waynger
just joined
Topic Author
Posts: 19
Joined: Mon May 31, 2021 10:56 pm

trying to isolate ether5 from bridge on ether2-4

Fri Jun 04, 2021 8:24 am

I know this has been hashed over many times here, but I have been unable to duplicate any of those suggestions with success.
I have about 30 hours of part-time RouterOS experience, but I am a slow learner.
I have an RB750Gr3. I am trying to have WAN on ether1, my network on ether2,3,4 and a "guest" network on ether5, with internet available on ether2,3,4,5.
I reset the router and removed ether5 from the ether2,3,4,5 bridge that was present after the reset; this resulted in "my network" doing all I need on ether2,3,4.
This router is on an existing network (for my education and testing) but will ultimately replace my main router at some point.
On the existing network the router's address is 192.186.1.27.
My DHCP server using pool_quantar is red in the DHCP dropdown, and no luck getting any connection on ether5.
I am very, very confused as to what this second DHCP server requires.
This is an export of where I am at this point.

Any help appreciated

Wayne

# model = RB750Gr3
# serial number = C55D0BA9E24C
/interface bridge
add admin-mac=C4:AD:34:93:E6:7B auto-mac=no comment=defconf name=bridge
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip pool
add name=default-dhcp ranges=192.168.88.10-192.168.88.110
add name=dhcp_pool_quantar ranges=192.168.89.10-192.168.89.110
/ip dhcp-server
add address-pool=default-dhcp disabled=no interface=bridge name=defconf
add address-pool=dhcp_pool_quantar disabled=no interface=ether5 name=dhcp1
/interface bridge port
add bridge=bridge comment=defconf interface=ether2
add bridge=bridge comment=defconf interface=ether3
add bridge=bridge comment=defconf interface=ether4
/ip neighbor discovery-settings
set discover-interface-list=LAN
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=ether1 list=WAN
add interface=ether5 list=LAN
/ip address
add address=192.168.88.1/24 comment=defconf interface=bridge network=192.168.88.0
/ip dhcp-client
add comment=defconf disabled=no interface=ether1
/ip dhcp-server network
add gateway=0.0.0.1
add address=192.168.88.0/24 comment=defconf dns-server=192.168.88.1 gateway=192.168.88.1
/ip dns
set allow-remote-requests=yes
/ip dns static
add address=192.168.88.1 comment=defconf name=router.lan
/ip firewall filter
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment="defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=drop chain=input comment="defconf: drop all not coming from LAN" in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related
add action=accept chain=forward comment="defconf: accept established,related, untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
add action=drop chain=forward comment="defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
    connection-state=new in-interface-list=WAN
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" ipsec-policy=out,none out-interface-list=WAN
/system clock
set time-zone-name=America/Los_Angeles
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN
 
tdw
Forum Guru
Posts: 1843
Joined: Sat May 05, 2018 11:55 am

Re: trying to isolate ether5 from bridge on ether2-4

Fri Jun 04, 2021 12:29 pm

You are missing an IP address for the new network on ether5:
/ip address
add address=192.168.89.1/24 interface=ether5


Then the DHCP server network has been incorrectly/incompletely defined:
add gateway=0.0.0.1
should be
add address=192.168.89.0/24 dns-server=192.168.89.1 gateway=192.168.89.1
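As an added example (not code from the thread or from MikroTik), here is a small Python checker that parses the DHCP-related sections of an export like the one above and flags exactly what tdw spotted: a DHCP server bound to an interface that has no IP address, and a dhcp-server network entry with no subnet or with a gateway the router does not own. The two exports inside it are constructed excerpts of the original post and of the fixed state.

```python
"""Sanity-check a RouterOS export for the DHCP mistakes found in the thread.

Added example, not code from the thread or from MikroTik. It parses the
/ip address, /ip pool, /ip dhcp-server and /ip dhcp-server network sections
of an export and flags: a DHCP server bound to an interface with no IP
address (RouterOS flags such a server invalid, the red entry in the first
post), a pool outside that interface's subnet, and a dhcp-server network
entry with no subnet or with a gateway the router does not own.
Both exports below are constructed excerpts of the first post and its fix.
"""
import ipaddress
import shlex

BROKEN_EXPORT = """\
/ip pool
add name=default-dhcp ranges=192.168.88.10-192.168.88.110
add name=dhcp_pool_quantar ranges=192.168.89.10-192.168.89.110
/ip dhcp-server
add address-pool=default-dhcp disabled=no interface=bridge name=defconf
add address-pool=dhcp_pool_quantar disabled=no interface=ether5 name=dhcp1
/ip address
add address=192.168.88.1/24 comment=defconf interface=bridge network=192.168.88.0
/ip dhcp-server network
add gateway=0.0.0.1
add address=192.168.88.0/24 comment=defconf dns-server=192.168.88.1 gateway=192.168.88.1
"""

# tdw's two fixes applied: an address on ether5 and a proper network entry.
FIXED_EXPORT = BROKEN_EXPORT.replace(
    "/ip dhcp-server network\nadd gateway=0.0.0.1",
    "add address=192.168.89.1/24 interface=ether5\n/ip dhcp-server network\n"
    "add address=192.168.89.0/24 dns-server=192.168.89.1 gateway=192.168.89.1",
)


def parse_export(text):
    """Map each /section path to the list of `add` entries (dicts) under it.

    Exports wrap long lines with a trailing backslash, so join those first;
    shlex keeps quoted comments containing spaces as one token.
    """
    sections, current = {}, None
    for line in text.replace("\\\n", "").splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("/"):
            current = line
            sections.setdefault(current, [])
            continue
        tokens = shlex.split(line)
        if current is not None and tokens[0] == "add":
            sections[current].append(dict(t.partition("=")[::2] for t in tokens[1:]))
    return sections


def check_dhcp(sections):
    """Return human-readable findings; an empty list means the DHCP setup is consistent."""
    findings = []
    nets_on = {}  # interface -> [IPv4Interface, ...]
    for a in sections.get("/ip address", []):
        nets_on.setdefault(a["interface"], []).append(ipaddress.ip_interface(a["address"]))
    router_ips = {ip.ip for ips in nets_on.values() for ip in ips}
    pools = {p["name"]: p["ranges"] for p in sections.get("/ip pool", [])}

    for srv in sections.get("/ip dhcp-server", []):
        iface, name = srv.get("interface"), srv.get("name")
        if iface not in nets_on:
            findings.append(f"dhcp-server {name}: interface {iface} has no IP address, "
                            "so RouterOS flags the server invalid (red)")
            continue
        first = ipaddress.ip_address(pools[srv["address-pool"]].split("-")[0])
        if not any(first in ip.network for ip in nets_on[iface]):
            findings.append(f"dhcp-server {name}: pool {srv['address-pool']} is not in "
                            f"the subnet configured on {iface}")

    for net in sections.get("/ip dhcp-server network", []):
        gw = net.get("gateway")
        if "address" not in net:
            findings.append(f"dhcp-server network with gateway={gw} has no address= subnet defined")
            continue
        subnet = ipaddress.ip_network(net["address"], strict=False)
        if gw is None or ipaddress.ip_address(gw) not in router_ips:
            findings.append(f"dhcp-server network {subnet}: gateway {gw} is not an "
                            "address this router holds")
        elif ipaddress.ip_address(gw) not in subnet:
            findings.append(f"dhcp-server network {subnet}: gateway {gw} is outside the subnet")
    return findings


if __name__ == "__main__":
    for label, text in (("original", BROKEN_EXPORT), ("after tdw's fix", FIXED_EXPORT)):
        print(f"{label}:", check_dhcp(parse_export(text)) or ["OK"])
```

Run it against a full `/export` file to get the same two findings the thread walks through, and an empty list once both fixes are in.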
 
anav
Forum Guru
Posts: 19101
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: trying to isolate ether5 from bridge on ether2-4

Fri Jun 04, 2021 2:13 pm

tdw captured the glaring ether5 errors.

To answer your requirement, the last thing left to do is block traffic between the bridge and eth5 at L3 (firewall rules).
What we are going to do is take this rule, which allows port forwarding and stops all other WAN traffic, and make it far clearer to read:
add action=drop chain=forward comment="defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
connection-state=new in-interface-list=WAN


Instead of only blocking other WAN traffic we are going to stop ALL traffic and only allow what you specifically state should be allowed, and make a clear rule for port forwarding which you can disable for now:

add action=accept chain=forward comment="Allow Port Forwarding" connection-nat-state=dstnat \
connection-state=new in-interface-list=WAN
add action=drop chain=forward comment="Drop all else"

What you should pick up is that if we are dropping all other traffic then we need to also add internet access rules. Assuming both bridge and ether5 need this, add a rule before the drop rule:
add action=accept chain=forward in-interface-list=LAN out-interface-list=WAN
 
waynger
just joined
Topic Author
Posts: 19
Joined: Mon May 31, 2021 10:56 pm

Re: trying to isolate ether5 from bridge on ether2-4

Sun Jun 06, 2021 9:44 pm

Thank you TDW and ANAV for getting back to me!!!
A few explanations: I thought I would get an email telling me my thread was posted; either I missed it or whatever, so I have been busy trying things and resetting the router over and over, the result being I am not sure I have it exactly as it was in that first post. I implemented (I think) the information from TDW and here is an export. I will say that for the first time a machine on port 5 now has a lease and is connected, just no internet. I will keep looking things over to see what I left out. ANAV, I thought I would hold off on the firewall stuff until I get things working.
Thanks so much for the help!!
# serial number = C55D0BA9E24C
/interface bridge
add admin-mac=C4:AD:34:93:E6:7B auto-mac=no comment=defconf name=bridge
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip pool
add name=default-dhcp ranges=192.168.88.10-192.168.88.110
add name=dhcp_pool_quantar ranges=192.168.89.10-192.168.89.110
/ip dhcp-server
add address-pool=default-dhcp disabled=no interface=bridge name=defconf
add address-pool=dhcp_pool_quantar disabled=no interface=ether5 name=dhcp1
/interface bridge port
add bridge=bridge comment=defconf interface=ether2
add bridge=bridge comment=defconf interface=ether3
add bridge=bridge comment=defconf interface=ether4
/ip neighbor discovery-settings
set discover-interface-list=LAN
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=ether1 list=WAN
/ip address
add address=192.168.88.1/24 comment=defconf interface=bridge network=192.168.88.0
add address=192.168.89.1/24 comment=quantar interface=ether5 network=192.168.89.0
/ip dhcp-client
add comment=defconf disabled=no interface=ether1
/ip dhcp-server network
add address=192.168.88.0/24 comment=defconf gateway=192.168.88.1
add address=192.168.89.0/24 comment=quantar dns-server=192.168.89.1 gateway=192.168.89.1
/ip dns
set allow-remote-requests=yes
/ip dns static
add address=192.168.88.1 comment=defconf name=router.lan
/ip firewall filter
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment="defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=drop chain=input comment="defconf: drop all not coming from LAN" in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related
add action=accept chain=forward comment="defconf: accept established,related, untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
add action=drop chain=forward comment="defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
    connection-state=new in-interface-list=WAN
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" ipsec-policy=out,none out-interface-list=WAN
/system clock
set time-zone-name=America/Los_Angeles
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN
 
waynger
just joined
Topic Author
Posts: 19
Joined: Mon May 31, 2021 10:56 pm

Re: trying to isolate ether5 from bridge on ether2-4

Sun Jun 06, 2021 10:06 pm

OK! I added interface list member = ether5 and got internet!!

still trying to get my feet on the ground with this but looking a lot better!

Thanks
 
waynger
just joined
Topic Author
Posts: 19
Joined: Mon May 31, 2021 10:56 pm

Re: trying to isolate ether5 from bridge on ether2-4

Thu Jun 10, 2021 7:06 am

Getting to the firewall now. Do I understand correctly: delete this:
add action=drop chain=forward comment="defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
connection-state=new in-interface-list=WAN

and replace it with these three lines in its place?
add action=accept chain=forward comment="Allow Port Forwarding" connection-nat-state=dstnat \
connection-state=new in-interface-list=WAN
add action=drop chain=forward comment="Drop all else"

and add this line also ahead of the other three?
add action=accept chain=forward in-interface-list=LAN out-interface-list=WAN

Any help appreciated; here is my current code:
# serial number = C55D0BA9E24C
/interface bridge
add admin-mac=C4:AD:34:93:E6:7B auto-mac=no comment=defconf name=bridge
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip pool
add name=default-dhcp ranges=192.168.88.10-192.168.88.110
add name=dhcp_pool_quantar ranges=192.168.89.10-192.168.89.110
/ip dhcp-server
add address-pool=default-dhcp disabled=no interface=bridge lease-time=3d name=defconf
add address-pool=dhcp_pool_quantar disabled=no interface=ether5 lease-time=5d name="Guest_Ether5 DHCP"
/interface bridge port
add bridge=bridge comment=defconf interface=ether2
add bridge=bridge comment=defconf interface=ether3
add bridge=bridge comment=defconf interface=ether4
/ip neighbor discovery-settings
set discover-interface-list=LAN
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=ether1 list=WAN
add comment=quantar interface=ether5 list=LAN
/ip address
add address=192.168.88.1/24 comment=defconf interface=bridge network=192.168.88.0
add address=192.168.89.1/24 comment=quantar interface=ether5 network=192.168.89.0
/ip dhcp-client
add comment=defconf disabled=no interface=ether1
/ip dhcp-server network
add address=192.168.88.0/24 comment=defconf gateway=192.168.88.1
add address=192.168.89.0/24 comment=quantar dns-server=192.168.89.1 gateway=192.168.89.1
/ip dns
set allow-remote-requests=yes
/ip dns static
add address=192.168.88.1 comment=defconf name=router.lan
/ip firewall filter
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment="defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=drop chain=input comment="defconf: drop all not coming from LAN" in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related
add action=accept chain=forward comment="defconf: accept established,related, untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
add action=drop chain=forward comment="defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
    connection-state=new in-interface-list=WAN
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" ipsec-policy=out,none out-interface-list=WAN
/system clock
set time-zone-name=America/Los_Angeles
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN
 
anav
Forum Guru
Posts: 19101
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: trying to isolate ether5 from bridge on ether2-4

Thu Jun 10, 2021 2:25 pm

Quick answer, yes!
The one rule drops all traffic coming from the WAN except for port forwarded traffic (assumes you will be doing port forwarding).

I prefer the drop all rule that drops ALL unwanted traffic not just WAN to LAN but LAN to LAN and LAN to WAN (better security).
Separates the port forwarding rule so that it's clearer, just for reading purposes, but also so you are able to disable it until you need it.
Since the last rule blocks all traffic, if one wants internet then one needs the LAN to WAN rule.


(1) Missing dns server listing
/ip dhcp-server network
add address=192.168.88.0/24 comment=defconf gateway=192.168.88.1 dns-server=192.168.88.1

(2) This static listing can be removed as it's a carry-over from the default config.
/ip dns static
add address=192.168.88.1 comment=defconf name=router.lan


(3) The last thing you may want to consider is somewhat better security for access to the router.
These default rules can be improved/replaced/removed. The CAPsMAN rule is only needed if you intend to use MT WiFi via CAPsMAN (I don't, as I configure it separately) and can be removed.
add action=accept chain=input comment="defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1

add action=drop chain=input comment="defconf: drop all not coming from LAN" in-interface-list=!LAN
This rule basically stops all traffic hitting the router except from the LAN. But do we want that?? NO.
We want to stop all traffic to the router and then only allow the admin to the router, for configuration purposes, and then folks on the LAN that need access to SERVICES on the router and not to the router itself.

So we first make a rule allowing the admin (after the ICMP rule)
add action=accept chain=input in-interface=bridge source-address-list=admin_access
Where admin_access is a firewall address list
address=IPofadmin PC list=admin_access
address=IPofadmin LAPTOP list=admin_access
address=IPofadmin SMARTPHONE list=admin_access

This rule, firstly, removes eth5 from any access to the router and then, secondly, only allows a few admin IPs to access the router. ALL GOOD!
But what about the DNS services the router provides? So after the above rule you need to add access to the LAN for DNS services.
add action=accept chain=input comment="Allow LAN DNS queries - TCP" \
connection-state=new dst-port=53 in-interface-list=LAN protocol=tcp
add action=accept chain=input comment="Allow LAN DNS queries-UDP" \
connection-state=new dst-port=53 in-interface-list=LAN protocol=udp


Finally add a drop all else rule LAST, otherwise you will lock yourself out!
add action=drop chain=input comment="drop all else"
 
waynger
just joined
Topic Author
Posts: 19
Joined: Mon May 31, 2021 10:56 pm

Re: trying to isolate ether5 from bridge on ether2-4

Sun Jun 13, 2021 9:09 am

OK, I made all the changes other than improving router security. Here is an export; I think it is correct.
# model = RB750Gr3
# serial number = C55D0BA9E24C
/interface bridge
add admin-mac=C4:AD:34:93:E6:7B auto-mac=no comment=defconf name=bridge
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip pool
add name=default-dhcp ranges=192.168.88.10-192.168.88.110
add name=dhcp_pool_quantar ranges=192.168.89.10-192.168.89.110
/ip dhcp-server
add address-pool=default-dhcp disabled=no interface=bridge lease-time=3d name=defconf
add address-pool=dhcp_pool_quantar disabled=no interface=ether5 lease-time=5d name="Guest_Ether5 DHCP"
/interface bridge port
add bridge=bridge comment=defconf interface=ether2
add bridge=bridge comment=defconf interface=ether3
add bridge=bridge comment=defconf interface=ether4
/ip neighbor discovery-settings
set discover-interface-list=LAN
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=ether1 list=WAN
add comment=quantar interface=ether5 list=LAN
/ip address
add address=192.168.88.1/24 comment=defconf interface=bridge network=192.168.88.0
add address=192.168.89.1/24 comment=quantar interface=ether5 network=192.168.89.0
/ip dhcp-client
add comment=defconf disabled=no interface=ether1
/ip dhcp-server network
add address=192.168.88.0/24 comment=defconf dns-server=192.168.88.1 gateway=192.168.88.1
add address=192.168.89.0/24 comment=quantar dns-server=192.168.89.1 gateway=192.168.89.1
/ip dns
set allow-remote-requests=yes
/ip firewall filter
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=drop chain=input comment="defconf: drop all not coming from LAN" in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related
add action=accept chain=forward comment="defconf: accept established,related, untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=forward comment="allow port forwarding" connection-nat-state=dstnat connection-state=new \
    in-interface-list=WAN
add action=accept chain=forward comment="Allow Internet " in-interface-list=LAN out-interface-list=WAN
add action=drop chain=forward comment=" drop  All  else  "
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" ipsec-policy=out,none out-interface-list=WAN
/system clock
set time-zone-name=America/Los_Angeles
/system identity
set name=NetgearMik
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN
My main concerns are attacks from the WAN; the guy connected to ether5 has had access to my network for a few years, so the horse is out of the barn anyway.
All other LAN connections (ether2-ether4) are me and my wife only, no employees or "guests".
I was just going to change admin to some other name and dream up a good password.
I appreciate whatever you suggest.
Wayne
Do you think I should go ahead with the increased security for the router?
 
anav
Forum Guru
Posts: 19101
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: trying to isolate ether5 from bridge on ether2-4

Sun Jun 13, 2021 1:03 pm

Yes, you should, and definitely change the admin name and password and also the winbox port number.

(1) This can be set to none:
/tool mac-server
set allowed-interface-list=LAN

(2) Add management interface to cut off ether5 from access to the router via winbox as follows:
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
add name=MNGMT
/interface list member
add comment=defconf interface=ether1 list=WAN
add comment=quantar interface=ether5 list=LAN
add comment=defconf interface=bridge list=LAN
add comment=routeraccess interface=bridge list=MNGMT

(3) Then add to the rules:
/tool mac-server mac-winbox
set allowed-interface-list=MNGMT

You could now leave your input chain rules as they are, as ether5 is no longer able to use Winbox to get to the router; however, if the person on ether5 knew the Winbox port they could still access it by IPaddress:winbox port, and that is why I suggest changing the input chain rules.
 
waynger
just joined
Topic Author
Posts: 19
Joined: Mon May 31, 2021 10:56 pm

Re: trying to isolate ether5 from bridge on ether2-4

Tue Jun 15, 2021 8:41 am

Thank you! I think I have implemented everything other than the additional firewall rules. Not sure what's going on; I went to /ip firewall filter and attempted to enter:

add action=accept chain=input in-interface=bridge source-address-list=admin_access

but I keep getting an "expected end of command".

I also am not sure how to get that line, and those following it, into the correct position in the /ip firewall filter section.

Do a print and use line numbers to move?

Stuck as usual
Wayne



# software id = ZS56-J9I0
#
# model = RB750Gr3
# serial number = C55D0BA9E24C
/interface bridge
add admin-mac=C4:AD:34:93:E6:7B auto-mac=no comment=defconf name=bridge
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
add name=MANAGEMENT
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip pool
add name=default-dhcp ranges=192.168.88.10-192.168.88.110
add name=dhcp_pool_quantar ranges=192.168.89.10-192.168.89.110
/ip dhcp-server
add address-pool=default-dhcp disabled=no interface=bridge lease-time=3d name=defconf
add address-pool=dhcp_pool_quantar disabled=no interface=ether5 lease-time=5d name="Guest_Ether5 DHCP"
/interface bridge port
add bridge=bridge comment=defconf interface=ether2
add bridge=bridge comment=defconf interface=ether3
add bridge=bridge comment=defconf interface=ether4
/ip neighbor discovery-settings
set discover-interface-list=LAN
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=ether1 list=WAN
add comment=quantar interface=ether5 list=LAN
add comment=routeraccess interface=bridge list=MANAGEMENT
/ip address
add address=192.168.88.1/24 comment=defconf interface=bridge network=192.168.88.0
add address=192.168.89.1/24 comment=quantar interface=ether5 network=192.168.89.0
/ip dhcp-client
add comment=defconf disabled=no interface=ether1
/ip dhcp-server network
add address=192.168.88.0/24 comment=defconf dns-server=192.168.88.1 gateway=192.168.88.1
add address=192.168.89.0/24 comment=quantar dns-server=192.168.89.1 gateway=192.168.89.1
/ip dns
set allow-remote-requests=yes
/ip firewall filter
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=drop chain=input comment="defconf: drop all not coming from LAN" in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related
add action=accept chain=forward comment="defconf: accept established,related, untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=forward comment="allow port forwarding" connection-nat-state=dstnat connection-state=new \
    in-interface-list=WAN
add action=accept chain=forward comment="Allow Internet " in-interface-list=LAN out-interface-list=WAN
add action=drop chain=forward comment=" drop  All  else  "
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" ipsec-policy=out,none out-interface-list=WAN
/system clock
set time-zone-name=America/Los_Angeles
/system identity
set name=NetgearMik
/tool mac-server
set allowed-interface-list=none
/tool mac-server mac-winbox
set allowed-interface-list=MANAGEMENT
 
anav
Forum Guru
Posts: 19101
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: trying to isolate ether5 from bridge on ether2-4

Tue Jun 15, 2021 4:31 pm

Thank you! I think I have implemented everything other than the additional firewall rules. Not sure what's going on; I went to /ip firewall filter and attempted to enter:

add action=accept chain=input in-interface=bridge source-address-list=admin_access

but I keep getting an "expected end of command".

I also am not sure how to get that line, and those following it, into the correct position in the /ip firewall filter section.

Do a print and use line numbers to move?

Stuck as usual
Wayne
Yeah, that's weird; try in-interface-list=Management (instead of in-interface=bridge).

Okay also missing the firewall address list!!!!
 
waynger
just joined
Topic Author
Posts: 19
Joined: Mon May 31, 2021 10:56 pm

Re: trying to isolate ether5 from bridge on ether2-4

Wed Jun 23, 2021 6:23 am

I am comfortable with all bridge-connected devices having access to the router, as I am the only person who has access to the bridge network, and if someone broke in they would still require the username and password, correct?
I think I have implemented everything other than the admin list (it will be changing, so I hate to implement it) and the drop all else rule. At this time ether5 can still access the router. In general, does this code look like it will fly?
# model = RB750Gr3
# serial number = C55D0BA9E24C
/interface bridge
add admin-mac=C4:AD:34:93:E6:7B auto-mac=no comment=defconf name=bridge
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
add name=MANAGEMENT
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip pool
add name=default-dhcp ranges=192.168.88.10-192.168.88.110
add name=dhcp_pool_quantar ranges=192.168.89.10-192.168.89.110
/ip dhcp-server
add address-pool=default-dhcp disabled=no interface=bridge lease-time=3d name=defconf
add address-pool=dhcp_pool_quantar disabled=no interface=ether5 lease-time=5d name="Guest_Ether5 DHCP"
/interface bridge port
add bridge=bridge comment=defconf interface=ether2
add bridge=bridge comment=defconf interface=ether3
add bridge=bridge comment=defconf interface=ether4
/ip neighbor discovery-settings
set discover-interface-list=LAN
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=ether1 list=WAN
add comment=quantar interface=ether5 list=LAN
add comment=routeraccess interface=bridge list=MANAGEMENT
/ip address
add address=192.168.88.1/24 comment=defconf interface=bridge network=192.168.88.0
add address=192.168.89.1/24 comment=quantar interface=ether5 network=192.168.89.0
/ip dhcp-client
add comment=defconf disabled=no interface=ether1
/ip dhcp-server network
add address=192.168.88.0/24 comment=defconf dns-server=192.168.88.1 gateway=192.168.88.1
add address=192.168.89.0/24 comment=quantar dns-server=192.168.89.1 gateway=192.168.89.1
/ip dns
set allow-remote-requests=yes
/ip firewall filter
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=drop chain=input comment="defconf: drop all not coming from LAN" in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related
add action=accept chain=forward comment="defconf: accept established,related, untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=forward comment="allow port forwarding" connection-nat-state=dstnat connection-state=new \
    in-interface-list=WAN
add action=accept chain=forward comment="Allow Internet " in-interface-list=LAN out-interface-list=WAN
add action=drop chain=forward comment=" drop  All  else  "
add action=accept chain=input in-interface-list=MANAGEMENT
add action=accept chain=input comment="Allow LAN DNS queries - TCP" connection-state=new dst-port=53 in-interface-list=\
    LAN protocol=tcp
add action=accept chain=input comment="Allow LAN DNS queries-UDP" connection-state=new dst-port=53 in-interface-list=LAN \
    protocol=udp
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" ipsec-policy=out,none out-interface-list=WAN
/system clock
set time-zone-name=America/Los_Angeles
/system identity
set name=NetgearMik
/tool mac-server
set allowed-interface-list=none
/tool mac-server mac-winbox
set allowed-interface-list=MANAGEMENT
Thanks Again, Wayne
 
anav
Forum Guru
Posts: 19101
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: trying to isolate ether5 from bridge on ether2-4

Wed Jun 23, 2021 12:32 pm

I would move the input chain rules that are mixed into the forward chain rules UP (drag and move) with the rest of the input rules.
Then it will be easier to read how the packets are checked.

For me you can already get rid of this rule.
add action=drop chain=input comment="defconf: drop all not coming from LAN" in-interface-list=!LAN

a. because you have management interface accepted to the router so that as admin you can access the router
b. because you have DNS rules for all the LAN to access this server on the router.

c. The rule really is blocking WAN to router traffic and can be replaced by a last rule, DROP ALL, in the input chain,
which blocks all traffic (WAN to router, LAN to router, etc.) that you have not specifically allowed: better security.
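As an added example (not code from the thread or from MikroTik), the Python model below walks the input and forward rules anav recommends in this thread in first-match order, the way the firewall does, to confirm that ether5 is cut off from the bridge while both still reach the WAN, and to show the lockout that a misplaced "drop all else" input rule causes. The interface lists, the admin_access address list and the host IPs are constructed, the fasttrack and IPsec defconf rules are left out, and the admin rule is written with the real RouterOS property name src-address-list (source-address-list is not a property, which is what the "expected end of command" error reports).

```python
"""First-match model of the input and forward filter rules discussed above.

Added example, not code from the thread or from MikroTik. Rules are written
in export syntax and walked in order the way the firewall does: the first
rule whose matchers all hit and whose action terminates decides, and a
packet that reaches the end of a chain is accepted. Interface lists, the
admin_access address list and host IPs are constructed.
"""
import shlex

INTERFACE_LISTS = {"WAN": {"ether1"}, "LAN": {"bridge", "ether5"}, "MANAGEMENT": {"bridge"}}
ADDRESS_LISTS = {"admin_access": {"192.168.88.50"}}  # constructed admin PC

# Input chain as anav describes it; the real property name is src-address-list.
INPUT_RULES = """\
add action=accept chain=input connection-state=established,related,untracked
add action=drop chain=input connection-state=invalid
add action=accept chain=input protocol=icmp
add action=accept chain=input comment="admin only" in-interface-list=MANAGEMENT \\
    src-address-list=admin_access
add action=accept chain=input comment="LAN DNS tcp" connection-state=new dst-port=53 in-interface-list=LAN protocol=tcp
add action=accept chain=input comment="LAN DNS udp" connection-state=new dst-port=53 in-interface-list=LAN protocol=udp
add action=drop chain=input comment="drop all else"
"""

# Forward chain with the port-forward / internet / drop-all trio in place.
FORWARD_RULES = """\
add action=accept chain=forward connection-state=established,related,untracked
add action=drop chain=forward connection-state=invalid
add action=accept chain=forward comment="allow port forwarding" connection-nat-state=dstnat \\
    connection-state=new in-interface-list=WAN
add action=accept chain=forward comment="allow internet" in-interface-list=LAN out-interface-list=WAN
add action=drop chain=forward comment="drop all else"
"""

def parse_rules(text):
    """Join backslash-continued lines, then split each `add` line shell-style."""
    rules = []
    for line in text.replace("\\\n", "").splitlines():
        tokens = shlex.split(line)
        if tokens and tokens[0] == "add":
            rules.append(dict(t.partition("=")[::2] for t in tokens[1:]))
    return rules

def _in(value, spec, members):
    """List-style matcher: spec is a list name or comma list; a leading ! negates."""
    negate = spec.startswith("!")
    return (value in members(spec.lstrip("!"))) != negate

def rule_matches(rule, pkt):
    """A property absent from the rule matches anything, as in RouterOS."""
    csv = lambda s: set(s.split(","))
    ifl = lambda n: INTERFACE_LISTS.get(n, set())
    checks = {
        "in-interface-list": lambda v: _in(pkt["in"], v, ifl),
        "out-interface-list": lambda v: _in(pkt["out"], v, ifl),
        "src-address-list": lambda v: _in(pkt["src"], v, lambda n: ADDRESS_LISTS.get(n, set())),
        "connection-state": lambda v: _in(pkt["state"], v, csv),
        "connection-nat-state": lambda v: _in(pkt["nat"], v, csv),
        "protocol": lambda v: pkt["proto"] == v,
        "dst-port": lambda v: pkt["dport"] in {int(p) for p in v.split(",")},
    }
    return all(checks[k](v) for k, v in rule.items() if k in checks)

def verdict(rules, pkt):
    """Walk the packet's chain; the first terminating match wins, else accept."""
    for rule in rules:
        if rule["chain"] == pkt["chain"] and rule_matches(rule, pkt):
            if rule["action"] in ("accept", "drop"):
                return rule["action"]
    return "accept"

def packet(chain, in_if, out_if=None, src=None, proto=None, dport=None, nat=None):
    """First packet of a new connection (forward: routed; input: to the router)."""
    return {"chain": chain, "in": in_if, "out": out_if, "state": "new",
            "nat": nat, "src": src, "proto": proto, "dport": dport}

def isolation_report():
    """Where new connections may go once the forward chain above is in place."""
    rules = parse_rules(FORWARD_RULES)
    return {
        "ether5->bridge": verdict(rules, packet("forward", "ether5", "bridge")),
        "bridge->ether5": verdict(rules, packet("forward", "bridge", "ether5")),
        "ether5->wan": verdict(rules, packet("forward", "ether5", "ether1")),
        "bridge->wan": verdict(rules, packet("forward", "bridge", "ether1")),
        "wan->bridge dstnat": verdict(rules, packet("forward", "ether1", "bridge", nat="dstnat")),
        "wan->bridge unsolicited": verdict(rules, packet("forward", "ether1", "bridge")),
    }

def lockout_demo():
    """Admin PC on Winbox (tcp/8291): rules as given, then 'drop all else' moved first."""
    rules = parse_rules(INPUT_RULES)
    misordered = rules[-1:] + rules[:-1]
    admin = packet("input", "bridge", src="192.168.88.50", proto="tcp", dport=8291)
    return verdict(rules, admin), verdict(misordered, admin)

if __name__ == "__main__":
    print(isolation_report())
    print("admin PC, rules in order vs drop-first:", lockout_demo())
```

Paste the rules from your own export into the two strings to check a reordering before applying it on the router.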
 
waynger
just joined
Topic Author
Posts: 19
Joined: Mon May 31, 2021 10:56 pm

Re: trying to isolate ether5 from bridge on ether2-4

Sun Jun 27, 2021 7:40 am

OK, I cannot access the router from ether5, internet is available on ether2-ether5, and I can't ping anything on ether2-ether4 from ether5.
Add a password and I think I am good to go.
Is the consensus that this current firewall is as secure as an off-the-shelf 10-year-old Netgear?
[admin@NetgearMik] > export
# jun/26/2021 21:37:53 by RouterOS 6.48.3
# software id = ZS56-J9I0
#
# model = RB750Gr3
# serial number = C55D0BA9E24C
/interface bridge
add admin-mac=C4:AD:34:93:E6:7B auto-mac=no comment=defconf name=bridge
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
add name=MANAGEMENT
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip pool
add name=default-dhcp ranges=192.168.88.10-192.168.88.110
add name=dhcp_pool_quantar ranges=192.168.89.10-192.168.89.110
/ip dhcp-server
add address-pool=default-dhcp disabled=no interface=bridge lease-time=3d name=defconf
add address-pool=dhcp_pool_quantar disabled=no interface=ether5 lease-time=5d name="Guest_Ether5 DHCP"
/interface bridge port
add bridge=bridge comment=defconf interface=ether2
add bridge=bridge comment=defconf interface=ether3
add bridge=bridge comment=defconf interface=ether4
/ip neighbor discovery-settings
set discover-interface-list=LAN
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=ether1 list=WAN
add comment=quantar interface=ether5 list=LAN
add comment=routeraccess interface=bridge list=MANAGEMENT
/ip address
add address=192.168.88.1/24 comment=defconf interface=bridge network=192.168.88.0
add address=192.168.89.1/24 comment=quantar interface=ether5 network=192.168.89.0
/ip dhcp-client
add comment=defconf disabled=no interface=ether1
/ip dhcp-server network
add address=192.168.88.0/24 comment=defconf dns-server=192.168.88.1 gateway=192.168.88.1
add address=192.168.89.0/24 comment=quantar dns-server=192.168.89.1 gateway=192.168.89.1
/ip dns
set allow-remote-requests=yes
/ip firewall filter
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=drop chain=input comment="defconf: drop all not coming from LAN" in-interface-list=!LAN
add action=accept chain=input in-interface-list=MANAGEMENT
add action=accept chain=input comment="Allow LAN DNS queries - TCP" connection-state=new dst-port=53 in-interface-list=\
    LAN protocol=tcp
add action=accept chain=input comment="Allow LAN DNS queries-UDP" connection-state=new dst-port=53 in-interface-list=\
    LAN protocol=udp
add action=drop chain=input comment=" drop  all  else"
add action=accept chain=forward comment="defconf: accept in ipsec policy" ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related
add action=accept chain=forward comment="defconf: accept established,related, untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=forward comment="allow port forwarding" connection-nat-state=dstnat connection-state=new \
    in-interface-list=WAN
add action=accept chain=forward comment="Allow Internet " in-interface-list=LAN out-interface-list=WAN
add action=drop chain=forward comment=" drop  All  else  "
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" ipsec-policy=out,none out-interface-list=WAN
/system clock
set time-zone-name=America/Los_Angeles
/system identity
set name=NetgearMik
/tool mac-server
set allowed-interface-list=none
/tool mac-server mac-winbox
set allowed-interface-list=MANAGEMENT
[admin@NetgearMik] > 
 
anav
Forum Guru
Posts: 19101
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: trying to isolate ether5 from bridge on ether2-4

Sun Jun 27, 2021 7:03 pm

Almost there.......
(1) This rule can be dropped; it's not bad in and of itself, but it kind of defeats other rules that follow it (it's now extra).

add action=drop chain=input comment="defconf: drop all not coming from LAN" in-interface-list=!LAN

Which basically tells the router any packet coming from the LAN is accepted.
So all LAN queries from ALL LAN users will be allowed, but remember we want to limit FULL access to the router to only the admin.
Hence the following rule we inserted to identify that group...
add action=accept chain=input in-interface-list=MANAGEMENT

We also allow access to the router for all LAN users for DNS service, so that's covered, and another reason we can get rid of that rule above.

(2) In terms of the order of forward chain firewall rules, I would put the access to the internet rule before port forwarding, as far more packets will apply to the access to the internet rule than to port forwarding, so logically we don't want the router checking all those internet-bound packets for port forwarding first (not efficient).

Also, if you don't have any port forwardings (and I don't see any), I recommend you don't get rid of the rule, just DISABLE it for now, as you don't need it.
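The two points anav makes about the input chain (the defconf "drop all not coming from LAN" rule is redundant once a final "drop all else" exists) and the forward chain (put "Allow Internet" ahead of "allow port forwarding") can be checked by walking sample packets through the exported rules. The following is an added example written for this page, not code from the thread or from MikroTik: a small first-match evaluator over the filter rules in waynger's final export. It only models the matchers those rules actually use, treats the two ipsec-policy rules as never matching (there is no IPsec here), takes interface-list membership from the export's `/interface list member` section, and uses constructed packet dicts (the port numbers and interface names are assumptions for illustration). RouterOS semantics assumed: rules are evaluated in order, the first terminating match decides, `fasttrack-connection` does not terminate, and a chain with no match accepts.

```python
"""First-match evaluator for the RouterOS filter rules posted in this thread.

Added example, not code from the thread or from MikroTik. Only the matchers
used by these rules are modelled; ipsec-policy rules are treated as never
matching because the setup has no IPsec.
"""
import re

# Interface-list membership, copied from waynger's final export.
LISTS = {"WAN": {"ether1"}, "LAN": {"bridge", "ether5"}, "MANAGEMENT": {"bridge"}}

# "/ip firewall filter" rules from the final export, continuation lines joined.
EXPORT = r'''
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input in-interface-list=MANAGEMENT
add action=accept chain=input comment="Allow LAN DNS queries - TCP" connection-state=new dst-port=53 in-interface-list=LAN protocol=tcp
add action=accept chain=input comment="Allow LAN DNS queries-UDP" connection-state=new dst-port=53 in-interface-list=LAN protocol=udp
add action=drop chain=input comment=" drop  all  else"
add action=accept chain=forward comment="defconf: accept in ipsec policy" ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related
add action=accept chain=forward comment="defconf: accept established,related, untracked" connection-state=established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=forward comment="Allow Internet " in-interface-list=LAN out-interface-list=WAN
add action=accept chain=forward comment="allow port forwarding" connection-nat-state=dstnat connection-state=new disabled=yes in-interface-list=WAN
add action=drop chain=forward comment=" drop  All  else  "
'''
# The defconf rule anav says is now redundant (present in the earlier export).
DEFCONF_DROP = 'add action=drop chain=input comment="defconf: drop all not coming from LAN" in-interface-list=!LAN'

NON_TERMINATING = {"fasttrack-connection", "log", "passthrough"}  # packet continues to the next rule


def parse_rules(export):
    """Turn each 'add key=value ...' line into a dict; quoted values may contain spaces."""
    rules = []
    for line in export.strip().splitlines():
        pairs = re.findall(r'([\w-]+)=(?:"([^"]*)"|(\S+))', line[len("add "):])
        rules.append({k: q if q else u for k, q, u in pairs})
    return rules


def in_list(iface, spec):
    """Match 'in-interface-list=LAN' or its negation '!LAN' against an interface name."""
    negate = spec.startswith("!")
    return (iface in LISTS[spec.lstrip("!")]) != negate


def matches(rule, pkt):
    if rule.get("disabled") == "yes" or "ipsec-policy" in rule:
        return False
    if "connection-state" in rule and pkt["state"] not in rule["connection-state"].split(","):
        return False
    for key in ("protocol", "dst-port", "connection-nat-state"):
        if key in rule and rule[key] != pkt.get(key):
            return False
    if "in-interface-list" in rule and not in_list(pkt["in"], rule["in-interface-list"]):
        return False
    if "out-interface-list" in rule and not in_list(pkt.get("out"), rule["out-interface-list"]):
        return False
    return True


def evaluate(rules, pkt):
    """Return (verdict, number of rules in the packet's chain examined before the verdict)."""
    checked = 0
    for rule in rules:
        if rule["chain"] != pkt["chain"]:
            continue
        checked += 1
        if matches(rule, pkt) and rule["action"] not in NON_TERMINATING:
            return rule["action"], checked
    return "accept", checked  # RouterOS default when no rule in the chain matches


def with_defconf_drop(rules):
    """Re-insert the defconf drop rule where it sat in the earlier export (right after accept ICMP)."""
    return rules[:3] + parse_rules(DEFCONF_DROP) + rules[3:]


def earlier_forward_order(rules):
    """Forward-chain order from the earlier export: port forwarding checked before Allow Internet."""
    r = list(rules)
    r[12], r[13] = r[13], r[12]  # indices of "Allow Internet" and "allow port forwarding" in EXPORT
    return r


# Constructed sample packets, one per case discussed in the thread (ports are assumptions).
PACKETS = {
    "wan_winbox":   {"chain": "input", "in": "ether1", "state": "new", "protocol": "tcp", "dst-port": "8291"},
    "guest_dns":    {"chain": "input", "in": "ether5", "state": "new", "protocol": "udp", "dst-port": "53"},
    "guest_winbox": {"chain": "input", "in": "ether5", "state": "new", "protocol": "tcp", "dst-port": "8291"},
    "lan_winbox":   {"chain": "input", "in": "bridge", "state": "new", "protocol": "tcp", "dst-port": "8291"},
    "lan_to_inet":  {"chain": "forward", "in": "bridge", "out": "ether1", "state": "new", "protocol": "tcp", "dst-port": "443"},
    "guest_to_lan": {"chain": "forward", "in": "ether5", "out": "bridge", "state": "new", "protocol": "icmp"},
}


def verdicts(rules):
    return {name: evaluate(rules, pkt)[0] for name, pkt in PACKETS.items()}


if __name__ == "__main__":
    rules = parse_rules(EXPORT)
    print("verdicts:", verdicts(rules))
    print("same verdicts with defconf drop rule:", verdicts(rules) == verdicts(with_defconf_drop(rules)))
    print("rules checked for a new LAN->WAN flow, final order:", evaluate(rules, PACKETS["lan_to_inet"])[1])
    print("rules checked for a new LAN->WAN flow, earlier order:", evaluate(earlier_forward_order(rules), PACKETS["lan_to_inet"])[1])
```

Running it shows the WAN-to-router packet is dropped either way (by the defconf rule when present, by "drop all else" when not), ether5 gets DNS but not WinBox, the bridge gets WinBox through the MANAGEMENT rule, and ether5 cannot reach the bridge because the only forward accept for new LAN traffic requires out-interface-list=WAN. The reordering saves one rule check per new outbound flow; the evaluator counts the disabled port-forwarding rule as examined because RouterOS still walks past it.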
 
waynger
just joined
Topic Author
Posts: 19
Joined: Mon May 31, 2021 10:56 pm

Re: trying to isolate ether5 from bridge on ether2-4

Sun Jun 27, 2021 8:33 pm

OK done, I am embarrassed to admit I don't understand port forwarding and my need or lack of need? In any event I did disable it.

# model = RB750Gr3
# serial number = C55D0BA9E24C
/interface bridge
add admin-mac=C4:AD:34:93:E6:7B auto-mac=no comment=defconf name=bridge
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
add name=MANAGEMENT
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip pool
add name=default-dhcp ranges=192.168.88.10-192.168.88.110
add name=dhcp_pool_quantar ranges=192.168.89.10-192.168.89.110
/ip dhcp-server
add address-pool=default-dhcp disabled=no interface=bridge lease-time=3d name=defconf
add address-pool=dhcp_pool_quantar disabled=no interface=ether5 lease-time=5d name=\
    "Guest_Ether5 DHCP"
/interface bridge port
add bridge=bridge comment=defconf interface=ether2
add bridge=bridge comment=defconf interface=ether3
add bridge=bridge comment=defconf interface=ether4
/ip neighbor discovery-settings
set discover-interface-list=LAN
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=ether1 list=WAN
add comment=quantar interface=ether5 list=LAN
add comment=routeraccess interface=bridge list=MANAGEMENT
/ip address
add address=192.168.88.1/24 comment=defconf interface=bridge network=192.168.88.0
add address=192.168.89.1/24 comment=quantar interface=ether5 network=192.168.89.0
/ip dhcp-client
add comment=defconf disabled=no interface=ether1
/ip dhcp-server network
add address=192.168.88.0/24 comment=defconf dns-server=192.168.88.1 gateway=192.168.88.1
add address=192.168.89.0/24 comment=quantar dns-server=192.168.89.1 gateway=192.168.89.1
/ip dns
set allow-remote-requests=yes
/ip firewall filter
add action=accept chain=input comment="defconf: accept established,related,untracked" \
    connection-state=established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input in-interface-list=MANAGEMENT
add action=accept chain=input comment="Allow LAN DNS queries - TCP" connection-state=new dst-port=\
    53 in-interface-list=LAN protocol=tcp
add action=accept chain=input comment="Allow LAN DNS queries-UDP" connection-state=new dst-port=53 \
    in-interface-list=LAN protocol=udp
add action=drop chain=input comment=" drop  all  else"
add action=accept chain=forward comment="defconf: accept in ipsec policy" ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=\
    established,related
add action=accept chain=forward comment="defconf: accept established,related, untracked" \
    connection-state=established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=forward comment="Allow Internet " in-interface-list=LAN \
    out-interface-list=WAN
add action=accept chain=forward comment="allow port forwarding" connection-nat-state=dstnat \
    connection-state=new disabled=yes in-interface-list=WAN
add action=drop chain=forward comment=" drop  All  else  "
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" ipsec-policy=out,none \
    out-interface-list=WAN
/system clock
set time-zone-name=America/Los_Angeles
/system identity
set name=NetgearMik
/tool mac-server
set allowed-interface-list=none
/tool mac-server mac-winbox
set allowed-interface-list=MANAGEMENT
[admin@NetgearMik] >> 
