Cloudrunner
just joined
Topic Author
Posts: 9
Joined: Wed Mar 10, 2021 8:18 pm

RouterOS input chain / protection from malicious guests

Fri Apr 23, 2021 11:40 am

I'm trying to understand the firewall filter input chain together with the best way of protecting my router from an untrusted guest.

As I understand it, the input chain comes into play when the router itself is an end point in a communication, say for talking to the router's management interface and/or using gateway type services provided by the router.

I have, incidentally, a hAP ac router running MikroTik RouterOS 6.48.1 and I have configured it with, almost exactly, the rule set published here by @pcunite viewtopic.php?f=23&t=143620 using the model: Router-Switch-AP (all in one)

The rule is here:

# Allow VLANs to access router services like DNS, Winbox. Naturally, you SHOULD make it more granular.
add chain=input action=accept in-interface-list=VLAN comment="Allow VLAN"

So how, in principle, do I make this more granular so that it offers some reasonable protection against malicious users on the guest VLAN?
I imagine that Winbox must, somehow, be disabled. Is there anything else?

I've seen this: https://help.mikrotik.com/docs/display/ ... t+Firewall but it doesn't really seem to address this issue, for example preventing access to management tools.
 
mfrey
newbie
Posts: 36
Joined: Wed Jan 06, 2021 12:31 am

Re: RouterOS input chain / protection from malicious guests

Fri Apr 23, 2021 2:46 pm

To make it more granular, you can create accept rules for all services you need to use and then drop the rest.

Something like this (haven't tested, just from the top of my head):
add action=accept chain=input comment="Input Accept DHCP from VLAN interfaces" \
    dst-port=67 in-interface-list=VLAN protocol=udp src-port=68
add action=accept chain=input comment="Input Accept DNS from VLAN interfaces" \
    dst-port=53 in-interface-list=VLAN protocol=udp
add action=accept chain=input comment="Input Accept Winbox from VLAN interfaces" \
    dst-port=8291 in-interface-list=VLAN protocol=tcp
add action=drop chain=input comment="Input Drop all other traffic from VLAN interfaces" \
    in-interface-list=VLAN
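The allow-list idea from the post above, worked through for a guest VLAN specifically. This is an added example, not mfrey's rules or anything from the MikroTik defaults: it assumes a guest VLAN interface named vlan50 on the bridge and an interface list named GUEST (both assumptions; rename to match your setup). It differs from the snippet above in three ways a practitioner would want: DNS is accepted over TCP as well as UDP, there is deliberately no Winbox rule for the guest list, and the final drop logs what it drops so the accept list can be tuned before logging is switched off.

```routeros
# Added example, not from the thread. Names vlan50 and GUEST are assumptions.
/interface list
add name=GUEST comment="untrusted guest VLANs"
/interface list member
add interface=vlan50 list=GUEST

/ip firewall filter
# DHCP discovery is a broadcast from 0.0.0.0:68 to 255.255.255.255:67, so it never
# matches an established/related rule and needs its own accept.
add chain=input action=accept in-interface-list=GUEST protocol=udp \
    src-port=68 dst-port=67 comment="guest: DHCP"
# DNS over both transports: replies larger than 512 bytes retry over TCP.
add chain=input action=accept in-interface-list=GUEST protocol=udp \
    dst-port=53 comment="guest: DNS UDP"
add chain=input action=accept in-interface-list=GUEST protocol=tcp \
    dst-port=53 comment="guest: DNS TCP"
# No Winbox (8291), WebFig (80/443), SSH or API rule for GUEST: anything not
# accepted above reaches this drop. log=yes while tuning, then set log=no.
add chain=input action=drop in-interface-list=GUEST log=yes \
    log-prefix="GUEST-INPUT-DROP" comment="guest: drop everything else"

# Checks: hit counters per rule, and what the drop rule has seen so far.
/ip firewall filter print stats where chain=input
/log print where message~"GUEST-INPUT-DROP"
```

Rule order matters: `add` appends to the end of the chain, so on a router that already carries the broad "Allow VLAN" accept from the original rule set these four rules must be placed before it (use `place-before=<rule number>` on each `add`, or move them in Winbox), and after the defconf accept for established,related,untracked so that reply packets are not logged as drops.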
 
Cloudrunner
just joined
Topic Author
Posts: 9
Joined: Wed Mar 10, 2021 8:18 pm

Re: RouterOS input chain / protection from malicious guests

Fri Apr 23, 2021 3:00 pm

OK. Thanks. That looks like a good approach. I'll set up logging on the "drop" action, so I can see if anything is missing from the accept list, and let it run for a bit.
The Winbox accept rule will, of course, apply only to the base (management) VLAN.
I can set it up later on today.
 
anav
Forum Guru
Posts: 19323
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: RouterOS input chain / protection from malicious guests

Fri Apr 23, 2021 3:34 pm

Here is my minimalist but safe setup.
(1) The idea being, as stated, to move from the default setup (which is safe but not targeted) and its concept of allow all and block what you don't want,
TO what the previous poster and most prefer: change the setup to BLOCK ALL by default and then state what is allowed.

(2) Correct in that the goal is to only allow the admin to have access to the router, but users/devices may need some services typically DNS.

(3) For VLAN to VLAN protection and any traffic to and from the LANs, the firewall rules in the forward chain come into play.
The same concept as above applies, modify the default rules, into a concept of block all except what you wish to allow.
All the rules above the +++++ line are default ones that we want to keep and the ones below are the ones the admin adds.
NOTE: In the input chain, do not put in the LAST RULE the DROP rule until the allow admin access rule is in place - otherwise one is locked out!
...
...
/ip firewall filter
{input chain}
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
+++++++++++++++++++++++++++++++++++++++++++++++++++++++++
add action=accept chain=input comment="Allow ADMIN to Router" \
    in-interface-list=MGMT src-address-list=adminaccess
add action=accept chain=input comment="Allow LAN DNS queries - TCP" \
    connection-state=new dst-port=53 in-interface-list=LAN protocol=tcp
add action=accept chain=input comment="Allow LAN DNS queries - UDP" \
    connection-state=new dst-port=53 in-interface-list=LAN protocol=udp
add action=drop chain=input comment="Drop All Else"
....
{forward chain}
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
    ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
    ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
    connection-state=established,related
add action=accept chain=forward comment=\
    "defconf: accept established,related, untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
+++++++++++++++++++++++++++++++++++++++++++++++++++++++++
add action=accept chain=forward comment="allow LAN to WAN traffic" \
    in-interface-list=LAN out-interface-list=WAN
{disable when not needed}
add action=accept chain=forward comment="Allow Port Forwarding" \
    connection-nat-state=dstnat connection-state=new in-interface-list=WAN
add action=drop chain=forward comment="drop all else"

(4) The input chain rule requiring the admin access firewall address list ensures only the LAN IPs identified have access to the router (via winbox for example). Typically one sets one's IPs through the router's DHCP leases as static, fixed IPs.
/ip firewall address-list
add address=ip_admin-desktop list=adminaccess
add address=ip_admin-laptop list=adminaccess
add address=ip_admin-smartphone list=adminaccess

(5) The other part of this rule as you may have noted is an interface-list=MGMT
Typically this is the scenario.

/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
add name=MGMT (optional)
add name=VlansWith-Internet (optional but if you don't allow all vlans to access internet this provides an easy way to config)

/interface list member
add comment=defconf interface=ether1 list=WAN
add interface=bridge list=LAN
add interface=vlan10 list=MGMT (this identifies the management lan typically the home lan the admin user is on)
+++++++++++++++++++++++++++++++++++++
add interface=ether5 list=LAN (if you have an emergency access port on the router to reach it for config purposes if bridge or main LAN gets funky)
add interface=ether5 list=MGMT (so as to be able to reach router from emerg access for config purposes)

(6) Can you guess where else we use MGMT?
Correct. Look at TOOLS MACSERVER.
Set WINBOX MAC server interface=MGMT.

(7) Go to IP Services and turn all services off except for WINBOX and possibly SSH as a backup
a. change the default port to something else but write it down!
b. in the Available From field, put in the subnets above that are applicable (vlan10 subnet and ether5 subnet)

(8) Go to SYSTEM Users and for the logins allowed to access winbox put in the same subnets as in b.

Thus you have in summary limited access to the router (for config purposes)
by login rules (username and password and subnets)
by winbox access (port number and subnets)
by firewall rules that limit access to winbox mac server
by firewall rules that limit access by subnets and IP addresses.
 
Cloudrunner
just joined
Topic Author
Posts: 9
Joined: Wed Mar 10, 2021 8:18 pm

Re: RouterOS input chain / protection from malicious guests

Fri Apr 23, 2021 10:29 pm

Thanks very much for that. It seems it covers all my needs, but I'll take some time to study it in detail to ensure I understand it all. The guest VLAN has DHCP configured so I guess I have to add that as well.
 
anav
Forum Guru
Posts: 19323
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: RouterOS input chain / protection from malicious guests

Fri Apr 23, 2021 10:35 pm

VLANs should be created with their interface being the bridge.
DHCP, address, etc. reference the VLAN name itself.
The VLAN is thus covered under the firewall rules for LAN.

/interface list member
add interface=bridge list=LAN

It is also covered under the LAN to WAN rules
in-interface-list=LAN out-interface-list=WAN

Now if you did have a whole bunch of VLANs and a few that didn't require internet one could create another interface list called VLANwith-Internet
/interface list member
add interface=vlan10 list=VLANwith-Internet
add interface=vlan20 list=VLANwith-Internet
add interface=vlan30 list=VLANwith-Internet

and thus your lan to wan firewall rule would be
in-interface-list=VLANwith-Internet out-interface-list=WAN

I hope that helps you understand the config a bit more.
 
Cloudrunner
just joined
Topic Author
Posts: 9
Joined: Wed Mar 10, 2021 8:18 pm

Re: RouterOS input chain / protection from malicious guests

Mon Apr 26, 2021 2:11 pm

Thanks. Just on this point from the earlier post:
(7) Go To IP Services and turn all services off except for WINBOX and possibly SSH as a backup
I've noticed that the MikroTik acquires for itself another IP address from the upstream router (the MikroTik is currently cascaded downstream of the ISP's router). Available on that address, at port 80, is Webfig.
I suppose I should keep Webfig for accessing the MikroTik directly from a PC without Winbox installed, but I'm not sure I like the MikroTik having a (another) presence in the upstream network. I can, of course, restrict the networks Webfig can be used from, but is there another way?
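Steps (6) to (8) of anav's earlier post, and the Webfig (www service) restriction mentioned in the post above, as one added configuration example. This is not anav's or Cloudrunner's config and not MikroTik's defaults: it assumes the management VLAN is 192.168.10.0/24, the emergency port ether5 carries 192.168.99.0/24, the MGMT interface list already exists, and 58291 is a constructed example port (all assumptions; substitute your own values). It also covers the option of keeping WebFig but confining it to the admin subnets, which is what stops it being reachable on the address the router picks up from the upstream network.

```routeros
# Added example, not from the thread. Subnets and the port number are assumptions.
/ip service
# (7) Everything off except Winbox and SSH.
disable telnet,ftp,www,www-ssl,api,api-ssl
# (7a/7b) Winbox on a non-default port; address= is an allow-list, and an empty
# address= means "from anywhere", so always set it on the services left enabled.
set winbox port=58291 address=192.168.10.0/24,192.168.99.0/24
set ssh address=192.168.10.0/24,192.168.99.0/24
# Alternative for a PC without Winbox: keep WebFig, but only from the admin subnets.
# Uncomment the two lines below instead of disabling www above.
# set www address=192.168.10.0/24,192.168.99.0/24
# enable www

# (6) MAC-level access (MAC Telnet, MAC Winbox, MAC ping) only on the MGMT list.
/tool mac-server
set allowed-interface-list=MGMT
/tool mac-server mac-winbox
set allowed-interface-list=MGMT
/tool mac-server ping
set enabled=no

# (8) The login itself is tied to the same subnets, independently of the firewall.
/user
set admin address=192.168.10.0/24,192.168.99.0/24

# Checks: only winbox and ssh (and optionally www) should show as enabled, each with
# a non-empty address column; mac-server entries should name MGMT, not "all".
/ip service print
/tool mac-server print
/tool mac-server mac-winbox print
/user print
```

Apply this from a session on the management VLAN, and keep that session open until `/ip service print` and a fresh Winbox login on the new port both confirm access, so that a typo in a subnet does not lock the router.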
