RB951G2HnD
newbie
Topic Author
Posts: 29
Joined: Mon Oct 21, 2013 9:52 am

Firewall common configuration rules

Mon Oct 21, 2013 10:21 am

Greetings,

I purchased my first MikroTik RouterBoard and upgraded it to RouterOS v6.4. Yesterday I configured it for the first time. I can see that the PPPoE connection is up, but pinging any IP is not possible from the router, nor from the PCs in the LAN. During the router configuration I used the manuals from the wiki.mikrotik.com website. I think my firewall rules were configured incorrectly. I'm asking the experts to look at my config shown below and correct me if I made a mistake. Moreover, this may be useful for other router owners configuring a common set of firewall rules.

Thank you in advance. Looking forward to getting an answer and solving this issue.
/interface ethernet
set 0 auto-negotiation=no comment=WAN
set 1 auto-negotiation=no comment=LAN
set 2 auto-negotiation=no master-port=ether2
set 3 auto-negotiation=no master-port=ether2
set 4 auto-negotiation=no master-port=ether2

/interface pppoe-client
add add-default-route=yes disabled=no interface=ether1 keepalive-timeout=disabled name=pppoe-out \
    password=*** use-peer-dns=yes user=***
	
/interface wireless
set 0 l2mtu=2290

/ip neighbor discovery
set ether1 comment=WAN
set ether2 comment=LAN

/ip hotspot user profile
set [ find default=yes ] idle-timeout=none keepalive-timeout=2m mac-cookie-timeout=3d

/ip pool
add name=DHCP_POOL ranges=1.10.10.5-1.10.10.30

/ip dhcp-server
add address-pool=DHCP_POOL disabled=no interface=ether2 name=DHCP

/ip address
add address=1.10.10.1/27 interface=ether2 network=1.10.10.0

/ip dhcp-client
add default-route-distance=0 dhcp-options=hostname,clientid disabled=no interface=ether1

/ip dhcp-server network
add address=1.10.10.0/27 dns-server=8.8.8.8,8.8.4.4 gateway=1.10.10.1

/ip firewall filter
add chain=input comment="Allow established connections" connection-state=established
add chain=input comment="Accept related connection packets" connection-state=related
add chain=input comment="Allow access to router from LAN" in-interface=!ether1 src-address=1.10.10.0/27
add action=drop chain=input comment="Drop invalid connections" connection-state=invalid
add action=drop chain=input comment="Drop ICMP" protocol=icmp
add action=drop chain=input comment="Drop everything else"
add action=drop chain=input comment="Detect and drop port scan connections" protocol=tcp psd=21,3s,3,1
add action=tarpit chain=input comment="Suppress DoS attack" connection-limit=3,32 protocol=tcp \
    src-address-list=black_list
add action=add-src-to-address-list address-list=black_list address-list-timeout=1d chain=input comment=\
    "Detect DoS attack" connection-limit=10,32 protocol=tcp
add action=drop chain=forward comment="Drop invalid connections" connection-state=invalid protocol=tcp
add chain=forward comment="Allow already established connections" connection-state=established
add chain=forward comment="Allow related connections" connection-state=related
add action=drop chain=forward src-address=0.0.0.0/8
add action=drop chain=forward dst-address=0.0.0.0/8
add action=drop chain=forward src-address=127.0.0.0/8
add action=drop chain=forward dst-address=127.0.0.0/8
add action=drop chain=forward src-address=224.0.0.0/3
add action=drop chain=forward dst-address=224.0.0.0/3
add action=jump chain=forward jump-target=tcp protocol=tcp
add action=jump chain=forward jump-target=udp protocol=udp
add action=jump chain=forward jump-target=icmp protocol=icmp
add action=drop chain=tcp comment="Deny TFTP" dst-port=69 protocol=tcp
add action=drop chain=tcp comment="Deny RPC portmapper" dst-port=111 protocol=tcp
add action=drop chain=tcp comment="Deny NBT" dst-port=137-139 protocol=tcp
add action=drop chain=tcp comment="Deny CIFS" dst-port=445 protocol=tcp
add action=drop chain=tcp comment="Deny NFS" dst-port=2049 protocol=tcp
add action=drop chain=tcp comment="Deny NetBus" dst-port=12345-12346 protocol=tcp
add action=drop chain=tcp comment="Deny NetBus" dst-port=20034 protocol=tcp
add action=drop chain=tcp comment="Deny Back Orifice" dst-port=3133 protocol=tcp
add action=drop chain=tcp comment="Deny DHCP" dst-port=67-68 protocol=tcp
add action=drop chain=tcp comment="Deny RPC portmapper" dst-port=135 protocol=tcp
add action=drop chain=udp comment="Deny TFTP" dst-port=69 protocol=udp
add action=drop chain=udp comment="Deny RPC portmapper" dst-port=111 protocol=udp
add action=drop chain=udp comment="Deny RPC portmapper" dst-port=135 protocol=udp
add action=drop chain=udp comment="Deny NBT" dst-port=137-139 protocol=udp
add action=drop chain=udp comment="Deny NFS" dst-port=2049 protocol=udp
add action=drop chain=udp comment="Deny Back Orifice" dst-port=3133 protocol=udp
add chain=icmp comment="Echo reply" icmp-options=0:0 protocol=icmp
add chain=icmp comment="Net unreachable" icmp-options=3:0 protocol=icmp
add chain=icmp comment="Host unreachable" icmp-options=3:1 protocol=icmp
add chain=icmp comment="Fragmentation needed (path MTU discovery)" icmp-options=3:4 protocol=icmp
add chain=icmp comment="Allow source quench" icmp-options=4:0 protocol=icmp
add chain=icmp comment="Allow echo request" icmp-options=8:0 protocol=icmp
add chain=icmp comment="Allow time exceed" icmp-options=11:0 protocol=icmp
add chain=icmp comment="Allow parameter bad" icmp-options=12:0 protocol=icmp
add action=drop chain=icmp comment="Deny all other types"

/ip firewall nat
add action=masquerade chain=srcnat out-interface=ether1 src-address=1.10.10.0/27

/ip service
set telnet disabled=yes
set ftp disabled=yes
set api disabled=yes
set api-ssl disabled=yes

/system leds
set 0 interface=wlan1
 
cbrown
Trainer
Posts: 1840
Joined: Thu Oct 14, 2010 8:57 pm

Re: Firewall common configuration rules

Mon Oct 21, 2013 1:45 pm

Your NAT rule is wrong. You are masquerading out ether1 but are using a PPPoE client for your Internet. Masquerade out your pppoe-client interface.
C.Brown

cbrown[at]ravenrocknetworks.com
MTCNA - MTCRE - MTCWE - MTCTCE
MTCSE - TRAINER-0179
 
RB951G2HnD
newbie
Topic Author
Posts: 29
Joined: Mon Oct 21, 2013 9:52 am

Re: Firewall common configuration rules

Mon Oct 21, 2013 2:05 pm

Should I keep two lines or just one for the PPPoE client?
/ip firewall nat
add action=masquerade chain=srcnat out-interface=ether1 src-address=1.10.10.0/27
add action=masquerade chain=srcnat out-interface=pppoe-out src-address=1.10.10.0/27
And what about the firewall filter line, the same?
/ip firewall filter
add chain=input comment="Allow access to router from LAN" in-interface=!ether1 src-address=1.10.10.0/27
add chain=input comment="Allow access to router from LAN" in-interface=!pppoe-out src-address=1.10.10.0/27
---------------
Andrew
 
deejayq
Member Candidate
Posts: 195
Joined: Wed Feb 23, 2011 8:33 am

Re: Firewall common configuration rules

Mon Oct 21, 2013 3:43 pm

Keep only the rules with pppoe-out.
 
RB951G2HnD
newbie
Topic Author
Posts: 29
Joined: Mon Oct 21, 2013 9:52 am

Re: Firewall common configuration rules

Wed Oct 23, 2013 9:27 am

Yesterday evening I had enough time for troubleshooting. I found that my default route was also incorrect, so I changed the following lines in my configuration, shown below. Moreover, I kept both NAT rules, because when the PPPoE connection is not active my traffic flows through the ether1 port.
/interface pppoe-client
add disabled=no interface=ether1 keepalive-timeout=disabled name=pppoe-out password=*** use-peer-dns=yes user=***

/ip dhcp-client
add add-default-route=no dhcp-options=hostname,clientid disabled=no interface=ether1

/ip firewall filter
add chain=input comment="Allow access to router from LAN" in-interface=!ether1 src-address=1.10.10.0/27
add chain=input comment="Allow access to router from LAN" in-interface=!pppoe-out src-address=1.10.10.0/27

/ip firewall nat
add action=masquerade chain=srcnat out-interface=ether1 src-address=1.10.10.0/27
add action=masquerade chain=srcnat out-interface=pppoe-out src-address=1.10.10.0/27 to-addresses=0.0.0.0

/ip route
add distance=1 gateway=pppoe-out
Thank you all for help!
---------------
Andrew
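Added example (editor's, not any poster's configuration) serving both the first post's config and the final one above. It assumes the names used in the thread: ether1 is the physical WAN port carrying the PPPoE session pppoe-out, ether2 is the LAN master port, the LAN prefix is 1.10.10.0/27, RouterOS v6. Four things visible in the posted exports are worth fixing beyond the NAT interface the replies addressed: the DHCP client on ether1 installed a competing default route at distance 0 (already corrected in the last post); masquerading out ether1 cannot match traffic that the default route sends via pppoe-out, and `to-addresses` belongs to `action=src-nat`, so it has no effect on a masquerade rule; `in-interface=!ether1` also matches pppoe-out (and `!pppoe-out` matches ether1), so either of the two "Allow access to router from LAN" rules accepts a packet arriving from the Internet with a forged 1.10.10.x source; and the port-scan and DoS rules sit after "Drop everything else", so they are never evaluated.

```routeros
# Added example (editor's, not any poster's config). Assumptions taken from
# the thread: ether1 = physical WAN port carrying the PPPoE session pppoe-out,
# ether2 = LAN master port, LAN prefix 1.10.10.0/27, RouterOS v6.

# 1. One default route, via the PPPoE session. The DHCP client on ether1 may
#    stay for reaching the modem, but must not install its own default route
#    (in the first post it did, at distance 0, beating the PPPoE route).
/ip dhcp-client
set [ find interface=ether1 ] add-default-route=no
/interface pppoe-client
set [ find name=pppoe-out ] add-default-route=yes

# 2. NAT on the interface packets actually leave through. With the default
#    route via pppoe-out, an out-interface=ether1 masquerade never matches
#    LAN traffic. to-addresses is an option of action=src-nat, not masquerade.
/ip firewall nat
add chain=srcnat action=masquerade out-interface=pppoe-out \
    src-address=1.10.10.0/27 comment="LAN to Internet via PPPoE"

/ip firewall filter
# 3. input chain: traffic addressed to the router itself.
add chain=input action=accept connection-state=established,related \
    comment="Replies to the router's own connections"
add chain=input action=drop connection-state=invalid comment="Drop invalid"
# Match the LAN by the interface it really arrives on. in-interface=!ether1
# also matches pppoe-out, so with the original rule a packet from the
# Internet carrying a forged 1.10.10.x source reached the router's services.
add chain=input action=accept in-interface=ether2 src-address=1.10.10.0/27 \
    comment="Management access from the LAN only"
# Scan and DoS rules go before the final drop; placed after it (as in the
# first post) they are unreachable and their counters stay at zero.
add chain=input action=add-src-to-address-list protocol=tcp \
    in-interface=pppoe-out connection-limit=10,32 address-list=black_list \
    address-list-timeout=1d comment="List Internet hosts opening >10 connections"
add chain=input action=tarpit protocol=tcp src-address-list=black_list \
    comment="Tarpit listed hosts"
add chain=input action=drop protocol=tcp in-interface=pppoe-out psd=21,3s,3,1 \
    comment="Drop port scanners"
add chain=input action=drop comment="Drop everything else"

# 4. forward chain: traffic through the router.
add chain=forward action=accept connection-state=established,related \
    comment="Established/related"
add chain=forward action=drop connection-state=invalid comment="Drop invalid"
add chain=forward action=drop in-interface=pppoe-out src-address=1.10.10.0/27 \
    comment="Anti-spoofing: our own prefix cannot arrive from the Internet"
add chain=forward action=accept in-interface=ether2 src-address=1.10.10.0/27 \
    comment="LAN to anywhere"
add chain=forward action=drop comment="No unsolicited inbound forwarding"

# 5. Checks after applying.
/ip route print where dst-address=0.0.0.0/0
# expect exactly one active route, gateway pppoe-out
/ip firewall nat print stats
# the pppoe-out masquerade rule's packet counter must grow when a LAN host browses
/ip firewall filter print stats where chain=input
# any rule listed after "Drop everything else" stays at 0 packets forever
/ping 8.8.8.8 count=3
```

These rules are meant to replace the input, forward and srcnat rules from the posts, not to be appended to them. The tcp, udp and icmp sub-chains from the first post can be kept and re-attached with the original jump rules placed just before the "LAN to anywhere" accept; note that with masquerade only and no dst-nat rules, it is the final forward drop that stops unsolicited inbound connections, not the per-port deny lists, which only restrict what LAN hosts may reach outbound.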
