pedroSwan
just joined
Topic Author
Posts: 18
Joined: Fri Jun 28, 2019 11:01 pm

Help needed with config

Tue Jul 02, 2019 9:01 pm

Hi all

I really am learning (steeply) with the MikroTik Router and I don't have enough fingers to count the times I have 'Reset Configuration' to get where I am, but you will think this is not very far.

I can't help but think I am missing something... Firewall rules for a start.

Here is my current config
[Pie@MikroTik] > /export hide-sensitive
# jul/02/2019 18:54:40 by RouterOS 6.44.3
# software id = 0273-900J
#
# model = 2011UiAS
# serial number = 444000000003
/interface pppoe-client
add add-default-route=yes disabled=no interface=ether1 name=pppoe-out1 use-peer-dns=yes user=\
    xxx@xxxxxxx.com
/interface list
add name=WAN
add name=LAN
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip pool
add name=dhcp ranges=192.168.1.5-192.168.1.120
/ip dhcp-server
add address-pool=dhcp disabled=no interface=ether3 name=dhcp1
/interface list member
add interface=pppoe-out1 list=WAN
add list=LAN
/ip address
add address=192.168.1.1/24 interface=ether3 network=192.168.1.0
/ip dhcp-server network
add address=192.168.1.0/24 gateway=192.168.1.1 netmask=24
/ip dns
set servers=8.8.8.8
/ip firewall nat
add action=masquerade chain=srcnat out-interface-list=WAN src-address=192.168.1.0/24
add action=dst-nat chain=dstnat dst-address=8x.xxx.xxx.xxx dst-port=xxxx protocol=udp to-addresses=\
    192.168.1.75 to-ports=xxxx
/ip service
set telnet disabled=yes
set ftp disabled=yes
set ssh disabled=yes
set api disabled=yes
set api-ssl disabled=yes
/system clock
set time-zone-name=Europe/London
So here is what I am looking to achieve:

1. Secure the router with some sensible Firewall rules
2. Installing a Squid Server on Ether2
3. Running a separate subnet on Ether4 10.0.0.0/24

I can't help but think my PPPoE at Ether1 needs a local address on a separate subnet to Ether3, which is my main home LAN.

I will be adding port forwards for 80, 161, 445 and 1094 for some VMware instances that sit on the Ether3 LAN.

Any and all help would be appreciated.

Thanks
MikroTik RB2011UiAS-RM
Firmware Type: ar9344
Current Firmware: 6.45.6
------
MikroTik RB2011UiAS-2HnD-IN
Current Firmware: 6.45.6
 
anav
Forum Guru
Posts: 3134
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Help needed with config

Wed Jul 03, 2019 8:31 pm

This is not a factory refresh, where are all the default firewall rules??
I hope you realize that the default rules are there to protect your router from being hacked!!
I'd rather manage rats than software. Follow my advice at your own risk! (Sob & mkx forced me to write that!)
 
pedroSwan
just joined
Topic Author
Posts: 18
Joined: Fri Jun 28, 2019 11:01 pm

Re: Help needed with config

Wed Jul 03, 2019 9:17 pm

Sorry yes. I had selected "No Default Configuration"

Here is what I have - correctly have!
[Pie@MikroTik] > /export
# jul/03/2019 19:12:04 by RouterOS 6.44.3
# software id = 02xx-xxxx
#
# model = 2011UiAS
# serial number = 44444444443
/interface bridge
add admin-mac=D4:xx:6D:xx:xx:xx auto-mac=no comment=defconf name=bridge
/interface pppoe-client
add add-default-route=yes disabled=no interface=ether1 name=pppoe-out1 password=xxxx use-peer-dns=yes \
    user=xxxx@xxxx.com
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip pool
add name=dhcp ranges=192.168.1.10-192.168.1.254
/ip dhcp-server
add address-pool=dhcp disabled=no interface=bridge name=defconf
/interface bridge port
add bridge=bridge comment=defconf interface=ether2
add bridge=bridge comment=defconf interface=ether3
add bridge=bridge comment=defconf interface=ether4
add bridge=bridge comment=defconf interface=ether5
add bridge=bridge comment=defconf interface=ether6
add bridge=bridge comment=defconf interface=ether7
add bridge=bridge comment=defconf interface=ether8
add bridge=bridge comment=defconf interface=ether9
add bridge=bridge comment=defconf interface=ether10
add bridge=bridge comment=defconf interface=sfp1
/ip neighbor discovery-settings
set discover-interface-list=LAN
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=ether1 list=WAN
add interface=pppoe-out1 list=WAN
/ip address
add address=192.168.1.1/24 comment=defconf interface=ether2 network=192.168.1.0
/ip dhcp-client
add comment=defconf dhcp-options=hostname,clientid interface=ether1
/ip dhcp-server network
add address=192.168.1.0/24 comment=defconf gateway=192.168.1.1 netmask=24
/ip dns
set allow-remote-requests=yes
/ip dns static
add address=192.168.1.1 name=router.lan
/ip firewall filter
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=drop chain=input comment="defconf: drop all not coming from LAN" in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=\
    established,related
add action=accept chain=forward comment="defconf: accept established,related, untracked" \
    connection-state=established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
add action=drop chain=forward comment="defconf:  drop all from WAN not DSTNATed" connection-nat-state=\
    !dstnat connection-state=new in-interface-list=WAN
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" ipsec-policy=out,none \
    out-interface-list=WAN
add action=dst-nat chain=dstnat dst-address=xxx.xxx.1.21 dst-port=1148 protocol=udp to-addresses=\
    192.168.1.xx to-ports=11488
/system clock
set time-zone-name=Europe/London
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN
[Pie@MikroTik] > 
 
anav
Forum Guru
Posts: 3134
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Help needed with config

Wed Jul 03, 2019 10:55 pm

I am curious why you elected to have /ip dhcp-server set to the bridge,
but then, assign /ip address to ether2

I am just curious as how assigning it to ether2 is going to magically translate to all the other ether ports?? ;-)

/ip neighbor discovery-settings
set discover-interface-list=LAN
I have seen this setting cause nothing but problems in the past.
Not sure why it's in the defaults, but I would set it to none or something. Perhaps someone else can chime in??

As for firewall rules........
input chain.
add action=drop chain=input comment="defconf: drop all not coming from LAN" in-interface-list=!LAN

This rule prevents any traffic to the router itself from anywhere but the LAN. This is good but not best. No device on the LAN should have unfettered access (all devices, all ports) to the router.
There are two cases where it makes sense: A. access for the admin (you) to manage the router (limit by IP or network), and B. for devices to use the router for DNS (limited by port).
Suggest replacing the above rule with the following three rules.
- allow admin access in-interface-list=LAN, source address (your PC IP), or use a source address list if you want to give access to your router from several PCs (your PC desktop and tablets and laptop, for example).
- allow DNS access from the LAN for port 53, both TCP and UDP
- block everything else, catch-all last rule
add chain=input action=drop comment='drop all other traffic'

Forward Chain
Seems okay for the most part.
I don't see where you have specifically allowed LAN to WAN traffic, so suggesting two rules.
- allow LAN to WAN traffic
- block everything else, catch-all rule last
add chain=forward action=drop comment='drop all other traffic'

The only other basic rules I normally include are the admin access to other networks or VLANs, if there are any.
In your case, with only one network, all connected via layer 2, it is not necessary.
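The input- and forward-chain layout described in the post above, carried through as an added example that is not part of the thread and is not anav's or MikroTik's own configuration. It assumes the LAN and WAN interface lists from the second export, keeps the defconf rules that precede the replaced drop rule, and uses an address list named admins whose two addresses (192.168.1.50 and 192.168.1.51) are constructed placeholders. Because a catch-all drop now ends the forward chain, the example also has to accept the dst-natted (port-forwarded) connections the first post mentions; without that accept, the VMware port forwards would be silently dropped.

```routeros
# Added example (not from the thread): management hosts that may reach the router itself.
# The two addresses are constructed placeholders; substitute your own admin PC/laptop IPs.
/ip firewall address-list
add list=admins address=192.168.1.50 comment="admin desktop (example address)"
add list=admins address=192.168.1.51 comment="admin laptop (example address)"

/ip firewall filter
# ---------- input chain: packets addressed to the router itself ----------
add chain=input action=accept connection-state=established,related,untracked \
    comment="accept established,related,untracked"
add chain=input action=drop connection-state=invalid comment="drop invalid"
add chain=input action=accept protocol=icmp comment="accept ICMP"
# replaces "drop all not coming from LAN": only the listed admin hosts get full access
add chain=input action=accept in-interface-list=LAN src-address-list=admins \
    comment="admin access from LAN"
# every other LAN device may only use the router as a DNS resolver (port 53)
add chain=input action=accept in-interface-list=LAN protocol=udp dst-port=53 \
    comment="DNS from LAN (UDP)"
add chain=input action=accept in-interface-list=LAN protocol=tcp dst-port=53 \
    comment="DNS from LAN (TCP)"
# catch-all: anything not matched above is dropped, including WinBox/SSH/HTTP from non-admin hosts
add chain=input action=drop comment="drop all other traffic"

# ---------- forward chain: packets routed through the router ----------
add chain=forward action=accept ipsec-policy=in,ipsec comment="accept in ipsec policy"
add chain=forward action=accept ipsec-policy=out,ipsec comment="accept out ipsec policy"
add chain=forward action=fasttrack-connection connection-state=established,related \
    comment="fasttrack"
add chain=forward action=accept connection-state=established,related,untracked \
    comment="accept established,related,untracked"
add chain=forward action=drop connection-state=invalid comment="drop invalid"
# the explicit LAN -> WAN allow that the default set relies on implicitly
add chain=forward action=accept in-interface-list=LAN out-interface-list=WAN \
    comment="allow LAN to WAN"
# required so the /ip firewall nat dst-nat (port-forward) entries still work under a catch-all drop
add chain=forward action=accept connection-nat-state=dstnat connection-state=new \
    in-interface-list=WAN comment="allow port-forwarded connections from WAN"
# catch-all: also makes the defconf "drop all from WAN not DSTNATed" rule redundant
add chain=forward action=drop comment="drop all other traffic"
```

Rules are evaluated top to bottom, so the order shown matters; confirm it with `/ip firewall filter print` and watch hit counts with `/ip firewall filter print stats` while testing from an admin and a non-admin host. Apply the change from a terminal with Safe Mode enabled (Ctrl+X) so that a mistake that cuts your own session is rolled back automatically; the `/tool mac-server mac-winbox` setting in the export also leaves MAC-WinBox from the LAN as a layer-2 fallback that the IP firewall does not filter.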
 
pedroSwan
just joined
Topic Author
Posts: 18
Joined: Fri Jun 28, 2019 11:01 pm

Re: Help needed with config

Wed Jul 03, 2019 11:31 pm

I am curious why you elected to have /ip dhcp-server set to the bridge,
but then, assign /ip address to ether2
I am just curious as how assigning it to ether2 is going to magically translate to all the other ether ports?? ;-)
:D If you are curious then I certainly am. I'm not really sure how I have done that. What would you suggest as a better config for this.

As I say I'm looking to achieve

Ether2 Installing a Squid Server on Ether2 192.168.3.1 to capture all traffic
Ether3 Separate subnet with DHCP in the network 192.168.1.0
Ether4 Separate subnet with DHCP in the network 10.0.0.0/24
/ip neighbor discovery-settings
set discover-interface-list=LAN
I have seen this setting cause nothing but problems in the past.
Not sure why its in the defaults but I would set it to none or something. Perhaps someone else can chime in??
Will do.


Think the bottom line is I have come into this in the hope of learning but the curve is steep. Really very grateful for the assistance though.
Last edited by pedroSwan on Wed Jul 03, 2019 11:37 pm, edited 1 time in total.
 
anav
Forum Guru
Posts: 3134
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Help needed with config

Thu Jul 04, 2019 4:43 am

No worries sometimes I think I am only one config step ahead of you LOL.
The point being that you should not even consider different designs on the other ethers until you understand what you are doing with one ether.
So, that being said, you decided to make the BRIDGE responsible for DHCP networking, but then were not consistent and assigned the IP addressing of the network to ether2, where it should have been on the bridge as well, forgetting that you had your network in the simple setup being served up on all the other ether ports.

However, as per the references provided, I don't subscribe to having the bridge doing anything else than bridging/VLAN filtering.
Thus I would create a VLAN for my first network (think of this as your main home LAN). Call it vlan11.
Then, for all your other LANs, decide on another VLAN number and go from there.
That way neither the ether ports nor the bridge are saddled with DHCP servers or IP addresses or the like; they are simply ports that VLANs run on.

First though suggest you read........
viewtopic.php?t=143620
 
mkx
Forum Guru
Posts: 3223
Joined: Thu Mar 03, 2016 10:23 pm

Re: Help needed with config

Thu Jul 04, 2019 8:26 am

No worries sometimes I think I am only one config step ahead of you LOL.
I'd hate to think that @pedroSwan might be at the edge of an abyss ... ;-)

Ether2 Installing a Squid Server on Ether2 192.168.3.1 to capture all traffic
Ether3 Separate subnet with DHCP in the network 192.168.1.0
Ether4 Separate subnet with DHCP in the network 10.0.0.0/24
When running separate IP subnets (call them L3 or layer-3 networks) they might, but really should not, share the same broadcast domain (call it L2 or layer-2); mind that a bridge more or less intelligently joins different interfaces into the same L2 domain. Proper separation of L3 subnets calls for distinct L2 domains. You can do it in two ways:
  1. If you will only use one ethernet interface per L2 domain, then you can remove those interfaces from the bridge and set L3 (IP) functions directly on those interfaces. In this case your RB2011 will route between L3 subnets (depending on firewall rules).
  2. If you'll use the RB2011 as a switch for some of those L2 subnets as well (i.e. more than one port will be part of the same L2 domain serving the same L3 subnet), then you should follow the path recommended by @anav. The idea behind this is that by using VLANs one can partition a smart ethernet switch into two or more logical switches, but all interfaces are actually untagged; devices connected to them know nothing about VLANs.
    In this case you'll have to create vlan interfaces and you'll add the L3 (IP) setup to those interfaces.
BR,
Metod
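Option 1 from the post above, carried through against the second export in this thread as an added example; it is not mkx's, anav's or MikroTik's own configuration. It assumes the layout pedroSwan listed (ether3 serving 192.168.1.0/24, ether4 serving 10.0.0.0/24), leaves ether2 on the bridge because the Squid design is not settled, and uses an address list named admins with one constructed address (192.168.1.50) to decide which hosts may cross between the two subnets. The pool name pool-ether4 and server name dhcp-ether4 are assumptions.

```routeros
# Added example (not from the thread): one ethernet port per L2 domain, IP functions on the port itself.
# Assumed layout: ether3 = 192.168.1.0/24 home LAN, ether4 = 10.0.0.0/24 second subnet.

# 1. take the two ports out of the bridge so they stop sharing its broadcast domain
/interface bridge port
remove [ find interface=ether3 ]
remove [ find interface=ether4 ]

# 2. move the defconf address from ether2 to ether3 and add the second subnet on ether4
/ip address
remove [ find interface=ether2 ]
add address=192.168.1.1/24 interface=ether3 network=192.168.1.0 comment="home LAN"
add address=10.0.0.1/24 interface=ether4 network=10.0.0.0 comment="second subnet"

# 3. one DHCP server per port, each with its own pool (defconf keeps the existing 192.168.1.x pool)
/ip pool
add name=pool-ether4 ranges=10.0.0.10-10.0.0.254
/ip dhcp-server
set [ find name=defconf ] interface=ether3
add name=dhcp-ether4 interface=ether4 address-pool=pool-ether4 disabled=no
/ip dhcp-server network
add address=10.0.0.0/24 gateway=10.0.0.1 dns-server=10.0.0.1 comment="second subnet"

# 4. keep both ports in the LAN list so the existing input, forward and srcnat rules still match them
/interface list member
add interface=ether3 list=LAN
add interface=ether4 list=LAN

# 5. the router now routes between the subnets; state explicitly what may cross.
#    Only hosts on the admins list (constructed address) may open connections to 10.0.0.0/24;
#    replies come back through the established,related rule. Nothing else crosses.
/ip firewall address-list
add list=admins address=192.168.1.50 comment="admin desktop (example address)"
/ip firewall filter
add chain=forward action=accept in-interface=ether3 out-interface=ether4 \
    src-address-list=admins comment="admin hosts may reach second subnet"
add chain=forward action=drop in-interface=ether3 out-interface=ether4 \
    comment="no other home LAN host may reach second subnet"
add chain=forward action=drop in-interface=ether4 out-interface=ether3 \
    comment="second subnet may not reach home LAN"
```

Because filter rules are matched in order, the three forward rules must sit above any catch-all drop and below the established,related accept; check the resulting order with `/ip firewall filter print` and use `/ip firewall filter move` to reposition them if they were appended at the end. The masquerade rule in the export matches on out-interface-list=WAN with no source restriction, so both subnets reach the internet without a second NAT rule.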
 
anav
Forum Guru
Posts: 3134
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Help needed with config

Thu Jul 04, 2019 2:26 pm

@mkx the effing comedian. Thanks for my morning chuckle mate!!
As for the OP, see how quickly one can go down a rabbit hole.............. you have to watch out for these experts, they usually work in thin air and find it hard to relate to normal people.

As for future plans the best thing is to provide a diagram of your intended network which helps take some guesswork out of written explanations.
 
pedroSwan
just joined
Topic Author
Posts: 18
Joined: Fri Jun 28, 2019 11:01 pm

Re: Help needed with config

Thu Jul 04, 2019 5:21 pm

Thanks guys... I'm heading over to the link you sent, anav..... via my ever deepening rabbit hole :)

Hands-on learning is definitely the way for me (with you guys' help). Thanks again for the patience!
 
anav
Forum Guru
Posts: 3134
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Help needed with config

Thu Jul 04, 2019 7:28 pm

Thanks guys... I'm heading over to the link you sent, anav..... via my ever deepening rabbit hole :)

Hands-on learning is definitely the way for me (with you guys' help). Thanks again for the patience!
No worries, you are doing better than I already. I completely ignored mkx at the beginning LOL. (It was as if we were already married ;-P)
