 
dima1002
Member Candidate
Topic Author
Posts: 157
Joined: Fri Jan 26, 2018 8:40 pm

Firewall - DNS Open? - Urgent

Wed Oct 18, 2023 1:38 pm

Hi,

I have a lot of external requests on port 53. I suspect there is an error in my firewall, but I can't find it. Does anyone see the error?
/ip firewall filter
add action=drop chain=input comment=Drop_detect_DDoS connection-state=new dst-address-list=ddosed src-address-list=ddoser
add action=jump chain=input comment=detect_DDoS connection-state=new jump-target=detect_DDoS
add action=drop chain=input comment=Drop_FtB_Level_03 src-address-list=Level_03
add action=add-src-to-address-list address-list=Level_03 address-list-timeout=none-dynamic chain=input comment=FtB_Level_03 connection-state=new dst-port=45735,8291 protocol=tcp src-address-list=\
    Level_02
add action=add-src-to-address-list address-list=Level_02 address-list-timeout=5m chain=input comment=FtB_Level_02 connection-state=new dst-port=45735,8291 protocol=tcp src-address-list=Level_01
add action=add-src-to-address-list address-list=Level_01 address-list-timeout=5m chain=input comment=FtB_Level_01 connection-state=new dst-port=45735,8291 protocol=tcp
add action=accept chain=input comment=Accept_Est_und_Rel connection-state=established,related
add action=accept chain=input comment=Wireguard dst-port=13240 in-interface-list=WAN protocol=udp
add action=accept chain=input comment=Wireguard dst-port=13241 in-interface-list=WAN protocol=udp
add action=accept chain=input comment=Wireguard dst-port=53245 in-interface-list=WAN protocol=udp
add action=accept chain=input comment=IPsec-ESP protocol=ipsec-esp
add action=accept chain=input comment=L2TP dst-port=500,4500 protocol=udp
add action=accept chain=input comment=SNMP dst-port=161 protocol=udp src-address-list=local
add action=accept chain=input comment=HTTPS_ROUTER_Intern dst-port=1443 protocol=tcp src-address-list=local
add action=accept chain=input comment=Accept_DNS dst-port=53 in-interface-list=!WAN log=yes log-prefix=DNS protocol=udp src-address-list=local
add action=accept chain=input comment=MGMT dst-port=45735,8291 in-interface-list=!WAN protocol=tcp src-address-list=MGMT
add action=accept chain=input comment=MGMT dst-port=45735,8291 protocol=tcp
add action=accept chain=input comment=CAPsMAN_localhost
add action=drop chain=input comment=Drop_Invalid connection-state=invalid
add action=drop chain=input comment=Drop_Rest_all
add action=drop chain=forward comment=Drop_detect_DDoS connection-state=new dst-address-list=ddosed src-address-list=ddoser
add action=jump chain=forward comment=detect_DDoS connection-state=new jump-target=detect_DDoS
add action=accept chain=forward comment=Accept_forward_from_dst-nat_to_OPNsense connection-nat-state=dstnat dst-address=192.168.252.253 dst-port=443 protocol=tcp
add action=accept chain=forward comment=Accept_forward_from_dst-nat_to_OPNsense connection-nat-state=dstnat dst-address=192.168.252.253 dst-port=5222 protocol=tcp
add action=accept chain=forward comment=Accept_forward_from_dst-nat_to_OPNsense connection-nat-state=dstnat dst-address=192.168.252.253 dst-port=5061 protocol=tcp
add action=accept chain=forward comment=Accept_forward_from_dst-nat_to_OPNsense connection-nat-state=dstnat dst-address=192.168.252.253 dst-port=5060 protocol=udp
add action=accept chain=forward comment=Accept_forward_from_dst-nat_to_OPNsense connection-nat-state=dstnat dst-address=192.168.252.253 dst-port=2022 protocol=tcp
add action=accept chain=forward comment=Accept_forward_from_dst-nat_to_CameraNAS connection-nat-state=dstnat dst-address=172.16.1.10 dst-port=5005 protocol=tcp
add action=accept chain=forward comment=Accept_Est_und_Rel connection-state=established,related
add action=drop chain=forward comment=Only_Internet out-interface-list=!WAN src-address-list=Produktion
add action=drop chain=forward comment=GUEST_ONLY_INTERNET dst-port=80,443 out-interface-list=!WAN protocol=tcp src-address-list=Gast
add action=drop chain=forward comment=NO_INTERNET out-interface-list=WAN src-address-list=Offline
add action=return chain=detect_DDoS dst-limit=128,128,src-and-dst-addresses/20s src-address-list=!local
add action=return chain=detect_DDoS src-address-list=local
add action=add-dst-to-address-list address-list=ddosed address-list-timeout=30m chain=detect_DDoS
add action=add-src-to-address-list address-list=ddoser address-list-timeout=30m chain=detect_DDoS
add action=accept chain=forward in-interface=VLAN_99 out-interface=VPNCOMP
add action=accept chain=forward comment=Accept_Remote_to_Company dst-address-list=Company src-address-list=Remote
add action=accept chain=forward comment=Accept_Remote_to_Company dst-address-list=MGMT src-address-list=Remote
add action=accept chain=forward comment=Accept_Remote_to_Company dst-address-list=DMZ src-address-list=Remote
add action=drop chain=forward comment=Drop_IOT_to_Company dst-address-list=Company src-address-list=IOT
add action=accept chain=forward comment=Drop_IOT_to_Company dst-address-list=Music src-address-list=IOT
add action=accept chain=forward comment=Drop_IOT_to_Company dst-address-list=IOT src-address-list=Music
add action=drop chain=forward comment=Drop_Invalid connection-state=invalid
add action=accept chain=forward comment=Wireguard_Roadwarrior_auf_Company dst-address-list=Company src-address-list=Wireguard
add action=accept chain=forward comment=Wireguard_Roadwarrior_auf_Music dst-address-list=Music src-address-list=Wireguard
add action=accept chain=forward comment=Wireguard_Roadwarrior_auf_DMZ dst-address-list=DMZ_BB src-address-list=Wireguard
add action=accept chain=forward comment=Wireguard_Roadwarrior_auf_DMZ dst-address-list=DMZ_BO src-address-list=Wireguard
add action=accept chain=forward comment=Wireguard_Roadwarrior_auf_IOT dst-address-list=IOT src-address-list=Wireguard
add action=accept chain=forward dst-address-list=IOT src-address-list=Company
add action=accept chain=forward dst-address-list=Company src-address-list=IOT
add action=accept chain=forward log=yes log-prefix=AAAAAAAAAA src-address-list=MGMT
add action=accept chain=forward comment=Wireguard_Roadwarrior_auf_Company dst-address-list=DIMA src-address-list=Wireguard
add action=accept chain=forward comment=Accept_Local src-address-list=local
add action=drop chain=forward comment=Drop_Rest_all
 
dima1002
Member Candidate
Topic Author
Posts: 157
Joined: Fri Jan 26, 2018 8:40 pm

Re: Firewall - DNS Open? - Urgent

Wed Oct 18, 2023 1:44 pm

Forgot to mention something else. When I do an external port scan, port 53 is closed.

172.16.2.20 is my WAN port. I have a modem in front of it with Exposed Host.

Connection List (flags: C = confirmed):
 #    F  PROTO  SRC-ADDRESS            DST-ADDRESS     TIMEOUT  ORIG-RATE  REPL-RATE  ORIG-PACKETS  REPL-PACKETS  ORIG-BYTES  REPL-BYTES
413   C  udp    93.113.159.82:55980    172.16.2.20:53  1s       0bps       0bps       1             0             71          0
414   C  udp    93.113.159.54:25223    172.16.2.20:53  1s       0bps       0bps       2             0             142         0
415   C  udp    160.20.21.21:443       172.16.2.20:53  1s       0bps       0bps       1             0             48          0
416   C  udp    143.92.35.106:31110    172.16.2.20:53  1s       0bps       0bps       1             0             71          0
417   C  udp    179.125.46.114:443     172.16.2.20:53  1s       0bps       0bps       1             0             57          0
418   C  udp    179.125.44.16:443      172.16.2.20:53  3s       0bps       0bps       2             0             96          0
419   C  udp    122.189.171.111:36052  172.16.2.20:53  1s       0bps       0bps       1             0             71          0
420   C  udp    160.20.20.183:443      172.16.2.20:53  1s       0bps       0bps       1             0             48          0
421   C  udp    143.92.35.106:19122    172.16.2.20:53  1s       0bps       0bps       1             0             71          0
422   C  udp    93.113.159.86:17100    172.16.2.20:53  1s       0bps       0bps       1             0             71          0
423   C  udp    179.125.46.125:443     172.16.2.20:53  1s       0bps       0bps       1             0             57          0
424   C  udp    156.234.127.190:62084  172.16.2.20:53  1s       0bps       0bps       1             0             71          0
425   C  udp    93.113.159.186:56850   172.16.2.20:53  1s       0bps       0bps       1             0             71          0
426   C  udp    143.92.35.106:33241    172.16.2.20:53  1s       0bps       0bps       1             0             71          0
427   C  udp    156.234.127.190:18209  172.16.2.20:53  1s       0bps       0bps       1             0             71          0
428   C  udp    192.250.255.40:44021   172.16.2.20:53  1s       0bps       0bps       1             0             71          0
429   C  udp    93.113.159.150:62256   172.16.2.20:53  1s       0bps       0bps       1             0             71          0
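Reading the connection list above: the destination is the router's own address, so these packets are handled by the input chain, and the REPL-PACKETS column shows whether the router actually answered a stranger (an answered query from an arbitrary host is what makes a resolver usable for reflection). The following Python script, an added example that is not part of the original post, parses `/ip firewall connection print` output, counts queries per external source aimed at the router on port 53, reports which of them received replies, and emits RouterOS address-list commands for the offenders. The sample rows are constructed from the ones quoted in the thread plus one made-up LAN client (row 430); the WAN address 172.16.2.20 comes from the post, while the LAN gateway address 192.168.100.1 and the RFC 1918 definition of "local" are assumptions.

```python
"""Triage a RouterOS '/ip firewall connection print' dump: which external
hosts are talking to the router's own port 53, and did the router answer?
Added example, not code from the forum post."""
import ipaddress
from collections import Counter

ROUTER_ADDRS = {
    ipaddress.ip_address("172.16.2.20"),    # WAN address given in the post
    ipaddress.ip_address("192.168.100.1"),  # assumed LAN gateway address
}
# Assumption: the poster's 'local' address-list covers the RFC 1918 space.
LOCAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed sample: rows quoted in the thread plus one made-up LAN client (row 430).
# Columns after DST: timeout, orig-rate, repl-rate, orig-packets, repl-packets, orig-bytes, repl-bytes
SAMPLE = """\
413    C      udp      93.113.159.82:55980   172.16.2.20:53     1s   0bps  0bps  1  0  71   0
414    C      udp      93.113.159.54:25223   172.16.2.20:53     1s   0bps  0bps  2  0  142  0
415    C      udp      160.20.21.21:443      172.16.2.20:53     1s   0bps  0bps  1  0  48   0
416    C      udp      143.92.35.106:31110   172.16.2.20:53     1s   0bps  0bps  1  0  71   0
421    C      udp      143.92.35.106:19122   172.16.2.20:53     1s   0bps  0bps  1  0  71   0
430    SAC    udp      192.168.100.5:51002   192.168.100.1:53   9s   0bps  0bps  1  1  60   124
"""


def parse_connections(dump):
    """One dict per tcp/udp row. The flags column may be empty, so anchor on the protocol token."""
    rows = []
    for line in dump.splitlines():
        parts = line.split()
        proto_idx = next((i for i, t in enumerate(parts) if t in ("tcp", "udp")), None)
        if proto_idx is None or len(parts) < proto_idx + 10:
            continue
        src, sport = parts[proto_idx + 1].rsplit(":", 1)
        dst, dport = parts[proto_idx + 2].rsplit(":", 1)
        rows.append({
            "proto": parts[proto_idx],
            "src": ipaddress.ip_address(src), "sport": int(sport),
            "dst": ipaddress.ip_address(dst), "dport": int(dport),
            "orig_packets": int(parts[proto_idx + 6]),  # packets sent by the originator
            "repl_packets": int(parts[proto_idx + 7]),  # packets the router sent back
        })
    return rows


def is_local(addr):
    return any(addr in net for net in LOCAL_NETS)


def external_dns_clients(rows, router_addrs=ROUTER_ADDRS):
    """Queries per external source aimed at the router itself on port 53.
    Returns (queries_per_source, sources_that_got_a_reply)."""
    queries, answered = Counter(), set()
    for r in rows:
        if r["dport"] != 53 or r["dst"] not in router_addrs or is_local(r["src"]):
            continue
        queries[str(r["src"])] += r["orig_packets"]
        if r["repl_packets"]:
            answered.add(str(r["src"]))  # the router acted as an open resolver for this host
    return queries, answered


def address_list_commands(queries, list_name="dns_abusers", timeout="1d"):
    """RouterOS commands that put the offenders in an address-list. This is a stop-gap
    for an ongoing flood; the real fix is the input-chain rule that let them in."""
    return [f"/ip firewall address-list add list={list_name} address={ip} timeout={timeout} "
            f"comment=\"{n} pkts to udp/53\"" for ip, n in queries.most_common()]


if __name__ == "__main__":
    q, a = external_dns_clients(parse_connections(SAMPLE))
    for ip, n in q.most_common():
        print(f"{ip:<16} {n:>3} queries  {'ANSWERED' if ip in a else 'no reply'}")
    print("\n".join(address_list_commands(q)))
```

Run it against the output of `/ip firewall connection print without-paging` saved from the router. Sources that show up as ANSWERED are the ones the router has already served; sources with no reply still prove that the input chain is letting the packets through.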
 
monkez
just joined
Posts: 5
Joined: Thu Feb 13, 2014 1:37 pm
Location: Příbram, Czech Republic

Re: Firewall - DNS Open? - Urgent  [SOLVED]

Wed Oct 18, 2023 2:19 pm

Hello!

I think.... this rule might be the problem:
add action=accept chain=input comment=CAPsMAN_localhost
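The rule quoted above has no matcher at all, so it accepts every packet addressed to the router, and because it sits before the "drop invalid" and "drop rest" rules, those two are never evaluated. That class of mistake can be found mechanically. The following Python script is an added example, not code from the thread or from MikroTik: it parses a `/ip firewall filter` export (including `\`-continued lines), flags input-chain accept rules that any internet host can match, flags the catch-all accept, and marks rules below a catch-all as unreachable. The sample export is a constructed excerpt of the poster's input chain; the assumption that the interface list named `WAN` is the internet-facing one is a parameter.

```python
"""Audit a RouterOS '/ip firewall filter' export: which input-chain accept
rules can be hit from the internet, which one accepts everything, and which
rules behind it are never evaluated.  Added example, not code from the
thread; the sample is a constructed excerpt of the poster's input chain."""
import ipaddress
import shlex

# Keys that describe the rule rather than match packets.
META_KEYS = {"action", "chain", "comment", "log", "log-prefix", "disabled",
             "place-before", "jump-target", "address-list", "address-list-timeout"}

SAMPLE = """\
/ip firewall filter
add action=accept chain=input comment=Accept_Est_und_Rel connection-state=established,related
add action=accept chain=input comment=Wireguard dst-port=13240 in-interface-list=WAN protocol=udp
add action=accept chain=input comment=SNMP dst-port=161 protocol=udp src-address-list=local
add action=accept chain=input comment=Accept_DNS dst-port=53 in-interface-list=!WAN log=yes \\
    log-prefix=DNS protocol=udp src-address-list=local
add action=accept chain=input comment=MGMT dst-port=45735,8291 protocol=tcp
add action=accept chain=input comment=CAPsMAN_localhost
add action=drop chain=input comment=Drop_Invalid connection-state=invalid
add action=drop chain=input comment=Drop_Rest_all
"""


def parse_export(text):
    """Join backslash-continued lines and return one {key: value} dict per 'add' command."""
    logical, buf = [], ""
    for raw in text.splitlines():
        line = raw.strip()
        if line.endswith("\\"):
            buf += line[:-1]             # RouterOS continues the command on the next line
            continue
        logical.append(buf + line)
        buf = ""
    rules = []
    for line in logical:
        if line.startswith("add "):
            rule = {}
            for tok in shlex.split(line[4:]):   # honours comment="with spaces"
                key, _, val = tok.partition("=")
                rule[key] = val
            rules.append(rule)
    return rules


def source_restricted(rule, wan_lists):
    """True if some matcher stops arbitrary internet hosts from matching the rule."""
    if any(k in rule for k in ("src-address", "src-address-list", "src-mac-address", "ipsec-policy")):
        return True
    states = set(rule.get("connection-state", "new").split(","))
    if states <= {"established", "related", "untracked"}:
        return True                      # only flows some other rule already let in
    dst = rule.get("dst-address", "")
    if dst and not dst.startswith("!") and ipaddress.ip_network(dst, strict=False).is_loopback:
        return True                      # the defconf CAPsMAN rule: router talking to itself
    for key in ("in-interface", "in-interface-list"):
        if key in rule:
            val = rule[key]
            if (val.lstrip("!") in wan_lists) == val.startswith("!"):
                return True              # excludes WAN, or names a non-WAN interface/list
    return False


def audit(text, wan_lists=frozenset({"WAN"})):
    """Return (chain, rule label, finding) tuples in rule order."""
    findings, dead_chains = [], set()
    for idx, rule in enumerate(parse_export(text)):
        if rule.get("disabled") == "yes":
            continue
        chain, action = rule.get("chain"), rule.get("action")
        label = rule.get("comment") or f"rule {idx}"
        if chain in dead_chains:
            findings.append((chain, label, "UNREACHABLE: an earlier rule in this chain matches every packet"))
            continue
        matchers = {k for k in rule if k not in META_KEYS}
        if not matchers and action in ("accept", "drop", "reject"):
            dead_chains.add(chain)       # terminal catch-all: nothing below it is evaluated
            if chain == "input" and action == "accept":
                findings.append((chain, label, "WIDE OPEN: accepts anything sent to the router from anywhere"))
        elif chain == "input" and action == "accept" and not source_restricted(rule, wan_lists):
            exposed = " ".join(f"{k}={rule[k]}" for k in sorted(matchers))
            findings.append((chain, label, f"INTERNET-REACHABLE: {exposed}"))
    return findings


if __name__ == "__main__":
    for chain, label, msg in audit(SAMPLE):
        print(f"[{chain}] {label}: {msg}")
```

INTERNET-REACHABLE findings are not necessarily errors (the WireGuard handshake port has to be reachable), but each one should be a deliberate decision; the rule with no matchers, and the rules listed as UNREACHABLE behind it, are the actual fault. Feed it the output of `/export file=...` to check the whole filter table rather than the excerpt.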
 
anav
Forum Guru
Posts: 18696
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Firewall - DNS Open? - Urgent

Wed Oct 18, 2023 3:34 pm

It's amazing to me how a config full of bogus crap, designed to block all traffic but with little focus on allowed traffic and built upon fear, has the one rule that leaves the front door wide open. Almost comical. I would add it's harder to see such simple errors with such an overly busy and complex firewall ruleset.

Truth is, the default ruleset is actually better than this monster.
Your best bet is to simplify and ensure there is no access to the input chain from the outside, period.
If you want to remotely access the config, use VPN.


Highly suggest you scrap the crap and use this as a basis....
/ip firewall filter
{Input Chain}
(default rules to keep)
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment="defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
(admin rules)
add action=accept chain=input in-interface-list=Authorized src-address-list=Authorized
add action=accept chain=input comment="Allow LAN DNS queries-UDP" dst-port=53 in-interface-list=LAN protocol=udp
add action=accept chain=input comment="Allow LAN DNS queries - TCP" dst-port=53 in-interface-list=LAN protocol=tcp
add action=drop chain=input comment="drop all else"  { last rule to add as this will cut off access to router if above rules not in place }
{forward chain}
(default rules to keep)
add action=accept chain=forward comment="defconf: accept in ipsec policy" ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related
add action=accept chain=forward comment="defconf: accept established,related, untracked" connection-state=established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
(admin rules)
add action=accept chain=forward comment="allow internet traffic" in-interface-list=LAN out-interface-list=WAN
add action=accept chain=forward comment="port forwarding" connection-nat-state=dstnat  { disable or remove if not required }
add action=drop chain=forward comment="drop all else"
Note1: Use VPN to access router remotely, place required input chain rules as first of user rules.....
Note2: Use firewall address list Authorized to permit only admin to access router for config purposes ( static dhcp leases and any fixed vpn IP addresses )
Note3: To add required traffic use the forward chain and insert prior to the last drop all rule!
 
dima1002
Member Candidate
Topic Author
Posts: 157
Joined: Fri Jan 26, 2018 8:40 pm

Re: Firewall - DNS Open? - Urgent

Wed Oct 18, 2023 8:17 pm

Hello!

monkez wrote:
I think.... this rule might be the problem:
add action=accept chain=input comment=CAPsMAN_localhost
thank you, that really helped.
Would that be better then?

add action=accept chain=input comment=CAPsMAN_localhost disabled=yes dst-port=5246 protocol=udp
add action=accept chain=input comment=CAPsMAN_localhost disabled=yes dst-port=5247 protocol=udp

What do strangers actually benefit from using my router as a DNS server?
 
dima1002
Member Candidate
Topic Author
Posts: 157
Joined: Fri Jan 26, 2018 8:40 pm

Re: Firewall - DNS Open? - Urgent

Wed Oct 18, 2023 8:23 pm

anav wrote:
It's amazing to me how a config full of bogus crap, designed to block all traffic but with little focus on allowed traffic and built upon fear, has the one rule that leaves the front door wide open. Almost comical. [...]
Highly suggest you scrap the crap and use this as a basis.... [...]
I paid for that crap :-)
I sought help from a Mikrotik specialist for the firewall rules and paid him for it.

Can you maybe help me with that then?
 
anav
Forum Guru
Posts: 18696
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Firewall - DNS Open? - Urgent

Wed Oct 18, 2023 8:52 pm

You should ask for a refund..........
Clearly you seem to need
a. some VPN connectivity to config router and for workers to access local addresses? --> wireguard is best and if only that I can help as limited for other types
b. clean firewall rules, which are usually accomplished by a clear set of what traffic should be allowed, simple! as the drop all rules at the end of the firewall rules provided get rid of the rest for you.
c. maybe some port forwarding if you have servers behind the router.
d. maybe some ip routes and wan connections to consider

Devil is in the details, assuming you have one bridge and a number of vlans to distribute.
 
dima1002
Member Candidate
Topic Author
Posts: 157
Joined: Fri Jan 26, 2018 8:40 pm

Re: Firewall - DNS Open? - Urgent

Wed Oct 18, 2023 9:23 pm

I'll ask for a refund.
I am willing to learn and also pay for a good service provider. But how are you supposed to know which one is good?

I'm not completely ignorant, but I don't really understand a few firewall rules.

We all use Wireguard, that's no problem.

I usually have a bridge and up to 20 VLANs.
For example, the guest network should only use ports 80 and 443, there are some machines in the production network that are not allowed to be online, etc.

Can you help me work through this?
######Here I wanted to fend off DDOS attacks
add action=drop chain=input comment=Drop_detect_DDoS connection-state=new dst-address-list=ddosed src-address-list=ddoser
add action=jump chain=input comment=detect_DDoS connection-state=new jump-target=detect_DDoS
add action=drop chain=input comment=Drop_FtB_Level_03 src-address-list=Level_03
add action=add-src-to-address-list address-list=Level_03 address-list-timeout=none-dynamic chain=input comment=FtB_Level_03 connection-state=new dst-port=45131,8291 protocol=tcp src-address-list=\
    Level_02
add action=add-src-to-address-list address-list=Level_02 address-list-timeout=5m chain=input comment=FtB_Level_02 connection-state=new dst-port=45131,8291 protocol=tcp src-address-list=Level_01
add action=add-src-to-address-list address-list=Level_01 address-list-timeout=5m chain=input comment=FtB_Level_01 connection-state=new dst-port=45131,8291 protocol=tcp
add action=accept chain=input comment=Accept_Est_und_Rel connection-state=established,related

######we have many Wireguard VPNs, hence 3 interfaces
add action=accept chain=input comment=Wireguard dst-port=13240 in-interface-list=WAN protocol=udp
add action=accept chain=input comment=Wireguard dst-port=13241 in-interface-list=WAN protocol=udp
add action=accept chain=input comment=Wireguard dst-port=53245 in-interface-list=WAN protocol=udp

######We also have a few Ipsec tunnels, which are gradually being replaced by wireguard.
add action=accept chain=input comment=IPsec-ESP protocol=ipsec-esp
add action=accept chain=input comment=L2TP dst-port=500,4500 protocol=udp

######We query SNMP via the VPN, therefore with list
add action=accept chain=input comment=SNMP dst-port=161 protocol=udp src-address-list=local

######Https on the MIkrotik from Intern
add action=accept chain=input comment=HTTPS_ROUTER_Intern dst-port=1449 protocol=tcp src-address-list=local

######To allow DNS requests from internally, from the networks with the list
add action=accept chain=input comment=Accept_DNS dst-port=53 in-interface-list=!WAN log=yes log-prefix=DNS protocol=udp src-address-list=local

######SSH has a different port and Winbox allows it. I already understood, I won't allow blocking from the Internet anymore, right?
add action=accept chain=input comment=MGMT dst-port=45131,8291 in-interface-list=!WAN protocol=tcp src-address-list=MGMT
add action=accept chain=input comment=MGMT dst-port=45131,8291 protocol=tcp

######If a router has WiFi and Capsman can be addressed. Here I have already adapted the rule with 127.0.0.1. I didn't even think of limiting it like that
add action=accept chain=input comment=CAPsMAN_localhost dst-address=127.0.0.1
add action=drop chain=input comment=Drop_Invalid connection-state=invalid
add action=drop chain=input comment=Drop_Rest_all
add action=drop chain=forward comment=Drop_detect_DDoS connection-state=new dst-address-list=ddosed src-address-list=ddoser
add action=jump chain=forward comment=detect_DDoS connection-state=new jump-target=detect_DDoS

######this is forward to Opnsense (HA Proxy)
add action=accept chain=forward comment=Accept_forward_from_dst-nat_to_OPNsense connection-nat-state=dstnat dst-address=192.168.152.253 dst-port=443 protocol=tcp
add action=accept chain=forward comment=Accept_forward_from_dst-nat_to_OPNsense connection-nat-state=dstnat dst-address=192.168.152.253 dst-port=5222 protocol=tcp
add action=accept chain=forward comment=Accept_forward_from_dst-nat_to_OPNsense connection-nat-state=dstnat dst-address=192.168.152.253 dst-port=5061 protocol=tcp
add action=accept chain=forward comment=Accept_forward_from_dst-nat_to_OPNsense connection-nat-state=dstnat dst-address=192.168.152.253 dst-port=5060 protocol=udp
add action=accept chain=forward comment=Accept_forward_from_dst-nat_to_OPNsense connection-nat-state=dstnat dst-address=192.168.152.253 dst-port=2022 protocol=tcp

add action=accept chain=forward comment=Accept_Est_und_Rel connection-state=established,related

######These PCs are only allowed to access the Internet and not the LAN
add action=drop chain=forward comment=Only_Internet out-interface-list=!WAN src-address-list=Produktion

######Guest LAN may only use ports 80 and 443
add action=drop chain=forward comment=GUEST_ONLY_INTERNET dst-port=80,443 out-interface-list=!WAN protocol=tcp src-address-list=Gast

##### These PCs are offline
add action=drop chain=forward comment=NO_INTERNET out-interface-list=WAN src-address-list=Offline

#####DDos Rules
add action=return chain=detect_DDoS dst-limit=128,128,src-and-dst-addresses/20s src-address-list=!local
add action=return chain=detect_DDoS src-address-list=local
add action=add-dst-to-address-list address-list=ddosed address-list-timeout=30m chain=detect_DDoS
add action=add-src-to-address-list address-list=ddoser address-list-timeout=30m chain=detect_DDoS
add action=accept chain=forward in-interface=VLAN_99 out-interface=VPNCOMP

#####Here are the VLAN networks, what is allowed from A to B, etc.
add action=accept chain=forward comment=Accept_Remote_to_Company dst-address-list=Company src-address-list=Remote
add action=accept chain=forward comment=Accept_Remote_to_Company dst-address-list=MGMT src-address-list=Remote
add action=accept chain=forward comment=Accept_Remote_to_Company dst-address-list=DMZ src-address-list=Remote
add action=drop chain=forward comment=Drop_IOT_to_Company dst-address-list=Company src-address-list=IOT
add action=accept chain=forward comment=Drop_IOT_to_Company dst-address-list=Music src-address-list=IOT
add action=accept chain=forward comment=Drop_IOT_to_Company dst-address-list=IOT src-address-list=Music
add action=drop chain=forward comment=Drop_Invalid connection-state=invalid

#####Wireguard
add action=accept chain=forward comment=Wireguard_Roadwarrior_auf_Company dst-address-list=Company src-address-list=Wireguard
add action=accept chain=forward comment=Wireguard_Roadwarrior_auf_Music dst-address-list=Music src-address-list=Wireguard
add action=accept chain=forward comment=Wireguard_Roadwarrior_auf_DMZ dst-address-list=DMZ_BB src-address-list=Wireguard
add action=accept chain=forward comment=Wireguard_Roadwarrior_auf_DMZ dst-address-list=DMZ_BO src-address-list=Wireguard
add action=accept chain=forward comment=Wireguard_Roadwarrior_auf_IOT dst-address-list=IOT src-address-list=Wireguard
add action=accept chain=forward dst-address-list=IOT src-address-list=Company
add action=accept chain=forward dst-address-list=Company src-address-list=IOT
add action=accept chain=forward log=yes  src-address-list=MGMT
add action=accept chain=forward comment=Wireguard_Roadwarrior_auf_Company dst-address-list= src-address-list=Wireguard
add action=accept chain=forward comment=Accept_Local src-address-list=local
add action=drop chain=forward comment=Drop_Rest_all
 
monkez
just joined
Posts: 5
Joined: Thu Feb 13, 2014 1:37 pm
Location: Příbram, Czech Republic

Re: Firewall - DNS Open? - Urgent

Wed Oct 18, 2023 9:33 pm

Exposed DNS might possibly be abused for a DDoS attack: https://www.cloudflare.com/learning/ddo ... os-attack/

I would suggest starting with getting familiar with the packet flow in RouterOS: https://help.mikrotik.com/docs/display/ ... n+RouterOS
Then learning firewalling in general.
You can try contacting a local consultant (https://mikrotik.com/consultants) and asking him/her for basic firewall training. MTCNA certification and the higher trainings are not mandatory; you can learn without them.
 
anav
Forum Guru
Posts: 18696
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Firewall - DNS Open? - Urgent

Wed Oct 18, 2023 10:36 pm

Can you help me work through this? Yes gratis........
Most people here do not get DDoS attacks, and if they do it's because their ISP is incompetent etc........
If the ISP cannot handle it, how can you expect your MT router to do it. :-)
 
anav
Forum Guru
Posts: 18696
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Firewall - DNS Open? - Urgent

Wed Oct 18, 2023 10:45 pm

1. Decide on interface lists required.
Typically use interface lists for two or more whole subnets ( single subnets can be identified by address )
one for all subnets requiring internet W-Internet
one for all subnets requiring access to local DNS services usually LAN subnet
One interface for the Management vlan (or the trusted VLAN or trusted interface that includes admins)
Use firewall address list whenever you have less than a full subnet needing to be identified, could be a single subnet or users/devices from various subnets ( with or without entire subnet).

Take the firewall rules provided and massage:::::::

add the wireguard interfaces required just under the input chain default rules - why so many?
Define your list of admin IPs be it from fixed static leases (local) or wireguard IPs (remote) name of list=Authorized and create the firewall address list!!

In forward chain use appropriate interface list for WAN access
Add any rules where you need access between vlans before the last drop rule. or user to devices etc.......
Typically admin needs access to all vlans aka src-address-list=Authorized out-interface-list=LAN

Simplify where possible.
FROM:
add action=accept chain=input comment=Wireguard dst-port=13240 in-interface-list=WAN protocol=udp
add action=accept chain=input comment=Wireguard dst-port=13241 in-interface-list=WAN protocol=udp
add action=accept chain=input comment=Wireguard dst-port=53245 in-interface-list=WAN protocol=udp

TO:
add action=accept chain=input comment="wireguard handshake ports" dst-port=13240,13241,53245 protocol=udp


++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Give it a go and post the complete config here for review.
/export file=anynameyouwish (minus router serial #, public WANIP information, keys etc....)

Assuming wireguard server for the router and all incoming remote users?
Assuming single WAN, nothing complex ??
 
dima1002
Member Candidate
Topic Author
Posts: 157
Joined: Fri Jan 26, 2018 8:40 pm

Re: Firewall - DNS Open? - Urgent

Sun Nov 12, 2023 7:50 pm

Hi,
Sorry, I didn't have time again.
I tried it once, but I'm not sure if it's really any better. Can you please take a look at this?
add action=drop chain=input comment="Drop_detect_DDoS" connection-state=new dst-address-list=ddosed src-address-list=ddoser
add action=jump chain=input comment="detect_DDoS" connection-state=new jump-target=detect_DDoS
add action=drop chain=input comment="Drop_FtB_Level_03" src-address-list=Level_03
add action=add-src-to-address-list address-list=Level_03 address-list-timeout=none-dynamic chain=input comment="FtB_Level_03" connection-state=new dst-port=45131,8291 protocol=tcp src-address-list=Level_02
add action=add-src-to-address-list address-list=Level_02 address-list-timeout=5m chain=input comment="FtB_Level_02" connection-state=new dst-port=45131,8291 protocol=tcp src-address-list=Level_01
add action=add-src-to-address-list address-list=Level_01 address-list-timeout=5m chain=input comment="FtB_Level_01" connection-state=new dst-port=45131,8291 protocol=tcp
add action=accept chain=input comment="Accept_Est_und_Rel" connection-state=established,related

add action=accept chain=input comment="Wireguard" dst-port=13240,13241,53245 in-interface-list=WAN protocol=udp

add action=accept chain=input comment="IPsec-ESP" protocol=ipsec-esp
add action=accept chain=input comment="L2TP" dst-port=500,4500 protocol=udp

add action=accept chain=input comment="SNMP" dst-port=161 protocol=udp src-address-list=local
add action=accept chain=input comment="HTTPS_ROUTER_Intern" dst-port=1449 protocol=tcp src-address-list=local
add action=accept chain=input comment="Accept_DNS" dst-port=53 in-interface-list=!WAN log=yes log-prefix=DNS protocol=udp src-address-list=local

add action=accept chain=input comment="MGMT" dst-port=45131,8291 in-interface-list=!WAN protocol=tcp src-address-list=MGMT
add action=accept chain=input comment="MGMT" dst-port=45131,8291 protocol=tcp

add action=accept chain=input comment="CAPsMAN_localhost" dst-address=127.0.0.1
add action=drop chain=input comment="Drop_Invalid" connection-state=invalid
add action=drop chain=input comment="Drop_Rest_all"

add action=accept chain=forward comment="Accept_forward_from_dst-nat_to_OPNsense" connection-nat-state=dstnat dst-address=192.168.152.253 dst-port=443,5222,5061,2022 protocol=tcp
add action=accept chain=forward comment="Accept_forward_from_dst-nat_to_OPNsense" connection-nat-state=dstnat dst-address=192.168.152.253 dst-port=5060 protocol=udp

add action=accept chain=forward comment="Accept_Remote_to_Company" dst-address-list=Company src-address-list=Remote
add action=drop chain=forward comment="Drop_IOT_to_Company" dst-address-list=Company src-address-list=IOT

add action=accept chain=forward comment="Accept_Est_und_Rel" connection-state=established,related
add action=drop chain=forward comment="Only_Internet" out-interface-list=!WAN src-address-list=Produktion
add action=drop chain=forward comment="GUEST_ONLY_INTERNET" dst-port=!80,443 out-interface-list=!WAN protocol=tcp src-address-list=Gast
add action=drop chain=forward comment="NO_INTERNET" out-interface-list=WAN src-address-list=Offline
add action=accept chain=forward comment="Wireguard_Roadwarrior_auf_Company" dst-address-list=Company src-address-list=Wireguard
add action=drop chain=forward comment="Drop_Invalid" connection-state=invalid
add action=drop chain=forward comment="Drop_Rest_all"

add action=return chain=detect_DDoS dst-limit=128,128,src-and-dst-addresses/20s src-address-list=!local
add action=return chain=detect_DDoS src-address-list=local
add action=add-dst-to-address-list address-list=ddosed address-list-timeout=30m chain=detect_DDoS
add action=add-src-to-address-list address-list=ddoser address-list-timeout=30m chain=detect_DDoS
 
dima1002
Member Candidate
Topic Author
Posts: 157
Joined: Fri Jan 26, 2018 8:40 pm

Re: Firewall - DNS Open? - Urgent

Sun Nov 12, 2023 7:54 pm

oh, I forgot something. I still close the management networks and only allow this via VPN. But I would like to replace the firewall 1 to 1 in the first step and then the VPNs come in the second step.
 
anav
Forum Guru
Posts: 18696
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Firewall - DNS Open? - Urgent

Mon Nov 13, 2023 12:52 am

I don't comment on partial configs.
/export file=anynameyouwish (minus router serial number, public WANIP information, keys, long lease lists etc...)
 
dima1002

Re: Firewall - DNS Open? - Urgent

Mon Nov 27, 2023 9:57 pm

Sorry I didn't get to it sooner.
The keys are wrong.
Here's the entire router config:
# 2023-11-27 20:51:13 by RouterOS 7.12.1

/caps-man channel
add band=5ghz-n/ac control-channel-width=20mhz frequency="" name=\
    5Ghz-Channels skip-dfs-channels=yes
add band=2ghz-g/n control-channel-width=20mhz extension-channel=disabled \
    frequency=2412,2437,2462 name=2.4Ghz-Channels
/interface bridge
add name=BRIDGE priority=0x7000
/interface ethernet
set [ find default-name=ether1 ] name=WAN1
set [ find default-name=ether2 ] name=WAN2
set [ find default-name=ether3 ] name=WAN3
set [ find default-name=ether4 ] name=WAN4
/interface l2tp-client
add allow-fast-path=yes connect-to=vpn.test.com disabled=no name=l2tp-DM \
    user=APV01
/interface wireguard
add listen-port=13239 mtu=1420 name=wireguard-VPN
add listen-port=40231 mtu=1420 name=wireguardStS_DIM
/interface vlan
add comment=MGT interface=BRIDGE name=VLAN_99 vlan-id=99
add comment=FIRMA interface=BRIDGE name=VLAN_100 vlan-id=100
add comment=GAST interface=BRIDGE name=VLAN_200 vlan-id=200
add comment=DMZ interface=BRIDGE name=VLAN_300 vlan-id=300
add comment=HOTSPOT interface=BRIDGE name=VLAN_400 vlan-id=400
add comment=PRIVAT interface=BRIDGE name=VLAN_500 vlan-id=500
add comment=LTE interface=BRIDGE name=VLAN_600 vlan-id=600
add comment=BACKUP01 interface=BRIDGE name=VLAN_700 vlan-id=700
add comment=BACKUP02 interface=BRIDGE name=VLAN_800 vlan-id=800
add comment=TELEFON interface=BRIDGE name=VLAN_900 vlan-id=900
add comment=IOT interface=BRIDGE name=VLAN_1000 vlan-id=1000
/caps-man datapath
add bridge=BRIDGE client-to-client-forwarding=yes local-forwarding=no name=\
    FIRMA vlan-id=100 vlan-mode=use-tag
add bridge=BRIDGE client-to-client-forwarding=no local-forwarding=no name=\
    GAST vlan-id=200 vlan-mode=use-tag
add bridge=BRIDGE client-to-client-forwarding=no local-forwarding=no name=\
    HOTSPOT vlan-id=400 vlan-mode=use-tag
add bridge=BRIDGE client-to-client-forwarding=yes local-forwarding=no name=\
    PRIVAT vlan-id=500 vlan-mode=use-tag
/caps-man security
add authentication-types=wpa2-psk encryption=aes-ccm name=FIRMA
add authentication-types=wpa2-psk encryption=aes-ccm name=GAST
add authentication-types=wpa2-psk encryption=aes-ccm name=HOTSPOT
add authentication-types=wpa2-psk encryption=aes-ccm name=PRIVAT
/caps-man configuration
add channel=2.4Ghz-Channels country=etsi datapath=FIRMA installation=indoor \
    mode=ap name=V012GHZ security=FIRMA ssid=AP-Netz
add channel=5Ghz-Channels country=etsi datapath=FIRMA installation=indoor \
    mode=ap name=V015GHZ security=FIRMA ssid=AP-Netz
add channel=2.4Ghz-Channels country=etsi datapath=GAST installation=indoor \
    mode=ap name=V022GHZ security=GAST ssid=AP-Gast
add channel=5Ghz-Channels country=etsi datapath=GAST installation=indoor \
    mode=ap name=V025GHZ security=GAST ssid=AP-Gast
add channel=2.4Ghz-Channels country=germany datapath=HOTSPOT mode=ap name=\
    V042GHZ security=HOTSPOT ssid=WLAN_HOTSPOT_SSID
add channel=5Ghz-Channels country=germany datapath=HOTSPOT mode=ap name=\
    V045GHZ security=HOTSPOT ssid=WLAN_HOTSPOT_SSID
add channel=2.4Ghz-Channels country=etsi datapath=PRIVAT installation=indoor \
    mode=ap name=V052GHZ security=PRIVAT ssid=AP-Team
add channel=5Ghz-Channels country=etsi datapath=PRIVAT installation=indoor \
    mode=ap name=V055GHZ security=PRIVAT ssid=AP-Team
/interface list
add name=VLAN
add name=LAN
add name=WAN
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip pool
add name=MGT ranges=10.99.9.5-10.99.9.253
add name=FIRMA ranges=192.168.9.20-192.168.9.250
add name=GAST ranges=10.178.1.10-10.178.1.100
add name=DMZ ranges=10.178.2.10-10.178.2.20
add name=HOTSPOT ranges=10.178.3.10-10.178.3.100
add name=PRIVAT ranges=192.168.114.10-192.168.114.100
add name=LTE ranges=10.178.4.10-10.178.4.20
add name=BACKUP01 ranges=10.178.5.5-10.178.5.10
add name=BACKUP02 ranges=10.178.6.10-10.178.6.20
add name=TELEFON ranges=10.178.7.10-10.178.7.100
add name=IOT ranges=192.168.1.10-192.168.1.200
/ip dhcp-server
add address-pool=MGT interface=VLAN_99 lease-time=1w10m name=MGT
add address-pool=FIRMA interface=VLAN_100 lease-time=1w10m name=FIRMA
add address-pool=GAST interface=VLAN_200 lease-time=1h name=GAST
add address-pool=DMZ interface=VLAN_300 lease-time=1d10m name=DMZ
add address-pool=HOTSPOT interface=VLAN_400 lease-time=1d10m name=HOTSPOT
add address-pool=PRIVAT interface=VLAN_500 lease-time=1d10m name=PRIVAT
add address-pool=LTE interface=VLAN_600 lease-time=1d10m name=LTE
add address-pool=BACKUP01 interface=VLAN_700 lease-time=1d10m name=BACKUP01
add address-pool=BACKUP02 interface=VLAN_800 lease-time=1d10m name=BACKUP02
add address-pool=TELEFON interface=VLAN_900 lease-time=1d10m name=TELEFON
add address-pool=IOT interface=VLAN_1000 lease-time=1d10m name=IOT
/port
set 0 name=serial0
set 1 name=serial1
/queue simple
add max-limit=8M/8M name=queue-Gast target=10.178.1.0/24
/snmp community
add addresses=192.168.254.0/24,10.16.0.0/16,10.99.0.0/16,10.10.9.0/24 \
    authentication-protocol=SHA1 encryption-protocol=AES name=snmpv3DIM \
    security=private
/user-manager user
add attributes=\
    Tunnel-Medium-Type:6,Tunnel-Private-Group-ID:300,Tunnel-Type:13 comment=\
    Macbook disabled=yes name=22:E0:4C:A4:91:76
add attributes=Tunnel-Medium-Type:6,Tunnel-Private-Group-ID:99,Tunnel-Type:13 \
    comment=Kamera disabled=yes name=EC:71:DB:EA:51:FD
add attributes=\
    Tunnel-Medium-Type:6,Tunnel-Private-Group-ID:100,Tunnel-Type:13 comment=\
    TV disabled=yes name=7C:0A:3F:FB:B6:2A
/caps-man access-list
add action=reject allow-signal-out-of-range=10s disabled=no interface=all \
    signal-range=-115..-76 ssid-regexp=""
add action=accept allow-signal-out-of-range=10s disabled=no interface=all \
    signal-range=-75..115 ssid-regexp=""
/caps-man manager
set ca-certificate=auto certificate=auto enabled=yes package-path=/
/caps-man provisioning
add action=create-dynamic-enabled hw-supported-modes=gn master-configuration=\
    V012GHZ name-format=prefix-identity slave-configurations=V022GHZ,V052GHZ
add action=create-dynamic-enabled hw-supported-modes=an master-configuration=\
    V015GHZ name-format=prefix-identity slave-configurations=V025GHZ,V055GHZ
/interface bridge port
add bridge=BRIDGE frame-types=admit-only-vlan-tagged interface=ether5
add bridge=BRIDGE frame-types=admit-only-vlan-tagged interface=ether6
add bridge=BRIDGE frame-types=admit-only-vlan-tagged interface=ether7
add bridge=BRIDGE frame-types=admit-only-vlan-tagged interface=ether8
add bridge=BRIDGE interface=sfp-sfpplus1
/interface list member
add interface=WAN1 list=WAN
add interface=WAN2 list=WAN
add interface=WAN4 list=WAN
add interface=VLAN_99 list=VLAN
add interface=VLAN_100 list=VLAN
add interface=VLAN_200 list=VLAN
add interface=VLAN_300 list=VLAN
add interface=VLAN_400 list=VLAN
add interface=VLAN_500 list=VLAN
add interface=VLAN_600 list=VLAN
add interface=VLAN_700 list=VLAN
add interface=VLAN_800 list=VLAN
add interface=VLAN_900 list=VLAN
add interface=VLAN_1000 list=VLAN
add interface=WAN3 list=WAN
add interface=wireguard-VPN list=VLAN
/interface wireguard peers
add allowed-address=192.168.85.4/32 comment="Test User" disabled=yes \
    interface=wireguard-VPN public-key=\
    "AnZ146qo6tS+n9elKeqToC4cmXjfGU7BaN6MHwCZjU0="
add allowed-address=\
    10.10.9.254/32,192.168.254.0/24,192.168.155.0/24,192.168.249.0/24 \
    comment=PeerStS_DIM disabled=yes endpoint-address=vpn.test.com \
    endpoint-port=40231 interface=wireguardStS_DIM persistent-keepalive=25s \
    public-key="VREJdyp/MYXh17rtaOsWU8a/mCXdoTc953D39TIvWk0="
/ip address
add address=10.99.9.254/24 interface=VLAN_99 network=10.99.9.0
add address=192.168.9.1/24 interface=VLAN_100 network=192.168.9.0
add address=10.178.1.254/24 interface=VLAN_200 network=10.178.1.0
add address=10.178.2.254/24 interface=VLAN_300 network=10.178.2.0
add address=10.178.3.254/24 interface=VLAN_400 network=10.178.3.0
add address=192.168.114.254/24 interface=VLAN_500 network=192.168.114.0
add address=10.178.4.254/24 interface=VLAN_600 network=10.178.4.0
add address=10.178.5.254/24 interface=VLAN_700 network=10.178.5.0
add address=10.178.6.254/24 interface=VLAN_800 network=10.178.6.0
add address=10.178.7.254/24 interface=VLAN_900 network=10.178.7.0
add address=192.168.1.254/24 interface=VLAN_1000 network=192.168.1.0
add address=192.168.85.254/24 interface=wireguard-VPN network=192.168.85.0
add address=10.10.9.9/24 interface=wireguardStS_DIM network=10.10.9.0
add address=192.168.2.254/24 disabled=yes interface=VLAN_1000 network=\
    192.168.2.0
/ip cloud
set ddns-enabled=yes ddns-update-interval=1m
/ip dhcp-client
add interface=WAN1
add disabled=yes interface=WAN2
/ip dhcp-server network
add address=10.99.9.0/24 dns-server=10.99.9.254 gateway=10.99.9.254
add address=10.178.1.0/24 dns-server=8.8.8.8 gateway=10.178.1.254
add address=10.178.2.0/24 dns-server=10.178.2.254 gateway=10.178.2.254
add address=10.178.3.0/24 dns-server=10.178.3.254 gateway=10.178.3.254
add address=10.178.4.0/24 dns-server=10.178.4.254 gateway=10.178.4.254
add address=10.178.5.0/24 dns-server=10.178.5.254 gateway=10.178.5.254
add address=10.178.6.0/24 dns-server=10.178.6.254 gateway=10.178.6.254
add address=10.178.7.0/24 dns-server=10.178.7.254 gateway=10.178.7.254
add address=192.168.1.0/24 dns-server=8.8.8.8 gateway=192.168.1.254
add address=192.168.9.0/24 dns-server=192.168.9.5 domain=apv.local gateway=\
    192.168.9.1
add address=192.168.114.0/24 dns-server=192.168.114.254 gateway=\
    192.168.114.254
/ip dns
set allow-remote-requests=yes
/ip dns static
add address=192.168.9.11 name=ad-server
/ip firewall address-list
add address=10.99.0.0/16 list=local
add address=192.168.9.0/24 list=local
add address=10.178.1.0/24 list=local
add address=10.178.2.0/24 list=local
add address=10.178.3.0/24 list=local
add address=192.168.114.0/24 list=local
add address=10.178.4.0/24 list=local
add address=10.178.5.0/24 list=local
add address=10.178.6.0/24 list=local
add address=10.178.7.0/24 list=local
add address=10.178.8.0/24 list=local
add list=local
add address=8.8.8.8 list=DNS
add comment="Black List (SSH)" list="Black List (SSH)"
add comment="Black List (Winbox)" list="Black List (Winbox)"
add comment="Black List (Port Scanner WAN)" list=\
    "Black List (Port Scanner WAN)"
add comment="Black List (Port Scanner LAN)" list=\
    "Black List (Port Scanner LAN)"
add address=vpn2.test.com list=local
add address=vpn.test.com list=local
add address=192.168.254.0/24 list=local
add address=10.16.0.0/16 list=local
add address=192.168.155.0/24 list=local
add address=192.168.85.0/24 list=local
add list=192.168.249.0/24
add address=10.10.9.0/24 list=local
add address=192.168.1.0/24 list=local
/ip firewall filter
add action=drop chain=input comment=Drop_detect_DDoS connection-state=new \
    dst-address-list=ddosed src-address-list=ddoser
add action=jump chain=input comment=detect_DDoS connection-state=new \
    jump-target=detect_DDoS
add action=drop chain=input comment=Drop_FtB_Level_03 src-address-list=\
    Level_03
add action=add-src-to-address-list address-list=Level_03 \
    address-list-timeout=none-dynamic chain=input comment=FtB_Level_03 \
    connection-state=new dst-port=45131,8291 protocol=tcp src-address-list=\
    Level_02
add action=add-src-to-address-list address-list=Level_02 \
    address-list-timeout=5m chain=input comment=FtB_Level_02 \
    connection-state=new dst-port=45131,8291 protocol=tcp src-address-list=\
    Level_01
add action=add-src-to-address-list address-list=Level_01 \
    address-list-timeout=5m chain=input comment=FtB_Level_01 \
    connection-state=new dst-port=45131,8291 protocol=tcp
add action=accept chain=input comment=Accept_Est_und_Rel connection-state=\
    established,related
add action=accept chain=input comment=Wireguard dst-port=13240,13241,53245 \
    in-interface-list=WAN protocol=udp
add action=accept chain=input comment=IPsec-ESP protocol=ipsec-esp
add action=accept chain=input comment=L2TP dst-port=500,4500 protocol=udp
add action=accept chain=input comment=SNMP dst-port=161 protocol=udp \
    src-address-list=local
add action=accept chain=input comment=HTTPS_ROUTER_Intern dst-port=1449 \
    protocol=tcp src-address-list=local
add action=accept chain=input comment=Accept_DNS dst-port=53 \
    in-interface-list=!WAN log=yes log-prefix=DNS protocol=udp \
    src-address-list=local
add action=accept chain=input comment=MGMT dst-port=45131,8291 \
    in-interface-list=!WAN protocol=tcp src-address-list=MGMT
add action=accept chain=input comment=MGMT dst-port=45131,8291 protocol=tcp
add action=accept chain=input comment=CAPsMAN_localhost dst-address=127.0.0.1
add action=drop chain=input comment=Drop_Invalid connection-state=invalid
add action=drop chain=input comment=Drop_Rest_all
add action=accept chain=input comment="Accept Radius" dst-port=3799,1812,1813 \
    in-interface-list=!WAN protocol=udp src-address-list=local
add action=accept chain=input comment="CAPsMAN accept all local traffic" \
    src-address-type=local
add action=accept chain=input comment="WAN -> FW | WireGuard-Zugriff" \
    dst-port=13239 log=yes log-prefix=WireGuard protocol=udp
add action=accept chain=input comment="FIRMA Port | WireGuard-Zugriff" \
    dst-port=40231 log=yes log-prefix=WireGuard protocol=udp
add action=accept chain=input comment="WAN -> FW | WireGuard-Zugriff" \
    dst-address=192.168.85.254 in-interface=wireguard-VPN log=yes log-prefix=\
    Wireguard
add action=accept chain=input comment="WAN -> FW | WireGuard-Zugriff" \
    dst-address=10.10.9.254 in-interface=wireguardStS_DIM log=yes log-prefix=\
    Wireguard
add action=drop chain=input comment="Drop everything else" log=yes \
    log-prefix="IN DROP REST -> "
add action=accept chain=forward comment=\
    "WireGuard-VPN -> VLAN_100 | Netzwerkzugriff" dst-address=\
    !192.168.85.0/24 in-interface=wireguard-VPN out-interface=VLAN_100
add action=accept chain=forward comment=\
    "WireGuard-VPN COMPANY | alle VLAN Netzwerkzugriff" dst-address=\
    !10.10.9.0/24 in-interface=wireguardStS_DIM out-interface=all-vlan
add action=accept chain=forward dst-address-list=192.168.254.0/24 \
    src-address-list=192.168.9.0/24
add action=accept chain=forward comment=Accept_Remote_to_Company \
    dst-address-list=Company src-address-list=Remote
add action=drop chain=forward comment=Drop_IOT_to_Company dst-address-list=\
    Company src-address-list=IOT
add action=accept chain=forward comment=Accept_Est_und_Rel connection-state=\
    established,related
add action=accept chain=forward comment=Starface dst-port=5060 protocol=tcp
add action=accept chain=forward comment=Starface dst-port=5060 protocol=udp
add action=accept chain=forward comment=Starface dst-port=5061 protocol=tcp
add action=accept chain=forward comment=Starface dst-port=10000-13239 \
    protocol=udp
add action=drop chain=forward comment=Only_Internet out-interface-list=!WAN \
    src-address-list=Produktion
add action=drop chain=forward comment=GUEST_ONLY_INTERNET dst-port=!80,443 \
    out-interface-list=!WAN protocol=tcp src-address-list=Gast
add action=drop chain=forward comment=NO_INTERNET out-interface-list=WAN \
    src-address-list=Offline
add action=accept chain=forward comment=Wireguard_Roadwarrior_auf_Company \
    dst-address-list=Company src-address-list=Wireguard
add action=drop chain=forward comment=Drop_Invalid connection-state=invalid
add action=drop chain=forward comment=Drop_Rest_all
add action=return chain=detect_DDoS dst-limit=\
    128,128,src-and-dst-addresses/20s src-address-list=!local
add action=return chain=detect_DDoS src-address-list=local
add action=add-dst-to-address-list address-list=ddosed address-list-timeout=\
    30m chain=detect_DDoS
add action=add-src-to-address-list address-list=ddoser address-list-timeout=\
    30m chain=detect_DDoS
/ip firewall nat
add action=dst-nat chain=dstnat dst-port=5060 in-interface=WAN1 log=yes \
    protocol=tcp to-addresses=192.168.9.20 to-ports=5060
add action=dst-nat chain=dstnat dst-port=5060 in-interface=WAN1 log=yes \
    protocol=udp to-addresses=192.168.9.20 to-ports=5060
add action=dst-nat chain=dstnat dst-port=10000-13238 in-interface=WAN1 log=\
    yes protocol=udp to-addresses=192.168.9.20 to-ports=10000-13238
add action=dst-nat chain=dstnat dst-port=5061 in-interface=WAN1 log=yes \
    protocol=tcp to-addresses=192.168.9.20 to-ports=5061
add action=masquerade chain=srcnat out-interface=WAN1
add action=masquerade chain=srcnat out-interface=WAN2
add action=masquerade chain=srcnat out-interface=WAN3
/ip firewall service-port
set sip disabled=yes
/ip route
add disabled=no distance=1 dst-address=192.168.254.0/24 gateway=\
    wireguardStS_DIM routing-table=main scope=10 suppress-hw-offload=no
add disabled=no distance=1 dst-address=192.168.249.0/24 gateway=\
    wireguardStS_DIM pref-src="" routing-table=main scope=10 \
    suppress-hw-offload=no target-scope=10
add disabled=no distance=1 dst-address=192.168.155.0/24 gateway=\
    wireguardStS_DIM pref-src="" routing-table=main scope=10 \
    suppress-hw-offload=no target-scope=10
add disabled=no dst-address=188.144.0.0/15 gateway=192.168.9.3 routing-table=\
    main suppress-hw-offload=no
/ip service
set telnet disabled=yes
set ftp disabled=yes
set www disabled=yes
set ssh port=45735
set www-ssl disabled=no port=1455
set api disabled=yes
/ip ssh
set forwarding-enabled=both host-key-size=4096 strong-crypto=yes
/radius
add address=10.99.254.1 service=login
/snmp
set contact="COMPANY <mikrotik@test.com>" enabled=yes location=Berlin \
    trap-community=snmpv3AA trap-version=3
/system clock
set time-zone-name=Europe/Berlin
/system identity
set name=TestRouter
/system note
set note="COMPANY - Authorized Administrators only. Access to this d\
    evice is monitored." show-at-login=no
/system ntp client
set enabled=yes
/system ntp client servers
add address=1.de.pool.ntp.org
add address=2.de.pool.ntp.org
add address=3.de.pool.ntp.org
/system routerboard settings
set auto-upgrade=yes silent-boot=yes
/system scheduler
add name=schedule1 on-event="/system routerboard :if ( [get current-firmware] \
    != [get upgrade-firmware] ) do={ /system reboot }" policy=\
    ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon \
    start-time=startup
add interval=1w name=Backup on-event=Backup policy=\
    ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon \
    start-date=1970-01-01 start-time=00:00:00
/system watchdog
set automatic-supout=no ping-start-after-boot=1w watchdog-timer=no
/tool bandwidth-server
set enabled=no
/tool romon
set enabled=yes
/user aaa
set interim-update=5m use-radius=yes
/user settings
set minimum-categories=3 minimum-password-length=8
/user-manager
set certificate=*0
/user-manager router
add address=10.99.1.251 name=TEST01SW01
 
anav

Re: Firewall - DNS Open? - Urgent

Mon Nov 27, 2023 10:27 pm

(1) Where is bridge vlan-filtering=yes ??
/interface bridge
add name=BRIDGE priority=0x7000


(2) Allowed IPs is not quite right, fixed.......
add allowed-address=\
10.10.9.0/24,192.168.254.0/24,192.168.155.0/24,192.168.249.0/24 \
comment=PeerStS_DIM disabled=yes endpoint-address=vpn.test.com \
endpoint-port=40231 interface=wireguardStS_DIM persistent-keepalive=25s \
public-key="VREJdyp/MYXh17rtaOsWU8a/mCXdoTc953D39TIvWk0="


(3) This should be removed. vlan1000 is already identified in the address list 192.168.1...
add address=192.168.2.254/24 disabled=yes interface=VLAN_1000 network=\
192.168.2.0


(4) This local list entry for firewall address list is not complete.
add list=192.168.249.0/24

(5) These local list entries make no sense; there is no such VLAN or local subnet:
add address=10.178.8.0/24 list=local
add address=10.99.0.0/16 list=local
add address=192.168.254.0/24 list=local
add address=10.16.0.0/16 list=local
add address=192.168.155.0/24 list=local


(6) Firewall rules are so full of bloat.
I suggest looking here as a starter, and ONLY adding traffic that needs to flow:
viewtopic.php?t=180838

(7) It's not clear to me what you are doing with the four WANs with regard to IP routes.
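Two of the defects in the posted input chain are mechanical enough to check by script rather than by eye: Drop_Rest_all is followed by more input rules (the RADIUS accept, the WireGuard accepts, the logged catch-all drop) that can never be reached, and the second MGMT rule accepts TCP 45131,8291 with no interface or source restriction, so it is reachable from WAN, while UDP 53 from WAN falls through to Drop_Rest_all. The script below is an added example, not code from this thread or from MikroTik: a small parser for the `/ip firewall filter` export format that lists rules sitting below an unconditional drop and walks the input chain top-down for two simulated WAN packets (UDP 53 and TCP 8291). The export embedded in it is constructed, a shortened copy of the poster's input chain; the evaluator only understands the properties in MATCH_KEYS, treats a rule with any other match property as not matching, and does not resolve address or interface lists, so each simulated packet declares its own list membership.

```python
"""Audit a RouterOS '/ip firewall filter' export: rules below an unconditional
drop (never reachable) and what a packet from WAN hits for DNS (UDP 53) and
WinBox (TCP 8291). Added example, not from the thread or MikroTik. EXPORT is
constructed from the poster's input chain. Only MATCH_KEYS are evaluated; rules
with other match properties count as NOT matching. Lists are not resolved:
each packet declares its own membership (None = in no list)."""
import re

EXPORT = r"""
/ip firewall filter
add action=accept chain=input comment=Accept_Est_und_Rel connection-state=\
    established,related
add action=accept chain=input comment=Accept_DNS dst-port=53 \
    in-interface-list=!WAN protocol=udp src-address-list=local
add action=accept chain=input comment=MGMT dst-port=45131,8291 \
    in-interface-list=!WAN protocol=tcp src-address-list=MGMT
add action=accept chain=input comment=MGMT dst-port=45131,8291 protocol=tcp
add action=drop chain=input comment=Drop_Invalid connection-state=invalid
add action=drop chain=input comment=Drop_Rest_all
add action=accept chain=input comment="Accept Radius" dst-port=3799,1812,1813 \
    in-interface-list=!WAN protocol=udp src-address-list=local
add action=drop chain=input comment="Drop everything else" log=yes
"""

NON_MATCH = {"action", "chain", "comment", "log", "log-prefix", "disabled", "jump-target"}
MATCH_KEYS = {"protocol", "dst-port", "in-interface-list", "src-address-list",
              "connection-state"}

# simulated new connections arriving on a WAN interface from a source in no address list
WAN_DNS = {"chain": "input", "protocol": "udp", "dst-port": "53",
           "in-interface-list": "WAN", "src-address-list": None, "connection-state": "new"}
WAN_WINBOX = {**WAN_DNS, "protocol": "tcp", "dst-port": "8291"}

def parse_export(text):
    """Join backslash-continued lines, then split each 'add ...' into a property dict."""
    joined = re.sub(r"\\\n\s*", "", text)
    rules = []
    for line in joined.splitlines():
        line = line.strip()
        if line.startswith("add "):
            # key=value pairs; a value may be double-quoted and contain spaces
            pairs = re.findall(r'(\S+?)=("[^"]*"|\S+)', line[4:])
            rules.append({k: v.strip('"') for k, v in pairs})
    return rules

def _in_spec(value, spec):
    """Is value in a comma list such as '45131,8291' or a port range like '10000-13239'?"""
    for item in spec.split(","):
        lo, _, hi = item.partition("-")
        if lo.isdigit() and hi.isdigit() and value and value.isdigit() \
                and int(lo) <= int(value) <= int(hi):
            return True
        if item == value:
            return True
    return False

def _is_match(rule, packet):
    """True if every match condition on the rule fits the packet ('!' negates)."""
    conditions = rule.keys() - NON_MATCH
    if conditions - MATCH_KEYS:          # a property this evaluator cannot judge
        return False
    for key in conditions:
        want = rule[key]
        negated = want.startswith("!")
        hit = _in_spec(packet.get(key), want.lstrip("!"))
        if hit == negated:               # wanted but absent, or excluded but present
            return False
    return True

def first_match(rules, packet):
    """Walk the packet's chain top-down; return (index, rule) of the first hit, or None."""
    for i, rule in enumerate(rules):
        if rule.get("disabled") != "yes" and rule.get("chain") == packet["chain"] \
                and _is_match(rule, packet):
            return i, rule
    return None

def unreachable_rules(rules):
    """Comments of enabled rules that sit below an unconditional terminating rule."""
    terminated, dead = set(), []
    for rule in rules:
        if rule.get("disabled") == "yes":
            continue
        chain = rule.get("chain")
        if chain in terminated:
            dead.append(rule.get("comment", "<no comment>"))
        elif rule.get("action") in ("accept", "drop", "reject") and not (rule.keys() - NON_MATCH):
            terminated.add(chain)
    return dead

def audit(export_text):
    """Parse the export; return the verdict per probe plus the dead rules."""
    rules = parse_export(export_text)
    verdicts = {}
    for name, packet in (("dns_udp53_from_wan", WAN_DNS), ("winbox_tcp8291_from_wan", WAN_WINBOX)):
        hit = first_match(rules, packet)
        # RouterOS accepts a packet that matches no rule in the chain
        verdicts[name] = (hit[1]["action"], hit[1].get("comment")) if hit else ("accept", None)
    return {"verdicts": verdicts, "unreachable": unreachable_rules(rules)}

if __name__ == "__main__":
    report = audit(EXPORT)
    for probe, (action, comment) in report["verdicts"].items():
        print(f"{probe:24s} -> {action} ({comment})")
    print("unreachable rules:", report["unreachable"])
```

Run it with python3. For a real export, paste the `/ip firewall filter` section into EXPORT, add any further match properties you rely on to MATCH_KEYS, and give each simulated packet the address-list memberships of the source you care about; the verdict is only as trustworthy as those declared memberships, which is also why anav's point about mislabelled "local" entries matters for this kind of check.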
 
dima1002

Re: Firewall - DNS Open? - Urgent

Mon Nov 27, 2023 11:55 pm

Hello :-)

Is this OK like this?

(1)
/interface bridge
add name=BRIDGE priority=0x7000 vlan-filtering=yes
/interface bridge port
add bridge=BRIDGE frame-types=admit-only-vlan-tagged interface=ether5
add bridge=BRIDGE frame-types=admit-only-vlan-tagged interface=ether6
add bridge=BRIDGE frame-types=admit-only-vlan-tagged interface=ether7
add bridge=BRIDGE frame-types=admit-only-vlan-tagged interface=ether8
add bridge=BRIDGE interface=sfp-sfpplus1

(2)
Why not Subnet 16?

(3)
What do you mean? Where is that twice?

(4)
What is missing here?

(5)
These are our networks, i.e. on the other side of the VPN.

(6)
Unfortunately I don't have the time. Can you please help me with that? First I need a good firewall. We have a lot of problems at the moment.
As I said, I would pay for that too.

(7)
We have customers who have 2 DSL connections and an LTE connection as a backup.
In fact, in 99%, 3 WAN connections would be completely sufficient.
 
anav

Re: Firewall - DNS Open? - Urgent

Tue Nov 28, 2023 2:14 am

(1) YES, THAT IS THE WAY.

(2) WHAT ARE YOU TALKING ABOUT, SUBNET 16? Point #2 was pointing out that your allowed IP 10.10.9.X/32 was wrong. The correct version is in blue.

(3) If you look at the config line, it's clearly an /ip address entry. It's disabled, which is good; I am saying just get rid of it.

(4) What do you mean, what is missing from this firewall address list entry? add list=192.168.249.0/24
There is an address, but you called it LIST, and there is no actual LIST (i.e. one with a name). Not sure why you find this hard.

(5) WRONG WRONG WRONG. You put them as LOCAL addresses and they are not. You are mixing up remote and local addresses.
I do not know for what purpose.

The only time you should be using firewall address lists is when you have a group of users and not quite a full subnet, or users from various subnets, with or without whole subnets.
If you have full subnets, use interface lists instead.

(6) I have little time too.

(7) What I meant was to identify the purpose of each WAN, which traffic is intended for which WANs, etc. So I need far more detail.
 
dima1002

Re: Firewall - DNS Open? - Urgent

Sun Dec 03, 2023 12:44 pm

OK, I've revised everything a bit now. Is it more understandable now?
# 2023-12-03 11:21:51 by RouterOS 7.12.1

/caps-man channel
add band=5ghz-n/ac control-channel-width=20mhz frequency="" name=\
    5Ghz-Channels skip-dfs-channels=yes
add band=2ghz-g/n control-channel-width=20mhz extension-channel=disabled \
    frequency=2412,2437,2462 name=2.4Ghz-Channels
/interface bridge
add name=BRIDGE priority=0x7000 vlan-filtering=yes
/interface ethernet
set [ find default-name=ether1 ] name=WAN1
set [ find default-name=ether2 ] name=WAN2
set [ find default-name=ether3 ] name=WAN3
set [ find default-name=ether4 ] disabled=yes name=WAN4
/interface l2tp-client
add allow-fast-path=yes connect-to=vpn.test.de disabled=no name=l2tp-DM \
    user=APV01
/interface wireguard
add comment=test listen-port=40231 mtu=1420 name=WIREGUARD_MGMT
add comment="VPN to 2nd customer location" listen-port=13239 mtu=1420 name=\
    WIREGUARD_VPN01
/interface vlan
add comment=MGT interface=BRIDGE name=VLAN_99 vlan-id=99
add comment=COMPANY interface=BRIDGE name=VLAN_100 vlan-id=100
add comment=GUEST interface=BRIDGE name=VLAN_200 vlan-id=200
add comment=DMZ interface=BRIDGE name=VLAN_300 vlan-id=300
add comment=HOTSPOT interface=BRIDGE name=VLAN_400 vlan-id=400
add comment=PRIVAT interface=BRIDGE name=VLAN_500 vlan-id=500
add comment=LTE interface=BRIDGE name=VLAN_600 vlan-id=600
add comment=BACKUP01 interface=BRIDGE name=VLAN_700 vlan-id=700
add comment=BACKUP02 interface=BRIDGE name=VLAN_800 vlan-id=800
add comment=PHONE interface=BRIDGE name=VLAN_900 vlan-id=900
add comment=IOT interface=BRIDGE name=VLAN_1000 vlan-id=1000
add comment=PRINTER interface=BRIDGE name=VLAN_1100 vlan-id=1100
add comment=SONOS interface=BRIDGE name=VLAN_1200 vlan-id=1200
add comment=CAMERA interface=BRIDGE name=VLAN_1300 vlan-id=1300
add comment=PRODUCTION interface=BRIDGE name=VLAN_1400 vlan-id=1400
add comment=SERVER interface=BRIDGE name=VLAN_1500 vlan-id=1500
add comment=MISCELLANEOUS01 interface=BRIDGE name=VLAN_1600 vlan-id=1600
add comment=MISCELLANEOUS02 interface=BRIDGE name=VLAN_1700 vlan-id=1700
add comment=MISCELLANEOUS03 interface=BRIDGE name=VLAN_1800 vlan-id=1800
add comment=MISCELLANEOUS04 interface=BRIDGE name=VLAN_1900 vlan-id=1900
add comment=MISCELLANEOUS05 interface=BRIDGE name=VLAN_2000 vlan-id=2000
/caps-man datapath
add bridge=BRIDGE client-to-client-forwarding=yes local-forwarding=no name=\
    COMPANY vlan-id=100 vlan-mode=use-tag
add bridge=BRIDGE client-to-client-forwarding=no comment=GUEST \
    local-forwarding=no name=GAST vlan-id=200 vlan-mode=use-tag
add bridge=BRIDGE client-to-client-forwarding=no local-forwarding=no name=\
    HOTSPOT vlan-id=400 vlan-mode=use-tag
add bridge=BRIDGE client-to-client-forwarding=yes local-forwarding=no name=\
    PRIVAT vlan-id=500 vlan-mode=use-tag
/caps-man security
add authentication-types=wpa2-psk encryption=aes-ccm name=COMPANY
add authentication-types=wpa2-psk encryption=aes-ccm name=GUEST
add authentication-types=wpa2-psk encryption=aes-ccm name=HOTSPOT
add authentication-types=wpa2-psk encryption=aes-ccm name=PRIVAT
/caps-man configuration
add channel=2.4Ghz-Channels country=etsi datapath=COMPANY installation=indoor \
    mode=ap name=COMPANY2GHZ security=COMPANY ssid=COMPANY
add channel=5Ghz-Channels country=etsi datapath=COMPANY installation=indoor \
    mode=ap name=COMPANY5GHZ security=COMPANY ssid=COMPANY
add channel=2.4Ghz-Channels country=etsi datapath=GAST installation=indoor \
    mode=ap name=GUEST2GHZ security=GUEST ssid=GUEST
add channel=5Ghz-Channels country=etsi datapath=GAST installation=indoor \
    mode=ap name=GUEST5GHZ security=GUEST ssid=GUEST
add channel=2.4Ghz-Channels country=etsi datapath=HOTSPOT installation=indoor \
    mode=ap name=HOTSPOT2GHZ security=HOTSPOT ssid=HOTSPOT
add channel=5Ghz-Channels country=etsi datapath=HOTSPOT installation=indoor \
    mode=ap name=HOTSPOT5GHZ security=HOTSPOT ssid=HOTSPOT
add channel=2.4Ghz-Channels country=etsi datapath=PRIVAT installation=indoor \
    mode=ap name=PRIVATE2GHZ security=PRIVAT ssid=PRIVATE
add channel=5Ghz-Channels country=etsi datapath=PRIVAT installation=indoor \
    mode=ap name=PRIVATE5GHZ security=PRIVAT ssid=PRIVATE
/interface list
add name=VLAN
add name=LAN
add name=WAN
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip pool
add name=MGT ranges=10.99.9.5-10.99.9.253
add name=COMPANY ranges=192.168.9.20-192.168.9.250
add name=GUEST ranges=10.178.1.10-10.178.1.100
add name=DMZ ranges=10.178.2.10-10.178.2.20
add name=HOTSPOT ranges=10.178.3.10-10.178.3.100
add name=PRIVAT ranges=192.168.114.10-192.168.114.100
add name=LTE ranges=10.178.4.10-10.178.4.20
add name=BACKUP01 ranges=10.178.5.5-10.178.5.10
add name=BACKUP02 ranges=10.178.6.10-10.178.6.20
add name=PHONE ranges=10.178.7.10-10.178.7.100
add name=IOT ranges=192.168.1.10-192.168.1.200
add name=PRODUCTION ranges=192.168.44.10-192.168.44.100
/ip dhcp-server
add address-pool=MGT interface=VLAN_99 lease-time=1w10m name=MGT
add address-pool=COMPANY interface=VLAN_100 lease-time=1w10m name=COMPANY
add address-pool=GUEST interface=VLAN_200 lease-time=1h name=GUEST
add address-pool=DMZ interface=VLAN_300 lease-time=1d10m name=DMZ
add address-pool=HOTSPOT interface=VLAN_400 lease-time=1d10m name=HOTSPOT
add address-pool=PRIVAT interface=VLAN_500 lease-time=1d10m name=PRIVAT
add address-pool=LTE interface=VLAN_600 lease-time=1d10m name=LTE
add address-pool=BACKUP01 interface=VLAN_700 lease-time=1d10m name=BACKUP01
add address-pool=BACKUP02 interface=VLAN_800 lease-time=1d10m name=BACKUP02
add address-pool=PHONE interface=VLAN_900 lease-time=1d10m name=PHONE
add address-pool=IOT interface=VLAN_1000 lease-time=1d10m name=IOT
add address-pool=PRODUCTION interface=VLAN_1400 lease-time=1d30m name=\
    PRODUCTION
/port
set 0 name=serial0
set 1 name=serial1
/queue simple
add max-limit=8M/8M name=queue-Gast target=10.178.1.0/24
/snmp community
add addresses=192.168.254.0/24,10.16.0.0/16,10.99.0.0/16,10.10.9.0/24 \
    authentication-protocol=SHA1 encryption-protocol=AES name=snmpv3DIM \
    security=private
/user-manager user
add attributes=\
    Tunnel-Medium-Type:6,Tunnel-Private-Group-ID:300,Tunnel-Type:13 comment=\
    Macbook disabled=yes name=22:E0:4C:A4:91:76
add attributes=Tunnel-Medium-Type:6,Tunnel-Private-Group-ID:99,Tunnel-Type:13 \
    comment=Kamera disabled=yes name=EC:71:DB:EA:51:FD
add attributes=\
    Tunnel-Medium-Type:6,Tunnel-Private-Group-ID:100,Tunnel-Type:13 comment=\
    TV disabled=yes name=7C:0A:3F:FB:B6:2A
/caps-man access-list
add action=reject allow-signal-out-of-range=10s disabled=no interface=all \
    signal-range=-115..-76 ssid-regexp=""
add action=accept allow-signal-out-of-range=10s disabled=no interface=all \
    signal-range=-75..115 ssid-regexp=""
/caps-man manager
set ca-certificate=auto certificate=auto enabled=yes package-path=/
/caps-man provisioning
add action=create-dynamic-enabled hw-supported-modes=gn master-configuration=\
    COMPANY2GHZ name-format=prefix-identity slave-configurations=\
    GUEST2GHZ,PRIVATE2GHZ,HOTSPOT2GHZ
add action=create-dynamic-enabled hw-supported-modes=an master-configuration=\
    COMPANY5GHZ name-format=prefix-identity slave-configurations=\
    GUEST5GHZ,PRIVATE5GHZ,HOTSPOT5GHZ
/interface bridge port
add bridge=BRIDGE frame-types=admit-only-vlan-tagged interface=ether5
add bridge=BRIDGE frame-types=admit-only-vlan-tagged interface=ether6
add bridge=BRIDGE frame-types=admit-only-vlan-tagged interface=ether7
add bridge=BRIDGE frame-types=admit-only-vlan-tagged interface=ether8
add bridge=BRIDGE interface=sfp-sfpplus1
/interface list member
add comment=DSL interface=WAN1 list=WAN
add comment="DSL Backup" interface=WAN2 list=WAN
add interface=VLAN_99 list=VLAN
add interface=VLAN_100 list=VLAN
add interface=VLAN_200 list=VLAN
add interface=VLAN_300 list=VLAN
add interface=VLAN_400 list=VLAN
add interface=VLAN_500 list=VLAN
add interface=VLAN_600 list=VLAN
add interface=VLAN_700 list=VLAN
add interface=VLAN_800 list=VLAN
add interface=VLAN_900 list=VLAN
add interface=VLAN_1000 list=VLAN
add comment="LTE Backup" interface=WAN3 list=WAN
add interface=WIREGUARD_VPN01 list=VLAN
/interface wireguard peers
add allowed-address=192.168.85.0/24 comment="2nd Customer Location" \
    interface=WIREGUARD_VPN01 public-key=\
    "BnZ546q66tS+A9elKeqToC5cmXjfGU7AaN6MHwCZjU0="
add allowed-address=\
    10.10.9.254/32,192.168.254.0/24,192.168.155.0/24,192.168.249.0/24 \
    comment="MGMT test" endpoint-address=vpn.test.de endpoint-port=40231 \
    interface=WIREGUARD_MGMT persistent-keepalive=25s public-key=\
    "XREJdyp/MYRh57rtVOsXU8a/mLXdoTc953D39TIvW60="
/ip address
add address=10.99.9.254/24 interface=VLAN_99 network=10.99.9.0
add address=192.168.9.1/24 interface=VLAN_100 network=192.168.9.0
add address=10.178.1.254/24 interface=VLAN_200 network=10.178.1.0
add address=10.178.2.254/24 interface=VLAN_300 network=10.178.2.0
add address=10.178.3.254/24 interface=VLAN_400 network=10.178.3.0
add address=192.168.114.254/24 interface=VLAN_500 network=192.168.114.0
add address=10.178.4.254/24 interface=VLAN_600 network=10.178.4.0
add address=10.178.5.254/24 interface=VLAN_700 network=10.178.5.0
add address=10.178.6.254/24 interface=VLAN_800 network=10.178.6.0
add address=10.178.7.254/24 interface=VLAN_900 network=10.178.7.0
add address=192.168.1.254/24 interface=VLAN_1000 network=192.168.1.0
add address=192.168.85.254/24 interface=WIREGUARD_VPN01 network=192.168.85.0
add address=10.10.9.9/24 interface=WIREGUARD_MGMT network=10.10.9.0
add address=192.168.44.254/24 interface=VLAN_1400 network=192.168.44.0
/ip cloud
set ddns-enabled=yes ddns-update-interval=1m
/ip dhcp-client
add comment=DSL interface=WAN1
add comment="BACKUP DSL" interface=WAN2
add comment="LTE BACKUP" interface=WAN3
/ip dhcp-server network
add address=10.99.9.0/24 comment=VLAN99_MGMT dns-server=10.99.9.254 gateway=\
    10.99.9.254
add address=10.178.1.0/24 comment=VLAN200_GUEST dns-server=8.8.8.8 gateway=\
    10.178.1.254
add address=10.178.2.0/24 comment=VLAN300_DMZ dns-server=10.178.2.254 \
    gateway=10.178.2.254
add address=10.178.3.0/24 comment=VLAN400_HOTSPOT dns-server=10.178.3.254 \
    gateway=10.178.3.254
add address=10.178.4.0/24 comment=VLAN600_LTE dns-server=10.178.4.254 \
    gateway=10.178.4.254
add address=10.178.5.0/24 comment=VLAN700_BACKUP01 dns-server=10.178.5.254 \
    gateway=10.178.5.254
add address=10.178.6.0/24 comment=VLAN800_BACKUP02 dns-server=10.178.6.254 \
    gateway=10.178.6.254
add address=10.178.7.0/24 comment=VLAN900_PHONE dns-server=10.178.7.254 \
    gateway=10.178.7.254
add address=192.168.1.0/24 comment=VLAN1000_IOT dns-server=8.8.8.8 gateway=\
    192.168.1.254
add address=192.168.9.0/24 comment=VLAN100_COMPANY dns-server=192.168.9.5 \
    domain=test.local gateway=192.168.9.1
add address=192.168.114.0/24 comment=VLAN500_PRIVATE dns-server=\
    192.168.114.254 gateway=192.168.114.254
/ip dns
set allow-remote-requests=yes
/ip firewall address-list
add comment="Black List (SSH)" list="Black List (SSH)"
add comment="Black List (Winbox)" list="Black List (Winbox)"
add comment="Black List (Port Scanner WAN)" list=\
    "Black List (Port Scanner WAN)"
add comment="Black List (Port Scanner LAN)" list=\
    "Black List (Port Scanner LAN)"
add address=m.test.de list=MGMT
add address=vpn.test.de list=MGMT
add address=192.168.254.0/24 list=MGMT
add address=192.168.155.0/24 list=MGMT
add address=10.178.1.0/24 list=DNS
add address=192.168.9.0/24 list=DNS
add address=10.99.9.0/24 list=DNS
add address=10.178.7.0/24 list=DNS
add address=192.168.9.0/24 list=COMPANY
add address=192.168.1.0/24 list=IOT
add address=192.168.44.0/24 list=PRODUCTION
add address=10.178.1.0/24 list=GUEST
add address=192.168.9.10 list=OFFLINE
add address=127.0.0.1 list=FIREWALL
add address=192.168.85.0/24 list=REMOTE
add address=10.10.9.0/24 list=MGMT
add address=10.178.2.0/24 list=OFFLINE
add address=10.178.5.0/24 list=OFFLINE
add address=10.178.6.0/24 list=OFFLINE
/ip firewall filter
add action=drop chain=input comment=Drop_detect_DDoS connection-state=new \
    dst-address-list=ddosed src-address-list=ddoser
add action=jump chain=input comment=detect_DDoS connection-state=new \
    jump-target=detect_DDoS
add action=drop chain=input comment=Drop_FtB_Level_03 src-address-list=\
    Level_03
add action=add-src-to-address-list address-list=Level_03 \
    address-list-timeout=none-dynamic chain=input comment=FtB_Level_03 \
    connection-state=new dst-port=45131,8291 protocol=tcp src-address-list=\
    Level_02
add action=add-src-to-address-list address-list=Level_02 \
    address-list-timeout=5m chain=input comment=FtB_Level_02 \
    connection-state=new dst-port=45131,8291 protocol=tcp src-address-list=\
    Level_01
add action=add-src-to-address-list address-list=Level_01 \
    address-list-timeout=5m chain=input comment=FtB_Level_01 \
    connection-state=new dst-port=45131,8291 protocol=tcp
add action=accept chain=input comment=Accept_Est_und_Rel connection-state=\
    established,related
add action=accept chain=input comment=Wireguard dst-port=13240,13241,53245 \
    in-interface-list=WAN protocol=udp
add action=accept chain=input comment=IPsec-ESP protocol=ipsec-esp
add action=accept chain=input comment=L2TP dst-port=500,4500 protocol=udp
add action=accept chain=input comment=SNMP dst-port=161 protocol=udp \
    src-address-list=MGMT
add action=accept chain=input comment=HTTPS_ROUTER_Intern dst-port=1449 \
    protocol=tcp src-address-list=MGMT
add action=accept chain=input comment=Accept_DNS dst-port=53 \
    in-interface-list=!WAN log=yes log-prefix=DNS protocol=udp \
    src-address-list=DNS
add action=accept chain=input comment=MGMT dst-port=45131,8291 \
    in-interface-list=!WAN protocol=tcp src-address-list=MGMT
add action=accept chain=input comment=MGMT dst-port=45131,8291 protocol=tcp
add action=accept chain=input comment=CAPsMAN_localhost dst-address=127.0.0.1
add action=drop chain=input comment=Drop_Invalid connection-state=invalid
add action=drop chain=input comment=Drop_Rest_all
add action=accept chain=input comment="Accept Radius" dst-port=3799,1812,1813 \
    in-interface-list=!WAN protocol=udp src-address-list=FIREWALL
add action=accept chain=input comment="CAPsMAN accept all local traffic" \
    src-address-type=local
add action=accept chain=input comment="WAN -> FW | WireGuard-Zugriff" \
    dst-port=13239 log=yes log-prefix=WireGuard protocol=udp
add action=accept chain=input comment="FIRMA Port | WireGuard-Zugriff" \
    dst-port=40231 log=yes log-prefix=WireGuard protocol=udp
add action=accept chain=input comment="WAN -> FW | WireGuard-Zugriff" \
    dst-address=192.168.85.254 in-interface=WIREGUARD_VPN01 log=yes \
    log-prefix=Wireguard
add action=accept chain=input comment="WAN -> FW | WireGuard-Zugriff" \
    dst-address=10.10.9.254 in-interface=WIREGUARD_MGMT log=yes log-prefix=\
    Wireguard
add action=drop chain=input comment="Drop everything else" log=yes \
    log-prefix="IN DROP REST -> "
add action=accept chain=forward comment=\
    "WireGuard-VPN -> VLAN_100 | Network Access" dst-address=\
    !192.168.85.0/24 in-interface=WIREGUARD_VPN01 out-interface=VLAN_100
add action=accept chain=forward comment=\
    "WireGuard-VPN test | all VLAN Network Access" dst-address=\
    !10.10.9.0/24 in-interface=WIREGUARD_MGMT out-interface=all-vlan
add action=accept chain=forward comment=Accept_Remote_to_Company \
    dst-address-list=COMPANY src-address-list=REMOTE
add action=accept chain=forward comment=Accept_Remote_to_Company \
    dst-address-list=COMPANY src-address-list=MGMT
add action=drop chain=forward comment=Drop_IOT_to_Company dst-address-list=\
    COMPANY src-address-list=IOT
add action=accept chain=forward comment=Accept_Est_und_Rel connection-state=\
    established,related
add action=accept chain=forward comment=Starface dst-port=5060 protocol=tcp
add action=accept chain=forward comment=Starface dst-port=5060 protocol=udp
add action=accept chain=forward comment=Starface dst-port=5061 protocol=tcp
add action=accept chain=forward comment=Starface dst-port=10000-13239 \
    protocol=udp
add action=drop chain=forward comment=Only_Internet out-interface-list=!WAN \
    src-address-list=PRODUCTION
add action=drop chain=forward comment=GUEST_ONLY_INTERNET dst-port=!80,443 \
    out-interface-list=!WAN protocol=tcp src-address-list=GUEST
add action=drop chain=forward comment=NO_INTERNET out-interface-list=WAN \
    src-address-list=OFFLINE
add action=drop chain=forward comment=Drop_Invalid connection-state=invalid
add action=drop chain=forward comment=Drop_Rest_all
add action=return chain=detect_DDoS dst-limit=\
    128,128,src-and-dst-addresses/20s src-address-list=!COMPANY
add action=return chain=detect_DDoS src-address-list=COMPANY
add action=add-dst-to-address-list address-list=ddosed address-list-timeout=\
    30m chain=detect_DDoS
add action=add-src-to-address-list address-list=ddoser address-list-timeout=\
    30m chain=detect_DDoS
add action=accept chain=input comment=\
    "Allow existing and related connections" connection-state=\
    established,related
add action=drop chain=input comment="Blockiere ungltige Verbindungen" \
    connection-state=invalid
add action=accept chain=input comment="Allow ICMP (Ping)" protocol=icmp
add action=drop chain=input comment="Block than others from WAN" \
    in-interface-list=WAN
/ip firewall nat
add action=dst-nat chain=dstnat dst-port=5060 in-interface=WAN1 log=yes \
    protocol=tcp to-addresses=192.168.9.20 to-ports=5060
add action=dst-nat chain=dstnat dst-port=5060 in-interface=WAN1 log=yes \
    protocol=udp to-addresses=192.168.9.20 to-ports=5060
add action=dst-nat chain=dstnat dst-port=10000-13238 in-interface=WAN1 log=\
    yes protocol=udp to-addresses=192.168.9.20 to-ports=10000-13238
add action=dst-nat chain=dstnat dst-port=5061 in-interface=WAN1 log=yes \
    protocol=tcp to-addresses=192.168.9.20 to-ports=5061
add action=masquerade chain=srcnat comment=DSL out-interface=WAN1
add action=masquerade chain=srcnat comment="DSL Backup" out-interface=WAN2
add action=masquerade chain=srcnat comment="LTE Backup" out-interface=WAN3
/ip firewall service-port
set sip disabled=yes
/ip route
add disabled=no distance=1 dst-address=192.168.254.0/24 gateway=\
    WIREGUARD_MGMT routing-table=main scope=10 suppress-hw-offload=no
add disabled=no distance=1 dst-address=192.168.249.0/24 gateway=\
    WIREGUARD_MGMT pref-src="" routing-table=main scope=10 \
    suppress-hw-offload=no target-scope=10
add disabled=no distance=1 dst-address=192.168.155.0/24 gateway=\
    WIREGUARD_MGMT pref-src="" routing-table=main scope=10 \
    suppress-hw-offload=no target-scope=10
add disabled=no dst-address=188.144.0.0/15 gateway=192.168.9.3 routing-table=\
    main suppress-hw-offload=no
/ip service
set telnet disabled=yes
set ftp disabled=yes
set www disabled=yes
set ssh port=45131
set www-ssl disabled=no port=1455
set api disabled=yes
/ip ssh
set forwarding-enabled=both host-key-size=4096 strong-crypto=yes
/radius
add address=10.99.254.1 service=login
/snmp
set contact="test <mikrotik@test.de>" enabled=yes trap-community=snmpv3test \
    trap-version=3
/system clock
set time-zone-name=Europe/Berlin
/system identity
set name=Router
/system note
set note="test - Authorized Administrators only. Access to this d\
    evice is monitored." show-at-login=no
/system ntp client
set enabled=yes
/system ntp client servers
add address=1.de.pool.ntp.org
add address=2.de.pool.ntp.org
add address=3.de.pool.ntp.org
/system routerboard settings
set auto-upgrade=yes silent-boot=yes
/system scheduler
add name=schedule1 on-event="/system routerboard :if ( [get current-firmware] \
    != [get upgrade-firmware] ) do={ /system reboot }" policy=\
    ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon \
    start-time=startup
add interval=1w name=Backup on-event=Backup policy=\
    ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon \
    start-date=1970-01-01 start-time=00:00:00
/system watchdog
set automatic-supout=no ping-start-after-boot=1w watchdog-timer=no
/tool bandwidth-server
set enabled=no
/tool romon
set enabled=yes
/user aaa
set interim-update=5m use-radius=yes
/user settings
set minimum-categories=3 minimum-password-length=8
/user-manager
set certificate=*0
/user-manager router
add address=10.99.1.251 name=ROUTER
 
anav
Forum Guru
Posts: 18696
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Firewall - DNS Open? - Urgent

Sun Dec 03, 2023 5:26 pm

I will have a look. I am actually hoping that you are understanding the config better and learning as you go and gaining confidence in your own skills!

Observations:
1. You have many vlans identified but not fully configured; I assumed this was future plans and removed them from the config for the moment (noise).

2. Production vlan not on the interface list member of VLAN and also missing from the dhcp-server network settings.

3. We can keep fasttrack for the rest of the config and just isolate it for the queue for guest........

4. Firewall rules totally redone, simplified.

5. I do not understand your wireguard situation.
Can I assume VPN-01 is the case where this router is the server for the handshake??? Clients unknown............. (you need to fill in the wireguard blanks here at the client device)
Can I assume VPN MGMT is the case where this router is the client for the handshake?? and the Server Router is elsewhere, type unknown, wireguard config unknown??? (you need to fill in the blanks here)

a. For example, this is wrong if VPN01 is acting as a server. Any client from the server should be X/32 for the wireguard associated address. If it was another router with subnets, then one could add the remote subnets as well..........
Each client gets its own peer config line!!
/interface wireguard peers
add allowed-address=192.168.85.0/24 comment="2nd Customer Location" \
interface=WIREGUARD_VPN01 public-key="B0="

b. For example, if VPN MGMT means that there is a server elsewhere and this router was acting as a client for the handshake......
then your Allowed IPs are wrong. The associated wireguard address to the server should be in the format of subnet 0/24

add allowed-address=\
10.10.9.254/32,192.168.254.0/24,192.168.155.0/24,192.168.249.0/24 \
comment="MGMT test" endpoint-address=vpn.test.de endpoint-port=40231 \
interface=WIREGUARD_MGMT persistent-keepalive=25s public-key="X="

d. Knowing that you are only required to have an input chain for the listening port IF, IF, IF the router is acting as a server for the handshake....... you should be able to see why this is confusing.....
add action=accept chain=input comment=Wireguard dst-port=13240,13241,53245 \
in-interface-list=WAN protocol=udp

Which tells the reader you think all three wireguard ports (and only two are identified in the config itself, adding to more confusion) are required, and thus you have three different wireguard interfaces and the router is acting as server in all three cases.

Thus you need to provide much more clarity for the wireguard requirements!!!
 
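As an added example (not code from the thread, the poster, or MikroTik), a small Python linter that reads a RouterOS export and mechanically applies the three checks the reply above asks for: /32 per client when this router is the handshake server, the tunnel subnet when it is the client, and an input accept for the listen-port only on the server side. It assumes the role reading stated in its docstring (no endpoint-address = server role, endpoint-address present = client role), and the export it carries is a constructed sample with placeholder keys.

```python
"""Lint a RouterOS export for the WireGuard peer and input-chain questions raised
above. Added example, not code from the forum thread or MikroTik. Assumed reading:
a peer WITHOUT endpoint-address means this router waits for the handshake (server
role); a peer WITH endpoint-address means this router initiates it (client role)."""
import ipaddress
import re

# key=value tokens of one export line; values may be double-quoted and contain spaces
KV_RE = re.compile(r'([\w-]+)=("(?:[^"\\]|\\.)*"|\S*)')

def join_continuations(text):
    """Rejoin physical lines that the export wrapped with a trailing backslash."""
    logical, buf = [], ""
    for raw in text.splitlines():
        line = raw.strip() if buf else raw.rstrip()
        if line.endswith("\\"):
            buf += line[:-1]
            continue
        buf += line
        if buf.strip() and not buf.startswith("#"):
            logical.append(buf)
        buf = ""
    return logical

def parse_export(text):
    """Map each '/section' header to its 'add' entries as key->value dicts."""
    sections, current = {}, None
    for line in join_continuations(text):
        if line.startswith("/"):
            current = line
        elif line.startswith("add ") and current is not None:
            entry = {k: v.strip('"') for k, v in KV_RE.findall(line[4:])}
            sections.setdefault(current, []).append(entry)
    return sections

def lint_wireguard(export_text):
    """Return human-readable findings; an empty list means the config is consistent."""
    cfg = parse_export(export_text)
    listen = {i["name"]: i.get("listen-port") for i in cfg.get("/interface wireguard", [])}
    tunnel_net = {a["interface"]: ipaddress.ip_interface(a["address"]).network
                  for a in cfg.get("/ip address", []) if a.get("interface") in listen}
    findings, server_role = [], set()
    for p in cfg.get("/interface wireguard peers", []):
        ifname, label = p.get("interface"), p.get("comment", "<no comment>")
        nets = [ipaddress.ip_network(n, strict=False)
                for n in p.get("allowed-address", "").split(",") if n]
        if "endpoint-address" in p:
            # Client role: the server side should be allowed as the whole tunnel subnet.
            net = tunnel_net.get(ifname)
            for n in nets:
                if net and n.prefixlen == 32 and n.subnet_of(net):
                    findings.append(f"{ifname}/{label}: client-role peer lists tunnel address "
                                    f"{n} as /32; expected the tunnel subnet {net}")
        else:
            # Server role: each client gets its own peer line with a /32 tunnel address.
            server_role.add(ifname)
            if not any(n.prefixlen == 32 for n in nets):
                findings.append(f"{ifname}/{label}: server-role peer has no /32 tunnel "
                                f"address in allowed-address {p.get('allowed-address')}")
    # Only server-role interfaces need their listen-port opened in the input chain.
    accepted_udp, wg_rule_ports = set(), set()
    for r in cfg.get("/ip firewall filter", []):
        if (r.get("chain"), r.get("action"), r.get("protocol")) == ("input", "accept", "udp"):
            ports = {x for x in r.get("dst-port", "").split(",") if x}  # ranges kept verbatim
            accepted_udp |= ports
            if "wireguard" in r.get("comment", "").lower():
                wg_rule_ports |= ports
    for ifname, port in listen.items():
        if ifname in server_role and port not in accepted_udp:
            findings.append(f"{ifname}: server role on udp/{port} but no input accept opens it")
        if ifname not in server_role and port in accepted_udp:
            findings.append(f"{ifname}: client role only; the input accept for udp/{port} is unneeded")
    for port in sorted(wg_rule_ports - set(listen.values())):
        findings.append(f"input accept for udp/{port} matches no WireGuard listen-port")
    return findings

SAMPLE_EXPORT = """\
# constructed sample modelled on the thread's export; keys are placeholders
/interface wireguard
add comment="VPN to 2nd customer location" listen-port=53239 name=WIREGUARD_VPN01
add comment=TEST listen-port=40231 mtu=1420 name=WIREGUARD_TEST
/interface wireguard peers
add allowed-address=192.168.85.0/24 comment="2nd Customer Location" \\
    interface=WIREGUARD_VPN01 public-key="PLACEHOLDER_PUBLIC_KEY_1"
add allowed-address=\\
    10.10.9.254/32,192.168.254.0/24 comment="MGMT test" \\
    endpoint-address=vpn.test.de endpoint-port=40231 interface=WIREGUARD_TEST \\
    persistent-keepalive=25s public-key="PLACEHOLDER_PUBLIC_KEY_2"
/ip address
add address=192.168.85.254/24 interface=WIREGUARD_VPN01 network=192.168.85.0
add address=10.10.9.9/24 interface=WIREGUARD_TEST network=10.10.9.0
/ip firewall filter
add action=accept chain=input comment=Wireguard dst-port=13240,13241,53245 \\
    in-interface-list=WAN protocol=udp
add action=accept chain=input comment=L2TP dst-port=500,4500 protocol=udp
"""
if __name__ == "__main__":
    for finding in lint_wireguard(SAMPLE_EXPORT):
        print("-", finding)
```

Run against a real `/export` the same way; the L2TP rule in the sample is there to show that unrelated UDP accepts are not reported.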
anav
Forum Guru
Posts: 18696
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Firewall - DNS Open? - Urgent

Sun Dec 03, 2023 7:28 pm

This rule makes no sense to me......
add action=accept chain=input comment="Accept Radius" dst-port=3799,1812,1813 \
in-interface-list=!WAN protocol=udp src-address-list=FIREWALL


Where the only entry for the firewall address list is the following
add address=127.0.0.1 list=FIREWALL

Another rule that makes no sense to me......... What are you trying to say, or accomplish.........
add action=accept chain=input comment="CAPsMAN accept all local traffic" \
src-address-type=local
???????

Which users, to which services on the router...........................
The only service users typically need is to DNS........
and you already identified which users should have access to DNS already...........
(as well as the other services).

And thus this input chain rule seems silly............. or based on troubleshooting......

These rules make no sense............
add action=accept chain=forward comment=Starface dst-port=5060 protocol=tcp
add action=accept chain=forward comment=Starface dst-port=5060 protocol=udp
add action=accept chain=forward comment=Starface dst-port=5061 protocol=tcp
add action=accept chain=forward comment=Starface dst-port=10000-13239 \
protocol=udp


Be clear about what you are trying to say or accomplish???
 
anav
Forum Guru
Posts: 18696
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Firewall - DNS Open? - Urgent

Sun Dec 03, 2023 7:36 pm

Which subnets or list of individual devices should be getting NTP services from the router???

Where are the remote subnets coming from in this rule................??

add action=accept chain=forward comment=Accept_Remote_to_Company \
dst-address-list=COMPANY src-address-list=REMOTE


Reminder........
add address=192.168.254.0/24 list=REMOTE
add address=192.168.155.0/24 list=REMOTE
add address=192.168.85.0/24 list=REMOTE


Are they coming from a remote device over wg vpn01 or wg vpn mgmt ???

You already gave access to company from VPN01 in a separate rule
and
You already gave access to all VLANs from VPN MGMT in another rule......

So just wondering why this additional one is necessary???

- What is the purpose of this rule........ Where are you trying to reach? It's not a local address nor one available through wireguard ????
add disabled=no dst-address=188.144.0.0/15 gateway=192.168.9.3 routing-table=\
main suppress-hw-offload=no
 
anav
Forum Guru
Posts: 18696
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Firewall - DNS Open? - Urgent

Sun Dec 03, 2023 8:07 pm

Your three wans, in IP DHCP CLIENT, did you enable default routes and if so did you put any script in there..........??

Right now there is no way to determine how you setup the WANs in terms of priority..........??
 
dima1002
Member Candidate
Topic Author
Posts: 157
Joined: Fri Jan 26, 2018 8:40 pm

Re: Firewall - DNS Open? - Urgent

Sun Dec 03, 2023 8:34 pm

Yes thank you. Hopefully with more time and more to do with it, it will get better and better.
It's slowly getting fun.

1. Yes, I just wanted to prepare the VLANs. I have now finished configuring all VLANs up to 1500

2. Production VLAN was also configured

3. I also adapted the telephone network with a queue, is that ok?

4. I have summarized the firewall even more. I have adapted the DNS list to the local networks.

5. I had completely forgotten about Wireguard settings beforehand. I have now adjusted the ports and peers.
# 2023-12-03 19:23:58 by RouterOS 7.12.1
/caps-man channel
add band=5ghz-n/ac control-channel-width=20mhz frequency="" name=\
    5Ghz-Channels skip-dfs-channels=yes
add band=2ghz-g/n control-channel-width=20mhz extension-channel=disabled \
    frequency=2412,2437,2462 name=2.4Ghz-Channels
/interface bridge
add name=BRIDGE priority=0x7000 vlan-filtering=yes
/interface ethernet
set [ find default-name=ether1 ] name=WAN1
set [ find default-name=ether2 ] name=WAN2
set [ find default-name=ether3 ] name=WAN3
set [ find default-name=ether4 ] disabled=yes name=WAN4
/interface l2tp-client
add allow-fast-path=yes connect-to=vpn.test.com name=l2tp-TEST user=TEST01
/interface wireguard
add comment=TEST listen-port=40231 mtu=1420 name=WIREGUARD_TEST
add comment="VPN to 2nd customer location" listen-port=53239 mtu=1420 name=\
    WIREGUARD_VPN01
/interface vlan
add comment=MGT interface=BRIDGE name=VLAN_99 vlan-id=99
add comment=COMPANY interface=BRIDGE name=VLAN_100 vlan-id=100
add comment=GUEST interface=BRIDGE name=VLAN_200 vlan-id=200
add comment=DMZ interface=BRIDGE name=VLAN_300 vlan-id=300
add comment=HOTSPOT interface=BRIDGE name=VLAN_400 vlan-id=400
add comment=PRIVAT interface=BRIDGE name=VLAN_500 vlan-id=500
add comment=LTE interface=BRIDGE name=VLAN_600 vlan-id=600
add comment=BACKUP01 interface=BRIDGE name=VLAN_700 vlan-id=700
add comment=BACKUP02 interface=BRIDGE name=VLAN_800 vlan-id=800
add comment=PHONE interface=BRIDGE name=VLAN_900 vlan-id=900
add comment=IOT interface=BRIDGE name=VLAN_1000 vlan-id=1000
add comment=PRINTER interface=BRIDGE name=VLAN_1100 vlan-id=1100
add comment=SONOS interface=BRIDGE name=VLAN_1200 vlan-id=1200
add comment=CAMERA interface=BRIDGE name=VLAN_1300 vlan-id=1300
add comment=PRODUCTION interface=BRIDGE name=VLAN_1400 vlan-id=1400
add comment=SERVER interface=BRIDGE name=VLAN_1500 vlan-id=1500
add comment=MISCELLANEOUS01 disabled=yes interface=BRIDGE name=VLAN_1600 \
    vlan-id=1600
add comment=MISCELLANEOUS02 disabled=yes interface=BRIDGE name=VLAN_1700 \
    vlan-id=1700
add comment=MISCELLANEOUS03 disabled=yes interface=BRIDGE name=VLAN_1800 \
    vlan-id=1800
add comment=MISCELLANEOUS04 disabled=yes interface=BRIDGE name=VLAN_1900 \
    vlan-id=1900
add comment=MISCELLANEOUS05 disabled=yes interface=BRIDGE name=VLAN_2000 \
    vlan-id=2000
/caps-man datapath
add bridge=BRIDGE client-to-client-forwarding=yes local-forwarding=no name=\
    COMPANY vlan-id=100 vlan-mode=use-tag
add bridge=BRIDGE client-to-client-forwarding=no comment=GUEST \
    local-forwarding=no name=GAST vlan-id=200 vlan-mode=use-tag
add bridge=BRIDGE client-to-client-forwarding=no local-forwarding=no name=\
    HOTSPOT vlan-id=400 vlan-mode=use-tag
add bridge=BRIDGE client-to-client-forwarding=yes local-forwarding=no name=\
    PRIVAT vlan-id=500 vlan-mode=use-tag
/caps-man security
add authentication-types=wpa2-psk encryption=aes-ccm name=COMPANY
add authentication-types=wpa2-psk encryption=aes-ccm name=GUEST
add authentication-types=wpa2-psk encryption=aes-ccm name=HOTSPOT
add authentication-types=wpa2-psk encryption=aes-ccm name=PRIVAT
/caps-man configuration
add channel=2.4Ghz-Channels country=etsi datapath=COMPANY installation=indoor \
    mode=ap name=COMPANY2GHZ security=COMPANY ssid=COMPANY
add channel=5Ghz-Channels country=etsi datapath=COMPANY installation=indoor \
    mode=ap name=COMPANY5GHZ security=COMPANY ssid=COMPANY
add channel=2.4Ghz-Channels country=etsi datapath=GAST installation=indoor \
    mode=ap name=GUEST2GHZ security=GUEST ssid=GUEST
add channel=5Ghz-Channels country=etsi datapath=GAST installation=indoor \
    mode=ap name=GUEST5GHZ security=GUEST ssid=GUEST
add channel=2.4Ghz-Channels country=etsi datapath=HOTSPOT installation=indoor \
    mode=ap name=HOTSPOT2GHZ security=HOTSPOT ssid=HOTSPOT
add channel=5Ghz-Channels country=etsi datapath=HOTSPOT installation=indoor \
    mode=ap name=HOTSPOT5GHZ security=HOTSPOT ssid=HOTSPOT
add channel=2.4Ghz-Channels country=etsi datapath=PRIVAT installation=indoor \
    mode=ap name=PRIVATE2GHZ security=PRIVAT ssid=PRIVATE
add channel=5Ghz-Channels country=etsi datapath=PRIVAT installation=indoor \
    mode=ap name=PRIVATE5GHZ security=PRIVAT ssid=PRIVATE
/interface list
add name=VLAN
add name=LAN
add name=WAN
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip pool
add name=MGT ranges=10.99.9.100-10.99.9.253
add name=COMPANY ranges=192.168.9.20-192.168.9.250
add name=GUEST ranges=10.178.1.200-10.178.1.253
add name=DMZ ranges=10.178.2.200-10.178.2.253
add name=HOTSPOT ranges=10.178.3.200-10.178.3.253
add name=LTE ranges=10.178.5.200-10.178.5.253
add name=BACKUP01 ranges=10.178.6.200-10.178.6.253
add name=BACKUP02 ranges=10.178.7.200-10.178.7.253
add name=PHONE ranges=10.178.8.100-10.178.8.253
add name=IOT ranges=10.178.9.100-10.178.9.253
add name=PRIVATE ranges=10.178.4.200-10.178.4.253
add name=SONOS ranges=10.178.11.100-10.178.11.253
add name=CAMERA ranges=10.178.12.200-10.178.12.253
add name=SERVER ranges=10.178.14.1-10.178.14.20
add name=PRINTER ranges=10.178.10.100-10.178.10.253
add name=PRODUCTION ranges=10.178.13.200-10.178.13.253
/ip dhcp-server
add address-pool=MGT interface=VLAN_99 lease-time=1w10m name=MGT
add address-pool=COMPANY interface=VLAN_100 lease-time=1w10m name=COMPANY
add address-pool=GUEST interface=VLAN_200 lease-time=1h name=GUEST
add address-pool=DMZ interface=VLAN_300 lease-time=1d10m name=DMZ
add address-pool=HOTSPOT interface=VLAN_400 lease-time=1d10m name=HOTSPOT
add address-pool=PRIVATE interface=VLAN_500 lease-time=1d10m name=PRIVAT
add address-pool=LTE interface=VLAN_600 lease-time=1d10m name=LTE
add address-pool=BACKUP01 interface=VLAN_700 lease-time=1d10m name=BACKUP01
add address-pool=BACKUP02 interface=VLAN_800 lease-time=1d10m name=BACKUP02
add address-pool=PHONE interface=VLAN_900 lease-time=1d10m name=PHONE
add address-pool=IOT interface=VLAN_1000 lease-time=1d10m name=IOT
add address-pool=PRODUCTION interface=VLAN_1400 lease-time=1d30m name=\
    PRODUCTION
add address-pool=PRINTER interface=VLAN_1100 lease-time=1d10m name=PRINTER
add address-pool=SONOS interface=VLAN_1200 lease-time=1d30m name=SONOS
add address-pool=CAMERA interface=VLAN_1300 lease-time=1d30m name=CAMERA
add address-pool=SERVER interface=VLAN_1500 lease-time=1d30m name=SERVER
/port
set 0 name=serial0
set 1 name=serial1
/queue simple
add max-limit=8M/8M name=queue-guest target=10.178.1.0/24
add max-limit=8M/8M name=queue-phone priority=1/1 target=10.178.8.0/24
/snmp community
add addresses=192.168.254.0/24,10.16.0.0/16,10.99.0.0/16,10.10.9.0/24 \
    authentication-protocol=SHA1 encryption-protocol=AES name=snmpv3DIM \
    security=private
/user-manager user
add attributes=\
    Tunnel-Medium-Type:6,Tunnel-Private-Group-ID:300,Tunnel-Type:13 comment=\
    Macbook disabled=yes name=22:E0:4C:A4:91:76
add attributes=Tunnel-Medium-Type:6,Tunnel-Private-Group-ID:99,Tunnel-Type:13 \
    comment=Kamera disabled=yes name=EC:71:DB:EA:51:FD
add attributes=\
    Tunnel-Medium-Type:6,Tunnel-Private-Group-ID:100,Tunnel-Type:13 comment=\
    TV disabled=yes name=7C:0A:3F:FB:B6:2A
/caps-man access-list
add action=reject allow-signal-out-of-range=10s disabled=no interface=all \
    signal-range=-115..-76 ssid-regexp=""
add action=accept allow-signal-out-of-range=10s disabled=no interface=all \
    signal-range=-75..115 ssid-regexp=""
/caps-man manager
set ca-certificate=auto certificate=auto enabled=yes package-path=/
/caps-man provisioning
add action=create-dynamic-enabled hw-supported-modes=gn master-configuration=\
    COMPANY2GHZ name-format=prefix-identity slave-configurations=\
    GUEST2GHZ,PRIVATE2GHZ,HOTSPOT2GHZ
add action=create-dynamic-enabled hw-supported-modes=an master-configuration=\
    COMPANY5GHZ name-format=prefix-identity slave-configurations=\
    GUEST5GHZ,PRIVATE5GHZ,HOTSPOT5GHZ
/interface bridge port
add bridge=BRIDGE frame-types=admit-only-vlan-tagged interface=ether5
add bridge=BRIDGE frame-types=admit-only-vlan-tagged interface=ether6
add bridge=BRIDGE frame-types=admit-only-vlan-tagged interface=ether7
add bridge=BRIDGE frame-types=admit-only-vlan-tagged interface=ether8
add bridge=BRIDGE interface=sfp-sfpplus1
/interface list member
add comment=DSL interface=WAN1 list=WAN
add comment="DSL Backup" interface=WAN2 list=WAN
add interface=VLAN_99 list=VLAN
add interface=VLAN_100 list=VLAN
add interface=VLAN_200 list=VLAN
add interface=VLAN_300 list=VLAN
add interface=VLAN_400 list=VLAN
add interface=VLAN_500 list=VLAN
add interface=VLAN_600 list=VLAN
add interface=VLAN_700 list=VLAN
add interface=VLAN_800 list=VLAN
add interface=VLAN_900 list=VLAN
add interface=VLAN_1000 list=VLAN
add comment="LTE Backup" interface=WAN3 list=WAN
add interface=WIREGUARD_VPN01 list=VLAN
/interface wireguard peers
add allowed-address=192.168.85.0/24,192.168.9.0/24 comment=\
    "2nd Customer Location" endpoint-address=vpn.test.com endpoint-port=40230 \
    interface=WIREGUARD_VPN01 persistent-keepalive=25s preshared-key=\
    "AMcEkC40rCHaYZFpKHjTI9Om8hHEHiRlo4Hwm5T3R1o=" public-key=\
    "BnZ146qo6tS+n9elKeqToC5cmXjfGU7AaN6MHwCZjU0="
add allowed-address=192.168.254.0/24,192.168.155.0/24 comment=\
    "MGMT TEST - Site to Site" endpoint-address=vpn.test.com endpoint-port=\
    40231 interface=WIREGUARD_TEST persistent-keepalive=25s preshared-key=\
    "iMou/lFZEvPiljjJEgtigxnn75cqdw2hAaXAehqOsFY=" public-key=\
    "XRXJdyp/CYXh57rtaOsWU8a/mLXdoTc251D39fIvWk0="
add allowed-address=192.168.85.10/32 comment="Employees - home office - VPN" \
    interface=WIREGUARD_VPN01 persistent-keepalive=25s preshared-key=\
    "mPQhQX9rSElkgQ7KsL0x/memzWsDaItzuddIY1RXzWI=" public-key=\
    "CYZ146qo6tS+n9elKeqToC5cmyjfGU7AaN6MHxCZjU0="
/ip address
add address=10.99.9.254/24 comment=MGMT interface=VLAN_99 network=10.99.9.0
add address=192.168.9.1/24 comment=COMPANY interface=VLAN_100 network=\
    192.168.9.0
add address=10.178.1.254/24 comment=GUEST interface=VLAN_200 network=\
    10.178.1.0
add address=10.178.2.254/24 comment=DMZ interface=VLAN_300 network=10.178.2.0
add address=10.178.3.254/24 comment=HOTSPOT interface=VLAN_400 network=\
    10.178.3.0
add address=10.178.4.254/24 comment=PRIVATE interface=VLAN_500 network=\
    10.178.4.0
add address=10.178.5.254/24 comment=LTE interface=VLAN_600 network=10.178.5.0
add address=10.178.6.254/24 comment=BACKUP01 interface=VLAN_700 network=\
    10.178.6.0
add address=10.178.7.254/24 comment=BACKUP02 interface=VLAN_800 network=\
    10.178.7.0
add address=10.178.8.254/24 comment=PHONE interface=VLAN_900 network=\
    10.178.8.0
add address=10.178.9.254/24 comment=IOT interface=VLAN_1000 network=\
    10.178.9.0
add address=192.168.85.254/24 interface=WIREGUARD_VPN01 network=192.168.85.0
add address=10.10.9.9/24 interface=WIREGUARD_TEST network=10.10.9.0
add address=10.178.10.254/24 comment=PRINTER interface=VLAN_1100 network=\
    10.178.10.0
add address=10.178.11.254/24 comment=SONOS interface=VLAN_1200 network=\
    10.178.11.0
add address=10.178.12.254/24 comment=CAMERA interface=VLAN_1300 network=\
    10.178.12.0
add address=10.178.13.254/24 comment=PRODUCTION interface=VLAN_1400 network=\
    10.178.13.0
add address=10.178.14.254/24 comment=SERVER interface=VLAN_1500 network=\
    10.178.14.0
/ip cloud
set ddns-enabled=yes ddns-update-interval=1m
/ip dhcp-client
add comment=DSL interface=WAN1
add comment="BACKUP DSL" interface=WAN2
add comment="LTE BACKUP" interface=WAN3
/ip dhcp-server network
add address=10.99.9.0/24 comment=VLAN99_MGMT dns-server=10.99.9.254 gateway=\
    10.99.9.254
add address=10.178.1.0/24 comment=VLAN200_GUEST_WITH_OPENDNS dns-server=\
    208.67.222.123,208.67.220.123 gateway=10.178.1.254
add address=10.178.2.0/24 comment=VLAN300_DMZ dns-server=10.178.2.254 \
    gateway=10.178.2.254
add address=10.178.3.0/24 comment=VLAN400_HOTSPOT dns-server=10.178.3.254 \
    gateway=10.178.3.254
add address=10.178.4.0/24 comment=VLAN500_PRIVATE dns-server=10.178.4.254 \
    gateway=10.178.4.254
add address=10.178.5.0/24 comment=VLAN600_LTE dns-server=10.178.5.254 \
    gateway=10.178.5.254
add address=10.178.6.0/24 comment=VLAN700_BACKUP01 dns-server=10.178.6.254 \
    gateway=10.178.6.254
add address=10.178.7.0/24 comment=VLAN800_BACKUP02 dns-server=10.178.7.254 \
    gateway=10.178.7.254
add address=10.178.8.0/24 comment=VLAN900_PHONE dns-server=10.178.8.254 \
    gateway=10.178.8.254
add address=10.178.9.0/24 comment=VLAN1000_IOT dns-server=8.8.8.8 gateway=\
    10.178.9.254
add address=10.178.10.0/24 comment=VLAN1100_PRINTER dns-server=8.8.8.8 \
    gateway=10.178.10.254
add address=10.178.11.0/24 comment=VLAN1200_SONOS dns-server=8.8.8.8 gateway=\
    10.178.11.254
add address=10.178.12.0/24 comment=VLAN1300_CAMERA dns-server=8.8.8.8 \
    gateway=10.178.12.254
add address=10.178.13.0/24 comment=VLAN1400_PRODUCTION dns-server=\
    10.178.13.254 gateway=10.178.13.254
add address=10.178.14.0/24 comment=VLAN1500_SERVER dns-server=10.178.14.254 \
    gateway=10.178.14.254
add address=192.168.9.0/24 comment=VLAN100_COMPANY dns-server=192.168.9.5 \
    domain=test.local gateway=192.168.9.1
/ip dns
set allow-remote-requests=yes
/ip firewall address-list
add comment="Black List (SSH)" list="Black List (SSH)"
add comment="Black List (Winbox)" list="Black List (Winbox)"
add comment="Black List (Port Scanner WAN)" list=\
    "Black List (Port Scanner WAN)"
add comment="Black List (Port Scanner LAN)" list=\
    "Black List (Port Scanner LAN)"
add address=m.test.com list=MGMT
add address=vpn.test.com list=MGMT
add address=192.168.254.0/24 list=MGMT
add address=192.168.155.0/24 list=MGMT
add address=192.168.9.0/24 list=COMPANY
add address=10.178.9.0/24 list=IOT
add address=192.168.44.0/24 list=PRODUCTION
add address=10.178.1.0/24 list=GUEST
add address=192.168.9.10 list=OFFLINE
add address=127.0.0.1 list=FIREWALL
add address=192.168.85.0/24 list=REMOTE
add address=10.10.9.0/24 list=MGMT
add address=10.178.2.0/24 list=OFFLINE
add address=10.178.7.0/24 list=OFFLINE
add address=10.178.6.0/24 list=OFFLINE
add comment="Black List (SSH)" list="Black List (SSH)"
add comment="Black List (Winbox)" list="Black List (Winbox)"
add comment="Black List (Port Scanner WAN)" list=\
    "Black List (Port Scanner WAN)"
add comment="Black List (Port Scanner LAN)" list=\
    "Black List (Port Scanner LAN)"
add address=10.10.9.0/24 list=ALL_INT_MGMT
add address=10.99.9.0/24 list=ALL_INT_MGMT
add address=10.178.1.0/24 list=ALL_INT_MGMT
add address=10.178.2.0/24 list=ALL_INT_MGMT
add address=10.178.5.0/24 list=ALL_INT_MGMT
add address=10.178.6.0/24 list=ALL_INT_MGMT
add address=10.178.7.0/24 list=ALL_INT_MGMT
add address=192.168.9.0/24 list=ALL_INT_MGMT
add address=192.168.85.0/24 list=ALL_INT_MGMT
add address=10.178.8.10 comment="Telephone System" list=PHONE
add address=10.178.3.0/24 list=ALL_INT_MGMT
add address=10.178.4.0/24 list=ALL_INT_MGMT
add address=10.178.8.0/24 list=ALL_INT_MGMT
add address=10.178.9.0/24 list=ALL_INT_MGMT
add address=10.178.10.0/24 list=ALL_INT_MGMT
add address=10.178.11.0/24 list=ALL_INT_MGMT
add address=10.178.12.0/24 list=ALL_INT_MGMT
add address=10.178.13.0/24 list=ALL_INT_MGMT
add address=10.178.14.0/24 list=ALL_INT_MGMT
/ip firewall filter
add action=drop chain=input comment=Drop_detect_DDoS connection-state=new \
    dst-address-list=ddosed src-address-list=ddoser
add action=jump chain=input comment=detect_DDoS connection-state=new \
    jump-target=detect_DDoS
add action=return chain=detect_DDoS dst-limit=\
    128,128,src-and-dst-addresses/20s src-address-list=!ALL_INT_MGMT
add action=return chain=detect_DDoS src-address-list=ALL_INT_MGMT
add action=add-dst-to-address-list address-list=ddosed address-list-timeout=\
    30m chain=detect_DDoS
add action=add-src-to-address-list address-list=ddoser address-list-timeout=\
    30m chain=detect_DDoS
add action=add-src-to-address-list address-list=BruteForceTemp \
    address-list-timeout=1m chain=input comment=\
    "Erkenne Brute-Force (Phase 1)" connection-state=new dst-port=45131,8291 \
    protocol=tcp
add action=add-src-to-address-list address-list=BlackList \
    address-list-timeout=1d chain=input comment=\
    "Blockiere Brute-Force (Phase 2)" connection-state=new dst-port=\
    45131,8291 protocol=tcp src-address-list=BruteForceTemp
add action=drop chain=input comment="Blockiere Zugriff von BlackList" \
    src-address-list=BlackList
add action=accept chain=input comment=\
    "Erlaube Management-Zugriff nur von MGMT" dst-port=45131,8291 protocol=\
    tcp src-address-list=MGMT
add action=drop chain=input comment=\
    "Blockiere Management-Zugriff von anderen Netzwerken" dst-port=45131,8291 \
    protocol=tcp
add action=accept chain=input comment=Accept_Est_und_Rel connection-state=\
    established,related
add action=accept chain=input comment=Wireguard dst-port=53239,40231 \
    in-interface-list=WAN protocol=udp
add action=accept chain=input comment=IPsec-ESP protocol=ipsec-esp
add action=accept chain=input comment=L2TP dst-port=500,4500 protocol=udp
add action=accept chain=input comment=SNMP dst-port=161 protocol=udp \
    src-address-list=MGMT
add action=accept chain=input comment=HTTPS_ROUTER_Intern dst-port=1449 \
    protocol=tcp src-address-list=MGMT
add action=accept chain=input comment=Accept_DNS dst-port=53 \
    in-interface-list=!WAN log=yes log-prefix=DNS protocol=udp \
    src-address-list=ALL_INT_MGMT
add action=accept chain=input comment=CAPsMAN_localhost dst-address=127.0.0.1
add action=drop chain=input comment=Drop_Invalid connection-state=invalid
add action=drop chain=input comment=Drop_Rest_all
add action=accept chain=forward comment=\
    "WireGuard-VPN -> VLAN_100 | Network access" dst-address=!192.168.85.0/24 \
    in-interface=WIREGUARD_VPN01 out-interface=VLAN_100
add action=accept chain=forward comment=\
    "WireGuard-VPN TEST | alle VLAN Network access" dst-address=!10.10.9.0/24 \
    in-interface=WIREGUARD_TEST out-interface=all-vlan
add action=accept chain=forward comment=Accept_Remote_to_Company \
    dst-address-list=COMPANY src-address-list=REMOTE
add action=accept chain=forward comment=Accept_Remote_to_Company \
    dst-address-list=DMZ src-address-list=MGMT
add action=accept chain=forward comment=Accept_Remote_to_Company \
    dst-address-list=COMPANY src-address-list=MGMT
add action=drop chain=forward comment=Drop_IOT_to_Company dst-address-list=\
    COMPANY src-address-list=IOT
add action=drop chain=forward comment=Drop_IOT_to_Company dst-address-list=\
    DMZ src-address-list=IOT
add action=accept chain=forward comment=Accept_Est_und_Rel connection-state=\
    established,related
add action=accept chain=forward comment=Phone dst-port=5060 protocol=tcp
add action=accept chain=forward comment=Phone dst-port=5060 protocol=udp
add action=accept chain=forward comment=Phone dst-port=5061 protocol=tcp
add action=accept chain=forward comment=Phone dst-port=10000-13239 protocol=\
    udp
add action=drop chain=forward comment=Only_Internet out-interface-list=!WAN \
    src-address-list=PRODUCTION
add action=drop chain=forward comment=GUEST_ONLY_INTERNET dst-port=!80,443 \
    out-interface-list=!WAN protocol=tcp src-address-list=GUEST
add action=drop chain=forward comment=NO_INTERNET out-interface-list=WAN \
    src-address-list=OFFLINE
add action=drop chain=forward comment=Drop_Invalid connection-state=invalid
add action=drop chain=forward comment=Drop_Rest_all
add action=return chain=detect_DDoS dst-limit=\
    128,128,src-and-dst-addresses/20s src-address-list=!ALL_INT_MGMT
add action=return chain=detect_DDoS src-address-list=ALL_INT_MGMT
add action=add-dst-to-address-list address-list=ddosed address-list-timeout=\
    30m chain=detect_DDoS
add action=add-src-to-address-list address-list=ddoser address-list-timeout=\
    30m chain=detect_DDoS
add action=accept chain=input comment=\
    "Allow existing and related connections" connection-state=\
    established,related
add action=drop chain=input comment="Block invalid connections" \
    connection-state=invalid
add action=accept chain=input comment="Allow ICMP (Ping)" protocol=icmp
add action=drop chain=input comment="Block everything else from WAN" \
    in-interface-list=WAN
/ip firewall nat
add action=dst-nat chain=dstnat dst-port=5060 in-interface=WAN1 log=yes \
    protocol=tcp to-addresses=192.168.9.20 to-ports=5060
add action=dst-nat chain=dstnat dst-port=5060 in-interface=WAN1 log=yes \
    protocol=udp to-addresses=192.168.9.20 to-ports=5060
add action=dst-nat chain=dstnat dst-port=10000-13238 in-interface=WAN1 log=\
    yes protocol=udp to-addresses=192.168.9.20 to-ports=10000-13238
add action=dst-nat chain=dstnat dst-port=5061 in-interface=WAN1 log=yes \
    protocol=tcp to-addresses=192.168.9.20 to-ports=5061
add action=masquerade chain=srcnat comment=DSL out-interface=WAN1
add action=masquerade chain=srcnat comment="DSL Backup" out-interface=WAN2
add action=masquerade chain=srcnat comment="LTE Backup" out-interface=WAN3
/ip firewall raw
add action=add-src-to-address-list address-list=DDoSTemp \
    address-list-timeout=1m chain=prerouting comment=\
    "Erkenne potenzielle DDoS-Angriffe (SYN Flood)" protocol=tcp \
    src-address-list=!ALL_INT_MGMT tcp-flags=syn
add action=drop chain=prerouting comment="Blockiere DDoS-Verdächtige" \
    src-address-list=DDoSTemp
/ip firewall service-port
set sip disabled=yes
/ip route
add disabled=no distance=1 dst-address=192.168.254.0/24 gateway=\
    WIREGUARD_TEST routing-table=main scope=10 suppress-hw-offload=no
add disabled=no distance=1 dst-address=192.168.249.0/24 gateway=\
    WIREGUARD_TEST pref-src="" routing-table=main scope=10 \
    suppress-hw-offload=no target-scope=10
add disabled=no distance=1 dst-address=192.168.155.0/24 gateway=\
    WIREGUARD_TEST pref-src="" routing-table=main scope=10 \
    suppress-hw-offload=no target-scope=10
add disabled=no dst-address=188.144.0.0/15 gateway=192.168.9.3 routing-table=\
    main suppress-hw-offload=no
/ip service
set telnet disabled=yes
set ftp disabled=yes
set www disabled=yes
set ssh port=45131
set www-ssl disabled=no port=1455
set api disabled=yes
/ip ssh
set forwarding-enabled=both host-key-size=4096 strong-crypto=yes
/radius
add address=10.99.254.1 service=login
/snmp
set contact="<mikrotik@test.com>" enabled=yes trap-community=snmpv3TEST \
    trap-version=3
/system clock
set time-zone-name=Europe/Berlin
/system identity
set name=ROUTER
/system note
set note="Authorized Administrators only. Access to this d\
    evice is monitored." show-at-login=no
/system ntp client
set enabled=yes
/system ntp client servers
add address=1.de.pool.ntp.org
add address=2.de.pool.ntp.org
add address=3.de.pool.ntp.org
/system routerboard settings
set auto-upgrade=yes silent-boot=yes
/system scheduler
add name=schedule1 on-event="/system routerboard :if ( [get current-firmware] \
    != [get upgrade-firmware] ) do={ /system reboot }" policy=\
    ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon \
    start-time=startup
add interval=1w name=Backup on-event=Backup policy=\
    ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon \
    start-date=1970-01-01 start-time=00:00:00
/system watchdog
set automatic-supout=no ping-start-after-boot=1w watchdog-timer=no
/tool bandwidth-server
set enabled=no
/tool romon
set enabled=yes
/user aaa
set interim-update=5m use-radius=yes
/user settings
set minimum-categories=3 minimum-password-length=8
/user-manager
set certificate=*0
/user-manager router
add address=10.99.1.251 name=ROUTER
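To check a claim like "port 53 is reachable from WAN" against the input chain in the export above without a router, here is an added Python walk of that chain (example code written for this thread, not RouterOS or the poster's configuration). The rule excerpt, address lists and test addresses are constructed from the export, and only the five matchers those rules use are modelled; rules with other matchers (the DDoS jump, the brute-force counters) are deliberately left out.

```python
"""Walk a RouterOS /ip firewall filter chain for a synthetic packet.

Added example for this thread, not RouterOS or the poster's code. It models
only the matchers the posted input chain actually uses (protocol, dst-port,
in-interface-list, src-address-list, connection-state), enough to answer
"which rule terminates a UDP/53 packet arriving on WAN?" without a router.
"""
import ipaddress
import shlex

# Constructed excerpt of the input chain from the export above: same matchers,
# same order; the DDoS jump and brute-force counter rules are left out because
# their matchers (dst-limit, address-list timeouts) are not modelled here.
EXPORT = """
add action=accept chain=input comment=Accept_Est_und_Rel connection-state=established,related
add action=accept chain=input comment=Wireguard dst-port=53239,40231 in-interface-list=WAN protocol=udp
add action=accept chain=input comment=L2TP dst-port=500,4500 protocol=udp
add action=accept chain=input comment=SNMP dst-port=161 protocol=udp src-address-list=MGMT
add action=accept chain=input comment=Accept_DNS dst-port=53 in-interface-list=!WAN protocol=udp src-address-list=ALL_INT_MGMT
add action=drop chain=input comment=Drop_Invalid connection-state=invalid
add action=drop chain=input comment=Drop_Rest_all
"""

# Constructed subset of the address lists in the export.
ADDRESS_LISTS = {
    "MGMT": ["192.168.254.0/24", "10.10.9.0/24"],
    "ALL_INT_MGMT": ["10.10.9.0/24", "10.99.9.0/24", "192.168.9.0/24"],
}

# Keys on a rule that are not packet matchers.
NON_MATCHERS = {"action", "chain", "comment", "log", "log-prefix", "jump-target"}


def parse_export(text):
    """Turn 'add key=value ...' lines into dicts; shlex keeps quoted comments intact."""
    rules = []
    for line in text.strip().splitlines():
        tokens = shlex.split(line)
        if tokens and tokens[0] == "add":
            rules.append(dict(tok.partition("=")[::2] for tok in tokens[1:]))
    return rules


def _port_match(spec, port):
    """dst-port accepts a comma list of single ports and lo-hi ranges."""
    for part in spec.split(","):
        lo, _, hi = part.partition("-")
        if int(lo) <= port <= int(hi or lo):
            return True
    return False


def _in_list(name, addr, lists):
    return any(addr in ipaddress.ip_network(net) for net in lists.get(name, []))


def rule_matches(rule, pkt, lists):
    """True when every matcher on the rule matches; a leading '!' inverts a matcher."""
    for key, raw in rule.items():
        if key in NON_MATCHERS:
            continue
        negated = raw.startswith("!")
        value = raw[1:] if negated else raw
        if key == "protocol":
            hit = pkt["protocol"] == value
        elif key == "dst-port":
            hit = _port_match(value, pkt["dst_port"])
        elif key == "in-interface-list":
            hit = value in pkt["in_interface_lists"]
        elif key == "src-address-list":
            hit = _in_list(value, pkt["src"], lists)
        elif key == "connection-state":
            hit = pkt["connection_state"] in value.split(",")
        else:
            raise NotImplementedError(f"matcher {key!r} is not modelled")
        if hit == negated:  # plain matcher missed, or negated matcher hit
            return False
    return True


def verdict(rules, pkt, lists, chain="input"):
    """(action, comment) of the first terminating rule in `chain`, or ('none', '') on fall-through."""
    for rule in rules:
        if rule.get("chain") != chain or not rule_matches(rule, pkt, lists):
            continue
        if rule["action"] in ("accept", "drop", "reject"):
            return rule["action"], rule.get("comment", "")
    return "none", ""


def make_packet(src, in_lists, protocol, dst_port, state="new"):
    """Constructed packet: source IP, interface lists of the ingress port, L4 protocol and port."""
    return {"src": ipaddress.ip_address(src), "in_interface_lists": set(in_lists),
            "protocol": protocol, "dst_port": dst_port, "connection_state": state}


if __name__ == "__main__":
    rules = parse_export(EXPORT)
    # A new DNS query from the Internet (203.0.113.7 is a documentation address).
    print("WAN  -> udp/53:", verdict(rules, make_packet("203.0.113.7", {"WAN"}, "udp", 53), ADDRESS_LISTS))
    # The same query from a host on the COMPANY VLAN.
    print("VLAN -> udp/53:", verdict(rules, make_packet("192.168.9.50", {"VLAN"}, "udp", 53), ADDRESS_LISTS))
```

A verdict of `("none", "")` for a WAN packet would mean the chain has no final drop and deserves a look; the excerpt above ends in Drop_Rest_all, so WAN DNS is dropped there.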
 
dima1002
Member Candidate
Topic Author
Posts: 157
Joined: Fri Jan 26, 2018 8:40 pm

Re: Firewall - DNS Open? - Urgent

Sun Dec 03, 2023 8:48 pm

Your three wans, in IP DHCP CLIENT did you enable default routes and if so did you put any script in there..........??

Right now there is no way to determine how you setup the WANs in terms of priority..........??
I have a modem in front of it with a DHCP server, which is on Exposed Host.
I have now adjusted the priority in the DHCP client. That would be ok, right?

/ip dhcp client
add comment=DSL interface=WAN1
add comment="BACKUP DSL" default-route-distance=10 interface=WAN2
add comment="LTE BACKUP" default-route-distance=20 interface=WAN3
 
dima1002
Member Candidate
Topic Author
Posts: 157
Joined: Fri Jan 26, 2018 8:40 pm

Re: Firewall - DNS Open? - Urgent

Sun Dec 03, 2023 8:50 pm

The network 188.144.0.0/15 can only be reached via gateway 192.168.9.3. But that was just a test. It's actually not needed in my configuration and I just deleted it. Thanks for the tip.
 
anav
Forum Guru
Posts: 18696
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Firewall - DNS Open? - Urgent

Mon Dec 04, 2023 2:00 am

If it's disabled in the config, I delete it when looking at it....... KISS
I delete all capsman config entries for easier viewing, now the config is looking smaller LOL

No problem for queues, I worked around that so you can use fasttrack for everything else.........

You forgot to add additional vlans to LAN interface list.........
Last edited by anav on Mon Dec 04, 2023 2:14 am, edited 1 time in total.
 
anav
Forum Guru
Posts: 18696
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Firewall - DNS Open? - Urgent

Mon Dec 04, 2023 2:11 am

You really need to explain your wireguard setup. IT'S STILL WRONG!!!
Where is the server for VPN01 for the handshake? If not this router, then this router is the client for the handshake?
Where is the server for MGMT for the handshake? If not this router, then this router is the client for the handshake?

Server Device does not have endpoint or keep alive in allowed IPs......................
Server Device refers to each client peers' wireguard input allowed address via X/32
Server Device needs an input chain rule to accept incoming wireguard handshakes

Client Device refers to server peer as 0/24 for wireguard input allowed address
Client device needs to put endpoint port and port pointing to server device and needs keep alive setting!!
 
anav
Forum Guru
Posts: 18696
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Firewall - DNS Open? - Urgent

Mon Dec 04, 2023 2:14 am

Once you provide the details on wireguard I will send an updated config, that gets rid of all the crap..............
 
dima1002
Member Candidate
Topic Author
Posts: 157
Joined: Fri Jan 26, 2018 8:40 pm

Re: Firewall - DNS Open? - Urgent

Sat Dec 09, 2023 6:42 pm

Is it better like this now?
# 2023-12-09 16:57:27 by RouterOS 7.12.1
# software id = HD12-GV43
#
# model = CCR2004-16G-2S+
/caps-man channel
add band=5ghz-n/ac control-channel-width=20mhz frequency="" name=\
    5Ghz-Channels skip-dfs-channels=yes
add band=2ghz-g/n control-channel-width=20mhz extension-channel=disabled \
    frequency=2412,2437,2462 name=2.4Ghz-Channels
/interface bridge
add name=BRIDGE priority=0x7000 vlan-filtering=yes
/interface ethernet
set [ find default-name=ether1 ] name=WAN1
set [ find default-name=ether2 ] name=WAN2
set [ find default-name=ether3 ] name=WAN3
/interface wireguard
add comment="MGMT VPN" listen-port=40231 mtu=1420 name=WIREGUARD_IT
add comment="VPN to 2nd customer location" listen-port=53239 mtu=1420 name=\
    WIREGUARD_VPN01
/interface vlan
add comment=MGT interface=BRIDGE name=VLAN_99 vlan-id=99
add comment=COMPANY interface=BRIDGE name=VLAN_100 vlan-id=100
add comment=GUEST interface=BRIDGE name=VLAN_200 vlan-id=200
add comment=DMZ interface=BRIDGE name=VLAN_300 vlan-id=300
add comment=HOTSPOT interface=BRIDGE name=VLAN_400 vlan-id=400
add comment=PRIVAT interface=BRIDGE name=VLAN_500 vlan-id=500
add comment=LTE interface=BRIDGE name=VLAN_600 vlan-id=600
add comment=BACKUP01 interface=BRIDGE name=VLAN_700 vlan-id=700
add comment=BACKUP02 interface=BRIDGE name=VLAN_800 vlan-id=800
add comment=PHONE interface=BRIDGE name=VLAN_900 vlan-id=900
add comment=IOT interface=BRIDGE name=VLAN_1000 vlan-id=1000
add comment=PRINTER interface=BRIDGE name=VLAN_1100 vlan-id=1100
add comment=SONOS interface=BRIDGE name=VLAN_1200 vlan-id=1200
add comment=CAMERA interface=BRIDGE name=VLAN_1300 vlan-id=1300
add comment=PRODUCTION interface=BRIDGE name=VLAN_1400 vlan-id=1400
add comment=SERVER interface=BRIDGE name=VLAN_1500 vlan-id=1500
/caps-man datapath
add bridge=BRIDGE client-to-client-forwarding=yes local-forwarding=no name=\
    COMPANY vlan-id=100 vlan-mode=use-tag
add bridge=BRIDGE client-to-client-forwarding=no comment=GUEST \
    local-forwarding=no name=GAST vlan-id=200 vlan-mode=use-tag
add bridge=BRIDGE client-to-client-forwarding=no local-forwarding=no name=\
    HOTSPOT vlan-id=400 vlan-mode=use-tag
add bridge=BRIDGE client-to-client-forwarding=yes local-forwarding=no name=\
    PRIVAT vlan-id=500 vlan-mode=use-tag
/caps-man security
add authentication-types=wpa2-psk encryption=aes-ccm name=COMPANY
add authentication-types=wpa2-psk encryption=aes-ccm name=GUEST
add authentication-types=wpa2-psk encryption=aes-ccm name=HOTSPOT
add authentication-types=wpa2-psk encryption=aes-ccm name=PRIVAT
/caps-man configuration
add channel=2.4Ghz-Channels country=etsi datapath=COMPANY installation=indoor \
    mode=ap name=COMPANY2GHZ security=COMPANY ssid=COMPANY
add channel=5Ghz-Channels country=etsi datapath=COMPANY installation=indoor \
    mode=ap name=COMPANY5GHZ security=COMPANY ssid=COMPANY
add channel=2.4Ghz-Channels country=etsi datapath=GAST installation=indoor \
    mode=ap name=GUEST2GHZ security=GUEST ssid=GUEST
add channel=5Ghz-Channels country=etsi datapath=GAST installation=indoor \
    mode=ap name=GUEST5GHZ security=GUEST ssid=GUEST
add channel=2.4Ghz-Channels country=etsi datapath=HOTSPOT installation=indoor \
    mode=ap name=HOTSPOT2GHZ security=HOTSPOT ssid=HOTSPOT
add channel=5Ghz-Channels country=etsi datapath=HOTSPOT installation=indoor \
    mode=ap name=HOTSPOT5GHZ security=HOTSPOT ssid=HOTSPOT
add channel=2.4Ghz-Channels country=etsi datapath=PRIVAT installation=indoor \
    mode=ap name=PRIVATE2GHZ security=PRIVAT ssid=PRIVATE
add channel=5Ghz-Channels country=etsi datapath=PRIVAT installation=indoor \
    mode=ap name=PRIVATE5GHZ security=PRIVAT ssid=PRIVATE
/interface list
add name=VLAN
add name=LAN
add name=WAN
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip pool
add name=MGT ranges=10.99.9.100-10.99.9.253
add name=COMPANY ranges=192.168.9.20-192.168.9.250
add name=GUEST ranges=10.178.1.200-10.178.1.253
add name=DMZ ranges=10.178.2.200-10.178.2.253
add name=HOTSPOT ranges=10.178.3.200-10.178.3.253
add name=LTE ranges=10.178.5.200-10.178.5.253
add name=BACKUP01 ranges=10.178.6.200-10.178.6.253
add name=BACKUP02 ranges=10.178.7.200-10.178.7.253
add name=PHONE ranges=10.178.8.100-10.178.8.253
add name=IOT ranges=10.178.9.100-10.178.9.253
add name=PRIVATE ranges=10.178.4.200-10.178.4.253
add name=SONOS ranges=10.178.11.100-10.178.11.253
add name=CAMERA ranges=10.178.12.200-10.178.12.253
add name=SERVER ranges=10.178.14.1-10.178.14.20
add name=PRINTER ranges=10.178.10.100-10.178.10.253
add name=PRODUCTION ranges=10.178.13.200-10.178.13.253
/ip dhcp-server
add address-pool=MGT interface=VLAN_99 lease-time=1w10m name=MGT
add address-pool=COMPANY interface=VLAN_100 lease-time=1w10m name=COMPANY
add address-pool=GUEST interface=VLAN_200 lease-time=1h name=GUEST
add address-pool=DMZ interface=VLAN_300 lease-time=1d10m name=DMZ
add address-pool=HOTSPOT interface=VLAN_400 lease-time=1d10m name=HOTSPOT
add address-pool=PRIVATE interface=VLAN_500 lease-time=1d10m name=PRIVAT
add address-pool=LTE interface=VLAN_600 lease-time=1d10m name=LTE
add address-pool=BACKUP01 interface=VLAN_700 lease-time=1d10m name=BACKUP01
add address-pool=BACKUP02 interface=VLAN_800 lease-time=1d10m name=BACKUP02
add address-pool=PHONE interface=VLAN_900 lease-time=1d10m name=PHONE
add address-pool=IOT interface=VLAN_1000 lease-time=1d10m name=IOT
add address-pool=PRODUCTION interface=VLAN_1400 lease-time=1d30m name=\
    PRODUCTION
add address-pool=PRINTER interface=VLAN_1100 lease-time=1d10m name=PRINTER
add address-pool=SONOS interface=VLAN_1200 lease-time=1d30m name=SONOS
add address-pool=CAMERA interface=VLAN_1300 lease-time=1d30m name=CAMERA
add address-pool=SERVER interface=VLAN_1500 lease-time=1d30m name=SERVER
/port
set 0 name=serial0
set 1 name=serial1
/queue simple
add max-limit=8M/8M name=queue-guest target=10.178.1.0/24
add max-limit=8M/8M name=queue-phone priority=1/1 target=10.178.8.0/24
/snmp community
add addresses=192.168.254.0/24,10.16.0.0/16,10.99.0.0/16,10.10.9.0/24 \
    authentication-protocol=SHA1 encryption-protocol=AES name=snmpv3DIM \
    security=private
/user-manager user
add attributes=\
    Tunnel-Medium-Type:6,Tunnel-Private-Group-ID:300,Tunnel-Type:13 comment=\
    Macbook disabled=yes name=22:E0:4C:A4:91:76
add attributes=Tunnel-Medium-Type:6,Tunnel-Private-Group-ID:99,Tunnel-Type:13 \
    comment=Kamera disabled=yes name=EC:71:DB:EA:51:FD
add attributes=\
    Tunnel-Medium-Type:6,Tunnel-Private-Group-ID:100,Tunnel-Type:13 comment=\
    TV disabled=yes name=7C:0A:3F:FB:B6:2A
/caps-man access-list
add action=reject allow-signal-out-of-range=10s disabled=no interface=all \
    signal-range=-115..-76 ssid-regexp=""
add action=accept allow-signal-out-of-range=10s disabled=no interface=all \
    signal-range=-75..115 ssid-regexp=""
/caps-man manager
set ca-certificate=auto certificate=auto package-path=/
/caps-man provisioning
add action=create-dynamic-enabled hw-supported-modes=gn master-configuration=\
    COMPANY2GHZ name-format=prefix-identity slave-configurations=\
    GUEST2GHZ,PRIVATE2GHZ,HOTSPOT2GHZ
add action=create-dynamic-enabled hw-supported-modes=an master-configuration=\
    COMPANY5GHZ name-format=prefix-identity slave-configurations=\
    GUEST5GHZ,PRIVATE5GHZ,HOTSPOT5GHZ
/interface bridge port
add bridge=BRIDGE frame-types=admit-only-vlan-tagged interface=ether5
add bridge=BRIDGE frame-types=admit-only-vlan-tagged interface=ether6
add bridge=BRIDGE frame-types=admit-only-vlan-tagged interface=ether7
add bridge=BRIDGE frame-types=admit-only-vlan-tagged interface=ether8
add bridge=BRIDGE interface=sfp-sfpplus1
/interface list member
add comment=DSL interface=WAN1 list=WAN
add comment="DSL Backup" interface=WAN2 list=WAN
add interface=VLAN_99 list=VLAN
add interface=VLAN_100 list=VLAN
add interface=VLAN_200 list=VLAN
add interface=VLAN_300 list=VLAN
add interface=VLAN_400 list=VLAN
add interface=VLAN_500 list=VLAN
add interface=VLAN_600 list=VLAN
add interface=VLAN_700 list=VLAN
add interface=VLAN_800 list=VLAN
add interface=VLAN_900 list=VLAN
add interface=VLAN_1000 list=VLAN
add comment="LTE Backup" interface=WAN3 list=WAN
add interface=WIREGUARD_VPN01 list=VLAN
/interface wireguard peers
add allowed-address=192.168.10.0/24 comment=\
    "2nd Customer Location - Site to Site" endpoint-address=vpn.test.com \
    endpoint-port=40230 interface=WIREGUARD_VPN01 preshared-key=\
    "sEdtukyjV6trT5T9+gDkoWyF4zo/h4deo5JAHtrtV2U=" public-key=\
    "BnZ146qo6tS+n9elKeqToC5cmXjfGU7AaN6MHwCZjU0="
add allowed-address=192.168.155.0/24,10.99.9.0/24 comment=\
    "MGMT VPN- Site to Site" endpoint-address=vpn.test2.com endpoint-port=\
    40231 interface=WIREGUARD_IT preshared-key=\
    "WLgn1zNC8WPWYidLmPK35ncxJcHmBrfG+qYwoQtxYkY=" public-key=\
    "XREJdyp/MYXh57rtaOsWU8a/mLXdoTc953D39TIvWk0="
add allowed-address=192.168.85.252/32 comment="Employees - home office - VPN" \
    interface=WIREGUARD_VPN01 persistent-keepalive=25s preshared-key=\
    "kKjyGKS7+/JVBS0DQgttuK50iZ+PbmJ1Pmt6w2ry6EU=" public-key=\
    "CnZ146qo6tS+n9elKeqToC5cmXjfGU7AaN6MHwCZjU0="
/ip address
add address=10.99.9.254/24 comment=MGMT interface=VLAN_99 network=10.99.9.0
add address=192.168.9.1/24 comment=COMPANY interface=VLAN_100 network=\
    192.168.9.0
add address=10.178.1.254/24 comment=GUEST interface=VLAN_200 network=\
    10.178.1.0
add address=10.178.2.254/24 comment=DMZ interface=VLAN_300 network=10.178.2.0
add address=10.178.3.254/24 comment=HOTSPOT interface=VLAN_400 network=\
    10.178.3.0
add address=10.178.4.254/24 comment=PRIVATE interface=VLAN_500 network=\
    10.178.4.0
add address=10.178.5.254/24 comment=LTE interface=VLAN_600 network=10.178.5.0
add address=10.178.6.254/24 comment=BACKUP01 interface=VLAN_700 network=\
    10.178.6.0
add address=10.178.7.254/24 comment=BACKUP02 interface=VLAN_800 network=\
    10.178.7.0
add address=10.178.8.254/24 comment=PHONE interface=VLAN_900 network=\
    10.178.8.0
add address=10.178.9.254/24 comment=IOT interface=VLAN_1000 network=\
    10.178.9.0
add address=192.168.85.254/24 interface=WIREGUARD_VPN01 network=192.168.85.0
add address=10.10.9.9/24 interface=WIREGUARD_IT network=10.10.9.0
add address=10.178.10.254/24 comment=PRINTER interface=VLAN_1100 network=\
    10.178.10.0
add address=10.178.11.254/24 comment=SONOS interface=VLAN_1200 network=\
    10.178.11.0
add address=10.178.12.254/24 comment=CAMERA interface=VLAN_1300 network=\
    10.178.12.0
add address=10.178.13.254/24 comment=PRODUCTION interface=VLAN_1400 network=\
    10.178.13.0
add address=10.178.14.254/24 comment=SERVER interface=VLAN_1500 network=\
    10.178.14.0
/ip cloud
set ddns-enabled=yes ddns-update-interval=1m
/ip dhcp-client
add comment=DSL interface=WAN1
add comment="BACKUP DSL" default-route-distance=10 interface=WAN2
add comment="LTE BACKUP" default-route-distance=20 interface=WAN3
/ip dhcp-server network
add address=10.99.9.0/24 comment=VLAN99_MGMT dns-server=10.99.9.254 gateway=\
    10.99.9.254
add address=10.178.1.0/24 comment=VLAN200_GUEST_WITH_OPENDNS dns-server=\
    208.67.222.123,208.67.220.123 gateway=10.178.1.254
add address=10.178.2.0/24 comment=VLAN300_DMZ dns-server=10.178.2.254 \
    gateway=10.178.2.254
add address=10.178.3.0/24 comment=VLAN400_HOTSPOT dns-server=10.178.3.254 \
    gateway=10.178.3.254
add address=10.178.4.0/24 comment=VLAN500_PRIVATE dns-server=10.178.4.254 \
    gateway=10.178.4.254
add address=10.178.5.0/24 comment=VLAN600_LTE dns-server=10.178.5.254 \
    gateway=10.178.5.254
add address=10.178.6.0/24 comment=VLAN700_BACKUP01 dns-server=10.178.6.254 \
    gateway=10.178.6.254
add address=10.178.7.0/24 comment=VLAN800_BACKUP02 dns-server=10.178.7.254 \
    gateway=10.178.7.254
add address=10.178.8.0/24 comment=VLAN900_PHONE dns-server=10.178.8.254 \
    gateway=10.178.8.254
add address=10.178.9.0/24 comment=VLAN1000_IOT dns-server=8.8.8.8 gateway=\
    10.178.9.254
add address=10.178.10.0/24 comment=VLAN1100_PRINTER dns-server=8.8.8.8 \
    gateway=10.178.10.254
add address=10.178.11.0/24 comment=VLAN1200_SONOS dns-server=8.8.8.8 gateway=\
    10.178.11.254
add address=10.178.12.0/24 comment=VLAN1300_CAMERA dns-server=8.8.8.8 \
    gateway=10.178.12.254
add address=10.178.13.0/24 comment=VLAN1400_PRODUCTION dns-server=\
    10.178.13.254 gateway=10.178.13.254
add address=10.178.14.0/24 comment=VLAN1500_SERVER dns-server=10.178.14.254 \
    gateway=10.178.14.254
add address=192.168.9.0/24 comment=VLAN100_COMPANY dns-server=192.168.9.5 \
    domain=test.local gateway=192.168.9.1
/ip dns
set allow-remote-requests=yes
/ip firewall address-list
add comment="Black List (SSH)" list="Black List (SSH)"
add comment="Black List (Winbox)" list="Black List (Winbox)"
add comment="Black List (Port Scanner WAN)" list=\
    "Black List (Port Scanner WAN)"
add comment="Black List (Port Scanner LAN)" list=\
    "Black List (Port Scanner LAN)"
add address=m.ittest.de list=MGMT
add address=vpn.ittest.de list=MGMT
add address=192.168.254.0/24 list=MGMT
add address=192.168.155.0/24 list=MGMT
add address=192.168.9.0/24 list=COMPANY
add address=10.178.9.0/24 list=IOT
add address=192.168.44.0/24 list=PRODUCTION
add address=10.178.1.0/24 list=GUEST
add address=192.168.9.10 list=OFFLINE
add address=127.0.0.1 list=FIREWALL
add address=192.168.85.0/24 list=REMOTE
add address=10.10.9.0/24 list=MGMT
add address=10.178.2.0/24 list=OFFLINE
add address=10.178.7.0/24 list=OFFLINE
add address=10.178.6.0/24 list=OFFLINE
add address=10.10.9.0/24 list=ALL_INT_MGMT
add address=10.99.9.0/24 list=ALL_INT_MGMT
add address=10.178.1.0/24 list=ALL_INT_MGMT
add address=10.178.2.0/24 list=ALL_INT_MGMT
add address=10.178.5.0/24 list=ALL_INT_MGMT
add address=10.178.6.0/24 list=ALL_INT_MGMT
add address=10.178.7.0/24 list=ALL_INT_MGMT
add address=192.168.9.0/24 list=ALL_INT_MGMT
add address=192.168.85.0/24 list=ALL_INT_MGMT
add address=10.178.8.10 comment="Telephone System" list=PHONE
add address=10.178.3.0/24 list=ALL_INT_MGMT
add address=10.178.4.0/24 list=ALL_INT_MGMT
add address=10.178.8.0/24 list=ALL_INT_MGMT
add address=10.178.9.0/24 list=ALL_INT_MGMT
add address=10.178.10.0/24 list=ALL_INT_MGMT
add address=10.178.11.0/24 list=ALL_INT_MGMT
add address=10.178.12.0/24 list=ALL_INT_MGMT
add address=10.178.13.0/24 list=ALL_INT_MGMT
add address=10.178.14.0/24 list=ALL_INT_MGMT
/ip firewall filter
add action=drop chain=input comment=Drop_detect_DDoS connection-state=new \
    dst-address-list=ddosed src-address-list=ddoser
add action=jump chain=input comment=detect_DDoS connection-state=new \
    jump-target=detect_DDoS
add action=return chain=detect_DDoS dst-limit=\
    128,128,src-and-dst-addresses/20s src-address-list=!ALL_INT_MGMT
add action=return chain=detect_DDoS src-address-list=ALL_INT_MGMT
add action=add-dst-to-address-list address-list=ddosed address-list-timeout=\
    30m chain=detect_DDoS
add action=add-src-to-address-list address-list=ddoser address-list-timeout=\
    30m chain=detect_DDoS
add action=add-src-to-address-list address-list=BruteForceTemp \
    address-list-timeout=1m chain=input comment=\
    "Erkenne Brute-Force (Phase 1)" connection-state=new dst-port=45131,8291 \
    protocol=tcp
add action=add-src-to-address-list address-list=BlackList \
    address-list-timeout=1d chain=input comment=\
    "Blockiere Brute-Force (Phase 2)" connection-state=new dst-port=\
    45131,8291 protocol=tcp src-address-list=BruteForceTemp
add action=drop chain=input comment="Blockiere Zugriff von BlackList" \
    src-address-list=BlackList
add action=accept chain=input comment=\
    "Erlaube Management-Zugriff nur von MGMT" dst-port=45131,8291 protocol=\
    tcp src-address-list=MGMT
add action=drop chain=input comment=\
    "Blockiere Management-Zugriff von anderen Netzwerken" dst-port=45131,8291 \
    protocol=tcp
add action=accept chain=input comment=Accept_Est_und_Rel connection-state=\
    established,related
add action=accept chain=input comment=Wireguard dst-port=53239,40231 \
    in-interface-list=WAN protocol=udp
add action=accept chain=input comment=IPsec-ESP protocol=ipsec-esp
add action=accept chain=input comment=L2TP dst-port=500,4500 protocol=udp
add action=accept chain=input comment=SNMP dst-port=161 protocol=udp \
    src-address-list=MGMT
add action=accept chain=input comment=HTTPS_ROUTER_Intern dst-port=1449 \
    protocol=tcp src-address-list=MGMT
add action=accept chain=input comment=Accept_DNS dst-port=53 \
    in-interface-list=!WAN log=yes log-prefix=DNS protocol=udp \
    src-address-list=ALL_INT_MGMT
add action=accept chain=input comment=CAPsMAN_localhost dst-address=127.0.0.1
add action=drop chain=input comment=Drop_Invalid connection-state=invalid
add action=drop chain=input comment=Drop_Rest_all
add action=accept chain=forward comment=\
    "WireGuard-VPN -> VLAN_100 | Network access" dst-address=!192.168.85.0/24 \
    in-interface=WIREGUARD_VPN01 out-interface=VLAN_100
add action=accept chain=forward comment=\
    "WireGuard-VPN TEST | alle VLAN Network access" dst-address=!10.10.9.0/24 \
    in-interface=WIREGUARD_IT out-interface=all-vlan
add action=accept chain=forward comment=Accept_Remote_to_Company \
    dst-address-list=COMPANY src-address-list=REMOTE
add action=accept chain=forward comment=Accept_Remote_to_Company \
    dst-address-list=DMZ src-address-list=MGMT
add action=accept chain=forward comment=Accept_Remote_to_Company \
    dst-address-list=COMPANY src-address-list=MGMT
add action=drop chain=forward comment=Drop_IOT_to_Company dst-address-list=\
    COMPANY src-address-list=IOT
add action=drop chain=forward comment=Drop_IOT_to_Company dst-address-list=\
    DMZ src-address-list=IOT
add action=accept chain=forward comment=Accept_Est_und_Rel connection-state=\
    established,related
add action=accept chain=forward comment=Phone dst-port=5060 protocol=tcp
add action=accept chain=forward comment=Phone dst-port=5060 protocol=udp
add action=accept chain=forward comment=Phone dst-port=5061 protocol=tcp
add action=accept chain=forward comment=Phone dst-port=10000-13239 protocol=\
    udp
add action=drop chain=forward comment=Only_Internet out-interface-list=!WAN \
    src-address-list=PRODUCTION
add action=drop chain=forward comment=GUEST_ONLY_INTERNET dst-port=!80,443 \
    out-interface-list=!WAN protocol=tcp src-address-list=GUEST
add action=drop chain=forward comment=NO_INTERNET out-interface-list=WAN \
    src-address-list=OFFLINE
add action=drop chain=forward comment=Drop_Invalid connection-state=invalid
add action=drop chain=forward comment=Drop_Rest_all
add action=return chain=detect_DDoS dst-limit=\
    128,128,src-and-dst-addresses/20s src-address-list=!ALL_INT_MGMT
add action=return chain=detect_DDoS src-address-list=ALL_INT_MGMT
add action=add-dst-to-address-list address-list=ddosed address-list-timeout=\
    30m chain=detect_DDoS
add action=add-src-to-address-list address-list=ddoser address-list-timeout=\
    30m chain=detect_DDoS
add action=accept chain=input comment=\
    "Allow existing and related connections" connection-state=\
    established,related
add action=drop chain=input comment="Block invalid connections" \
    connection-state=invalid
add action=accept chain=input comment="Allow ICMP (Ping)" protocol=icmp
add action=drop chain=input comment="Block everything else from WAN" \
    in-interface-list=WAN
/ip firewall nat
add action=dst-nat chain=dstnat dst-port=5060 in-interface=WAN1 log=yes \
    protocol=tcp to-addresses=192.168.9.20 to-ports=5060
add action=dst-nat chain=dstnat dst-port=5060 in-interface=WAN1 log=yes \
    protocol=udp to-addresses=192.168.9.20 to-ports=5060
add action=dst-nat chain=dstnat dst-port=10000-13238 in-interface=WAN1 log=\
    yes protocol=udp to-addresses=192.168.9.20 to-ports=10000-13238
add action=dst-nat chain=dstnat dst-port=5061 in-interface=WAN1 log=yes \
    protocol=tcp to-addresses=192.168.9.20 to-ports=5061
add action=masquerade chain=srcnat comment=DSL out-interface=WAN1
add action=masquerade chain=srcnat comment="DSL Backup" out-interface=WAN2
add action=masquerade chain=srcnat comment="LTE Backup" out-interface=WAN3
/ip firewall raw
add action=add-src-to-address-list address-list=DDoSTemp \
    address-list-timeout=1m chain=prerouting comment=\
    "Erkenne potenzielle DDoS-Angriffe (SYN Flood)" protocol=tcp \
    src-address-list=!ALL_INT_MGMT tcp-flags=syn
add action=drop chain=prerouting comment="Blockiere DDoS-Verdächtige" \
    src-address-list=DDoSTemp
/ip firewall service-port
set sip disabled=yes
/ip route
add disabled=no distance=1 dst-address=192.168.254.0/24 gateway=WIREGUARD_IT \
    routing-table=main scope=10 suppress-hw-offload=no
add disabled=no distance=1 dst-address=192.168.249.0/24 gateway=WIREGUARD_IT \
    pref-src="" routing-table=main scope=10 suppress-hw-offload=no \
    target-scope=10
add disabled=no distance=1 dst-address=192.168.155.0/24 gateway=WIREGUARD_IT \
    pref-src="" routing-table=main scope=10 suppress-hw-offload=no \
    target-scope=10
/ip service
set telnet disabled=yes
set ftp disabled=yes
set www disabled=yes
set ssh port=45131
set www-ssl disabled=no port=1455
set api disabled=yes
/ip ssh
set forwarding-enabled=both host-key-size=4096 strong-crypto=yes
/radius
add address=10.99.254.1 service=login
/snmp
set contact="TEST <mikrotik@test.de>" enabled=yes trap-community=snmpv3 \
    trap-version=3
/system clock
set time-zone-name=Europe/Berlin
/system identity
set name=TESTROUTER
/system note
set note="TEST- Authorized Administrators only. Access to this d\
    evice is monitored." show-at-login=no
/system ntp client
set enabled=yes
/system ntp client servers
add address=1.de.pool.ntp.org
add address=2.de.pool.ntp.org
add address=3.de.pool.ntp.org
/system routerboard settings
set auto-upgrade=yes silent-boot=yes
/system scheduler
add name=schedule1 on-event="/system routerboard :if ( [get current-firmware] \
    != [get upgrade-firmware] ) do={ /system reboot }" policy=\
    ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon \
    start-time=startup
add interval=1w name=Backup on-event=Backup policy=\
    ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon \
    start-date=1970-01-01 start-time=00:00:00
/system watchdog
set automatic-supout=no ping-start-after-boot=1w watchdog-timer=no
/tool bandwidth-server
set enabled=no
/tool romon
set enabled=yes
/user aaa
set interim-update=5m use-radius=yes
/user settings
set minimum-categories=3 minimum-password-length=8
/user-manager
set certificate=*0
/user-manager router
add address=10.99.1.251 name=TEST01SW01
 
anav
Forum Guru
Posts: 18696
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Firewall - DNS Open? - Urgent

Sat Dec 09, 2023 6:56 pm

For wireguard read this............
viewtopic.php?t=182340
 
dima1002
Member Candidate
Topic Author
Posts: 157
Joined: Fri Jan 26, 2018 8:40 pm

Re: Firewall - DNS Open? - Urgent

Sat Dec 09, 2023 7:21 pm

I feel like I already know it by heart. What do you want to say? or can you give a tip?
 
anav
Forum Guru
Posts: 18696
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Firewall - DNS Open? - Urgent

Sat Dec 09, 2023 9:38 pm

I asked you repeatedly for more details but you have not provided them. Posts #28/29, which follow on from the questions on WG in post #20.
 
dima1002
Member Candidate
Topic Author
Posts: 157
Joined: Fri Jan 26, 2018 8:40 pm

Re: Firewall - DNS Open? - Urgent

Sun Dec 10, 2023 12:08 pm

Oh, I didn't quite understand that. I hope this explains it better. Here is the whole configuration.

The WIREGUARD_IT01 = VPN from the customer to us, via site to site. There should be server and client on both sides.

Customer network: 10.178.4.0/24
Customer network MGMT: 10.99.9.0/24

Our network: 192.168.125.0/24
Our MGMT network: 10.99.0.0/24

We want to reach both networks from our network 192.168.125.0/24 (PC and server) and from our MGMT network 10.99.0.0/24. From the customer network, only the MGMT should reach us.

WIREGUARD_VPN01 = VPN from customer to 2nd location
Customer network at location 1 = 10.178.4.0/24
Customer network at location 2 = 192.168.10.0/24
Both site to site, and on each side there should be server and client.

Configuration from customer Location 1:
/interface wireguard
add comment="MGMT VPN Server-Client - Site-To-Site - Customer to us" listen-port=40231 mtu=1420 name=WIREGUARD_IT01
add comment="VPN Server-Client - Site-To-Site - 2. Location of Company - and dialing in the VPN for employees at location 1" listen-port=40230 mtu=1420 name=WIREGUARD_VPN01
/interface wireguard peers add allowed-address=192.168.10.0/24 comment="2nd Customer Location - Site to Site" endpoint-address=vpn.test.com endpoint-port=40230 interface=WIREGUARD_VPN01 persistent-keepalive=25s preshared-key="sEdtukyjV6trT5T9+gDkoWyF4zo/h4deo5JAHtrtV2U=" public-key="CnZ146qo6tS+n9elKeqToC5cmXjfGU7AaN6MHwCZjU0="
/interface wireguard peers add allowed-address=192.168.125.0/24 comment="MGMT VPN- Site to Site" endpoint-address=vpn.test2.com endpoint-port=40231 interface=WIREGUARD_IT01 persistent-keepalive=25s preshared-key="WLgn1zNC8WPWYidLmPK35ncxJcHmBrfG+qYwoQtxYkY=" public-key="AREJdyp/MYXh57rtaOsWU8a/mLXdoTc953D39TIvWk0="
/interface wireguard peers add allowed-address=192.168.85.252/32 comment="Employees - home office - VPN" interface=WIREGUARD_VPN01 preshared-key="kKjyGKS7+/JVBS0DQgttuK50iZ+PbmJ1Pmt6w2ry6EU=" public-key="Vn5146qo6tS+n9elKeqToC5cmXjfGU7AaN6MHwCZjU0="
Configuration e.g. from the customer, location 2:
/interface wireguard add name=WIREGUARD_VPN01 listen-port=40230 mtu=1420 private-key="<Private_Key_Kunde_Location2>"
/ip address add address=192.168.10.1/24 interface=WIREGUARD_VPN01
/interface wireguard peers add public-key="<Public_Key_Kunde_Location1>" allowed-address=10.178.4.0/24 endpoint-address="<Public_IP_von_Location1>" endpoint-port=40230 interface=WIREGUARD_VPN01 persistent-keepalive=25s
/interface wireguard peers add public-key="<Public_Key_Kunde_Location1>" allowed-address=10.178.4.0/24 endpoint-address="<Public_IP_von_Location1>" endpoint-port=40230 interface=WIREGUARD_VPN01 persistent-keepalive=25s
/ip firewall filter add chain=input action=accept protocol=udp port=40230 comment="Allow WireGuard location 2"
/ip route add dst-address=10.178.4.0/24 gateway=WIREGUARD_VPN01
Configuration from us to the customer at location 1:
/interface wireguard add name=WIREGUARD_IT01 listen-port=40231 mtu=1420 private-key="<Private_Key_Your_Location>"
/ip address add address=10.99.0.1/24 interface=WIREGUARD_IT01
/interface wireguard peers add public-key="<Public_Key_Kunde_Location1>" allowed-address=10.178.4.0/24,10.99.9.0/24 endpoint-address="<Public_IP_von_Kunde_Location1>" endpoint-port=40231 interface=WIREGUARD_IT01 persistent-keepalive=25s
/ip firewall filter add chain=input action=accept protocol=udp port=40231 comment="Allow WireGuard your location"
/ip route add dst-address=10.178.4.0/24 gateway=WIREGUARD_IT01
/ip route add dst-address=10.99.9.0/24 gateway=WIREGUARD_IT01
Employees in the home office as clients, with dial-in:
[Interface]
PrivateKey = <Private_Key_Windows_Client>
Address = 192.168.85.252/32
DNS = <DNS_IP_Address>

[Peer]
PublicKey = Vn5146qo6tS+n9elKeqToC5cmXjfGU7AaN6MHwCZjU0=
PresharedKey = kKjyGKS7+/JVBS0DQgttuK50iZ+PbmJ1Pmt6w2ry6EU=
AllowedIPs = 192.168.85.0/24, 10.178.4.0/24, 10.99.9.0/24
Endpoint = <Public_IP_of_WIREGUARD_VPN01>:40231
PersistentKeepalive = 25
 
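Two of the mistakes in the configuration above (one peer pasted twice on WIREGUARD_VPN01, and the home-office client dialling port 40231 while WIREGUARD_VPN01 listens on 40230) are mechanical enough to catch with a script. The checker below is an added example, not the poster's or MikroTik's code; it parses the `/interface wireguard` lines as pasted in this thread, and the SAMPLE text and placeholder keys are constructed for the example.

```python
import shlex
from ipaddress import ip_network

# Constructed sample modelled on the customer Location 1 / home-office config above
# (placeholder keys): VPN01 listens on 40230, one peer is pasted twice, client dials 40231.
SAMPLE = """\
/interface wireguard add name=WIREGUARD_VPN01 listen-port=40230 mtu=1420
/interface wireguard add name=WIREGUARD_IT01 listen-port=40231 mtu=1420
/interface wireguard peers add public-key="<Key_Loc2>" allowed-address=192.168.10.0/24 endpoint-port=40230 interface=WIREGUARD_VPN01
/interface wireguard peers add public-key="<Key_Loc2>" allowed-address=192.168.10.0/24 endpoint-port=40230 interface=WIREGUARD_VPN01
/interface wireguard peers add public-key="<Key_Client>" allowed-address=192.168.85.252/32 interface=WIREGUARD_VPN01
/interface wireguard peers add public-key="<Key_Us>" allowed-address=192.168.125.0/24 endpoint-port=40231 interface=WIREGUARD_IT01
"""
# (interface a remote client's [Peer] Endpoint points at, port that Endpoint dials)
CLIENT_ENDPOINTS = [("WIREGUARD_VPN01", 40231), ("WIREGUARD_IT01", 40231)]

def parse_routeros(text):
    """Split '/interface wireguard [peers] add k=v ...' lines into dicts."""
    interfaces, peers = {}, []
    for line in text.splitlines():
        tokens = shlex.split(line)          # honours quoted comment/key values
        if tokens[:3] == ["/interface", "wireguard", "add"]:
            kv = dict(t.split("=", 1) for t in tokens[3:] if "=" in t)
            interfaces[kv["name"]] = kv
        elif tokens[:4] == ["/interface", "wireguard", "peers", "add"]:
            peers.append(dict(t.split("=", 1) for t in tokens[4:] if "=" in t))
    return interfaces, peers

def check_wireguard(text, client_endpoints=()):
    """Return human-readable findings: duplicate peers, overlapping allowed-address, port mismatch."""
    interfaces, peers = parse_routeros(text)
    findings, unique, nets_by_iface = [], {}, {}
    for p in peers:
        key = (p["interface"], p["public-key"])
        if key in unique:                   # same public key twice on one interface
            findings.append(f"duplicate peer {key[1]} on {key[0]}")
            continue
        unique[key] = p
        # WireGuard's cryptokey routing gives each allowed IP to exactly one peer;
        # an overlap means one of the two peers silently loses that route.
        nets = [ip_network(a, strict=False) for a in p.get("allowed-address", "").split(",") if a]
        for other_key, other_nets in nets_by_iface.get(key[0], []):
            for a in nets:
                for b in other_nets:
                    if a.overlaps(b):
                        findings.append(f"{a} of {key[1]} overlaps {b} of {other_key} on {key[0]}")
        nets_by_iface.setdefault(key[0], []).append((key[1], nets))
    for iface, port in client_endpoints:
        listen = int(interfaces[iface]["listen-port"])
        if port != listen:                  # handshake never reaches this interface
            findings.append(f"client dials {iface} on {port} but it listens on {listen}")
    return findings

if __name__ == "__main__":
    print(*check_wireguard(SAMPLE, CLIENT_ENDPOINTS), sep="\n")
```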
anav
Forum Guru
Posts: 18696
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Firewall - DNS Open? - Urgent

Sun Dec 10, 2023 4:50 pm

This statement is problematic...........
dima1002 wrote:
The WIREGUARD_IT01 = VPN from the customer to us, via site to site. There should be server and client on both sides.

Should I assume you mean that the customers are clients connecting to your Wireguard Server?
The other site cannot be a client and server for the same wireguard network, in terms of the initial handshake (after handshake it's peer to peer).
 
anav
Forum Guru
Posts: 18696
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Firewall - DNS Open? - Urgent

Sun Dec 10, 2023 4:53 pm

You really need to provide a network diagram as the description is too confusing.
 
dima1002
Member Candidate
Topic Author
Posts: 157
Joined: Fri Jan 26, 2018 8:40 pm

Re: Firewall - DNS Open? - Urgent

Sun Dec 10, 2023 7:36 pm

anav wrote:
This statement is problematic...........
The WIREGUARD_IT01 = VPN from the customer to us, via site to site. There should be server and client on both sides.
Why shouldn't that work? With a site-to-site connection, both sides should be server and client so that everyone can initiate the VPN.
anav wrote:
Should I assume you mean that the customers are clients connecting to your Wireguard Server?
Yes, why not?
anav wrote:
The other site cannot be a client and server for the same wireguard network, in terms of the initial handshake (after handshake it's peer to peer).
Where do they have the same Wireguard network? If so, that was an oversight.
 
anav
Forum Guru
Posts: 18696
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Firewall - DNS Open? - Urgent

Sun Dec 10, 2023 8:06 pm

I need a diagram to make sense of what you're saying.........
 
dima1002
Member Candidate
Topic Author
Posts: 157
Joined: Fri Jan 26, 2018 8:40 pm

Re: Firewall - DNS Open? - Urgent

Sun Dec 10, 2023 9:47 pm

OK, you were right, there were really mistakes in there, but would that be correct?
[Attachment: Network_Wireguard.JPG]
Router 1 - WIREGUARD_VPN01:
/interface wireguard
add name=WIREGUARD_VPN01 listen-port=51820 private-key="aBCdefGhIJKlmNoPQRStuVWXyZ1234567890abcd="

/ip address
add address=192.168.80.254/24 interface=WIREGUARD_VPN01

/interface wireguard peers
add interface=WIREGUARD_VPN01 public-key="TUVwxyzABCDefGhijklMNOpqr2345678901stuVwX=" allowed-address=192.168.125.0/24 endpoint-address="vpn.test1.com" endpoint-port=51820 persistent-keepalive=25s
add interface=WIREGUARD_VPN01 public-key="YZabCDEfgHIjklMNOPQRstu2345678901vwXYZab=" allowed-address=192.168.10.0/24 endpoint-address="vpn.test3.com" endpoint-port=51820 persistent-keepalive=25s
Router 2 - WIREGUARD_IT01:
/interface wireguard
add name=WIREGUARD_IT01 listen-port=51820 private-key="bcDEfgHIJKLmnopQRStUVwxyzAB1234567890cde="

/ip address
add address=192.168.80.253/24 interface=WIREGUARD_IT01

/interface wireguard peers
add interface=WIREGUARD_IT01 public-key="MNOPQRSTUVwxyzABCDEfghij1234567890klmnOPQ=" allowed-address=10.178.4.0/24,10.99.9.0/24 endpoint-address="vpn.test1.com" endpoint-port=51820 persistent-keepalive=25s
Router 3 - WIREGUARD_VPN02:
/interface wireguard
add name=WIREGUARD_VPN02 listen-port=51820 private-key="fGHIJKLMNOPQRStuvWXyzABCDE1234567890fghijkl="

/ip address
add address=10.178.85.253/24 interface=WIREGUARD_VPN02

/interface wireguard peers
add interface=WIREGUARD_VPN02 public-key="stUVWXYZabcdefGHIJKLmnopqr1234567890stuvWXy=" allowed-address=10.178.4.0/24,10.99.9.0/24 endpoint-address="vpn.test1.com" endpoint-port=51820 persistent-keepalive=25s
Employees in the home office as clients, with dial-in:
[Interface]
PrivateKey = "AvDdfgHIrKLmnopERStUVwxyzAc1232561890cde="
Address = 192.168.85.252/32
DNS = 10.178.4.1

[Peer]
PublicKey = <Public_Key_Router1>
AllowedIPs = 10.178.4.0/24
Endpoint = vpn.test1.com:51820
PersistentKeepalive = 25
 
anav
Forum Guru
Posts: 18696
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Firewall - DNS Open? - Urgent

Sun Dec 10, 2023 11:16 pm

Okay got it,
The MAIN ROUTER acts as the server for handshakes on TWO separate wireguard networks.
It connects to two other routers acting as clients which initiate the handshake.

Once connected the wireguard network is established between routers, users from all devices behind the routers, should be able to connect to all other devices depending upon configuration as designed by the admin. Once connected, the admin, behind any of the 3 routers ( on their local network) or remotely ( laptop in a cafe or at home ) , should be able to configure each router.

Please confirm the following.
A. All three routers have their own connection to the internet and are not in the same location.
B. I don't understand employees in the home office..................... they do not need any configuration!!

Each Router will likely have its own subnets and users.
Each Router will assign Wireguard to subnets/users as required by the admin and NO CONFIG is required on devices used at the office.

C. So please confirm that no users/devices behind the routers have NOT been provided wireguard settings to connect.

D. What does make sense is if you have users that need to connect to their work remotely.
Do you have any users that require REMOTE ACCESS to networks behind the routers, aka at a cafe, at home, basically away from one of the three routers??
 
dima1002
Member Candidate
Topic Author
Posts: 157
Joined: Fri Jan 26, 2018 8:40 pm

Re: Firewall - DNS Open? - Urgent

Mon Dec 11, 2023 12:10 pm

anav wrote:
A. All three routers have their own connection to the internet and are not in the same location.
Yes, exactly, there are 3 different locations, each with its own Internet connection.
anav wrote:
B. I don't understand employees in the home office..................... they do not need any configuration!!
Each Router will likely have its own subnets and users.
Each Router will assign Wireguard to subnets/users as required by the admin and NO CONFIG is required on devices used at the office.
Those in the office are on the LAN and don't have Wireguard installed.
anav wrote:
C. So please confirm that no users/devices behind the routers have NOT been provided wireguard settings to connect.
I don't understand the question, that's obvious. In the LAN, the PCs are simply connected to the switch. Why should a Wireguard configuration be installed?
anav wrote:
D. What does make sense is if you have users that need to connect to their work remotely.
Do you have any users that require REMOTE ACCESS to networks behind the routers, aka at a cafe, at home, basically away from one of the three routers??
Yes, e.g. one employee in the home office. He has to access the drives or the terminal server from home.
Hence the Wireguard configuration for the employee.
 
dima1002
Member Candidate
Topic Author
Posts: 157
Joined: Fri Jan 26, 2018 8:40 pm

Re: Firewall - DNS Open? - Urgent

Tue Dec 12, 2023 11:40 pm

Is everything actually clear here? Or what about the firewall?
