shafiqrahman
just joined
Topic Author
Posts: 23
Joined: Wed Apr 12, 2017 1:42 am

Securing Mikrotik router using firewall rules causing issues.

Fri Mar 01, 2019 5:02 am

I was trying to secure my router by following these firewall rules https://wiki.mikrotik.com/wiki/Manual:S ... our_Router . But after implementing these rules I have issues with an application named Game Ranger. Sometimes I can sign in, but after a few times Game Ranger loses its connection and then is unable to connect. I've reverted to an old state before the implementation of the rules, and the application remained signed in. But then when I again added those rules it lost its connection again. I would highly appreciate it if someone could help me identify the problem.
 
k6ccc
Member
Posts: 479
Joined: Fri May 13, 2016 12:01 am
Location: Glendora, CA, USA (near Los Angeles)

Re: Securing Mikrotik router using firewall rules causing issues.

Fri Mar 01, 2019 7:43 am

That Wiki post lists a large number of various rules and settings, many of which need to be customized to your situation. Therefore, without you posting your configuration, we would only be guessing. Export and post your configuration.
RB750Gr3, RB750r2, CRS326-24G-2S (in SwitchOS), CSS326-24G-2S, CSS106-5G-1S, RB260GS
Not sure if I beat them in submission, or they beat me into submission


Jim
 
shafiqrahman
just joined
Topic Author
Posts: 23
Joined: Wed Apr 12, 2017 1:42 am

Re: Securing Mikrotik router using firewall rules causing issues.

Fri Mar 01, 2019 3:14 pm

Here is the configuration:
# mar/01/2019 18:37:27 by RouterOS 6.43.12
# software id = BM4W-X3GK
#
# model = RouterBOARD 962UiGS-5HacT2HnT
# serial number = xxxxxxxxx
/interface bridge
add admin-mac=xx:xx:xx:xx:xx:xx auto-mac=no comment=defconf name=bridge
/interface pppoe-client
add add-default-route=yes disabled=no interface=ether1 name=pppoe-out1 \
    password=xxxxx use-peer-dns=yes user=xxxxxxxx
/interface wireless
set [ find default-name=wlan1 ] band=2ghz-b/g/n channel-width=20/40mhz-XX \
    disabled=no distance=indoors frequency=auto installation=indoor mode=\
    ap-bridge ssid=bad wireless-protocol=802.11 wps-mode=disabled
set [ find default-name=wlan2 ] band=5ghz-a/n/ac channel-width=\
    20/40/80mhz-XXXX disabled=no distance=indoors frequency=5765 mode=\
    ap-bridge ssid=bad wireless-protocol=802.11 wps-mode=disabled
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface wireless security-profiles
set [ find default=yes ] authentication-types=wpa-psk,wpa2-psk eap-methods="" \
    mode=dynamic-keys supplicant-identity=MikroTik wpa-pre-shared-key=\
    xxxxxxxxx wpa2-pre-shared-key=xxxxxxxxx
/ip hotspot profile
set [ find default=yes ] html-directory=flash/hotspot
/ip pool
add name=dhcp ranges=192.168.88.10-192.168.88.254
/ip dhcp-server
add address-pool=dhcp disabled=no interface=bridge name=defconf
/interface bridge port
add bridge=bridge comment=defconf interface=ether2
add bridge=bridge comment=defconf interface=ether3
add bridge=bridge comment=defconf interface=ether4
add bridge=bridge comment=defconf interface=ether5
add bridge=bridge comment=defconf interface=sfp1
add bridge=bridge comment=defconf interface=wlan1
add bridge=bridge comment=defconf interface=wlan2
/ip neighbor discovery-settings
set discover-interface-list=none
/ip settings
set rp-filter=strict
/interface detect-internet
set detect-interface-list=all
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=ether1 list=WAN
add interface=pppoe-out1 list=WAN
/ip address
add address=192.168.88.1/24 comment=defconf interface=ether2 network=\
    192.168.88.0
/ip cloud
set update-time=no
/ip dhcp-client
add comment=defconf dhcp-options=hostname,clientid interface=ether1
/ip dhcp-server lease
add address=192.168.88.245 client-id=x:xx:xx:xx:xx:xx:x mac-address=\
    xx:xx:xx:xx:xx:xx server=defconf
/ip dhcp-server network
add address=192.168.88.0/24 comment=defconf gateway=192.168.88.1
/ip dns static
add address=192.168.88.1 name=router.lan
/ip firewall address-list
add address=192.168.88.2-192.168.88.254 list=allowed_to_router
add address=0.0.0.0/8 comment=RFC6890 list=not_in_internet
add address=172.16.0.0/12 comment=RFC6890 list=not_in_internet
add address=192.168.0.0/16 comment=RFC6890 list=not_in_internet
add address=10.0.0.0/8 comment=RFC6890 list=not_in_internet
add address=169.254.0.0/16 comment=RFC6890 list=not_in_internet
add address=127.0.0.0/8 comment=RFC6890 list=not_in_internet
add address=224.0.0.0/4 comment=Multicast list=not_in_internet
add address=198.18.0.0/15 comment=RFC6890 list=not_in_internet
add address=192.0.0.0/24 comment=RFC6890 list=not_in_internet
add address=192.0.2.0/24 comment=RFC6890 list=not_in_internet
add address=198.51.100.0/24 comment=RFC6890 list=not_in_internet
add address=203.0.113.0/24 comment=RFC6890 list=not_in_internet
add address=100.64.0.0/10 comment=RFC6890 list=not_in_internet
add address=240.0.0.0/4 comment=RFC6890 list=not_in_internet
add address=192.88.99.0/24 comment="6to4 relay Anycast [RFC 3068]" list=\
    not_in_internet
/ip firewall filter
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
    in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
    ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
    ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
    connection-state=established,related
add action=accept chain=forward comment=\
    "defconf: accept established,related, untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
add action=drop chain=forward comment=\
    "defconf:  drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
    connection-state=new in-interface-list=WAN
add action=accept chain=input comment="default configuration" \
    connection-state=established,related
add action=accept chain=input src-address-list=allowed_to_router
add action=accept chain=input protocol=icmp
add action=drop chain=input
add action=fasttrack-connection chain=forward comment=FastTrack \
    connection-state=established,related
add action=accept chain=forward comment="Established, Related" \
    connection-state=established,related
add action=drop chain=forward comment="Drop invalid" connection-state=invalid \
    log=yes log-prefix=invalid
add action=drop chain=forward comment=\
    "Drop tries to reach not public addresses from LAN" dst-address-list=\
    not_in_internet in-interface=bridge log=yes log-prefix=!public_from_LAN \
    out-interface=!bridge
add action=drop chain=forward comment=\
    "Drop incoming packets that are not NATted" connection-nat-state=!dstnat \
    connection-state=new in-interface=ether1 log=yes log-prefix=!NAT
add action=drop chain=forward comment=\
    "Drop incoming from internet which is not public IP" in-interface=ether1 \
    log=yes log-prefix=!public src-address-list=not_in_internet
add action=drop chain=forward comment=\
    "Drop packets from LAN that do not have LAN IP" in-interface=bridge log=\
    yes log-prefix=LAN_!LAN src-address=!192.168.88.0/24
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" \
    ipsec-policy=out,none out-interface=pppoe-out1 out-interface-list=WAN
/ip service
set telnet disabled=yes
set ftp disabled=yes
set www disabled=yes
set ssh port=2200
set api disabled=yes
set winbox address=192.168.88.0/24
set api-ssl disabled=yes
/ip ssh
set strong-crypto=yes
/ip upnp
set enabled=yes
/ip upnp interfaces
add interface=bridge type=internal
add interface=ether1 type=external
/system clock
set time-zone-name=Asia/Dhaka
/system logging
add topics=wireless,debug
/system ntp client
set enabled=yes server-dns-names=\
    0.pool.ntp.org,1.pool.ntp.org,2.pool.ntp.org,3.pool.ntp.org
/tool bandwidth-server
set enabled=no
/tool mac-server
set allowed-interface-list=none
/tool mac-server mac-winbox
set allowed-interface-list=none
/tool mac-server ping
set enabled=no
 
anav
Forum Guru
Posts: 2972
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Securing Mikrotik router using firewall rules causing issues.

Fri Mar 01, 2019 4:31 pm

Try this set to "loose" vice strict.
/ip settings
set rp-filter=strict

This is a problem..........
/ip address
add address=192.168.88.1/24 comment=defconf interface=ether2 network=\
192.168.88.0
The interface should be your bridge!!! not ether2

Remove and disable upnp; it is not required and is a security risk.
/ip upnp interfaces
add interface=bridge type=internal
add interface=ether1 type=external

If this is your actual SSH port, change it now, and show a false port number like XX in configs posted here.

Don't see anything wrong with the firewall rules except a number of duplicate entries in your input chain.

I have to ask you....... do you know what this rule is doing?
add action=drop chain=forward comment=\
"Drop tries to reach not public addresses from LAN" dst-address-list=\
not_in_internet in-interface=bridge log=yes log-prefix=!public_from_LAN \
out-interface=!bridge

If a rule is written in such a way that it's confusing and not clear, change it or get rid of it.
If need be, break it into two rules so that it's clear to you and the reader..........
I'd rather manage rats than software. Follow my advice at your own risk! (Sob & mkx forced me to write that!)
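To make the rp-filter suggestion above concrete, here is an added example (Python, not RouterOS code and not from anyone in this thread) that models how reverse-path filtering decides a packet under each /ip settings rp-filter mode. It assumes a constructed routing table shaped like this router's (default route over pppoe-out1, the LAN on bridge) plus a hypothetical ISP access-network route on ether1 such as a DHCP client might install; the sample packets are constructed as well.

```python
"""Reverse-path filtering (rp-filter no/loose/strict) as a route lookup.
Added example: assumptions are marked in the comments, nothing here is
taken from the router in the thread except the interface names."""
import ipaddress

# Constructed routing table (destination, egress interface); longest prefix wins.
ROUTES = [
    ("0.0.0.0/0", "pppoe-out1"),      # default route over the PPPoE session
    ("192.168.88.0/24", "bridge"),    # the LAN
    ("100.64.1.0/24", "ether1"),      # hypothetical access-network route on ether1
]

def route_interface(addr, routes=ROUTES):
    """Longest-prefix match: which interface would the router use to reach addr?"""
    target = ipaddress.ip_address(addr)
    best = None
    for dst, iface in routes:
        net = ipaddress.ip_network(dst)
        if target in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, iface)
    return best[1] if best else None

def rp_filter_allows(mode, src, in_iface, routes=ROUTES):
    """Decide whether a packet with source src that arrived on in_iface passes
    the reverse-path check in the given mode ("no", "loose" or "strict")."""
    if mode == "no":
        return True
    reverse = route_interface(src, routes)
    if reverse is None:             # no route back at all: both modes drop
        return False
    if mode == "loose":
        return True                 # reachable via any interface is enough
    if mode == "strict":
        return reverse == in_iface  # must be reachable via the ingress interface
    raise ValueError(f"unknown rp-filter mode {mode!r}")

# Constructed packets: (description, source address, arrival interface).
SAMPLES = [
    ("internet reply over the PPPoE session", "93.184.216.34", "pppoe-out1"),
    ("same source arriving on ether1 (asymmetric path)", "93.184.216.34", "ether1"),
    ("LAN source address arriving from the WAN (spoofed)", "192.168.88.20", "pppoe-out1"),
    ("access-network host on ether1", "100.64.1.1", "ether1"),
]

def verdicts(mode, samples=SAMPLES, routes=ROUTES):
    """Map each sample description to True (passes) or False (dropped)."""
    return {desc: rp_filter_allows(mode, src, iface, routes) for desc, src, iface in samples}

if __name__ == "__main__":
    for mode in ("strict", "loose"):
        print(mode)
        for desc, ok in verdicts(mode).items():
            print(f"  {'pass' if ok else 'DROP'}  {desc}")
```

Strict drops the spoofed-LAN-source packet and also any legitimate packet that arrives on a different interface than the route back to its source, which is what makes it fragile when a PPPoE session and the underlying Ethernet port both carry traffic; loose only drops sources with no route at all, so a rule like "Drop packets from LAN that do not have LAN IP" in the filter chain has to do the spoofing check instead.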
 
shafiqrahman
just joined
Topic Author
Posts: 23
Joined: Wed Apr 12, 2017 1:42 am

Re: Securing Mikrotik router using firewall rules causing issues.

Fri Mar 01, 2019 7:46 pm

Thank you for the reply.
/ip settings
set rp-filter=strict
changed from strict to loose

/ip address
add address=192.168.88.1/24 comment=defconf interface=ether2 network=\
192.168.88.0
The interface is changed from ether2 to bridge.

"Remove and disable upnp , not required and a security risk.
/ip upnp interfaces
add interface=bridge type=internal
add interface=ether1 type=external"

I kept upnp enabled because it's required for torrents and Game Ranger. Though Game Ranger requires UDP port 16000, in the firewall it opened a port at UDP 15745.

ssh port changed.

Can you please mention the duplicates?

add action=drop chain=forward comment=\
"Drop tries to reach not public addresses from LAN" dst-address-list=\
not_in_internet in-interface=bridge log=yes log-prefix=!public_from_LAN \
out-interface=!bridge

The rule was taken from that manual. To my understanding it means that packets from the LAN that were not destined for an internet address will be dropped. So, should I remove this rule, disable upnp and manually forward the port?
Thank you again.
 
anav
Forum Guru
Posts: 2972
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Securing Mikrotik router using firewall rules causing issues.  [SOLVED]

Fri Mar 01, 2019 9:13 pm

Duplicate rules in red (which you can delete)
out of order rules in blue (put in order ie input chain first then forward chain)
Drop rules in green or parts of rules
add rules pink

/ip firewall filter
add action=accept chain=input comment=\
"defconf: accept established,related,untracked" connection-state=\
established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
in-interface-list=!LAN
****
Note1: **** Before you delete this rule, ensure you put in the better admin access rule you should put in place first so you keep your access to the router.
You will need to create the firewall address list first; in my rule example it is called adminaccess. It could be your PC and your laptop etc........ or a number of PCs.... or the subnet if you wish.
add action=accept chain=input comment="Allow ADMIN to Router" \
in-interface-list=LAN src-address-list=adminaccess


Note2: The rule we are replacing has two parts: the first one above was admin access and the other part is DNS access for the LAN, which we still need to keep. So instead of the original rule, which basically allows anyone on the LAN to access the router, use the next two rules, which only allow LAN access to DNS, which is perfectly normal.
add action=accept chain=input protocol=tcp port=53 \
in-interface-list=LAN
add action=accept chain=input protocol=udp port=53 \
in-interface-list=LAN


add action=accept chain=forward comment="defconf: accept in ipsec policy" \
ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
ipsec-policy=out,ipsec

add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
connection-state=established,related
add action=accept chain=forward comment=\
"defconf: accept established,related, untracked" connection-state=\
established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
connection-state=invalid
add action=drop chain=forward comment=\
"defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \

Note: Very confusing way of only allowing DSTNAT from WAN......... Instead add the following which is much clearer
add action=accept chain=forward comment=\
" Allow Port Forwarding - DSTNAT" connection-nat-state=dstnat
connection-state=new in-interface-list=WAN


add action=accept chain=input comment="default configuration" \
connection-state=established,related

add action=accept chain=input src-address-list=allowed_to_router
Note: Besides being out of order, the rule is too loose; note we already created a better rule addressing access to the router above.

add action=accept chain=input protocol=icmp
add action=drop chain=input
Note: This drop rule should be the last rule in the input chain.

add action=fasttrack-connection chain=forward comment=FastTrack \
connection-state=established,related
add action=accept chain=forward comment="Established, Related" \
connection-state=established,related
add action=drop chain=forward comment="Drop invalid" connection-state=invalid \
log=yes log-prefix=invalid
add action=drop chain=forward comment=\
"Drop tries to reach not public addresses from LAN" dst-address-list=\
not_in_internet in-interface=bridge log=yes log-prefix=!public_from_LAN \
out-interface=!bridge

add action=drop chain=forward comment=\
"Drop incoming packets that are not NATted" connection-nat-state=!dstnat \
connection-state=new in-interface=ether1 log=yes log-prefix=!NAT

add action=drop chain=forward comment=\
"Drop incoming from internet which is not public IP" in-interface=ether1 \
log=yes log-prefix=!public src-address-list=not_in_internet

add action=drop chain=forward comment=\
"Drop packets from LAN that do not have LAN IP" in-interface=bridge log=\
yes log-prefix=LAN_!LAN src-address=!192.168.88.0/24

Note: The above rules are needlessly complicated and can be covered by the following rules.....
add action=accept chain=forward comment="ENABLE LAN to WAN" in-interface=\
"yourbridge" out-interface-list=WAN
add action=drop chain=forward comment="Drop All Else"


Thusly, we state we allow established and related connections
We allow dstnat (and if you don't port forward at all you don't need this rule)
We allow lan to wan traffic
We drop everything else.

Technical point: for all rules we allow, they can also include connection-state=new, because the next time the packet hits the firewall as return traffic it will get matched to the first rule of established or related. I would like an expert to chime in on why it's necessary or unnecessary to state connection-state=new for all allow rules. What is the danger of omitting this part of allow rules in the input and forward chains is the question??
I'd rather manage rats than software. Follow my advice at your own risk! (Sob & mkx forced me to write that!)
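Whether the simplified forward chain really covers everything the original rules did can be checked by running both against the same packets. The following is an added example (Python, not RouterOS code, and not written by anyone in this thread) that models first-match evaluation of a forward chain, with both rule sets transcribed from the posts above and a handful of constructed packets. It assumes LAN = bridge and WAN = ether1 + pppoe-out1 as in the posted config, that IP traffic over the PPPoE session enters the forward chain on pppoe-out1 rather than ether1, that connection tracking has already labelled each packet's connection and NAT state, and that fasttrack-connection is non-terminating; the ipsec-policy rules are left out because none of the sample traffic is IPsec.

```python
"""First-match model of a MikroTik-style forward chain (added example).
Rules are dicts of RouterOS matcher names; a leading "!" negates a value,
as in the exported config (in-interface-list=!LAN)."""
import ipaddress

IFACE_LISTS = {"LAN": {"bridge"}, "WAN": {"ether1", "pppoe-out1"}}
ADDR_LISTS = {"not_in_internet": [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "100.64.0.0/10", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.0.0.0/24", "192.0.2.0/24", "192.88.99.0/24",
    "192.168.0.0/16", "198.18.0.0/15", "198.51.100.0/24", "203.0.113.0/24",
    "224.0.0.0/4", "240.0.0.0/4")]}

def in_list(addr, name):
    return any(ipaddress.ip_address(addr) in n for n in ADDR_LISTS[name])

MATCHERS = {  # one predicate per matcher used in the thread's rules
    "connection-state": lambda p, v: p["state"] in v.split(","),
    "connection-nat-state": lambda p, v: p["nat"] == v,
    "in-interface": lambda p, v: p["in"] == v,
    "out-interface": lambda p, v: p["out"] == v,
    "in-interface-list": lambda p, v: p["in"] in IFACE_LISTS[v],
    "out-interface-list": lambda p, v: p["out"] in IFACE_LISTS[v],
    "src-address": lambda p, v: ipaddress.ip_address(p["src"]) in ipaddress.ip_network(v),
    "dst-address-list": lambda p, v: in_list(p["dst"], v),
    "src-address-list": lambda p, v: in_list(p["src"], v),
}

def rule_matches(rule, pkt):
    for key, value in rule.items():
        if key == "action":
            continue
        negate = value.startswith("!")
        if MATCHERS[key](pkt, value.lstrip("!")) == negate:  # matcher failed
            return False
    return True

def evaluate(chain, pkt):
    """First terminating match decides; an unmatched packet is accepted."""
    for rule in chain:
        if rule_matches(rule, pkt):
            if rule["action"] == "fasttrack-connection":
                continue  # marks the connection, packet carries on down the chain
            return rule["action"]
    return "accept"

ORIGINAL_FORWARD = [  # OP's export, minus the ipsec-policy rules
    {"action": "fasttrack-connection", "connection-state": "established,related"},
    {"action": "accept", "connection-state": "established,related,untracked"},
    {"action": "drop", "connection-state": "invalid"},
    {"action": "drop", "connection-nat-state": "!dstnat", "connection-state": "new", "in-interface-list": "WAN"},
    {"action": "fasttrack-connection", "connection-state": "established,related"},
    {"action": "accept", "connection-state": "established,related"},
    {"action": "drop", "connection-state": "invalid"},
    {"action": "drop", "dst-address-list": "not_in_internet", "in-interface": "bridge", "out-interface": "!bridge"},
    {"action": "drop", "connection-nat-state": "!dstnat", "connection-state": "new", "in-interface": "ether1"},
    {"action": "drop", "in-interface": "ether1", "src-address-list": "not_in_internet"},
    {"action": "drop", "in-interface": "bridge", "src-address": "!192.168.88.0/24"},
]
SIMPLIFIED_FORWARD = [  # the four-rule version proposed in the thread
    {"action": "accept", "connection-state": "established,related"},
    {"action": "drop", "connection-state": "invalid"},
    {"action": "accept", "connection-nat-state": "dstnat", "connection-state": "new", "in-interface-list": "WAN"},
    {"action": "accept", "in-interface": "bridge", "out-interface-list": "WAN"},
    {"action": "drop"},
]

def packet(in_, out, src, dst, state="new", nat=None):
    return {"in": in_, "out": out, "src": src, "dst": dst, "state": state, "nat": nat}

SAMPLES = {  # constructed traffic, not captured from any real router
    "lan_to_internet": packet("bridge", "pppoe-out1", "192.168.88.20", "93.184.216.34"),
    "return_traffic": packet("pppoe-out1", "bridge", "93.184.216.34", "192.168.88.20", state="established"),
    "wan_unsolicited": packet("pppoe-out1", "bridge", "198.100.0.1", "192.168.88.50"),
    "wan_port_forward": packet("pppoe-out1", "bridge", "198.100.0.1", "192.168.88.50", nat="dstnat"),
    "wan_bogon_source": packet("pppoe-out1", "bridge", "10.1.2.3", "192.168.88.50", nat="dstnat"),
    "lan_to_private_via_wan": packet("bridge", "pppoe-out1", "192.168.88.20", "10.0.0.5"),
    "invalid": packet("pppoe-out1", "bridge", "198.100.0.1", "192.168.88.20", state="invalid"),
}

def compare(original=ORIGINAL_FORWARD, simplified=SIMPLIFIED_FORWARD, samples=SAMPLES):
    """Return {sample: (original_verdict, simplified_verdict)} where the chains disagree."""
    diffs = {}
    for name, pkt in samples.items():
        a, b = evaluate(original, pkt), evaluate(simplified, pkt)
        if a != b:
            diffs[name] = (a, b)
    return diffs

if __name__ == "__main__":
    for name, pkt in SAMPLES.items():
        print(f"{name:24} original={evaluate(ORIGINAL_FORWARD, pkt):7} simplified={evaluate(SIMPLIFIED_FORWARD, pkt)}")
    print("differences:", compare())
```

The two chains agree on every sample except lan_to_private_via_wan: the original's "Drop tries to reach not public addresses from LAN" rule drops a LAN client's attempt to reach 10.0.0.5 over the WAN, while the simplified chain accepts it under "ENABLE LAN to WAN"; if that egress filtering is wanted, keep one such rule ahead of the LAN-to-WAN accept. The model also shows why in-interface-list=WAN is preferable to ether1 on this router: the original's in-interface=ether1 drop rules never see traffic that arrived on pppoe-out1, so the bogon-sourced port-forward sample is accepted by both chains.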
 
anav
Forum Guru
Posts: 2972
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Securing Mikrotik router using firewall rules causing issues.

Fri Mar 01, 2019 9:22 pm

You do not need upnp enabled.
In fact sometimes you don't need port forwarding for torrenting; I have no idea about Game Ranger.

In any case, for port forwarding, if you cannot nail down the external WAN IPs that need access to your server (unsolicited entry, i.e. not due to reply packets coming in through the WAN), I highly recommend, especially for torrenting, that you have a separate VLAN just for that PC that is not connected to the HOMELAN and just has internet access. If you need to move files do it through a USB stick after passing antivirus checking.

To port forward you need to create the firewall forward filter rules, which is done in the previous post.
Then you need to create the specific DST-NAT rules in ip firewall nat.

By the way your masquerade rule................
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" \
ipsec-policy=out,none out-interface=pppoe-out1 out-interface-list=WAN
I believe you can simply use out-interface-list=WAN and it should work (in other words you don't need out-interface=pppoe-out1). Test it to see.

Format for dstnat rule
add action=dst-nat chain=dstnat comment=Purpose dst-port=zz \
in-interface-list=WAN protocol=tcp src-address-list=IfYouHaveOne \
to-addresses=192.168.z.zz

So if there is no port translation you don't need to-ports entered; no harm if you do.
But if you wanted people coming in on port=zz but you actually wanted the traffic to go to port aa on the router you would add
"to-addresses=192.168.zz to-ports=aa"

If you have a source address list, the port(s) are invisible to scanning; if you don't, then they are visible during scans and are reported as closed.
I'd rather manage rats than software. Follow my advice at your own risk! (Sob & mkx forced me to write that!)
 
shafiqrahman
just joined
Topic Author
Posts: 23
Joined: Wed Apr 12, 2017 1:42 am

Re: Securing Mikrotik router using firewall rules causing issues.

Sat Mar 02, 2019 4:48 am

Based on your suggestion here is the new configuration with upnp disabled and port forwarded:

# mar/02/2019 08:13:35 by RouterOS 6.43.12
# software id = BM4W-X3GK
#
# model = RouterBOARD 962UiGS-5HacT2HnT
# serial number = xxxxxx
/interface bridge
add admin-mac=xx:xx:xx:xx:xx:xx auto-mac=no comment=defconf name=bridge
/interface pppoe-client
add add-default-route=yes disabled=no interface=ether1 name=pppoe-out1 \
password=xxxxxx use-peer-dns=yes user=xxxxx
/interface wireless
set [ find default-name=wlan1 ] band=2ghz-b/g/n channel-width=20/40mhz-XX \
disabled=no distance=indoors frequency=auto installation=indoor mode=\
ap-bridge ssid=xxx wireless-protocol=802.11 wps-mode=disabled
set [ find default-name=wlan2 ] band=5ghz-a/n/ac channel-width=\
20/40/80mhz-XXXX disabled=no distance=indoors frequency=5765 mode=\
ap-bridge ssid=xxx wireless-protocol=802.11 wps-mode=disabled
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface wireless security-profiles
set [ find default=yes ] authentication-types=wpa-psk,wpa2-psk eap-methods="" \
mode=dynamic-keys supplicant-identity=MikroTik wpa-pre-shared-key=\
xxxxxxx wpa2-pre-shared-key=xxxxxx
/ip hotspot profile
set [ find default=yes ] html-directory=flash/hotspot
/ip pool
add name=dhcp ranges=192.168.88.10-192.168.88.254
/ip dhcp-server
add address-pool=dhcp disabled=no interface=bridge name=defconf
/interface bridge port
add bridge=bridge comment=defconf interface=ether2
add bridge=bridge comment=defconf interface=ether3
add bridge=bridge comment=defconf interface=ether4
add bridge=bridge comment=defconf interface=ether5
add bridge=bridge comment=defconf interface=sfp1
add bridge=bridge comment=defconf interface=wlan1
add bridge=bridge comment=defconf interface=wlan2
/ip neighbor discovery-settings
set discover-interface-list=none
/ip settings
set rp-filter=loose
/interface detect-internet
set detect-interface-list=all
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=ether1 list=WAN
add interface=pppoe-out1 list=WAN
/ip address
add address=192.168.88.1/24 comment=defconf interface=bridge network=\
192.168.88.0
/ip cloud
set update-time=no
/ip dhcp-client
add comment=defconf dhcp-options=hostname,clientid interface=ether1
/ip dhcp-server lease
add address=192.168.88.xxx client-id=xx:xx:xx:xx:xx mac-address=\
xx:xx:xx:xx:xx:xx server=defconf
/ip dhcp-server network
add address=192.168.88.0/24 comment=defconf gateway=192.168.88.1
/ip dns static
add address=192.168.88.1 name=router.lan
/ip firewall address-list
add address=192.168.88.2-192.168.88.254 list=allowed_to_router
add address=0.0.0.0/8 comment=RFC6890 list=not_in_internet
add address=172.16.0.0/12 comment=RFC6890 list=not_in_internet
add address=192.168.0.0/16 comment=RFC6890 list=not_in_internet
add address=10.0.0.0/8 comment=RFC6890 list=not_in_internet
add address=169.254.0.0/16 comment=RFC6890 list=not_in_internet
add address=127.0.0.0/8 comment=RFC6890 list=not_in_internet
add address=224.0.0.0/4 comment=Multicast list=not_in_internet
add address=198.18.0.0/15 comment=RFC6890 list=not_in_internet
add address=192.0.0.0/24 comment=RFC6890 list=not_in_internet
add address=192.0.2.0/24 comment=RFC6890 list=not_in_internet
add address=198.51.100.0/24 comment=RFC6890 list=not_in_internet
add address=203.0.113.0/24 comment=RFC6890 list=not_in_internet
add address=100.64.0.0/10 comment=RFC6890 list=not_in_internet
add address=240.0.0.0/4 comment=RFC6890 list=not_in_internet
add address=192.88.99.0/24 comment="6to4 relay Anycast [RFC 3068]" list=\
not_in_internet
/ip firewall filter
add action=accept chain=input comment=\
"defconf: accept established,related,untracked" connection-state=\
established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment="Allow ADMIN to Router" \
in-interface-list=LAN src-address-list=allowed_to_router
add action=accept chain=input in-interface-list=LAN port=53 protocol=tcp
add action=accept chain=input in-interface-list=LAN port=53 protocol=udp
add action=drop chain=input
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
connection-state=established,related
add action=accept chain=forward comment=\
"defconf: accept established,related, untracked" connection-state=\
established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
connection-state=invalid
add action=accept chain=forward comment=" Allow Port Forwarding - DSTNAT" \
connection-nat-state=dstnat connection-state=new in-interface-list=WAN
add action=fasttrack-connection chain=forward comment=FastTrack \
connection-state=established,related
add action=accept chain=forward comment="Established, Related" \
connection-state=established,related
add action=drop chain=forward comment="Drop invalid" connection-state=invalid \
log=yes log-prefix=invalid
add action=drop chain=forward comment=\
"Drop tries to reach not public addresses from LAN" dst-address-list=\
not_in_internet in-interface=bridge log=yes log-prefix=!public_from_LAN \
out-interface=!bridge
add action=drop chain=forward comment=\
"Drop incoming packets that are not NATted" connection-nat-state=!dstnat \
connection-state=new in-interface=ether1 log=yes log-prefix=!NAT
add action=drop chain=forward comment=\
"Drop incoming from internet which is not public IP" in-interface=ether1 \
log=yes log-prefix=!public src-address-list=not_in_internet
add action=accept chain=forward comment="ENABLE LAN to WAN" in-interface=\
bridge out-interface-list=WAN
add action=drop chain=forward comment="Drop All Else"
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" \
ipsec-policy=out,none out-interface-list=WAN
add action=dst-nat chain=dstnat comment="Plex Media Server" dst-address=\
0.0.0.0 dst-port=xxxxx in-interface=ether1 protocol=tcp to-addresses=\
192.168.88.xxx to-ports=xxxxx
add action=dst-nat chain=dstnat comment="NoMachine UDP" dst-address=0.0.0.0 \
dst-port=xxxxx in-interface=ether1 protocol=tcp to-addresses=\
192.168.88.xx to-ports=xxxx
add action=dst-nat chain=dstnat comment="NoMachine TCP" dst-address=0.0.0.0 \
dst-port=xxxxx in-interface=ether1 protocol=tcp to-addresses=\
192.168.88.xx to-ports=xxxx
add action=dst-nat chain=dstnat comment="Torrent TCP" dst-address=0.0.0.0 \
dst-port=xxxxx in-interface=ether1 protocol=tcp to-addresses=\
192.168.88.xxx to-ports=xxxxx
add action=dst-nat chain=dstnat comment="Torrent UDP" dst-address=0.0.0.0 \
dst-port=xxxxx in-interface=ether1 protocol=udp to-addresses=\
192.168.88.xxxx to-ports=xxxxx
add action=dst-nat chain=dstnat comment=GameRanger dst-port=xxxx \
in-interface=ether1 protocol=udp to-addresses=192.168.88.xxxx to-ports=\
xxxxx
add action=dst-nat chain=dstnat comment="Resilio Sync (TCP)" dst-address=\
0.0.0.0 dst-port=xxxxx in-interface=ether1 protocol=tcp to-addresses=\
192.168.88.xxx to-ports=xxxxx
add action=dst-nat chain=dstnat comment="Resilio Sync (UDP)" dst-address=\
0.0.0.0 dst-port=xxxxx in-interface=ether1 protocol=udp to-addresses=\
192.168.88.xxx to-ports=xxxx
/ip service
set telnet disabled=yes
set ftp disabled=yes
set www disabled=yes
set ssh port=xxxx
set api disabled=yes
set winbox address=192.168.88.0/24
set api-ssl disabled=yes
/ip ssh
set strong-crypto=yes
/ip upnp interfaces
add interface=bridge type=internal
add interface=ether1 type=external
/system clock
set time-zone-name=Asia/Dhaka
/system logging
add topics=wireless,debug
/system ntp client
set enabled=yes server-dns-names=\
0.pool.ntp.org,1.pool.ntp.org,2.pool.ntp.org,3.pool.ntp.org
/tool bandwidth-server
set enabled=no
/tool mac-server
set allowed-interface-list=none
/tool mac-server mac-winbox
set allowed-interface-list=none
/tool mac-server ping
set enabled=no
 
anav
Forum Guru
Posts: 2972
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Securing Mikrotik router using firewall rules causing issues.

Sat Mar 02, 2019 5:18 am

My recommendations are to get rid of all those silly filter rules as I stated in a previous post.
Get rid of all those source address lists, except you need one for your admin access as stated in a previous post.

The only comment I will make on your latest config
is to use 'in-interface-list=WAN' vice ether1 unless ether1 works for you........

Get rid of all the destination addresses in your destination NAT rules; they are not required.
I'd rather manage rats than software. Follow my advice at your own risk! (Sob & mkx forced me to write that!)
 
shafiqrahman
just joined
Topic Author
Posts: 23
Joined: Wed Apr 12, 2017 1:42 am

Re: Securing Mikrotik router using firewall rules causing issues.

Sat Mar 02, 2019 11:57 am

Should I delete the green rules too? Going to try the WAN settings in NAT. Actually what I did was copy the upnp NAT rules, then disabled upnp. It seems upnp took ether1 by default.

Update: Updated the in-interface list to WAN. But the weird thing is that, not just after the implementation of the rules but since always, there is no Bytes or Packets count in the NAT section; why is that? Only the masquerade shows Bytes and Packets counts. Also, I am still facing the Game Ranger disconnection issue, and once disconnected I can't sign in back again. Again, rebooting the router broke the internet connection, though the LAN part works. Rebooting again (2nd time) restores the internet.
 
anav
Forum Guru
Posts: 2972
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Securing Mikrotik router using firewall rules causing issues.

Sat Mar 02, 2019 4:23 pm

@anav
why is it deleted - ''untracked'' ?
Good question, it's a side case IF.........
In other words it's rarely used but is needed if doing something funky in raw rules.
In other words it's not a basic setting but for me an advanced setting and not required.
I'd rather manage rats than software. Follow my advice at your own risk! (Sob & mkx forced me to write that!)
 
anav
Forum Guru
Posts: 2972
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Securing Mikrotik router using firewall rules causing issues.

Sat Mar 02, 2019 4:24 pm

Should I delete the green rules too? Going to try the WAN settings in NAT. Actually what I did was copy the upnp NAT rules, then disabled upnp. It seems upnp took ether1 by default.

Update: Updated the in-interface list to WAN. But the weird thing is that, not just after the implementation of the rules but since always, there is no Bytes or Packets count in the NAT section; why is that? Only the masquerade shows Bytes and Packets counts. Also, I am still facing the Game Ranger disconnection issue, and once disconnected I can't sign in back again. Again, rebooting the router broke the internet connection, though the LAN part works. Rebooting again (2nd time) restores the internet.
What I am attempting to do is get you up and running with a much simplified and practical setup without excess garbage and noise, and an easy to read and understand configuration.
Later if you want to play and learn with different settings, that is great, but right now it's too confusing.
I'd rather manage rats than software. Follow my advice at your own risk! (Sob & mkx forced me to write that!)
 
shafiqrahman
just joined
Topic Author
Posts: 23
Joined: Wed Apr 12, 2017 1:42 am

Re: Securing Mikrotik router using firewall rules causing issues.

Sat Mar 02, 2019 6:24 pm

So, the green colored rules should be removed?
 
anav
Forum Guru
Posts: 2972
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Securing Mikrotik router using firewall rules causing issues.

Sat Mar 02, 2019 7:09 pm

Confirmed --> Yes, but please use safe mode for all configuration changes.
Wait a few secs after each apply and if the router doesn't kick you out you're good to proceed.
If it does kick you out, the offending action is not applied and you can re-connect to the point just before.

Duplicate rules in red (which you can delete)
out of order rules in blue (put in order ie input chain first then forward chain)
Drop rules in green or parts of rules
add rules pink
I'd rather manage rats than software. Follow my advice at your own risk! (Sob & mkx forced me to write that!)
 
shafiqrahman
just joined
Topic Author
Posts: 23
Joined: Wed Apr 12, 2017 1:42 am

Re: Securing Mikrotik router using firewall rules causing issues.

Sun Mar 03, 2019 7:36 pm

@anav
Sorry for the delay, I needed some time to test the new settings. I changed the firewall rules as per your suggestion. Though, I didn't change the "allowed_to_router" list, because every device on my network was dynamic. And it seems that assigning a static IP address to a Mac computer causes some issue. But the problem with Game Ranger still persists. It loses its connection to the server randomly. Any idea how I can trace the cause? Please note that everything else was unchanged and sometimes I need to reboot the router for Game Ranger to work.

/ip firewall address-list
add address=192.168.88.2-192.168.88.254 list=allowed_to_router
add address=0.0.0.0/8 comment=RFC6890 list=not_in_internet
add address=172.16.0.0/12 comment=RFC6890 list=not_in_internet
add address=192.168.0.0/16 comment=RFC6890 list=not_in_internet
add address=10.0.0.0/8 comment=RFC6890 list=not_in_internet
add address=169.254.0.0/16 comment=RFC6890 list=not_in_internet
add address=127.0.0.0/8 comment=RFC6890 list=not_in_internet
add address=224.0.0.0/4 comment=Multicast list=not_in_internet
add address=198.18.0.0/15 comment=RFC6890 list=not_in_internet
add address=192.0.0.0/24 comment=RFC6890 list=not_in_internet
add address=192.0.2.0/24 comment=RFC6890 list=not_in_internet
add address=198.51.100.0/24 comment=RFC6890 list=not_in_internet
add address=203.0.113.0/24 comment=RFC6890 list=not_in_internet
add address=100.64.0.0/10 comment=RFC6890 list=not_in_internet
add address=240.0.0.0/4 comment=RFC6890 list=not_in_internet
add address=192.88.99.0/24 comment="6to4 relay Anycast [RFC 3068]" list=\
not_in_internet
/ip firewall filter
add action=accept chain=input comment="defconf: accept established,related" \
connection-state=established,related
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment="Allow ADMIN to Router" \
in-interface-list=LAN src-address-list=allowed_to_router
add action=accept chain=input in-interface-list=LAN port=53 protocol=tcp
add action=accept chain=input in-interface-list=LAN port=53 protocol=udp
add action=drop chain=input
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
connection-state=established,related
add action=accept chain=forward comment="defconf: accept established,related" \
connection-state=established,related
add action=drop chain=forward comment="defconf: drop invalid" \
connection-state=invalid
add action=accept chain=forward comment=" Allow Port Forwarding - DSTNAT" \
connection-nat-state=dstnat connection-state=new in-interface-list=WAN
add action=fasttrack-connection chain=forward comment=FastTrack \
connection-state=established,related
add action=accept chain=forward comment="Established, Related" \
connection-state=established,related
add action=drop chain=forward comment="Drop invalid" connection-state=invalid \
log=yes log-prefix=invalid
add action=accept chain=forward comment="ENABLE LAN to WAN" in-interface=\
bridge out-interface-list=WAN
add action=drop chain=forward comment="Drop All Else"
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" \
ipsec-policy=out,none out-interface-list=WAN
add action=dst-nat chain=dstnat comment="Plex Media Server" dst-address=\
0.0.0.0 dst-port=xxxxx in-interface-list=WAN protocol=tcp to-addresses=\
192.168.88.xxx to-ports=xxxxx
add action=dst-nat chain=dstnat comment="NoMachine UDP" dst-address=0.0.0.0 \
dst-port=xxxxx in-interface-list=WAN protocol=tcp to-addresses=\
192.168.88.xx to-ports=xxxxx
add action=dst-nat chain=dstnat comment="NoMachine TCP" dst-address=0.0.0.0 \
dst-port=xxxxx in-interface-list=WAN protocol=tcp to-addresses=\
192.168.88.xxx to-ports=xxxx
add action=dst-nat chain=dstnat comment="Torrent TCP" dst-address=0.0.0.0 \
dst-port=59022 in-interface-list=WAN protocol=tcp to-addresses=\
192.168.88.xxx to-ports=xxxxx
add action=dst-nat chain=dstnat comment="Torrent UDP" dst-address=0.0.0.0 \
dst-port=xxxxx in-interface-list=WAN protocol=udp to-addresses=\
192.168.88.xxx to-ports=xxxxx
add action=dst-nat chain=dstnat comment=GameRanger dst-port=xxxxx \
in-interface-list=WAN protocol=udp to-ports=xxxxx
add action=dst-nat chain=dstnat comment="Resilio Sync (TCP)" dst-address=\
0.0.0.0 dst-port=xxxxx in-interface-list=WAN protocol=tcp to-ports=xxxxx
add action=dst-nat chain=dstnat comment="Resilio Sync (UDP)" dst-address=\
0.0.0.0 dst-port=xxxxx in-interface-list=WAN protocol=udp to-ports=xxxxx
/ip service
set telnet disabled=yes
set ftp disabled=yes
set www disabled=yes
set ssh port=xxxx
set api disabled=yes
set winbox address=192.168.88.0/24
set api-ssl disabled=yes
/ip ssh
set strong-crypto=yes
/ip upnp interfaces
add interface=bridge type=internal
add interface=ether1 type=external
/system clock
set time-zone-name=Asia/Dhaka
/system logging
add topics=wireless,debug
/system ntp client
set enabled=yes server-dns-names=\
0.pool.ntp.org,1.pool.ntp.org,2.pool.ntp.org,3.pool.ntp.org
/tool bandwidth-server
set enabled=no
/tool mac-server
set allowed-interface-list=none
/tool mac-server mac-winbox
set allowed-interface-list=none
/tool mac-server ping
set enabled=no
 
anav
Forum Guru
Posts: 2972
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Securing Mikrotik router using firewall rules causing issues.

Sun Mar 03, 2019 7:41 pm

So, as I understand it, for Game Ranger you need to forward ports because:
a. You run a Game Ranger server on your LAN, or
b. You need to open a port to your PC that is a client for Game Ranger (the server is on the internet)

Looking at your config,
I would add connection-state=new as another argument for the DNS rules on the input chain, but it's probably not necessary (not a show stopper).

You forgot to remove the duplicate entries,
the second instance of these:
add action=fasttrack-connection chain=forward comment=FastTrack \
connection-state=established,related
add action=accept chain=forward comment="Established, Related" \
connection-state=established,related
add action=drop chain=forward comment="Drop invalid" connection-state=invalid \
log=yes log-prefix=invalid

Let's take a look at your destination NAT rules:

add action=dst-nat chain=dstnat comment="Plex Media Server" dst-address=\
0.0.0.0 dst-port=xxxxx in-interface-list=WAN protocol=tcp to-addresses=\
192.168.88.xxx to-ports=xxxxx
add action=dst-nat chain=dstnat comment="NoMachine UDP" dst-address=0.0.0.0 \
dst-port=xxxxx in-interface-list=WAN protocol=tcp to-addresses=\
192.168.88.xx to-ports=xxxxx
add action=dst-nat chain=dstnat comment="NoMachine TCP" dst-address=0.0.0.0 \
dst-port=xxxxx in-interface-list=WAN protocol=tcp to-addresses=\
192.168.88.xxx to-ports=xxxx
add action=dst-nat chain=dstnat comment="Torrent TCP" dst-address=0.0.0.0 \
dst-port=59022 in-interface-list=WAN protocol=tcp to-addresses=\
192.168.88.xxx to-ports=xxxxx
add action=dst-nat chain=dstnat comment="Torrent UDP" dst-address=0.0.0.0 \
dst-port=xxxxx in-interface-list=WAN protocol=udp to-addresses=\
192.168.88.xxx to-ports=xxxxx
add action=dst-nat chain=dstnat comment=GameRanger dst-port=xxxxx \
in-interface-list=WAN protocol=udp to-ports=xxxxx
add action=dst-nat chain=dstnat comment="Resilio Sync (TCP)" dst-address=\
0.0.0.0 dst-port=xxxxx in-interface-list=WAN protocol=tcp to-ports=xxxxx
add action=dst-nat chain=dstnat comment="Resilio Sync (UDP)" dst-address=\
0.0.0.0 dst-port=xxxxx in-interface-list=WAN protocol=udp to-ports=xxxxx

Basically, from my understanding there is no requirement to state a destination address. In addition, if the destination port is the same as the to-ports, you can omit to-ports.
In one case (Torrent TCP), your rule indicates translation and thus you need both, as to-ports is different from the destination port.

Are you sure you only need one entry for GameRanger? I only see one for UDP ports???
Okay, I read the following:
Network Changes in GameRanger
GameRanger has introduced a significant new feature that bypasses the common problems that modems and routers cause with hosting (and sometimes joining) games. No setup or configuration is required, and all just works automatically.
In rare cases, some users with certain types of routers may still have problems joining or hosting, particularly if they have firewalls that are explicitly blocking ports. You will know if you are having network issues before you even launch the game because your name will remain in italics in the game room even after 10 seconds after joining the game room. If you can join other rooms or host games for other people just fine, it may be that host that has the network problems.
If you do have a troublesome router, you can fix the problem by configuring the router to enable Universal Plug and Play (UPnP), or manually do port forwarding for UDP port 16000. See Hosting Help for information about port forwarding. If you have a firewall, you'll need to stop it from blocking that port.

Based on your MT config, it should work!
I trawled the net and indeed UDP 16000 is confirmed.
There is some talk of these ports, but I think they are game-specific??
TCP 47624
TCP and UDP 2300-2400
UDP 6073
Last edited by anav on Sun Mar 03, 2019 8:14 pm, edited 1 time in total.
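As an added example that is not part of the thread (written here, not anav's, the poster's or MikroTik's code), the following Python linter reads a RouterOS export and mechanically raises the points anav makes above by eye: a forward-chain rule that duplicates an earlier one, a dst-nat rule with no to-addresses, and to-ports or dst-address that add nothing. The sample export is constructed; the masked xxxxx values are replaced with made-up ones, and 16000 is the GameRanger UDP port quoted in the thread.

```python
import re
# Constructed sample in the thread's export format; masked xxxxx values are made up,
# 16000 is the GameRanger UDP port quoted in the thread.
SAMPLE_EXPORT = r"""
/ip firewall filter
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
    connection-state=established,related
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
add action=fasttrack-connection chain=forward comment=FastTrack \
    connection-state=established,related
add action=drop chain=forward comment="Drop invalid" connection-state=invalid \
    log=yes log-prefix=invalid
/ip firewall nat
add action=dst-nat chain=dstnat comment="Plex Media Server" dst-address=0.0.0.0 \
    dst-port=32400 in-interface-list=WAN protocol=tcp to-addresses=192.168.88.20 to-ports=32400
add action=dst-nat chain=dstnat comment=GameRanger dst-port=16000 \
    in-interface-list=WAN protocol=udp to-ports=16000
"""
COSMETIC = {"comment", "log", "log-prefix"}  # keys that do not change what a rule matches

def parse_export(text):
    """Yield (section, {key: value}) per 'add' line, joining '\\'-continued lines first."""
    joined = re.sub(r"\\\n\s*", "", text)
    section = None
    for line in map(str.strip, joined.splitlines()):
        if line.startswith("/"):
            section = line
        elif line.startswith("add "):
            pairs = re.findall(r'(\S+?)=("[^"]*"|\S+)', line[4:])  # quoted comments stay whole
            yield section, {k: v.strip('"') for k, v in pairs}

def lint(text):
    findings, seen = [], set()
    for section, rule in parse_export(text):
        name = rule.get("comment", "<no comment>")
        if section == "/ip firewall filter":
            # same matchers and action as an earlier rule means the second one never fires
            sig = tuple(sorted((k, v) for k, v in rule.items() if k not in COSMETIC))
            if sig in seen:
                findings.append(f"duplicate filter rule: {name}")
            seen.add(sig)
        elif section == "/ip firewall nat" and rule.get("action") == "dst-nat":
            if "to-addresses" not in rule:
                findings.append(f"{name}: dst-nat has no to-addresses, no LAN host receives it")
            if "to-ports" in rule and rule["to-ports"] == rule.get("dst-port"):
                findings.append(f"{name}: to-ports equals dst-port, to-ports is redundant")
            if "dst-address" in rule:
                findings.append(f"{name}: dst-address is not needed on a dst-nat rule")
    return findings
```

Run `lint(open("export.rsc").read())` against a real `/export` to get the same list for your own configuration.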
 
shafiqrahman
just joined
Topic Author
Posts: 23
Joined: Wed Apr 12, 2017 1:42 am

Re: Securing Mikrotik router using firewall rules causing issues.

Sun Mar 03, 2019 8:06 pm

GameRanger is a client; it needs a UDP port to be opened, which I did. Then, if someone hosts the game, the server will be on the internet, and if I host then I will be the server.

Code:

/ip firewall filter
add action=accept chain=input comment="defconf: accept established,related" \
connection-state=established,related
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment="Allow ADMIN to Router" \
in-interface-list=LAN src-address-list=allowed_to_router
add action=accept chain=input in-interface-list=LAN port=53 protocol=tcp
add action=accept chain=input in-interface-list=LAN port=53 protocol=udp
add action=drop chain=input
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
connection-state=established,related
add action=accept chain=forward comment="defconf: accept established,related" \
connection-state=established,related
add action=drop chain=forward comment="defconf: drop invalid" \
connection-state=invalid
add action=accept chain=forward comment=" Allow Port Forwarding - DSTNAT" \
connection-nat-state=dstnat connection-state=new in-interface-list=WAN
add action=accept chain=forward comment="ENABLE LAN to WAN" in-interface=\
bridge out-interface-list=WAN
add action=drop chain=forward comment="Drop All Else"
/ip firewall nat
add action=dst-nat chain=dstnat comment=GameRanger dst-port=xxxxx \
in-interface-list=WAN protocol=udp to-ports=xxxx
 
anav
Forum Guru
Posts: 2972
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Securing Mikrotik router using firewall rules causing issues.

Sun Mar 03, 2019 8:16 pm

Just noticed the fact that you are missing the TO-ADDRESSES for your GameRanger rule!!!

add action=dst-nat chain=dstnat comment=GameRanger dst-port=xxxxx \
in-interface-list=WAN protocol=udp to-ports=xxxx

add action=dst-nat chain=dstnat comment=GameRanger dst-port=xxxxx \
in-interface-list=WAN protocol=udp to-addresses=IPofmac
 
shafiqrahman
just joined
Topic Author
Posts: 23
Joined: Wed Apr 12, 2017 1:42 am

Re: Securing Mikrotik router using firewall rules causing issues.

Sun Mar 03, 2019 8:22 pm

Done,

Code:

add action=dst-nat chain=dstnat comment=GameRanger dst-port=xxxx \
in-interface-list=WAN protocol=udp to-addresses=192.168.88.xxx to-ports=\
xxxx
Let's wait and see what happens. Btw, what about the new DNS rule? Allow remote requests is turned off.
 
anav
Forum Guru
Posts: 2972
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Securing Mikrotik router using firewall rules causing issues.

Sun Mar 03, 2019 10:38 pm

I would turn remote requests back on.
You have your firewall rule that DNS to the router is ONLY allowed from the LAN interface, so you are covered.
For your dhcp-server you have set up the gateway and DNS as your main LAN IP;
you should put in a few servers, such as 8.8.8.8, 1.1.1.1, 208.67.222.222.
If you want to feel more secure you can always add these ones in the forward chain.
add action=drop chain=forward dst-port=53 in-interface-list=WAN protocol=tcp
add action=drop chain=forward dst-port=53 in-interface-list=WAN protocol=udp

Funny thing about smart devices and maybe gaming apps is that they want to resolve IPs themselves, so having it work well is important.
 
shafiqrahman
just joined
Topic Author
Posts: 23
Joined: Wed Apr 12, 2017 1:42 am

Re: Securing Mikrotik router using firewall rules causing issues.

Sun Mar 03, 2019 11:14 pm

Thank you. Allow remote requests enabled, all DNS servers added, and add chain=forward action=drop destport=53 protocol=tcp/udp \
in-interface-list=wan also added to the firewall filter. So far GameRanger is still holding its connection; will let you know. Thank you again :D
 
anav
Forum Guru
Posts: 2972
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Securing Mikrotik router using firewall rules causing issues.

Sun Mar 03, 2019 11:48 pm

Awesome!