Greenfun2
just joined
Topic Author

Audit my input firewall

Tue Sep 14, 2021 7:22 pm

This is my first Mikrotik device, and my first try at a default deny firewall. It is on a home network. Let me know what you think. Everything seems to work, I just want to make sure there are no obvious mistakes, holes, etc. Thank you.

Requirements:
DHCP Server for LAN
DHCP Client from ISP on WAN
DNS Server for LAN
DNS Client from WAN
NTP Server for LAN
NTP Client from WAN
L2TP/IPsec VPN server for Android client. Remote access to LAN and router admin.
Router admin access from the LAN DHCP pool (3 cellphones and a laptop on the wifi).


/ip firewall filter
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment="Allow L2TP VPN" dst-port=500,1701,4500 in-interface-list=WAN \
    protocol=udp
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="defconf: drop all else not coming from LAN" in-interface-list=!LAN
add action=accept chain=input comment="Allow DNS, UDP" dst-port=53 protocol=udp
add action=accept chain=input comment="Allow DNS, TCP" dst-port=53 protocol=tcp
add action=accept chain=input comment="Allow NTP" dst-port=123 protocol=udp
add action=accept chain=input comment="Accept management from DHCP" dst-port=8291,443 protocol=tcp \
    src-address-list="DHCP Devices"
add action=accept chain=input comment="Allow Remote Admin, L2TP VPN" dst-port=8291,443 protocol=tcp \
    src-address-list="VPN Local IP Range"
add action=accept chain=input comment="defconf: accept to local loopback (for CAPsMAN)" dst-address=\
    127.0.0.1
add action=drop chain=input comment="Drop all else"
 
anav
Forum Guru

Re: Audit my input firewall

Wed Sep 15, 2021 4:06 pm

I am confused by this line stated twice??

1. add action=accept chain=input comment="Accept management from DHCP" dst-port=8291,443 protocol=tcp \
src-address-list="DHCP Devices"

2. add action=accept chain=input comment="Allow Remote Admin, L2TP VPN" dst-port=8291,443 protocol=tcp \
src-address-list="VPN Local IP Range"


(1) The first one appears to be for the purpose of allowing the admin to access the router, which is a good idea. However, I don't know why you delineate ports?
Not required, and why 443 anyway?? We don't https into the router?
All you need is the following

add chain=input action=accept in-interface-list=MGMT src-address-list=adminaccess
Where:
a. MGMT identifies every interface that the admin may use to access the router
b. firewall address list called "adminaccess" is where you delineate the static LANIPs of your devices (admin desktop, laptop, ipad, smartphone etc)
This could be a subset of DHCP

(2) The second rule is also confusing, as it appears you think it's a good idea to allow direct access to the router from external websites. The quick answer is NO.
If you want to access the router, then use a VPN connection (seems like you have that intent); if so, then guess what, you can scrap this rule because you already have the rule I suggested above to allow access to the router (just add the VPN local IP users to the adminaccess list!!!).


3. You have changed, modified and added rules but kept default rules that are no longer relevant.
For example what is covered or what is the purpose of this rule.
"add action=drop chain=input comment="defconf: drop all else not coming from LAN" in-interface-list=!LAN"

When you answer that question, then review your config to see if it's needed!
See how it may affect other rules that follow!! That is a hint.
 
Greenfun2
just joined
Topic Author

Re: Audit my input firewall

Wed Sep 15, 2021 5:26 pm

Thank you for your reply.

(1) and (2) Might be a little off topic, but why don't we use https? I have only winbox and https services enabled on the router with certificates for https that my browser seems to like. I don't need any other services, but don't want to rely only on winbox.

Per your suggestion, I replaced the 2 admin rules with:
add action=accept chain=input comment="Accept management" in-interface-list=Management src-address-list=\
    "Admin Access"
3. I kept the default drop all else not from LAN rule to prevent DNS and NTP requests from WAN. My allow DNS and NTP rules are below this, allowing requests from LAN, and my accept established, related rule is above this to allow replies to requests sent out by the router. Is this correct? Or would it be better if the DNS and NTP rules specify in-interfaces?
Also, with the new management rule I changed drop all else not from LAN to drop all else from WAN.
 
anav
Forum Guru

Re: Audit my input firewall

Wed Sep 15, 2021 5:42 pm

Sort of LOL.

The reason why you no longer need the rule.
add action=drop chain=input comment="defconf: drop all else not coming from LAN" in-interface-list=!LAN

is because it ALLOWS ANY TRAFFIC NOT COMING FROM THE WAN (LAN to router, router to LAN, router to WAN), and therefore any rule allowing anything from the LAN after this rule is redundant: the traffic is already accepted and will not hit any other rules.
So all the DNS, NTP and allow management rules etc. would never be used.
The rule basically opens the router TO ALL on the LAN, which is fine for the default rule.

We remove that rule because we added the better rule
add chain=input action=drop comment="drop all else"

This drops all traffic wan to router, router to wan, lan to router, router to lan.
Thus all we need to do above this is basically state what is allowed.
such as admin access
The only other things required are lan user access to router services DNS, NTP etc.
Oh I forgot the vpn rules at the top are required.

+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Okay, regarding https access: interesting, I have never used that for access, I'd much rather use winbox and my own port of choosing.
Personal choice I guess...
 
johnson73
Member Candidate

Re: Audit my input firewall

Wed Sep 15, 2021 6:36 pm

Everything is based on the default firewall rules. Complete them with the rules you need.
Leaving DNS port 53 open is not a "good practice"! It is better to close it. viewtopic.php?t=92793 The order of the firewall rules is also important, because the rules are executed in top-down order.
I'll copy it for you as an example.
/ip firewall address-list
add address=192.168.X.X/24 list=Allowed-IP

/ip firewall filter
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment="Allow DNS to local" dst-port=53 \
    in-interface-list=!WAN protocol=udp src-address-list=Allowed-IP
add action=accept chain=input comment=L2TP connection-state=new dst-port=\
    500,1701,4500 protocol=udp
add action=accept chain=input comment="IKE IPSec" protocol=ipsec-esp
add action=accept chain=input comment=\
    "Allow access to router from known network" in-interface-list=!WAN \
    src-address-list=Allowed-IP
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
    in-interface-list=!LAN
 
anav
Forum Guru

Re: Audit my input firewall

Wed Sep 15, 2021 7:54 pm

Sorry Johnson, you're muddying the waters and leaving some default rules in place that the OP no longer needs.

The allow services rule is just fine as it is because one delineates all those on the LAN interface have access.
NO further granularity is desired by the OP for allowing or disallowing DNS from a subset of lan users.
 
johnson73
Member Candidate

Re: Audit my input firewall

Wed Sep 15, 2021 8:13 pm

OK, if you need to allow DNS 53 from everywhere, you can leave the input chain "Allow DNS" rule.
Only after a while the author will have a question: why is my router so busy and why are there problems with speed :)
 
anav
Forum Guru

Re: Audit my input firewall

Wed Sep 15, 2021 8:19 pm

I agree 100%, I should have added the rules to explain my line of thinking!
the rules should be
add action=accept chain=input comment="Allow DNS, UDP" dst-port=53 protocol=udp in-interface-list=LAN
add action=accept chain=input comment="Allow DNS, TCP" dst-port=53 protocol=tcp in-interface-list=LAN
add action=accept chain=input comment="Allow NTP" dst-port=123 protocol=udp in-interface-list=LAN

Only the admin needs full access to the router and lan users only need required services!
 
Greenfun2
just joined
Topic Author

Re: Audit my input firewall

Wed Sep 15, 2021 8:21 pm

The reason why you no longer need the rule.
add action=drop chain=input comment="defconf: drop all else not coming from LAN" in-interface-list=!LAN

is because it ALLOWS ANY TRAFFIC NOT COMING FROM THE WAN (LAN to router, router to LAN, router to WAN), and therefore any rule allowing anything from the LAN after this rule is redundant: the traffic is already accepted and will not hit any other rules.
So all the DNS, NTP and allow management rules etc. would never be used.
The rule basically opens the router TO ALL on the LAN, which is fine for the default rule.
I want to clarify this. In the unmodified default configuration, this is true. However, in the firewall in my original post this rule passes all LAN traffic to be tested by the remaining input chain rules. I reset all the counters and my DNS and NTP accept rules did show hits.
I intend to follow your advice and get rid of this rule, but I need to make the accept rules after this rule more specific. I do want to continue to avoid an open dns resolver, as johnson seems to be getting at.
 
rextended
Forum Guru

Re: Audit my input firewall

Wed Sep 15, 2021 8:38 pm

@johnson73

Someone please explain to me where the point is in the default configuration that permits DNS from WAN,
or why in the default configuration it is needed to drop incoming DNS requests from WAN on the input chain...

viewtopic.php?f=13&t=175129&p=856824#p856824
/ip firewall filter
add chain=input action=accept connection-state=established,related,untracked comment="defconf: accept established,related,untracked"
add chain=input action=drop connection-state=invalid comment="defconf: drop invalid"
add chain=input action=accept protocol=icmp comment="defconf: accept ICMP"
add chain=input action=accept dst-address=127.0.0.1 comment="defconf: accept to local loopback (for CAPsMAN)"
add chain=input action=drop in-interface-list=!LAN comment="defconf: drop all not coming from LAN"
[...]


On the OP "export":
/ip firewall filter
[...]
add action=drop chain=input comment="defconf: drop all else not coming from LAN" in-interface-list=!LAN
add action=accept chain=input comment="Allow DNS, UDP" dst-port=53 protocol=udp
add action=accept chain=input comment="Allow DNS, TCP" dst-port=53 protocol=tcp
add action=accept chain=input comment="Allow NTP" dst-port=123 protocol=udp
[...]
The rules "opened to the entire world" are put after "drop all from the outside world"
and really (IN THAT POSITION) are perfectly secure, because the traffic coming from WAN is already blocked.

As @anav suggests, it is better to specify "coming from LAN", because if they are accidentally moved to the wrong place... BANG!
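To make the rule-order argument of the last few posts concrete (anav's claim that the !LAN drop makes the later rules unreachable, Greenfun2's counter observation that LAN traffic falls through to them, and rextended's "BANG" case when a rule is moved), here is an added first-match simulator; it is not code from the thread or from MikroTik. It models only the matchers the posted rules use, assumes RouterOS's implicit accept when no rule matches, and takes an abridged copy of the OP's input chain as constructed input.

```python
"""First-match simulator for the RouterOS input chain posted in this thread (added example)."""
import shlex
from dataclasses import dataclass

# Constructed sample: the OP's original input chain, abridged (ICMP, NTP and loopback rules left out).
OP_RULES = r"""
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=input comment="Allow L2TP VPN" dst-port=500,1701,4500 in-interface-list=WAN \
    protocol=udp
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="defconf: drop all else not coming from LAN" in-interface-list=!LAN
add action=accept chain=input comment="Allow DNS, UDP" dst-port=53 protocol=udp
add action=drop chain=input comment="Drop all else"
"""
NON_MATCHERS = {"action", "chain", "comment", "disabled", "log", "log-prefix"}


def parse_export(text):
    """Join '\\'-continued export lines, then split each 'add ...' line into a {key: value} dict."""
    lines, buf = [], ""
    for raw in text.splitlines():
        buf += raw.strip() if buf else raw.rstrip()
        if buf.endswith("\\"):          # RouterOS export continuation marker
            buf = buf[:-1]
            continue
        if buf.strip():
            lines.append(buf.strip())
        buf = ""
    rules = []
    for line in lines:
        tokens = shlex.split(line)      # honours quoted comments and list names
        if tokens[0] == "add":
            rules.append(dict(tok.partition("=")[::2] for tok in tokens[1:]))
    return rules


def _list_match(want, have):
    # interface-list / address-list matcher; a leading '!' negates (the !LAN idiom)
    return want[1:] not in have if want.startswith("!") else want in have


@dataclass
class Packet:
    in_lists: frozenset = frozenset()   # interface lists the ingress interface belongs to
    src_lists: frozenset = frozenset()  # address lists the source IP is on
    proto: str = "udp"
    dst_port: int = 53
    state: str = "new"


# Only the matchers the posted rules use; an unmodelled key raises KeyError rather than being ignored.
MATCHERS = {
    "protocol": lambda val, p: val == p.proto,
    "dst-port": lambda val, p: str(p.dst_port) in val.split(","),
    "connection-state": lambda val, p: p.state in val.split(","),
    "in-interface-list": lambda val, p: _list_match(val, p.in_lists),
    "src-address-list": lambda val, p: _list_match(val, p.src_lists),
}


def matches(rule, pkt):
    return all(MATCHERS[k](v, pkt) for k, v in rule.items() if k not in NON_MATCHERS)


def evaluate(rules, pkt):
    """Top-down walk: (action, comment) of the first enabled rule that matches; RouterOS accepts otherwise."""
    for rule in rules:
        if rule.get("chain") == "input" and rule.get("disabled") != "yes" and matches(rule, pkt):
            return rule["action"], rule.get("comment", "")
    return "accept", "(no rule matched: RouterOS implicit accept)"


def move_before(rules, comment, before_comment):
    """Copy of the chain with rule `comment` dragged in front of rule `before_comment`."""
    rules = [dict(r) for r in rules]
    moved = next(r for r in rules if r.get("comment") == comment)
    rules.remove(moved)
    rules.insert(next(i for i, r in enumerate(rules) if r.get("comment") == before_comment), moved)
    return rules


def scenarios():
    rules = parse_export(OP_RULES)
    wan_dns, lan_dns = Packet(in_lists=frozenset({"WAN"})), Packet(in_lists=frozenset({"LAN"}))
    out = {
        "wan_dns_original": evaluate(rules, wan_dns),        # the !LAN drop shields the DNS rule
        "lan_dns_original": evaluate(rules, lan_dns),        # LAN falls through to it (OP's counters)
        "unlisted_if_dns_original": evaluate(rules, Packet()),  # interface in no list: !LAN still drops
    }
    moved = move_before(rules, "Allow DNS, UDP", "defconf: drop all else not coming from LAN")
    out["wan_dns_moved"] = evaluate(moved, wan_dns)  # dragged above the !LAN drop: WAN gets DNS answers
    for r in moved:  # pin the service rule to LAN, as suggested in the thread, and re-test
        if r.get("comment", "").startswith("Allow DNS"):
            r["in-interface-list"] = "LAN"
    out.update(wan_dns_moved_pinned=evaluate(moved, wan_dns), lan_dns_moved_pinned=evaluate(moved, lan_dns))
    return out
```

Calling `scenarios()` returns, for each case, the action taken and the comment of the rule that decided it, so the effect of moving or pinning a rule can be read off directly.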
 
johnson73
Member Candidate

Re: Audit my input firewall

Wed Sep 15, 2021 8:50 pm

Yes, I agree. The default config does not specify permitting DNS from WAN, but the author had set it in his configuration. He asked if the configuration would be correct, without errors etc.
Maybe he needs it? Maybe he typed it in by mistake?
I personally blocked dns port 53 in the Raw chain section
Thanks for the information.
 
anav
Forum Guru

Re: Audit my input firewall

Wed Sep 15, 2021 8:53 pm

edit................. NM

the !LAN rule is replaced by a better rule. DROP ALL.
The DROP rule makes the !LAN rule redundant.
 
rextended
Forum Guru

Re: Audit my input firewall

Wed Sep 15, 2021 8:54 pm

I hope you read what follows "On the OP "export":" in my previous post
 
rextended
Forum Guru

Re: Audit my input firewall

Wed Sep 15, 2021 8:54 pm

I also suggest @Greenfun2 to put the default rules in the same initial place; for example, if it is invalid, it can't be "established,related,untracked".
Moving the invalid drop before "established,related,untracked" only slows traffic, with no advantage of any kind (except if 51% of your traffic is invalid...).
And about "invalid": the system does not check the integrity of the packet, but other things, but this is not the topic to explain it all again.
 
anav
Forum Guru

Re: Audit my input firewall

Wed Sep 15, 2021 8:59 pm

anav !disagrees with rextended.

Now can I have a docker container that automatically selects the right IP subnet mask please. :-)
 
rextended
Forum Guru

Re: Audit my input firewall

Wed Sep 15, 2021 9:16 pm

@anav 8)

Now can I have a docker container that automatically selects the right IP subnet mask please. :-)
but... i do not understand... really....
 
rextended
Forum Guru

Re: Audit my input firewall

Wed Sep 15, 2021 9:17 pm

To make it more obvious: why don't they have a default rule after this rule which states
add action=accept chain=input comment="defconf: allow all else coming from LAN" in-interface-list=LAN
Because the LAN traffic has already been matched by the previous rule. ALL LAN traffic has already been allowed!!!
The !LAN is a VERY POWERFUL CHOICE!!!

Let me explain with some examples (ignoring selection errors in the menu):
1) you add a WAN interface, but you forget to put it in the WAN group... perfect, no problem, it is !LAN
2) you remove one ethernet from the bridge and use it for another scope... no problem, the bridge is in LAN, the ethernet is not, the ethernet is !LAN...
3) you add a VPN, but you forget to put it in the right group; probably it must be set on WAN, but still no problem, the VPN is !LAN
4) you delete the LAN group by mistake: no problem, the rule stops working because there is no corresponding group
5) etc...

Obviously this cannot prevent disaster if you delete all interfaces in the LAN group...

And this also prevents you from accidentally removing access to the router,
if you accidentally delete or move the rule that permits access to the router when "drop all input unconditionally" is present at the end...

Or if you accidentally put "drop all input unconditionally" on top...
and you have the bad habit of disabling MAC telnet...
hope the device has a serial port...
 
mkx
Forum Guru

Re: Audit my input firewall

Wed Sep 15, 2021 9:18 pm

@anav 8)

Now can I have a docker container that automatically selects the right IP subnet mask please. :-)
but... i do not understand... really....

Neither does @anav :-P
 
rextended
Forum Guru

Re: Audit my input firewall

Wed Sep 15, 2021 9:24 pm

The !LAN is a VERY POWERFULL CHOICE!!!

Ah... POWERFULL... :lol: I need some grammar corrector on browser...
This is not Poker.... or not? :lol: :lol: :lol:
 
johnson73
Member Candidate

Re: Audit my input firewall

Wed Sep 15, 2021 9:26 pm

Anav,
This configuration has worked for me for many years with no problem. You explained very much and well, but would you please say what is wrong in my case?
/ip firewall address-list
add address=192.168.X.X/24 list=Allowed-IP

/ip firewall filter
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment="Allow DNS to local" dst-port=53 \
    in-interface-list=!WAN protocol=udp src-address-list=Allowed-IP
add action=accept chain=input comment=L2TP connection-state=new dst-port=\
    500,1701,4500 protocol=udp
add action=accept chain=input comment="IKE IPSec" protocol=ipsec-esp
add action=accept chain=input comment=\
    "Allow access to router from known network" in-interface-list=!WAN \
    src-address-list=Allowed-IP
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
    in-interface-list=!LAN
add action=fasttrack-connection chain=forward comment=Fatsttrack \
    connection-state=established,related
add action=accept chain=forward comment="Allow Established,Related" \
    connection-state=established,related,untracked
add action=drop chain=forward comment="Drop Invalid Connections" \
    connection-state=invalid
add action=accept chain=forward comment="Allow Pings" protocol=icmp
add action=accept chain=forward comment="Accept from local to internet" \
    in-interface-list=!WAN out-interface-list=WAN
add action=drop chain=forward comment="Drop everything else" \
    connection-nat-state=!dstnat connection-state=new in-interface-list=WAN
 
rextended
Forum Guru

Re: Audit my input firewall

Wed Sep 15, 2021 9:33 pm

About input rules:
# missing this, but if you do not use CAPsMAN, no problem:
add chain=input action=accept dst-address=127.0.0.1 comment="defconf: accept to local loopback (for CAPsMAN)"

# these are useless, or are needed only if the Allowed-IP are on interfaces that are not in the LAN group:
add action=accept chain=input comment="Allow DNS to local" dst-port=53 in-interface-list=!WAN protocol=udp src-address-list=Allowed-IP
add action=accept chain=input comment="Allow access to router from known network" in-interface-list=!WAN src-address-list=Allowed-IP

# those rules are for WAN or LAN? written at that point they permit any WAN / LAN L2TP & IKE to the routerboard; I think it is the wanted behaviour:
add action=accept chain=input comment=L2TP connection-state=new dst-port=500,1701,4500 protocol=udp
add action=accept chain=input comment="IKE IPSec" protocol=ipsec-esp
now I check the forward section...
 
rextended
Forum Guru

Re: Audit my input firewall

Wed Sep 15, 2021 9:40 pm

About forward rules:
# on top of the forward chain I do not see these default rules
add chain=forward action=accept ipsec-policy=in,ipsec comment="defconf: accept in ipsec policy"
add chain=forward action=accept ipsec-policy=out,ipsec comment="defconf: accept out ipsec policy"

# this is added, and I think it is a good thing... (in the kernel ICMP is already limited to 100 pings/s)
add action=accept chain=forward comment="Allow Pings" protocol=icmp

# this is useless??? because the last "drop all" rule drops only new connections incoming from WAN
add action=accept chain=forward comment="Accept from local to internet" in-interface-list=!WAN out-interface-list=WAN
 
johnson73
Member Candidate

Re: Audit my input firewall

Wed Sep 15, 2021 9:41 pm

L2TP.....
# those rules are for WAN or LAN?
this applies to the WAN
 
rextended
Forum Guru

Re: Audit my input firewall

Wed Sep 15, 2021 9:42 pm

L2TP.....
# those rules are for WAN or LAN?
this applies to the WAN
Yes, "I think is wanted behaviour" :)
 
johnson73
Member Candidate

Re: Audit my input firewall

Wed Sep 15, 2021 9:47 pm

# on top of the forward chain I do not see these default rules
add chain=forward action=accept ipsec-policy=in,ipsec comment="defconf: accept in ipsec policy"
add chain=forward action=accept ipsec-policy=out,ipsec comment="defconf: accept out ipsec policy"

Everything works without these rules. I don't use constant vpn tunnel mode.
Thank you very much for the answers!
 
rextended
Forum Guru

Re: Audit my input firewall

Wed Sep 15, 2021 9:48 pm

Yes, like CAPsMAN, they are not required if you do not use that service.

Really, I do not see any hole in your config, only some redundant rules.

This is why you can say "for many years no problem".

I hope @anav finds something, if I haven't seen it.
 
anav
Forum Guru

Re: Audit my input firewall

Wed Sep 15, 2021 11:43 pm

I am in the same bed with rextended '-0 jajajaja, anything is possible if you drink enough!

There is nothing dangerous or particularly wrong, it is just inefficient.
I also try to avoid ! rules because sometimes they have unintended consequences and also they can make rules harder to read/comprehend.

There are two approaches to the firewall rules (that mkx approves),
a. the default approach where the router accepts everything and you have to tell it what to block,
b. the drop all else rule at the end where then, one simply has to only tell the router what to allow.

(the odd rule that doesn't fit this mold is drop invalid packets, but that's a special case)

Therefore any combination or mix of the two leads to inefficiencies (or as stated redundancies).
Lets just say I prefer the KISS method which also happens to be the more elegant method.

As for our rule for services, they can easily be modified if required.............
add action=accept chain=input comment="Allow DNS, UDP" dst-port=53 protocol=udp in-interface-list=LAN src-address-list="subset of LAN users A"
add action=accept chain=input comment="Allow DNS, TCP" dst-port=53 protocol=tcp in-interface-list=LAN src-address-list="subset of LAN users A"
add action=accept chain=input comment="Allow NTP" dst-port=123 protocol=udp in-interface-list=LAN src-address-list="subset of LAN users B"

@rextended, the ref to docker was to encourage you to get over your phobia of creating docker containers. (the one thing you fear in IT lol)
 
rextended
Forum Guru

Re: Audit my input firewall

Wed Sep 15, 2021 11:59 pm

Don't worry about Containers for Docker, I asked a colleague to study how it works :lol:
 
anav
Forum Guru

Re: Audit my input firewall

Thu Sep 16, 2021 12:05 am

FROM
/ip firewall address-list
add address=192.168.X.X/24 list=Allowed-IP

/ip firewall filter
add action=accept chain=input comment=\
"defconf: accept established,related,untracked" connection-state=\
established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment="Allow DNS to local" dst-port=53 \
in-interface-list=!WAN protocol=udp src-address-list=Allowed-IP
add action=accept chain=input comment=L2TP connection-state=new dst-port=\
500,1701,4500 protocol=udp
add action=accept chain=input comment="IKE IPSec" protocol=ipsec-esp
add action=accept chain=input comment=\
"Allow access to router from known network" in-interface-list=!WAN \
src-address-list=Allowed-IP
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
in-interface-list=!LAN
add action=fasttrack-connection chain=forward comment=Fatsttrack \
connection-state=established,related
add action=accept chain=forward comment="Allow Established,Related" \
connection-state=established,related,untracked
add action=drop chain=forward comment="Drop Invalid Connections" \
connection-state=invalid
add action=accept chain=forward comment="Allow Pings" protocol=icmp
add action=accept chain=forward comment="Accept from local to internet" \
in-interface-list=!WAN out-interface-list=WAN
add action=drop chain=forward comment="Drop everything else" \
connection-nat-state=!dstnat connection-state=new in-interface-list=WAN

TO

/ip firewall address-list
add address=IPA-desktop list=adminaccess
add address=IPB-laptop list=adminaccess
add address=IPC-ipad list=adminaccess
add address=IPD-smartphone list=adminaccess
add address=IP1-accesspoint1 list=NTP-serv
add address=IP2-accesspoint2 list=NTP-serv
add address=IP3-MTswitch list=NTP-serv

/ip firewall filter
add action=accept chain=input comment=L2TP connection-state=new dst-port=\
500,1701,4500 protocol=udp
add action=accept chain=input comment="IKE IPSec" protocol=ipsec-esp

add action=accept chain=input comment=\
"defconf: accept established,related,untracked" connection-state=\
established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp

add action=accept chain=input comment="Allow admin config" \
in-interface-list=LAN*** src-address-list=adminaccess ***
add action=accept chain=input comment="Allow DNS to local, UDP" dst-port=53 \
in-interface-list=LAN protocol=udp
add action=accept chain=input comment="Allow DNS to local, TCP" dst-port=53 \
in-interface-list=LAN protocol=tcp
add action=accept chain=input comment="allow NTP" dst-port=123 protocol=udp \
in-interface-list=LAN src-address-list=NTP-serv

add action=drop chain=input comment="drop all else"

***where interface list could be Management etc....... not all LANs but the ones the admin will config the router from.........

Comments: I prefer to ONLY allow the admin full access to the router, whereas you let everybody on the LAN subnet access the router.
I prefer to only allow LAN users access to the services they require.
In my case all LAN users need DNS services and only some NTP-capable devices need NTP services.
As you will note, I use interface lists most of the time for "WHOLE" LAN segments and firewall address lists for subsets of subnets.
I would rarely if ever create a firewall address list for an entire subnet; if I needed a subnet in a rule I would simply add that in the rule as a source address or use the interface.
By the way not sure why you are missing TCP DNS protocol???

+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
 
anav
Forum Guru

Re: Audit my input firewall

Thu Sep 16, 2021 12:23 am

FORWARD CHAIN
FROM
add action=accept chain=forward comment="Allow Established,Related" \
connection-state=established,related,untracked
add action=drop chain=forward comment="Drop Invalid Connections" \
connection-state=invalid
add action=accept chain=forward comment="Allow Pings" protocol=icmp
add action=accept chain=forward comment="Accept from local to internet" \
in-interface-list=!WAN out-interface-list=WAN
add action=drop chain=forward comment="Drop everything else" \
connection-nat-state=!dstnat connection-state=new in-interface-list=WAN

Notes:
1. Missing fasttrack rule
2. Why are you letting ICMP through here? Not required, and it's too wide open anyway, from anywhere??
3. Why are you allowing local to internet traffic, as you are not stopping that traffic by any rule, so you don't need to make one to allow it???
Besides, the rule is so fricken twisted it's almost funny.
4. The last default rule is weak: it drops all WAN to LAN traffic (except dst-natted traffic), whereas a drop all rule is more effective, dropping all WAN to LAN, LAN to WAN and LAN to LAN
(and then your allow rule for LAN to WAN starts making sense).
The last rule also becomes inefficient if one does not do any port forwarding........!!!

TO:
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
connection-state=established,related

add action=accept chain=forward comment="Allow Established,Related" \
connection-state=established,related,untracked
add action=drop chain=forward comment="Drop Invalid Connections" \
connection-state=invalid

add action=accept chain=forward comment="Accept from local to internet" \
in-interface-list=LAN out-interface-list=WAN
add action=accept chain=forward comment="Enable to Allow Port Forwarding" \
connection-nat-state=dstnat connection-state=new in-interface-list=WAN disabled=yes

add action=drop chain=forward comment="Drop everything else"
 
johnson73
Member Candidate

Re: Audit my input firewall

Thu Sep 16, 2021 10:05 am

Anav,
Notes:
''''1. Missing fasttrack rule
2. Why are you letting ICMP through here? Not required, and it's too wide open anyway, from anywhere??
3. Why are you allowing local to internet traffic, as you are not stopping that traffic by any rule, so you don't need to make one to allow it???
Besides, the rule is so fricken twisted it's almost funny.
4. The last default rule is weak: it drops all WAN to LAN traffic (except dst-natted traffic), whereas a drop all rule is more effective, dropping all WAN to LAN, LAN to WAN and LAN to LAN
(and then your allow rule for LAN to WAN starts making sense).
The last rule also becomes inefficient if one does not do any port forwarding........!!!''''

1. You may not have noticed. Fasttrack is!
2. permission, because if there is a need to block ICMP in the "Input" section, then one can no longer ping the internal network workstations
3. Yes, it could be. My mistake
4. I will use your suggestions

Thanks a lot for the help!
 
anav
Forum Guru

Re: Audit my input firewall

Thu Sep 16, 2021 12:41 pm

Ooops, my bad, I see it now!! (fasttrack)

ICMP is allowed on the router normally because it's useful for troubleshooting any issues on the router.
ICMP between devices on LANs, like any traffic between the LANs (subnet A to subnet B or vlan10 to vlan20), is blocked at L3 by the default rules (BLOCK ALL ELSE LAST RULE).
Thus no rules for ICMP are required. If you as the admin want to check something specific, then you can!

On my router I have an admin rule in the forward chain that follows the standard lan to wan allow rule.
a. allow all vlans to internet
b. allow admin to all vlans

If one PC on a subnet or all PCs on a subnet need access to a device on another subnet, it's simply another rule (shared printer):
c. allow subnet (or IP, or source-address-list, or vlan A) to a shared printer on vlan B
 
Greenfun2
just joined
Topic Author
Posts: 5
Joined: Tue Jul 13, 2021 1:19 am

Re: Audit my input firewall

Thu Sep 16, 2021 7:16 pm

This is what I have now:
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment="Allow L2TP VPN" dst-port=500,1701,4500 in-interface-list=WAN protocol=udp
add action=accept chain=input comment="Allow DNS, UDP" dst-port=53 in-interface-list=LAN protocol=udp
add action=accept chain=input comment="Allow DNS, TCP" dst-port=53 in-interface-list=LAN protocol=tcp
add action=accept chain=input comment="Allow UPnP/SSDP" dst-address=239.255.255.250 dst-port=1900 in-interface-list=LAN log=yes log-prefix=UPnP protocol=udp src-address-list="UPnP Trusted Devices"
add action=accept chain=input comment="Allow NTP" dst-port=123 in-interface-list=LAN protocol=udp
add action=accept chain=input comment="Accept management" in-interface-list=LAN src-address-list="Admin Access"
add action=accept chain=input comment="defconf: accept to local loopback (for CAPsMAN)" disabled=yes dst-address=127.0.0.1
add action=drop chain=input comment="Drop all else" log=yes log-prefix="Input drop"
The UPnP rule probably needs work. I don't use the game consoles, so it's hard for me to tell. They just have to work.
 
johnson73
Member Candidate
Posts: 173
Joined: Wed Feb 05, 2020 10:07 am

Re: Audit my input firewall

Thu Sep 16, 2021 7:39 pm

Greenfun2,
Please tell me: when connecting to the router via L2TP, do you go into the Winbox config? I have almost the same configuration, just no UPnP.
I created an input rule for 8291 = allow from a trusted address, and then it works for me.

Anav,
Do you use output rules? Doesn't an ordinary home user need them?
 
rextended
Forum Guru
Posts: 11967
Joined: Tue Feb 25, 2014 12:49 pm
Location: Italy
Contact:

Re: Audit my input firewall

Thu Sep 16, 2021 7:41 pm

Really, output rules are hard to see anywhere...
Output is connections initiated from the router CPU (like resolving a DNS name), and it is hard to think of something the router would generate for a bad purpose...
 
mkx
Forum Guru
Posts: 11381
Joined: Thu Mar 03, 2016 10:23 pm

Re: Audit my input firewall

Thu Sep 16, 2021 7:50 pm

... it is hard to think of something the router would generate for a bad purpose...

Not that hard ... but that would probably mean the router was hacked, and we really need to protect the router from getting hacked in the first place. Hence the high importance of quality input filters.
 
anav
Forum Guru
Posts: 18958
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada
Contact:

Re: Audit my input firewall

Thu Sep 16, 2021 7:54 pm

Nope, no output rules here.
The only output rule I ever saw was this one, but I'm not sure what it's for...............
add action=drop chain=output comment="Drop Access to WebUI" protocol=tcp src-port=80
 
Greenfun2
just joined
Topic Author
Posts: 5
Joined: Tue Jul 13, 2021 1:19 am

Re: Audit my input firewall

Thu Sep 16, 2021 8:22 pm

Greenfun2,
Please tell me: when connecting to the router via L2TP, do you go into the Winbox config? I have almost the same configuration, just no UPnP.
I created an input rule for 8291 = allow from a trusted address, and then it works for me.
Yes. I'm using the VPN to connect my Android phone to my LAN, and can access the router via the MikroTik Android app, which uses the Winbox port. So my VPN connection also needs to match the "Allow admin" rule.
The VPN also lets me visit the MikroTik forum on my work's wifi, where it's blocked.
 
mkx
Forum Guru
Posts: 11381
Joined: Thu Mar 03, 2016 10:23 pm

Re: Audit my input firewall

Thu Sep 16, 2021 9:36 pm

add action=drop chain=output comment="Drop Access to WebUI" protocol=tcp src-port=80

It's similar to
add action=drop chain=input comment="Drop Access to WebUI" protocol=tcp dst-port=80
but acts a packet later. The second rule drops even the initial packet (the SYN packet, the first step of the TCP three-way handshake), while the first rule drops the second packet of the three-way handshake (the SYN-ACK reply). Essentially, with the output chain rule the TCP stack of the target gets hit by connection establishment attempts but the connections don't establish. A nice way of getting loads of half-baked connections, potentially making the TCP stack struggle (in other words: a DoS attack).
 
johnson73
Member Candidate
Posts: 173
Joined: Wed Feb 05, 2020 10:07 am

Re: Audit my input firewall

Sat Sep 25, 2021 4:55 pm

Anav,
At your suggestion, I created the following rules. Everything works fine, but there is a question: I want to use the rule for protection that I found in the @Jotne topic.
/ip firewall filter
add action=accept chain=input comment="Allow Established,Related" \
    connection-state=established,related,untracked
add action=drop chain=input comment="drop invalid packets" connection-state=\
    invalid in-interface-list=WAN
add action=drop chain=input comment=ICMP in-interface-list=WAN protocol=icmp
add action=accept chain=input comment=L2TP connection-state=new dst-port=\
    500,1701,4500 in-interface-list=WAN protocol=udp
add action=accept chain=input comment="IKE IPSec" protocol=ipsec-esp
add action=accept chain=input comment="Allow DNS from local" dst-port=53 \
    in-interface-list=LAN protocol=udp src-address-list=Admin-IP
add action=accept chain=input comment="Allow DNS from local" dst-port=53 \
    in-interface-list=LAN protocol=tcp src-address-list=Admin-IP
add action=accept chain=input comment=\
    "Allow access to router from known network" in-interface-list=LAN \
    src-address-list=Admin-IP
add action=log chain=input comment="Log Everything Else" disabled=yes \
    log-prefix="DROP INPUT"
add action=drop chain=input comment="Drop all else" in-interface-list=WAN
add action=fasttrack-connection chain=forward comment=Fasttrack \
    connection-state=established,related
add action=accept chain=forward comment="Allow Established,Related" \
    connection-state=established,related,untracked
add action=drop chain=forward comment="Drop Invalid Connections" \
    connection-state=invalid
add action=accept chain=forward comment="Allow Pings" protocol=icmp
add action=accept chain=forward comment="Accept from local to internet" \
    in-interface-list=LAN out-interface-list=WAN
add action=drop chain=forward comment="Drop everything else" in-interface-list=\
    WAN
Where is it better to place them? At the end or the beginning of "Input"? Maybe these rules are not a good solution?
.
add action=add-src-to-address-list address-list=Block_unkown_port \
    address-list-timeout=1d chain=input comment=\
    "Add IP of user to access list if they have tried port that is not open." \
    disabled=yes in-interface-list=WAN log-prefix=FI_AS_port-test
add action=drop chain=input comment=\
    "Drop packets that has not been allowed or dropped before." disabled=yes \
    in-interface-list=WAN log-prefix=FI_D_port-test
/ip firewall raw
add action=drop chain=prerouting comment="Drop user that has tried ports that are not open" in-interface-list=WAN src-address-list=Block_unkown_port
or ''Honeypot'' hack protection?
/ip firewall filter
add action=add-src-to-address-list address-list="Honeypot Hacker" \
    address-list-timeout=30d0h0m chain=input comment="block honeypot ssh rdp winbox" \
    connection-state=new dst-port=22,3389,8291 in-interface=\
    ether4-wan protocol=tcp
add action=add-src-to-address-list address-list="Honeypot Hacker" \
    address-list-timeout=30d0h0m chain=input comment=\
    "block honeypot asterisk" connection-state=new dst-port=5060 \
    in-interface=ether4-wan protocol=udp 
/ip firewall raw
add action=drop chain=prerouting in-interface=ether4-wan src-address-list=\
    "Honeypot Hacker"
 
anav
Forum Guru
Posts: 18958
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada
Contact:

Re: Audit my input firewall

Sat Sep 25, 2021 8:39 pm

Comments:

(1) Why did you delineate the WAN? I would think all malformed, invalid packets should be dropped!!
add action=drop chain=input comment="drop invalid packets" connection-state=invalid in-interface-list=WAN

(2) Same comment for ICMP.
add action=drop chain=input comment=ICMP in-interface-list=WAN protocol=icmp

(3) I don't understand your logic: the first two rules are covered by the last rule and thus are not required.
What is needed is the last rule placed first!
After that, the DNS rules are aimed at all other LAN users, aka those that are not admins ...
SO FROM THIS
add action=accept chain=input comment="Allow DNS from local" dst-port=53 \
in-interface-list=LAN protocol=udp src-address-list=Admin-IP
add action=accept chain=input comment="Allow DNS from local" dst-port=53 \
in-interface-list=LAN protocol=tcp src-address-list=Admin-IP
add action=accept chain=input comment=\
"Allow access to router from known network" in-interface-list=LAN \
src-address-list=Admin-IP

TO THIS
add action=accept chain=input comment=\
"Allow access to router from known network" in-interface-list=LAN \
src-address-list=Admin-IP

add action=accept chain=input comment="Allow DNS from local" dst-port=53 \
in-interface-list=LAN protocol=udp
add action=accept chain=input comment="Allow DNS from local" dst-port=53 \
in-interface-list=LAN protocol=tcp


OR ARE YOU SAYING there are LAN users on your network that should not receive DNS services???
If the answer is yes, then you are being inconsistent, as you want the entire LAN to access the WAN!

(4) The big error is overthinking it, as you seem to be doing, as illustrated by monkeying with the drop-all rule........ Don't do it half-assed, otherwise you start mixing concepts and become inefficient.
Thus drop the in-interface list; it doesn't help ....................... and makes the above rules redundant and defeats the purpose of a drop-all rule.
add action=drop chain=input comment="Drop all else" in-interface-list=WAN

(5) There is no need for an ICMP rule in the forward chain. Remove it.

(6) Again, same case in the forward chain: don't monkey with the drop-all rule and get rid of the in-interface.....
add action=drop chain=forward comment="Drop everything else" in-interface-list=WAN
 
anav
Forum Guru
Posts: 18958
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada
Contact:

Re: Audit my input firewall

Sat Sep 25, 2021 8:44 pm

As for jotne's rules:
I would not put them in place unless you think you have an issue.
Do you have servers you are running?? If not, then no worries, you are not open to internet traffic.
The only connections coming in on the WAN are for the VPN, and those are not going to cause issues.
 
johnson73
Member Candidate
Posts: 173
Joined: Wed Feb 05, 2020 10:07 am

Re: Audit my input firewall

Sat Sep 25, 2021 10:03 pm

1) Okay, I'll remove it. I didn't want to delimit it, but to specify a specific interface for it to work properly.
2) OK, correcting.
3) I watched the MUM webinar and there was a mention of that fact. That is why I stated exactly this. All LAN users only need to receive DNS from the internal network. An external DNS service is not used.
4) OK, correcting.
5) This recommendation was also once mentioned in a MikroTik MUM. OK, correcting.
6) OK, correcting.
Next .......
In my case, this is a small office network with 5 workstations. Only 2 networks: one LAN, the other wifi-Guest. Why ask about protection? Because there is one user on the network who uses torrents to download data. When the torrent process is closed, our office IP address is scanned (possibly flood, DoS, SYN attack) for a long time, which can be seen in the log.
I want to protect the WAN from possible attacks as much as possible.

Maybe I can use the following rules in the forward chain to protect against DoS with a connection limit? Do you use something like that?
add action=jump chain=forward comment="Ddos protect" connection-state=new \
    jump-target=block-ddos
add action=return chain=block-ddos dst-limit=32,42,src-and-dst-addresses/10s
add action=add-dst-to-address-list address-list=ddosed address-list-timeout=\
    3d30m chain=block-ddos
add action=add-src-to-address-list address-list=ddoser address-list-timeout=\
    3d30m chain=block-ddos
add action=drop chain=forward connection-state=new dst-address-list=ddosed \
    src-address-list=ddoser
Thanks for your answers!
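To see what the "Ddos protect" jump chain quoted above actually does, here is a small token-bucket model of it. This is an added example, not code from the thread or from MikroTik. It assumes the reading of dst-limit=32,42,src-and-dst-addresses/10s that follows the documented syntax count[/time],burst,mode[/expire]: an average of 32 new connections per second per (src, dst) pair, a bucket of 42 packets on top of that rate (netfilter hashlimit style, bucket starts full), and per-pair state forgotten after 10 s of silence. The addresses and the flood are constructed.

```python
"""Token-bucket model of the 'Ddos protect' jump chain quoted in the thread.
Added example, not code from the thread or from MikroTik.  The dst-limit
semantics (rate 32/s, burst 42, per src+dst pair, 10 s expiry) are an
assumed reading of the rule; sample addresses are constructed."""
from typing import Dict, Tuple

RATE = 32.0                          # tokens refilled per second
BURST = 42.0                         # bucket capacity (assumed: starts full)
EXPIRE = 10.0                        # seconds of silence before a pair's bucket is forgotten
LIST_TIMEOUT = 3 * 86400 + 30 * 60   # address-list-timeout=3d30m


class DdosProtect:
    def __init__(self) -> None:
        self.buckets: Dict[Tuple[str, str], Tuple[float, float]] = {}  # pair -> (tokens, last_seen)
        self.ddoser: Dict[str, float] = {}   # src -> address-list entry expiry
        self.ddosed: Dict[str, float] = {}   # dst -> address-list entry expiry

    def _within_limit(self, src: str, dst: str, now: float) -> bool:
        """The dst-limit matcher: True while this (src, dst) pair is under its rate."""
        key = (src, dst)
        tokens, last = self.buckets.get(key, (BURST, now))
        if now - last > EXPIRE:                   # /10s expiry: start afresh
            tokens, last = BURST, now
        tokens = min(BURST, tokens + (now - last) * RATE)
        ok = tokens >= 1.0
        self.buckets[key] = (tokens - 1.0 if ok else tokens, now)
        return ok

    def new_connection(self, src: str, dst: str, now: float) -> str:
        """Verdict of the forward chain for one connection-state=new packet."""
        # jump block-ddos: 'return' while under the limit; otherwise the two
        # add-*-to-address-list rules fire (they do not terminate the chain)
        if not self._within_limit(src, dst, now):
            self.ddosed[dst] = now + LIST_TIMEOUT
            self.ddoser[src] = now + LIST_TIMEOUT
        # back in forward: the drop rule needs BOTH lists to match this packet
        if self.ddoser.get(src, 0.0) > now and self.ddosed.get(dst, 0.0) > now:
            return "drop"
        return "continue"   # falls through to the rest of the forward chain


def simulate_flood(n: int = 100, now: float = 5.0) -> Tuple[int, int, DdosProtect]:
    """n new connections from one constructed source to one target within the same second."""
    fw = DdosProtect()
    verdicts = [fw.new_connection("203.0.113.7", "192.0.2.10", now) for _ in range(n)]
    return verdicts.count("continue"), verdicts.count("drop"), fw


if __name__ == "__main__":
    passed, dropped, fw = simulate_flood()
    print(f"flood: {passed} passed (the burst), {dropped} dropped")
    # a different client reaching the same target is unaffected ...
    print("other client ->", fw.new_connection("198.51.100.4", "192.0.2.10", 5.0))
    # ... and so is the flooder towards a target that is not in 'ddosed'
    print("flooder, other target ->", fw.new_connection("203.0.113.7", "192.0.2.11", 5.0))
    # the listed pair stays blocked long after the dst-limit state has expired
    print("flooder after 60 s ->", fw.new_connection("203.0.113.7", "192.0.2.10", 65.0))
```

Two properties of the rule set fall out of the model: the burst of 42 always gets through before anything is listed, and the final drop rule only fires when the source is in "ddoser" and the destination in "ddosed" at the same time, so a flooder that spreads over many targets, or many sources hitting one target, is largely untouched. It also only matters for traffic the forward chain would otherwise accept; with no port forwarding and a drop-all rule, new connections from the WAN never get that far.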
 
anav
Forum Guru
Posts: 18958
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada
Contact:

Re: Audit my input firewall

Sat Sep 25, 2021 11:29 pm

No, I have no special rules, as I don't have any open servers on my network.
Does the one user leave his computer running?
He should be warned for illegal use of company assets, lots of people want jobs.
 
johnson73
Member Candidate
Posts: 173
Joined: Wed Feb 05, 2020 10:07 am

Re: Audit my input firewall

Sun Sep 26, 2021 9:45 am

I created the firewall rules at your suggestion. L2TP/IPsec stopped working. You can connect to the router but no longer have access to the internal LAN, and also not to Winbox. Creating an "Input" chain rule for access from the LAN to 8291, etc.: unable to connect.
I put back -add action=drop chain=input comment="Drop" in-interface-list=WAN .. and then I get back into the local LAN again. Where is the error? Do I need to create additional access rules?
If you use this method and everything works fine for you, the question is: are you using a VPN service?
/ip firewall filter
add action=accept chain=input comment="Allow Established,Related" \
    connection-state=established,related,untracked
add action=drop chain=input comment="drop invalid packets" connection-state=\
    invalid 
add action=drop chain=input comment=ICMP protocol=icmp
add action=accept chain=input comment=L2TP connection-state=new dst-port=\
    500,1701,4500 in-interface-list=WAN protocol=udp
add action=accept chain=input comment="IKE IPSec" protocol=ipsec-esp
in-interface-list=LAN protocol=tcp src-address-list=Admin-IP
add action=accept chain=input comment=\
    "Allow access to router from known network" in-interface-list=LAN \
    src-address-list=Admin-IP
add action=accept chain=input comment="Allow DNS from local" dst-port=53 \
in-interface-list=LAN protocol=udp
add action=accept chain=input comment="Allow DNS from local" dst-port=53 \
in-interface-list=LAN protocol=tcp     
add action=log chain=input comment="Log Everything Else" disabled=yes \
    log-prefix="DROP INPUT"
add action=drop chain=input comment="Drop all else" in-interface-list=WAN
 
anav
Forum Guru
Posts: 18958
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada
Contact:

Re: Audit my input firewall

Sun Sep 26, 2021 2:52 pm

Yes, I have used ipsec vpn in the past and currently using wireguard.
I will have a look!

(1) I don't quite understand this rule.................
add action=accept chain=input comment="IKE IPSec" protocol=ipsec-esp
in-interface-list=LAN protocol=tcp src-address-list=Admin-IP


Why does anyone, including the admin, need access to the router for ipsec?? This may be a perfectly legitimate rule, I am just asking the question!
a. The initial connection to the router to establish the tunnel is already covered in this rule...........
add action=accept chain=input comment=L2TP connection-state=new dst-port=\
500,1701,4500 in-interface-list=WAN protocol=udp


b. Typically there is an interface or faux IP address behind the router where the ipsec tunnel lands (exit/entry point for tunnelled traffic), which is not addressed in the rule, I am not sure.

c. What I don't see is whether you wanted that tunnel traffic (let's say it's you from a remote site) to be able to reach the router for config purposes???

d. Finally, this is the format I think the rule should be in for ipsec.
add action=accept chain=input comment="IKE IPSec" protocol=ipsec-esp in-interface-list=WAN protocol=tcp?? port=??

(2) Nothing wrong with this rule.............
add action=accept chain=input comment=\
"Allow access to router from known network" in-interface-list=LAN \
src-address-list=Admin-IP
 
anav
Forum Guru
Posts: 18958
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada
Contact:

Re: Audit my input firewall

Sun Sep 26, 2021 3:17 pm

In summary, this is the direction I would go,,,,,,,,

/ip firewall filter
add action=accept chain=input comment="Allow Established,Related" \
connection-state=established,related,untracked
add action=drop chain=input comment="drop invalid packets" connection-state=\
invalid
add action=drop chain=input comment=ICMP protocol=icmp
add action=accept chain=input comment=L2TP connection-state=new dst-port=\
500,1701,4500 in-interface-list=WAN protocol=udp

add action=accept chain=input comment="IKE IPSec" protocol=ipsec-esp in-interface-list=WAN protocol=tcp?? ??
add action=accept chain=input comment=\
"Allow access to router from known network" in-interface-list=LAN \
src-address-list=Admin-IP
add action=accept chain=input comment="Allow DNS from local" dst-port=53 \
in-interface-list=LAN protocol=udp
add action=accept chain=input comment="Allow DNS from local" dst-port=53 \
in-interface-list=LAN protocol=tcp
add action=log chain=input comment="Log Everything Else" disabled=yes \
log-prefix="DROP INPUT"
add action=drop chain=input comment="Drop all else"

Now what is not clear to me is
a. what is the entry/exit point for the tunnel on your router, is it an interface?
b. if it's an interface, is it a member of the LAN interface list?

There ARE TWO OPTIONS to solve this

A. You may need two rules....
add action=accept chain=input comment=\
"Allow access to router from known network" in-interface-list=LAN \
src-address-list=Admin-IP

PLUS
add action=accept chain=input comment="allow remote config" src-address=<IP of TUNNEL>

(The reason one couldn't reach the router for config is that the drop rule prevented it, WHICH IS GOOD!
When you allowed everything from the LAN to reach the router by only stating drop WAN info, then the traffic was allowed, not very precise, too wide open.)

SO the trick is to find exactly what traffic it is that you want allowed and address this in the ruleset, and hence the reason for the second rule.

B. If the VPN tunnel is an interface and you add it to the LAN interface list and add the IP of the tunnel to the Admin-IP address list, you could stick with the existing single rule, adjusting it accordingly.

Note: I am not certain of the format of the ipsec rule, that is for someone who knows ipsec................ I just tried to copy the rule from your earlier posts!!!! before you made it butt ugly :-)
 
johnson73
Member Candidate
Posts: 173
Joined: Wed Feb 05, 2020 10:07 am

Re: Audit my input firewall

Sun Sep 26, 2021 5:06 pm

Yay! Everything is finally working well!
There were no such rules, so there was also a VPN connect problem.
'' '' PLUS
add action=accept chain=input comment="allow remote config" src-address=<IP of TUNNEL> '' ''
Thank you very much! :D

p.s. You say: '' (5) There is no need for ICMP command in forward chain. Remove it. ''
If I delete the ICMP forward rule, then when connecting with L2TP it is not possible to ping the devices. I need it.
 
anav
Forum Guru
Posts: 18958
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada
Contact:

Re: Audit my input firewall

Sun Sep 26, 2021 6:53 pm

To clarify a couple of points...
(1) add action=accept chain=input comment="allow remote config" src-address=<IP of TUNNEL>

That source address is on the ROUTER somewhere and is the LAN IP of the tunnel exit/entry into the LAN side of the router (just make sure it's not an external public IP)!!

(2) What do you mean you cannot ping the VPN?
Where are you pinging it from??

With more detail we can narrow down the requirement..


(3) Also please post the complete config to see how its looking
/export hide-sensitive file=anynameyouwish
 
johnson73
Member Candidate
Posts: 173
Joined: Wed Feb 05, 2020 10:07 am

Re: Audit my input firewall

Sun Sep 26, 2021 7:33 pm

That source address is on the ROUTER somewhere and is the LAN IP of the tunnel exit/entry into the LAN side of the router (just make sure it's not an external public IP)!!
- No, it is not an external IP but an internal network address.
(2) What do you mean you cannot ping the VPN?
Where are you pinging it from??
- My setup is an office, a CCR device where the WAN port (ether1) has a public IP with a static address assigned by the provider. LAN - ether2 physical port.
When connecting to the office from the outside (road warrior) via L2TP/IPsec, I get to all internal LAN devices. As I mentioned before, if we do not specify an ICMP rule in the forward chain, then it is not possible to ping the equipment (workstations, printers, etc.). I leave it because I need it. Now everything works fine for me, no problem. Thanks!

(3) Also please post the complete config to see how its looking
/ip firewall filter
add action=accept chain=input comment="Allow Established,Related" \
    connection-state=established,related,untracked
add action=drop chain=input comment="drop invalid packets" connection-state=\
    invalid
add action=drop chain=input comment=ICMP protocol=icmp
add action=accept chain=input comment=L2TP connection-state=new dst-port=\
    500,1701,4500 protocol=udp
add action=accept chain=input comment="IKE IPSec" protocol=ipsec-esp
add action=accept chain=input comment=Allow-VPN src-address-list=Admin-IP
add action=accept chain=input comment=\
    "Allow access to router from known network" in-interface-list=LAN \
    src-address-list=Admin-IP
add action=accept chain=input comment="Allow DNS to local" dst-port=53 \
    in-interface-list=LAN protocol=udp
add action=accept chain=input comment="Allow DNS to local" dst-port=53 \
    in-interface-list=LAN protocol=tcp
add action=log chain=input comment="Log Everything Else" disabled=yes \
    log-prefix="DROP INPUT"
add action=drop chain=input comment="Drop all else"

add action=fasttrack-connection chain=forward comment=Fasttrack \
    connection-state=established,related
add action=accept chain=forward comment="Allow Established,Related" \
    connection-state=established,related,untracked
add action=drop chain=forward comment="Drop Invalid Connections" \
    connection-state=invalid
add action=accept chain=forward comment="Accept from local to internet" \
    in-interface-list=LAN out-interface-list=WAN
add action=accept chain=forward comment="Accept ICMP" protocol=icmp
add action=accept chain=forward comment="Allow RDP" dst-port=3389 protocol=tcp \
    src-address-list=Admin-IP
add action=drop chain=forward comment="Drop everything else"
 
anav
Forum Guru
Posts: 18958
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada
Contact:

Re: Audit my input firewall

Mon Sep 27, 2021 12:15 am

Sorry, I don't get this comment
- No, it is not an external IP but an internal network address.
If you mean you're coming from an external public WAN IP into the router via a tunnel, okay, but you don't exit the tunnel on the router with the same IP; you are put on a subnet, an interface or what I call a faux internal IP address.

So the pinging is from the internal network faux IP.....
This means you need a forward chain rule, before the drop rule, that states

add chain=forward action=accept src-address=<faux IP> out-interface-list=LAN

NOW you can access the entire LAN, not just ICMP!!

Okay now to look at your config.
 
anav
Forum Guru
Posts: 18958
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada
Contact:

Re: Audit my input firewall

Mon Sep 27, 2021 2:05 am

Sorry, the firewall rules are not the entire config,,,,,,,,,,,, which makes one have to guess at things :-( :-(

In any case lets look at what is visible.
add action=accept chain=input comment=Allow-VPN src-address-list=Admin-IP
add action=accept chain=input comment=\
"Allow access to router from known network" in-interface-list=LAN \
src-address-list=Admin-IP

Tell me what the purpose of each rule is, and what the difference between each rule is.

I will assume the following due to the lack of an actual config posted.
a. The firewall address list comprises the following items:
IP of admin desktop
IP of admin laptop
IP of admin iPad
IP of admin smartphone
IP of faux VPN tunnel address.

b. The LAN interface list does NOT include a VPN interface, as one doesn't exist, just the faux IP address.

So it should be plain by now that
the two rules overlap.
The first rule allows all the firewall address list entries, from anywhere, to access the router.
The second rule allows all the same firewall address list entries, from the LAN, to access the router.

Is there any effective difference between the two rules?
YES, the first ALSO allows the faux VPN IP address on the router (you coming in on the VPN tunnel) to access the router.
Conclusion: the second rule DOES NOTHING, as the rule will never get matched, since all entries will match the first rule......

My concern is HOW TO associate only the faux VPN address access to the router without such a wide open rule (input from everywhere).

Suggesting try,
add chain=input action=accept src-address-type=local src-address=<IP of faux VPN address>
add chain=input action=accept in-interface-list=LAN src-address-list=Admin-IP

See if that works to permit VPN access to the router.
If not, then one will have to remove the src-address-type.

What is the purpose of this rule??
add action=accept chain=forward comment="Allow RDP" dst-port=3389 protocol=tcp \
src-address-list=Admin-IP

You want to Remote Desktop from where to where? There is no destination stated??

Remember, if you have
add action=accept chain=forward src-address=<faux VPN IP> out-interface-list=LAN, you as admin from the VPN tunnel can access all of the LAN, no need for an RDP rule or ICMP rule....
 
johnson73
Member Candidate
Posts: 173
Joined: Wed Feb 05, 2020 10:07 am

Re: Audit my input firewall

Mon Sep 27, 2021 9:18 am

Sorry I don't get this comment
-'' No, it is not an external IP but an internal network address.''
- Sorry, I mixed something up here myself :)
.
''''My concern is HOW TO associate only the faux VPN address access to the router without such a wide open rule (input from everywhere).''''
- In my case the VPN address is a real static IP at both ends. What did you mean by ''faux''?? If you were thinking of associating a virtual IP address, I won't be able to answer you right away.
.
''''What is the purpose of this rule??
add action=accept chain=forward comment="Allow RDP" dst-port=3389 protocol=tcp \
src-address-list=Admin-IP ''''
- I introduced this rule only because it was not possible to access LAN devices via VPN. I am now correcting it with your method. I'll look and test. Looks like everything is OK.
.
'''' You want to Remote desktop from where to where, there is no destination stated?? ''''
- Remote access to internal network equipment is only through VPN (no specific equipment, everything must be reachable). There is no port forward. Using your suggested method the connection works.

''''''Remember if you have
add action=accept chain=forward src-address=Faux IP vpn out-interface=LAN, you has admin from the vpn tunnel can access all of the LAN,, no need for RDP rule or ICMP rule....''''
- Now I understand! I turned off RDP and ICMP. Yes, this rule works. Thanks, I'll test.
Anav, sorry for my English..

.
I wanted to ask: if I want to use a protection rule against port scan detection (techsoftcenter.com/how-to-prevent-mikrotik-brute-force-and-port-scanner-attacks), where should I put it? After the input established/related and drop invalid rules? Or before "Drop all else"?
 
anav
Forum Guru
Posts: 18958
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada
Contact:

Re: Audit my input firewall

Mon Sep 27, 2021 2:09 pm

Hi there,

1. Yes, port scanning is not required for your setup. It's more designed at the ISP level for those people running MTs providing IPs and services for users. Akin to edge router services....
The router setup you have is secure, and taking CPU resources for a fruitless exercise would be a waste.

2. As for the rule sets you have now, they are good.
The only slight change is as follows:

From
add action=accept chain=input comment=Allow-VPN src-address-list=Admin-IP
add action=accept chain=input comment=\
"Allow access to router from known network" in-interface-list=LAN \
src-address-list=Admin-IP


TO
add action=accept chain=input comment=Allow-VPN src-address-list=remotevpn
add action=accept chain=input comment=\
"Allow access to router from known network" in-interface-list=LAN \
src-address-list=Admin-IP



Where the firewall address list is
/ip firewall address-list add address=<IP of remote user> list=remotevpn
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

The reason being is that the second rule includes all the IPs under Admin-IP, but that is okay because they can only come from the local subnets (in-interface-list=LAN).
This is good because you don't want any of the IPs that describe your admin devices to be IPs that can come in direct from the WAN to hit your router.
Therefore using the Admin-IP list TO capture the remote address is not precise nor the best security approach. Best to detail the remote VPN rule separately in this case.

The first rule is open to both WAN and LAN, because the remote IP address doesn't belong to the in-interface-list, but we need a way of ensuring your remote address has access to config the router.
So let's say the remote address is 192.168.55.5

My concern was: what if someone was able to spoof that address and come in direct to the router from the WAN side (not through a tunnel)? One would think this rule would allow them access.
add chain=input action=accept src-address=192.168.55.5 (or src-address-list=remotevpn)
BUT
It does not, as was explained to me by someone with gobs of ipsec expertise.................
The IPSEC RULES also have properties of firewall rules, and the router thus inspects source and destination traffic based on ipsec entries.

In other words, the router would detect the IP address 192.168.55.5 attempting to enter the router on the WAN and would block it, as the router, via the IPSEC rules, knows that traffic from that source should ONLY be coming through the VPN tunnel. Hence the input chain rule above is valid.
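The three ordering and scoping points argued over in this thread (a "drop all else" rule restricted to in-interface-list=WAN, the Allow-VPN rule shadowing the LAN-scoped Admin-IP rule, and the worry about a spoofed 192.168.55.5 arriving straight from the WAN) can all be checked mechanically with a small first-match model of the input chain. This is an added example, not code from the thread or from MikroTik: interface-list membership, the address-list contents and the sample packets are constructed, the dynamic L2TP interface is assumed to be in neither list, and the model only covers filter matching, not the IPsec policy check anav refers to.

```python
"""Toy first-match model of a RouterOS input chain, added to illustrate the
ordering and scoping points in the thread.  Not code from the thread or from
MikroTik; list membership and sample packets are constructed assumptions."""
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Assumed membership, modelled on the configs posted in the thread.  "l2tp-in1"
# stands for the dynamic L2TP interface a VPN client lands on: it belongs to
# neither list, which is why a LAN-scoped admin rule never sees that client.
INTERFACE_LISTS = {"WAN": {"ether1"}, "LAN": {"ether2"}}
ADDRESS_LISTS = {
    # 192.168.55.5 is the VPN client's address from anav's example
    "Admin-IP": {"192.168.88.10", "192.168.55.5"},
}


@dataclass
class Packet:
    in_iface: str
    src: str
    proto: str = "tcp"
    dst_port: int = 8291  # Winbox


@dataclass
class Rule:
    action: str                          # "accept" or "drop"
    comment: str
    in_iface_list: Optional[str] = None  # "WAN", "LAN" or "!LAN"
    src_list: Optional[str] = None
    proto: Optional[str] = None
    dst_ports: Tuple[int, ...] = ()

    def matches(self, p: Packet) -> bool:
        if self.in_iface_list:
            negate = self.in_iface_list.startswith("!")
            members = INTERFACE_LISTS[self.in_iface_list.lstrip("!")]
            if (p.in_iface in members) == negate:
                return False
        if self.src_list and p.src not in ADDRESS_LISTS[self.src_list]:
            return False
        if self.proto and p.proto != self.proto:
            return False
        if self.dst_ports and p.dst_port not in self.dst_ports:
            return False
        return True


def evaluate(chain: List[Rule], p: Packet) -> Tuple[str, Optional[int]]:
    """First matching rule wins.  A packet that matches nothing is accepted:
    a RouterOS chain has no implicit deny, which is why the thread insists on
    an unconditional 'drop all else' as the final rule."""
    for i, rule in enumerate(chain):
        if rule.matches(p):
            return rule.action, i
    return "accept", None


def never_matched(chain: List[Rule], samples: List[Packet]) -> List[str]:
    """Comments of rules that none of the sample packets ever reaches,
    i.e. rules shadowed by an earlier, wider rule (or simply unused)."""
    hit = {evaluate(chain, p)[1] for p in samples}
    return [r.comment for i, r in enumerate(chain) if i not in hit]


ADMIN_LAN = Rule("accept", "admin from LAN", in_iface_list="LAN", src_list="Admin-IP")
DNS_LAN = Rule("accept", "DNS from LAN", in_iface_list="LAN", proto="udp", dst_ports=(53,))
ADMIN_ANY = Rule("accept", "Allow-VPN (no interface scope)", src_list="Admin-IP")
DROP_WAN_ONLY = Rule("drop", "drop all else, WAN only", in_iface_list="WAN")
DROP_ALL = Rule("drop", "drop all else")

SCOPED_DROP = [ADMIN_LAN, DNS_LAN, DROP_WAN_ONLY]    # johnson73's first attempt
FULL_DROP = [ADMIN_LAN, DNS_LAN, DROP_ALL]           # anav's correction
OVERLAP = [ADMIN_ANY, ADMIN_LAN, DNS_LAN, DROP_ALL]  # the overlapping pair anav questioned

# Constructed sample packets
LAN_GUEST = Packet("ether2", "192.168.88.50")       # LAN host not in Admin-IP, to Winbox
LAN_ADMIN = Packet("ether2", "192.168.88.10")
VPN_CLIENT = Packet("l2tp-in1", "192.168.55.5")     # admin arriving through the tunnel
SPOOFED = Packet("ether1", "192.168.55.5")          # same source address, straight from the WAN
DNS_QUERY = Packet("ether2", "192.168.88.50", "udp", 53)
SAMPLES = [LAN_GUEST, LAN_ADMIN, VPN_CLIENT, SPOOFED, DNS_QUERY]

if __name__ == "__main__":
    for name, chain in (("scoped drop", SCOPED_DROP), ("full drop", FULL_DROP), ("overlap", OVERLAP)):
        for p in SAMPLES:
            print(f"{name:12} {p.in_iface:9} {p.src:15} {p.proto}/{p.dst_port:<5} -> {evaluate(chain, p)}")
        print(f"{name:12} never matched: {never_matched(chain, SAMPLES)}")
```

Running it reproduces the thread: with the WAN-scoped drop, a LAN host that is not an admin reaches Winbox because nothing matches it, and the VPN client "works" for the same reason; with the unconditional drop, the VPN client is blocked until a rule for it is added; and with the unscoped Allow-VPN rule in front, the LAN-scoped admin rule is never reached, and the filter chain alone would also accept the spoofed packet from ether1.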
 
johnson73
Member Candidate
Posts: 173
Joined: Wed Feb 05, 2020 10:07 am

Re: Audit my input firewall

Mon Sep 27, 2021 3:26 pm

Anav, everything is fine :)
I mentioned earlier that I use an L2TP/IPsec connection. This is a passive connection. I don't use tunnel mode.
You have a lot of questions that I won't be able to answer at all :)
I'm inserting a screenshot of the VPN configuration. It will be easier. You may also find the following information useful.
If we use tunnel mode, then everything will be different. You will need to enter external IP addresses, and so on. That will be another story.