Oroachi
just joined
Topic Author
Posts: 4
Joined: Fri Mar 17, 2017 7:56 am

Default Mikrotik Firewall config (RouterOS 6.38.5)

Fri Mar 17, 2017 8:09 am

Hello,

I recently bought an RB750Gr3 and upon installing and upgrading it to 6.38.5, I saw that the default firewall config leaves the RB's WAN interface set to accept connections on all ports (according to nmap)?

This is the current firewall config that I have at the moment, however, I'm not sure if the final drop rule is appropriate?

/ip firewall filter
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment="defconf: accept established,related" connection-state=established,related
add action=drop chain=input comment="defconf: drop all from WAN" in-interface=ether1
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related
add action=accept chain=forward comment="defconf: accept established,related" connection-state=established,related
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
add action=drop chain=forward comment="defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat connection-state=new in-interface=ether1

/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" out-interface=ether1
 
docmarius
Forum Guru
Posts: 1219
Joined: Sat Nov 06, 2010 12:04 pm
Location: Timisoara, Romania

Re: Default Mikrotik Firewall config (RouterOS 6.38.5)

Fri Mar 17, 2017 8:40 am

The last input drop rule is appropriate only if you use eth1 as the WAN interface.
If you add a PPPoE or similar interface (meaning you do not have the default config anymore), you need to drop that interface instead of eth1.
The same is true for the last forward drop rule.
 
Oroachi
just joined
Topic Author
Posts: 4
Joined: Fri Mar 17, 2017 7:56 am

Re: Default Mikrotik Firewall config (RouterOS 6.38.5)

Fri Mar 17, 2017 8:50 pm

OK.

Now, the issue that I'm running into (and I'm not entirely sure if it's an issue or not) is that whenever I run an external TCP port scan via nmap to the address assigned to ether1 (my WAN interface), I see that the Mikrotik responds to ALL TCP requests (no ports are being filtered). Is this intentional or am I misinterpreting these results?
 
janus20
Member Candidate
Posts: 111
Joined: Thu Nov 03, 2016 10:31 am
Location: Pitesti, Romania

Re: Default Mikrotik Firewall config (RouterOS 6.38.5)

Fri Mar 17, 2017 9:07 pm

Hi,

Could you post your config? Please post the output of the command:
/export hide-sensitive
Kind regards,
 
Oroachi
just joined
Topic Author
Posts: 4
Joined: Fri Mar 17, 2017 7:56 am

Re: Default Mikrotik Firewall config (RouterOS 6.38.5)

Sat Mar 18, 2017 8:16 pm

Here you go:

# mar/18/2017 13:15:15 by RouterOS 6.38.5
# software id = QXJH-05EV
#
/interface ethernet
set [ find default-name=ether2 ] name=ether2-master
set [ find default-name=ether3 ] master-port=ether2-master
set [ find default-name=ether4 ] master-port=ether2-master
set [ find default-name=ether5 ] master-port=ether2-master
/ip neighbor discovery
set ether1 discover=no
set ether3 discover=no
set ether4 discover=no
set ether5 discover=no
/ip hotspot profile
set [ find default=yes ] html-directory=flash/hotspot
/ip ipsec proposal
set [ find default=yes ] enc-algorithms=aes-256-cbc
/ip pool
add name=default-dhcp ranges=192.168.88.10-192.168.88.254
/ip dhcp-server
add add-arp=yes address-pool=default-dhcp disabled=no interface=ether2-master name=defconf
/ppp profile
add dns-server=192.168.88.1 local-address=192.168.2.1 name=ipsec_vpn
/ip firewall connection tracking
set enabled=yes
/ip neighbor discovery settings
set default=no
/ip settings
set rp-filter=strict
/ipv6 settings
set max-neighbor-entries=1024
/interface l2tp-server server
set authentication=mschap1,mschap2 default-profile=ipsec_vpn enabled=yes
/ip address
add address=192.168.88.1/24 comment=defconf interface=ether2-master network=192.168.88.0
/ip dhcp-client
add comment=defconf dhcp-options=hostname,clientid disabled=no interface=ether1
/ip dhcp-server lease
add address=192.168.88.200 mac-address=32:EE:86:C6:19:B6 server=defconf
add address=192.168.88.2 always-broadcast=yes client-id=1:4c:5e:c:95:3:ca comment="Mikrotik Switch" mac-address=4C:5E:0C:95:03:CA server=defconf
add address=192.168.88.100 client-id=1:90:e2:ba:18:a0:88 comment="Proxmox Host" mac-address=90:E2:BA:18:A0:88 server=defconf
add address=192.168.88.101 mac-address=32:2E:C5:72:95:D3 server=defconf
add address=192.168.88.102 mac-address=66:4F:00:BF:15:9F server=defconf
add address=192.168.88.4 client-id=1:0:18:dd:5:26:1e comment="HD HomeRun" mac-address=00:18:DD:05:26:1E server=defconf
add address=192.168.88.3 client-id=1:4:18:d6:c0:cd:11 comment="Unifi AP" mac-address=04:18:D6:C0:CD:11 server=defconf
add address=192.168.88.220 mac-address=54:04:A6:7E:AD:15 server=defconf
/ip dhcp-server network
add address=192.168.88.0/24 comment=defconf dns-server=192.168.88.1 gateway=192.168.88.1 netmask=24 ntp-server=192.168.88.1
/ip dns
set allow-remote-requests=yes cache-max-ttl=1d query-server-timeout=1s servers=74.82.42.42,2001:470:20::2
/ip dns static
add address=192.168.88.1 name=router
/ip firewall filter
add action=accept chain=input comment="IPsec Server" connection-state=new dst-port=500,1701,4500 in-interface=ether1 log-prefix=vpn protocol=udp src-port=""
add action=accept chain=input comment=Plex dst-port=32400 in-interface=ether1 protocol=tcp
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment="defconf: accept established,related" connection-state=established,related
add action=drop chain=input comment="defconf: drop all from WAN" in-interface=ether1
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related
add action=accept chain=forward comment="defconf: accept established,related" connection-state=established,related
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
add action=drop chain=forward comment="defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat connection-state=new in-interface=ether1
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" out-interface=ether1
add action=dst-nat chain=dstnat comment=Plex in-interface=ether1 protocol=tcp to-addresses=192.168.88.101 to-ports=32400
add action=dst-nat chain=dstnat comment="DNS Proxy (redirects all DNS to RB)" dst-port=53 protocol=tcp to-addresses=192.168.88.1 to-ports=53
/ip ipsec peer
add address=0.0.0.0/0 enc-algorithm=aes-256 exchange-mode=main-l2tp generate-policy=port-override hash-algorithm=sha256 send-initial-contact=no
/ip service
set telnet disabled=yes
set ftp disabled=yes
set www address=192.168.88.0/24 disabled=yes
set api disabled=yes
set api-ssl disabled=yes
/ip ssh
set strong-crypto=yes
/ip upnp
set enabled=yes
/ip upnp interfaces
add interface=ether1 type=external
add interface=ether2-master type=internal
/ipv6 address
add from-pool=pool_v6 interface=ether2-master
/ipv6 dhcp-client
add add-default-route=yes interface=ether1 pool-name=pool_v6 request=address,prefix
/ipv6 firewall filter
add action=accept chain=forward comment="allow forwarding established, related" connection-state=established,related
add action=accept chain=forward comment="allow forward lan->wan" in-interface=ether2-master out-interface=ether1
add action=accept chain=forward comment="allow ICMPv6 forwarding" in-interface=ether1 protocol=icmpv6
add action=reject chain=forward comment="reject every other forwarding request" reject-with=icmp-port-unreachable
add action=accept chain=input comment="accept established, related" connection-state=established,related
add action=accept chain=input comment="allow ICMPv6" in-interface=ether1 protocol=icmpv6
add action=accept chain=input comment="allow DHCPv6 renew" dst-address=fc00::/6 dst-port=546 in-interface=ether1 protocol=udp src-address=fc00::/6
add action=accept chain=input comment="allow lan" in-interface=ether2-master
add action=reject chain=input comment="reject everything else" reject-with=icmp-port-unreachable
/ipv6 nd
set [ find default=yes ] advertise-dns=yes interface=ether2-master managed-address-configuration=yes other-configuration=yes
/ppp secret
add name=username profile=ipsec_vpn remote-address=192.168.2.2 service=l2tp
/system clock
set time-zone-name=America/Chicago
/system ntp client
set enabled=yes primary-ntp=171.66.97.126 secondary-ntp=137.190.2.4
/system ntp server
set enabled=yes manycast=no
/system routerboard settings
# Warning: memory not running at default frequency
set memory-frequency=1200DDR
/system scheduler
add comment="Update No-IP DDNS" interval=5m name=no-ip_ddns_update on-event=no-ip_ddns_update policy=read,write,test start-date=jan/14/2017 start-time=13:37:46
/system script
add name=" no-ip_ddns_update" owner=admin policy=read,write,test source="#No-IP automatic Dynamic DNS update for RouterOS v6.x\r\
\n\r\
\n#--------------- Change Values in this section to match your setup ------------------\r\
\n\r\
\n# No-IP User account info\r\
\n:local noipuser \"username\"\r\
\n:local noippass \"password\"\r\
\n\r\
\n# Workaround - find IP of a single dynamic host for IP prior to update\r\
\n# Only enter a single hostname for this variable\r\
\n:local previphost \"test.ddns.net\"\r\
\n\r\
\n# Set the hostname or label of network to be updated.\r\
\n# Hostnames with spaces are unsupported. Replace the value in the quotations below with your host names.\r\
\n# To specify multiple hosts, separate them with commas.\r\
\n:local noiphost \"test.ddns.net\"\r\
\n\r\
\n# Change to the name of interface that gets the dynamic IP address\r\
\n:local inetinterface \"ether1\"\r\
\n\r\
\n#------------------------------------------------------------------------------------\r\
\n# No more changes need\r\
\n\r\
\n:global previousIP\r\
\n\r\
\n:if ([/interface get \$inetinterface value-name=running]) do={\r\
\n\r\
\n# get the current IP address from the internet (in case of double-nat)\r\
\n/tool fetch mode=http address=\"checkip.dyndns.org\" src-path=\"/\" dst-path=\"dyndns.checkip.html\"\r\
\n:local result [/file get dyndns.checkip.html contents]\r\
\n\r\
\n# parse the current IP result\r\
\n:local resultLen [:len \$result]\r\
\n:local startLoc [:find \$result \": \" -1]\r\
\n:set startLoc (\$startLoc + 2)\r\
\n:local endLoc [:find \$result \"</body>\" -1]\r\
\n:local currentIP [:pick \$result \$startLoc \$endLoc]\r\
\n:log info \"Update NO-IP.com: currentIP = \$currentIP\"\r\
\n\r\
\n# Get the current IP on the interface\r\
\n# :local currentIP [/ip address get [find interface=\"\$inetinterface\" disabled=no] address]\r\
\n\r\
\n# Strip the net mask off the IP address\r\
\n# :for i from=( [:len \$currentIP] - 1) to=0 do={ \r\
\n# :if ( [:pick \$currentIP \$i] = \"/\") do={\r\
\n# :set currentIP [:pick \$currentIP 0 \$i]\r\
\n# }\r\
\n# }\r\
\n\r\
\n# Get your previous IP address\r\
\n :set previousIP [:resolve \$previphost]\r\
\n \r\
\n :if (\$currentIP != \$previousIP) do={\r\
\n :log info \"No-IP: Current IP \$currentIP is not equal to previous IP \$previousIP, update needed\"\r\
\n :set previousIP \$currentIP\r\
\n\r\
\n# The update URL. Note the \"\\3F\" is hex for question mark (\?). Required since \? is a special character in commands.\r\
\n :local url \"https://dynupdate.no-ip.com/nic/update\ ... rentIP\"\r\
\n :local noiphostarray\r\
\n :set noiphostarray [:toarray \$noiphost]\r\
\n :foreach host in=\$noiphostarray do={\r\
\n :log info \"No-IP: Sending update for \$host\"\r\
\n /tool fetch url=(\$url . \"&hostname=\$host\") user=\$noipuser password=\$noippass mode=https keep-result=no;\r\
\n :log info \"No-IP: Host \$host updated on No-IP with IP \$currentIP\"\r\
\n }\r\
\n } else={\r\
\n :log info \"No-IP: Previous IP \$previousIP is equal to current IP, no update needed\"\r\
\n }\r\
\n} else={\r\
\n :log info \"No-IP: \$inetinterface is not currently running, so therefore will not update.\"\r\
\n}"
/tool bandwidth-server
set enabled=no
/tool mac-server
set [ find default=yes ] disabled=yes
add interface=ether2-master
/tool mac-server mac-winbox
set [ find default=yes ] disabled=yes
add interface=ether2-master
/tool mac-server ping
set enabled=no
 
tr00g33k
Frequent Visitor
Posts: 84
Joined: Sun Mar 29, 2015 3:58 pm

Re: Default Mikrotik Firewall config (RouterOS 6.38.5)

Sun Mar 19, 2017 3:26 pm

Are you doing the scan from inside the network to your WAN IP? From the router's LAN? If this is the case, this is normal.

I checked your config once more: you have any TCP port NATed to internal 192.168.88.101:32400.
 
Oroachi
just joined
Topic Author
Posts: 4
Joined: Fri Mar 17, 2017 7:56 am

Re: Default Mikrotik Firewall config (RouterOS 6.38.5)

Sun Mar 19, 2017 6:26 pm

I was doing the scan from outside my network (from my workplace) to my WAN IP, however, thanks for highlighting the error in my port forward rule. I switched like so and my issue appears to be resolved:

OLD
chain=dstnat action=dst-nat to-addresses=192.168.88.101 to-ports=32400 protocol=tcp in-interface=ether1 dst-port=32400 log=no log-prefix=""

NEW
chain=dstnat action=dst-nat to-addresses=192.168.88.101 to-ports=32400 protocol=tcp dst-port=32400

Thanks again for your help!
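The root cause in this thread is a dst-nat rule with no dst-port, which DNATs every TCP port arriving on the WAN interface to the internal host, and the default forward chain then accepts it because the connection is dstnat'ed. The following is an added example (not from this thread or MikroTik) that lints an `/ip firewall nat` export for such rules; the sample export text is constructed to mirror the rules posted above, and the `comment` values and the hypothetical "Fixed" rule are assumptions.

```python
import shlex

# Constructed sample modelled on the export posted above: the "Plex" rule has no
# dst-port, so every TCP port on ether1 is forwarded to 192.168.88.101.
SAMPLE_NAT_EXPORT = """\
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" out-interface=ether1
add action=dst-nat chain=dstnat comment=Plex in-interface=ether1 protocol=tcp to-addresses=192.168.88.101 to-ports=32400
add action=dst-nat chain=dstnat comment="DNS Proxy" dst-port=53 protocol=tcp to-addresses=192.168.88.1 to-ports=53
add action=dst-nat chain=dstnat comment=Fixed dst-port=32400 protocol=tcp to-addresses=192.168.88.101 to-ports=32400
"""


def parse_rule(line):
    """Turn one 'add k=v k="quoted v"' export line into a dict; shlex strips the quotes."""
    tokens = shlex.split(line)
    if not tokens or tokens[0] != "add":
        return None  # menu path lines, comments, 'set' lines are not rules
    rule = {}
    for tok in tokens[1:]:
        key, _, value = tok.partition("=")
        rule[key] = value
    return rule


def find_wide_open_dnat(export_text):
    """Return (comment, reason) for dst-nat rules that forward more than the intended port.

    A dst-nat rule without dst-port matches every port of its protocol (or every
    protocol if none is set). Because the default forward chain only drops new WAN
    connections that are NOT dstnat'ed, such a rule exposes the whole internal host.
    """
    findings = []
    for line in export_text.splitlines():
        rule = parse_rule(line)
        if not rule or rule.get("action") != "dst-nat":
            continue
        if "dst-port" not in rule:
            proto = rule.get("protocol", "any")
            target = rule.get("to-addresses", "<unset>")
            findings.append((rule.get("comment", "<no comment>"),
                             f"no dst-port: every {proto} port from WAN is DNATed to {target}"))
    return findings


if __name__ == "__main__":
    for comment, reason in find_wide_open_dnat(SAMPLE_NAT_EXPORT):
        print(f"[!] rule '{comment}': {reason}")
```

Run it against a real `/export hide-sensitive` to confirm every dst-nat rule names the single port it is meant to publish.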
