andy2605
just joined
Topic Author
Posts: 14
Joined: Wed Jan 15, 2025 12:09 pm

DMZ Pinhole

Wed Jan 15, 2025 12:21 pm

Hi,
I am using a RB760iGS running 7.16.2 packages and firmware.
I have a LAN bridge configured on ether2&3 and the SFP socket subnet 172.16.23.0/24
I have a DMZ configured on ether4 subnet 172.16.24.0/28

I have a Raspberry Pi running Network UPS Tools on 172.16.23.4:3493 and I am trying (without any success) to allow a NUT client on my Ubuntu server (172.16.24.8) in the DMZ to communicate with the RPi.
I used to run OpnSense firewall and this was known as a pinhole between networks and was easy to setup through the web interface as it would write the firewall rules for you.

The firewall rules from the config are below. I am sure it's something simple that my lack of knowledge is missing, or knowing the right phrase to search for. Any help would be greatly appreciated. If there are any good references for learning the RouterOS firewall that would be great, as I am using a lot of the hEX routers for work and seem to be muddling through.
/ip firewall filter
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=accept chain=forward in-interface-list=DMZ
add action=accept chain=input comment="defconf: accept ICMP" \
    in-bridge-port-list=LAN protocol=icmp
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=accept chain=input comment=\
    "defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
    ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
    ipsec-policy=out,ipsec
add action=accept chain=input comment="OVPN Pass" dst-port=1194 protocol=tcp
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
    connection-state=established,related hw-offload=yes
add action=accept chain=forward comment=\
    "defconf: accept established,related, untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward connection-state=new in-interface="DMZ Port" \
    out-interface=LAN_bridge
add action=drop chain=forward in-interface=ether5 out-interface=LAN_bridge
add action=drop chain=forward in-interface=VLAN_SCS_WORKSHOP out-interface=\
    LAN_bridge
add action=drop chain=forward in-interface=VLAN_SCS_WAN2 out-interface=\
    LAN_bridge
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
    in-interface-list=!LAN
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
add action=drop chain=forward comment=\
    "defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
    connection-state=new in-interface-list=WAN
add action=drop chain=input dst-port=53 in-interface=ether1 protocol=tcp
add action=drop chain=input dst-port=53 in-interface=ether1 protocol=udp
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" \
    ipsec-policy=out,none out-interface-list=WAN
add action=dst-nat chain=dstnat comment="NAT Incoming Mail " dst-address=\
    212.159.16.166 dst-port=587 protocol=tcp to-addresses=172.16.24.8 \
    to-ports=587
add action=dst-nat chain=dstnat comment="NAT SMTPS Incoming Mail " \
    dst-address=212.159.16.166 dst-port=465 protocol=tcp to-addresses=\
    172.16.24.8 to-ports=465
add action=dst-nat chain=dstnat comment="NAT SMTP Incoming Mail " \
    dst-address=212.159.16.166 dst-port=25 protocol=tcp to-addresses=\
    172.16.24.8 to-ports=25
add action=dst-nat chain=dstnat comment="NAT HTTP to the web server" \
    dst-address=212.159.16.166 dst-port=80 protocol=tcp to-addresses=\
    172.16.24.8 to-ports=80
add action=dst-nat chain=dstnat comment=\
    "NAT HTTP to the web server for webmail" dst-address=212.159.16.166 \
    dst-port=8081 protocol=tcp to-addresses=172.16.24.8 to-ports=8081
add action=dst-nat chain=dstnat dst-address=212.159.16.166 dst-port=110 \
    protocol=tcp to-addresses=172.16.24.8 to-ports=110
add action=dst-nat chain=dstnat dst-address=212.159.16.166 dst-port=143 \
    protocol=tcp to-addresses=172.16.24.8 to-ports=143
add action=dst-nat chain=dstnat comment="NAT IMAP to mail Server " \
    dst-address=212.159.16.166 dst-port=993 protocol=tcp to-addresses=\
    172.16.24.8 to-ports=993
add action=dst-nat chain=dstnat comment="NAT HTTPS to Web Server " \
    dst-address=212.159.16.166 dst-port=443 protocol=tcp to-addresses=\
    172.16.24.8 to-ports=443
add action=masquerade chain=srcnat out-interface=ether1
 
anav
Forum Guru
Posts: 22520
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: DMZ Pinhole

Wed Jan 15, 2025 4:40 pm

Detailed network diagram would help understand.
 
andy2605
just joined
Topic Author
Posts: 14
Joined: Wed Jan 15, 2025 12:09 pm

Re: DMZ Pinhole

Wed Jan 15, 2025 5:27 pm

Hi,
Network diagram attached.
 
anav
Forum Guru
Posts: 22520
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: DMZ Pinhole

Wed Jan 15, 2025 6:17 pm

So you have servers on one subnet.
a. are users coming to the servers from external?
b. are users coming from same subnet as servers?
c. are users coming from the other subnet (where pi is located)

So no traffic ORIGINATED at servers, only responses to incoming requests??
( except for NUT client originating traffic to PI ??? ).

Full config required.
/export file=anynameyouwish ( minus router serial number, any public WANIP information, keys etc. )
 
andy2605
just joined
Topic Author
Posts: 14
Joined: Wed Jan 15, 2025 12:09 pm

Re: DMZ Pinhole

Wed Jan 15, 2025 6:31 pm

Hi,

The servers are web and mail. They have traffic from WAN and LAN going to DMZ. User PCs, NAS, and general LAN is where the Pi is located. The only thing originated from the server would be outbound mail, but all of that is working fine with dst-nat.

NUT client is running on the server to monitor the UPS for power failure. The NUT server is running on the Pi in the LAN. This is a home network so I have 1 ups running the LAN side and the 1 small web and mail server.

Config file attached.
Thanks for your help
 
anav
Forum Guru
Posts: 22520
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: DMZ Pinhole

Wed Jan 15, 2025 7:23 pm

When you are willing to change your config to the optimal one bridge approach - all vlans associated with bridge, will be happy to assist.
viewtopic.php?t=143620
 
andy2605
just joined
Topic Author
Posts: 14
Joined: Wed Jan 15, 2025 12:09 pm

Re: DMZ Pinhole

Wed Jan 15, 2025 7:56 pm

Thanks but I am looking for help on firewall rules not rebuilding the config.

There seems to be many ways to configure the RouterOS and your answer seems a bit "my way is best" and misses the question completely.
 
anav
Forum Guru
Posts: 22520
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: DMZ Pinhole

Wed Jan 15, 2025 8:04 pm

Understood, no worries. Most are not picky like me. :-)
 
ConradPino
Member
Posts: 455
Joined: Sat Jan 21, 2023 12:44 pm
Location: San Francisco Bay

Re: DMZ Pinhole

Thu Jan 16, 2025 7:01 pm

There seems to be many ways to configure the RouterOS and your answer seems a bit "my way is best" and misses the question completely.
You misunderstand, @anav was polite whereas I will say "your way is worse and you've killed your performance",
see Layer2 misconfiguration - Bridges on a single switch chip
MT forum users generally ignore bad practice requests.
 
andy2605
just joined
Topic Author
Posts: 14
Joined: Wed Jan 15, 2025 12:09 pm

Re: DMZ Pinhole

Fri Jan 17, 2025 6:46 pm

No offence was intended to anyone.

@anav - thanks for the information regarding VLANs. It was my misunderstanding of the hardware I am using; I presumed each port was a separate NIC instead of part of a switch.
@ConradPino - thanks for pointing out in a more blunt and to the point way that my current config and config design principles are killing the performance of the router.
I have taken onboard the principles and am working to build a new config.

Is dst-nat still the preferred method for allowing WAN access to servers / services (web and mail) within a VLAN, or is there a better solution?
 
 
andy2605
just joined
Topic Author
Posts: 14
Joined: Wed Jan 15, 2025 12:09 pm

Re: DMZ Pinhole

Sun Jan 19, 2025 6:45 pm

I am working on rebuilding the config and wondered if there were any examples of how to make this more granular?

# Allow VLANs to access router services like DNS, Winbox. Naturally, you SHOULD make it more granular.
add chain=input action=accept in-interface-list=VLAN comment="Allow VLAN"
 
andy2605
just joined
Topic Author
Posts: 14
Joined: Wed Jan 15, 2025 12:09 pm

Re: DMZ Pinhole

Mon Jan 20, 2025 6:46 pm

Do I have to explicitly create drop firewall rules to stop traffic between vlans?

How do I allow the OpenVPN Client access to the LAN? I had this working in the old bad method not using VLANs, copied the config over and I am not able to access clients on the LAN side through the VPN as I did.
 
anav
Forum Guru
Posts: 22520
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: DMZ Pinhole

Mon Jan 20, 2025 8:55 pm

Everything was looking normal until you decided to add an undocumented immigrant in your config.
Where did vlan16 come from??

Also you stated you want nut client to reach pi...... dmz to lan.
however in the diagram it states nut client LISTENing on port 3498, which IMPLIES that the pi is going to contact the nut client on that port, not the other way round???

I don't see any ovpn settings on the router input chain aka port?? Assuming this is a router service how do you expect to connect??.

Too many interface lists for needs described
/interface list
add name=WAN
add name=LAN
add name=TRUSTED
/interface list member
add interface=ether1 list=WAN
add interface=LAN_VLAN list=LAN
add interface=DMZ_VLAN list=LAN
add interface=LAN_VLAN list=TRUSTED
add interface=OpenVPN_CLient list=TRUSTED


/ip firewall address-list
add address=192.168.100.X list=Authorized comment="local admin device 1"
add address=192.168.100.Y list=Authorized comment="local admin device 2"
add address=OVPN address ( or subnet ) list=Authorized comment="admin remote vpn"


/ip firewall filter
add action=accept chain=input connection-state=established,related,untracked
add action=drop chain=input connection-state=invalid
add action=accept chain=input protocol=icmp comment="keep this one enabled"
add action=accept chain=input in-interface-list=TRUSTED src-address-list=Authorized
add action=accept chain=input comment="users to services" dst-port=53 in-interface-list=LAN protocol=udp
add action=accept chain=input comment="users to services" dst-port=53 in-interface-list=LAN protocol=tcp
add action=drop chain=input comment="Drop all else - add this rule last"
add action=fasttrack-connection chain=forward connection-state=established,related hw-offload=yes
add action=accept chain=forward connection-state=established,related,untracked
add action=drop chain=forward connection-state=invalid
add action=accept chain=forward comment="internet traffic" in-interface-list=LAN out-interface-list=WAN
add action=accept chain=forward comment="nut client to pi" in-interface=DMZ_VLAN src-address=172.16.24.8/32 out-interface=LAN_VLAN dst-address=172.16.23.4/32
add action=accept chain=forward comment="admin to LAN" in-interface-list=TRUSTED src-address-list=Authorized out-interface-list=LAN
add action=accept chain=forward comment="port forwarding" connection-nat-state=dstnat
add action=drop chain=forward comment="Drop all else"


ether5 removed until vlan16 mystery cleared up, but missing sfp1

/interface bridge port
add bridge=br1 ingress-filtering=yes frame-types=admit-only-untagged-and-priority-tagged interface=ether2 pvid=10
add bridge=br1 ingress-filtering=yes frame-types=admit-only-untagged-and-priority-tagged interface=ether3 pvid=10
add bridge=br1 ingress-filtering=yes frame-types=admit-only-untagged-and-priority-tagged interface=ether4 pvid=20
add bridge=br1 ingress-filtering=yes frame-types=admit-only-vlan-tagged interface=sfp1 comment="trunk to switch"


/interface bridge vlan
add bridge=br1 tagged=br1,sfp1 untagged=ether2,ether3 vlan-ids=10
add bridge=br1 tagged=br1,sfp1 untagged=ether4 vlan-ids=20


/tool mac-server
set allowed-interface-list=none
/tool mac-server mac-winbox
set allowed-interface-list=TRUSTED

/ip neighbor discovery-settings
set discover-interface-list=TRUSTED
Last edited by anav on Mon Jan 20, 2025 11:55 pm, edited 3 times in total.
 
andy2605
just joined
Topic Author
Posts: 14
Joined: Wed Jan 15, 2025 12:09 pm

Re: DMZ Pinhole

Mon Jan 20, 2025 10:12 pm

Sorry, I was trying to run before I could walk :)

Ether5 is a hybrid port for some development. I have it in my current config, which I was copying across.
I have removed it and just stuck with the basics. If I can get that working I can add to it, hopefully...
 
andy2605
just joined
Topic Author
Posts: 14
Joined: Wed Jan 15, 2025 12:09 pm

Re: DMZ Pinhole

Mon Jan 27, 2025 9:42 pm

I have removed the VPN server for the moment as it's not that important.
I have worked up all the VLANs etc. but it doesn't seem to be working. I have loaded it onto the hEX and I am not able to get traffic from the LAN to WAN, and DMZ to WAN is very slow. WiFi on the LAN and SCS-Wireless stop completely.

It is probably something really simple, fingers crossed.
Thanks in advance
 
anav
Forum Guru
Posts: 22520
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: DMZ Pinhole

Tue Jan 28, 2025 4:37 pm

Please post config in normal export format, it's very difficult trying to read your work otherwise.
/export file=anynameyouwish (minus router serial number, any public WANIP information, keys etc.)


Note: I read recently that auto-mac for bridge is best set to manual NOT AUTO.
 
andy2605
just joined
Topic Author
Posts: 14
Joined: Wed Jan 15, 2025 12:09 pm

Re: DMZ Pinhole

Tue Feb 04, 2025 6:41 pm

I have made some big steps forward and got a config running where I can get an IP from either of the main VLANs but the connection on ether1 seems to keep dropping and network throughput to the internet is painfully slow and keeps failing with a laptop on either vlan.

Any ideas?
 
anav
Forum Guru
Posts: 22520
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: DMZ Pinhole

Tue Feb 04, 2025 6:53 pm

It's also not clear what's going on with ether2,3; it would seem you have set up hybrid ports to what?? unifi access points?
remove bridge from lan interface as a member.
remove the static dns setting to 192.168.88.1
 
andy2605
just joined
Topic Author
Posts: 14
Joined: Wed Jan 15, 2025 12:09 pm

Re: DMZ Pinhole

Sun Feb 09, 2025 4:15 pm

@Anav - Thank you for all your help, I now have 98% of the config working and a better understanding of ROS.
I have 1 final hurdle to overcome - WireGuard VPN for road warrior config.
I have the server and a peer set up. I can connect but not access the LAN subnet. I am sure it's firewall related. Would you be able to point me to the probably obvious issues in the config?
 
anav
Forum Guru
Posts: 22520
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: DMZ Pinhole

Sun Feb 09, 2025 5:55 pm

Several issues and the biggie is firewall rules. You have to be way clearer on your forward chain rules.
There is no effing reason why vlans can originate traffic to your trusted vlan, ain't trusted anymore LOL
So I have assumed the following: EVERYONE should have access to dmz
MAIN should have access to everyone.
DONE. we can adjust when intentions are made known.
Also fixed access to the router by the admin
Also fixed interface lists, you only need three.
removed second sourcenat rule stating ether1, not needed.

model =RB760iGS
# serial number = #####
/interface bridge
add admin-mac=D4:01:C3:6A:E4:CE auto-mac=no comment=defconf name=br1 \
protocol-mode=none vlan-filtering=yes
/interface pppoe-client
add add-default-route=yes disabled=no interface=ether1 name=\
"PlusNet Full Fibre" use-peer-dns=yes user=***@plusdsl.net
/interface wireguard
add listen-port=9874 mtu=1420 name=wireguard1
/interface vlan
add interface=br1 name=DMZ_VLAN vlan-id=20
add interface=br1 name=IoT_VLAN vlan-id=50
add interface=br1 name=Main_VLAN vlan-id=5
add interface=br1 name=SCS-Wireless_VLAN vlan-id=100
add interface=br1 name=SCS_Workshop_VLAN vlan-id=30

/interface list
add name=WAN
add name=LAN
add name=Trusted
/ip pool
add name=Main_VLAN_Pool ranges=172.16.23.115-172.16.23.245
add name=DMZ_Pool ranges=172.16.24.10-172.16.24.13
add name=IoT_Pool ranges=172.16.50.100-172.16.50.200
add name=SCS-Wireless_Pool ranges=192.168.10.100-192.168.10.150
add name=SCS-Workshop_Pool ranges=192.168.3.10-192.168.3.200
/ip dhcp-server
add address-pool=Main_VLAN_Pool interface=Main_VLAN lease-time=12h name=\
Main_VLAN_DHCP
add address-pool=DMZ_Pool interface=DMZ_VLAN name=DMZ_VLAN_DHCP
add address-pool=SCS-Wireless_Pool interface=SCS-Wireless_VLAN lease-time=8h \
name=SCS-Wireless_DHCP
add address-pool=IoT_Pool interface=IoT_VLAN name=IoT_VLAN_DHCP
add address-pool=SCS-Workshop_Pool interface=SCS_Workshop_VLAN lease-time=8h \
name=SCS-Workshop_DHCP
/disk settings
set auto-media-interface=br1 auto-media-sharing=yes auto-smb-sharing=yes

/interface bridge port
add bridge=br1 interface=ether2 pvid=5 comment="hybrid port"
add bridge=br1 ingress-filtering=yes frame-types=admit-only-untagged-and-priority-tagged interface=ether3 pvid=20
add bridge=br1 ingress-filtering=yes frame-types=admit-only-untagged-and-priority-tagged interface=ether4 pvid=5
add bridge=br1 ingress-filtering=yes frame-types=admit-only-untagged-and-priority-tagged interface=ether5 pvid=30
add bridge=br1 interface=sfp1 pvid=5 comment="hybrid port"
/ip neighbor discovery-settings
set discover-interface-list=Trusted
/interface bridge vlan
add bridge=br1 tagged=br1 untagged=ether2,sfp1 vlan-ids=5
add bridge=br1 tagged=br1 untagged=ether3 vlan-ids=20
add bridge=br1 tagged=br1 untagged=ether5 vlan-ids=30
add bridge=br1 tagged=br1,ether2,sfp1 vlan-ids=50,100
/interface list member
add interface=ether1 list=WAN
add interface=Main_VLAN list=LAN
add interface=DMZ_VLAN list=LAN
add interface=IoT_VLAN list=LAN
add interface=SCS-Wireless_VLAN list=LAN
add interface=SCS_Workshop_VLAN list=LAN
add interface=wireguard1 list=LAN
add interface=Main_VLAN list=Trusted
add interface=wireguard1 list=Trusted
add interface="PlusNet Full Fibre" list=WAN
/interface wireguard peers
add allowed-address=172.16.30.2/32 interface=wireguard1 name=peer5 \
public-key="aOnJYVQJ5YwfpV1V5D8hWwfl1QM6zXXSUQCFo5SbH28="
add allowed address=..................one for admin smartphone/ipad 172.16.30.3/32
/ip address
add address=172.16.23.1/24 interface=Main_VLAN network=172.16.23.0
add address=172.16.24.2/28 interface=DMZ_VLAN network=172.16.24.0
add address=192.168.3.254/24 interface=SCS_Workshop_VLAN network=192.168.3.0
add address=192.168.10.254/24 interface=SCS-Wireless_VLAN network=\
192.168.10.0
add address=172.16.50.1/24 interface=IoT_VLAN network=172.16.50.0
add address=172.16.30.1/29 interface=wireguard1 network=172.16.30.0 comment="five useable IPs"
/ip dhcp-client
add comment="defconf: already using pppoe" disabled=yes interface=ether1
/ip dhcp-server lease
add address=172.16.23.101 comment="Main Desktop PC" mac-address=\
40:B0:76:60:89:89 server=Main_VLAN_DHCP
add address=172.16.23.105 comment="Lounge TV" mac-address=38:68:A4:6E:A8:D4 \
server=Main_VLAN_DHCP
add address=172.16.23.106 comment=SonosZP mac-address=00:0E:58:10:E7:0A \
server=Main_VLAN_DHCP
add address=172.16.23.107 comment="Sonos ZP2" mac-address=00:0E:58:10:E7:C0 \
server=Main_VLAN_DHCP
add address=172.16.23.108 comment="Sonos ZP3" mac-address=94:9F:3E:76:6D:94 \
server=Main_VLAN_DHCP
add address=172.16.23.109 comment="Bedroom Firestick" mac-address=\
38:F7:3D:3D:9F:A9 server=Main_VLAN_DHCP
add address=172.16.23.111 comment="Sony DVD Bluray Player" mac-address=\
38:B8:00:D3:5A:AC server=Main_VLAN_DHCP
add address=192.168.10.100 client-id=1:ea:8a:87:50:89:42 mac-address=\
EA:8A:87:50:89:42 server=SCS-Wireless_DHCP
add address=172.16.23.110 comment="Sonos Controller Phone" mac-address=\
36:F6:43:B1:B0:35 server=Main_VLAN_DHCP
add address=172.16.23.102 comment="Andy's Laptop WiFi" mac-address=\
54:6C:EB:0D:EB:E3 server=Main_VLAN_DHCP
add address=172.16.23.103 comment="Lissa's Laptop" mac-address=\
5C:87:9C:8C:6D:E2 server=Main_VLAN_DHCP
/ip dhcp-server network
add address=172.16.23.0/24 comment="Main LAN" dns-server=172.16.23.4 gateway=\
172.16.23.1
add address=172.16.24.0/28 comment=DMZ dns-server=8.8.8.8 gateway=172.16.24.2
add address=172.16.50.0/24 comment=IoT dns-server=172.16.23.1 gateway=\
172.16.50.1
add address=192.168.3.0/24 comment="SCS Workshop" dns-server=172.16.23.1 \
gateway=192.168.3.254
add address=192.168.10.0/24 comment="SCS Wireless" dns-server=8.8.8.8 \
gateway=192.168.10.254

/ip dns
set allow-remote-requests=yes

/ip firewall address-list
add address=172.16.23.X/32 list=Authorized comment="admin desktop"
add address=172.16.23.Y/32 list=Authorized comment="admin laptop"
add address=172.16.23.Z/32 list=Authorized comment="admin smartphone/ipad"
add address=172.16.30.2/32 list=Authorized comment="remote admin laptop"
add address=172.16.30.3/32 list=Authorized comment="remote admin smartphone/ipad"
# fix order
/ip firewall filter
add action=accept chain=input comment=\
"defconf: accept established,related,untracked" connection-state=\
established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment=\
"defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=accept chain=input comment="allow Wireguard" dst-port=9874 \
protocol=udp
add action=accept chain=input comment="admin access" in-interface-list=Trusted src-address-list=Authorized
add action=accept chain=input dst-port=53 in-interface-list=LAN protocol=tcp comment="users to services"
add action=accept chain=input dst-port=53 in-interface-list=LAN protocol=udp comment="users to services"
add action=drop chain=input comment="drop all else"
+++++++++++++++++++++++++++++++++++++++++++++++++++
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
connection-state=established,related hw-offload=yes
add action=accept chain=forward comment=\
"defconf: accept established,related, untracked" connection-state=\
established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
connection-state=invalid
add action=accept chain=forward comment="internet traffic" in-interface-list=LAN out-interface-list=WAN
add action=accept chain=forward in-interface-list=LAN dst-address=172.16.24.0/28 comment="all to DMZ"
add action=accept chain=forward in-interface-list=Trusted out-interface-list=LAN comment="main & wireguard to ALL"
add action=accept chain=forward comment="port forwarding" connection-nat-state=dstnat
add action=drop chain=forward comment="drop all else"
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" \
ipsec-policy=out,none out-interface-list=WAN
add action=dst-nat chain=dstnat comment="NAT Incoming Mail " dst-address=\
212.***.16.*** dst-port=587 protocol=tcp to-addresses=172.16.24.8 \
to-ports=587
add action=dst-nat chain=dstnat comment="NAT SMTPS Incoming Mail " \
dst-address=212.***.16.*** dst-port=465 protocol=tcp to-addresses=\
172.16.24.8 to-ports=465
add action=dst-nat chain=dstnat comment="NAT SMTP Incoming Mail " \
dst-address=212.***.16.*** dst-port=25 protocol=tcp to-addresses=\
172.16.24.8 to-ports=25
add action=dst-nat chain=dstnat comment="NAT HTTP to the web server" \
dst-address=212.***.16.*** dst-port=80 protocol=tcp to-addresses=\
172.16.24.8 to-ports=80
add action=dst-nat chain=dstnat comment=\
"NAT HTTP to the web server for webmail" dst-address=212.***.16.*** \
dst-port=8081 protocol=tcp to-addresses=172.16.24.8 to-ports=8081
add action=dst-nat chain=dstnat dst-address=212.***.16.*** dst-port=110 \
protocol=tcp to-addresses=172.16.24.8 to-ports=110
add action=dst-nat chain=dstnat dst-address=212.***.16.*** dst-port=143 \
protocol=tcp to-addresses=172.16.24.8 to-ports=143
add action=dst-nat chain=dstnat comment="NAT IMAP to mail Server " \
dst-address=212.***.16.*** dst-port=993 protocol=tcp to-addresses=\
172.16.24.8 to-ports=993
add action=dst-nat chain=dstnat comment="NAT HTTPS to Web Server " \
dst-address=212.***.16.*** dst-port=443 protocol=tcp to-addresses=\
172.16.24.8 to-ports=443

/ip service
set telnet disabled=yes
set ftp disabled=yes
set www disabled=yes
set www-ssl certificate=webfig disabled=no port=445
/system clock
set time-zone-name=Europe/London
/system identity
set name=The-Gate-New
/system note
set show-at-login=no

{MISSING AND ADDED}
/ip neighbor discovery-settings
set discover-interface-list=Trusted
/tool mac-server
set allowed-interface-list=none
/tool mac-server mac-winbox
set allowed-interface-list=Trusted
 
Guscht
Member Candidate
Posts: 274
Joined: Thu Jul 01, 2010 5:32 pm

Re: DMZ Pinhole

Sun Feb 09, 2025 6:47 pm

In firewall -> filter (forward-chain):
create new rule: in interface "G4", source ip: 172.16.24.8, destination ip: 172.16.23.4, destination port: 3493 (I assume tcp, but could be udp as well).
action: accept

place this rule logically above any rule, that would prevent this connection. The first rule (top to bottom) will match.
 
andy2605
just joined
Topic Author
Posts: 14
Joined: Wed Jan 15, 2025 12:09 pm

Re: DMZ Pinhole

Sun Feb 09, 2025 7:27 pm

Thanks for the reply
My intentions are

Main VLAN has access to everything
DMZ - WAN
IoT - DMZ & WAN
SCS-Wireless & SCS-Workshop - WAN

Wireguard VPN for up to 10 clients access to the file storage on the Main VLAN as well as remote access to servers on DMZ
 
anav
Forum Guru
Posts: 22520
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: DMZ Pinhole

Sun Feb 09, 2025 8:31 pm

So it's fair to say you have two types of VPN users.
A. admin ( lets say two-five devices )
B. others who need remote access to main and DMZ only.

RESULT. All the changes I've made above stand, except for some finessing of forward chain filter rules and a slight modification to Wireguard.
We will give the wireguard interface two addresses, one for the admin to use the current one! , and a new one for the rest of the users for DMZ access etc.....

++++++++++++++++++++

/interface list
add name=WG-to-LAN
/interface list member
add interface=Main_VLAN list=WG-to-LAN
add interface=DMZ_VLAN list=WG-to-LAN
/ip address
add address=172.16.30.1/29 interface=wireguard1 network=172.16.30.0 comment="five useable IPs for admin devices"
add address=172.16.40.1/28 interface=wireguard1 network=172.16.40.0 comment="thirteen usable IPs for users"

/ip firewall address-list
add address=172.16.23.X/32 list=Authorized comment="admin desktop"
add address=172.16.23.Y/32 list=Authorized comment="admin laptop"
add address=172.16.23.Z/32 list=Authorized comment="admin smartphone/ipad"
add address=172.16.30.2/32 list=Authorized comment="remote admin laptop"
add address=172.16.30.3/32 list=Authorized comment="remote admin smartphone/ipad"
/ip firewall filter
add action=accept chain=input comment=\
"defconf: accept established,related,untracked" connection-state=\
established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment=\
"defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=accept chain=input comment="allow Wireguard" dst-port=9874 \
protocol=udp
add action=accept chain=input comment="admin access" in-interface-list=Trusted src-address-list=Authorized
add action=accept chain=input dst-port=53 in-interface-list=LAN protocol=tcp comment="users to services"
add action=accept chain=input dst-port=53 in-interface-list=LAN protocol=udp comment="users to services"
add action=drop chain=input comment="drop all else"

+++++++++++++++++++++++++++++++++++++++++++++++
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
connection-state=established,related hw-offload=yes
add action=accept chain=forward comment=\
"defconf: accept established,related, untracked" connection-state=\
established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid

add action=accept chain=forward comment="internet traffic" in-interface-list=LAN out-interface-list=WAN src-address=!172.16.40.0/28
add action=accept chain=forward in-interface-list=Trusted src-address-list=Authorized out-interface-list=LAN comment="admin to ALL"
add action=accept chain=forward in-interface=Main_VLAN src-address=172.16.23.0/24 out-interface-list=LAN comment="main to ALL"
add action=accept chain=forward in-interface=IoT_VLAN src-address=172.16.50.0/24 dst-address=172.16.24.0/28 comment="iot to DMZ"
add action=accept chain=forward in-interface=wireguard1 src-address=172.16.40.0/28 out-interface-list=WG-to-LAN comment="wg users to Main and DMZ"
add action=accept chain=forward comment="port forwarding" connection-nat-state=dstnat
add action=drop chain=forward comment="drop all else"

explanation
- we allow traffic from all vlans (main,iot,dmz,scs), and wireguard remote admin, to the internet -> except we don't allow other wireguard users.
- we allow admin to all vlans
- we allow all main users to all vlans
- we allow iot users to dmz subnet
- we allow wireguard1 users to Main and DMZ subnet
- we allow port forwarding
- we drop all else.
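Added example, not from the thread or from MikroTik: a small Python simulation of RouterOS first-match evaluation over the forward chain anav posted above, checked against the access matrix andy stated, with the NUT pinhole from the opening post (written as Guscht described it) inserted above "drop all else" to show that rule position decides whether the DMZ server reaches the Pi. Interface names, lists and subnets are the thread's; the Authorized addresses are constructed stand-ins for the 172.16.23.X/Y/Z placeholders.

```python
"""First-match simulation of the forward chain posted above (added example, not from the thread)."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

# Interface lists as anav assigned them: LAN is every VLAN plus wireguard1.
LISTS = {
    "WAN": {"ether1", "PlusNet Full Fibre"},
    "LAN": {"Main_VLAN", "DMZ_VLAN", "IoT_VLAN", "SCS-Wireless_VLAN",
            "SCS_Workshop_VLAN", "wireguard1"},
    "Trusted": {"Main_VLAN", "wireguard1"},
    "WG-to-LAN": {"Main_VLAN", "DMZ_VLAN"},
}
# Constructed stand-ins for the 172.16.23.X/Y/Z admin placeholders in the thread.
ADDRESS_LISTS = {"Authorized": {"172.16.23.101", "172.16.30.2", "172.16.30.3"}}

@dataclass
class Packet:
    in_iface: str
    out_iface: str
    src: str
    dst: str
    proto: str = "tcp"
    dport: int = 0
    state: str = "new"    # new | established | related | untracked | invalid
    nat_state: str = ""   # "dstnat" once a dstnat rule has rewritten the packet

@dataclass
class Rule:
    action: str
    comment: str = ""
    in_list: Optional[str] = None
    out_list: Optional[str] = None
    in_iface: Optional[str] = None
    src: Optional[str] = None     # CIDR; a leading "!" negates, as in RouterOS
    dst: Optional[str] = None
    src_list: Optional[str] = None
    proto: Optional[str] = None
    dport: Optional[int] = None
    states: Optional[frozenset] = None
    nat_state: Optional[str] = None

def cidr_match(spec: Optional[str], addr: str) -> bool:
    """Unset matcher matches everything; "!net" matches addresses outside net."""
    if spec is None:
        return True
    negate = spec.startswith("!")
    inside = ip_address(addr) in ip_network(spec.lstrip("!"), strict=False)
    return inside != negate

def matches(rule: Rule, pkt: Packet) -> bool:
    return all((
        rule.in_list is None or pkt.in_iface in LISTS[rule.in_list],
        rule.out_list is None or pkt.out_iface in LISTS[rule.out_list],
        rule.in_iface is None or pkt.in_iface == rule.in_iface,
        cidr_match(rule.src, pkt.src),
        cidr_match(rule.dst, pkt.dst),
        rule.src_list is None or pkt.src in ADDRESS_LISTS[rule.src_list],
        rule.proto is None or pkt.proto == rule.proto,
        rule.dport is None or pkt.dport == rule.dport,
        rule.states is None or pkt.state in rule.states,
        rule.nat_state is None or pkt.nat_state == rule.nat_state,
    ))

def evaluate(chain, pkt: Packet):
    """(action, comment) of the first terminating match. fasttrack-connection only
    marks the connection and lets the packet fall through, which is why defconf
    pairs it with an accept for the same states."""
    for rule in chain:
        if matches(rule, pkt) and rule.action != "fasttrack-connection":
            return rule.action, rule.comment
    return "accept", "fell off the end of the chain: no drop-all rule"

ER = frozenset({"established", "related"})
FORWARD = [  # anav's final forward chain, in posted order
    Rule("fasttrack-connection", "defconf: fasttrack", states=ER),
    Rule("accept", "defconf: accept established,related,untracked", states=ER | {"untracked"}),
    Rule("drop", "defconf: drop invalid", states=frozenset({"invalid"})),
    Rule("accept", "internet traffic", in_list="LAN", out_list="WAN", src="!172.16.40.0/28"),
    Rule("accept", "admin to ALL", in_list="Trusted", src_list="Authorized", out_list="LAN"),
    Rule("accept", "main to ALL", in_iface="Main_VLAN", src="172.16.23.0/24", out_list="LAN"),
    Rule("accept", "iot to DMZ", in_iface="IoT_VLAN", src="172.16.50.0/24", dst="172.16.24.0/28"),
    Rule("accept", "wg users to Main and DMZ", in_iface="wireguard1", src="172.16.40.0/28",
         out_list="WG-to-LAN"),
    Rule("accept", "port forwarding", nat_state="dstnat"),
    Rule("drop", "drop all else"),
]
# The pinhole from the opening post, as Guscht described it (NUT is TCP 3493).
NUT_PINHOLE = Rule("accept", "nut client to pi", in_iface="DMZ_VLAN", src="172.16.24.8/32",
                   dst="172.16.23.4/32", proto="tcp", dport=3493)

def with_pinhole(chain):
    """Insert the pinhole just above the final drop; appended after it, it never matches."""
    return chain[:-1] + [NUT_PINHOLE, chain[-1]]
```

Without the pinhole the chain as posted drops the NUT client's connection to the Pi, because andy's stated matrix gives the DMZ access to the WAN only.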
 
andy2605
just joined
Topic Author
Posts: 14
Joined: Wed Jan 15, 2025 12:09 pm

Re: DMZ Pinhole

Sun Feb 09, 2025 11:05 pm

Thank you for your patience and help with getting this setup.
 
anav
Forum Guru
Posts: 22520
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: DMZ Pinhole

Sun Feb 09, 2025 11:10 pm

No worries, at some point it turns into fun and rewarding!
By the way, the more you learn and know, the more you realize you don't know. :-)
 
andy2605
just joined
Topic Author
Posts: 14
Joined: Wed Jan 15, 2025 12:09 pm

Re: DMZ Pinhole

Sun Feb 09, 2025 11:13 pm

Apart from this forum are there any decent books or online courses to learn more about ROS? I have found that the Mikrotik documentation is as clear as mud normally.
 
anav
Forum Guru
Posts: 22520
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: DMZ Pinhole

Mon Feb 10, 2025 12:56 am