Nazralte
just joined
Topic Author
Posts: 19
Joined: Wed Jun 06, 2018 3:34 pm

Basic firewall setup (going off wiki post)

Mon Jun 11, 2018 4:10 pm

Hello again,

First off, thank you to Anav again for helping me get my router going. Today I just need to get the firewall going, and I believe I should be good to go.

Now, as I stated in my last post, I have 3 networks. Two of those networks will have another router (one router is a home Linksys router, the other is a Fortinet managed by another company). The third network is basically an open wifi for guests. So really, I don't need anything too harsh for a firewall setup, just the basics.

I was looking at using this https://wiki.mikrotik.com/wiki/Basic_un ... all_script as it seems like it covers the little I need. If you guys think this is a good way to go, let me know and I shall use it as is. If there is something else you think is really important, I would love to hear it.

Thanks!

Just for reference, this is my other post with the setup Anav helped me with. viewtopic.php?f=13&t=135387
 
anav
Forum Guru
Posts: 19099
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Basic firewall setup (going off wiki post)

Mon Jun 11, 2018 5:32 pm

Nope, don't recommend it. It's old, for one thing.
As discussed on a previous thread, the bogon list is not a concern for home owners and, with default drop rules, is covered anyway.

The rest is mostly noise as well.
Simplicity is for input and forward chains.

- accept established, related, untracked
- drop invalid
- allow rules required (input chain for admin to router, forward chain for lan to internet)
- drop everything else

The jury is still out whether it's better to put invalid first or second. Any takers that are smarter (like 95% of posters here LOL)?

If you want to get fancy, find a good source of blacklists, load it as an address list and drop it in the raw table before connection tracking:
/ip firewall raw add chain=prerouting in-interface-list=WAN src-address-list=blacklist action=drop

As far as ICMP goes, one can either enable or disable a simple rule for when one wants to have it be used:
/ip firewall filter add chain=input protocol=icmp action=accept (disable when not required)
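The drop-all ordering anav lists above (accept established/related/untracked, drop invalid, the few allow rules you actually need, drop everything else), written out as one complete RouterOS rule set. This is an added example, not anav's own configuration and not MikroTik's default: it assumes ether1 is the WAN uplink, the LAN ports sit on a bridge named `bridge`, admin PCs live in 192.168.10.0/24, and the router serves DNS and DHCP to the LAN (all assumed names and ranges); the blacklist entry is a constructed sample, not a real feed.

```routeros
# Added example (not from the thread). Assumed: ether1 = WAN, bridge = LAN,
# admin subnet 192.168.10.0/24, router is the LAN's DNS/DHCP server.

/interface list
add name=WAN
add name=LAN
/interface list member
add interface=ether1 list=WAN
add interface=bridge list=LAN

# Blacklist as an address list, dropped in raw/prerouting so the packets never
# reach connection tracking. 198.51.100.0/24 is a constructed sample entry.
/ip firewall address-list
add list=blacklist address=198.51.100.0/24 comment="sample entry; replace with a real feed"
/ip firewall raw
add chain=prerouting in-interface-list=WAN src-address-list=blacklist action=drop comment="drop blacklisted sources"

/ip firewall filter
# --- input: traffic to the router itself ---
add chain=input action=accept connection-state=established,related,untracked comment="accept established,related,untracked"
add chain=input action=drop connection-state=invalid comment="drop invalid"
# ICMP kept as a rule you can flip on for troubleshooting; disabled otherwise.
add chain=input action=accept protocol=icmp disabled=yes comment="ICMP, enable only when needed"
# The only allow rules this router needs: admin access from the admin subnet,
# and the LAN services the router provides.
add chain=input action=accept in-interface-list=LAN src-address=192.168.10.0/24 protocol=tcp dst-port=8291,22 comment="winbox/ssh from admin subnet only"
add chain=input action=accept in-interface-list=LAN protocol=udp dst-port=53 comment="DNS from LAN"
add chain=input action=accept in-interface-list=LAN protocol=udp dst-port=67 comment="DHCP from LAN"
add chain=input action=drop comment="drop everything else"

# --- forward: traffic through the router ---
# fasttrack must come before the accept-established rule or it never matches.
add chain=forward action=fasttrack-connection connection-state=established,related comment="fasttrack"
add chain=forward action=accept connection-state=established,related,untracked comment="accept established,related,untracked"
add chain=forward action=drop connection-state=invalid comment="drop invalid"
add chain=forward action=accept in-interface-list=LAN out-interface-list=WAN comment="LAN to internet"
add chain=forward action=drop comment="drop everything else"

/ip firewall nat
add chain=srcnat action=masquerade out-interface-list=WAN comment="masquerade"
```

Apply it from a Winbox session opened in Safe Mode, so a rule that locks you out is reverted when the session drops. Once it has run for a while, `/ip firewall filter print stats` shows per-rule packet counters; that is the easy way to settle the "invalid first or second" question for your own traffic, since the established rule should match orders of magnitude more packets than the invalid one.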
 
squeeze
Member Candidate
Posts: 145
Joined: Thu Mar 22, 2018 7:53 pm

Re: Basic firewall setup (going off wiki post)

Mon Jun 11, 2018 7:01 pm

These are the default firewall rules on SOHO Mikrotik devices. They are sufficient for all basic purposes:

/ip firewall filter
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=drop chain=input comment="defconf: drop all not coming from LAN" in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related
add action=accept chain=forward comment="defconf: accept established,related, untracked" connection-state=established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
add action=drop chain=forward comment="defconf:  drop all from WAN not DSTNATed" connection-nat-state=!dstnat connection-state=new in-interface-list=WAN
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" ipsec-policy=out,none out-interface-list=WAN

You can disable the ICMP and IPSEC rules, especially ICMP if the device's WAN is on the Internet.

@anav, it is relatively easy to tell where a rule should be placed by default. Rules are processed top-down, so unless you are setting up an exception for another rule further down (or some other dependency between rules), the default order should always be whichever rule matches the most packets is listed before others. This minimizes time spent by the CPU in the slow firewall stage and therefore decreases the load on the CPU. So, for almost any configuration or context, established connections should be far greater than invalid packets, making established a higher priority.
 
anav
Forum Guru
Posts: 19099
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Basic firewall setup (going off wiki post)

Mon Jun 11, 2018 7:36 pm

Thanks squeeze but I am so bad at networking that most of my packets are invalid LOL.

As for the basic setup, that is the default that MikroTik provides and is quite good.

As noted, I tend to prefer and have gravitated towards a drop-all approach, and allow traffic, vice what is supplied
as default, which is on a premise of accept all except for what one blocks!

In the end, the worst-case scenario for me is that I block wanted traffic, and through logging and such I can figure it out and adjust.
In the allow model, I shudder at the consequences ;-)
 
Steveocee
Forum Guru
Posts: 1120
Joined: Tue Jul 21, 2015 10:09 pm
Location: UK

Re: Basic firewall setup (going off wiki post)

Tue Jun 12, 2018 5:20 pm

The default firewall is decent enough. I have re-written it to suit my own tastes but the basic framework was common sense combined with that.

If you wanted to try it on your own, use the basics of the default and try to stick to block all, accept only what you want.
 
Nazralte
just joined
Topic Author
Posts: 19
Joined: Wed Jun 06, 2018 3:34 pm

Re: Basic firewall setup (going off wiki post)

Tue Jun 12, 2018 5:29 pm

Thanks all.

One last thing. I would like to make it so only by plugging into port 5 can you access the admin functions of the router. That way people like random guests can't get to the web GUI just by guessing the right IP address or something.

I remember seeing something about that on that older wiki post, but since you say it's old, there may be a better way of doing it.
 
anav
Forum Guru
Posts: 19099
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Basic firewall setup (going off wiki post)

Tue Jun 12, 2018 7:07 pm

Hi Naz.

You have scary people working behind your router that want to do such damage!!

First, I would assume your admin PC is on a 'friendly LAN', not on the guest wifi subnet or a less sensitive network.
Second, I would assume you have locked down access to SSH and Winbox in the INPUT CHAIN RULES to only the subnet where the admin uses PCs.
Third, under IP services you have narrowed down the actual IP addresses of admin PCs that need access to Winbox and SSH (you could do this also in input chain rules).
Fourth, I assume you have static leases for the admin PCs (I have static leases for all devices on my subnets).

Finally, there is also nothing wrong with keeping port 5 as a separate interface, with an IP pool of one, to plug in your PC to administer the network.
However, you are limiting yourself to one physical location in that regard, whereas if one of your admin PCs is a laptop, you cannot move around and plug into the network...
 
Nazralte
just joined
Topic Author
Posts: 19
Joined: Wed Jun 06, 2018 3:34 pm

Re: Basic firewall setup (going off wiki post)

Tue Jun 12, 2018 9:55 pm

It's not scary people, it's random people. You never know what people may try to do because they are trying to be malicious or they are just dumb.

Just so I am clear and so I don't lock myself out: under the User list, it has the default admin (of which I have changed the name and password), and when you open that up you can put in an 'Allowed address'. So if I were to make said address 192.168.6.0/24, that would allow any address like 192.168.6.52/24 access to the router, but anything else, not?
This way I could make port 5's address 192.168.6.1/24 and only be able to log into the router when plugged in to that port, right?

We have a small office here, and I live close by anyways. I don't need to log in remotely really, so it shouldn't be an issue.
 
anav
Forum Guru
Posts: 19099
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Basic firewall setup (going off wiki post)

Tue Jun 12, 2018 11:16 pm

I get quickly lost in subnetting, but if your admin access list included 192.168.6.0/24 then 192.168.6.2-192.168.6.254 would be permitted.
If you assign an address to the interface for that subnet and also allow a pool of 1, then only one PC can access the interface via ethernet, and since there is only one actual port, it is limited to one physical connection as well.
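The port-5 admin interface discussed in the last few posts (a separate interface with a pool of one and a static lease, services and the input chain narrowed to that subnet, and the user's 'Allowed address' set), as one added RouterOS example. It is not anav's or Nazralte's configuration: it assumes ether5 is the dedicated port and currently a bridge port, the admin subnet is 192.168.6.0/24 as in the thread, the admin user is still named `admin` (substitute the renamed account), the MAC address is a placeholder, and the input chain already ends with a rule commented "drop everything else" (assumed; otherwise give `place-before` the rule's number).

```routeros
# Added example (not from the thread). Assumed: ether5 = dedicated admin port,
# admin subnet 192.168.6.0/24, admin account named "admin", placeholder MAC.

# 1. Take ether5 out of the LAN bridge so it becomes its own L2 segment.
/interface bridge port remove [find interface=ether5]

# 2. Address the port and hand out exactly one lease (pool of one).
/ip address add address=192.168.6.1/24 interface=ether5 comment="admin-only port"
/ip pool add name=admin-pool ranges=192.168.6.2
/ip dhcp-server add name=admin-dhcp interface=ether5 address-pool=admin-pool disabled=no
/ip dhcp-server network add address=192.168.6.0/24 gateway=192.168.6.1
# Static lease for the admin PC (AA:BB:CC:DD:EE:FF is a placeholder MAC).
/ip dhcp-server lease add address=192.168.6.2 mac-address=AA:BB:CC:DD:EE:FF server=admin-dhcp comment="admin PC"

# 3. Management services answer only the admin subnet; unused ones are off.
/ip service set winbox address=192.168.6.0/24
/ip service set ssh address=192.168.6.0/24
/ip service disable telnet,ftp,www,api,api-ssl

# 4. The account itself is bound to the subnet ("Allowed address" in the GUI).
/user set [find name="admin"] address=192.168.6.0/24

# 5. Input chain: accept winbox/ssh only when it arrives on ether5 from that
#    subnet, placed ahead of the final drop.
/ip firewall filter add chain=input action=accept in-interface=ether5 src-address=192.168.6.0/24 protocol=tcp dst-port=8291,22 comment="admin from ether5 only" place-before=[find chain=input comment="drop everything else"]
```

Three layers end up enforcing the same thing (the filter rule, the service address, the user address), which is deliberate: each one catches a mistake in the others. If you want the user bound to the single leased address rather than the subnet, set `address=192.168.6.2/32` in step 4. The trade-off is the one anav raises: once the account is bound to that subnet, a laptop on the main LAN cannot log in even if the filter allowed it, so make the change from a Winbox session started in Safe Mode and confirm you can still log in through ether5 before leaving Safe Mode.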
