seyyx4n2sc
just joined
Topic Author
Posts: 8
Joined: Tue Jul 10, 2018 9:50 am

Firewall rule for accessing winbox

Tue Jun 25, 2019 3:19 pm

I want to be able to access winbox in the following ways:

1) Remotely
2) From within VLAN 10


So I added the following rules to the filter:
/ip firewall filter add action=accept chain=input disabled=no dst-port=8291 in-interface=pppoe-out protocol=tcp
/ip firewall filter add action=drop chain=input disabled=no dst-port=8291 in-interface=!vlan-10 protocol=tcp

So the first rule will accept packets coming from the internet (interface pppoe-out) destined for port 8291;
the second rule will drop any packets not coming from vlan 10. Pretty straightforward.

But now the complicated part that I have been cracking my head over for several hours now. I am accessing the internet from within VLAN 60. My understanding is that I should still be able to access winbox REMOTELY. However, the firewall is dropping my packets because, by trying to access winbox, I am not coming in from in-interface=pppoe-out but from in-interface=vlan60.

How can I add a rule that generally allows remote connections?
 
mkx
Forum Guru
Posts: 3190
Joined: Thu Mar 03, 2016 10:23 pm

Re: Firewall rule for accessing winbox

Tue Jun 25, 2019 3:33 pm

Generally you can allow or deny access to some service (in your case winbox) using in-interface just fine. On the other hand, you cannot dissect the behaviour of a pair of rules without knowing the context (i.e. the rest of the firewall rules), which might change the story.

BTW, without knowing the context ... the first rule of the two is redundant as in-interface=pppoe-out is a subset of in-interface=(not vlan-10).

BTW, exposing the winbox interface to the whole of the internet is not recommended.
BR,
Metod
 
seyyx4n2sc
just joined
Topic Author
Posts: 8
Joined: Tue Jul 10, 2018 9:50 am

Re: Firewall rule for accessing winbox

Tue Jun 25, 2019 4:14 pm

mkx wrote:
Generally you can allow or deny access to some service (in your case winbox) using in-interface just fine. On the other hand, you cannot dissect the behaviour of a pair of rules without knowing the context (i.e. the rest of the firewall rules), which might change the story.

BTW, without knowing the context ... the first rule of the two is redundant as in-interface=pppoe-out is a subset of in-interface=(not vlan-10).

BTW, exposing the winbox interface to the whole of the internet is not recommended.

Thanks for the input! I have a question: when a firewall accepts a packet, is it for both the incoming and outgoing packets of that connection? If so, then the first rule is not that redundant. Outgoing packets that go through an interface other than vlan 10 will be dropped, but packets coming from the internet will be accepted.
 
karlisi
Member Candidate
Posts: 253
Joined: Mon May 31, 2004 8:09 am
Location: Latvia

Re: Firewall rule for accessing winbox

Tue Jun 25, 2019 4:48 pm

chain=input is for incoming packets destined for the router itself.
---
Karlis
 
mkx
Forum Guru
Posts: 3190
Joined: Thu Mar 03, 2016 10:23 pm

Re: Firewall rule for accessing winbox

Tue Jun 25, 2019 5:39 pm

seyyx4n2sc wrote:
I have a question: when a firewall accepts a packet, is it for both the incoming and outgoing packets of that connection?

Customary practice is to have the following rule as one of the top-most rules in the rule list:
/ip firewall filter
add action=accept chain=input comment="defconf: accept established,related,untracked" \
    connection-state=established,related,untracked
This rule takes care of all packets targeting the router itself (chain=input!) or leaving it (being answers to incoming packets) which belong to already established connections.

Further rules then only consider new connection attempts ... and according to that, interface pppoe-out is a subset of !vlan10, and the latter rule would also take care of the connection requests which are now dealt with by the former rule.

When you have the above rule, you only have to care about outgoing packets when they represent a connection initiated by the router ... and you do that in chain=output (and usually you don't care about that at all because you trust that your router won't do anything nasty ... if it does, it's because it's been compromised and your biggest worry is to uncompromise it).
BR,
Metod
 
anav
Forum Guru
Posts: 3122
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Firewall rule for accessing winbox

Tue Jun 25, 2019 8:14 pm

Will echo the sentiments being made here, that external access to your router, BUT NOT via VPN, is not a recommended security practice.
As for others giving you advice without even seeing your config, that makes me shake my head.
Not that the learning bits provided are not the stuff of gold, but basing advice on assumptions is just plain silly.
I'd rather manage rats than software. Follow my advice at your own risk! (Sob & mkx forced me to write that!)
 
seyyx4n2sc
just joined
Topic Author
Posts: 8
Joined: Tue Jul 10, 2018 9:50 am

Re: Firewall rule for accessing winbox

Tue Jun 25, 2019 10:18 pm

Thanks, I just read up on the INPUT and OUTPUT chains. Let's ignore the existing rules for now and ignore the security risks, I am just trying to learn new material :)

So for the input chain, I am trying to access winbox remotely via e.g. 1234.sn.mynetname.net from two places:

1) outside local network
2) within local network

So obviously the connection from outside the local network will have in-interface=pppoe.

But I still don't really know how to distinguish the connection made from within the network that connects to 1234.sn.mynetname.net, because no matter what, the source address or in-interface is going to be one from inside the network. I don't want to be able to connect to winbox via 10.0.60.1, but I do want to be able to connect using 1234.sn.mynetname.net.

Any idea how I can fine-grain the filter to catch these minor details?
 
mkx
Forum Guru
Posts: 3190
Joined: Thu Mar 03, 2016 10:23 pm

Re: Firewall rule for accessing winbox

Wed Jun 26, 2019 12:03 am

IP address and in-interface are two distinct things. You can connect to the router's WAN address through any of the router's interfaces.
I don't think you can limit connectivity to only some of its IP addresses (and the benefit of being able to do so completely escapes me).

I don't understand what it is you want to achieve here, but here's some general advice: make a general rule which drops all connections to the router (be careful to place it at the bottom of the rules before you enable it, or else you'll instantly lock yourself out of your device - enable safe mode before setting the rule) and then place a few rules which accept exactly the connections you want to allow ... above the aforementioned drop-all rule.

Example: if you want to allow winbox connections via pppoe-out and vlan60, but not other interfaces (such as ether13, vlan42 or whatnot), have the following rules (in this order):

- allow established,related
- allow winbox from in-interface=pppoe-out
- allow winbox from in-interface=vlan60
- deny all

Or, you can use interface lists, construct an interface list called "winbox", add pppoe-out and vlan60 as members of that interface list, and replace the middle two pseudo-rules above with a single one:

- allow winbox from in-interface-list=winbox
BR,
Metod
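To make the first-match behaviour discussed in this thread concrete, here is a small Python simulator of a RouterOS-style input chain (added here as an illustration; it is not RouterOS code or anything from the forum). It evaluates the original poster's two rules and mkx's recommended ordering against constructed packets; the "winbox" interface list with members pppoe-out and vlan60 is assumed from mkx's last post, and the no-match default of accept mirrors the RouterOS filter behaviour.

```python
# Added example: first-match simulation of a RouterOS-style "input" chain.
# Rule fields, interface list and packets are constructed for this illustration.
from dataclasses import dataclass
from typing import Optional, FrozenSet

@dataclass
class Rule:
    action: str                            # "accept" or "drop"
    in_iface: Optional[str] = None         # "pppoe-out", "!vlan-10" (negated) or None = any
    dst_port: Optional[int] = None         # TCP destination port, None = any
    states: FrozenSet[str] = frozenset()   # connection-state values, empty = any
    iface_list: Optional[str] = None       # interface-list name, None = any

# Assumed interface list from mkx's post: pppoe-out and vlan60 may reach winbox.
INTERFACE_LISTS = {"winbox": {"pppoe-out", "vlan60"}}

def matches(rule: Rule, pkt: dict) -> bool:
    """True when every matcher set on the rule agrees with the packet."""
    if rule.in_iface is not None:
        negate = rule.in_iface.startswith("!")
        if (pkt["in"] == rule.in_iface.lstrip("!")) == negate:
            return False
    if rule.iface_list is not None and pkt["in"] not in INTERFACE_LISTS[rule.iface_list]:
        return False
    if rule.dst_port is not None and pkt["dport"] != rule.dst_port:
        return False
    if rule.states and pkt["state"] not in rule.states:
        return False
    return True

def evaluate(rules, pkt: dict) -> str:
    """First matching rule decides; a packet matching no rule is accepted."""
    for rule in rules:
        if matches(rule, pkt):
            return rule.action
    return "accept"

# The original poster's two rules, in the order given in the thread.
ORIGINAL = [Rule("accept", in_iface="pppoe-out", dst_port=8291),
            Rule("drop", in_iface="!vlan-10", dst_port=8291)]
# mkx's recommended ordering: established first, interface list, then drop all.
RECOMMENDED = [Rule("accept", states=frozenset({"established", "related", "untracked"})),
               Rule("accept", iface_list="winbox", dst_port=8291),
               Rule("drop")]

def winbox_pkt(iface: str, state: str = "new") -> dict:
    """A constructed TCP/8291 packet arriving on the given interface."""
    return {"in": iface, "dport": 8291, "state": state}

if __name__ == "__main__":
    for name, rules in (("original", ORIGINAL), ("recommended", RECOMMENDED)):
        for ifc in ("pppoe-out", "vlan-10", "vlan60", "ether13"):
            print(f"{name:12} new from {ifc:10} -> {evaluate(rules, winbox_pkt(ifc))}")
```

Running it reproduces the poster's symptom (a new vlan60 connection is dropped by the original pair while a vlan-10 one falls through to the default accept) and shows that under the recommended ordering only listed interfaces, or already established connections, reach port 8291.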
