JJT211
Frequent Visitor
Topic Author
Posts: 55
Joined: Sun Apr 28, 2019 9:01 pm

help.mikrotik.com's advanced firewall

Tue Nov 17, 2020 5:17 pm

I run a WISP and started out with MikroTik about a year ago. I'm light years from where I was then and my current firewall is crap. My primary motivation though is that I'm pushing to move our sites to dual-stack IPv6.

There are loads of different firewall examples, but the one I like the most and that seems to work well at home (with some caveats; there are of course a few typos) is the official firewall example at Building your First Firewall (advanced).

I'm reading line by line to make sure I FULLY understand everything that's going on before I deploy to production, and I have a few questions. And maybe we might motivate whoever maintains the help.mikrotik.com page to make some corrections as well. It's of course entirely possible it's just me ;)

I like that the example uses the RAW table and it keeps the main filter rules neat and lean. I understand that there's no true DDoS protection, but I'd still like to implement some basic mitigation and be lenient enough to prevent any false positives. Our first order of business in the ISP world is passing packets, of course.

My questions are primarily regarding the RAW section in the optional ICMP chains. Let's start with the IPv4 section.

In the RAW section, there's a disclaimer:

And another chain for ICMP. Note that if you want a very strict firewall then such strict ICMP filtering can be used, but in most cases, it is not necessary and simply adds more load on the router's CPU. ICMP rate limit in most cases is also unnecessary since the Linux kernel is already limiting ICMP packets to 100pps.

And here's the associated IPv4 rules with rate limits in question:

add action=accept chain=icmp4 comment="defconf: echo" icmp-options=8:0 limit=5,10:packet protocol=icmp
add action=accept chain=icmp4 comment="defconf: echo reply" icmp-options=0:0 limit=5,10:packet protocol=icmp


The 5pps rate limits are a major problem in my testing and seem way too restrictive. I've noticed I have ping drops and it appears to affect DNS as well. I first thought about raising the rate limit a bit to 25pps or even 98pps. Is there any advantage to doing that, or should I just drop the rate limit altogether? If I drop it, is the Linux kernel rate limit at 100pps enough?


And then in the DDoS Protection section, there appear to be some typos.

/ip firewall address-list
add list=ddos-attackers
add list=ddos-target
/ip firewall filter
add action=return chain=detect-ddos dst-limit=32,32,src-and-dst-addresses/10s
add action=add-dst-to-address-list address-list=ddos-target address-list-timeout=10m chain=detect-ddos
add action=add-src-to-address-list address-list=ddos-attackers address-list-timeout=10m chain=detect-ddos
/ip firewall raw
add action=drop chain=prerouting dst-address-list=ddos-target src-address-list=ddos-attackers

Looks like it's missing a jump rule, as is evident in the explanation right below it. I'm not 100% sure, but the first rule is "return"; return from what??

My question here also is: where would be the best placement of these DDoS rules in the entire firewall rule set? And where would the best placement for the SYN-ACK flood rule be? Right after the first set of jump and return rules above??

Like this?? (I omitted the fasttrack rule because I'm using queues)

/ip firewall filter
add action=accept chain=input comment="defconf: accept ICMP after RAW" protocol=icmp
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=input comment="defconf: drop all not coming from LAN" in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept established,related, untracked" connection-state=established,related,untracked
[b]add chain=forward connection-state=new action=jump jump-target=detect-ddos
add action=return chain=detect-ddos dst-limit=32,32,src-and-dst-addresses/10s
add action=return chain=detect-ddos dst-limit=32,32,src-and-dst-addresses/10s protocol=tcp tcp-flags=syn,ack
add action=add-dst-to-address-list address-list=ddos-target address-list-timeout=10m chain=detect-ddos
add action=add-src-to-address-list address-list=ddos-attackers address-list-timeout=10m chain=detect-ddos[/b]
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
add action=drop chain=forward comment="defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat connection-state=new in-interface-list=WAN
add action=drop chain=forward src-address-list=no_forward_ipv4 comment="defconf: drop bad forward IPs"
add action=drop chain=forward dst-address-list=no_forward_ipv4 comment="defconf: drop bad forward IPs"

And then in the IPv6 section, I'm having issues with the ICMP chain in the RAW rules. IPv6 doesn't work at all unless I disable the bolded "in-interface-list=LAN" part of these rules, like so. I also omitted the limit portion on IPv6, as from what I understand DDoS is rare on IPv6 due to the sheer size of the address space. Am I missing something? Is this a big deal or am I nitpicking?

/ipv6 firewall raw
add action=accept chain=icmp6 comment="defconf: rfc4890 drop ll if hop-limit!=255" dst-address=fe80::/10 hop-limit=not-equal:255 protocol=icmpv6
add action=accept chain=icmp6 comment="defconf: dst unreachable" icmp-options=1:0-255 protocol=icmpv6
add action=accept chain=icmp6 comment="defconf: packet too big" icmp-options=2:0-255 protocol=icmpv6
add action=accept chain=icmp6 comment="defconf: limit exceeded" icmp-options=3:0-1 protocol=icmpv6
add action=accept chain=icmp6 comment="defconf: bad header" icmp-options=4:0-2 protocol=icmpv6
add action=accept chain=icmp6 comment="defconf: Mobile home agent address discovery" icmp-options=144:0-255 protocol=icmpv6
add action=accept chain=icmp6 comment="defconf: Mobile home agent address discovery" icmp-options=145:0-255 protocol=icmpv6
add action=accept chain=icmp6 comment="defconf: Mobile prefix solic" icmp-options=146:0-255 protocol=icmpv6
add action=accept chain=icmp6 comment="defconf: Mobile prefix advert" icmp-options=147:0-255 protocol=icmpv6
add action=accept chain=icmp6 comment="defconf: echo request limit 5,10" icmp-options=128:0-255 limit=5,10:packet protocol=icmpv6
add action=accept chain=icmp6 comment="defconf: echo reply limit 5,10" icmp-options=129:0-255 limit=5,10:packet protocol=icmpv6
add action=accept chain=icmp6 comment="defconf: rfc4890 router solic limit 5,10 only LAN" hop-limit=equal:255 icmp-options=133:0-255 [b]in-interface-list=LAN[/b]  protocol=icmpv6
add action=accept chain=icmp6 comment="defconf: rfc4890 router advert limit 5,10 only LAN" hop-limit=equal:255 icmp-options=134:0-255 [b]in-interface-list=LAN[/b] protocol=icmpv6
add action=accept chain=icmp6 comment="defconf: rfc4890 neighbor solic limit 5,10 only LAN" hop-limit=equal:255 icmp-options=135:0-255 [b]in-interface-list=LAN[/b] protocol=icmpv6
add action=accept chain=icmp6 comment="defconf: rfc4890 neighbor advert limit 5,10 only LAN" hop-limit=equal:255 icmp-options=136:0-255 [b]in-interface-list=LAN[/b] protocol=icmpv6
add action=accept chain=icmp6 comment="defconf: rfc4890 inverse ND solic limit 5,10 only LAN" hop-limit=equal:255 icmp-options=141:0-255 [b]in-interface-list=LAN[/b]  protocol=icmpv6
add action=accept chain=icmp6 comment="defconf: rfc4890 inverse ND advert limit 5,10 only LAN" hop-limit=equal:255 icmp-options=142:0-255 [b]in-interface-list=LAN[/b]  protocol=icmpv6
add action=drop chain=icmp6 comment="defconf: drop other icmp" protocol=icmpv6
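To make the behaviour of the `limit=5,10:packet` echo rule and of the detect-ddos chain from the post concrete, here is an added Python simulation; it is not code from the post or from RouterOS, and the continuous token-bucket refill is an assumption approximating the netfilter-style matcher. It shows a host pinging at 10 pps losing more than a quarter of its probes once the 5,10 burst is spent, while a per-src/dst-pair bucket at 32,32 passes a 10 pps flow untouched and lists a 200 pps flood within its first second.

```python
# Constructed model of the RouterOS token-bucket matchers (limit / dst-limit),
# not RouterOS code: a bucket holds `burst` tokens, refills at `rate` tokens per
# second, and a packet matches the rule only while a token is available.
from collections import defaultdict

class TokenBucket:
    def __init__(self, rate, burst):
        self.rate, self.burst = rate, burst
        self.tokens = float(burst)  # bucket starts full
        self.last_ms = 0

    def take(self, now_ms):
        """Consume one token if available; True means 'within the limit'."""
        elapsed = now_ms - self.last_ms
        self.tokens = min(self.burst, self.tokens + self.rate * elapsed / 1000.0)
        self.last_ms = now_ms
        if self.tokens >= 1:
            self.tokens -= 1
            return True
        return False

def icmp_echo_limit(timestamps_ms, rate=5, burst=10):
    """`limit=5,10:packet` on the echo rule: returns (accepted, dropped)."""
    bucket = TokenBucket(rate, burst)
    accepted = sum(bucket.take(t) for t in timestamps_ms)
    return accepted, len(timestamps_ms) - accepted

def detect_ddos(packets, rate=32, burst=32):
    """detect-ddos chain with dst-limit=32,32,src-and-dst-addresses/10s.
    Each (src, dst) pair has its own bucket; while it is within the limit the
    chain returns, otherwise both addresses go to the ddos-target/ddos-attackers
    lists and the raw rule drops that pair from then on. Simplification: bucket
    expiry (/10s) and the 10m address-list timeout are not modelled."""
    buckets = defaultdict(lambda: TokenBucket(rate, burst))
    attackers, targets, dropped_in_raw = set(), set(), 0
    for t, src, dst in sorted(packets):
        if src in attackers and dst in targets:
            dropped_in_raw += 1  # /ip firewall raw drop, before conntrack
            continue
        if not buckets[(src, dst)].take(t):  # over the limit: no 'return'
            targets.add(dst)
            attackers.add(src)
    return attackers, targets, dropped_in_raw

if __name__ == "__main__":
    # Constructed traffic: 10 pps pings for 4 s; then a 10 pps flow plus a
    # one-second 200 pps flood toward the same destination (documentation IPs).
    print(icmp_echo_limit([100 * i for i in range(40)]))  # (29, 11)
    legit = [(100 * i, "203.0.113.10", "198.51.100.5") for i in range(30)]
    flood = [(5 * i, "203.0.113.66", "198.51.100.5") for i in range(200)]
    print(detect_ddos(legit + flood))  # ({'203.0.113.66'}, {'198.51.100.5'}, 162)
```

As the post notes, the detect-ddos chain only ever runs if a jump rule sends new connections into it; the simulation assumes that jump is present.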
 
DarkNate
Forum Veteran
Posts: 999
Joined: Fri Jun 26, 2020 4:37 pm

Re: help.mikrotik.com's advanced firewall

Thu Jul 22, 2021 6:48 pm

ICMP rate limited to 100pps is sufficient, really; I'd avoid filtering ICMP manually and just stick to what the MikroTik firewall guide has suggested.
 
mozerd
Forum Veteran
Posts: 871
Joined: Thu Oct 05, 2017 3:39 pm
Location: Canada

Re: help.mikrotik.com's advanced firewall

Thu Jul 22, 2021 7:32 pm

"just stick to what the MikroTik firewall guide has suggested."
I 100% agree with @DarkNate, without one shadow of doubt.
 
anav
Forum Guru
Posts: 18958
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: help.mikrotik.com's advanced firewall

Thu Jul 22, 2021 7:50 pm

Some thoughts from left field (not much experience, but I've read a lot).

I would go back to the standard default firewall rules as a baseline and change a few minor things,
basically moving from an "accept all and reject what I think is bad" approach to a "block all and allow only the things I need" approach.

Then add additional items if problems arise.
The one item that seems to make sense is the common firewall address list of private IPs (other than the ones used on your LANs) that are typically listed, and one
can ensure that on the forward chain they are blocked outbound just prior to allowing LAN to WAN internet traffic.

Another issue could be email bots or abuse.
I'll leave it to others to solve that one; suffice to say you probably host a mail server and turn off SMTP 25?
One solution I've read is to create a firewall address list for users' legitimate mail servers for an allow rule on the forward chain.

As far as raw goes, it can have unintended consequences, blocking more than you thought it would. I avoid it because I don't have the depth of knowledge to know what destruction I may be causing LOL.

Before getting too fancy, also check out this excellent security helper program that is very cost effective...
https://itexpertoncall.com/promotional/moab.html#prime
It may be very helpful in running your WISP, saving time and grief!!!
