davidreaton
Frequent Visitor
Topic Author
Posts: 88
Joined: Thu Oct 02, 2014 12:21 am

Firewall drop all !LAN is not the same as drop all WAN

Mon Jul 12, 2021 8:21 pm

I found this out the hard way. I've set up several Mikrotik Routers over the years starting with the RouterOS default config and then modifying and adding what I needed. I then set VPN access using L2TP-IPSec, following one of the many helpful guides posted here, placing the VPN access rules high up in the firewall list. I've always successfully accessed these routers remotely, and modified them using Winbox, and accessed other devices on the LAN.

Recently, I started with an RB3011 and ROS 47.9. I set the network up locally and set up L2TP-IPSec access as I've described above. I found I could log onto the router using my VPN tunnel, but I could not access the router via Winbox, and could not access any other devices on the LAN. After much checking of the forums for folks with this same problem, I found the issue. The older routers I set up had a default firewall rule to "Drop all traffic not coming from the WAN". The latest default configuration has a default rule "Drop all traffic that's !LAN == NOT LAN". These are, apparently, not the same. I changed the !LAN to WAN, and everything was OK, with full VPN remote access to Winbox and LAN devices. I'm making this post to:

1) Possibly help another ROS amateur like me,
2) Ask a ROS expert to explain why !LAN is not equal to WAN
3) Ask whether I am still adequately protected on my RB3011 after I changed !LAN to WAN in my firewall rules?

Thanks to all the forum posters that have helped me in the past.

Regards,
Dave
 
rextended
Forum Guru
Posts: 11982
Joined: Tue Feb 25, 2014 12:49 pm
Location: Italy

Re: Firewall drop all !LAN is not the same as drop all WAN

Mon Jul 12, 2021 8:25 pm

Do not write novels, write /firewall filters export

WAN and LAN are not the yin and the yang.
VPN is not WAN and is not LAN until you put the VPN in one of the two groups.
What is not inside these two groups is !LAN and !WAN at the same time.
Multiple groups can be created.
 
pe1chl
Forum Guru
Posts: 10196
Joined: Mon Jun 08, 2015 12:09 pm

Re: Firewall drop all !LAN is not the same as drop all WAN

Mon Jul 12, 2021 8:53 pm

2) Ask a ROS expert to explain why !LAN is not equal to WAN
3) Am I still adequately protected on my RB3011 after I changed !LAN to WAN in my firewall rules??
The default firewall rules use !LAN instead of WAN because beginning users may add extra interfaces (like an extra bridge, a new internet interface like a PPPoE client, etc) but not know that they need to manually put them in the LAN or WAN list when they are using the usual menu system.

When you add a new interface and do not put it in any category, it is better to assume that incoming traffic is not allowed from it.
By using !LAN you assure that anything that is not put in the LAN list is treated as WAN.
When you would use WAN it would mean that a new interface that you would forget to put in the WAN list would be unprotected by default.

When you are careful enough to always put a new interface (like a PPPoE client, a VLAN, whatever) into the correct list, you can replace !LAN by WAN when you think that is more clear.
 
davidreaton
Frequent Visitor
Topic Author
Posts: 88
Joined: Thu Oct 02, 2014 12:21 am

Re: Firewall drop all !LAN is not the same as drop all WAN

Tue Jul 13, 2021 5:53 pm

My FW export is below.

3 followup questions:
1) To what list do I add the VPN?
2) What's the risk of using it as it is now, with "drop all not coming from WAN" rather than !LAN?
3) Why do you think Mikrotik changed their default config from WAN to !LAN ?

Thanks to you all.


# jul/13/2021 09:45:38 by RouterOS 6.47.9
# software id = 1TN6-HQF0
#
# model = RouterBOARD 3011UiAS
# serial number = 71A00666BD75
/ip firewall address-list
add address=192.168.70.0/24 list=fuladmin
/ip firewall filter
add action=drop chain=forward comment="Prevent Guest access to main network" \
dst-address=192.168.70.0/24 src-address=10.10.1.0/24
add action=accept chain=input comment="L2TP-IPSec VPN access" port=\
1701,500,4500 protocol=udp
add action=accept chain=input protocol=ipsec-esp
add action=passthrough chain=unused-hs-chain comment=\
"place hotspot rules here" disabled=yes
add action=accept chain=input comment=\
"defconf: accept established,related,untracked" connection-state=\
established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment=\
"defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
in-interface-list=WAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
connection-state=established,related
add action=accept chain=forward comment=\
"defconf: accept established,related, untracked" connection-state=\
established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
connection-state=invalid
add action=drop chain=forward comment=\
"defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
connection-state=new in-interface-list=WAN
/ip firewall nat
add action=masquerade chain=srcnat dst-address=192.168.70.190-192.168.70.198 \
src-address=192.168.70.190-192.168.70.198
add action=passthrough chain=unused-hs-chain comment=\
"place hotspot rules here" disabled=yes
add action=masquerade chain=srcnat out-interface-list=WAN
 
anav
Forum Guru
Posts: 19109
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Firewall drop all !LAN is not the same as drop all WAN

Tue Jul 13, 2021 6:00 pm

The default setup is ONLY for the basic home user that doesn't yet have a clue about MT configs.
It's set up so that the basic user simply needs to plug ether1 into the ISP modem and connect on ether2, for example.
The firewall rules are set up such that only LAN users can access the router for security reasons (input chain) (and so that all users can access DNS, for example).
The firewall rules are set up such that in the forward chain Internet traffic is passed from LAN to WAN, port forwarding is available and WAN to LAN traffic is blocked.

So it covers the very basics...
It basically allows all traffic except for some very specific blocks...
 
pe1chl
Forum Guru
Posts: 10196
Joined: Mon Jun 08, 2015 12:09 pm

Re: Firewall drop all !LAN is not the same as drop all WAN

Tue Jul 13, 2021 9:48 pm

3 followup questions:
1) To what list do I add the VPN?
2) What's the risk of using it as it is now, with "drop all not coming from WAN" rather than !LAN?
3) Why do you think Mikrotik changed their default config from WAN to !LAN ?
I already answered your questions in the post before (#3 above).
I would say, when you have to ask those questions again after I posted that, you are not yet ready to change !LAN into WAN.
Once you understand why it is done this way, you can consider that again. But now, just leave it as it is.
 
davidreaton
Frequent Visitor
Topic Author
Posts: 88
Joined: Thu Oct 02, 2014 12:21 am

Re: Firewall drop all !LAN is not the same as drop all WAN

Wed Jul 14, 2021 1:34 am

I understand, a bit more now. I added a firewall input rule to accept the VLAN IP address range, and changed the drop all rule back to !LAN. I put the new rule just ahead of the drop all rule. It seems to work well now.

I'm still unsure about adding this to an address or interface list. I'm looking at more tutorials now to learn more.

Your help and comments are appreciated.

Regards,
Dave
 
vecernik87
Forum Veteran
Posts: 882
Joined: Fri Nov 10, 2017 8:19 am

Re: Firewall drop all !LAN is not the same as drop all WAN

Wed Jul 14, 2021 7:15 am

I think neither option (!LAN / WAN) should be used. We are humans [1]. Humans make mistakes [2]. A different approach may require more rules, but it may prevent mistakes.

This is related to my only complaint about the default firewall, which uses "drop all !LAN". It works fine and is secure enough, but it breaks the simple approach of an explicit "drop all" rule.

In other words: understanding "allow what you want, block everything else" is simple. Once a rule says "block all from not LAN" you have to twist your brain, and if you didn't have your morning covfefe yet, you may end up with an incorrect understanding and a misconfiguration.

[1] except those who identify as donkeys, ponies or Apache helicopters.
[2] donkeys, ponies and Apache helicopters make mistakes as well.
 
anav
Forum Guru
Posts: 19109
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Firewall drop all !LAN is not the same as drop all WAN

Wed Jul 14, 2021 2:38 pm

The key is to go from an allow all concept for both chains (and thus have to know what to block and thus do it with weird commands) to a concept of block all and thus ensure you allow needed traffic. Much clearer and simpler.
 
pe1chl
Forum Guru
Posts: 10196
Joined: Mon Jun 08, 2015 12:09 pm

Re: Firewall drop all !LAN is not the same as drop all WAN

Wed Jul 14, 2021 4:41 pm

When you want a default-block method you can change the "drop all from !LAN" to two rules: "allow all from LAN" and "drop all".
It will be no different, but some people like it better.
Sure, I also set up my firewall like that, but I do not use the default ruleset at all.

What is most important is to classify the interfaces using interface list (WAN, LAN) and to make firewall rules in such a way that forgetting to classify an interface does not lead to a leak.
So, when a newbie user sets up PPPoE or adds a VPN, and does not know that they have to add that to the WAN list, that should not result in an open router.

In that, the current default firewall (which uses interface lists and !LAN) is good. The old default which blocked traffic from ether1 and allowed everything else was bad.
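As an added illustration of the two points pe1chl makes above (an unclassified interface is dropped by "!LAN" but slips past "WAN", and "accept LAN" + "drop all" behaves the same as "drop !LAN"), here is a small Python model of first-match evaluation for the final input-chain rule. It is example code, not from the thread or from RouterOS; the interface names bridge, ether1 and l2tp-in1 and the interface-list contents are constructed.

```python
# Added example (not from the thread or from RouterOS): a small model of
# first-match evaluation for the final input-chain rule, comparing the three
# variants discussed in the thread. Interface names are constructed; "l2tp-in1"
# stands for a VPN interface that was never added to either interface list.

def in_list(iface, spec, lists):
    """Evaluate an in-interface-list matcher; a leading '!' negates it."""
    if spec.startswith("!"):
        return iface not in lists[spec[1:]]
    return iface in lists[spec]

# Each variant: ordered (action, in-interface-list) rules; None matches anything.
VARIANTS = {
    "drop !LAN": [("drop", "!LAN")],
    "drop WAN": [("drop", "WAN")],
    "accept LAN, drop all": [("accept", "LAN"), ("drop", None)],
}

def verdict(variant, iface, lists):
    """First matching rule wins; a chain with no match falls through to accept,
    which is RouterOS's implicit chain policy."""
    for action, spec in VARIANTS[variant]:
        if spec is None or in_list(iface, spec, lists):
            return action
    return "accept"

def compare(lists, ifaces=("bridge", "ether1", "l2tp-in1")):
    """Verdict of every variant for a new connection arriving on each interface."""
    return {v: {i: verdict(v, i, lists) for i in ifaces} for v in VARIANTS}

# Constructed interface lists: the VPN interface is deliberately unclassified,
# which is the situation the thread starter ran into.
UNCLASSIFIED = {"LAN": {"bridge"}, "WAN": {"ether1"}}
# The fix discussed in the thread: put the VPN interface in the LAN list.
VPN_IN_LAN = {"LAN": {"bridge", "l2tp-in1"}, "WAN": {"ether1"}}

if __name__ == "__main__":
    for name, lists in (("unclassified VPN", UNCLASSIFIED), ("VPN in LAN", VPN_IN_LAN)):
        print(name)
        for variant, result in compare(lists).items():
            print(f"  {variant:22} {result}")
```

With the VPN interface unclassified, only the "drop WAN" variant accepts new connections from l2tp-in1, which is the leak pe1chl describes; once l2tp-in1 is in the LAN list, "drop !LAN" accepts it as intended.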
 
anav
Forum Guru
Posts: 19109
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Firewall drop all !LAN is not the same as drop all WAN

Wed Jul 14, 2021 6:53 pm

pe1chl, I see your point, but once you understand how FW rules work, the interface list usage is quite versatile and I encourage its use, not discourage it.
 
rextended
Forum Guru
Posts: 11982
Joined: Tue Feb 25, 2014 12:49 pm
Location: Italy

Re: Firewall drop all !LAN is not the same as drop all WAN

Wed Jul 14, 2021 7:11 pm

When I started doing the "WISP" in 2007, every single bit made a difference.
I was in a constant "war" with p2p to limit it.
And the firewall rules tended to be "block everything".
Then at some point, when I got fed up, I gave up and switched to a "pass it all" approach.

Each user must be responsible for what he does and how he uses it.

In practice, after the BGP there is the firewall that blocks on input from the Internet the classic ports 20-23-53-80-443-8291 and so on, and so on.
Obviously I only put some numbers, as an example.

A honeypot is also present: just touch it and the IP, and its whole class, goes into a blackhole FOREVER.

The CPEs open ports to the outside by themselves via UPnP (except, of course, the locked ones).

If someone wants to hurt himself, he must ask us expressly in writing if he wants us to open, for example, 80.

Some ports, such as 53, 67-68, 137-139, 8291, etc., etc., we do not open for any reason.

In this way I only have to worry that outgoing connections are not "spoofed" and do not carry out DDoS attacks, and that incoming connections are not DDoS attacks.
Etc. Etc. Etc.

In short, the usual things ...
 
mkx
Forum Guru
Posts: 11444
Joined: Thu Mar 03, 2016 10:23 pm

Re: Firewall drop all !LAN is not the same as drop all WAN

Wed Jul 14, 2021 7:22 pm

Some ports, such as 53 ... we do not open them for any reason.

I'm glad I'm not your customer. I'm running a DNS server authoritative for my personal domain at home. My ISP is letting me break my own balls ;-)
 
rextended
Forum Guru
Posts: 11982
Joined: Tue Feb 25, 2014 12:49 pm
Location: Italy

Re: Firewall drop all !LAN is not the same as drop all WAN

Wed Jul 14, 2021 7:26 pm

Probably there is an exception for you, because you know what you do... (I hope...?)

How do you deal with the continuous "attacks" from the Internet?
IP range?
Rate limit?
 
mkx
Forum Guru
Posts: 11444
Joined: Thu Mar 03, 2016 10:23 pm

Re: Firewall drop all !LAN is not the same as drop all WAN

Wed Jul 14, 2021 7:30 pm

I don't think there's an exception for me, I never asked for one.

However, there is an exception for me: my ISP delegates reverse queries for my (static) IPv6 prefix to my own DNS server. :-)
 
rextended
Forum Guru
Posts: 11982
Joined: Tue Feb 25, 2014 12:49 pm
Location: Italy

Re: Firewall drop all !LAN is not the same as drop all WAN

Wed Jul 14, 2021 7:35 pm

Sorry, my English is not good...

Probably I would make an exception for you, if you were my client, because you know what you do... (I hope...?)
