pyko
just joined
Topic Author
Posts: 1
Joined: Mon Jan 11, 2021 9:03 pm

Basic firewall filter rules

Mon Jan 11, 2021 9:30 pm

Hello!

I'm new to MikroTik routers. I bought an RB1100x4 for my SOHO environment. RouterOS version 6.46.1.

The router is connected to my ISP modem over ether1. The ISP modem is my gateway, 192.168.0.1; the MikroTik router's address is 192.168.0.2. So this is my WAN side.
The LAN side I have divided into 3 bridges.
/interface list member
add interface=ether1 list=WAN
add interface=bridge1 list=LAN
add interface=bridge2 list=LAN
add interface=bridge3 list=LAN
And I have one VPN interface created.
/ip address
add address=192.168.0.2/24 interface=ether1 network=192.168.0.0
add address=192.168.1.1/24 interface=bridge1 network=192.168.1.0
add address=192.168.2.1/24 interface=bridge2 network=192.168.2.0
add address=192.168.3.1/24 interface=bridge3 network=192.168.3.0
My needs are the following:
1. all devices should be connected to the internet.
2. devices from bridge1 should not communicate with bridge2 and vice versa
3. bridge1 can communicate with bridge3 and bridge2 can communicate with bridge3
4. just one particular PC can connect to the VPN

All devices are connected to this MikroTik router, no other switches, so I did not configure any VLANs.

I have gone over all the basic configuration described in the documentation and managed to configure everything, and basically it works. What I'm not sure about is whether I set the firewall rules 100% correctly. It's the basic configuration from the MikroTik documentation site, to which I added some of my own needs.

In the address list, I'm not sure if it's OK that all my addresses should be in allowed_to_router?
/ip firewall address-list
add address=0.0.0.0/8 comment=RFC6890 list=not_in_internet
add address=172.16.0.0/12 comment=RFC6890 list=not_in_internet
add address=192.168.0.0/16 comment=RFC6890 list=not_in_internet
add address=10.0.0.0/8 comment=RFC6890 list=not_in_internet
add address=169.254.0.0/16 comment=RFC6890 list=not_in_internet
add address=127.0.0.0/8 comment=RFC6890 list=not_in_internet
add address=224.0.0.0/4 comment=Multicast list=not_in_internet
add address=198.18.0.0/15 comment=RFC6890 list=not_in_internet
add address=192.0.0.0/24 comment=RFC6890 list=not_in_internet
add address=192.0.2.0/24 comment=RFC6890 list=not_in_internet
add address=198.51.100.0/24 comment=RFC6890 list=not_in_internet
add address=203.0.113.0/24 comment=RFC6890 list=not_in_internet
add address=100.64.0.0/10 comment=RFC6890 list=not_in_internet
add address=240.0.0.0/4 comment=RFC6890 list=not_in_internet
add address=192.88.99.0/24 comment="6to4 relay Anycast [RFC 3068]" list=not_in_internet
add address=192.168.0.2-192.168.0.254 list=allowed_to_router
add address=192.168.1.2-192.168.1.254 list=allowed_to_router
add address=192.168.2.2-192.168.2.254 list=allowed_to_router
add address=192.168.3.2-192.168.3.254 list=allowed_to_router
Firewall filter rules: is the order of these rules correct?
/ip firewall filter
add action=accept chain=input comment="default configuration" connection-state=established,related
add action=accept chain=input src-address-list=allowed_to_router
add action=accept chain=input protocol=icmp
add action=accept chain=forward comment="Allow VPN traffic from 192.168.1.33" out-interface=VPN src-address=192.168.1.33
add action=drop chain=forward comment="Deny traffic between bridge1 and bridge2" in-interface=bridge2 out-interface=bridge1
add action=fasttrack-connection chain=forward comment=FastTrack connection-state=established,related
add action=accept chain=forward comment="Established, Related" connection-state=established,related
add action=drop chain=forward comment="Drop invalid" connection-state=invalid log=yes log-prefix=invalid
add action=drop chain=forward comment="Drop tries to reach not public addresses from LAN" dst-address-list=not_in_internet in-interface-list=LAN out-interface-list=!LAN
add action=drop chain=forward comment="Drop incoming packets that are not NAT`ted" connection-nat-state=!dstnat connection-state=new in-interface-list=WAN 
add action=drop chain=forward comment="Drop incoming from internet which is not public IP" in-interface-list=WAN src-address-list=not_in_internet
add action=drop chain=forward comment="Drop packets from LAN that do not have LAN IP" in-interface-list=LAN src-address-list=!allowed_to_router
add action=jump chain=forward comment="jump to ICMP filters" jump-target=icmp protocol=icmp
add action=accept chain=icmp comment="echo reply" icmp-options=0:0 protocol=icmp
add action=accept chain=icmp comment="net unreachable" icmp-options=3:0 protocol=icmp
add action=accept chain=icmp comment="host unreachable" icmp-options=3:1 protocol=icmp
add action=accept chain=icmp comment="host unreachable fragmentation required" icmp-options=3:4 protocol=icmp
add action=accept chain=icmp comment="allow echo request" icmp-options=8:0 protocol=icmp
add action=accept chain=icmp comment="allow time exceed" icmp-options=11:0 protocol=icmp
add action=accept chain=icmp comment="allow parameter bad" icmp-options=12:0 protocol=icmp
add action=drop chain=icmp comment="deny all other types"
add action=drop chain=input
I have a web server and an FTP server; these are my NAT rules:
/ip firewall nat
add action=masquerade chain=srcnat comment="Internet" out-interface-list=WAN
add action=dst-nat chain=dstnat comment="Web server" dst-port=80 in-interface-list=WAN protocol=tcp to-addresses=192.168.1.22 to-ports=80
add action=dst-nat chain=dstnat comment="Ftp server" dst-port=21 in-interface-list=WAN protocol=tcp to-addresses=192.168.1.22 to-ports=21
add action=masquerade chain=srcnat comment="VPN" out-interface=VPN
Is there any correction to be made in the firewall and/or any suggestion for additional settings to these basic rules?

Many thanks in advance.
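The question above is really about first-match evaluation: RouterOS walks a chain top-down, the first rule whose matchers all hold decides the packet (a `jump` returns to the caller if the target chain ends without a match, and `fasttrack-connection` passes through to the next rule), and a built-in chain that runs out of rules accepts. The following Python script is an added example, not code from the post or from MikroTik: it transcribes the posted interface lists, address lists and forward chain into a tiny first-match simulator and walks constructed sample packets through it, so the effect of the posted order becomes visible. The packet model (a few fields and a connection state you assign by hand), the rule comments, the sample hosts and the placeholder Internet address 1.2.3.4 are all assumptions made for the example; it models only the forward and icmp chains.

```python
import ipaddress

INTERFACE_LISTS = {"WAN": {"ether1"}, "LAN": {"bridge1", "bridge2", "bridge3"}}  # as posted

# Address lists as posted (/ip firewall address-list); ranges are kept as (first, last).
ADDRESS_LISTS = {
    "not_in_internet": [ipaddress.ip_network(n) for n in (
        "0.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "10.0.0.0/8", "169.254.0.0/16",
        "127.0.0.0/8", "224.0.0.0/4", "198.18.0.0/15", "192.0.0.0/24", "192.0.2.0/24",
        "198.51.100.0/24", "203.0.113.0/24", "100.64.0.0/10", "240.0.0.0/4", "192.88.99.0/24")],
    "allowed_to_router": [tuple(map(ipaddress.ip_address, r)) for r in (
        ("192.168.0.2", "192.168.0.254"), ("192.168.1.2", "192.168.1.254"),
        ("192.168.2.2", "192.168.2.254"), ("192.168.3.2", "192.168.3.254"))],
}

def in_address_list(addr, name):
    """True if addr falls inside any network or first-last range of the named list."""
    addr = ipaddress.ip_address(addr)
    return any(e[0] <= addr <= e[1] if isinstance(e, tuple) else addr in e
               for e in ADDRESS_LISTS[name])

def rule(action, comment, **matchers):
    return {"action": action, "comment": comment, **matchers}

CHAINS = {
    "forward": [  # the posted forward chain, in the posted order (comments shortened)
        rule("accept", "VPN from 192.168.1.33", src_address="192.168.1.33", out_interface="VPN"),
        rule("drop", "deny bridge2 -> bridge1", in_interface="bridge2", out_interface="bridge1"),
        rule("fasttrack-connection", "FastTrack", connection_state={"established", "related"}),
        rule("accept", "established, related", connection_state={"established", "related"}),
        rule("drop", "drop invalid", connection_state={"invalid"}),
        rule("drop", "LAN -> not public", dst_address_list="not_in_internet",
             in_interface_list="LAN", out_interface_list="!LAN"),
        rule("drop", "WAN not dst-natted", connection_nat_state="!dstnat",
             connection_state={"new"}, in_interface_list="WAN"),
        rule("drop", "WAN from non-public source", in_interface_list="WAN",
             src_address_list="not_in_internet"),
        rule("drop", "LAN packet without LAN IP", in_interface_list="LAN",
             src_address_list="!allowed_to_router"),
        rule("jump", "jump to ICMP filters", jump_target="icmp", protocol="icmp"),
    ],
    "icmp": [rule("accept", "icmp " + t, icmp_options=t, protocol="icmp")
             for t in ("0:0", "3:0", "3:1", "3:4", "8:0", "11:0", "12:0")]
            + [rule("drop", "deny all other ICMP types")],
}

def matches(spec, pkt):
    """All matchers of one rule must hold (ANDed, as in RouterOS); a leading '!' negates."""
    for key, want in spec.items():
        if key in ("action", "comment", "jump_target"):
            continue
        negate = isinstance(want, str) and want.startswith("!")
        name = want[1:] if negate else want
        if key == "connection_state":
            hit = pkt["connection_state"] in want
        elif key.endswith("_interface_list"):   # in_/out_interface_list
            hit = pkt[key[:-5]] in INTERFACE_LISTS[name]
        elif key.endswith("_address_list"):     # src_/dst_address_list
            hit = in_address_list(pkt[key[:-5]], name)
        else:                                   # plain equality: interfaces, addresses, protocol, nat state
            hit = pkt.get(key) == name
        if hit == negate:
            return False
    return True

def walk(pkt, chain, trace):
    """Top-down walk of one chain; returns the terminating action, or None if the chain ran out."""
    for r in CHAINS[chain]:
        if not matches(r, pkt):
            continue
        trace.append(f"{chain}: '{r['comment']}' -> {r['action']}")
        if r["action"] == "fasttrack-connection":
            continue                     # marks the connection, then passes to the next rule
        if r["action"] != "jump":
            return r["action"]
        result = walk(pkt, r["jump_target"], trace)
        if result is not None:           # None means the target chain returned to us
            return result
    return None

def verdict(pkt):
    """(final action, rules touched); a built-in chain with no matching rule accepts."""
    trace = []
    return (walk(pkt, "forward", trace) or "accept"), trace

def packet(src, dst, in_if, out_if, state, proto="tcp", **extra):
    return {"src_address": src, "dst_address": dst, "in_interface": in_if,
            "out_interface": out_if, "connection_state": state, "protocol": proto, **extra}

# Constructed sample packets; 1.2.3.4 stands in for an arbitrary Internet host.
SAMPLES = {
    "bridge1 -> bridge2, new": packet("192.168.1.10", "192.168.2.10", "bridge1", "bridge2", "new"),
    "bridge2 -> bridge1, reply": packet("192.168.2.10", "192.168.1.10", "bridge2", "bridge1", "established"),
    "WAN -> web server, dst-natted": packet("1.2.3.4", "192.168.1.22", "ether1", "bridge1", "new", connection_nat_state="dstnat"),
    "WAN -> LAN, unsolicited": packet("1.2.3.4", "192.168.1.50", "ether1", "bridge1", "new"),
    "other PC -> VPN, new": packet("192.168.1.10", "1.2.3.4", "bridge1", "VPN", "new"),
    "LAN -> WAN, ICMP echo": packet("192.168.1.10", "1.2.3.4", "bridge1", "ether1", "new", "icmp", icmp_options="8:0"),
}

if __name__ == "__main__":
    for label, pkt in SAMPLES.items():
        print(label, "=>", verdict(pkt))
```

Running it prints, per sample, the final action and the rules that fired. Two results are worth reading against requirements 2 and 4 in this model: the first packet of a connection from bridge1 to bridge2 reaches the end of the chain and is accepted by the chain default, while its reply from bridge2 is dropped by the bridge2-to-bridge1 rule that sits above the established/related accept; and a new connection from a LAN host other than 192.168.1.33 out of the VPN interface is also accepted by default, because nothing after the accept rule drops other sources. On a real box the same reasoning can be checked against the per-rule packet counters RouterOS keeps.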
