David1234
Forum Guru
Topic Author
Posts: 1315
Joined: Sun Sep 18, 2011 7:00 pm

Block Connection to router

Sun Jan 31, 2021 1:17 pm

Hello,
I need some guidance.
I have a router and I want to block connections to the router itself, not to the network behind it (I have many NAT rules behind it).

Is what I did good enough to avoid/block unwanted connections to it?
/ip firewall filter
add action=add-src-to-address-list address-list=Connection address-list-timeout=none-dynamic chain=input comment=InsertToRouter dst-port=21,8291 protocol=tcp
add action=accept chain=input dst-port=21,8291 protocol=tcp
add action=add-src-to-address-list address-list=Connection address-list-timeout=none-dynamic chain=input comment=OpenVPN dst-port=1194 protocol=tcp
add action=accept chain=input dst-port=1194 protocol=tcp
add chain=input action=accept protocol=gre log=no log-prefix="" comment=GRETunnel
add action=add-src-to-address-list address-list=DropTCP address-list-timeout=none-dynamic chain=input comment="Drop Unknown TCP Connection to Router" protocol=tcp
add action=drop chain=input protocol=tcp
 
anav
Forum Guru
Posts: 6136
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Block Connection to router

Sun Jan 31, 2021 3:34 pm

Here is where you should start!!!!!!!

Default rules.........

/ip firewall filter
add action=accept chain=input comment=\
"defconf: accept established,related,untracked" connection-state=\
established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment=\
"defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
(if not using capsman this rule can be removed)
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
disabled=yes in-interface-list=!LAN


Now you want to add your own rules.
1. admin access to the router
2. user access to services if required (DNS, NTP)
3. drop all other traffic (and remove the "drop all not coming from LAN" rule above, as it will be covered by the drop rule).

Ex.
Default rules........
/ip firewall filter
add action=accept chain=input comment=\
"defconf: accept established,related,untracked" connection-state=\
established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment="allow admin access" \
in-interface-list=LAN src-address-list=adminaccess

add action=accept chain=input comment="Allow LAN DNS queries - TCP" \
connection-state=new dst-port=53 in-interface-list=LAN protocol=tcp
add action=accept chain=input comment="Allow LAN DNS queries-UDP" \
connection-state=new dst-port=53 in-interface-list=LAN protocol=udp

{ ADD back your VPN rules here }
add action=drop chain=input comment="Drop All Else"


NOTES:
You do not need to detail the ports in the input chain for winbox access.
Also, why would you want FTP (21) to have anything to do with external access to the router? It is not a secure protocol. Nor winbox directly (only from within the LAN).
Add back in whatever you need for IPSEC (VPN).

But hold on!!
What is the purpose of this rule........ ????? What does it accomplish??? Are you allowing anyone trying to connect on a certain port access to the router???
add action=add-src-to-address-list address-list=Connection address-list-timeout=none-dynamic chain=input comment=OpenVPN dst-port=1194 protocol=tcp
This seems inherently wrong and dangerous. Typically a VPN connection allows one to connect to an internal network, and then and only then do you allow that connection access to the router (from behind the router). What you are doing may be a huge security risk.
I'd rather manage rats than software. Follow my advice at your own risk! (Sob & mkx forced me to write that!)
MTUNA Certified, by the Ascerbic Llama!
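To make the order-of-evaluation point above concrete, here is a small first-match simulator for a RouterOS input chain. It is an added example, not code from this thread and not a MikroTik tool. It joins the `\`-continued export lines, parses each `add` line into key=value matchers, and walks the rules top to bottom: `add-src-to-address-list` is a passthrough action (it records the source and evaluation continues), `accept`/`drop` terminate, and a packet that matches no rule falls through to the chain's default accept, which is how RouterOS filter chains behave. The two rule strings are the posted ruleset and the recommended layout from this thread (with the `{ ADD back your VPN rules here }` placeholder left out); the packets, addresses and the `adminaccess` list membership are constructed samples. Running it shows that the posted ruleset accepts winbox (8291) from any source, and that its catch-all only covers TCP, so anything that is not TCP or GRE is accepted by default, whereas the recommended layout drops both.

```python
"""First-match simulator for a RouterOS /ip firewall filter input chain (added example)."""
import shlex
from dataclasses import dataclass
from typing import Optional

# Constructed sample 1: the original poster's input chain as exported in the thread.
POSTED_RULES = """\
add action=add-src-to-address-list address-list=Connection address-list-timeout=none-dynamic chain=input comment=InsertToRouter dst-port=21,8291 protocol=tcp
add action=accept chain=input dst-port=21,8291 protocol=tcp
add action=add-src-to-address-list address-list=Connection address-list-timeout=none-dynamic chain=input comment=OpenVPN dst-port=1194 protocol=tcp
add action=accept chain=input dst-port=1194 protocol=tcp
add chain=input action=accept protocol=gre log=no log-prefix="" comment=GRETunnel
add action=add-src-to-address-list address-list=DropTCP address-list-timeout=none-dynamic chain=input comment="Drop Unknown TCP Connection to Router" protocol=tcp
add action=drop chain=input protocol=tcp
"""

# Constructed sample 2: the recommended layout (defaults, admin, services, drop all else),
# with the "{ ADD back your VPN rules here }" placeholder omitted.
RECOMMENDED_RULES = """\
add action=accept chain=input comment=\\
"defconf: accept established,related,untracked" connection-state=\\
established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\\
invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment="allow admin access" \\
in-interface-list=LAN src-address-list=adminaccess
add action=accept chain=input comment="Allow LAN DNS queries - TCP" \\
connection-state=new dst-port=53 in-interface-list=LAN protocol=tcp
add action=accept chain=input comment="Allow LAN DNS queries-UDP" \\
connection-state=new dst-port=53 in-interface-list=LAN protocol=udp
add action=drop chain=input comment="Drop All Else"
"""

# Keys that are not packet matchers (action, bookkeeping, logging).
NON_MATCHERS = {"action", "chain", "comment", "log", "log-prefix",
                "address-list", "address-list-timeout", "disabled"}


@dataclass
class Packet:
    protocol: str                    # "tcp", "udp", "icmp", "gre"
    src: str                         # source address (constructed samples below)
    dst_port: Optional[int] = None
    in_interface_list: str = "WAN"   # interface list the packet arrived on
    connection_state: str = "new"    # connection-tracking state


def parse_export(text: str) -> list:
    """Join backslash-continued lines and turn each 'add ...' into a dict of key=value."""
    rules, buf = [], ""
    for raw in text.splitlines():
        line = raw.rstrip()
        if line.endswith("\\"):          # RouterOS export continuation
            buf += line[:-1]
            continue
        buf += line
        tokens = shlex.split(buf)        # honours the quoted comment strings
        buf = ""
        if tokens and tokens[0] == "add":
            rules.append(dict(tok.split("=", 1) for tok in tokens[1:]))
    return rules


def matches(rule: dict, pkt: Packet, lists: dict) -> bool:
    """All matchers of a rule must hold (RouterOS ANDs the matchers of one rule)."""
    for key, val in rule.items():
        if key in NON_MATCHERS:
            continue
        if key == "protocol":
            ok = pkt.protocol == val
        elif key == "dst-port":
            ok = pkt.dst_port is not None and str(pkt.dst_port) in val.split(",")
        elif key == "connection-state":
            ok = pkt.connection_state in val.split(",")
        elif key == "in-interface-list":       # supports the "!LAN" negation form
            negated = val.startswith("!")
            ok = (pkt.in_interface_list == val.lstrip("!")) != negated
        elif key == "src-address-list":
            ok = pkt.src in lists.get(val, set())
        else:
            raise ValueError(f"matcher not modelled in this example: {key}")
        if not ok:
            return False
    return True


def evaluate(rules: list, pkt: Packet, lists: Optional[dict] = None) -> tuple:
    """Walk the input chain top to bottom; return (verdict, rule comment or index)."""
    lists = {} if lists is None else lists
    for i, rule in enumerate(rules):
        if rule.get("disabled") == "yes" or rule.get("chain") != "input":
            continue
        if not matches(rule, pkt, lists):
            continue
        if rule["action"] == "add-src-to-address-list":
            lists.setdefault(rule["address-list"], set()).add(pkt.src)
            continue                      # passthrough: keep evaluating the next rule
        return rule["action"], rule.get("comment", f"rule {i}")
    return "accept", "chain default (no rule matched)"


if __name__ == "__main__":
    posted, recommended = parse_export(POSTED_RULES), parse_export(RECOMMENDED_RULES)
    samples = [  # constructed packets, RFC 5737 / private addresses
        Packet("tcp", "203.0.113.5", 8291),                       # winbox from the Internet
        Packet("udp", "203.0.113.5", 1194),                       # OpenVPN-over-UDP from the Internet
        Packet("udp", "192.168.88.10", 53, "LAN"),                # LAN DNS query
        Packet("tcp", "198.51.100.7", 443, "WAN", "established"), # reply traffic
    ]
    for p in samples:
        print(p, "posted ->", evaluate(posted, p), "| recommended ->", evaluate(recommended, p))
```

`evaluate` takes an optional address-list dictionary so the effect of `add-src-to-address-list` rules can be inspected after a packet has been processed, and so an `adminaccess` list can be pre-populated to exercise the "allow admin access" rule.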
 
David1234
Forum Guru
Topic Author
Posts: 1315
Joined: Sun Sep 18, 2011 7:00 pm

Re: Block Connection to router

Tue Feb 02, 2021 9:24 am

When I disable this rule
add action=add-src-to-address-list address-list=Connection address-list-timeout=none-dynamic chain=input comment=OpenVPN dst-port=1194 protocol=tcp
my VPN connection from the remote computer is disconnected;
when I enable it, the connection is up again.

So how could that be?

Thanks,
 
anav
Forum Guru
Posts: 6136
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Block Connection to router

Tue Feb 02, 2021 7:39 pm

You will have to ask someone who is familiar with VPN.
I only use VPN to access the router from my smartphone when away from the house. IKEv2.
I do not connect to the router. I connect to the LAN, and from the LAN IP I then ensure I have admin permission to access the router.
 
CZFan
Forum Guru
Posts: 1976
Joined: Sun Oct 09, 2016 8:25 pm
Location: South Africa, Krugersdorp (Home town of Brad Binder)

Re: Block Connection to router

Tue Feb 02, 2021 8:05 pm

From the export you provided, I can't see any reason why disabling that rule would drop VPN connections, unless the export is not all the info.
MTCNA, MTCTCE, MTCRE & MTCINE