Kryvee
just joined
Topic Author
Posts: 1
Joined: Mon May 15, 2023 11:30 pm

Several beginner questions about config

Mon May 15, 2023 11:47 pm

Hello everyone, first ever post on forum.
I'm pretty new to the MikroTik and RouterOS world; I come from the Sophos ecosystem, where everything is made for babies :)

I'm trying to figure out whether my config is correct. I'm using an RB951Ui-2HnD as a firewall and a router (it's connected directly to the cable from the ISP, from which I have a static WAN IP and DNS servers). What I want to achieve is to be able to port forward specific ports while dropping everything else. I also want DNS queries to work from the LAN; whether it is to the MikroTik or directly to the ISP servers doesn't really matter. Same goes for the firewall rules: I'd like to drop all by default. Here's my config; after that I have an explanation:
# may/15/2023 17:04:42 by RouterOS 6.49.
#
# model = 951Ui-2HnD
/interface bridge
add name=bridge_all_LAN
/interface ethernet
set [ find default-name=ether2 ] name=ether2_LAN
set [ find default-name=ether3 ] name=ether3_WAN
/interface wireless
set [ find default-name=wlan1 ] ssid=MikroTik
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip pool
add name=dhcp_pool1 ranges=xxxx
/ip dhcp-server
add address-pool=dhcp_pool1 disabled=no interface=bridge_all_LAN name=dhcp1
/interface bridge port
add bridge=bridge_all_LAN interface=ether2_LAN
add bridge=bridge_all_LAN interface=ether4
add bridge=bridge_all_LAN interface=ether1
/ip address
add address=xxxx/24 interface=ether3_WAN network=xxxx
add address=xxxx/24 interface=ether2_LAN network=xxxx
/ip dhcp-server network
add address=xxxx/24 dns-server=xxxx,xxxx gateway=\
    xxxx netmask=24
/ip dns
set allow-remote-requests=yes servers=xxxx,xxxx
/ip firewall filter
add action=passthrough chain=forward out-interface=ether3_WAN
add action=accept chain=input dst-port=8291 protocol=tcp src-address=\
    xxx
add action=accept chain=input dst-port=25565 log=yes protocol=tcp
add action=accept chain=input dst-port=25565 log=yes protocol=udp
add action=accept chain=input dst-port="" in-interface=ether3_WAN protocol=udp \
    src-port=53
add action=accept chain=input dst-port=53 in-interface=bridge_all_LAN protocol=\
    udp
add action=drop chain=input in-interface=ether3_WAN
/ip firewall nat
add action=masquerade chain=srcnat log=yes log-prefix=masq_ out-interface=\
    ether3_WAN
add action=dst-nat chain=dstnat dst-port=8006 in-interface=ether3_WAN protocol=\
    tcp src-address=xxxx to-addresses=xxxx to-ports=8006
add action=dst-nat chain=dstnat dst-port=25565-25575 in-interface=ether3_WAN \
    log=yes protocol=tcp to-addresses=xxxx to-ports=25565-25575
add action=dst-nat chain=dstnat dst-port=22 protocol=tcp src-address=\
    xxxx to-addresses=xxxx to-ports=22
add action=dst-nat chain=dstnat dst-port=9191 protocol=tcp src-address=\
    xxxx to-addresses=xxxx to-ports=9191
add action=dst-nat chain=dstnat dst-port=25565-25575 in-interface=ether3_WAN \
    log=yes protocol=udp to-addresses=xxxx to-ports=25565-25575
add action=dst-nat chain=dstnat dst-port=25 in-interface=ether3_WAN log=yes \
    log-prefix=mailsrvpostfixsmtp_ protocol=tcp to-addresses=xxxx \
    to-ports=25
add action=dst-nat chain=dstnat dst-port=465 in-interface=ether3_WAN log=yes \
    log-prefix=mailsrvpostfixsmtps_ protocol=tcp to-addresses=xxxx \
    to-ports=465
add action=dst-nat chain=dstnat dst-port=587 in-interface=ether3_WAN log=yes \
    log-prefix=mailsrvpostfixsub_ protocol=tcp to-addresses=xxxx \
    to-ports=587
add action=dst-nat chain=dstnat dst-port=143 in-interface=ether3_WAN log=yes \
    log-prefix=mailsrvdovecotimap_ protocol=tcp to-addresses=xxxx \
    to-ports=143
add action=dst-nat chain=dstnat dst-port=993 in-interface=ether3_WAN log=yes \
    log-prefix=mailsrvdovecotimaps_ protocol=tcp to-addresses=xxxx \
    to-ports=993
add action=dst-nat chain=dstnat dst-port=110 in-interface=ether3_WAN \
    log-prefix=mailsrvdovecotpop3_ protocol=tcp to-addresses=xxxx \
    to-ports=110
add action=dst-nat chain=dstnat dst-port=995 in-interface=ether3_WAN log=yes \
    log-prefix=mailsrvdovecotpop3s_ protocol=tcp to-addresses=xxxx \
    to-ports=995
add action=dst-nat chain=dstnat dst-port=4190 in-interface=ether3_WAN \
    log-prefix=mailsrvdovecotms_ protocol=tcp to-addresses=xxxx \
    to-ports=4190
add action=dst-nat chain=dstnat dst-port=80 in-interface=ether3_WAN log=yes \
    log-prefix=mailsrvhttp_ protocol=tcp to-addresses=xxxx to-ports=80
add action=dst-nat chain=dstnat dst-port=443 in-interface=ether3_WAN log=yes \
    log-prefix=mailsrvhttps_ protocol=tcp to-addresses=xxxx to-ports=\
    443
/ip firewall service-port
set ftp disabled=yes
set tftp disabled=yes
set irc disabled=yes
set h323 disabled=yes
set sip disabled=yes
set pptp disabled=yes
set udplite disabled=yes
set dccp disabled=yes
set sctp disabled=yes
/ip route
add distance=1 gateway=xxxx
/system clock
set time-zone-name=Europe/Warsaw
Ignore the 25565 rules, I know they are wrong :)

The issue I have had with this config is that DNS was just not working at all (neither the ISP servers nor the router directly) until I added the src-port input rule
add action=accept chain=input dst-port="" in-interface=ether3_WAN protocol=udp \
    src-port=53
I wonder if this is normal behavior for RouterOS, that it needs to have a source port rule allowed in? I have used some port checkers to see if this makes 53 open from the outside, but it doesn't; it says it's closed. Makes me worried to have that input rule there though... I also noticed that using the MikroTik as DNS from the LAN wouldn't work without "Allow remote requests" on the DNS server.

I am also not sure if everything else here is correct. Is there anything else I should add/remove? I do want to run my own mail server, hence the NATed ports, so I am aware of those as well. Perhaps I should approach this completely differently?
 
Buckeye
Forum Veteran
Posts: 883
Joined: Tue Sep 11, 2018 2:03 am
Location: Ohio, USA

Re: Several beginner questions about config

Tue May 16, 2023 5:34 am

Can you explain what the purpose of the first rule in your firewall is?

/ip firewall filter
add action=passthrough chain=forward out-interface=ether3_WAN

More importantly, it does not appear that you are using any stateful rules, i.e. rules for returning established and related traffic.

Perhaps start here and look for interesting parts. New User Pathway To Config Success

Or possibly go with the defconf rules and then add port forwarding. At least that's what I did when starting to play with my first MikroTik router in a lab situation.
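Editor's note, added to the thread rather than part of either post above: the missing stateful rules explain the DNS symptom in the first post. The router sends its own lookups to the ISP resolvers out of ether3_WAN, the replies come back with source port 53, and the final "drop chain=input in-interface=ether3_WAN" rule discards them because nothing earlier accepts established/related traffic. The src-port=53 rule papers over that, but it is a spoofable hole: any UDP packet sent to the router with source port 53 passes it, regardless of which service it targets, and a DNS query crafted with source port 53 would reach the resolver even though ordinary port scanners (which use ephemeral source ports) report 53 as closed. The "action=passthrough" forward rule does nothing but count packets; RouterOS continues to the next rule, and since the forward chain then has no other rules, all forwarding is currently allowed. The configuration below is an added example, not the original poster's config and not the RouterOS defconf, written for RouterOS 6.x against the interface names from the thread (ether3_WAN, bridge_all_LAN). The addresses are assumed placeholders: 203.0.113.5 for the admin host, 192.168.88.10 for the mail server, 192.0.2.53 and 192.0.2.54 for the ISP resolvers.

```routeros
# Added example (not from the thread). Stateful default-deny filter for a
# RouterOS 6.x router with WAN on ether3_WAN and LAN on bridge_all_LAN.
# Assumed placeholder addresses: 203.0.113.5 = admin host,
# 192.168.88.10 = mail server, 192.0.2.53/192.0.2.54 = ISP resolvers.

/ip firewall filter
# --- input chain: packets addressed to the router itself ---
add chain=input action=accept connection-state=established,related,untracked \
    comment="replies to the router's own flows, e.g. answers from the ISP resolvers"
add chain=input action=drop connection-state=invalid comment="drop invalid"
add chain=input action=accept protocol=icmp comment="ping and path MTU discovery"
add chain=input action=accept in-interface=ether3_WAN protocol=tcp dst-port=8291 \
    src-address=203.0.113.5 comment="WinBox from the admin host only"
add chain=input action=accept in-interface=bridge_all_LAN \
    comment="LAN may reach the router: DNS on 53, DHCP, WinBox"
add chain=input action=drop comment="everything else to the router, WAN included"

# --- forward chain: packets routed through the router ---
add chain=forward action=accept connection-state=established,related,untracked
add chain=forward action=drop connection-state=invalid
add chain=forward action=accept connection-state=new in-interface=bridge_all_LAN \
    out-interface=ether3_WAN comment="LAN to internet"
add chain=forward action=accept connection-state=new in-interface=ether3_WAN \
    connection-nat-state=dstnat comment="new WAN flows only if a dst-nat rule matched"
add chain=forward action=drop comment="drop everything else by default"

/ip firewall nat
add chain=srcnat action=masquerade out-interface=ether3_WAN
# One dst-nat per exposed service; the forward chain admits the flow because
# connection-nat-state=dstnat is set on it, so no per-port forward rule is needed.
add chain=dstnat action=dst-nat in-interface=ether3_WAN protocol=tcp dst-port=25 \
    to-addresses=192.168.88.10 to-ports=25 comment="SMTP to the mail server"
add chain=dstnat action=dst-nat in-interface=ether3_WAN protocol=tcp dst-port=22 \
    src-address=203.0.113.5 to-addresses=192.168.88.10 to-ports=22 \
    comment="SSH to the mail server, admin host only"

/ip dns
# allow-remote-requests=yes is what lets LAN clients use the router as resolver;
# the input chain above (LAN accepted, WAN dropped) keeps it from being an open
# resolver on the WAN side, so no src-port=53 rule is required.
set allow-remote-requests=yes servers=192.0.2.53,192.0.2.54
```

To verify the behaviour after applying rules like these: "/ip firewall filter print stats" shows which rule each packet hit, and "/ip firewall connection print" lists the tracked flows, where a lookup from the router to 192.0.2.53 should appear as an established UDP entry while a DNS query sent to the WAN address from outside should show no connection at all. Rule order matters in RouterOS; the established/related accept must stay at the top of each chain so that return traffic never reaches the final drop.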
