Unfortunately I always have problems.
Can someone check my firewall, please? Could I improve something? or do I have errors in the firewall?
Code: Select all
/ip firewall address-list
add address=192.168.141.8 list=INTERN
add address=192.168.141.0/24 list=local
add address=172.16.4.0/24 list=local
add address=8.8.8.8 list=DNS
add address=80.69.96.12 list=DNS
add address=81.210.129.4 list=DNS
add address=192.168.162.101 list=CAM
add address=192.168.141.3 list=INTERN
add address=192.168.141.171 list=INTERN
add address=192.168.141.14 list=INTERN
add address=1.1.1.1 list=DNS
add address=192.168.141.15 list=DNS
add address=192.168.141.12 list=INTERN
add address=192.168.141.2 list=MAIL
add address=192.168.141.15 list=INTERN
add address=78.42.44.6 list=ALT
add address=217.92.135.90 list=ALT
add address=192.168.141.8 list=MAIL
add address=172.16.2.1 list=DNS
add address=217.128.21.3 list=local
add address=78.18.89.11 comment=217.128.21.3 list=local
add comment="Black List (SSH)" list="Black List (SSH)"
add comment="Black List (Winbox)" list="Black List (Winbox)"
add comment="Black List (Port Scanner WAN)" list=\
"Black List (Port Scanner WAN)"
add comment="Black List (Port Scanner LAN)" list=\
"Black List (Port Scanner LAN)"
add address=0.0.0.0/8 list=bogons
add address=10.0.0.0/8 list=bogons
add address=100.64.0.0/10 list=bogons
add address=127.0.0.0/8 list=bogons
add address=169.254.0.0/16 list=bogons
add address=172.16.0.0/12 list=bogons
add address=192.0.0.0/24 list=bogons
add address=192.0.2.0/24 list=bogons
add address=192.168.0.0/16 list=bogons
add address=198.18.0.0/15 list=bogons
add address=198.51.100.0/24 list=bogons
add address=203.0.113.0/24 list=bogons
add address=240.0.0.0/4 list=bogons
add address=192.168.113.50 list=INTERN
add address=192.168.113.51 list=INTERN
add address=192.168.113.52 list=INTERN
add address=192.168.113.254 list=INTERN
add address=192.168.8.1 list=DNS
add address=192.168.113.0/24 list=local
add address=172.16.4.74 list=BLOCK
add address=192.168.162.102 list=CAM
add address=192.168.162.104 list=CAM
add address=192.168.162.105 list=CAM
add address=192.168.162.106 list=CAM
add address=192.168.162.107 list=CAM
add address=192.168.162.108 list=CAM
add address=192.168.141.25 list=INTERN
add address=172.16.4.110 list=MUSIC
add address=172.16.4.111 list=MUSIC
add address=172.16.4.112 list=MUSIC
add address=172.16.4.113 list=MUSIC
add address=172.16.4.114 list=MUSIC
add address=10.16.0.0/16 list=local
add address=192.168.141.26 list=INTERN
add address=192.168.141.6 list=INTERN
add address=192.168.141.205 list=INTERN
add address=192.168.252.0/24 list=local
add address=172.16.46.0/24 list=VPN
add address=192.168.141.65 list=INTERN
add address=192.168.141.66 list=INTERN
add address=192.168.141.210 list=INTERN
add address=172.16.4.109 list=MUSIC
add address=172.16.4.108 list=MUSIC
add address=172.16.4.107 list=MUSIC
/ip firewall connection tracking
set enabled=yes
/ip firewall filter
add action=drop chain=input comment="Drop invalid connections" \
connection-state=invalid
add action=drop chain=input comment="Drop Netbios" connection-state="" \
dst-port=137,138 protocol=udp
add action=jump chain=forward connection-state=new jump-target=detect-ddos
add action=return chain=detect-ddos dst-limit=32,32,src-and-dst-addresses/10s
add action=return chain=detect-ddos
add action=add-dst-to-address-list address-list=ddosed address-list-timeout=\
20m chain=detect-ddos
add action=add-src-to-address-list address-list=ddoser address-list-timeout=\
20m chain=detect-ddos
add action=drop chain=forward comment="Drop DDOS" connection-state=new \
dst-address-list=ddosed src-address-list=ddoser
add action=drop chain=input comment=\
"Drop anyone in the Port Scanner (WAN) list." in-interface-list=WAN log=\
yes log-prefix="BL_Black List (Port Scanner WAN)" src-address-list=\
"Black List (Port Scanner WAN)"
add action=drop chain=forward comment=\
"Drop anyone in the Port Scanner (WAN) list." in-interface-list=WAN log=\
yes log-prefix="BL_Black List (Port Scanner WAN)" src-address-list=\
"Black List (Port Scanner WAN)"
add action=add-src-to-address-list address-list=\
"Black List (Port Scanner WAN)" address-list-timeout=4w2d chain=input \
comment="Add TCP port scanner to Port Scanner (WAN) list." \
in-interface-list=WAN log=yes log-prefix=\
"Add_Black List (Port Scanner WAN)" protocol=tcp psd=21,3s,3,1
add action=drop chain=input comment=\
"Drop anyone in the Port Scanner (LAN) list." in-interface-list=WAN log=\
yes log-prefix="BL_Black List (Port Scanner LAN)" src-address-list=\
"Black List (Port Scanner LAN)"
add action=drop chain=forward comment=\
"Drop anyone in the Port Scanner (LAN) list." in-interface-list=WAN log=\
yes log-prefix="BL_Black List (Port Scanner LAN)" src-address-list=\
"Black List (Port Scanner LAN)"
add action=add-src-to-address-list address-list=\
"Black List (Port Scanner LAN)" address-list-timeout=4w2d chain=forward \
comment="Add TCP port scanner to Port Scanner (LAN) list." \
in-interface-list=WAN log=yes log-prefix=\
"Add_Black List (Port Scanner LAN)" protocol=tcp psd=21,3s,3,1
add action=drop chain=input comment="Drop anyone in Black List (Winbox)." \
in-interface-list=WAN log=yes log-prefix="BL_Black List (Winbox)" \
src-address-list="Black List (Winbox)"
add action=jump chain=input comment="Jump to Black List (Winbox) chain." \
dst-port=8291 in-interface-list=WAN jump-target=\
"Black List (Winbox) Chain" protocol=tcp
add action=add-src-to-address-list address-list="Black List (Winbox)" \
address-list-timeout=4w2d chain="Black List (Winbox) Chain" comment="Trans\
fer repeated attempts from Black List (Winbox) Stage 6 to Black List (Winb\
ox)." connection-state=new in-interface-list=WAN log=yes log-prefix=\
"Add_Black List (Winbox)" src-address-list="Black List (Winbox) Stage 6"
add action=add-src-to-address-list address-list="Black List (Winbox) Stage 6" \
address-list-timeout=1m chain="Black List (Winbox) Chain" comment=\
"Add succesive attempts to Black List (Winbox) Stage 6." \
connection-state=new in-interface-list=WAN log=yes log-prefix=\
"Add_Black List (Winbox) S6" src-address-list=\
"Black List (Winbox) Stage 5"
add action=add-src-to-address-list address-list="Black List (Winbox) Stage 5" \
address-list-timeout=1m chain="Black List (Winbox) Chain" comment=\
"Add succesive attempts to Black List (Winbox) Stage 5." \
connection-state=new in-interface-list=WAN log=yes log-prefix=\
"Add_Black List (Winbox) S5" src-address-list=\
"Black List (Winbox) Stage 4"
add action=add-src-to-address-list address-list="Black List (Winbox) Stage 4" \
address-list-timeout=1m chain="Black List (Winbox) Chain" comment=\
"Add succesive attempts to Black List (Winbox) Stage 4." \
connection-state=new in-interface-list=WAN log=yes log-prefix=\
"Add_Black List (Winbox) S4" src-address-list=\
"Black List (Winbox) Stage 3"
add action=add-src-to-address-list address-list="Black List (Winbox) Stage 3" \
address-list-timeout=1m chain="Black List (Winbox) Chain" comment=\
"Add succesive attempts to Black List (Winbox) Stage 3." \
connection-state=new in-interface-list=WAN log=yes log-prefix=\
"Add_Black List (Winbox) S3" src-address-list=\
"Black List (Winbox) Stage 2"
add action=add-src-to-address-list address-list="Black List (Winbox) Stage 2" \
address-list-timeout=1m chain="Black List (Winbox) Chain" comment=\
"Add succesive attempts to Black List (Winbox) Stage 2." \
connection-state=new in-interface-list=WAN log=yes log-prefix=\
"Add_Black List (Winbox) S2" src-address-list=\
"Black List (Winbox) Stage 1"
add action=add-src-to-address-list address-list="Black List (Winbox) Stage 1" \
address-list-timeout=1m chain="Black List (Winbox) Chain" comment=\
"Add initial attempt to Black List (Winbox) Stage 1." connection-state=\
new in-interface-list=WAN log=yes log-prefix="Add_Black List (Winbox) S1"
add action=return chain="Black List (Winbox) Chain" comment=\
"Return From Black List (Winbox) chain."
add action=drop chain=input comment="Drop anyone in Black List (SSH)." \
in-interface-list=WAN log=yes log-prefix="BL_Black List (SSH)" \
src-address-list="Black List (SSH)"
add action=jump chain=input comment="Jump to Black List (SSH) chain." \
dst-port=45735 in-interface-list=WAN jump-target="Black List (SSH) Chain" \
protocol=tcp
add action=add-src-to-address-list address-list="Black List (SSH)" \
address-list-timeout=4w2d chain="Black List (SSH) Chain" comment="Transfer\
_repeated attempts from Black List (SSH) Stage 3 to Black List (SSH)." \
connection-state=new in-interface-list=WAN log=yes log-prefix=\
"Add_Black List (SSH)" src-address-list="Black List (SSH) Stage 3"
add action=add-src-to-address-list address-list="Black List (SSH) Stage 3" \
address-list-timeout=1m chain="Black List (SSH) Chain" comment=\
"Add successive attempts to Black List (SSH) Stage 3." connection-state=\
new in-interface-list=WAN log=yes log-prefix="Add_Black List (SSH) S3" \
src-address-list="Black List (SSH) Stage 2"
add action=add-src-to-address-list address-list="Black List (SSH) Stage 2" \
address-list-timeout=1m chain="Black List (SSH) Chain" comment=\
"Add successive attempts to Black List (SSH) Stage 2." connection-state=\
new in-interface-list=WAN log=yes log-prefix="Add_Black List (SSH) S2" \
src-address-list="Black List (SSH) Stage 1"
add action=add-src-to-address-list address-list="Black List (SSH) Stage 1" \
address-list-timeout=1m chain="Black List (SSH) Chain" comment=\
"Add initial attempt to Black List (SSH) Stage 1." connection-state=new \
in-interface-list=WAN log=yes log-prefix="Add_Black List (SSH) S1"
add action=return chain="Black List (SSH) Chain" comment=\
"Return From Black List (SSH) chain."
add action=accept chain=input comment="Accept established connections" \
connection-state=established
add action=accept chain=input comment="Accept related connections" \
connection-state=related
add action=accept chain=input comment="Allow limited pings" limit=\
50/5s,2:packet protocol=icmp
add action=drop chain=input comment="Drop excess pings" protocol=icmp
add action=accept chain=input comment="Accept SSH for secure shell" dst-port=\
45735 log=yes log-prefix=SSH_LOGIN protocol=tcp
add action=accept chain=input comment="Accept VPN" protocol=ipsec-esp
add action=accept chain=input comment="Accept OpenVPN" dst-port=1194 log=yes \
log-prefix=VPN_LOGIN protocol=tcp
add action=accept chain=input comment="Accept VPN" dst-port=500,4500,1701 \
log=yes log-prefix=VPN_LOGIN protocol=udp
add action=accept chain=input comment="Accept Winbox access" dst-port=8291 \
protocol=tcp src-address-list=local
add action=accept chain=input comment="Accept Winbox MAC" dst-port=20561 \
in-interface-list=!WAN log-prefix=MIKROTIK_MAC_LOGIN protocol=udp \
src-address-list=local
add action=accept chain=input comment="Accept NDP" dst-port=5678 \
in-interface-list=!WAN protocol=udp src-address-list=local
add action=accept chain=input comment="Accept DNS Querry" dst-port=53 \
in-interface-list=!WAN protocol=udp src-address-list=local
add action=accept chain=input comment="Accept NTP Querry" dst-port=123 \
in-interface-list=!WAN protocol=udp src-address-list=local
add action=accept chain=input comment="Accept DHCP Querry" dst-port=67 \
in-interface-list=!WAN protocol=udp src-address-list=local src-port=68
add action=accept chain=input comment="Accept SNMP" dst-port=161 \
in-interface-list=!WAN protocol=udp src-address-list=local
add action=accept chain=input comment="Accept Winbox http" dst-port=1455 \
in-interface-list=!WAN protocol=tcp src-address-list=local
add action=accept chain=input comment="CAPsMAN accept all local traffic" \
src-address-type=local
add action=drop chain=input comment="Drop everything else" log-prefix=\
"IN DROP REST -> "
add action=accept chain=forward comment="von VPN zu INTERN nach Liste" \
dst-address-list=INTERN out-interface=bridge_FIRMA src-address=\
192.168.113.0/24
add action=accept chain=forward comment=\
"VPN nach S1 nach INTERN Liste" src-address=192.168.113.0/24 \
src-address-list=INTERN
add action=accept chain=forward comment="Privat zu INTERN" dst-address=\
192.168.141.0/24 src-address=172.16.4.0/24
add action=accept chain=forward comment="Privat nach Firma S2" \
dst-address=192.168.113.0/24 src-address=172.16.4.0/24
add action=accept chain=forward comment="Privat nach Firma S2" \
dst-address=192.168.113.0/24 src-address=192.168.141.0/24
add action=accept chain=forward comment="Privat nach DMZ - CAM" \
dst-address=192.168.162.0/24 src-address=172.16.4.0/24
add action=accept chain=forward comment="Firma nach DMZ" dst-address=\
192.168.162.0/24 src-address=192.168.141.0/24
add action=accept chain=forward comment="Firma S1 nach Privat" \
dst-address=172.16.4.0/24 src-address=192.168.141.0/24
add action=accept chain=forward comment=\
"Firma S1 DMZ nach Privat - MUSIC" dst-address=172.16.4.0/24 \
dst-address-list=MUSIC src-address=192.168.162.0/24
add action=accept chain=forward comment=\
"Firma S1 DMZ nach Privat - MUSIC" dst-address=192.168.162.0/24 \
src-address=172.16.4.0/25 src-address-list=MUSIC
add action=drop chain=forward comment="Firma S2 nach Privat - Drop" \
dst-address=172.16.4.0/24 log-prefix="DROP PTIVAT -->" src-address=\
192.168.113.0/24 src-address-list=INTERN
add action=drop chain=forward comment="Firma S2 nach Privat - Drop" \
dst-address=192.168.141.0/24 log-prefix="DROP PTIVAT -->" src-address=\
192.168.113.0/24 src-address-list=INTERN
add action=drop chain=forward comment="VPN nach PRIVAT" dst-address=\
172.16.4.0/24 log-prefix="DROP PTIVAT -->" src-address=172.16.46.0/24 \
src-address-list=INTERN
add action=drop chain=forward comment="VPN nach FIRMA" dst-address=\
192.168.141.0/24 log-prefix="DROP PTIVAT -->" src-address=172.16.46.0/24 \
src-address-list=INTERN
add action=drop chain=forward comment="CAM kein Internet" \
dst-address-list=172.16.4.10 log-prefix="DROP CAM -->" \
src-address-list=CAM
add action=drop chain=forward comment="VPN nach PRIVAT" disabled=yes \
dst-address=172.16.4.0/24 log=yes log-prefix="DROP PTIVAT -->" \
src-address=192.168.162.0/24 src-address-list=!CAM
add action=drop chain=forward comment="VPN nach FIRMA" disabled=yes \
dst-address=192.168.141.0/24 log-prefix="DROP PTIVAT -->" src-address=\
192.168.162.0/24 src-address-list=!INTERN
add action=drop chain=forward comment="VPN nach INTERN" dst-address=\
192.168.113.0/24 log-prefix="DROP PTIVAT -->" src-address=172.16.46.0/24 \
src-address-list=!INTERN
add action=drop chain=forward comment="Firma S2 nach Privat - Drop" \
in-interface=bridge_IOT log-prefix="DROP PTIVAT -->" out-interface=\
bridge_FIRMA src-address-list=!INTERN
add action=accept chain=forward comment=E-MAIL dst-port=80 in-interface=WAN1 \
log-prefix=80 protocol=tcp
add action=accept chain=forward comment=E-MAIL dst-port=8080 in-interface=\
WAN1 log-prefix=80 protocol=tcp
add action=accept chain=forward comment=E-MAIL dst-port=443 in-interface=WAN1 \
log-prefix=443 protocol=tcp
add action=accept chain=forward comment=VIR dst-port=2221 in-interface-list=\
WAN protocol=tcp
add action=accept chain=forward comment=CAM dst-port=4017 \
in-interface-list=WAN protocol=tcp
add action=accept chain=forward comment=TK dst-port=446 \
in-interface-list=WAN protocol=tcp
add action=accept chain=forward comment=TK dst-port=5222 \
in-interface-list=WAN protocol=tcp
add action=accept chain=forward comment=TK dst-port=5223 \
in-interface-list=WAN protocol=tcp
add action=accept chain=forward comment=VIR dst-port=2222 in-interface-list=\
WAN protocol=tcp
add action=accept chain=forward comment=TK dst-port=10000-20000 \
in-interface-list=WAN protocol=udp
add action=accept chain=forward comment=TK dst-port=5060 \
in-interface-list=WAN protocol=udp
add action=accept chain=forward comment=TK dst-port=5060 \
in-interface-list=WAN protocol=tcp
add action=accept chain=forward comment=TK dst-port=5061 \
in-interface-list=WAN protocol=tcp
add action=accept chain=forward comment="SSH" dst-port=1566 \
in-interface-list=WAN protocol=tcp
add action=accept chain=forward out-interface=bridge_FIRMA src-address=\
192.168.141.0/24
add action=accept chain=forward disabled=yes dst-address=192.168.141.63 \
src-address=192.168.141.254
add action=accept chain=forward comment="Accept established connections" \
disabled=yes out-interface=l2tp-aa
add action=accept chain=forward disabled=yes in-interface=l2tp-aa \
out-interface=bridge_FIRMA
add action=accept chain=forward disabled=yes in-interface=bridge_FIRMA \
out-interface=l2tp-aa
add action=accept chain=forward comment="Accept established connections" \
disabled=yes in-interface=l2tp-aa out-interface=bridge_FIRMA
add action=accept chain=forward comment="Accept established connections" \
in-interface=l2tp-PGP01
add action=accept chain=forward comment="Accept established connections" \
out-interface=l2tp-PGP01
add action=accept chain=forward comment="Accept DSTNAT connections" \
connection-nat-state=dstnat
add action=accept chain=forward comment="Accept established connections" \
connection-state=established
add action=accept chain=forward comment="Accept related connections" \
connection-state=related
add action=accept chain=forward comment="Allow Forward to WAN" out-interface=\
WAN1
add action=accept chain=forward comment="Allow Forward to WAN" out-interface=\
WAN2
add action=drop chain=forward comment="Drop invalid connections" \
connection-state=invalid
add action=log chain=forward comment="Log everything else" log=yes \
log-prefix="DROP FORWARD"
add action=drop chain=forward comment="Drop everything else"
add action=reject chain=forward disabled=yes layer7-protocol=drop \
reject-with=icmp-network-unreachable
/ip firewall mangle
add action=mark-connection chain=forward dst-address=192.168.141.171 dst-port=\
5060 new-connection-mark=sip-connection protocol=tcp
add action=mark-packet chain=forward connection-mark=sip-connection \
new-packet-mark=SIP
add action=mark-connection chain=forward dst-address=192.168.141.171 \
new-connection-mark=rtp-connection port=10000-20000 protocol=udp
add action=mark-packet chain=forward connection-mark=rtp-connection \
new-packet-mark=RTP
/ip firewall nat
add action=dst-nat chain=dstnat comment=Mailserver dst-port=80 in-interface=\
WAN1 protocol=tcp to-addresses=192.168.141.2 to-ports=80
add action=dst-nat chain=dstnat comment=Mailserver dst-port=443 in-interface=\
WAN1 protocol=tcp to-addresses=192.168.141.2 to-ports=443
add action=dst-nat chain=dstnat dst-port=1566 \
in-interface=WAN1 protocol=tcp to-addresses=192.168.141.66 to-ports=22
add action=dst-nat chain=dstnat comment=TK dst-port=5222 \
in-interface-list=WAN protocol=tcp to-addresses=192.168.141.171 to-ports=\
5222
add action=dst-nat chain=dstnat comment=TK dst-port=5223 \
in-interface-list=WAN protocol=tcp to-addresses=192.168.141.171 to-ports=\
5223
add action=dst-nat chain=dstnat comment=TK dst-port=5060 \
in-interface-list=WAN protocol=udp to-addresses=192.168.141.171 to-ports=\
5060
add action=dst-nat chain=dstnat comment=TK dst-port=5060 \
in-interface-list=WAN protocol=tcp to-addresses=192.168.141.171 to-ports=\
5060
add action=dst-nat chain=dstnat comment=TK dst-port=5061 \
in-interface-list=WAN protocol=tcp to-addresses=192.168.141.171 to-ports=\
5061
add action=dst-nat chain=dstnat comment=TK dst-port=10000-20000 \
in-interface-list=WAN protocol=udp to-addresses=192.168.141.171 to-ports=\
10000-20000
add action=dst-nat chain=dstnat comment=TK dst-port=446 \
in-interface-list=WAN protocol=tcp to-addresses=192.168.141.171 to-ports=\
446
add action=dst-nat chain=dstnat comment=Camera dst-port=4017 \
in-interface-list=WAN protocol=tcp to-addresses=172.16.4.10 to-ports=4017
add action=masquerade chain=srcnat out-interface=WAN1
add action=masquerade chain=srcnat out-interface=WAN2
/ip firewall service-port
set sip disabled=yes