Pls help in Firewall Rules

Good day. I have a CCR-1036 (12G-4S) router. Actually, everything started normally, by analogy with other routers (NAT, VLANs, 2 providers for failover, etc.).
I started to look at setting up the firewall and a couple of absolutely incomprehensible things came up:
In the standard list of firewall protocols, almost all the major ones are missing.
Of the obviously necessary ones there are tcp, udp and rdp. The rest are rarely needed because the network is unpretentious.
It turns out that to allow certain traffic between VLANs, I need to create a lot of rules of this type (for DNS): allow port 53 tcp from vlan1 to vlan2. Then another rule: allow port 53 udp from vlan1. You can't even put TCP and UDP in one rule.
There are loads of protocols, and rewriting rules in this style every time will take a lot of time.
Has it been done this peculiarly on purpose, or am I simply not seeing a more correct solution?
I planned the firewall on the principle that everything that is not allowed is forbidden. But seeing this, I'm already thinking of going from the opposite direction …

Sorry for bad English(

You can create minimal rules to allow traffic out to the internet and provide basic protection from the internet but the more complex your network is, the more rules you will have to create.

Generally you want to create rules that prevent attacks from the outside on your WAN interface. Then, depending on how you want to do things, you can, as has been said, have fewer or more rules. There is no reason to protect one LAN VLAN from another; you want to protect your LAN VLANs from the outside world. For instance, I have a total of 136 rules. I only allow the ports I require and block the rest. I could reduce it down to 100, as there are some services that are not necessary any more. We can post examples of firewalls if you like, but if you can give more information on what you are trying to achieve, it will help us to advise you better.

In fact, let me explain the structure of the network.
MikroTik as a router on a stick. There are 2 providers, 1 VLAN where the Exchange Edge and the website are (this VLAN is something like a DMZ).
Further VLANs: a VLAN for the users' computers, a separate VLAN for external IP telephony, and the last VLAN for servers and network equipment.
Two key questions:
1. No clear understanding of how to restrict traffic between the users and servers VLANs. After all, in one way or another, a user's PC needs access to that network (DHCP + relay, DNS, LDAP, printers, shares, etc …) and the servers VLAN.
Whether to allow everything between these networks and explicitly prohibit telnet and ssh, for example, or to ban everything and allow several protocols, which obviously begs the second question.

2. There are not many protocols in the firewall filter (there are not even standard dhcp and dns), but there are a lot of Windows protocols. Moreover, many protocols, even from the listed ones, use both tcp and udp and different directions. The result is a very large list of protocols that need to be created by hand!
Is there any way to systematize this? At least create a protocol as a template and specify it in the rules?
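One way to get the "protocol as a template" effect the second question asks for, as an added example that is not from any post in this thread: RouterOS lets a rule list several ports at once (`dst-port=53,88,389`) and lets you put a set of accept rules in a custom chain and `jump` to it from each VLAN pair that needs it. The interface names `vlan-users` and `vlan-servers` and the port set are assumptions for illustration; adjust them to the real VLAN interfaces and the services actually in use.

```routeros
# Added example, not from the thread. Assumes the user VLAN interface is
# "vlan-users" and the server VLAN interface is "vlan-servers".
/ip firewall filter

# Let replies to already-accepted connections through first, so the
# per-service rules only ever see the first packet of each flow.
add chain=forward connection-state=established,related action=accept \
    comment="accept established/related"
add chain=forward connection-state=invalid action=drop comment="drop invalid"

# Reusable "template" chain: what a user PC may open towards the server VLAN.
# Written once, referenced from as many VLAN pairs as needed.
add chain=users-to-servers protocol=udp dst-port=53,88,123,389 action=accept \
    comment="DNS, Kerberos, NTP, LDAP over UDP"
add chain=users-to-servers protocol=tcp dst-port=53,88,135,389,445,636,3268 action=accept \
    comment="DNS, Kerberos, RPC endpoint mapper, LDAP/LDAPS, SMB, Global Catalog"
add chain=users-to-servers protocol=tcp dst-port=49152-65535 action=accept \
    comment="RPC dynamic ports (narrow this if the DCs pin a fixed range)"
add chain=users-to-servers protocol=tcp dst-port=515,631,9100 action=accept \
    comment="network printing (LPD, IPP, raw)"
add chain=users-to-servers protocol=icmp action=accept comment="ping, path MTU"
# Everything not listed above is logged and then dropped: default deny.
add chain=users-to-servers action=log log-prefix="users>servers denied "
add chain=users-to-servers action=drop

# Hook the template to the VLAN pair; only new connections need evaluating.
add chain=forward in-interface=vlan-users out-interface=vlan-servers \
    connection-state=new action=jump jump-target=users-to-servers
# Servers do not initiate flows into the user VLAN (replies were accepted above).
add chain=forward in-interface=vlan-servers out-interface=vlan-users \
    connection-state=new action=drop comment="no server-initiated flows to users"
```

Two notes on the design. DHCP with the router as relay is deliberately absent from the `forward` chain: the client broadcast terminates on the router (`input` chain) and the relayed request leaves from the router (`output` chain), so a forward rule would never match it. And to reuse the same service set for another pair, say the telephony VLAN to the servers, you add one more `action=jump jump-target=users-to-servers` rule rather than re-typing every port; the log rule before the final drop shows you which legitimate service you forgot before you tighten further.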