Talionet
just joined
Topic Author
Posts: 3
Joined: Thu Oct 12, 2017 5:29 pm

Allow management only on a specific (lan) port

Fri Oct 13, 2017 5:45 pm

Hi,

I bought a hEX and I would like to make it even safer.
Can we disable or block access to management (ssh, winbox, et al.) from all but a specific port?

So far, using raw filter, I could block all IP access to 192.168.1.1, which is the LAN IP of hEX.
At least, no ssh, telnet, web interface, etc.
/ip firewall raw
add action=drop chain=prerouting dst-address=192.168.1.1 in-interface=\
       ether2-master log=yes
And using /tool mac-server, I could change the interface from all for mac-server (mac-telnet).
For mac-winbox, I had to add bridge1 and disable "all", as I got an error message telling me that we can't modify this "all" entry.
/tool mac-server 
set [ find default=yes ] interface=bridge1
/tool mac-server mac-winbox
set [ find default=yes ] disabled=yes
add interface=bridge1
With these, I can at least use winbox (mac) or mac-telnet on ether4 (under bridge1, for now), and all other ports have no access to management.

But I would still like to use SSH and maybe SNMP on this port (ether4), as mac-telnet is somehow unstable (it logs off automatically, very often...) and I would like to do batch processing from a controller machine via SSH.

Is it possible to allow only this port to connect to the SSH server on the hEX?
How should I do it?

And is there a better way to do all this?
 
ZeroByte
Forum Guru
Posts: 4047
Joined: Wed May 11, 2011 6:08 pm

Re: Allow management only on a specific (lan) port

Fri Oct 13, 2017 11:10 pm

See this thread:
viewtopic.php?f=13&t=122279

It's exactly the same issue, except that you'll do the blocking in the input chain instead of the forward chain.
 
Talionet
just joined
Topic Author
Posts: 3
Joined: Thu Oct 12, 2017 5:29 pm

Re: Allow management only on a specific (lan) port

Sun Oct 15, 2017 9:16 pm

Hi,

Thank you for the information.
I have been reading the thread, but I was not sure which of the methods is better.

I tried the bridge method, and it seems I'm getting what I wanted with the following setup.
With these, there is no management on any port other than ether4 (MAC or IP), and NAT masquerade and blocking of WAN traffic are working.

I guess there are settings not really correct and/or needed, and I'd appreciate any suggestion.
For example, I put 192.168.1.1 in winbox to block management access and it was modified to 192.168.1.1/32 when I exported.
I don't know why and if I should change something.
/interface bridge
add name=bridge1
/interface ethernet
set [ find default-name=ether1 ] name=ether1-Wan1
set [ find default-name=ether2 ] name=ether2-master
set [ find default-name=ether3 ] master-port=ether2-master
set [ find default-name=ether5 ] name=ether5-Wan2
/ip hotspot profile
set [ find default=yes ] html-directory=flash/hotspot
/interface bridge filter
add action=accept chain=forward in-interface=ether4
add action=drop chain=forward dst-address=192.168.1.1/32 in-interface=!ether4 \
    log=yes mac-protocol=ip
add action=drop chain=input dst-address=192.168.1.1/32 in-interface=!ether4 \
    mac-protocol=ip
add action=drop chain=input dst-address=192.168.11.12/32 mac-protocol=ip
add action=accept chain=input
/interface bridge nat
add action=accept chain=srcnat out-interface=ether1-Wan1
/interface bridge port
add bridge=bridge1 interface=ether2-master
add bridge=bridge1 interface=ether4
add bridge=bridge1 interface=ether5-Wan2
add bridge=bridge1 interface=ether1-Wan1
/interface bridge settings
set use-ip-firewall=yes
/ip address
add address=192.168.1.1/24 comment=defconf interface=bridge1 network=\
    192.168.1.0
add address=192.168.11.12/24 interface=ether1-Wan1 network=192.168.0.0
/ip dns
set servers=8.8.8.8
/ip firewall filter
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment="defconf: accept established,related" \
    connection-state=established,related
add action=drop chain=input comment="defconf: drop all from WAN" \
    in-interface=bridge1 src-address=!192.168.1.0/24
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
    connection-state=established,related
add action=accept chain=forward comment="defconf: accept established,related" \
    connection-state=established,related
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
add action=drop chain=forward comment=\
    "defconf:  drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
    connection-state=new in-interface=bridge1 src-address=!192.168.1.0/24
/ip firewall nat
add action=masquerade chain=srcnat dst-address=!192.168.1.0/24
/ip route
add distance=1 gateway=192.168.11.1
/ip service
set www-ssl disabled=no
/system identity
set name=Rbox1
/system routerboard settings
set memory-frequency=1200DDR protected-routerboot=disabled
/tool mac-server
set [ find default=yes ] disabled=yes
add interface=ether4
/tool mac-server mac-winbox
set [ find default=yes ] disabled=yes
add interface=ether4
 
ZeroByte
Forum Guru
Posts: 4047
Joined: Wed May 11, 2011 6:08 pm

Re: Allow management only on a specific (lan) port

Mon Oct 16, 2017 6:21 pm

The drop rule in the bridge filter is not going to help.
add action=drop chain=forward dst-address=192.168.1.1/32 in-interface=!ether4 log=yes mac-protocol=ip
The forward chain only applies to traffic going through the bridge - e.g. in ether1 and out ether2. If you're trying to filter traffic to/from the router itself, then you must use the input chain to prevent "lan -> router" or the output chain for "router -> lan".

Don't forget that this is a bridge, so the input/output chains will also apply to traffic that has been forwarded to/from the Internet by the router.
I think the packet marking solution is the easiest to do if you simply want to block admin access.

On your bridge filter, there should be an input chain rule that marks packets if in-interface is the "limited access" interface. The name of the mark doesn't matter; it's just there to flag stuff as having come from a specific bridge port.
Then the IP filter INPUT chain can be used to drop admin access if the packets have the mark from the bridge filter rule:
/ip firewall filter
add chain=input action=drop packet-mark=NoAdminAccess protocol=tcp dst-port=21-23,80,443,8291,8728,8729
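The packet-mark approach described in the reply above, written out as a complete RouterOS 6.40-style configuration. This is an added example, not configuration posted in this thread or shipped by MikroTik; it assumes the old-style bridge (bridge1 with ether2-master and ether4 as ports), 192.168.88.1 as the router's LAN address, and ether4 as the only port that should reach management services. The mark name NoAdminAccess and the rule comments are placeholders chosen here.

```routeros
# Added example (not from the thread): block management from every bridge port except ether4
# by flagging frames in the bridge filter and dropping them in the IP firewall input chain.

# 1. Bridge filter: flag every frame that is destined to the router itself
#    (input chain) and did NOT arrive on the management port ether4.
#    passthrough=yes lets the frame continue to the next rules after marking.
/interface bridge filter
add chain=input in-interface=!ether4 action=mark-packet \
    new-packet-mark=NoAdminAccess passthrough=yes \
    comment="flag frames from non-management bridge ports"

# 2. IP firewall: drop management services for flagged packets.
#    Rules are evaluated in order, so place-before=0 puts these at the top of the
#    input chain, ahead of the default accept rules.
#    Ports: 21 ftp, 22 ssh, 23 telnet, 80 www, 443 www-ssl, 8291 winbox, 8728/8729 api
/ip firewall filter
add chain=input packet-mark=NoAdminAccess protocol=tcp \
    dst-port=21-23,80,443,8291,8728,8729 action=drop \
    log=yes log-prefix="mgmt-blocked" \
    comment="deny management from non-management ports" place-before=0
add chain=input packet-mark=NoAdminAccess protocol=udp dst-port=161 action=drop \
    comment="deny SNMP from non-management ports" place-before=0

# 3. MAC-level access (mac-telnet, mac-winbox) does not pass through the IP
#    firewall, so restrict it separately. The default "all" entry can only be
#    disabled after another interface entry exists.
/tool mac-server
add interface=ether4
set [ find default=yes ] disabled=yes
/tool mac-server mac-winbox
add interface=ether4
set [ find default=yes ] disabled=yes

# 4. Verification: the log prefix makes blocked attempts easy to spot.
/log print where message~"mgmt-blocked"
```

Only frames that enter through a bridge port are seen by the bridge filter, so packets arriving on the non-bridged WAN ports (ether1, ether5 in the export below) never receive the mark; those still rely on the default "drop all from WAN" input rules. Check that the two drop rules sit above the "accept established,related" rule with `/ip firewall filter print`, otherwise an already-open session from a blocked port would be accepted.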
 
Talionet
just joined
Topic Author
Posts: 3
Joined: Thu Oct 12, 2017 5:29 pm

Re: Allow management only on a specific (lan) port

Tue Oct 17, 2017 7:15 pm

Thank you, again, for the suggestion.
I'll continue to read the different threads and check out the mangling method.
(I may have to use it for Dual Wan failover, too.)

----
I have tried another setup because I was pretty sure I was doing something not quite right in the previous setup.
This time, I updated from 6.36.1 to 6.40.4, thinking that the new feature may make things easier. (I'm not sure if there is any difference, yet.)
Also, I wanted to see the default firewall configuration to compare against the previous setup (to see what I was doing wrong).

So, I started in "Quick Set", checked the "Bridge All LAN Ports" and NAT options, to see what Quick Set would do. (And I left Quick Set there.)
After that, I removed ether4 from the slave ports and added it to bridge1, and I added an IP address for ether1 (WAN).

Once I added a bridge filter for INPUT chain like this, no more access to management (by IP) other than ether4.
/interface bridge filter
add action=drop chain=input dst-address=192.168.88.1/32 in-interface=!ether4 \
    log=yes mac-protocol=ip
Also, I modified MAC-server and MAC-Winbox to be usable only via ether4, as before.
/tool mac-server
set [ find default=yes ] disabled=yes
add interface=ether4
/tool mac-server mac-winbox
set [ find default=yes ] disabled=yes
add interface=ether4
So, it is pretty simple, if this kind of setup is really correct.
Also, the default security configuration, fasttrack, masquerade and others are already there, and I don't have to worry too much about whether I've put the basic things right.

The entire /export result:
# oct/16/2017 14:55:07 by RouterOS 6.40.4
# software id = AYF2-EAEN
#
# model = RouterBOARD 750G r3
# serial number = 6F390765XXXX
#
# Needs delay to import after reset ... (Known bug/issue?)
:delay 15s
/interface bridge
add name=bridge1
/interface ethernet
set [ find default-name=ether2 ] name=ether2-master
set [ find default-name=ether3 ] master-port=ether2-master
/ip neighbor discovery
set ether1 discover=no
set ether5 discover=no
/interface bridge filter
add action=drop chain=input dst-address=192.168.88.1/32 in-interface=!ether4 \
    log=yes mac-protocol=ip
/interface bridge port
add bridge=bridge1 interface=ether2-master
add bridge=bridge1 interface=ether4
/ip address
add address=192.168.88.1/24 comment=defconf interface=ether2-master network=\
    192.168.88.0
add address=192.168.11.2/24 interface=ether1 network=192.168.11.0
add address=192.169.33.1 interface=ether5 network=192.169.33.1
/ip dhcp-server network
add address=192.168.88.0/24 comment=defconf gateway=192.168.88.1 netmask=24
/ip dns
set allow-remote-requests=yes servers=8.8.8.8
/ip dns static
add address=192.168.88.1 name=router
/ip firewall filter
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
    connection-state=established,related
add action=accept chain=forward comment="defconf: accept established,related" \
    connection-state=established,related
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
add action=drop chain=forward comment=\
    "defconf:  drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
    connection-state=new in-interface=ether1
add action=drop chain=forward comment=\
    "defconf:  drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
    connection-state=new in-interface=ether5
add action=accept chain=input protocol=icmp
add action=accept chain=input connection-state=established
add action=accept chain=input connection-state=related
add action=drop chain=input in-interface=ether1
add action=drop chain=input in-interface=ether5
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" \
    out-interface=ether1
/ip route
add distance=1 gateway=192.168.11.1
/ip service
set telnet disabled=yes
set ftp disabled=yes
set www disabled=yes
set www-ssl certificate=192.168.88.1 disabled=no
set api disabled=yes
set api-ssl disabled=yes
/ip smb shares
set [ find default=yes ] directory=/pub
/system clock
set time-zone-name=America/Toronto
/system identity
set name=MBox2
/system routerboard mode-button
set enabled=no on-event=""
/tool mac-server
add interface=ether4
set [ find default=yes ] disabled=yes
/tool mac-server mac-winbox
add interface=ether4
set [ find default=yes ] disabled=yes
Edit: I changed the order of commands for mac-server and mac-winbox because we can't disable the default (all) entry before adding another interface.


Also, I guess we can use the waiting loop for the interfaces to come up instead of :delay 15s at the beginning.
It may take less time, and it works if the required delay is a bit longer (up to 30 sec).
(But :delay is easier, shorter, and probably enough for many of us.)
:local count 0; 
:while ([/interface ethernet find] = "") do={ 
	:if ($count = 30) do={
		:log warning "DefConf: Unable to find ethernet interfaces";
		/quit;
	}
	:delay 1s; 
	:set count ($count +1); 
};
 
ZeroByte
Forum Guru
Posts: 4047
Joined: Wed May 11, 2011 6:08 pm

Re: Allow management only on a specific (lan) port

Thu Oct 19, 2017 6:14 pm

The new style of bridging is currently only operational in the 6.41rcXX train (RC = release candidate - i.e. "beta").

Looks like you're getting a good handle on things otherwise, though.
