I think I’ve sorted out the basic configuration but can’t seem to get the firewall rules down. I’ve used @anav’s default rules and as soon as I input them my connections never complete. Without them the internet works fine. Some guidance is highly appreciated. Here’s my bootstrap config - ignore lines with >>
Create LAN
/interface bridge add name=bridge0
/interface bridge port add interface=ether1 bridge=bridge0
/interface bridge port add interface=ether2 bridge=bridge0
/interface bridge port add interface=ether3 bridge=bridge0
/interface bridge port add interface=ether4 bridge=bridge0
/ip address add address=10.10.10.3/24 interface=bridge0
/interface list add name=LAN include=static comment="Local Area Network"
/interface list member add interface=bridge0 list=LAN
Create WAN
/interface list add name=WAN include=static comment="Wide Area Network"
/interface list member add interface=ether5 list=WAN
/ip address add address=192.168.0.60/24 interface=ether5
/ip route add gateway=192.168.0.1
/ip dns set servers=10.10.10.4
Setup Security
/system identity set name=HexS
/user set 0 password="******"
/tool mac-server set allowed-interface-list=LAN
/tool mac-server mac-winbox set allowed-interface-list=LAN
/tool mac-server ping set enabled=no
/ip service disable telnet,ftp,api,api-ssl
/ip service set winbox address=10.10.10.0/24
/ip service set ssh address=10.10.10.0/24
/ip service set www address=10.10.10.0/24
/ip neighbor discovery-settings set discover-interface-list=LAN
/ip ssh set strong-crypto=yes
Configure Firewall
/ip firewall filter
add chain=input action=accept connection-state=established,related,untracked comment="accept established,related,untracked"
add chain=input action=drop connection-state=invalid comment="drop invalid"
add chain=input action=accept protocol=icmp comment="accept ICMP"
add chain=input action=accept dst-address=127.0.0.1 comment="accept to local loopback (for CAPsMAN)"
add chain=input action=drop in-interface-list=!LAN comment="drop all not coming from LAN"
add chain=forward action=accept ipsec-policy=in,ipsec comment="accept in ipsec policy"
add chain=forward action=accept ipsec-policy=out,ipsec comment="accept out ipsec policy"
add chain=forward action=fasttrack-connection connection-state=established,related comment="fasttrack"
add chain=forward action=accept connection-state=established,related,untracked comment="accept established,related,untracked"
add chain=forward action=drop connection-state=invalid comment="drop invalid"
add chain=forward action=drop connection-state=new connection-nat-state=!dstnat in-interface-list=WAN comment="drop all from WAN not DSTNATed"
If there is a problem, it is not with the default firewall rules, it is with the admin monkeying with them.
I will take a look.
Nothing seems amiss off the top.
I would set this to DISABLE: /ip service set www address=10.10.10.0/24
I would set this to NONE: /tool mac-server set allowed-interface-list=LAN
However the format of your post is not helpful.
Please post config as per
/export hide-sensitive file=anynameyouwish
is not ideal if your LAN is not trusted, but I can't count how many times a MAC server (and RoMON) saved me from a locked device (e.g. a misconfigured IPsec policy). It is good to have a backup way of accessing your device.
My LAN is trusted (for now) but I do plan to implement an IoT VLAN which will be untrusted. I’ll disable all insecure admin methods once I’m in steady state and know more about what I’m doing.
Winbox mac server is how one gets back to the router.
Additionally reserve one port on the router for an independent IP address NOT on the bridge but on any management interface or input chain rules, that way you can get at the router.
add action=drop chain=forward comment="defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat connection-state=new in-interface-list=WAN is the default one and yours seems to be no different??
Okay, the problem may be your interface list; it looks different.
/interface list
add comment="Local Area Network" include=static name=LAN
add comment="Wide Area Network" include=static name=WAN
Mine... (I don't have any of that include=static shit!)
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
This was it! I'll chalk this one up to the learning curve. This option sets this list to only members from another predefined list, not, as I thought, to members statically defined. So adding my WAN interface to the list afterwards did nothing.
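To show the failure mode the thread ends on, here is a small added model (not code from the thread or from RouterOS) of interface-list resolution and of the "drop all from WAN not DSTNATed" forward rule. It assumes, as the last post concludes, that the built-in list "static" contains every statically configured interface, so include=static on WAN pulls bridge0 into WAN and the rule then drops new LAN connections.

```python
# Constructed interface inventory mirroring the poster's config (assumption: the
# built-in "static" list holds every statically configured interface).
STATIC_INTERFACES = {"ether1", "ether2", "ether3", "ether4", "ether5", "bridge0"}


def resolve_list(name, lists, static=STATIC_INTERFACES):
    """Return the effective member set of an interface list.

    lists maps list-name -> {"members": set, "include": [...], "exclude": [...]}.
    Built-in lists modelled: static, all, none (no dynamic interfaces here).
    """
    if name in ("static", "all"):
        return set(static)
    if name in ("none", "dynamic"):
        return set()
    spec = lists[name]
    members = set(spec.get("members", ()))
    for inc in spec.get("include", ()):        # include= adds whole other lists
        members |= resolve_list(inc, lists, static)
    for exc in spec.get("exclude", ()):        # exclude= removes whole other lists
        members -= resolve_list(exc, lists, static)
    return members


def drop_rule_matches(in_iface, lists, conn_state="new", nat_state="none"):
    """Model of the defconf rule: chain=forward action=drop connection-state=new
    connection-nat-state=!dstnat in-interface-list=WAN."""
    return (conn_state == "new" and nat_state != "dstnat"
            and in_iface in resolve_list("WAN", lists))


# Poster's lists: explicit member plus include=static on both.
BROKEN = {
    "LAN": {"members": {"bridge0"}, "include": ["static"]},
    "WAN": {"members": {"ether5"}, "include": ["static"]},
}
# defconf-style lists: explicit members only.
FIXED = {
    "LAN": {"members": {"bridge0"}},
    "WAN": {"members": {"ether5"}},
}


def lan_to_wan_dropped(lists):
    """Does a new connection from a LAN client (entering on bridge0) hit the drop rule?"""
    return drop_rule_matches("bridge0", lists)


if __name__ == "__main__":
    print("WAN list (broken):", sorted(resolve_list("WAN", BROKEN)))
    print("broken config drops LAN->WAN:", lan_to_wan_dropped(BROKEN))  # True
    print("fixed config drops LAN->WAN:", lan_to_wan_dropped(FIXED))    # False
```

Unsolicited traffic arriving on ether5 is still dropped by the fixed lists, which is the behaviour the rule is meant to give.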