web and mail server on the network.

Msgas · April 15, 2021, 10:12am

Hi
I am using 3011 router and is setting it up, I have internett on all my stuff so that part works great, I have also made a separate network for my server that host web and mail server.

The server is running is own firewall so I just want to dmz the server, how can I do that?

Here is my config.

apr/15/2021 12:00:34 by RouterOS 6.49beta27

software id = 61BP-NFIR

model = RB3011UiAS

serial number = E14E0D97D028

/interface bridge
add name=local
add name=server
/interface list
add name=WAN
add name=LAN
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip pool
add name=dhcp ranges=192.168.88.2-192.168.88.254
add name=dhcp_pool1 ranges=192.168.150.2-192.168.150.254
add name=dhcp_pool2 ranges=192.168.150.2-192.168.150.254
/ip dhcp-server
add address-pool=dhcp disabled=no interface=local name=dhcp1
add address-pool=dhcp_pool2 disabled=no interface=server name=dhcp2 relay=
192.168.150.1
/interface bridge port
add bridge=local interface=ether2
add bridge=local interface=ether3
add bridge=local interface=ether4
add bridge=local interface=ether5
add bridge=server interface=ether6
/interface list member
add interface=ether1 list=WAN
add interface=local list=LAN
/ip address
add address=192.168.88.1/24 interface=local network=192.168.88.0
add address=192.168.150.1/24 interface=server network=192.168.150.0
/ip dhcp-client
add disabled=no interface=ether1
/ip dhcp-server network
add address=192.168.88.0/24 dns-server=1.1.1.1 gateway=192.168.88.1
add address=192.168.150.0/24 dns-server=1.1.1.1 gateway=192.168.150.1
/ip firewall filter
add action=accept chain=input comment="accept established,related"
connection-state=established,related
add action=drop chain=input connection-state=invalid
add action=accept chain=input comment="allow ICMP" in-interface=ether1
protocol=icmp
add action=accept chain=input comment="allow Winbox" in-interface=ether1
port=8291 protocol=tcp
add action=accept chain=input comment="allow SSH" in-interface=ether1 port=22
protocol=tcp
add action=drop chain=input comment="block everything else" in-interface=
ether1
/ip firewall nat
add action=masquerade chain=srcnat out-interface=ether1
add action=dst-nat chain=dstnat dst-port=80 in-interface=ether1 protocol=tcp
to-addresses=192.168.150.100
/system clock
set time-zone-name=Europe/Oslo

Do I need to move the last rule up?

Best regards
The newbie

anav · April 15, 2021, 11:42am

What do you mean you want to DMZ the server?

Did you mean you want others to be able to use the server that are coming from the internet (port forwarding??)

Msgas · April 15, 2021, 12:08pm

HI
This is my web server that host many sites, and I am running a mail server on it to. I want the server open to the net so people can see the pages and mail will be passed as it did before.

It has been a long time since i did any microtik configs so i dont remember what I did to make it work back then. I have done some changes but it did not work... I put the server on a different network as this is the best practice. But I would like to RDP into it from my main network.

Here is the changes I did.
apr/15/2021 13:57:24 by RouterOS 6.49beta27

software id = 61BP-NFIR

model = RB3011UiAS

serial number = E14E0D97D028

/interface bridge
add name=local
add name=server
/interface list
add name=WAN
add name=LAN
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip pool
add name=dhcp ranges=192.168.88.2-192.168.88.254
add name=dhcp_pool1 ranges=192.168.150.2-192.168.150.254
/ip dhcp-server
add address-pool=dhcp disabled=no interface=local name=dhcp1
add address-pool=dhcp_pool1 disabled=no interface=server name=dhcp2
/interface bridge port
add bridge=local interface=ether2
add bridge=local interface=ether3
add bridge=local interface=ether4
add bridge=local interface=ether5
add bridge=server interface=ether6
/interface list member
add interface=ether1 list=WAN
add interface=local list=LAN
add interface=server list=LAN
/ip address
add address=192.168.88.1/24 interface=local network=192.168.88.0
add address=192.168.150.1/24 interface=server network=192.168.150.0
/ip dhcp-client
add disabled=no interface=ether1
/ip dhcp-server network
add address=192.168.88.0/24 dns-server=1.1.1.1 gateway=192.168.88.1
add address=192.168.150.0/24 gateway=192.168.150.1
/ip firewall filter
add action=fasttrack-connection chain=forward connection-state=
established,related
add action=accept chain=input comment="accept established,related"
connection-state=established,related
add action=drop chain=input connection-state=invalid
add action=accept chain=input comment="allow Winbox" in-interface=ether1
port=8291 protocol=tcp
add action=drop chain=input comment="block everything else" in-interface=
ether1
add action=accept chain=forward connection-state=established,related
add action=accept chain=input connection-state=established protocol=tcp
add action=accept chain=input dst-port=22 in-interface=ether1 protocol=tcp
add action=accept chain=input src-address-list=local
add action=accept chain=input src-address-list=server
add action=drop chain=input
add action=accept chain=forward connection-state=established,related
/ip firewall nat
add action=masquerade chain=srcnat out-interface=ether1
add action=dst-nat chain=dstnat comment="And the rest goes to the DMZ host"
dst-port=1024-65535 in-interface=ether1 protocol=tcp to-addresses=
192.168.150.100 to-ports=80-65535
add action=dst-nat chain=dstnat comment="And the rest goes to the DMZ host"
dst-port=80-65535 in-interface=ether1 protocol=udp to-addresses=
192.168.150.100 to-ports=80-65535
add action=netmap chain=dstnat dst-address=my wan ip/24 to-addresses=
192.168.150.0/24
/system clock
set time-zone-name=Europe/Oslo

anav · April 15, 2021, 1:28pm

(1) Don;t need two bridges and although i normally recommend vlans for most cases you dont need those either.

/interface bridge
add one-bridge
/interface list
add name=WAN
add name=LAN
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip pool
add name=dhcp ranges=192.168.88.2-192.168.88.254
add name=dhcp_pool1 ranges=192.168.150.2-192.168.150.254
/ip dhcp-server
add address-pool=dhcp disabled=no interface=one-bridge name=dhcp1
add address-pool=dhcp_pool1 disabled=no interface=ether6-server server name=dhcp2
/interface bridge port
add one-bridge interface=ether2
add one-bridge interface=ether3
add one-bridge interface=ether4
add one-bridge interface=ether5
/interface list member
add interface=ether1 list=WAN
add interface=one-bridge list=LAN
add interface=ether6-server list=LAN
/ip address
add address=192.168.88.1/24 interface=one-bridge network=192.168.88.0
add address=192.168.150.1/24 interface=ether6-server network=192.168.150.0
/ip dhcp-client
add disabled=no interface=ether1
/ip dhcp-server network
add address=192.168.88.0/24 dns-server=1.1.1.1 gateway=192.168.88.1
add address=192.168.150.0/24 gateway=192.168.150.1  dns-server=192.168.150.1

(2) This rule has no business on the config… as its a huge secuirty risk
.add action=accept chain=input comment=“allow Winbox” in-interface=ether1
port=8291 protocol=tcp
USE VPN to access the router from the WAN side. and dont use the default winbox port…

(3) FIREWALL RULES NEED A TON OF WORK
Because you have a drop rule at the end of your input chain, before you remove the above rule PUT IN PLACE the actual required rule to
access the router for the admin person on the LAN.
Ex.
add chain=input action=allow in-interface=one-bridge source-address-list=adminaccess
WHERE
/ip firewall address list {assuming these have been statically set/fixed}
add address=ip of admin desktop list=adminaccess
add address=ip of admin laptop list=adminaccess
add adddress=ip of admin smartphone list=adminaccess

(4) THis rule does nothing…
add action=accept chain=input connection-state=established protocol=tcp

(5) THIS rule is duplicated
add action=accept chain=forward connection-state=established,related

(6) This rule is not required to permit FTP traffic from the WAN to the LAN side (server) etc…
add action=accept chain=input dst-port=22 in-interface=ether1 protocol=tcp

(7) These rules are FAR TOO WIDE especially for the server side, NO one or devices need full access to the router, only the admin does and the rule stated above in (3) handles that requirement.
Instead, delineate ONLY the services that users need, and in this case I suspect its only for DNS services??
add action=accept chain=input comment=“Allow LAN DNS queries - TCP”
connection-state=new dst-port=53 in-interface-list=LAN protocol=tcp
add action=accept chain=input comment=“Allow LAN DNS queries-UDP”
connection-state=new dst-port=53 in-interface-list=LAN protocol=udp

(8) This rule is duplicated
add action=drop chain=input

(9) Missing any sort of drop all from forward chain or drop all not dst-natted!!! (thus no security on LAN from WAN very bad!!!
(10) Missing any rule allow port forwarding

(11) ORDER and clarity Matters within firewall filter chains!

/ip firewall filter
add action=accept chain=input comment="accept established,related" \
connection-state=established,related
add action=drop chain=input connection-state=invalid
add action=accept chain=input protocol=icmp
add action=accept chain=input comment="Allow ADMIN to Router" \
    in-interface=one-bridge src-address-list=adminaccess
add action=accept chain=input comment="Allow LAN DNS queries - TCP" \
    connection-state=new dst-port=53 in-interface-list=LAN protocol=tcp
add action=accept chain=input comment="Allow LAN DNS queries-UDP" \
    connection-state=new dst-port=53 in-interface-list=LAN protocol=udp	
add action=drop chain=input comment='Drop all else'
+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
add action=fasttrack-connection chain=forward connection-state=\
established,related
add action=accept chain=forward connection-state=established,related
add action=drop chain=forward connection-state=invalid
add action=accept chain=forward comment="allow homelan to WAN traffic" \
     in-interface=one-bridge out-interface-list=WAN
add action=accept chain=forward comment="allow server to WAN traffic" \
     in-interface=ether6-server out-interface-list=WAN
add action=accept chain=forward comment="allow admin to server traffic"
     in-interface=one-bridge source-address-list=adminaccess out-interface=ether5-server
add action=accept chain=forward comment="Allow Port Forwarding" connection-nat-state=dstnat \
    connection-state=new in-interface-list=WAN
add action=drop comment="drop all else"

(12) NAT rules… not sure the purpose of your netmap rule so would get rid of it for now…
Also I am not sure in blocks of ports how its handled by the router and I think your setup will NOT work.

For example, for the TCP first rule, these are non-matching block 1024-65535 translated to 80-65535.
To put this in perspective it is not clear to me how the router would handle traffic coming over (5 ports) dst-ports 5-10 translated to ports 8-10 ?
Clearly the router would run out after 2 incoming ports had been assigned/translated.
Also note that its not a direct sequential 1:1 translation either, 1024 does not get assigned necessarily to 80 and so forth

WHY are the UDP and TCP port assignments different???

Msgas · April 15, 2021, 3:21pm

(1) Don;t need two bridges and although i normally recommend vlans for most cases you dont need those either.
/interface bridge
add one-bridge
/interface list
add name=WAN
add name=LAN
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip pool
add name=dhcp ranges=192.168.88.2-192.168.88.254
add name=dhcp_pool1 ranges=192.168.150.2-192.168.150.254
/ip dhcp-server
add address-pool=dhcp disabled=no interface=one-bridge name=dhcp1
add address-pool=dhcp_pool1 disabled=no interface=ether6-server server name=dhcp2
/interface bridge port
add one-bridge interface=ether2
add one-bridge interface=ether3
add one-bridge interface=ether4
add one-bridge interface=ether5
/interface list member
add interface=ether1 list=WAN
add interface=one-bridge list=LAN
add interface=ether6-server list=LAN
/ip address
add address=192.168.88.1/24 interface=one-bridge network=192.168.88.0
add address=192.168.150.1/24 interface=ether6-server network=192.168.150.0
/ip dhcp-client
add disabled=no interface=ether1
/ip dhcp-server network
add address=192.168.88.0/24 dns-server=1.1.1.1 gateway=192.168.88.1
add address=192.168.150.0/24 gateway=192.168.150.1  dns-server=192.168.150.1
(2) This rule has no business on the config… as its a huge secuirty risk
.add action=accept chain=input comment=“allow Winbox” in-interface=ether1
port=8291 protocol=tcp
USE VPN to access the router from the WAN side. and dont use the default winbox port…

(3) FIREWALL RULES NEED A TON OF WORK
Because you have a drop rule at the end of your input chain, before you remove the above rule PUT IN PLACE the actual required rule to
access the router for the admin person on the LAN.
Ex.
add chain=input action=allow in-interface=one-bridge source-address-list=adminaccess
WHERE
/ip firewall address list {assuming these have been statically set/fixed}
add address=ip of admin desktop list=adminaccess
add address=ip of admin laptop list=adminaccess
add adddress=ip of admin smartphone list=adminaccess

(4) THis rule does nothing…
add action=accept chain=input connection-state=established protocol=tcp

(5) THIS rule is duplicated
add action=accept chain=forward connection-state=established,related

(6) This rule is not required to permit FTP traffic from the WAN to the LAN side (server) etc…
add action=accept chain=input dst-port=22 in-interface=ether1 protocol=tcp

(7) These rules are FAR TOO WIDE especially for the server side, NO one or devices need full access to the router, only the admin does and the rule stated above in (3) handles that requirement.
Instead, delineate ONLY the services that users need, and in this case I suspect its only for DNS services??
add action=accept chain=input comment=“Allow LAN DNS queries - TCP”
connection-state=new dst-port=53 in-interface-list=LAN protocol=tcp
add action=accept chain=input comment=“Allow LAN DNS queries-UDP”
connection-state=new dst-port=53 in-interface-list=LAN protocol=udp

(8) This rule is duplicated
add action=drop chain=input

(9) Missing any sort of drop all from forward chain or drop all not dst-natted!!! (thus no security on LAN from WAN very bad!!!
(10) Missing any rule allow port forwarding

(11) ORDER and clarity Matters within firewall filter chains!
/ip firewall filter
add action=accept chain=input comment="accept established,related" \
connection-state=established,related
add action=drop chain=input connection-state=invalid
add action=accept chain=input protocol=icmp
add action=accept chain=input comment="Allow ADMIN to Router" \
    in-interface=one-bridge src-address-list=adminaccess
add action=accept chain=input comment="Allow LAN DNS queries - TCP" \
    connection-state=new dst-port=53 in-interface-list=LAN protocol=tcp
add action=accept chain=input comment="Allow LAN DNS queries-UDP" \
    connection-state=new dst-port=53 in-interface-list=LAN protocol=udp	
add action=drop chain=input comment='Drop all else'
+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
add action=fasttrack-connection chain=forward connection-state=\
established,related
add action=accept chain=forward connection-state=established,related
add action=drop chain=forward connection-state=invalid
add action=accept chain=forward comment="allow homelan to WAN traffic" \
     in-interface=one-bridge out-interface-list=WAN
add action=accept chain=forward comment="allow server to WAN traffic" \
     in-interface=ether6-server out-interface-list=WAN
add action=accept chain=forward comment="allow admin to server traffic"
     in-interface=one-bridge source-address-list=adminaccess out-interface=ether5-server
add action=accept chain=forward comment="Allow Port Forwarding" connection-nat-state=dstnat \
    connection-state=new in-interface-list=WAN
add action=drop comment="drop all else"
(12) NAT rules… not sure the purpose of your netmap rule so would get rid of it for now…
Also I am not sure in blocks of ports how its handled by the router and I think your setup will NOT work.

For example, for the TCP first rule, these are non-matching block 1024-65535 translated to 80-65535.
To put this in perspective it is not clear to me how the router would handle traffic coming over (5 ports) dst-ports 5-10 translated to ports 8-10 ?
Clearly the router would run out after 2 incoming ports had been assigned/translated.
Also note that its not a direct sequential 1:1 translation either, 1024 does not get assigned necessarily to 80 and so forth

WHY are the UDP and TCP port assignments different???

Thank you so much, I will take some time to study and do as you say tonight, I think Mikrotik has a very good system and I want to learn as much as I can. Thank you for your guide.