Mayon
just joined
Topic Author
Posts: 8
Joined: Thu Apr 28, 2022 4:40 pm

From Quick Setup Bridge Mode to simple Firewall Rule

Thu Apr 28, 2022 4:53 pm

Hello,

I apologize for being a beginner and would appreciate your input. I have a MikroTik hEX router, which I set up in Quick Setup in bridge mode. Router mode is not preferred. Now I would like to add a simple firewall rule so that only devices from a specific network range can access the LAN devices, for instance 10.11.12.0/24. How may I accomplish this using WinBox? Do I need to adjust the existing firewall rules to accomplish this? Is it possible to have a firewall in the bridge mode of the Quick Setup?

Thanks
 
anav
Forum Guru
Posts: 19099
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: From Quick Setup Bridge Mode to simple Firewall Rule

Thu Apr 28, 2022 7:20 pm

You have a long way to go to understand what the rules mean and how to use them.......
viewtopic.php?t=180838
 
k6ccc
Forum Guru
Posts: 1490
Joined: Fri May 13, 2016 12:01 am
Location: Glendora, CA, USA (near Los Angeles)

Re: From Quick Setup Bridge Mode to simple Firewall Rule

Thu Apr 28, 2022 9:11 pm

Yes, you can modify the configuration that was created with QuickSet. However, once you manually change something, NEVER use QuickSet again - it will blow away whatever changes you made.
 
Sob
Forum Guru
Posts: 9119
Joined: Mon Apr 20, 2009 9:11 pm

Re: From Quick Setup Bridge Mode to simple Firewall Rule

Thu Apr 28, 2022 11:28 pm

IP firewall by default does not apply to bridged traffic and everything is allowed. If you need some filtering, you can use either stateless bridge filters (Bridge->Filters), or for something more complex it's possible to enable Bridge->Settings->Use IP Firewall, and then all bridged traffic will run through IP firewall. It can have unexpected behaviour if combined with regular routing, because everything is mixed together.
 
Mayon
just joined
Topic Author
Posts: 8
Joined: Thu Apr 28, 2022 4:40 pm

Re: From Quick Setup Bridge Mode to simple Firewall Rule

Tue May 03, 2022 4:35 pm

IP firewall by default does not apply to bridged traffic and everything is allowed. If you need some filtering, you can use either stateless bridge filters (Bridge->Filters), or for something more complex it's possible to enable Bridge->Settings->Use IP Firewall, and then all bridged traffic will run through IP firewall. It can have unexpected behaviour if combined with regular routing, because everything is mixed together.
Thank you very much,
Last edited by Mayon on Thu May 05, 2022 1:11 pm, edited 1 time in total.
 
anav
Forum Guru
Posts: 19099
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: From Quick Setup Bridge Mode to simple Firewall Rule

Tue May 03, 2022 4:43 pm

viewtopic.php?t=180838

Read, try, and post your config if you are having difficulties.
No spoons here!! :-)
 
Mayon
just joined
Topic Author
Posts: 8
Joined: Thu Apr 28, 2022 4:40 pm

Re: From Quick Setup Bridge Mode to simple Firewall Rule

Thu May 05, 2022 6:32 pm

Thank you, so far all works fine. I made an initial Quick Set with bridge mode. I enabled Bridge - Settings - Use IP Firewall.
The input chain works well, however the forward chain does not:
/ip firewall filter
add action=accept chain=input comment=\
"defconf: Router Access: accept established,related" connection-state=\
established,related
add action=drop chain=input comment="defconf: Router Access: drop invalid" \
connection-state=invalid
add action=accept chain=input comment="defconf: Router Access: accept ICMP" \
protocol=icmp
add action=drop chain=input comment=\
"defconf: Router Access: drop all not coming from LAN" \
in-interface-list=!LAN
add action=fasttrack-connection chain=forward comment=\
"defconf: Clients: fasttrack (Bypass FW after Initial)" \
connection-state=established,related
add action=accept chain=forward comment=\
"defconf: Clients: accept established,related" connection-state=\
established,related
add action=drop chain=forward comment="defconf: Clients: drop invalid" \
connection-state=invalid
add action=drop chain=forward comment=\
"defconf: Clients: drop all from WAN not DSTNATed" \
connection-nat-state=!dstnat connection-state=new in-interface-list=WAN
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" \
ipsec-policy=out,none out-interface-list=WAN

I can't get the forward chain to work. On the LAN side everything is working well. The LAN side can reach everything on the WAN side. Pinging a client on the LAN side from the WAN side also works, which I don't understand. Should it not be denied? What is missing?
Last edited by Mayon on Thu May 05, 2022 8:48 pm, edited 1 time in total.
 
Sob
Forum Guru
Posts: 9119
Joined: Mon Apr 20, 2009 9:11 pm

Re: From Quick Setup Bridge Mode to simple Firewall Rule

Thu May 05, 2022 6:49 pm

How sure are you that you want bridge mode? You talk about LAN, WAN, different /24 subnets on them; it seems like regular routing.
 
Mayon
just joined
Topic Author
Posts: 8
Joined: Thu Apr 28, 2022 4:40 pm

Re: From Quick Setup Bridge Mode to simple Firewall Rule

Thu May 05, 2022 8:52 pm

How sure are you that you want bridge mode? You talk about LAN, WAN, different /24 subnets on them; it seems like regular routing.
Well, basically the goal is to have an external firewall for old programmable logic controllers, or PLCs. At the same time I would like the external firewall not to appear on the network, nor to receive an IP or to register. That is why I attempt to use the bridge mode, which works well so far. Just the firewall config seems to be missing something. Did I fail to consider something that is needed to make it work?
 
anav
Forum Guru
Posts: 19099
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: From Quick Setup Bridge Mode to simple Firewall Rule

Thu May 05, 2022 9:03 pm

Post your config:
/export hide-sensitive file=anynameyouwish (just be sure not to post the public IP).

The first thing is to turn bridge IP firewall off, and use the regular firewall for now (IP firewall filters: forward and input chain).
 
Sob
Forum Guru
Posts: 9119
Joined: Mon Apr 20, 2009 9:11 pm

Re: From Quick Setup Bridge Mode to simple Firewall Rule

Thu May 05, 2022 9:29 pm

@anav: It's perfectly possible that bridge with transparent firewall is the right choice, I just wanted to make sure about it. If it is, it needs some changes. Using in/out-interface(-list) is not very useful, because it will be always bridge interface for any bridge port. Individual interfaces need to be matched by in/out-bridge-port(-list).
 
anav
Forum Guru
Posts: 19099
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: From Quick Setup Bridge Mode to simple Firewall Rule

Thu May 05, 2022 10:36 pm

Assume a standard config and not the edge case as a starting point............. KISS ;-P
 
Mayon
just joined
Topic Author
Posts: 8
Joined: Thu Apr 28, 2022 4:40 pm

Re: From Quick Setup Bridge Mode to simple Firewall Rule

Fri May 06, 2022 5:12 pm

Post your config:
/export hide-sensitive file=anynameyouwish (just be sure not to post the public IP).

The first thing is to turn bridge IP firewall off, and use the regular firewall for now (IP firewall filters: forward and input chain).
Thank you. Please find the config attached. It has the firewall enabled and configured.
I am trying to dig into bridge filters. I find it difficult to find videos and examples on them; is there anything you can recommend?
 
anav
Forum Guru
Posts: 19099
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: From Quick Setup Bridge Mode to simple Firewall Rule

Fri May 06, 2022 9:49 pm

Yes, as per my previous recommendation, stay away from bridge filters unless you are an advanced user. :-)

(1) WAN port is NOT usually part of the bridge.
/interface bridge port
add bridge=bridge comment=defconf interface=ether2
add bridge=bridge comment=defconf interface=ether3
add bridge=bridge comment=defconf interface=ether4
add bridge=bridge comment=defconf interface=ether5

add bridge=bridge interface=ether1


(2) I would turn this OFF...................
/interface bridge settings
set use-ip-firewall=yes

(3) Can replace the interface list member ether ports with a bridge entry
/interface list member
add comment=defconf interface=ether1 list=WAN
add interface=bridge list=LAN

(4) ETHER1 is the WAN port, not the bridge.
/ip dhcp-client
add comment=defconf disabled=no interface=bridge ?????? should be ether1

(5) This is wrong and does not match anything else.
/ip dhcp-server network
add address=0.0.0.0/24 comment=defconf gateway=0.0.0.0 netmask=24

Suggest
/ip dhcp-server network
add address=192.168.88.0/24 dns-server=192.168.88.1 gateway=192.168.88.1

(6) Why is address DISABLED??
/ip address
add address=192.168.88.1/24 comment=defconf disabled=yes interface=bridge \
network=192.168.88.0
 
Sob
Forum Guru
Posts: 9119
Joined: Mon Apr 20, 2009 9:11 pm

Re: From Quick Setup Bridge Mode to simple Firewall Rule

Fri May 06, 2022 11:29 pm

... unless an advanced user. :-)
... or unless you have some use for it. It's not wrong to have a transparent firewall. Something like this should do:
/ip firewall filter
add chain=forward connection-state=established,related action=accept
add chain=forward connection-state=invalid action=drop
add chain=forward in-bridge-port-list=LAN out-bridge-port-list=WAN action=accept comment="allow outgoing connections"
add chain=forward in-bridge-port-list=WAN out-bridge-port-list=LAN src-address=10.11.12.0/24 action=accept comment="allow incoming connections from selected subnet"
add chain=forward in-bridge-port-list=WAN out-bridge-port-list=LAN protocol=udp src-port=67 dst-port=68 action=accept comment="allow dhcp responses (if devices on LAN side use DHCP to get addresses)"
add chain=forward action=drop comment="block the rest"
But yes, it's less common, and I'm not 100% sure about all possible problems myself.
 
Mayon
just joined
Topic Author
Posts: 8
Joined: Thu Apr 28, 2022 4:40 pm

Re: From Quick Setup Bridge Mode to simple Firewall Rule

Mon May 09, 2022 1:05 pm

Yes, as per my previous recommendation, stay away from bridge filters unless you are an advanced user. :-)

(1) WAN port is NOT usually part of the bridge.
/interface bridge port
add bridge=bridge comment=defconf interface=ether2
add bridge=bridge comment=defconf interface=ether3
add bridge=bridge comment=defconf interface=ether4
add bridge=bridge comment=defconf interface=ether5

add bridge=bridge interface=ether1


(2) I would turn this OFF...................
/interface bridge settings
set use-ip-firewall=yes

(3) Can replace the interface list member ether ports with a bridge entry
/interface list member
add comment=defconf interface=ether1 list=WAN
add interface=bridge list=LAN

(4) ETHER1 is the WAN port, not the bridge.
/ip dhcp-client
add comment=defconf disabled=no interface=bridge ?????? should be ether1

(5) This is wrong and does not match anything else.
/ip dhcp-server network
add address=0.0.0.0/24 comment=defconf gateway=0.0.0.0 netmask=24

Suggest
/ip dhcp-server network
add address=192.168.88.0/24 dns-server=192.168.88.1 gateway=192.168.88.1

(6) Why is address DISABLED??
/ip address
add address=192.168.88.1/24 comment=defconf disabled=yes interface=bridge \
network=192.168.88.0
Thanks, that was very helpful. I started from scratch and made sure that the router has no default configuration:
Winbox - System - Reset Configuration
Keep all disabled/empty, except enable or select "No Default Configuration"
Then I used Quick Set for the initial setup and followed the advice: once something has been changed manually, NEVER use QuickSet again, as it will blow away whatever changes you made.
Mode: Bridge
Address Acq.: Automatic
Address Src.: Any
VPN: Disabled
Attached is the base config for all further work.
 
Mayon
just joined
Topic Author
Posts: 8
Joined: Thu Apr 28, 2022 4:40 pm

Re: From Quick Setup Bridge Mode to simple Firewall Rule

Mon May 09, 2022 1:16 pm

... unless an advanced user. :-)
... or unless you have some use for it. It's not wrong to have a transparent firewall. Something like this should do:
/ip firewall filter
add chain=forward connection-state=established,related action=accept
add chain=forward connection-state=invalid action=drop
add chain=forward in-bridge-port-list=LAN out-bridge-port-list=WAN action=accept comment="allow outgoing connections"
add chain=forward in-bridge-port-list=WAN out-bridge-port-list=LAN src-address=10.11.12.0/24 action=accept comment="allow incoming connections from selected subnet"
add chain=forward in-bridge-port-list=WAN out-bridge-port-list=LAN protocol=udp src-port=67 dst-port=68 action=accept comment="allow dhcp responses (if devices on LAN side use DHCP to get addresses)"
add chain=forward action=drop comment="block the rest"
But yes, it's less common, and I'm not 100% sure about all possible problems myself.
Thank you very much, the input helped me to add and set up the firewall correctly. WAN stands for the external network (connected to ether1) in front of the firewall, LAN for the network (bridge, ether2 to ether5) behind the firewall. The clients receive their IP from the DHCP server in front of the firewall; other services such as DNS, NTP and SNMP are allowed too. A specific external subnet has access too (to connect to the PLCs).
Attached is the working firewall setup; however, router hardening still needs to be done.
Refer to: https://help.mikrotik.com/docs/display/ ... figuration

Open questions:
- Why can't I communicate on the LAN (bridge) side, for instance ether4 can't access ether5? Is adding this rule the right way?
add action=accept chain=forward comment="CLIENTS: Allow connections between LAN" in-bridge-port-list=LAN out-bridge-port-list=LAN
- Should fasttrack-connection be added? What are the pros and cons?
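As an added example (not code from the thread or from MikroTik), here is the whole transparent-firewall configuration for the layout described in this thread: ether1 towards the upstream network, ether2 to ether5 towards the PLCs, all five ports in one bridge that carries no IP address. It combines Sob's in/out-bridge-port-list rule set with the LAN-to-LAN accept the open question asks about, and spells out why the interface lists must contain ports rather than the bridge. The bridge name, list names and 10.11.12.0/24 come from the thread; the log prefix is an assumption of mine.

```routeros
# Added example (not from the thread): transparent firewall on a hEX in bridge mode.
# ether1 = upstream side ("WAN"), ether2-ether5 = PLC side ("LAN"), no IP on the bridge.
/interface bridge
add name=bridge1
/interface bridge port
add bridge=bridge1 interface=ether1
add bridge=bridge1 interface=ether2
add bridge=bridge1 interface=ether3
add bridge=bridge1 interface=ether4
add bridge=bridge1 interface=ether5

# Lists used by in/out-bridge-port-list must hold the bridge PORTS, never the bridge
# itself: bridge1 is not a bridge port, so a LAN list containing only bridge1 would
# match nothing and every frame would fall through to the final drop.
/interface list
add name=WAN
add name=LAN
/interface list member
add interface=ether1 list=WAN
add interface=ether2 list=LAN
add interface=ether3 list=LAN
add interface=ether4 list=LAN
add interface=ether5 list=LAN

# Send bridged traffic through /ip firewall. in/out-interface then always equals
# bridge1, so only the bridge-port matchers below can tell the two sides apart.
/interface bridge settings
set use-ip-firewall=yes

# Forward chain, first match wins. Everything not accepted here is dropped, which is
# why a LAN<->LAN rule is required: ether4 -> ether5 frames are bridge-forwarded and
# therefore also pass through this chain.
/ip firewall filter
add chain=forward connection-state=established,related action=accept \
    comment="replies to already accepted connections"
add chain=forward connection-state=invalid action=drop
add chain=forward in-bridge-port-list=LAN out-bridge-port-list=LAN action=accept \
    comment="PLC side may talk among itself"
add chain=forward in-bridge-port-list=LAN out-bridge-port-list=WAN action=accept \
    comment="outbound from PLC side (DNS, NTP, SNMP, DHCP requests)"
add chain=forward in-bridge-port-list=WAN out-bridge-port-list=LAN \
    src-address=10.11.12.0/24 action=accept comment="inbound only from the allowed subnet"
add chain=forward in-bridge-port-list=WAN out-bridge-port-list=LAN protocol=udp \
    src-port=67 dst-port=68 action=accept \
    comment="DHCP offers/acks: broadcast replies are not tracked as related"
add chain=forward action=drop log=yes log-prefix="bridge-fw-drop" \
    comment="block the rest; the log shows what still needs a rule"
```

Keep fasttrack out of a rule set you are still debugging: fasttracked packets bypass the remaining filter rules, so a drop you expect to see never shows up in the log.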
 
anav
Forum Guru
Posts: 19099
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: From Quick Setup Bridge Mode to simple Firewall Rule

Mon May 09, 2022 4:39 pm

Let somebody else who understands the config reply................ I don't normally put the WAN port on ether1, nor use firewall rule settings on the bridge etc etc.....
I have no idea why you think port forwarding is done in the Forward Chain, why you have a whole whack of what would be considered, first, unnecessary input chain rules, and second located in the forward chain?

Do you know what you are doing or is this just copy and paste from somewhere? And on top of ignoring all previous advice??

No Wait, it all makes sense. You are a student of SOB, and he has been teaching you his genius ways.
I will let Sob then complete his lessons!!! Over to you good sir!!
 
Mayon
just joined
Topic Author
Posts: 8
Joined: Thu Apr 28, 2022 4:40 pm

Re: From Quick Setup Bridge Mode to simple Firewall Rule

Wed May 11, 2022 12:43 pm

Yes, as per my previous recommendation, stay away from bridge filters unless you are an advanced user. :-)

Okay, we will do this :-)

(1) WAN port is NOT usually part of the bridge.
/interface bridge port
add bridge=bridge comment=defconf interface=ether2
add bridge=bridge comment=defconf interface=ether3
add bridge=bridge comment=defconf interface=ether4
add bridge=bridge comment=defconf interface=ether5

add bridge=bridge interface=ether1

Disabling ether1 from the bridge is done, however it blocks or stops all communication from the LAN side. How to continue?

(2) I would turn this OFF...................
/interface bridge settings
set use-ip-firewall=yes

Done

(3) Can replace the interface list member ether ports with a bridge entry
/interface list member
add comment=defconf interface=ether1 list=WAN
add interface=bridge list=LAN

Done

(4) ETHER1 is the WAN port, not the bridge.
/ip dhcp-client
add comment=defconf disabled=no interface=bridge ?????? should be ether1

Done

(5) This is wrong and does not match anything else.
/ip dhcp-server network
add address=0.0.0.0/24 comment=defconf gateway=0.0.0.0 netmask=24

Suggest
/ip dhcp-server network
add address=192.168.88.0/24 dns-server=192.168.88.1 gateway=192.168.88.1

I added the external DNS, DHCP and NTP servers (on the ether1 side)

(6) Why is address DISABLED??
/ip address
add address=192.168.88.1/24 comment=defconf disabled=yes interface=bridge \
network=192.168.88.0
As I use the MikroTik as a switch and not as a router, it does not appear with an IP in the network. Access to the router happens through MAC on the LAN side, which is desired.

I very much appreciate your input and I have tried to apply it. At some points I still lack understanding. Please find the config attached and my comments on it above.
 
anav
Forum Guru
Posts: 19099
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: From Quick Setup Bridge Mode to simple Firewall Rule

Wed May 11, 2022 2:39 pm

As I use the MikroTik as a switch and not as a router, it does not appear with an IP in the network. Access to the router happens through MAC on the LAN side, which is desired.
Finally some effing clarity. :-)

In that case you simply need this guidance - viewtopic.php?t=182276
Interestingly, you have no VLANs?
In other words, you have no way to manage the device securely, separated from all users.
There is no WAN, just LAN, and you only need one IP address, the one assigned to the MT device on the previous router's LAN.
There are no firewall rules required unless you want to institute some here.
# model = RB750Gr3
/interface bridge
add name=bridge1
/interface list
add name=LAN
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip neighbor discovery-settings
set discover-interface-list=LAN
/ip dns
set allow-remote-requests=yes servers=192.168.88.1
/interface bridge port
add bridge=bridge1 interface=ether1
add bridge=bridge1 interface=ether2
add bridge=bridge1 interface=ether3
add bridge=bridge1 interface=ether4
add bridge=bridge1 interface=ether5
/interface list member
add interface=bridge1 list=LAN
/ip address
add address=192.168.88.X/24 interface=bridge1 network=192.168.88.0
/ip route
add dst-address=0.0.0.0/0 gateway=192.168.88.1
