wassy83
newbie
Topic Author
Posts: 41
Joined: Fri Jul 21, 2017 5:41 pm

Which rules prevent access to services on the MikroTik?

Tue Feb 09, 2021 4:07 pm

Hi everyone,
I'm trying to understand some basic concepts following this basic guide on mikrotik's documentation
https://wiki.mikrotik.com/wiki/Tips_and ... f_RouterOS

which of these rules prevents access to services on the mikrotik itself (winbox, webfig, ssh etc)?

Create firewall filter rules to protect router from incoming (input) connections:
/ip firewall filter
 add chain=input comment="Accept established and related packets" connection-state=established,related
 add chain=input comment="Accept all connections from local network" in-interface=LAN
 add action=drop chain=input comment="Drop invalid packets" connection-state=invalid
 add action=drop chain=input comment="Drop all packets which are not destined to router's IP address" dst-address-type=!local
 add action=drop chain=input comment="Drop all packets which do not have unicast source IP address" src-address-type=!unicast
 add action=drop chain=input comment="Drop all packets from public internet which should not exist in public network" in-interface=WAN src-address-list=NotPublic
Create firewall filter rules to protect your local network from passing (forwards) connections:
/ip firewall filter
 add chain=forward comment="Accept established and related packets" connection-state=established,related
 add action=drop chain=forward comment="Drop invalid packets" connection-state=invalid
 add action=drop chain=forward comment="Drop new connections from internet which are not dst-natted" connection-nat-state=!dstnat connection-state=new in-interface=WAN
 add action=drop chain=forward comment="Drop all packets from public internet which should not exist in public network" in-interface=WAN src-address-list=NotPublic
 add action=drop chain=forward comment="Drop all packets from local network to internet which should not exist in public network" dst-address-list=NotPublic in-interface=LAN
 add action=drop chain=forward comment="Drop all packets in local network which do not have local network address" in-interface=LAN src-address=!192.168.88.0/24


Because with this configuration I can still access WebFig from the outside, so I added this rule to drop traffic directed to non-local networks:
/ip firewall filter
 add action=drop chain=input comment="Drop all packets from public internet which should not exist in public network" in-interface=WAN dst-address-list=NotPublic
 
Many thanks
 
mkx
Forum Guru
Forum Guru
Posts: 5422
Joined: Thu Mar 03, 2016 10:23 pm

Re: Which rules prevent access to services on the MikroTik?

Tue Feb 09, 2021 4:37 pm

which of these rules prevents access to services on the mikrotik itself (winbox, webfig, ssh etc)?

None, actually. The default firewall filter rules have this stanza at the end of the rules for chain=input:
add action=drop chain=input comment="defconf: drop all not coming from LAN" in-interface-list=!LAN

which is similar (or not, depending on interface list membership) to what you added. The rule above can actually replace rule #2 in your list of rules for chain=input; just be careful about its placement, because if misplaced it could block something you would like to allow.
BR,
Metod
 
WeWiNet
Long time Member
Long time Member
Posts: 523
Joined: Thu Sep 27, 2018 4:11 pm

Re: Which rules prevent access to services on the MikroTik?  [SOLVED]

Tue Feb 09, 2021 4:48 pm

You started from an "old" manual. At least the rules make no sense...
There is a newer and better one under this link: https://wiki.mikrotik.com/wiki/Manual:S ... our_Router

But the ultimate best is to start with the default FW rules on most devices after reset!

Apparently you have not yet read the Wiki and docs in more depth. You will have to do that to better understand all this.
Tweaking something without knowing what you do is very dangerous...

To make it short:
Input: Router itself, like Winbox/Webfig/Files/SSH... this should be closed as much as possible...
Forward: Traffic through the router, either LAN-LAN or LAN-WAN or WAN-LAN...

To start from a safe basis, do a SW upgrade to the latest stable (or long-term) SW release, then do a full reset and use the default config.
With that it is impossible to access the router from WAN.

As quick start, Mikrotik security has 3 aspects:
- User and access rights (incl. password, allowed address range etc.)
- IP services, enable/disable those not needed and define IP address from where available
- Firewall, preventing the connection by itself.

And: adapt as needed the bandwidth server, those MAC servers not used, and neighbour discovery.
WeWiNet

**
MTCNA
I like a new challenge, I migrate to ROS7... :? no way, finally I stay with 6.48! I am NOT crazy :lol: !!!
 
wassy83
newbie
Topic Author
Posts: 41
Joined: Fri Jul 21, 2017 5:41 pm

Re: Which rules prevent access to services on the MikroTik?

Tue Feb 09, 2021 4:58 pm

Thank you so much for your suggestions, you were very clear.
Thank you
 
anav
Forum Guru
Forum Guru
Posts: 6171
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Which rules prevent access to services on the MikroTik?

Tue Feb 09, 2021 6:08 pm

The easy answer for both input chain and forward chain is to put a simpler last rule.

add chain=forward (or) input action=drop comment="Drop All Else"

What this does is drop all traffic to the router (input chain) OR across the router wan to lan, lan to wan, lan to lan, that you have not EXPLICITLY stated above the drop rule as allowable traffic.

In the input chain the minimum is
a. allow admin to router (to be able to config router) and this needs to be done prior to invoking drop rule or you will lock yourself out.
b. allow services for users if required (optional: DNS port 53, NTP etc...)

In the forward chain the most usual ones are:
a. lan to wan traffic
b. any vlan to vlan traffic one wants to allow
c. port forwarding as a separate rule (plus commensurate dst nat rules)
d. admin to all subnets

One only needs the default rules, and to remove the default !LAN rule on the input chain
and the default !dstnat rule in the forward chain.
I'd rather manage rats than software. Follow my advice at your own risk! (Sob & mkx forced me to write that!)
MTUNA Certified, by the Ascerbic Llama!
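As an added illustration of the point made by mkx and anav above (this is example code, not from the thread or from MikroTik): a tiny first-match evaluator for the wiki's input chain as quoted in the question. It models a RouterOS chain as an ordered list where the first matching rule decides and a packet matching nothing is accepted, which is why a new WAN connection to WebFig passes the six wiki rules until a final "drop all not coming from LAN" / "Drop All Else" rule is appended. The Packet fields and the NotPublic flag are simplifications assumed here; the sample packets are constructed.

```python
from dataclasses import dataclass, field

@dataclass
class Packet:
    in_iface: str              # "WAN" or "LAN" (stands in for in-interface / in-interface-list)
    conn_state: str            # "new", "established", "related" or "invalid"
    dst_local: bool = True     # dst-address-type=local: destined to the router's own address
    src_unicast: bool = True   # src-address-type=unicast
    src_not_public: bool = False  # source is in the NotPublic (bogon) address list

@dataclass
class Rule:
    action: str = "accept"
    comment: str = ""
    match: dict = field(default_factory=dict)

    def matches(self, p: Packet) -> bool:
        # Every matcher must agree; a leading "!" negates, a tuple means "any of".
        for key, want in self.match.items():
            have = getattr(p, key)
            if isinstance(want, str) and want.startswith("!"):
                if have == want[1:]:
                    return False
            elif isinstance(want, tuple):
                if have not in want:
                    return False
            elif have != want:
                return False
        return True

def evaluate(rules, p: Packet, default: str = "accept"):
    """First-match semantics: a packet that matches no rule falls through to accept."""
    for r in rules:
        if r.matches(p):
            return r.action, r.comment
    return default, "implicit accept at end of chain"

# The wiki's input chain, in the order quoted in the question
WIKI_INPUT = [
    Rule("accept", "established,related", {"conn_state": ("established", "related")}),
    Rule("accept", "all from LAN", {"in_iface": "LAN"}),
    Rule("drop", "invalid", {"conn_state": "invalid"}),
    Rule("drop", "not to router IP", {"dst_local": False}),
    Rule("drop", "non-unicast source", {"src_unicast": False}),
    Rule("drop", "bogon source on WAN", {"in_iface": "WAN", "src_not_public": True}),
]
# mkx's defconf rule (in-interface-list=!LAN) / anav's "Drop All Else" appended last
HARDENED_INPUT = WIKI_INPUT + [Rule("drop", "drop all not coming from LAN", {"in_iface": "!LAN"})]

WEBFIG_FROM_WAN = Packet(in_iface="WAN", conn_state="new")  # constructed: new TCP/80 from the internet
```

evaluate(WIKI_INPUT, WEBFIG_FROM_WAN) returns an accept from the implicit end of chain, while evaluate(HARDENED_INPUT, WEBFIG_FROM_WAN) hits the appended drop; LAN-originated and established WAN packets are still accepted by the earlier rules.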
