mikrodoog
just joined
Topic Author
Posts: 14
Joined: Mon Apr 19, 2021 12:25 am

Small home network with 2 AP

Mon Apr 19, 2021 12:54 am

Hi all.

Maybe this won't be like a big thing, but I have some doubts about my home network.

I bought a hAP (RB941-2nd) which I use as my main router. I have two more home routers from TP-Link (a TL-WR841N and an Archer C60), which are in AP mode. One router is for the 2.4 GHz band, and the other just for the 5 GHz band (I thought that having one device for each band was more reliable and optimal than having one device for both).

And that's it, at home we have around 5 phones, some at 2.4, others at 5 ghz, also 2 laptops, one at 5 and the other at 2.4, plus my two work laptops which are at 2.4.

Initially I wanted to do the following (all this before deciding to invest in mikrotik):
ether1 -> Internet
Firewall (good rules to prevent hacking and stuff)
Receive DHCP from ISP
Ad blocking? It is a powerful enough device; it could be nice to have it do that instead of having the clients do the blocking.
Should I add an IP to have a connection to the modem's interface? It would be a 192.168.100.x network, that's my guess so far.
Do traffic shaping? =D that would be awesome

ether2 -> to 2.4 AP
vlan 24
192.168.24.x/for around 10 devices network
192.168.24.1/28 (dhcp from 1 to 10)
ether3 -> to NAS
vlan 31
192.168.31.x/for around 01 device network
"aa", I have to choose, it would be for only 1 device anyways
192.168.31.0/31 (0 to 1)
ether4 -> to 5.8 AP
vlan 58
192.168.58.x/for around 10 devices network
192.168.58.1/28 (dhcp 1 to 15)

1 week life time.

ether3 must be reachable by ether2 and ether4.
But now that I have the device, I was like... do I really want to do it like that? I mean, I'm no network guy, I'm just a power user (yes, from the 80's, 90's), and so far, the network is fine, it's fast, I just added some rules for queue management, and that's all. The network is on 192.168.88.1/24, and so far the ad blocking is done by each device using the hosts file... I even downclocked the device a bit to avoid overheating... (I mean, it stays at less than 5% all day long, so you can figure out 100 Mbps internet is not stressing it at all).

It is quite a good device, maybe I overdid it (I convinced my wife to buy it for me hehe and also the extra router/ap).

What do you think? Am I just overthinking? Should I leave it as it is?

As for config, I have the following:

Firewall
Flags: X - disabled, I - invalid, D - dynamic
0 D ;;; special dummy rule to show fasttrack counters
chain=forward action=passthrough

1 ;;; defconf: accept established,related,untracked
chain=input action=accept connection-state=established,related,untracked

2 ;;; defconf: drop invalid
chain=input action=drop connection-state=invalid

3 ;;; defconf: accept ICMP rate limited 30/s
chain=input action=drop protocol=icmp limit=30,30:packet dst-limit=30,30,dst-address/1m40s log=no
log-prefix=""

4 ;;; defconf: drop all not coming from LAN
chain=input action=drop in-interface-list=!LAN

5 ;;; defconf: fasttrack
chain=forward action=fasttrack-connection connection-state=established,rel

6 ;;; defconf: accept established,related, untracked
chain=forward action=accept connection-state=established,related,untracked

7 ;;; defconf: accept to local loopback (for CAPsMAN)
chain=input action=accept dst-address=127.0.0.1 log=no log-prefix=""

8 X ;;; defconf: accept in ipsec policy
chain=forward action=accept log=no log-prefix="" ipsec-policy=in,ipsec

9 X ;;; defconf: accept out ipsec policy
chain=forward action=accept log=no log-prefix="" ipsec-policy=out,ipsec

10 ;;; defconf: drop all from WAN not DSTNATed
chain=forward action=drop connection-state=new connection-nat-state=!dstna
log-prefix=""

11 ;;; defconf: drop invalid
chain=forward action=drop connection-state=invalid

Mangle

Flags: X - disabled, I - invalid, D - dynamic
0 D ;;; special dummy rule to show fasttrack counters
chain=prerouting action=passthrough

1 D ;;; special dummy rule to show fasttrack counters
chain=forward action=passthrough

2 D ;;; special dummy rule to show fasttrack counters
chain=postrouting action=passthrough

3 chain=postrouting action=mark-packet new-packet-mark=streaming passthrough=no connection-mark=streaming packet-mark=no-mark

4 chain=postrouting action=mark-packet new-packet-mark=misc-fast passthrough=no tcp-flags=ack protocol=tcp packet-mark=no-mark packet-size=40

5 chain=postrouting action=mark-packet new-packet-mark=misc-fast passthrough=no protocol=udp out-interface=ether1 packet-mark=no-mark dst-port=53

6 chain=postrouting action=mark-packet new-packet-mark=http passthrough=no connection-mark=http packet-mark=no-mark

7 ;;; Streaming
chain=postrouting action=mark-connection new-connection-mark=streaming connection-state=new protocol=tcp connection-mark=no-mark
out-interface=ether1 dst-port=33001

8 ;;; Streaming
chain=postrouting action=mark-connection new-connection-mark=streaming connection-state=new protocol=udp connection-mark=no-mark
out-interface=ether1 dst-port=33001

9 ;;; Web Browsing
chain=postrouting action=mark-connection new-connection-mark=http connection-state=new protocol=tcp connection-mark=no-mark out-interface=ether1
dst-port=80,443

Queue
Flags: X - disabled, I - invalid
0 name="queue1" parent=ether1 packet-mark="" limit-at=9700k queue=default priority=8 max-limit=9700k burst-limit=0 burst-threshold=0 burst-time=0s
bucket-size=0.1

1 name="prio5-streaming" parent=queue1 packet-mark=streaming limit-at=6200k queue=default priority=5 max-limit=6200k burst-limit=0 burst-threshold=0
burst-time=0s bucket-size=0.1

2 name="prio8-untagged" parent=queue1 packet-mark=no-mark limit-at=100k queue=default priority=8 max-limit=9500k burst-limit=0 burst-threshold=0
burst-time=0s bucket-size=0.1

3 name="prio2-misc-fast" parent=queue1 packet-mark=misc-fast limit-at=1G queue=default priority=2 max-limit=1G burst-limit=0 burst-threshold=0
burst-time=0s bucket-size=0.1

4 name="prio6-http" parent=queue1 packet-mark=http limit-at=100k queue=default priority=6 max-limit=9100k burst-limit=0 burst-threshold=0 burst-time=0s
bucket-size=0.

I think the firewall could be optimized but I'm not sure; also I have the feeling some rules are duplicated (I read about the order in which they have to be, but I'm all confused), I don't know. What do you think?
 
anav
Forum Guru
Posts: 6864
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Small home network with 2 AP

Mon Apr 19, 2021 3:26 pm

For a simple home network I would not use mangling or queuing.
However the diagrams provided are too difficult to read and incomplete.
Please post your config
/export hide-sensitive file=anynameyouwish

Also assuming the two APs you have are not able to read VLAN tags.
Not sure what you mean by ad blocking??? Not really the domain of a plain MT router (do you have a Raspberry Pi in the mix?)
Perhaps a network diagram would help in what you're accomplishing.

There is no advantage by eliminating use of 2.4 or 5 on APs.
What is important is to put APs where they are needed, and thus if you have a WIRED home, then you can place APs for decent coverage.
5ghz works best with LOS and at most one wall separation.
2.4ghz works well through two walls

5ghz is best for video streaming
2.4ghz is best for maintaining connectivity at longer ranges (doorbells, and other iot devices, laptops etc).
I'd rather manage rats than software. Follow my advice at your own risk! (Sob & mkx forced me to write that!)
MTUNA Certified, by the Ascerbic Llama!
 
mikrodoog
just joined
Topic Author
Posts: 14
Joined: Mon Apr 19, 2021 12:25 am

Re: Small home network with 2 AP

Tue Apr 20, 2021 2:54 am

Sure, here:
Picture2.jpg
The NAS is not there because I have not bought it yet.

But yeah, that's all, I mean. I think it is the simplest home network ever.

For adblock, I was thinking of one script I saw that loads a hosts file and does redirections, but I then saw that the device needs to have a lot of memory just to load the address list, so nah, I decided not to stress the router more than necessary.

And here's my config so far:
anynameyouwish.rsc
Any advice is highly appreciated. I disabled the queue and everything associated, so just the firewall rules remain. I worry that some may be duplicates or maybe in the wrong order.
 
anav
Forum Guru
Posts: 6864
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Small home network with 2 AP

Tue Apr 20, 2021 3:58 am

(1) You didn't make it clear, but you are using the haplite to also provide wifi??

(2) Get rid of bridge filter settings, noise not needed.
/interface bridge filter
# wlan2 not ready
# in/out-bridge-port matcher not possible when interface (wlan2) is not slave
add action=drop chain=forward in-interface=wlan2
# wlan2 not ready
# in/out-bridge-port matcher not possible when interface (wlan2) is not slave
add action=drop chain=forward out-interface=wlan2


(3) why did you set everything to bridge and then the address to ether2? Should be bridge
/ip address
add address=192.168.88.1/24 comment=defconf interface=ether2 network=\
192.168.88.0

(4) I would disable scripts and mangling and get router working first.
 
mikrodoog
just joined
Topic Author
Posts: 14
Joined: Mon Apr 19, 2021 12:25 am

Re: Small home network with 2 AP

Tue Apr 20, 2021 3:59 pm

Sorry my bad, let me answer each one:
(1) You didn't make it clear, but you are using the haplite to also provide wifi??
No, just for routing. That's why the wlan interface is disabled.


(2) Get rid of bridge filter settings, noise not needed.
/interface bridge filter
# wlan2 not ready
# in/out-bridge-port matcher not possible when interface (wlan2) is not slave
add action=drop chain=forward in-interface=wlan2
# wlan2 not ready
# in/out-bridge-port matcher not possible when interface (wlan2) is not slave
add action=drop chain=forward out-interface=wlan2
(3) why did you set everything to bridge and then the address to ether2? Should be bridge
/ip address
add address=192.168.88.1/24 comment=defconf interface=ether2 network=\
192.168.88.0
It was default, do you mean the default config has some errors?

(4) I would disable scripts and mangling and get router working first.
Let me do that.
 
mikrodoog
just joined
Topic Author
Posts: 14
Joined: Mon Apr 19, 2021 12:25 am

Re: Small home network with 2 AP

Tue Apr 20, 2021 4:05 pm


(3) why did you set everything to bridge and then the address to ether2? Should be bridge
/ip address
add address=192.168.88.1/24 comment=defconf interface=ether2 network=\
192.168.88.0
How in heck did that happen? I mean, I don't remember setting that to ether2, or could it be I clicked something by mistake? I mean, you are right, it should be set to the bridge. But I do not know how it happened, really.
 
mikrodoog
just joined
Topic Author
Posts: 14
Joined: Mon Apr 19, 2021 12:25 am

Re: Small home network with 2 AP

Tue Apr 20, 2021 4:16 pm

Ok, it should be all better now.
anynameyouwish.rsc
 
anav
Forum Guru
Posts: 6864
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Small home network with 2 AP

Tue Apr 20, 2021 6:32 pm

No worries, set to ether2 is part of the default setup that catches most people; I was just ribbing you LOL.
I don't see where the wlans on the hap are disabled but I believe you, just a bit tired to read into the config.

Should be fine, is there a question/issue on something not working?
 
mikrodoog
just joined
Topic Author
Posts: 14
Joined: Mon Apr 19, 2021 12:25 am

Re: Small home network with 2 AP

Wed Apr 21, 2021 3:10 am

Not really, thanks for the help and advice.

For context, it's just me and my wife. We are in our 40's and we just want to have a calm internet experience.

I decided to buy mikrotik because
  • Although I work in IT and with networking people, I did not see the point in buying a Cisco router hehe
  • I had TP-Link in the past, and seeing that some of their home routers seem to have some kind of bug or flaw and TP-Link was not offering updates, I went to other brands
  • OpenWrt did not support the router I was looking to buy or it was just too complicated to install (good people and the software is good, but "I'm too old for this")
  • And there it was, a nice economical router, plus my wife said: "sure, why not?"
  • Also I had this weird episode with my ISP cable modem: I changed the default admin password and two days later it was back to default again, like the device was reset by the company, so I said "oh hell no", bridge mode and send it
Anyways, this case is solved.

Btw, are the firewall rules ok? In the correct order? I promise it's my final question.
 
anav
Forum Guru
Posts: 6864
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Small home network with 2 AP

Wed Apr 21, 2021 5:31 am

Yup, they are the default ones and work on the premise of allow all traffic except what you have blocked.

Most of us graduate from the default rule and change the premise to block all traffic by default except what we allow.
Very easy to do with few rule changes.
IF interested we can tackle that next.
 
za7
just joined
Posts: 9
Joined: Tue Mar 14, 2017 8:59 pm

Re: Small home network with 2 AP

Wed Apr 21, 2021 10:47 pm

mikrodoog,
If you have not done so already look at the following sites:
GRC Shields UP to check for open ports and UPnP status
https://www.grc.com
https://help.mikrotik.com/docs/display/ ... our+router
 
anav
Forum Guru
Posts: 6864
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Small home network with 2 AP

Thu Apr 22, 2021 2:24 am

Hi za7,
Many folks I know USE mac-winbox (yes, turn plain mac off, but mac-winbox is a viable way to access the router from within the LAN).
What I would say is that
a. you don't use the default winbox port (change it in services) and
b. create an admin interface list that helps one limit who on the router can access the winbox server based on interface list.
c. finally, back in IP services and winbox, you can drill down which IPs are allowed within the interface list in b. to access winbox. (even room for a certificate here, but for home probably overkill)
d. in the firewall input chain rules similar: limit full access to the router via interface list as the first level and then a source address list of allowed IP addresses.
 
mikrodoog
just joined
Topic Author
Posts: 14
Joined: Mon Apr 19, 2021 12:25 am

Re: Small home network with 2 AP

Sat Apr 24, 2021 3:30 am

IF interested we can tackle that next.
Sure, I accept your offer.

From what I have read, I see that the rules follow 3 simple words, Input, Forward and Output.
From what I understand, the packet arrives, that's input.
The packet passes through the router, that is forward.
Goes out the router, that is output.

That's all I know, and that's before getting my headache just looking at the winbox hehe.
 
mikrodoog
just joined
Topic Author
Posts: 14
Joined: Mon Apr 19, 2021 12:25 am

Re: Small home network with 2 AP

Sat Apr 24, 2021 3:31 am

mikrodoog,
If you have not done so already look at the following sites:
GRC Shields UP to check for open ports and UPnP status
https://www.grc.com
https://help.mikrotik.com/docs/display/ ... our+router
Ah yes, all checked and applied. So far so good.
 
anav
Forum Guru
Posts: 6864
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Small home network with 2 AP

Sat Apr 24, 2021 5:26 am

Have a look at this to see if you understand it and want to accomplish it.
INPUT rules are for traffic to and from the router itself.
FORWARD rules are for traffic across the router (wan to lan, lan to wan, lan to lan)
Output rules are rarely used.
NAT rules are typically used for port forwarding (dst nat) and assigning public IPs to private IPs before heading outbound (src nat), however in MT speak they can be used for a variety of different situations.
IP routes are used to determine the outbound path of packets.

Here is my minimalist but safe setup.
(1) The idea being, as stated, to move from the default setup (which is safe but not targeted, and has a concept of allow all and block what you don't want)
TO what the previous poster and most prefer: change the setup to BLOCK ALL by default and then state what is allowed.

(2) Correct in that the goal in the input chain, for security, is to only allow the admin to have access to the router, but users/devices may need some services typically DNS.

(3) For VLAN to VLAN protection and any traffic to and from the LANs, the firewall rules in the forward chain come into play.
The same concept as above applies, modify the default rules, into a concept of block all except what you wish to allow.
All the rules above the +++++ line are default ones that we want to keep and the ones below are the ones the admin adds.
NOTE: In the input chain, do not put in the LAST RULE the DROP rule until the allow admin access rule is in place - otherwise one is locked out!
...
...
/ip firewall filter
{input chain}
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
+++++++++++++++++++++++++++++++++++++++++++++++++++++++++
add action=accept chain=input comment="Allow ADMIN to Router" \
    in-interface-list=MGMT src-address-list=adminaccess
add action=accept chain=input comment="Allow LAN DNS queries - TCP" \
    connection-state=new dst-port=53 in-interface-list=LAN protocol=tcp
add action=accept chain=input comment="Allow LAN DNS queries-UDP" \
    connection-state=new dst-port=53 in-interface-list=LAN protocol=udp
add action=drop chain=input comment="Drop All Else"
....
{forward chain}
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
    ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
    ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
    connection-state=established,related
add action=accept chain=forward comment=\
    "defconf: accept established,related, untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
+++++++++++++++++++++++++++++++++++++++++++++++++++++++++
add action=accept chain=forward comment="allow LAN  to WAN traffic" \
    in-interface-list=LAN  out-interface-list=WAN
{disable when not needed}
add action=accept chain=forward comment="Allow Port Forwarding" \
    connection-nat-state=dstnat  connection-state=new in-interface-list=WAN
add action=drop chain=forward comment="drop all else"

(4) The input chain rule requiring the admin access firewall address list ensures only the LAN IPs identified have access to the router (via winbox for example). Typically one sets one's IPs through the router's DHCP leases as static, fixed IPs.
/ip firewall address-list
add address=ip_admin-desktop list=adminaccess
add address=ip_admin-laptop list=adminaccess
add address=ip_admin-smartphone list=adminaccess

(5) The other part of this rule as you may have noted is an interface-list=MGMT
Typically this is the scenario.

/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
add name=MGMT (optional)
add name=VlansWith-Internet (optional but if you dont allow all vlans to access internet this provides an easy way to config)

/interface list member
add comment=defconf interface=ether1 list=WAN
add interface=bridge list=LAN
add interface=vlan10 list=MGMT (this identifies the management lan, typically the home lan the admin user is on)
+++++++++++++++++++++++++++++++++++++
add interface=ether5 list=LAN (if you have an emergency access port on the router to reach it for config purposes if bridge or main LAN gets funky)
add interface=ether5 list=MGMT (so as to be able to reach router from emerg access for config purposes)

(6) Can you guess where else we use MGMT?
Correct. Look at TOOLS MACSERVER.
Set WINBOX-MAC server interface=MGMT.

(7) Go To IP Services and turn all services off except for WINBOX and possibly SSH as a backup
a. change default port to something else but write it down!
b. in the Available from, put in the subnets above that are applicable (vlan10 subnet and ether5 subnet)

(8) Go to SYSTEM Users and for the logins allowed to access winbox put in the same subnets as in b.

Thus you have in summary limited access to the router (for config purposes)
by login rules (username and password and subnets)
by winbox access (port number and subnets)
by firewall rules that limit access to winbox mac server
by firewall rules that limit access by subnets and IP addresses.
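The input and forward rule lists in the post above, as an added example that is not anav's or MikroTik's code: a small Python model of RouterOS first-match evaluation over those rules. The interface lists, the admin IPs in adminaccess and the sample packets are constructed values, and the two ipsec-policy rules are left out because the model has no IPsec state. It shows which rule catches a LAN DNS query, a non-admin Winbox attempt, an unsolicited WAN packet and a port-forwarded one, that a chain with no rules accepts, and what happens to the admin's own Winbox connection when the Drop All Else rule ends up before the Allow ADMIN rule.

```python
"""First-match evaluator for the block-by-default input/forward rules above.
Added example, not RouterOS code: it models only the matchers those rules use
(connection-state, connection-nat-state, protocol, dst-port, in/out interface
list, src address list) and stops at the first matching rule, as RouterOS does.
The two ipsec-policy rules are omitted because the model has no IPsec state."""
from dataclasses import dataclass, field
from typing import Optional

# Constructed sample values for the thread's interface lists and adminaccess list.
INTERFACE_LISTS = {"WAN": {"ether1"}, "LAN": {"bridge", "ether5"}, "MGMT": {"vlan10", "ether5"}}
ADDRESS_LISTS = {"adminaccess": {"192.168.88.10", "192.168.88.11"}}  # placeholder admin IPs


@dataclass
class Packet:
    chain: str                       # "input" (to the router) or "forward" (through it)
    in_iface: str
    src: str
    conn_state: str = "new"          # new / established / related / untracked / invalid
    protocol: Optional[str] = None   # "tcp", "udp", "icmp"
    dst_port: Optional[int] = None
    out_iface: Optional[str] = None
    nat_state: Optional[str] = None  # "dstnat" once a port-forward NAT rule applied


@dataclass
class Rule:
    chain: str
    action: str
    comment: str
    matchers: dict = field(default_factory=dict)  # empty dict matches every packet


def in_list(iface, list_name):
    return iface in INTERFACE_LISTS.get(list_name, set())


def matches(rule, pkt):
    """True when the chain and every matcher present on the rule fit the packet."""
    m = rule.matchers
    return all((
        rule.chain == pkt.chain,
        pkt.conn_state in m.get("connection-state", {pkt.conn_state}),
        pkt.protocol == m.get("protocol", pkt.protocol),
        pkt.dst_port == m.get("dst-port", pkt.dst_port),
        pkt.nat_state == m.get("connection-nat-state", pkt.nat_state),
        "in-interface-list" not in m or in_list(pkt.in_iface, m["in-interface-list"]),
        "out-interface-list" not in m or in_list(pkt.out_iface, m["out-interface-list"]),
        "src-address-list" not in m or pkt.src in ADDRESS_LISTS.get(m["src-address-list"], set()),
    ))


def evaluate(rules, pkt):
    """(action, comment) of the first matching rule. A chain with no matching rule
    accepts, which is why a router with no filter rules at all never locks you out."""
    for rule in rules:
        if matches(rule, pkt):
            return rule.action, rule.comment
    return "accept", "(no rule matched: chain default is accept)"


INPUT_RULES = [
    Rule("input", "accept", "defconf: accept established,related,untracked",
         {"connection-state": {"established", "related", "untracked"}}),
    Rule("input", "drop", "defconf: drop invalid", {"connection-state": {"invalid"}}),
    Rule("input", "accept", "defconf: accept ICMP", {"protocol": "icmp"}),
    Rule("input", "accept", "Allow ADMIN to Router",
         {"in-interface-list": "MGMT", "src-address-list": "adminaccess"}),
    Rule("input", "accept", "Allow LAN DNS queries - TCP", {"connection-state": {"new"},
         "dst-port": 53, "in-interface-list": "LAN", "protocol": "tcp"}),
    Rule("input", "accept", "Allow LAN DNS queries-UDP", {"connection-state": {"new"},
         "dst-port": 53, "in-interface-list": "LAN", "protocol": "udp"}),
    Rule("input", "drop", "Drop All Else"),
]
FORWARD_RULES = [
    Rule("forward", "fasttrack-connection", "defconf: fasttrack",
         {"connection-state": {"established", "related"}}),
    Rule("forward", "accept", "defconf: accept established,related, untracked",
         {"connection-state": {"established", "related", "untracked"}}),
    Rule("forward", "drop", "defconf: drop invalid", {"connection-state": {"invalid"}}),
    Rule("forward", "accept", "allow LAN to WAN traffic",
         {"in-interface-list": "LAN", "out-interface-list": "WAN"}),
    Rule("forward", "accept", "Allow Port Forwarding", {"connection-nat-state": "dstnat",
         "connection-state": {"new"}, "in-interface-list": "WAN"}),
    Rule("forward", "drop", "drop all else"),
]
ALL_RULES = INPUT_RULES + FORWARD_RULES


def lockout_demo():
    """The NOTE above in action: the admin's own Winbox packet is accepted with the
    rules as listed and dropped if 'Drop All Else' lands before the admin rule."""
    admin = Packet("input", "vlan10", "192.168.88.10", protocol="tcp", dst_port=8291)
    drop_all = INPUT_RULES[-1]
    misordered = [r for r in INPUT_RULES if r is not drop_all]
    misordered.insert(3, drop_all)   # drop-all now precedes "Allow ADMIN to Router"
    return evaluate(INPUT_RULES, admin)[0], evaluate(misordered, admin)[0]
```

Calling evaluate(ALL_RULES, Packet("input", "bridge", "192.168.88.50", protocol="tcp", dst_port=8291)) lands on "Drop All Else", which is the behaviour reported later in the thread for Winbox over IP from a non-MGMT interface.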
 
mikrodoog
just joined
Topic Author
Posts: 14
Joined: Mon Apr 19, 2021 12:25 am

Re: Small home network with 2 AP

Sun Apr 25, 2021 3:26 pm

I understand...

After reading it like 10 times hehehe.

All the initial rules are clear to me. Now, the only modification I would do so it fits my model is to change the emergency port to ether3, since I can actually plug the NAS into either AP anyway. But since I'm not having VLANs for now, using ether3 (in my case) would be pointless for me anyway, since I'm not currently using VLANs. But, Murphy's law, it's nicer to have it and not need it, than to not have it and need it.

I was able to change the mac port, almost soiled my pants when I was not able to access, because I thought: "ok, it's still being recognized by winbox, but why is it not using the port I set up?", then I tried putting the IP:port in the "connect to" field, and it worked. Some foolish part of me thought that winbox would "autodetect" the new port hehehehe.

Now, about this warning:
All the rules above the +++++ line are default ones that we want to keep and the ones below are the ones the admin adds.
NOTE: In the input chain, do not put in the LAST RULE the DROP rule until the allow admin access rule is in place - otherwise one is locked out!
If I understand correctly, you are talking about this rule:
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
That means, if my IP is not on the LAN list, the router will indeed just drop my packet, right?
 
anav
Forum Guru
Posts: 6864
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Small home network with 2 AP

Sun Apr 25, 2021 4:03 pm

No that would NOT be the last rule in the input chain LOL.
The last rule in the input chain would be
add chain=input action=drop

(note: the invalid rule you were referring to is to drop any malformed packets before they get too far).

Please post your config now, so I can see if it's where it should be.............
 
mikrodoog
just joined
Topic Author
Posts: 14
Joined: Mon Apr 19, 2021 12:25 am

Re: Small home network with 2 AP

Sun Apr 25, 2021 4:51 pm

Actually I haven't made any changes, I have all in a txt file, compiling to do it via terminal.

So far I have this:

I start with this first:
/ip firewall address-list
add address=ip_admin-desktop list=adminaccess comment="My PC"
add address=ip_admin-laptop list=adminaccess comment="Wife PC"
add address=ip_admin-smartphone list=adminaccess comment="My Phone"

/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
add name=MGMT

/interface list member
add comment=defconf interface=ether1 list=WAN
add interface=bridge list=LAN
add interface=ether3 list=LAN
add interface=ether3 list=MGMT

Set WINBOX-MAC server interface=MGMT
Then add this:
/ip firewall filter
{input chain}
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
+++++++++++++++++++++++++++++++++++++++++++++++++++++++++
add action=accept chain=input comment="Allow ADMIN to Router" \
    in-interface-list=MGMT src-address-list=adminaccess
add action=accept chain=input comment="Allow LAN DNS queries - TCP" \
    connection-state=new dst-port=53 in-interface-list=LAN protocol=tcp
add action=accept chain=input comment="Allow LAN DNS queries-UDP" \
    connection-state=new dst-port=53 in-interface-list=LAN protocol=udp
add action=drop chain=input comment="Drop All Else"
....
{forward chain}
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
    ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
    ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
    connection-state=established,related
add action=accept chain=forward comment=\
    "defconf: accept established,related, untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
+++++++++++++++++++++++++++++++++++++++++++++++++++++++++
add action=accept chain=forward comment="allow LAN  to WAN traffic" \
    in-interface-list=LAN  out-interface-list=WAN
{disable when not needed}
add action=accept chain=forward comment="Allow Port Forwarding" \
    connection-nat-state=dstnat  connection-state=new in-interface-list=WAN
add action=drop chain=forward comment="drop all else"
Now, I wonder something: if I delete all my current rules, how will I communicate with the router? Will the router accept the terminal/winbox connection with no firewall rules? (Something tells me it will, since there are no rules, right?)
 
anav
Forum Guru
Posts: 6864
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Small home network with 2 AP

Sun Apr 25, 2021 5:29 pm

Don't delete rules until you have added the rules. No harm in adding extra rules ..........

Just keep the last rule in the input chain as the very last entry, AKA after you have added the new rules and deleted the old rules.
Then put in the last drop all rule in the input chain.
 
mikrodoog
just joined
Topic Author
Posts: 14
Joined: Mon Apr 19, 2021 12:25 am

Re: Small home network with 2 AP

Sun Apr 25, 2021 7:31 pm

Ok, I'll add a comment to the current ones because my sight is not as good as it used to be XD.

And here it is:
anynameyouwish.rsc
Believe me, it sucks to be getting old.


I forgot, I haven't applied this line:
set WINBOX- MAC server interface=MGMT
I have the feeling I will lose the connection to the winbox.
 
anav
Forum Guru
Posts: 6864
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Small home network with 2 AP

Sun Apr 25, 2021 10:15 pm

I don't see anything terribly wrong.
I do not understand why you have ether2 belonging to management because it says it's going to the NAS.
If you wanted to limit the interface that YOU as admin were on, and that is ether3 as well, okay!!

You are going to screw up your firewall rules, I can sense it LOL.
You are deleting perfectly good rules that are in the correct order.

What you should do is look at the rules list I gave you and if it's the same as one of the ones you have and IN THE RIGHT ORDER, don't delete IT..........just keep it and move to the next rule.
 
mikrodoog
just joined
Topic Author
Posts: 14
Joined: Mon Apr 19, 2021 12:25 am

Re: Small home network with 2 AP

Sun Apr 25, 2021 10:36 pm

Ok, again, almost soiled my pants hehe

For some odd reason, I'm unable to connect via winbox using the ip address, but I can use the mac address.

I am looking at the rules and do not see anything related about blocking ip access. So weird.
 
mikrodoog
just joined
Topic Author
Posts: 14
Joined: Mon Apr 19, 2021 12:25 am

Re: Small home network with 2 AP

Sun Apr 25, 2021 10:39 pm

Aaaaaaand now I'm late to reading your response hehehehehehe. Actually I disabled my rules now, and have your suggestions up.

The only difference is that mac access. I was under the assumption that the most common way to access was via IP, and not the mac. But I see why everyone keeps saying mac this and mac that. It's because you use the mac address. hehe
I don't see anything terribly wrong.
I do not understand why you have ether2 belonging to management because it says it's going to the NAS.
If you wanted to limit the interface that YOU as admin were on, and that is ether3 as well, okay!!

You are going to screw up your firewall rules, I can sense it LOL.
You are deleting perfectly good rules that are in the correct order.

What you should do is look at the rules list I gave you and if it's the same as one of the ones you have and IN THE RIGHT ORDER, don't delete IT..........just keep it and move to the next rule.

Another is (I guess obvious since you have a network background), your rules have made my router now have almost 0 cpu utilization. That's a plus.

Edit:

You know, with these new rules, I found something weird on my network, check this:

***DropAllElse*** input: in:bridge out:(unknown 0), src-mac 7c:5c:f8:9f:d1:b6, proto UDP, 192.168.88.250:55626->255.255.255.255:20561, len 50

The Drop All Else rule was filling up like crazy, so I decided to log it and found this. Sometimes the length changes to 150 or 250, but the majority is 50. And it's coming from my laptop. I closed all browsers and stuff, and it's still showing. I wonder what the heck is doing that traffic.

Another edit:
Used Wireshark and found this
Screenshot 2021-04-25 185328.png
I wonder what's wrong with the dhcp???


Another edit:

Never mind, found the issue

viewtopic.php?p=846838
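One way to make sense of what a logging drop rule is catching, as an added example that is not from the thread or MikroTik: a Python parser for firewall log lines in the format of the ***DropAllElse*** entry above, which then groups the hits into LAN broadcast/multicast chatter (like the 255.255.255.255:20561 traffic found here) versus unsolicited packets arriving on the WAN side. The first sample line is the one from the post; the other lines, the documentation addresses in them, and ether1 as the WAN interface are constructed assumptions.

```python
"""Parser and triage for RouterOS firewall log lines in the format shown above
('<prefix> <chain>: in:<if> out:<if>, src-mac <mac>, proto <P>, <src>:<port>-><dst>:<port>, len <n>').
Added example, not from the thread or MikroTik. The timestamp/topic prefix that
'/log print' adds is optional; src-mac and TCP flags are optional too."""
import ipaddress
import re
from collections import Counter

LOG_RE = re.compile(
    r"^(?:(?P<ts>\S+ \S+) firewall,info )?"                    # optional /log print prefix
    r"(?P<prefix>\S+) (?P<chain>input|forward|output): "
    r"in:(?P<in_if>\S+) out:(?P<out_if>\(unknown 0\)|\S+), "
    r"(?:src-mac (?P<mac>(?:[0-9a-f]{2}:){5}[0-9a-f]{2}), )?"    # absent on some lines
    r"proto (?P<proto>[A-Z]+)(?: \((?P<flags>[^)]*)\))?, "      # e.g. 'TCP (SYN)'
    r"(?P<src>[\d.]+)(?::(?P<sport>\d+))?->(?P<dst>[\d.]+)(?::(?P<dport>\d+))?, "
    r"len (?P<len>\d+)$"
)

# Constructed sample log: line 1 is the entry from the post, the rest are made up
# (203.0.113.0/24 and 198.51.100.0/24 are documentation ranges; ether1 is assumed WAN).
SAMPLE_LOG = """\
***DropAllElse*** input: in:bridge out:(unknown 0), src-mac 7c:5c:f8:9f:d1:b6, proto UDP, 192.168.88.250:55626->255.255.255.255:20561, len 50
apr/25 18:53:28 firewall,info ***DropAllElse*** input: in:bridge out:(unknown 0), src-mac 7c:5c:f8:9f:d1:b6, proto UDP, 192.168.88.250:55627->255.255.255.255:20561, len 150
***DropAllElse*** input: in:ether1 out:(unknown 0), proto TCP (SYN), 203.0.113.9:51234->198.51.100.7:8291, len 60
***DropAllElse*** input: in:ether1 out:(unknown 0), proto TCP (SYN), 203.0.113.9:51235->198.51.100.7:22, len 60
***DropAllElse*** input: in:bridge out:(unknown 0), src-mac 00:11:22:33:44:55, proto UDP, 192.168.88.23:5353->224.0.0.251:5353, len 120
"""


def parse_line(line):
    """Return a dict of fields, or None for lines that are not firewall entries."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    for key in ("sport", "dport", "len"):
        rec[key] = int(rec[key]) if rec[key] is not None else None
    return rec


def classify(rec, wan_ifaces=frozenset({"ether1"})):
    """Rough triage: hits arriving on a WAN port deserve a look; LAN broadcast and
    multicast chatter (like the 255.255.255.255:20561 line) is expected noise."""
    if rec["in_if"] in wan_ifaces:
        return "wan-unsolicited"
    if rec["dst"] == "255.255.255.255" or ipaddress.ip_address(rec["dst"]).is_multicast:
        return "lan-broadcast"
    return "lan-to-router"


def summarize(log_text, wan_ifaces=frozenset({"ether1"})):
    """Count dropped packets per category and (src, dst, dport, proto) flow."""
    report = {}
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        flow = (rec["src"], rec["dst"], rec["dport"], rec["proto"])
        report.setdefault(classify(rec, wan_ifaces), Counter())[flow] += 1
    return report


if __name__ == "__main__":
    for category, flows in summarize(SAMPLE_LOG).items():
        print(category)
        for (src, dst, dport, proto), n in flows.most_common():
            print(f"  {n:3d}x {proto} {src} -> {dst}:{dport}")
```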
 
anav
Forum Guru
Posts: 6864
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Small home network with 2 AP

Mon Apr 26, 2021 1:17 am

I actually have no formal training LOL.
Just an old dog who drives real experts crazy with the same question over and over (slow learner).
Eventually something sinks in.
YES WINBOX access using mac is da bomb, it cuts through many an Admin error

You can use IP but you need to remember to then enter the winbox port.

IP_Address:XXXX
 
mikrodoog
just joined
Topic Author
Posts: 14
Joined: Mon Apr 19, 2021 12:25 am

Re: Small home network with 2 AP

Mon Apr 26, 2021 8:54 pm

You can use IP but you need to remember to then enter the winbox port.

IP_Address:XXXX
Regarding that, I had to make a rule to allow that kind of access. With the current rules it does not allow it (from the wireless connection via any AP to the router).
In a sense, I feel it's better that it's blocking it, it's safer. I can still connect via mac address in winbox.
