="Web proxy" port=62547 protocol=tcp \
    src-address-list=""
add action=drop chain=services comment="drop ftp brute forcers" dst-port=21 \
    protocol=tcp src-address-list=ftp_blacklist
add action=accept chain=output content="530 Login incorrect" dst-limit=\
    1/1m,9,dst-address/1m protocol=tcp
add action=add-dst-to-address-list address-list=ftp_blacklist \
    address-list-timeout=3h chain=output content="530 Login incorrect" \
    protocol=tcp
add action=drop chain=services comment="drop ssh brute forcers" dst-port=22 \
    protocol=tcp src-address-list=ssh_blacklist
add action=add-src-to-address-list address-list=ssh_blacklist \
    address-list-timeout=1w3d chain=services connection-state=new dst-port=22 \
    protocol=tcp src-address-list=ssh_stage3
add action=add-src-to-address-list address-list=ssh_stage3 \
    address-list-timeout=1m chain=services connection-state=new dst-port=22 \
    protocol=tcp src-address-list=ssh_stage2
add action=add-src-to-address-list address-list=ssh_stage2 \
    address-list-timeout=1m chain=services connection-state=new dst-port=22 \
    protocol=tcp src-address-list=ssh_stage1
add action=add-src-to-address-list address-list=ssh_stage1 \
    address-list-timeout=1m chain=services connection-state=new dst-port=22 \
    protocol=tcp
# Unreachable: chain input already ends with "drop everything else" above.
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
    in-interface-list=!LAN
/ip firewall nat
# The first masquerade rule already matches everything leaving via WAN, so
# the second (defconf) rule is shadowed.
add action=masquerade chain=srcnat out-interface-list=WAN
add action=masquerade chain=srcnat comment="defconf: masquerade" \
    ipsec-policy=out,none out-interface-list=WAN
/ip proxy
set enabled=yes max-cache-size=none max-client-connections=1 \
    max-server-connections=1 port=62547
/ip proxy access
add action=deny dst-address=0.0.0.0 src-address=!192.168.1.___
/ip route
add disabled=yes distance=1 gateway=192.168.130.129
/ip service
set telnet disabled=yes
set ftp disabled=yes
set www disabled=yes
# SSH service is restricted to two LAN host addresses.
set ssh address=192.168.1.127/32,192.168.1.59/32
set api disabled=yes
set api-ssl disabled=yes
/ip ssh
set always-allow-password-login=yes
/ip upnp
set allow-disable-external-interface=yes
/ip upnp interfaces
add interface=bridge1 type=internal
add interface=ether1 type=external
/lcd
set backlight-timeout=5m default-screen=stats-all read-only-mode=yes \
    touch-screen=disabled
/routing igmp-proxy
set quick-leave=yes
/routing igmp-proxy interface
add alternative-subnets=0.0.0.0/0 interface=ether1 upstream=yes
add interface=bridge1
/system clock
set time-zone-autodetect=no time-zone-name=//////////
/system scheduler
# Daily at 03:00: checks the "current" channel and, when a new version is
# reported, installs it and reboots the router unattended.
add interval=1d name=check_update on-event="/system package update\r\
    \nset channel=current\r\
    \ncheck-for-updates once\r\
    \n:delay 90s;\r\
    \n:if ( [get status] = \"New version is available\") do={\r\
    \n  install\r\
    \n  :delay 180s;\r\
    \n  /system reboot\r\
    \n}" policy=\
    ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon \
    start-date=nov/18/2018 start-time=03:00:00
# wlan1 is switched off at 00:30 and back on at 06:00 via the two scripts below.
add interval=1d name=sched_d_wlan1 on-event=disable_wlan1 policy=\
    ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon \
    start-date=nov/18/2018 start-time=00:30:00
add interval=1d name=sched_en_wlan1 on-event=enable_wlan1 policy=\
    ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon \
    start-date=nov/18/2018 start-time=06:00:00
/system script
add dont-require-permissions=no name=disable_wlan1 owner=admin policy=\
    ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon source=\
    "interface wireless disable wlan1"
add dont-require-permissions=no name=enable_wlan1 owner=admin policy=\
    ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon source=\
    "interface wireless enable wlan1"
/tool bandwidth-server
set enabled=no
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN

I think you should properly separate ether2 from the rest of the LAN on L2 by removing ether2 from the bridge, and then allow the needed communication by routing and firewalling. You'd need a separate subnet (probably a /30 would do) for the link between the RB and the "untrusted network"'s gateway.

If you go this way, be sure to move the LAN IP address from ether2 to the bridge interface (where it should have been bound already).

Thanks, I will try to understand your reply later (at the moment I don't understand "separate subnet" and "to bridge 'interface' (where it should have been bound already)").
Maybe there is a howto or tutorial for exactly my situation, based on your answer?

But why does the L2 firewall for the bridge not work properly, and why doesn't the IP firewall catch the forwarded packets — or is the whole separate concept above the mistake? I saw advice like this before and tried it… was I mistaken? Then where is my mistake?