How is it more correct? Do I need to specify an interface? Is it better to specify the entire /24 subnet or a specific range? Does it somehow affect access performance or security?
Thanks!
I would combine all this into one single rule to make sure both conditions are met simultaneously!
Use source address (or source address list) + input interface (or input interface list) in one rule.
If you have different IP ranges on different interfaces, create an accept rule for each combination, and then
at the end you have the final drop-all rule.
It is good/recommended/necessary to be as restrictive as possible on the input chain.
PS: Also ensure that login can only occur from an allowed IP range; this is in the user manager.
I don't like to think in solution space; I prefer requirements space, and solutions fall out naturally.
In this case the requirement should be, what access is required to the router?
Use Case1: Admin needs access to the router for configuration purposes
Use Case2: Users/devices on networks may need access to router provided services (dns, ntp, etc.)
Example of my relevant input chain rules...
/ip firewall filter
…
add action=accept chain=input comment="Allow ADMIN to Router" log-prefix=AdminAccess src-address-list=adminaccess
add action=accept chain=input comment="Allow LAN DNS queries - TCP" connection-state=new dst-port=53 in-interface-list=LAN protocol=tcp
add action=accept chain=input comment="Allow LAN DNS queries - UDP" connection-state=new dst-port=53 in-interface-list=LAN protocol=udp
add action=accept chain=input comment="Allow NTP service" connection-state=new dst-port=123 in-interface-list=LAN protocol=udp src-address-list=NTPserver
add action=drop chain=input comment="Drop All Else"
NOTE: I simply have an allowed access list of IP addresses which are specific to devices etc., that can access the router.
No harm in delineating that further, for example:
add action=accept chain=input comment="Allow ADMIN to Router" log-prefix=AdminAccess src-address-list=adminaccess in-interface-list=!WAN (or in-interface=bridge) (or in-interface-list=LAN)
And with anav's example you can learn more filter rules. But I think his example is, at this point in time, too complex.
But fiddling a bit with firewall will soon get you there…
Here the feedback on your post:
1.) The example you show uses "source-address-list". You can use that, or directly the source-address.
If you only have one /24 address range you do not need a list.
An address list is needed/useful if you have more IP subnets, like 192.168.88.0/24 + 192.168.100.0/24 for example.
Or individual IP addresses you want to select!
2.) It is always more exclusive (safer) to also add the interface or bridge or interface list from where you expect traffic to come, plus the IP address, in a filter rule!
So keep the LAN AND the IP address.
The basic rule is: only allow exactly what you want to allow!
You want to allow access from only LAN interfaces AND only specific IP address? → put both into the filter rule.
You think limiting access to router by IP address is enough and not locking the door twice? Only use the IP address.
I would add that one can make up INTERFACE Lists, Firewall ADDRESS Lists, use individual IPs, subnets etc.
Lots of flexibility.
Typically I use address lists when something else does not quite capture my intent. For example IP addresses that are a range within a subnet and not the whole subnet. Describing Users from different subnets. Basically anytime one has a mixed bag of users, address lists work really well.
Interface lists are also handy, for example for identifying which VLANs are supposed to have internet access (whole sets of users).
Concur, narrowing down what you allow is good security practice.
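To put the advice from the posts above (combine source address and input interface in one rule, use address lists and interface lists, end with a drop-all, and lock the user account to an allowed address too) into one runnable configuration, here is an added example. It is not configuration posted by anyone in this thread; the interface names (ether1 as WAN, bridge and vlan100 as LAN), the subnets 192.168.88.0/24 and 192.168.100.0/24, and the admin hosts .10 and .11 are assumptions chosen for illustration.

```routeros
# Added example, not from any poster in this thread. Assumed names:
# ether1 = WAN uplink, bridge = LAN bridge, vlan100 = a LAN VLAN interface,
# 192.168.88.0/24 and 192.168.100.0/24 = LAN subnets, .10/.11 = admin hosts.

/interface list
add name=WAN
add name=LAN
/interface list member
add list=WAN interface=ether1
add list=LAN interface=bridge
add list=LAN interface=vlan100

# An address list can hold whole subnets and individual hosts side by side.
/ip firewall address-list
add list=adminaccess address=192.168.88.10 comment="admin workstation"
add list=adminaccess address=192.168.88.11 comment="admin laptop"
add list=LANnets address=192.168.88.0/24
add list=LANnets address=192.168.100.0/24

/ip firewall filter
# Replies to connections the router itself opened, then drop broken state.
add chain=input action=accept connection-state=established,related \
    comment="accept established/related"
add chain=input action=drop connection-state=invalid comment="drop invalid"

# WEAK (left commented out on purpose): two separate accept rules. Rules are
# evaluated top to bottom and the first match wins, so matching EITHER rule is
# enough. A packet arriving on ether1 (WAN) with a forged 192.168.88.10 source
# would be accepted by the first rule, and every non-admin LAN host would be
# accepted by the second.
# add chain=input action=accept src-address-list=adminaccess
# add chain=input action=accept in-interface-list=LAN

# CORRECT: both conditions in ONE rule, so they must hold at the same time:
# the packet must come from an admin host AND arrive on a LAN interface.
# Note that log-prefix alone logs nothing; log=yes is what turns logging on.
add chain=input action=accept src-address-list=adminaccess in-interface-list=LAN \
    log=yes log-prefix="AdminAccess" comment="Allow ADMIN to Router"

# Router-provided services for LAN clients, likewise pinned to LAN interfaces
# and LAN source addresses.
add chain=input action=accept connection-state=new protocol=udp dst-port=53 \
    in-interface-list=LAN src-address-list=LANnets comment="LAN DNS UDP"
add chain=input action=accept connection-state=new protocol=tcp dst-port=53 \
    in-interface-list=LAN src-address-list=LANnets comment="LAN DNS TCP"
add chain=input action=accept connection-state=new protocol=udp dst-port=123 \
    in-interface-list=LAN src-address-list=LANnets comment="LAN NTP"

# Final catch-all. Logging it while testing turns a mistake into a visible
# log line instead of a silent lock-out.
add chain=input action=drop log=yes log-prefix="InputDrop" comment="Drop All Else"

# The second lock on the door (the "user manager" point above): the admin
# account itself only accepts logins from the admin hosts, independently of
# the firewall. A comma-separated address list is assumed to be accepted here.
/user set admin address=192.168.88.10/32,192.168.88.11/32

# Checks: confirm rule order and watch the hit counters, then look at what the
# catch-all actually dropped before deciding it is safe to stop logging it.
/ip firewall filter print stats where chain=input
/log print where message~"InputDrop"
```

Apply this from a session on one of the admin hosts over a LAN interface, and keep a Safe Mode session (or a scheduled rollback) open while doing so: with the combined rule in place, the same host reaching the router from the WAN side, or any other LAN host, falls through to "Drop All Else".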
I have no problem with the other firewall rules. My main question was: to access the router from the internal network subnet, is it necessary to specify the interface? I realized that yes, it is.
Thank you so much for the answers!