josey
just joined
Topic Author
Posts: 13
Joined: Tue Jun 26, 2012 9:42 am

help to setup firewall

Wed Jun 30, 2021 12:49 pm

I think I'm missing something in the firewall and I can't get this.

RB433GL,
WLAN 10.70.180.1/24
LAN1 10.20.0.180/24 (default GW 0.0.0.0/0 -- 10.20.0.254/24)

Second router
LAN2 10.20.0.0/24 (10.20.0.254/24)
LAN3 XXXXX
LAN4 10.30.0.0/24
LAN5 XXXXXX

The firewall FIRST rule is set to
chain forward
dst. address 10.30.0.0/254
action drop

and I still can access web servers / web pages on network 10.30.0.0/24,
HTTP or HTTPS.

What is the catch?
This first rule should drop all traffic to 10.30.0.0/24, or am I missing something here?
Last edited by josey on Wed Jun 30, 2021 3:01 pm, edited 1 time in total.
 
mikeeg02
Member Candidate
Posts: 162
Joined: Fri Mar 30, 2018 2:28 am
Location: Pennsylvania

Re: firewall

Wed Jun 30, 2021 2:36 pm

> The firewall FIRST rule is set to
> chain forward
> dst. address 10.30.0.0/254
> action drop
>
> and I still can access web servers / web pages on network 10.30.0.0/24,
> HTTP or HTTPS.

Is your destination address in your rule /24, or is it /254 as your post says?
 
rextended
Forum Guru
Posts: 11982
Joined: Tue Feb 25, 2014 12:49 pm
Location: Italy

Re: firewall

Wed Jun 30, 2021 2:40 pm

Just from the title "firewall",
"firewall" what?

What a mess...

How to write posts:
http://forum.mikrotik.com/viewtopic.php?f=3&t=45259
 
josey
just joined
Topic Author
Posts: 13
Joined: Tue Jun 26, 2012 9:42 am

Re: help to setup firewall

Wed Jun 30, 2021 3:02 pm

Sorry,
10.30.0.0/24

OK, topic edited to "help to setup firewall".
 
anav
Forum Guru
Posts: 19103
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: help to setup firewall

Wed Jun 30, 2021 5:12 pm

Hi Josey, the more coherent the explanation provided, the quicker and more accurate our assistance can be.

So please provide:
a. a network diagram (your explanation is confusing); the more labelling the better.
b. a copy of your current config: /export hide-sensitive file=anynameyouwish
c. any requirements that are special, aka what you want users/devices to be able to do, or NOT to do, without any reference to the config or solutions.
 
josey
just joined
Topic Author
Posts: 13
Joined: Tue Jun 26, 2012 9:42 am

Re: help to setup firewall

Thu Jul 01, 2021 8:15 am

a)
pfsense as internet router with
WAN
LAN2 10.20.0.0/24 interface ip 10.20.0.254
LAN3 10.30.0.0/24 interface ip 10.30.0.254
LAN4 10.40.0.0/24 interface ip 10.40.0.254
LAN5 xx.xx.xx.xx not important
LAN6 xx.xx.xx.xx not important

MIKROTIK RB433GL
WLAN 10.70.0.0/24 interface ip 10.70.0.1
LAN 10.30.0.0/24 interface ip 10.30.0.180
GW on mikrotik is 10.30.0.254

Routes, DNS etc. are set up correctly, the internet works and I can access all networks behind PFS.

b)
[admin@MikroTik] > ip firewall export
# jul/1/2021 06:50:01 by RouterOS 6.48.3
# software id = M11L-RRJ2
#
# model = 433GL
# serial number = 448104C4AE1F
/ip firewall filter
add action=drop chain=forward dst-address=10.20.0.0/24
add action=reject chain=forward port=!53,80,443,3128 protocol=tcp reject-with=\
icmp-network-unreachable
add action=reject chain=forward port=!53 protocol=udp reject-with=\
icmp-network-unreachable
/ip firewall nat
add action=masquerade chain=srcnat disabled=yes src-address=10.70.0.0/24
[admin@MikroTik] >

c)
What I want is that users behind the MikroTik WLAN can access the internet but cannot access network 10.20.0.0/24 (first FW rule).

The second rule is to reject all ports except 53, 80, 443 and 3128, because the proxy is running on PFS and the MikroTik is providing the necessary data over WPAD.
 
mikeeg02
Member Candidate
Posts: 162
Joined: Fri Mar 30, 2018 2:28 am
Location: Pennsylvania

Re: help to setup firewall

Thu Jul 01, 2021 2:36 pm

> MIKROTIK RB433GL
> WLAN 10.70.0.0/24 interface ip 10.70.0.1
> LAN 10.30.0.0/24 interface ip 10.30.0.180
> GW on mikrotik is 10.30.0.254

I know you have the WLAN's IP listed as an interface, but is WLAN a bridge port? If it is, in the bridge settings you would need to enable ip-firewall.

The rest of the configuration export would be helpful.
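Added example, not part of any post in this thread: a forward-chain policy for the setup josey described, written in RouterOS 6 CLI syntax like the export above. It assumes the wireless clients are on 10.70.0.0/24 and the uplink is the 10.30.0.0/24 LAN; the interface names (wlan1, ether1, bridge1) are assumptions, not taken from the thread. The rules match on src-address and dst-port instead of `port=`, because in RouterOS `port=` matches either the source or the destination port, so a rule such as `port=!53,80,443,3128` also passes any packet that happens to carry one of those numbers as its source port. The drop rule is placed first and logged, so `/log print` and `/ip firewall filter print stats` show whether it is actually being hit. The bridge setting mikeeg02 mentions is included for the case where WLAN and LAN frames are bridged at layer 2; routed traffic reaches the forward chain without it.

```routeros
# Added example, not from any post in the thread. Assumed interface names:
#   wlan1   = wireless clients, 10.70.0.0/24, router address 10.70.0.1
#   ether1  = uplink to the pfSense LAN3 network, 10.30.0.0/24, router address 10.30.0.180
#   bridge1 = only relevant if wlan1 and ether1 are ports of one bridge
# RouterOS 6.48 syntax, as in the export above.

# Only needed when WLAN<->LAN frames are bridged at layer 2 (wlan1 and ether1
# in the same bridge). Routed traffic already passes the forward chain.
/interface bridge settings
set use-ip-firewall=yes

/ip firewall filter
# Requirement (c): wireless clients must not reach 10.20.0.0/24.
# Placed before the established/related accept so that even connections
# already open when the rule was added are cut. Logged so
#   /log print where topics~"firewall"
# shows every hit.
add chain=forward action=drop src-address=10.70.0.0/24 \
    dst-address=10.20.0.0/24 log=yes log-prefix="wlan->lan2" \
    comment="block WLAN to LAN2"

# Stateful baseline: let replies through, drop what conntrack cannot classify.
add chain=forward action=accept connection-state=established,related \
    comment="allow return traffic"
add chain=forward action=drop connection-state=invalid \
    comment="drop invalid"

# Allow only DNS, HTTP, HTTPS and the pfSense proxy (3128) from the WLAN.
# dst-port is used instead of port=, which matches source OR destination port.
add chain=forward action=accept in-interface=wlan1 protocol=udp dst-port=53 \
    comment="WLAN: DNS"
add chain=forward action=accept in-interface=wlan1 protocol=tcp \
    dst-port=53,80,443,3128 comment="WLAN: DNS, web, proxy"

# Everything else from the WLAN is rejected, as in the original rules.
add chain=forward action=reject in-interface=wlan1 \
    reject-with=icmp-network-unreachable comment="WLAN: reject the rest"

# Verify: the packet/byte counters on the drop rule must increase when a
# WLAN client tries to open a connection to a host in 10.20.0.0/24.
/ip firewall filter print stats where comment="block WLAN to LAN2"
```

If the counters on the drop rule stay at zero while the WLAN client still reaches 10.20.0.0/24, the traffic is not passing through the forward chain on this router at all (bridged at layer 2, or taking another path), which is the first thing to settle before adding more rules.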
 
mozerd
Forum Veteran
Posts: 872
Joined: Thu Oct 05, 2017 3:39 pm
Location: Canada

Re: help to setup firewall

Thu Jul 01, 2021 3:23 pm

> I think I'm missing something in the firewall and I can't get this.

MikroTik has done a fabulous job updating its online documentation. ....
I recommend that you check out the following links for superb direction on RouterOS firewall construction and explanations.

Securing your router
Building Your First Firewall
Building Advanced Firewall

Congratulations to the MikroTik Team for this excellent work in progress.
 
anav
Forum Guru
Posts: 19103
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: help to setup firewall

Thu Jul 01, 2021 6:14 pm

Disagree,
Some of the rules in the intro are not practical or normal from my limited experience.
Setting the MAC Winbox server interface list to NONE????
Turning IP DNS allow remote requests to NO???

On the building a firewall page, the extra noise and garbage of ICMP jumping!!! Yuck.
In the advanced page, playing with raw rules......... not recommended except for the very knowledgeable user......
 
rextended
Forum Guru
Posts: 11982
Joined: Tue Feb 25, 2014 12:49 pm
Location: Italy

Re: help to setup firewall

Thu Jul 01, 2021 6:56 pm

Who wrote this guide???

> Router interface
> Ethernet/SFP interfaces
>
> It is good practice to disable all unused interfaces on your router, in order to decrease unauthorized access to your router:
> /interface print
> /interface set X disabled=yes
>
> Where X numbers of unused interfaces.

I do not know where they live; are core devices installed on public roads, where everyone can plug his own device into free ports...

Or a home user must disable router ports if they use only WiFi....

Oh, I just have an SFP module to plug into this free port....
Last edited by rextended on Thu Jul 01, 2021 7:03 pm, edited 1 time in total.
 
rextended
Forum Guru
Posts: 11982
Joined: Tue Feb 25, 2014 12:49 pm
Location: Italy

Re: help to setup firewall

Thu Jul 01, 2021 7:01 pm

Again, we use the bandwidth server EVERY DAY in a PRODUCTION environment...
"Production environment" is like IT PRO, not for the home user...

> Bandwidth server
>
> A bandwidth server is used to test throughput between two MikroTik routers. Disable it in the production environment:
> /tool bandwidth-server set enabled=no
 
josey
just joined
Topic Author
Posts: 13
Joined: Tue Jun 26, 2012 9:42 am

Re: help to setup firewall

Fri Jul 02, 2021 7:25 am

> Disagree,
> Some of the rules in the intro are not practical or normal from my limited experience.
> Setting the MAC Winbox server interface list to NONE????
> Turning IP DNS allow remote requests to NO???
>
> On the building a firewall page, the extra noise and garbage of ICMP jumping!!! Yuck.
> In the advanced page, playing with raw rules......... not recommended except for the very knowledgeable user......

OK, so I got questions a), b), c),
which I answered and explained,
but it seems that one simple FW rule is not that simple, isn't it?

Any other question?

No, the device is not on a public road, it's in a locked office.
OK, I know that it is good practice to disable unused interfaces, but if your device is on a public road, why can't I just unplug the LAN cable on an active LAN interface? :)

I'm off topic now.

Can I get this FW to work, because it seems that the suggested help documentation does not help.

thank you
