
My first Mikrotik Router - Firewall Help

Posted: Wed Jun 12, 2019 7:06 am
by starwebmanagement
Hello. I've spent the last 5 hours trying to figure out why my firewall isn't working for port forwarding. I have a webserver that uses port 8181 for some testing purposes so I'm trying to forward any requests on that port to that machine (192.168.1.100). Any help would be greatly appreciated.

Here's my firewall export. The public IP for this post is PUBLICIP


# model = RouterBOARD 3011UiAS
/ip firewall address-list
add address=192.168.1.0/24 list=LAN
/ip firewall filter
add action=drop chain=input comment="drop all invalid requests to router" \
connection-state=invalid src-address-list=""
add action=drop chain=forward comment="drop all invalid requests from WAN" \
connection-state=invalid
add action=accept chain=forward comment="allow NAT dstnat " \
connection-nat-state=dstnat connection-state=established,related \
disabled=yes log=yes
add action=accept chain=input comment=\
"accept any LAN connections to the router" src-address-list=LAN
add action=accept chain=input comment=\
"accept established connections to the router" connection-state=\
established
add action=drop chain=input comment="drop all OTHER attempt to the router"
add action=accept chain=forward comment=\
"forward any NEW connections from LAN" connection-state=new \
src-address-list=LAN
add action=accept chain=forward comment="forward any RELATED connections" \
connection-state=related
add action=accept chain=forward comment="forward any ESTABLISHED connections" \
connection-state=established
add action=drop chain=forward comment="drop all other traffic" log=yes
/ip firewall nat
add action=masquerade chain=srcnat out-interface-list=WAN
add action=dst-nat chain=dstnat comment="beta sites" dst-address=\
PUBLICIP dst-port=8181 log=yes protocol=tcp to-addresses=\
192.168.1.100 to-ports=8181
The network has Internet access, but the port forwarding doesn't seem to work.

Re: My first Mikrotik Router - Firewall Help

Posted: Wed Jun 12, 2019 8:57 am
by mducharme
Your port forwarding is not working because there is no firewall filter forward chain rule that allows that traffic.

Re: My first Mikrotik Router - Firewall Help

Posted: Wed Jun 12, 2019 9:09 am
by mkx
Your port forwarding is not working because there is no firewall filter forward chain rule that allows that traffic.

Actually there is one, but it's wrong and disabled:
add action=accept chain=forward comment="allow NAT dstnat " \
connection-nat-state=dstnat connection-state=established,related \
disabled=yes log=yes
It would work if it was rewritten as follows:
add action=accept chain=forward comment="allow NAT dstnat" connection-nat-state=dstnat connection-state=new log=yes
As written, it will only affect new connections. Already established connections will be dealt with by the two rules many lines below (chain=forward connection-state=related and established).

Performance-wise it would be beneficial to replace those two rules with a single one
add action=accept chain=forward comment="forward any ESTABLISHED and RELATED connections" \
connection-state=related,established
and push this rule upwards (perhaps right after the first rule in chain=forward, the one with comment="drop all invalid requests from WAN"). BTW, this comment is misleading, as the rule also drops any invalid connections originating from LAN and targeting anything but the router itself (another LAN if it existed, or WAN).

Re: My first Mikrotik Router - Firewall Help

Posted: Wed Jun 12, 2019 11:50 pm
by ingdaka
When you set up port forwarding and try to access this port from WAN, that means these are "new" connections, not related or established! You are not allowing new connections to initiate the 3-way handshake that would make those connections established!

Re: My first Mikrotik Router - Firewall Help

Posted: Thu Jun 13, 2019 7:49 pm
by starwebmanagement
Thank you for the help. I've made the changes and now it looks like this;


# jun/13/2019 09:32:35 by RouterOS 6.44.3
# software id = xxxxxxx
#
# model = RouterBOARD 3011UiAS
# serial number = xxxxxxx
/ip firewall address-list
add address=192.168.1.0/24 list=LAN
/ip firewall filter
add action=drop chain=input comment="drop all invalid requests to router" \
connection-state=invalid src-address-list=""
add action=drop chain=forward comment="drop all invalid requests from WAN" \
connection-state=invalid
add action=accept chain=forward comment=\
"forward any ESTABLISHED and RELATED connections" connection-state=\
established,related
add action=accept chain=forward comment="allow NAT dstnat " \
connection-nat-state=dstnat connection-state=new log=yes
add action=accept chain=input comment=\
"accept any LAN connections to the router" src-address-list=LAN
add action=accept chain=input comment=\
"accept established connections to the router" connection-state=\
established
add action=drop chain=input comment="drop all OTHER attempt to the router" \
log=yes
add action=accept chain=forward comment=\
"forward any NEW connections from LAN" connection-state=new \
src-address-list=LAN
add action=drop chain=forward comment="drop all other traffic" log=yes
/ip firewall nat
add action=dst-nat chain=dstnat comment="beta sites" disabled=yes \
dst-address=PUBLICIPADDRESS dst-port=8181 log=yes protocol=tcp \
to-addresses=192.168.1.100 to-ports=8181
add action=dst-nat chain=dstnat dst-port=8181 protocol=tcp to-addresses=\
192.168.1.100
add action=masquerade chain=srcnat out-interface-list=WAN
add action=masquerade chain=srcnat dst-port=8181 out-interface=bridgeLocal \
protocol=tcp src-address=192.168.1.0/24
The port forwarding seems to work correctly. Thank you for the explanations. It makes sense now.

I have some more questions to learn more about managing this firewall.
  • I've read about bogons lists in the firewall. Should I be concerned with this and implement rules for this?
  • I have another question. I also have a second router behind this router. It's a CISCO home router. It's IP address is static at 192.168.1.44. Nothing behind this router seems to work now and I'm pretty sure I have to tell the Mikrotik that traffic coming from this is okay. I figured it would just work like any other device on the network but it does not.
  • Also, a second issue which is strange. I have one computer with IP address 192.168.1.108 that cannot perform DNS lookups after changing to the Mikrotik. The adapter is configured with two IP addresses on it (.108 and .105). The gateway is 192.168.1.1. DNS is set to 192.168.1.1
Thank you to those who've helped thus far! Could the second two issues be related that it's not allowing DNS for devices which have hard coded DNS?

Re: My first Mikrotik Router - Firewall Help

Posted: Thu Jun 13, 2019 8:02 pm
by starwebmanagement
It looks like I was able to solve both issues by checking the box "allow remote requests" in the DNS settings. Is this okay or is this making my system vulnerable? The firewall rules above shouldn't allow outside devices to use DNS off this router correct?

Re: My first Mikrotik Router - Firewall Help

Posted: Thu Jun 13, 2019 10:07 pm
by ingdaka
Yes, you resolved your problem, but you have made your router vulnerable, because somebody can send connections to UDP port 53 and saturate your processor usage!

Re: My first Mikrotik Router - Firewall Help

Posted: Fri Jun 14, 2019 12:45 am
by Sob
It's not too bad. Firewall blocks all incoming requests from internet. They would be only accepted if someone spoofed the source address, but that's very unlikely. You can improve the firewall rule accepting input traffic from LAN by adding in-interface=<LAN>.

Re: My first Mikrotik Router - Firewall Help

Posted: Fri Jun 14, 2019 8:33 am
by mkx
You can improve the firewall rule accepting input traffic from LAN by adding in-interface=<LAN>.

Or, to stick with concept used in default firewall setup by MT: use "in-interface-list=LAN"
I've read about bogons lists in the firewall. Should I be concerned with this and implement rules for this?
My personal view is that the bogon list concept does improve the firewall, but only slightly. I'm not sure if it's worth bothering. The default firewall blocks almost everything originating from WAN, and if there are not many ports forwarded, the "bogon list concept" doesn't do much. It does protect LAN services exposed to the internet (forwarded ports) to some extent. And it protects, if implemented carefully, the internet from evil LAN users. There's another concept (blacklisting of port knockers) which seems to be popular and also adds only a little to actual firewall security (for the very same reasons).

BTW, I don't think your first firewall rule
add action=drop chain=input comment="drop all invalid requests to router" \
connection-state=invalid src-address-list=""
actually does anything ... because it matches invalid requests against an empty src address list ... so it never blocks anything. Run the command
/ip firewall filter unset [ find src-address-list="" ] src-address-list
to fix the rule.

Re: My first Mikrotik Router - Firewall Help

Posted: Fri Jun 14, 2019 9:42 am
by AidanAus
Yes, you resolved your problem, but you have made your router vulnerable, because somebody can send connections to UDP port 53 and saturate your processor usage!
As ingdaka said, you have made your system vulnerable at the moment. I would recommend adding the following rules to your list if you do not have them already; just swap out where it says wan interface with the actual name of your WAN interface :)
/ip firewall filter add chain=input protocol=tcp dst-port=53 in-interface=(wan interface) action=drop
/ip firewall filter add chain=input protocol=udp dst-port=53 in-interface=(wan interface) action=drop

Re: My first Mikrotik Router - Firewall Help

Posted: Fri Jun 14, 2019 11:03 am
by mkx
Yes, you resolved your problem, but you have made your router vulnerable, because somebody can send connections to UDP port 53 and saturate your processor usage!
As ingdaka said, you have made your system vulnerable at the moment,
That's not the case. The combination of these two firewall rules keeps OP's router safe from the internet:
add action=accept chain=input comment="accept any LAN connections to the router" src-address-list=LAN
add action=drop chain=input comment="drop all OTHER attempt to the router" log=yes
And there isn't any other FW rule accepting DNS requests originating from WAN.

OK, there's the first above quoted rule, which would be better written by filtering according to in-interface-list (or in-interface, as already indicated by @Sob), because right now the router is open to some DoS attack involving spoofed IP addresses ... one which could use the router to break connections of LAN hosts, but hardly to compromise either the router or the LAN.

Re: My first Mikrotik Router - Firewall Help

Posted: Fri Jun 14, 2019 2:07 pm
by Sob
Or, to stick with concept used in default firewall setup by MT: use "in-interface-list=LAN"
Right. I still didn't get used to in-interface-list, as it's relatively new and I've been using in-interface for too long. Just to make it clear.

Re: My first Mikrotik Router - Firewall Help

Posted: Fri Jun 14, 2019 2:18 pm
by mkx
Or, to stick with concept used in default firewall setup by MT: use "in-interface-list=LAN"
Right. I still didn't get used to in-interface-list, as it's relatively new and I've been using in-interface for too long.
You're not saying you're old, are you? :wink:

Re: My first Mikrotik Router - Firewall Help

Posted: Fri Jun 14, 2019 3:21 pm
by Sob
Nah, only when I have to get out of bed too soon, then I feel like twice my age. :)

It's just that I've been playing with RouterOS for several years and most of the time interface lists didn't exist. They are great when you need to quickly add another LAN/WAN and make them use common rules. Not exactly what I do daily. I sometimes use them, but most of the time not (I won't be converting old configs to interface lists, it wouldn't help anything). So when I don't see them much, they are not the first thing that comes to my mind.

Re: My first Mikrotik Router - Firewall Help

Posted: Fri Jun 14, 2019 7:21 pm
by starwebmanagement
add action=accept chain=input comment="accept any LAN connections to the router" src-address-list=LAN
add action=drop chain=input comment="drop all OTHER attempt to the router" log=yes
OK, there's the first above quoted rule which would be better written by filtering according to in-interface-list (or in-interface as already indicated by @Sob) because right now router is open for some DOS attack involving spoofed IP addresses ... which actually uses router to possibly break connections of LAN hosts, but hardly to compromise either router or LAN.
Are you saying this rule:
add action=accept chain=input comment="accept any LAN connections to the router" src-address-list=LAN
Would be better served to use in-interface-list=LAN? Like this?
add action=accept chain=input comment="accept any LAN connections to the router" in-interface-list=LAN
And this is because it then eliminates spoofing from the WAN interface?

Re: My first Mikrotik Router - Firewall Help

Posted: Sat Jun 15, 2019 10:19 am
by mkx
Yes. You just have to keep the LAN interface list updated.

Generally, when constructing rules one should use criteria which have the least possibility of spoofing. A remote attacker can easily spoof src-address but can hardly spoof the ingress interface.
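The two points argued in this thread (mkx's explanation of why the original forward chain never lets the dst-nat'd SYN through, and the later advice to match LAN traffic by ingress interface rather than source address) can be checked against a small first-match model of the filter chains. The code below is an added example written for this page, not code from the thread or from MikroTik: interface names, the 203.0.113.7 client and the packets are constructed, and only the first-match evaluation with an implicit accept at the end of a chain mirrors RouterOS behaviour.

```python
"""Added example (not from the forum thread): a minimal first-match model of a
RouterOS-style filter chain. Rule and packet fields mirror the keywords used in
the thread; everything beyond "first enabled matching rule decides, otherwise
accept" is a simplification."""
from dataclasses import dataclass, field

# Constructed stand-ins for the address list and interface lists in the thread.
ADDRESS_LISTS = {"LAN": lambda ip: ip.startswith("192.168.1.")}
INTERFACE_LISTS = {"LAN": {"bridgeLocal"}, "WAN": {"ether1"}}
KNOWN_MATCHERS = {"connection_state", "connection_nat_state",
                  "src_address_list", "in_interface_list"}


@dataclass
class Packet:
    chain: str                      # input | forward
    src_address: str
    in_interface: str
    connection_state: str           # new | established | related | invalid
    connection_nat_state: str = ""  # "" | dstnat | srcnat


@dataclass
class Rule:
    chain: str
    action: str                     # accept | drop
    comment: str = ""
    disabled: bool = False
    match: dict = field(default_factory=dict)


def matches(rule: Rule, pkt: Packet) -> bool:
    """All matchers on the rule must hold; a rule with no matchers matches everything."""
    for key, want in rule.match.items():
        if key not in KNOWN_MATCHERS:
            raise ValueError(f"unsupported matcher {key}")
        if key == "connection_state" and pkt.connection_state not in want.split(","):
            return False
        if key == "connection_nat_state" and pkt.connection_nat_state != want:
            return False
        if key == "src_address_list" and not ADDRESS_LISTS[want](pkt.src_address):
            return False
        if key == "in_interface_list" and pkt.in_interface not in INTERFACE_LISTS[want]:
            return False
    return True


def evaluate(rules, pkt):
    """First enabled matching rule in the packet's chain decides; no match means accept."""
    for rule in rules:
        if rule.disabled or rule.chain != pkt.chain:
            continue
        if matches(rule, pkt):
            return rule.action, rule.comment
    return "accept", "chain default"


# Forward chain as in the first export: the dstnat rule is disabled and would in
# any case only match established/related, never the initial SYN.
ORIGINAL_FORWARD = [
    Rule("forward", "drop", "drop invalid", match={"connection_state": "invalid"}),
    Rule("forward", "accept", "allow NAT dstnat", disabled=True,
         match={"connection_nat_state": "dstnat", "connection_state": "established,related"}),
    Rule("forward", "accept", "new from LAN",
         match={"connection_state": "new", "src_address_list": "LAN"}),
    Rule("forward", "accept", "related", match={"connection_state": "related"}),
    Rule("forward", "accept", "established", match={"connection_state": "established"}),
    Rule("forward", "drop", "drop all other traffic"),
]

# Forward chain after the corrections: established/related first, then new dstnat.
FIXED_FORWARD = [
    Rule("forward", "drop", "drop invalid", match={"connection_state": "invalid"}),
    Rule("forward", "accept", "established,related",
         match={"connection_state": "established,related"}),
    Rule("forward", "accept", "allow NAT dstnat",
         match={"connection_nat_state": "dstnat", "connection_state": "new"}),
    Rule("forward", "accept", "new from LAN",
         match={"connection_state": "new", "src_address_list": "LAN"}),
    Rule("forward", "drop", "drop all other traffic"),
]

# Constructed: an internet client's SYN after dst-nat rewrote it to 192.168.1.100:8181.
INBOUND_SYN = Packet("forward", "203.0.113.7", "ether1", "new", "dstnat")


def forward_verdicts():
    return evaluate(ORIGINAL_FORWARD, INBOUND_SYN)[0], evaluate(FIXED_FORWARD, INBOUND_SYN)[0]


# Input chain written both ways discussed, each followed by the catch-all drop.
INPUT_BY_ADDRESS = [
    Rule("input", "accept", "LAN by address", match={"src_address_list": "LAN"}),
    Rule("input", "drop", "drop all other"),
]
INPUT_BY_INTERFACE = [
    Rule("input", "accept", "LAN by interface", match={"in_interface_list": "LAN"}),
    Rule("input", "drop", "drop all other"),
]

# Constructed: same LAN source address, one arriving on the WAN port (spoofed),
# one on the LAN bridge (genuine).
SPOOFED_FROM_WAN = Packet("input", "192.168.1.50", "ether1", "new")
GENUINE_FROM_LAN = Packet("input", "192.168.1.50", "bridgeLocal", "new")


def input_verdicts(pkt):
    return evaluate(INPUT_BY_ADDRESS, pkt)[0], evaluate(INPUT_BY_INTERFACE, pkt)[0]


if __name__ == "__main__":
    print("dst-nat SYN, original/fixed forward chain:", forward_verdicts())
    print("spoofed LAN address on WAN, by-address/by-interface:", input_verdicts(SPOOFED_FROM_WAN))
    print("genuine LAN packet, by-address/by-interface:", input_verdicts(GENUINE_FROM_LAN))
```

Running it shows the SYN falling through to the final drop in the original chain and being accepted by the "allow NAT dstnat" rule in the corrected one, and shows the by-address input chain accepting a packet with a LAN source address that arrived on the WAN port while the by-interface chain drops it and still accepts the genuine LAN packet.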

Re: My first Mikrotik Router - Firewall Help

Posted: Sat Jun 15, 2019 10:22 pm
by anav
Yes. You just have to keep LAN interface list updated.

Generally when constructing some rules one should use criteria which has least possibility of spoofing. Remote attacker can easily spoof src-address but can hardly spoof ingress interface.
That is GOLD advice.......... IF only MT would put gems like that into the WIKI.......