Harpur
just joined
Topic Author
Posts: 9
Joined: Thu May 18, 2023 6:05 pm

This should be easy

Tue Jun 20, 2023 3:37 pm

Hi, I'm new here but have been using RouterBOARD model 750 with firmware 2.41 for some time.

I can't get it to do something which I perceive to be incredibly simple - it's my failing.

The essence of what I'm trying to do is: a firewall within a LAN. I have a modem/gateway which I can't change, but its firewall is inadequate, so I'm trying to use the ROS as kind of an inline filter to further protect some servers.

The modem/gateway does DHCP and DNS etc. I want all my computers to be on the same IP pool and visible to each other, but I want 2 (potentially various) servers to have additional protection behind the Mikrotik.

As far as I can tell I shouldn't need NAT as I'm not really concealing IP addresses.

I have 4 ether interfaces in a bridge for the 'private' side, and ether1 is connected to the public-side (but is not literally public). I have a static IP address reserved for DHCP client on the public side, which allows me to connect fine.

I have tried (and disabled) various firewall rules on input and forward chain, which I have tested in various states of enablement. Nothing works right no matter what filter rules are applied: either nothing gets through at all or everything gets through unfiltered.

It appears no packets ever hit the forward chain.

I heard that I might still need NAT, despite not really trying to hide addresses, so I tried it with srcnat masquerade on ether1 - that didn't work. I also tried various dstnat configurations, all of which failed. Most advice on the forums seems to be for newer models as some features (e.g. in-address-list, fasttrack) seem to be unavailable, so that makes it tricky. Also, this model appears to not have distinct srcnat dstnat chains (or pre- / post- whatever), it just has: input, output and forward.

Can someone please advise on the basic steps that are essential for this configuration and for this model? I'm sure it must be really simple (especially as I've tried this with all firewall rules disabled), but I just can't fathom it!

Thanks in advance.
 
holvoetn
Forum Guru
Posts: 5325
Joined: Tue Apr 13, 2021 2:14 am
Location: Belgium

Re: This should be easy

Tue Jun 20, 2023 3:53 pm

A basic drawing of how your network is constructed, with clear indications of what is located where, might help.
Just a scan of a drawing on a piece of paper can do.
From your explanation it's rather confusing for me. Others might see things more clearly.

PS ROS 2.41 ??? :shock:
That's from before 2011 ??

Time to upgrade to latest ROS6, perhaps ?
 
anav
Forum Guru
Posts: 18958
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada
Contact:

Re: This should be easy

Tue Jun 20, 2023 4:01 pm

Do you have access to the modem gateway.......
I would try simply routing all traffic or port forwarding all traffic to the MT router and bypassing anything on the modem/router of the ISP.
 
Amm0
Forum Guru
Posts: 3169
Joined: Sun May 01, 2016 7:12 pm
Location: California

Re: This should be easy

Tue Jun 20, 2023 4:51 pm

The config might help here.

But essentially the clients need to use the Mikrotik as the default gateway for this to work. So you need to disable DHCP on the ISP router, use the Mikrotik DHCP server to assign the same subnet your ISP router uses, and have the DHCP network return the Mikrotik as their default gateway. The reason is that if the clients are using the ISP router's address as their default, the Mikrotik firewall will never come into play, since they send their traffic to the ISP router and the Mikrotik acts as a dumb switch in that case.
 
Harpur
just joined
Topic Author
Posts: 9
Joined: Thu May 18, 2023 6:05 pm

Re: This should be easy

Fri Jun 23, 2023 1:25 pm

Thank you all for your responses.

I will send a diagram as holvoetn suggested, but I will also try to explain again, in different words... As follows...

I have an ordinary home network consisting of modem and gateway, which does ordinary home things 'fine' / okay adequately. I have no good reason to change it, and it would be difficult / inconvenient and possibly costly to try. But, the firewall is basic, and I want to give my servers additional protection ( I get various probing attempts / hacks / brute force log in attempts every day). So the way I envisage it, I just need some sort of packet filter between my servers and the existing LAN. It would do things like: drop ssh except where source is in known list. Very simple things, but these are not possible on the existing (basic) firewall / gateway.

So, you could call it a firewall behind a firewall. You could call it an inline packet filter. All I need the Mikrotik to do is to better control access to certain machines within the existing LAN. It has to operate within the existing set up. It does not need to do anything (no DHCP, no DNS) except inspect / control packets that pass through to the servers.

I'll send a diagram as soon as I can, hoping that doesn't confuse things! Thanks again for your time on this. (And yes, I'll upgrade the ROS, but only if I can get this to work first)
 
Harpur
just joined
Topic Author
Posts: 9
Joined: Thu May 18, 2023 6:05 pm

Re: This should be easy

Fri Jun 23, 2023 1:45 pm

Diagram of set up
 
holvoetn
Forum Guru
Posts: 5325
Joined: Tue Apr 13, 2021 2:14 am
Location: Belgium

Re: This should be easy

Sun Jun 25, 2023 12:09 am

> Diagram of set up

Could it be some attachment is missing ?
 
fragtion
Member Candidate
Posts: 257
Joined: Fri Nov 13, 2009 10:08 pm
Location: Johannesburg, South Africa

Re: This should be easy

Sun Jun 25, 2023 5:47 am

Start by upgrading your version of RouterOS
 
Buckeye
Forum Veteran
Posts: 883
Joined: Tue Sep 11, 2018 2:03 am
Location: Ohio, USA

Re: This should be easy

Sun Jun 25, 2023 7:12 am

For someone complaining about things that should be easy, you don't seem to care much about making it easy for others to help.

1. Your title means nothing. Most people will just skip it because if you don't put enough effort into making the title relevant, it is a good indicator that the post won't be well formed either.

2. You didn't attach the image. To do that, click on "Attachments" under the post editing window, then click "Add files", and upload your picture, then move the cursor to where you want the picture to be displayed in your post, and then click on "Place inline"
Add picture to post.png
Last edited by Buckeye on Sun Jun 25, 2023 11:04 am, edited 1 time in total.
 
Buckeye
Forum Veteran
Posts: 883
Joined: Tue Sep 11, 2018 2:03 am
Location: Ohio, USA

Re: This should be easy

Sun Jun 25, 2023 7:36 am

> I have an ordinary home network consisting of modem and gateway, which does ordinary home things 'fine' / okay adequately. I have no good reason to change it, and it would be difficult / inconvenient and possibly costly to try. But, the firewall is basic, and I want to give my servers additional protection ( I get various probing attempts / hacks / brute force log in attempts every day). So the way I envisage it, I just need some sort of packet filter between my servers and the existing LAN. It would do things like: drop ssh except where source is in known list. Very simple things, but these are not possible on the existing (basic) firewall / gateway.

What model of the RB750 do you have? If it has 2.41, it is probably a discontinued model. And in my opinion, probably not worth wasting much time with, because it may have a single core 400 MHz processor. This is like trying to run Windows 10 on a 2012 PC with 2 GB of RAM, and expecting to get satisfactory results.

What do /system routerboard print and /system resource print say about the model you have (leave out the SN)?

Your existing "gateway" probably has a more powerful processor than the model you probably have.
 
jvanhambelgium
Forum Veteran
Posts: 985
Joined: Thu Jul 14, 2016 9:29 pm
Location: Belgium

Re: This should be easy

Sun Jun 25, 2023 8:14 am

> But, the firewall is basic, and I want to give my servers additional protection ( I get various probing attempts / hacks / brute force log in attempts every day). So the way I envisage it, I just need some sort of packet filter between my servers and the existing LAN. It would do things like: drop ssh except where source is in known list. Very simple things, but these are not possible on the existing (basic) firewall / gateway.

You can even do that on the server itself, depending on the server-OS it runs.
If you get ssh-logins on your server, it means your current ISP-modem/router has "port forwarding" enabled of some sort, otherwise packets would never end up at your server on your LAN. Can you confirm this ?
 
Harpur
just joined
Topic Author
Posts: 9
Joined: Thu May 18, 2023 6:05 pm

Re: This should be easy

Thu Jun 29, 2023 11:20 am

> Diagram of set up
> Could it be some attachment is missing ?

Hi Holvoetn. I've no idea why my attachment doesn't appear. I'll try again...
 
Harpur
just joined
Topic Author
Posts: 9
Joined: Thu May 18, 2023 6:05 pm

Re: This should be easy

Thu Jun 29, 2023 11:28 am

> For someone complaining about things that should be easy, you don't seem to care much about making it easy for others to help.
>
> 1. Your title means nothing. Most people will just skip it because if you don't put enough effort into making the title relevant, it is a good indicator that the post won't be well formed either.
>
> 2. You didn't attach the image. To do that, click on "Attachments" under the post editing window, then click "Add files", and upload your picture, then move the cursor to where you want the picture to be displayed in your post, and then click on "Place inline"
>
> Add picture to post.png

Hi Buckeye. Thanks for your suggestions. Unlike you I am not a forum veteran; this is my first post.

My title is not a complaint. I actually chose it to encourage people to view it. How wrong I was, it seems. The reason I chose that title is: it "should be easy"! Evidently that is also something I was wrong about!

I will try again to attach the diagram. It looks like I just uploaded it, maybe, and inserting it is a separate process? I will learn from this. If I ever have to ask for help again, at least I'll know all about how to do it.
 
Harpur
just joined
Topic Author
Posts: 9
Joined: Thu May 18, 2023 6:05 pm

Re: This should be easy

Thu Jun 29, 2023 11:40 am

Hi. I can't attach the image. I keep getting a status as a yellow exclamation mark. It's only one meg and it's JPG so I've no idea why. I tried dragging and dropping it.

Just ignore the whole thing. The (clearly too old to drop a few packets) Mikrotik can go in landfill.

I'm very grateful to everyone that tried to help though.
 
Harpur
just joined
Topic Author
Posts: 9
Joined: Thu May 18, 2023 6:05 pm

Re: This should be easy

Thu Jun 29, 2023 12:17 pm

> The config might help here.
>
> But essentially the clients need to use the Mikrotik as the default gateway for this to work. So you need to disable DHCP on the ISP router, use the Mikrotik DHCP server to assign the same subnet your ISP router uses, and have the DHCP network return the Mikrotik as their default gateway. The reason is that if the clients are using the ISP router's address as their default, the Mikrotik firewall will never come into play, since they send their traffic to the ISP router and the Mikrotik acts as a dumb switch in that case.

Thanks Amm0. I can't do it this way though.

The existing set up works for most devices just fine - TV, phones, laptops, ipads, printers, music system etc. There is just no need for me to change it and 'break' all that.

The servers on the LAN which I'd like to give additional protection will be behind the Mikrotik, so its firewall can come into play. Which is why in my first post I summarised it as a (kind of) "firewall within a LAN". "Dumb switch" is almost what I want... I just want it to integrate with the existing LAN, inspect packets going through and drop certain packets (example given previously).

I can't easily do this on the servers as they are consumer grade / SOHO NAS units.
 
Harpur
just joined
Topic Author
Posts: 9
Joined: Thu May 18, 2023 6:05 pm

Re: This should be easy

Thu Jun 29, 2023 12:44 pm

Maybe the best way to describe what I'm after is subtractively:

The RB 750 is a switch that in basic configuration performs gateway and firewall and LAN... The config I need is effectively the same, except do not perform DHCP server and do not perform as gateway.

Just perform as inline switch and firewall; just a packet filter. Add protection to devices on one side (the servers) within LAN managed on other side of Mikrotik. Like this:

INTERNET----->-----EXISTING:GATEWAY/DNS/DHCP/SWITCH/WIFI_LAN/BASIC_FIREWALL----->-----MIKROTIK_BETTER_FIREWALL/SWITCH----->-----SOHO_NAS_BOXE

I'm sure I'm not asking for something wildly unusual or demanding. It's pretty basic. Which is why an old / weak unit is perfect for the job. I'll do the upgrade once it works.
 
krafg
Forum Guru
Posts: 1020
Joined: Sun Jun 28, 2015 7:36 pm

Re: This should be easy

Thu Jun 29, 2023 3:06 pm

If you need a firewall on the Mikrotik, it needs to work as a router, not a switch.

What would I do?

I would call the ISP and ask if it is possible to put the existing gateway in bridge mode. Then I would manage everything using the Mikrotik (DHCP, firewall, WAN connection, etc.)

The RB750 does not come with Wi-Fi, so add an access point somewhere.

Regards.
 
Harpur
just joined
Topic Author
Posts: 9
Joined: Thu May 18, 2023 6:05 pm

Re: This should be easy

Thu Jun 29, 2023 4:17 pm

> If you need a firewall on the Mikrotik, it needs to work as a router, not a switch.
>
> What would I do?
>
> I would call the ISP and ask if it is possible to put the existing gateway in bridge mode. Then I would manage everything using the Mikrotik (DHCP, firewall, WAN connection, etc.)
>
> The RB750 does not come with Wi-Fi, so add an access point somewhere.
>
> Regards.

Okay, thanks krafg, that was an option I'd considered, but I won't do it (it's not worth the hassle).

Surprisingly it seems it's not possible. Thanks to all who responded.
