Load Balancer PCC + Firewall to same MK

RouterOS General
1

Good morning everyone !!

I have configured an MK device with PCC type Balancer configuration with 4 WAN, I had not noticed that in all the configurations they put, it does not mention or rather I have not seen that they put FILTER rules in the balancers, I understand that if there are no rules in the firewal filter there is no protection to the networks and to the same router, my question would be, in my case, I need to have a firewall + pcc balancer, is it possible?

If so, what would be the basic rules to protect the filter with the balancer and not affect my package markings that I already have?

Regards !!

2

Examples usually focus on the thing they are explaining. It doesn’t mean you can’t combine it with something else. Basic firewall can be:

/ip firewall filter
add action=accept chain=forward connection-state=established,related,untracked
add action=drop chain=forward connection-state=invalid
<stuff you want to allow>
add action=drop chain=forward

Same thing for chain=input. For it differs slightly, forward can use for example:

add action=accept chain=forward in-interface-list=LAN comment="from LAN to anywhere"
add action=accept chain=forward in-interface-list=Guest out-interface-list=WAN comments="guests to internet"
add action=accept chain=forward connection-nat-state=dstnat commment="forwarded ports"

And input e.g.:

add action=accept chain=input in-interface-list=LAN comment="full access to router from trusted LAN"
add action=accept chain=input in-interface-list=Guest protocol=udp dst-port=53 comment="DNS for guests"
add action=accept chain=input in-interface-list=Guest protocol=tcp dst-port=53 comment="DNS for guests"
add action=accept chain=input protocol=tcp dst-port=1194 comment="OpenVPN server on router"

You get the idea. Possibilities are endless, it depends on what you need.

3

In my case it is a balancer, I need to have access to my network to some web cameras by port 8080 for example (web) as well as winbox access (winbox api mobile) to some of my wan (wan2) that has public ip.

Do I have to open the ports in the filter as mentioned? or in what way would it be?

Thansk for you example!

4

If it’s forwarded ports using dstnat, all you need is that rule with connection-nat-state=dstnat. For access to router itself, add accept rules in input chain.

It’s probably not the best idea to allow WinBox access from internet. In theory it should be safe with strong passwords, but there were already some ugly bugs in the past, so the less you open, the better.

And if you decide to use my example, be careful. Before you add the last unconditional drop rule, add unconditional log rule first, make sure that it won’t log anything when you connect to router again, and only then add drop rule, to avoid locking yourself out.

5

This is my rules now, with you example !!

/ip firewall filter
add action=drop chain=forward dst-address-list=ListaNegraDNS \
    src-address-list=UCA_FTTH
add action=accept chain=forward comment="FW_CONN_ESTABLISHED_Y_RELATED - acept\
    ar solo las conexiones relacionadas y establecidas" connection-state=\
    established,related,untracked
add action=drop chain=forward comment=\
    "FW_DROP_CONN_INVALID -  denegar conexiones invalidas" connection-state=\
    invalid
add action=accept chain=forward comment="Desde la LAN hacia donde sea" \
    in-interface=bridgeFTTH
add action=accept chain=forward comment="Puerto Reenviados - forwarded ports" \
    connection-nat-state=dstnat
add action=accept chain=input comment=\
    "Acceso completo al enrutador desde una LAN confiable" in-interface=\
    bridgeFTTH
add action=accept chain=input comment="Servidor OpenVPN acceso" dst-port=1194 \
    protocol=tcp
add action=accept chain=input comment="*************Permitir Protocolos ICMP" \
    connection-limit=15,32 icmp-options=0:0 limit=5,5:packet protocol=icmp
add action=accept chain=input icmp-options=8:0 limit=5,5:packet protocol=icmp
add action=accept chain=input icmp-options=3:3 limit=5,5:packet protocol=icmp
add action=accept chain=input icmp-options=11:0 limit=5,5:packet protocol=\
    icmp
add action=accept chain=input icmp-options=3:4 limit=5,5:packet protocol=icmp
add action=drop chain=forward comment="Drop to bogon list" dst-address-list=\
    BogonLista
add action=drop chain=forward comment="FW_DROP_ALL" log=yes
add action=drop chain=input comment="*************Block Intrusos WebProxy" \
    dst-port=3128 in-interface=Wan1 protocol=tcp
add action=drop chain=input comment="*************Block Intrusos WebProxy" \
    dst-port=3128 in-interface=Wan2 protocol=tcp
add action=drop chain=input comment="************* Block Intrusos DNS - UDP" \
    dst-port=53 protocol=udp src-address=!192.168.8.0/22
add action=drop chain=input comment="************* Block Intrusos DNS - TCP" \
    dst-port=53 protocol=tcp src-address=!192.168.8.0/22
add action=drop chain=virus comment="Drop PhatBot, Agobot, Gaobot" dst-port=\
    65506 protocol=tcp
add action=drop chain=input comment="drop ssh brute forcers" dst-port=22 \
    protocol=tcp src-address-list=ssh_blacklist
add action=add-src-to-address-list address-list=ssh_blacklist \
    address-list-timeout=1w3d chain=input connection-state=new dst-port=22 \
    protocol=tcp src-address-list=ssh_stage3
add action=add-src-to-address-list address-list=ssh_stage3 \
    address-list-timeout=1m chain=input connection-state=new dst-port=22 \
    protocol=tcp src-address-list=ssh_stage2
add action=add-src-to-address-list address-list=ssh_stage2 \
    address-list-timeout=1m chain=input connection-state=new dst-port=22 \
    protocol=tcp src-address-list=ssh_stage1
add action=add-src-to-address-list address-list=ssh_stage1 \
    address-list-timeout=1m chain=input connection-state=new dst-port=22 \
    protocol=tcp
add action=add-src-to-address-list address-list=MebRootVictima \
    address-list-timeout=1d chain=forward comment=\
    "Drop Mebroot y Torpig y logueo el cliente de origen." dst-address-list=\
    MebRoot
add action=drop chain=forward dst-address-list=MebRoot
add action=drop chain=input dst-address-list=MebRoot
add action=drop chain=output dst-address-list=MebRoot
add action=drop chain=forward dst-port=!80 protocol=tcp src-address-list=\
    MebRootVictima
add action=drop chain=forward dst-port=!53 protocol=udp src-address-list=\
    MebRootVictima
add action=drop chain=Virus comment=\
    "Block Port Malware Ransomware WannaCrypt" dst-port=137-139,445,3389 \
    protocol=tcp
add action=drop chain=input dst-port=137-139,445,3389 protocol=tcp
add action=drop chain=input dst-port=137-139,445,3389 protocol=udp
add action=drop chain=forward dst-port=137-139,445,3389 protocol=udp

/ip firewall nat
add action=masquerade chain=srcnat out-interface=Wan1
add action=masquerade chain=srcnat out-interface=Wan2
add action=masquerade chain=srcnat out-interface=Wan3
add action=masquerade chain=srcnat out-interface=Wan4
add action=dst-nat chain=dstnat comment=\
    "CAM SEG - Ctto: xxx - tcp" dst-port=8082 in-interface=Wan2 \
    log=yes log-prefix=cam_dcs-2121 protocol=tcp to-addresses=192.168.11.235 \
    to-ports=81

But it does not open the camera when accessing the Internet, I try to enter through the WAN2 that has a public ip.

Locally, if the web is open on port 81, but online from port 8082, it does not open the camera.

Will something be missing?

Thanks!!

6

I see few problems:

Order of rules matters, they are processed from top to bottom. You added unconditional drop rule in forward chain, but you also have other rules after - no packet will ever reach those.

The same idea (accept established & friends, drop invalid, accept what you want to open, drop the rest) is also valid for input chain. Default action is accept, so now everything you didn’t block is allowed. If you have it enabled, everyone can connect to WinBox, WebFig, etc. It’s not the only way, but wouldn’t it be more clear if nothing would be accessible from internet, except the things you allow? Another popular thing is anti-bruteforce on ssh, but do you need it accessible from internet at all? Maybe you do, but many people don’t, so it’s easier to have it closed completely.

Your chain=virus and chain=Virus (it’s two different chains btw) are useless, because nothing jumps to them.

But none of this blocks access to camera. What exactly happens depends on other rules. If WAN2 is not your primary connection, you need proper mangle rules to send responses back to WAN2, as you can see in PCC example: https://wiki.mikrotik.com/wiki/Manual:PCC

7

Its explanation is very logical, I will have to accommodate the filter rules with its example and the mangroves with the example of a PCC of Mikrotik’s web.

I appreciate your time and teaching!

8

That’s what happens when people just copy/paste rules and stuff from the web, even the wiki without reading. as one of the correspondents stated, order is important.

Regards.