@mkx yes but as you can see I allowed webfig from the management VLAN and the port that I was connecting to (ether2) is on the bridge, and the bridge is on the LAN interface list. Shouldn’t that be enough?
No, the firewall sees the MgmtVLAN interface as in-interface … because that’s the interface that breaks out IP packets to ROS subsystems. The firewall doesn’t care about underlying logical interfaces (the bridge) or physical ports (ether2).
Can you print a log-message when the packet is captured by the “drop-all-else” rule?
It should work, I also have 1 rule in the input-chain combined with an ACL on the www-services section to narrow down allowed IP-ranges.
The problem must be in the “LAN-list” I think. Can you try to add interface “ether2” to the LAN-list and try again?
Basics…
FROM
/interface list member
add comment=defconf interface=bridge list=LAN
add interface=ether5 list=WAN
add interface=ether4 list=LAN
TO
/interface list
add name=LAN
add name=WAN
add name=MANAGE
/interface list member
add interface=HomeVLAN list=LAN
add interface=GuestVLAN list=LAN
add interface=MgmtVLAN list=LAN
add interface=MgmtVLAN list=MANAGE
add interface=ether4 list=LAN
add interface=ether4 list=MANAGE
add interface=ether5 list=WAN
/ip neighbor discovery-settings
set discover-interface-list=MANAGE
REMOVE THIS (no longer required)
/ip dhcp-server network
add address=192.168.10.0/24 dns-server=192.168.88.1 gateway=192.168.10.1 netmask=24
add address=192.168.20.0/24 dns-server=192.168.88.1 gateway=192.168.20.1 netmask=24
add address=192.168.30.0/24 dns-server=192.168.88.1 gateway=192.168.30.1 netmask=24
add address=192.168.88.0/24 comment=defconf dns-server=192.168.88.1 gateway=192.168.88.1
/ip dns static
add address=192.168.88.1 comment=defconf name=router.lan
GET RID OF :
set www address=192.168.20.0/24,192.168.99.0/24 (not secure)
set winbox disabled=yes??
and replace with
set winbox address=192.168.20.0/24,192.168.99.0/24
When you do…
/tool mac-server
set allowed-interface-list=NONE
/tool mac-server mac-winbox
set allowed-interface-list=MANAGE
+++++++++++++++++++++++++++++++++++++++
Now for firewall rules lets massage…
TO
/ip firewall filter
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment="defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=accept chain=input comment="allow admin access" in-interface-list=MANAGE src-address-list=Authorized
add action=accept chain=input comment="allow user services" in-interface-list=LAN dst-port=53 protocol=tcp
add action=accept chain=input comment="allow user services" in-interface-list=LAN dst-port=53 protocol=udp
add action=drop chain=input comment="drop all else"
WITH
/ip firewall address-list
add address=admin_Desktop-IP list=Authorized
add address=admin_Laptop-IP list=Authorized { when attached to the bridge aka a vlan }
add address=192.168.99.x/32 list=Authorized { when attached to ether 4 }
add address=admin_Tablet/Smartphone-IP list=Authorized
The layers of security.
(1) Through the Services list, for each ‘secure’ service we allow the subnet (management vlan, ether4 etc) - in this case access to www-ssl and winbox
(2) We only allow winbox access via the interface list Manage (aka management vlan and ether4)
(3) We use input chain firewall rules to REFINE access to only those IPs on the authorized list.
(4) Finally logging into the router is the last layer USER name and Password (via the secure methods above).
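An added illustration, not part of anyone's post in this thread: a small Python model of the input chain above. It shows why a packet entering on MgmtVLAN hits "drop all else" until the VLAN interfaces are members of the LAN/MANAGE lists (the in-interface point @mkx made), and how the Authorized address list then refines access even on the management interfaces. Interface and list names follow the config above; the host addresses, the rule matcher and the sample packets are constructed assumptions, not taken from the thread.

```python
from dataclasses import dataclass
from typing import Optional

# Interface lists before the VLANs were added (only the bridge and ether4 are members)
# and after the "TO" config above. Constructed to mirror the thread's configs.
INTERFACE_LISTS_BEFORE = {
    "LAN": {"bridge", "ether4"},
    "WAN": {"ether5"},
    "MANAGE": {"ether4"},
}
INTERFACE_LISTS_AFTER = {
    "LAN": {"HomeVLAN", "GuestVLAN", "MgmtVLAN", "ether4"},
    "WAN": {"ether5"},
    "MANAGE": {"MgmtVLAN", "ether4"},
}

# Constructed address list: one admin host on the management VLAN (assumed
# 192.168.30.0/24) and one on the ether4 admin subnet (192.168.99.0/24).
ADDRESS_LISTS = {"Authorized": {"192.168.30.10", "192.168.99.10"}}


@dataclass
class Packet:
    in_interface: str          # the IP interface the firewall sees (a VLAN), never the bridge port
    src: str
    proto: str                 # "tcp", "udp" or "icmp"
    dst_port: Optional[int] = None
    conn_state: str = "new"


# The input chain from the post above, in order. A missing key means the rule
# does not match on that property, like an unset matcher in RouterOS.
INPUT_CHAIN = [
    {"action": "accept", "comment": "accept established,related,untracked",
     "conn_state": {"established", "related", "untracked"}},
    {"action": "drop", "comment": "drop invalid", "conn_state": {"invalid"}},
    {"action": "accept", "comment": "accept ICMP", "proto": "icmp"},
    {"action": "accept", "comment": "allow admin access",
     "in_interface_list": "MANAGE", "src_address_list": "Authorized"},
    {"action": "accept", "comment": "allow user services",
     "in_interface_list": "LAN", "proto": "tcp", "dst_port": 53},
    {"action": "accept", "comment": "allow user services",
     "in_interface_list": "LAN", "proto": "udp", "dst_port": 53},
    {"action": "drop", "comment": "drop all else"},
]


def rule_matches(rule, pkt, iface_lists, address_lists):
    """Every matcher present in the rule must hold for the packet."""
    if "conn_state" in rule and pkt.conn_state not in rule["conn_state"]:
        return False
    if "proto" in rule and pkt.proto != rule["proto"]:
        return False
    if "dst_port" in rule and pkt.dst_port != rule["dst_port"]:
        return False
    if "in_interface_list" in rule and \
            pkt.in_interface not in iface_lists.get(rule["in_interface_list"], set()):
        return False
    if "src_address_list" in rule and \
            pkt.src not in address_lists.get(rule["src_address_list"], set()):
        return False
    return True


def evaluate_input(pkt, iface_lists, address_lists=ADDRESS_LISTS):
    """Return (action, comment) of the first matching rule; first match wins."""
    for rule in INPUT_CHAIN:
        if rule_matches(rule, pkt, iface_lists, address_lists):
            return rule["action"], rule["comment"]
    return "accept", "end of chain"   # RouterOS accepts when no rule matches


def demo():
    # Webfig-over-SSL (tcp/443) from the admin desktop on the management VLAN.
    admin_https = Packet("MgmtVLAN", "192.168.30.10", "tcp", 443)
    # Same host, but a source address that is not on the Authorized list.
    stranger_https = Packet("MgmtVLAN", "192.168.30.99", "tcp", 443)
    # Guest VLAN client trying Winbox (tcp/8291) and doing a DNS lookup (udp/53).
    guest_winbox = Packet("GuestVLAN", "192.168.20.50", "tcp", 8291)
    guest_dns = Packet("GuestVLAN", "192.168.20.50", "udp", 53)
    return {
        "admin_before_fix": evaluate_input(admin_https, INTERFACE_LISTS_BEFORE),
        "admin_after_fix": evaluate_input(admin_https, INTERFACE_LISTS_AFTER),
        "unauthorized_ip_after_fix": evaluate_input(stranger_https, INTERFACE_LISTS_AFTER),
        "guest_winbox": evaluate_input(guest_winbox, INTERFACE_LISTS_AFTER),
        "guest_dns": evaluate_input(guest_dns, INTERFACE_LISTS_AFTER),
    }


if __name__ == "__main__":
    for name, (action, why) in demo().items():
        print(f"{name:28s} -> {action:6s} ({why})")
```

Before the fix the admin's packet arrives on MgmtVLAN, which is in neither MANAGE nor LAN, so nothing but "drop all else" matches; that is the symptom the original poster saw even though ether2 sits on the bridge. After the fix the same packet passes "allow admin access", while an unauthorized source on the same VLAN and a guest trying Winbox both still land on the final drop, which is the layered model described in the post.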
Thanks for the reminders @anav. I must have forgotten to add the VLANs to the LAN list after rebuilding everything.
BTW I have been using webfig instead of winbox, don’t plan to use winbox ever. I am planning to set up ssl on webfig…tried a few times with self-signed cert as well as with a CA but got browser errors.
Thank you too @mkx
The point of winbox as I understand it is, ease of access, security etc…
Www by itself is not secure, but I suppose www with ssl is a reasonable method from the lan.