 
Mongoid
just joined
Topic Author
Posts: 14
Joined: Thu Nov 24, 2016 7:31 pm

Firewall filters

Tue Aug 09, 2022 4:21 am

Evenin' Folks

I have a new RB750 and an older RB2011.
There will only be 3 devices on the RB2011. I have reset it and kept the default config in winbox and I have reset it and tried quickset. It seems with the PPPoE connection picked in Quickset, it properly assigns dynamic DNS from the ISP. I had to manually enter DNS servers when adding the PPPoE manually after keeping winbox defaults, even with use peer dns checked. So I started with the defconf from quickset. I am at the point of setting up the firewall and have a few questions.
I set up the RB maybe 6 years ago using PPPoE internet with help from this forum. Not really working with ROS for so long, I am wondering what best practice might be in regards to changes in the modern configs.
I did not have fasttrack then, for example. The defconf firewall had to be changed to accommodate PPPoE but it seems OK now using interface lists.
I previously had all Bogons in a single address list and they were filtered only in the forward chain. I see in Mikrotik help>Advanced Firewall, the suggestion is to add the Bogon filter(s) in the Raw chain along with a jump to a very specific ICMP filter chain and an additional jump to a TCP flag chain. Also the Bogons are separated into 3 lists, according to type. Any advantage to multiple smaller lists?
Previously I just allowed ICMP in the input chain and didn't worry about it. Should I?
The TCP flag filter seems legit but I never had any before. Good idea? Is using the raw chain (or any chain) a good idea for these types of filters performance wise?
I am dst-natting http(s), rtsp and a couple of service ports to an NVR and a PC that remotes to employees' home networks for application support. That is it for devices on this network. No wifi.
Are there any firewall considerations I should have in this case or should the defconf suffice?
My final question is regarding a hairpin masquerade. I need to be able to check connectivity from a web portal back to the PC from the PC. Is there a danger in doing this via a hairpin masquerade if I am literally the only PC on the subnet? Is there a better way?
The RB750 will be the gateway for the rest of the devices in the house on a second ISP. I will tackle it next as I may need some help with it too and I've rambled on long enough. I appreciate any forthcoming suggestions....router wise :)

Mongoid
 
anav
Forum Guru
Posts: 18958
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Firewall filters

Tue Aug 09, 2022 5:15 am

 
Mongoid
just joined
Topic Author
Posts: 14
Joined: Thu Nov 24, 2016 7:31 pm

Re: Firewall filters

Tue Aug 16, 2022 5:52 am

Hi anav

I realize it's a late reply but thanks for pointing out a safe spot to dive into the quarry (quagmire? :) ). I have been reading, reading, reading.
Sorting through the volumes of documentation on my own was intimidating. Dates of articles mattered a lot. ROS version. Switch chip capability. Expert forum opinions differing from the wiki etc.
Your link got me down the right rabbit-hole. I am no network professional but I have a little knowledge through my work. I was having a bit of a rough go with the dynamic PPPoE/hairpin NAT to a webserver but your links got me there. As this is a secondary ISP at the house with a single subnet hosting only the webserver and an NVR, I used the Local Address "force 'em through the right door" approach. I would like to use a DHCP script to pull the WAN IP into an address list but currently my DHCP status is "searching". I'm hoping it's a time-out from the ISP from the modem reboots.

As an aside, I got the RB750gr3 thinking it would be a good device to isolate the house into VLANs without realizing not all switch chips were VLAN capable at the hardware level. Think it will still do the trick in software for <20 devices, maybe 6 VLANs?

Thanks again sir. Now back to reading.
 
anav
Forum Guru
Posts: 18958
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Firewall filters  [SOLVED]

Tue Aug 16, 2022 12:58 pm

Yes, that should work fine; mine did it for my house with more VLANs and two internet connections.
 
Mongoid
just joined
Topic Author
Posts: 14
Joined: Thu Nov 24, 2016 7:31 pm

Re: Firewall filters

Wed Aug 17, 2022 10:35 pm

One more question if you would since you have a similar setup.
Before I attempt this, addressing etc. aside, I just wanted to verify I am using the correct commands/syntax to construct the VLANs for this:
(attachment: HomeNetwork2.jpg)
/interface vlan add interface=bridge1 name=Bench vlan-id=10
/interface vlan add interface=bridge1 name=House vlan-id=20
/interface vlan add interface=bridge1 name=Office vlan-id=30
/interface vlan add interface=bridge1 name=Wifi vlan-id=40
/interface vlan add interface=bridge1 name=Gwifi vlan-id=50
/interface vlan add interface=bridge1 name=IOT vlan-id=60
/interface vlan add interface=bridge1 name=Mgmt vlan-id=99

/interface bridge port add bridge=bridge1 frame-types=admit-only-vlan-tagged ingress-filtering=yes interface=ether2
/interface bridge port add bridge=bridge1 frame-types=admit-only-vlan-tagged ingress-filtering=yes interface=ether3
/interface bridge port add bridge=bridge1 frame-types=admit-only-untagged-and-priority-tagged pvid=10 interface=ether4

/interface bridge vlan add bridge=bridge1 tagged=bridge1,ether2,ether3 vlan-ids=10,20,30,40,50,60,99
Or have I completely misunderstood?
 
anav
Forum Guru
Posts: 18958
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Firewall filters

Wed Aug 17, 2022 11:06 pm

Looking good thus far.......
The TP-Link smart switches get IP addresses (set manually is best) on the management VLAN, and set to static lease on the MikroTik of course.

You can use ingress-filtering=yes for access ports, not just trunk ports, aka:
/interface bridge port add bridge=bridge1 frame-types=admit-only-untagged-and-priority-tagged pvid=10 interface=ether4 ingress-filtering=yes


For /interface bridge vlan you can combine vlan-ids on the same line if all the noted ether ports have identical requirements.

This is not the case so you need to break it down a little bit more.

/interface bridge vlan
add bridge=bridge1 tagged=bridge1,ether2,ether3 untagged=ether4 vlan-ids=10
add bridge=bridge1 tagged=bridge1,ether2,ether3 vlan-ids=20,30,40,50,60,99 (none of these VLANs go on ether4)
 
Mongoid
just joined
Topic Author
Posts: 14
Joined: Thu Nov 24, 2016 7:31 pm

Re: Firewall filters

Thu Aug 18, 2022 1:00 am

Awesome.

So for the /interface bridge vlan:
If all the ports were trunk that would have been OK, but you have to specify a single ID per line if there's an access port in the mix?
So supposing there were 2 access ports here, it would require yet another additional line like this?:
/interface bridge vlan
add bridge=bridge1 tagged=bridge1,ether2,ether3 untagged=ether4 vlan-ids=10
add bridge=bridge1 tagged=bridge1,ether2,ether3 untagged=ether5 vlan-ids=20
add bridge=bridge1 tagged=bridge1,ether2,ether3 vlan-ids=20,30,40,50,60,99
I think I made some incorrect assumptions about ingress-filtering. I will read that more carefully.

Thanks man,

I appreciate your time and experience.
 
anav
Forum Guru
Posts: 18958
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Firewall filters

Thu Aug 18, 2022 2:20 am

Almost... follow the logic through.
The mistake (highlighted in yellow in the original post):
add bridge=bridge1 tagged=bridge1,ether2,ether3 vlan-ids=20,30,40,50,60,99


/interface bridge vlan
add bridge=bridge1 tagged=bridge1,ether2,ether3 untagged=ether4 vlan-ids=10
add bridge=bridge1 tagged=bridge1,ether2,ether3 untagged=ether5 vlan-ids=20
add bridge=bridge1 tagged=bridge1,ether2,ether3 vlan-ids=30,40,50,60,99
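The error anav points out above (VLAN 20 listed once with untagged=ether5 and again on the trunk-only line, so bridge1, ether2 and ether3 end up as tagged members of VLAN 20 twice) is easy to make by hand and easy to catch mechanically. The following is an added example, not code from the thread or from MikroTik: a small Python linter that parses `/interface bridge port` and `/interface bridge vlan` lines in RouterOS export syntax and reports (a) any port that appears more than once for the same VLAN ID, (b) any access port whose pvid has no matching untagged entry, (c) any access port without ingress-filtering=yes (the point anav raised earlier), and (d) any tagged-only trunk port that is listed as untagged somewhere. The sample configurations embedded below are constructed from the lines in this thread; the function and variable names are my own.

```python
import re
from collections import defaultdict

# Constructed sample: bridge port definitions from the thread, with anav's
# suggestion of ingress-filtering=yes on the access ports applied, plus a
# second access port (ether5, pvid 20) as in the follow-up question.
PORTS = """
/interface bridge port add bridge=bridge1 frame-types=admit-only-vlan-tagged ingress-filtering=yes interface=ether2
/interface bridge port add bridge=bridge1 frame-types=admit-only-vlan-tagged ingress-filtering=yes interface=ether3
/interface bridge port add bridge=bridge1 frame-types=admit-only-untagged-and-priority-tagged pvid=10 interface=ether4 ingress-filtering=yes
/interface bridge port add bridge=bridge1 frame-types=admit-only-untagged-and-priority-tagged pvid=20 interface=ether5 ingress-filtering=yes
"""

# Constructed sample: the mistaken table (VLAN 20 defined twice).
VLANS_WRONG = """
/interface bridge vlan
add bridge=bridge1 tagged=bridge1,ether2,ether3 untagged=ether4 vlan-ids=10
add bridge=bridge1 tagged=bridge1,ether2,ether3 untagged=ether5 vlan-ids=20
add bridge=bridge1 tagged=bridge1,ether2,ether3 vlan-ids=20,30,40,50,60,99
"""

# Constructed sample: the corrected table from anav's reply.
VLANS_RIGHT = """
/interface bridge vlan
add bridge=bridge1 tagged=bridge1,ether2,ether3 untagged=ether4 vlan-ids=10
add bridge=bridge1 tagged=bridge1,ether2,ether3 untagged=ether5 vlan-ids=20
add bridge=bridge1 tagged=bridge1,ether2,ether3 vlan-ids=30,40,50,60,99
"""

KV = re.compile(r"(\S+?)=(\S+)")  # key=value tokens on a RouterOS line


def parse_kv(line):
    """Return the key=value pairs of one RouterOS command line as a dict."""
    return dict(KV.findall(line))


def parse_ports(text):
    """Map interface name -> its bridge port settings."""
    ports = {}
    for line in text.strip().splitlines():
        if "/interface bridge port" in line:
            kv = parse_kv(line)
            ports[kv["interface"]] = kv
    return ports


def parse_vlans(text):
    """Return one dict per 'add ...' line of the bridge VLAN table."""
    entries = []
    for line in text.strip().splitlines():
        line = line.strip()
        if not line.startswith("add "):
            continue
        kv = parse_kv(line)
        entries.append({
            "tagged": set(filter(None, kv.get("tagged", "").split(","))),
            "untagged": set(filter(None, kv.get("untagged", "").split(","))),
            "vlan_ids": {int(v) for v in kv["vlan-ids"].split(",")},
        })
    return entries


def lint(ports_text, vlans_text):
    """Return a list of human-readable problems; an empty list means clean."""
    ports = parse_ports(ports_text)
    entries = parse_vlans(vlans_text)
    problems = []

    # membership[(port, vid)] -> roles in which that port carries that VLAN
    membership = defaultdict(list)
    for e in entries:
        for vid in e["vlan_ids"]:
            for p in e["tagged"]:
                membership[(p, vid)].append("tagged")
            for p in e["untagged"]:
                membership[(p, vid)].append("untagged")

    # (a) a port must appear at most once per VLAN ID across the whole table
    for (p, vid), roles in sorted(membership.items()):
        if len(roles) > 1:
            problems.append(f"{p} listed {len(roles)}x for vlan {vid} ({'/'.join(roles)})")

    for name, kv in ports.items():
        frame_types = kv.get("frame-types", "admit-all")
        pvid = int(kv.get("pvid", "1"))
        if frame_types == "admit-only-untagged-and-priority-tagged":
            # (b) access port: its pvid needs an untagged entry
            if "untagged" not in membership.get((name, pvid), []):
                problems.append(f"{name}: pvid {pvid} has no untagged bridge vlan entry")
            # (c) access port should also drop frames for VLANs it is not in
            if kv.get("ingress-filtering") != "yes":
                problems.append(f"{name}: ingress-filtering not enabled")
        elif frame_types == "admit-only-vlan-tagged":
            # (d) trunk port must not be an untagged member of anything
            for (p, vid), roles in membership.items():
                if p == name and "untagged" in roles:
                    problems.append(f"{name}: trunk port listed untagged for vlan {vid}")
    return problems


if __name__ == "__main__":
    for label, table in (("wrong", VLANS_WRONG), ("right", VLANS_RIGHT)):
        print(label, lint(PORTS, table) or "OK")
```

Running it reports three duplicate memberships (bridge1, ether2 and ether3, each twice for VLAN 20) for the first table and nothing for the corrected one. The same check is worth running before pasting any hand-written bridge VLAN table into a router, since a VLAN ID that leaks onto a port it was not meant to be on is a segmentation failure that no firewall rule on the router will see.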
 
Mongoid
just joined
Topic Author
Posts: 14
Joined: Thu Nov 24, 2016 7:31 pm

Re: Firewall filters

Thu Aug 18, 2022 3:17 am

Lol...I see what I did there :)
