Simple Bridge with Firewall rules for Ether1 (internet)

Dear Forum,

please assist me to configure a Mikrotik RB750Gr3 with RouterOS v7.16.2 as a Bridge with Firewall. Ether1 is connected to the internet. Ether 2 to 5 are the internal network which should be secured. No connection from the internet (ether1) should be initiated to the internal network (ether 2 to 5 ports). However, the internal network should be able to establish communication to the internet. DHCP and NTP servers are provided through Ether1 (internet side).

The following config does not allow devices on Ether2 to 5 to communicate with the Internet (Ether1):

/interface bridge
add name=bridge
/interface bridge port
add bridge=bridge interface=ether2
add bridge=bridge interface=ether3
add bridge=bridge interface=ether4
add bridge=bridge interface=ether5

/ip firewall nat
add chain=srcnat action=masquerade out-interface=ether1

/ip firewall filter
add chain=input connection-state=established,related action=accept
add chain=input connection-state=invalid action=drop
add chain=forward in-interface=bridge out-interface=bridge action=accept
add chain=forward out-interface=ether1 action=accept
add chain=input in-interface=ether1 action=drop

Thank you

Is that all? Please export the whole config to be checked. Where are addresses assigned to the LAN & WAN interfaces?
If you want to test your router just reset it to the defaults and everything should work as you want as default configuration is quite good.

/export file=anynameyouwish ( minus router serial number, any public WANIP information, keys etc. )

Hi, please find attached the default bridge setup. However, it has no firewall config and Ether1 is part of bridge1.
Should Ether1 be removed from the bridge and/or disabled from the hardware switch (Hardware Offload = False)?
https://help.mikrotik.com/docs/spaces/ROS/pages/15302988/Switch+Chip+Features

Copilot has created attached configuration, however the bridge can’t reach the internet, as Ether1 is not part of the bridge.

Which is the best approach?
ai-switch-setup.rsc (792 Bytes)
defaultBridgeV7.16.2.rsc (797 Bytes)

If the default bridge config is the exported one, remove ether1 from the bridge, set the DHCP client on ether1 and add some firewall rules

Default ones:

/ip firewall filter
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=drop chain=input comment="defconf: drop all not coming from LAN" in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related
add action=accept chain=forward comment="defconf: accept established,related, untracked" connection-state=established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
add action=drop chain=forward comment="defconf:  drop all from WAN not DSTNATed" connection-nat-state=!dstnat connection-state=new in-interface-list=WAN

Additionally, add a LAN address on the bridge and perhaps a DHCP server and not to forget a NAT masquerading rule:

/ip firewall nat
add action=masquerade chain=srcnat out-interface-list=WAN

cat12 are you better than AI>>> Copilot copying does not equal learning!!

Essentially the same advice Cat12 just provided, a little more detailed:

/interface bridge
add name=bridge1
/interface list
add name=WAN
add name=LAN
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik

OK.

/interface bridge port
add bridge=bridge1 interface=ether1
add bridge=bridge1 interface=ether2
add bridge=bridge1 interface=ether3
add bridge=bridge1 interface=ether4
add bridge=bridge1 interface=ether5

ether1 needs to be made independent (removed from bridge).

/interface list member
add interface=ether1 list=WAN
add interface=ether2 list=LAN
add interface=ether3 list=LAN
add interface=ether4 list=LAN
add interface=ether5 list=LAN
add interface=bridge1 list=LAN

You are going to have only two interfaces, a single one (ether1) which is WAN and a grouped one (bridge1) that is LAN (and includes ether2-5)

/ip dhcp-client
add interface=bridge1 (change to: add interface=ether1)

The DHCP client should get an IP from the ISP on ether1.

/system identity
set name=Mikrotik
/system note
set show-at-login=no

OK.

Before physically connecting ether1 to the internet, do add the default firewall settings:

/ip firewall filter
add chain=input action=accept connection-state=established,related,untracked comment="defconf: accept established,related,untracked"
add chain=input action=drop connection-state=invalid comment="defconf: drop invalid"
add chain=input action=accept protocol=icmp comment="defconf: accept ICMP"
add chain=input action=accept dst-address=127.0.0.1 comment="defconf: accept to local loopback (for CAPsMAN)"
add chain=input action=drop in-interface-list=!LAN comment="defconf: drop all not coming from LAN"
add chain=forward action=accept ipsec-policy=in,ipsec comment="defconf: accept in ipsec policy"
add chain=forward action=accept ipsec-policy=out,ipsec comment="defconf: accept out ipsec policy"
add chain=forward action=fasttrack-connection connection-state=established,related comment="defconf: fasttrack"
add chain=forward action=accept connection-state=established,related,untracked comment="defconf: accept established,related, untracked"
add chain=forward action=drop connection-state=invalid comment="defconf: drop invalid"
add chain=forward action=drop connection-state=new connection-nat-state=!dstnat in-interface-list=WAN comment="defconf: drop all from WAN not DSTNATed"

Then you need to add an address to the bridge (that will be the gateway for the devices on the LAN).

/ip address
add address=192.168.88.1/24 comment=defconf interface=bridge1 network=192.168.88.0

Usually a DHCP server is configured on the bridge, so that devices connected on the LAN side automatically get their address, gateway (and DNS) from it:

/ip pool
add name=default-dhcp ranges=192.168.88.10-192.168.88.254
/ip dhcp-server
add address-pool=default-dhcp interface=bridge1 name=defconf
/ip dhcp-server network
add address=192.168.88.0/24 comment=defconf dns-server=192.168.88.1 gateway=192.168.88.1
/ip dns
set allow-remote-requests=yes servers=1.1.1.1,1.0.0.1
/ip dns static
add address=192.168.88.1 comment=defconf name=router.lan type=A

Then you need a firewall NAT rule so that the LAN devices are NATed to the WAN:

/ip firewall nat
add action=masquerade chain=srcnat comment=masquerade ipsec-policy=out,none out-interface-list=WAN

Please do study the provided corrections before applying the changes, you need to understand what they do, rather than blindly applying them.

They should be enough to get you a very basic configuration.

A good idea would be (if you don’t really-really need it) to also take ether5 out of the bridge, assign it a static address in a /30 network and use it as a dedicated “management” port, so that later you can improve the security of your setup without risking being locked out of the router. Example (once ether5 is removed from the bridge):

/interface list
add comment=Management name=MGMT
/interface list member
add interface=ether5 list=LAN
add interface=ether5 list=MGMT
/ip address
add address=192.168.65.1/30 interface=ether5 network=192.168.65.0

The above will allow connection from a PC with a static IP of 192.168.65.2, which later can be made the only access (you will need to add an accept rule in firewall filter for in-interface-list=MGMT placed before the drop one for !LAN).

Be very careful: the port (if the interface is independent) or the bridge (if the interface is part of a bridge) MUST be part of LAN in /interface list member, otherwise the default firewall rule:

add chain=input action=drop in-interface-list=!LAN comment="defconf: drop all not coming from LAN"

could lock you out of router access.

Thank you very much for your feedback and help.
Attached config is working (Firewall needs to be implemented still).
However, /ip dns servers=1.0.0.1 is not accepted and brings an error.
Would it be possible to set up the bridge so that external access to a web page (port 80) on the LAN side is possible? For example 192.168.88.50:80?
How may this be accomplished?
I appreciate very much your expertise and help.
CustomBridgeV7.16.2.rsc (1.28 KB)

You need to disconnect from the internet and implement at least the default firewall ASAP because now you’re an open door to the world. After that we can talk about port forwarding (allowing access to internal service through public IP)

That is the intent of CO-PILOT, to CO-OPT every mikrotik new user device, as they rely on AI, instead of real people.

Hello TheCat12,
thank you for the security input. The firewall was added successfully and is working fine. I have made a Zenmap scan.
Please advise further on allowing access to an internal service through the public IP.
Custom2BridgeV7.16.2.rsc (2.57 KB)

It was /thread at this point. Why is AI needed to generate really poor configuration when the default config meets 95% of the use case?

To prove - once again - that AI is not (yet :confused: ) capable of doing anything good? :laughing:

Per your example from a previous post, to port forward 192.168.88.50:80, you would need to add the following NAT rule:

/ip firewall nat
add action=dst-nat chain=dstnat dst-port=80 in-interface-list=WAN protocol=tcp to-addresses=192.168.88.50

Before adding it, you would need to consider whether you have a public IP or not. If it’s the latter, you’d have to talk to your ISP to give you one or put their device in bridge mode. If it’s the former and the IP is dynamic, you would need to enable DDNS and reference it when connecting from the outside. If the public IP is static, you could change the rule to the following:

/ip firewall nat
add action=dst-nat chain=dstnat dst-address="public_IP" dst-port=80 protocol=tcp to-addresses=192.168.88.50

Also, if you want to access the address on the inside via the external address, a hairpin NAT rule would be needed, placed before the other rules:

/ip firewall nat
add action=masquerade chain=srcnat dst-address=192.168.88.0/24 src-address=192.168.88.0/24

thank you very much. It works beautifully.
I used:
/ip firewall nat
add action=dst-nat chain=dstnat dst-address="public_IP" dst-port=80 protocol=tcp to-addresses=192.168.88.50

May I ask: Is there a way that I could limit who can access this port? For instance allow just a specific network range as 1.2.3.0/24? Everyone else should not access the port.

add a firewall address list
add src-address-list=<name of the firewall address list above> to the dstnat rule
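The following is an added worked example (not code from any poster in this thread) showing the open port forward from earlier in the thread beside its address-list restricted form. Assumptions: the address list name "web-allowed" is chosen here, "public_IP" is the placeholder used above, and 1.2.3.0/24 is the example range from the question.

```routeros
# Added example, not from the thread: restrict the port forward to one source range.
/ip firewall address-list
add list=web-allowed address=1.2.3.0/24 comment="remote network allowed to reach the web server"
# LAN hosts that reach the server through the public IP (hairpin) must be listed too,
# otherwise they no longer match the restricted dst-nat rule below.
add list=web-allowed address=192.168.88.0/24 comment="LAN, needed only for hairpin access"

/ip firewall nat
# Open variant used above: any source on the internet can reach 192.168.88.50:80.
# add action=dst-nat chain=dstnat dst-address="public_IP" dst-port=80 protocol=tcp to-addresses=192.168.88.50
# Restricted variant: only listed sources are translated. Everything else is never dst-natted,
# so the default "drop all from WAN not DSTNATed" forward rule discards it.
add action=dst-nat chain=dstnat dst-address="public_IP" dst-port=80 protocol=tcp src-address-list=web-allowed to-addresses=192.168.88.50 comment="web server, restricted by address list"
# Hairpin rule from the thread, unchanged; it must sit above the general masquerade rule for WAN.
add action=masquerade chain=srcnat dst-address=192.168.88.0/24 src-address=192.168.88.0/24 comment="hairpin NAT"
```

Check the result with /ip firewall nat print stats and /ip firewall address-list print: only connections from listed sources should increment the dst-nat rule's counters.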

Thank you, works perfect