atuxnull
newbie
Topic Author
Posts: 35
Joined: Tue Feb 07, 2017 10:02 pm

Firewall setup for small office

Mon Sep 14, 2020 2:59 pm

I have a small network and I would like to ask if my firewall is OK. My setup has a PPPoE connection through eth1 and it is named pppoe-out1. Then I have a bridge that has ports eth2-5 and it is named bridge1.
Here are my firewall rules:
/ip firewall filter
add action=drop chain=input comment="Drop connections from 117.202.127.0/24" \
    src-address=117.202.0.0/16
add action=accept chain=input connection-state=established
add action=accept chain=input connection-state=related
add action=accept chain=input protocol=icmp
add action=drop chain=input in-interface=!bridge1
add action=accept chain=input connection-state=established
add action=accept chain=input connection-state=related
add action=accept chain=input protocol=icmp
add action=drop chain=input in-interface=!bridge1
add action=accept chain=forward connection-state=established
add action=accept chain=forward connection-state=related
add action=reject chain=forward icmp-options=8:0-255 in-interface=!bridge1 \
    out-interface=pppoe-out1 protocol=icmp reject-with=icmp-host-unreachable
add action=reject chain=forward icmp-options=17:0-255 in-interface=!bridge1 \
    out-interface=pppoe-out1 protocol=icmp reject-with=icmp-host-unreachable
add action=reject chain=forward icmp-options=15:0-255 in-interface=!bridge1 \
    out-interface=pppoe-out1 protocol=icmp reject-with=icmp-host-unreachable
add action=reject chain=forward icmp-options=30:0-255 in-interface=!bridge1 \
    out-interface=pppoe-out1 protocol=icmp reject-with=icmp-host-unreachable
add action=drop chain=forward port=0 protocol=tcp
add action=drop chain=forward port=0 protocol=udp
[admin@MikroTik] /ip firewall filter> 
Is it OK, or am I missing something?
 
anav
Forum Guru
Posts: 5114
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Firewall setup for small office

Mon Sep 14, 2020 3:19 pm

They are complete garbage.
Your best bet is to learn tons more before adjusting the default.
Put the default back in!

This should be the default that comes up:
/ip firewall filter

Input chain:
add action=accept chain=input comment=\
"defconf: accept established,related,untracked" connection-state=\
established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment=\
"defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
in-interface-list=!LAN

Forward chain:
add action=accept chain=forward comment=\
"defconf: accept established,related, untracked" connection-state=\
established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
connection-state=invalid
add action=drop chain=forward comment=\
"defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
connection-state=new in-interface-list=WAN

DON'T FORGET your default source NAT rule as well, and for port forwarding any destination NAT rules.
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" \
ipsec-policy=out,none out-interface-list=WAN

Which you will have to modify for pppoe / static wanip.
Last edited by anav on Mon Sep 14, 2020 3:31 pm, edited 1 time in total.
I'd rather manage rats than software. Follow my advice at your own risk! (Sob & mkx forced me to write that!)
MTUNA Certified, by the Ascerbic Llama!
 
atuxnull
newbie
Topic Author
Posts: 35
Joined: Tue Feb 07, 2017 10:02 pm

Re: Firewall setup for small office

Mon Sep 14, 2020 3:29 pm

They are complete garbage.
Your best bet is to learn tons more before adjusting the default.
Put the default back in!
I do not have the default since I removed the default config. May I ask for it, please?
 
anav
Forum Guru
Posts: 5114
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Firewall setup for small office

Mon Sep 14, 2020 3:32 pm

See above already done.
You should understand what each rule does as well........
The capsman one on the input chain can be removed if you dont use capsman.

For static IP nat rule I think looks like this.............
add chain=srcnat action=src-nat out-interface-list=WAN to-addresses=yourstaticWANIP
 
anav
Forum Guru
Posts: 5114
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Firewall setup for small office

Mon Sep 14, 2020 3:41 pm

Now once you understand all the rules from the default, you can consider doing some tweaking.
For example, I take the default firewall rules, which have a concept of "allow everything unless it's blocked", TO "block everything unless I allow it". To me it's safer and easier to read, and I know that if I haven't permitted it, it ain't going to go through (vice relying on me knowing everything to block).

INPUT CHAIN
/ip firewall filter
add action=accept chain=input connection-state=established,related
add action=drop chain=input connection-state=invalid
add action=accept chain=input comment="Allow ICMP" protocol=icmp
add action=accept chain=input comment="Allow ADMIN to Router" src-address-list=adminaccess {note: &&&&}
{add optional ***}
add action=drop chain=input comment="Drop All Else"

Notes:
note: &&&&
To allow admin access to configure the router from fixed static IPs (for example, on any subnet):
/ip firewall address-list
add address=admin-desktop_IP list=adminaccess
add address=admin-laptop_IP list=adminaccess
add address=admin-ipad_IP list=adminaccess

note: *** optional:
Provide access to lan users ONLY for any services they require that the router provides (examples):
add action=accept chain=input comment="Allow LAN DNS queries - TCP" \
connection-state=new dst-port=53 in-interface-list=LAN protocol=tcp
add action=accept chain=input comment="Allow LAN DNS queries-UDP" \
connection-state=new dst-port=53 in-interface-list=LAN protocol=udp


Discussion: The last rule ensures that no other traffic is permitted that wasn't explicitly allowed above, which includes for example any wan to router traffic. Ensure that the admin access rules are in place before putting in the last rule otherwise one will lock themselves out of the router.

FORWARD CHAIN
/ip firewall filter
{Optional 1 +++}
add action=fasttrack-connection chain=forward connection-state=established,related
add action=accept chain=forward connection-state=established,related
add action=drop chain=forward connection-state=invalid
{Optional 2 ###}
{Optional 3 ===}
add action=drop chain=forward comment="drop all else"

Notes:
Option1 +++ If you do use IPSEC you will need......
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
ipsec-policy=out,ipsec


Option 2 ###
This is where you place traffic you wish to allow examples:

(a) allow lan to wan traffic (by subnet, by vlan, by interface etc.)
add action=accept chain=forward comment="ENABLE HomeLAN to WAN" \
in-interface=Home-LAN_V12 out-interface-list=WAN src-address=192.168.0.0/24


(b) allow subnet A to access shared printerS on subnet B
add action=accept chain=forward comment="allow VlanA Users_TO_Printers" \
dst-address-list=House_Printers in-interface=VLANA src-address=192.168.0.0/24


Option 3===
If you need port forwarding for any reason you can add this rule.
add action=accept chain=forward comment="Allow Port Forwarding" connection-nat-state=dstnat \
connection-state=new in-interface-list=WAN


Discussion: The last rule automatically blocks all traffic not allowed above, including WAN to LAN traffic, and it blocks any subnet to subnet or vlan to vlan traffic at Layer 3. For me, done: no other rules are needed in the standard security config. Most other stuff is bloatware.
Last edited by anav on Wed Sep 16, 2020 5:40 pm, edited 3 times in total.
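As an added illustration (not code from the thread or from MikroTik), the script below models how RouterOS evaluates a filter chain: rules are tried in order, the first match decides, and a packet that matches nothing is accepted. It parses the forward chains quoted above (the topic author's, abridged to one of its four ICMP rejects; the defconf chain; and anav's default-deny layout, with the LAN-to-WAN accept written against the LAN interface list instead of his VLAN example) and runs three constructed packets through each: an unsolicited connection from the Internet to a LAN host, a LAN client going out, and the same Internet probe arriving on a second PPPoE interface that has not yet been added to the WAN list. The packet fields, the sample addresses 203.0.113.5 and 192.168.88.10, and the set-based interface lists are assumptions of the model, not anything from the page.

```python
"""First-match model of RouterOS '/ip firewall filter' chains, run over the
forward-chain rules quoted in this thread.  Added example, not MikroTik's or
the posters' code.  Assumptions: a packet is a dict already carrying what
conntrack would know (connection-state, connection-nat-state); interface and
address lists are plain sets; only matchers used by the quoted rules exist."""
import shlex
from ipaddress import ip_address, ip_network

CONTROL_KEYS = {"chain", "action", "comment", "reject-with"}

def parse_rules(export):
    """Parse 'add key=value ...' lines (with '\\' continuations) of an export."""
    rules = []
    for line in export.replace("\\\n", " ").splitlines():
        line = line.strip()
        if line.startswith("add "):
            rules.append(dict(tok.partition("=")[::2] for tok in shlex.split(line[4:])))
    return rules

def _match(key, value, pkt, lists):
    """True if one matcher (key=value, leading '!' negates) matches the packet."""
    negate = value.startswith("!")
    value = value.lstrip("!")
    if key in ("connection-state", "connection-nat-state", "protocol"):
        hit = pkt.get(key) in value.split(",")
    elif key in ("in-interface", "out-interface"):
        hit = pkt.get(key) == value
    elif key in ("in-interface-list", "out-interface-list"):
        hit = pkt.get(key[:-5]) in lists.get(value, set())
    elif key in ("src-address", "dst-address"):
        hit = ip_address(pkt[key]) in ip_network(value, strict=False)
    elif key in ("src-address-list", "dst-address-list"):   # entries are prefixes
        hit = any(ip_address(pkt[key[:-5]]) in ip_network(n, strict=False) for n in lists.get(value, ()))
    elif key in ("src-port", "dst-port", "port"):           # 'port' = either direction
        fields = ("src-port", "dst-port") if key == "port" else (key,)
        hit = any(str(pkt.get(f)) in value.split(",") for f in fields)
    elif key == "icmp-options":                             # "type:code-code"
        icmp_type, codes = value.split(":")
        lo, _, hi = codes.partition("-")
        hit = pkt.get("icmp-type") == int(icmp_type) and int(lo) <= pkt.get("icmp-code", 0) <= int(hi or lo)
    else:
        raise NotImplementedError(f"matcher {key} is not modelled")
    return hit != negate

def evaluate(rules, chain, pkt, lists):
    """Verdict for one packet in one chain: first match wins, end of chain accepts."""
    for rule in rules:
        if rule["chain"] != chain:
            continue
        if all(_match(k, v, pkt, lists) for k, v in rule.items() if k not in CONTROL_KEYS):
            if rule["action"] == "fasttrack-connection":    # passthrough action
                continue
            return rule["action"]
    return "accept"     # nothing matched: RouterOS lets the packet through

# Forward chain from the first post (abridged to one of its four ICMP reject rules).
OP_FORWARD = """
add action=accept chain=forward connection-state=established
add action=accept chain=forward connection-state=related
add action=reject chain=forward icmp-options=8:0-255 in-interface=!bridge1 out-interface=pppoe-out1 protocol=icmp reject-with=icmp-host-unreachable
add action=drop chain=forward port=0 protocol=tcp
add action=drop chain=forward port=0 protocol=udp
"""
# The RouterOS default ("defconf") forward chain quoted by anav.
DEFCONF_FORWARD = """
add action=accept chain=forward connection-state=established,related,untracked
add action=drop chain=forward connection-state=invalid
add action=drop chain=forward connection-nat-state=!dstnat connection-state=new in-interface-list=WAN
"""
# anav's default-deny layout; the LAN->WAN accept is written against the LAN list (assumed).
STRICT_FORWARD = """
add action=accept chain=forward connection-state=established,related
add action=drop chain=forward connection-state=invalid
add action=accept chain=forward in-interface-list=LAN out-interface-list=WAN
add action=accept chain=forward connection-nat-state=dstnat connection-state=new in-interface-list=WAN
add action=drop chain=forward comment="drop all else"
"""
CHAINS = {"op": OP_FORWARD, "defconf": DEFCONF_FORWARD, "strict": STRICT_FORWARD}

def default_lists():
    return {"WAN": {"pppoe-out1"}, "LAN": {"bridge1"}}     # the topic author's setup

def packet(in_if, out_if, src, dst, dport, nat_state="none"):
    """Constructed sample: first packet of a new TCP connection."""
    return {"in-interface": in_if, "out-interface": out_if, "protocol": "tcp",
            "src-address": src, "dst-address": dst, "src-port": 51000, "dst-port": dport,
            "connection-state": "new", "connection-nat-state": nat_state}

def compare(pkt, lists):
    """Verdict of each of the three forward chains for one packet."""
    return {name: evaluate(parse_rules(text), "forward", pkt, lists) for name, text in CHAINS.items()}

if __name__ == "__main__":
    lists = default_lists()
    probe = packet("pppoe-out1", "bridge1", "203.0.113.5", "192.168.88.10", 445)   # Internet -> LAN SMB
    print("WAN->LAN, not port-forwarded:", compare(probe, lists))
    print("LAN->WAN HTTPS:", compare(packet("bridge1", "pppoe-out1", "192.168.88.10", "203.0.113.5", 443), lists))
    print("same probe on pppoe-out2 (not in WAN list yet):", compare(packet("pppoe-out2", "bridge1", "203.0.113.5", "192.168.88.10", 445), lists))
```

Running it shows the point anav makes about the first post: the original forward chain returns accept for an unsolicited Internet-to-LAN connection, because after the established/related rules nothing drops it and the chain falls through to RouterOS's implicit accept, while both the defconf chain and the default-deny chain drop it. The third case shows why interface lists matter for the second PPPoE link: defconf's "drop all from WAN not DSTNATed" rule stops matching traffic arriving on pppoe-out2 until that interface is made a member of the WAN list, whereas a final "drop all else" rule catches it regardless of whether the list was updated.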
 
atuxnull
newbie
Topic Author
Posts: 35
Joined: Tue Feb 07, 2017 10:02 pm

Re: Firewall setup for small office

Wed Sep 16, 2020 10:15 am

Thanks to @anav for the post. Could you edit the post and put it in code format, please?
Also I am adding a pppoe-client connection to a 2nd WAN. What other changes do I need to make?
 
kalamaja
newbie
Posts: 41
Joined: Wed May 23, 2018 3:13 pm

Re: Firewall setup for small office

Wed Sep 16, 2020 10:59 am

The trick about the default firewall rules is that they are cleverly written using interface lists. So to change to or use a non-standard WAN port, you just change the interface list members.
 
anav
Forum Guru
Posts: 5114
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Firewall setup for small office

Wed Sep 16, 2020 2:39 pm

Nothing tricky about it. Just ensure that any additional interfaces are identified in the interface list. Straight configuration management.

Not sure what you mean atux??
You have to enter in the config not me LOL.
(the notes and notes symbols are not part of the config if that is what is confusing you!)
 
atuxnull
newbie
Topic Author
Posts: 35
Joined: Tue Feb 07, 2017 10:02 pm

Re: Firewall setup for small office

Wed Sep 16, 2020 3:43 pm

Not sure what you mean atux??
You have to enter in the config not me LOL.
(the notes and notes symbols are not part of the config if that is what is confusing you!)
All I am saying is: if it's possible, edit your post and put the comments in code [ ] format, since it is not easy to read.
 
anav
Forum Guru
Posts: 5114
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Firewall setup for small office

Wed Sep 16, 2020 5:41 pm

What don't you understand? I could care less how it looks, as it's just a few lines and not a complete config, but I made it prettier for you.
 
felodimul
just joined
Posts: 1
Joined: Wed Aug 12, 2020 5:59 pm

Re: Firewall setup for small office

Wed Sep 16, 2020 11:29 pm

anav - thanks. Your posts are extremely useful.
