nevolex
Member Candidate
Topic Author
Posts: 167
Joined: Mon Apr 20, 2020 1:09 pm

Block "guest" management IPS from guest network

Sat May 22, 2021 1:36 am

Hi guys,

Please advise what I am doing wrong.

Main router RB4011 has the IPs 10.10.0.1 (VLAN 10, main network) and 10.20.0.1 (VLAN 20, guest network) --> firewall rules work fine for this router (using the input chain): guest IP addresses (10.20.0.x) cannot access it on 10.10.0.1 or on 10.20.0.1.

However, the MikroTik Audience and MikroTik RBM33G IPs 10.20.0.2 and 10.20.0.3 can still be opened from the guest network. I know I could probably block them with individual firewall rules on each of them, but I prefer to keep the firewall on one router only, the RB4011.

This rule has no hits, why?

add action=drop chain=forward comment="drop all requests from guest network to management ports of these routers" dst-address-list=\
Audience&RBM33G_MGT_VLAN20 dst-port=22,88,8291 protocol=tcp src-address=10.20.0.0/24

Thanks a lot for your help.

/ip firewall address-list
add address=10.20.0.0/24 comment="For QOS" list=guest_simple_queue
add address=10.10.0.1 comment="MikroTik RB4011 Management IPs for firewall input chain for VLAN 10 and 20" list=RB4011_MGT_VLAN10&20
add address=10.20.0.1 comment="MikroTik RB4011 Management IPs for firewall input chain for VLAN 10 and 20" list=RB4011_MGT_VLAN10&20
add address=10.20.0.2/31 comment="MikroTik Audience&RBM33G Management IPs for firewall forward chain for VLAN 20" list=\
    Audience&RBM33G_MGT_VLAN20
/ip firewall filter
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=accept chain=input comment="accept connection to IKEv2 ports" dst-port=500,4500 in-interface-list=WAN protocol=udp
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment="management over VPN" dst-port=22,80,88,8291 ipsec-policy=in,ipsec protocol=tcp
add action=accept chain=input comment="DNS over VPN" dst-port=53 ipsec-policy=in,ipsec protocol=udp
add action=drop chain=input comment="drop all requests from guest network to management ports of this router" dst-address-list=\
    RB4011_MGT_VLAN10&20 dst-port=22,88,8291 protocol=tcp src-address=10.20.0.0/24
add action=drop chain=input comment="defconf: drop all not coming from LAN" in-interface-list=!LAN
add action=accept chain=forward comment="allow emby to respond back to guest network" dst-address=10.20.0.0/24 protocol=tcp \
    src-address=10.10.0.5 src-port=8096
add action=accept chain=forward comment="allow access emby from guest network" dst-address=10.10.0.5 dst-port=8096 protocol=tcp \
    src-address=10.20.0.0/24
add action=accept chain=forward comment="defconf: accept in ipsec policy" in-interface-list=WAN ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" ipsec-policy=out,ipsec
add action=accept chain=forward comment="simple queues rule  for guest network" connection-state=established,related \
    dst-address-list=guest_simple_queue
add action=fasttrack-connection chain=forward comment="fasttrack with guest network exclusion" connection-state=established,related \
    src-address=!10.20.0.0/24
add action=accept chain=forward comment="defconf: accept established,related, untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="drop all else coming from main to guest " dst-address=10.20.0.0/24 src-address=10.10.0.0/24
add action=drop chain=forward comment="drop all else coming from guest to main" dst-address=10.10.0.0/24 src-address=10.20.0.0/24
add action=drop chain=forward comment="drop all requests from guest network to management ports of these routers" dst-address-list=\
    Audience&RBM33G_MGT_VLAN20 dst-port=22,88,8291 protocol=tcp src-address=10.20.0.0/24
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
add action=drop chain=forward comment="defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat connection-state=new \
    in-interface-list=WAN
/ip firewall nat
add action=masquerade chain=srcnat comment=Primary_ISP out-interface=Orcon_ISP
add action=masquerade chain=srcnat comment=Secondary_ISP out-interface=2Degrees_ISP

 
anav
Forum Guru
Posts: 19322
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Block "guest" management IPS from guest network

Sat May 22, 2021 3:00 am

Very confusing to read your firewall rules.
Consider simplifying.

Use "drop all else" at the end of the input chain and the forward chain, and then you only need to add in the traffic you want to allow. Much more efficient.
LAN to WAN is pretty much all you need.
 
nevolex
Member Candidate
Topic Author
Posts: 167
Joined: Mon Apr 20, 2020 1:09 pm

Re: Block "guest" management IPS from guest network

Sat May 22, 2021 7:12 am

Very confusing to read your firewall rules.
Consider simplifying.

Use "drop all else" at the end of the input chain and the forward chain, and then you only need to add in the traffic you want to allow. Much more efficient.
LAN to WAN is pretty much all you need.
Yes, I will consider simplifying; however, in my current setup, what might have gone wrong, do you guys think?

Thank you.
 
jvanhambelgium
Forum Veteran
Posts: 989
Joined: Thu Jul 14, 2016 9:29 pm
Location: Belgium

Re: Block "guest" management IPS from guest network

Sat May 22, 2021 8:43 am

Can you try not to use /31 in your definition of the management IPs?
Try with 2 lines, each adding 1 IP into that ACL.

Then, apart from the ACL, did you configure in IP > Services that ports 22, 88, 8291 are available but also limited to a certain range? Or is it fully accessible on that level and are you trying to filter it out on another level?

As a test you can always move the rule all the way to the top and see if that does anything, and of course have logging enabled.
(I have logging enabled for any drop rule.)
 
nevolex
Member Candidate
Topic Author
Posts: 167
Joined: Mon Apr 20, 2020 1:09 pm

Re: Block "guest" management IPS from guest network

Sat May 22, 2021 12:01 pm

Can you try not to use /31 in your definition of the management IPs?
Try with 2 lines, each adding 1 IP into that ACL.

Then, apart from the ACL, did you configure in IP > Services that ports 22, 88, 8291 are available but also limited to a certain range? Or is it fully accessible on that level and are you trying to filter it out on another level?

As a test you can always move the rule all the way to the top and see if that does anything, and of course have logging enabled.
(I have logging enabled for any drop rule.)
Thank you for your advice, jvanhambelgium.

Tried to change it to just 1 IP, 10.20.0.2 - same issue.
Tried to move it all the way to the top, before input - same issue.
I am not using any range limiting for management access, I did not even know that feature existed)) and it won't help for the main router as it's already blocked nicely; the issue is with the remaining 2 routers that have no firewall rules.
Logs are also clear - there are literally no logs.
The rule shows 0 hits.
 
jvanhambelgium
Forum Veteran
Posts: 989
Joined: Thu Jul 14, 2016 9:29 pm
Location: Belgium

Re: Block "guest" management IPS from guest network  [SOLVED]

Sat May 22, 2021 12:15 pm

The problem is we are missing a schematic overview of the different elements.
But, you are talking about 2 IPs, 10.20.0.2 and 10.20.0.3, which are IN the range of the guest IPs themselves?
Sooo... when a guest user (also having 10.20.0.x) connects to these IPs, does it even pass through the device on which you have listed the rules?!
Are these rules coming from the RB4011?

I would guess you have to block on these devices?
How are they placed into the path/dataflows?

Audience = wireless AP?
RBM33G = RouterBoard
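The same-subnet point made above, worked through as an added example (it is not from this thread and not RouterOS code): a small Python model of which RB4011 IP-firewall chain a flow can reach, assuming the guest VLAN is bridged/switched between the devices and the bridge firewall's use-ip-firewall is off, plus a model of the per-device IP > Services address restriction that ended up solving it. Router and address-list values are the thread's; the guest client 10.20.0.50 and the allowed management subnet are constructed.

```python
import ipaddress

# Constructed model of the thread's topology (not a live config dump).
# L3 addresses configured on the RB4011 according to the first post.
RB4011_ADDRS = ["10.10.0.1/24", "10.20.0.1/24"]

# The thread's address-list entry: 10.20.0.2/31 covers exactly .2 and .3,
# so the /31 itself was not the reason the rule never matched.
MGT_LIST = [ipaddress.ip_network("10.20.0.2/31")]


def chain_for_flow(router_addrs, src, dst):
    """Return which RB4011 IP-firewall chain a src->dst packet reaches.

    'input'   : dst is one of the router's own addresses
    'forward' : src and dst sit in different subnets the router routes between
    None      : src and dst share a subnet, so the flow is switched at L2
                and never enters the router's IP firewall at all
    """
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    ifaces = [ipaddress.ip_interface(a) for a in router_addrs]
    if any(dst == i.ip for i in ifaces):
        return "input"
    src_net = next((i.network for i in ifaces if src in i.network), None)
    dst_net = next((i.network for i in ifaces if dst in i.network), None)
    if src_net is not None and src_net == dst_net:
        return None
    return "forward"


def forward_drop_rule_hits(src, dst, dport):
    """Model of the thread's forward-chain drop rule (tcp 22,88,8291 from guest)."""
    if chain_for_flow(RB4011_ADDRS, src, dst) != "forward":
        return False  # rule is never evaluated for this flow
    return (ipaddress.ip_address(src) in ipaddress.ip_network("10.20.0.0/24")
            and any(ipaddress.ip_address(dst) in n for n in MGT_LIST)
            and dport in (22, 88, 8291))


def service_allows(allowed_nets, src):
    """Model of '/ip service set <svc> address=<nets>' on the target device
    itself; an empty restriction means the service answers anyone."""
    if not allowed_nets:
        return True
    return any(ipaddress.ip_address(src) in ipaddress.ip_network(n) for n in allowed_nets)


if __name__ == "__main__":
    # guest client -> Audience winbox port: the RB4011 never sees it
    print(chain_for_flow(RB4011_ADDRS, "10.20.0.50", "10.20.0.2"))   # None
    print(forward_drop_rule_hits("10.20.0.50", "10.20.0.2", 8291))    # False
    # the fix from the thread: restrict the service on each device
    print(service_allows(["10.10.0.0/24"], "10.20.0.50"))             # False
```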
 
nevolex
Member Candidate
Topic Author
Posts: 167
Joined: Mon Apr 20, 2020 1:09 pm

Re: Block "guest" management IPS from guest network

Sat May 22, 2021 12:22 pm

The problem is we are missing a schematic overview of the different elements.
But, you are talking about 2 IPs, 10.20.0.2 and 10.20.0.3, which are IN the range of the guest IPs themselves?
Sooo... when a guest user (also having 10.20.0.x) connects to these IPs, does it even pass through the device on which you have listed the rules?!
Are these rules coming from the RB4011?

I would guess you have to block on these devices?
How are they placed into the path/dataflows?

Audience = wireless AP?
RBM33G = RouterBoard

I applied subnet filtering to management on all the routers and it did the trick.
Thank you for your help.
