how to setup a correct firewall rules when the Mikrotik is behind the ISP modem

RouterOS Beginner Basics
1

Hello guys,

I am trying to add the correct firewall rules on my mikrotik router.

The router is running behind the ISP modem. The WAN interface (eth1) has a static IP address on 192.168.1.0/30 ( .2 is the Mikrotik .1 is the ISP) than the LAN has a 192.168.88.0/24 subnet.
I have disabled the DHCP on the ISP modem (because it’s not possible to convert it to Bridge, it’s a VDSL modem :smiley: ) and I added the mikrotik IP to the DMZ (to avoid any port filter from the ISP modem)

I have 2 services actually running and working fine on the Mikrotik (OpenVPn and L2TP IPsec) . No issue with all off them . I have changed the default port for ssh, ftp, web. the cli is accessible only by ssh with a sshkey. But I am still feeling unsecure :slight_smile:.

I don’t have too much rules running on and I would like to get your help to setup them in a proper way. Thank you in advance

/ip firewall filter
add action=accept chain=input comment="accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=input comment="drop invalid" connection-state=invalid
add action=accept chain=input comment="accept ICMP" protocol=icmp
add action=accept chain=input comment="accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=accept chain=forward comment="accept in ipsec policy" ipsec-policy=in,ipsec
add action=accept chain=forward comment="accept out ipsec policy" ipsec-policy=out,ipsec
add action=accept chain=forward connection-mark=TV
add action=accept chain=input dst-port=1194 protocol=tcp
add action=fasttrack-connection chain=forward comment=fasttrack connection-state=established,related
add action=accept chain=forward comment="accept established,related, untracked" connection-state=established,related,untracked
add action=drop chain=forward comment="drop invalid" connection-state=invalid
add action=drop chain=forward comment="drop all from WAN not DSTNATed" connection-nat-state=!dstnat connection-state=new disabled=yes in-interface-list=WANList
add action=drop chain=input comment="drop all not coming from LAN" disabled=yes in-interface-list=!LANList log=yes
add action=accept chain=input comment="default configuration" connection-state=established,related
add action=accept chain=input src-address-list=allowed_to_router
add action=drop chain=input comment=winbox dst-port=8291 in-interface=WAN protocol=tcp
add action=drop chain=input comment=winbox dst-port=8291 in-interface=WAN log=yes protocol=tcp
2

My VDSL modem can be put into bridge mode in the following way:

  1. disable PPPoE client i.e. disable WAN
  2. start pppoe client on Mikrotik, bound to WAN interface (ether1)
  3. add pppoe-out1 interface to WAN interface list

The recipe above probably doesn’t work if your ISP doesn’t use PPPoE.


If you keep using current double-NAT setup, then you have to consider ether1 as WAN interface, regardless the IP address (being a private one).

3

Thank you for your reply.

My VDSL is quite different. it’s a Zyxel ZXHN H267A V1.0 I don’t know if I can convert as you said.

I still need PPPoE user and pass VCI and VPI settings plus the Vlan the ISP is using

4

Well for starters, its cleaner and less prone to errors if you group the chains together …
That way you can see the order within a chain more readily etc..
rules out of order
Irules need modifying
rules to remove
rules missing

/ip firewall filter
{input chain}
add action=accept chain=input comment=“accept established,related,untracked” connection-state=established,related,untracked
add action=drop chain=input comment=“drop invalid” connection-state=invalid
add action=accept chain=input comment=“accept ICMP” protocol=icmp
add action=accept chain=input comment=“accept to local loopback (for CAPsMAN)” dst-address=127.0.0.1
add action=accept chain=input dst-port=1194 protocol=tcp
add action=drop chain=input comment=“drop all not coming from LAN” disabled=yes in-interface-list=!LANList log=yes
add action=accept chain=input comment=“default configuration” connection-state=established,related
add action=accept chain=input src-address-list=allowed_to_router
add action=drop chain=input comment=winbox dst-port=8291 in-interface=WAN protocol=tcp
add action=drop chain=input comment=winbox dst-port=8291 in-interface=WAN log=yes protocol=tcp

{forward chain - basically fine}
add action=accept chain=forward comment=“accept in ipsec policy” ipsec-policy=in,ipsec
add action=accept chain=forward comment=“accept out ipsec policy” ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment=fasttrack connection-state=established,related
add action=accept chain=forward comment=“accept established,related, untracked” connection-state=established,related,untracked
add action=drop chain=forward comment=“drop invalid” connection-state=invalid
add action=drop chain=forward comment=“drop all from WAN not DSTNATed” connection-nat-state=!dstnat connection-state=new disabled=yes in-interface-list=WANList

TO

/ip firewall filter
{input chain}
add action=accept chain=input comment=“accept established,related,untracked” connection-state=established,related,untracked
add action=drop chain=input comment=“drop invalid” connection-state=invalid
add action=accept chain=input comment=“accept ICMP” protocol=icmp
add action=accept chain=input comment=“accept to local loopback (for CAPsMAN)” dst-address=127.0.0.1
add action=accept chain=input dst-port=1194 protocol=tcp in-interface-list=WAN
add action=accept chain=input src-address-list=allowed_to_router in-interface-list=LAN
add action=drop chain=input comment=“drop all not coming from LAN” in-interface-list=!LANList log=yes

Notes:
Duplicate established related line removed
Input port for VPN is from the WAN and thus limited such access to what is required
Source address list allowed to router limited to LAN access, and thus limited only to interfaces required.
LAst input chain rule was ENABLED as it effectively blocks any WAN access and only allows LAN access for things like DNS or NTP from clients.

Now the discussion is why have the source address access list for LAN access (admins) to the router but later allow ALL LAN users access to the LAN by the last rule.
Suggesting if you want to limit access to the router do it two steps and instead of the block all not from the LAN rule create two rules.
a. Allow LAN users access to the router for DNS only both udp and tcp (similar rules for NTP is providing that as a service)
b. last rule , drop all else. ( drops all wan to router and all lan to router not authorized)

So it would look like
/ip firewall filter
{input chain}
add action=accept chain=input comment=“accept established,related,untracked” connection-state=established,related,untracked
add action=drop chain=input comment=“drop invalid” connection-state=invalid
add action=accept chain=input comment=“accept ICMP” protocol=icmp
add action=accept chain=input comment=“accept to local loopback (for CAPsMAN)” dst-address=127.0.0.1
add action=accept chain=input dst-port=1194 protocol=tcp in-interface-list=WAN
add action=accept chain=input src-address-list=allowed_to_router in-interface-list=LAN
add action=accept chain=input comment=“Allow LAN DNS queries-UDP”
connection-state=new dst-port=53 in-interface-list=LAN protocol=udp
add action=accept chain=input comment=“Allow LAN DNS queries - TCP”
connection-state=new dst-port=53 in-interface-list=LAN protocol=tcp
add action=drop chain=input comment=“DROP ALL ELSE”

5

Hi anav,

thank you very much.

I have adjusted all of them based on your suggestion. See below

I added some more rules for the L2TP traffic (udp port 500 was blocked and I was not able to establish the LT2P tunnel)
I have included port 4500 and 1710 as well and I have excluded the 70.0/30 subnet because I was not able to navigate thru the NordVPN tunnel

/ip firewall filter
add action=accept chain=input comment="accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=input comment="drop invalid" connection-state=invalid
add action=accept chain=input comment="accept ICMP" protocol=icmp
add action=accept chain=input comment="accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=accept chain=input dst-port=1194 in-interface-list=WANList protocol=tcp
add action=accept chain=input in-interface-list=LANList src-address-list=allowed_to_router
add action=accept chain=input comment=allowlanDNSqueries connection-state=new dst-port=53 in-interface-list=LANList protocol=udp
add action=accept chain=input comment=allowlanDNSqueries connection-state=new dst-port=53 in-interface-list=LANList protocol=tcp
add action=accept chain=input dst-port=4500 log=yes protocol=udp
add action=accept chain=input dst-port=1701 protocol=udp
add action=accept chain=input dst-port=500 protocol=udp
add action=accept chain=input src-address=192.168.70.0/30
add action=drop chain=input comment="drop all else"
add action=accept chain=forward comment="accept in ipsec policy" ipsec-policy=in,ipsec
add action=accept chain=forward comment="accept out ipsec policy" ipsec-policy=out,ipsec
add action=accept chain=forward connection-mark=TV
add action=fasttrack-connection chain=forward comment=fasttrack connection-state=established,related
add action=accept chain=forward comment="accept established,related, untracked" connection-state=established,related,untracked
add action=drop chain=forward comment="drop all from WAN not DSTNATed" connection-nat-state=!dstnat connection-state=new in-interface-list=WANList
add action=drop chain=forward comment="drop invalid" connection-state=invalid

Thanks to your post I learnt how the firewall is basically working on the Mikrotik.

Suggesting if you want to limit access to the router do it two steps and instead of the block all not from the LAN rule  create two rules.

Yes my attempt was to secure the access to the router but I got confused on how the rules are processed, how they need to be written (the order). I have just a basic experience on firewall (not for mikrotik) but here the chain were confusing me.

6

Hi there… taking a look at the changes… some mods for accuracy.

add action=accept chain=input dst-port=4500 log=yes protocol=udp in-interface-list=WAN
add action=accept chain=input dst-port=1701 protocol=udp in-interface-list=WAN
add action=accept chain=input dst-port=500 protocol=udp in-interface-list=WAN

as for this one…
add action=accept chain=input src-address=192.168.70.0/30 (two useable IP addresses??)

What is the purpose of this rule…?
If its an IP address that you want to have full access to the router (so it seems), simply add it to the firewall address list
If its a separate interface like a VPN coming into the LAN, then yes I can see if you want to VPN in and then config the router it is a viable entry
but its difficult to determine not seeing the rest of the config.

7

Hi umam83,
I have almost the same configuration, which is basically a cut and paste from the old wiki/new spaces:

/ip firewall address-list
add address=192.168.0.2-192.168.0.254 list=allowed_to_router
add address=0.0.0.0/8 comment=RFC6890 list=not_in_internet
add address=172.16.0.0/12 comment=RFC6890 list=not_in_internet
add address=192.168.0.0/16 comment=RFC6890 list=not_in_internet
add address=10.0.0.0/8 comment=RFC6890 list=not_in_internet
add address=169.254.0.0/16 comment=RFC6890 list=not_in_internet
add address=127.0.0.0/8 comment=RFC6890 list=not_in_internet
add address=224.0.0.0/4 comment=Multicast list=not_in_internet
add address=198.18.0.0/15 comment=RFC6890 list=not_in_internet
add address=192.0.0.0/24 comment=RFC6890 list=not_in_internet
add address=192.0.2.0/24 comment=RFC6890 list=not_in_internet
add address=198.51.100.0/24 comment=RFC6890 list=not_in_internet
add address=203.0.113.0/24 comment=RFC6890 list=not_in_internet
add address=100.64.0.0/10 comment=RFC6890 list=not_in_internet
add address=240.0.0.0/4 comment=RFC6890 list=not_in_internet
add address=192.88.99.0/24 comment="6to4 relay Anycast [RFC 3068]" list=not_in_internet
add list=ddos-attackers
add list=ddos-targets
/ip firewall filter
add action=fasttrack-connection chain=forward comment=fasttrack connection-state=established,related
add action=accept chain=input comment="accept established,related" connection-state=established,related
add action=accept chain=input comment="accept ICMP" protocol=icmp
add action=accept chain=input comment="lan access to router" in-interface-list=LAN src-address-list=allowed_to_router
add action=accept chain=input comment="openvpn access" dst-port=1194 in-interface-list=WAN protocol=tcp
add action=drop chain=input comment="drop everything else" in-interface-list=!LAN log-prefix=!LAN
add action=accept chain=forward comment="established, related" connection-state=established,related
add action=drop chain=forward comment="drop invalid" connection-state=invalid dst-address-type="" fragment=no log=yes log-prefix=invalid src-address-type=""
add action=drop chain=forward comment="drop tries to reach not public addresses from LAN" dst-address-list=not_in_internet in-interface-list=LAN log=yes log-prefix=!public_from_LAN out-interface-list=!LAN
add action=drop chain=forward comment="drop incoming packets that are not NAT`ted" connection-nat-state=!dstnat connection-state=new in-interface-list=WAN log=yes log-prefix=!NAT
add action=drop chain=forward comment="drop incoming from internet which is not public IP" in-interface-list=WAN log=yes log-prefix=!public src-address-list=not_in_internet
add action=drop chain=forward comment="drop packets from LAN that do not have LAN IP" in-interface-list=LAN log=yes log-prefix=LAN_!LAN src-address=!192.168.0.0/24
add action=jump chain=forward connection-state=new in-interface-list=WAN jump-target=detect-ddos
add action=return chain=detect-ddos dst-limit=32,32,src-and-dst-addresses/10s
add action=add-dst-to-address-list address-list=ddos-targets address-list-timeout=10m chain=detect-ddos log=yes
add action=add-src-to-address-list address-list=ddos-attackers address-list-timeout=10m chain=detect-ddos log=yes
/ip firewall nat
add action=masquerade chain=srcnat out-interface-list=WAN src-address=192.168.0.0/24
/ip firewall raw
add action=drop chain=prerouting dst-address-list=ddos-targets src-address-list=ddos-attackers

So far everything looks fine, I have been running on RB1100AHx4 for months now. My only concern is (if I may ask it in your post) the ddos detection. I cannot seem to understand how/if it works. New connections from WAN seem to go straight to drop, instead of the forward.

8

Hi James,

here you can find more about this specific rules and how they work.

https://help.mikrotik.com/docs/pages/viewpage.action?pageId=28606504

9

Thanks again.

I will correct also those rules . Regarding the subnet 70.0/30 is basically 1 host pc I am using thru the NordVPN tunnel. I will add to the address list and I will test.

Thank you for the advice

10

Yup if it doesnt work on the address list, then your creation of another input rule is the other option (both are okay).
I am just not sure if you simply need to name the interface or put in the subnet, or put in the IP address etc… (again havent seen the rest of the config).
I would be tempted if firewall address does not work…

add chain=input action=accept in-interface=opnvpn-name source-address=???\

The problem is that if the OPNVPN-1 you are using for remote access is not the LAN interface list, it will not be seen on the primary allow Admin access rule, so I addressed this below.


The other option to look into is
interface list names…
Personally for me the LAN as the input interface list on admin rules is too wide if one has many vlans…
For example if I have
vlan10 home wired and wireless
vlan20 guests
vlan 30 thermostats etc.
vlan 40 media
vlan 50 cameras
vlan 99 management

My rule would be
add chain=input action=accept comment=“Allow Admin Access” in-interface-list=MGMT src-address-list=authorized
Where I have created a management interface list…

/interface list
add blah blah WAN
add blah blah LAN
add blah blah INTERNET ACCESS
add name= MGMT

/Interface list member
add interface=vlan 99 list=MGMT
add interface=opnvpn-1 list=MGMT

Then the basic rule ALSO works…
/tool mac-server mac-winbox
set allowed-interface-list=MGMT

(note: Alternatively if vlan10 , your home vlan is the trusted vlan it could be used instead of vlan99.)

11

If it’s L2TP/IPSec, more useful addition than in-interface-list=WAN (I’m not sure if that help anything) would be ipsec-policy=in,ipsec (only for this port, not the other two), because you want to allow only L2TP encrypted by IPSec.

12

Which Chain ? Rule ? SourceNat? Forward Chain?

13

Sorry for the late answer.

so for the Nordvpn, the mikrotik is working as client (no interface has been created) . The subnet is routed thru the tunnel and to confirm, yes the I added the host to address-list and the rule is working fine.

I didn’t separate the network in Vlans, for the access I have create a loopback interface /32 and I ssh on it.

14

Thank you Sob for your reply.

I have 3 VPN services in total. The mikrotik router is my L2TP IPSEC server and it is also connected to NordVPN but I have also my own OpenVPN server running on my Raspberry Pi :smiley:

15

This would be for incoming L2TP/IPSec.