Lis of ingress allow ports for Windows networks

As I have segregated departments into their own VLANs, I need to allow those port IN specific from those VLANs. I made a list of ports needed for AD DC and file sharing work on Windows network:

LINE BY LINE:

# TCP Services
/ip firewall filter add chain=forward protocol=tcp in-interface-list="LOCAL LANS" out-interface="SERVERS_VLAN" dst-port=53 comment="DNS"
/ip firewall filter add chain=forward protocol=tcp in-interface-list="LOCAL LANS" out-interface="SERVERS_VLAN" dst-port=88 comment="Kerberos"
/ip firewall filter add chain=forward protocol=tcp in-interface-list="LOCAL LANS" out-interface="SERVERS_VLAN" dst-port=135 comment="RPC Endpoint Mapper"
/ip firewall filter add chain=forward protocol=tcp in-interface-list="LOCAL LANS" out-interface="SERVERS_VLAN" dst-port=389 comment="LDAP"
/ip firewall filter add chain=forward protocol=tcp in-interface-list="LOCAL LANS" out-interface="SERVERS_VLAN" dst-port=636 comment="LDAP SSL"
/ip firewall filter add chain=forward protocol=tcp in-interface-list="LOCAL LANS" out-interface="SERVERS_VLAN" dst-port=445 comment="SMB (SMB2, SMB3)"
/ip firewall filter add chain=forward protocol=tcp in-interface-list="LOCAL LANS" out-interface="SERVERS_VLAN" dst-port=464 comment="Kerberos password change"
/ip firewall filter add chain=forward protocol=tcp in-interface-list="LOCAL LANS" out-interface="SERVERS_VLAN" dst-port=3268 comment="Global Catalog lookup"
/ip firewall filter add chain=forward protocol=tcp in-interface-list="LOCAL LANS" out-interface="SERVERS_VLAN" dst-port=3269 comment="Global Catalog lookup SSL"
/ip firewall filter add chain=forward protocol=tcp in-interface-list="LOCAL LANS" out-interface="SERVERS_VLAN" dst-port=5722 comment="File Replication Service"
/ip firewall filter add chain=forward protocol=tcp in-interface-list="LOCAL LANS" out-interface="SERVERS_VLAN" dst-port=49152-65535 comment="Dynamic RPC ports"
/ip firewall filter add chain=forward protocol=tcp in-interface-list="LOCAL LANS" out-interface="SERVERS_VLAN" dst-port=443 comment="HTTP SSL"
/ip firewall filter add chain=forward protocol=tcp in-interface-list="LOCAL LANS" out-interface="SERVERS_VLAN" dst-port=80 comment="HTTP"
/ip firewall filter add chain=forward protocol=tcp in-interface-list="LOCAL LANS" out-interface="SERVERS_VLAN" dst-port=427 comment="Service Location Protocol"
/ip firewall filter add chain=forward protocol=tcp in-interface-list="LOCAL LANS" out-interface="SERVERS_VLAN" dst-port=631 comment="Internet Printing Protocol"
/ip firewall filter add chain=forward protocol=tcp in-interface-list="LOCAL LANS" out-interface="SERVERS_VLAN" dst-port=9100 comment="Direct IP-based Printing"

# UDP Services
/ip firewall filter add chain=forward protocol=udp in-interface-list="LOCAL LANS" out-interface="SERVERS_VLAN" dst-port=53 comment="DNS"
/ip firewall filter add chain=forward protocol=udp in-interface-list="LOCAL LANS" out-interface="SERVERS_VLAN" dst-port=88 comment="Kerberos"
/ip firewall filter add chain=forward protocol=udp in-interface-list="LOCAL LANS" out-interface="SERVERS_VLAN" dst-port=389 comment="LDAP"
/ip firewall filter add chain=forward protocol=udp in-interface-list="LOCAL LANS" out-interface="SERVERS_VLAN" dst-port=123 comment="Windows Time service"
/ip firewall filter add chain=forward protocol=udp in-interface-list="LOCAL LANS" out-interface="SERVERS_VLAN" dst-port=464 comment="Kerberos password change"
/ip firewall filter add chain=forward protocol=udp in-interface-list="LOCAL LANS" out-interface="SERVERS_VLAN" dst-port=3702 comment="WS-Discovery"
/ip firewall filter add chain=forward protocol=udp in-interface-list="LOCAL LANS" out-interface="SERVERS_VLAN" dst-port=161,162 comment="SNMP"
/ip firewall filter add chain=forward protocol=udp in-interface-list="LOCAL LANS" out-interface="SERVERS_VLAN" dst-port=427 comment="Service Location Protocol"

# NetBIOS
/ip firewall filter add chain=forward protocol=udp in-interface-list="LOCAL LANS" out-interface="SERVERS_VLAN" dst-port=137,138 comment="NetBIOS Name Service, NetBIOS Datagram Service"
/ip firewall filter add chain=forward protocol=tcp in-interface-list="LOCAL LANS" out-interface="SERVERS_VLAN" dst-port=139 comment="NetBIOS Session (Older Printer & File Sharing, SMB1/CIFS)"

ONE LINERS:

# TCP Services
/ip firewall filter add chain=forward protocol=tcp in-interface-list="LOCAL LANS" out-interface="SERVERS_VLAN" dst-port=53,88,135,389,636,445,464,3268,3269,5722,443,80,427,631,9100 comment="Main TCP Services (Part 1)"

/ip firewall filter add chain=forward protocol=tcp in-interface-list="LOCAL LANS" out-interface="SERVERS_VLAN" dst-port=49152-65535 comment="Main TCP Services (Part 2)"

# UDP Services
/ip firewall filter add chain=forward protocol=udp in-interface-list="LOCAL LANS" dst-port=53,88,389,123,464,3702,161-162,427 comment="DNS, Kerberos, LDAP, Windows Time service, Kerberos password change, WS-Discovery, SNMP, Service Location Protocol"

# Separate rules for NetBIOS ports TCP
/ip firewall filter add chain=forward protocol=udp in-interface-list="LOCAL LANS" dst-port=137,138 comment="NetBIOS Name Service, NetBIOS Datagram Service"

# Separate rules for NetBIOS ports UDP
/ip firewall filter add chain=forward protocol=tcp in-interface-list="LOCAL LANS" dst-port=139 comment="NetBIOS Session (Older Printer & File Sharing, SMB1/CIFS)"

I suppose these should be enough for everything to work? Feel free to fill in.

UPDATE: The port list I defined here works fine. I maybe modified it a bit, but in essence that’s it. (It seems everything works without RPC dynamic range.)

Allowing only specific ports I filter out an ungodly amount of crap from the network… And everything works! This is the last drop rule, for the last few days:

Does anyone else employ the same strategy? I am kind of curious.

So you need to allow VLAN to VLAN traffic, but have a mandate to restrict by IP and port?
If so, what you are doing seems reasonable in terms of rules and efficiencies.

This was built for a very large distributed network that consists of 5 huge buildings with office spaces, production and warehouse areas. Some LAN ports are located in weird places, so after the last expansion I became quite uneasy about the fact that it is relatively easy to access ports and attack the networks.

So I have segmented it, and firewalled everything. The last forward rule is drop all, so only explicit allow forwards traffic. Each sector have their own VLAN, and servers are in separate VLAN, as are backbone infrastructure, and also CAPs are in their own group.

From VLANs to Server VLAN I allowed the list I published here. Everything works apparently, domain services, DNS, File and Print sharing, MySQL (MariaDB) etc., and everything that was not bound to a port is blocked. - I have 800k packets dropped right now, and yet each aspect of the LAN works.

As for VLAN to VLAN communication, the idea was that one client has no business communicating with clients from other VLANs. So if there is an infected client, it can drop only clients in their own VLAN. The only traffic I allow is RDP and direct IP printing (and ICMP). Nothing else. (For RDS there is a filter on each RDS enabled computer.)

I had some trouble fixing up the firewall rules correctly, but I think I have mostly got it. At this moment I see about 350 active clients in entire network, and soon when new APs come there will be about 400-450.