question 1:
I see this on startup of WinBox … is this a problem?
jan/02/1970 00:04:14 dhcp,critical,error dhcp-client on ether1 lost IP address 192.168.100.11 - lease expired
I enter the recommended command below and get the error below:
/user set 0 allowed-address=192.168.88.0/24
expected end of command (line 1 column 13)
question 3:
If I do the steps below per the above link, how is the Internet traffic going to get in? It looks like the router will be dropping everything that is not from 192.168.88.x.
/ip firewall filter
add action=accept chain=input comment="default configuration" connection-state=established,related
add action=accept chain=input src-address-list=allowed_to_router
add action=accept chain=input protocol=icmp
add action=drop chain=input
/ip firewall address-list
add address=192.168.88.2-192.168.88.254 list=allowed_to_router
… plus … the above seems redundant to this rule that is already in the firewall:
4 ;;; defconf: drop all not coming from LAN
chain=input action=drop in-interface-list=!LAN
jan/02/1970 00:04:14 This tells me that you have not set up NTP on your router. You should.
Not sure what your DHCP problem is, but isn't ether1 your outside? How come your router lists a private address like 192.168.100.11?
Do you have a user with the name "0"? I guess not.
So to set the address you need to give the user name, like this:
/user set admin address=192.168.88.0/24
And to me it is somewhat strange that you can give the name directly like this. Normally, when working with scripts, I would have done:
/user set [/user find where name="admin"] address=192.168.88.0/24
question 3:
If I am correct, this part connection-state=established,related means that if it is going out it will be allowed back in, since it is already established.
Firewall filter rules are inspected and actioned from top to bottom, so order is important. Once the traffic matches one rule, it will be actioned accordingly and the rest of the rules will not apply.
This probably answers question 4.
Also, for the same reason, when adding firewall rules, take note of what is already there and the order of the rules, so you don't mess things up.
Use safe mode and save backups every step of the way. This method saved me a lot of time. You can always easily go back to a working router.
More clearly: stick with the default rules until
a. you understand what the default rules actually do and mean
b. you understand what any rules you are going to add really do and mean and how they interact with the other rules.
question 1:
Today when I logged in, the dhcp error was not there.
Not sure what that was about.
question 2:
I figured this one out myself.
There is an error in the page wiki.mikrotik.com/wiki/Manual:Securing_Your_Router
The command should be…
/user set 0 address=192.168.88.0/24
… not …
/user set 0 allowed-address=192.168.88.0/24
question 3a:
Nobody answered this, so I will restate it.
The firewall advised in the above link looks like it will…
allow established connections
allow LAN connections
allow ICMP
drop everything else
… which looks like there won’t be any internet
My understanding of established connections is that they are connections in progress when the firewall is activated, but not new connections.
question 3b:
the firewall advised in the above link looks redundant to the firewall that’s already installed (below), doesn’t it?
4 ;;; defconf: drop all not coming from LAN
chain=input action=drop in-interface-list=!LAN
export file attached
I am still re-reading the links you supplied.
So am I understanding correctly, the INPUT chain is for data that is directed to the router, which would only be router control info?
So Internet traffic would be handled by the FORWARD chain, which I am not messing with.
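The first-match ordering described in the reply above, and the two input-chain rule sets compared in questions 3a and 3b, traced in a small model. This is an added example, not code from the thread or from RouterOS; the LAN/WAN list contents are taken from the posted config, the address-list range from the wiki rules, and the sample packets are constructed.

```python
# Added example (not from the thread): a first-match model of a RouterOS input chain.
IFACE_LIST = {"LAN": {"bridge"}, "WAN": {"ether1"}}          # from /interface list member
ADDR_LIST = {"allowed_to_router": ("192.168.88.2", "192.168.88.254")}  # from the wiki rules

def ip2int(a):
    return int.from_bytes(bytes(int(o) for o in a.split(".")), "big")

def matches(rule, pkt):
    """True when every matcher in the rule agrees with the packet."""
    for key, val in rule.items():
        if key == "connection-state" and pkt["state"] not in val.split(","):
            return False
        if key == "protocol" and pkt["proto"] != val:
            return False
        if key == "in-interface-list":  # "!LAN" means NOT a member of list LAN
            negate = val.startswith("!")
            if (pkt["in"] in IFACE_LIST[val.lstrip("!")]) == negate:
                return False
        if key == "src-address-list":
            lo, hi = (ip2int(x) for x in ADDR_LIST[val])
            if not lo <= ip2int(pkt["src"]) <= hi:
                return False
    return True

def evaluate(chain, pkt):
    """First matching rule wins; a packet matching no rule is accepted (RouterOS default)."""
    for rule in chain:
        if matches(rule, pkt):
            return rule["action"], rule["comment"]
    return "accept", "end of chain (implicit accept)"

# The defconf input chain from the /export posted in this thread.
DEFCONF = [
    {"action": "accept", "comment": "accept established,related,untracked", "connection-state": "established,related,untracked"},
    {"action": "drop", "comment": "drop invalid", "connection-state": "invalid"},
    {"action": "accept", "comment": "accept ICMP", "protocol": "icmp"},
    {"action": "drop", "comment": "drop all not coming from LAN", "in-interface-list": "!LAN"},
]
# The rule set quoted from the wiki page in question 3.
WIKI = [
    {"action": "accept", "comment": "established,related", "connection-state": "established,related"},
    {"action": "accept", "comment": "allowed_to_router", "src-address-list": "allowed_to_router"},
    {"action": "accept", "comment": "icmp", "protocol": "icmp"},
    {"action": "drop", "comment": "drop everything else"},
]
# Constructed sample packets: a reply to the router's own DNS query (connection
# tracking marks it established), an unsolicited WinBox attempt from the WAN,
# and a LAN host whose address is outside the wiki's allowed range.
DNS_REPLY = {"in": "ether1", "src": "8.8.8.8", "proto": "udp", "state": "established"}
WAN_NEW = {"in": "ether1", "src": "203.0.113.7", "proto": "tcp", "state": "new"}
LAN_ODD = {"in": "bridge", "src": "10.0.0.5", "proto": "tcp", "state": "new"}
```

Running `evaluate` on the three packets shows both rule sets pass the reply and drop the WAN connection, while only the wiki set drops the off-subnet LAN host: the two are not fully redundant, because defconf matches on interface and the wiki rules match on source address.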
(1) No harm in turning this on if it's desired.
/ip neighbor discovery-settings
set discover-interface-list=none (change list to LAN).
(2) Typical rookie mistake. See if you can see it.
/ip address
add address=192.168.88.1/24 comment=defconf interface=ether2 network=192.168.88.0
Hint1 - look at your /ip dhcp-server
Hint2 - look at your bridge port assignments
(3) When you are comfortable, I will wean you off these decent starter rules to something better in terms of input and forward chain.
Will depend if you can figure out (2)
Can this error come from upgrading from an older version where we did have a master port?
So an upgrade of OS did this, or is it just normal that so many do this wrong?
Here is the config so no need to download file
# may/28/2020 18:26:55 by RouterOS 6.46.6
# software id = M5G0-EMYD
#
# model = RB4011iGS+
# serial number = D1270BAB95CE
/interface bridge
add admin-mac=C4:AD:34:DA:90:CB auto-mac=no comment=defconf name=bridge
/interface ethernet switch port
set 0 default-vlan-id=0
set 1 default-vlan-id=0
set 2 default-vlan-id=0
set 3 default-vlan-id=0
set 4 default-vlan-id=0
set 5 default-vlan-id=0
set 6 default-vlan-id=0
set 7 default-vlan-id=0
set 8 default-vlan-id=0
set 9 default-vlan-id=0
set 10 default-vlan-id=0
set 11 default-vlan-id=0
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip pool
add name=dhcp ranges=192.168.88.10-192.168.88.254
/ip dhcp-server
add address-pool=dhcp disabled=no interface=bridge name=defconf
/user group
set full policy="local,telnet,ssh,ftp,reboot,read,write,policy,test,winbox,pas\
sword,web,sniff,sensitive,api,romon,dude,tikapp"
/interface bridge port
add bridge=bridge comment=defconf interface=ether2
add bridge=bridge comment=defconf interface=ether3
add bridge=bridge comment=defconf interface=ether4
add bridge=bridge comment=defconf interface=ether5
add bridge=bridge comment=defconf interface=ether6
add bridge=bridge comment=defconf interface=ether7
add bridge=bridge comment=defconf interface=ether8
add bridge=bridge comment=defconf interface=ether9
add bridge=bridge comment=defconf interface=ether10
add bridge=bridge comment=defconf interface=sfp-sfpplus1
/ip neighbor discovery-settings
set discover-interface-list=none
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=ether1 list=WAN
/ip address
add address=192.168.88.1/24 comment=defconf interface=ether2 network=\
192.168.88.0
/ip cloud
set update-time=no
/ip dhcp-client
add comment=defconf disabled=no interface=ether1
/ip dhcp-server network
add address=192.168.88.0/24 comment=defconf gateway=192.168.88.1
/ip dns static
add address=192.168.88.1 name=router.lan
/ip firewall filter
add action=accept chain=input comment=\
"defconf: accept established,related,untracked" connection-state=\
established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
connection-state=established,related
add action=accept chain=forward comment=\
"defconf: accept established,related, untracked" connection-state=\
established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
connection-state=invalid
add action=drop chain=forward comment=\
"defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
connection-state=new in-interface-list=WAN
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" \
ipsec-policy=out,none out-interface-list=WAN
/ip service
set telnet disabled=yes
set ftp disabled=yes
set www disabled=yes
set api disabled=yes
set winbox address=192.168.88.0/24
set api-ssl disabled=yes
/ip ssh
set strong-crypto=yes
/system clock
set time-zone-name=America/Chicago
/tool bandwidth-server
set enabled=no
/tool mac-server
set allowed-interface-list=none
/tool mac-server mac-winbox
set allowed-interface-list=none
/tool mac-server ping
set enabled=no
I did not add the line mentioned:
(2) Typical rookie mistake. See if you can see it.
/ip address
add address=192.168.88.1/24 comment=defconf interface=ether2 network=192.168.88.0
But I did upgrade the software, so like Jotne said, perhaps it was a result of the upgrade.
Is there a recommended optimal firewall config on file somewhere I can copy and install?
I realize everyone’s use case is different, but I’m talking about a generic starter firewall.
If so, how would I wipe the existing firewall?
If not, how would I fix/remove the offending line?
I gave explicit instructions on getting help, and hints. It is not an unreasonable request…
Figure it out and then I can help with the rest.
You have to be able to think and understand firewall rules and config to work in MT, otherwise might as well buy a Netgear
There is only one other ip address line and it is associated with the WAN.
What is the purpose of the bridge? I don’t know. It’s a brand new router and I didn’t create any bridges, or give them any responsibilities, or attach anything to them.
I am simply trying to secure a new router.
You picked out a line in my config, blamed me for it, and want me to fix it, which I cannot do, since I didn’t create it.
And when someone else wanted to help, or provide some clarity, you shut them down.
I see you providing clear concise answers on other questions. It is frustrating that you have decided to only provide hints, references, insults, and recommendations to buy other products on this one.