HWTest
Frequent Visitor
Topic Author
Posts: 62
Joined: Tue Apr 17, 2007 7:20 pm

Security problem?

Thu Apr 30, 2020 9:40 pm

I have an RB2011, ROS 6.45.8, configured as a home router.
Internet through an ADSL router in bridge mode, NAT, firewall, WiFi AP - a pretty normal config.
The one additional thing is a virtual wireless access point configured to have only an internet connection, no access to the LAN - for visitors.
Today I noticed on the RB that there is one PC in my LAN and it has an IP from the range of the virtual AP.
It is pingable, but with too high a reply time for a LAN, around 100 ms.
It has the MAC address and hostname of one of my laptops - probably spoofed.
I have tried disconnecting all LAN cables and disabling the APs; it is still pingable.
After disabling the ADSL connection there is no reply to a ping, so it is from the "outside".

I have created a firewall rule to log the traffic to and from this IP; so far only my ping is logged, but it goes through the WAN connection.
Int1 - my internal address
Int2 - internal address of the virtual AP
WAN - my WAN IP
Log looks like
to: Int1->Int2, NAT (Int1->WAN)->Int2
from: Int2->Int1, NAT Int2->(WAN->Int1)

I have no clue what's going on, but I would really like to.

Has anybody any ideas?
 
sindy
Forum Guru
Posts: 10206
Joined: Mon Dec 04, 2017 9:19 pm

Re: Security problem?

Thu Apr 30, 2020 9:53 pm

Has anybody any ideas?
None without seeing the actual configuration. See my automatic signature below. Is the ADSL device a modem in bridge mode or is it a router too? Does it have a wireless interface as well?
 
HWTest

Re: Security problem?

Thu Apr 30, 2020 10:09 pm

The ADSL is a router switched to bridge mode; it has a wireless interface, but it's disabled.
Will post the export later ...
 
HWTest

Re: Security problem?

Fri May 01, 2020 11:38 am

Here is the export:
# apr/30/2020 21:12:10 by RouterOS 6.45.8
# software id = xxx
#
# model = 2011UiAS-2HnD
# serial number = xxx

/interface bridge
add fast-forward=no name=BRIDGE

/interface ethernet
set [ find default-name=ether5 ] name=BAD
set [ find default-name=ether2 ] name=DC01
set [ find default-name=ether3 ] name=Duo2
set [ find default-name=ether6 ] name=Epson
set [ find default-name=ether1 ] name=G1
set [ find default-name=ether9 ] name=HP
set [ find default-name=ether4 ] name=NetGear
set [ find default-name=sfp1 ] disabled=yes name=Optika
set [ find default-name=ether8 ] name=Panasonic
set [ find default-name=ether10 ] name=ZYXEL poe-out=off
set [ find default-name=ether7 ] name=eGreat

/interface pppoe-client
add add-default-route=yes disabled=no interface=ZYXEL keepalive-timeout=disabled max-mru=1492 max-mtu=1492 name=WIA use-peer-dns=yes user=user

/interface wireless
set [ find default-name=wlan1 ] ampdu-priorities=0,1,2,3,4,5,6,7 band=2ghz-b/g/n country="czech republic" disabled=no distance=indoors frequency=2437 mode=ap-bridge name=WLAN ssid=TEST wireless-protocol=802.11 wmm-support=enabled wps-mode=disabled

/interface list
add name=BRIDGELIST
add name=LAN

/interface wireless security-profiles
set [ find default=yes ] authentication-types=wpa-psk,wpa2-psk disable-pmkid=yes eap-methods="" mode=dynamic-keys supplicant-identity=MikroTik

add authentication-types=wpa-psk,wpa2-psk disable-pmkid=yes eap-methods="" mode=static-keys-required name=legacy static-algo-0=40bit-wep supplicant-identity=""

/interface wireless
add default-forwarding=no disabled=no keepalive-frames=disabled mac-address=MAC master-interface=WLAN multicast-buffering=disabled name=VWLAN security-profile=legacy ssid=legacy wps-mode=disabled

/ip pool
add name=Pool ranges=192.168.242.51-192.168.242.100
add name=PoolL ranges=192.168.241.1-192.168.241.50

/ip dhcp-server
add add-arp=yes address-pool=Pool disabled=no interface=BRIDGE lease-time=3d name=DHCP
add add-arp=yes address-pool=PoolL disabled=no interface=VWLAN lease-time=3d name=DHCPL

/interface bridge port
add bridge=BRIDGE interface=G1
add bridge=BRIDGE interface=DC01
add bridge=BRIDGE interface=Duo2
add bridge=BRIDGE interface=NetGear
add bridge=BRIDGE interface=BAD
add bridge=BRIDGE interface=Epson
add bridge=BRIDGE interface=eGreat
add bridge=BRIDGE interface=Panasonic
add bridge=BRIDGE interface=HP
add bridge=BRIDGE interface=WLAN

/ip neighbor discovery-settings
set discover-interface-list=LAN

/ip settings
set rp-filter=strict

/interface list member
add interface=BRIDGE list=LAN
add interface=VWLAN list=LAN
add interface=ZYXEL list=LAN
add interface=G1 list=BRIDGELIST
add interface=DC01 list=BRIDGELIST
add interface=Duo2 list=BRIDGELIST
add interface=NetGear list=BRIDGELIST
add interface=BAD list=BRIDGELIST
add interface=Epson list=BRIDGELIST
add interface=eGreat list=BRIDGELIST
add interface=Panasonic list=BRIDGELIST
add interface=HP list=BRIDGELIST
add interface=WLAN list=BRIDGELIST

/ip address
add address=192.168.242.254/24 interface=BRIDGE network=192.168.242.0
add address=192.168.240.254/24 interface=ZYXEL network=192.168.240.0
add address=192.168.241.254/24 interface=VWLAN network=192.168.241.0

/ip dhcp-server lease
add address=192.168.242.55 mac-address=MAC1 server=DHCP
add address=192.168.242.60 mac-address=MAC2 server=DHCP

/ip dhcp-server network
add address=192.168.241.0/24 dns-server=192.168.241.254 gateway=192.168.241.254 netmask=24
add address=192.168.242.0/24 dns-server=192.168.242.254 gateway=192.168.242.254 netmask=24 wins-server=192.168.242.10

/ip dns
set allow-remote-requests=yes servers=8.8.8.8,8.8.4.4,208.67.222.222,208.67.220.220

/ip firewall address-list
add address=WANIP comment=Internet list=public-add
add address=192.168.242.0/24 comment="Admin access to RB" list=Spravce
add address=192.168.240.0-192.168.242.255 comment="LAN + Zyxel + Legacy Wifi" list=internal-nets

add address=0.0.0.0/8 comment="RFC6890 Self-Identification - This host on this network" list=not_in_internet
add address=127.0.0.0/8 comment="RFC6890 Loopback" list=not_in_internet
add address=169.254.0.0/16 comment="RFC6890 Link Local" list=not_in_internet
add address=10.0.0.0/8 comment="RFC6890 Private - CLASS A" list=not_in_internet
add address=172.16.0.0/12 comment="RFC6890 Private - CLASS B" list=not_in_internet
add address=192.168.0.0-192.168.239.255 comment="RFC6890 Private - CLASS C1" list=not_in_internet
add address=192.168.243.0-192.168.255.255 comment="RFC6890 Private - CLASS C2" list=not_in_internet
add address=224.0.0.0/4 comment="Multicast, Class D, IANA" list=not_in_internet
add address=192.0.2.0/24 comment="RFC6890 Reserved - IANA - TestNet1" list=not_in_internet
add address=198.51.100.0/24 comment="RFC6890 Reserved - IANA - TestNet2" list=not_in_internet
add address=203.0.113.0/24 comment="RFC6890 Reserved - IANA - TestNet3" list=not_in_internet
add address=192.88.99.0/24 comment="RFC6890 6to4 Relay Anycast" list=not_in_internet
add address=198.18.0.0/15 comment="RFC6890 Network Interconnect Device Benchmark Testing" list=not_in_internet
add address=100.64.0.0/10 comment="RFC6890 Shared Address Space" list=not_in_internet
add address=192.0.0.0/24 comment="RFC6890 Reserved - IANA - IETF Protocol Assignments" list=not_in_internet
add address=240.0.0.0/4 comment="RFC6890 Reserved for Future Use" list=not_in_internet

/ip firewall filter
add action=passthrough chain=input comment="Input counter"
add action=tarpit chain=input comment="Tarpit port-scan address list" protocol=tcp src-address-list=port-scan
add action=add-src-to-address-list address-list=syn-flood address-list-timeout=30m chain=input comment="Add Syn Flooders to syn-flood address list" connection-limit=30,32 protocol=tcp tcp-flags=syn
add action=add-src-to-address-list address-list=spammers address-list-timeout=3h chain=input comment="Add Spammers to the list for 3 hours" connection-limit=30,32 dst-port=25,587 limit=30/1m,0 protocol=tcp
add action=drop chain=input comment="Drop RFC6890 and multicast inbound" in-interface=WIA src-address-list=not_in_internet
add action=drop chain=input comment="Drop our addressing inbound - spoofed" in-interface=WIA src-address-list=public-add
add action=drop chain=input comment="Drop all access to the winbox - except list" dst-port=8291 protocol=tcp src-address-list=!internal-nets
add action=drop chain=input comment="Drop new from WIA" connection-state=new in-interface=WIA
add chain=input comment="Established, Related" connection-state=established,related
add action=drop chain=input comment="Drop invalid" connection-state=invalid
add action=accept chain=input comment="From LAN" in-interface=!WIA src-address-list=internal-nets
add action=accept chain=input comment="Allow DHCP" dst-port=67 in-interface=BRIDGE protocol=udp src-port=68
add action=accept chain=input comment="Allow DHCP" dst-port=67 in-interface=VWLAN protocol=udp src-port=68
add action=drop chain=input comment="Drop all packets which are not destined to routers IP address" dst-address-type=!local
add action=drop chain=input comment="Drop all packets which don't have unicast source IP address" src-address-type=!unicast
add action=log chain=input comment="Log everything else" log-prefix=Log
add action=drop chain=input comment="Drop everything else" disabled=yes
add action=passthrough chain=forward comment="Forward counter"
add action=log chain=forward log=yes log-prefix="From Boogie" src-address=192.168.241.1
add action=log chain=forward dst-address=192.168.241.1 log=yes log-prefix="To Boogie"
add action=drop chain=forward comment="Drop access from VWLAN to LAN" in-interface=VWLAN out-interface=!WIA
add action=drop chain=forward comment="Drop RFC6890 and multicast inbound" in-interface=WIA src-address-list=not_in_internet
add action=drop chain=forward comment="Drop RFC6890 and multicast inbound" in-interface=WIA src-address-list=internal-nets
add action=drop chain=forward comment="Drop our addressing inbound - spoofed" in-interface=WIA src-address-list=public-add
add action=drop chain=forward comment="Drop tries to reach not public addresses from LAN" dst-address-list=not_in_internet in-interface-list=LAN out-interface-list=!LAN
add action=drop chain=forward comment="Drop packets from LAN that do not have LAN IP" in-interface=BRIDGE src-address=!192.168.242.0/24
add action=drop chain=forward comment="Drop packets from ZYXEL that do not have ZYXEL IP" in-interface=ZYXEL src-address=!192.168.240.0/24
add action=drop chain=forward comment="Drop packets from VWLAN that do not have VWLAN IP" in-interface=VWLAN src-address=!192.168.241.0/24
add action=drop chain=forward comment="Drop incoming packets that are not NATted" connection-nat-state=!dstnat connection-state=new in-interface=WIA
add action=add-src-to-address-list address-list=spammers address-list-timeout=3h chain=forward comment="Add Spammers to the list for 3 hours" connection-limit=30,32 dst-port=25,587 limit=30/1m,0 protocol=tcp
add action=drop chain=forward comment="Drop bogon list" dst-address-list=not_in_internet
add action=drop chain=forward comment="Drop Windows ports" port=135-139 protocol=tcp
add action=log chain=forward comment="Drop new from WIA" connection-state=new in-interface=WIA
add action=fasttrack-connection chain=forward comment="Fasttrack Established, Related" connection-state=established,related
add action=accept chain=forward comment="Established, Related, Untracked" connection-state=established,related,untracked
add action=drop chain=forward comment="Drop invalid" connection-state=invalid
add action=accept chain=forward comment="From LAN" in-interface=!WIA src-address-list=internal-nets
add action=log chain=forward comment="Log everything else" log-prefix=Log
add action=drop chain=forward comment="Drop everything else" disabled=yes
add action=passthrough chain=output comment="Output counter"
add chain=output comment="Established, Related" connection-state=established,related
add action=drop chain=output comment="Drop invalid" connection-state=invalid
add chain=output comment="DNS query" dst-port=53 out-interface=WIA protocol=tcp
add chain=output comment="DNS query" dst-port=53 out-interface=WIA protocol=udp
add chain=output comment="NTP query" dst-port=123 out-interface=WIA protocol=udp
add action=log chain=output comment="Log everything else" log-prefix=Log
add action=drop chain=output comment="Drop everything else" disabled=yes

/ip firewall nat
add action=masquerade chain=srcnat out-interface=WIA

/ip firewall raw
add action=drop chain=prerouting comment="Drop inbound FTP, SSH, Telnet, http, Winbox" dst-port=21,22,23,80,8291 protocol=tcp src-address-list=!Spravce
add action=jump chain=prerouting comment="From LAN Jump for ICMP input flow" in-interface=!WIA jump-target=ICMP protocol=icmp
add action=jump chain=prerouting comment="Accept up to 50 pings in 5 seconds and jump for ICMP input flow" in-interface=WIA jump-target=ICMP limit=50/5s,5:packet protocol=icmp
add action=add-src-to-address-list address-list=icmp-attack address-list-timeout=12h chain=prerouting comment="Add all other ICMP input into icmp-attack address list" in-interface=WIA protocol=icmp
add action=drop chain=prerouting comment="Drop excessive ICMP traffic" protocol=icmp src-address-list=icmp-attack
add action=drop chain=prerouting comment="Drop port-scan address list" src-address-list=port-scan
add action=add-src-to-address-list address-list=port-scan address-list-timeout=2w chain=prerouting comment="Add port scanners to port-scan list" in-interface=WIA protocol=tcp psd=21,3s,3,1 src-address-list=!internal-nets
add action=add-src-to-address-list address-list=port-scan address-list-timeout=2w chain=prerouting comment="NMAP FIN Stealth scan" protocol=tcp tcp-flags=fin,!syn,!rst,!psh,!ack,!urg
add action=add-src-to-address-list address-list=port-scan address-list-timeout=2w chain=prerouting comment="SYN/FIN scan" protocol=tcp tcp-flags=fin,syn
add action=add-src-to-address-list address-list=port-scan address-list-timeout=2w chain=prerouting comment="SYN/RST scan" protocol=tcp tcp-flags=syn,rst
add action=add-src-to-address-list address-list=port-scan address-list-timeout=2w chain=prerouting comment="FIN/PSH/URG scan" protocol=tcp tcp-flags=fin,psh,urg,!syn,!rst,!ack
add action=add-src-to-address-list address-list=port-scan address-list-timeout=2w chain=prerouting comment="ALL/ALL scan" protocol=tcp tcp-flags=fin,syn,rst,psh,ack,urg
add action=add-src-to-address-list address-list=port-scan address-list-timeout=2w chain=prerouting comment="NMAP NULL scan" protocol=tcp tcp-flags=!fin,!syn,!rst,!psh,!ack,!urg
add action=drop chain=prerouting comment="Drop syn-flood address list" src-address-list=syn-flood
add action=drop chain=prerouting comment="Avoid spammers action" dst-port=25,587 protocol=tcp src-address-list=spammers
add action=drop chain=prerouting comment="TCP flags and Port 0 attacks" protocol=tcp tcp-flags=!fin,!syn,!rst,!ack
add action=drop chain=prerouting comment="Drop FIN,SYN" protocol=tcp tcp-flags=fin,syn
add action=drop chain=prerouting comment="Drop FIN,RST" protocol=tcp tcp-flags=fin,rst
add action=drop chain=prerouting comment="Drop FIN,!ACK" protocol=tcp tcp-flags=fin,!ack
add action=drop chain=prerouting comment="Drop FIN,URG" protocol=tcp tcp-flags=fin,urg
add action=drop chain=prerouting comment="Drop SYN,RST" protocol=tcp tcp-flags=syn,rst
add action=drop chain=prerouting comment="Drop RST,URG" protocol=tcp tcp-flags=rst,urg
add action=drop chain=prerouting comment="Drop src Port 0 TCP" protocol=tcp src-port=0
add action=drop chain=prerouting comment="Drop dst Port 0 TCP" dst-port=0 protocol=tcp
add action=drop chain=prerouting comment="Drop src Port 0 UDP" protocol=udp src-port=0
add action=drop chain=prerouting comment="Drop dst Port 0 UDP" dst-port=0 protocol=udp
add action=drop chain=prerouting comment="Drop DNS queries from the internet" dst-port=53 in-interface=WIA protocol=udp
add action=drop chain=prerouting comment="Drop DNS queries from the internet" dst-port=53 in-interface=WIA protocol=tcp
add action=drop chain=prerouting comment="Drop RFC6890 and multicast inbound" in-interface=WIA src-address-list=not_in_internet
add action=drop chain=prerouting comment="Drop our addressing inbound - spoofed" in-interface=WIA src-address-list=public-add
add action=drop chain=prerouting comment="Drop bogon list" dst-address-list=not_in_internet
add action=drop chain=prerouting comment="Drop packets from LAN that do not have LAN IP" in-interface=BRIDGE src-address=!192.168.242.0/24
add action=drop chain=prerouting comment="Drop packets from ZYXEL that do not have ZYXEL IP" in-interface=ZYXEL src-address=!192.168.240.0/24
add action=drop chain=prerouting comment="Drop packets from VWLAN that do not have VWLAN IP" in-interface=VWLAN src-address=!192.168.241.0/24
add action=drop chain=forward comment="Drop tries to reach not public addresses from LAN" dst-address-list=not_in_internet in-interface-list=LAN out-interface-list=!LAN
add action=drop chain=forward comment="Drop Windows ports" port=135-139 protocol=tcp
add action=drop chain=ICMP comment="Drop excessive ICMP traffic" protocol=icmp src-address-list=icmp-attack
add chain=ICMP comment="Echo reply" icmp-options=0:0 protocol=icmp
add chain=ICMP comment="Net unreachable" icmp-options=3:0 protocol=icmp
add chain=ICMP comment="Host unreachable" icmp-options=3:1 protocol=icmp
add chain=ICMP comment="Host unreachable fragmentation required" icmp-options=3:4 protocol=icmp
add chain=ICMP comment="Allow source quench" icmp-options=4:0 protocol=icmp
add chain=ICMP comment="Allow echo request" icmp-options=8:0 protocol=icmp
add chain=ICMP comment="Allow time exceed" icmp-options=11:0 protocol=icmp
add chain=ICMP comment="Allow parameter bad" icmp-options=12:0 protocol=icmp
add action=drop chain=ICMP comment="Drop all other types"

/ip service
set telnet address=192.168.242.0/24 disabled=yes
set ftp address=192.168.242.0/24 disabled=yes
set www address=192.168.242.0/24
set ssh address=192.168.242.0/24 disabled=yes
set www-ssl address=192.168.242.0/24
set api address=192.168.242.0/24 disabled=yes
set winbox address=192.168.242.0/24
set api-ssl address=192.168.242.0/24 disabled=yes

/ip smb
set allow-guests=no domain=XXX

/ip ssh
set forwarding-enabled=remote strong-crypto=yes

/lcd
set backlight-timeout=1h default-screen=interfaces read-only-mode=yes time-interval=hour

/lcd pin
set hide-pin-number=yes pin-number=xxx

/lcd interface
set Optika disabled=yes
set G1 disabled=yes
set DC01 disabled=yes
set Duo2 disabled=yes
set NetGear disabled=yes
set BAD disabled=yes
set Epson disabled=yes
set eGreat disabled=yes
set Panasonic disabled=yes
set HP disabled=yes
add interface=WIA max-speed=100.0Mbps

/lcd interface pages
set 0 interfaces=WIA,WLAN,ZYXEL

/system clock
set time-zone-name=Europe/Prague

/system identity
set name=RB2011

/system leds
add interface=WIA leds="" type=interface-status

/system logging
add disabled=yes topics=pppoe

/system ntp client
set enabled=yes server-dns-names=cz.pool.ntp.org

/system package update
set channel=long-term

/tool bandwidth-server
set enabled=no

/tool graphing interface
add allow-address=192.168.242.0/24 interface=WIA store-on-disk=no
add allow-address=192.168.242.0/24 interface=WLAN store-on-disk=no

/tool graphing resource
add allow-address=192.168.242.0/24 store-on-disk=no

/tool mac-server
set allowed-interface-list=BRIDGELIST

/tool mac-server mac-winbox
set allowed-interface-list=BRIDGELIST

/tool mac-server ping
set enabled=no

I added this line to the firewall:
add action=drop chain=forward comment="Drop RFC6890 and multicast inbound" in-interface=WIA src-address-list=internal-nets
and the offending address was not pingable anymore, and after the DHCP lease timed out, it was gone.

It was 192.168.241.1 on the interface VWLAN.
 
sindy

Re: Security problem?

Fri May 01, 2020 2:33 pm

It has an MAC address and hostname of one of my laptops - probably spoofed.
Your WAN is a PPPoE one which is an L3 interface, so no MAC address can be seen on a packet coming in via PPPoE.
There is no DHCP server attached to the ZYXEL (ether10) interface directly, so the DHCP lease could not be given out through it.

So what exactly did you have to do to see the MAC address - have you seen it in the DHCP lease or somewhere else?

If it wasn't for the MAC address, the explanation might be quite simple: I have seen ISPs not blocking customers' connections to private IP address ranges the ISPs use internally, so you may have been pinging one of WIA's own devices.
 
HWTest

Re: Security problem?

Fri May 01, 2020 3:48 pm

I have seen the MAC address in the ARP table and in the DHCP lease table.
 
sindy

Re: Security problem?

Fri May 01, 2020 3:54 pm

In that case I'd think it's two unrelated things or a very weird bug. Now that the DHCP lease is not there any more, if you disable the firewall rule you have added and ping that address again while the APs are disabled and nothing is connected to the LAN, will the pings to that address be answered?
 
HWTest

Re: Security problem?

Fri May 01, 2020 5:03 pm

Yes, I can ping it.
And it's not in the ARP or DHCP lease table.
 
sindy

Re: Security problem?

Fri May 01, 2020 8:16 pm

Yes, I can ping it.
And it's not in the ARP or DHCP lease table.
OK, so it's indeed two issues:
  • one is that something with that address is reachable via WAN, which can be solved by not allowing traffic to and from the RFC1918 range to be routed out via WAN or accepted from there (as you've already done using that firewall address-list and rule),
  • the other one is that you've seen a DHCP assignment with the MAC address of your laptop but with an IP address from the range used by the DHCP server assigned to the virtual AP interface for visitors, VWLAN.
    Regarding this one: I can see that the security-profile assigned to the visitors' AP, legacy, is open. Since RouterOS doesn't mind leasing an IP address to a client using one DHCP server while the same client has already got a lease from another server, would it be possible that the laptop could not connect to the main AP, TEST, and registered with legacy instead, at least for a while? I don't exclude that one of your neighbours has spoofed your MAC address - on-air sniffing became a no-brainer a couple of years ago and the MAC addresses of the stations are visible in plaintext; it is clear from the APs' MAC addresses and frequencies that TEST and legacy are on the same hardware, and legacy advertises that a password-less connection is possible - but a temporary connection of your own laptop to legacy seems more realistic to me at the moment.
    And double-checking: when you've seen the MAC address in the ARP table associated with the IP address from the VWLAN range, was the INTERFACE shown on that row VWLAN or BRIDGE?
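The two checks the reply above asks for (does one MAC hold leases from both DHCP servers, and on which interface does the ARP table show the address) can be scripted against the router's own `print detail` output. The following is an added example, not code from the thread or from MikroTik: the lease and ARP text is constructed to mirror what was reported (same laptop MAC bound first on the guest server, then on the LAN server; a LAN-range address learned on VWLAN), the MAC addresses and host names are invented, and the subnet-to-interface map is taken from the /ip address section of the posted export.

```python
"""Spot a client that holds leases from two DHCP servers, or an ARP entry on the
wrong interface, in RouterOS 'print detail' style output.

Added example, not code from the post or from MikroTik. The sample output below
is constructed: the lines follow the key=value token layout of
/ip dhcp-server lease print detail and /ip arp print detail, while the MAC
addresses, host names and timings are invented to mirror the OP's report.
"""
from __future__ import annotations

import re
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Constructed: a laptop MAC bound first on the guest server DHCPL (VWLAN range),
# then a few minutes later on the LAN server DHCP (BRIDGE range).
LEASES = """\
 0 D address=192.168.241.1 mac-address=AA:BB:CC:11:22:33 server=DHCPL status=bound last-seen=6m12s host-name="laptop"
 1 D address=192.168.242.60 mac-address=AA:BB:CC:11:22:33 server=DHCP status=bound last-seen=3m40s host-name="laptop"
 2 D address=192.168.242.71 mac-address=AA:BB:CC:44:55:66 server=DHCP status=bound last-seen=12s host-name="epson"
"""

# Constructed: one consistent guest entry, one LAN-range address learned on VWLAN.
ARP = """\
 0 DC address=192.168.241.1 mac-address=AA:BB:CC:11:22:33 interface=VWLAN
 1 DC address=192.168.242.77 mac-address=AA:BB:CC:77:88:99 interface=VWLAN
 2 DC address=192.168.242.71 mac-address=AA:BB:CC:44:55:66 interface=BRIDGE
"""

# Subnet that legitimately lives on each interface (from the /ip address section).
EXPECTED = {
    "BRIDGE": ip_network("192.168.242.0/24"),
    "VWLAN": ip_network("192.168.241.0/24"),
}

# key=value tokens; the value may be a quoted string containing spaces.
KV = re.compile(r'(\S+?)=("(?:[^"\\]|\\.)*"|\S+)')


def parse_records(text: str) -> list[dict[str, str]]:
    """Turn each non-empty 'print detail' line into a dict of its key=value fields."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        rec = {k: v.strip('"') for k, v in KV.findall(line)}
        if rec:
            records.append(rec)
    return records


def macs_with_multiple_servers(leases: list[dict[str, str]]) -> dict[str, set[str]]:
    """MAC -> set of DHCP servers, keeping only MACs bound on more than one server."""
    servers: dict[str, set[str]] = defaultdict(set)
    for lease in leases:
        servers[lease["mac-address"].upper()].add(lease["server"])
    return {mac: s for mac, s in servers.items() if len(s) > 1}


def arp_on_wrong_interface(arp: list[dict[str, str]]) -> list[tuple[str, str, str]]:
    """(address, mac, interface) for ARP rows whose address is outside that interface's subnet."""
    bad = []
    for row in arp:
        net = EXPECTED.get(row["interface"])
        if net is not None and ip_address(row["address"]) not in net:
            bad.append((row["address"], row["mac-address"].upper(), row["interface"]))
    return bad


if __name__ == "__main__":
    for mac, servers in macs_with_multiple_servers(parse_records(LEASES)).items():
        print(f"{mac} holds leases from {sorted(servers)} - same client seen on guest and LAN")
    for addr, mac, iface in arp_on_wrong_interface(parse_records(ARP)):
        print(f"{addr} ({mac}) learned on {iface}, which does not carry that subnet")
```

Feed it real output by pasting `/ip dhcp-server lease print detail` and `/ip arp print detail` into the two strings; a MAC that shows up under both servers within a few minutes is the "laptop briefly joined the guest SSID" case, while an ARP row whose address does not belong to the interface's subnet is the thing worth chasing.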
 
HWTest

Re: Security problem?

Fri May 01, 2020 9:03 pm

Thank you for all the information.
The interface in the ARP table was the VWLAN interface.
Another thing I noticed: there were two IPs in the DHCP lease table associated with the MAC of the laptop, one on the VWLAN interface from the VWLAN range and a second one on the BRIDGE interface from the BRIDGE range; there was only a couple of minutes' difference between the lease times, and the VWLAN one was older.

When I:
1) enable the firewall rule again
2) disable the VWLAN interface and enable it only when needed
should I be safe?
 
sindy

Re: Security problem?

Fri May 01, 2020 10:00 pm

When I:
1) enable the firewall rule again
2) disable the VWLAN interface and enable it only when needed
I should be safe?
Whenever you enable a password-less WiFi, anyone close enough can use it. If you don't mind, that's OK. If you do, set up a password and give it only to the guests you know (i.e. not those behind the wall whom you have never seen ;) ).

Regarding your firewall, I don't like it at all: in its current state it is overly complex, and it protects you from nonsense but not from the real threats.

In my opinion, the best approach to stay safe is to drop almost everything and accept a few exceptions if necessary. The idea is that if you forget to allow something that should have been allowed, your legitimate users will be unhappy and will let you know quickly; if you forget to forbid something that should have been forbidden, your illegitimate users will be happy and will never let you know.

So the chain=input of your firewall could be as simple as:

chain=input connection-state=established,related action=accept
chain=input connection-state=invalid action=drop
chain=input in-interface=BRIDGE action=accept
chain=input in-interface=!WIA protocol=udp dst-port=53 action=accept
chain=input in-interface=!WIA protocol=tcp dst-port=53 action=accept
chain=input protocol=icmp action=accept
chain=input action=drop


This way, the firewall will only allow establishing new connections to the router itself from member ports of BRIDGE, access to the Tik's own DNS service from any interface except WAN (WIA), and ICMP from anywhere. So no need to list all the various ranges of non-public addresses and use tens of drop rules.

With this firewall, you'll still be able to ping that 192.168.241... via WAN - the reason is that the connection will be initiated by the Tik. In the opposite direction, it won't be possible to ping your device if you disable the "accept icmp" rule.

chain=forward can be reconfigured in a similar way. The firewall rules from the default configuration (/system default-configuration print) are a very good inspiration.

If you decide to redo the firewall this way, make sure that you don't add (or enable) the "drop the rest" rule before you check that your management connections to the router pass thanks to the "accept anything from BRIDGE" rule. Or, before adding/enabling it, activate Safe mode, then add/enable the rule, try to establish a new management connection, and only if it succeeds, exit Safe mode.
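The reply above relies on two properties of RouterOS filter chains that are easy to get wrong: a chain is evaluated top to bottom and the first accept or drop that matches decides, and a reply to a connection the router opened itself matches "established,related" before any address-based rule is reached. The following is an added example, not code from the post or from MikroTik, that models the chain=input listed above rule for rule, adds a chain=forward built "in a similar way" (the forward rules, the interface names WIA/BRIDGE/VWLAN and the address ranges are assumptions taken from the posted export), and replays constructed packets for the situations discussed in the thread so the reader can see which rule fires for each.

```python
"""First-match model of the simplified RouterOS filter chains proposed above.

Added example, not code from the forum post or from MikroTik. INPUT_CHAIN is
the chain=input from the reply, in order; FORWARD_CHAIN is an assumed
chain=forward in the same style, including the guest-isolation rule from the
OP's export and the RFC1918-to/from-WAN rule that made the stray
192.168.241.1 host stop answering.
"""
from __future__ import annotations

from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Callable, Optional

RFC1918 = [ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


@dataclass(frozen=True)
class Packet:
    in_iface: str                 # interface the packet arrived on
    out_iface: Optional[str]      # interface chosen by routing; None in chain=input
    src: str
    dst: str
    proto: str                    # "tcp", "udp" or "icmp"
    dst_port: Optional[int] = None
    conn_state: str = "new"       # connection-tracking state: new/established/related/invalid


@dataclass(frozen=True)
class Rule:
    comment: str
    action: str                   # "accept" or "drop"; both terminate the chain
    match: Callable[[Packet], bool]


def is_private(addr: str) -> bool:
    """True for RFC1918 addresses, the ranges that must never cross the WAN."""
    a = ip_address(addr)
    return any(a in net for net in RFC1918)


def run_chain(chain: list[Rule], pkt: Packet) -> tuple[str, str]:
    """Evaluate rules top to bottom; the first match decides. Returns (action, comment)."""
    for rule in chain:
        if rule.match(pkt):
            return rule.action, rule.comment
    return "accept", "no rule matched (RouterOS default is accept)"


# chain=input, rule for rule as listed in the reply.
INPUT_CHAIN = [
    Rule("established,related", "accept", lambda p: p.conn_state in ("established", "related")),
    Rule("invalid", "drop", lambda p: p.conn_state == "invalid"),
    Rule("from BRIDGE", "accept", lambda p: p.in_iface == "BRIDGE"),
    Rule("dns udp, not from WAN", "accept",
         lambda p: p.in_iface != "WIA" and p.proto == "udp" and p.dst_port == 53),
    Rule("dns tcp, not from WAN", "accept",
         lambda p: p.in_iface != "WIA" and p.proto == "tcp" and p.dst_port == 53),
    Rule("icmp", "accept", lambda p: p.proto == "icmp"),
    Rule("drop the rest", "drop", lambda p: True),
]

# chain=forward in the same spirit (assumed, not quoted from the reply).
FORWARD_CHAIN = [
    Rule("established,related", "accept", lambda p: p.conn_state in ("established", "related")),
    Rule("invalid", "drop", lambda p: p.conn_state == "invalid"),
    Rule("VWLAN may only reach WAN", "drop", lambda p: p.in_iface == "VWLAN" and p.out_iface != "WIA"),
    Rule("no private dst out via WAN", "drop", lambda p: p.out_iface == "WIA" and is_private(p.dst)),
    Rule("no private src in from WAN", "drop", lambda p: p.in_iface == "WIA" and is_private(p.src)),
    Rule("no new from WAN", "drop", lambda p: p.in_iface == "WIA"),
    Rule("LAN/guest to WAN", "accept", lambda p: p.in_iface in ("BRIDGE", "VWLAN") and p.out_iface == "WIA"),
    Rule("drop the rest", "drop", lambda p: True),
]


def decide_input(pkt: Packet) -> str:
    return run_chain(INPUT_CHAIN, pkt)[0]


def decide_forward(pkt: Packet) -> str:
    return run_chain(FORWARD_CHAIN, pkt)[0]


# Constructed packets for the situations discussed in the thread (addresses invented).
CASES = {
    "winbox from LAN": (INPUT_CHAIN, Packet("BRIDGE", None, "192.168.242.55", "192.168.242.254", "tcp", 8291)),
    "winbox from internet": (INPUT_CHAIN, Packet("WIA", None, "203.0.113.7", "198.51.100.1", "tcp", 8291)),
    "dns from guest wifi": (INPUT_CHAIN, Packet("VWLAN", None, "192.168.241.20", "192.168.241.254", "udp", 53)),
    "echo request from internet": (INPUT_CHAIN, Packet("WIA", None, "203.0.113.7", "198.51.100.1", "icmp")),
    # the router pinged 192.168.241.1 itself, so the reply is 'established' and passes rule 1
    "reply to the Tik's own ping": (INPUT_CHAIN, Packet("WIA", None, "192.168.241.1", "198.51.100.1", "icmp", conn_state="established")),
    "LAN pc pings 192.168.241.1 via WAN": (FORWARD_CHAIN, Packet("BRIDGE", "WIA", "192.168.242.55", "192.168.241.1", "icmp")),
    "guest reaches LAN host": (FORWARD_CHAIN, Packet("VWLAN", "BRIDGE", "192.168.241.20", "192.168.242.10", "tcp", 445)),
    "guest browses internet": (FORWARD_CHAIN, Packet("VWLAN", "WIA", "192.168.241.20", "1.1.1.1", "tcp", 443)),
    "unsolicited from internet to LAN": (FORWARD_CHAIN, Packet("WIA", "BRIDGE", "203.0.113.7", "192.168.242.55", "tcp", 445)),
}

if __name__ == "__main__":
    for name, (chain, pkt) in CASES.items():
        action, why = run_chain(chain, pkt)
        print(f"{name:36s} {action:6s} <- {why}")
```

Running it prints one line per case with the deciding rule; the two cases worth staring at are the reply to the router's own ping (accepted by "established,related" although its source is private and it arrives on WIA, exactly the behaviour described above) and the LAN PC pinging 192.168.241.1, which the forward chain now drops on the way out rather than letting the ISP's network answer. Dropping the "icmp" rule from INPUT_CHAIN turns the inbound echo request into a drop without touching anything else.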
 
HWTest

Re: Security problem?

Sun May 03, 2020 4:28 pm

Thank you very much for all your help.
You are absolutely right, the FW is overcomplicated; it's a remnant from the time when I experimented and tested a lot and was fascinated by what the RB can do :-)
Maybe it's time to take my good old RB532 and try some simple FW config.
VWLAN is not really free, it's "protected" by WEP (I know, Worst Ever Protection ...) and I use it occasionally for some legacy devices which are not capable of anything better than WEP.
