aomu
just joined
Topic Author
Posts: 21
Joined: Mon Feb 25, 2013 4:42 pm

Beginner question on firewall rule(s)

Fri Jan 06, 2023 12:17 am

Dear community,

I'm trying to accomplish the following:

A MikroTik router holds a WireGuard tunnel; it's up and running. I'm trying to create a firewall rule which does the following:
  • All connections from the local networks to the remote network on the other side of the tunnel should be possible.
  • It should not be possible to create any connections from the remote network to any local network.
The local networks are in the list called "Intranet Networks". The network 192.168.20.0/24 is one of them.
The remote network is 192.168.10.0/24.

Will the following rule do the trick, or is it absolutely incorrect?
add action=drop chain=forward comment="Drop connections from remote network" \
    connection-state=!established dst-address-list="Intranet Networks" \
    in-interface=MyWireGuardInterface
And the following part would make an exception from the rule above, if one host on the remote side should be able to connect to some local host. This rule must be placed prior to the "forbidding" rule.
add action=accept chain=forward comment="Sample allow connections from remote network" \
    dst-address=192.168.20.11 in-interface=MyWireGuardInterface src-address=192.168.10.2
Is this approach okay?
 
anav
Forum Guru
Posts: 19352
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Beginner question on firewall rule(s)

Fri Jan 06, 2023 12:25 am

Who can say.
You need to post the entire config, many moving parts are related.
I am not going to play whack-a-mole chasing them; please post the entire config.

/export file=anynameyouwish ( minus router serial # and any public WANIP information )
 
aomu
just joined
Topic Author
Posts: 21
Joined: Mon Feb 25, 2013 4:42 pm

Re: Beginner question on firewall rule(s)

Fri Jan 06, 2023 11:43 am

You need to post the entire config, many moving parts are related.
Here is the [almost] full config. I omitted the WiFi parts.
/interface bridge
add name=bridge-dmz
add name=bridge-lan
add name=bridge-wlan
/interface wireguard
add listen-port=some_port mtu=1420 name=wg-office
/ip pool
add name=local-dhcp-pool ranges=192.168.60.101-192.168.60.229
/ip dhcp-server
add address-pool=local-dhcp-pool authoritative=after-2sec-delay interface=\
    bridge-wlan lease-time=22h name=dhcp-wlan
/interface bridge port
add bridge=bridge-dmz ingress-filtering=no interface=ether2
add bridge=bridge-lan ingress-filtering=no interface=ether1
add bridge=bridge-wlan ingress-filtering=no interface=wlan-nv-2
add bridge=bridge-wlan ingress-filtering=no interface=wlan-nv-5
add bridge=bridge-lan ingress-filtering=no interface=ether4
add bridge=bridge-wlan ingress-filtering=no interface=wlan-temp
/ip firewall connection tracking
set udp-timeout=20s
/ipv6 settings
set disable-ipv6=yes
/interface wireguard peers
add allowed-address=192.168.4.0/30,192.168.10.0/24 endpoint-address=\
    some_public_ip_address endpoint-port=some_port interface=wg-office public-key=\
    some_public_key
/ip address
add address=192.168.20.252/24 interface=bridge-lan network=192.168.20.0
add address=192.168.60.1/24 interface=bridge-wlan network=192.168.60.0
add address=192.168.178.4/24 interface=bridge-dmz network=192.168.178.0
add address=192.168.4.1/30 interface=wg-office network=192.168.4.0
/ip dhcp-server network
add address=192.168.60.0/24 dns-server=192.168.60.1 domain=some.domain.lan \
    gateway=192.168.60.1
/ip dns
set allow-remote-requests=yes servers=8.8.8.8,8.8.4.4
/ip firewall address-list
add address=192.168.20.0/24 comment=LAN list="Intranet Networks"
add address=192.168.60.0/24 comment=WiFi list="Intranet Networks"
/ip firewall filter
add action=accept chain=input comment="Accept pings" protocol=icmp
add action=accept chain=input comment="Accept established connections" \
    connection-state=established
add action=accept chain=input comment="Accept related connections" \
    connection-state=related
add action=accept chain=forward comment=\
    "Sample allow connections from remote network" disabled=yes dst-address=\
    192.168.20.11 dst-port=22 in-interface=wg-office protocol=tcp \
    src-address=192.168.10.2
add action=drop chain=forward comment="Drop connections from Hetzner network" \
    connection-state=!established dst-address-list="Intranet Networks" \
    in-interface=wg-office
/ip firewall nat
add action=masquerade chain=srcnat comment=\
    "Outgoing traffic from WiFi to LAN + Internet" out-interface=bridge-lan
add action=passthrough chain=srcnat comment=\
    "Outgoing traffic from LAN to WiFi" out-interface=bridge-wlan
add action=masquerade chain=srcnat comment="Outgoing traffic from LAN to DMZ" \
    out-interface=bridge-dmz
add action=masquerade chain=srcnat comment="Outgoing traffic from LAN to WAN" \
    out-interface=wg-office
/ip route
add disabled=no dst-address=0.0.0.0/0 gateway=192.168.20.254
add disabled=no distance=1 dst-address=192.168.10.0/24 gateway=192.168.4.2 \
    pref-src="" routing-table=main scope=30 suppress-hw-offload=no \
    target-scope=10
/system clock
set time-zone-name=Europe/Berlin
/system ntp client
set enabled=yes
/system ntp client servers
add address=ptbtime1.ptb.de
add address=ptbtime2.ptb.de
add address=ptbtime3.ptb.de
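The following is an added Python model of the forward chain from the config above (not RouterOS code and not from the thread) that walks packets through the two rules with first-match semantics and the chain's default accept. It assumes the disabled "Sample allow" rule is enabled, and it shows two things the rules alone do not spell out: connection-state=!established also drops "related" packets arriving from the remote side, and only destinations in the "Intranet Networks" list are protected, so the DMZ subnet 192.168.178.0/24 is not.

```python
import ipaddress

# Address list and forward-chain rules transcribed from the posted config.
# The "Sample allow" rule is assumed enabled here so the exception can be exercised.
ADDRESS_LISTS = {"Intranet Networks": ["192.168.20.0/24", "192.168.60.0/24"]}
FORWARD_RULES = [
    {"action": "accept", "in-interface": "wg-office", "protocol": "tcp",
     "src-address": "192.168.10.2", "dst-address": "192.168.20.11", "dst-port": 22},
    {"action": "drop", "in-interface": "wg-office",
     "connection-state": "!established", "dst-address-list": "Intranet Networks"},
]
PKT_FIELD = {"in-interface": "iface", "protocol": "proto", "dst-port": "dport"}

def in_net(ip, nets):
    """True if ip falls inside any of the given prefixes (a bare host is a /32)."""
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(n, strict=False) for n in nets)

def rule_matches(rule, pkt):
    """All matchers listed in a rule must hold; RouterOS ANDs them together."""
    for key, want in rule.items():
        if key == "action":
            continue
        if key == "src-address":
            ok = in_net(pkt["src"], [want])
        elif key == "dst-address":
            ok = in_net(pkt["dst"], [want])
        elif key == "dst-address-list":
            ok = in_net(pkt["dst"], ADDRESS_LISTS[want])
        elif key == "connection-state":
            # "!established" matches every other state: new, related, untracked
            ok = (pkt["state"] != want[1:]) if want.startswith("!") else (pkt["state"] == want)
        else:
            ok = pkt.get(PKT_FIELD[key]) == want
        if not ok:
            return False
    return True

def forward(iface, src, dst, state, proto="udp", dport=None):
    """First matching rule decides; a packet no rule matches is accepted (chain default)."""
    pkt = {"iface": iface, "src": src, "dst": dst, "state": state, "proto": proto, "dport": dport}
    for rule in FORWARD_RULES:
        if rule_matches(rule, pkt):
            return rule["action"]
    return "accept"

if __name__ == "__main__":
    print(forward("wg-office", "192.168.10.5", "192.168.20.50", "new", "tcp", 445))   # drop
    print(forward("bridge-lan", "192.168.20.50", "192.168.10.5", "new", "tcp", 443))  # accept
    print(forward("wg-office", "192.168.10.5", "192.168.20.50", "established"))        # accept
    print(forward("wg-office", "192.168.10.2", "192.168.20.11", "new", "tcp", 22))     # accept
    print(forward("wg-office", "192.168.10.5", "192.168.20.50", "related", "icmp"))    # drop
    print(forward("wg-office", "192.168.10.5", "192.168.178.10", "new", "tcp", 80))    # accept
```

The "related" case is worth checking on the real router: ICMP error packets tied to a LAN-initiated connection are "related", not "established", so this rule drops them unless an accept for related is placed above it.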