reevansxyz
just joined
Topic Author
Posts: 18
Joined: Sat Jul 02, 2022 7:49 pm
Location: Asia/Kuala_Lumpur

The one or the other?

Tue Aug 09, 2022 12:15 pm

Heya there MikroTik fam,

Which one of these methods of transparent dns proxy is the better option:
/ip firewall nat
  add chain=dstnat dst-port=53 protocol=udp to-addresses=10.17.1.1 action=dst-nat comment="transparent dns proxy"
/ipv6 firewall nat
  add chain=dstnat dst-port=53 protocol=udp to-address=fc00:1::1/128 action=dst-nat comment="transparent dns proxy"
vs
/ip firewall nat 
  add chain=dstnat protocol=udp dst-port=53 in-interface-list=LAN action=redirect comment="transparent dns proxy"
/ipv6 firewall nat 
  add chain=dstnat protocol=udp dst-port=53 in-interface-list=LAN action=redirect comment="transparent dns proxy"
& why?

Cheers,
Reev
 
Sob
Forum Guru
Posts: 9119
Joined: Mon Apr 20, 2009 9:11 pm

Re: The one or the other? [SOLVED]

Wed Aug 10, 2022 2:15 am

There's at least one functional difference: the latter will work only from interfaces listed in the "LAN" list (I guess it's probably what you want), while the former will catch traffic coming from anywhere. Aside from that, if those addresses in the first example are local, then AFAIK there's no difference.
 
reevansxyz
just joined
Topic Author
Posts: 18
Joined: Sat Jul 02, 2022 7:49 pm
Location: Asia/Kuala_Lumpur

Re: The one or the other?

Wed Aug 10, 2022 11:51 am

Hiya there Sob,

Thank you for explaining that to me! Aye, they're local; I suppose it would just be easier to use the interface list instead of manually addressing them.

Cheers,
Reev
 
Sob
Forum Guru
Posts: 9119
Joined: Mon Apr 20, 2009 9:11 pm

Re: The one or the other?

Wed Aug 10, 2022 9:15 pm

It seems to me that you're mixing different things. The in-interface-list=LAN is a condition, i.e. only packets coming from LAN will match, while to-addresses is part of the dst-nat action; it's the new destination. So the differences between the two configs are:

1) The first one doesn't have any extra conditions beyond protocol and port; the second one is only for connections from LAN.
2) The first one uses a specific local address as the new destination; the second one uses a random(?) local address. Services in RouterOS listen on all addresses anyway, so there shouldn't be any problem (unless you allow only a specific address with firewall filter rules).
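As an added example (not configuration from Sob's post or from the thread), the interface-list form of the redirect carried through to a complete setup: the DNS setting that makes the router answer LAN queries, a matching rule for TCP/53 (which the UDP-only rule in the thread leaves out, and which resolvers fall back to for truncated answers), and the commands used to confirm queries are actually being caught. The upstream resolver address is a placeholder.

```routeros
# Added example, not configuration from the thread. 192.0.2.53 is a placeholder upstream resolver.
# 1) The router must be willing to answer queries that arrive from the LAN.
#    allow-remote-requests=yes makes it answer on every interface, so it is the
#    input-chain rule "drop in-interface-list=!LAN" (present in the posted firewall)
#    that stops the router from becoming an open resolver on WAN.
/ip dns set allow-remote-requests=yes servers=192.0.2.53

# 2) Redirect DNS from LAN to the router itself. action=redirect is dst-nat to the
#    address of the interface the packet arrived on, so no to-addresses is needed and
#    the rule keeps working if the LAN address changes. Queries arriving on WAN never
#    match because of in-interface-list=LAN (Sob's first point above).
/ip firewall nat
add chain=dstnat in-interface-list=LAN protocol=udp dst-port=53 action=redirect comment="transparent dns proxy udp"
add chain=dstnat in-interface-list=LAN protocol=tcp dst-port=53 action=redirect comment="transparent dns proxy tcp"

# 3) The same for IPv6 (RouterOS v7 syntax, as used in the thread).
/ipv6 firewall nat
add chain=dstnat in-interface-list=LAN protocol=udp dst-port=53 action=redirect comment="transparent dns proxy udp"
add chain=dstnat in-interface-list=LAN protocol=tcp dst-port=53 action=redirect comment="transparent dns proxy tcp"

# 4) Verify: the rule counters must grow when a LAN host queries an external resolver
#    (e.g. one pointed at 8.8.8.8), and the tracked connection shows the rewritten
#    reply address, i.e. the router's own LAN address rather than the external one.
/ip firewall nat print stats where comment~"transparent dns proxy"
/ip firewall connection print where dst-address~":53"
/ip dns cache print
```

If the counters stay at zero while the client still resolves names, the client is not reaching port 53 over the LAN interface list at all (for example it is using DNS over HTTPS/TLS on another port), which this rule does not cover.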
 
reevansxyz
just joined
Topic Author
Posts: 18
Joined: Sat Jul 02, 2022 7:49 pm
Location: Asia/Kuala_Lumpur

Re: The one or the other?

Thu Aug 11, 2022 12:21 am

It seems to me that you're mixing different things. The in-interface-list=LAN is a condition, i.e. only packets coming from LAN will match, while to-addresses is part of the dst-nat action; it's the new destination. So the differences between the two configs are:

1) The first one doesn't have any extra conditions beyond protocol and port; the second one is only for connections from LAN.
2) The first one uses a specific local address as the new destination; the second one uses a random(?) local address. Services in RouterOS listen on all addresses anyway, so there shouldn't be any problem (unless you allow only a specific address with firewall filter rules).
This is what my firewall looks like:
#| IPv4 Firewall
#-------------------------------------------------------------------------------
/ip firewall{
  address-list add list=no_forward_ipv4 address=0.0.0.0/8 comment="RFC6890"
  address-list add list=no_forward_ipv4 address=169.254.0.0/16 comment="RFC6890"
  address-list add list=no_forward_ipv4 address=224.0.0.0/4 comment="multicast"
  address-list add list=no_forward_ipv4 address=255.255.255.255/32 comment="RFC6890"
  address-list add list=bad_ipv4 address=127.0.0.0/8 comment="RFC6890"
  address-list add list=bad_ipv4 address=192.0.0.0/24 comment="RFC6890"
  address-list add list=bad_ipv4 address=192.0.2.0/24 comment="RFC6890 documentation"
  address-list add list=bad_ipv4 address=198.51.100.0/24 comment="RFC6890 documentation"
  address-list add list=bad_ipv4 address=203.0.113.0/24 comment="RFC6890 documentation"
  address-list add list=bad_ipv4 address=240.0.0.0/4 comment="RFC6890 reserved"
  address-list add list=not_global_ipv4 address=0.0.0.0/8 comment="RFC6890"
  address-list add list=not_global_ipv4 address=10.0.0.0/8 comment="RFC6890"
  address-list add list=not_global_ipv4 address=100.64.0.0/10 comment="RFC6890"
  address-list add list=not_global_ipv4 address=169.254.0.0/16 comment="RFC6890"
  address-list add list=not_global_ipv4 address=172.16.0.0/12 comment="RFC6890"
  address-list add list=not_global_ipv4 address=192.0.0.0/29 comment="RFC6890"
  address-list add list=not_global_ipv4 address=192.168.0.0/16 comment="RFC6890"
  address-list add list=not_global_ipv4 address=198.18.0.0/15 comment="RFC6890 benchmark"
  address-list add list=not_global_ipv4 address=255.255.255.255/32 comment="RFC6890"
  address-list add list=bad_src_ipv4 address=224.0.0.0/4 comment="multicast"
  address-list add list=bad_src_ipv4 address=255.255.255.255/32 comment="RFC6890"
  address-list add list=bad_dst_ipv4 address=0.0.0.0/8 comment="RFC6890"
  address-list add list=bad_dst_ipv4 address=224.0.0.0/4 comment="RFC6890"
  filter add chain=input action=accept protocol=icmp comment="accept ICMP after RAW"
  filter add chain=input action=accept connection-state=established,related,untracked comment="accept established,related,untracked"
  filter add chain=input action=drop in-interface-list=!LAN comment="drop all not coming from LAN"
  filter add chain=forward action=accept ipsec-policy=in,ipsec disabled=yes comment="accept all that matches IPSec policy"
  filter add chain=forward action=fasttrack-connection connection-state=established,related comment="fasttrack"
  filter add chain=forward action=accept connection-state=established,related,untracked comment="accept established,related,untracked"
  filter add chain=forward action=drop connection-state=invalid comment="drop invalid"
  filter add chain=forward action=drop connection-nat-state=!dstnat connection-state=new in-interface-list=WAN comment="drop all from WAN not DSTNATed"
  filter add chain=forward action=drop src-address-list=no_forward_ipv4 comment="drop bad forward IPs"
  filter add chain=forward action=drop dst-address-list=no_forward_ipv4 comment="drop bad forward IPs"
  nat add chain=dstnat action=redirect protocol=udp dst-port=53 in-interface-list=LAN comment="transparent dns proxy"
  nat add chain=srcnat action=accept ipsec-policy=out,ipsec disabled=yes comment="accept all that matches IPSec policy"
  nat add chain=srcnat action=masquerade out-interface-list=WAN comment="masquerade"
  raw add chain=prerouting action=accept disabled=yes comment="enable for transparent firewall"
  raw add chain=prerouting action=accept dst-address=255.255.255.255 dst-port=67 in-interface-list=LAN protocol=udp src-address=0.0.0.0 src-port=68 comment="accept DHCP discover"
  raw add chain=prerouting action=drop src-address-list=bad_ipv4 comment="drop bogon IP's"
  raw add chain=prerouting action=drop dst-address-list=bad_ipv4 comment="drop bogon IP's"
  raw add chain=prerouting action=drop src-address-list=bad_src_ipv4 comment="drop bogon IP's"
  raw add chain=prerouting action=drop dst-address-list=bad_dst_ipv4 comment="drop bogon IP's"
  raw add chain=prerouting action=drop src-address-list=not_global_ipv4 in-interface-list=WAN comment="drop non global from WAN"
  raw add chain=prerouting action=drop in-interface-list=WAN dst-address=10.17.0.0/16 comment="drop forward to local lan from WAN"
  raw add chain=prerouting action=drop in-interface-list=LAN src-address=!10.17.0.0/16 comment="drop local if not from default IP range"
  raw add chain=prerouting action=drop port=0 protocol=udp comment="drop bad UDP"
  raw add chain=prerouting action=jump jump-target=icmp4 protocol=icmp comment="jump to ICMP chain"
  raw add chain=prerouting action=jump jump-target=bad_tcp protocol=tcp comment="jump to TCP chain"
  raw add chain=prerouting action=accept in-interface-list=LAN comment="accept everything else from LAN"
  raw add chain=prerouting action=accept in-interface-list=WAN comment="accept everything else from WAN"
  raw add chain=prerouting action=drop comment="drop the rest"
  raw add chain=bad_tcp action=drop protocol=tcp tcp-flags=!fin,!syn,!rst,!ack comment="TCP flag filter"
  raw add chain=bad_tcp action=drop protocol=tcp tcp-flags=fin,syn comment="TCP flag filter"
  raw add chain=bad_tcp action=drop protocol=tcp tcp-flags=fin,rst comment="TCP flag filter"
  raw add chain=bad_tcp action=drop protocol=tcp tcp-flags=fin,!ack comment="TCP flag filter"
  raw add chain=bad_tcp action=drop protocol=tcp tcp-flags=fin,urg comment="TCP flag filter"
  raw add chain=bad_tcp action=drop protocol=tcp tcp-flags=syn,rst comment="TCP flag filter"
  raw add chain=bad_tcp action=drop protocol=tcp tcp-flags=rst,urg comment="TCP flag filter"
  raw add chain=bad_tcp action=drop port=0 protocol=tcp comment="TCP port 0 drop"
}

#| IPv6 Firewall
#-------------------------------------------------------------------------------
/ipv6 firewall{
  address-list add list=no_forward_ipv6 address=fe80::/10 comment="RFC6890 Link-Scoped Unicast"
  address-list add list=no_forward_ipv6 address=ff00::/8 comment="multicast"
  address-list add list=bad_ipv6 address=::1/128 comment="RFC6890 lo"
  address-list add list=bad_ipv6 address=::ffff:0:0/96 comment="RFC6890 IPv4 mapped"
  address-list add list=bad_ipv6 address=2001::/23 comment="RFC6890"
  address-list add list=bad_ipv6 address=2001:db8::/32 comment="RFC6890 documentation"
  address-list add list=bad_ipv6 address=2001:10::/28 comment="RFC6890 orchid"
  address-list add list=bad_ipv6 address=::/96 comment="ipv4 compat"
  address-list add list=not_global_ipv6 address=100::/64 comment="RFC6890 Discard-only"
  address-list add list=not_global_ipv6 address=2001::/32 comment="RFC6890 TEREDO"
  address-list add list=not_global_ipv6 address=2001:2::/48 comment="RFC6890 benchmark"
  address-list add list=not_global_ipv6 address=fc00::/7 comment="RFC6890 Unique-Local"
  address-list add list=bad_dst_ipv6 address=::/128 comment="unspecified"
  address-list add list=bad_src_ipv6 address=::/128 comment="unspecified"
  address-list add list=bad_src_ipv6 address=ff00::/8 comment="multicast"
  filter add chain=input action=accept protocol=icmpv6 comment="accept ICMPv6 after RAW"
  filter add chain=input action=accept connection-state=established,related,untracked comment="accept established,related,untracked"
  filter add chain=input action=accept port=33434-33534 protocol=udp comment="accept UDP traceroute"
  filter add chain=input action=accept dst-port=546 protocol=udp src-address=fe80::/16 comment="accept DHCPv6-Client prefix delegation."
  filter add chain=input action=accept dst-port=500,4500 protocol=udp comment="accept IKE"
  filter add chain=input action=accept protocol=ipsec-ah comment="accept IPSec AH"
  filter add chain=input action=accept protocol=ipsec-esp comment="accept IPSec ESP"
  filter add chain=input action=drop in-interface-list=!LAN comment="drop all not coming from LAN"
  filter add chain=forward action=accept connection-state=established,related,untracked comment="accept established,related,untracked"
  filter add chain=forward action=drop connection-state=invalid comment="drop invalid"
  filter add chain=forward action=drop src-address-list=no_forward_ipv6 comment="drop bad forward IPs"
  filter add chain=forward action=drop dst-address-list=no_forward_ipv6 comment="drop bad forward IPs"
  filter add chain=forward action=drop hop-limit=equal:1 protocol=icmpv6 comment="rfc4890 drop hop-limit=1"
  filter add chain=forward action=accept protocol=icmpv6 comment="accept ICMPv6 after RAW"
  filter add chain=forward action=accept protocol=139 comment="accept HIP"
  filter add chain=forward action=accept protocol=udp dst-port=500,4500 comment="accept IKE"
  filter add chain=forward action=accept protocol=ipsec-ah comment="accept AH"
  filter add chain=forward action=accept protocol=ipsec-esp comment="accept ESP"
  filter add chain=forward action=accept ipsec-policy=in,ipsec comment="accept all that matches IPSec policy"
  filter add chain=forward action=drop in-interface-list=!LAN comment="drop everything else not coming from LAN"
  nat add chain=dstnat action=redirect protocol=udp dst-port=53 in-interface-list=LAN comment="transparent dns proxy"
  raw add chain=prerouting action=accept disabled=yes comment="enable for transparent firewall"
  raw add chain=prerouting action=accept src-address=::/128 dst-address=ff02:0:0:0:0:1:ff00::/104 icmp-options=135 protocol=icmpv6 comment="RFC4291, section 2.7.1"
  raw add chain=prerouting action=drop src-address-list=bad_ipv6 comment="drop bogon IP's"
  raw add chain=prerouting action=drop dst-address-list=bad_ipv6 comment="drop bogon IP's"
  raw add chain=prerouting action=drop src-address-list=bad_src_ipv6 comment="drop packets with bad SRC ipv6"
  raw add chain=prerouting action=drop dst-address-list=bad_dst_ipv6 comment="drop packets with bad dst ipv6"
  raw add chain=prerouting action=drop src-address-list=not_global_ipv6 in-interface-list=WAN comment="drop non global from WAN"
  raw add chain=prerouting action=jump jump-target=icmp6 protocol=icmpv6 comment="jump to ICMPv6 chain"
  raw add chain=prerouting action=accept dst-address=ff02::/16 comment="accept local multicast scope"
  raw add chain=prerouting action=drop dst-address=ff00::/8 comment="drop other multicast destinations"
  raw add chain=prerouting action=accept in-interface-list=WAN comment="accept everything else from WAN"
  raw add chain=prerouting action=accept in-interface-list=LAN comment="accept everything else from LAN"
  raw add chain=prerouting action=drop comment="drop the rest"
}
