Need Help With Firewall

Issues:

  1. Firewall is blocking getting online
  2. Hairpin nat not working
  3. Firewall is probably not correct

Would like the firewall to:

  • block everything that is not allowed
  • use the brute force stuff
  • separate vlans from router
  • forward port 8090, 6767 & 6868 to 192.168.1.26
  • allow for pptp vpn
  • get hairpin nat working

I have tried to do this but I think some of my logic is off and some of my placement of code is off. If anyone has any input or can point me in the right direction I would really appreciate it. Thank you.
/interface bridge
add comment="Local Bridge" l2mtu=1598 name=bridge-local
add comment="Vlan1 Bridge" l2mtu=1594 name=bridge-vlan1
add comment="Vlan2 Bridge" l2mtu=1594 name=bridge-vlan2
/interface ethernet
set 0 name=ether1-gateway
set 1 name=ether2-local
set 2 name=ether3-vlan1
set 3 name=ether4-vlan2
set 4 name=ether5-trunk
/interface vlan
add interface=bridge-local l2mtu=1594 name=vlan-vlan1-ether5 vlan-id=101
add interface=bridge-local l2mtu=1594 name=vlan-vlan2-ether5 vlan-id=102
/ip pool
add name=pool-local ranges=192.168.1.100-192.168.1.254
add name=pool-vlan1 ranges=192.168.2.2-192.168.2.254
add name=pool-vlan2 ranges=192.168.3.2-192.168.3.254
add name=pool-vpn ranges=192.168.10.1-192.168.10.10
/ip dhcp-server
add address-pool=pool-local disabled=no interface=bridge-local name=local
add address-pool=pool-vlan1 disabled=no interface=bridge-vlan1 name=vlan1
add address-pool=pool-vlan2 disabled=no interface=bridge-vlan2 name=vlan2
/ppp profile
set 1 local-address=192.168.1.1 remote-address=pool-vpn
/interface bridge port
add bridge=bridge-local interface=ether2-local
add bridge=bridge-local interface=ether5-trunk
add bridge=bridge-vlan1 interface=ether3-vlan1
add bridge=bridge-vlan1 interface=vlan-vlan1-ether5
add bridge=bridge-vlan2 interface=ether4-vlan2
add bridge=bridge-vlan2 interface=vlan-vlan2-ether5
/interface pptp-server server
set enabled=yes
/ip address
add address=192.168.1.1/24 interface=bridge-local
add address=192.168.2.1/24 interface=bridge-vlan1
add address=192.168.3.1/24 interface=bridge-vlan2
/ip dhcp-client
add comment="default configuration" disabled=no interface=ether1-gateway
/ip dhcp-server network
add address=192.168.1.0/24 dns-server=192.168.1.1 gateway=192.168.1.1
add address=192.168.2.0/24 dns-server=192.168.2.1 gateway=192.168.2.1
add address=192.168.3.0/24 dns-server=192.168.3.1 gateway=192.168.3.1
/ip dns
set allow-remote-requests=yes
/ip firewall filter
add chain=input comment="default configuration" protocol=icmp
add chain=input comment="default configuration" connection-state=established
add chain=input comment="default configuration" connection-state=related
add chain=input comment=vpn dst-port=1723 protocol=tcp
add chain=input comment=vpn protocol=gre
add action=drop chain=input comment="default configuration" connection-state=invalid disabled=yes in-interface=ether1-gateway
add action=jump chain=input disabled=yes in-interface=bridge-vlan1 jump-target=input-vlan2
add action=jump chain=input disabled=yes in-interface=bridge-vlan2 jump-target=input-vlan2
add chain=input disabled=yes in-interface=bridge-local
add action=drop chain=input disabled=yes
add chain=forward disabled=yes out-interface=ether1-gateway
add action=drop chain=forward disabled=yes
add chain=input-vlan2 disabled=yes dst-port=53 protocol=tcp
add chain=input-vlan2 disabled=yes dst-port=53 protocol=udp
add chain=input-vlan2 disabled=yes dst-port=67 protocol=udp
add chain=input-vlan2 disabled=yes dst-port=68 protocol=udp
add action=drop chain=input comment="drop ssh brute forcers" disabled=yes dst-port=22 protocol=tcp src-address-list=ssh_blacklist
add action=add-src-to-address-list address-list=ssh_blacklist address-list-timeout=1w3d chain=input connection-state=new disabled=yes dst-port=22 protocol=tcp src-address-list=ssh_stage3
add action=add-src-to-address-list address-list=ssh_stage3 address-list-timeout=1m chain=input connection-state=new disabled=yes dst-port=22 protocol=tcp src-address-list=ssh_stage2
add action=add-src-to-address-list address-list=ssh_stage2 address-list-timeout=1m chain=input connection-state=new disabled=yes dst-port=22 protocol=tcp src-address-list=ssh_stage1
add action=add-src-to-address-list address-list=ssh_stage1 address-list-timeout=1m chain=input connection-state=new disabled=yes dst-port=22 protocol=tcp
/ip firewall nat
add action=dst-nat chain=dstnat dst-port=53 protocol=tcp src-address=192.168.3.0/24 to-addresses=208.67.222.222
add action=dst-nat chain=dstnat dst-port=53 protocol=udp src-address=192.168.3.0/24 to-addresses=208.67.222.222
add action=dst-nat chain=dstnat comment="CCTV Port Forward" dst-port=8090 in-interface=ether1-gateway protocol=tcp src-port="" to-addresses=192.168.1.26 to-ports=8090
add action=dst-nat chain=dstnat dst-port=6767 in-interface=ether1-gateway protocol=tcp to-addresses=192.168.1.26 to-ports=6767
add action=dst-nat chain=dstnat dst-port=6868 in-interface=ether1-gateway protocol=tcp to-addresses=192.168.1.26 to-ports=6868
add action=dst-nat chain=dstnat dst-port=6767 in-interface=ether1-gateway protocol=udp to-addresses=192.168.1.26 to-ports=6767
add action=dst-nat chain=dstnat dst-port=6868 in-interface=ether1-gateway protocol=udp to-addresses=192.168.1.26 to-ports=6868
add action=masquerade chain=srcnat comment="Hairpin Nat" dst-address=192.168.1.26 dst-port=8090 out-interface=ether2-local protocol=tcp src-address=192.168.1.0/24
add action=dst-nat chain=dstnat comment="Hairpin Nat" dst-address-type=local dst-port=8090 protocol=tcp to-addresses=192.168.1.26
add action=masquerade chain=srcnat comment="default configuration" out-interface=ether1-gateway to-addresses=0.0.0.0
/ip neighbor discovery
set ether1-gateway disabled=yes
set ether3-vlan1 disabled=yes
set ether4-vlan2 disabled=yes
set bridge-vlan1 disabled=yes
set bridge-vlan2 disabled=yes
set vlan-vlan1-ether5 disabled=yes
set vlan-vlan2-ether5 disabled=yes

Which version are you running?

check:

What’s new in 6.7rc1 (2013-Nov-19 11:17):

*) ipsec - fix policy bypass on IPv6 gre, ipip, eoip tunnels;
*) userman - fix crash on tilera;
*) fixed hairpin nat on bridge with use-ip-firewall=yes;
*) fixed vlan on bridge after reboot having 00:00:00:00:00:00 mac address;
*) address-list - allow manually adding timeoutable entries;
*) address-list - show dynamic entry timeout;


What’s new in 6.6 (2013-Nov-07 13:04):

*) winbox - fixed problem where all previous session opened windows were read only;
*) certificate - no more ‘reset-certificate-cache’ and ‘decrypt’ commands,
private keys can be decrypted only on ‘import’, use ‘decrypt’ before upgrade if needed;
*) fixed arp-reply only with more than one ip address on interface;
*) fixed RB400 not to reboot by watchdog during micro-sd format;
*) web proxy - fix SPDY server push handling;
*) certificate - merged ‘/certificate ca issued’, ‘/certificate scep client’ and
‘/certificate templates’ into ‘/certificate’;
*) console - :foreach command can iterate over keys and values in an array,
by specifying two counter variables, e.g.:
:foreach k,v in=[/system clock get] do={:put “$k is $v”};
*) added support for new Intel 10Gb ethernet cards (82599);
*) certificates - fixed certificate import;
*) wireless - fixed crash when dfs was enabled on pre-n wireless cards;
*) fixed port flapping on CCR;


What’s new in 6.5 (2013-Oct-16 15:32):

*) tftp - added data packet pipelining for read requests;
*) console - exported physical interface configuration uses ‘default-name’
instead of item number to match relevant interface;
*) console - report all constituent errors for parameters with multiple
alternative value types;
*) certificates - merge ‘/certificate ca’ into ‘/certificate’, use set-ca-passphrase to maintain CA functionality;
*) lcd - backlight option is replaced with “/lcd backlight” command
*) dhcp server - added option to disable conflict-detection;
*) console - ‘:return’ does not trigger ‘on-error=’ action of ‘:do’ command;
*) route - fixed crash that could be triggered by change in nexthop
address resolution;
*) route - some imported VPNv4 routes were not using MPLS labels;
*) route - imported VPNv4 routes were not always updated or removed when
the original route changed;
*) winbox - fixed problem where all settings were read only on first open;
*) ovpn server - use only ciphers that are allowed not that client requested;
*) ssh client - fixed public key authentication;
*) ipsec - fix peer matching with non byte aligned masks;
*) fix routerboot upgrading if RouterOS is partitioned;
*) add support for second serial port on CCR boards;
*) fix serial port baudrate selection on CCR boards;
*) ethernet interface stats that are behind switch chip
show real hw stats instead of just the traffic that goes through cpu;


What’s new in 6.4 (2013-Sep-12 13:52):

*) wireless - improved 802.11n wireless retransmission (doesn’t affect nstreme/nv2)
*) ovpn - allow to specify server via dns name;
*) winbox - fixed problem where ipv6 routes with non local link address gateway
could not be added;
*) fixed watchdog on mipsle boards;
*) traceroute - added count & max-hops parameters;
*) traceroute - added back use-dns parameter;
*) fixed usb Yota LTE modem hangup;
*) console - make newly added item names always immediately available;
*) graphing - make sure that interface graphs gets preserved across reboots;

What’s new in 6.3 (2013-Sep-03 12:25):

*) ssh - fixed denial of service;
*) traceroute - show mpls labels as well;
*) bug fix - sometimes some new interfaces could not be created properly any more (f.e. some pppoe clients could not connect);
*) console - added ‘/console clear-history’ command that clears command-line
history for all users, requires ‘policy’ policy;
*) sstp - limit packet queue for each device;
*) RB2011L - fixed occasional gigabit switch-chip lockup;
*) user manager - will warn on 1MB and stop before reaching minimum of 500KB disk space;
*) hotspot - do not account traffic to local hotspot pages;
*) ppp, hotspot - added ability to specify where to insert rate limiting queue,
it’s parent and type;
*) pptp, l2tp, sstp - allow to specify server via dns name;
*) dhcp - added ability to specify where to insert rate limiting queue;
*) www proxy - support ipv6 parent proxy;
*) webfig - fixed problem when opening quickset page country
was automatically changed to etsi;
*) traceroute - added mtr like pinging;
*) fix queues - correct queue was not installed when last child removed;
*) fix simple queues - sometimes some simple queues would stop
working after configuration changes;
*) console - fixed issue with local variables having non-empty value
before first assignment;
*) console - fixed command “:global name” without second argument to not
create or change global variable “name”, only effect is to make “name”
refer to global variable.
*) console - fixed passing local variables as argument to function;
*) RB1200 - fixed crash when receiving over l2mtu size packets
on some ethernet interfaces;

What’s new in 6.2 (2013-Aug-02 10:37):

*) console - added “on-error” argument to ‘:do’ command that is executed
if command raises error;
*) hotspot - fixed chap error after failed http-chap login (broken in v6.1);
*) console - added new ‘:return’ command that interrupts execution of script
and passes argument as return value if script was called as function;
*) routerboot - fixed upgrade from RouterOS (could fail on some units);
*) userman - fixed payment gateway response notify processing;
*) console - resolved issue with ‘from-pool’ property in ‘/ipv6 address’;
*) console - array value syntax in expressions ‘{1;2;3;4}’ now can
specify values with word keys as ‘{a=1;b=2}’;
*) console - added ‘verbose’ argument to ‘/import’ command that enables
line-by-line script import. By default import whole script at once
and don’t print it, as it was in version 6.0;
*) console - ‘:global’, ‘:local’ and ‘:set’ commands have new parameter ‘do’
that allows assigning block of commands to the variable;
*) console - global variables now are common to all users and are
available to all users with at least “read,write,test,policy” policy;
*) console - fixed parameter passing to scripts. Script parameters can
be accessed without declaring them with ‘:local’ and ‘:global’ commands.
For backwards compatibility global variables are first looked up in
script parameters;
*) console - ‘$var 1 2 a=“a” b=“b”’ syntax for passing parameters to commands
stored in a variable. Parameters are accessed as ‘$1’ ‘$2’ ‘$a’ ‘$b’;
*) ipsec - fixed peer address matching;
*) ups - query smart ups capabilities before issuing any commands;
*) improved CCR responsiveness on other interfaces when one interface is under attack;
*) sms tool - added sim-pin setting;
*) dhcp server - framed routes are now also added to the server routing table;
*) dhcpv6 server - added binding-script option;
*) proxy - allow multiple src-address for ipv4 and ipv6;
*) eoip,gre tunnels could occasionally crash multicore router;
*) fixed bug - sometimes some types of interfaces would stop working;
*) ipsec sometimes could crash kernel on CCR;
*) connection tracking sometimes could crash kernel on CCR;
*) ppp,pptp,l2tp,sstp - added default-route-distance parameter;
*) scep - “/cert scep ra” merged into “/cert scep client” without saving ra config;
*) ipsec - fix phase1 autonegotiation on little endian platforms;
*) pppoe server - allow service with empty service-name to accept all pppoe clients;
*) lcd - current-screen option is replaced with “/lcd show” command
*) lcd - current-interface option is replaced with “/lcd interface display” command
*) graphing - make graphs stable on ppp & ovpn interfaces;
*) www, hotspot - fixed problem when www service stopped responding on high load;
*) winbox, webfig: allow to enter space in the text fields;
*) webfig - fixed configuration of VPLS & routing filters;
*) lcd - added option for enabling or disabling the touch screen;
*) lcd - added options for screen switching;
*) lcd - up to 10 non-physical interfaces can now be added to the lcd;
*) lcd - all interface graph screen can now be customized from /lcd interface page;
*) backup - changed default backup file name to - -.backup for file browsers to sort them properly;
*) webfig - it did not work in Opera;
*) webfig - made terminal work again;
*) winbox - added ability to fully set up traffic generator in winbox;
*) trafficgen - allow ranges for ip addrs and udp ports;
*) trafficgen - add tcp header support;
*) queue simple - fixed bug - actual queue order sometimes was wrong;
*) queue simple - queue is not invalid when at least one of target interfaces is up;
*) fixed crash when setting master-port on AR8327 switch chips;
*) fixed addresslist - dynamic entries sometimes would still
show up even after being timed out;
*) added /ip settings allow-hw-fast-path setting to control AR8327N hardware ipv4 fast path;
*) vrrp - allow more than one vrrp on interface;

What’s new in 6.1 (2013-Jun-12 11:50):

*) pptp, l2tp - fixed crash when tunnel mru was too big and fragmented ip packet
was received;
*) hotspot - fixed problem when after upgrade hotspot html directory was empty;
*) ipv6 nd - dns dynamic-servers were not included in router advertisements;
*) winbox - fixed problem Switch menu disappeared on RB2011;
*) fixed memory amount issue on RB1100AHx2;
*) console - ‘/import’ prints each command that is executed;
*) console - ‘import’ has new argument ‘from-line’ that starts executing
commands after specified line;
*) secure api - fixed problem when wrong client ip address was reported;
*) hotspot - fixed universal client;
*) api - added support for API over TLS (SSL);
*) api - api service is now enabled by default;
*) ppp - do not show R flag for locally authenticated users;
*) vrrp - fixed ah authentication;
*) webfig - added support for RADIUS authentication (via MS-CHAPv2);
*) ipsec - for peers with full IP address specified system will
autostart ISAKMP SA negotiation;
*) trafficgen - added inject-pcap command for replaying pcap files into network;
*) dns - retry queries with tcp if truncated results received;
*) improved queue statistics updating;
*) fix 1G linking with some Cisco devices (affects RB7xx, RB9xx, RB1100, RB2011, CCR);

What’s new in 6.0 (2013-May-17 14:04):

*) ipsec - added /peer passive option which will prevent starting ISAKMP negotiation
and signifies xauth responder/initiator side;
*) RouterBOARD - default wireless config now includes password - serial number;
*) lte - support YOTA WLTUBA-107;
*) console - fixed crash when variable name was not specified for
‘:global’, ‘:local’, ‘:set’, ‘:for’ and ‘:foreach’ commands;
*) hotspot - added mac-cookie login method;
http://wiki.mikrotik.com/wiki/Manual:Hotspot_Introduction#MAC_Cookie
*) lcd - show a message when system shutdown is complete;
*) lcd - added Log screen which is accessible through the Main Menu
and shows log messages where action=echo;
*) ipsec - added pre-shared-key-xauth and rsa-signature-hybrid
authentication methods;
*) increased max l2mtu on CCR to 10226 bytes;
*) fixed crash on RB1200;
*) fixed bonding - did not work after remove, undo;
*) fixed queues - router could become unresponsive when configuring queues;

I am on version 5.26.

What version is most stable right now?

Do I have to upgrade to 6.7 in order for this to work?

Thanks.

What hardware are you on?

Why is this disabled?
add chain=input disabled=yes in-interface=bridge-local

Also this looks odd…
add action=masquerade chain=srcnat comment=“default configuration”
out-interface=ether1-gateway to-addresses=0.0.0.0

Eric, the whole firewall looks odd! It was disabled because it was not working enabled, and then I just disabled the whole thing.

Your other thing that you said looks odd… isn’t that the default masquerade rule?

Maybe we can take this one thing at a time and I can learn something and it might help someone else out.

I’ll look through the whole thing in a bit from my laptop. Can you post the export of just the firewall inside of the code tags…

Sent from my SCH-I545 using Tapatalk

Also what was it doing wrong? I’m pretty sure I remember what you want, but could you post the basic parameters you need? Eg what you want it to do?


I could not get the hairpin nat to work, and something in the firewall was preventing me from getting internet access, so I had to totally disable it.

Here is what I am trying to accomplish, and have working so far, except for the firewall:

  • wan on port 1
  • lan on port 2
  • vlan1 on port 3 (guest)
  • vlan2 of port 4 (kids)
  • trunk of lan, vlan1 & vlan2 on port 5
  • camera system on port 8090 with address 192.168.1.26
  • hairpin nat for camera system (this is NOT working)

I would like the firewall to:

  • provide good overall protection, with default drop rule, etc
  • provide protection against floods (like I have now, unless you know a better way, but I think it’s in the wrong place)
  • separate the lan, vlan1, & vlan2 so they are secure from one another
  • force vlan2 to only use opendns dns servers 208.67.222.222 (like we talked about)
  • allow hairpin nat

Here is the current firewall:
/ip firewall filter
add chain=input comment="default configuration" protocol=icmp
add chain=input comment="default configuration" connection-state=established
add chain=input comment="default configuration" connection-state=related
add chain=input comment=vpn dst-port=1723 protocol=tcp
add chain=input comment=vpn protocol=gre
add action=drop chain=input comment="default configuration" connection-state=invalid disabled=yes in-interface=ether1-gateway
add action=jump chain=input disabled=yes in-interface=bridge-vlan1 jump-target=input-vlan2
add action=jump chain=input disabled=yes in-interface=bridge-vlan2 jump-target=input-vlan2
add chain=input disabled=yes in-interface=bridge-local
add action=drop chain=input disabled=yes
add chain=forward disabled=yes out-interface=ether1-gateway
add action=drop chain=forward disabled=yes
add chain=input-vlan2 disabled=yes dst-port=53 protocol=tcp
add chain=input-vlan2 disabled=yes dst-port=53 protocol=udp
add chain=input-vlan2 disabled=yes dst-port=67 protocol=udp
add chain=input-vlan2 disabled=yes dst-port=68 protocol=udp
add action=drop chain=input comment="drop ssh brute forcers" disabled=yes dst-port=22 protocol=tcp src-address-list=ssh_blacklist
add action=add-src-to-address-list address-list=ssh_blacklist address-list-timeout=1w3d chain=input connection-state=new disabled=yes dst-port=22 protocol=tcp src-address-list=ssh_stage3
add action=add-src-to-address-list address-list=ssh_stage3 address-list-timeout=1m chain=input connection-state=new disabled=yes dst-port=22 protocol=tcp src-address-list=ssh_stage2
add action=add-src-to-address-list address-list=ssh_stage2 address-list-timeout=1m chain=input connection-state=new disabled=yes dst-port=22 protocol=tcp src-address-list=ssh_stage1
add action=add-src-to-address-list address-list=ssh_stage1 address-list-timeout=1m chain=input connection-state=new disabled=yes dst-port=22 protocol=tcp
/ip firewall nat
add action=dst-nat chain=dstnat dst-port=53 protocol=tcp src-address=192.168.3.0/24 to-addresses=208.67.222.222
add action=dst-nat chain=dstnat dst-port=53 protocol=udp src-address=192.168.3.0/24 to-addresses=208.67.222.222
add action=dst-nat chain=dstnat comment="CCTV Port Forward" dst-port=8090 in-interface=ether1-gateway protocol=tcp src-port="" to-addresses=192.168.1.26 to-ports=8090
add action=dst-nat chain=dstnat dst-port=6767 in-interface=ether1-gateway protocol=tcp to-addresses=192.168.1.26 to-ports=6767
add action=dst-nat chain=dstnat dst-port=6868 in-interface=ether1-gateway protocol=tcp to-addresses=192.168.1.26 to-ports=6868
add action=dst-nat chain=dstnat dst-port=6767 in-interface=ether1-gateway protocol=udp to-addresses=192.168.1.26 to-ports=6767
add action=dst-nat chain=dstnat dst-port=6868 in-interface=ether1-gateway protocol=udp to-addresses=192.168.1.26 to-ports=6868
add action=masquerade chain=srcnat comment="Hairpin Nat" dst-address=192.168.1.26 dst-port=8090 out-interface=ether2-local protocol=tcp src-address=192.168.1.0/24
add action=dst-nat chain=dstnat comment="Hairpin Nat" dst-address-type=local dst-port=8090 protocol=tcp to-addresses=192.168.1.26
add action=masquerade chain=srcnat comment="default configuration" out-interface=ether1-gateway to-addresses=0.0.0.0

Thanks Eric.

Alright... here it is... There were some random errors in it. Try this out and we'll see how it works. You may want to add it a piece at a time.
/ip firewall filter

INPUT CHAIN

add chain=input comment="Connection State - Established" connection-state=established
add chain=input comment="Connection State - Related" connection-state=related
add action=drop chain=input comment="Connection State - Invalid" connection-state=invalid

add action=jump chain=input comment="ICMP - From Internet - Jump" in-interface=ether1-gateway jump-target=ICMP protocol=icmp
add chain=input comment="ICMP - From Local" protocol=icmp in-interface=!ether1-gateway

add action=drop chain=input comment="TCP - Syn Flood Suppression - Drop SynFlood" src-address-list=SynFlood
add action=add-src-to-address-list address-list=SynFlood address-list-timeout=30m chain=input comment="TCP - Syn Flood Detection - Add To SynFlood (30 Connections Per IP Address)" connection-limit=30,32 protocol=tcp tcp-flags=syn
add action=drop chain=input comment="TCP - Port Scan Detection - Drop Port Scans (21,3s,3,1)" protocol=tcp psd=21,3s,3,1
add action=tarpit chain=input comment="TCP - DoS Attack Suppression - Tarpit BlackList (3 Connections Per IP Address)" connection-limit=3,32 protocol=tcp src-address-list=BlackList
add action=add-src-to-address-list address-list=BlackList address-list-timeout=1d chain=input comment="TCP - DoS Attack Detection - Add to BlackList for 1d (10 Connections per IP Address)" connection-limit=10,32 protocol=tcp

add chain=input comment="SSH Brute Force" in-interface=ether1-gateway dst-port=22 protocol=tcp action=jump jump-target=sshBruteforce

add chain=input comment="Allow Local" in-interface=bridge-local
add action=jump chain=input comment="VLAN1 Traffic Jump" in-interface=bridge-vlan1 jump-target=vlan1
add action=jump chain=input comment="VLAN2 Traffic Jump" in-interface=bridge-vlan2 jump-target=vlan2

add action=jump chain=input comment="VPN Traffic" in-interface=ether1-gateway jump-target=vpn

add action=drop chain=input comment="Default Drop"

FORWARD

add chain=forward comment="Connection State - Established" connection-state=established
add chain=forward comment="Connection State - Related" connection-state=related
add action=drop chain=forward comment="Connection State - Invalid" connection-state=invalid
add chain=forward comment="Forward to Ether1-Gateway" out-interface=ether1-gateway
add chain=forward comment="DST NAT - Port 8090" dst-port=8090 dst-address=192.168.1.26
add chain=forward comment="DST NAT - Port 6767" dst-port=6767 dst-address=192.168.1.26
add chain=forward comment="DST NAT - Port 6868" dst-port=6868 dst-address=192.168.1.26
add action=drop comment="Default Drop" chain=forward

OUTPUT

VLAN1

add chain=vlan1 comment="VLAN1 DNS TCP" dst-port=53 protocol=tcp
add chain=vlan1 comment="VLAN1 DNS UDP" dst-port=53 protocol=udp
add chain=vlan1 comment="DHCP Port 67" dst-port=67 protocol=udp
add chain=vlan1 comment="DHCP Port 68" dst-port=68 protocol=udp

VLAN2

add chain=vlan2 comment="DHCP Port 67" dst-port=67 protocol=udp
add chain=vlan2 comment="DHCP Port 68" dst-port=68 protocol=udp

VPN

add chain=vpn comment="VPN Traffic" dst-port=1723 protocol=tcp
add chain=vpn comment="VPN Traffic" protocol=gre

ICMP

add chain=ICMP comment="ICMP - Allow Echo Reply (0:0-255), Limit 5pps" icmp-options=0 limit=5,5 protocol=icmp
add chain=ICMP comment="ICMP - Allow Destination Unreachable (3:0-255), Limit 5pps" icmp-options=3 limit=5,5 protocol=icmp
add chain=ICMP comment="ICMP - Allow Source Quench (4:0), Limit 5pps" icmp-options=4 limit=5,5 protocol=icmp
add chain=ICMP comment="ICMP - Allow Echo Request (8:0), Limit 5pps" icmp-options=8 limit=5,5 protocol=icmp
add chain=ICMP comment="ICMP - Allow Time Exceeded (11:0), Limit 5pps" icmp-options=11 limit=5,5 protocol=icmp
add chain=ICMP comment="ICMP - Allow Parameter Problem (12:0), Limit 5pps" icmp-options=12 limit=5,5 protocol=icmp
add action=drop chain=ICMP comment="ICMP - Drop All Others" protocol=icmp

SSH

add action=drop chain=sshBruteforce src-address-list=ssh_blacklist
add action=add-src-to-address-list address-list=ssh_blacklist address-list-timeout=1w3d chain=sshBruteforce src-address-list=ssh_stage3
add action=add-src-to-address-list address-list=ssh_stage3 address-list-timeout=1m chain=sshBruteforce src-address-list=ssh_stage2
add action=add-src-to-address-list address-list=ssh_stage2 address-list-timeout=1m chain=sshBruteforce src-address-list=ssh_stage1
add action=add-src-to-address-list address-list=ssh_stage1 address-list-timeout=1m chain=sshBruteforce protocol=tcp
/ip firewall nat

DST-NAT

add action=dst-nat comment="DNS TCP for VLAN2" chain=dstnat dst-port=53 protocol=tcp in-interface=bridge-vlan2 to-addresses=208.67.222.222
add action=dst-nat comment="DNS UDP for VLAN2" chain=dstnat dst-port=53 protocol=udp in-interface=bridge-vlan2 to-addresses=208.67.222.222

add action=dst-nat chain=dstnat comment="Port 8090 Forward" dst-port=8090 dst-address-type=local protocol=tcp to-addresses=192.168.1.26
add action=dst-nat chain=dstnat comment="Port 6767 Forward" dst-port=6767 dst-address-type=local protocol=tcp to-addresses=192.168.1.26
add action=dst-nat chain=dstnat comment="Port 6868 Forward" dst-port=6868 dst-address-type=local protocol=tcp to-addresses=192.168.1.26

SRC-NAT

add chain=srcnat comment="Hairpin Port 8090" src-address=192.168.1.0/24 dst-address=192.168.1.26 protocol=tcp dst-port=8090 out-interface=bridge-local action=masquerade
add chain=srcnat comment="Hairpin Port 6767" src-address=192.168.1.0/24 dst-address=192.168.1.26 protocol=tcp dst-port=6767 out-interface=bridge-local action=masquerade
add chain=srcnat comment="Hairpin Port 6868" src-address=192.168.1.0/24 dst-address=192.168.1.26 protocol=tcp dst-port=6868 out-interface=bridge-local action=masquerade

add action=masquerade chain=srcnat comment="Masquerade" out-interface=ether1-gateway

Eric, thank you. I am going to go over this in detail and respond to each thing you did. I want to see if I understand it to the point of doing it myself. It looks great. You took the time to label things and make them readable.

I will give it a try tomorrow and let you know, and also write back with my comments and maybe you can let me know if I got it right.

Sounds good…


I forgot about the routeros version… which is the MOST stable? Right now I am still on 5.26. I am looking for rock solid with no bugs, so if I need to stay on 5.26 I will.

Eric,

I went through your firewall. I fixed a few typos that were causing install errors and I’ll post the final working firewall with the changes tomorrow.

The only error I am having a problem with now is:

[admin@MikroTik] /ip firewall filter> add chain=forward comment="DST NAT - Port 8090" dst-port=8090 dst-address=192.168.1.26
failure: ports can be specified if proto is tcp or udp
[admin@MikroTik] /ip firewall filter> add chain=forward comment="DST NAT - Port 6767" dst-port=6767 dst-address=192.168.1.26
failure: ports can be specified if proto is tcp or udp
[admin@MikroTik] /ip firewall filter> add chain=forward comment="DST NAT - Port 6868" dst-port=6868 dst-address=192.168.1.26
failure: ports can be specified if proto is tcp or udp

Do you know what this means?

Yeah… add protocol=tcp… totally forgot it.

I added the protocol and it loaded successfully.

It seems that the port forwarding is NOT working. When I do a port check to see if port 8181 is open, it is closed. What do you think is the issue?

8181? What port is that?.. I didn’t have a forward for that one…

I’m losing my mind! I mean 8090

Post your most recent export. So it isn’t working? Just that part?
