 
techdat
just joined
Topic Author
Posts: 4
Joined: Sat Nov 18, 2017 9:18 pm

N00b - protecting router from external access

Sat Mar 27, 2021 12:34 am

Hi,

We have a router that serves:
  • external customers with public IP addresses
  • internal networks with public IP addresses
  • and internal private networks.

I just became involved with this router and discovered that SMTP is being abused from external sources by simply bouncing them on the router and making the router seem like it's running an open-relay (and this abuse is not being done through a socks proxy).

I searched around this forum and found a temporary solution at: autodetect and temporary block smtp out ... MTP_output

Analyzing the address lists helped provide insight into what is happening, and understandably the router's own WAN address is in the list.

Now, I am just going through the basics of securing the router and preventing input traffic from the internet, without affecting traffic destined for the downstream public networks that pass through this traffic. I have seen great advice of filter rules at the following places ... but just seeking confirmation that they will work in my scenario:

For example, in https://wiki.mikrotik.com/wiki/Tips_and ... c_internet, I am concerned that this rule will drop traffic going to downstream public networks since it's dependent on dst-nat (which is only applicable on internal private networks). Is this assumption correct?

There are also great suggestions here: https://wiki.mikrotik.com/wiki/Manual:S ... r#Firewall

Basically, I want to drop packets on the input chain that are not intended for:
  • downstream public networks (won't be nat'ed)
  • internal private networks (will be nat'ed)

Will appreciate any suggestions
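
The split the question turns on, as an added RouterOS example that is not part of the original post or of the wiki pages it links: the input chain only sees packets addressed to the router itself, while traffic to downstream networks (routed or NAT'ed) is handled in the forward chain, where a drop rule that depends on dst-nat has to be preceded by an accept for the routed public subnet. The interface name `ether1`, the list names and the addresses (documentation ranges) are assumptions.

```routeros
# Added example, not from the thread. Assumed names: ether1 = WAN uplink,
# 192.0.2.10 = management host, 198.51.100.0/24 = routed downstream public
# subnet (documentation ranges used as placeholders).

/ip firewall address-list
add list=mgmt address=192.0.2.10 comment="constructed: hosts allowed to manage the router"
add list=routed-public address=198.51.100.0/24 comment="constructed: downstream public subnet"

/ip firewall filter
# input chain: packets whose destination is the router itself.
# Forwarded traffic (public or NAT'ed) never traverses this chain.
add chain=input action=accept connection-state=established,related comment="replies to router-originated traffic"
add chain=input action=drop connection-state=invalid
add chain=input action=accept protocol=icmp
add chain=input action=accept src-address-list=mgmt
add chain=input action=drop in-interface=ether1 comment="everything else from WAN to the router"

# forward chain: packets routed through the router.
add chain=forward action=accept connection-state=established,related
add chain=forward action=drop connection-state=invalid
# Must sit above the dst-nat-dependent drop: routed public hosts are never
# dst-nat'ed, so without this rule new inbound connections to them are dropped.
add chain=forward action=accept in-interface=ether1 dst-address-list=routed-public comment="routed public subnet, no NAT involved"
add chain=forward action=drop in-interface=ether1 connection-state=new connection-nat-state=!dstnat comment="new WAN connections to NAT'ed networks need a dst-nat rule"
```

Rule order matters because the first matching rule wins; logging the final drop rules for a while before relying on them shows what they would catch.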
 
techdat
just joined
Topic Author
Posts: 4
Joined: Sat Nov 18, 2017 9:18 pm

Re: N00b - protecting router from external access

Tue Mar 30, 2021 12:06 am

I guess my question was too generalized to attract helpful responses ... will try to ask better questions next time.

On the whole, I think I have been able to glean enough information from the so many useful MikroTik help and wiki articles to grasp the fundamentals, and will keep gaining better insight as I go along ... often from trying things out, and logging them.
 
anav
Forum Guru
Posts: 19099
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: N00b - protecting router from external access

Tue Mar 30, 2021 4:04 am

My problem is I don't understand serve external customers........ what the heck do you mean.

You can provide public IPs to folks behind the router, and you can provide internal networks private behind the router.
However I have no idea how you serve external customers. Do you simply mean you have servers on your private LANs that external users access??
 
mkx
Forum Guru
Posts: 11433
Joined: Thu Mar 03, 2016 10:23 pm

Re: N00b - protecting router from external access

Tue Mar 30, 2021 8:51 am

I guess my question was too generalized to attract helpful responses ... will try to ask better questions next time.

The question was indeed very general.

On a side note: which particular MikroTik device type are you using? SOHO devices (most MikroTik devices except CCR, CRS and some high-end RB devices) come with a default firewall which pretty much takes care of what you've seen on your device. However, if your device came with older defaults (which had less optimal firewall settings) or if it came without default config, it's only too easy to have sub-optimal firewall rules. Unfortunately the internet is full of how-tos which are based on old defaults and/or are done by individuals without enough knowledge ... and MikroTik's own manuals don't document current defaults either.
 
DMCbr
just joined
Posts: 1
Joined: Thu Dec 02, 2021 4:55 pm

Re: N00b - protecting router from external access

Thu Dec 02, 2021 5:03 pm

Hi,
I have started working on a small ISP and we have a few MikroTik routers in here.
We have a problem that 4 internal IPs are visible for external access, making the security of some clients compromised.
So, how can we block these IPs from external access?

I think this topic covers my use case, so I will be reading and trying things.
But any specific suggestions will be welcome! I never used MikroTik before...
