Hello,
I recently replaced my pfSense router with a CCR2004-16G-2S+PC. I’m working on getting everything set up, including firewall rules, port forwards and the like.
Router:
- CCR2004-16-2X+PC
- ROS: 7.10.2
My networks:
- LAN: 192.168.1.0/24
- Servers: 192.168.2.0/24
- Cameras: 192.168.3.0/24
- IoT: 192.168.20.0/24
- WireGuard: 192.168.100.0/24
I’m trying to get port forwarding working along with my reverse proxy. I’ve done tons of searching and forum/post reading prior to posting and I am still having issues getting things working. I’m using a status monitor docker container (Uptime Kuma) within the 192.168.2.0/24 subnet. It only shows a handful of monitored items as “Up” and everything else as “Down”, yet I can reach everything from my 192.168.1.0/24 subnet. I have rules set up to allow the LAN, IoT and WireGuard subnets to reach all other subnets, but to block cross-subnet traffic from Cameras and Servers. I have added some exception rules so that certain devices in the isolated subnets can communicate across subnets.
For my NAT rules, I have created a few hairpin rules along with a number of port forwards. I had to make some changes because it appeared my port forward rules were “intercepting” traffic to other destinations (i.e., a phone on my network was trying to reach Google’s IMAP servers, but the traffic was being redirected to my local IMAP server instead, causing errors). I added an address list of WanIPs as I will soon have WAN failover set up with 2 static IPs. Only 1 is active at this time.
What I’m trying to do is ensure all LANs can reach the web from their respective LAN, but also be able to identify when traffic is coming through the reverse proxy, and confirm that my port forwards and other rules are set up correctly.
Thanks in advance
/ip firewall address-list
# RFC1918: the three private ranges. No filter or NAT rule in this export
# references this list, so it currently has no effect.
add address=192.168.0.0/16 list=RFC1918
add address=172.16.0.0/12 list=RFC1918
add address=10.0.0.0/8 list=RFC1918
# Single-host list; also unreferenced by the rules below.
add address=192.168.1.244 list=PCCOMWEB1_Destinations
# Subnets: drives the forward-chain isolation (source-based accepts, then a
# Subnets->Subnets drop). Cameras (192.168.3.0/24) appears only as a
# destination -- no accept rule below uses it as a source.
add address=192.168.2.0/24 list=Subnets
add address=192.168.3.0/24 list=Subnets
add address=192.168.1.0/24 list=Subnets
add address=192.168.20.0/24 list=Subnets
add address=192.168.100.0/24 list=Subnets
# WanIPs: every enabled dstnat rule matches on this list, so the second
# static IP for WAN failover only needs to be added here to extend all
# port forwards at once. A WAN IP missing from this list never reaches
# the forwards (inbound traffic to it is simply not translated).
add address=<WAN IP HIDDEN> list=WanIPs
/ip firewall filter
# ---- input chain: traffic addressed to the router itself ----
# Reply/related packets are accepted before anything else.
add action=accept chain=input comment="accept established,related" connection-state=established,related
# WireGuard listener. No in-interface restriction, so it is accepted from
# every interface (WAN and all internal subnets); log=yes logs each new match.
add action=accept chain=input comment="Allow WireGuard" dst-port=13231 log=yes protocol=udp
add action=drop chain=input connection-state=invalid
# ICMP from WAN, accepted without a rate limit.
add action=accept chain=input comment="allow ICMP" in-interface="ether1 - WAN - <WAN IP HIDDEN>" protocol=icmp
# Management access, currently disabled. NOTE(review): the Winbox rule has
# no in-interface and sits above the WAN drop, so re-enabling it as-is
# would expose Winbox on the WAN side as well; add in-interface or a
# src-address-list before enabling. The SSH rule is explicitly WAN-scoped.
add action=accept chain=input comment="allow Winbox" disabled=yes port=8291 protocol=tcp
add action=accept chain=input comment="allow SSH" disabled=yes in-interface="ether1 - WAN - <WAN IP HIDDEN>" port=22 protocol=tcp
# Terminal drop for WAN only. Input from every internal subnet (including
# Cameras and IoT) is not matched by any rule and falls through to the
# chain's implicit accept, so all router services are reachable from all
# internal subnets.
add action=drop chain=input comment="block everything else" in-interface="ether1 - WAN - <WAN IP HIDDEN>"
# ---- forward chain: traffic routed through the router ----
# Source-based accepts: LAN, WireGuard and IoT may initiate to any subnet
# in the Subnets list.
add action=accept chain=forward comment="Starting Rules for Subnet Isolation" dst-address-list=Subnets src-address=192.168.1.0/24
add action=accept chain=forward comment="WireGuard Rules" dst-address-list=Subnets src-address=192.168.100.0/24
add action=accept chain=forward dst-address-list=Subnets src-address=192.168.20.0/24
# Per-host exceptions out of the Servers subnet: .233 (the reverse-proxy
# target) may reach LAN and IoT; .109 may reach 192.168.1.244 on TCP/22.
# Any other Servers host -- e.g. the Uptime Kuma container, unless it is
# .233 -- is dropped by the final rule when probing other subnets, which
# is consistent with the "Down" monitors described in the post. Cameras
# and WireGuard are not reachable from any Servers host.
add action=accept chain=forward dst-address=192.168.1.0/24 src-address=192.168.2.233
add action=accept chain=forward dst-address=192.168.1.244 dst-port=22 protocol=tcp src-address=192.168.2.109
add action=accept chain=forward dst-address=192.168.20.0/24 src-address=192.168.2.233
# established,related is evaluated after the accepts above; placing it
# first would spare every reply packet the rule walk (no behaviour change).
# There is no connection-state=invalid drop in this chain.
add action=accept chain=forward connection-state=established,related
# Final isolation drop, scoped to Subnets->Subnets only. Forward traffic
# arriving from WAN that was not dst-natted is not matched by any rule and
# falls through to the implicit accept; the stock MikroTik config's
# "drop all from WAN not DSTNATed" (connection-nat-state=!dstnat,
# in-interface=WAN) has no equivalent here.
add action=drop chain=forward comment="Drop subnet communication if it's not an above rule" dst-address-list=Subnets src-address-list=Subnets
/ip firewall nat
# Outbound source NAT for everything leaving via the WAN interface.
add action=masquerade chain=srcnat out-interface="ether1 - WAN - <WAN IP HIDDEN>"
# Hairpin NAT: only needed when client and server share a subnet and the
# client connects to the public IP. Side effect: the server then sees the
# router's address as the client source, not the real client IP, so
# server-side logs and IP-based filters lose the original address.
# No hairpin rule exists for Cameras (192.168.3.0/24), consistent with no
# forwards pointing there.
add action=masquerade chain=srcnat comment="Hairpin for LAN" dst-address=192.168.1.0/24 src-address=192.168.1.0/24
add action=masquerade chain=srcnat comment="Hairpin for Servers" dst-address=192.168.2.0/24 src-address=192.168.2.0/24
add action=masquerade chain=srcnat comment="Hairpin for IoT" dst-address=192.168.20.0/24 src-address=192.168.20.0/24
# Disabled FTP forward. Unlike every other forward it has no
# dst-address-list=WanIPs, so if re-enabled as-is it would redirect *all*
# TCP/21 passing through the router to 192.168.2.109 -- the "intercepting"
# behaviour described in the post. Add dst-address-list=WanIPs before enabling.
add action=dst-nat chain=dstnat comment="Virtualmin TCP Ports" disabled=yes dst-port=21 protocol=tcp to-addresses=192.168.2.109 to-ports=21
# Reverse proxy: 80/443 -> 192.168.2.233, to-ports omitted (port unchanged).
# dst-address-type=local is set here and on the 993 rule but on none of
# the other forwards; redundant given the WanIPs match, but inconsistent.
add action=dst-nat chain=dstnat comment="Reverse Proxy" dst-address-list=WanIPs dst-address-type=local dst-port=80 protocol=tcp to-addresses=192.168.2.233
add action=dst-nat chain=dstnat comment="Reverse Proxy" dst-address-list=WanIPs dst-address-type=local dst-port=443 protocol=tcp to-addresses=192.168.2.233
# Mail server 192.168.2.110: 25/587/465 (SMTP), 110/995 (POP3), 143/993
# (IMAP), 4190 (presumably ManageSieve). 110 and 143 are the cleartext
# variants; if clients only use 993/995 those two forwards can be dropped
# to shrink the exposed surface.
add action=dst-nat chain=dstnat comment="Mail Server" dst-address-list=WanIPs dst-port=25 protocol=tcp to-addresses=192.168.2.110 to-ports=25
add action=dst-nat chain=dstnat comment="Mail Server" dst-address-list=WanIPs dst-port=110 protocol=tcp to-addresses=192.168.2.110 to-ports=110
add action=dst-nat chain=dstnat comment="Mail Server" dst-address-list=WanIPs dst-port=143 protocol=tcp to-addresses=192.168.2.110 to-ports=143
add action=dst-nat chain=dstnat comment="Mail Server" dst-address-list=WanIPs dst-address-type=local dst-port=993 protocol=tcp to-addresses=192.168.2.110
add action=dst-nat chain=dstnat comment="Mail Server" dst-address-list=WanIPs dst-port=995 protocol=tcp to-addresses=192.168.2.110 to-ports=995
add action=dst-nat chain=dstnat comment="Mail Server" dst-address-list=WanIPs dst-port=587 protocol=tcp to-addresses=192.168.2.110 to-ports=587
add action=dst-nat chain=dstnat comment="Mail Server" dst-address-list=WanIPs dst-port=465 protocol=tcp to-addresses=192.168.2.110 to-ports=465
add action=dst-nat chain=dstnat comment="Mail Server" dst-address-list=WanIPs dst-port=4190 protocol=tcp to-addresses=192.168.2.110 to-ports=4190
# Synology forwards target 192.168.1.244, which is in the LAN segment
# rather than Servers -- an internet-facing host on the trusted subnet,
# which weakens the isolation the forward chain is building.
# NOTE(review): 6690 -> 9960 is the only forward whose to-ports differs
# from dst-port (all others map 1:1); confirm this is intentional.
add action=dst-nat chain=dstnat comment="Synology Apps" dst-address-list=WanIPs dst-port=5501 protocol=tcp to-addresses=192.168.1.244 to-ports=5501
add action=dst-nat chain=dstnat comment="Synology Apps" dst-address-list=WanIPs dst-port=6690 protocol=tcp to-addresses=192.168.1.244 to-ports=9960
add action=dst-nat chain=dstnat comment="Synology Apps" dst-address-list=WanIPs dst-port=9901 protocol=tcp to-addresses=192.168.1.244 to-ports=9901