nevolex
Member Candidate
Topic Author
Posts: 167
Joined: Mon Apr 20, 2020 1:09 pm

blocking 10.10.0.1 from 10.20.0.1

Sat Jun 19, 2021 6:50 am

Hi guys, I would like to ask your opinion on this:

I have 2 networks: 10.10.0.0/24 (main) and 10.20.0.0/24 (guest).

I am using firewall filters to block 10.10.0.0/24 from 10.20.0.0/24 and vice versa:

add action=drop chain=forward comment="drop all else coming from main to guest" dst-address-list=guest_network src-address-list=\
    main_network
add action=drop chain=forward comment="drop all else coming from guest to main" dst-address-list=main_network src-address-list=\
    guest_network


The hosts cannot access each other across the different networks, which is what I want; however, the guest network can still ping 10.10.0.1, and from the main network I can ping 10.20.0.1. I assume this is because my drop rules above are forward rules, and I guess I need a set of rules in the INPUT chain as well.

Has anyone noticed that as well?

PS

I know I can use the routing rules to isolate the networks completely, but I need the media server on 10.10.0.5 to be accessible from the guest network 10.20.0.0/24.

/ip firewall address-list
add address=10.10.0.0/24 list=main_network
add address=10.20.0.0/24 list=guest_network
/ip firewall filter
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=input comment="accept connection to IKEv2 ports" dst-port=500,4500 in-interface-list=WAN protocol=udp
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment="management over VPN" dst-port=22,80,88,8291 ipsec-policy=in,ipsec protocol=tcp
add action=accept chain=input comment="DNS over VPN" dst-port=53 ipsec-policy=in,ipsec protocol=udp
add action=drop chain=input comment="defconf: drop all not coming from LAN" in-interface-list=!LAN
add action=accept chain=forward comment="allow emby to respond back to guest network" dst-address=10.20.0.0/24 protocol=tcp \
    src-address=10.10.0.5 src-port=8096
add action=accept chain=forward comment="allow access to emby from guest network" dst-address=10.10.0.5 dst-port=8096 protocol=tcp \
    src-address=10.20.0.0/24
add action=accept chain=forward comment="defconf: accept in ipsec policy" in-interface-list=WAN ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" ipsec-policy=out,ipsec
add action=accept chain=forward comment="simple queues rule for guest network" connection-state=established,related \
    dst-address-list=guest_network
add action=fasttrack-connection chain=forward comment="fasttrack with guest network exclusion" connection-state=established,related \
    src-address=!10.20.0.0/24
add action=accept chain=forward comment="defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="drop all else coming from main to guest" dst-address-list=guest_network src-address-list=\
    main_network
add action=drop chain=forward comment="drop all else coming from guest to main" dst-address-list=main_network src-address-list=\
    guest_network
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
add action=drop chain=forward comment="defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat connection-state=new \
    in-interface-list=WAN
/ip firewall nat
add action=masquerade chain=srcnat comment=Primary_ISP out-interface=_ISP1
add action=masquerade chain=srcnat comment=Secondary_ISP out-interface=_ISP2
 
mkx
Forum Guru
Posts: 11439
Joined: Thu Mar 03, 2016 10:23 pm

Re: blocking 10.10.0.1 from 10.20.0.1  [SOLVED]

Sat Jun 19, 2021 1:32 pm

ROS treats every own address (i.e. addresses configured as the router's own, regardless of the interface or subnet) pretty much the same way ... and they're all treated in chain=input (unless the connection is DST-NATed). If you want to block connections to "the wrong router's address" (e.g. ping from 10.20.0.x to 10.10.0.1), you'll have to add drop rules in the input chain:

add chain=input action=drop src-address=10.20.0.0/24 dst-address=10.10.0.1

or something like that.
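The chain selection mkx describes, as an added example that is not part of the thread and not RouterOS code: a small Python model that sends any packet addressed to one of the router's own addresses through chain=input (everything else through forward) and walks the rules top to bottom. The rule texts, address lists and hosts are constructed from the thread's setup; connection state defaults to "new" and interface-list matchers are not modelled.

```python
import ipaddress
import shlex

# Constructed model: the router owns both gateway addresses, so packets to either hit chain=input.
ROUTER_ADDRS = {"10.10.0.1", "10.20.0.1"}
ADDRESS_LISTS = {"main_network": ["10.10.0.0/24"], "guest_network": ["10.20.0.0/24"]}

BASE = """
add action=accept chain=input connection-state=established,related,untracked
add action=accept chain=input protocol=icmp
add action=accept chain=forward dst-address=10.10.0.5 dst-port=8096 protocol=tcp src-address-list=guest_network
add action=drop chain=forward dst-address-list=guest_network src-address-list=main_network
add action=drop chain=forward dst-address-list=main_network src-address-list=guest_network
"""
# The input-chain drops mkx suggested; they go right after the established/related accept.
INPUT_DROPS = """
add action=drop chain=input dst-address=10.10.0.1 src-address-list=guest_network
add action=drop chain=input dst-address=10.20.0.1 src-address-list=main_network
"""

def parse_rules(text):
    # each 'add k=v k=v ...' line becomes one dict of matchers plus action/chain
    return [dict(p.split("=", 1) for p in shlex.split(l)[1:]) for l in text.strip().splitlines()]

def in_list(addr, name):
    return any(ipaddress.ip_address(addr) in ipaddress.ip_network(n) for n in ADDRESS_LISTS[name])

def matches(rule, pkt):
    """RouterOS ANDs all matchers on a rule; a matcher this model lacks raises KeyError."""
    checks = {
        "src-address": lambda w: pkt["src"] == w,
        "dst-address": lambda w: pkt["dst"] == w,
        "src-address-list": lambda w: in_list(pkt["src"], w),
        "dst-address-list": lambda w: in_list(pkt["dst"], w),
        "protocol": lambda w: pkt["proto"] == w,
        "dst-port": lambda w: str(pkt.get("dport")) in w.split(","),
        "connection-state": lambda w: pkt.get("state", "new") in w.split(","),
    }
    return all(checks[k](v) for k, v in rule.items() if k not in ("action", "chain"))

def evaluate(rules, pkt):
    """Select the chain as RouterOS does, then return the first matching rule's action."""
    chain = "input" if pkt["dst"] in ROUTER_ADDRS else "forward"
    for rule in rules:
        if rule["chain"] == chain and matches(rule, pkt):
            return chain, rule["action"]
    return chain, "accept"  # an empty or exhausted chain accepts by default

ORIGINAL = parse_rules(BASE)
HARDENED = ORIGINAL[:1] + parse_rules(INPUT_DROPS) + ORIGINAL[1:]
```

With ORIGINAL, a guest host pinging 10.10.0.1 never reaches the forward-chain drops and is accepted by the ICMP rule; with HARDENED the same packet is dropped in input, while guest access to the media server on 10.10.0.5:8096 still passes forward.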
 
anav
Forum Guru
Posts: 19105
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada
Contact:

Re: blocking 10.10.0.1 from 10.20.0.1

Sat Jun 19, 2021 5:06 pm

Let's be clear, mkx:
a. you are stating that even though subnets are blocked at the forward chain, a device can always access another subnet's gateway, aka ping it?
b. this seems to be consistent in that, and please confirm, one can use any subnet gateway for DNS, aka vlan20 can use the vlan30 gateway IP for the DNS server settings in ip dhcp-network etc.
c. MOST IMPORTANTLY of all, there is no security risk here of devices/users on vlan20 or vlan30 seeing each other - in other words the forward chain blocking is sufficient????

If true then what is the real advantage or use of making the additional input chain rule????
 
mkx
Forum Guru
Posts: 11439
Joined: Thu Mar 03, 2016 10:23 pm

Re: blocking 10.10.0.1 from 10.20.0.1

Sat Jun 19, 2021 10:24 pm

a. seems this way
b. my limited experience says yes
c. as I wrote: ROS basically treats all packets (connections) targeting any of its IP interfaces the same way. The only difference that might show is due to different firewall rules (both raw and filter). This is pretty clear even from the default firewall settings: it uses in-interface-list as the selection criterion for certain (allow) rules. Indeed, the default setup only knows LAN and WAN, but the same principle applies to other interface lists and to individual interfaces (both in- and out-).

The real advantage of the input chain rule I showed is to comfort an anxious administrator ... just like the OP, who's worried that his inter-LAN block rules are somehow leaky because he's able to ping the router's IP address from the "forbidden" subnet.
 
anav
Forum Guru
Posts: 19105
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada
Contact:

Re: blocking 10.10.0.1 from 10.20.0.1

Sat Jun 19, 2021 10:44 pm

Okay, that was put politely, LOL, so there is no security risk without the input chain rule, and the only reason to shut it down with an input chain rule is paranoia, LOL.
 
nevolex
Member Candidate
Topic Author
Posts: 167
Joined: Mon Apr 20, 2020 1:09 pm

Re: blocking 10.10.0.1 from 10.20.0.1

Sun Jun 20, 2021 2:20 am

Okay, that was put politely, LOL, so there is no security risk without the input chain rule, and the only reason to shut it down with an input chain rule is paranoia, LOL.


Thanks guys, but this is not just for comforting, lol; there is some risk associated with it as well. It's not just the pings it leaks: you can also access the router via WinBox, SSH, etc., whichever services you have enabled, from the other subnet (guest, as an example), so it's good to filter the management interfaces of the router to the permitted IPs/subnets only.

Having filters in the input chain will drop requests to the router from the unwanted networks, eliminating the need to use allowed IPs/subnets in the IP services list.
 
mkx
Forum Guru
Posts: 11439
Joined: Thu Mar 03, 2016 10:23 pm

Re: blocking 10.10.0.1 from 10.20.0.1

Sun Jun 20, 2021 9:42 am

Indeed, one has to filter access to the router from certain subnets. But as I wrote, the filter has to cover all the router's interfaces, not only the "native" one ... and in this case the "ultimate drop all rule" approach comes in handy. This means that the input chain contains a few rules allowing access to a few select services (e.g. DNS server) and drops everything else.
I still don't see a point in allowing access to 10.20.0.1 and not 10.10.0.1 from the guest network though.
 
nevolex
Member Candidate
Topic Author
Posts: 167
Joined: Mon Apr 20, 2020 1:09 pm

Re: blocking 10.10.0.1 from 10.20.0.1

Sun Jun 20, 2021 11:52 am

Indeed, one has to filter access to the router from certain subnets. But as I wrote, the filter has to cover all the router's interfaces, not only the "native" one ... and in this case the "ultimate drop all rule" approach comes in handy. This means that the input chain contains a few rules allowing access to a few select services (e.g. DNS server) and drops everything else.
I still don't see a point in allowing access to 10.20.0.1 and not 10.10.0.1 from the guest network though.

Thank you mkx, the fewer the rules the better, I agree with you. I am not that familiar with firewalls; do you have anything in mind for how I can reduce the number of entries in the input chain? Thank you anyway.

/ip firewall address-list
add address=10.10.0.0/24 list=main_network
add address=10.20.0.0/24 list=guest_network
/ip firewall filter
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=input comment="Allow guest network to resolve local hosts via webproxy port 80" dst-address=10.10.0.1 \
    dst-port=80 protocol=tcp src-address-list=guest_network
add action=drop chain=input comment="Block guest network from accessing main gateway address" dst-address=10.10.0.1 \
    src-address-list=guest_network
add action=drop chain=input comment="Block main network from accessing guest gateway address" dst-address=10.20.0.1 \
    src-address-list=main_network
add action=accept chain=input comment="accept connection to IKEv2 ports" dst-port=500,4500 in-interface-list=WAN protocol=udp
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment="management over VPN" dst-port=22,80,88,8291 ipsec-policy=in,ipsec protocol=tcp
add action=accept chain=input comment="DNS over VPN" dst-port=53 ipsec-policy=in,ipsec protocol=udp
add action=drop chain=input comment="defconf: drop all not coming from LAN" in-interface-list=!LAN
add action=accept chain=forward comment="allow access to emby from guest network" dst-address=10.10.0.5 dst-port=8096 protocol=tcp \
    src-address-list=guest_network
add action=accept chain=forward comment="allow emby to respond back to guest network" dst-address-list=guest_network protocol=tcp \
    src-address=10.10.0.5 src-port=8096
add action=accept chain=forward comment="defconf: accept in ipsec policy" in-interface-list=WAN ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" ipsec-policy=out,ipsec
add action=accept chain=forward comment="simple queues rule for guest network" connection-state=established,related \
    dst-address-list=guest_network
add action=fasttrack-connection chain=forward comment="fasttrack with guest network exclusion" connection-state=established,related \
    src-address=!10.20.0.0/24
add action=accept chain=forward comment="defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="drop all else coming from main to guest" dst-address-list=guest_network src-address-list=\
    main_network
add action=drop chain=forward comment="drop all else coming from guest to main" dst-address-list=main_network src-address-list=\
    guest_network
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
add action=drop chain=forward comment="defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat connection-state=new \
    in-interface-list=WAN
/ip firewall nat
add action=masquerade chain=srcnat comment=Primary_ISP out-interface=isp_1
add action=masquerade chain=srcnat comment=Secondary_ISP out-interface=isp_2
 
mkx
Forum Guru
Posts: 11439
Joined: Thu Mar 03, 2016 10:23 pm

Re: blocking 10.10.0.1 from 10.20.0.1

Sun Jun 20, 2021 12:39 pm

I don't think you can reduce the number of firewall rules in the input chain.
 
anav
Forum Guru
Posts: 19105
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada
Contact:

Re: blocking 10.10.0.1 from 10.20.0.1

Sun Jun 20, 2021 4:48 pm

Access to WinBox and the router is not predicated upon just input chain rules:
a. input chain rules
b. user settings
c. MAC server (WinBox MAC server) interface settings
d. WinBox service settings.

As for your firewall rules.........
I would change them to this....

/ip firewall filter
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=input comment="accept ICMP" protocol=icmp
add action=accept chain=input comment="admin access from management interfaces (optionally also add src-address-list=admin_access)" \
    in-interface-list=management
add action=accept chain=input comment="accept connection to IKEv2 ports" dst-port=500,4500 in-interface-list=WAN protocol=udp
add action=accept chain=input comment="allow DNS 53 UDP" dst-port=53 in-interface-list=LAN protocol=udp
add action=accept chain=input comment="allow DNS 53 TCP" dst-port=53 in-interface-list=LAN protocol=tcp
add action=drop chain=input comment="drop all else"
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

add action=accept chain=forward comment="defconf: accept in ipsec policy" in-interface-list=WAN ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
    connection-state=established,related
add action=accept chain=forward comment="defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=forward comment="lan to wan traffic" in-interface-list=LAN out-interface-list=WAN
add action=accept chain=forward comment="allow access to emby from guest network" dst-address=10.10.0.5 dst-port=8096 protocol=tcp \
    src-address-list=guest_network
add action=accept chain=forward comment="allow port forwarding" connection-nat-state=dstnat connection-state=new \
    in-interface-list=WAN
add action=drop chain=forward comment="drop all else"

Discussion:
I left these out because I have not seen them in any other VPN configurations and they look unsafe to me!
add action=accept chain=input comment="management over VPN" dst-port=22,80,88,8291 ipsec-policy=in,ipsec protocol=tcp
add action=accept chain=input comment="DNS over VPN" dst-port=53 ipsec-policy=in,ipsec protocol=udp
(As an aside: there is no need to put the WinBox port on the input chain, and I hope you are not actually using the default WinBox port value...........)

For access to the router, limit it to your home subnet like so (interface names are placeholders for your own):
/interface list
add name=management
/interface list member
add interface=guestlan list=LAN
add interface=homelan list=LAN
add interface=homelan list=management
add interface=VPN list=management

Ensure that in Tools ---> MAC Server, the WinBox MAC server interface setting is set to management.

If you want to narrow down the list of those on the homelan that can access the router, then use a firewall address list (replace the placeholders with your own addresses):
/ip firewall address-list
add address=<IP of admin desktop> list=admin_access
add address=<IP of admin laptop> list=admin_access
add address=<IP of admin smartphone> list=admin_access
add address=<IP of VPN incoming connection> list=admin_access

I recommend starting with the above and getting it working.
Then see if changes are required..........
