AquaL1te
Topic Author
Joined: Mon Sep 16, 2019 9:05 am

Feedback on VLAN and firewall filter config please

Fri May 22, 2020 3:33 pm

Hi,


I would like some feedback on a firewall and VLAN configuration in development. I haven't tested it yet, since I don't have all the hardware yet. But I would like to know if there are any improvements, best practices or other feedback on it. First of all, my Mikrotik Hex PoE is configured as a layer 2 device. It's behind my ISP router, which has NAT for IPv4 and a firewall for IPv6. DHCP from my ISP router is used to allocate addresses to clients on the native VLAN. This should be possible because the interface between the Mikrotik and ISP router is included in the bridge and the DHCP server of the Mikrotik is disabled.

VLAN filtering will be enabled for the native, management and replication VLANs. The native VLAN (10) is the default set as PVID for all interfaces. Management and replication will be separated from the native VLAN.
/interface vlan add interface=br0 name=native vlan-id=10
/interface vlan add interface=br0 name=management vlan-id=11
/interface vlan add interface=br0 name=replication vlan-id=12

/ip address add address=172.16.10.1/24 interface=native
/ip address add address=172.16.11.1/24 interface=management
/ip address add address=172.16.12.1/24 interface=replication

# br0 itself must be a tagged member of each VLAN that has an /interface vlan on it,
# otherwise the router's own 172.16.x.1 addresses never see any traffic.
/interface bridge vlan add bridge=br0 tagged=br0 untagged=ether1,ether2,ether3,ether4,ether5 vlan-ids=10
/interface bridge vlan add bridge=br0 tagged=br0,ether2,ether3,ether4 vlan-ids=11
/interface bridge vlan add bridge=br0 tagged=br0,ether2,ether3,ether4 vlan-ids=12

:foreach i in=[ /interface bridge port find where bridge="br0" ] do={ /interface bridge port set pvid=10 $i }
What I want to enforce with my firewall is some extra layer on top of the VLAN filtering. Everything in the native VLAN can be considered public, and should be reachable by the ISP router and potentially opened up via NAT on that router. Since that's all in layer 2, no routing is needed. The management and replication networks have statically assigned IPs and only need to be reachable between the nodes in the research-project interface list and address list. Via a static IP assignment in OpenVPN I'll be able to get a connection into the management VLAN (will be worked on later).

So the questions I have are the following:
  • Is the above VLAN configuration sane? As in, native should be separated from management and replication. While communication between all nodes should still be possible on the native VLAN.
  • I don't see a reason to use bridge filtering, or to enable the "use IP firewall" option, so I'll just leave that area blank. Quick skim through the docs made me believe that this is only needed when e.g. you want to tag traffic on layer 2 for QoS. Or layer 2 filtering, based on MAC. Since I already do VLAN filtering, I don't think it's needed to put extra focus on layer 2.
  • Is the firewall below efficient? In the sense of making filter decisions as fast as possible, to keep the CPU usage low? Of course the rules are not that big, but in terms of design, is this CPU efficient? How to improve?
  • Am I missing anything else? I suppose this would provide sufficient protection from other hosts on the network, even if there was no VLAN filtering.
  • FYI port 53 will be a DNS resolver and DNS authoritative host, security of that will be handled in more detail by the host firewalls / DNS configurations
/ip firewall filter
add action=accept chain=input dst-port=22 protocol=tcp in-interface-list=LAN

add action=accept chain=input comment="accept established, related, untracked" connection-state=established,related,untracked
add action=drop chain=input comment="drop invalid" connection-state=invalid
add action=accept chain=input comment="accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=accept chain=input comment="accept ICMP" protocol=icmp
add action=accept chain=input comment="accept broadcast" dst-address-type=broadcast
add action=accept chain=input comment="accept multicast" dst-address-type=multicast

add action=jump jump-target=native chain=input comment="jump to native rules" in-interface-list=LAN dst-address-list=native_subnet
# management jump matched on the replication lists (copy-paste error); it now uses the management lists
add action=jump jump-target=management chain=input comment="jump to management rules for all research project nodes" in-interface-list=research-project out-interface-list=research-project src-address-list=management_subnet dst-address-list=management_subnet
add action=jump jump-target=replication chain=input comment="jump to replication rules for all research project nodes" in-interface-list=research-project out-interface-list=research-project src-address-list=replication_subnet dst-address-list=replication_subnet

add action=accept chain=native comment="accept mail relay, submission, imaps" connection-state=new dst-port=25,587,993 protocol=tcp
add action=accept chain=native comment="accept dns" connection-state=new dst-port=53 protocol=tcp
add action=accept chain=native comment="accept dns" connection-state=new dst-port=53 protocol=udp
add action=accept chain=native comment="accept http, https" connection-state=new dst-port=80,443 protocol=tcp
add action=accept chain=native comment="accept vpn" connection-state=new dst-port=1194 protocol=tcp
add action=accept chain=native comment="accept vpn" connection-state=new dst-port=1194 protocol=udp

add action=accept chain=management comment="accept ssh" connection-state=new dst-port=22 protocol=tcp
add action=accept chain=management comment="accept snmp, snmp trap" connection-state=new dst-port=161,162 protocol=udp

add action=accept chain=replication comment="accept lmtp" connection-state=new dst-port=24 protocol=tcp
add action=accept chain=replication comment="accept sasl" connection-state=new dst-port=2222 protocol=?
add action=accept chain=replication comment="accept mysql" connection-state=new dst-port=3308 protocol=tcp
add action=accept chain=replication comment="accept drbd" connection-state=new dst-port=7777-7899 protocol=tcp

# "add" was missing, so this final drop would never have been created
add action=drop chain=input comment="drop everything else" log=yes

add action=drop chain=forward comment="drop everything else" log=yes
 
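A complete, ordered version of the bridge VLAN filtering and input-chain layout discussed in the post, as an added example and not the poster's own config. It keeps the post's names (br0, ether1-ether5, VLANs 10/11/12, the LAN and research-project interface lists, the *_subnet address lists) and adds the pieces the post leaves implicit: the bridge as a tagged member of every VLAN that carries a router IP, ingress filtering on the edge ports, the list definitions the filter rules refer to, and vlan-filtering enabled last so a mistake cannot lock you out before the rules exist. The per-VLAN jumps match on the VLAN interface only, because out-interface has no meaning in chain=input. The two print commands at the end are what to look at for the hardware-offload/ACL point raised in the reply; they are an assumption about where to check, not a statement that the hEX PoE offloads this configuration.

```routeros
# Added example, not the poster's configuration. Names follow the post;
# the hardware-offload checks at the end are assumptions to verify on the device.

/interface bridge add name=br0 vlan-filtering=no
/interface bridge port
# ether1 faces the ISP router and ether5 is a plain access port: accept only untagged frames there
add bridge=br0 interface=ether1 pvid=10 frame-types=admit-only-untagged-and-priority-tagged ingress-filtering=yes
add bridge=br0 interface=ether2 pvid=10 ingress-filtering=yes
add bridge=br0 interface=ether3 pvid=10 ingress-filtering=yes
add bridge=br0 interface=ether4 pvid=10 ingress-filtering=yes
add bridge=br0 interface=ether5 pvid=10 frame-types=admit-only-untagged-and-priority-tagged ingress-filtering=yes

# br0 is a tagged member of every VLAN that has an /interface vlan (and therefore an IP) on it
/interface bridge vlan
add bridge=br0 tagged=br0 untagged=ether1,ether2,ether3,ether4,ether5 vlan-ids=10
add bridge=br0 tagged=br0,ether2,ether3,ether4 vlan-ids=11
add bridge=br0 tagged=br0,ether2,ether3,ether4 vlan-ids=12

/interface vlan
add interface=br0 name=native vlan-id=10
add interface=br0 name=management vlan-id=11
add interface=br0 name=replication vlan-id=12

/ip address
add address=172.16.10.1/24 interface=native
add address=172.16.11.1/24 interface=management
add address=172.16.12.1/24 interface=replication

# Lists the filter rules refer to (the post uses them but does not define them)
/interface list add name=LAN
/interface list add name=research-project
/interface list member
add list=LAN interface=native
add list=LAN interface=management
add list=LAN interface=replication
add list=research-project interface=management
add list=research-project interface=replication
/ip firewall address-list
add list=native_subnet address=172.16.10.0/24
add list=management_subnet address=172.16.11.0/24
add list=replication_subnet address=172.16.12.0/24

# Input chain: cheap stateful matches first, then one jump per VLAN, then a logged drop.
/ip firewall filter
add chain=input action=accept connection-state=established,related,untracked comment="fast path for existing flows"
add chain=input action=drop connection-state=invalid comment="drop invalid"
add chain=input action=accept protocol=icmp comment="accept ICMP"
add chain=input action=jump jump-target=native in-interface=native comment="native VLAN services"
add chain=input action=jump jump-target=management in-interface=management src-address-list=management_subnet comment="management VLAN, statically addressed nodes only"
add chain=input action=jump jump-target=replication in-interface=replication src-address-list=replication_subnet comment="replication VLAN, statically addressed nodes only"
add chain=native action=accept protocol=tcp dst-port=25,587,993 connection-state=new comment="mail relay, submission, imaps"
add chain=native action=accept protocol=tcp dst-port=53 connection-state=new comment="dns"
add chain=native action=accept protocol=udp dst-port=53 connection-state=new comment="dns"
add chain=native action=accept protocol=tcp dst-port=80,443 connection-state=new comment="http, https"
add chain=native action=accept protocol=tcp dst-port=1194 connection-state=new comment="vpn"
add chain=native action=accept protocol=udp dst-port=1194 connection-state=new comment="vpn"
add chain=management action=accept protocol=tcp dst-port=22 connection-state=new comment="ssh"
add chain=management action=accept protocol=udp dst-port=161,162 connection-state=new comment="snmp, snmp trap"
add chain=replication action=accept protocol=tcp dst-port=24 connection-state=new comment="lmtp"
add chain=replication action=accept protocol=tcp dst-port=3308 connection-state=new comment="mysql"
add chain=replication action=accept protocol=tcp dst-port=7777-7899 connection-state=new comment="drbd"
# A jump chain with no match returns to chain=input, so the final drop still applies
add chain=input action=drop log=yes log-prefix="input-drop" comment="drop everything else"
add chain=forward action=drop log=yes log-prefix="forward-drop" comment="nothing is routed through this box"

# Enable VLAN filtering only after the table above exists, from a session that survives
# losing the bridge's untagged IP (serial/MAC-winbox, or a port you keep on PVID 10).
/interface bridge set br0 vlan-filtering=yes

# Hardware-offload check for the point raised in the reply (assumed place to look):
# ports with hw=yes are switched by the switch chip, and /ip firewall filter never sees
# frames bridged between them; any stateless port-level policy for those lives in the switch ACL.
/interface bridge port print where hw=yes
/interface ethernet switch rule print
```

The order matters: the stateful accept handles the bulk of packets with one match, the jumps are keyed on the VLAN interface rather than an interface list plus address list, and `log=yes` on the terminal drops is what tells you during testing which chain a packet fell out of.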
mutluit
Long time Member
Joined: Wed Mar 25, 2020 4:04 am

Re: Feedback on VLAN and firewall filter config please

Sun May 24, 2020 6:43 pm

@AquaL1te, your firewall setup looks ok.
Don't know if that applies to your device, but beware: on some devices "Hardware Offloading" is activated.
In such cases you should also check the ACL (stateless HW FW).
