SecCon
newbie
Topic Author
Posts: 49
Joined: Mon May 03, 2021 10:52 am
Location: Skåne, Sweden

Buying - RB1100AHx4 Dude Edition - Questions about Firewall

Mon May 10, 2021 4:38 pm

So I will be buying the RB1100AHx4 Dude Edition: https://mikrotik.com/product/RB1100Dx4 .
It is probably a bit overkill for my SOHO, but better safe than sorry, and it makes sure it will last a few years ahead.

The thing I have been pondering the most is the ability to control the Firewall, and I have read some of the relevant articles for this: https://help.mikrotik.com/docs/display/ ... t+Firewall but I am also curious whether any of the community members have exported firewalls with pre-defined rules one might look into? Perhaps saving some work by using a tried and tested configuration?
CLI is so 1984 and should be obsolete
- - -
My Mikrotik Devices:
  • Router RB1100AHx4 Dude Edition
  • Switch CRS326-24G-2S+RM
 
anav
Forum Guru
Posts: 7425
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada
Contact:

Re: Buying - RB1100AHx4 Dude Edition - Questions about Firewall

Mon May 10, 2021 7:04 pm

Best thing is to accept the default firewalls as they work out of the box quite safely.
Then work to understand all the default rules.
Then state your requirements and folks will likely chime in to give some advice.
Do not use quickset.
Do use the safe mode button at all times.
Clear requirements with a network diagram = useful assistance.
I'd rather manage rats than software. Follow my advice at your own risk! (Sob & mkx forced me to write that!)
MTUNA Certified, by the Ascerbic Llama!
 
mkx
Forum Guru
Posts: 6020
Joined: Thu Mar 03, 2016 10:23 pm

Re: Buying - RB1100AHx4 Dude Edition - Questions about Firewall

Mon May 10, 2021 7:23 pm

> Best thing is to accept the default firewalls as they work out of the box quite safely.

The SOHO line of Mikrotik routers comes with a very decent default firewall rule set. The RB1100AHx4, however, is not from that line and comes with pretty plain defaults, hence it's wise to get some decent starting settings elsewhere.

@SecCon: you can either wait for somebody to publish default settings and risk (probably a low risk, though) that they won't really be complete or not really the MT default. Or you can get yourself the cheapest possible MT device (that would likely be the hEX lite, with a suggested price of $40) and use that both as a playground and as a trustworthy source of default settings.
BR,
Metod
 
rextended
Forum Guru
Posts: 3930
Joined: Tue Feb 25, 2014 12:49 pm
Location: Capalbio, Tuscany, Italy

Re: Buying - RB1100AHx4 Dude Edition - Questions about Firewall

Mon May 10, 2021 7:26 pm

search tag # rextended default firewall rules

WARNING: the default WAN and LAN interface lists must already be defined

WARNING: if you do not know what you are doing, you will probably lose control of your device

The MikroTik RouterOS 6.46.8, 6.47.9 and 6.48.2 default firewall rules are:

for IPv4
/ip firewall filter
add chain=input action=accept connection-state=established,related,untracked comment="defconf: accept established,related,untracked"
add chain=input action=drop connection-state=invalid comment="defconf: drop invalid"
add chain=input action=accept protocol=icmp comment="defconf: accept ICMP"
add chain=input action=accept dst-address=127.0.0.1 comment="defconf: accept to local loopback (for CAPsMAN)"
add chain=input action=drop in-interface-list=!LAN comment="defconf: drop all not coming from LAN"
add chain=forward action=accept ipsec-policy=in,ipsec comment="defconf: accept in ipsec policy"
add chain=forward action=accept ipsec-policy=out,ipsec comment="defconf: accept out ipsec policy"
add chain=forward action=fasttrack-connection connection-state=established,related comment="defconf: fasttrack"
add chain=forward action=accept connection-state=established,related,untracked comment="defconf: accept established,related, untracked"
add chain=forward action=drop connection-state=invalid comment="defconf: drop invalid"
add chain=forward action=drop connection-state=new connection-nat-state=!dstnat in-interface-list=WAN comment="defconf: drop all from WAN not DSTNATed"

for IPv6, the address-list bad_ipv6 is also created before the firewall rules
/ipv6 firewall address-list
add list=bad_ipv6 address=::/128 comment="defconf: unspecified address"
add list=bad_ipv6 address=::1 comment="defconf: lo"
add list=bad_ipv6 address=fec0::/10 comment="defconf: site-local"
add list=bad_ipv6 address=::ffff:0:0/96 comment="defconf: ipv4-mapped"
add list=bad_ipv6 address=::/96 comment="defconf: ipv4 compat"
add list=bad_ipv6 address=100::/64 comment="defconf: discard only "
add list=bad_ipv6 address=2001:db8::/32 comment="defconf: documentation"
add list=bad_ipv6 address=2001:10::/28 comment="defconf: ORCHID"
add list=bad_ipv6 address=3ffe::/16 comment="defconf: 6bone"
add list=bad_ipv6 address=::224.0.0.0/100 comment="defconf: other"
add list=bad_ipv6 address=::127.0.0.0/104 comment="defconf: other"
add list=bad_ipv6 address=::/104 comment="defconf: other"
add list=bad_ipv6 address=::255.0.0.0/104 comment="defconf: other"

/ipv6 firewall filter
add chain=input action=accept connection-state=established,related,untracked comment="defconf: accept established,related,untracked"
add chain=input action=drop connection-state=invalid comment="defconf: drop invalid"
add chain=input action=accept protocol=icmpv6 comment="defconf: accept ICMPv6"
add chain=input action=accept protocol=udp port=33434-33534 comment="defconf: accept UDP traceroute"
add chain=input action=accept protocol=udp dst-port=546 src-address=fe80::/10 comment="defconf: accept DHCPv6-Client prefix delegation."
add chain=input action=accept protocol=udp dst-port=500,4500 comment="defconf: accept IKE"
add chain=input action=accept protocol=ipsec-ah comment="defconf: accept ipsec AH"
add chain=input action=accept protocol=ipsec-esp comment="defconf: accept ipsec ESP"
add chain=input action=accept ipsec-policy=in,ipsec comment="defconf: accept all that matches ipsec policy"
add chain=input action=drop in-interface-list=!LAN comment="defconf: drop everything else not coming from LAN"
add chain=forward action=accept connection-state=established,related,untracked comment="defconf: accept established,related,untracked"
add chain=forward action=drop connection-state=invalid comment="defconf: drop invalid"
add chain=forward action=drop src-address-list=bad_ipv6 comment="defconf: drop packets with bad src ipv6"
add chain=forward action=drop dst-address-list=bad_ipv6 comment="defconf: drop packets with bad dst ipv6"
add chain=forward action=drop protocol=icmpv6 hop-limit=equal:1 comment="defconf: rfc4890 drop hop-limit=1"
add chain=forward action=accept protocol=icmpv6 comment="defconf: accept ICMPv6"
add chain=forward action=accept protocol=139 comment="defconf: accept HIP"
add chain=forward action=accept protocol=udp dst-port=500,4500 comment="defconf: accept IKE"
add chain=forward action=accept protocol=ipsec-ah comment="defconf: accept ipsec AH"
add chain=forward action=accept protocol=ipsec-esp comment="defconf: accept ipsec ESP"
add chain=forward action=accept ipsec-policy=in,ipsec comment="defconf: accept all that matches ipsec policy"
add chain=forward action=drop in-interface-list=!LAN comment="defconf: drop everything else not coming from LAN"
Last edited by rextended on Sun Jun 06, 2021 10:08 pm, edited 13 times in total.
Sorry, but I'm Italian and I don't have full control of what I'm writing in English...
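Since the thread warns that a rule set imported without understanding it can lock you out, here is an added example (my own Python, not RouterOS code and not part of rextended's post) that parses an export in the `/ip firewall filter` format above and checks that the defconf invariants are still present: every referenced interface list is defined (the first WARNING), both chains drop invalid, input ends with the `!LAN` drop, and forward drops new un-NATed WAN connections. The sample export is constructed from the quoted rules and deliberately omits the final input drop so the checker has something to report.

```python
"""Sanity-check a RouterOS '/ip firewall filter' export before importing it.
Added example; not RouterOS code and not the thread's own configuration."""
import shlex

# Constructed sample: five of the defconf IPv4 rules quoted in the thread,
# with the final input-chain "drop all not coming from LAN" rule left out.
SAMPLE_EXPORT = """\
/ip firewall filter
add chain=input action=accept connection-state=established,related,untracked comment="defconf: accept established,related,untracked"
add chain=input action=drop connection-state=invalid comment="defconf: drop invalid"
add chain=forward action=fasttrack-connection connection-state=established,related comment="defconf: fasttrack"
add chain=forward action=drop connection-state=invalid comment="defconf: drop invalid"
add chain=forward action=drop connection-state=new connection-nat-state=!dstnat in-interface-list=WAN comment="defconf: drop all from WAN not DSTNATed"
"""

def parse_rules(export):
    """Turn each 'add key=value ...' line into a dict; other lines are skipped."""
    rules = []
    for line in export.splitlines():
        tokens = shlex.split(line)  # keeps comment="defconf: ..." as one token
        if tokens and tokens[0] == "add":
            rules.append(dict(tok.partition("=")[::2] for tok in tokens[1:]))
    return rules

def check_defaults(rules, defined_lists=("LAN", "WAN")):
    """Return a list of findings; an empty list means the defconf invariants hold."""
    findings = []
    inp = [r for r in rules if r.get("chain") == "input"]
    fwd = [r for r in rules if r.get("chain") == "forward"]
    # Every interface list a rule names must already exist (the WARNING above).
    for r in rules:
        for key in ("in-interface-list", "out-interface-list"):
            name = r.get(key, "").lstrip("!")
            if name and name not in defined_lists:
                findings.append(f"{r.get('chain')}: references undefined list {name!r}")
    # Both chains must drop invalid connections.
    for chain, rs in (("input", inp), ("forward", fwd)):
        if not any(r.get("action") == "drop" and r.get("connection-state") == "invalid" for r in rs):
            findings.append(f"{chain}: missing 'drop connection-state=invalid'")
    # input must end by dropping everything that did not arrive from the LAN list.
    last = inp[-1] if inp else {}
    if not (last.get("action") == "drop" and last.get("in-interface-list") == "!LAN"):
        findings.append("input: last rule is not 'drop in-interface-list=!LAN'")
    # forward must drop new connections from WAN that were not DST-NATed.
    if not any(r.get("action") == "drop" and r.get("connection-state") == "new"
               and r.get("connection-nat-state") == "!dstnat"
               and r.get("in-interface-list") == "WAN" for r in fwd):
        findings.append("forward: missing 'drop all from WAN not DSTNATed'")
    return findings
```

Run `check_defaults(parse_rules(open("export.rsc").read()))` on a real `/export` before importing it; any non-empty result is a reason to stop and read the rules first.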
 
anav
Forum Guru
Posts: 7425
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada
Contact:

Re: Buying - RB1100AHx4 Dude Edition - Questions about Firewall

Mon May 10, 2021 7:43 pm

Nice!
 
SecCon
newbie
Topic Author
Posts: 49
Joined: Mon May 03, 2021 10:52 am
Location: Skåne, Sweden

Re: Buying - RB1100AHx4 Dude Edition - Questions about Firewall

Mon May 10, 2021 9:04 pm

> Best thing is to accept the default firewalls as they work out of the box quite safely.
> Then work to understand all the default rules.
> Then state your requirements and folks will likely chime in to give some advice.
> Do not use quickset.
> Do use the safe mode button at all times.
> Clear requirements with a network diagram = useful assistance.

I would accept the default of course, but I guess there is room for improvement if you know your network and what can be blocked/allowed.
 
SecCon
newbie
Topic Author
Posts: 49
Joined: Mon May 03, 2021 10:52 am
Location: Skåne, Sweden

Re: Buying - RB1100AHx4 Dude Edition - Questions about Firewall

Mon May 10, 2021 9:07 pm

> Best thing is to accept the default firewalls as they work out of the box quite safely.
> The SOHO line of Mikrotik routers comes with a very decent default firewall rule set. The RB1100AHx4, however, is not from that line and comes with pretty plain defaults, hence it's wise to get some decent starting settings elsewhere.
>
> @SecCon: you can either wait for somebody to publish default settings and risk (probably a low risk, though) that they won't really be complete or not really the MT default. Or you can get yourself the cheapest possible MT device (that would likely be the hEX lite, with a suggested price of $40) and use that both as a playground and as a trustworthy source of default settings.

What would be the SOHO line of routers in your opinion? Mikrotik sure doesn't list any...

I have a Xeon server standing by for custom solutions and plenty of server power for virtual solutions that I can connect anyhow I like, but I am going with this for now.
 
SecCon
newbie
Topic Author
Posts: 49
Joined: Mon May 03, 2021 10:52 am
Location: Skåne, Sweden

Re: Buying - RB1100AHx4 Dude Edition - Questions about Firewall

Mon May 10, 2021 9:30 pm

BTW, also got this switch: https://mikrotik.com/product/CRS326-24G-2SplusRM

The weird thing is that it appears both as a Router and as a Switch on many shop sites... very confusing. Fortunately Mikrotik has it listed as "switch".

Delivery May 20.
 
anav
Forum Guru
Posts: 7425
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada
Contact:

Re: Buying - RB1100AHx4 Dude Edition - Questions about Firewall

Mon May 10, 2021 10:23 pm

The RB4011 would be the router of choice if looking at current or future 1gig ISP connections.
But I'm not familiar with the 1100; that may be a step down in terms of number of ports and throughput.
 
Paternot
Forum Veteran
Posts: 840
Joined: Thu Jun 02, 2016 4:01 am
Location: Niterói / Brazil

Re: Buying - RB1100AHx4 Dude Edition - Questions about Firewall

Mon May 10, 2021 10:55 pm

> BTW, also got this switch: https://mikrotik.com/product/CRS326-24G-2SplusRM
>
> The weird thing is that it appears both as a Router and as a Switch on many shop sites... very confusing. Fortunately Mikrotik has it listed as "switch".
>
> Delivery May 20.

The CRS switches can run both SwOS and ROS. When running ROS they may be used as routers and/or switches: they will route packets, and have all the possibilities of a Mikrotik router.

BUT

They have a VERY weak CPU. So, they would route - but quite slowly. This CRS326, as an example, can pass L2 traffic at wirespeed, in all ports at the same time. As a router it would barely get as high as 750Mbps.
 
Paternot
Forum Veteran
Posts: 840
Joined: Thu Jun 02, 2016 4:01 am
Location: Niterói / Brazil

Re: Buying - RB1100AHx4 Dude Edition - Questions about Firewall

Mon May 10, 2021 10:57 pm

> The RB4011 would be the router of choice if looking at current or future 1gig ISP connections.
> But I'm not familiar with the 1100; that may be a step down in terms of number of ports and throughput.

The 1100AHx4 is just the 4011 with 3 switches, 13 gigabit ports and no SFP+. Same RAM, and I think one has 128MB of flash and the other 512MB. The 1100 Dude edition has two SATA ports.
 
mkx
Forum Guru
Posts: 6020
Joined: Thu Mar 03, 2016 10:23 pm

Re: Buying - RB1100AHx4 Dude Edition - Questions about Firewall

Mon May 10, 2021 11:17 pm

> What would be the SOHO line of routers in your opinion?

All devices apart from: CHR, CRS line, CCR line, RB1100 line and possibly RB3011 (not sure about this one).

I'm not talking about SwOS devices here.
 
anav
Forum Guru
Posts: 7425
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada
Contact:

Re: Buying - RB1100AHx4 Dude Edition - Questions about Firewall

Tue May 11, 2021 5:32 am

@mkx can you send me an email please.
 
SecCon
newbie
Topic Author
Posts: 49
Joined: Mon May 03, 2021 10:52 am
Location: Skåne, Sweden

Re: Buying - RB1100AHx4 Dude Edition - Questions about Firewall

Tue May 11, 2021 10:03 am

> All devices apart from: CHR, CRS line, CCR line, RB1100 line and possibly RB3011 (not sure about this one).
>
> I'm not talking about SwOS devices here.

I would certainly wish for that to be clearly stated when looking at a product purchase. Then again, we look mostly at port speed, CPU power and RAM when choosing, I guess.
 
anav
Forum Guru
Posts: 7425
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada
Contact:

Re: Buying - RB1100AHx4 Dude Edition - Questions about Firewall

Tue May 11, 2021 2:06 pm

In any case, the more you can clearly define your current and likely future requirements the better advice can be provided.
 
mkx
Forum Guru
Posts: 6020
Joined: Thu Mar 03, 2016 10:23 pm

Re: Buying - RB1100AHx4 Dude Edition - Questions about Firewall

Tue May 11, 2021 4:55 pm

> @mkx can you send me an email please.

where to? ;-)
 
anav
Forum Guru
Posts: 7425
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada
Contact:

Re: Buying - RB1100AHx4 Dude Edition - Questions about Firewall

Tue May 11, 2021 5:26 pm

The email address when you click on my icon.........
Just below where it says I am a Mikrotik slow learner! ;-)
 
mkx
Forum Guru
Posts: 6020
Joined: Thu Mar 03, 2016 10:23 pm

Re: Buying - RB1100AHx4 Dude Edition - Questions about Firewall

Tue May 11, 2021 6:46 pm

No kidding, one can actually click on the icon? Whoever came up with that great idea must be a genius ;-)
 
anav
Forum Guru
Posts: 7425
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada
Contact:

Re: Buying - RB1100AHx4 Dude Edition - Questions about Firewall

Tue May 11, 2021 8:20 pm

and a genius!!
Normis je genije. (Croatian: "Normis is a genius.")
 
mkx
Forum Guru
Posts: 6020
Joined: Thu Mar 03, 2016 10:23 pm

Re: Buying - RB1100AHx4 Dude Edition - Questions about Firewall

Tue May 11, 2021 9:56 pm

You meant to write "Normis ir ģēnijs"? (Latvian: "Normis is a genius.")
 
anav
Forum Guru
Posts: 7425
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada
Contact:

Re: Buying - RB1100AHx4 Dude Edition - Questions about Firewall

Tue May 11, 2021 11:24 pm

Mana kļūda, ko es pieņēmu horvātu valodā, ir tā, ka LOL ir slikta lieta (Latvian: "My mistake, which I assumed was in Croatian, is that LOL is a bad thing")
 
SecCon
newbie
Topic Author
Posts: 49
Joined: Mon May 03, 2021 10:52 am
Location: Skåne, Sweden

Re: Buying - RB1100AHx4 Dude Edition - Questions about Firewall

Wed May 12, 2021 9:40 am

Are we having language lessons for the rats? :lol:
 
mkx
Forum Guru
Posts: 6020
Joined: Thu Mar 03, 2016 10:23 pm

Re: Buying - RB1100AHx4 Dude Edition - Questions about Firewall

Thu May 13, 2021 8:39 am

I think we're rather having fun with our favourite on-line translating tools.