Tiketek
just joined
Topic Author
Posts: 3
Joined: Fri Dec 01, 2023 7:59 pm
Location: France

Firewall Rules Vlans + AdGuard Home

Sat Dec 02, 2023 6:34 pm

Hello everybody,

I've recently learned to use RouterOS. I've done a lot of research, but I still have a lot of doubts about certain things, especially my firewall rules. That's why I'm asking for your help ;)
Forgive my English, it's not my native language. So I hope you'll understand.

My router: RB5009UPr+S+IN

I have created several Vlans:
/ip dhcp print           
# NAME                             INTERFACE        ADDRESS-POOL                 LEASE-TIME
0 DHCPv4 Server - Lan (Bridge)     Lan (Bridge)     Pool IPv4 - Lan (Bridge)     1d        
1 DHCPv4 Server - Vlan 10 (Home)   Vlan 10 (Home)   Pool IPv4 - Vlan 10 (Home)   1d        
2 DHCPv4 Server - Vlan 20 (IoT)    Vlan 20 (IoT)    Pool IPv4 - Vlan 20 (IoT)    1d        
3 DHCPv4 Server - Vlan 30 (Guest)  Vlan 30 (Guest)  Pool IPv4 - Vlan 30 (Guest)  1d        
4 DHCPv4 Server - Vlan 50 (DNS)    Vlan 50 (DNS)    static-only                  1d
Each Vlan uses my AdGuard Home DNS server (Vlan 50 - 192.168.50.50), which is installed on my Proxmox server:
/ip dhcp network print
# ADDRESS          GATEWAY       DNS-SERVER   
0 192.168.1.0/24   192.168.1.1   192.168.50.50
1 192.168.10.0/24  192.168.10.1  192.168.50.50
2 192.168.20.0/24  192.168.20.1  192.168.50.50
3 192.168.30.0/24  192.168.30.1  192.168.50.50
4 192.168.50.0/24  192.168.50.1  192.168.50.50
My questions:

I haven't set the DNS server in /ip dns, is this a mistake? Because I can't ping a domain name from the router if I don't set the IP of my DNS server.
/ip dns print
                      servers: 
              dynamic-servers: 
               use-doh-server: 
              verify-doh-cert: yes
   doh-max-server-connections: 5
   doh-max-concurrent-queries: 50
                  doh-timeout: 5s
        allow-remote-requests: no
          max-udp-packet-size: 4096
         query-server-timeout: 2s
          query-total-timeout: 10s
       max-concurrent-queries: 100
  max-concurrent-tcp-sessions: 20
                   cache-size: 2048KiB
                cache-max-ttl: 1w
      address-list-extra-time: 0s
What do you think of the firewall rules created for:

- DNS (Forward and NAT);
- Inter-Vlan blocking (Input and Forward) ?

Don't hesitate to let me know if I need to delete/change/add anything. I'm always willing to learn.
/ip firewall filter print

 0  D ;;; special dummy rule to show fasttrack counters
      chain=forward action=passthrough 

 1    ;;; Accept Established, Related, Untracked
      chain=input action=accept connection-state=established,related,untracked log=no log-prefix="" 

 2    ;;; Drop Invalid
      chain=input action=drop connection-state=invalid log=no log-prefix="" 

 3    ;;; Allow Gateways From MGMT Vlan 10 (Home)
      chain=input action=accept src-address-list=MGMT Vlan 10 (Home) dst-address-list=GW Vlan 10 (Home) log=no log-prefix="" 

 4    ;;; Block Gateways From Lan (Bridge)
      chain=input action=drop src-address-list=Lan (Bridge) dst-address-list=GW Lan (Bridge) log=no log-prefix="" 

 5    ;;; Block Gateways From Vlan 10 (Home)
      chain=input action=drop src-address-list=Vlan 10 (Home) dst-address-list=GW Vlan 10 (Home) log=no log-prefix="" 

 6    ;;; Block Gateways From Vlan 20 (IoT)
      chain=input action=drop src-address-list=Vlan 20 (IoT) dst-address-list=GW Vlan 20 (IoT) log=no log-prefix="" 

 7    ;;; Block Gateways From Vlan 30 (Guest)
      chain=input action=drop src-address-list=Vlan 30 (Guest) dst-address-list=GW Vlan 30 (Guest) log=no log-prefix="" 

 8    ;;; Block Gateways From Vlan 50 (DNS)
      chain=input action=drop src-address-list=Vlan 50 (DNS) dst-address-list=GW Vlan 50 (DNS) log=no log-prefix="" 

 9    ;;; Accept ICMP
      chain=input action=accept protocol=icmp log=no log-prefix="" 

10    ;;; Accept To Local Loopback (CAPsMAN)
      chain=input action=accept dst-address=127.0.0.1 log=no log-prefix="" 

11    ;;; Drop All Not Coming From Lan
      chain=input action=drop in-interface-list=!LAN log=no log-prefix="" 

12    ;;; Accept In IPsec Policy
      chain=forward action=accept log=no log-prefix="" ipsec-policy=in,ipsec 

13    ;;; Accept Out IPsec Policy
      chain=forward action=accept log=no log-prefix="" ipsec-policy=out,ipsec 
14    ;;; Fasttrack
      chain=forward action=fasttrack-connection hw-offload=yes connection-state=established,related log=no log-prefix="" 

15    ;;; Accept Established, Related, Untracked
      chain=forward action=accept connection-state=established,related,untracked log=no log-prefix="" 

16    ;;; Drop Invalid
      chain=forward action=drop connection-state=invalid log=no log-prefix="" 

      ;;; Allow LAN to Access DNS (TCP)
17    chain=forward action=accept protocol=tcp dst-address-list=AdGuard Home in-interface-list=LAN dst-port=53 log=no log-prefix="" 

      ;;; Allow LAN to Access DNS (UDP)
18    chain=forward action=accept protocol=udp dst-address-list=AdGuard Home in-interface-list=LAN dst-port=53 log=no log-prefix="" 

19    ;;; Allow All Vlans From MGMT Vlan 10 (Home)
      chain=forward action=accept src-address-list=MGMT Vlan 10 (Home) dst-address-list=RFC 1918 log=no log-prefix="" 

20    ;;; Block Internet Access From Elgato Key Light E120
      chain=forward action=drop src-address-list=Elgato Key Light E120 log=no log-prefix="" 

21    ;;; Block Inter-Vlans Traffic
      chain=forward action=drop src-address-list=RFC 1918 dst-address-list=RFC 1918 log=no log-prefix="" 

22    ;;; Drop All From Wan Not DSTNATed
      chain=forward action=drop connection-state=new connection-nat-state=!dstnat in-interface-list=WAN log=no log-prefix=""

/ip firewall nat print   
 0    ;;; Masquerade
      chain=srcnat action=masquerade out-interface-list=WAN log=no log-prefix="" ipsec-policy=out,none 
      ;;; DNS
 1    chain=dstnat action=dst-nat to-addresses=192.168.50.50 protocol=tcp src-address-list=!AdGuard Home in-interface-list=LAN dst-port=53 log=no log-prefix="" 

 2    chain=dstnat action=dst-nat to-addresses=192.168.50.50 protocol=udp src-address-list=!AdGuard Home in-interface-list=LAN dst-port=53 log=no log-prefix=""

/ip firewall address print
 # LIST                   ADDRESS          CREATION-TIME      
 0 RFC 1918               192.168.0.0/16   2023-10-05 20:10:51
 1 RFC 1918               172.16.0.0/12    2023-10-05 20:11:01
 2 RFC 1918               10.0.0.0/8       2023-10-05 20:11:17
 3 Vlan 10 (Home)         192.168.10.0/24  2023-10-09 10:37:27
 4 Vlan 20 (IoT)          192.168.20.0/24  2023-10-09 10:37:35
 5 Vlan 30 (Guest)        192.168.30.0/24  2023-10-09 10:37:45
 6 GW Vlan 20 (IoT)       192.168.1.1      2023-10-09 17:38:43
 7 GW Vlan 20 (IoT)       192.168.10.1     2023-10-09 17:39:24
 8 GW Vlan 20 (IoT)       192.168.30.1     2023-10-09 17:40:25
 9 GW Lan (Bridge)        192.168.10.1     2023-10-11 16:37:25
10 GW Lan (Bridge)        192.168.20.1     2023-10-11 16:37:46
11 GW Lan (Bridge)        192.168.30.1     2023-10-11 16:38:00
12 GW Vlan 30 (Guest)     192.168.1.1      2023-10-12 11:28:35
13 GW Vlan 30 (Guest)     192.168.10.1     2023-10-12 11:28:41
14 GW Vlan 30 (Guest)     192.168.20.1     2023-10-12 11:28:45
15 Elgato Key Light E120  192.168.10.40    2023-11-17 18:32:14
16 MGMT Vlan 10 (Home)    192.168.10.10    2023-11-20 18:02:58
17 MGMT Vlan 10 (Home)    192.168.10.11    2023-11-20 18:03:10
18 GW Vlan 10 (Home)      192.168.1.1      2023-11-20 18:04:14
19 GW Vlan 10 (Home)      192.168.20.1     2023-11-20 18:04:36
20 GW Vlan 10 (Home)      192.168.30.1     2023-11-20 18:04:44
21 Lan (Bridge)           192.168.1.1      2023-11-21 19:39:11
22 AdGuard Home           192.168.50.50    2023-11-29 19:26:38
23 GW Vlan 20 (IoT)       192.168.50.1     2023-12-01 15:47:04
24 GW Vlan 10 (Home)      192.168.50.1     2023-12-01 15:47:13
25 GW Vlan 50 (DNS)       192.168.1.1      2023-12-01 15:47:46
26 GW Vlan 50 (DNS)       192.168.10.1     2023-12-01 15:47:51
27 GW Vlan 50 (DNS)       192.168.20.1     2023-12-01 15:47:57
28 GW Vlan 50 (DNS)       192.168.30.1     2023-12-01 15:48:04
29 GW Lan (Bridge)        192.168.50.1     2023-12-01 15:48:24
30 Vlan 50 (DNS)          192.168.50.0/24  2023-12-01 15:48:39
31 GW Vlan 30 (Guest)     192.168.50.1     2023-12-01 17:46:35
Thank you very much, have a nice weekend :D
 
erlinden
Forum Guru
Posts: 1877
Joined: Wed Jun 12, 2013 1:59 pm
Location: Netherlands

Re: Firewall Rules Vlans + AdGuard Home

Sun Dec 03, 2023 12:15 am

Please use, instead of print, export to make the config more readable:
/ip/firewall/filter export
 
Tiketek
just joined
Topic Author
Posts: 3
Joined: Fri Dec 01, 2023 7:59 pm
Location: France

Re: Firewall Rules Vlans + AdGuard Home

Sun Dec 03, 2023 2:26 am

Thanks for this advice.
/ip firewall filter
add action=accept chain=input comment="Accept Established, Related, Untracked" \
    connection-state=established,related,untracked
add action=drop chain=input comment="Drop Invalid" connection-state=invalid
add action=accept chain=input comment="Allow Gateways From MGMT Vlan 10 (Home)" \
    dst-address-list="GW Vlan 10 (Home)" src-address-list="MGMT Vlan 10 (Home)"
add action=drop chain=input comment="Block Gateways From Lan (Bridge)" \
    dst-address-list="GW Lan (Bridge)" src-address-list="Lan (Bridge)"
add action=drop chain=input comment="Block Gateways From Vlan 10 (Home)" \
    dst-address-list="GW Vlan 10 (Home)" src-address-list="Vlan 10 (Home)"
add action=drop chain=input comment="Block Gateways From Vlan 20 (IoT)" \
    dst-address-list="GW Vlan 20 (IoT)" src-address-list="Vlan 20 (IoT)"
add action=drop chain=input comment="Block Gateways From Vlan 30 (Guest)" \
    dst-address-list="GW Vlan 30 (Guest)" src-address-list="Vlan 30 (Guest)"
add action=drop chain=input comment="Block Gateways From Vlan 50 (DNS)" \
    dst-address-list="GW Vlan 50 (DNS)" src-address-list="Vlan 50 (DNS)"
add action=accept chain=input comment="Accept ICMP" protocol=icmp
add action=accept chain=input comment="Accept To Local Loopback (CAPsMAN)" \
    dst-address=127.0.0.1
add action=drop chain=input comment="Drop All Not Coming From Lan" \
    in-interface-list=!LAN
add action=accept chain=forward comment="Accept In IPsec Policy" ipsec-policy=\
    in,ipsec
add action=accept chain=forward comment="Accept Out IPsec Policy" ipsec-policy=\
    out,ipsec
add action=fasttrack-connection chain=forward comment=Fasttrack \
    connection-state=established,related hw-offload=yes
add action=accept chain=forward comment=\
    "Accept Established, Related, Untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="Drop Invalid" connection-state=invalid
add action=accept chain=forward dst-address-list="AdGuard Home" dst-port=53 \
    in-interface-list=LAN protocol=tcp
add action=accept chain=forward dst-address-list="AdGuard Home" dst-port=53 \
    in-interface-list=LAN protocol=udp
add action=accept chain=forward comment=\
    "Allow All Vlans From MGMT Vlan 10 (Home)" dst-address-list="RFC 1918" \
    src-address-list="MGMT Vlan 10 (Home)"
add action=drop chain=forward comment=\
    "Block Internet Access From Elgato Key Light E120" src-address-list=\
    "Elgato Key Light E120"
add action=drop chain=forward comment="Block Inter-Vlans Traffic" \
    dst-address-list="RFC 1918" src-address-list="RFC 1918"
add action=drop chain=forward comment="Drop All From Wan Not DSTNATed" \
    connection-nat-state=!dstnat connection-state=new in-interface-list=WAN
    
/ip firewall nat
add action=masquerade chain=srcnat comment=Masquerade ipsec-policy=out,none out-interface-list=WAN
add action=dst-nat chain=dstnat dst-port=53 in-interface-list=LAN protocol=tcp src-address-list="!AdGuard Home" to-addresses=192.168.50.50
add action=dst-nat chain=dstnat dst-port=53 in-interface-list=LAN protocol=udp src-address-list="!AdGuard Home" to-addresses=192.168.50.50

/ip firewall address-list
add address=192.168.0.0/16 list="RFC 1918"
add address=172.16.0.0/12 list="RFC 1918"
add address=10.0.0.0/8 list="RFC 1918"
add address=192.168.10.0/24 list="Vlan 10 (Home)"
add address=192.168.20.0/24 list="Vlan 20 (IoT)"
add address=192.168.30.0/24 list="Vlan 30 (Guest)"
add address=192.168.1.1 list="GW Vlan 20 (IoT)"
add address=192.168.10.1 list="GW Vlan 20 (IoT)"
add address=192.168.30.1 list="GW Vlan 20 (IoT)"
add address=192.168.10.1 list="GW Lan (Bridge)"
add address=192.168.20.1 list="GW Lan (Bridge)"
add address=192.168.30.1 list="GW Lan (Bridge)"
add address=192.168.1.1 list="GW Vlan 30 (Guest)"
add address=192.168.10.1 list="GW Vlan 30 (Guest)"
add address=192.168.20.1 list="GW Vlan 30 (Guest)"
add address=192.168.10.40 list="Elgato Key Light E120"
add address=192.168.10.10 list="MGMT Vlan 10 (Home)"
add address=192.168.10.11 list="MGMT Vlan 10 (Home)"
add address=192.168.1.1 list="GW Vlan 10 (Home)"
add address=192.168.20.1 list="GW Vlan 10 (Home)"
add address=192.168.30.1 list="GW Vlan 10 (Home)"
add address=192.168.1.1 list="Lan (Bridge)"
add address=192.168.50.50 list="AdGuard Home"
add address=192.168.50.1 list="GW Vlan 20 (IoT)"
add address=192.168.50.1 list="GW Vlan 10 (Home)"
add address=192.168.1.1 list="GW Vlan 50 (DNS)"
add address=192.168.10.1 list="GW Vlan 50 (DNS)"
add address=192.168.20.1 list="GW Vlan 50 (DNS)"
add address=192.168.30.1 list="GW Vlan 50 (DNS)"
add address=192.168.50.1 list="GW Lan (Bridge)"
add address=192.168.50.0/24 list="Vlan 50 (DNS)"
add address=192.168.50.1 list="GW Vlan 30 (Guest)"
Edit: If you need any further explanation, please let me know, and I'll do my best to explain.
Last edited by Tiketek on Wed Feb 07, 2024 6:29 pm, edited 1 time in total.
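Added example, not code from the thread or from MikroTik: a small Python model that parses a RouterOS export (a constructed subset of the rules posted above, kept in their original order) and walks a few constructed flows through the dstnat chain and then the input or forward filter chain, reporting the first terminal rule each one hits. It assumes RouterOS semantics that hold for the posted configuration: dstnat runs before the filter chains, so the filter sees the translated destination (which is why a guest host's DNS query to a public resolver is accepted by the AdGuard rule), and a packet that matches no rule in a chain takes the implicit default, which is accept. The router's own addresses are taken from the /ip dhcp network table in the first post; sample hosts and the chain selection by destination address are assumptions, and matchers the model does not implement (ipsec-policy and the like) never match. The fourth flow is the check a reviewer would run on the posted input chain: a guest host reaching its own gateway on tcp/8291 matches neither the gateway block list (which holds only the other VLANs' gateways) nor the "not from LAN" drop, so it falls off the end of the chain and is accepted by default; the usual remedy is a final drop rule in the input chain after the explicit accepts.

```python
# Added example, not code from the thread: an offline model of the RouterOS export above.
import ipaddress
import shlex

# Constructed excerpt of the thread's export: a subset of its rules, in their original order.
EXPORT = r"""
/ip firewall address-list
add address=192.168.0.0/16 list="RFC 1918"
add address=192.168.30.0/24 list="Vlan 30 (Guest)"
add address=192.168.10.1 list="GW Vlan 30 (Guest)"
add address=192.168.10.10 list="MGMT Vlan 10 (Home)"
add address=192.168.50.50 list="AdGuard Home"
/ip firewall nat
add action=dst-nat chain=dstnat dst-port=53 in-interface-list=LAN protocol=udp \
    src-address-list="!AdGuard Home" to-addresses=192.168.50.50
/ip firewall filter
add action=drop chain=input comment="Block Gateways From Vlan 30 (Guest)" \
    dst-address-list="GW Vlan 30 (Guest)" src-address-list="Vlan 30 (Guest)"
add action=drop chain=input comment="Drop All Not Coming From Lan" in-interface-list=!LAN
add action=accept chain=forward comment="Allow LAN to Access DNS (UDP)" \
    dst-address-list="AdGuard Home" dst-port=53 in-interface-list=LAN protocol=udp
add action=accept chain=forward comment="Allow All Vlans From MGMT Vlan 10 (Home)" \
    dst-address-list="RFC 1918" src-address-list="MGMT Vlan 10 (Home)"
add action=drop chain=forward comment="Block Inter-Vlans Traffic" \
    dst-address-list="RFC 1918" src-address-list="RFC 1918"
add action=drop chain=forward comment="Drop All From Wan Not DSTNATed" \
    connection-nat-state=!dstnat connection-state=new in-interface-list=WAN
"""

# Gateway addresses from the thread's /ip dhcp network table; traffic to them enters the input chain.
ROUTER_ADDRS = {"192.168.1.1", "192.168.10.1", "192.168.20.1", "192.168.30.1", "192.168.50.1"}
SKIP = {"action", "chain", "comment", "to-addresses", "hw-offload", "log", "log-prefix"}
TERMINAL = {"accept", "drop", "reject", "fasttrack-connection"}

def parse_export(text):
    """{section: [rule dict]} from export text, joining backslash line continuations."""
    sections, current, buf = {}, None, ""
    for raw in text.splitlines():
        line = buf + raw.strip()
        if line.endswith("\\"):
            buf = line[:-1]
            continue
        buf = ""
        if line.startswith("/"):
            sections[(current := line)] = []
        elif line.startswith("add "):
            sections[current].append(dict(t.split("=", 1) for t in shlex.split(line[4:])))
    return sections

def matches(rule, pkt, lists):
    """True when every matcher in the rule fits the packet; unmodelled matchers never fit."""
    def in_list(name, addr):
        return any(ipaddress.ip_address(addr) in net for net in lists.get(name, []))
    def neg(sel, test):  # a leading '!' inverts a RouterOS selector
        return test(sel.lstrip("!")) != sel.startswith("!")
    tests = {
        "connection-state": lambda v: pkt["state"] in v.split(","),
        "src-address-list": lambda v: neg(v, lambda n: in_list(n, pkt["src"])),
        "dst-address-list": lambda v: neg(v, lambda n: in_list(n, pkt["dst"])),
        "protocol": lambda v: pkt["proto"] == v,
        "dst-port": lambda v: str(pkt["dport"]) in v.split(","),
        "in-interface-list": lambda v: neg(v, lambda n: pkt["iface"] == n),
        "connection-nat-state": lambda v: neg(v, lambda n: pkt["nat"] == n),
    }
    return all(tests.get(k, lambda v: False)(v) for k, v in rule.items() if k not in SKIP)

def walk(chain, rules, pkt, lists):
    for r in rules:  # first terminal rule that matches decides the packet
        if r["chain"] == chain and r["action"] in TERMINAL and matches(r, pkt, lists):
            return r["action"], r.get("comment", "")
    return "accept", "implicit chain default (no rule matched)"

def verdict(export, pkt):
    """Path of one flow: dstnat first, then the input or forward filter chain."""
    sec, lists, pkt = parse_export(export), {}, dict(pkt)
    for r in sec["/ip firewall address-list"]:
        lists.setdefault(r["list"], []).append(ipaddress.ip_network(r["address"]))
    for r in sec["/ip firewall nat"]:  # dstnat rewrites the destination before filtering
        if r["chain"] == "dstnat" and r["action"] == "dst-nat" and matches(r, pkt, lists):
            pkt["dst"], pkt["nat"] = r["to-addresses"], "dstnat"
            break
    chain = "input" if pkt["dst"] in ROUTER_ADDRS else "forward"
    return walk(chain, sec["/ip firewall filter"], pkt, lists)

def flow(src, dst, proto, dport, iface="LAN", state="new"):
    return {"src": src, "dst": dst, "proto": proto, "dport": dport,
            "iface": iface, "state": state, "nat": "none"}

# Constructed sample flows; the hosts are made-up addresses inside the thread's VLANs.
SAMPLE_FLOWS = {
    "guest host, DNS to a public resolver": flow("192.168.30.20", "8.8.8.8", "udp", 53),
    "guest host to a home VLAN host": flow("192.168.30.20", "192.168.10.40", "tcp", 445),
    "guest host to the home VLAN gateway": flow("192.168.30.20", "192.168.10.1", "tcp", 8291),
    "guest host to its own gateway": flow("192.168.30.20", "192.168.30.1", "tcp", 8291),
    "mgmt host to an IoT host": flow("192.168.10.10", "192.168.20.5", "tcp", 22),
    "new connection from WAN": flow("203.0.113.9", "192.168.10.40", "tcp", 22, iface="WAN"),
}
if __name__ == "__main__":
    for name, pkt in SAMPLE_FLOWS.items():
        print(f"{name:40} -> {verdict(EXPORT, pkt)}")
```

Feeding the full export in place of the excerpt works unchanged, since the parser only needs the three sections; flows with `state="established"` let you confirm that the "Accept Established, Related, Untracked" rules short-circuit the rest of each chain.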
 
Tiketek
just joined
Topic Author
Posts: 3
Joined: Fri Dec 01, 2023 7:59 pm
Location: France

Re: Firewall Rules Vlans + AdGuard Home

Mon Jan 29, 2024 5:11 pm

Hello,

I reconfigured my network from scratch following MikroTik Help + topics on this forum (Vlans, Firewall ...). So I really figured out what was wrong with my setup.

This post has become totally useless; you can delete it without problems.

Thank you and wish you a pleasant day.
