alberto464

Firewall Rules Tips

Wed Jun 15, 2022 11:41 pm

Hello,

I'm trying to protect the MikroTik as much as possible from external attacks; let me explain the situation:
I use the MikroTik as an LTE backup for the physical connection. The LTE backup works via an IoT SIM with a static public IP; this SIM also has additional public IPs.

The physical link is shown here:

[image]

My MikroTik is configured like this:
# jun/15/2022 22:34:39 by RouterOS 7.3
# software id = 3PWC-R7A2
#
# model = RBwAPR-2nD&R11e-LTE
/interface bridge
add name=bridge1 protocol-mode=none
/interface lte
set [ find ] allow-roaming=no band="" name=lte1 network-mode=3g,lte
/interface ethernet
set [ find default-name=ether1 ] arp=proxy-arp
/interface wireless
set [ find default-name=wlan1 ] ssid=MikroTik
/interface lte apn
set [ find default=yes ] apn=vodafone authentication=pap ip-type=ipv4 name=NAME use-network-apn=no user=USERNAME
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip pool
add name=dhcp-pool ranges=192.168.88.101-192.168.88.199
/ip dhcp-server
add address-pool=dhcp-pool interface=bridge1 name=dhcp
/interface bridge port
add bridge=bridge1 interface=ether1
add bridge=bridge1 interface=wlan1
/ip settings
set tcp-syncookies=yes
/ip address
add address=192.168.88.1/24 interface=bridge1 network=192.168.88.0
add address=82.134.XXX.XXX/24 interface=ether1 network=82.XXX.XXX.0
/ip dhcp-server lease
add address=192.168.88.2 client-id=1:14:49:bc:26:d7:XX comment="Router DrayTek" mac-address=14:49:BC:26:D7:XX server=dhcp
/ip dhcp-server network
add address=192.168.88.0/24 dns-server=1.1.1.1,8.8.8.8,8.8.4.4 gateway=192.168.88.1 netmask=24 ntp-server=193.204.114.232,193.204.114.233
/ip dns
set servers=8.8.8.8,1.1.1.1
/ip firewall address-list
add list=ddos-attackers
add list=ddos-target
/ip firewall filter
add action=drop chain=input dst-port=53 in-interface=lte1 protocol=tcp
add action=drop chain=input dst-port=53 in-interface=lte1 protocol=udp
add action=return chain=detect-ddos dst-limit=32,32,src-and-dst-addresses/10s
add action=add-dst-to-address-list address-list=ddos-target address-list-timeout=10m chain=detect-ddos
add action=add-src-to-address-list address-list=ddos-attackers address-list-timeout=10m chain=detect-ddos
/ip firewall nat
add action=masquerade chain=srcnat comment="Navigazione Rete Lan" out-interface=lte1 src-address=192.168.88.0/24
add action=dst-nat chain=dstnat comment="Router Draytek" dst-port=44063 protocol=tcp to-addresses=192.168.88.2 to-ports=44063
/ip firewall raw
add action=drop chain=prerouting dst-address-list=ddos-target src-address-list=ddos-attackers
/ip service
set telnet disabled=yes
set ftp disabled=yes
set www address=93.175.XXX.XXX/32,192.168.88.0/24
set ssh disabled=yes
set api disabled=yes
set winbox address=93.175.XXX.XXX/32,192.168.88.0/24
set api-ssl disabled=yes
/system clock
set time-zone-name=Europe/Rome
/system ntp client
set enabled=yes
/system ntp client servers
add address=193.204.114.232
add address=193.204.114.233
/tool sms
set port=lte1

What rules can I add to further protect the MikroTik, considering that there are no clients in the LAN other than the main router?
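As an added example (not the poster's configuration and not a MikroTik tool), the script below lints a RouterOS export for three common hardening gaps: a custom chain that no rule ever jumps to, an input chain with no catch-all drop for the WAN interface, and an enabled management service with no address restriction. It assumes the WAN is `in-interface=lte1` as in the export above, and the embedded sample is an abbreviated copy of the posted firewall and service sections.

```python
"""Lint a RouterOS '/export' for common firewall hardening gaps (added check, not a MikroTik tool)."""
import shlex
# Constructed sample: the firewall filter and service sections from the export above, abbreviated.
EXPORT = """
/ip firewall filter
add action=drop chain=input dst-port=53 in-interface=lte1 protocol=tcp
add action=drop chain=input dst-port=53 in-interface=lte1 protocol=udp
add action=return chain=detect-ddos dst-limit=32,32,src-and-dst-addresses/10s
add action=add-dst-to-address-list address-list=ddos-target address-list-timeout=10m chain=detect-ddos
/ip service
set telnet disabled=yes
set www address=93.175.XXX.XXX/32,192.168.88.0/24
set ssh disabled=yes
set winbox address=93.175.XXX.XXX/32,192.168.88.0/24
"""

def parse_export(text):
    """Return (section, tokens, params) per command line; '#' comment lines are skipped."""
    section, rows = "", []
    for line in (l.strip() for l in text.splitlines()):
        if not line or line.startswith("#"):
            continue
        if line.startswith("/"):
            section = line
            continue
        tokens = shlex.split(line)                     # handles quoted values like comment="..."
        rows.append((section, tokens, dict(t.split("=", 1) for t in tokens if "=" in t)))
    return rows

def lint(text, wan="lte1"):
    """Return human-readable findings; an empty list means none of the three checks fired."""
    rows = parse_export(text)
    flt = [p for s, t, p in rows if s == "/ip firewall filter" and t[0] == "add"]
    findings = []
    # 1. Custom chains are only reached via action=jump; an unreferenced chain is inert.
    custom = {p["chain"] for p in flt} - {"input", "forward", "output"}
    jumped = {p["jump-target"] for p in flt if p.get("action") == "jump" and "jump-target" in p}
    findings += [f"chain {c} is never jumped to, so its rules never run" for c in sorted(custom - jumped)]
    # 2. The default policy is accept, so the input chain needs a catch-all drop for the WAN.
    narrow = ("protocol", "dst-port", "src-address", "src-address-list")
    if not any(p.get("action") == "drop" and p.get("in-interface") == wan
               and not any(k in p for k in narrow) for p in flt if p["chain"] == "input"):
        findings.append(f"input chain has no catch-all drop for traffic arriving on {wan}")
    # 3. An enabled management service should be bound to an address or address list.
    for s, t, p in rows:
        if s == "/ip service" and p.get("disabled") != "yes" and "address" not in p:
            findings.append(f"service {t[1]} is enabled without an address restriction")
    return findings
```

Running `lint(EXPORT)` on the sample reports the inert detect-ddos chain and the missing catch-all input drop, while the address-restricted www and winbox services pass.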
