N00b - protecting router from external access

RouterOS Beginner Basics
1

Hi,

We have a router that serves:

  • external customers with public IP addresses


  • internal networks with public IP addresses


  • and internal private networks.

I just became involved with this router and discovered that smtp is being abused from external sources by simply bouncing them on the router and making the router seem like it’s running an open-relay (and this abuse is not being done through a socks proxy)

I searched around this forum and found a temporary solution at: autodetect and temporary block smtp output|https://wiki.mikrotik.com/wiki/How_to_autodetect_infected_or_spammer_users_and_temporary_block_the_SMTP_output

Analyzing the address lists helped provide insight into what is happening, and understandably the router’s own WAN address is in the list.

Now, I am just going through the basics of securing the router and preventing input traffic from the internet, without affecting traffic destined for the downstream public networks that pass through this traffic. I have seen great advice of filter rules at the following places … but just seeking confirmation that they will work in my scenario:

For example, in https://wiki.mikrotik.com/wiki/Tips_and_Tricks_for_Beginners_and_Experienced_Users_of_RouterOS#Protect_local_network_against_attacks_from_public_internet, I am concerned that this rule will drop traffic going to downstream public networks since it’s dependent on dst-nat (which is only applicable on internal private networks). Is this assumption correct?

There are also great suggestions here: https://wiki.mikrotik.com/wiki/Manual:Securing_Your_Router#Firewall

Basically, I want to drop packets on the input chain that are not intended for:

  • downstream public networks (won’t be nat’ed)


  • internal private networks (will be nat’ed)

Will appreciate any suggestions

2

I guess my question was too generalized to attract helpful responses … will try to ask better questions next time.

On the whole, I think I have been able to glean enough information from the so many useful MikroTik help and wiki articles to grasp the fundamentals, and will keep gaining better insight as I go along … often from trying things out, and logging them.

3

My problem is I dont understand serve external customers… what the heck do you mean.

You can provide public IPs to folks behind the router, and you can provide internal networks private behind the router.
However I have no idea how you serve external customers. do you simply mean you have servers on your private LANs that external users access??

4

The question was indeed very general.

On a side note: which particular Mikrotik device type are you using? SOHO devices (most Mikrotik devices except CCR, CRS and some high-end RB devices) come with default firewall which pretty much takes care of what you’ve seen on your device. However if your device came with older defaults (which had less optimal firewall settings) or if it came without default config, it’s only too easy to have sub-optimal firewall rules. Unfortunately internet is full of how-tos which are based on old defaults and/or are done by individuals without enough knowledge … and Mikrotik’s own manuals don’t document current defaults either.

5

Hi
I have started working on a small ISP and we have a few Mikrotik routers in here.
We have a problem that 4 internal IPs are visible for external access, making the security of some clients compromised.
So, how can we block these IPs from external access?

I think this topic covers my user case, so i will be reading and trying things.
But any specific suggestions will be welcome! I never used Mikrotik before…