shibs
just joined
Topic Author
Posts: 2
Joined: Sat Jan 04, 2020 6:33 pm

Do I have my firewall rules and VLANs correct?

Sat Jan 04, 2020 7:21 pm

My router (hAP AC2) is set up but restored to default in case something is quite wrong.

VLAN10: Main (it will get a rule for intervlan access)
VLAN20: Another VLAN setup, nothing yet, maybe Chromecast and related devices here or in iot
VLAN30: No initiating connections out, smart devices that seem to sniff network/upload, no WAN/intervlan
VLAN40: Regular iot, no intervlan
VLAN50: Guest network, no intervlan, default forwarding off
VLAN99: management vlan

Right now, the management VLAN has ether4 and wifi; wifi will be removed once everything is set up, it was good in case access was lost via ethernet. All VLANs can access the router right now to change settings.

Ether5-trunk goes to a L2 switch. Everything might get moved to it for a router on a stick.

My config:
#RouterOS 6.46.1
# software id = 
#
# model = RBD52G-5HacD2HnD
# serial number =
/interface bridge
add name=bridge protocol-mode=none vlan-filtering=yes
/interface ethernet
set [ find default-name=ether1 ] name=ether1-WAN
set [ find default-name=ether4 ] name=ether4-mgmt
set [ find default-name=ether5 ] name=ether5-trunk
/interface wireless
set [ find default-name=wlan1 ] band=2ghz-b/g/n channel-width=20/40mhz-XX \
    disabled=no distance=indoors frequency=auto installation=indoor mode=\
    ap-bridge name=wlan-2ghz ssid=main wireless-protocol=802.11
set [ find default-name=wlan2 ] band=5ghz-a/n/ac channel-width=\
    20/40/80mhz-XXXX disabled=no distance=indoors frequency=auto \
    installation=indoor mode=ap-bridge name=wlan-5ghz ssid=main \
    wireless-protocol=802.11
/interface vlan
add interface=bridge name=home-vlan vlan-id=10
add interface=bridge name=additional-vlan vlan-id=20
add interface=bridge name=block-vlan vlan-id=30
add interface=bridge name=iot-vlan vlan-id=40
add interface=bridge name=guest-vlan vlan-id=50
add interface=bridge name=mgmt-vlan vlan-id=99
/interface list
add name=WAN
add name=VLAN
add name=mgmt
/interface wireless security-profiles
set [ find default=yes ] authentication-types=wpa2-psk eap-methods="" mode=\
    dynamic-keys supplicant-identity=MikroTik
add authentication-types=wpa2-psk eap-methods="" mode=dynamic-keys name=guest \
    supplicant-identity=MikroTik
add authentication-types=wpa2-psk eap-methods="" mode=dynamic-keys name=iot \
    supplicant-identity=MikroTik
add authentication-types=wpa2-psk eap-methods="" mode=dynamic-keys name=mgmt \
    supplicant-identity=MikroTik
add authentication-types=wpa2-psk eap-methods="" mode=dynamic-keys name=block \
    supplicant-identity=MikroTik
/interface wireless
add disabled=no hide-ssid=yes keepalive-frames=disabled mac-address=\
    xx:xx:xx:xx:xx:xx master-interface=wlan-2ghz multicast-buffering=disabled \
    name=wlan-block security-profile=block ssid=block wds-cost-range=0 \
    wds-default-cost=0 wps-mode=disabled
add default-forwarding=no disabled=no keepalive-frames=disabled mac-address=\
    xx:xx:xx:xx:xx:xx master-interface=wlan-5ghz multicast-buffering=disabled \
    name=wlan-guest security-profile=guest ssid=guest wds-cost-range=0 \
    wds-default-cost=0 wps-mode=disabled
add disabled=no hide-ssid=yes keepalive-frames=disabled mac-address=\
    xx:xx:xx:xx:xx:xx master-interface=wlan-2ghz multicast-buffering=disabled \
    name=wlan-iot security-profile=iot ssid=iot wds-cost-range=0 \
    wds-default-cost=0 wps-mode=disabled
add disabled=no hide-ssid=yes mac-address=xx:xx:xx:xx:xx:xx master-interface=\
    wlan-5ghz name=wlan-mgmt security-profile=mgmt ssid=mgmt
/ip hotspot profile
set [ find default=yes ] html-directory=flash/hotspot
/ip pool
add name=home-pool ranges=10.0.10.10-10.0.10.150
add name=guest-pool ranges=10.0.50.10-10.0.50.150
add name=iot-pool ranges=10.0.40.10-10.0.40.150
add name=mgmt-pool ranges=192.168.99.10-192.168.99.150
add name=blocked-pool ranges=10.0.30.10-10.0.30.150
add name=additional-pool ranges=10.0.20.10-10.0.20.150
/ip dhcp-server
add address-pool=home-pool disabled=no interface=home-vlan name=home-dhcp
add address-pool=guest-pool disabled=no interface=guest-vlan name=guest-dhcp
add address-pool=iot-pool disabled=no interface=iot-vlan name=iot-dhcp
add address-pool=additional-pool disabled=no interface=additional-vlan name=\
    additional-dhcp
add address-pool=mgmt-pool disabled=no interface=mgmt-vlan name=mgmt-vlan
add address-pool=blocked-pool disabled=no interface=block-vlan name=\
    blocked-dhcp
/interface bridge port
add bridge=bridge frame-types=admit-only-untagged-and-priority-tagged \
    ingress-filtering=yes interface=ether2 pvid=40
add bridge=bridge frame-types=admit-only-untagged-and-priority-tagged \
    ingress-filtering=yes interface=ether3 pvid=10
add bridge=bridge frame-types=admit-only-untagged-and-priority-tagged \
    ingress-filtering=yes interface=ether4-mgmt pvid=99
add bridge=bridge frame-types=admit-only-vlan-tagged ingress-filtering=yes \
    interface=ether5-trunk
add bridge=bridge frame-types=admit-only-untagged-and-priority-tagged \
    ingress-filtering=yes interface=wlan-2ghz pvid=10
add bridge=bridge frame-types=admit-only-untagged-and-priority-tagged \
    ingress-filtering=yes interface=wlan-5ghz pvid=10
add bridge=bridge frame-types=admit-only-untagged-and-priority-tagged \
    ingress-filtering=yes interface=wlan-guest pvid=50
add bridge=bridge frame-types=admit-only-untagged-and-priority-tagged \
    ingress-filtering=yes interface=wlan-iot pvid=40
add bridge=bridge frame-types=admit-only-untagged-and-priority-tagged \
    ingress-filtering=yes interface=wlan-mgmt pvid=99
add bridge=bridge frame-types=admit-only-untagged-and-priority-tagged \
    ingress-filtering=yes interface=wlan-block pvid=30
/interface bridge vlan
add bridge=bridge tagged=bridge,ether5-trunk untagged=\
    ether3,ether4-mgmt,wlan-2ghz,wlan-5ghz vlan-ids=10
add bridge=bridge tagged=bridge,ether5-trunk vlan-ids=20
add bridge=bridge tagged=bridge untagged=wlan-guest vlan-ids=50
add bridge=bridge tagged=bridge,ether5-trunk untagged=wlan-iot,ether2 \
    vlan-ids=40
add bridge=bridge tagged=bridge untagged=wlan-mgmt vlan-ids=99
add bridge=bridge tagged=bridge untagged=wlan-block vlan-ids=30
/interface list member
add interface=ether1-WAN list=WAN
add interface=mgmt-vlan list=VLAN
add interface=guest-vlan list=VLAN
add interface=home-vlan list=VLAN
add interface=iot-vlan list=VLAN
add interface=additional-vlan list=VLAN
add interface=block-vlan list=VLAN
/ip address
add address=192.168.99.1/24 interface=mgmt-vlan network=192.168.99.0
add address=192.168.1.10/24 interface=ether1-WAN network=192.168.1.0
add address=10.0.10.1/24 interface=home-vlan network=10.0.10.0
add address=10.0.20.1/24 interface=additional-vlan network=10.0.20.0
add address=10.0.30.1/24 interface=block-vlan network=10.0.30.0
add address=10.0.40.1/24 interface=iot-vlan network=10.0.40.0
add address=10.0.50.1/24 interface=guest-vlan network=10.0.50.0
/ip dhcp-client
add comment=defconf disabled=no interface=ether1-WAN use-peer-dns=no
/ip dhcp-server network
add address=10.0.10.0/24 gateway=10.0.10.1
add address=10.0.20.0/24 gateway=10.0.20.1
add address=10.0.30.0/24 gateway=10.0.30.1
add address=10.0.40.0/24 gateway=10.0.40.1
add address=10.0.50.0/24 gateway=10.0.50.1
add address=192.168.99.0/24 gateway=192.168.99.1
/ip dns
set servers=1.1.1.1,1.0.0.1
/ip firewall filter
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid log=yes log-prefix="[INVALID]"
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment="Full access mgmt" in-interface=\
    mgmt-vlan
add action=accept chain=input comment=\
    "VLANs can access router services like DNS, Winbox" in-interface-list=\
    VLAN
add action=accept chain=input comment="allow lans to use router dns" \
    dst-port=53 in-interface-list=VLAN protocol=udp
add action=accept chain=input comment="allow lans to use router dns" \
    dst-port=53 in-interface-list=VLAN protocol=tcp
add action=drop chain=input comment="defconf: drop all not coming from mgmt" \
    in-interface=!mgmt-vlan
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
    ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
    ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
    connection-state=established,related
add action=accept chain=forward comment=\
    "defconf: accept established,related, untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid log=yes log-prefix="[INVALID]"
add action=drop chain=forward comment=\
    "Block Internet access from blocked-vlan" in-interface=block-vlan \
    out-interface-list=WAN
add action=accept chain=forward comment="VLAN Internet Access only" \
    connection-state="" in-interface-list=VLAN out-interface-list=WAN
add action=accept chain=forward comment=\
    "allow mgmt-vlan, maybe temp, will be home" in-interface=mgmt-vlan \
    out-interface-list=VLAN
add action=accept chain=forward comment=\
    "Allows port forwarding with the drop all rule" connection-nat-state=\
    dstnat log=yes log-prefix="[PFwd]"
add action=drop chain=forward comment=\
    "defconf:  drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
    connection-state=new in-interface-list=WAN log=yes log-prefix="[!NAT]"
add action=drop chain=forward comment="drop all else" log=yes log-prefix=\
    catchall-forward
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" \
    ipsec-policy=out,none out-interface-list=WAN
add action=dst-nat chain=dstnat comment=proxy dst-port=443 in-interface=\
    ether1-WAN log-prefix=proxy protocol=tcp to-addresses=10.0.10.150
add action=dst-nat chain=dstnat comment=proxy dst-port=80 in-interface=\
    ether1-WAN log-prefix=proxy protocol=tcp to-addresses=10.0.10.150
   
DNS couldn't resolve until I added these I believe.
add action=accept chain=input comment="allow lans to use router dns" \
dst-port=53 in-interface-list=VLAN protocol=udp
add action=accept chain=input comment="allow lans to use router dns" \
dst-port=53 in-interface-list=VLAN protocol=tcp

Connection state is just ""? Should it be new, left alone, or is it not needed at all?
add action=accept chain=forward comment="VLAN Internet Access only" \
connection-state="" in-interface-list=VLAN out-interface-list=WAN

Because of the drop rule at the end, this one can get removed:
add action=drop chain=forward comment=\
"defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
connection-state=new in-interface-list=WAN log=yes log-prefix="[!NAT]"

I'll see if it's better to allow inter-VLAN and block, or just allow certain VLANs access and have the drop rule take care of the rest.
add action=accept chain=forward comment="VLAN inter-VLAN routing" in-interface-list=VLAN
Or is an out-interface also needed?

Do you have any recommendations or concerns with my router connecting to the internet?

I'll try getting the Chromecast working in iot to the main and guest vlans.

Using iperf3, I take a hit to inter-VLAN routing speed and the CPU can spike to 25%; there might have been a hit for intra-VLAN traffic between ports as well.
I didn't get the switch chip on the router working. Would it only give wirespeed for intravlan?
If bridge filtering is used, would a L3 switch have to handle the routing with the L2 hanging off it?
Would one of these work or is there another recommendation?
CRS106-1C-5S
CRS305-1G-4S+IN
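Added worked example (not from the original poster, and not RouterOS code): a small first-match evaluator that replays the forward chain from the posted export over constructed sample flows, so the questions above about connection-state="", the [!NAT] rule and inter-VLAN reachability can be checked mechanically instead of by eye. It embeds the post's forward rules and interface lists as its input, models only the matchers those rules use (connection-state, connection-nat-state, in/out-interface, in/out-interface-list, ipsec-policy) and assumes the sample flows are not IPsec; any other matcher raises a KeyError rather than silently mis-matching.

```python
"""First-match evaluator for the forward chain of the RouterOS filter rules
posted above.  Added example, not code from the post or from RouterOS: it
models only the matchers those forward rules use and answers "which VLAN can
open connections to which" from the export text itself."""
import shlex

# Forward-chain rules copied from the post's export (input chain omitted),
# reflowed onto fewer lines; one continuation is kept to exercise the joiner.
FORWARD_EXPORT = r'''
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
    ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related
add action=accept chain=forward comment="defconf: accept established,related, untracked" connection-state=established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid log=yes log-prefix="[INVALID]"
add action=drop chain=forward comment="Block Internet access from blocked-vlan" in-interface=block-vlan out-interface-list=WAN
add action=accept chain=forward comment="VLAN Internet Access only" connection-state="" in-interface-list=VLAN out-interface-list=WAN
add action=accept chain=forward comment="allow mgmt-vlan, maybe temp, will be home" in-interface=mgmt-vlan out-interface-list=VLAN
add action=accept chain=forward comment="Allows port forwarding with the drop all rule" connection-nat-state=dstnat log=yes log-prefix="[PFwd]"
add action=drop chain=forward comment="defconf:  drop all from WAN not DSTNATed" connection-nat-state=!dstnat connection-state=new in-interface-list=WAN log=yes log-prefix="[!NAT]"
add action=drop chain=forward comment="drop all else" log=yes log-prefix=catchall-forward
'''

# /interface list member from the post; the "mgmt" list exists but has no members.
INTERFACE_LISTS = {
    "WAN": {"ether1-WAN"},
    "VLAN": {"home-vlan", "additional-vlan", "block-vlan", "iot-vlan", "guest-vlan", "mgmt-vlan"},
    "mgmt": set(),
}
NON_MATCHERS = {"action", "chain", "comment", "log", "log-prefix"}
TERMINAL = {"accept", "drop", "reject"}
# Each matcher: value string (without a leading '!') and flow dict -> bool.
# Unknown matchers raise KeyError on purpose; the model must not guess.
MATCHERS = {
    "connection-state":     lambda v, f: f["state"] in v.split(","),
    "connection-nat-state": lambda v, f: f.get("nat") in v.split(","),
    "in-interface":         lambda v, f: f["in"] == v,
    "out-interface":        lambda v, f: f["out"] == v,
    "in-interface-list":    lambda v, f: f["in"] in INTERFACE_LISTS[v],
    "out-interface-list":   lambda v, f: f["out"] in INTERFACE_LISTS[v],
    "ipsec-policy":         lambda v, f: bool(f.get("ipsec")),  # assumption: samples are not IPsec
}

def parse_export(text):
    """Join backslash-continued lines, then split each 'add ...' line into a dict."""
    rules, buf = [], ""
    for raw in text.splitlines():
        line = raw.strip()
        if line.endswith("\\"):
            buf += line[:-1]
            continue
        tokens = shlex.split(buf + line)   # shlex strips the quotes around values
        buf = ""
        if tokens and tokens[0] == "add":
            rules.append(dict(tok.partition("=")[::2] for tok in tokens[1:]))
    return rules

def rule_matches(rule, flow):
    for key, value in rule.items():
        if key in NON_MATCHERS or value == "":   # connection-state="" leaves the matcher unset
            continue
        negate = value.startswith("!")
        if MATCHERS[key](value.lstrip("!"), flow) == negate:
            return False
    return True

def verdict(rules, flow, chain="forward"):
    """(action, comment) of the first terminating rule; RouterOS accepts at end of chain."""
    for rule in rules:
        if rule["chain"] == chain and rule_matches(rule, flow):
            if rule["action"] in TERMINAL:
                return rule["action"], rule["comment"]
            # fasttrack-connection only marks the connection; evaluation continues
    return "accept", "end of chain"

def flow(src, dst, state="new", **extra):
    """Constructed sample packet: a connection entering src and leaving via dst."""
    return {"in": src, "out": dst, "state": state, **extra}

def reachability(rules):
    """Who can open new connections to whom, across every VLAN interface and the WAN."""
    ifaces = sorted(INTERFACE_LISTS["VLAN"]) + ["ether1-WAN"]
    return {(s, d): verdict(rules, flow(s, d))[0] for s in ifaces for d in ifaces if s != d}

def drop_rule(rules, log_prefix):
    """Copy of the rule set without the rule that logs with this prefix."""
    return [r for r in rules if r.get("log-prefix") != log_prefix]

RULES = parse_export(FORWARD_EXPORT)

if __name__ == "__main__":
    for (s, d), action in reachability(RULES).items():
        print(f"{s:>16} -> {d:<16} {action}")
    print(verdict(RULES, flow("ether1-WAN", "home-vlan", nat="dstnat")))
    print(verdict(RULES, flow("ether1-WAN", "home-vlan")))
    print(verdict(drop_rule(RULES, "[!NAT]"), flow("ether1-WAN", "home-vlan")))
```

Running it prints the 7x7 matrix of new-connection verdicts: every VLAN except block-vlan reaches the WAN, only mgmt-vlan reaches the other VLANs, everything else from a VLAN lands on "drop all else", and anything unsolicited from the WAN is dropped. The last two lines show the point about the [!NAT] rule: with it removed the unsolicited WAN flow is still dropped, but by the catch-all, so the log line carries the catchall-forward prefix instead of [!NAT]. To try the proposed inter-VLAN rule, append a rule dict before RULES[-1] with and without "out-interface-list" and compare the two matrices.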
 
shibs
just joined
Topic Author
Posts: 2
Joined: Sat Jan 04, 2020 6:33 pm

Re: Do I have my firewall rules and VLANs correct?

Mon Jan 13, 2020 10:59 pm

Just bumping this.
