Individual firewall and Node-RED port problem

RouterOS General
1

So far, I have been using the default firewall because it is generally considered to provide very good protection. However, for beginners it is not very clear, especially when you want to introduce isolating rules, e.g. main network from guest network etc. So, with the help of a network expert, we created our own firewall rules and so far I haven’t noticed any problems.

Firewall:

/ip firewall connection tracking
set udp-timeout=10s
/ip firewall filter
add action=drop chain=input connection-state=invalid in-interface-list=WAN
add action=accept chain=input comment="Start - Firewall for WAN" \
    connection-state=established,related in-interface-list=WAN
add action=accept chain=input dst-port=8291 in-interface-list=WAN \
    protocol=tcp
add action=accept chain=input in-interface-list=WAN protocol=icmp
add action=drop chain=input comment="End - Firewall for WAN" \
    in-interface-list=WAN
add action=accept chain=input comment="Start - Blocking guest network acces\
    s to the router and main gateway." connection-state=\
    established,related in-interface-list=Guest
add action=accept chain=input comment="Allowing guests to DNS query" \
    dst-port=53 in-interface-list=Guest protocol=udp
add action=drop chain=input comment=\
    "End - Blocking guest network access to the router and main gateway." \
    in-interface-list=Guest
add action=accept chain=forward in-interface-list=Guest \
    out-interface-list=WAN
add action=accept chain=forward connection-state=established,related \
    in-interface-list=WAN out-interface-list=Guest
add action=drop chain=forward in-interface-list=Guest
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" \
    ipsec-policy=out,none out-interface-list=WAN

Unfortunately, since yesterday I have had a problem connecting Node-RED with Home Assistant. To be precise, it returns me the following message:
[error] Unable to listen on http://127.0.0.1:1880/
[error] Error: port in use

I even changed the default port 1880 to 2741, but the same thing happens every time. I suspect it’s the fault of the firewall or loopback, which is set by default in the RouterOS configuration.

BTW: What do you think about my firewall rules?

Thank you in advance for any tips.

2

Why do you allow winbox access (TCP port 8291) from WAN? Winbox is not a very secure protocol.

The implicit action of firewall is to accept packets which were not dropped due to explicit rules. Your rules only deal with some specific packets, so they will slip some traffic.
So your firewall is not as bullet-proof as you wish it would be. But I agree that default could be better as well by having explicit drop all rule as the last rule instead of having a combined “dtop everything which is not dst-nated coming from WAN”. Using two rules instead would make it more readable and more versatile for additions such as you need.

Regarding the error message: where does the http client run? You have to check that host because 127.0.0.1 is always “localhost” and if host’s networking is not totaly fubar, that traffic never leaves that nachine. So nothing to do with Mikrotik and its firewall.

3

Not much!
In fact if port 8291 is your winbox port, your FW is a piece of trash.
Also you have no clue on the importance of order of firewalls and finally its hard to read being disorganized mixing up the chains.
Finally without seeing the rest of the config and subnets/vlans its hard to really comment otherwise.

@Mkx, the default firewall rules ARE ONLY for a person who does not change the config.
WAN on ether1, all other ports on the bridge on the same LAN subnet.
Its not meant for anything else.
What MT fails to do is make this clear.

4

Something like this should be the default FW ruleset as a staring point for anyone that starts to make changes to the config.

/ip firewall address-list ( mostly from static dhcp leases )
add address=IP1 list=Admin (desktop)
add address=IP2 list=Admin (laptop)
add address=IP3 list=Admin (smartphone/pad)
add address=IP4 list=Admin (remote wireguard IP)
/interface list
name=WAN
name=LAN
/interface list members
UNK since you only provide FW info.

/ip firewall filter
{Input Chain}
(default rules to keep)
add action=accept chain=input comment=“defconf: accept established,related,untracked” connection-state=established,related,untracked
add action=drop chain=input comment=“defconf: drop invalid” connection-state=invalid
add action=accept chain=input comment=“defconf: accept ICMP” protocol=icmp
add action=accept chain=input comment=“defconf: accept to local loopback (for CAPsMAN)” dst-address=127.0.0.1
( admin rules )
add action=accept chain=input src-address-list=Admin comment=“Config Access”
add action=accept chain=input comment=“Allow LAN DNS queries-UDP” \ {and NTP *** services if required etc}
dst-port=53 in-interface-list=LAN protocol=udp
add action=accept chain=input comment=“Allow LAN DNS queries - TCP”
dst-port=53 in-interface-list=LAN protocol=tcp
add action=drop chain=input comment=“drop all else”
{forward chain}
(default rules to keep)
add action=accept chain=forward comment=“defconf: accept in ipsec policy” ipsec-policy=in,ipsec (remove if no intention of ipsec)
add action=accept chain=forward comment=“defconf: accept out ipsec policy” ipsec-policy=out,ipsec (remove if no intention of ipsec)
add action=fasttrack-connection chain=forward comment=“defconf: fasttrack” connection-state=established,related
add action=accept chain=forward comment=“defconf: accept established,related, untracked” connection-state=established,related,untracked
add action=drop chain=forward comment=“defconf: drop invalid” connection-state=invalid
(user rules)
add action=accept chain=forward comment=“allow internet traffic” in-interface-list=LAN out-interface-list=WAN
add action=accept chain=forward comment=“port forwarding” connection-nat-state=dstnat disabled=yes ( enable if required )
add action=drop chain=forward comment=“drop all else”
/ip firewall nat
add action=masquerade chain=srcnat comment=“defconf: masquerade” ipsec-policy=out,none out-interface-list=WAN

5

I see that you have a lot of knowledge about firewall configuration.

Could you help me create the most secure firewall possible for such a scheme?:

Description:

  • Main - Main LAN + WLAN


  • Guest - Guest network WLAN + occasionally LAN


  • Smart Home - Moving all IoT devices connected to SSID “Jakub” to this separated VLAN using MAC address redirection with one-way communication
6

Not sure what you mean by vlan1, but if you are using vlans then use all vlans ( but not vlan1 for data).
Thus make it vlan10.

Remember with a drop all rule at the end of the forward chain all subnets are automatically isolated at L3, and thus for the config below you
only need to add to the above, one rule!

(user rules)
add action=accept chain=forward comment=“allow internet traffic” in-interface-list=LAN out-interface-list=WAN
add action=accept chain=forward comment=“port forwarding” connection-nat-state=dstnat disabled=yes ( enable if required )
add action=accept chain=forward comment=“allow smart access” src-address=192.168.68.0/24 dst-address=192.168.69.0/24
add action=drop chain=forward comment=“drop all else”

You could also state it as such
add action=accept chain=forward comment=“allow smart access” in-interface=vlan10-name out-interface=vlan322-name

You should have enough information and understanding to figure out pretty much anything else you need.

7

I admit that I was afraid of creating a very complicated firewall, but after reading your https://forum.mikrotik.com/viewtopic.php?t=180838 guide, I see that it is not that difficult at all. You rely on the default firewall configuration and simply additionally seal it with your own rules.

So how can you restore the default firewall rules without having to restore the rest of the RouterOS settings?

@mkx @anav
Do you think my problem with Node-RED is not caused by the MT configuration? In the search engine I found information https://stackoverflow.com/questions/54200639/node-red-unable-to-listen-on-http-127-0-0-11880 that the reason may be loopback, which is set by default in the RouterOS configuration, although honestly I do not know what it is really needed for.

8

Loopback is internal to the router and should not have any ill effects for your traffic.
See what Mkx states two posts below, he actually knows stuff…I just read listen and believe what he and very select few others say. :slight_smile:

9

When writing VLAN number 1, I meant the default / undefined VLAN. Does it really matter whether the main network will be an undefined VLAN or VLAN 10?

10

No, if done properly but I prefer to go all vlans once I start using vlans.

11

The name of interface doesn’t matter. What matters is that 127.0.0.1 address always refers to the machine itself where you execute command using this address. So if you use a web browser and enter that URL, then Node-RED should be running on the very same machine. And the traffic doesn’t leave local machine so whatever tge outcome, it isn’t affected by router at all.

12 
/ip firewall address-list
add address=192.168.68.49 comment=Solid-Aurora list=admin
add address=192.168.68.50 comment=Rapid-Monster list=admin
/ip firewall connection tracking
set udp-timeout=10s
/ip firewall filter
add action=accept chain=input comment=\
    "accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="drop invalid" connection-state=\
    invalid
add action=accept chain=input comment="accept ICMP" protocol=icmp
add action=accept chain=input comment=\
    "accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=accept chain=input comment="Config Access" src-address-list=\
    admin
add action=accept chain=input comment="Allow LAN DNS queries-UDP" \
    dst-port=53 in-interface-list=LAN protocol=udp
add action=accept chain=input comment="Allow LAN DNS queries - TCP" \
    dst-port=53 in-interface-list=LAN protocol=tcp
add action=drop chain=input comment="drop all else"
add action=drop chain=input comment="drop all not coming from LAN" \
    disabled=yes in-interface-list=!LAN
add action=accept chain=forward comment="accept in ipsec policy" \
    ipsec-policy=in,ipsec
add action=accept chain=forward comment="accept out ipsec policy" \
    ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment=fasttrack \
    connection-state=established,related hw-offload=yes
add action=accept chain=forward comment=\
    "accept established,related, untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="drop invalid" connection-state=\
    invalid
add action=drop chain=forward comment="drop all from WAN not DSTNATed" \
    connection-nat-state=!dstnat connection-state=new disabled=yes \
    in-interface-list=WAN
add action=accept chain=forward comment="allow internet traffic" \
    in-interface-list=LAN out-interface-list=WAN
add action=accept chain=forward comment="port forwarding" \
    connection-nat-state=dstnat
add action=accept chain=forward comment="allow Smart Home access" \
    dst-address=192.168.69.0/24 src-address=192.168.68.0/24
add action=drop chain=forward comment="drop all else"
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" \
    ipsec-policy=out,none out-interface-list=WAN

@anav
Can you tell me what rule to add in the default firewall to make VLAN Guest work? Completely fails to connect to DNS.

13

Not without the complete config shown
/export file=anynameyouwish ( minus router serial number, public WANIP information, keys, long dhcp lease lists )

14 



RouterOS 7.14beta3
/interface bridge
add admin-mac=xxx auto-mac=no comment=Main name=bridge \
    port-cost-mode=short
/interface vlan
add interface=bridge name=vlan322_iot vlan-id=322
add interface=bridge name=vlan433_guest vlan-id=433
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
add name=Guest
add name="Smart Home"
/interface wifi channel
add band=2ghz-ax disabled=no frequency=2412,2437,2462 name=channel_24 width=\
    20/40mhz-Ce
add band=5ghz-ax disabled=no frequency=5180-5300 name=channel_50 \
    skip-dfs-channels=all width=20/40mhz-Ce
/interface wifi datapath
add bridge=bridge disabled=no name=datapath_main
add bridge=bridge client-isolation=yes disabled=no name=datapath_guest \
    vlan-id=433
/interface wifi security
add authentication-types=wpa2-psk disable-pmkid=no disabled=no encryption="" \
    ft=yes ft-over-ds=yes name="security_main 50" wps=disable
add authentication-types=wpa2-psk,wpa3-psk disable-pmkid=no disabled=no ft=\
    yes ft-over-ds=yes name=security_guest_50 wps=disable
add authentication-types=wpa2-psk disable-pmkid=no disabled=no ft=yes \
    ft-over-ds=yes name=secuirty_main_24 wps=disable
add authentication-types=wpa2-psk,wpa3-psk disable-pmkid=no disabled=no \
    encryption="" ft=yes ft-over-ds=yes name=secuirty_guest_24 wps=disable
/interface wifi configuration
add channel=channel_50 country=Poland datapath=datapath_main disabled=no \
    mode=ap name=wifi_50 security="security_main 50" ssid=Jakub
add channel=channel_50 country=Poland datapath=datapath_guest disabled=no \
    mode=ap name=wifi_50_guest security=security_guest_50 ssid=Dom
add channel=channel_24 country=Poland datapath=datapath_main disabled=no \
    mode=ap name=wifi_24 security=secuirty_main_24 ssid=Jakub
add channel=channel_24 country=Poland datapath=datapath_guest disabled=no \
    mode=ap name=wifi_24_guest security=secuirty_guest_24 ssid=Dom
/interface wifi steering
add disabled=yes name=steering1 neighbor-group=\
    dynamic-Jakub-109f34cf,dynamic-Dom-4be23367 rrm=yes
/ip pool
add comment=Main name=default-dhcp ranges=192.168.68.10-192.168.68.254
add comment=Guest name=pool_guest ranges=192.168.67.10-192.168.67.254
add comment="Smart Home" name=pool_iot ranges=192.168.69.1-192.168.69.254
/ip dhcp-server
add address-pool=default-dhcp comment=Main interface=bridge lease-time=1w \
    name=defconf
add address-pool=pool_guest comment=Guest interface=vlan433_guest lease-time=\
    1h name=dhcp_guest
add address-pool=pool_iot comment="Smart Home" interface=vlan322_iot \
    lease-time=1d name=dhcp_iot
/user group
add name=restart policy="reboot,read,winbox,!local,!telnet,!ssh,!ftp,!write,!p\
    olicy,!test,!password,!web,!sniff,!sensitive,!api,!romon,!rest-api"
/interface bridge port
add bridge=bridge interface=ether2 internal-path-cost=10 path-cost=10
add bridge=bridge interface=ether3 internal-path-cost=10 path-cost=10
add bridge=bridge interface=ether4 internal-path-cost=10 path-cost=10
add bridge=bridge interface=ether5 internal-path-cost=10 path-cost=10
/ip firewall connection tracking
set udp-timeout=10s
/ip neighbor discovery-settings
set discover-interface-list=LAN
/interface list member
add interface=bridge list=LAN
add interface=ether1 list=WAN
add interface=vlan433_guest list=Guest
add interface=vlan322_iot list="Smart Home"
/interface wifi cap
set certificate=request discovery-interfaces=bridge enabled=yes
/interface wifi capsman
set ca-certificate=auto certificate=auto enabled=yes package-path="" \
    require-peer-certificate=no upgrade-policy=none
/interface wifi provisioning
add action=create-dynamic-enabled disabled=no master-configuration=wifi_50 \
    slave-configurations=wifi_50_guest supported-bands=5ghz-ax
add action=create-dynamic-enabled disabled=no master-configuration=wifi_24 \
    slave-configurations=wifi_24_guest supported-bands=2ghz-ax
/ip address
add address=192.168.68.1/24 comment=Main interface=bridge network=\
    192.168.68.0
add address=192.168.67.1/24 comment=Guest interface=vlan433_guest network=\
    192.168.67.0
add address=192.168.69.1/24 comment="Smart Home" interface=vlan322_iot \
    network=192.168.69.0
/ip dhcp-client
add comment=defconf interface=ether1 use-peer-dns=no
/ip dhcp-server lease
/ip dhcp-server network
add address=192.168.67.0/24 comment=Guest dns-server=192.168.67.1 gateway=\
    192.168.67.1 netmask=24
add address=192.168.68.0/24 comment=Main dns-server=192.168.68.1 gateway=\
    192.168.68.1 netmask=24
add address=192.168.69.0/24 comment="Smart Home" dns-server=192.168.69.1 \
    gateway=192.168.69.1 netmask=24
/ip dns
set allow-remote-requests=yes servers=1.1.1.1,1.0.0.1 verify-doh-cert=yes
/ip dns static
add address=192.168.88.1 comment=defconf name=router.lan
/ip firewall address-list
add address=192.168.68.49 comment=Solid-Aurora list=admin
add address=192.168.68.50 comment=Rapid-Monster list=admin
/ip firewall filter
add action=accept chain=input comment="accept established,related,untracked" \
    connection-state=established,related,untracked
add action=drop chain=input comment="drop invalid" connection-state=invalid
add action=accept chain=input comment="accept ICMP" protocol=icmp
add action=accept chain=input comment=\
    "accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=accept chain=input comment="Config Access" src-address-list=admin
add action=accept chain=input comment="Allow LAN DNS queries-UDP" dst-port=53 \
    in-interface-list=LAN protocol=udp
add action=accept chain=input comment="Allow LAN DNS queries - TCP" dst-port=\
    53 in-interface-list=LAN protocol=tcp
add action=drop chain=input comment="drop all else"
add action=drop chain=input comment="drop all not coming from LAN" disabled=\
    yes in-interface-list=!LAN
add action=accept chain=forward comment="accept in ipsec policy" \
    ipsec-policy=in,ipsec
add action=accept chain=forward comment="accept out ipsec policy" \
    ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment=fasttrack \
    connection-state=established,related hw-offload=yes
add action=accept chain=forward comment=\
    "accept established,related, untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="drop invalid" connection-state=invalid
add action=drop chain=forward comment="drop all from WAN not DSTNATed" \
    connection-nat-state=!dstnat connection-state=new disabled=yes \
    in-interface-list=WAN
add action=accept chain=forward comment="allow internet traffic" \
    in-interface-list=LAN out-interface-list=WAN
add action=accept chain=forward comment="port forwarding" \
    connection-nat-state=dstnat
add action=accept chain=forward comment="allow Smart Home access" \
    dst-address=192.168.69.0/24 src-address=192.168.68.0/24
add action=drop chain=forward comment="drop all else"
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" \
    ipsec-policy=out,none out-interface-list=WAN
/ip service
set telnet disabled=yes
set ftp disabled=yes
set www disabled=yes
set ssh disabled=yes
set api disabled=yes
set api-ssl disabled=yes
/ipv6 firewall address-list
add address=::/128 comment="defconf: unspecified address" list=bad_ipv6
add address=::1/128 comment="defconf: lo" list=bad_ipv6
add address=fec0::/10 comment="defconf: site-local" list=bad_ipv6
add address=::ffff:0.0.0.0/96 comment="defconf: ipv4-mapped" list=bad_ipv6
add address=::/96 comment="defconf: ipv4 compat" list=bad_ipv6
add address=100::/64 comment="defconf: discard only " list=bad_ipv6
add address=2001:db8::/32 comment="defconf: documentation" list=bad_ipv6
add address=2001:10::/28 comment="defconf: ORCHID" list=bad_ipv6
add address=3ffe::/16 comment="defconf: 6bone" list=bad_ipv6
/ipv6 firewall filter
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=accept chain=input comment="defconf: accept ICMPv6" protocol=\
    icmpv6
add action=accept chain=input comment="defconf: accept UDP traceroute" port=\
    33434-33534 protocol=udp
add action=accept chain=input comment=\
    "defconf: accept DHCPv6-Client prefix delegation." dst-port=546 protocol=\
    udp src-address=fe80::/10
add action=accept chain=input comment="defconf: accept IKE" dst-port=500,4500 \
    protocol=udp
add action=accept chain=input comment="defconf: accept ipsec AH" protocol=\
    ipsec-ah
add action=accept chain=input comment="defconf: accept ipsec ESP" protocol=\
    ipsec-esp
add action=accept chain=input comment=\
    "defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=input comment=\
    "defconf: drop everything else not coming from LAN" in-interface-list=\
    !LAN
add action=accept chain=forward comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
add action=drop chain=forward comment=\
    "defconf: drop packets with bad src ipv6" src-address-list=bad_ipv6
add action=drop chain=forward comment=\
    "defconf: drop packets with bad dst ipv6" dst-address-list=bad_ipv6
add action=drop chain=forward comment="defconf: rfc4890 drop hop-limit=1" \
    hop-limit=equal:1 protocol=icmpv6
add action=accept chain=forward comment="defconf: accept ICMPv6" protocol=\
    icmpv6
add action=accept chain=forward comment="defconf: accept HIP" protocol=139
add action=accept chain=forward comment="defconf: accept IKE" dst-port=\
    500,4500 protocol=udp
add action=accept chain=forward comment="defconf: accept ipsec AH" protocol=\
    ipsec-ah
add action=accept chain=forward comment="defconf: accept ipsec ESP" protocol=\
    ipsec-esp
add action=accept chain=forward comment=\
    "defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=forward comment=\
    "defconf: drop everything else not coming from LAN" in-interface-list=\
    !LAN
/system clock
set time-zone-name=Europe/Warsaw
/system identity
set name=Master
/system note
set show-at-login=no
/system package update
set channel=testing
/system routerboard settings
set auto-upgrade=yes
/tool graphing interface
add
15

Unfortunately I cannot comment as I dont use or are familiar with vlans using datapaths and capsman.
I will say that bridge vlan filtering does not seem to be turned on, and I dont see any /interface bridge vlan settings…

16

I understand your suspicions, but if it was a configuration issue, WLAN Guest probably wouldn’t work on the previous firewall either.

17

If vlan-filtering is not enabled, certain things which don’t rely on it still work. As it’s usual with partial config. I suggest you to follow advice by @anav … he’s a very experienced user (even though he likes things done exactly his way).

18

@mkr
Thanks for the clarification. I’m a beginner and I don’t know much about MT configuration, especially since it’s not a simple software.

I have enabled VLAN filtering on the Primary Router, but the Guest VLAN is still not working.

What else can I do?