Community discussions

ishanjain
Frequent Visitor
Topic Author
Posts: 55
Joined: Tue Sep 29, 2020 8:40 am

Requesting a review of my IPv4 Firewall configuration

Wed May 18, 2022 11:07 pm

Hey, I am at a point where I have somewhat "stabilized" my firewall configuration and there probably won't be any huge changes in the near future.

If you have a moment, please review my firewall config and let me know if there is anything I can improve.

My network has a total of 9 VLANs.

10 => My vlan
20 => Neighbour's #1
30 => Neighbour #2
40 => Neighbour #3
50 => LAB
60 => Guest
99 => Management
150 => WAN1 Only VLAN
160 => WAN3 Only VLAN


(WAN1 and WAN2 are from same ISP)


I have also read some criticism of using an address list like `not_in_internet`, but in my case I use chains and had to use the `not_in_internet` address list to control internet access.


Please let me know if you have any questions and if there is anything I can improve in this config.
firewall.review.rsc

edit #1: Removed serial number.
Last edited by ishanjain on Fri May 20, 2022 3:14 pm, edited 1 time in total.
 
ishanjain
Frequent Visitor
Topic Author
Posts: 55
Joined: Tue Sep 29, 2020 8:40 am

Re: Requesting a review of my IPv4 Firewall configuration

Fri May 20, 2022 9:04 am

BUMP
 
Larsa
Forum Guru
Posts: 1041
Joined: Sat Aug 29, 2015 7:40 pm
Location: The North Pole, Santa's Workshop

Re: Requesting a review of my IPv4 Firewall configuration

Fri May 20, 2022 10:10 am

Do you have any particular concerns in mind or just a discussion in general regarding "best practice"?
 
rextended
Forum Guru
Posts: 11982
Joined: Tue Feb 25, 2014 12:49 pm
Location: Italy

Re: Requesting a review of my IPv4 Firewall configuration

Fri May 20, 2022 10:36 am

Free hint: do not reveal serial number
 
ishanjain
Frequent Visitor
Topic Author
Posts: 55
Joined: Tue Sep 29, 2020 8:40 am

Re: Requesting a review of my IPv4 Firewall configuration

Fri May 20, 2022 3:15 pm

Do you have any particular concerns in mind or just a discussion in general regarding "best practice"?
For now, I am just looking for a discussion on just best practices.
 
erlinden
Forum Guru
Posts: 1920
Joined: Wed Jun 12, 2013 1:59 pm
Location: Netherlands

Re: Requesting a review of my IPv4 Firewall configuration

Fri May 20, 2022 3:21 pm

Perhaps you can add a network diagram describing all allowed traffic. From just the export it is hard to tell.

You might want to order your firewall rules (first input, then forward).
 
rextended
Forum Guru
Posts: 11982
Joined: Tue Feb 25, 2014 12:49 pm
Location: Italy

Re: Requesting a review of my IPv4 Firewall configuration  [SOLVED]

Fri May 20, 2022 3:25 pm

Some hints:
Golden rule: drop all at the end.
Drop all at the end on both input and forward.
Permit only what is known.
No remote access directly to the RouterBOARD; use a VPN.
PPTP is not a VPN, not anymore...
A VPN is nowadays a VPN only if some form of cryptography is involved.
Drop traffic from unwanted sources or of unwanted types in RAW, not in filter (for example, block in RAW any DNS request not coming from your LAN).
Disable loose TCP tracking.
Set RP filter at least to loose.
Decrease the TCP timeout from 1 day (???...) to 30 min.
Block from going outside any IP that you do not have; prevent IP spoofing.
DO NOT disable MAC winbox on the LAN side, or at least leave one ethernet port for direct CPU access for management (and do it before configuring anything).
Separate traffic on forward with chains, so as not to process the same packet dozens of times.
Do not lose time with DDoS; ask your ISP, you cannot do anything...
 
anav
Forum Guru
Posts: 19105
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Requesting a review of my IPv4 Firewall configuration

Fri May 20, 2022 6:02 pm

viewtopic.php?t=180838

-As rextended noted, besides the default drop-invalid rule, the concept of drop all as the last rule, and only putting in user rules for allowed traffic above it, is usually the most efficient and safest method. It also avoids many of the confusing !rules!!
-Forget jump rules unless you really need them.
-Move bogons to ip routes.
etc..
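The following RouterOS export is an added example put together for this thread, not the poster's attached firewall.review.rsc and not code from any of the repliers. It wires together the hints from rextended's post (drop all at the end of input and forward, cheap drops in RAW, loose TCP tracking off, RP filter on loose, 30 minute TCP timeout, anti-spoofing, MAC winbox limited to a management port, one forward chain per VLAN class) and anav's suggestion to move bogons into ip routes. Everything concrete in it is an assumption: ether1 is WAN1, vlan10/vlan60/vlan99 are the own, guest and management VLANs, the 192.168.x.0/24 prefixes are constructed, the WireGuard port 13231 stands in for whatever VPN is used, and the syntax is RouterOS v7 (the v6 form of the blackhole route is noted in a comment).

```routeros
# Added example, not the thread's firewall.review.rsc. Assumed names:
# ether1 = WAN1; vlan10 = own, vlan60 = guest, vlan99 = management.
# Prefixes below are constructed. RouterOS v7 syntax.

/interface list
add name=WAN
add name=LAN
add name=MGMT
/interface list member
add interface=ether1 list=WAN
add interface=vlan10 list=LAN
add interface=vlan60 list=LAN
add interface=vlan99 list=LAN
add interface=vlan99 list=MGMT

/ip firewall address-list
add list=own-nets address=192.168.10.0/24 comment="vlan10 (assumed)"
add list=own-nets address=192.168.60.0/24 comment="vlan60 guest (assumed)"
add list=own-nets address=192.168.99.0/24 comment="vlan99 mgmt (assumed)"
add list=bogons address=0.0.0.0/8
add list=bogons address=10.0.0.0/8
add list=bogons address=100.64.0.0/10
add list=bogons address=127.0.0.0/8
add list=bogons address=169.254.0.0/16
add list=bogons address=172.16.0.0/12
add list=bogons address=192.0.2.0/24
add list=bogons address=192.168.0.0/16
add list=bogons address=198.18.0.0/15
add list=bogons address=198.51.100.0/24
add list=bogons address=203.0.113.0/24
add list=bogons address=224.0.0.0/3

# Connection tracking: no loose TCP tracking, established timeout 1d -> 30m
/ip firewall connection tracking
set loose-tcp-tracking=no tcp-established-timeout=30m
# Reverse-path filter: at least loose
/ip settings
set rp-filter=loose
# Keep MAC winbox, but only on the management VLAN
/tool mac-server mac-winbox
set allowed-interface-list=MGMT

# RAW: drop unwanted sources/types before conntrack sees them
/ip firewall raw
add chain=prerouting action=drop in-interface-list=WAN src-address-list=bogons comment="bogon source on WAN"
add chain=prerouting action=drop in-interface-list=LAN src-address-list=!own-nets comment="anti-spoof: LAN may only use our prefixes"
add chain=prerouting action=drop in-interface-list=!LAN protocol=udp dst-port=53 comment="DNS queries only from LAN"
add chain=prerouting action=drop in-interface-list=!LAN protocol=tcp dst-port=53 comment="DNS queries only from LAN"

/ip firewall filter
# input: traffic to the router itself; only what is known, drop the rest
add chain=input action=accept connection-state=established,related,untracked
add chain=input action=drop connection-state=invalid
add chain=input action=accept protocol=icmp in-interface-list=LAN
add chain=input action=accept in-interface-list=MGMT protocol=tcp dst-port=22,8291 comment="ssh/winbox from management VLAN only"
add chain=input action=accept in-interface-list=LAN protocol=udp dst-port=53 comment="router as resolver for LAN"
add chain=input action=accept in-interface-list=LAN protocol=tcp dst-port=53
add chain=input action=accept in-interface-list=WAN protocol=udp dst-port=13231 comment="WireGuard (assumed port): the only WAN-facing service"
add chain=input action=drop comment="input: drop all else"
# forward: per-VLAN chains so each packet is matched once
add chain=forward action=accept connection-state=established,related,untracked
add chain=forward action=drop connection-state=invalid
add chain=forward action=drop in-interface-list=WAN connection-nat-state=!dstnat comment="no unsolicited WAN->LAN"
add chain=forward action=jump jump-target=guest in-interface=vlan60
add chain=forward action=accept in-interface=vlan10 out-interface-list=WAN comment="own VLAN: internet"
add chain=forward action=accept in-interface=vlan10 out-interface=vlan99 comment="own VLAN: reach management"
add chain=forward action=drop comment="forward: drop all else"
add chain=guest action=accept out-interface-list=WAN comment="guest: internet only"
add chain=guest action=drop comment="guest: nothing internal"

# Bogons as blackhole routes: connected /24s are more specific and still win,
# so private traffic with no real destination never gets a next hop
# (RouterOS v6 spells this "type=blackhole")
/ip route
add dst-address=10.0.0.0/8 blackhole comment="bogon"
add dst-address=100.64.0.0/10 blackhole comment="bogon"
add dst-address=172.16.0.0/12 blackhole comment="bogon"
add dst-address=192.168.0.0/16 blackhole comment="bogon"
```

Order matters in both chains: the established/related/untracked accept comes first so only new connections are inspected, the invalid drop follows, and the final unconditional drop means any service or VLAN that is not explicitly listed is closed rather than silently reachable. Apply the MAC winbox and input rules from a port you can still reach, as rextended warns, before adding the final drop.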
