I have a working hotspot running version 3.4 on a RB150.
What I would like to do now is lock down the hotspot before I put this into production. I have played with the firewall for the last few days and I have gotten it to do a few things I want, but still it's not where I want it to be.
I have looked over the wiki and can't find a how-to on securing a hotspot. All I really want to do is:
limit access to the hotspot router (only ssh from certain LAN IPs)
block all access to hotspot router from WLAN
block all access to internet router from WLAN
So if anyone knows of a good how-to for securing a hotspot, please let me know.
Take a look at the “Firewall Filter” section of the docs. At the bottom, there are a couple examples of “how to protect your router” and “how to protect your customers”.
I add this line to the filter examples so my computers can have access:
/ip firewall filter add chain=input action=accept src-address=xxx.xxx.xxx.xxx/yy place-before=0
change xxx.xxx.xxx.xxx/yy to your wan IP/netmask.
Thanks for your help. I have had a look at that documentation and I am still trying to digest all of it.
The thing is, when you create the hotspot you get 11 firewall rules and 17 NAT rules right off the bat. They just appear. So when I want to add rules (and I have), I don't know where to put them. The rules I add (just like the one you suggested) do not take effect.
So until I understand how things are jumping, forwarding, inputting and outputting, I am a little lost.
The rules in the filter are applied in the order in the filter list.
/ip firewall filter print
Once a rule applies, and it is not any type of jump or fallthrough, the filter looks no further. For example:
/ip firewall filter add chain=input action=accept src-address=68.99.58.96/27
/ip firewall filter add chain=input action=drop
This allows access to all functions on the router from the IP set 68.99.58.96/27, because the first rule applies, and the second is never used.
All other IPs are blocked by the second rule, since the first rule does not apply to them.
If you place any rules after that second one, they will never be checked. The second rule applies to everybody and drops everything.
To add a rule out of order, use place-before with the add command like:
/ip firewall filter add chain=input action=accept protocol=icmp place-before=1
This will place this rule as rule 1 and move the current rule 1 to rule 2.
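The first-match behaviour and the place-before insertion described in the post above, modelled in a small Python script. This is an added example, not code from the thread or from MikroTik: the Rule/Filter classes, the 203.0.113.x test addresses and the "stranger"/"lan_admin" labels are constructed for the illustration; the 68.99.58.96/27 network and the place-before=1 ICMP rule are the ones the post uses.

```python
"""Model of RouterOS first-match filter evaluation (added example, not from the thread)."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class Rule:
    chain: str
    action: str                         # "accept" or "drop" (terminal actions only)
    src_address: Optional[str] = None   # CIDR such as "68.99.58.96/27"
    protocol: Optional[str] = None      # e.g. "icmp"; None matches any protocol
    hits: int = 0                       # how often this rule decided a packet

    def matches(self, chain: str, src: str, proto: str) -> bool:
        if self.chain != chain:
            return False
        if self.src_address is not None:
            net = ipaddress.ip_network(self.src_address, strict=False)
            if ipaddress.ip_address(src) not in net:
                return False
        if self.protocol is not None and self.protocol != proto:
            return False
        return True


class Filter:
    """Ordered rule list, like '/ip firewall filter print' shows it (0-based numbering)."""

    def __init__(self) -> None:
        self.rules: List[Rule] = []

    def add(self, rule: Rule, place_before: Optional[int] = None) -> None:
        """'add ... place-before=N' inserts at index N; without it the rule is appended."""
        if place_before is None:
            self.rules.append(rule)
        else:
            self.rules.insert(place_before, rule)

    def evaluate(self, chain: str, src: str, proto: str = "tcp") -> str:
        """Walk the chain top to bottom; the first matching rule decides and nothing below is consulted.
        With no match at all, RouterOS lets the packet through (default accept)."""
        for rule in self.rules:
            if rule.matches(chain, src, proto):
                rule.hits += 1
                return rule.action
        return "accept"

    def listing(self) -> List[str]:
        return [f"{i} chain={r.chain} action={r.action}"
                + (f" src-address={r.src_address}" if r.src_address else "")
                + (f" protocol={r.protocol}" if r.protocol else "")
                for i, r in enumerate(self.rules)]


def thread_example():
    """Reproduce the post: accept one subnet, drop the rest, then show why an appended
    rule is dead and how place-before=1 fixes it. Returns (before, after, dead_rule_hits)."""
    f = Filter()
    f.add(Rule("input", "accept", src_address="68.99.58.96/27"))   # rule 0 (from the post)
    f.add(Rule("input", "drop"))                                    # rule 1: drops everybody else
    f.add(Rule("input", "accept", protocol="icmp"))                 # rule 2: appended after drop-all

    # Constructed test traffic: 68.99.58.100 is inside the accepted /27, 203.0.113.5 is not.
    before = {
        "lan_admin": f.evaluate("input", "68.99.58.100"),
        "stranger": f.evaluate("input", "203.0.113.5"),
        "stranger_ping": f.evaluate("input", "203.0.113.5", "icmp"),
    }
    dead_rule_hits = f.rules[2].hits   # rule 2 never decided anything: rule 1 ate the ping

    # Now add it the way the post says: place-before=1 moves the old rule 1 down to rule 2.
    f.add(Rule("input", "accept", protocol="icmp"), place_before=1)
    after = {
        "lan_admin": f.evaluate("input", "68.99.58.100"),
        "stranger": f.evaluate("input", "203.0.113.5"),
        "stranger_ping": f.evaluate("input", "203.0.113.5", "icmp"),
    }
    return before, after, dead_rule_hits


if __name__ == "__main__":
    b, a, dead = thread_example()
    print("before place-before:", b, "| hits on appended icmp rule:", dead)
    print("after  place-before:", a)
```

The listing() method shows the index that place-before refers to, which is the same index printed by /ip firewall filter print; checking that listing before adding a rule is the quickest way to see whether the new rule will land above or below the catch-all drop.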
192.168.4.10 is the IP of the internet router. This did not work.
I then noticed that port 80 gets redirected to ports 64784-64785. So now this type of traffic looks internal to the router, so it's not really forwarding anymore. I changed the rule to:
Maybe it is just me, but all that is done by the “protect your router” firewall example. And I think if you want to protect your router, the input chain is the vulnerable one.
I am talking about the DSL router here, not the hotspot router. I did the “protect your router” example and disabled services etc. My hotspot router is already locked down. It's the one-hop-away router I was worried about. By default it was vulnerable to several attacks.