I'm pretty new to the MikroTik and RouterOS world; I come from the Sophos ecosystem, where everything is made for babies.
I'm trying to figure out whether my config is correct. I'm using a RB951Ui-2HnD as a firewall and a router (it's connected directly to the cable from the ISP, from which I have a static WAN IP and DNS servers). What I want to achieve is to be able to port forward specific ports while dropping everything else. I also want DNS queries to work from the LAN; whether they go to the MikroTik or directly to the ISP servers doesn't really matter. The same goes for the firewall rules: I'd like to drop all by default. Here's my config; after that I have an explanation:
Code:
# may/15/2023 17:04:42 by RouterOS 6.49.
#
# model = 951Ui-2HnD
/interface bridge
add name=bridge_all_LAN
/interface ethernet
set [ find default-name=ether2 ] name=ether2_LAN
set [ find default-name=ether3 ] name=ether3_WAN
/interface wireless
set [ find default-name=wlan1 ] ssid=MikroTik
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip pool
add name=dhcp_pool1 ranges=xxxx
/ip dhcp-server
add address-pool=dhcp_pool1 disabled=no interface=bridge_all_LAN name=dhcp1
/interface bridge port
add bridge=bridge_all_LAN interface=ether2_LAN
add bridge=bridge_all_LAN interface=ether4
add bridge=bridge_all_LAN interface=ether1
/ip address
add address=xxxx/24 interface=ether3_WAN network=xxxx
add address=xxxx/24 interface=ether2_LAN network=xxxx
/ip dhcp-server network
add address=xxxx/24 dns-server=xxxx,xxxx gateway=\
xxxx netmask=24
/ip dns
set allow-remote-requests=yes servers=xxxx,xxxx
/ip firewall filter
add action=passthrough chain=forward out-interface=ether3_WAN
add action=accept chain=input dst-port=8291 protocol=tcp src-address=\
xxx
add action=accept chain=input dst-port=25565 log=yes protocol=tcp
add action=accept chain=input dst-port=25565 log=yes protocol=udp
add action=accept chain=input dst-port="" in-interface=ether3_WAN protocol=udp \
src-port=53
add action=accept chain=input dst-port=53 in-interface=bridge_all_LAN protocol=\
udp
add action=drop chain=input in-interface=ether3_WAN
/ip firewall nat
add action=masquerade chain=srcnat log=yes log-prefix=masq_ out-interface=\
ether3_WAN
add action=dst-nat chain=dstnat dst-port=8006 in-interface=ether3_WAN protocol=\
tcp src-address=xxxx to-addresses=xxxx to-ports=8006
add action=dst-nat chain=dstnat dst-port=25565-25575 in-interface=ether3_WAN \
log=yes protocol=tcp to-addresses=xxxx to-ports=25565-25575
add action=dst-nat chain=dstnat dst-port=22 protocol=tcp src-address=\
xxxx to-addresses=xxxx to-ports=22
add action=dst-nat chain=dstnat dst-port=9191 protocol=tcp src-address=\
xxxx to-addresses=xxxx to-ports=9191
add action=dst-nat chain=dstnat dst-port=25565-25575 in-interface=ether3_WAN \
log=yes protocol=udp to-addresses=xxxx to-ports=25565-25575
add action=dst-nat chain=dstnat dst-port=25 in-interface=ether3_WAN log=yes \
log-prefix=mailsrvpostfixsmtp_ protocol=tcp to-addresses=xxxx \
to-ports=25
add action=dst-nat chain=dstnat dst-port=465 in-interface=ether3_WAN log=yes \
log-prefix=mailsrvpostfixsmtps_ protocol=tcp to-addresses=xxxx \
to-ports=465
add action=dst-nat chain=dstnat dst-port=587 in-interface=ether3_WAN log=yes \
log-prefix=mailsrvpostfixsub_ protocol=tcp to-addresses=xxxx \
to-ports=587
add action=dst-nat chain=dstnat dst-port=143 in-interface=ether3_WAN log=yes \
log-prefix=mailsrvdovecotimap_ protocol=tcp to-addresses=xxxx \
to-ports=143
add action=dst-nat chain=dstnat dst-port=993 in-interface=ether3_WAN log=yes \
log-prefix=mailsrvdovecotimaps_ protocol=tcp to-addresses=xxxx \
to-ports=993
add action=dst-nat chain=dstnat dst-port=110 in-interface=ether3_WAN \
log-prefix=mailsrvdovecotpop3_ protocol=tcp to-addresses=xxxx \
to-ports=110
add action=dst-nat chain=dstnat dst-port=995 in-interface=ether3_WAN log=yes \
log-prefix=mailsrvdovecotpop3s_ protocol=tcp to-addresses=xxxx \
to-ports=995
add action=dst-nat chain=dstnat dst-port=4190 in-interface=ether3_WAN \
log-prefix=mailsrvdovecotms_ protocol=tcp to-addresses=xxxx \
to-ports=4190
add action=dst-nat chain=dstnat dst-port=80 in-interface=ether3_WAN log=yes \
log-prefix=mailsrvhttp_ protocol=tcp to-addresses=xxxx to-ports=80
add action=dst-nat chain=dstnat dst-port=443 in-interface=ether3_WAN log=yes \
log-prefix=mailsrvhttps_ protocol=tcp to-addresses=xxxx to-ports=\
443
/ip firewall service-port
set ftp disabled=yes
set tftp disabled=yes
set irc disabled=yes
set h323 disabled=yes
set sip disabled=yes
set pptp disabled=yes
set udplite disabled=yes
set dccp disabled=yes
set sctp disabled=yes
/ip route
add distance=1 gateway=xxxx
/system clock
set time-zone-name=Europe/Warsaw
The issue I have had with this config is that DNS was just not working at all (neither the ISP servers nor the router directly) until I added the src-port input rule:
Code:
add action=accept chain=input dst-port="" in-interface=ether3_WAN protocol=udp \
src-port=53
I'm also not sure whether everything else here is correct. Is there anything else I should add/remove? I do want to run my own mail server, hence the NATed ports, so I am aware of those as well. Perhaps I should approach this completely differently?
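Added here as a check on the filter rules quoted above (this is not part of the original post or any reply): a small Python linter that parses RouterOS export lines and flags the three points a reviewer would raise about them. The `POSTED` sample is modelled on the quoted rules with the addresses still redacted; the `HARDENED` rule set, the interface name and the matchers it uses (`connection-state`, `connection-nat-state`) are a constructed illustration of the stateful alternative, not the poster's config.

```python
import re

# Constructed sample modelled on the input/forward rules in the post (addresses redacted).
POSTED = """\
add action=passthrough chain=forward out-interface=ether3_WAN
add action=accept chain=input dst-port=8291 protocol=tcp src-address=\\
    xxxx
add action=accept chain=input dst-port="" in-interface=ether3_WAN protocol=udp \\
    src-port=53
add action=accept chain=input dst-port=53 in-interface=bridge_all_LAN protocol=udp
add action=drop chain=input in-interface=ether3_WAN
"""

# Constructed hardened variant: stateful accepts replace the src-port=53 hole, and the
# forward chain only admits dst-nat'ed connections and return traffic from the WAN.
HARDENED = """\
add action=accept chain=input connection-state=established,related
add action=drop chain=input connection-state=invalid
add action=accept chain=input dst-port=53 in-interface=bridge_all_LAN protocol=udp
add action=drop chain=input in-interface=ether3_WAN
add action=accept chain=forward connection-state=established,related
add action=drop chain=forward connection-state=invalid
add action=accept chain=forward connection-nat-state=dstnat in-interface=ether3_WAN
add action=drop chain=forward in-interface=ether3_WAN
"""

KV = re.compile(r'([\w-]+)=("[^"]*"|\S+)')

def parse_rules(export: str) -> list[dict]:
    """Join the export's backslash continuations and turn each 'add' line into a dict."""
    joined = re.sub(r"\\\n\s*", "", export)
    return [{k: v.strip('"') for k, v in KV.findall(line)}
            for line in joined.splitlines() if line.startswith("add ")]

def audit(export: str, wan: str = "ether3_WAN") -> list[str]:
    """Return human-readable findings for the rule set; an empty list means none."""
    rules = parse_rules(export)
    chain = lambda c: [r for r in rules if r.get("chain") == c]
    findings = []
    for r in chain("input"):
        # An accept keyed on src-port alone admits anything the sender labels with that port.
        if (r.get("action") == "accept" and r.get("src-port") and not r.get("dst-port")
                and r.get("in-interface", wan) == wan):
            findings.append(f"input: accept keyed only on src-port={r['src-port']} from {wan}; "
                            "use connection-state=established,related for replies instead")
    for c in ("input", "forward"):
        if not any(r.get("action") == "accept" and "established" in r.get("connection-state", "")
                   for r in chain(c)):
            findings.append(f"{c}: no accept for connection-state=established,related, so return "
                            "traffic (e.g. DNS replies) only gets in through ad-hoc holes")
    if not any(r.get("action") == "drop" for r in chain("forward")):
        findings.append("forward: no drop rule, so 'drop everything else' does not apply to "
                        "traffic passing through the router")
    return findings
```

Run `audit(POSTED)` to see all three findings and `audit(HARDENED)` to confirm the stateful variant is clean.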