PLEASE HELP - no luck getting it to work / CCR1009-7G-1C-1S+

My notes for a new install, any changes?

2) 

/user add name="new user" password=XXXXXXXX group=full
/user remove admin

3)
/user set 0 address=192.168.1.0/24
/ip service set winbox address=192.168.1.0/24

4)
/ip service disable telnet,ftp,api,api-ssl

5)
/tool mac-server set allowed-interface-list=none

6)
/tool mac-server mac-winbox set allowed-interface-list=none

7)
/tool mac-server ping set enabled=no

8)
/ip neighbor discovery-settings set discover-interface-list=none

9)
/tool bandwidth-server set enabled=no 

10)
/ip dns set allow-remote-requests=no

11)
/ip ssh set strong-crypto=yes

12)
/ip service set ssh port=2200

13)

Create address list which includes different subnets (basically all subnets which should not exist in public network):

/ip firewall address-list
 add address=0.0.0.0/8 comment=RFC6890 list=NotPublic
 add address=10.0.0.0/8 comment=RFC6890 list=NotPublic
 add address=100.64.0.0/10 comment=RFC6890 list=NotPublic
 add address=127.0.0.0/8 comment=RFC6890 list=NotPublic
 add address=169.254.0.0/16 comment=RFC6890 list=NotPublic
 add address=172.16.0.0/12 comment=RFC6890 list=NotPublic
 add address=192.0.0.0/24 comment=RFC6890 list=NotPublic
 add address=192.0.2.0/24 comment=RFC6890 list=NotPublic
 add address=192.168.0.0/16 comment=RFC6890 list=NotPublic
 add address=192.88.99.0/24 comment=RFC3068 list=NotPublic
 add address=198.18.0.0/15 comment=RFC6890 list=NotPublic
 add address=198.51.100.0/24 comment=RFC6890 list=NotPublic
 add address=203.0.113.0/24 comment=RFC6890 list=NotPublic
 add address=224.0.0.0/4 comment=RFC4601 list=NotPublic
 add address=240.0.0.0/4 comment=RFC6890 list=NotPublic

Create firewall filter rules to protect router from incoming (input) connections:

/ip firewall filter

add action=accept chain=input connection-state=established,related comment="Accept established related"
add action=accept chain=input in-interface=bridge1 comment="Allow LAN access to router and Internet"
add action=drop chain=input comment="Drop all other input"
add action=accept chain=forward connection-state=established,related comment="Accept established related"
add action=accept chain=forward connection-state=new in-interface=bridge1 comment="Allow LAN access to router and Internet"
add action=accept chain=forward connection-nat-state=dstnat comment="Accept Port forwards"
add action=drop chain=forward comment="Drop all other forward"


14)
SSH access subnet.
/ip service set ssh address=192.168.1.0/24

15)
/system note set show-at-login=yes
/system note set note="This is a private network - Authorized administrators only. Access to this device is monitored."

16)
/ip settings set rp-filter=strict

17)
/system ntp client set enabled=yes server-dns-names=0.pool.ntp.org,1.pool.ntp.org,2.pool.ntp.org,3.pool.ntp.org
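The NotPublic address list built in step 13 is never referenced by the filter rules in the notes above, so it has no effect. The following is an added example, not part of the original post, showing one way to wire it in: both chains drop packets whose source is a private or reserved range when they arrive on the Internet-facing port, and an invalid-state drop is added that the original rules do not have. It assumes the WAN port is ether1 and the LAN is bridge1 (both assumed names; adjust to the real interfaces).

```routeros
# Added example, not from the original post. Assumes WAN=ether1, LAN=bridge1.
# An interface list lets the rules survive a change of WAN port later.
/interface list
add name=WAN comment="Interfaces facing the Internet (assumed: ether1)"
/interface list member
add list=WAN interface=ether1

/ip firewall filter
# Input chain: traffic addressed to the router itself, evaluated top to bottom.
# Drop spoofed/bogon sources first, before any accept rule can see them.
add chain=input action=drop in-interface-list=WAN src-address-list=NotPublic comment="Drop private/reserved sources arriving on WAN (input)"
add chain=input action=accept connection-state=established,related comment="Accept established related"
add chain=input action=drop connection-state=invalid comment="Drop invalid"
add chain=input action=accept in-interface=bridge1 comment="Allow LAN access to router"
add chain=input action=drop comment="Drop all other input"

# Forward chain: traffic passing through the router.
add chain=forward action=drop in-interface-list=WAN src-address-list=NotPublic comment="Drop private/reserved sources arriving on WAN (forward)"
add chain=forward action=accept connection-state=established,related comment="Accept established related"
add chain=forward action=drop connection-state=invalid comment="Drop invalid"
add chain=forward action=accept connection-state=new in-interface=bridge1 comment="Allow LAN access to Internet"
add chain=forward action=accept connection-nat-state=dstnat comment="Accept port forwards"
add chain=forward action=drop comment="Drop all other forward"

# Verification: confirm the list is populated and that the bogon rules exist and
# sit at the top of their chains. The packet/byte counters on these two rules
# should start rising as soon as a spoofed packet arrives on the WAN port.
/ip firewall address-list print where list=NotPublic
/ip firewall filter print stats where src-address-list=NotPublic
```

The bogon drop rules must stay above the established,related accept, otherwise a spoofed packet that happens to match an existing connection would be accepted before the list is consulted.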

It looks ok.

I did change:

Firewall

/ip firewall filter
add action=accept chain=input connection-state=established,related comment="Accept established related"
add action=accept chain=input in-interface=bridge1ether2 comment="Allow LAN access to router and Internet"
add action=drop chain=input comment="Drop all other input"
add action=accept chain=forward connection-state=established,related comment="Accept established related"
add action=accept chain=forward connection-state=new in-interface=bridge1ether2 comment="Allow LAN access to router and Internet"
add action=accept chain=forward connection-nat-state=dstnat comment="Accept Port forwards"
add action=drop chain=forward comment="Drop all other forward"

Thanks for the help, support and review :)

Sorry, I missed that one, usually the LAN is bridge and I’m looking at too many configs at the same time.