[SOLVED] Sanity check firewall rules

gide · February 9, 2023, 2:11am

Hello All,
I have just tried to login via web interface with the ip address and it is not possible. Fine via Winbox MAC address only, not IP
Then I checked the firewall rules and the “hacker” entries look new to me. The ISP setup the router initially.
Additionally I had tried to install Proton VPN though it failed, see the entry. The are also entries in the router config file though want to look at these later.
Would someone be able to help me with this?
Thanks

/ip firewall filter
add action=fasttrack-connection chain=forward connection-state=established,related
add action=accept chain=forward connection-state=established,related
add action=accept chain=input src-address-list=Management
add action=add-src-to-address-list address-list=Hackers address-list-timeout=1d chain=input comment="Add port scan to hackers" protocol=tcp psd=21,3s,3,1
add action=add-src-to-address-list address-list=Hackers address-list-timeout=5m chain=input comment="Add excessive SSH to hackers" connection-limit=3,32 dst-port=22 protocol=tcp
add action=add-src-to-address-list address-list=Hackers address-list-timeout=1d chain=input comment="SSH added to Hackers" connection-state=new dst-port=22 protocol=tcp src-address-list=ssh_stage2
add action=add-src-to-address-list address-list=ssh_stage2 address-list-timeout=5m chain=input comment="SSH Stage2" connection-state=new dst-port=22 protocol=tcp src-address-list=ssh_stage1
add action=add-src-to-address-list address-list=ssh_stage1 address-list-timeout=5m chain=input comment="SSH Stage1" connection-state=new dst-port=22 protocol=tcp
/ip firewall mangle
add action=mark-connection chain=prerouting new-connection-mark=under_protonvpn passthrough=yes src-address-list=under_protonvpn
/ip firewall nat
add action=masquerade chain=srcnat out-interface=ether5-Backhaul
/ip firewall raw
add action=drop chain=prerouting src-address-list=Hackers

erlinden · February 9, 2023, 7:00am

If your MikroTik has a public IP address, the firewall is not complete. But it would help if you supply us with a complete network diagram (clients are not relevant). And also supply us the complete export:

/export file=anynameyoulike

Make sure to remove serial/public IP/anything als personal

gide · February 9, 2023, 7:57am

If your MikroTik has a public IP address, the firewall is not complete. But it would help if you supply us with a complete network diagram (clients are not relevant). And also supply us the complete export:
/export file=anynameyoulike
Make sure to remove serial/public IP/anything als personal

Thanks @erlinden
The graph will take a bit more time. Will try over the next 24hrs

# feb/09/2023 20:45:16 by RouterOS 6.48.6
# software id = JKFI-AD2J
#
# model = RB960PGS
# serial number = "    "
/interface bridge
add name=bridge-local
/interface ethernet
set [ find default-name=ether5 ] name=ether5-Backhaul
/caps-man configuration
add channel.band=5ghz-n/ac channel.control-channel-width=20mhz \
    channel.extension-channel=eC channel.frequency=5200,5240,5280,5320 \
    channel.skip-dfs-channels=yes country="new zealand" datapath.bridge=\
    bridge-local datapath.client-to-client-forwarding=yes \
    datapath.local-forwarding=no distance=indoors hw-protection-mode=rts-cts \
    hw-retries=4 mode=ap name=5GHz security.authentication-types=wpa2-psk \
    security.encryption=aes-ccm security.passphrase=~"  "/ ssid=\
    "  "
add channel.band=2ghz-g/n channel.control-channel-width=20mhz \
    channel.extension-channel=disabled channel.frequency=2412,2437,2462 \
    channel.tx-power=18 country="new zealand" datapath.bridge=bridge-local \
    datapath.client-to-client-forwarding=yes datapath.local-forwarding=no \
    distance=indoors hw-protection-mode=rts-cts hw-retries=4 mode=ap name=\
    2.4GHz security.authentication-types=wpa2-psk security.encryption=aes-ccm \
    security.passphrase=~Bl00dP00l/ ssid="GA WiFi"
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip ipsec mode-config
add connection-mark=under_protonvpn name="Proton VPN mode config" responder=\
    no
/ip ipsec policy group
add name=ProtonVPN
/ip ipsec profile
add dh-group=modp4096,modp2048,modp1024 dpd-interval=disable-dpd \
    enc-algorithm=aes-256 hash-algorithm=sha256 name="Proton VPN profile"
/ip ipsec proposal
add auth-algorithms=sha256 enc-algorithms=aes-256-cbc lifetime=0s name=\
    "Proton VPN proposal" pfs-group=none
/ip pool
add name=dhcp_pool0 ranges=192.xx-192.xx
/ip dhcp-server
add address-pool=dhcp_pool0 disabled=no interface=bridge-local name=dhcp1
/snmp community
set [ find default=yes ] addresses=xx/24
/caps-man manager
set enabled=yes upgrade-policy=require-same-version
/caps-man provisioning
add action=create-dynamic-enabled hw-supported-modes=gn master-configuration=\
    2.4GHz name-format=identity
add action=create-dynamic-enabled hw-supported-modes=ac master-configuration=\
    5GHz name-format=identity
/interface bridge port
add bridge=bridge-local interface=ether3
add bridge=bridge-local interface=ether2
add bridge=bridge-local interface=ether4
add bridge=bridge-local interface=ether1
/ip neighbor discovery-settings
set discover-interface-list=!dynamic
/ip address
add address=XX/24 interface=bridge-local network=XX
add address=XX/24 interface=ether5-Backhaul network=XX
/ip arp
add address=XX comment="Logitech Server" interface=bridge-local \
    mac-address=xx
add address=xx comment="PC Ethernet" interface=bridge-local \
    mac-address=xx
/ip dhcp-server lease
add address=xx mac-address=xx server=dhcp1
add address=xx client-id=xx mac-address=\
    xx server=dhcp1
/ip dhcp-server network
add address=xx/24 dns-server=xx gateway=xx
/ip dns
set servers=xx,xx
/ip firewall address-list
add address=xx/24 list=Management
add address=xx list=Management
add address=xx list=Management
add address=xx list=Management
add address=xx/24 list=Management
add address=xx/24 list=under_protonvpn
/ip firewall filter
add action=fasttrack-connection chain=forward connection-state=\
    established,related
add action=accept chain=forward connection-state=established,related
add action=accept chain=input src-address-list=Management
add action=add-src-to-address-list address-list=Hackers address-list-timeout=\
    1d chain=input comment="Add port scan to hackers" protocol=tcp psd=\
    21,3s,3,1
add action=add-src-to-address-list address-list=Hackers address-list-timeout=\
    5m chain=input comment="Add excessive SSH to hackers" connection-limit=\
    3,32 dst-port=22 protocol=tcp
add action=add-src-to-address-list address-list=Hackers address-list-timeout=\
    1d chain=input comment="SSH added to Hackers" connection-state=new \
    dst-port=22 protocol=tcp src-address-list=ssh_stage2
add action=add-src-to-address-list address-list=ssh_stage2 \
    address-list-timeout=5m chain=input comment="SSH Stage2" \
    connection-state=new dst-port=22 protocol=tcp src-address-list=ssh_stage1
add action=add-src-to-address-list address-list=ssh_stage1 \
    address-list-timeout=5m chain=input comment="SSH Stage1" \
    connection-state=new dst-port=22 protocol=tcp
/ip firewall mangle
add action=mark-connection chain=prerouting new-connection-mark=\
    under_protonvpn passthrough=yes src-address-list=under_protonvpn
/ip firewall nat
add action=masquerade chain=srcnat out-interface=ether5-Backhaul
/ip firewall raw
add action=drop chain=prerouting src-address-list=Hackers
/ip route
add distance=1 gateway=xx
/ip service
set telnet disabled=yes
set ftp disabled=yes
set www address=xx/16
set ssh address=xx/16
set api disabled=yes
set winbox address=xx/16
set api-ssl disabled=yes
/snmp
set enabled=yes
/system clock
set time-zone-autodetect=no time-zone-name=Pacific/Auckland
/system identity
set name="GreenPen-*******-PoE"
/system logging
add topics=ipsec,!packet
/system ntp client
set enabled=yes primary-ntp=xx
/system package update
set channel=long-term

Here I now have the graph

and the firewall complete

# feb/09/2023 22:06:14 by RouterOS 6.48.6
# software id = JKFI-AD2J
#
# model = RB960PGS
# serial number = "  "
/ip firewall address-list
add address=xx/24 list=Management
add address=xx list=Management
add address=xx list=Management
add address=xx list=Management
add address=xx/24 list=Management
add address=xx/24 list=under_protonvpn
/ip firewall filter
add action=fasttrack-connection chain=forward connection-state=\
    established,related
add action=accept chain=forward connection-state=established,related
add action=accept chain=input src-address-list=Management
add action=add-src-to-address-list address-list=Hackers address-list-timeout=\
    1d chain=input comment="Add port scan to hackers" protocol=tcp psd=\
    21,3s,3,1
add action=add-src-to-address-list address-list=Hackers address-list-timeout=\
    5m chain=input comment="Add excessive SSH to hackers" connection-limit=\
    3,32 dst-port=22 protocol=tcp
add action=add-src-to-address-list address-list=Hackers address-list-timeout=\
    1d chain=input comment="SSH added to Hackers" connection-state=new \
    dst-port=22 protocol=tcp src-address-list=ssh_stage2
add action=add-src-to-address-list address-list=ssh_stage2 \
    address-list-timeout=5m chain=input comment="SSH Stage2" \
    connection-state=new dst-port=22 protocol=tcp src-address-list=ssh_stage1
add action=add-src-to-address-list address-list=ssh_stage1 \
    address-list-timeout=5m chain=input comment="SSH Stage1" \
    connection-state=new dst-port=22 protocol=tcp
/ip firewall mangle
add action=mark-connection chain=prerouting new-connection-mark=\
    under_protonvpn passthrough=yes src-address-list=under_protonvpn
/ip firewall nat
add action=masquerade chain=srcnat out-interface=ether5-Backhaul
/ip firewall raw
add action=drop chain=prerouting src-address-list=Hackers

gide · February 20, 2023, 4:35pm

Would be nice to have some further information/feedback.

anav · February 20, 2023, 7:04pm

I would change the config drastically, if you are ready to do that, then I can be of assistance. Step one would be to get rid of any rules you dont need such as hacker nonsense.

gide · February 21, 2023, 3:27am

Thanks @anav
Yes I am ready for that.
Do I go to Winbox> IP> Firewall> Rules and delete the Hacker entries?

anav · February 21, 2023, 3:26pm

(1) Comment: hiding your private IPs throughout the config is useless from a security perspective and actually gets in the way of detecting errors one has made in the config.

(2) Why do you have this setup… as such???
/ip dns
set servers=xx,xx

Should be something like.
/ip dns
set allow-remote-requests=yes servers=1.1.1.2,8.8.4.4 ( pick a couple of decent dns servers on the net )

(3) Firewall address list you use is WHACK!
Use interface lists to identify subnets that the admin may come from to config the router, but use address list to narrow down to specific IP addresses.
There is no point in identifying subnets of users to identify admin IPs in an address list.

/ip firewall address-list
add address=xx/24 list=Management
add address=xx list=Management
add address=xx list=Management
add address=xx list=Management
add address=xx/24 list=Management
/ip firewall filter
add action=accept chain=input src-address-list=Management

better to have
/interface list
add name=WAN
add name=LAN
add name=MANAGE ( and then add appropriate interfaces in list members )

WHICH by the way is also weird you have TWO subnets associated with the source address list but ONLY one subnet and that is on the bridge,
Where are you getting this second subnet??
Surely it cannot be proton VPN because that is an outgoing service aka VPN to the outer world ???

/interface list members
add interface=ether5-backhaul list=WAN
add interface=bridge list=LAN
add interface=bridge list=MANAGE

then
add action=accept chain=input in-interface-list=MANAGE src-address-list=AdminAccess

(4) RAW RULES REMOVED / Mangle left alone as you need it for VPN for some reason, but not clear why???

/ip firewall filter
{Input Chain}
(default rules)
add action=accept chain=input comment=“defconf: accept established,related,untracked” connection-state=established,related,untracked
add action=drop chain=input comment=“defconf: drop invalid” connection-state=invalid
add action=accept chain=input comment=“defconf: accept ICMP” protocol=icmp
(admin rules)
add action=accept chain=input in-interface-list=MANAGE src-address-list=Management
add action=accept chain=input comment=“Allow LAN DNS queries-UDP” \ {and NTP *** services if required etc}
dst-port=53,123* in-interface-list=LAN protocol=udp
add action=accept chain=input comment=“Allow LAN DNS queries - TCP”
dst-port=53 in-interface-list=LAN protocol=tcp}
add action=drop chain=input comment=“drop all else” { put this rule in last otherwise you could lock yourself out }**
{forward chain}
(default rules)
add action=fasttrack-connection chain=forward comment=“defconf: fasttrack” connection-state=established,related
add action=accept chain=forward comment=“defconf: accept established,related, untracked” connection-state=established,related,untracked
add action=drop chain=forward comment=“defconf: drop invalid” connection-state=invalid
(admin rules)
add action=accept chain=forward comment=“allow internet traffic” in-interface-list=LAN out-interface-list=WAN
add action=accept chain=forward comment=“allow port forwarding” connection-nat-state=dstnat { disable if not required }
add action=drop chain=forward comment=“drop all else”
/ip firewall mangle
add action=mark-connection chain=prerouting new-connection-mark=
under_protonvpn passthrough=yes src-address-list=under_protonvpn
/ip firewall nat
add action=masquerade chain=srcnat comment=“defconf: masquerade” out-interface-list=WAN

(5) Also go into IP FIREWALL, select TAB Connections and below the TAB line, find the button and select “Tracking”
In the pop-up menu ensure the checkbox is NOT checked, we dont want loose here.

(6) DISABLE www, unless required for some reason, its not a secure service and should not be enabled.
/ip service
set telnet disabled=yes
set ftp disabled=yes
set www address=xx/16
set ssh address=xx/16
set api disabled=yes
set winbox address=xx/16
set api-ssl disabled=yes

gide · February 21, 2023, 5:28pm

(1) Comment: hiding your private IPs throughout the config is useless from a security perspective and actually gets in the way of detecting errors one has made in the config.
(2) Why do you have this setup… as such???
Thanks @anav
I may should’ve explained this here below right at the beginning. My apology if it had/has any importance.
The whole setup was done by a local startup ISP. The system is a"WIFI"network and I have here below the : IP>Neighbours with wiped out names and 90% of the MAC addresses. Initially I did not get access to the setup so I asked the ISP that I would want to buy my own gear and they set it up(imported the settings) for me.
The password, moving the DNS server to Pihole and if I remember right, the removal of the support IP address are my only contributions to date.
I am not an expert at all though like to learn and have my “own” working setup.

gide · February 23, 2023, 8:33am

Hi Anav
I like to start with the first three points;
(1) Do you mean my hiding of the private IP’s in the reply to @erlinden?
(2) As mentioned before the setup was by the ISP
(i)/ip dns : I have the dns server on the Pihole
(3) Firewall address list you use is WHACK! : Again the FW setup was done the ISP though I am keen to work on this. Not sure what I would enter here below.
/ip firewall address-list
add address=xx/24 list=Management
add address=xx list=Management
add address=xx list=Management
add address=xx list=Management
add address=xx/24 list=Management

gide · March 2, 2023, 7:57am

Is anyone willing to help me to continue on this? Would be nice

anav · March 2, 2023, 12:16pm

Yes, private IPs are private not public so they can be displayed in a config.
Meaning they have no signficance from a security perspective. Its the public IP which one must protect.

The IPs you put in for managment are ALL the ones you use as the admin.
laptop
desktop
ipad/iphone
remote like wireguard IP.

All the local ones you make static under dhcp leases so the IPs never change.

gide · March 2, 2023, 5:02pm

Thanks @anav
Here below I have two exports.
Note the screen print from the neighbourhood above. This is the ISP’s network in the(rural) area where we are.
Firewall:

# mar/03/2023 05:39:39 by RouterOS 6.48.6
# software id = JKFI-AD2J
#
# model = RB960PGS
# serial number = **
/ip firewall address-list
add address=192.168.65.0/24 list=Management
add address=103.105.20.18 list=Management
add address=103.105.20.20 list=Management
add address=192.168.210.1 list=Management
add address=192.168.200.0/24 list=Management
add address=192.168.178.0/24 list=under_protonvpn
/ip firewall filter
add action=fasttrack-connection chain=forward connection-state=\
    established,related
add action=accept chain=forward connection-state=established,related
add action=accept chain=input src-address-list=Management
add action=add-src-to-address-list address-list=Hackers address-list-timeout=\
    1d chain=input comment="Add port scan to hackers" protocol=tcp psd=\
    21,3s,3,1
add action=add-src-to-address-list address-list=Hackers address-list-timeout=\
    5m chain=input comment="Add excessive SSH to hackers" connection-limit=\
    3,32 dst-port=22 protocol=tcp
add action=add-src-to-address-list address-list=Hackers address-list-timeout=\
    1d chain=input comment="SSH added to Hackers" connection-state=new \
    dst-port=22 protocol=tcp src-address-list=ssh_stage2
add action=add-src-to-address-list address-list=ssh_stage2 \
    address-list-timeout=5m chain=input comment="SSH Stage2" \
    connection-state=new dst-port=22 protocol=tcp src-address-list=ssh_stage1
add action=add-src-to-address-list address-list=ssh_stage1 \
    address-list-timeout=5m chain=input comment="SSH Stage1" \
    connection-state=new dst-port=22 protocol=tcp
/ip firewall mangle
add action=mark-connection chain=prerouting new-connection-mark=\
    under_protonvpn passthrough=yes src-address-list=under_protonvpn
/ip firewall nat
add action=masquerade chain=srcnat out-interface=ether5-Backhaul
/ip firewall raw
add action=drop chain=prerouting src-address-list=Hackers

Config:

# mar/03/2023 05:23:28 by RouterOS 6.48.6
# software id = J**
#
# model = RB960PGS
# serial number = XX
/interface bridge
add name=bridge-local
/interface ethernet
set [ find default-name=ether5 ] name=ether5-Backhaul
/caps-man configuration
add channel.band=5ghz-n/ac channel.control-channel-width=20mhz \
    channel.extension-channel=eC channel.frequency=5200,5240,5280,5320 \
    channel.skip-dfs-channels=yes country="**" datapath.bridge=\
    bridge-local datapath.client-to-client-forwarding=yes \
    datapath.local-forwarding=no distance=indoors hw-protection-mode=rts-cts \
    hw-retries=4 mode=ap name=5GHz security.authentication-types=wpa2-psk \
    security.encryption=aes-ccm security.passphrase=**/ ssid=\
    "**"
add channel.band=2ghz-g/n channel.control-channel-width=20mhz \
    channel.extension-channel=disabled channel.frequency=2412,2437,2462 \
    channel.tx-power=18 country="**" datapath.bridge=bridge-local \
    datapath.client-to-client-forwarding=yes datapath.local-forwarding=no \
    distance=indoors hw-protection-mode=rts-cts hw-retries=4 mode=ap name=\
    2.4GHz security.authentication-types=wpa2-psk security.encryption=aes-ccm \
    security.passphrase=**/ ssid=**
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip ipsec mode-config
add connection-mark=under_protonvpn name="Proton VPN mode config" responder=\
    no
/ip ipsec policy group
add name=ProtonVPN
/ip ipsec profile
add dh-group=modp4096,modp2048,modp1024 dpd-interval=disable-dpd \
    enc-algorithm=aes-256 hash-algorithm=sha256 name="Proton VPN profile"
/ip ipsec proposal
add auth-algorithms=sha256 enc-algorithms=aes-256-cbc lifetime=0s name=\
    "Proton VPN proposal" pfs-group=none
/ip pool
add name=dhcp_pool0 ranges=192.168.178.100-192.168.178.199
/ip dhcp-server
add address-pool=dhcp_pool0 disabled=no interface=bridge-local name=dhcp1
/snmp community
set [ find default=yes ] addresses=192.168.200.0/24
/caps-man manager
set enabled=yes upgrade-policy=require-same-version
/caps-man provisioning
add action=create-dynamic-enabled hw-supported-modes=gn master-configuration=\
    2.4GHz name-format=identity
add action=create-dynamic-enabled hw-supported-modes=ac master-configuration=\
    5GHz name-format=identity
/interface bridge port
add bridge=bridge-local interface=ether3
add bridge=bridge-local interface=ether2
add bridge=bridge-local interface=ether4
add bridge=bridge-local interface=ether1
/ip neighbor discovery-settings
set discover-interface-list=!dynamic
/ip address
add address=192.168.178.1/24 interface=bridge-local network=192.168.178.0
add address=192.168.212.10/24 interface=ether5-Backhaul network=192.168.212.0
/ip arp
add address=192.168.178.107 comment="Logitech Server" interface=bridge-local \
    mac-address=DC:A6:32:4A:AA:54
add address=192.168.178.2 comment="PC Ethernet" interface=bridge-local \
    mac-address=F8:63:3F:75:37:F8
/ip dhcp-server lease
add address=192.168.178.199 mac-address=7C:2F:80:D5:5A:B3 server=dhcp1
add address=192.168.178.100 client-id=1:0:4:20:12:73:ff mac-address=\
    00:04:20:12:73:FF server=dhcp1
/ip dhcp-server network
add address=192.168.178.0/24 dns-server=192.168.178.36 gateway=192.168.178.1
/ip dns
set servers=208.67.222.123,9.9.9.9
/ip firewall address-list
add address=192.168.65.0/24 list=Management
add address=103.105.20.18 list=Management
add address=103.105.20.20 list=Management
add address=192.168.210.1 list=Management
add address=192.168.200.0/24 list=Management
add address=192.168.178.0/24 list=under_protonvpn
/ip firewall filter
add action=fasttrack-connection chain=forward connection-state=\
    established,related
add action=accept chain=forward connection-state=established,related
add action=accept chain=input src-address-list=Management
add action=add-src-to-address-list address-list=Hackers address-list-timeout=\
    1d chain=input comment="Add port scan to hackers" protocol=tcp psd=\
    21,3s,3,1
add action=add-src-to-address-list address-list=Hackers address-list-timeout=\
    5m chain=input comment="Add excessive SSH to hackers" connection-limit=\
    3,32 dst-port=22 protocol=tcp
add action=add-src-to-address-list address-list=Hackers address-list-timeout=\
    1d chain=input comment="SSH added to Hackers" connection-state=new \
    dst-port=22 protocol=tcp src-address-list=ssh_stage2
add action=add-src-to-address-list address-list=ssh_stage2 \
    address-list-timeout=5m chain=input comment="SSH Stage2" \
    connection-state=new dst-port=22 protocol=tcp src-address-list=ssh_stage1
add action=add-src-to-address-list address-list=ssh_stage1 \
    address-list-timeout=5m chain=input comment="SSH Stage1" \
    connection-state=new dst-port=22 protocol=tcp
/ip firewall mangle
add action=mark-connection chain=prerouting new-connection-mark=\
    under_protonvpn passthrough=yes src-address-list=under_protonvpn
/ip firewall nat
add action=masquerade chain=srcnat out-interface=ether5-Backhaul
/ip firewall raw
add action=drop chain=prerouting src-address-list=Hackers
/ip route
add distance=1 gateway=192.168.212.254
/ip service
set telnet disabled=yes
set ftp disabled=yes
set www address=192.168.0.0/16
set ssh address=192.168.0.0/16
set api disabled=yes
set winbox address=192.168.0.0/16
set api-ssl disabled=yes
/snmp
set enabled=yes
/system clock
set time-zone-autodetect=no time-zone-name=Pacific/**
/system identity
set name="**"
/system logging
add topics=ipsec,!packet
/system ntp client
set enabled=yes primary-ntp=192.168.200.100
/system package update
set channel=long-term

anav · March 3, 2023, 1:25am

The extra blocking firewall and raw rules are unnecessary and you have no forward chain firewall rules.
I provided a suitable firewall setup and you chose to ignore it so will not comment further on firewalls.

So the only thing I can think of is getting data to the capacs…
What vlans are you passing to the two CAPACs or do you only have one flat network (one subnet)??

gide · March 4, 2023, 3:09am

Thanks.
It is not that I ignore it. I have been reading it again and again and trying to understand it. First time MT user.

So the only thing I can think of is getting data to the capacs…
What vlans are you passing to the two CAPACs or do you only have one flat network (one subnet)??

We have ethernet and wifi.

gide · March 8, 2023, 1:16am

Thanks @anav
The firewall and a few other bits have been looked at and updated by a local MT accred. tech.
I might try to figure out one more item in due course.
All good for now.