Transparent Firewall

bibawa · October 30, 2012, 9:52am

Hi Guys,

I’m new to Routerboard and I want to configure my Routerboard acting as a “transparant firewall” in the current network, something like this:

LAN (192.168.16.x /24) —> ETH1 RB (192.168.16.254 /24) ----> ETH2 RB ----> LAN 2 (192.168.16.x/24)

Clients that are connected to lan 2 are filtered by the Routerboards firewall.
I tried to creating to interfaces, defining ETH1 as WAN and ETH2 as LAN interface create some firewall policys but without luck.
Found also the method of bridging the 2 interfaces toghether but can’t find a way to get this working.

What is the best way to achieve the goal (both lan and WAN interface on same subnet), i need the capability to use the firewall functionallity to block open connections to specific ports/ip addresses.

with regards,

Sob · October 30, 2012, 3:03pm

Put both interfaces in bridge, enable Use IP Firewall in bridge settings and then you can use firewall. Also don’t miss Out. Bridge Port and In. Bridge Port there.

bibawa · October 30, 2012, 5:39pm

Hi,

So i now created a bridge called ‘Servers’, addes ETH1 and ETH2 to this bridge and assigned an ip address 192.168.16.254 to interface ETH1.
I also applied the “Use IP Firewall” setting in the bridge settings menu.

Now my network setup is as follow:

DESKTOP (192.168.16.2) → SWITCH → RB ETH1 <–>RB ETH2 —> SERVER 192.168.16.30

I created a Firewall rule “DROP INPUT ICMP” INCOMING Bridge int. ETH1, outgoing Bridge int ETH2.

When I start a ping from DESKTOP to 192.168.16.30 the ping is not dropped when I apply that rule to INPUT chain, when I switch to FORWARD CHAIN the packet is dropped.

Is it normal that in this situation I always need to apply FORWARD chain instead of input/output chain?
What is the function of the input/output bridge port? if I change port, the firewall rule still works, but I except the firewall rule is broken from the moment I switch in/out ports.. but not

Thanks for helping me out !

Feklar · October 31, 2012, 4:23pm

The chains mean different things depending on what the traffic is for.

Input means traffic for the router itself
Output means traffic leaving the router that the router itself generated
Forward means traffic flowing over the router

So yes in your case, yes forward is the chain to be using.

http://wiki.mikrotik.com/wiki/Packet_Flow#Diagram

Sob · October 31, 2012, 5:35pm

It selects traffic based on its source and destination interface. And it works. In your case you probably want something like this:

/ip firewall filter
add action=jump chain=forward in-bridge-port=eth1 jump-target=to-server \
    out-bridge-port=eth2
add action=jump chain=forward in-bridge-port=eth2 jump-target=from-server \
    out-bridge-port=eth1
add action=log chain=from-server
add action=log chain=to-server

And then add individual rules to from-server and to-server chains without the need to set destination and source interfaces for each of them. The log rules are there only as example.

linkwave · November 1, 2012, 1:52pm

You have to assign the IP address at the BRIDGE interface, not at some port of the bridge!

Lorenzo

bibawa · November 1, 2012, 3:12pm

Hi Guys,

Thanks for the feedback, that’s running smoothly now.
Next step is creating VLANS on the same network, as described here: http://gcharriere.com/blog/?p=620

Found this topic on the forum here from a guy trying to achieve the same as me http://forum.mikrotik.com/t/multiple-vlans-in-the-same-subnet-cisco-can-can-you/51268/1

→ Created VLAN with ID 10 and horizon 10
→ Assigned VLANS to bridge interface ‘Servers’
→ Assigned VLANS to port eth3

When I now in VMWare create a new VNetwork with VLAN ID 10 and send traffic from the host that uses that network the vlan tags didn’t arrive at MT router. When I do a torch of ETH3 I see something a vlan tag 10 over the logs but i guess that that is the issue.

Somebody can help me out ?

bibawa · November 1, 2012, 8:05pm

Hi again,

Got it working after a few hours of euh.. .
Now I got 2 servers which are in different broadcast domain and can’t access each other resources, now my last challenge is the following:

All servers need to have access to just 1 server (dns server), I tried to add routing stuff and so on but can’t get it working.

Probably this is a very small one , but I miss it..

kurio · February 26, 2014, 6:37pm

Hello,
Reading some related posts i came to my config which seems to work on my ipv4 and ipv6 network.
The setup is like this:

Internet
|
ISP router with NAT (192.168.1.1; ipv6: 2axx:x:x:x/64 prefix RouterAdvertised)
|
ether5
Mikrotik + wlan
ether4
|
LAN (192.168.1.0/24; ipv6: fe80:: ; 2axx:x:x:x/64)

Somebody has suggested to create additional chains (l2in, l2out, l2in6, l2out6) to distinguish the inbound and outbound traffic. This is awkward, but is the only workaround i know so far that allows to mitigate the absence of the security zones/levels and inbound/outbound directions in Mikrotik architecture. The good things that are possible in Cisco/Juniper are still to be implemented by Mikrotik.

So, i connected my LAN switch to the port 4 (ether4), and the router to the port 5. I went to the bridge/ports and left in the bridge only ether4, ether5 and wlan. This way i have isolated them from the default ether1-gateway and ether2-master-local interfaces.
Then i have adapted/added some more rules into the IP and IPv6 sections:

-----------------#IPv4--------------------------------
[admin@MikroTik] /ip firewall filter> export

feb/25/2014 19:27:18 by RouterOS 6.10

software id = 7KY2-EXIY

/ip firewall filter
add chain=input comment=“default configuration” protocol=icmp
add chain=input connection-state=new src-address=192.168.1.0/24
add chain=input comment=“default configuration” connection-state=established
add chain=input comment=“default configuration” connection-state=related
add action=drop chain=input comment=“default configuration” in-interface=ether1-gateway
add chain=forward protocol=icmp
add chain=forward dst-address=239.0.0.0/8 protocol=udp src-address=192.168.1.0/24
add chain=forward dst-address=224.0.0.0/16 src-address=192.168.1.0/24
add chain=forward dst-address=192.168.1.255 src-address=192.168.1.0/24
add chain=forward dst-address=255.255.255.255 src-address=192.168.1.0/24
add chain=forward comment=“default configuration” connection-state=established
add chain=forward comment=“default configuration” connection-state=related
add chain=forward dst-address=255.255.255.255 dst-port=67,68 protocol=udp src-address=0.0.0.0
add chain=forward dst-address=239.0.0.0/8 protocol=igmp src-address=192.168.1.0/24
add action=jump chain=forward in-bridge-port=ether4 jump-target=l2out out-bridge-port=ether5
add action=jump chain=forward in-bridge-port=ether5 jump-target=l2in out-bridge-port=ether4
add action=jump chain=forward in-bridge-port=wlan1 jump-target=l2out out-bridge-port=ether5
add action=jump chain=forward in-bridge-port=ether5 jump-target=l2in out-bridge-port=wlan1
add action=log chain=forward
add action=drop chain=forward comment=“default configuration” connection-state=invalid
add action=drop chain=forward
add chain=l2out src-address=192.168.1.0/24
add chain=l2out
add action=log chain=l2out
add action=drop chain=l2out
add chain=l2in connection-state=established
add chain=l2in connection-state=related
add chain=l2in dst-address=192.168.1.xx dst-port=yy protocol=tcp
add chain=l2in dst-address=192.168.1.0/24 src-address=192.168.1.1
add action=log chain=l2in
add action=drop chain=l2in
[admin@MikroTik] /ip firewall filter>

-------------------#IPv6-------------------------------------
[admin@MikroTik] /ipv6 firewall filter> export

feb/25/2014 19:29:19 by RouterOS 6.10

software id = 7KY2-EXIY

/ipv6 firewall filter
add chain=input protocol=icmpv6
add chain=input dst-address=ff02::1/128 src-address=fe80::/10
add chain=input connection-state=established
add chain=input connection-state=related
add action=log chain=input
add chain=forward protocol=icmpv6
add action=jump chain=forward in-bridge-port=ether5 jump-target=l2in6 out-bridge-port=ether4
add action=jump chain=forward in-bridge-port=ether4 jump-target=l2out6 out-bridge-port=ether5
add action=jump chain=forward in-bridge-port=ether5 jump-target=l2in6 out-bridge-port=wlan1
add action=jump chain=forward in-bridge-port=wlan1 jump-target=l2out6 out-bridge-port=ether5
add action=drop chain=forward
add chain=l2out6
add action=log chain=l2out6
add action=reject chain=l2out6 connection-state=invalid reject-with=icmp-port-unreachable
add chain=l2in6 protocol=icmpv6
add chain=l2in6 dst-address=fe80::/10 src-address=fe80::/10
add chain=l2in6 dst-address=ff00::/8
add chain=l2in6 connection-state=established
add chain=l2in6 connection-state=related
add chain=l2in6 dst-address=2axx:xxxx:xxxx:xxxx:xxxx:xxxx:xxxx:xxxx/128 dst-port=zzz protocol=udp
add chain=l2in6 dst-address=2axx:xxxx:xxxx:xxxx:xxxx:xxxx:xxxx:xxxx/128 dst-port=55555 protocol=tcp
add chain=l2in6 connection-state=new dst-address=2axx:xxxx:xxxx:xxxx::/64 dst-port=zzz protocol=tcp
add chain=l2in6 connection-type=ftp dst-address=2axx:xxxx:xxxx:xxxx:xxxx:xxxx:xxxx:xxxx/128 dst-port=20,21 protocol=tcp
add action=log chain=l2in6
add action=reject chain=l2in6 reject-with=icmp-address-unreachable
[admin@MikroTik] /ipv6 firewall filter>

Right before the denies i put the log lines to troubleshoot the possible errors.
Well, it works as i want it to. It filters the NATed ipv4 traffic and allows the open ports. In ipv6 mode, it allows ICMP and NS/NA/RS/RA packets both ways. Everything outbound is allowed.
Almost all the configuration was done using the web-based GUI.
There may be some unnesessary lines, redundant rules, errors, etc. Adapt and use. Propose better solutions.
I hope this ipv6 transparent config will be useful for somebody.