I don't know what else to check, and I don't know what I am doing wrong. I configured the RB2011 firewall the same way I configured the RB450G and some others.
I used 9 ports as LAN ports, put them into a bridge, and used 1 port (port 10) as the WAN port (PPPoE connection configured). I want to block Winbox on that WAN port — not on the PPPoE interface, but on the physical WAN port. If I connect an Ethernet cable directly to the RB on that WAN port and connect through the MAC address, I want that to be blocked.
Usually my firewall was configured to block Winbox traffic on ports where it is not explicitly allowed, but I happened to notice here that this is not the case.
So I added rules to explicitly block Winbox on that port and put them as the first rules in the firewall.
# Two input-chain drops for the Winbox-related UDP ports on the physical WAN
# port: 5678 (MikroTik neighbor discovery) and 20561 (MAC-Winbox/MAC-Telnet).
# NOTE(review): these are IP-layer filter matches. Reachability of the MAC
# server is configured under /tool mac-server (and its mac-winbox sub-menu),
# and discovery under /ip neighbor discovery; neither is part of the filter, so
# a rule counter incrementing here does not by itself stop the service from
# answering - confirm both are restricted to the LAN bridge rather than "all".
add action=drop chain=input dst-port=5678 in-interface="WAN(eth10)" protocol=\
udp
add action=drop chain=input comment="Disable Winbox on WAN port" dst-port=\
20561 in-interface="WAN(eth10)" protocol=udp
I can still connect with Winbox. What is even stranger is that I see a lot of packets matching those rules, yet I can still connect with Winbox and change the configuration.
What am I doing wrong?
I thought that maybe it has something to do with the two port groups (1-5 and 6-10), and that ports inside a group are automatically switched. Since Winbox is allowed on ports 6-9, maybe that is carried over to port 10 as well? It sounds stupid to me, but I don't know what else to think.
Here is the compact configuration:
# jan/01/2002 02:10:02 by RouterOS 5.22
# software id = KHRA-3DJ0
#
# Compact export: only non-default values are listed. Anything left at its
# default (e.g. /tool mac-server, /interface ethernet master-port) is NOT shown
# here and must be checked on the device directly.
# Single LAN bridge of eth1-eth9 plus wlan1. proxy-arp on the bridge answers
# ARP on behalf of addresses not on the segment - presumably for the VPN pool
# (192.168.1.201-220) that lives inside the LAN /24; confirm it is needed.
/interface bridge
add arp=proxy-arp name="BRIDGE1(eth1,2,3,4,5,6,7,8,9,wlan1)" protocol-mode=\
rstp
# Descriptive names only; eth10 is the physical WAN port and is NOT a bridge
# member (see /interface bridge port below).
/interface
set "LAN(eth1)" name="LAN(eth1)"
set "LAN(eth2)" name="LAN(eth2)"
set "LAN(eth3)" name="LAN(eth3)"
set "LAN(eth4)" name="LAN(eth4)"
set "LAN(eth5)" name="LAN(eth5)"
set "LAN(eth6)" name="LAN(eth6)"
set "LAN(eth7)" name="LAN(eth7)"
set "LAN(eth8)" name="LAN(eth8)"
set "LAN(eth9)" name="LAN(eth9)"
set "WAN(eth10)" name="WAN(eth10)"
# PPPoE client on top of eth10; it installs the default route, so Internet
# traffic enters and leaves on PPPoE-ADSL, not on "WAN(eth10)" itself. Rules
# that match the physical port only see traffic addressed to the port directly.
/interface pppoe-client
add add-default-route=yes disabled=no interface="WAN(eth10)" name=PPPoE-ADSL \
use-peer-dns=yes
# Wireless: profile "secure" still accepts WPA1 (wpa-psk) and TKIP alongside
# WPA2/AES-CCM; keys are redacted in this post. Consider wpa2-psk + aes-ccm only.
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
add authentication-types=wpa-psk,wpa2-psk eap-methods=passthrough \
group-ciphers=tkip,aes-ccm management-protection=allowed mode=\
dynamic-keys name=secure supplicant-identity="" unicast-ciphers=\
tkip,aes-ccm wpa-pre-shared-key=xxxxxx wpa2-pre-shared-key=xxxxxxxxx
/interface wireless
set 0 band=2ghz-b/g/n channel-width=20/40mhz-ht-above disabled=no frequency=\
2427 l2mtu=2290 mode=ap-bridge radio-name=Xxxx security-profile=secure \
ssid=Xxxx wireless-protocol=802.11
# Hotspot profile tweak; no hotspot server is defined in this export.
/ip hotspot user profile
set [ find default=yes ] idle-timeout=none keepalive-timeout=2m
# IPsec proposal allows MD5; no IPsec peers/policies appear in this export, so
# this is presumably unused - if IPsec is added later, drop md5.
/ip ipsec proposal
set [ find default=yes ] auth-algorithms=md5,sha1
# DHCP pool and VPN pool share the LAN /24 (.100-.199 vs .201-.220).
/ip pool
add name=dhcp_pool1 ranges=192.168.1.100-192.168.1.199
add name=VPN_sve ranges=192.168.1.201-192.168.1.220
/ip dhcp-server
add address-pool=dhcp_pool1 disabled=no interface=\
"BRIDGE1(eth1,2,3,4,5,6,7,8,9,wlan1)" lease-time=8h name=dhcp1
# PPP profile for VPN users: router side .200, clients from VPN_sve.
# "set 2" refers to a profile by index - presumably default-encryption; verify.
/ppp profile
add change-tcp-mss=yes local-address=192.168.1.200 name=VPN_sve \
remote-address=VPN_sve use-encryption=yes
set 2 local-address=10.60.1.1
# Firewall log goes to disk (3 files x 30000 lines), used by /system logging.
/system logging action
add disk-file-count=3 disk-file-name=Firewall_log disk-lines-per-file=30000 \
name=Firewall target=disk
# NOTE(review): User Manager "admin" customer with an EMPTY password
# (password=""). If the User Manager web UI is reachable (80/tcp is allowed
# from LAN and the VPN), set a password or remove this account.
/tool user-manager customer
add backup-allowed=yes disabled=no login=admin password="" \
paypal-accept-pending=no paypal-allowed=no paypal-secure-response=no \
permissions=owner signup-allowed=no time-zone=-00:00
/interface bridge port
add bridge="BRIDGE1(eth1,2,3,4,5,6,7,8,9,wlan1)" interface="LAN(eth2)"
add bridge="BRIDGE1(eth1,2,3,4,5,6,7,8,9,wlan1)" interface="LAN(eth3)"
add bridge="BRIDGE1(eth1,2,3,4,5,6,7,8,9,wlan1)" interface="LAN(eth1)"
add bridge="BRIDGE1(eth1,2,3,4,5,6,7,8,9,wlan1)" interface=wlan1
add bridge="BRIDGE1(eth1,2,3,4,5,6,7,8,9,wlan1)" interface="LAN(eth4)"
add bridge="BRIDGE1(eth1,2,3,4,5,6,7,8,9,wlan1)" interface="LAN(eth5)"
add bridge="BRIDGE1(eth1,2,3,4,5,6,7,8,9,wlan1)" interface="LAN(eth6)"
add bridge="BRIDGE1(eth1,2,3,4,5,6,7,8,9,wlan1)" interface="LAN(eth7)"
add bridge="BRIDGE1(eth1,2,3,4,5,6,7,8,9,wlan1)" interface="LAN(eth8)"
add bridge="BRIDGE1(eth1,2,3,4,5,6,7,8,9,wlan1)" interface="LAN(eth9)"
# VPN servers. Only PPTP is explicitly enabled here (L2TP and SSTP just get
# their auth set). PPTP with MS-CHAPv2/MPPE is widely regarded as weak; it is
# also the VPN exposed to the Internet in Public-services_1.
/interface l2tp-server server
set authentication=mschap2 default-profile=default
/interface pptp-server server
set authentication=mschap2 enabled=yes
/interface sstp-server server
set authentication=mschap1,mschap2 default-profile=default-encryption
/ip address
add address=192.168.1.2/24 interface="BRIDGE1(eth1,2,3,4,5,6,7,8,9,wlan1)"
/ip dhcp-server network
add address=192.168.1.0/24 dns-server=192.168.1.2 gateway=192.168.1.2 \
netmask=24
# allow-remote-requests=yes makes the router a resolver on every interface;
# exposure is limited only by the filter (53 is opened in "LAN services", not
# in Public-services_1) - keep that in mind when editing the filter.
/ip dns
set allow-remote-requests=yes max-udp-packet-size=512 servers=\
85.114.32.7,85.114.32.8
# Address lists used by the filter: LAN, illegal_addr (bogons; note the
# 172.16.0.0/12 entry is disabled) and VPN (matches VPN_sve plus the .200
# router-side address). NOTE(review): no "local_addr" list is defined although
# the mangle rule below references one.
/ip firewall address-list
add address=192.168.1.0/24 list=LAN
add address=0.0.0.0/8 list=illegal_addr
add address=10.0.0.0/8 list=illegal_addr
add address=127.0.0.0/8 list=illegal_addr
add address=169.254.0.0/16 list=illegal_addr
add address=172.16.0.0/12 disabled=yes list=illegal_addr
add address=192.0.2.0/24 list=illegal_addr
add address=192.168.0.0/16 list=illegal_addr
add address=198.18.0.0/15 list=illegal_addr
add address=192.0.0.0/24 list=illegal_addr
add address=198.51.100.0/24 list=illegal_addr
add address=203.0.113.0/24 list=illegal_addr
add address=224.0.0.0/3 list=illegal_addr
add address=192.168.1.200-192.168.1.220 list=VPN
/ip firewall filter
# --- Poster's explicit Winbox drops for the physical WAN port ---
# NOTE(review): input traffic arriving on "WAN(eth10)" already ends in the
# final "Drop everything else" jump of the input chain (service jumps exist
# only for the bridge, PPPoE-ADSL and the VPN list), so these two rules add
# nothing the filter did not already do. Counters rising while MAC-Winbox still
# connects points at the service answering outside the IP filter: check
# /tool mac-server (mac-winbox sub-menu) and /ip neighbor discovery, where in
# this export only wlan1 is excluded. Whether eth10 is a switch-chip slave of a
# port in 6-9 (master-port) is not visible in a compact export - verify on box.
add action=drop chain=input dst-port=5678 in-interface="WAN(eth10)" protocol=\
udp
add action=drop chain=input comment="Disable Winbox on WAN port" dst-port=\
20561 in-interface="WAN(eth10)" protocol=udp
# Logs EVERY ICMP packet to the router, with no limit (the accept further down
# is limited to 5 pps; this log rule is not) - an ICMP flood fills the log.
add action=log chain=input comment="Allow limited PING reguests (5pps)" \
log-prefix=ICMP_PING protocol=icmp
# Bridge-to-bridge forwarding is accepted before the sanity check on purpose
# (the sanity check would drop LAN-internal destinations).
add chain=forward comment="Allow traffic between clients on LAN (would not pas\
s illegal dest. addr. in sanity-check)" in-interface=\
"BRIDGE1(eth1,2,3,4,5,6,7,8,9,wlan1)" out-interface=\
"BRIDGE1(eth1,2,3,4,5,6,7,8,9,wlan1)"
add action=jump chain=forward comment="Sanity check forward" jump-target=\
sanity-check
# NOTE(review): the two LAN<->VPN rule pairs below are exact duplicates; the
# second pair can never match anything the first pair did not already accept.
add chain=forward comment=\
"LAN to VPN traffic (accepted in established connection in sanity-check)" \
dst-address-list=VPN src-address-list=LAN
add chain=forward comment="VPN to LAN traffic (accepted in established connec\
tion in sanity-check)" dst-address-list=LAN src-address-list=VPN
add chain=forward comment=\
"LAN to VPN traffic (accepted in established connection in sanity-check)" \
dst-address-list=VPN src-address-list=LAN
add chain=forward comment="VPN to LAN traffic (accepted in established connec\
tion in sanity-check)" dst-address-list=LAN src-address-list=VPN
# Outbound Internet traffic is matched on the PPPoE interface (correct, since
# PPPoE-ADSL holds the default route) - compare with the NAT rule, which is
# bound to the physical port instead.
add chain=forward comment="LAN to WAN traffic" in-interface=\
"BRIDGE1(eth1,2,3,4,5,6,7,8,9,wlan1)" out-interface=PPPoE-ADSL
add action=jump chain=forward comment=\
"Drop everything that is not explicitly forwarded" jump-target=drop
# --- sanity-check chain (shared by forward and input) ---
# Keys on packet-mark illegal-nat-traversal from /ip firewall mangle, whose
# rule matches dst-address-list=local_addr. No list of that name exists in this
# export, so nothing is ever marked and this rule currently never fires.
add action=jump chain=sanity-check comment="Deny illegal NAT Traversal" \
jump-target=drop packet-mark=illegal-nat-traversal
# Neighbor discovery / MAC-Winbox broadcasts from the LAN bridge are accepted
# here; these two rules are why Winbox works on eth1-9 (the bridge), and they
# do not cover eth10.
add chain=input comment="Allow the router to be visible via Neighbor Disovery \
to WinBox on LAN port" dst-address=255.255.255.255 dst-port=5678 \
in-interface="BRIDGE1(eth1,2,3,4,5,6,7,8,9,wlan1)" protocol=udp
add chain=input comment="LAN services - WinBox MAC on LAN port (20561/UDP)" \
dst-address=255.255.255.255 dst-port=20561 in-interface=\
"BRIDGE1(eth1,2,3,4,5,6,7,8,9,wlan1)" protocol=udp
# Scan detection: offending sources land in blocked-addr for 1 day. Because the
# source address is taken as-is, a spoofed source can be blacklisted by a
# third party - acceptable for 1 day, but worth knowing.
add action=add-src-to-address-list address-list=blocked-addr \
address-list-timeout=1d chain=sanity-check comment="Block port scans" \
protocol=tcp psd=84,3s,3,1
# NOTE(review): this flag set requires both fin and !fin, so the rule can never
# match; the usual Xmas pattern is fin,psh,urg with !syn,!rst,!ack.
add action=add-src-to-address-list address-list=blocked-addr \
address-list-timeout=1d chain=sanity-check comment="Block TCP Xmas Scan" \
protocol=tcp tcp-flags=fin,psh,urg,!fin,!rst,!ack
add action=add-src-to-address-list address-list=blocked-addr \
address-list-timeout=1d chain=sanity-check comment="Block TCP NULL Scan" \
protocol=tcp tcp-flags=!fin,!syn,!rst,!psh,!ack,!urg
add action=jump chain=sanity-check comment=\
"Drop everything that is in bloc-addr list" jump-target=drop \
src-address-list=blocked-addr
add action=jump chain=sanity-check comment="Drop TCP RST" jump-target=drop \
protocol=tcp tcp-flags=rst
add action=jump chain=sanity-check comment="Drop TCP SYN+FIN" jump-target=\
drop protocol=tcp tcp-flags=fin,syn
add action=jump chain=sanity-check comment=\
"Drop invalid connections immediately" connection-state=invalid \
jump-target=drop
# SSH brute-force ladder: every new 22/tcp connection enters ssh_stage1; a 4th
# attempt within the timeouts lands in ssh_blacklist (2 days, dropped silently
# above). The "SSH trying to login" rule is disabled and only keeps a tally.
add action=drop chain=sanity-check comment=\
"Drop everything that is in SSH black list (without logging)" \
src-address-list=ssh_blacklist
add action=add-src-to-address-list address-list=ssh_login \
address-list-timeout=2d chain=sanity-check comment="SSH trying to login" \
connection-state=new disabled=yes dst-port=22 protocol=tcp
add action=add-src-to-address-list address-list=ssh_blacklist \
address-list-timeout=2d chain=sanity-check comment=\
"SSH brute force attack - 4. login - blacklist" connection-state=new \
dst-port=22 protocol=tcp src-address-list=ssh_stage3
add action=add-src-to-address-list address-list=ssh_stage3 \
address-list-timeout=30s chain=sanity-check comment=\
"SSH brute force attack - 3. login" connection-state=new dst-port=22 \
protocol=tcp src-address-list=ssh_stage2
add action=add-src-to-address-list address-list=ssh_stage2 \
address-list-timeout=1m chain=sanity-check comment=\
"SSH brute force attacks - 2. login" connection-state=new dst-port=22 \
protocol=tcp src-address-list=ssh_stage1
add action=add-src-to-address-list address-list=ssh_stage1 \
address-list-timeout=1m chain=sanity-check comment=\
"SSH brute force attacks - 1. login" connection-state=new dst-port=22 \
protocol=tcp
# Established/related are accepted inside sanity-check, i.e. before any of the
# per-interface service chains - the service chains only ever see new flows.
add chain=sanity-check comment="Accept established connections" \
connection-state=established
add chain=sanity-check comment="Accept related connections" connection-state=\
related
add action=drop chain=sanity-check comment=\
"Drop NetBios traffic without logging" dst-port=137-138 protocol=udp
add action=log chain=sanity-check comment="Log broadcast, multicast packets" \
disabled=yes dst-address-type=broadcast,multicast log-prefix=\
sanity-check_25
add action=jump chain=sanity-check comment=\
"Drop broadcast, multicast packets" dst-address-type=broadcast,multicast \
jump-target=drop
add action=jump chain=sanity-check comment=\
"Drop illegal destination addresses (packet coming to LAN interface)" \
dst-address-list=illegal_addr dst-address-type=!local in-interface=\
"BRIDGE1(eth1,2,3,4,5,6,7,8,9,wlan1)" jump-target=drop
add action=jump chain=sanity-check comment="Drop everything that comes to LAN \
interface, but not with LAN source address" in-interface=\
"BRIDGE1(eth1,2,3,4,5,6,7,8,9,wlan1)" jump-target=drop src-address-list=\
!LAN
# DISABLED: WAN-side anti-spoofing is off. Even when enabled it matches the
# physical port, whereas Internet traffic arrives on PPPoE-ADSL (see the
# Public-services_1 jump below), so it would need in-interface=PPPoE-ADSL to
# have any effect on Internet-sourced packets.
add action=jump chain=sanity-check comment=\
"Drop packets with illegal source addresses that come to WAN interface" \
disabled=yes in-interface="WAN(eth10)" jump-target=drop src-address-list=\
illegal_addr
add action=jump chain=sanity-check comment=\
"Drop all traffic that comes from broadcast or multicast address" \
jump-target=drop src-address-type=broadcast,multicast
# --- input chain proper ---
add chain=input comment="Allow local traffice between Router's application" \
dst-address-type=local src-address-type=local
add action=jump chain=input comment="Enabling DHCP (would not pass sanity-chec\
\_so enabling it explicitly before other checks)" in-interface=\
"BRIDGE1(eth1,2,3,4,5,6,7,8,9,wlan1)" jump-target=dhcp port=67,68 \
protocol=udp
add action=jump chain=input comment="Jump to Sanity Check" jump-target=\
sanity-check
add action=jump chain=input comment="Drop all packets in input chain that go t\
o router itself, but do not have destination IP of router itself (includin\
g broadcast traffic)" dst-address-type=!local jump-target=drop
add chain=input comment="Allow limited PING reguests (5pps)" icmp-options=8 \
limit=5,5 protocol=icmp
# Per-source service chains: bridge -> "LAN services", PPPoE -> Public, VPN list
# -> "VPN services". Traffic entering on "WAN(eth10)" directly matches none of
# these and falls through to the final drop.
add action=jump chain=input comment="Allowed services on LAN network" \
in-interface="BRIDGE1(eth1,2,3,4,5,6,7,8,9,wlan1)" jump-target=\
"LAN services"
add action=jump chain=input comment=\
"Allowed services from Internet to WAN Public Interface" in-interface=\
PPPoE-ADSL jump-target=Public-services_1
add action=jump chain=input comment=\
"Allowed services from VPN to Router itself" jump-target="VPN services" \
src-address-list=VPN
add action=jump chain=input comment="Drop everything else" jump-target=drop
add chain=dhcp comment=\
"DHCP - accept broadcast packets from 0.0.0.0 source address" \
dst-address=255.255.255.255 src-address=0.0.0.0
add chain=dhcp comment="DHCP - accept packets from source address 0.0.0.0 to b\
e resolved in router - DHCP service" dst-address-type=local src-address=\
0.0.0.0
add chain=dhcp comment="DHCP - allow packets with source IP from LAN to be res\
olved in router (DHCP renewal)" dst-address-type=local src-address-list=\
LAN
# Services reachable from the LAN bridge. FTP and HTTP are clear-text; SNMP
# uses the community configured under /snmp.
add chain="LAN services" comment="LAN services - SSH (22/TCP)" dst-port=22 \
protocol=tcp
add chain="LAN services" comment="LAN services - DNS (53/UDP)" dst-port=53 \
protocol=udp
add chain="LAN services" comment="LAN services - DNS (53/TCP) - additionally" \
dst-port=53 protocol=tcp
add chain="LAN services" comment="LAN services - HTTP (Web) Proxy (3128/TCP)" \
disabled=yes dst-port=3128 protocol=tcp
add chain="LAN services" comment=\
"LAN services - Mikrotik Neighbour Discovery Protocol (5678/UDP)" \
dst-port=5678 protocol=udp
add chain="LAN services" comment="LAN services - WinBox (8291/TCP)" dst-port=\
8291 protocol=tcp
add chain="LAN services" comment="LAN services - SNMP management (161/UDP)" \
dst-port=161 protocol=udp
add chain="LAN services" comment="LAN services - FTP (21/TCP)" dst-port=21 \
protocol=tcp
add chain="LAN services" comment="LAN services - HTTP (80/TCP)" dst-port=80 \
protocol=tcp
add chain="LAN services" comment="LAN services - NTP server (123/UDP)" \
disabled=yes dst-port=123 protocol=udp
add action=log chain="LAN services" comment="LAN services - Temporary log" \
log-prefix="LAN services_56:"
add action=drop chain="LAN services" comment=\
"LAN services - Drop everything else"
# Services exposed to the Internet (via PPPoE-ADSL): SSH, PPTP control and GRE.
# The PPTP rule's comment says UDP but it matches TCP, which is the correct
# protocol for 1723 - the comment is what is wrong.
add chain=Public-services_1 comment="Public-services_1 - SSH (22/TCP)" \
dst-port=22 protocol=tcp
add chain=Public-services_1 comment=\
"Public-services_1 - PPTP - VPN (1723/UDP)" dst-port=1723 protocol=tcp
add chain=Public-services_1 comment="Public-services_1 - GRE for PPTP - VPN" \
protocol=gre
add action=log chain=Public-services_1 comment=\
"Public-services_1 services - Temporary log" log-prefix=\
Public-servics_1_65:
add action=drop chain=Public-services_1 comment=\
"Public-services_1 - Drop everything else"
# Services reachable from VPN clients (matched by source address list, so a
# VPN client gets these regardless of the interface it arrives on).
add chain="VPN services" comment="VPN services - SSH (22/TCP)" dst-port=22 \
protocol=tcp
add chain="VPN services" comment=\
"VPN services - DNS (53/UDP) (otherwise mail forward doesn't work)" \
disabled=yes dst-port=53 protocol=udp
add chain="VPN services" comment=\
"VPN services - Mikrotik Neighbour Discovery Protocol (5678/UDP)" \
dst-port=5678 protocol=udp
add chain="VPN services" comment="VPN services - WinBox (8291/TCP)" dst-port=\
8291 protocol=tcp
add chain="VPN services" comment="VPN services - SNMP management (161/UDP)" \
dst-port=161 protocol=udp
add chain="VPN services" comment="VPN services - FTP (21/TCP)" dst-port=21 \
protocol=tcp
add action=log chain="VPN services" comment="VPN services - Temporary log" \
log-prefix="VPN services_75:"
add action=drop chain="VPN services" comment=\
"VPN services - Drop DNS packets without logging" dst-port=53 protocol=\
udp
add action=drop chain="VPN services" comment=\
"VPN services - Drop everything else"
# Shared drop chain: NetBIOS is dropped quietly, everything else is logged
# with prefix drop_77: and then dropped.
add action=drop chain=drop comment="Drop NetBios traffic without logging" \
dst-port=137-138 protocol=udp
add action=log chain=drop comment="Drop - Log before dropping" log-prefix=\
drop_77:
add action=drop chain=drop comment="Drop everything else"
/ip firewall mangle
# Marks WAN-ingress packets whose destination is in address-list local_addr.
# NOTE(review): local_addr is not defined under /ip firewall address-list in
# this export (only LAN, illegal_addr and VPN are), so nothing is ever marked
# and the "Deny illegal NAT Traversal" filter rule that keys on this mark is
# effectively dead. Also matches the physical port, not PPPoE-ADSL.
add action=mark-packet chain=prerouting comment=\
"Detect packets with illegal destination IP (NAT-Traversal)" \
dst-address-list=local_addr in-interface="WAN(eth10)" new-packet-mark=\
illegal-nat-traversal passthrough=no
/ip firewall nat
# Masquerade is bound to the physical port, while the PPPoE client holds the
# default route (add-default-route=yes) and the forward rule "LAN to WAN
# traffic" uses out-interface=PPPoE-ADSL - confirm which interface really
# carries outbound traffic. to-addresses=0.0.0.0 is unusual for masquerade.
add action=masquerade chain=srcnat out-interface="WAN(eth10)" to-addresses=\
0.0.0.0
/ip neighbor discovery
# Only wlan1 is excluded; "WAN(eth10)" still takes part in neighbor discovery
# (5678/udp), which is what lets Winbox list the router on that port. This
# menu, not the IP filter, is where discovery on the WAN port is switched off.
set wlan1 disabled=yes
/ppp secret
# PPTP account. The password is identical to the login name and appears in
# clear text in the export - change it, and redact secrets before sharing.
add name=Doma password=Doma profile=VPN_sve service=pptp
/snmp
# SNMP is enabled with the well-known "public" trap community; 161/udp is
# opened from LAN and VPN in the filter. The read community is not shown in
# this export - confirm it is not left at its default either.
set enabled=yes trap-community=public
/system clock
set time-zone-name=Europe/Zagreb
/system identity
set name=Doma_RB2011
# LCD disabled; all LCD pages disabled.
/system lcd
set contrast=0 enabled=no port=parallel type=24x4
/system lcd page
set time disabled=yes display-time=5s
set resources disabled=yes display-time=5s
set uptime disabled=yes display-time=5s
set packets disabled=yes display-time=5s
set bits disabled=yes display-time=5s
set version disabled=yes display-time=5s
set identity disabled=yes display-time=5s
set PPPoE-ADSL disabled=yes display-time=5s
set "BRIDGE1(eth1,2,3,4,5,6,7,8,9,wlan1)" disabled=yes display-time=5s
set wlan1 disabled=yes display-time=5s
set sfp1 disabled=yes display-time=5s
set "LAN(eth1)" disabled=yes display-time=5s
set "LAN(eth2)" disabled=yes display-time=5s
set "LAN(eth3)" disabled=yes display-time=5s
set "LAN(eth4)" disabled=yes display-time=5s
set "LAN(eth5)" disabled=yes display-time=5s
set "LAN(eth6)" disabled=yes display-time=5s
set "LAN(eth7)" disabled=yes display-time=5s
set "LAN(eth8)" disabled=yes display-time=5s
set "LAN(eth9)" disabled=yes display-time=5s
set "WAN(eth10)" disabled=yes display-time=5s
# Logging: firewall topic goes to the disk action "Firewall" (defined above);
# critical/error/system are duplicated to disk and memory. The disabled
# "topics=firewall" entry is a leftover.
/system logging
set 0 action=echo topics=info,!firewall
add disabled=yes topics=firewall
add action=disk topics=critical
add action=disk topics=error
add topics=critical
add action=disk topics=system
add action=Firewall topics=firewall
add topics=info,!firewall
add topics=system
add action=echo topics=error
/system ntp client
set enabled=yes primary-ntp=161.53.123.5 secondary-ntp=161.53.160.5
# Runs the dynDNS script every 5 minutes. The policy list grants far more than
# a fetch-and-update script needs (password, policy, sensitive, sniff,
# reboot); least privilege would trim it to what the script actually uses.
/system scheduler
add interval=5m name=dynDNS on-event="/system script run dynDns\r\
\n" policy=\
ftp,reboot,read,write,policy,test,winbox,password,sniff,sensitive,api \
start-date=jan/01/2002 start-time=02:00:02
# Dynamic-DNS updater: finds the interface holding the active default route,
# reads its address, and if it changed since the last run sends an update to
# members.dyndns.org, then deletes the downloaded response file.
# NOTE(review): the fetch uses mode=http, so the DynDNS user and password are
# sent in clear text. The credentials/host here are placeholders in the post.
/system script
add name=dynDNS policy=\
ftp,reboot,read,write,policy,test,winbox,password,sniff,sensitive,api \
source="# Define User Variables\r\
\n:global ddnsuser \"DYNDNSUSER\"\r\
\n:global ddnspass \"DYNDNSPASS\"\r\
\n:global ddnshost \"xxxxxxxxxxxxxxxxx\"\r\
\n\r\
\n# Define Global Variables\r\
\n:global ddnsip\r\
\n:global ddnslastip\r\
\n:if ([ :typeof \$ddnslastip ] = nil ) do={ :global ddnslastip \"0\" }\r\
\n\r\
\n:global ddnsinterface\r\
\n:global ddnssystem (\"mt-\" . [/system package get system version] )\r\
\n\r\
\n# Define Local Variables\r\
\n:local int\r\
\n\r\
\n# Loop thru interfaces and look for ones containing\r\
\n# default gateways without routing-marks\r\
\n:foreach int in=[/ip route find dst-address=0.0.0.0/0 active=yes ] do={\
\r\
\n :if ([:typeof [/ip route get \$int routing-mark ]] != str ) do={\r\
\n :global ddnsinterface [/ip route get \$int interface]\r\
\n }\r\
\n}\r\
\n\r\
\n# Grab the current IP address on that interface.\r\
\n:global ddnsip [ /ip address get [/ip address find interface=\$ddnsinter\
face ] address ]\r\
\n\r\
\n# Did we get an IP address to compare\?\r\
\n:if ([ :typeof \$ddnsip ] = nil ) do={\r\
\n :log info (\"DynDNS: No ip address present on \" . \$ddnsinterface . \
\", please check.\")\r\
\n} else={\r\
\n :if (\$ddnsip != \$ddnslastip) do={\r\
\n :log info \"DynDNS: Sending UPDATE!\"\r\
\n :local str \"/nic/update\?hostname=\$ddnshost&myip=\$ddnsip&wildcard\
=NOCHG&mx=NOCHG&backmx=NOCHG\"\r\
\n /tool fetch address=members.dyndns.org src-path=\$str mode=http user\
=\$ddnsuser \\\r\
\n password=\$ddnspass dst-path=(\"/DynDNS.\".\$ddnshost)\r\
\n :delay 1\r\
\n :local str [/file find name=\"DynDNS.\$ddnshost\"];\r\
\n /file remove \$str\r\
\n :global ddnslastip \$ddnsip\r\
\n }\r\
\n}\r\
\n"
# Packet sniffer pre-configured on the LAN bridge (filter settings only; the
# export does not show it running).
/tool sniffer
set filter-direction=any interface="BRIDGE1(eth1,2,3,4,5,6,7,8,9,wlan1)"