Need recommendations and help configuring a network

Greetings,

I am trying to achieve the following (hope my diagram is clear enough):

[Attached image: Untitled Diagram.png]
At the moment, communication with 10.0.0.X and 172.16.0.X is working, along with internet access, but I doubt I am using best practices or an optimal configuration, as I am only using an IP address list, a bridge and routes. Also, one issue that I have is that I cannot seem to configure port forwarding correctly: all the connections to a port, for example 3389, to a server in the 10.0.0.X range go immediately to an external client address (not my public IP address).

I am aware that I need to make modifications to my configuration. I was told to use VLANs to route traffic correctly and, after reading on the subject, I noticed that it was preferable to use bridge VLANs.

This is where I am struggling: I have no real idea where to start, this is my first time using VLANs, and this is where I need help.

The way I understand it, 172.16.0.X should be isolated, as well as 10.0.0.X, to be able to identify traffic properly (correct me if I am wrong).

May anyone help me in setting this up please?

If you have any question, please let me know, I will do my best to answer them.

Additional information:

  • The firewall is a WatchGuard T15
  • The MikroTik is a hEX router

Thank you for your time and help, it is greatly appreciated.

Can you forward ports on the firewall ???
Assuming yes, then you need to do that for all the port forwardings you wish to accomplish.
The MT can also accept NON-standard ports and convert them to the port you require at the server.

Then you have to apply port forwarding on the MT.
https://forum.mikrotik.com/viewtopic.php?t=179343

Give it a whirl… the next step is to provide a working config
/export file=anynameyouwish ( minus router serial number and any public WANIP info )

Greetings,

Thank you for your answer!

I am currently reading the link that you posted, as additional information, I can provide the following:

  • Ports are already forwarded in the WatchGuard (firewall), both in and out.
  • I will also provide the requested config as soon as possible (I am not home at the moment).
  • In the MikroTik, I see the following when I try to access port 3389 (example with an external network):

[Attached image: Screenshot 2023-08-02 172316.png]
I will keep reading and doing some tests later today, and I will post an update on my progress, but please consider that I am not an expert; I might still need help figuring this out.

Thank you again for your time and help, it is greatly appreciated.

One of my favourite movie lines.

HELP ME, HELP YOU. :slight_smile:

Greetings,

Here is the actual configuration. Please note that I made a lot of tests, so there might be irrelevant lines or some that are no longer needed:


# 2023-08-02 17:49:18 by RouterOS 7.10.2
# software id = CENSORED (unsure)
#
# model = RB750Gr3
# serial number = CENSORED (serial number)
/interface bridge
add admin-mac=CENSORED (MAC) auto-mac=no comment=defconf name=bridge
add name=bridge-access
/interface ethernet
set [ find default-name=ether5 ] name=ether5-access
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
add name=Trusted
/interface lte apn
set [ find default=yes ] ip-type=ipv4 use-network-apn=no
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip firewall layer7-protocol
add name=CENSORED (domain name) regexp=CENSORED (domain name)
/ip pool
add name=dhcp ranges=10.0.0.200-10.0.0.249
/ip dhcp-server
add address-pool=dhcp interface=bridge lease-time=1d name=defconf relay=\
    255.255.255.255
/port
set 0 name=serial0
/routing bgp template
set default disabled=no output.network=bgp-networks
/routing ospf instance
add disabled=no name=default-v2
/routing ospf area
add disabled=yes instance=default-v2 name=backbone-v2
/interface bridge port
add bridge=bridge comment=defconf ingress-filtering=no interface=ether4
add bridge=bridge comment=defconf ingress-filtering=no interface=ether3
add bridge=bridge comment=defconf ingress-filtering=no interface=ether2
/ip neighbor discovery-settings
set discover-interface-list=all
/ipv6 settings
set disable-ipv6=yes max-neighbor-entries=8192
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=ether1 list=WAN
add interface=ether5-access list=Trusted
/interface ovpn-server server
set auth=sha1,md5
/ip address
add address=10.0.0.1/8 comment=defconf interface=bridge network=10.0.0.0
add address=10.0.6.0/8 interface=bridge network=10.0.0.0
add address=172.16.6.0/12 interface=bridge network=172.16.0.0
add address=192.168.5.1/24 interface=ether5-access network=192.168.5.0
/ip dhcp-client
add comment=defconf interface=ether1
/ip dhcp-server
add address-pool=dhcp disabled=yes interface=*7 lease-time=10m name=dhcp1
/ip dhcp-server lease
CENSORED (static IPs)
/ip dhcp-server network
add address=10.0.0.0/8 dns-server=172.16.0.1 gateway=10.0.0.1
/ip dns
set allow-remote-requests=yes servers=CENSORED (external IP),172.16.0.1
/ip dns static
add address=10.0.0.1 comment=defconf name=router.lan
/ip firewall filter
add action=accept chain=forward disabled=yes
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment=\
    "defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
    in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
    ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
    ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
    connection-state=established,related hw-offload=yes
add action=accept chain=forward comment=\
    "defconf: accept established,related, untracked" connection-state=\
    established,related,untracked
add action=accept chain=forward connection-nat-state=dstnat protocol=tcp
add action=accept chain=forward disabled=yes dst-port=21,49152-65534 \
    protocol=tcp
add action=accept chain=input src-address-list=Authorized
add action=accept chain=input in-interface=ether5-access src-address=\
    192.168.5.55
add action=accept chain=input in-interface=ether5-access src-address=\
    192.168.5.0/24
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
add action=drop chain=forward comment=\
    "defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
    connection-state=new in-interface-list=WAN
add action=accept chain=input disabled=yes src-address-list=Authorized
add action=accept chain=input disabled=yes src-address-list=Authorized
add action=accept chain=input disabled=yes in-interface=ether5-access \
    src-address=192.168.5.55
add action=accept chain=input disabled=yes src-address-list=Authorized
add action=accept chain=input disabled=yes in-interface=ether5-access \
    src-address=192.168.5.55
add action=accept chain=input disabled=yes in-interface=ether5-access \
    src-address=192.168.5.0/24
add action=accept chain=input disabled=yes src-address-list=Authorized
add action=accept chain=input disabled=yes in-interface=ether5-access \
    src-address=192.168.5.55
/ip firewall mangle
add action=mark-connection chain=prerouting dst-address=10.0.0.1 dst-port=53 \
    layer7-protocol=CENSORED (domain name) new-connection-mark=\
    CENSORED (domain name)-forward passthrough=yes protocol=tcp
add action=mark-connection chain=prerouting dst-address=10.0.0.1 dst-port=53 \
    layer7-protocol=CENSORED (domain name) new-connection-mark=\
    CENSORED (domain name)-forward passthrough=yes protocol=udp
/ip firewall nat
add action=masquerade chain=srcnat dst-address=10.0.0.0/8 src-address=\
    10.0.0.0/8
add action=masquerade chain=srcnat
add action=dst-nat chain=dstnat comment=HTTP/HTTPS dst-port=80 \
    in-interface-list=WAN protocol=tcp to-addresses=10.0.0.32 to-ports=80
add action=dst-nat chain=dstnat dst-port=443 in-interface-list=WAN protocol=\
    tcp to-addresses=10.0.0.32 to-ports=443
add action=dst-nat chain=dstnat comment=MySQL dst-address=172.16.0.1 \
    dst-port=3306 protocol=tcp src-port="" to-addresses=10.0.0.32 to-ports=\
    3306
add action=dst-nat chain=dstnat comment=Mail dst-address=172.16.0.1 dst-port=\
    465 protocol=tcp to-addresses=10.0.0.32
add action=dst-nat chain=dstnat dst-address=172.16.0.1 dst-port=587 protocol=\
    tcp to-addresses=10.0.0.32
add action=dst-nat chain=dstnat dst-address=172.16.0.1 dst-port=143 protocol=\
    tcp to-addresses=10.0.0.32
add action=dst-nat chain=dstnat dst-address=172.16.0.1 dst-port=25 protocol=\
    tcp to-addresses=10.0.0.32 to-ports=25
add action=dst-nat chain=dstnat comment=Synology dst-address=172.16.0.1 \
    dst-port=5001 protocol=tcp to-addresses=10.0.5.0
add action=dst-nat chain=dstnat comment=RDP dst-port=3389 in-interface=bridge \
    protocol=tcp to-addresses=10.0.0.70 to-ports=3389
add action=dst-nat chain=dstnat dst-port=3390 in-interface=bridge protocol=\
    tcp to-addresses=10.0.0.32 to-ports=3390
add action=dst-nat chain=dstnat dst-port=3391 in-interface=bridge port="" \
    protocol=tcp to-addresses=10.0.0.71 to-ports=3391
add action=dst-nat chain=dstnat comment=FTP disabled=yes dst-address=\
    172.16.0.1 dst-port=49152-65534 protocol=tcp to-addresses=10.0.0.32 \
    to-ports=49152-65534
add action=dst-nat chain=dstnat dst-address=172.16.0.1 dst-port=21 protocol=\
    tcp to-addresses=10.0.0.32
add action=dst-nat chain=dstnat connection-mark=CENSORED (domain name)-forward \
    disabled=yes to-addresses=172.16.0.1
add action=masquerade chain=srcnat connection-mark=CENSORED (domain name)-forward \
    disabled=yes
add action=dst-nat chain=dstnat disabled=yes dst-port=53 in-interface-list=\
    WAN protocol=tcp to-addresses=172.16.0.1
add action=masquerade chain=srcnat comment="defconf: masquerade" \
    ipsec-policy=out,none out-interface-list=WAN
/ip route
add disabled=no distance=1 dst-address=172.16.0.0/12 gateway=10.0.0.254 \
    pref-src="" routing-table=main scope=30 suppress-hw-offload=no \
    target-scope=10
add disabled=no dst-address=0.0.0.0/0 gateway=10.0.0.254
add disabled=yes distance=1 dst-address=CENSORED (external IP)/32 gateway=10.0.0.254 \
    pref-src="" routing-table=main scope=30 suppress-hw-offload=no \
    target-scope=10
add disabled=no dst-address=17.16.0.1/32 gateway=10.0.0.254
/routing bfd configuration
add disabled=no
/system clock
set time-zone-name=America/Toronto
/system logging
add disabled=yes topics=debug
add disabled=yes topics=dns
/system note
set show-at-login=no
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=Trusted

I was not aware that you could add three addresses to the bridge?
How do devices know which subnet they belong to??
Not the usual config I am used to seeing, why the strange approach?

add address=10.0.0.1/8 comment=defconf interface=bridge network=10.0.0.0
add address=10.0.6.0/8 interface=bridge network=10.0.0.0
add address=172.16.6.0/12 interface=bridge network=172.16.0.0

Even worse why is the WAN address part of the bridge.???
add address=172.16.6.0/12 interface=bridge network=172.16.0.0

Forward chain is not used for port forwarding information…
add action=accept chain=forward disabled=yes dst-port=21,49152-65534 \
    protocol=tcp

Duplicate Entries?
add action=accept chain=input in-interface=ether5-access src-address=\
    192.168.5.55
add action=accept chain=input in-interface=ether5-access src-address=\
    192.168.5.0/24

Mangle rules for layer7, what??? Never seen that either.
What does this have to do with your setup??

Missing the out-interface=WAN or out-interface-list=WAN in the standard source NAT rule.
add action=masquerade chain=srcnat
Okay, that's another partial duplicate, and you can get rid of this complete line as you have the correct entry further down.

Dst NAT port forwarding rules will not work with in-interface-list=WAN, very much discussed in the article provided.
add action=dst-nat chain=dstnat comment=HTTP/HTTPS dst-port=80 \
    in-interface-list=WAN protocol=tcp to-addresses=10.0.0.32 to-ports=80

Not making any sense of your WAN situation, how many…

++++++++++++++++++++++++++++++++++++++++++++++++

I would get rid of any unneeded rules as they are really cluttering up the config.
The firewall rules, dst nat rules and source nat rules are a mess.

I think I can look at a more cleaned-up config. I recommend that you stick all the input chain rules together and then all the forward chain rules together…

You can’t dstnat through a routing layer like that. For a rule like this:


add action=dst-nat chain=dstnat comment=MySQL dst-address=172.16.0.1 \
dst-port=3306 protocol=tcp src-port="" to-addresses=10.0.0.32 to-ports=3306

…to work as expected, the RouterOS box would have to have 172.16.0.1 on its WAN port because it says, “When traffic comes to 172.16.0.1 on TCP port 3306, send it to the same port on host 10.0.0.32.” As your network is currently designed, the traffic arrives at the RouterOS box on a different 172.16.x.y address.

Now, if you have your “Firewall” box doing port-forwarding as well, you might simply be able to rewrite that as:


add action=dst-nat chain=dstnat comment=MySQL dst-address=172.16.0.2 \
dst-port=3306 protocol=tcp src-port="" to-addresses=10.0.0.32 to-ports=3306

That is, using the RouterOS box’s WAN-side IP as the dst-address, given here as 172.16.0.2 for the sake of the example, since you didn’t give it on your diagram. This will at least get the TCP SYN packet to your 10.0.0.32 server, but whether the reply survives through this double-NAT layer is a separate question.

Given all of the sensitive services you’re exposing to the big bad Internet, I wonder if what you want is a VPN to some secured remote site, not a bunch of port-forwards. I’d tell you this even if what you had now worked, because as a network admin, your proposed config scares the hell out of me.

tangent, that’s awful. I hate to see you scared, how can I help!

I’m not the one who needs help, it’s the one who’s exposing several unencrypted protocols — HTTP, SMTP, IMAP, inbound (!) DNS, and FTP — to the naked Internet. Add to that RDP and MySQL, both of which might be made secure, but so often are not that they’re perennial targets, particularly given that they’re high-value services.

This configuration says, “Yes, I would love to host a botnet today!”

I would like to know where the OP got his advice from to construct such a config??

Greetings,

As requested, I made a “cleaned-up”, working, and “far from optimal or according to best practices since I am learning” config.


# 2023-08-04 01:05:20 by RouterOS 7.10.2
# software id = 
#
# model = 
# serial number = 
/interface bridge
add admin-mac=08:55:31:91:1F:8E auto-mac=no comment=defconf name=bridge
/interface vlan
add interface=bridge name=vlan1 vlan-id=1
add interface=bridge name=vlan2 vlan-id=2
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
add name=VLAN
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip hotspot profile
set [ find default=yes ] html-directory=hotspot
/ip pool
add name=dhcp ranges=10.0.0.100-10.0.0.200
/ip dhcp-server
add address-pool=dhcp interface=bridge lease-time=10m name=defconf
/port
set 0 name=serial0
/interface bridge port
add bridge=bridge comment=defconf interface=ether2
add bridge=bridge comment=defconf interface=ether3
add bridge=bridge comment=defconf interface=ether4
add bridge=bridge comment=defconf interface=ether5
/ip neighbor discovery-settings
set discover-interface-list=LAN
/interface bridge vlan
add bridge=bridge vlan-ids=1
add bridge=bridge vlan-ids=2
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=ether1 list=WAN
add interface=vlan1 list=VLAN
add interface=vlan2 list=VLAN
/ip address
add address=10.0.0.1/8 interface=bridge network=10.0.0.0
add address=172.16.0.2/12 interface=ether1 network=172.16.0.0
/ip dhcp-client
add comment=defconf disabled=yes interface=ether1
/ip dhcp-server network
add address=10.0.0.0/8 comment=defconf dns-server=172.16.0.1 gateway=10.0.0.1 \
    netmask=8
/ip dns
set allow-remote-requests=yes servers=172.16.0.1
/ip dns static
add address=172.16.0.2 comment=defconf name=router.lan
/ip firewall filter
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment=\
    "defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
    in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
    ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
    ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
    connection-state=established,related hw-offload=yes
add action=accept chain=forward comment=\
    "defconf: accept established,related, untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
add action=drop chain=forward comment=\
    "defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
    connection-state=new in-interface-list=WAN
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" \
    ipsec-policy=out,none out-interface-list=WAN
/ip route
add disabled=no dst-address=0.0.0.0/0 gateway=172.16.0.1 routing-table=main \
    suppress-hw-offload=no
/ipv6 firewall address-list
add address=::/128 comment="defconf: unspecified address" list=bad_ipv6
add address=::1/128 comment="defconf: lo" list=bad_ipv6
add address=fec0::/10 comment="defconf: site-local" list=bad_ipv6
add address=::ffff:0.0.0.0/96 comment="defconf: ipv4-mapped" list=bad_ipv6
add address=::/96 comment="defconf: ipv4 compat" list=bad_ipv6
add address=100::/64 comment="defconf: discard only " list=bad_ipv6
add address=2001:db8::/32 comment="defconf: documentation" list=bad_ipv6
add address=2001:10::/28 comment="defconf: ORCHID" list=bad_ipv6
add address=3ffe::/16 comment="defconf: 6bone" list=bad_ipv6
/ipv6 firewall filter
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=accept chain=input comment="defconf: accept ICMPv6" protocol=\
    icmpv6
add action=accept chain=input comment="defconf: accept UDP traceroute" port=\
    33434-33534 protocol=udp
add action=accept chain=input comment=\
    "defconf: accept DHCPv6-Client prefix delegation." dst-port=546 protocol=\
    udp src-address=fe80::/10
add action=accept chain=input comment="defconf: accept IKE" dst-port=500,4500 \
    protocol=udp
add action=accept chain=input comment="defconf: accept ipsec AH" protocol=\
    ipsec-ah
add action=accept chain=input comment="defconf: accept ipsec ESP" protocol=\
    ipsec-esp
add action=accept chain=input comment=\
    "defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=input comment=\
    "defconf: drop everything else not coming from LAN" in-interface-list=\
    !LAN
add action=accept chain=forward comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
add action=drop chain=forward comment=\
    "defconf: drop packets with bad src ipv6" src-address-list=bad_ipv6
add action=drop chain=forward comment=\
    "defconf: drop packets with bad dst ipv6" dst-address-list=bad_ipv6
add action=drop chain=forward comment="defconf: rfc4890 drop hop-limit=1" \
    hop-limit=equal:1 protocol=icmpv6
add action=accept chain=forward comment="defconf: accept ICMPv6" protocol=\
    icmpv6
add action=accept chain=forward comment="defconf: accept HIP" protocol=139
add action=accept chain=forward comment="defconf: accept IKE" dst-port=\
    500,4500 protocol=udp
add action=accept chain=forward comment="defconf: accept ipsec AH" protocol=\
    ipsec-ah
add action=accept chain=forward comment="defconf: accept ipsec ESP" protocol=\
    ipsec-esp
add action=accept chain=forward comment=\
    "defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=forward comment=\
    "defconf: drop everything else not coming from LAN" in-interface-list=\
    !LAN
/system clock
set time-zone-name=America/Toronto
/system note
set show-at-login=no
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN

From what I could read, according to the provided links and other topics on the forums, I would need to use VLANs to “isolate” the subnets, which is something that was already suggested. I started the configuration but I do not know how to finish it, hence why I am still posting my configuration and asking for help once again. I think I need to set tagged and untagged ports and then activate VLAN filtering on the bridge.

Also, before you ask:

  • This is temporary, because if I use WAN as the out-interface-list, every internet communication is way slower:
    /ip firewall nat
    add action=masquerade chain=srcnat

I will also try to answer as many comments and/or questions as possible; sorry if I missed any:


I’m not the one who needs help, it’s the one who’s exposing several unencrypted protocols — HTTP, SMTP, IMAP, inbound (!) DNS, and FTP — to the naked Internet. Add to that RDP and MySQL, both of which might be made secure, but so often are not that they’re perennial targets, particularly given that they’re high-value services.

What are your recommendations to use and/or forward these ports to the outside then? I have a DB server, a web server and FTPS. I do admit that the FTP and the DNS were probably leftovers for testing purposes, so it was my mistake not to remove them sooner.


You can’t dstnat through a routing layer like that. For a rule like this:

add action=dst-nat chain=dstnat comment=MySQL dst-address=172.16.0.1 \
    dst-port=3306 protocol=tcp src-port="" to-addresses=10.0.0.32 to-ports=3306

That was a leftover test, since port forwarding was not working, I tried a lot of stuff.


I was not aware that you could add three addresses to the bridge?
How do devices know which subnet they belong too??
Not the usual config I am used to seeing, why the strange approach?

This is a mix of lack of knowledge and partial information from other network admins I spoke with. As I said above, I think VLAN is the way to resolve the subnet issue. This was also, originally, configured like that as a temporary measure to eventually learn and get some help with VLANs.


Even worse why is the WAN address part of the bridge.???
add address=172.16.6.0/12 interface=bridge network=172.16.0.0

I was told by someone working with Cisco routers that, since my WatchGuard (firewall) was in the 172.16.X.X range and was already configured with WAN access, I would not need the MikroTik port. This is probably a bad configuration on my part, but this is the only way I was able to use the internet for the moment. I will gladly take your recommendations; this is why I actually created this topic.


Forward chain is not used for port forwarding information…
add action=accept chain=forward disabled=yes dst-port=21,49152-65534 \

This is a test I made when I originally configured the router, I saw the NAT rules afterward, forgot to remove it, completely my bad.


Duplicate Entries?
add action=accept chain=input in-interface=ether5-access src-address=\
    192.168.5.55
add action=accept chain=input in-interface=ether5-access src-address=\
    192.168.5.0/24

Taken from: https://forum.mikrotik.com/viewtopic.php?t=181718
Copy/paste mistake (not an error by the OP); I was trying to configure a “management” port at some point because I kept losing access to the router with bad VLAN configurations.


Mangle rules for layer7 what??? Never seen that either.
WHat does this have to do with your setup??

I had DNS issues at some point, I followed a guide online to set up a domain name, I tried to find the link, but I was not able to, it was a while back.


Dst NAT port forwarding rules will not work with in-interface-list=WAN, Very much discussed in the article provided.
add action=dst-nat chain=dstnat comment=HTTP/HTTPS dst-port=80 \
    in-interface-list=WAN protocol=tcp to-addresses=10.0.0.32 to-ports=80

That was another test.

Sorry if I missed anything or if I took time to answer. I wanted to provide as much information as possible.
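
A worked version of what the last sentence of the previous post describes (tagged and untagged ports, then VLAN filtering on the bridge). This is an added example, not part of the thread and not from the OP's export: the VLAN IDs 10/20/99, the interface names, the 10.0.x.0/24 subnets and the port roles are assumptions; ether1 stays outside the bridge as WAN, as in the cleaned-up config above. ether5 is kept as an untagged management port so that a laptop plugged into it keeps access, which matches how the OP was using it.

```routeros
# Added example: bridge VLAN filtering on a hEX (RouterOS 7.x). Not from the
# thread. VLAN IDs 10/20/99, interface names and the /24 subnets are
# assumptions; ether1 is WAN and is NOT a bridge port.
#
# Before anything else: press Ctrl-X in the terminal to enter Safe Mode, so
# a mistake is rolled back when the session drops (the OP reports locking
# himself out while experimenting with VLANs).

/interface bridge
add name=bridge vlan-filtering=no comment="filtering stays off until the end"

# Access ports: untagged frames are placed in the port's pvid, tagged frames
# are refused. ether5 is the untagged management port.
/interface bridge port
add bridge=bridge interface=ether2 pvid=10 ingress-filtering=yes \
    frame-types=admit-only-untagged-and-priority-tagged comment="servers"
add bridge=bridge interface=ether3 pvid=10 ingress-filtering=yes \
    frame-types=admit-only-untagged-and-priority-tagged comment="servers"
add bridge=bridge interface=ether4 pvid=20 ingress-filtering=yes \
    frame-types=admit-only-untagged-and-priority-tagged comment="clients"
add bridge=bridge interface=ether5 pvid=99 ingress-filtering=yes \
    frame-types=admit-only-untagged-and-priority-tagged comment="management"

# VLAN table: the bridge itself must be "tagged" on every VLAN the router
# routes, otherwise the /interface vlan entries below never see traffic.
/interface bridge vlan
add bridge=bridge vlan-ids=10 tagged=bridge untagged=ether2,ether3
add bridge=bridge vlan-ids=20 tagged=bridge untagged=ether4
add bridge=bridge vlan-ids=99 tagged=bridge untagged=ether5

# One routed L3 interface per VLAN, all hanging off the bridge.
/interface vlan
add interface=bridge name=vlan10-servers vlan-id=10
add interface=bridge name=vlan20-clients vlan-id=20
add interface=bridge name=vlan99-mgmt vlan-id=99

/ip address
add address=10.0.10.1/24 interface=vlan10-servers
add address=10.0.20.1/24 interface=vlan20-clients
add address=10.0.99.1/24 interface=vlan99-mgmt

# DHCP must be bound to the vlan interface, not to the bare bridge.
/ip pool
add name=pool-clients ranges=10.0.20.100-10.0.20.199
/ip dhcp-server
add name=dhcp-clients interface=vlan20-clients address-pool=pool-clients
/ip dhcp-server network
add address=10.0.20.0/24 gateway=10.0.20.1 dns-server=10.0.20.1

# The default firewall keys on the LAN list. With filtering on, routed
# packets arrive on the vlan interfaces, so those go in LAN, not the bridge.
/interface list
add name=MGMT
/interface list member
add interface=vlan10-servers list=LAN
add interface=vlan20-clients list=LAN
add interface=vlan99-mgmt list=LAN
add interface=vlan99-mgmt list=MGMT

/ip firewall filter
# Router management only from the management VLAN. Place these rules after
# "defconf: accept established,related,untracked" and before
# "defconf: drop all not coming from LAN".
add chain=input action=accept in-interface-list=MGMT \
    comment="management VLAN may reach the router"
add chain=input action=accept in-interface-list=LAN protocol=udp \
    dst-port=53,67 comment="DNS and DHCP from every VLAN"
add chain=input action=drop in-interface-list=!MGMT connection-state=new \
    comment="nobody else opens a connection to the router"
# Inter-VLAN traffic is denied unless a hole is punched explicitly;
# LAN -> WAN is untouched, so internet access still works.
add chain=forward action=accept in-interface=vlan20-clients \
    out-interface=vlan10-servers protocol=tcp dst-port=443 \
    comment="clients may reach HTTPS on servers"
add chain=forward action=drop in-interface-list=LAN out-interface-list=LAN \
    comment="drop all other inter-VLAN traffic"

# Last step: turn filtering on. If the session survives, press Ctrl-X again
# to leave Safe Mode and commit; if it drops, the config rolls back.
/interface bridge set bridge vlan-filtering=yes
```

If a managed switch is later hung off one of the ports, that port becomes a trunk: set frame-types=admit-only-vlan-tagged on it and list it under tagged= of every VLAN it should carry. The order matters: ports, VLAN table and L3 interfaces first, vlan-filtering=yes last, inside Safe Mode.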

Good. Let the nit-picking begin.

We can begin with the fact that your new config is so clean it doesn’t have any dstnat rules at all. How were you planning to allow inbound connections?


add address=172.16.0.2/12 interface=ether1 network=172.16.0.0

You’ve assigned the entire RFC1918 “172” space to your DMZ. (The subnet between your “Firewall” box and the private 10-dot LAN.) The intent is that you use /16 at biggest, and in your case, /24 more than suffices unless you’ve left out over 251 DMZ hosts from your diagram. /16 is 64k IPs, and /12 is over a million.

Likewise, assigning the entire 10/8 subnet to the private LAN is an overreach, particularly given your stated plan to subnet it with VLANs later. (A topic we’ll revisit next.) Using a /24 is quite common here as well.


use VLANs to “isolate” the subnets

That isn’t going to solve the security concerns you buy with all of this.

Think about it: you put the DB server on one VLAN, the DNS server on another, the mail server on another…and then you add routing and NAT rules to allow everyone outside into each VLAN separately? What have you bought?

The point of VLANs is indeed to isolate one VLAN from the other, but then you go purposefully punching holes between them!

The best you could accomplish with that move is reduce the risk of, say, a hole in the DNS server from allowing island-hopping into your mail server. But, since the mail server will need DNS, and it’s cheaper to contact a local cache than the public DNS servers, you’ll likely end up with your mail server’s VLAN routed to the DNS server’s VLAN, risking a total removal of the isolation advantage.

None of this is easy. It’s why infosec is a field unto itself. You can spend an entire career learning and practicing its precepts.


What are you recommendations to use and or forward these ports to the outside then?

These are basic, covered by every infosec IT organization. (e.g. OWASP.) But briefly:


  • You should’ve stopped using FTP decades ago. FTPS is basically obsolescent by this point as well. Switch either to SFTP or one of the many other file-sharing schemes based on HTTPS. There are half a zillion to choose from.
  • Unencrypted client access to IMAP and SMTP should’ve been shut off at least a decade ago. Every reasonable mail client can do encrypted receive/send these days. I speak not of encryption of the message payload itself, protecting privacy-at-rest as with S/MIME, but encryption of the mail transport, where the main risks are the privacy of the email in flight plus the user credentials used to authenticate legitimate access to the services. The only case where unencrypted email is suitable these days is SMTP delivery between MTAs, and then only under strict controls to keep spam under control. If you want an “easy button” on this, outsource your email service entirely. It’s becoming too complicated to handle locally these days. If your email setup is easy to administer, I guarantee there are problems you’re overlooking as a consequence.
  • The only remaining legitimate use for unencrypted HTTP to a proper server (as opposed to a stupid IoT lightbulb or similar) is to allow ACME exchanges. Everything else should redirect hard to HTTPS, both by HSTS and permanent redirects. If you aren’t using ACME, I strongly suggest turning HTTP off entirely in favor of pure HTTPS.
  • I flagged inbound DNS because there’s almost never a legitimate reason for outside entities to access your internal DNS servers these days at the small-LAN server scale. Unless you’re doing something tricky there, delegating your public DNS to a third-party provider is a much smarter move. Your domain name host will often hook you up with an easy-to-administer DNS hosting solution for negligible cost. Go ahead and keep running local DNS if that’s helpful; all I’m saying is, there’s rarely a legitimate need for outsiders to do zone transfers from your internal DNS.
  • RDP is a perennial risk. If you have Windows boxes that you need remote management access to, set up a VPN and allow RDP only from the VPN subnet and the local management subnet. There’s no legitimate reason to allow botnets to be banging on your RDP servers, or to allow your DNS server to make RDP conns to your email server, etc.
  • MySQL is, likewise, a common remote access risk. (OWASP’s take.) Additionally, it’s rarely necessary to allow arbitrary Internet hosts to access your DB server directly. Almost always, the access goes through a web app of some kind, and it is this that you expose to the Internet, not the DBMS itself. Often the DBMS runs on the same host as the app server, bound to localhost.

I’ll stop here. That’s enough for one post. :slight_smile:

Greetings,

I understand that the VLANs will not fix the port forwarding and some other issues, I was speaking about it for traffic management mostly. Particularly the issue with the subnets “speaking” with each others.

I will completely review how I handle most of my services (I do not mean services to clients here, I meant web server, DB, FTP, etc.) with your recommendations and by reading on what you posted, really helpful by the way!

As for port forwarding, I plugged the cable going from the WatchGuard to the MikroTik into the WAN port, as was also discussed earlier, and I assigned a static IP in the range of the firewall to the MikroTik WAN port, ether1.

I tried to do a port forward as you recommended:


add action=dst-nat chain=dstnat comment=RDP dst-address=172.16.0.2 \
dst-port=3389 protocol=tcp src-port="" to-addresses=10.0.0.70 to-ports=3389

No success so far though, I think I am still missing something but I did read online and watched a few tutorials, they mostly all suggest a rule similar to yours, but they are never “hit” and the counter always stays at 0 when I try to connect from a completely external network. Am I missing something here?

If I use the Torch tool, I never see anything going to the TCP protocol on port 3389.

Thank you for all the information again!

Do you mean you have this WatchGuard box out of the way entirely now?

Another option is to swap their roles, making the hEX the border router and putting the WatchGuard box between it and the private LAN. That would let you put it in bridge mode, avoiding a double-NAT layer.

This may solve your dstnat problem, because your current rules depend on the inbound packets to be directed to 172.16.0.2, but you don’t say how the WatchGuard box or the “Internet” box (presumably a modem of some kind) does that. If you put the modem into bridge mode and set the hEX up as a border router, then you wouldn’t need the dst-address rule at all. You’d say something more like:


add action=dst-nat chain=dstnat comment=HTTPS in-interface-list=WAN \
dst-port=443 protocol=tcp to-addresses=10.0.0.70 to-ports=443

Now it works even if your public IP changes.
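
To make two of the points above concrete at once (this rule's in-interface-list=WAN match instead of a dst-address, and the earlier advice to accept RDP only from a VPN or management subnet), here is an added example that is not part of the thread: a dstnat rule keyed on the WAN list, the matching forward-chain accept, a log rule for the refused attempts, and the commands to confirm the rules are actually being hit. It assumes ether1 is in the hEX's WAN list, 10.0.0.70 is the RDP host, 10.0.99.0/24 is a VPN/management subnet, and 203.0.113.10 (an RFC 5737 documentation address) stands in for one admin's fixed public IP.

```routeros
# Added example, not from the thread. Assumptions: ether1 is in the WAN list,
# 10.0.0.70 is the RDP host, 10.0.99.0/24 is a VPN/management subnet and
# 203.0.113.10 (RFC 5737 documentation range) stands in for an admin's IP.

/ip firewall address-list
add list=rdp_allowed address=10.0.99.0/24 comment="VPN / management subnet"
add list=rdp_allowed address=203.0.113.10 comment="admin's fixed public IP"

/ip firewall nat
# Match the arrival interface, not a dst-address: the same rule then works
# whether ether1 carries the public IP or 172.16.0.2 behind the WatchGuard
# (which must itself forward TCP/3389 to 172.16.0.2 for anything to arrive).
# Sources outside the list are never translated, so the default
# "drop all from WAN not DSTNATed" rule disposes of them in forward, and
# untranslated packets aimed at the router's own address land in input.
add chain=dstnat action=dst-nat in-interface-list=WAN protocol=tcp \
    dst-port=3389 src-address-list=rdp_allowed \
    to-addresses=10.0.0.70 to-ports=3389 comment="RDP: allowed sources only"

/ip firewall filter
# Accept only the translated connection, and only from the list. Place this
# above "defconf: drop all from WAN not DSTNATed"; the defconf
# "accept established,related" rule then carries the rest of the session.
add chain=forward action=accept connection-nat-state=dstnat \
    connection-state=new in-interface-list=WAN protocol=tcp \
    dst-address=10.0.0.70 dst-port=3389 src-address-list=rdp_allowed \
    comment="RDP forwarded from allowed sources"
# Everyone else's SYN to 3389 was not translated, so it is addressed to the
# router itself and goes through the INPUT chain, not forward. Log it there,
# above "defconf: drop all not coming from LAN".
add chain=input action=drop in-interface-list=WAN protocol=tcp dst-port=3389 \
    log=yes log-prefix="rdp-denied" comment="RDP from anywhere else"

# Verification, for the "counter stays at 0" symptom:
/ip firewall nat print stats where comment~"RDP"
# 0 packets here means nothing reached ether1 for TCP/3389 at all; look at
# the box in front (the WatchGuard), not at this router. Confirm by sniffing
# the WAN port while connecting:
/tool sniffer quick interface=ether1 port=3389
# Once the counter moves, the translated connection shows up here
# (dst-address is the pre-NAT destination, so match on the port):
/ip firewall connection print where dst-address~":3389"
```

One caveat that follows from the double NAT discussed above: if the WatchGuard also source-NATs the connections it forwards, every packet arriving on ether1 carries the WatchGuard's own address as its source, the rdp_allowed list can no longer distinguish clients, and the source restriction has to be enforced on the WatchGuard instead. The log rule is worth keeping in any case; the rate at which "rdp-denied" lines appear is a direct measure of the exposure the earlier posts describe.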

Greetings,


Do you mean you have this WatchGuard box out of the way entirely now?

I might have not been clear enough with my explanation earlier: the cable from the WatchGuard now goes from its ether2 port to port ether1 of the MikroTik. Earlier, it was still plugged into port ether2 of the WatchGuard, but also plugged into port ether2 of the MikroTik, disregarding completely the ether1 port of the MikroTik. As stated by anav, the ether2 port on the MikroTik was part of the bridge, so the WAN port was as well; now that it is plugged into ether1, the WAN port is no longer in the bridge.

Then I repeat: swap their roles and put the WatchGuard box and the Internet modem into bridge mode. That will let the hEX “see” the Internet directly, where it can best do dstnat type stuff. It will also give it the best possible vantage for providing VPN service.

Greetings,

I understand what you mean by that, let me provide more information about what is “beyond” the MikroTik:


  • I have static IPs from my ISP, the only way to have that with them and also access to ports like 80, 443 and the like, they needed to put a modem and router, both of which I do not have access to.
  • My public IP is not supposed to change.
  • The WAN port of the WatchGuard is plugged into the ether2 port of the ISP’s.
  • I also do understand that my setup is not ideal. I would gladly remove the WatchGuard, but it was a gift; I really wanted to explore it and try to use it as a firewall before the MikroTik. I do understand that this creates a problem and is unconventional. I was able to make the port forwarding work at some point, but if I recall correctly, the internet was slow because I had a routing triangle at the time, and I was told to look at the VLAN alternative for a configuration such as what I was doing. I will start to look at the options you suggested.

Your ISP requires unencrypted HTTP management access to the modem/router from the WAN side? Run away, run away!

Security aside, this means you can never port-forward 80 and 443 inside the LAN, because the modem/router is going to catch it, every time.

If you can convince yourself you don’t need HTTP/S inside (e.g. you’re dropping HTTP and moving your public HTTPS service(s) out into the cloud somewhere) then you still need to configure the ISP modem to do port-forwarding separately, since it’s acting as a NAT layer.


I would gladly remove the WatchGuard but it was a gift

I asked whether you removed it, but I advised that you swap its role with the MikroTik router, putting it between the router and the private LAN, in bridge mode, so that it behaves transparently until it needs to step in and filter something.

But, that advice was based on the idea that this would put the public IP on the hEX’s WAN port, vastly simplifying dstnat, which sounds like it is not the case.