tunguskalabs
Recommended firewall rules for a home office

Fri Feb 02, 2024 1:44 pm

Hi all,

After finally setting up VLANs to split my network between home, guest and work, I'm now in search of a good set of firewall rules. Nothing crazy, just a standard home office setup with a personal NAS, a few homelab servers (all in the home VLAN), a notebook and a mobile phone in the work network, and a guest network for, well, guests. No communication between the VLANs, maybe with the exception of a DNS server, like a Pi-hole, that I'm thinking about adding to the mix. I use Tailscale for accessing my NAS from outside, and I do use DLNA and AirPlay on my home VLAN. I definitely don't want to open anything that I don't need to the external world. I don't need to manage my 4011 from outside, and the guest and work networks will not need to do anything with DLNA and such, so no mDNS reflectors.

This is my current set of rules:
 /ip/firewall> export hide-sensitive
# 2024-02-02 08:42:11 by RouterOS 7.13
# software id = 65AU-E2NI
#
# model = RB4011iGS+5HacQ2HnD
# serial number =
/ip firewall address-list
add address=8.8.8.8 comment="google DNS" list=GOOGLE_DNS
add address=8.8.4.4 comment="google DNS" list=GOOGLE_DNS
add address=0.0.0.0/8 comment="defconf: RFC6890" list=no_forward_ipv4
add address=169.254.0.0/16 comment="defconf: RFC6890" list=no_forward_ipv4
add address=224.0.0.0/4 comment="defconf: multicast" list=no_forward_ipv4
add address=255.255.255.255 comment="defconf: RFC6890" list=no_forward_ipv4
add address=127.0.0.0/8 comment="defconf: RFC6890" list=bad_ipv4
add address=192.0.0.0/24 comment="defconf: RFC6890" list=bad_ipv4
add address=192.0.2.0/24 comment="defconf: RFC6890 documentation" list=bad_ipv4
add address=198.51.100.0/24 comment="defconf: RFC6890 documentation" list=bad_ipv4
add address=203.0.113.0/24 comment="defconf: RFC6890 documentation" list=bad_ipv4
add address=240.0.0.0/4 comment="defconf: RFC6890 reserved" list=bad_ipv4
add address=0.0.0.0/8 comment="defconf: RFC6890" list=not_global_ipv4
add address=10.0.0.0/8 comment="defconf: RFC6890" list=not_global_ipv4
add address=100.64.0.0/10 comment="defconf: RFC6890" list=not_global_ipv4
add address=169.254.0.0/16 comment="defconf: RFC6890" list=not_global_ipv4
add address=172.16.0.0/12 comment="defconf: RFC6890" list=not_global_ipv4
add address=192.0.0.0/29 comment="defconf: RFC6890" list=not_global_ipv4
add address=192.168.0.0/16 comment="defconf: RFC6890" list=not_global_ipv4
add address=198.18.0.0/15 comment="defconf: RFC6890 benchmark" list=not_global_ipv4
add address=255.255.255.255 comment="defconf: RFC6890" list=not_global_ipv4
add address=224.0.0.0/4 comment="defconf: multicast" list=bad_src_ipv4
add address=255.255.255.255 comment="defconf: RFC6890" list=bad_src_ipv4
add address=0.0.0.0/8 comment="defconf: RFC6890" list=bad_dst_ipv4
add address=224.0.0.0/4 comment="defconf: RFC6890" disabled=yes list=bad_dst_ipv4
add address=192.168.0.0/16 list=allowed_to_router
add address=192.168.0.0/16 comment="internal networks, including VLANs" list=allowed_lan
/ip firewall filter
add action=accept chain=input comment="defconf: accept ICMP after RAW" protocol=icmp
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=accept chain=input comment="Allow local net to router" src-address-list=allowed_to_router
add action=accept chain=input comment="Allow Base_Vlan Full Access" in-interface=base_vlan
add action=accept chain=input comment="Allow VLAN" in-interface-list=VLAN
add action=drop chain=input comment=Drop
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related hw-offload=yes
add action=accept chain=forward comment="defconf: accept established,related, untracked" connection-state=established,related,untracked
add action=accept chain=forward comment="Allow Base_Vlan Full Access" in-interface=base_vlan
add action=accept chain=forward comment="VLAN Internet Access only" connection-state=new in-interface-list=VLAN out-interface-list=WAN
add action=drop chain=forward comment="Drop google DNS" dst-address-list=GOOGLE_DNS log=yes log-prefix=googledns
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid log=yes log-prefix=fw_invalid
add action=drop chain=forward comment="defconf:  drop all from WAN not DSTNATed" connection-nat-state=!dstnat connection-state=new in-interface-list=WAN
add action=drop chain=forward comment="defconf: drop bad forward IPs" src-address-list=no_forward_ipv4
add action=drop chain=forward comment="defconf: drop bad forward IPs" dst-address-list=no_forward_ipv4 log=yes
add action=drop chain=forward comment=Drop
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" ipsec-policy=out,none out-interface-list=WAN

I would like to add DNS redirection to the Pi-hole, to block a nasty Roku that I can't remove right now. Is this a (relatively) secure set of rules? I do get a lot of these messages with these rules:
 08:36:26 firewall,info fw_invalid forward: in:home_vlan out:pppoe-out1, connection-state:invalid src-mac 3a:e1:df:0d:44:33, proto TCP (ACK,RST), 192.168.10.10:49940->216.239.38.135:443, len 52
 08:36:26 firewall,info fw_invalid forward: in:home_vlan out:pppoe-out1, connection-state:invalid src-mac 3a:e1:df:0d:44:33, proto TCP (ACK,RST), 192.168.10.10:45782->142.251.129.106:443, len 52
 08:36:35 firewall,info fw_invalid forward: in:guest_vlan out:pppoe-out1, connection-state:invalid src-mac e6:b4:6e:5d:2e:6c, proto TCP (ACK,FIN), 192.168.30.251:41568->201.0.223.213:443, len 52
 08:37:02 firewall,info fw_invalid forward: in:guest_vlan out:pppoe-out1, connection-state:invalid src-mac e6:b4:6e:5d:2e:6c, proto TCP (ACK,FIN), 192.168.30.251:41568->201.0.223.213:443, len 52
 08:39:29 firewall,info fw_invalid forward: in:home_vlan out:pppoe-out1, connection-state:invalid src-mac 3a:e1:df:0d:44:33, proto TCP (ACK,RST), 192.168.10.10:45118->142.250.218.202:443, len 40
 02-01 23:21:20 firewall,info fw_invalid forward: in:work_vlan out:pppoe-out1, connection-state:invalid src-mac d8:68:a0:9f:17:1c, proto TCP (ACK,FIN), 192.168.20.11:35936->18.67.129.82:80, len 52
 02-01 23:21:20 firewall,info fw_invalid forward: in:work_vlan out:pppoe-out1, connection-state:invalid src-mac d8:68:a0:9f:17:1c, proto TCP (ACK,FIN), 192.168.20.11:35940->18.67.129.82:80, len 52
 02-01 23:21:20 firewall,info fw_invalid forward: in:work_vlan out:pppoe-out1, connection-state:invalid src-mac d8:68:a0:9f:17:1c, proto TCP (ACK,FIN), 192.168.20.11:50590->95.101.124.55:80, len 52
 02-01 23:21:20 firewall,info fw_invalid forward: in:work_vlan out:pppoe-out1, connection-state:invalid src-mac d8:68:a0:9f:17:1c, proto TCP (ACK,FIN), 192.168.20.11:50570->95.101.124.55:80, len 52
 02-01 23:21:20 firewall,info fw_invalid forward: in:work_vlan out:pppoe-out1, connection-state:invalid src-mac d8:68:a0:9f:17:1c, proto TCP (ACK,FIN), 192.168.20.11:38578->54.154.153.238:80, len 52
 02-01 23:21:20 firewall,info fw_invalid forward: in:work_vlan out:pppoe-out1, connection-state:invalid src-mac d8:68:a0:9f:17:1c, proto TCP (ACK,FIN), 192.168.20.11:38568->54.154.153.238:80, len 52
 02-01 23:21:20 firewall,info fw_invalid forward: in:work_vlan out:pppoe-out1, connection-state:invalid src-mac d8:68:a0:9f:17:1c, proto TCP (ACK,FIN), 192.168.20.11:35956->18.67.129.82:80, len 52
 02-01 23:21:20 firewall,info fw_invalid forward: in:work_vlan out:pppoe-out1, connection-state:invalid src-mac d8:68:a0:9f:17:1c, proto TCP (ACK,FIN), 192.168.20.11:50606->95.101.124.55:80, len 52
 02-01 23:21:20 firewall,info fw_invalid forward: in:work_vlan out:pppoe-out1, connection-state:invalid src-mac d8:68:a0:9f:17:1c, proto TCP (ACK,FIN), 192.168.20.11:54972->142.251.129.195:80, len 52
 
Thanks!
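The fw_invalid lines quoted in the post are all TCP segments carrying ACK,RST or ACK,FIN towards remote ports 80/443, which is what late teardown traffic looks like once the connection tracker has already closed the flow. As an added example (not part of the post and not RouterOS code), this Python script parses lines in exactly that log format, separates such late FIN/RST stragglers from anything else, and tallies them per ingress VLAN; the sample log is constructed from three lines of the post plus one made-up SYN line to a documentation address.

```python
import re
from collections import Counter

# Constructed sample: the first three lines are copied from the post above; the
# fourth is made up (documentation address 203.0.113.5) to exercise the "review" path.
SAMPLE_LOG = """\
 08:36:26 firewall,info fw_invalid forward: in:home_vlan out:pppoe-out1, connection-state:invalid src-mac 3a:e1:df:0d:44:33, proto TCP (ACK,RST), 192.168.10.10:49940->216.239.38.135:443, len 52
 08:36:35 firewall,info fw_invalid forward: in:guest_vlan out:pppoe-out1, connection-state:invalid src-mac e6:b4:6e:5d:2e:6c, proto TCP (ACK,FIN), 192.168.30.251:41568->201.0.223.213:443, len 52
 02-01 23:21:20 firewall,info fw_invalid forward: in:work_vlan out:pppoe-out1, connection-state:invalid src-mac d8:68:a0:9f:17:1c, proto TCP (ACK,FIN), 192.168.20.11:35936->18.67.129.82:80, len 52
 02-02 09:00:00 firewall,info fw_invalid forward: in:guest_vlan out:pppoe-out1, connection-state:invalid src-mac e6:b4:6e:5d:2e:6c, proto TCP (SYN), 192.168.30.251:51000->203.0.113.5:22, len 60
"""

# Field layout of a RouterOS firewall log line written with log-prefix "fw_invalid".
LINE_RE = re.compile(
    r"fw_invalid forward: in:(?P<in_if>\S+) out:(?P<out_if>\S+), "
    r"connection-state:invalid src-mac (?P<mac>[0-9a-f:]+), "
    r"proto (?P<proto>[A-Za-z]+)(?: \((?P<flags>[^)]*)\))?, "
    r"(?P<src>[\d.]+):(?P<sport>\d+)->(?P<dst>[\d.]+):(?P<dport>\d+), len (?P<length>\d+)"
)

def parse_line(line):
    """Return the named fields of one fw_invalid line, or None if it is not one."""
    m = LINE_RE.search(line)
    return m.groupdict() if m else None

def classify(entry):
    """FIN/RST segments that arrive after the tracker already closed the flow are
    the usual, harmless source of 'invalid' entries; everything else gets flagged."""
    flags = {f for f in (entry["flags"] or "").split(",") if f}
    if entry["proto"] == "TCP" and flags & {"FIN", "RST"} and "SYN" not in flags:
        return "late-teardown"
    return "review"

def summarize(log_text):
    """Count entries per (ingress VLAN, verdict) and list the ones worth a look."""
    counts, review = Counter(), []
    for line in log_text.splitlines():
        entry = parse_line(line)
        if entry is None:
            continue
        verdict = classify(entry)
        counts[(entry["in_if"], verdict)] += 1
        if verdict == "review":
            review.append(f"{entry['in_if']} {entry['src']}:{entry['sport']}->"
                          f"{entry['dst']}:{entry['dport']} {entry['proto']} {entry['flags']}")
    return counts, review

if __name__ == "__main__":
    print(summarize(SAMPLE_LOG))
```

Feed it the output of `/log print` filtered on the fw_invalid prefix; a steady diet of late-teardown entries is expected noise, while anything landing in the review list is what the log rule is actually there to catch.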
