g33kf3r
just joined
Topic Author
Posts: 2
Joined: Thu Jun 18, 2020 9:58 pm

Having trouble blocking Port 22

Mon Jul 19, 2021 1:11 am

Hello everyone

I am a newbie in this MikroTik environment.
I have this issue that I am not able to block/drop port 22 from one of my interfaces.

Here is the basics:
I have a static /29 block from my ISP. I set up a bridge which has port 8 and port 1 as slaves.
I use port 8 as the WAN port, and behind that I have an SFP+ port connected to a MikroTik switch which connects everything in my homelab and any other devices.
I want to use port 1 (on the MikroTik router) for an external server which will be running a basic website. I am able to assign the server that public IP and everything looks good; the issue is that when I try to add a firewall rule to block any specific port (in this case port 22), the port is still open and I can see it open from the outside.
I do not have any issues with my other server inside my private network, where I am blocking other ports as well as port 22 without any problems.

What am I missing with my configuration? What do you suggest?
Here is my configuration:
# jul/18/2021 14:50:57 by RouterOS 6.48.2
# software id = UPMJ-KQZH
#
# model = CCR1036-8G-2S+
# serial number = C6C90C01A2B1
#
# Exported configuration. One bridge ("bridge_Internet") joins the WAN port
# (ether8) and the external-server port (ether1); the internal networks are
# carried as VLANs over the sfp-sfpplus1 trunk. Sections follow export order.
/interface bridge
add name=bridge_Internet
/interface ethernet
# Only ether1 and ether8 are renamed; the SFP+ port keeps its default name.
set [ find default-name=ether1 ] name=ether1-Mail-WebSite
set [ find default-name=ether8 ] name=ether8-WAN
set [ find default-name=sfp-sfpplus1 ] comment="VLANS TRUNK LINK"
/interface vlan
# Three tagged VLANs on the trunk: lab (20), home (10), management (5).
add interface=sfp-sfpplus1 name="Lab(vlan20)" vlan-id=20
add interface=sfp-sfpplus1 name="Home(vlan10)" vlan-id=10
add comment="This VLAN belongs to all the Devices(Switch and Routers) " \
    interface=sfp-sfpplus1 name="mgnt(VLAN5)" vlan-id=5
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip pool
# Only dhcp_pool1, dhcp_pool2 and dhcp_pool6 are referenced by a DHCP server
# below; the remaining pools are defined but unused in this export.
add name=dhcp_pool0 ranges=172.16.1.2-172.16.1.250
add name=dhcp_pool1 ranges=192.168.1.10-192.168.1.200
add name=dhcp_pool2 ranges=10.20.0.50-10.20.0.150
add name=dhcp_pool3 ranges=10.30.0.50-10.30.0.200
add name=dhcp_pool4 ranges=192.168.0.2-192.168.0.252,192.168.0.254
add name=dhcp_pool5 ranges=172.16.1.10-172.16.1.250
add name=dhcp_pool6 ranges=172.16.1.10-172.16.1.150
/ip dhcp-server
# One DHCP server per VLAN interface, 30-minute leases.
add address-pool=dhcp_pool1 disabled=no interface="Home(vlan10)" lease-time=\
    30m name=dhcp2
add address-pool=dhcp_pool2 disabled=no interface="Lab(vlan20)" \
    lease-time=30m name=dhcp3
add address-pool=dhcp_pool6 disabled=no interface="mgnt(VLAN5)" lease-time=\
    30m name=dhcp1
/interface bridge port
# ether8 (WAN) and ether1 (external server) are members of the same bridge, so
# frames between them are switched at layer 2. Bridged traffic only enters the
# IP firewall when use-ip-firewall=yes is set under /interface bridge settings,
# which this export does not show.
add bridge=bridge_Internet interface=ether8-WAN multicast-router=disabled
add bridge=bridge_Internet interface=ether1-Mail-WebSite multicast-router=\
    disabled
/ip neighbor discovery-settings
# "!dynamic" = discovery is active on every non-dynamic interface, which
# includes the WAN-facing bridge_Internet; restrict this to internal
# interfaces if router details should not be advertised toward the ISP side.
set discover-interface-list=!dynamic
/ip address
# Router addresses: one per VLAN plus 23.118.0.9 on the WAN bridge.
# 23.118.0.10 on ether1 is disabled; that public address is used by the
# external server itself (see the port-22 filter rule below).
add address=172.16.1.1/24 interface="mgnt(VLAN5)" network=172.16.1.0
add address=192.168.1.1/24 interface="Home(vlan10)" network=192.168.1.0
add address=10.20.0.1/24 interface="Lab(vlan20)" network=10.20.0.0
add address=23.118.0.9/29 comment=WAN interface=bridge_Internet network=\
    23.118.0.8
add address=23.118.0.10/29 disabled=yes interface=ether1-Mail-WebSite \
    network=23.118.0.8
/ip dhcp-server lease
# Static leases for three lab/home hosts.
add address=10.20.0.57 client-id=1:80:61:5f:7:3f:3a mac-address=\
    80:61:5F:07:3F:3A server=dhcp3
add address=192.168.1.80 mac-address=0C:F4:D5:0E:80:E0 server=dhcp2
add address=192.168.1.79 client-id=1:1c:b9:c4:34:ad:0 mac-address=\
    1C:B9:C4:34:AD:00 server=dhcp2
/ip dhcp-server network
# 10.30.0.0/24 has a network entry but no DHCP server or address above.
add address=10.20.0.0/24 dns-server=8.8.8.8,8.8.4.4 gateway=10.20.0.1
add address=10.30.0.0/24 dns-server=8.8.8.8,8.8.4.4 gateway=10.30.0.1
add address=172.16.1.0/24 dns-server=8.8.8.8,8.8.4.4 gateway=172.16.1.1
add address=192.168.1.0/24 dns-server=8.8.8.8,8.8.4.4 gateway=192.168.1.1
/ip dns
set servers=8.8.8.8,8.8.4.4
/ip firewall filter
# All three rules are in chain=input, which only sees packets addressed to the
# router itself. The third rule matches dst-address=23.118.0.10, the external
# server's address: traffic to that host is bridged/forwarded, never "input",
# so the rule cannot match it and TCP/22 stays reachable. Blocking it needs a
# chain=forward rule (and use-ip-firewall=yes on the bridge), e.g.
#   add action=drop chain=forward dst-address=23.118.0.10 dst-port=22 protocol=tcp
# Also note there is no established/related accept and no default drop on
# input; only 8291 (WinBox), 2000 (presumably the bandwidth-test server) and
# the mis-chained 22 rule are dropped.
add action=drop chain=input comment="Drop WinBox Port" dst-port=8291 \
    in-interface=bridge_Internet protocol=tcp
add action=drop chain=input dst-port=2000 in-interface=bridge_Internet \
    protocol=tcp
add action=drop chain=input dst-address=23.118.0.10 dst-port=22 in-interface=\
    bridge_Internet protocol=tcp
/ip firewall nat
# Masquerade everything leaving via the WAN bridge. The unconditional srcnat
# accept comes after it, so it only sees traffic the masquerade rule did not
# already match (traffic not leaving via bridge_Internet).
add action=masquerade chain=srcnat comment=Inter-VLAN out-interface=\
    bridge_Internet
add action=accept chain=srcnat comment="NAT - For WAN"
# Port forwards from the WAN bridge to internal hosts. Each one exposes an
# internal service; 5000-10000 forwards a whole range to 10.20.0.56.
# The 443 rule carries an empty port="" matcher, which has no effect.
add action=dst-nat chain=dstnat comment="Plex Forward Port - Entertaiment" \
    dst-port=32400 in-interface=bridge_Internet protocol=tcp to-addresses=\
    10.20.0.253 to-ports=32400
add action=dst-nat chain=dstnat comment="WireGuard VPN" dst-port=51820 \
    in-interface=bridge_Internet protocol=udp to-addresses=10.20.0.253 \
    to-ports=51820
add action=dst-nat chain=dstnat comment=GNS3-VM-Consoles dst-port=5000-10000 \
    in-interface=bridge_Internet protocol=tcp to-addresses=10.20.0.56 \
    to-ports=5000-10000
add action=dst-nat chain=dstnat comment=GNS3-VM-Connect dst-port=3080 \
    in-interface=bridge_Internet protocol=tcp to-addresses=10.20.0.56 \
    to-ports=3080
add action=dst-nat chain=dstnat comment="Streaming Port" dst-port=\
    443 in-interface=bridge_Internet port="" protocol=tcp to-addresses=\
    10.20.0.65 to-ports=443
add action=dst-nat chain=dstnat comment=Barrier dst-port=24800 in-interface=\
    bridge_Internet protocol=tcp to-addresses=10.20.0.57 to-ports=24800
/ip route
# Default route via the ISP gateway in the /29.
add distance=1 gateway=23.118.0.14
/ip service
# Remote management: telnet/ftp/www/ssh/api/api-ssl disabled; WinBox is
# limited to the lab and management subnets (in addition to the input-chain
# drop on 8291 from the WAN bridge above).
set telnet disabled=yes
set ftp disabled=yes
set www disabled=yes
set ssh disabled=yes
set api disabled=yes
set winbox address=10.20.0.0/24,172.16.1.0/24
set api-ssl disabled=yes
/ip upnp
# UPnP is enabled, so internal hosts can request their own WAN port mappings
# outside the explicit dst-nat list above; review whether that is intended.
set enabled=yes
/system clock
set time-zone-name=America/Phoenix
/tool graphing interface
# Interface graphing entry added with default parameters.
add
Thank you in advance
 
mkx
Forum Guru
Forum Guru
Posts: 11434
Joined: Thu Mar 03, 2016 10:23 pm

Re: Having trouble blocking Port 22

Mon Jul 19, 2021 10:04 am

By default the IP firewall doesn't filter traffic passing between bridged ports. If you want to enforce firewall rules on that traffic, you generally need two additional settings:
  1. set use-ip-firewall=yes in /interface bridge settings
  2. make sure traffic passing through the particular port (in your case ether1, with the server where SSH should be blocked) goes through the CPU. This means the traffic must not be HW offloaded (i.e. handled by the switch chip). This is achieved by setting hw=no on that port under /interface bridge port.
    In your case, where the device (CCR1009) doesn't have a switch chip, this step is not necessary as the device can't HW offload traffic.
