Using mikrotik Firewall Feature

Hi Members
I have recently purchased an RB750 for my office use. I have an internet router installed in my office with 2 LAN ports. The 1st LAN port is connected with a Wifi device for giving internet access to users. From the second LAN port I have to connect a device that needs to connect to its peer device installed at Head Office, and the Head Office device needs to connect to my device. The Head Office device can be accessed globally.
I now want to use mikrotik in such a manner that my users still have internet access available; my device must be accessible over the internet but it accepts connections from my Head Office device only. All other requests to my device must be dropped. Can anyone help me in developing this scenario?

Usmani

Okay, let’s see here…

The “internet router installed in my office” is that the RB750 or another device?

Are you referring to the RB750 here?

1st LAN port is connected with a Wifi device for giving internet access to users.

What exactly do you mean? Is this a VPN, or some other protocol for this communication?

From the second LAN port I have to connect a device that needs to connect to its peer device installed at Head Office, and the Head Office device needs to connect to my device.

What is the type of connection that is coming from your head office?

I now want to use mikrotik in such a manner that my users still have internet access available; my device must be accessible over the internet but it accepts connections from my Head Office device only.

For starters you can set up the first couple of rules such as:

Permit 80 and 443 traffic out of the network but drop everything else

chain=forward action=accept protocol=tcp src-address=[Wifi Users Subnet] out-interface=[WAN Port] dst-port=80,443 log=no log-prefix=""
chain=forward action=drop src-address=[Wifi Users Subnet] out-interface=[WAN Port] log=no log-prefix=""
chain=forward action=accept connection-state=established,related in-interface=ether5 log=no log-prefix=""

Drop everything inbound except head office

chain=input action=accept protocol=tcp src-address=[Head Office Public IP] in-interface=[WAN Port] dst-port=[Port used] log=no log-prefix=""
chain=input action=drop src-address=0.0.0.0/0 in-interface=[WAN Port] log=no log-prefix=""

Thanks a lot for your response and for helping me out on this. Kindly find my responses to your queries below:

The internet router installed at my office is not the RB750; it is a satellite router provided by the ISP.

[Are you referring to the RB750 here?

1st LAN port is connected with a Wifi device for giving internet access to users.]

The satellite router has 2 LAN ports. From the 1st LAN port a wifi router is connected to provide internet to users in the office.
From the 2nd LAN port I will connect the RB750. From the RB750 a device will be connected for accessing PABX lines from Head Office. The device installed at Head Office is configured to transport PABX extensions to remote sites.

As of now I have only a /30 Public IP pool available from ISP.


I can also see some default firewall configuration in the RB750; can you help me in understanding that configuration?

Okay, I have a better understanding of your network. Why the insertion of the RB750? What are you trying to achieve with adding it to your network? Why would you not have your users and your “PABX” both connect to the RB750 and only your Mikrotik connects to the ISP’s router? This would allow you to run the ISP’s modem in bridge mode and have the Public IP live on the Mikrotik - if your ISP allows such a setup.

From RB750 a device will be connected for accessing PABX lines from Head Office. The device installed at head office is configured to transport PABX extensions to remote sites.

I don’t know what “PABX Lines” are so you are going to have to be more descriptive and provide much more detail if you are going to get help on this issue.

As of now I have only a /30 Public IP pool available from ISP.

Is that a /30 where you have all 4 IP addresses available and you use OSPF or BGP to advertise that network to your ISP, or is that a /30 where one IP is assigned to your ISP and one IP is assigned to your router? Further, if the latter is true, and the router is assigned the IP, then this doesn’t matter. Even if you run the ISP’s router in bridge mode to get the Public IP on the Mikrotik, it’s all the same.

I can also see some default firewall configuration in RB750 can you help me in understanding that configuration.

You’re going to have to post those as I don’t know what they are.

Dear Member
Thanks for your response. Attached please find my network diagram. As per the network diagram, at point A and point B I am trying to add a mikrotik to use it as a firewall. I don’t want both my devices to be exposed to the internet, so I am trying to insert a firewall. Kindly help me on configuring this scenario.
Test scenario.jpg

I’m not sure why you are choosing to not answer my questions, yet you still ask for help…

Based on what you have and have not provided, your answers are in my first post. When you decide to answer my questions I will revisit this thread and provide additional details that I think you will need to get things working properly. Until such time I refuse to play guessing games.

Dear Member

To explain the scenario to you I have attached a diagram and tried to explain what I am trying to achieve. My basic purpose is to connect the RB750 with my ISP router, then connect my VOIP device with the mikrotik and configure the mikrotik as a firewall to protect my voice device.

Kindly let me know if further explanation is required.

Dear Member

Kindly find my response below

[Okay, I have a better understanding of your network. Why the insertion of the RB750? What are you trying to achieve with adding it to your network? Why would you not have your users and your “PABX” both connect to the RB750 and only your Mikrotik connects to the ISP’s router? This would allow you to run the ISP’s modem in bridge mode and have the Public IP live on the Mikrotik - if your ISP allows such a setup]

Response: I am adding the mikrotik to use it as a firewall for the security of my voice device. Yes, I also want to use the same configuration where my users and PABX both get connected to the mikrotik. No change in the configuration of my ISP router is possible.


[ As of now I have only a /30 Public IP pool available from ISP.

Is that a /30 where you have all 4 IP addresses available and you use OSPF or BGP to advertise that network to your ISP, or is that a /30 where one IP is assigned to your ISP and one IP is assigned to your router? Further, if the latter is true, and the router is assigned the IP, then this doesn’t matter. Even if you run the ISP’s router in bridge mode to get the Public IP on the Mikrotik, it’s all the same.]

Response: Yes, the latter is the case: one IP is assigned to the ISP router and one is assigned to my router.


[ From RB750 a device will be connected for accessing PABX lines from Head Office. The device installed at head office is configured to transport PABX extensions to remote sites.

I don’t know what “PABX Lines” are so you are going to have to be more descriptive and provide much more detail if you are going to get help on this issue. ]

Response: These are simple VOIP devices, and the devices at both the HQ and Branch ends need to be accessible for communication. No data link exists between branch and HQ, so the only way for both devices to communicate is over the internet.


[ I can also see some default firewall configuration in RB750 can you help me in understanding that configuration.

You’re going to have to post those as I don’t know what they are.]

Response: configuration pasted below:



/ip firewall filter
add chain=input comment="default configuration" protocol=icmp
add chain=input comment="default configuration" connection-state=established,related
add action=drop chain=input comment="default configuration" in-interface=ether1-gateway
add action=fasttrack-connection chain=forward comment="default configuration" connection-state=established,related
add chain=forward comment="default configuration" connection-state=established,related
add action=drop chain=forward comment="default configuration" connection-state=invalid
add action=drop chain=forward comment="default configuration" connection-nat-state=!dstnat connection-state=new in-interface=ether1-gateway
/ip firewall nat
add action=masquerade chain=srcnat comment="default configuration" out-interface=ether1-gateway

The answer is easy and takes a few steps to be done.

You need one new RJ45 cable, and then:

A. Prepare the RB750 with the default configuration.
B. Configure the VOIP device to use DHCP.
C. Disconnect the VOIP device from your LAN.
D. Connect the just-disconnected cable to the WAN port of the RB750.
E. Connect the new cable to any LAN port of the RB750.
F. Connect the second end of the new cable to the VOIP device instead of the already disconnected cable.
G. Restart the VOIP device to be sure that it receives a new IP from the RB750.
H. Voilà … done.

The VOIP device will be operating from behind the router, as it does not care where it is connected if it has access to the Internet, which prevents access from any office LAN device to it.

Dear Member

I am looking for a config to allow users at the branch site to use the internet and call other extensions by getting connected with VOIP. The VOIP devices installed at the HQ and branch ends can communicate over public IP. I need to insert a firewall before the VOIP devices at both ends, only enable them to communicate with each other, and drop all other traffic. I am trying to use mikrotik as a firewall at both ends to make sure none of the devices are attacked over the internet.

I am looking for a configuration to use mikrotik as a firewall.

What is wrong with my solution?

Dear Fellow Members
Following is my Mikrotik configuration. I have connected my ISP router to the mikrotik WAN port. Now I have to configure firewall rules so that my desktop users are allowed to access the internet. Further, the server connected on interface 2 of the mikrotik must be able to access only the server located at 43.240.95.96, and all other traffic must be dropped. Also, this server must accept requests from 43.240.95.96 and must drop all other requests. Kindly help me out in configuring the firewall.


[admin@MikroTik] > export
jul/26/2018 15:02:35 by RouterOS 6.42.6
software id = 6MP5-PTVK
model = RouterBOARD 750 r2
serial number = 63BD05F385CE
/interface bridge
add name=bridge1_INTERNET
/interface ethernet
set [ find default-name=ether1 ] name="ether1-WAN Port"
set [ find default-name=ether2 ] name="ether2 _ Server"
set [ find default-name=ether5 ] name="ether5_desktop Users"
/interface list
add name=WAN
add name=LAN
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip hotspot profile
set [ find default=yes ] html-directory=flash/hotspot
/ip pool
add name=dhcp_pool1 ranges=192.168.10.2-192.168.10.254
/ip dhcp-server
add address-pool=dhcp_pool1 disabled=no interface="ether5_desktop Users" name=dhcp1
/interface bridge port
add bridge=bridge1_INTERNET interface="ether1-WAN Port"
add bridge=bridge1_INTERNET interface="ether2 _ Server"
/interface list member
add interface="ether1-WAN Port" list=WAN
add interface="ether2 _ Server" list=LAN
add interface=ether3 list=LAN
add interface=ether4 list=LAN
add interface="ether5_desktop Users" list=LAN
/ip address
add address=103.244.135.170/29 interface=bridge1_INTERNET network=103.244.135.168
add address=192.168.10.1/24 interface="ether5_desktop Users" network=192.168.10.0
/ip dhcp-server network
add address=192.168.10.0/24 gateway=192.168.10.1
/ip dns
set servers=172.30.152.140,172.30.152.141
/ip firewall nat
add action=masquerade chain=srcnat out-interface=bridge1_INTERNET
/ip route
add distance=1 gateway=103.244.135.169
/ip service
set telnet disabled=yes
set ftp disabled=yes
set ssh disabled=yes
/system clock
set time-zone-name=Asia/Dubai
/system routerboard settings
set silent-boot=no
[admin@MikroTik] >


Regards

The solution to your problem largely depends on the IP address that your server (hooked to ether2) is using. If it’s some private IP address, then the solution will be completely different from the solution where your server is using a public IP address.
To have the FW have any governance over your server’s traffic you’ll probably have to remove bridge1_INTERNET and set things up directly on the ether interfaces.

Ethernet 2 will have a public IP.

Yes, I will be using a public IP on Ethernet 2. Can you help out with the configuration?

Hi Member

I have modified my configuration and have tried to apply filter rules, but it’s not working. Attached please find the config; can you check and recommend something?


Configuration.

MikroTik RouterOS 6.42.6 (c) 1999-2018 http://www.mikrotik.com/

[admin@MikroTik] > export
jul/30/2018 22:10:10 by RouterOS 6.42.6
software id = 6MP5-PTVK
model = RouterBOARD 750 r2
serial number = 63BD05F385CE

/interface bridge
add name=bridge1_Internet
/interface ethernet
set [ find default-name=ether1 ] name="ether1_WAN (Connected to ISP Router)"
set [ find default-name=ether2 ] name="ether2 (Connected to Server )"
set [ find default-name=ether5 ] name="ether5 (Desktop Users)"
/interface list
add name=WAN
add name=LAN
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip hotspot profile
set [ find default=yes ] html-directory=flash/hotspot
/ip pool
add name=dhcp_pool1 ranges=192.168.10.2-192.168.10.254
/ip dhcp-server
add address-pool=dhcp_pool1 disabled=no interface="ether5 (Desktop Users)" lease-time=3d10m name=dhcp1
/interface bridge port
add bridge=bridge1_Internet interface="ether1_WAN (Connected to ISP Router)"
add bridge=bridge1_Internet interface="ether2 (Connected to Server )"
/interface bridge settings
set use-ip-firewall=yes
/interface list member
add interface="ether1_WAN (Connected to ISP Router)" list=WAN
add interface="ether2 (Connected to Server )" list=LAN
add interface=ether3 list=LAN
add interface=ether4 list=LAN
add interface="ether5 (Desktop Users)" list=LAN
/ip address
add address=203.244.135.171/29 interface=bridge1_Internet network=203.244.135.168
add address=192.168.10.1/24 interface="ether5 (Desktop Users)" network=192.168.10.0
/ip dhcp-server network
add address=192.168.10.0/24 gateway=192.168.10.1
/ip dns
set allow-remote-requests=yes servers=8.8.8.8
/ip firewall filter
add action=accept chain=forward dst-port=80,443 out-interface=bridge1_Internet protocol=tcp src-address=192.168.10.0/29
add action=drop chain=forward out-interface=bridge1_Internet src-address=192.168.10.0/29
add action=accept chain=forward connection-state=established,related in-interface="ether5 (Desktop Users)"
add action=accept chain=input in-interface=bridge1_Internet protocol=icmp src-address=83.225.98.42
add action=accept chain=input in-interface=bridge1_Internet protocol=tcp src-address=83.225.98.42
add action=drop chain=input in-interface=bridge1_Internet src-address=0.0.0.0/0
/ip firewall nat
add action=masquerade chain=srcnat out-interface=bridge1_Internet
/ip route
add distance=1 gateway=203.244.135.169
/ip service
set telnet disabled=yes
set ftp disabled=yes
set ssh disabled=yes
/system clock
set time-zone-name=Asia/Dubai
/system routerboard settings
[admin@MikroTik] >
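A filter set for the requirement stated in the last config post (desktop users get internet access; the public-IP server on ether2 talks only to 43.240.95.96 in both directions; everything else is dropped), which also fills in the placeholders from the first reply in this thread. This is an added example, not configuration from the thread: it keeps the posted bridge and use-ip-firewall=yes so bridged frames pass the IP forward chain, uses the interface names from the last export, and [Server Public IP] is a placeholder for the server's own address from the posted /29.

```routeros
# Added example, not from the thread. [Server Public IP] must be replaced by
# the server's address out of 203.244.135.168/29; rules are first-match, so
# order matters.
/interface bridge settings
set use-ip-firewall=yes

/ip firewall filter
# Traffic addressed to the router itself
add chain=input connection-state=established,related action=accept
add chain=input connection-state=invalid action=drop
add chain=input in-interface="ether5 (Desktop Users)" action=accept \
    comment="management, DNS and DHCP from the desktop LAN"
add chain=input in-interface=bridge1_Internet action=drop \
    comment="nothing from the internet or the server reaches the router"

# Transit traffic: routed for the desktops, bridged for the server
add chain=forward connection-state=established,related action=accept
add chain=forward connection-state=invalid action=drop
add chain=forward src-address=[Server Public IP] dst-address=43.240.95.96 \
    action=accept comment="server -> HQ peer only"
add chain=forward src-address=43.240.95.96 dst-address=[Server Public IP] \
    action=accept comment="HQ peer -> server only"
add chain=forward src-address=[Server Public IP] action=drop \
    comment="server may not open anything else"
add chain=forward dst-address=[Server Public IP] action=drop \
    comment="nobody else (internet or desktops) may reach the server"
add chain=forward in-interface="ether5 (Desktop Users)" \
    out-interface=bridge1_Internet action=accept \
    comment="desktop users may open outbound connections (NAT via srcnat)"
add chain=forward action=drop comment="everything else, in either direction"
```

The rules posted just above match src-address=192.168.10.0/29, which covers only 192.168.10.0-192.168.10.7 while the DHCP pool hands out 192.168.10.2-192.168.10.254, so most desktops never reach the accept rule. With use-ip-firewall=yes the IP firewall sees bridge1_Internet, not ether2, as the interface for the server's frames, so in-interface=bridge1_Internet matches the server as well as the ISP side; in-bridge-port is the matcher that tells the two ports apart.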