deveth0
just joined
Topic Author
Posts: 6
Joined: Thu Jan 20, 2022 6:19 pm

Some VLAN related firewall questions

Sat Jan 22, 2022 1:48 am

Hey all,

first of all, I wanna thank you for your awesome work in this forum, especially those threads where the author posts a final working config are really, really helpful.

I purchased an RB5009 a few weeks ago and finally found some time to tinker with it. I plan to replace my Ubiquiti USG with the RB and sadly I need to do some double-NAT stuff because I have a Fritzbox from my provider, but never mind, that worked so far...
Furthermore there is an 8-port Ubiquiti switch plus an AP Pro in my living room and a CRS305 in my office (my first MikroTik device, now I'm hooked...)

Right now I want 5 VLANs, 3 of those are for Wifi (IoT, Guest, Home), one management and the normal LAN.

#######################################
# VLAN Overview
#######################################

# 10 = LAN - 10.0.9.1/24
# 20 = WLAN - 10.0.20.1/24
# 30 = Guest WLAN - 10.0.30.1/24
# 50 = IoT - 10.0.50.1/24
# 99 = MGMT VLAN - 192.168.99.1/24

#######################################
# Port Overview
#######################################

# ether1 - Access port VLAN 10
# ether2 - Access port VLAN 10
# ether3 - Access port VLAN 10
# ether4 - Access port VLAN 10
# ether5 - HP ILOM, VLAN 99
# ether6 - Management Interface, VLAN 99
# ether7 - Trunk to Switch in Living Space
# ether8 - WAN Interface, DHCP Client
# sfp-sfpplus1 - Trunk to CRS305
# lte1 - USB LTE fallback

So far I'm confident that my VLAN configs are correct, I used this thread as baseline and combined it with @pcunite 's tutorials.

Currently I'm struggling a bit with the firewall rules and would appreciate some feedback. All VLANs except the IoT one need internet access, only a single IoT device right now should be enabled. Furthermore I want to allow all LAN devices to access the WLAN and IoT devices (vice versa for WLAN devices). The Guest WLAN should be completely isolated.
The WebUI (192.168.99.1) should only be accessible from the Management VLAN.

Is there any shortcut to prevent any other VLANs from accessing the WebUI, right now it's accessible on all gateway IPs? Furthermore I ask myself if I'm missing something with the other rules, it seems to be too easy oO.

/ip firewall filter

##################
# INPUT CHAIN
##################

add chain=input action=accept comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add chain=input action=drop comment="defconf: drop invalid" connection-state=invalid
add chain=input action=accept comment="defconf: accept ICMP" protocol=icmp
add chain=input action=drop comment="defconf: drop all not coming from VLAN" in-interface-list=!VLAN

##################
# FORWARD CHAIN
##################


add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related
add chain=forward action=accept connection-state=established,related comment="Allow Estab & Related"

## Some communication between VLANs
add chain=forward action=accept in-interface=Corporate_VLAN out-interface=WLAN_VLAN comment="Corporate => WLAN"
add chain=forward action=accept in-interface=WLAN_VLAN out-interface=Corporate_VLAN comment="WLAN => Corporate"
add chain=forward action=accept in-interface=Corporate_VLAN out-interface=IoT_VLAN comment="Corporate => IoT"
add chain=forward action=accept in-interface=WLAN_VLAN out-interface=IoT_VLAN comment="WLAN => IoT"

## Allow internet access for specific IoT Devices only
add chain=forward action=accept out-interface-list=WAN src-mac-address=2C:F4:32:16:02:F

## Allow IoT Devices to access MQTT Gateway
add chain=forward action=accept dst-address=10.0.9.17 dst-port=1883 in-interface=IoT_VLAN protocol=tcp

## Drop all other IoT traffic (the S in IoT means security...)
add chain=forward action=drop in-interface=IoT_VLAN out-interface-list=WAN

## Allow internet access for all other VLANs
add chain=forward action=accept connection-state=new in-interface-list=VLAN out-interface-list=WAN comment="VLAN Internet Access"

add chain=forward action=drop comment="Drop"

##################
# NAT
##################
/ip firewall nat add chain=srcnat action=masquerade ipsec-policy=out,none out-interface-list=WAN comment="Default masquerade"

Generally this is my first MikroTik RouterOS device, therefore any input on anything you'd change is helpful, thank you so much!

######################################################
######################################################
####
#### RB5009 Configuration
####
####
######################################################
######################################################


#######################################
# VLAN Overview
#######################################

# 10 = LAN - 10.0.9.1/24
# 20 = WLAN - 10.0.20.1/24
# 30 = Guest WLAN - 10.0.30.1/24
# 50 = IoT - 10.0.50.1/24
# 99 = MGMT VLAN - 192.168.99.1/24

#######################################
# Port Overview
#######################################

# ether1 - Access port VLAN 10
# ether2 - Access port VLAN 10
# ether3 - Access port VLAN 10
# ether4 - Access port VLAN 10
# ether5 - HP ILOM, VLAN 99
# ether6 - Management Interface, VLAN 99
# ether7 - Trunk to Switch in Living Space
# ether8 - WAN Interface, DHCP Client
# sfp-sfpplus1 - Trunk to CRS305
# lte1 -

######################################################
####                                              ####
####              System Configuration            ####
####                                              ####
######################################################

/system clock
set time-zone-name=Europe/Berlin

/system identity
set name=rb5009

/ip ssh
set always-allow-password-login=yes

######################################################
####                                              ####
####                 Create Bridge                ####
####                                              ####
######################################################

/interface bridge
add name=BR1 vlan-filtering=yes

/interface bridge port

add bridge=BR1 interface=ether1 pvid=10
add bridge=BR1 interface=ether2 pvid=10
add bridge=BR1 interface=ether3 pvid=10
add bridge=BR1 interface=ether4 pvid=10
add bridge=BR1 interface=ether5 comment="ILOM" pvid=99
add bridge=BR1 interface=ether6 comment="Management Port" pvid=99
add bridge=BR1 interface=ether7 comment="Trunk Living Room"
add bridge=BR1 interface=sfp-sfpplus1 comment="Trunk CRS305"

/interface bridge vlan
add bridge=BR1 tagged=BR1,ether6,ether7,sfp-sfpplus1 vlan-ids=10 comment="LAN"
add bridge=BR1 tagged=BR1,ether6,ether7,sfp-sfpplus1 vlan-ids=20 comment="WLAN"
add bridge=BR1 tagged=BR1,ether6,ether7,sfp-sfpplus1 vlan-ids=30 comment="Guest VLAN"
add bridge=BR1 tagged=BR1,ether6,ether7,sfp-sfpplus1 vlan-ids=50 comment="IoT VLAN"
add bridge=BR1 tagged=BR1,ether7,sfp-sfpplus1 untagged=ether5,ether6 vlan-ids=99 comment="Mgmt VLAN"


######################################################
####                                              ####
####           Configure WAN Networking           ####
####                                              ####
######################################################

/ip dhcp-client
add comment=WAN interface=ether8


######################################################
####                                              ####
####                  LAN Network                 ####
####                                              ####
######################################################

/interface vlan
add interface=BR1 name=Corporate_VLAN vlan-id=10

/ip address
add interface=Corporate_VLAN address=10.0.9.1/24

/ip pool
add name=Corporate_POOL ranges=10.0.9.20-10.0.9.200 comment="Corporate Pool"

/ip dhcp-server
add address-pool=Corporate_POOL interface=Corporate_VLAN name=Corporate_DHCP disabled=no

/ip dhcp-server network
add address=10.0.9.0/24 dns-server=10.0.9.1 gateway=10.0.9.1


######################################################
####                                              ####
####                 WLAN Network                 ####
####                                              ####
######################################################

/interface vlan
add interface=BR1 name=WLAN_VLAN vlan-id=20

/ip address
add interface=WLAN_VLAN address=10.0.20.1/24

/ip pool
add name=WLAN_POOL ranges=10.0.20.20-10.0.20.200 comment="WLAN Pool"

/ip dhcp-server
add address-pool=WLAN_POOL interface=WLAN_VLAN name=WLAN_DHCP disabled=no

/ip dhcp-server network
add address=10.0.20.0/24 dns-server=10.0.20.1 gateway=10.0.20.1


######################################################
####                                              ####
####             Guest WLAN Network               ####
####                                              ####
######################################################

/interface vlan
add interface=BR1 name=Guest_VLAN vlan-id=30

/ip address
add interface=Guest_VLAN address=10.0.30.1/24

/ip pool
add name=Guest_POOL ranges=10.0.30.20-10.0.30.200 comment="Guest WLAN Pool"

/ip dhcp-server
add address-pool=Guest_POOL interface=Guest_VLAN name=Guest_DHCP disabled=no

/ip dhcp-server network
add address=10.0.30.0/24 dns-server=10.0.30.1 gateway=10.0.30.1


######################################################
####                                              ####
####              IoT WLAN Network                ####
####                                              ####
######################################################

/interface vlan
add interface=BR1 name=IoT_VLAN vlan-id=50

/ip address
add interface=IoT_VLAN address=10.0.50.1/24

/ip pool
add name=IoT_POOL ranges=10.0.50.20-10.0.50.200 comment="IoT WLAN Pool"

/ip dhcp-server
add address-pool=IoT_POOL interface=IoT_VLAN name=IoT_DHCP disabled=no

/ip dhcp-server network
add address=10.0.50.0/24 dns-server=10.0.50.1 gateway=10.0.50.1


######################################################
####                                              ####
####              Management Network              ####
####                                              ####
######################################################

/interface vlan
add interface=BR1 name=Mgmt_VLAN vlan-id=99

/ip address
add interface=Mgmt_VLAN address=192.168.99.1/24

/ip pool
add name=Mgmt_POOL ranges=192.168.99.11-192.168.99.50 comment="Mgmt Pool"

/ip dhcp-server
add address-pool=Mgmt_POOL interface=Mgmt_VLAN name=Mgmt_DHCP disabled=no

/ip dhcp-server network
add address=192.168.99.0/24 dns-server=192.168.99.1 gateway=192.168.99.1



######################################################
####                                              ####
####                Configure DNS                 ####
####                                              ####
######################################################

/ip dns
set servers=9.9.9.9,8.8.8.8,1.1.1.1,1.0.0.1,4.2.2.2
set allow-remote-requests=yes


######################################################
####                                              ####
####               Interface List                 ####
####                                              ####
######################################################

/interface list
add name=VLAN comment="VLAN Interfaces"
add name=MGMT comment="MGMT Interfaces"
add name=WAN comment="WAN Interfaces"

/interface list member
add interface=lte1              list=WAN
add interface=ether8            list=WAN

add interface=Mgmt_VLAN         list=VLAN
add interface=Corporate_VLAN    list=VLAN
add interface=WLAN_VLAN         list=VLAN
add interface=IoT_VLAN          list=VLAN

add interface=Mgmt_VLAN         list=MGMT


######################################################
####                                              ####
####                   Firewall                   ####
####                                              ####
######################################################

/ip firewall filter

##################
# INPUT CHAIN
##################

add chain=input action=accept comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add chain=input action=drop comment="defconf: drop invalid" connection-state=invalid
add chain=input action=accept comment="defconf: accept ICMP" protocol=icmp
add chain=input action=drop comment="defconf: drop all not coming from VLAN" in-interface-list=!VLAN

##################
# FORWARD CHAIN
##################


add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related
add chain=forward action=accept connection-state=established,related comment="Allow Estab & Related"

## Some communication between VLANs
add chain=forward action=accept in-interface=Corporate_VLAN out-interface=WLAN_VLAN comment="Corporate => WLAN"
add chain=forward action=accept in-interface=WLAN_VLAN out-interface=Corporate_VLAN comment="WLAN => Corporate"
add chain=forward action=accept in-interface=Corporate_VLAN out-interface=IoT_VLAN comment="Corporate => IoT"
add chain=forward action=accept in-interface=WLAN_VLAN out-interface=IoT_VLAN comment="WLAN => IoT"

## Allow internet access for specific IoT Devices only
add chain=forward action=accept out-interface-list=WAN src-mac-address=2C:F4:32:16:02:F

## Allow IoT Devices to access MQTT Gateway
add chain=forward action=accept dst-address=10.0.9.17 dst-port=1883 in-interface=IoT_VLAN protocol=tcp

## Drop all other IoT traffic (the S in IoT means security...)
add chain=forward action=drop in-interface=IoT_VLAN out-interface-list=WAN

## Allow internet access for all other VLANs
add chain=forward action=accept connection-state=new in-interface-list=VLAN out-interface-list=WAN comment="VLAN Internet Access"

add chain=forward action=drop comment="Drop"

##################
# NAT
##################
/ip firewall nat add chain=srcnat action=masquerade ipsec-policy=out,none out-interface-list=WAN comment="Default masquerade"


#######################################
# VLAN Security
#######################################

# Only allow ingress packets without tags on Access Ports
/interface bridge port
set bridge=BR1 ingress-filtering=yes frame-types=admit-only-untagged-and-priority-tagged [find interface=ether1]
set bridge=BR1 ingress-filtering=yes frame-types=admit-only-untagged-and-priority-tagged [find interface=ether2]
set bridge=BR1 ingress-filtering=yes frame-types=admit-only-untagged-and-priority-tagged [find interface=ether3]
set bridge=BR1 ingress-filtering=yes frame-types=admit-only-untagged-and-priority-tagged [find interface=ether4]

# Only allow ingress packets WITH tags on Trunk Ports
set bridge=BR1 ingress-filtering=yes frame-types=admit-only-vlan-tagged [find interface=ether7]
set bridge=BR1 ingress-filtering=yes frame-types=admit-only-vlan-tagged [find interface=sfp-sfpplus1]

#######################################
# MAC Server settings
#######################################
# Ensure only visibility and availability from Mgmt_VLAN
/tool mac-server mac-winbox set allowed-interface-list=MGMT
/tool mac-server set allowed-interface-list=MGMT




Sob
Forum Guru
Posts: 9119
Joined: Mon Apr 20, 2009 9:11 pm

Re: Some VLAN related firewall questions

Mon Jan 24, 2022 12:26 am

Is there any shortcut to prevent any other VLANs from accessing the WebUI, right now it's accessible on all gateway IPs?
Do the same as you have in chain=forward, add unconditional drop at the end of chain=input, and allow what should be accessible before it (don't add the drop until you allow access for yourself, to not lock yourself out). So if you want WebFig accessible only from management VLAN, then allow it from there (in-interface=Mgmt_VLAN) and it will be automatically blocked from everywhere else.
anav
Forum Guru
Posts: 19099
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Some VLAN related firewall questions

Mon Jan 24, 2022 12:48 am

Read through this for some ideas.......
viewtopic.php?t=180838
deveth0
just joined
Topic Author
Posts: 6
Joined: Thu Jan 20, 2022 6:19 pm

Re: Some VLAN related firewall questions

Tue Jan 25, 2022 9:33 am

Hey, I did not notice that my post was approved and I already got answers, thank you!

@Sob ok, that's what I thought, I hoped for something like the
/tool mac-server set allowed-interface-list=MGMT
command :)

@anav no clue how I could miss this post, I'll dig through it right away!


Here we go, updated INPUT chain, now restricting a lot more and allowing only specific traffic.

/ip firewall filter

##################
# INPUT CHAIN
##################

add chain=input action=accept comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add chain=input action=drop comment="defconf: drop invalid" connection-state=invalid
add chain=input action=accept comment="defconf: accept ICMP" protocol=icmp

add chain=input action=accept in-interface=Corporate_VLAN connection-state=new dst-port=161 protocol=udp comment="Allow SNMP"

add chain=input action=accept in-interface-list=VLAN connection-state=new dst-port=53 protocol=udp comment="Allow LAN DNS queries-UDP"
add chain=input action=accept in-interface-list=VLAN connection-state=new dst-port=53 protocol=tcp comment="Allow LAN DNS queries-TCP"
add chain=input action=accept in-interface-list=VLAN connection-state=new dst-port=123 protocol=udp comment="Allow LAN NTP queries"

add chain=input action=accept in-interface-list=MGMT dst-port=80 protocol=tcp comment="defconf: allow WebFig access from Mgmt VLAN"

add chain=input action=drop comment="defconf: drop all else"
anav
Forum Guru
Posts: 19099
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Some VLAN related firewall questions

Tue Jan 25, 2022 2:30 pm

Looks sweet!
Only comment I would say is you can drop the "NEW" in your rules. I don't think it hurts but it's not necessary.
The first time a packet hits the firewall it will not be matched by the established related rule but will hit the firewall rule that applies (regardless if you have new or not entered) and will be matched.
The next packets will then be matched on the established/related rule and never see that original rule again for that session/connection.

So stating new is really only to remind yourself, I am making this rule to capture the first packet of a new session..............
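Both points raised in this thread (Sob's "allow what you need, then drop everything else" for the input chain, which the updated chain above implements, and anav's remark that connection-state=new is redundant behind the established/related accept) can be checked offline with a small first-match evaluator. This is an added example, not code from the thread or from RouterOS; the Rule and Packet classes are a simplified model, and the VLAN and MGMT sets mirror the interface lists in the posted config (Guest_VLAN is not a member of VLAN there).

```python
from dataclasses import dataclass
from typing import FrozenSet, Optional

VLAN = frozenset({"Mgmt_VLAN", "Corporate_VLAN", "WLAN_VLAN", "IoT_VLAN"})
MGMT = frozenset({"Mgmt_VLAN"})

@dataclass(frozen=True)
class Rule:
    action: str                                  # accept / drop
    state: Optional[FrozenSet[str]] = None       # connection-state=...
    in_ifaces: Optional[FrozenSet[str]] = None   # in-interface(-list)=...
    negate_in: bool = False                      # in-interface-list=!VLAN
    proto: Optional[str] = None
    dst_port: Optional[int] = None

@dataclass(frozen=True)
class Packet:
    state: str          # new / established / related / untracked / invalid
    in_iface: str
    proto: str
    dst_port: int = 0

def matches(r: Rule, p: Packet) -> bool:
    """A rule matches only on the matchers it sets; an unset matcher is 'any'."""
    if r.state is not None and p.state not in r.state:
        return False
    if r.in_ifaces is not None and (p.in_iface in r.in_ifaces) == r.negate_in:
        return False
    if r.proto is not None and p.proto != r.proto:
        return False
    return r.dst_port is None or p.dst_port == r.dst_port

def evaluate(chain, p: Packet) -> str:
    """First matching rule decides; a packet no rule matches is accepted."""
    return next((r.action for r in chain if matches(r, p)), "accept")
NEW = frozenset({"new"})
HEAD = [Rule("accept", state=frozenset({"established", "related", "untracked"})),
        Rule("drop", state=frozenset({"invalid"})), Rule("accept", proto="icmp")]
# Input chain from the first post: the only drop is for traffic not from a VLAN.
ORIGINAL = HEAD + [Rule("drop", in_ifaces=VLAN, negate_in=True)]
# Updated input chain from the follow-up post: explicit allows, then drop all.
UPDATED = HEAD + [
    Rule("accept", NEW, frozenset({"Corporate_VLAN"}), proto="udp", dst_port=161),
    Rule("accept", NEW, VLAN, proto="udp", dst_port=53),
    Rule("accept", NEW, VLAN, proto="tcp", dst_port=53),
    Rule("accept", NEW, VLAN, proto="udp", dst_port=123),
    Rule("accept", None, MGMT, proto="tcp", dst_port=80),
    Rule("drop")]
def without_new(chain):
    """anav's variant: the same chain with connection-state=new removed."""
    return [Rule(r.action, None if r.state == NEW else r.state, r.in_ifaces,
                 r.negate_in, r.proto, r.dst_port) for r in chain]
def webfig_reachable_from(chain, iface: str) -> bool:
    return evaluate(chain, Packet("new", iface, "tcp", 80)) == "accept"
```

Because Guest_VLAN is missing from the posted VLAN interface list, the model also shows DNS queries from guests to the router being dropped by both chains, even though the guest DHCP network hands out 10.0.30.1 as dns-server.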
deveth0
just joined
Topic Author
Posts: 6
Joined: Thu Jan 20, 2022 6:19 pm

Re: Some VLAN related firewall questions

Wed Jan 26, 2022 10:11 am

Great, thanks for your review :)
