abracadabricx
just joined
Topic Author
Posts: 4
Joined: Sun Mar 06, 2022 9:41 pm

How to setup firewall for Router as ike2 vpn gateway

Sun Mar 20, 2022 4:54 pm

Hi,

I have an AC3 router with a ProtonVPN Ike2/IPSec VPN connection as gateway to the internet.
The router is connected to an internet router that provides internet access and NAT, which is not configurable.
"WAN" network is 192.168.5.0/24, GW 192.168.5.1
LAN network is 192.168.6.0/24, GW 192.168.6.1

Since I regard the VPN tunnel endpoint as a direct connection to the internet, I am trying to set up a firewall to protect the router and the LAN.

Building up the "advanced firewall" https://help.mikrotik.com/docs/display/ ... d+Firewall leads to a couple of questions which I don't know how to resolve.

1) add action=drop chain=input comment="defconf: drop all not coming from LAN" in-interface-list=!LAN does not seem to block anything: no connection with WinBox to the "WAN" IP address of the router is blocked, and the counter never increases. I tried the same rules without the IKE2/IPSEC setup, with no difference. Isn't this rule expected to block connections to the router from the "WAN" IP? And if so, should it therefore also protect the router from connections initiated from the real internet (on the other side of the VPN tunnel)?
2) add action=drop chain=forward comment="defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat connection-state=new in-interface-list=WAN: Once I activate this rule, no connection to the internet is possible anymore. The VPN tunnel created a dynamic srcnat rule, but since this rule refers to new connections I did not expect it to block all network connections. Why would this be, and how should I change the rule?

/interface bridge add name=bridge1
/interface list add include=all name=WAN
/interface list add include=all name=LAN
/interface wireless security-profiles set [ find default=yes ] supplicant-identity=MikroTik
/interface wireless security-profiles add authentication-types=wpa2-psk eap-methods="" mode=dynamic-keys name=WIFI supplicant-identity=""
/interface wireless set [ find default-name=wlan1 ] band=2ghz-g/n channel-width=20/40mhz-Ce country=switzerland disabled=no frequency=auto installation=indoor mode=ap-bridge name=WIFI_2 security-profile=WIFI ssid=WIFI2
/interface wireless set [ find default-name=wlan2 ] band=5ghz-n/ac channel-width=20/40/80mhz-eCee country=switzerland disabled=no frequency=auto installation=indoor mode=ap-bridge name=WIFI_5 security-profile=WIFI ssid=WIFI5
/ip ipsec mode-config add connection-mark=via_protonvpn name="ProtonVPN mode config" responder=no
/ip ipsec policy group add name=ProtonVPN
/ip ipsec profile add dh-group=modp4096,modp2048,modp1024 dpd-interval=disable-dpd enc-algorithm=aes-256 hash-algorithm=sha256 name="ProtonVPN profile"
/ip ipsec peer add address=185.1.1.99/32 exchange-mode=ike2 name="ProtonVPN server" profile="ProtonVPN profile"
/ip ipsec proposal add auth-algorithms=sha256 enc-algorithms=aes-256-cbc lifetime=0s name="ProtonVPN proposal" pfs-group=none
/ip pool add name=dhcp_pool0 ranges=192.168.6.200-192.168.6.250
/ip dhcp-server add address-pool=dhcp_pool0 disabled=no interface=bridge1 name=dhcp1
/interface bridge port add bridge=bridge1 interface=ether2
/interface bridge port add bridge=bridge1 interface=ether3
/interface bridge port add bridge=bridge1 interface=ether4
/interface bridge port add bridge=bridge1 interface=ether5
/interface bridge port add bridge=bridge1 interface=WIFI_2
/interface bridge port add bridge=bridge1 interface=WIFI_5
/interface list member add comment=defconf interface=ether1 list=WAN
/interface list member add comment=defconf interface=bridge1 list=LAN
/ip address add address=192.168.5.244/24 interface=ether1 network=192.168.5.0
/ip address add address=192.168.6.1/24 interface=bridge1 network=192.168.6.0
/ip dhcp-server network add address=192.168.6.0/24 gateway=192.168.6.1
/ip dns set allow-remote-requests=yes servers=1.1.1.1
/ip dns static add comment="Redirect for \"Local.Net\" domain to local dns server" forward-to=192.168.5.3 regexp=".*\\.Local\\.WIFI" type=FWD
/ip firewall address-list add address=192.168.6.0/24 comment="Forward to vpn" list=via_protonvpn
/ip firewall address-list add address=192.168.5.0/24 comment="No forward to vpn" list=NoVPN
/ip firewall address-list add address=0.0.0.0/8 comment="defconf: RFC6890" list=no_forward_ipv4
/ip firewall address-list add address=169.254.0.0/16 comment="defconf: RFC6890" list=no_forward_ipv4
/ip firewall address-list add address=224.0.0.0/4 comment="defconf: multicast" list=no_forward_ipv4
/ip firewall address-list add address=255.255.255.255 comment="defconf: RFC6890" list=no_forward_ipv4
/ip firewall filter add action=accept chain=input comment="defconf: 1: accept ICMP after RAW" protocol=icmp
/ip firewall filter add action=accept chain=input comment="defconf: 2: accept established,related,untracked" connection-state=established,related,untracked
/ip firewall filter add action=drop chain=input comment="defconf:3: drop all not coming from LAN" in-interface-list=!LAN
/ip firewall filter add action=accept chain=forward comment="defconf: accept all that matches IPSec policy" ipsec-policy=in,ipsec
/ip firewall filter add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related disabled=yes
/ip firewall filter add action=accept chain=forward comment="defconf: accept established,related, untracked" connection-state=established,related,untracked
/ip firewall filter add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
/ip firewall filter add action=drop chain=forward comment="defconf:  drop all from WAN not DSTNATed" connection-nat-state=!dstnat connection-state=new disabled=yes in-interface-list=WAN
/ip firewall filter add action=drop chain=forward comment="defconf: drop bad forward IPs" src-address-list=no_forward_ipv4
/ip firewall filter add action=drop chain=forward comment="defconf: drop bad forward IPs" dst-address-list=no_forward_ipv4
/ip firewall mangle add action=accept chain=prerouting comment="Not via VPN" dst-address-list=NoVPN src-address-list=""
/ip firewall mangle add action=mark-connection chain=prerouting comment="Via VPN" new-connection-mark=via_protonvpn passthrough=yes src-address-list=via_protonvpn
/ip firewall nat add action=masquerade chain=srcnat src-address-list=via_protonvpn
/ip ipsec identity add auth-method=eap certificate="ProtonVPN CA" eap-methods=eap-mschapv2 generate-policy=port-strict mode-config="ProtonVPN mode config" peer="ProtonVPN server" policy-template-group=ProtonVPN username=protonusername
/ip ipsec policy add dst-address=0.0.0.0/0 group=ProtonVPN proposal="ProtonVPN proposal" src-address=0.0.0.0/0 template=yes
/ip route add distance=1 gateway=192.168.5.1
/ip ssh set strong-crypto=yes
/system clock set time-zone-name=Europe/Paris
/system ntp client set enabled=yes primary-ntp=195.176.26.206 secondary-ntp=5.1.73.2 server-dns-names=ch.pool.ntp.org,pool.ntp.org
/tool graphing interface add allow-address=192.168.6.0/24 interface=bridge1 store-on-disk=no
/tool graphing interface add allow-address=192.168.6.0/24 interface=ether1 store-on-disk=no
/tool graphing resource add allow-address=192.168.6.0/24 store-on-disk=no
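The behaviour in both questions follows from the two "/interface list add include=all" lines in the export above: include=all pulls every interface into both LAN and WAN, so in-interface-list=!LAN has nothing left to match and in-interface-list=WAN also matches new connections arriving on bridge1. As an added example (not from the post or from MikroTik), this Python script parses an export in the posted format, resolves list membership including include=, and flags rules that can never or always match; the sample export is constructed from the poster's lines, the interface set is taken from list members, and exclude= is not modelled.

```python
"""Audit RouterOS interface lists from a terse export and flag firewall rules whose
in-interface-list matcher never matches or matches every interface. Added example."""
import shlex

EXPORT = """\
/interface list add include=all name=WAN
/interface list add include=all name=LAN
/interface list member add comment=defconf interface=ether1 list=WAN
/interface list member add comment=defconf interface=bridge1 list=LAN
/ip firewall filter add action=drop chain=input comment="defconf:3: drop all not coming from LAN" in-interface-list=!LAN
/ip firewall filter add action=drop chain=forward comment="defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat connection-state=new in-interface-list=WAN
"""  # constructed sample: the relevant lines of the poster's export

def parse_export(text):
    """Return (interfaces, includes-per-list, members-per-list, [(chain, in-interface-list)])."""
    includes, members, rules = {}, {}, []
    for line in (ln for ln in text.splitlines() if " add " in ln):
        toks = shlex.split(line)                    # shlex keeps quoted comments as one token
        i = toks.index("add")
        path = " ".join(toks[:i])
        kv = dict(t.split("=", 1) for t in toks[i + 1:] if "=" in t)
        if path == "/interface list":
            includes[kv["name"]] = kv.get("include", "")
        elif path == "/interface list member":
            members.setdefault(kv["list"], set()).add(kv["interface"])
        elif path == "/ip firewall filter" and "in-interface-list" in kv:
            rules.append((kv.get("chain"), kv["in-interface-list"]))
    return set().union(*members.values()), includes, members, rules

def effective_members(name, includes, members, interfaces):
    """Explicit members plus included lists; the built-in 'all' (so include=all) is every interface."""
    if name == "all":
        return set(interfaces)
    result = set(members.get(name, ()))
    for inc in filter(None, includes.get(name, "").split(",")):
        result |= effective_members(inc, includes, members, interfaces)
    return result

def audit(text):
    """One finding per in-interface-list rule that is a no-op or a catch-all."""
    interfaces, includes, members, rules = parse_export(text)
    findings = []
    for chain, match in rules:
        eff = effective_members(match.lstrip("!"), includes, members, interfaces)
        hit = interfaces - eff if match.startswith("!") else eff   # '!' negates the list
        if not hit:
            findings.append(f"{chain}: in-interface-list={match} never matches (list holds every interface)")
        elif hit == interfaces:
            findings.append(f"{chain}: in-interface-list={match} matches every interface, LAN included")
    return findings
```

Running audit() on the export with the two include=all parameters removed returns no findings, which is the state the default-configuration rules assume.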
