msusmani
newbie
Topic Author
Posts: 29
Joined: Thu Jun 29, 2017 10:45 am

Using mikrotik Firewall Feature

Sat Jun 30, 2018 9:52 pm

Hi Members
I have recently purchased an RB750 for my office use. I have an internet router installed in my office with 2 LAN ports. The 1st LAN port is connected to a Wifi device for giving internet access to users. From the second LAN port I have to connect a device that needs to get connected to its peer device installed at Head Office, and the Head Office device needs to get connected with my device. The Head Office device can be accessed globally.
I now want to use mikrotik in such a manner that my users still have internet access available, my device is accessible over the internet, but it accepts connections from my Head Office device only. All other requests to my device must be dropped. Can anyone help me with developing this scenario?

Usmani
 
Revelation
Member
Posts: 336
Joined: Fri Dec 25, 2015 5:59 am

Re: Using mikrotik Firewall Feature

Sun Jul 01, 2018 8:11 pm

Hi Members
I have recently purchased an RB750 for my office use. I have an internet router installed in my office with 2 LAN ports. The 1st LAN port is connected to a Wifi device for giving internet access to users. From the second LAN port I have to connect a device that needs to get connected to its peer device installed at Head Office, and the Head Office device needs to get connected with my device. The Head Office device can be accessed globally.
I now want to use mikrotik in such a manner that my users still have internet access available, my device is accessible over the internet, but it accepts connections from my Head Office device only. All other requests to my device must be dropped. Can anyone help me with developing this scenario?

Usmani
Okay, let's see here....

The "internet router installed in my office" is that the RB750 or another device?

Are you referring to the RB750 here?
1st LAN port is connected with Wifi device for giving internet access to users.

What exactly do you mean? Is this a VPN, or some other protocol for this communication?
From second LAN port I have to connect a device that needs to get connected to its peer device installed at Head office and head office device needs to get connected with my device.
What is the type of connection that is coming from your head office?
I now want to use mikrotik in such a manner that my users still have internet access available my device must be accessible over internet but it accepts connections from my Head Office device only.
For starters you can setup the first couple of rules such as:

Permits 80 and 443 traffic out of network but drops everything else
/ip firewall filter
add chain=forward action=accept protocol=tcp src-address=[Wifi Users Subnet] out-interface=[WAN Port] dst-port=80,443 log=no log-prefix=""
add chain=forward action=drop src-address=[Wifi Users Subnet] out-interface=[WAN Port] log=no log-prefix=""
add chain=forward action=accept connection-state=established,related in-interface=ether5 log=no log-prefix=""
Drop everything inbound except head office
add chain=input action=accept protocol=tcp src-address=[Head Office Public IP] in-interface=[WAN Port] dst-port=[Port used] log=no log-prefix=""
add chain=input action=drop src-address=0.0.0.0/0 in-interface=[WAN Port] log=no log-prefix=""
 
msusmani
newbie
Topic Author
Posts: 29
Joined: Thu Jun 29, 2017 10:45 am

Re: Using mikrotik Firewall Feature

Mon Jul 02, 2018 9:03 am

Thanks a lot for your response and for helping me out on this. Kindly find my responses to your queries below:

The internet router installed at my office is not the RB750; it is a satellite router provided by the ISP.

[Are you referring to the RB750 here?

1st LAN port is connected with Wifi device for giving internet access to users.]

The satellite router has 2 LAN ports. From 1st LAN port a wifi router is connected to provide internet to users in office.
From 2nd LAN port I will connect RB750. From RB750 a device will be connected for accessing PABX lines from Head Office. The device installed at head office is configured to transport PABX extensions to remote sites.

As of now I have only a /30 Public IP pool available from ISP.


I can also see some default firewall configuration in RB750 can you help me in understanding that configuration.
 
Revelation
Member
Posts: 336
Joined: Fri Dec 25, 2015 5:59 am

Re: Using mikrotik Firewall Feature

Tue Jul 03, 2018 3:02 pm

Internet router installed at my office is not RB 750 it is a satellite router provided by ISP.

1st LAN port is connected with Wifi device for giving internet access to users.

The satellite router has 2 LAN ports. From 1st LAN port a wifi router is connected to provide internet to users in office.
From 2nd LAN port I will connect RB750.
Okay, I have a better understanding of your network. Why the insertion of the RB750? What are you trying to achieve with adding it to your network? Why would you not have your users and your "PABX" both connect to the RB750 and only your Mikrotik connects to the ISP's router? This would allow you to run the ISP's modem in bridge mode and have the Public IP live on the Mikrotik - if your ISP allows such a setup.
From RB750 a device will be connected for accessing PABX lines from Head Office. The device installed at head office is configured to transport PABX extensions to remote sites.
I don't know what "PABX Lines" are so you are going to have to be more descriptive and provide much more detail if you are going to get help on this issue.
As of now I have only a /30 Public IP pool available from ISP.
Is that a /30 where you have all 4 IP addresses available and you use OSPF or BGP to advertise that network to your ISP, or is that a /30 where one IP is assigned to your ISP and one IP is assigned to your router? Further, if the latter is true, and the router is assigned the IP, then this doesn't matter. Even if you run the ISP's router in bridge mode to get the Public IP on the Mikrotik, it's all the same.
I can also see some default firewall configuration in RB750 can you help me in understanding that configuration.
You're going to have to post those as I don't know what they are.
 
msusmani
newbie
Topic Author
Posts: 29
Joined: Thu Jun 29, 2017 10:45 am

Re: Using mikrotik Firewall Feature

Thu Jul 05, 2018 2:55 pm

Dear Member
Thanks for your response. Attached please find my network diagram. As per the network diagram, at point A and point B I am trying to add mikrotik to use it as a firewall. I don't want both my devices to be exposed to the internet, so I am trying to insert a firewall. Kindly help me on configuring this scenario.
Test scenario.jpg
 
Revelation
Member
Posts: 336
Joined: Fri Dec 25, 2015 5:59 am

Re: Using mikrotik Firewall Feature

Thu Jul 05, 2018 10:00 pm

I'm not sure why you are choosing to not answer my questions, yet you still ask for help....

Based on what you have and have not provided, your answers are in my first post. When you decide to answer my questions I will revisit this thread and provide additional details that I think you will need to get things working properly. Until such time I refuse to play guessing games.
 
msusmani
newbie
Topic Author
Posts: 29
Joined: Thu Jun 29, 2017 10:45 am

Re: Using mikrotik Firewall Feature

Thu Jul 05, 2018 10:07 pm

Dear Member

To explain the scenario to you I have attached a diagram and tried to explain what I am trying to achieve. My basic purpose is to connect the RB750 with my ISP router and then connect my VOIP device with the mikrotik and configure the mikrotik as a firewall to protect my voice device.

Kindly let me know if further explanation is required.
 
msusmani
newbie
Topic Author
Posts: 29
Joined: Thu Jun 29, 2017 10:45 am

Re: Using mikrotik Firewall Feature

Fri Jul 06, 2018 2:16 pm

Dear Member

Kindly find my response below

[Okay, I have a better understanding of your network. Why the insertion of the RB750? What are you trying to achieve with adding it to your network? Why would you not have your users and your "PABX" both connect to the RB750 and only your Mikrotik connects to the ISP's router? This would allow you to run the ISP's modem in bridge mode and have the Public IP live on the Mikrotik - if your ISP allows such a setup]

Response: I am adding mikrotik to use it as a firewall for security of my voice device. Yes I also want to use same configuration where my users and PABX both gets connected to mikrotik. No change in configuration of my ISP router is possible.


[ As of now I have only a /30 Public IP pool available from ISP.

Is that a /30 where you have all 4 IP addresses available and you use OSPF or BGP to advertise that network to your ISP, or is that a /30 where one IP is assigned to your ISP and one IP is assigned to your router? Further, if the latter is true, and the router is assigned the IP, then this doesn't matter. Even if you run the ISP's router in bridge mode to get the Public IP on the Mikrotik, it's all the same.]

Response: Yes, the latter is the case: one IP is assigned to the ISP router and one is assigned to my router.


[ From RB750 a device will be connected for accessing PABX lines from Head Office. The device installed at head office is configured to transport PABX extensions to remote sites.

I don't know what "PABX Lines" are so you are going to have to be more descriptive and provide much more detail if you are going to get help on this issue. ]

Response: These are simple VOIP devices, and the devices at both the HQ and Branch ends need to be accessible for communication. No data link exists between the branch and HQ, so the only way for both devices to communicate is over the internet.


[ I can also see some default firewall configuration in RB750 can you help me in understanding that configuration.

You're going to have to post those as I don't know what they are.]

Response: configuration pasted below:

/ip firewall filter
add chain=input comment="default configuration" protocol=icmp
add chain=input comment="default configuration" connection-state=established,related
add action=drop chain=input comment="default configuration" in-interface=ether1-gateway
add action=fasttrack-connection chain=forward comment="default configuration" connection-state=established,related
add chain=forward comment="default configuration" connection-state=established,related
add action=drop chain=forward comment="default configuration" connection-state=invalid
add action=drop chain=forward comment="default configuration" connection-nat-state=!dstnat connection-state=new in-interface=ether1-gateway
/ip firewall nat
add action=masquerade chain=srcnat comment="default configuration" out-interface=ether1-gateway
 
BartoszP
Forum Guru
Posts: 2865
Joined: Mon Jun 16, 2014 1:13 pm
Location: Poland

Re: Using mikrotik Firewall Feature

Fri Jul 06, 2018 3:30 pm

The answer is easy and takes a few steps to be done.

You need one new RJ45 cable, and then:

A. Prepare RB750 with default configuration.
B. Configure VOIP device to use DHCP.
C. Disconnect VOIP device from your LAN.
D. Connect the just disconnected cable to the WAN port of RB750.
E. Connect the new cable to any LAN port of RB750.
F. Connect the new cable's second end to the VOIP device instead of the already disconnected cable.
G. Restart the VOIP device to be sure that it receives a new IP from RB750.
H. Voilà ... done.

The VOIP device will be operating from behind the router; as it does not care where it is connected as long as it has access to the Internet, this prevents access from any office LAN device to it.
 
msusmani
newbie
Topic Author
Posts: 29
Joined: Thu Jun 29, 2017 10:45 am

Re: Using mikrotik Firewall Feature

Fri Jul 06, 2018 3:39 pm

Dear Member

I am looking for a config to allow users at the branch site to use the internet and call other extensions by getting connected with VOIP. The VOIP devices installed at the HQ and branch ends can communicate over public IP. I need to insert a firewall before the VOIP devices at both ends and only enable them to communicate with each other and drop all other traffic. I am trying to use mikrotik as a firewall at both ends to make sure none of the devices are attacked over the internet.

I am looking for configuration to use mikrotik as firewall.
 
BartoszP
Forum Guru
Posts: 2865
Joined: Mon Jun 16, 2014 1:13 pm
Location: Poland

Re: Using mikrotik Firewall Feature

Fri Jul 06, 2018 3:46 pm

What is wrong with my solution?
 
msusmani
newbie
Topic Author
Posts: 29
Joined: Thu Jun 29, 2017 10:45 am

Re: Using mikrotik Firewall Feature

Thu Jul 26, 2018 2:11 pm

Dear Fellow Members
Following is my Mikrotik configuration. I have connected my ISP router to the mikrotik WAN port. Now I have to configure firewall rules so that my desktop users are allowed to access the internet. Further, the server connected on interface 2 of the mikrotik must be able to access only the server located at 43.240.95.96, and all other traffic must be dropped. Also, this server must accept requests from 43.240.95.96 and must drop all other requests. Kindly help me out in configuring the firewall.


[admin@MikroTik] > export
# jul/26/2018 15:02:35 by RouterOS 6.42.6
# software id = 6MP5-PTVK
#
# model = RouterBOARD 750 r2
# serial number = 63BD05F385CE
/interface bridge
add name=bridge1_INTERNET
/interface ethernet
set [ find default-name=ether1 ] name="ether1-WAN Port"
set [ find default-name=ether2 ] name="ether2 _ Server"
set [ find default-name=ether5 ] name="ether5_desktop Users"
/interface list
add name=WAN
add name=LAN
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip hotspot profile
set [ find default=yes ] html-directory=flash/hotspot
/ip pool
add name=dhcp_pool1 ranges=192.168.10.2-192.168.10.254
/ip dhcp-server
add address-pool=dhcp_pool1 disabled=no interface="ether5_desktop Users" name=dhcp1
/interface bridge port
add bridge=bridge1_INTERNET interface="ether1-WAN Port"
add bridge=bridge1_INTERNET interface="ether2 _ Server"
/interface list member
add interface="ether1-WAN Port" list=WAN
add interface="ether2 _ Server" list=LAN
add interface=ether3 list=LAN
add interface=ether4 list=LAN
add interface="ether5_desktop Users" list=LAN
/ip address
add address=103.244.135.170/29 interface=bridge1_INTERNET network=103.244.135.168
add address=192.168.10.1/24 interface="ether5_desktop Users" network=192.168.10.0
/ip dhcp-server network
add address=192.168.10.0/24 gateway=192.168.10.1
/ip dns
set servers=172.30.152.140,172.30.152.141
/ip firewall nat
add action=masquerade chain=srcnat out-interface=bridge1_INTERNET
/ip route
add distance=1 gateway=103.244.135.169
/ip service
set telnet disabled=yes
set ftp disabled=yes
set ssh disabled=yes
/system clock
set time-zone-name=Asia/Dubai
/system routerboard settings
set silent-boot=no
[admin@MikroTik] >


Regards
 
mkx
Forum Guru
Posts: 11445
Joined: Thu Mar 03, 2016 10:23 pm

Re: Using mikrotik Firewall Feature

Thu Jul 26, 2018 2:52 pm

The solution to your problem largely depends on the IP address that your server (hooked to ether2) is using. If it's some private IP address, then the solution will be completely different from the solution where your server is using a public IP address.
For the FW to have any governance over the traffic of your server you'll probably have to remove bridge1_INTERNET and set things up directly on the ether interfaces.
 
msusmani
newbie
Topic Author
Posts: 29
Joined: Thu Jun 29, 2017 10:45 am

Re: Using mikrotik Firewall Feature

Thu Jul 26, 2018 3:39 pm

Ethernet 2 will have public IP .
 
msusmani
newbie
Topic Author
Posts: 29
Joined: Thu Jun 29, 2017 10:45 am

Re: Using mikrotik Firewall Feature

Fri Jul 27, 2018 3:26 pm

The solution to your problem largely depends on the IP address that your server (hooked to ether2) is using. If it's some private IP address, then the solution will be completely different from the solution where your server is using a public IP address.
For the FW to have any governance over the traffic of your server you'll probably have to remove bridge1_INTERNET and set things up directly on the ether interfaces.
Yes, I will be using a Public IP on Ethernet 2. Can you help out with the configuration?
 
msusmani
newbie
Topic Author
Posts: 29
Joined: Thu Jun 29, 2017 10:45 am

Re: Using mikrotik Firewall Feature

Thu Aug 02, 2018 10:35 am

I'm not sure why you are choosing to not answer my questions, yet you still ask for help....

Based on what you have and have not provided, your answers are in my first post. When you decide to answer my questions I will revisit this thread and provide additional details that I think you will need to get things working properly. Until such time I refuse to play guessing games.
Hi Member

I have modified my configuration and have tried to apply filter rules, but it's not working. Attached please find the config; can you check and recommend something?


Configuration.

MikroTik RouterOS 6.42.6 (c) 1999-2018 http://www.mikrotik.com/

[admin@MikroTik] > export
# jul/30/2018 22:10:10 by RouterOS 6.42.6
# software id = 6MP5-PTVK
#
# model = RouterBOARD 750 r2
# serial number = 63BD05F385CE
/interface bridge
add name=bridge1_Internet
/interface ethernet
set [ find default-name=ether1 ] name="ether1_WAN (Connected to ISP Router)"
set [ find default-name=ether2 ] name="ether2 (Connected to Server )"
set [ find default-name=ether5 ] name="ether5 (Desktop Users)"
/interface list
add name=WAN
add name=LAN
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip hotspot profile
set [ find default=yes ] html-directory=flash/hotspot
/ip pool
add name=dhcp_pool1 ranges=192.168.10.2-192.168.10.254
/ip dhcp-server
add address-pool=dhcp_pool1 disabled=no interface="ether5 (Desktop Users)" lease-time=3d10m name=dhcp1
/interface bridge port
add bridge=bridge1_Internet interface="ether1_WAN (Connected to ISP Router)"
add bridge=bridge1_Internet interface="ether2 (Connected to Server )"
/interface bridge settings
set use-ip-firewall=yes
/interface list member
add interface="ether1_WAN (Connected to ISP Router)" list=WAN
add interface="ether2 (Connected to Server )" list=LAN
add interface=ether3 list=LAN
add interface=ether4 list=LAN
add interface="ether5 (Desktop Users)" list=LAN
/ip address
add address=203.244.135.171/29 interface=bridge1_Internet network=203.244.135.168
add address=192.168.10.1/24 interface="ether5 (Desktop Users)" network=192.168.10.0
/ip dhcp-server network
add address=192.168.10.0/24 gateway=192.168.10.1
/ip dns
set allow-remote-requests=yes servers=8.8.8.8
/ip firewall filter
add action=accept chain=forward dst-port=80,443 out-interface=bridge1_Internet protocol=tcp src-address=192.168.10.0/29
add action=drop chain=forward out-interface=bridge1_Internet src-address=192.168.10.0/29
add action=accept chain=forward connection-state=established,related in-interface="ether5 (Desktop Users)"
add action=accept chain=input in-interface=bridge1_Internet protocol=icmp src-address=83.225.98.42
add action=accept chain=input in-interface=bridge1_Internet protocol=tcp src-address=83.225.98.42
add action=drop chain=input in-interface=bridge1_Internet src-address=0.0.0.0/0
/ip firewall nat
add action=masquerade chain=srcnat out-interface=bridge1_Internet
/ip route
add distance=1 gateway=203.244.135.169
/ip service
set telnet disabled=yes
set ftp disabled=yes
set ssh disabled=yes
/system clock
set time-zone-name=Asia/Dubai
/system routerboard settings
[admin@MikroTik] >
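As an added example that is not code from any post in this thread, the following fills in Revelation's rule sketch for the layout in the last export: a public-IP VoIP server on ether2 bridged with the ISP port, routed desktops on ether5, and 43.240.95.96 as the HQ peer named earlier in the thread. With use-ip-firewall=yes, the bridged server traffic is evaluated in the forward chain (and in NAT), not in the input chain the posted rules use; the branch server's own public IP is not given in the thread, so it is a labelled placeholder, and the interface names are copied from the export.

```routeros
# Added example, not from the thread. Assumes the last export: ether1 (ISP)
# and ether2 (VoIP server, public IP) are ports of bridge1_Internet, desktops
# are 192.168.10.0/24 on ether5, HQ peer is 43.240.95.96 (from the thread).
# in-bridge-port / out-bridge-port identify the physical port of bridged
# traffic and only work with use-ip-firewall=yes.
/ip firewall address-list
add list=hq-voip address=43.240.95.96 comment="HQ VoIP peer (from thread)"
# PLACEHOLDER: the branch server's own public IP is not given in the thread
add list=branch-voip address=203.244.135.172 comment="ASSUMED branch VoIP server IP, replace"

/interface bridge settings
set use-ip-firewall=yes

/ip firewall nat
# with use-ip-firewall=yes the bridged server traffic also passes srcnat, so
# limit masquerade to the desktops or the server gets NATed to the router IP
remove [find chain=srcnat action=masquerade out-interface=bridge1_Internet]
add chain=srcnat action=masquerade out-interface=bridge1_Internet src-address=192.168.10.0/24

/ip firewall filter
# input chain: only traffic addressed to the router itself
add chain=input action=accept connection-state=established,related comment="replies to the router"
add chain=input action=drop connection-state=invalid
add chain=input action=accept in-interface="ether5 (Desktop Users)" comment="DNS/management from desktops only"
add chain=input action=drop in-interface=bridge1_Internet comment="nothing from ISP side or server to the router"

# forward chain: bridged server traffic and routed desktop traffic
add chain=forward action=accept connection-state=established,related comment="return traffic"
add chain=forward action=drop connection-state=invalid
# VoIP server on ether2: only HQ may reach it, and it may reach only HQ
add chain=forward action=accept in-bridge-port="ether1_WAN (Connected to ISP Router)" src-address-list=hq-voip dst-address-list=branch-voip comment="HQ -> branch VoIP"
add chain=forward action=accept in-bridge-port="ether2 (Connected to Server )" src-address-list=branch-voip dst-address-list=hq-voip comment="branch VoIP -> HQ"
add chain=forward action=drop in-bridge-port="ether2 (Connected to Server )" comment="server: all other outbound"
add chain=forward action=drop out-bridge-port="ether2 (Connected to Server )" comment="server: all other inbound, desktops included"
# desktops (masqueraded): any outbound, no new inbound from the Internet
add chain=forward action=accept in-interface="ether5 (Desktop Users)" out-interface=bridge1_Internet src-address=192.168.10.0/24 comment="desktops -> Internet"
add chain=forward action=drop comment="default deny"
```

The server rules are deliberately placed before the desktop rule so that desktops cannot reach the server either; check the rule counters under /ip firewall filter print stats while a call is set up to confirm the HQ rules are the ones matching.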
