NAT and routing from Public to Private network

Hi

I have an RB2011iL; on Public (ether1-gateway) the IP is 1.1.1.10, on Private (local bridge) it is 10.1.1.1

I set up NAT from the private network to public and it's fine (a connection to 1.1.1.20 reports source address 1.1.1.10)
But WHY can I ping and connect from the 1.1.1.20 host (in the public net) to 10.1.1.2 (in the private network)? I know, bad firewall setup :slight_smile: But this is the default setup from MikroTik


Please help.
Sebastian

jan/02/1970 01:17:55 by RouterOS 6.1

software id = U3ZV-3AFN

/interface bridge
# Single LAN bridge. The bridge MAC is pinned (auto-mac=no) and STP runs in RSTP mode.
add admin-mac=D4:CA:6D:1A:21:52 auto-mac=no l2mtu=1598 name=bridge-local protocol-mode=rstp
/interface ethernet
# ether1 is the WAN/upstream port. ether7-ether10 are switch-chip slaves of ether6, so
# they reach the bridge through ether6-master-local (added as a bridge port below).
set 0 name=ether1-gateway
set 5 name=ether6-master-local
set 6 master-port=ether6-master-local name=ether7-slave-local
set 7 master-port=ether6-master-local name=ether8-slave-local
set 8 master-port=ether6-master-local name=ether9-slave-local
set 9 master-port=ether6-master-local name=ether10-slave-local
/ip neighbor discovery
# Do not announce this router via neighbor discovery on the WAN port.
set ether1-gateway discover=no
/ip hotspot user profile
# Factory-default hotspot profile; no hotspot server appears in this export, so it is unused here.
set [ find default=yes ] idle-timeout=none keepalive-timeout=2m mac-cookie-timeout=3d
/interface bridge port
# LAN = ether2-ether5 plus the ether6 switch group.
add bridge=bridge-local interface=ether2
add bridge=bridge-local interface=ether3
add bridge=bridge-local interface=ether4
add bridge=bridge-local interface=ether5
add bridge=bridge-local interface=ether6-master-local
/ip address
# LAN side: 10.1.1.1/24 on the bridge. WAN side: static 1.1.1.10/24 on ether1-gateway,
# which shares the 1.1.1.0/24 segment with the upstream 1.1.1.20.
add address=10.1.1.1/24 comment="default configuration" interface=bridge-local network=10.1.1.0
add address=1.1.1.10/24 interface=ether1-gateway network=1.1.1.0
/ip dhcp-client
# NOTE(review): a DHCP client is still enabled on ether1-gateway although a static address is
# assigned above; if the upstream hands out a lease the WAN port ends up with a second
# address and possibly a second default route - confirm which one is intended.
add comment="default configuration" dhcp-options=hostname,clientid disabled=no interface=ether1-gateway
/ip dns
# The router answers DNS queries from clients. Queries arriving on ether1-gateway are
# dropped by the input rule below, so this is effectively LAN-only.
set allow-remote-requests=yes
/ip dns static
# Leftover from the factory default (192.168.88.1); this router no longer carries that address.
add address=192.168.88.1 name=router
/ip firewall filter
# input chain = traffic addressed to the router itself. ICMP, established and related are
# accepted; everything else that arrives on ether1-gateway is dropped. Traffic from the LAN
# to the router matches no drop rule and is accepted by the chain's implicit default.
add chain=input comment="default configuration" protocol=icmp
add chain=input comment="default configuration" connection-state=established
add chain=input comment="default configuration" connection-state=related
add action=drop chain=input comment="default configuration" in-interface=ether1-gateway
# forward chain = traffic routed through the router. Only established/related are accepted
# explicitly and invalid is dropped; there is NO terminating drop, so every new connection
# that is not invalid falls through to the implicit accept - in BOTH directions. This is why
# a host on 1.1.1.0/24 can open connections to 10.1.1.x: masquerade only rewrites the
# source of LAN->WAN packets, it does not block WAN->LAN.
add chain=forward comment="default configuration" connection-state=established
add chain=forward comment="default configuration" connection-state=related
add action=drop chain=forward comment="default configuration" connection-state=invalid
/ip firewall nat
# LAN->WAN source NAT: packets leaving ether1-gateway are rewritten to source 1.1.1.10.
add action=masquerade chain=srcnat comment="default configuration" out-interface=ether1-gateway
/ip route
# Default route (no dst-address given, i.e. 0.0.0.0/0) via 1.1.1.20 on the WAN segment.
add distance=1 gateway=1.1.1.20
/tool mac-server
# MAC-telnet is reachable on the LAN ports and the bridge only; ether1-gateway is not listed.
set [ find default=yes ] disabled=yes
add interface=ether2
add interface=ether3
add interface=ether4
add interface=ether5
add interface=ether6-master-local
add interface=ether7-slave-local
add interface=ether8-slave-local
add interface=ether9-slave-local
add interface=bridge-local
/tool mac-server mac-winbox
# Same for MAC-Winbox: LAN ports and bridge only, never the WAN port.
set [ find default=yes ] disabled=yes
add interface=ether2
add interface=ether3
add interface=ether4
add interface=ether5
add interface=ether6-master-local
add interface=ether7-slave-local
add interface=ether8-slave-local
add interface=ether9-slave-local
add interface=bridge-local

Because you need to add a rule to your forward chain to drop it. The default MikroTik configuration allows any forward traffic that no rule explicitly drops.


I know that I need something but I don't know what. I spent all day testing, but I always block the normal flow as well. I think I need to add a few "allow" rules and one or more "drop" rules.

A few days and no help from anybody? Is it really so hard to solve this issue?

I don't believe it.

What type of device is 1.1.1.20? Does it have a gateway set to route that localnet 10.1.1.x to 1.1.1.10?

I'll post in a bit once I get somewhere I can actually read it.

Adding syntax highlighting.

jan/02/1970 01:17:55 by RouterOS 6.1

software id = U3ZV-3AFN

/interface bridge
# Single LAN bridge. The bridge MAC is pinned (auto-mac=no) and STP runs in RSTP mode.
add admin-mac=D4:CA:6D:1A:21:52 auto-mac=no l2mtu=1598 name=bridge-local protocol-mode=rstp
/interface ethernet
# ether1 is the WAN/upstream port. ether7-ether10 are switch-chip slaves of ether6, so
# they reach the bridge through ether6-master-local (added as a bridge port below).
set 0 name=ether1-gateway
set 5 name=ether6-master-local
set 6 master-port=ether6-master-local name=ether7-slave-local
set 7 master-port=ether6-master-local name=ether8-slave-local
set 8 master-port=ether6-master-local name=ether9-slave-local
set 9 master-port=ether6-master-local name=ether10-slave-local
/ip neighbor discovery
# Do not announce this router via neighbor discovery on the WAN port.
set ether1-gateway discover=no
/ip hotspot user profile
# Factory-default hotspot profile; no hotspot server appears in this export, so it is unused here.
set [ find default=yes ] idle-timeout=none keepalive-timeout=2m mac-cookie-timeout=3d
/interface bridge port
# LAN = ether2-ether5 plus the ether6 switch group.
add bridge=bridge-local interface=ether2
add bridge=bridge-local interface=ether3
add bridge=bridge-local interface=ether4
add bridge=bridge-local interface=ether5
add bridge=bridge-local interface=ether6-master-local
/ip address
# LAN side: 10.1.1.1/24 on the bridge. WAN side: static 1.1.1.10/24 on ether1-gateway,
# which shares the 1.1.1.0/24 segment with the upstream 1.1.1.20.
add address=10.1.1.1/24 comment="default configuration" interface=bridge-local network=10.1.1.0
add address=1.1.1.10/24 interface=ether1-gateway network=1.1.1.0
/ip dhcp-client
# NOTE(review): a DHCP client is still enabled on ether1-gateway although a static address is
# assigned above; if the upstream hands out a lease the WAN port ends up with a second
# address and possibly a second default route - confirm which one is intended.
add comment="default configuration" dhcp-options=hostname,clientid disabled=no interface=ether1-gateway
/ip dns
# The router answers DNS queries from clients. Queries arriving on ether1-gateway are
# dropped by the input rule below, so this is effectively LAN-only.
set allow-remote-requests=yes
/ip dns static
# Leftover from the factory default (192.168.88.1); this router no longer carries that address.
add address=192.168.88.1 name=router
/ip firewall filter
# input chain = traffic addressed to the router itself. ICMP, established and related are
# accepted; everything else that arrives on ether1-gateway is dropped. Traffic from the LAN
# to the router matches no drop rule and is accepted by the chain's implicit default.
add chain=input comment="default configuration" protocol=icmp
add chain=input comment="default configuration" connection-state=established
add chain=input comment="default configuration" connection-state=related
add action=drop chain=input comment="default configuration" in-interface=ether1-gateway
# forward chain = traffic routed through the router. Only established/related are accepted
# explicitly and invalid is dropped; there is NO terminating drop, so every new connection
# that is not invalid falls through to the implicit accept - in BOTH directions. This is why
# a host on 1.1.1.0/24 can open connections to 10.1.1.x: masquerade only rewrites the
# source of LAN->WAN packets, it does not block WAN->LAN.
add chain=forward comment="default configuration" connection-state=established
add chain=forward comment="default configuration" connection-state=related
add action=drop chain=forward comment="default configuration" connection-state=invalid
/ip firewall nat
# LAN->WAN source NAT: packets leaving ether1-gateway are rewritten to source 1.1.1.10.
add action=masquerade chain=srcnat comment="default configuration" out-interface=ether1-gateway
/ip route
# Default route (no dst-address given, i.e. 0.0.0.0/0) via 1.1.1.20 on the WAN segment.
add distance=1 gateway=1.1.1.20
/tool mac-server
# MAC-telnet is reachable on the LAN ports and the bridge only; ether1-gateway is not listed.
set [ find default=yes ] disabled=yes
add interface=ether2
add interface=ether3
add interface=ether4
add interface=ether5
add interface=ether6-master-local
add interface=ether7-slave-local
add interface=ether8-slave-local
add interface=ether9-slave-local
add interface=bridge-local
/tool mac-server mac-winbox
# Same for MAC-Winbox: LAN ports and bridge only, never the WAN port.
set [ find default=yes ] disabled=yes
add interface=ether2
add interface=ether3
add interface=ether4
add interface=ether5
add interface=ether6-master-local
add interface=ether7-slave-local
add interface=ether8-slave-local
add interface=ether9-slave-local
add interface=bridge-local

To get basic firewall behaviour on the forward chain you should:

  1. Allow connections from the LAN side to the WAN side.
  2. Allow ESTABLISHED connections from the WAN side to the LAN side.
  3. Allow RELATED connections from the WAN side to the LAN side.
  4. Drop remaining forward chain traffic.

You can use connection-state to select ESTABLISHED/RELATED connections, and IP ranges or in-interface/out-interface to select the direction.

See the link below for details of filter entries:

http://wiki.mikrotik.com/wiki/Manual:IP/Firewall/Filter

This is what I would do…
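/ip firewall address-list
# Everything treated as "inside". The filter keys on this list rather than on a subnet
# literal, so extra LAN subnets can be added here without touching the rules.
add address=10.1.1.0/24 list=LocalRanges

/ip firewall filter
# Rules are evaluated top to bottom; the first match ends the chain, and a rule with no
# action accepts. Two corrections against the post as written: the WAN port in this export
# is named ether1-gateway (not ether01-gateway), and comments must use straight quotes -
# typographic quotes are not valid RouterOS quoting and the wrapped rules must be one line.
#
# ---- input: traffic addressed to the router itself ----
add chain=input comment="Connection State - Established" connection-state=established
add chain=input comment="Connection State - Related" connection-state=related
add action=drop chain=input comment="Connection State - Invalid" connection-state=invalid
# ICMP from the WAN goes through the rate-limited ICMP chain; ICMP from the LAN is accepted as is.
add action=jump chain=input comment="ICMP - From Internet - Jump" in-interface=ether1-gateway jump-target=ICMP protocol=icmp
add chain=input comment="ICMP - From Local" in-interface=!ether1-gateway protocol=icmp
# Flood/scan detection is pinned to in-interface=ether1-gateway. Without that, the
# "Local Ranges" accept further down is reached only after these rules, so a LAN host
# opening more than 10 TCP connections to the router would be blacklisted for a day.
add action=drop chain=input comment="TCP - Syn Flood Suppression - Drop SynFlood" src-address-list=SynFlood
add action=add-src-to-address-list address-list=SynFlood address-list-timeout=30m chain=input comment="TCP - Syn Flood Detection - Add To SynFlood (30 Connections Per IP Address)" connection-limit=30,32 in-interface=ether1-gateway protocol=tcp tcp-flags=syn
add action=drop chain=input comment="TCP - Port Scan Detection - Drop Port Scans (21,3s,3,1)" in-interface=ether1-gateway protocol=tcp psd=21,3s,3,1
add action=tarpit chain=input comment="TCP - DoS Attack Supression - Tarpit BlackList (3 Connections Per IP Address)" connection-limit=3,32 protocol=tcp src-address-list=BlackList
add action=add-src-to-address-list address-list=BlackList address-list-timeout=1d chain=input comment="TCP - DoS Attack Detection - Add to BlackList for 1d (10 Connections per IP Address)" connection-limit=10,32 in-interface=ether1-gateway protocol=tcp
# Management access (Winbox, SSH, DNS, ...) is reachable from LocalRanges only; anything
# else addressed to the router is dropped. This also covers DNS queries from the WAN even
# though allow-remote-requests=yes is set in the export.
add chain=input comment="Local Ranges" src-address-list=LocalRanges
add action=drop chain=input comment="Default Drop"

# ---- forward: traffic routed through the router ----
add chain=forward comment="Connection State - Established" connection-state=established
add chain=forward comment="Connection State - Related" connection-state=related
add action=drop chain=forward comment="Connection State - Invalid" connection-state=invalid
# New connections are allowed only from the LAN ranges out through the WAN port (step 1 of
# the list above). Matching out-interface alone would also let a host on 1.1.1.0/24 relay
# through the router back onto the same segment; src-address-list closes that.
add chain=forward comment="Forward to Ether1-Gateway" out-interface=ether1-gateway src-address-list=LocalRanges
add chain=forward comment=LocalRanges dst-address-list=LocalRanges src-address-list=LocalRanges
# Terminating drop - the rule the default configuration lacks. A new connection from
# 1.1.1.20 to 10.1.1.2 matches nothing above and is dropped here; replies to LAN-initiated
# connections still pass via established/related.
add action=drop chain=forward comment="Default Drop"

# ---- ICMP: per-type allow list with rate limiting, entered via the jump from input ----
# icmp-options is written as type:code so that each rule matches exactly what its comment
# states. A packet over the 5/s limit does not match and falls to the final drop.
add chain=ICMP comment="ICMP - Allow Echo Reply (0:0-255), Limit 5pps" icmp-options=0:0-255 limit=5,5 protocol=icmp
add chain=ICMP comment="ICMP - Allow Destination Unreachable (3:0-255), Limit 5pps" icmp-options=3:0-255 limit=5,5 protocol=icmp
add chain=ICMP comment="ICMP - Allow Source Quench (4:0), Limit 5pps" icmp-options=4:0 limit=5,5 protocol=icmp
add chain=ICMP comment="ICMP - Allow Echo Request (8:0), Limit 5pps" icmp-options=8:0 limit=5,5 protocol=icmp
add chain=ICMP comment="ICMP - Allow Time Exceeded (11:0), Limit 5pps" icmp-options=11:0 limit=5,5 protocol=icmp
add chain=ICMP comment="ICMP - Allow Parameter Problem (12:0), Limit 5pps" icmp-options=12:0 limit=5,5 protocol=icmp
add action=drop chain=ICMP comment="ICMP - Drop All Others" protocol=icmp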