JanJoh
Frequent Visitor
Topic Author
Posts: 50
Joined: Tue Nov 26, 2013 10:14 pm

So, where is the definitive guide to bridging firewalls.

Fri Feb 05, 2016 1:38 am

Ok, I have a RB2011UiAS

Port 3 is upstream to my CoLoc (just the way it got wired up)

Port 2 is connected to the primary interface of a vmware-box.

Port 5 is connected to the IPMI interface of my box.

Port 1-3 is assigned to "bridge-outside" and all seem well.

What I would like to do now is:

1. Be able to use the bridge firewall to only allow access to some ports from certain IPs (in other words, filter vmware management traffic)

2. Be able to NAT traffic to the IPMI On Port 5

But, I cannot find a definitive guide on Bridging firewalls. At least not one that I can follow.
I started by enabling ip-firewall but that seemed to block all traffic (Thanks safe mode ;) )



[admin@MikroTik] > export
# feb/05/2016 00:34:48 by RouterOS 6.34
# software id = UN2F-4MM3
#
/interface bridge
add admin-mac=E4:8D:8C:1E:41:56 auto-mac=no name=bridge-local
add name=bridge-outside
/interface ethernet
set [ find default-name=ether1 ] comment=Upstream name=ether1-gateway
set [ find default-name=ether2 ] comment="wmnic0 - vmware Prod" master-port=\
ether1-gateway name=ether2-vmware
set [ find default-name=ether3 ] name=ether3-AxbyteUpstream
set [ find default-name=ether5 ] comment=wmic1 disabled=yes
set [ find default-name=ether6 ] comment=IPMI name=ether6-master-local
set [ find default-name=ether7 ] master-port=ether6-master-local name=\
ether7-slave-local
set [ find default-name=ether8 ] master-port=ether6-master-local name=\
ether8-slave-local
set [ find default-name=ether9 ] master-port=ether6-master-local name=\
ether9-slave-local
set [ find default-name=ether10 ] master-port=ether6-master-local name=\
ether10-slave-local
/ip neighbor discovery
set ether1-gateway comment=Upstream discover=no
set ether2-vmware comment="wmnic0 - vmware Prod"
set ether5 comment=wmic1
set ether6-master-local comment=IPMI
/ip ipsec proposal
set [ find default=yes ] enc-algorithms=aes-128-cbc
/ip pool
add name=default-dhcp ranges=192.168.88.10-192.168.88.254
/ip dhcp-server
add address-pool=default-dhcp disabled=no interface=bridge-local name=default
/interface bridge port
add bridge=bridge-local interface=ether4
add bridge=bridge-local interface=ether5
add bridge=bridge-local interface=ether6-master-local
add bridge=bridge-local interface=sfp1
add bridge=bridge-outside interface=ether1-gateway
add bridge=bridge-outside interface=ether2-vmware
add bridge=bridge-outside interface=ether3-AxbyteUpstream
/ip address
add address=192.168.88.1/24 comment="default configuration" interface=\
bridge-local network=192.168.88.0
add address=46.27.120.142/28 interface=bridge-outside network=46.27.120.128
add address=192.168.89.0/24 interface=ether4 network=192.168.89.0
/ip dhcp-server network
add address=192.168.88.0/24 comment="default configuration" dns-server=\
192.168.88.1 gateway=192.168.88.1
/ip dns
set allow-remote-requests=yes servers=8.8.8.8
/ip dns static
add address=192.168.89.0 name=router
/ip firewall filter
add chain=input comment="default configuration" protocol=icmp
add chain=input comment=SNMP-access dst-port=161 protocol=udp src-address=\
46.27.120.128/28
add chain=input comment="default configuration" connection-state=\
established,related
add chain=input dst-port=28291 protocol=tcp
add action=drop chain=input comment="default configuration" in-interface=\
bridge-outside
add chain=forward comment="default configuration" connection-state=\
established,related
add action=drop chain=forward comment="default configuration" connection-state=\
invalid
add action=drop chain=forward comment="default configuration" \
connection-nat-state=!dstnat connection-state=new in-interface=\
bridge-outside
/ip firewall nat
# ether1-gateway is a slave port of bridge-outside, so it cannot be used as an
# in/out-interface matcher (RouterOS flagged the original rules as inactive for
# that reason); the master bridge is matched instead.
add action=masquerade chain=srcnat comment="default configuration" \
out-interface=bridge-outside
# The port forwards are pinned to the router's own public address so that they
# only catch connections aimed at the router, never transit traffic to the VMs.
add action=dst-nat chain=dstnat dst-address=46.27.120.142 dst-port=80 \
in-interface=bridge-outside protocol=tcp src-address=94.234.170.167 \
to-addresses=192.168.88.254 to-ports=80
add action=dst-nat chain=dstnat dst-address=46.27.120.142 dst-port=443 \
in-interface=bridge-outside protocol=tcp src-address=94.234.170.167 \
to-addresses=192.168.88.254 to-ports=443
/ip route
add distance=1 gateway=46.27.120.129
/ip service
set winbox port=28291
/lcd pin
set pin-number=[removed before post]
/snmp
set enabled=yes
/system clock
set time-zone-name=Europe/Stockholm
/tool mac-server
set [ find default=yes ] disabled=yes
add interface=ether2-vmware
add interface=ether3-AxbyteUpstream
add interface=ether4
add interface=ether5
add interface=ether6-master-local
add interface=ether7-slave-local
add interface=ether8-slave-local
add interface=ether9-slave-local
add interface=ether10-slave-local
add interface=sfp1
add interface=bridge-local
/tool mac-server mac-winbox
set [ find default=yes ] disabled=yes
add interface=ether2-vmware
add interface=ether3-AxbyteUpstream
add interface=ether4
add interface=ether5
add interface=ether6-master-local
add interface=ether7-slave-local
add interface=ether8-slave-local
add interface=ether9-slave-local
add interface=ether10-slave-local
add interface=sfp1
add interface=bridge-local
/tool romon port
add
[admin@MikroTik] >
 
Revelation
Member
Posts: 336
Joined: Fri Dec 25, 2015 5:59 am

Re: So, where is the definitive guide to bridging firewalls.

Fri Feb 05, 2016 11:23 pm

Why are you trying to bridge the firewall instead of simply creating rules that permit and or deny traffic?

Use the "chain=forward" for the internal traffic.

Configure a srcNAT with relevant networks being allowed to access the internet via it - ensure that you use masquerade.
 
JanJoh
Frequent Visitor
Topic Author
Posts: 50
Joined: Tue Nov 26, 2013 10:14 pm

Re: So, where is the definitive guide to bridging firewalls.

Sat Feb 06, 2016 1:57 am

Why are you trying to bridge the firewall instead of simply creating rules that permit and or deny traffic?

Use the "chain=forward" for the internal traffic.

Configure a srcNAT with relevant networks being allowed to access the internet via it - ensure that you use masquerade.
That won't work. Some VMs have static IPs that simply can not be changed. The MT has been dropped in front of the machine to filter traffic as some of the VMs are exploitable.
 
Revelation
Member
Posts: 336
Joined: Fri Dec 25, 2015 5:59 am

Re: So, where is the definitive guide to bridging firewalls.

Sat Feb 06, 2016 2:49 am


That won't work. Some VMs have static IPs that simply can not be changed. The MT has been dropped in front of the machine to filter traffic as some of the VMs are exploitable.
You haven't provided any information on why it won't work. There's no need to change IPs; you're already filtering traffic....
 
JanJoh
Frequent Visitor
Topic Author
Posts: 50
Joined: Tue Nov 26, 2013 10:14 pm

Re: So, where is the definitive guide to bridging firewalls.

Sat Feb 06, 2016 1:46 pm


That won't work. Some VMs have static IPs that simply can not be changed. The MT has been dropped in front of the machine to filter traffic as some of the VMs are exploitable.
You haven't provided any information on why it won't work. There's no need to change IPs; you're already filtering traffic....
OK, I thought I either needed to use a NAT or a route or bridge to filter.

So, what SHOULD I do to, for instance, block all incoming traffic to port 53 (traffic enters on ether 3 and exits on ether 2, both members of bridge-outside)?
 
Revelation
Member
Posts: 336
Joined: Fri Dec 25, 2015 5:59 am

Re: So, where is the definitive guide to bridging firewalls.

Sat Feb 06, 2016 3:17 pm

OK, I thought I either needed to use a NAT or a route or bridge to filter.
Nope, NATing can be used for various things; most commonly it is to mask an internal (private) IP address with an external (public) IP address. Bridges, on MikroTiks, are like SVIs on Cisco. It allows you to create a virtual interface and assign an IP address to it. You can then "slave" vlans/ports to it to create a traffic flow within a subnet. At least that is how I have done it on my CCR1009.
So, what SHOULD I do to, for instance, block all incoming traffic to port 53 (traffic enters on ether 3 and exits on ether 2, both members of bridge-outside)?
My understanding of your network is that you have multiple subnets, correct?

If that is the case you only need to create firewall rules. These rules will use the chain=forward rule and you can annotate source IP/network / destination IP/network and port. There are many more options to dig into for filter via the built in firewall. You can use the input/output for bridge interfaces, just not necessary.

The forwarding chain rule applies to traffic that is not destined to or sourced from the router itself. So if you are trying to deny DNS traffic to say 10.10.10.0/24 it would look something like this:

# dst-port is only valid together with protocol, and src-address-list expects a list
# name, not a prefix; 0.0.0.0/0 as source is the default, so no source matcher is needed.
/ip firewall filter add chain=forward action=drop protocol=udp dst-address=10.10.10.0/24 dst-port=53
/ip firewall filter add chain=forward action=drop protocol=tcp dst-address=10.10.10.0/24 dst-port=53
So with the code above all traffic destined for the network 10.10.10.0/24 on port 53 would be denied, other traffic would be permitted unless additional rules were created.

If you can provide more details on your network, we can give you better advice on how to achieve your desired goals.
 
JanJoh
Frequent Visitor
Topic Author
Posts: 50
Joined: Tue Nov 26, 2013 10:14 pm

Re: So, where is the definitive guide to bridging firewalls.

Sat Feb 06, 2016 4:20 pm

OK, I thought I either needed to use a NAT or a route or bridge to filter.
Nope, NATing can be used for various things; most commonly it is to mask an internal (private) IP address with an external (public) IP address. Bridges, on MikroTiks, are like SVIs on Cisco. It allows you to create a virtual interface and assign an IP address to it. You can then "slave" vlans/ports to it to create a traffic flow within a subnet. At least that is how I have done it on my CCR1009.
So, what SHOULD I do to, for instance, block all incoming traffic to port 53 (traffic enters on ether 3 and exits on ether 2, both members of bridge-outside)?
My understanding of your network is that you have multiple subnets, correct?

If that is the case you only need to create firewall rules. These rules will use the chain=forward rule and you can annotate source IP/network / destination IP/network and port. There are many more options to dig into for filter via the built in firewall. You can use the input/output for bridge interfaces, just not necessary.

The forwarding chain rule applies to traffic that is not destined to or sourced from the router itself. So if you are trying to deny DNS traffic to say 10.10.10.0/24 it would look something like this:

# dst-port is only valid together with protocol, and src-address-list expects a list
# name, not a prefix; 0.0.0.0/0 as source is the default, so no source matcher is needed.
/ip firewall filter add chain=forward action=drop protocol=udp dst-address=10.10.10.0/24 dst-port=53
/ip firewall filter add chain=forward action=drop protocol=tcp dst-address=10.10.10.0/24 dst-port=53
So with the code above all traffic destined for the network 10.10.10.0/24 on port 53 would be denied, other traffic would be permitted unless additional rules were created.

If you can provide more details on your network, we can give you better advice on how to achieve your desired goals.
No, not multiple subnets.

I have a single /240 with a single upstream IP provided by my coloc provider.

All virtual machines are using the Coloc upstream as gateway. And for reasons I cannot go into changing the addresses on certain machines simply is not an option. So, what is required is a "transparent" firewall that can still allocate an IP for management. And provide NAT functionality for a second internal subnet.
 
ZeroByte
Forum Guru
Posts: 4047
Joined: Wed May 11, 2011 6:08 pm

Re: So, where is the definitive guide to bridging firewalls.

Sat Feb 06, 2016 4:48 pm

There is a way to do this with layer3 forwarding and not having to renumber anything.

The ethernet interface which is connected to the servers can work as an unnumbered interface. Let's say ether2 is this interface, and ether1 is the ISP interface. On these two interfaces, set arp=proxy-arp

Configure ether1 as normal, and configure NAT for the rest of the LAN as normal, but then for each IP address on ether2, create a static route:
x.x.x.4/32 gateway=ether2
x.x.x.6/32 gateway=ether2
etc.

The /29 will still officially live on ether1, but the /32 "exceptions" can live on ether2 in this manner.
 
JanJoh
Frequent Visitor
Topic Author
Posts: 50
Joined: Tue Nov 26, 2013 10:14 pm

Re: So, where is the definitive guide to bridging firewalls.

Sat Feb 06, 2016 4:55 pm

There is a way to do this with layer3 forwarding and not having to renumber anything.

The ethernet interface which is connected to the servers can work as an unnumbered interface. Let's say ether2 is this interface, and ether1 is the ISP interface. On these two interfaces, set arp=proxy-arp

Configure ether1 as normal, and configure NAT for the rest of the LAN as normal, but then for each IP address on ether2, create a static route:
x.x.x.4/32 gateway=ether2
x.x.x.6/32 gateway=ether2
etc.

The /29 will still officially live on ether1, but the /32 "exceptions" can live on ether2 in this manner.
Okay, that is an interesting approach. And the machines would have no issue talking internally via this approach?

And how do I implement firewalling with this approach?
 
ZeroByte
Forum Guru
Posts: 4047
Joined: Wed May 11, 2011 6:08 pm

Re: So, where is the definitive guide to bridging firewalls.

Sat Feb 06, 2016 5:08 pm

Firewalling in this approach is just a normal layer 3 thing - just as any forwarded packets would be filtered.

All this solution does is make the router answer ARP requests to the hosts on behalf of the real ISP router, and on behalf of any of your other public IP addresses. What's interesting about this solution is that it doesn't even have to be done on the same router: 192.0.2.2 can be 5 hops away from 192.0.2.3 and the hosts will communicate just fine. (Of course, all 5 hops need the /32 route pointing toward every "roaming" host.)

A traceroute from 192.0.2.2 to 192.0.2.3 could look like this:
Tracing the route to 192.0.2.3 over a maximum 255 hops:
1) 10.14.201.98 - 3ms 3ms 4ms
2) 10.14.175.18 - 6ms 5ms 6ms
3) 10.21.94.5 - 8ms 9ms 7ms
4) 192.0.2.3 - 9ms 9ms 7ms

Done

Isn't that funny? This happens because (in this example) when 192.0.2.2 sends an ARP request for 192.0.2.3, then the router 10.14.201.98 answers the ARP request, and so .2 hands the packet to the router. At this point, normal routing takes over and the router sees a packet from .2 with a destination of .3, and finds that in the routing table, there is a /32 for .3 which goes to 10.14.175.18 so it just forwards the packet. It doesn't even think it's doing something sneaky - it's just forwarding packets.

When 192.0.2.3 receives the packet, it replies to 192.0.2.2, and so it sends an ARP request for 192.0.2.2 - where the router at hop 3 replies with its own MAC address (in proxy for the real 192.0.2.2) and the same process happens going the other way. If you were to look at the ARP cache in 192.0.2.3, you would see that all 5 IPs of its local network hosts have the same MAC address - the router's MAC address.
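The proxy-ARP layout ZeroByte describes, written out as an added example for the RB2011 in the posted export (this is not configuration from the thread or from MikroTik). Values reused from the export: the co-location prefix 46.27.120.128/28, the upstream gateway 46.27.120.129, the router's own address 46.27.120.142, the admin host 94.234.170.167, and the ports bridge-outside / ether2-vmware. Assumed and not in the thread: the ESXi management address 46.27.120.140, a second VM at 46.27.120.141, and the ports those VMs expose. The existing bridge keeps the /28 on bridge-outside (ether1 and ether3); only ether2 is pulled out and routed.

```routeros
# Added example, not from the thread. Assumed: 46.27.120.140 = ESXi management,
# 46.27.120.141 = a second VM; everything else is taken from the posted export.

# ether2 leaves bridge-outside and its switch group so that it can be routed.
/interface bridge port
remove [find interface=ether2-vmware]
/interface ethernet
set ether2-vmware master-port=none arp=proxy-arp
# The /28 stays on bridge-outside; proxy-ARP there makes the router answer the
# ISP router's ARP for the /32s that now live behind ether2.
/interface bridge
set bridge-outside arp=proxy-arp

# One host route per server. ether2 itself stays unnumbered. Proxy-ARP on ether2
# makes the router answer the VMs' ARP for .129 (their unchanged gateway) and for
# each other's addresses, so nothing on the VMs needs renumbering.
/ip route
add dst-address=46.27.120.140/32 gateway=ether2-vmware comment="ESXi mgmt"
add dst-address=46.27.120.141/32 gateway=ether2-vmware comment="VM 1"

# The export's masquerade rule would otherwise rewrite the VMs' public source
# addresses to .142 on the way out; limit it to the private LAN.
/ip firewall nat
set [find chain=srcnat action=masquerade] src-address=192.168.88.0/24

# Filtering is now ordinary forward-chain filtering with connection tracking.
# These rules must sit ahead of the export's default "drop new from bridge-outside
# unless dstnat" rule, which would otherwise discard traffic to the VMs.
/ip firewall filter
add chain=forward in-interface=bridge-outside dst-address=46.27.120.140 \
    protocol=tcp dst-port=22,443,902 src-address=94.234.170.167 action=accept \
    comment="ESXi mgmt (ssh, vSphere, console) from the admin host only" \
    place-before=[find chain=forward action=drop connection-state=new]
add chain=forward in-interface=bridge-outside dst-address=46.27.120.140 \
    action=drop log=yes log-prefix="esxi-mgmt" \
    comment="ESXi mgmt from anyone else" \
    place-before=[find chain=forward action=drop connection-state=new]
add chain=forward in-interface=bridge-outside dst-address=46.27.120.141 \
    protocol=tcp dst-port=80,443 action=accept comment="VM 1 public services" \
    place-before=[find chain=forward action=drop connection-state=new]
```

Because the forward chain has connection tracking, replies from the VMs are covered by the export's existing established,related rule; the per-host drop and the default drop rule then give each VM a deny-by-default posture without any change on the VMs. A traceroute from one VM to the other will show the router as an intermediate hop, exactly as in ZeroByte's example, and the VMs' ARP caches will show the router's MAC for every peer.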
 
JanJoh
Frequent Visitor
Topic Author
Posts: 50
Joined: Tue Nov 26, 2013 10:14 pm

Re: So, where is the definitive guide to bridging firewalls.

Thu Feb 11, 2016 6:05 pm

Ok... Now I feel silly, but I found the problem with my original bridging firewall. I just needed a catch-all rule for the bridge to allow all traffic that was not blocked by previous rules... I messed up my sequencing of rules.

However... Live and learn, I guess? :)
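The bridge-filter version of the original question (filter ESXi management inside bridge-outside without renumbering anything, and forward a port to the IPMI interface on bridge-local), as an added example; it is not configuration from the thread or from MikroTik, and it illustrates the rule-ordering point of the post above. Reused from the export: bridge-outside with ether3-AxbyteUpstream as upstream and ether2-vmware toward the host, the router address 46.27.120.142, and the admin host 94.234.170.167. Assumed and not in the thread: ESXi management at 46.27.120.140, the IPMI interface at 192.168.88.20 on bridge-local, and external port 8443 for the IPMI web UI.

```routeros
# Added example, not from the thread. Assumed: 46.27.120.140 = ESXi management,
# 192.168.88.20 = IPMI on bridge-local, 8443 = external port for the IPMI web UI.

/interface bridge filter
# Order matters: the first matching rule wins. Accepts for the admin host come
# first, the drop for everyone else second, the catch-all accept last. A drop
# placed ahead of the accepts would silently kill the management session too.
# Bridge filter has no connection tracking: each frame is judged on its own, so
# only the upstream -> ESXi direction (ether3 -> ether2) is restricted here and
# replies from the host pass through the catch-all.
add chain=forward in-interface=ether3-AxbyteUpstream out-interface=ether2-vmware \
    mac-protocol=ip ip-protocol=tcp src-address=94.234.170.167/32 \
    dst-address=46.27.120.140/32 dst-port=443 action=accept \
    comment="ESXi vSphere/HTTPS from the admin host"
add chain=forward in-interface=ether3-AxbyteUpstream out-interface=ether2-vmware \
    mac-protocol=ip ip-protocol=tcp src-address=94.234.170.167/32 \
    dst-address=46.27.120.140/32 dst-port=902 action=accept \
    comment="ESXi VM console from the admin host"
add chain=forward in-interface=ether3-AxbyteUpstream out-interface=ether2-vmware \
    mac-protocol=ip dst-address=46.27.120.140/32 action=drop \
    log=yes log-prefix="esxi-mgmt-drop" comment="anything else to ESXi mgmt"
add chain=forward action=accept comment="catch-all: other VMs pass unfiltered"

# IPMI on bridge-local: reachable only via the router's own public address, only
# from the admin host, only on the forwarded port. in-interface must be the
# bridge, not one of its slave ports (the export's own warning says why).
/ip firewall nat
add chain=dstnat in-interface=bridge-outside dst-address=46.27.120.142 \
    protocol=tcp dst-port=8443 src-address=94.234.170.167 \
    action=dst-nat to-addresses=192.168.88.20 to-ports=443 comment="IPMI web UI"
```

This keeps `/interface bridge settings use-ip-firewall` at its default of no, so bridged VM traffic is handled by the bridge filter and `/ip firewall` only sees routed traffic (the IPMI forward is accepted by the export's existing "connection-nat-state=dstnat" rule). Turning use-ip-firewall on instead would send every bridged frame through the IP forward chain with in-interface=bridge-outside, where the export's default "drop new from bridge-outside unless dstnat" rule discards it, which matches the "blocked all traffic" symptom in the first post; if that mode is wanted, the VM accept rules have to be placed ahead of that drop rule using the in-bridge-port and out-bridge-port matchers.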
