nradu
just joined
Topic Author
Posts: 15
Joined: Sat Feb 17, 2018 8:55 pm

Advanced configuration for a home network

Sat Dec 29, 2018 1:29 pm

Guys,

I'm still a beginner user of Mikrotik; I have basically set up my home network using one 750G r3 hEX router & 2 wAP AC access points; the router is CAPsMAN for the 2 APs.
I would need some expert advice on my current configuration as I have 3 major open points:
- Is my firewall configuration safe enough? I need to block all possible attacks, allowing access from outside for VPN (currently testing OpenVPN and L2TP/IPSec) & to my Synology NAS.
- I cannot set up L2TP/IPSec to reach higher transfer speeds: I can barely get 10Mbps while my WAN is 1Gbps and hEX processor load is just 5% - I suspect configuration issues, not HW limitations. I know OpenVPN is slow as it uses only TCP, but I expected L2TP to be much faster (currently I have almost the same speed on OpenVPN as on L2TP).
- I use Local Forwarding in CAPsMAN for my main WiFi networks, as the CAPsMAN forwarding dramatically affects the transfer speed - is this a HW limitation or can I improve the configuration to achieve better speed with CAPsMAN forwarding?

I attached my configuration for the hex and one wap (2nd wap config is similar) - if anyone is willing to take a look and give me advice I would really appreciate it.
I know there are a lot of topics on these subjects, I have read almost everything but still I'm confused (clearly I'm still a noob).

Big thanks,
Radu
 
anav
Forum Guru
Posts: 5129
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Advanced configuration for a home network

Sat Dec 29, 2018 8:46 pm

I have a similar setup, one hex, two capACs, no Capsman yet as managing two APs is dirt simple as I use winbox to access all three units.

You seem to be missing an IP firewall filter rule you will need for port forwarding.
I also set my rp filter to loose not strict but cannot remember why.
I recommend you only have one bridge and put your guest access, wired and wireless on a VLAN on the same bridge.
I like allow rules for what is needed and drop everything else at the end of input and forward chains.

After the first input allow rule follow with this (you have one for forward chain but not for input chain):
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
invalid


This can be simplified and made more practical
add action=accept chain=input comment="accept access only from LAN" \
in-interface=!WAN src-address=192.168.0.0/24
add action=accept chain=input comment="Allow ADMIN to Router" \
in-interface-list=LAN src-address-list=adminaccess

*** Create a firewall address list of IPs etc that you want to have access to the router (or subnet).
In this regard its easy to change address list entries and not change rules.

What about allowing DNS queries which is standard fare..........
add action=accept chain=input comment="Allow LAN DNS queries-UDP" dst-port=53 \
in-interface-list=LAN protocol=udp
add action=accept chain=input comment="Allow LAN DNS queries - TCP" dst-port=\
53 in-interface-list=LAN protocol=tcp


This last input rule can be made more accurate
add action=drop chain=input comment="defconf: drop all from WAN"
add action=drop chain=input comment="defconf: drop all else"

**** Using IP DNS you can dictate what is being accessed for example,
/ip dns
set allow-remote-requests=yes servers=\
8.8.8.8,8.8.4.4,208.67.220.220,208.67.222.222
and then for each dhcp-server network-server something like
add address=192.168.0.0/24 comment=HomeLAN_Network dns-server=192.168.0.1 \
gateway=192.168.0.1
If you want to be really anal you can redirect users no matter what DNS they attempt to use with the following in IP Firewall NAT rules (currently disabled):
add action=redirect chain=dstnat comment=\
"Force Users to Router for DNS - TCP" disabled=yes dst-port=53 protocol=\
tcp src-address-list=your_choice_of_interfaces
add action=redirect chain=dstnat comment=\
"Force Users to Router for DNS - UDP" disabled=yes dst-port=53 protocol=\
udp src-address-list=your_choice_of_interfaces

On the Forward chain you need to allow LAN to WAN traffic if that is your intent.
add action=accept chain=forward comment="ENABLE LAN to WAN" in-interface=\
localBridge log-prefix="ALLOWED LAN 2 WAN TRAFFIC" out-interface-list=WAN
add action=accept chain=forward comment="ENABLE Guest to WAN" in-interface=\
guestBridge log-prefix="ALLOWED Guest 2 WAN TRAFFIC" out-interface-list=WAN
*** if you move to one bridge you would still need a VLAN to WAN rule vice guestbridge for in-interface.

To allow DSTNAT rules to work get rid of existing rule
add action=drop chain=forward comment=\
"defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
connection-state=new in-interface=WAN

and add:
add action=accept chain=forward comment=\
"Allow Port Forwarding - " connection-nat-state=dstnat


For IPSEC I believe you need these two in the forward chain.
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
ipsec-policy=out,ipsec


You need a drop all else rule at end of forward chain.
add action=drop chain=forward comment=\
"DROP ALL other FORWARD traffic" log-prefix="FORWARD DROP ALL"


Finally I think your DSTNAT rules with multiple masquerade entries are EFFED!!
Only should have ONE per WAN in general, so the first rule is probably the only one needed.
I'd rather manage rats than software. Follow my advice at your own risk! (Sob & mkx forced me to write that!)
MTUNA Certified, by the Ascerbic Llama!
 
nradu
just joined
Topic Author
Posts: 15
Joined: Sat Feb 17, 2018 8:55 pm

Re: Advanced configuration for a home network

Sun Dec 30, 2018 9:20 pm

Thanks Anav.

I do the port forwarding in NAT, not via Filter Rules - that's why I miss IP Firewall Filter rules for port forwarding and that's why I have more dstnat rules (one for each port forwarding opened for NAS). Is it better to implement firewall rules for this instead of NAT?

Regards,
Radu
 
anav
Forum Guru
Posts: 5129
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Advanced configuration for a home network

Mon Dec 31, 2018 5:10 am

Yes,
Use NAT for port forwarding rules. Even better, if you know the source wanip or a list of source wanips, you can add them in the NAT rule so that there is limited access to servers if possible.
Only need one firewall rule for DSTNAT as I described. It's an overall rule that permits all the dstNAT rules to function.

As stated, masquerade is simply there for the purpose of telling the router which WAN the outbound traffic should use for translating your private IPs (LAN IPs) to the public IP (the WANIP).
It doesn't route traffic; that's a different function (/ip route).

ALSO, IF YOUR DESTINATION PORTS (what traffic is hitting your router with upon arrival) ARE the same as your TO-PORTS (no port translation then), you can remove the to-ports entry as it is implied without any to-ports entry.

/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" \
out-interface=Digi
add action=dst-nat chain=dstnat comment="DS Audio and File" dst-port=xxx \
log-prefix=DSAudioFile protocol=tcp to-addresses=192.168.0.145 to-ports=\
xxx

add action=dst-nat chain=dstnat comment="DS Photo" dst-port=yyy log-prefix=\
DSPhoto protocol=tcp to-addresses=192.168.0.145 to-ports=yyy
add action=dst-nat chain=dstnat comment="DS Cloud" dst-port=zzz log-prefix=\
DSCloud protocol=tcp to-addresses=192.168.0.145 to-ports=zzz

What did you intend or mean with these four rules???????????????
add action=masquerade chain=srcnat comment="DS Photo - LOCAL" dst-address=\
192.168.0.145 dst-port=yyy log-prefix=DSPhoto-LOCAL out-interface=\
LocalBridge protocol=tcp src-address=192.168.0.0/24

add action=masquerade chain=srcnat comment="DS Audio and File - LOCAL" \
dst-address=192.168.0.145 dst-port=xxx log-prefix=DSAudioFile-LOCAL \
out-interface=LocalBridge protocol=tcp src-address=192.168.0.0/24

add action=masquerade chain=srcnat comment="DS Cloud - LOCAL" dst-address=\
192.168.0.145 dst-port=zzz log-prefix=DSCloud-LOCAL out-interface=\
LocalBridge protocol=tcp src-address=192.168.0.0/24

add action=masquerade chain=srcnat comment="VPN to LAN access" dst-address=\
192.168.0.0/24 log-prefix=VANtoLAN src-address=192.168.0.0/24
I'd rather manage rats than software. Follow my advice at your own risk! (Sob & mkx forced me to write that!)
MTUNA Certified, by the Ascerbic Llama!
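Added here as an illustration of the checklist in anav's two replies above (drop invalid in both chains, a catch-all drop as the last rule, to-ports implied when it equals dst-port); this is not code from the thread or from MikroTik. The script parses a RouterOS export written in the same backslash-continued style as the rules quoted in this thread; the export text, interface names and port 5000 are constructed sample values.

```python
import re
import shlex

# Constructed sample in the thread's export style (backslash continuation). It
# lacks "drop invalid" in input, has a rule after forward's catch-all drop, and
# repeats dst-port as to-ports on the dst-nat rule.
SAMPLE = r"""
/ip firewall filter
add action=accept chain=input comment="defconf: accept established,related" \
    connection-state=established,related
add action=accept chain=input comment="Allow LAN DNS queries-UDP" dst-port=53 \
    in-interface-list=LAN protocol=udp
add action=drop chain=input comment="defconf: drop all else"
add action=drop chain=forward comment="defconf: drop invalid" connection-state=\
    invalid
add action=accept chain=forward comment="Allow Port Forwarding" \
    connection-nat-state=dstnat
add action=drop chain=forward comment="DROP ALL other FORWARD traffic"
add action=accept chain=forward comment="unreachable" in-interface=localBridge
/ip firewall nat
add action=dst-nat chain=dstnat comment="DS Photo" dst-port=5000 protocol=tcp \
    to-addresses=192.168.0.145 to-ports=5000
"""
META = {"action", "chain", "comment", "disabled", "log", "log-prefix"}  # no match effect

def parse_export(text):
    """Join backslash-continued lines; return one {key: value} dict per add rule."""
    joined = re.sub(r"\\\n\s*", "", text)
    return [dict(tok.partition("=")[::2] for tok in shlex.split(line[4:]))
            for line in joined.splitlines() if line.startswith("add ")]

def audit(rules):
    """Apply the thread's checklist and return a list of findings (empty = clean)."""
    out = []
    for name in ("input", "forward"):
        chain = [r for r in rules if r.get("chain") == name]
        if not any(r.get("action") == "drop" and r.get("connection-state") == "invalid"
                   for r in chain):
            out.append(f"{name}: missing 'drop invalid' rule")
        # a drop whose only keys are META matches everything, so it must be last
        catch = [i for i, r in enumerate(chain)
                 if r.get("action") == "drop" and not set(r) - META]
        if not catch:
            out.append(f"{name}: no catch-all drop at the end of the chain")
        elif catch[0] != len(chain) - 1:
            out.append(f"{name}: {len(chain) - 1 - catch[0]} rule(s) after the catch-all drop can never match")
    for r in rules:  # anav: to-ports is implied when it equals dst-port
        if r.get("action") == "dst-nat" and r.get("to-ports") == r.get("dst-port"):
            out.append(f"dstnat '{r.get('comment')}': to-ports equals dst-port")
    return out
```

Run it over the output of `/ip firewall export` pasted into SAMPLE; an empty list from audit() means none of the three points from the thread apply.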
 
nradu
just joined
Topic Author
Posts: 15
Joined: Sat Feb 17, 2018 8:55 pm

Re: Advanced configuration for a home network

Mon Dec 31, 2018 4:19 pm

The rules you marked with green are for hairpin - without them I couldn't access the NAS from LAN using the external name & I couldn't access any LAN device when connected via VPN.
 
anav
Forum Guru
Posts: 5129
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Advanced configuration for a home network

Mon Dec 31, 2018 4:52 pm

Ahh okay, I have never used hairpin, looks good then. I usually go direct from the internal lan (lanip to lanip).
I'd rather manage rats than software. Follow my advice at your own risk! (Sob & mkx forced me to write that!)
MTUNA Certified, by the Ascerbic Llama!
 
fredo
just joined
Posts: 1
Joined: Thu Jan 03, 2019 5:08 am

Re: Advanced configuration for a home network

Thu Jan 03, 2019 6:30 am

RE: the rules you marked with green are for hairpin - without them I couldn't access the NAS from LAN using the external name & I couldn't access any LAN device when connected via VPN.

For accessing a local server with the external name, I only add a local DNS entry, to be answered locally and not with the external IP, e.g.
/ip dns static add address=192.168.24.10 comment="External name" enabled=yes name=connect.mine.ddns.com
