Hello guys,
I have quite a simple question, but .. I have a static IP and I’ve created a VPN for myself and an RDP connection to the network (I know this is not very secure, but I will use this very rarely and most of the time this computer will be off), and the question is .. how should I secure the MikroTik more from outside attacks? Or is this enough?
/ip firewall filter
add chain=input comment="accept established,related" connection-state=established,related
add chain=input comment="allow pptp" dst-port=1723 protocol=tcp
add action=drop chain=input connection-state=invalid
add chain=input comment="allow Winbox" in-interface=ether1-gateway port=8291 protocol=tcp
add action=drop chain=input comment="block everything else" in-interface=ether1-gateway
add action=fasttrack-connection chain=forward connection-state=established,related
add chain=forward connection-state=established,related
add action=drop chain=forward connection-state=invalid
add action=drop chain=forward connection-nat-state=!dstnat connection-state=new disabled=yes
what do you think?
What you have is almost the same as the default firewall + PPTP
When you have FastTrack you have to check "untracked" in the connection-state of the input and forward chains.
You are asking about security and using PPTP? That’s the first thing to get rid of.
Disable any services that you don’t use. Also, why the forward chain? Don’t you trust your LAN side?
Check these links
https://help.mikrotik.com/docs/display/ROS/Securing+your+router
https://help.mikrotik.com/docs/display/ROS/Building+Your+First+Firewall
https://help.mikrotik.com/docs/display/ROS/Building+Advanced+Firewall
https://help.mikrotik.com/docs/pages/viewpage.action?pageId=28606504
I think: DoS attacks must be blocked from your ISP.
own3r1138 - thank you! I will read those
and what else should I use instead of PPTP?
"also why forward chain you don’t trust your LAN side?" - I do, this is maybe my mistake
thx, I will correct it
rextended - sure, but you know, more secure is not so bad a thing, I think
I explain myself better (I hope)
drop all remaining at the end is how the firewall must be set, and is the only one that counts (if you do not put absurd "accept" rules before it…)
but do not deplete the CPU trying to block DDoS attacks,
or put dozens of useless rules inside the firewall…
Only your ISP can help with that…
rextended - I understand, but have no idea what I should delete
should I use only "add action=drop chain=forward connection-nat-state=!dstnat connection-state=new disabled=yes" or what exactly do you think, please? And be aware I am kind of a newbie ..
In your rules I do not see something like this:
/ip firewall filter
add chain=input action=accept protocol=icmp
add chain=input action=accept dst-address=127.0.0.1
also read what @own3r1138 has written
For reference, the default firewall rules for IPv4 and IPv6 are:
http://forum.mikrotik.com/t/buying-rb1100ahx4-dude-edition-questions-about-firewall/148996/4
why should I use ICMP? I don’t get it
And with your rules of course I cannot use RDP or VPN, and I need at least one .. Of course the RDP computer will be turned on only when I need it .. so maybe this one?
/ip firewall nat
add action=dst-nat chain=dstnat dst-port=1570 in-interface=ether1-gateway log=yes protocol=tcp to-addresses=192.168.88.100 to-ports=3389
ICMP is not only used for “PING”, but also for PMTUD… read this:
https://en.wikipedia.org/wiki/Path_MTU_Discovery
Instead of nickeling and diming the OP,
just go to this link and choose Option/Para B. - https://forum.mikrotik.com/viewtopic.php?t=182373
Besides that, this tells me you don’t really know what the firewall rules do and need to learn more before adding rules to the default.
DANGER
add chain=input comment="allow Winbox" in-interface=ether1-gateway port=8291 protocol=tcp
Why would you allow input FROM the WAN to your Winbox port?
Why would you use the default port anyway?
Another clue you don’t know what you are doing:
MISSING the action function in many rules, including the danger rule above, which saves your bacon in that respect!!
- ok, I’ve learnt something new, thx
- yes, you are correct .. maybe I should read "a little bit more" before I mess with FW rules ..
ok, I will read it tomorrow, today I just created two rules ..
/ip firewall filter
add chain=input action=accept protocol=icmp - this is for the MTU path
add chain=input action=accept dst-address=127.0.0.1 - this drops everything that comes from the WAN and wasn’t asked for
am I right?
Do yourself a favor: first, read all of the above links and topics (very helpful), then add new rules.
add chain=input action=accept protocol=icmp - this is for MTU path
I posted the recommendations for ICMP, although you should monitor your network and reduce these rules to what you actually use in your network.
https://www.iana.org/assignments/icmp-parameters/icmp-parameters.xhtml
/ip firewall filter add chain=input action=accept dst-address=127.0.0.1
this will allow any incoming traffic whose destination is 127.0.0.1
but this rule will drop whatever is not coming from your LAN interface list
/ip firewall filter add action=drop chain=input comment="Drop all not coming from LAN" in-interface-list=!LAN
TIP this rule should be the last rule in your input chain.
/ip firewall filter
add action=jump chain=input comment="ICMP Flow" jump-target=ICMP protocol=icmp
add action=accept chain=ICMP icmp-options=0:0 protocol=icmp
add action=accept chain=ICMP icmp-options=3:0-4 protocol=icmp
add action=accept chain=ICMP icmp-options=3:9-10 protocol=icmp
add action=accept chain=ICMP icmp-options=3:13 protocol=icmp
add action=accept chain=ICMP icmp-options=8:0 protocol=icmp
add action=accept chain=ICMP icmp-options=11:0-1 protocol=icmp
add action=accept chain=ICMP icmp-options=12:0 protocol=icmp
add action=drop chain=ICMP log=yes log-prefix=--->ICMP
add action=accept chain=input comment="Established Connections" connection-state=established,related,untracked
add action=drop chain=input comment=Invalid connection-state=invalid
add action=accept chain=input comment="IP Services" dst-port=WINBOX protocol=tcp
add action=drop chain=input comment="Drop all not coming from LAN" in-interface-list=!LAN
add action=jump chain=forward comment="Jump Flow" jump-target=ICMP protocol=icmp
add action=accept chain=forward comment="IPsec Policy" ipsec-policy=in,ipsec
add action=accept chain=forward ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment=FastTrack connection-state=established,related hw-offload=yes
add action=accept chain=forward comment="Established Connections" connection-state=established,related,untracked
add action=reject chain=forward comment=Invalid connection-state=invalid reject-with=icmp-admin-prohibited
add action=drop chain=forward comment="Drop all from WAN not DSTNATed" connection-nat-state=!dstnat connection-state=new in-interface-list=WAN
add action=reject chain=output comment=Invalid connection-state=invalid reject-with=icmp-admin-prohibited
add action=jump chain=output comment="Jump Flow" jump-target=ICMP protocol=icmp
Avoid anything that smells of "cute, I think this will be the result" and so forth, or "wouldn’t this be nice…"
Go with fact!!
thank you guys! I promise that I will read all of your links and study them properly, but tomorrow, today it is quite late
but I did this:
/ip firewall filter
add chain=input action=accept protocol=icmp
add chain=input action=accept dst-address=127.0.0.1
this I didn’t add, because of "expected end of command (line 1 column 68)":
add action=drop chain=input comment="Drop all not coming from LAN" in-interface-list=!LAN
in-interface-list=!LAN - here is some error, but Friday is the day
There is no problem with the command, maybe you didn’t add /ip firewall filter
/ip firewall filter
add chain=input action=accept dst-address=127.0.0.1
This permits the correct functionality of the internal CPU loopback interface ("localhost"),
nothing to do with WAN or LAN.
This permits the correct behavior of CPU-internal functions like CAPsMAN, WireGuard, and others.
The 127.0.0.1 traffic cannot come from the WAN, nor from the LAN either, because each device knows that that IP is its own "localhost" IP…
Ah, I see, thank you for making this clear. I thought this was only for CAPsMAN and didn’t know this rule has anything to do with other services, e.g. WG.
guys you are awesome
I’ve read the links which you gave me and I have this BIG HEAD from it
ok, nevermind, I need to study a little bit more .. but is it possible to simply do this? :
- allow remote access only from one IP (via RDP)
- drop everything else, so that no one can even see the MikroTik login page
I know how to do the first one, but I don’t know how to restrict it to only one IP, maybe like this? :
/ip firewall nat
add action=dst-nat chain=dstnat dst-port=1572 in-interface=ether1-gateway log=yes protocol=tcp src-address=50.48.42.147 to-addresses=192.168.88.45 to-ports=3389
If you are contacting a server behind the router, a correct dst-nat is the way to go; you need the generic allow rule in the forward chain to allow port-forwarded type traffic, and all the details for the traffic flow are in the dst-nat rule. Having a source address on the dst-nat rule is an excellent idea!!
The safe way to access the router itself for config purposes from an external location is ONLY by VPN.
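As an added example (this is not code posted by anyone in the thread), here is one way to put the last two posts together in RouterOS CLI: a dst-nat for RDP that only matches one source address, the generic forward-chain accept for port-forwarded traffic placed before the final drop, an input chain that exposes nothing but the VPN port to the WAN, and the management services bound to the LAN so the login page and Winbox are not reachable from outside even if a filter rule is ever disabled. The interface lists WAN and LAN (as in the default configuration), the LAN host 192.168.88.45, the external port 1572, the address-list name rdp_admin, the placeholder admin address 203.0.113.10 and the WireGuard port 13231 are assumptions for this example; the WireGuard rule stands in for whatever VPN replaces PPTP.

```routeros
# Added example, not from the thread. Assumes interface lists WAN (containing
# ether1-gateway) and LAN already exist, as they do in the default configuration.

# Keep the allowed remote address in an address list so the rules stay readable
# and a second address can be added later without touching the rules.
# 203.0.113.10 is a constructed placeholder: replace it with your real static IP.
/ip firewall address-list
add list=rdp_admin address=203.0.113.10 comment="admin static IP (placeholder)"

# dst-nat only for that source: anyone else hitting port 1572 never matches this
# rule, so the connection is treated like any other unsolicited WAN packet.
/ip firewall nat
add chain=dstnat action=dst-nat in-interface-list=WAN protocol=tcp dst-port=1572 \
    src-address-list=rdp_admin to-addresses=192.168.88.45 to-ports=3389 \
    log=yes log-prefix="RDP-IN" comment="RDP to 192.168.88.45 from admin IP only"

/ip firewall filter
# forward chain: the generic allow for port-forwarded (dst-nat) traffic sits
# before the final drop, so only connections that passed a dst-nat rule get in.
add chain=forward action=accept connection-state=established,related,untracked \
    comment="Established Connections"
add chain=forward action=drop connection-state=invalid comment="Invalid"
add chain=forward action=accept connection-state=new connection-nat-state=dstnat \
    in-interface-list=WAN comment="Allow port-forwarded (dst-nat) traffic from WAN"
add chain=forward action=drop connection-state=new connection-nat-state=!dstnat \
    in-interface-list=WAN comment="Drop all from WAN not DSTNATed"

# input chain: the router itself answers the WAN only on the VPN port.
# Winbox, SSH and the web login page are never accepted from the WAN at all.
add chain=input action=accept connection-state=established,related,untracked \
    comment="Established Connections"
add chain=input action=drop connection-state=invalid comment="Invalid"
add chain=input action=accept protocol=icmp comment="ICMP (ping, PMTUD)"
add chain=input action=accept dst-address=127.0.0.1 comment="Loopback (CAPsMAN etc.)"
# assumed VPN port: 13231/udp is the WireGuard listen port used in this example
add chain=input action=accept protocol=udp dst-port=13231 in-interface-list=WAN \
    comment="VPN (WireGuard, assumed port)"
add chain=input action=drop in-interface-list=!LAN comment="Drop all not coming from LAN"

# Second layer: bind the management services to the LAN subnet and switch off
# the ones that are not used, so a mistake in the filter rules alone does not
# expose the login page.
/ip service
set winbox address=192.168.88.0/24
set ssh address=192.168.88.0/24
disable telnet,ftp,www,api,api-ssl
```

Rule order matters in both chains: the established/related/untracked accept comes first for the FastTrack case the thread mentions, the dst-nat accept must come before the "not DSTNATed" drop, and the "Drop all not coming from LAN" rule stays last in the input chain. After applying, the RDP log prefix RDP-IN in /log makes it easy to confirm that only the listed source address ever triggers the NAT rule.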