Hi All,
I got a problem. I was swapping out an old traditional firewall with a Mikrotik CCR1072. We have probably about 45 firewall rules. This box is a short-timer, of about a 18 months and then all of the servers behind it are basically getting shutdown, virtualized somewhere else, etc. So we simply did not want to spend a crazy amount on a firewall like a fortinet for something with such a short-term life, however we had to do something as the last one died. anyways ...
On the CCR1072, I have setup a bunch of vlans where I have about 3-4 server vlans, a management vlan, and a vlan that goes out to the "Corp" network. Essentialy this beast should be doing some simple firewalling to segment the business users from this more restricted set of subnets.
The problem I am having is firewall conversion rules. From experience, normally I would use input rules, but the Mikrotik does not allow you to do a firewall rule based on outgoing interface on an input rule. So here is the problem. Let's say I have these vlans
Vlan 5 - ServerNet A
Vlan 6 - ServerNet A
Vlan 10 - MGMT
vlan 15 - MGMT 2
Vlan 20 - TocorpRouter
We have traditionally done firewalls rules where we are highly specific. so we make a rule like this
Rule #1
comment = IT MGMT (corp) to MGMT 1/2
Source Interface: Vlan20
DEstination Interface List: (Vlan 10 + Vlan 15)
Source Address = 10.22.1.0/24
Protocol = TCP
DEstination Port = 22
Rule #2
comment = Vmware Servers to Corp Active Directory
Source interface: vlan 5
Destination interface: Vlan 20
Source Address List: VmwareServers
Destination Address List: ActiveDirectory
That is not a rule I can use on an input because I cannot have an output interface. The only chain that seems to accept it is forwarding, but that is not getting traffic.
Is there a way to support this without having to rewrite all of our rules completely? Maybe a Mangle rule?
Re: Firewall Rules
Input is for traffic to router itself (for services running on router), see e.g. https://wiki.mikrotik.com/wiki/Manual:P ... ng_Diagram. Forward is what you need for routing between interfaces. If there's no traffic in forward, there must be some mistake somewhere else.
Excessive quoting is useless and annoying. If you use it, please consider if you could do without it.
Re: Firewall Rules
So looking further, my problem seems to be with VRRP. So each of my vlans have a VRRP. What i am seeing is dispite the fact that i have put the VRRP5 and VLAN5 (as an example) in the same interface list. They are not being matched on a firewall rule.
Sample:
Imterface list:
INTLIST-VLAN5 VLAN 5
INTLIST-VLAN5 VRRP 5
Firewall
Rule #1
chain forward
Incoming interface list: INTLIST-VLAN5
action accept
Rule #2
chain forward
action accept
log
##
What i will see Rule #2 generating log entries always sourced from vrrp5. So even though i added the vrrp interface as part of the interface list. AS a result when i do a default drop rule, 90% of my traffic goes with it.
Make sense?
Sample:
Imterface list:
INTLIST-VLAN5 VLAN 5
INTLIST-VLAN5 VRRP 5
Firewall
Rule #1
chain forward
Incoming interface list: INTLIST-VLAN5
action accept
Rule #2
chain forward
action accept
log
##
What i will see Rule #2 generating log entries always sourced from vrrp5. So even though i added the vrrp interface as part of the interface list. AS a result when i do a default drop rule, 90% of my traffic goes with it.
Make sense?
Re: Firewall Rules
According to description it should work. But it depends on what you actually did. ;)
Doing:
and then posting content of myconfig.rsc in code tags should reveal more.
Doing:
Code: Select all
/export hide-sensitive file=myconfigExcessive quoting is useless and annoying. If you use it, please consider if you could do without it.
Re: Firewall Rules
Code: Select all
/interface bridge
add comment="Bridge SG Vlans" name=bridge1
/interface ethernet
set [ find default-name=sfp-sfpplus1 ] comment="Link to PS HP Core"
set [ find default-name=sfp-sfpplus2 ] comment=\
"SG-PS Mikrotik SW Port 1"
set [ find default-name=sfp-sfpplus3 ] comment=\
"SG-PS Mikrotik SW Port 2" mac-address=48:8F:5A:D5:1E:6B
set [ find default-name=sfp-sfpplus4 ] comment=\
"Link to LS St Mikrotik Router Port \?"
set [ find default-name=sfp-sfpplus5 ] comment=\
"Link to LS St Mikrotik Router Port \?" mac-address=48:8F:5A:D5:1E:6D
set [ find default-name=sfp-sfpplus6 ] advertise=\
10M-half,10M-full,100M-half,100M-full,1000M-half,1000M-full,10000M-full \
comment="Link to Airport" speed=100Mbps
/interface vlan
add comment="Server MGMT" interface=bridge1 name=vlan112 vlan-id=112
add comment="AMI Servers" interface=bridge1 name=vlan113 vlan-id=113
add comment="TIBCO Prod" interface=bridge1 name=vlan114 vlan-id=114
add comment="TIBCO Test" interface=bridge1 name=vlan115 vlan-id=115
add comment="SG Oracle Servers" interface=bridge1 name=vlan116 vlan-id=116
add comment="SG Cell Routers" interface=bridge1 name=vlan300 vlan-id=300
add comment="Network MGMT" interface=bridge1 name=vlan400 vlan-id=400
add comment="Route between Mikrotiks" interface=bridge1 name=vlan500 vlan-id=\
500
add comment="PS Core" interface=sfp-sfpplus1 name=vlan700 vlan-id=700
/interface bonding
add comment="LAG for Mikrtoik SW @ Pine" mode=802.3ad name=bonding1 slaves=\
sfp-sfpplus2,sfp-sfpplus3 transmit-hash-policy=layer-2-and-3
add comment="LAG for Mikrotik Router Pine to LS St" mode=802.3ad name=\
bonding2 slaves=sfp-sfpplus4,sfp-sfpplus5
/interface vrrp
add interface=vlan300 name=VRRP30
add interface=vlan112 name=VRRP112 vrid=112
add interface=vlan113 name=VRRP113 vrid=113
add interface=vlan114 name=VRRP114 vrid=114
add interface=vlan115 name=VRRP115 vrid=115
add interface=vlan116 name=VRRP116 vrid=116
add interface=vlan400 name=VRRP400 vrid=40
/interface list
add name=NMGMT
add name=SMGMT
add name=CORP
add name=TIBCO
add name=SERVR
add name=CRTRS
add name=ROUTE
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/routing ospf area
add area-id=0.0.0.20 name=area-sg
/interface bridge port
add bridge=bridge1 interface=bonding1
add bridge=bridge1 interface=bonding2
/interface list member
add interface=vlan400 list=NMGMT
add interface=vlan112 list=SMGMT
add interface=vlan114 list=TIBCO
add interface=vlan115 list=TIBCO
add interface=vlan113 list=SERVR
add interface=vlan114 list=SERVR
add interface=vlan115 list=SERVR
add interface=vlan116 list=SERVR
add interface=vlan700 list=CORP
add interface=vlan700 list=ROUTE
add interface=vlan300 list=CRTRS
/ip address
add address=10.7xx.1.1/30 interface=vlan700 network=10.7xx.1.0
add address=10.xx2.1.2/24 interface=vlan112 network=10.xx2.1.0
add address=10.xx3.1.2/24 interface=vlan113 network=10.xx3.1.0
add address=10.xx4.1.2/24 interface=vlan114 network=10.xx4.1.0
add address=10.xx5.1.2/24 interface=vlan115 network=10.xx5.1.0
add address=10.xx6.1.2/24 interface=vlan116 network=10.xx6.1.0
add address=10.3xx.1.2/24 interface=vlan300 network=10.3xx.1.0
add address=10.4xx.1.2/24 interface=vlan400 network=10.4xx.1.0
add address=10.3xx.1.1 interface=VRRP30 network=10.3xx.1.1
add address=10.4xx.1.1 interface=VRRP400 network=10.4xx.1.1
add address=10.xx2.1.1 interface=VRRP112 network=10.xx2.1.1
add address=10.xx3.1.1 interface=VRRP113 network=10.xx3.1.1
add address=10.xx4.1.1 interface=VRRP114 network=10.xx4.1.1
add address=10.xx5.1.1 interface=VRRP115 network=10.xx5.1.1
add address=10.xx6.1.1 interface=VRRP116 network=10.xx6.1.1
add address=10.1.1.1/24 interface=vlan500 network=10.1.1.0
/ip dns
set servers=10.1.4.7,10.1.2.7
/ip firewall address-list
add address=10.x.x.7 list=NTP_SERVERS
add address=10.x.x.7 list=NTP_SERVERS
add address=10.x.x.12 list=NTP_SERVERS
add address=10.x.x.13 list=NTP_SERVERS
add address=10.xx6.1.26 list=ODA
add address=10.xx6.1.27 list=ODA
add address=10.xx6.1.36 list=ODA
add address=10.xx6.1.37 list=ODA
add address=10.x.x.0/24 list=ENDUSER-VLAN24
add address=10.x.x.7 list=ACTIVEDIRECTORY
add address=10.x.xx.7 list=ACTIVEDIRECTORY
add address=10.xx3.1.12 list=AMI_OWCE
add address=10.xx3.1.112 list=AMI_OWCE
add address=10.x.0.0/24 list=CORP_ENDPOINTS
add address=10.x.1.0/24 list=CORP_ENDPOINTS
add address=10.x.2.0/24 list=CORP_ENDPOINTS
add address=10.x.3.0/24 list=CORP_ENDPOINTS
add address=10.xx3.1.36 list=MDM_JMS
add address=10.xx3.1.136 list=MDM_JMS
add address=10.x1.x2.136 list=DMS
add address=10.x1.x2.135 list=DMS
add address=10.xx3.1.0/24 list=SG_SERVERS
add address=10.xx2.1.0/24 list=SG_SERVERS
add address=10.xx3.1.251 list=CERTICOM
add address=10.xx3.1.253 list=CERTICOM
add address=10.xx3.1.34 list=MDM_JAVA
add address=10.xx3.1.134 list=MDM_JAVA
add address=10.1.2.45 list=ISMGMT_SERVERS
add address=10.1.2.43 list=ISMGMT_SERVERS
add address=10.x.xx5.0/24 list=ISMGMT
add address=10.254.xx.0/24 list=ISMGMT
add address=10.254.xx4.0/24 list=ISMGMT
add address=10.xx2.1.101 list=SGVM
add address=10.xx2.1.102 list=SGVM
add address=10.1.xx.102 list=BACKUP_SERVERS
add address=10.1.xx4.102 list=BACKUP_SERVERS
/ip firewall filter
add action=accept chain=comment comment="#### GLOBAL #####"
add action=accept chain=forward comment=IS_MGMT_SERVERS in-interface-list=\
CORP src-address-list=ISMGMT_SERVERS
add action=accept chain=forward comment="IS_MGMT\r\
\n" in-interface-list=CORP out-interface-list=NMGMT src-address-list=\
ISMGMT
add action=accept chain=forward comment="allow ping\r\
\n" protocol=icmp
add action=accept chain=forward comment="Allow SNMP\r\
\n" dst-port=161 in-interface-list=CORP protocol=udp src-address=\
10.1.2.77
add action=accept chain=forward comment="ROUTEtoCORP\r\
\n" in-interface-list=ROUTE out-interface-list=CORP
add action=accept chain=forward comment="SERVRtoNMGMT\r\
\n" in-interface-list=SERVR out-interface-list=NMGMT
add action=accept chain=forward comment="NMGMTtoSERVR\r\
\n" in-interface-list=NMGMT out-interface-list=SERVR
add action=accept chain=forward comment="Allow NTP\r\
\n" dst-address-list=NTP_SERVERS dst-port=123 out-interface-list=CORP \
protocol=udp
add action=accept chain=forward comment="MAIL RELAY\r\
\n" dst-address=10.1.2.58 dst-port=25 out-interface-list=CORP protocol=\
tcp
add action=accept chain=forward comment="ALLOW TO AD\r\
\n" dst-address-list=ACTIVEDIRECTORY out-interface-list=CORP
add action=accept chain=comment comment="#### VPN ####"
add action=accept chain=forward comment="VPN_TO_MDM_JAVA\r\
\n" dst-address-list=MDM_JAVA dst-port=443 in-interface-list=CORP \
out-interface-list=SERVR protocol=tcp src-address=10.xx.0.0/16
add action=accept chain=forward comment="VPNIStoAMINET-SERVR\r\
\n" dst-port=22,1521,3389 in-interface-list=CORP out-interface-list=SERVR \
protocol=tcp src-address=10.xx4.4.0/24
add action=accept chain=forward comment=VPNIStoAMINET-CRTRS dst-port=\
22,1521,3389 in-interface-list=CORP out-interface-list=CRTRS protocol=tcp \
src-address=10.254.4.0/24
add action=accept chain=forward comment="ALLOW VPN OWCE\r\
\n" dst-address-list=AMI_OWCE dst-port=443 in-interface-list=CORP \
out-interface-list=SERVR protocol=tcp src-address=10.254.0.0/16
add action=accept chain=comment comment="#### CORP ####"
add action=accept chain=forward comment="CORPtoROUTE\r\
\n" in-interface-list=CORP out-interface-list=ROUTE
add action=accept chain=forward comment="MSSQL_TOODA\r\
\n" dst-address-list=ODA dst-port=1521 in-interface-list=CORP \
out-interface-list=SERVR protocol=tcp src-address=10.1.2.20
add action=accept chain=forward comment="PSQLTEST_TOODA\r\
\n" dst-address-list=ODA dst-port=1521 in-interface-list=CORP \
out-interface-list=SERVR protocol=tcp src-address=10.xxx.x.44
add action=accept chain=forward comment="SHINY TO ODA\r\
\n" dst-address-list=ODA dst-port=1521 in-interface-list=CORP \
out-interface-list=SERVR protocol=tcp src-address=10.1.2.127
add action=accept chain=forward comment="ALLOW OWCE\r\
\n" dst-address-list=AMI_OWCE dst-port=443 in-interface-list=CORP \
out-interface-list=SERVR protocol=tcp src-address-list=CORP_ENDPOINTS
add action=accept chain=forward comment="DMS_TO_JMS\r\
\n" dst-address-list=MDM_JMS in-interface-list=CORP out-interface-list=\
SERVR src-address-list=DMS
add action=accept chain=forward comment="EEWEB_TO_EEAPP\r\
\n" dst-address=10.xx3.1.52 dst-port=80,443,8080,8443 in-interface-list=\
CORP out-interface-list=SERVR protocol=tcp src-address=10.106.1.40
add action=accept chain=forward comment="ADUDPtoSG-SERVR\r\
\n" dst-address-list=SG_SERVERS in-interface-list=CORP \
out-interface-list=SERVR src-address-list=ACTIVEDIRECTORY
add action=accept chain=forward comment="ADUDPtoSG-NMGMT\r\
\n" dst-address-list=SG_SERVERS in-interface-list=CORP \
out-interface-list=NMGMT src-address-list=ACTIVEDIRECTORY
add action=accept chain=forward comment="CORPVLAN34toCERTICOM\r\
\n" dst-address-list=CERTICOM dst-port=22 in-interface-list=CORP \
out-interface-list=SERVR protocol=tcp src-address-list=ENDUSER-VLAN24
add action=accept chain=forward comment="VLAN34_TO_ODA_SQL\r\
\n" dst-address-list=ODA dst-port=80,443,8080,8443 in-interface-list=CORP \
out-interface-list=SERVR protocol=tcp src-address-list=ENDUSER-VLAN34
add action=accept chain=forward comment="VLAN34_TO_MDM_JAVA_WEB\r\
\n" dst-address-list=MDM_JAVA dst-port=80,443,8080,8443 \
in-interface-list=CORP out-interface-list=SERVR protocol=tcp \
src-address-list=ENDUSER-VLAN24
add action=accept chain=forward comment="APPASSUREtoSERVR\r\
\n" dst-address=10.xx3.1.0/24 in-interface-list=CORP out-interface-list=\
SERVR protocol=tcp src-address-list=BACKUP_SERVERS
add action=accept chain=comment comment="#### SERVR ####"
add action=accept chain=forward comment="JMS_TO_DMS\r\
\n" dst-address-list=DMS in-interface-list=SERVR out-interface-list=CORP \
src-address-list=MDM_JMS
add action=accept chain=forward comment="MDMJAVAPRODtoTBCOP\r\
\n" in-interface-list=SERVR out-interface-list=TIBCO protocol=tcp \
src-address=10.xx3.1.35
add action=accept chain=forward comment="MDMJAVATESTtoTBCOT\r\
\n" in-interface-list=SERVR out-interface-list=TIBCO protocol=tcp \
src-address=10.xx3.1.135
add action=accept chain=forward comment="OWCEtoCRTRS\r\
\n" in-interface-list=SERVR out-interface-list=CRTRS src-address-list=\
AMI_OWCE
add action=accept chain=forward comment="SGREPO_TO_CORP_REPO\r\
\n" dst-address=10.xx.x.25 dst-port=80 in-interface-list=SERVR \
out-interface-list=CORP protocol=tcp src-address=10.xx3.1.25
add action=accept chain=forward comment="ALLOW_TO_WSUSSG\r\
\n" dst-address=10.106.1.59 in-interface-list=SERVR protocol=tcp \
src-address=10.xx3.1.0/24
add action=accept chain=forward comment="VMWareHosttoSMGMT\r\
\n" dst-address-list=SGVM in-interface-list=SERVR out-interface-list=\
SMGMT protocol=tcp
add action=accept chain=forward comment="SERVRtoAPPASSURE\r\
\n" dst-address-list=BACKUP_SERVERS in-interface-list=SERVR \
out-interface-list=CORP protocol=tcp src-address=10.xx3.1.0/24
add action=accept chain=comment comment="#### TIBCO ###"
add action=accept chain=forward comment="TBCOPtoMDMJAVAPROD\r\
\n" dst-address=10.xx3.1.35 in-interface-list=TIBCO out-interface-list=\
SERVR protocol=tcp
add action=accept chain=forward comment="TBCOTtoMDMJAVATEST\r\
\n" dst-address=10.xx3.1.135 in-interface-list=TIBCO out-interface-list=\
SERVR protocol=tcp
add action=accept chain=comment comment="#### CRTS ####"
add action=accept chain=forward comment="CRTRStoOWCE\r\
\n" dst-address-list=AMI_OWCE in-interface-list=CRTRS out-interface-list=\
SERVR protocol=tcp
add action=accept chain=comment comment="#### SMGMT ####"
add action=accept chain=forward comment="SMGMTtoVMWareHost\r\
\n" in-interface-list=SMGMT out-interface-list=SERVR src-address-list=\
SGVM
/lcd interface pages
set 0 interfaces="sfp-sfpplus1,sfp-sfpplus2,sfp-sfpplus3,sfp-sfpplus4,sfp-sfpp\
lus5,sfp-sfpplus6,sfp-sfpplus7,sfp-sfpplus8"
/routing ospf interface
add interface=vlan700 network-type=broadcast
add network-type=broadcast passive=yes
/routing ospf network
add area=backbone network=10.7xx.1.0/30
add area=area-sg network=10.3xx.1.0/24
add area=area-sg network=10.4xx.1.0/24
add area=area-sg network=10.xx2.1.0/24
add area=area-sg network=10.xx3.1.0/24
add area=area-sg network=10.xx4.1.0/24
add area=area-sg network=10.xx5.1.0/24
add area=area-sg network=10.xx6.1.0/24
/system identity
set name=PineSG-MikrotikRouter
Re: Firewall Rules
That's quite a lot of stuff for quick understanding. One possible problem I see is that you don't use stateful firewall. Basic version of that would be:
Your current rules allow traffic in one way, but they don't always allow responses. They may be allowed by some other rules, but it's difficult to keep track of that if they are not symmetric. It's hard to say what will happen when you add unconditional drop at the end, what will work and what will not.
Code: Select all
/ip firewall filter
add chain=forward connection-state=established,related,untracked action=accept
add chain=forward connection-state=invalid action=drop
<your rules that allow stuff>
add chain=forward action=dropExcessive quoting is useless and annoying. If you use it, please consider if you could do without it.