Taylor
newbie
Topic Author
Posts: 33
Joined: Wed Aug 13, 2014 12:27 am

Researching Potential Office Firewall/Router Solutions

Wed Aug 13, 2014 7:48 pm

I have been using MikroTik RouterOS/RouterBOARD at home for around 6 months now and have also deployed it into a retail location for the business I work for.

Recently at the Corporate Office we have been having issues with our WatchGuard XTM Firewall/Router. I'm looking into replacing it, and using MikroTik since I have just loved everything about it since I started using it.

Here are my questions on its capabilities.

Currently we have a /28 here with 50Mbit up and down; we use those to NAT to our internal LAN IPs, 192.168.2.0/24. We don't assign the public IPs to our actual servers etc.

WatchGuard provides a nice SSL VPN connection that allows my boss to VPN from home and be able to access network shares and our servers here at the office as if he's connected.

The issue with this is, both the office and his home subnet are the same 192.168.2.0/24. Would this be a problem in MikroTik?

I tried to talk him into MikroTik before, but this VPN part was in question. I saw the new HomeVPN setup that's pretty easy; I tested it, and it did seem to work. But I wasn't sure if it would 100% work with the same subnets.

Also, which device do you recommend? We need wireless; I wasn't sure whether to buy an all-in-one or buy a wireless system and router separately. I was looking at the RB2011UiAS-2HnD-IN.

It is not a huge office building. I'm sure the RB2011UiAS-2HnD-IN would be plenty for wireless. I just want to make sure we have a stable device to support our 50Mbit up and down and potentially increase that in the future. I don't want another scenario like our current WatchGuard that is just terrible.

We also have about 20-30 NAT Rules

Thank you for your time reading this, and I hope I was clear enough in what I'm looking for and my questions. I do apologize, I am somewhat new to networking, but I am a bit above a beginner; I know all about the basics, etc. Just not bigger things such as BGP routes, and most routing protocols in general.
 
CelticComms
Forum Guru
Posts: 1765
Joined: Wed May 02, 2012 5:48 am

Re: Researching Potential Office Firewall/Router Solutions

Fri Aug 15, 2014 7:53 am

Change one or both of the subnets and save a lot of grief. Having them the same will cause issues for all sorts of VPN gateways - not just RouterOS. The issues can sometimes be worked around - but best to simply avoid them.
 
lambert
Long time Member
Posts: 548
Joined: Fri Jul 23, 2010 1:09 am

Re: Researching Potential Office Firewall/Router Solutions

Fri Aug 15, 2014 7:57 am

I really dislike running the same subnet at multiple sites. I cannot say if that will cause you any trouble. I dislike it enough that every site I manage uses some randomly chosen subnet in RFC1918 space. So, I don't have recent experience with your situation.

The CPU in the RB2011-UAS should be sufficient for the bandwidth and number of rules you specify. It just depends on the individual rules. Deep packet inspection rules could cause it to overwork the CPU. Watch how you write your rules to limit the impact on the CPU.

You don't say how many wired devices you have. Just remember that the RB2011's have 5 GigE ports and 5 10/100Mbps ports. The CRS125 has 24 GigE ports and the same CPU. I think the wireless is the same also, but I have not specifically looked at those specs. You may already have a separate switch and not care how many ports you get on the router.

I use the 2011 series devices as base of tower routers for up to around 100Mbps of traffic. I do not run VPNs on those routers but do queue tree bandwidth limiting for around 100 clients served from the tower and passthrough traffic to other towers. The queue tree is typically handling 50Mbps or less of traffic.
 
Taylor
newbie
Topic Author
Posts: 33
Joined: Wed Aug 13, 2014 12:27 am

Re: Researching Potential Office Firewall/Router Solutions

Fri Aug 15, 2014 8:45 am

Unfortunately the subnets won't be something to change; if either of us were to VPN in from a store location, it would be on this subnet also. Over 87 locations... Nah, can't change that, not worth it. It would be nice if you could push routes to the VPN client, such as in OpenVPN. Maybe someday it will happen; I saw someone mention it as a feature request.

I have a separate 24-port Gigabit switch for all the office machines, somewhere around 20 of them. So I would only utilize one port on the router itself. There are no deep rules, no filters really at all, just simple NATs: IP X on port 80 goes to IP Y on port 80, that kind of scenario.

Just want to make sure it can handle what I throw at it, if the only concern is the VPN. I think I can work around that.
 
nkourtzis
Member Candidate
Posts: 222
Joined: Tue Dec 11, 2012 12:56 am
Location: Greece

Re: Researching Potential Office Firewall/Router Solutions

Sat Aug 16, 2014 9:52 am

I would advise you to consider either the http://routerboard.com/CRS109-8G-1S-2HnD-IN, the http://routerboard.com/RB951G-2HnD or the http://routerboard.com/RB922UAGS-5HPacD (the last one with an extra 2.4GHz wifi card, enclosure and antennas) as your central router and for your branch office locations (and your boss's home). Then I would create PPTP tunnels on a totally different subnet and place bridged EoIP connections over the VPN tunnels.

Last edited by nkourtzis on Sat Aug 16, 2014 7:10 pm, edited 1 time in total.
 
docmarius
Forum Guru
Posts: 1222
Joined: Sat Nov 06, 2010 12:04 pm
Location: Timisoara, Romania

Re: Researching Potential Office Firewall/Router Solutions

Sat Aug 16, 2014 11:20 am

You all obviously discarded the most important request for Taylor's network: his boss has to be able to browse the network from home. That requires all machines to be on the same network so that Windows can resolve machine names via SMB broadcasts.
Browsing will not work on MT anyway, because their PtP implementations lack broadcast forwarding, and bridging is not available for Windows clients.
 
CelticComms
Forum Guru
Posts: 1765
Joined: Wed May 02, 2012 5:48 am

Re: Researching Potential Office Firewall/Router Solutions

Sat Aug 16, 2014 5:09 pm

You all obviously discarded the most important request for Taylor's network: his boss has to be able to browse the network from home. That requires all machines to be on the same network so that Windows can resolve machine names via SMB broadcasts.
Browsing will not work on MT anyway, because their PtP implementations lack broadcast forwarding, and bridging is not available for Windows clients.
The OP mentioned access to network server shares. Broadcast traffic over the VPN is not necessary to provide access to network server shares. They can be accessed using the IP address or name if name lookup is available.
 
User avatar
docmarius
Forum Guru
Posts: 1222
Joined: Sat Nov 06, 2010 12:04 pm
Location: Timisoara, Romania

Re: Researching Potential Office Firewall/Router Solutions

Sat Aug 16, 2014 6:22 pm

Taylor mentioned "as if he was connected", which usually doesn't imply access using IP addresses. From my own experience I can tell you, bosses want browsing, visible names in My Network and so on.
 
nkourtzis
Member Candidate
Posts: 222
Joined: Tue Dec 11, 2012 12:56 am
Location: Greece

Re: Researching Potential Office Firewall/Router Solutions

Sat Aug 16, 2014 7:11 pm

I would suggest also replacing the router at the boss's home with a MikroTik (say the http://routerboard.com/RB951G-2HnD), and setting it up the way I described, i.e. with an EoIP connection over a PPTP link. The EoIP interfaces (one on each side) would be added to the LAN bridge of each of the routers and thus support broadcast and all.
 
CelticComms
Forum Guru
Posts: 1765
Joined: Wed May 02, 2012 5:48 am

Re: Researching Potential Office Firewall/Router Solutions

Sun Aug 17, 2014 12:52 am

Taylor mentioned "as if he was connected", which usually doesn't imply access using IP addresses. From my own experience I can tell you, bosses want browsing, visible names in My Network and so on.
The irony is that in networks small enough for such browsing to be useful it is fairly trivial to make the necessary shortcuts to render browsing unnecessary. Even in a small business network, creating unfiltered layer 2 connectivity just to support broadcasts for network browsing is pretty ugly from the security perspective. Explaining to the "boss" how to provide the business connectivity necessary for the business while reducing the vulnerability profile can indeed be an art form, but once the boss buys in everybody else will fall in line, so it can be well worth the effort. ;)
 
User avatar
rextended
Forum Guru
Posts: 12008
Joined: Tue Feb 25, 2014 12:49 pm
Location: Italy

Re: Researching Potential Office Firewall/Router Solutions

Sun Aug 17, 2014 1:06 am

Simply one EoIP tunnel between the boss's home and the office?

On the office router the EoIP interface is bridged with the local LAN;
at the boss's house the EoIP end is bridged with one Ethernet port or one VirtualAP.

When the boss connects through that Ethernet port or wireless, he obtains an IP from the office, and everything works as if the PC were directly connected to the office.
 
CelticComms
Forum Guru
Posts: 1765
Joined: Wed May 02, 2012 5:48 am

Re: Researching Potential Office Firewall/Router Solutions

Sun Aug 17, 2014 1:15 am

at the boss's house the EoIP end is bridged with one Ethernet port or one VirtualAP.
That would certainly be preferable - even better if we can lock that port to permitted client MAC addresses.

If however the "office" has two servers then I would personally still advocate shortcuts & WINS and save the extra risk not to mention the overhead!
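As an added example (editor's configuration, not posted by anyone in the thread), this is the layout nkourtzis and rextended describe: a PPTP link between the two routers, an EoIP tunnel riding on it, the EoIP interface bridged into the office LAN on one side and into a separate bridge with one dedicated port on the other, plus the MAC lock CelticComms asks for. The PPTP addresses 10.255.0.1/10.255.0.2, tunnel-id 10, the office public address 1.1.1.2, home port ether5 and the laptop MAC 00:11:22:33:44:55 are assumptions; bridge-local and ether1-gateway are the interface names used elsewhere in the thread.

```routeros
# Added example, not from the thread. 10.255.0.x, tunnel-id 10, 1.1.1.2,
# ether5 and 00:11:22:33:44:55 are assumed values; change them to suit.

# ===== office router (RB2011; bridge-local is the office LAN) =====
/ppp profile
add name=boss-pptp local-address=10.255.0.1 remote-address=10.255.0.2 use-encryption=required
/ppp secret
add name=boss password=CHANGE-ME service=pptp profile=boss-pptp
/interface pptp-server server
set enabled=yes default-profile=boss-pptp authentication=mschap2
/interface eoip
# EoIP runs between the two PPTP tunnel addresses, so it is only reachable
# once the PPTP session is up.
add name=eoip-boss remote-address=10.255.0.2 tunnel-id=10 comment="L2 to boss over PPTP"
/interface bridge port
# Bridging the EoIP end into the LAN is what makes the remote PC "directly connected".
add bridge=bridge-local interface=eoip-boss
/ip firewall filter
# The thread's input chain ends in drop, so these go to the top (place-before=0).
add chain=input in-interface=ether1-gateway protocol=tcp dst-port=1723 action=accept comment="PPTP control" place-before=0
add chain=input in-interface=ether1-gateway protocol=gre action=accept comment="PPTP data (GRE)" place-before=0
# EoIP itself is GRE (IP protocol 47) between the tunnel endpoints.
add chain=input src-address=10.255.0.2 protocol=gre action=accept comment="EoIP from boss" place-before=0

# ===== boss's home router (RB951G) =====
/interface pptp-client
add name=pptp-office connect-to=1.1.1.2 user=boss password=CHANGE-ME add-default-route=no disabled=no
/interface eoip
add name=eoip-office remote-address=10.255.0.1 tunnel-id=10 comment="L2 to office"
/interface bridge
# A separate bridge: the home LAN stays off the office segment entirely, which also
# sidesteps the duplicate 192.168.2.0/24 problem, since the home LAN is never routed to it.
add name=bridge-office comment="office L2 only"
/interface bridge port
add bridge=bridge-office interface=eoip-office
add bridge=bridge-office interface=ether5 comment="dedicated port for the office laptop"
/interface bridge filter
# Lock the dedicated port to one MAC so nothing else at home can appear on the office LAN.
add chain=forward in-interface=ether5 src-mac-address=!00:11:22:33:44:55 action=drop comment="only the office laptop"
```

Two caveats a practitioner would add. PPTP authenticates with MS-CHAPv2, whose handshake can be recovered offline, so treat the PPTP link as weak transport; on current RouterOS the EoIP interface's ipsec-secret parameter wraps the tunnel in IPsec without PPTP at all. And a MAC lock only stops accidental use of the port: a MAC address is trivially spoofed, so the bridged port must still be physically controlled. Keep the home router's own DHCP server off bridge-office so the laptop takes its address from the office, as rextended describes.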
 
Taylor
newbie
Topic Author
Posts: 33
Joined: Wed Aug 13, 2014 12:27 am

Re: Researching Potential Office Firewall/Router Solutions

Sun Aug 17, 2014 6:39 am

I ended up buying a RB2011UiAS-2HnD-IN My boss isn't like most bosses, we are pretty much partners, just "technically" he is the boss. He can just use IP's and I think he does that already. He's not your typical boss lol.

I talked to him about it and he's fine with switching to it, and he said he could even change his subnet at home, and I said hey, great, that'll make less hassle. I ordered it Friday before I left work, and this weekend I've been preparing my rules heh.

I have the NAT rules set up; just going through all the filter rules I'll want. I typically go for only allowing inbound what I should and blocking everything else, and the same for outbound, but that's for personal servers. For the office I might not block all the outbound except what's required; could be more hassle than it's worth!

So far these are the filter rules I've prepared; if any of you have suggestions or comments, I appreciate all. :)
/ip firewall filter
add chain=input connection-state=established comment="Accept established connections"
add chain=input connection-state=related comment="Accept related connections"
add chain=input connection-state=invalid action=drop comment="Drop invalid connections" 
add chain=input protocol=icmp limit=20/5s,2 comment="Allow limited pings" 
add chain=input protocol=icmp action=drop comment="Drop excess pings" 
add chain=input protocol=tcp dst-port=8291 comment="winbox" 
add chain=input action=log log-prefix="DROP INPUT" comment="Log everything else"
add chain=input action=drop comment="Drop everything else"
add chain=forward action=log log-prefix=email protocol=tcp dst-port=25
add chain=forward action=drop protocol=tcp dst-port=25

If any of you are in the United States. Where do you buy your MikroTik from? I have had to shop for randomly good places depending on which I needed. I bought this one from Newegg via 3rd party. And SolidSignal for the one for home and the store location I got. But neither places have a good supply it seems.
 
CelticComms
Forum Guru
Posts: 1765
Joined: Wed May 02, 2012 5:48 am

Re: Researching Potential Office Firewall/Router Solutions

Sun Aug 17, 2014 6:59 am

If you want the device to be a firewall then your forward chain should start with a drop command and then only place accept rules for the traffic that you want to permit above that.

Good to hear that the "boss" isn't wed to 1999 style network browsing. Now if you can just persuade him that the remote networks' IP ranges should be changed as and when opportunity arises.... ;)
 
Taylor
newbie
Topic Author
Posts: 33
Joined: Wed Aug 13, 2014 12:27 am

Re: Researching Potential Office Firewall/Router Solutions

Sun Aug 17, 2014 7:05 am

You've lost me on the forward chain putting it first... If you could go into more detail it would make it more clear for me.

Yea, I'm fine with putting in MikroTik everywhere; it was even discussed for PCI compliance for credit card processing at our retail locations. The problem is, we have 87 locations, at least 3-5 computers per location, and the only IT in the company is him and I... lol It would be utter chaos just to maintain these systems! The minute someone is dumb enough to reset our equipment and I have to drive 4 hours to fix it lol...

But yea. I of course want it to be a firewall, and locked down as tight as I can while still not being too tight as other employees cant do anything, and I don't want it to impact the performance of the Network.

Edit: whoops, just reread and saw you mentioned the subnets heh. The same still applies; it's a bit of a pain to maintain and do all that lol. I already gave him a schema for what store gets what subnet; I called it our "5 year" plan.
 
CelticComms
Forum Guru
Posts: 1765
Joined: Wed May 02, 2012 5:48 am

Re: Researching Potential Office Firewall/Router Solutions

Sun Aug 17, 2014 3:50 pm

When you look at the forward chain rule you would expect to see a drop rule at the end (lowest on the list). That rule is not qualified with any selection criteria - it just says action=drop. Thus only traffic which has been specifically identified to be accepted in earlier (higher) rules will be permitted.
 
Taylor
newbie
Topic Author
Posts: 33
Joined: Wed Aug 13, 2014 12:27 am

Re: Researching Potential Office Firewall/Router Solutions

Sun Aug 17, 2014 7:23 pm

Oh yes, I understand now. That is if I want to lock down everyone on my LAN, and I don't know if I am going to do that yet. I would have to figure out any odd ports anyone is using for whatever reasons, and right now I'll just leave that alone lol. Obviously I blocked SMTP port 25; had a rogue virus give me problems with that in the past. (Forgot to add our mail server as an exception on that rule, whoops, doing that now.)
 
CelticComms
Forum Guru
Posts: 1765
Joined: Wed May 02, 2012 5:48 am

Re: Researching Potential Office Firewall/Router Solutions

Sun Aug 17, 2014 7:41 pm

I think you are misunderstanding. At the moment the forward chain rules that you have in place mean that the device is not behaving like a firewall; it is behaving pretty much like a router, in that it will forward packets among ports with only one restriction regarding SMTP.

A typical firewall config starts with:

Allowing NEW connection traffic from the inside / LAN to the outside / WAN.
Allowing ESTABLISHED connection traffic.
Allowing RELATED connection traffic.
If you have multiple LAN ports perhaps allowing inter-LAN port traffic.
Denying all remaining forwarded traffic by default.

Then add other rules as necessary.

You currently have a "drop all" at the end of the input chain but that only affects traffic to the router itself.
 
Taylor
newbie
Topic Author
Posts: 33
Joined: Wed Aug 13, 2014 12:27 am

Re: Researching Potential Office Firewall/Router Solutions

Sun Aug 17, 2014 9:41 pm

We must not be thinking the same thing for sure. My definition of a firewall involves outside traffic coming INTO my network (through the firewall..)

So yes, I am blocking everything from coming in, but I'm not blocking everything going out (as stated before a few times, I may or may not do this).

You are saying I'm blocking everything coming in, but not everything going out, therefore it's not a full firewall in your definition. Am I understanding what you are saying now?

If you want to paste a set of rules you would do or that you are speaking of, that would make more sense to me. (If I didn't already say what you meant)
 
CelticComms
Forum Guru
Posts: 1765
Joined: Wed May 02, 2012 5:48 am

Re: Researching Potential Office Firewall/Router Solutions

Sun Aug 17, 2014 9:53 pm

So yes I am blocking everything from coming in, ........
Not with the filter rules you showed above! The input chain only covers traffic to the router itself. At the moment the forward chain is pretty much open so for instance inbound WAN>LAN traffic is not being restricted.
 
Taylor
newbie
Topic Author
Posts: 33
Joined: Wed Aug 13, 2014 12:27 am

Re: Researching Potential Office Firewall/Router Solutions

Sun Aug 17, 2014 10:13 pm

Well now I am really confused lol

I use the exact same setup on my Linux servers and on the MikroTik at my home and it seems to function as I put it.

Forward is for LAN>WAN, is it not? I don't want to restrict my LAN users going out of the router to the internet!

Input is anything coming from outside towards my WAN, correct?

Like I said, can you show me some rules showing what you mean?


Edit: I read some more on this, and I don't have any public IPs on the network, so I don't think forward traffic can go through my MikroTik from the outside, correct?

My traffic comes to public IPs and then MikroTik decides where they go, so they should all be under the input chain, right?
 
CelticComms
Forum Guru
Posts: 1765
Joined: Wed May 02, 2012 5:48 am

Re: Researching Potential Office Firewall/Router Solutions

Sun Aug 17, 2014 10:17 pm

No - you don't have the function of the chains clear. Have a look at this and look at the chain descriptions.

http://wiki.mikrotik.com/wiki/Manual:IP/Firewall/Filter

The forward chain is traffic passing through the router. The input chain is for traffic destined for the router itself.
 
Taylor
newbie
Topic Author
Posts: 33
Joined: Wed Aug 13, 2014 12:27 am

Re: Researching Potential Office Firewall/Router Solutions

Sun Aug 17, 2014 10:26 pm

Yes, right, I understand what you are saying; the part I'm not getting, I guess, is... what makes it destined for the router and what makes it not?

INPUT, it says, is for traffic going to the router, which is one of its addresses; how does it know which are its addresses?

FORWARD is passthrough, OK great; again, what defines passthrough?


If I add my /25 into IP -> Address on ether1-gateway (WAN), will the router then think all of those addresses are its, and then the input chain applies?
 
CelticComms
Forum Guru
Posts: 1765
Joined: Wed May 02, 2012 5:48 am

Re: Researching Potential Office Firewall/Router Solutions

Sun Aug 17, 2014 10:34 pm

Examples: If one of the public IPs is used to connect to the router itself (say Winbox) then that traffic would go through the input chain. However, if for example you DST-NATed the IP to an internal address then the traffic would go through the forward chain.
 
Taylor
newbie
Topic Author
Posts: 33
Joined: Wed Aug 13, 2014 12:27 am

Re: Researching Potential Office Firewall/Router Solutions

Sun Aug 17, 2014 10:40 pm

Alright, I get that, so if I have a NAT rule for any one public IP, that opens it to all?

Here is an example of what im doing for my NAT Rules

add action=dst-nat chain=dstnat comment="WebSite www.mywebsite.com" \
dst-address=1.1.1.1 dst-port=80 protocol=tcp to-addresses=\
192.168.2.250

That would go through forward as you said; would I need to really drop everything else? I was under the impression that the way I'm doing NAT rules, I wouldn't need to drop everything, as I'm only allowing specific ports to be NATed.

Do I need to add a to-ports= to all my NAT rules, so it for sure goes to the right port on that IP?
 
CelticComms
Forum Guru
Posts: 1765
Joined: Wed May 02, 2012 5:48 am

Re: Researching Potential Office Firewall/Router Solutions

Sun Aug 17, 2014 10:46 pm

Yes you should control the forward chain too - even any cheap consumer router does so.
 
Taylor
newbie
Topic Author
Posts: 33
Joined: Wed Aug 13, 2014 12:27 am

Re: Researching Potential Office Firewall/Router Solutions

Sun Aug 17, 2014 10:49 pm

Hows this?
/ip firewall filter
add chain=input connection-state=established comment="Accept established connections"
add chain=input connection-state=related comment="Accept related connections"
add chain=input connection-state=invalid action=drop comment="Drop invalid connections"
add chain=input protocol=icmp limit=20/5s,2 comment="Allow limited pings"
add chain=input protocol=icmp action=drop comment="Drop excess pings"
add chain=input protocol=tcp dst-port=8291 comment="winbox"
add chain=input action=log log-prefix="DROP INPUT" comment="Log everything else"
add chain=input action=drop comment="Drop everything else"
add chain=forward connection-state=established comment="Accept established connections"
add chain=forward connection-state=related comment="Accept related connections"
add chain=forward connection-state=invalid action=drop comment="Drop invalid connections"
add chain=forward action=log dst-port=25 log-prefix=email protocol=tcp src-address=!192.168.2.250
add chain=forward action=drop dst-port=25 protocol=tcp src-address=!192.168.2.250
add chain=forward action=log log-prefix="DROP FORWARD" comment="Log everything else"
add chain=forward action=drop comment="Drop everything else"
 
CelticComms
Forum Guru
Posts: 1765
Joined: Wed May 02, 2012 5:48 am

Re: Researching Potential Office Firewall/Router Solutions

Sun Aug 17, 2014 10:52 pm

Right direction - but you would probably want to allow NEW connections LAN>WAN.
 
Taylor
newbie
Topic Author
Posts: 33
Joined: Wed Aug 13, 2014 12:27 am

Re: Researching Potential Office Firewall/Router Solutions

Sun Aug 17, 2014 10:58 pm

OK, how would I allow new forward, but only for LAN>WAN? Via interfaces somehow, or src-addresses?

Could I do in=bridge-local out=ether1-gateway in the FORWARD chain for NEW connection types?
 
CelticComms
Forum Guru
Posts: 1765
Joined: Wed May 02, 2012 5:48 am

Re: Researching Potential Office Firewall/Router Solutions

Sun Aug 17, 2014 10:59 pm

A filter rule where you specify the in interface and out interface.
 
Taylor
newbie
Topic Author
Posts: 33
Joined: Wed Aug 13, 2014 12:27 am

Re: Researching Potential Office Firewall/Router Solutions

Sun Aug 17, 2014 11:04 pm

I did the below, and I tried it on my home router, but now my NAT rules are blocked by this new forward chain
/ip firewall filter
add chain=input connection-state=established comment="Accept established connections"
add chain=input connection-state=related comment="Accept related connections"
add chain=input connection-state=invalid action=drop comment="Drop invalid connections"
add chain=input protocol=icmp limit=20/5s,2 comment="Allow limited pings"
add chain=input protocol=icmp action=drop comment="Drop excess pings"
add chain=input protocol=tcp dst-port=8291 comment="winbox"
add chain=input action=log log-prefix="DROP INPUT" comment="Log everything else"
add chain=input action=drop comment="Drop everything else"
add chain=forward connection-state=established comment="Accept established connections"
add chain=forward connection-state=related comment="Accept related connections"
add chain=forward connection-state=invalid action=drop comment="Drop invalid connections"
add chain=forward action=log dst-port=25 log-prefix=email protocol=tcp src-address=!192.168.2.250 comment="Log SMTP not from mail server (must sit above the LAN>WAN accept or it never matches)"
add chain=forward action=drop dst-port=25 protocol=tcp src-address=!192.168.2.250 comment="Drop SMTP not from mail server"
add chain=forward comment="Accept New LAN>WAN FORWARD" connection-state=new in-interface=bridge-local out-interface=ether1-gateway
add chain=forward action=log log-prefix="DROP FORWARD" comment="Log everything else"
add chain=forward action=drop comment="Drop everything else"
 
CelticComms
Forum Guru
Posts: 1765
Joined: Wed May 02, 2012 5:48 am

Re: Researching Potential Office Firewall/Router Solutions

Sun Aug 17, 2014 11:10 pm

I did the below, and i tried it on my home router, but now my NAT rules are blocked by this new forward chain
Correct - you also need to add forward rules to permit the DST NATed traffic. These should use the internal IP as one of the selective elements since DST NAT occurs before the forward chain.
 
Taylor
newbie
Topic Author
Posts: 33
Joined: Wed Aug 13, 2014 12:27 am

Re: Researching Potential Office Firewall/Router Solutions

Sun Aug 17, 2014 11:15 pm

Sorry but I tried and read, and don't know exactly what you just told me to make. Examples go a far way with me understanding how something works.
 
CelticComms
Forum Guru
Posts: 1765
Joined: Wed May 02, 2012 5:48 am

Re: Researching Potential Office Firewall/Router Solutions

Sun Aug 17, 2014 11:39 pm

It should be similar to the forward chain rules that you showed earlier but you want to use the internal IP for the dst-address - along with the port. You can also specify the WAN interface as the in-interface.

Are you using Winbox?
 
Taylor
newbie
Topic Author
Posts: 33
Joined: Wed Aug 13, 2014 12:27 am

Re: Researching Potential Office Firewall/Router Solutions

Sun Aug 17, 2014 11:41 pm

Yes, I'm using Winbox. I haven't got the new RouterBOARD for the office yet; I'm typing the rules into a file to have it ready to go.

So for every NAT rule I have, I have to make a filter rule for that? :\
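As an added example, not code from any poster, here is the rule set CelticComms outlines (accept established/related, drop invalid, accept new LAN>WAN, drop the rest) together with the per-service forward rule he describes for DST-NATed traffic, which answers the question above. It reuses the thread's names: bridge-local, ether1-gateway, the public address 1.1.1.1 and the internal host 192.168.2.250 (web server and mail server). Two things it does differently from the rules posted earlier: the SMTP log/drop rules sit above the "new LAN>WAN" accept, because a rule placed after an unconditional accept for the same traffic never matches; and Winbox is accepted only from the LAN, since the posted input rule accepted TCP/8291 from the WAN as well. connection-nat-state=dstnat is an extra match that restricts the accept to connections that really were DST-NATed; leave it out on a RouterOS version that lacks the parameter.

```routeros
# Added example, not from the thread. Names and addresses are the thread's
# (bridge-local, ether1-gateway, 1.1.1.1, 192.168.2.250); everything else is assumed.

/ip firewall nat
# DST-NAT is evaluated before the forward chain, so by the time a packet for
# 1.1.1.1:80 reaches the filter its destination is already 192.168.2.250:80.
add chain=dstnat in-interface=ether1-gateway dst-address=1.1.1.1 protocol=tcp dst-port=80 \
    action=dst-nat to-addresses=192.168.2.250 to-ports=80 comment="WebSite www.mywebsite.com"
add chain=srcnat out-interface=ether1-gateway action=masquerade comment="LAN to Internet"

/ip firewall filter
# ---- input: packets addressed to the router itself ----
add chain=input connection-state=established,related action=accept comment="Accept established/related"
add chain=input connection-state=invalid action=drop comment="Drop invalid"
add chain=input protocol=icmp action=accept comment="ICMP"
add chain=input in-interface=bridge-local protocol=tcp dst-port=8291 action=accept \
    comment="Winbox from the LAN only"
add chain=input action=log log-prefix="DROP INPUT" comment="Log everything else to the router"
add chain=input action=drop comment="Drop everything else to the router"

# ---- forward: packets passing through the router ----
add chain=forward connection-state=established,related action=accept comment="Accept established/related"
add chain=forward connection-state=invalid action=drop comment="Drop invalid"
# Outbound SMTP only from the mail server: log, then drop, BEFORE the general LAN>WAN accept.
add chain=forward in-interface=bridge-local protocol=tcp dst-port=25 src-address=!192.168.2.250 \
    action=log log-prefix=email
add chain=forward in-interface=bridge-local protocol=tcp dst-port=25 src-address=!192.168.2.250 \
    action=drop comment="Rogue SMTP"
add chain=forward connection-state=new in-interface=bridge-local out-interface=ether1-gateway \
    action=accept comment="Accept new LAN>WAN"
# One accept per published service: match the post-NAT internal address and port, and
# require the WAN as in-interface so the rule is not reachable from the LAN side.
add chain=forward connection-state=new in-interface=ether1-gateway connection-nat-state=dstnat \
    dst-address=192.168.2.250 protocol=tcp dst-port=80 action=accept comment="WebSite www.mywebsite.com"
add chain=forward action=log log-prefix="DROP FORWARD" comment="Log everything else through the router"
add chain=forward action=drop comment="Drop everything else through the router"
```

So yes: each DST-NAT rule needs a matching forward accept (or a broader accept keyed on the internal address and the WAN in-interface). Listing them per service keeps the forward chain readable, and the "DROP FORWARD" log then shows exactly what reached the router from outside and was not on the published list.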
