Nollitik
Member Candidate
Topic Author
Posts: 257
Joined: Tue Dec 07, 2010 8:16 am

Firewall Rule

Mon Jan 17, 2022 7:57 pm

Here is a diagram of my setup below:
Screen Shot 2022-01-17 at 11.44.12 AM.png
Is this forward rule (12) I have added correct? When I ping the DMZ I get a timeout.
[admin@NolliTik] > /ip/firewall export
# jan/17/2022 11:50:26 by RouterOS 7.1
# software id = 33B2-XGBT
#
# model = RB450Gx4
# serial number = ADBA0ACE537B
/ip firewall address-list
add address=10.0.8.0/24 list=nolliLAN-management
add address=10.8.27.0/24 list=DMZPBX
/ip firewall filter
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=input src-address-list=nolliLAN-management
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment="defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=drop chain=input comment="defconf: drop all not coming from LAN" in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related hw-offload=yes
add action=accept chain=forward comment="defconf: accept established,related, untracked" connection-state=established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=forward comment="Allow admin to manage DMZ" dst-address-list=DMZPBX src-address-list=nolliLAN-management
add action=drop chain=forward comment="defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat connection-state=new in-interface-list=WAN
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" ipsec-policy=out,none out-interface-list=WAN
[admin@NolliTik] > ping 10.8.27.9
SEQ HOST SIZE TTL TIME STATUS
0 10.8.27.9 timeout
1 10.8.27.9 timeout
2 10.8.27.9 timeout
3 10.8.27.9 timeout
4 10.8.27.9 timeout
5 10.8.27.9 timeout
6 10.8.27.9 timeout
sent=7 received=0 packet-loss=100%
[admin@NolliTik] >
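As an added example (not code from the post above and not anything MikroTik ships), here is a small Python evaluator that parses the export listing from the post and walks the filter rules first-match, in export order, the way RouterOS does. It shows three things a reader of the thread would want to check: a new LAN-to-DMZ packet from 10.0.8.0/24 reaches the "Allow admin to manage DMZ" rule (index 11 in export order, which is the 0-based number `/ip firewall filter print` displays); the same packet is still accepted if that rule is removed, because the defconf forward chain has no final drop for LAN-sourced traffic and a RouterOS chain that runs out of rules accepts; and a ping typed at the router's own console is locally originated, so it traverses the output chain (empty here) rather than forward. The packet descriptions, the router's assumed 192.168.1.2 WAN-side address and the 203.0.113.7 Internet source are constructed for the example. The evaluator models only the matchers that appear in this export and ignores NAT, routing and interface-list membership, so it says which rule decides a packet, not why the real ping times out.

```python
"""Toy first-match evaluator for a RouterOS `/ip firewall export` listing.

Added example for this thread; models only the matchers present in the export
and nothing else (no NAT, no routing, no interface-list lookup).
"""
import ipaddress
import shlex

# Copy of the filter export from the post (address lists and filter rules only).
EXPORT = """\
/ip firewall address-list
add address=10.0.8.0/24 list=nolliLAN-management
add address=10.8.27.0/24 list=DMZPBX
/ip firewall filter
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=input src-address-list=nolliLAN-management
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment="defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=drop chain=input comment="defconf: drop all not coming from LAN" in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related hw-offload=yes
add action=accept chain=forward comment="defconf: accept established,related, untracked" connection-state=established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=forward comment="Allow admin to manage DMZ" dst-address-list=DMZPBX src-address-list=nolliLAN-management
add action=drop chain=forward comment="defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat connection-state=new in-interface-list=WAN
"""


def parse_export(text):
    """Return (address_lists, filter_rules) from an export listing.

    address_lists maps list name -> [ip_network, ...]; filter_rules is the
    list of rule dicts in file order, which is RouterOS evaluation order.
    """
    lists, rules, section = {}, [], None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("/"):
            section = line
        elif line.startswith("add "):
            # shlex keeps a quoted value such as comment="a b c" as one token
            kv = dict(tok.split("=", 1) for tok in shlex.split(line[4:]))
            if section == "/ip firewall address-list":
                lists.setdefault(kv["list"], []).append(
                    ipaddress.ip_network(kv["address"], strict=False))
            elif section == "/ip firewall filter":
                rules.append(kv)
    return lists, rules


def _negatable(value, test):
    """A leading '!' negates a RouterOS matcher value."""
    return not test(value[1:]) if value.startswith("!") else test(value)


def rule_matches(rule, pkt, lists):
    """True if every matcher present in `rule` is satisfied by packet dict `pkt`.
    Keys that are not matchers (action, comment, hw-offload) are skipped; a
    matcher this toy does not know would also be skipped, so keep the set below
    in sync with the export being evaluated."""
    def in_list(name, addr):
        return any(ipaddress.ip_address(addr) in net for net in lists.get(name, []))
    checks = {
        "chain": lambda v: v == pkt["chain"],
        "connection-state": lambda v: pkt.get("state") in v.split(","),
        "connection-nat-state": lambda v: _negatable(v, lambda s: pkt.get("nat_state") == s),
        "in-interface-list": lambda v: _negatable(v, lambda s: pkt.get("in_list") == s),
        "src-address-list": lambda v: _negatable(v, lambda s: in_list(s, pkt["src"])),
        "dst-address-list": lambda v: _negatable(v, lambda s: in_list(s, pkt["dst"])),
        "protocol": lambda v: v == pkt.get("proto"),
        "dst-address": lambda v: ipaddress.ip_address(pkt["dst"]) in ipaddress.ip_network(v),
        "ipsec-policy": lambda v: pkt.get("ipsec", False),  # no IPsec policies in this setup
    }
    return all(checks[k](v) for k, v in rule.items() if k in checks)


TERMINAL = {"accept", "drop", "reject"}


def evaluate(chain, pkt, lists, rules):
    """Walk `chain` first-match; return (verdict, 0-based rule index or None, comment).
    fasttrack-connection is a passthrough action, so the packet keeps walking
    after it matches; an exhausted chain is accepted, the RouterOS default."""
    pkt = dict(pkt, chain=chain)
    for idx, rule in enumerate(rules):
        if rule_matches(rule, pkt, lists) and rule["action"] in TERMINAL:
            return rule["action"], idx, rule.get("comment", "")
    return "accept", None, "end of chain (RouterOS default accept)"


def without_rule(rules, comment):
    """Rules with the rule carrying `comment` removed, to test its effect."""
    return [r for r in rules if r.get("comment") != comment]


LISTS, RULES = parse_export(EXPORT)
# Constructed packets: a LAN host pinging the PBX, an Internet host hitting the
# DMZ with no dst-nat, and the router's own console ping (assumed WAN-side
# address 192.168.1.2), which is locally originated and uses the output chain.
LAN_TO_DMZ = {"src": "10.0.8.5", "dst": "10.8.27.9", "proto": "icmp", "state": "new", "in_list": "LAN"}
WAN_TO_DMZ = {"src": "203.0.113.7", "dst": "10.8.27.9", "proto": "tcp", "state": "new", "in_list": "WAN"}
ROUTER_PING = {"src": "192.168.1.2", "dst": "10.8.27.9", "proto": "icmp", "state": "new"}

if __name__ == "__main__":
    print("LAN->DMZ        ", evaluate("forward", LAN_TO_DMZ, LISTS, RULES))
    print("same, rule gone ", evaluate("forward", LAN_TO_DMZ, LISTS, without_rule(RULES, "Allow admin to manage DMZ")))
    print("router's ping   ", evaluate("output", ROUTER_PING, LISTS, RULES))
    print("WAN->DMZ new    ", evaluate("forward", WAN_TO_DMZ, LISTS, RULES))
```

The design point worth keeping from this: because the defconf forward chain only drops invalid traffic and new, non-dst-natted traffic arriving from the WAN list, an explicit LAN-to-DMZ accept changes nothing until a final `drop` is appended to the forward chain; and the console ping never touches forward at all, so a timeout there has to be explained by the output chain, NAT or the route back from the DMZ, not by rule 12.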
 
woland
Member Candidate
Posts: 258
Joined: Mon Aug 16, 2021 4:49 pm

Re: Firewall Rule

Mon Jan 17, 2022 9:00 pm

Hi,

I would say (but of course lots of details are missing) this is what you are missing: remove NAT from the MikroTik box and check routing on the pfSense box, so that it has a static route for your 10.0.8.0/24 network to the MikroTik box IP. Of course give the MikroTik a static IP from 192.168.1.x.
Don't forget to give the MikroTik a default route to the pfSense box.
BR
Woland
 
Jotne
Forum Guru
Posts: 3297
Joined: Sat Dec 24, 2016 11:17 am
Location: Magrathean

Re: Firewall Rule

Mon Jan 17, 2022 9:50 pm

Why do you need the pfSense box? MikroTik can do it all.
 
woland
Member Candidate
Posts: 258
Joined: Mon Aug 16, 2021 4:49 pm

Re: Firewall Rule

Mon Jan 17, 2022 10:37 pm

Jotne wrote:
Why do you need the pfSense box? MikroTik can do it all.

Hi Jotne!
I learned to love MikroTik, but just to name a few features pfSense (or OPNsense) has:
IPS, extensive DNS blacklisting support (no need to write a script), full BIND and Unbound, a full proxy, can be used as a load balancer ...
https://www.netgate.com/pfsense-features#get-to-know https://opnsense.org/about/features/

MikroTik is not a full next-gen firewall; both of those open-source projects come somewhat closer.
I think if MikroTik released the same features as a specialized FW vendor, we would need to pay at least 10x as much for the boxes.

BR

Woland
 
Jotne
Forum Guru
Posts: 3297
Joined: Sat Dec 24, 2016 11:17 am
Location: Magrathean

Re: Firewall Rule

Mon Jan 17, 2022 10:53 pm

You can put pfSense behind MikroTik and let the MikroTik be the main router.
I do use HAProxy as a reverse proxy for many websites placed behind the MikroTik.

If you NAT in both pfSense and MikroTik, I suggest that you remove NAT in the second device and use MikroTik without NAT.
 
Nollitik
Member Candidate
Topic Author
Posts: 257
Joined: Tue Dec 07, 2010 8:16 am

Re: Firewall Rule

Mon Jan 17, 2022 11:31 pm

woland wrote:
Hi,

I would say (but of course lots of details are missing) this is what you are missing: remove NAT from the MikroTik box and check routing on the pfSense box, so that it has a static route for your 10.0.8.0/24 network to the MikroTik box IP. Of course give the MikroTik a static IP from 192.168.1.x.
Don't forget to give the MikroTik a default route to the pfSense box.
BR
Woland

Thanks for chiming in. I think something is wrong with my ESXi box, since I can ping the DMZ IP from my laptop behind the MikroTik without removing NAT.
The ESXi box is turned on, but I don't have my monitor, as I lent it out, so I can't see what's happening... I'll follow up in a few days when my monitor returns.
 
Nollitik
Member Candidate
Topic Author
Posts: 257
Joined: Tue Dec 07, 2010 8:16 am

Re: Firewall Rule

Mon Jan 17, 2022 11:41 pm

Jotne wrote:
Why do you need the pfSense box? MikroTik can do it all.

It is much easier to run IPS/IDS on pfSense than on MikroTik, that's why! On pfSense, I have Suricata on WAN as well as Snort on LAN.
Another great package is pfBlockerNG. So, why can't I like both platforms? MikroTik is my LAN's gatekeeper.
 
anav
Forum Guru
Posts: 19323
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Firewall Rule

Mon Jan 17, 2022 11:59 pm

Yes, IDS/IPS is not an MT thing.....
You must be protecting the king of some nation with all that security, what are you hiding LOL
 
Nollitik
Member Candidate
Topic Author
Posts: 257
Joined: Tue Dec 07, 2010 8:16 am

Re: Firewall Rule

Tue Jan 18, 2022 6:17 am

anav wrote:
Yes, IDS/IPS is not an MT thing.....
You must be protecting the king of some nation with all that security, what are you hiding LOL

My privacy... LOL. The real answer is I got into networking when I purchased my RB450G and was fascinated with MikroTik... that was fourteen years ago.
Then I discovered pfSense and IPS/IDS... and was even more fascinated. Then one day I found an HP desktop sitting on the ground next to the trash dumpster.
I figured it was still good since they didn't throw it in the dumpster; so I took it home, it was good, and I souped it up for a pfSense box... that was 2016.
I then learned pfSense as well as IDS/IPS, and when I was proficient, gave the HP away and converted my Mac Mini Server 2011 to a pfSense box. Then
last year, I upgraded my network to a Lenovo M93 with 32 GB RAM and dual RAID ZFS SSDs as the pfSense WAN king and a MikroTik RB450x4 as the LAN king.
I really like both platforms.
 
anav
Forum Guru
Posts: 19323
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Firewall Rule

Tue Jan 18, 2022 5:20 pm

How do IDS and IPS work? Are they applied to traffic flowing out, originating on the LAN and going out to the internet,
OR to
traffic originated from external sources heading to the LAN,
OR
return external-to-LAN traffic?
 
Nollitik
Member Candidate
Topic Author
Posts: 257
Joined: Tue Dec 07, 2010 8:16 am

Re: Firewall Rule

Tue Jan 18, 2022 9:59 pm

anav wrote:
How do IDS and IPS work? Are they applied to traffic flowing out, originating on the LAN and going out to the internet,
OR to
traffic originated from external sources heading to the LAN,
OR
return external-to-LAN traffic?

Yes, I agree... that's why I have Suricata on WAN (inline mode) for traffic that didn't originate from the LAN, to reduce the burden on my firewall and eliminate it at the NIC.
Then I have Snort on LAN (inline mode) to take care of the outgoing flow, since it has OpenAppID detection.
Disclaimer: my setup is not approved nor recommended by the package maintainer (he does both) on pfSense, and I don't use rule duplication... the rules I use in Suricata are not the same rules I use in Snort... I keep them separate and different. I have been using this setup since 2016 and have had no problems.
I just don't go around recommending it for others, despite it working very well for me. That's why I like the default MikroTik firewall connection state for my LAN.
I also like the overkill, just for fun. 8)
