I am a newbie in this mikrotik enviroment.
I have this issue that I am not able to block/drop port 22 from one of my interfaces.
Here is the basics:
I have static block /29 from my ISP. I setup up a bridge which has port 8 and Port 1 as slaves.
I use port 8 as the WAN port and behind that I have SFP+ port connected to a mikrotik switch which connects everything in my homelab and any other devices.
I want to use Port 1 (Mikrotic Router) for an external server which will be runnning a basic website. I am able to assign the server with that public IP and everything looks good, the issue is that when I am trying to put a firewall rule to block any specific port (in this case port 22) the port stills open and I am able to see the port open from the outside.
I do not have any issues with my other server inside my priv network which I am blocking other ports as well as port 22 without any problems.
What am I missing with my configuration? What do you suggest?
Here is my configuration:
Code: Select all
# jul/18/2021 14:50:57 by RouterOS 6.48.2
# software id = UPMJ-KQZH
#
# model = CCR1036-8G-2S+
# serial number = C6C90C01A2B1
/interface bridge
add name=bridge_Internet
/interface ethernet
set [ find default-name=ether1 ] name=ether1-Mail-WebSite
set [ find default-name=ether8 ] name=ether8-WAN
set [ find default-name=sfp-sfpplus1 ] comment="VLANS TRUNK LINK"
/interface vlan
add interface=sfp-sfpplus1 name="Lab(vlan20)" vlan-id=20
add interface=sfp-sfpplus1 name="Home(vlan10)" vlan-id=10
add comment="This VLAN belongs to all the Devices(Switch and Routers) " \
interface=sfp-sfpplus1 name="mgnt(VLAN5)" vlan-id=5
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip pool
add name=dhcp_pool0 ranges=172.16.1.2-172.16.1.250
add name=dhcp_pool1 ranges=192.168.1.10-192.168.1.200
add name=dhcp_pool2 ranges=10.20.0.50-10.20.0.150
add name=dhcp_pool3 ranges=10.30.0.50-10.30.0.200
add name=dhcp_pool4 ranges=192.168.0.2-192.168.0.252,192.168.0.254
add name=dhcp_pool5 ranges=172.16.1.10-172.16.1.250
add name=dhcp_pool6 ranges=172.16.1.10-172.16.1.150
/ip dhcp-server
add address-pool=dhcp_pool1 disabled=no interface="Home(vlan10)" lease-time=\
30m name=dhcp2
add address-pool=dhcp_pool2 disabled=no interface="Lab(vlan20)" \
lease-time=30m name=dhcp3
add address-pool=dhcp_pool6 disabled=no interface="mgnt(VLAN5)" lease-time=\
30m name=dhcp1
/interface bridge port
add bridge=bridge_Internet interface=ether8-WAN multicast-router=disabled
add bridge=bridge_Internet interface=ether1-Mail-WebSite multicast-router=\
disabled
/ip neighbor discovery-settings
set discover-interface-list=!dynamic
/ip address
add address=172.16.1.1/24 interface="mgnt(VLAN5)" network=172.16.1.0
add address=192.168.1.1/24 interface="Home(vlan10)" network=192.168.1.0
add address=10.20.0.1/24 interface="Lab(vlan20)" network=10.20.0.0
add address=23.118.0.9/29 comment=WAN interface=bridge_Internet network=\
23.118.0.8
add address=23.118.0.10/29 disabled=yes interface=ether1-Mail-WebSite \
network=23.118.0.8
/ip dhcp-server lease
add address=10.20.0.57 client-id=1:80:61:5f:7:3f:3a mac-address=\
80:61:5F:07:3F:3A server=dhcp3
add address=192.168.1.80 mac-address=0C:F4:D5:0E:80:E0 server=dhcp2
add address=192.168.1.79 client-id=1:1c:b9:c4:34:ad:0 mac-address=\
1C:B9:C4:34:AD:00 server=dhcp2
/ip dhcp-server network
add address=10.20.0.0/24 dns-server=8.8.8.8,8.8.4.4 gateway=10.20.0.1
add address=10.30.0.0/24 dns-server=8.8.8.8,8.8.4.4 gateway=10.30.0.1
add address=172.16.1.0/24 dns-server=8.8.8.8,8.8.4.4 gateway=172.16.1.1
add address=192.168.1.0/24 dns-server=8.8.8.8,8.8.4.4 gateway=192.168.1.1
/ip dns
set servers=8.8.8.8,8.8.4.4
/ip firewall filter
add action=drop chain=input comment="Drop WinBox Port" dst-port=8291 \
in-interface=bridge_Internet protocol=tcp
add action=drop chain=input dst-port=2000 in-interface=bridge_Internet \
protocol=tcp
add action=drop chain=input dst-address=23.118.0.10 dst-port=22 in-interface=\
bridge_Internet protocol=tcp
/ip firewall nat
add action=masquerade chain=srcnat comment=Inter-VLAN out-interface=\
bridge_Internet
add action=accept chain=srcnat comment="NAT - For WAN"
add action=dst-nat chain=dstnat comment="Plex Forward Port - Entertaiment" \
dst-port=32400 in-interface=bridge_Internet protocol=tcp to-addresses=\
10.20.0.253 to-ports=32400
add action=dst-nat chain=dstnat comment="WireGuard VPN" dst-port=51820 \
in-interface=bridge_Internet protocol=udp to-addresses=10.20.0.253 \
to-ports=51820
add action=dst-nat chain=dstnat comment=GNS3-VM-Consoles dst-port=5000-10000 \
in-interface=bridge_Internet protocol=tcp to-addresses=10.20.0.56 \
to-ports=5000-10000
add action=dst-nat chain=dstnat comment=GNS3-VM-Connect dst-port=3080 \
in-interface=bridge_Internet protocol=tcp to-addresses=10.20.0.56 \
to-ports=3080
add action=dst-nat chain=dstnat comment="Streaming Port" dst-port=\
443 in-interface=bridge_Internet port="" protocol=tcp to-addresses=\
10.20.0.65 to-ports=443
add action=dst-nat chain=dstnat comment=Barrier dst-port=24800 in-interface=\
bridge_Internet protocol=tcp to-addresses=10.20.0.57 to-ports=24800
/ip route
add distance=1 gateway=23.118.0.14
/ip service
set telnet disabled=yes
set ftp disabled=yes
set www disabled=yes
set ssh disabled=yes
set api disabled=yes
set winbox address=10.20.0.0/24,172.16.1.0/24
set api-ssl disabled=yes
/ip upnp
set enabled=yes
/system clock
set time-zone-name=America/Phoenix
/tool graphing interface
add