Edison
Topic Author
Joined: Sun Jan 22, 2023 10:30 pm

RouterOS v7.5, Firewall, Router RB4011iGS+5HacQ2HnD

Wed Jan 25, 2023 3:25 pm

Hello MikroTik router experts. I am writing from the Czech Republic (Europe); I am 60 years old. I am constantly busy educating myself in IT, computers and networks. I bought two MikroTiks because I know that these routers are simply the best. I wouldn't even want another router.

This router, an RB4011iGS+5HacQ2HnD (RouterOS v7.5), serves as the only main router in my home network; I don't even need any AP for it. I don't really care about Wi-Fi, but I do provide Wi-Fi for sub-tenants. I have another MikroTik router, an RB962UiGS-5HacT2HnT (RouterOS v7.5), which I use for various experiments: Quick Set in different modes, AP, wireless connection to the main router, testing a second NAT, OpenVPN, etc. On the main MikroTik (RB4011) I have two networks, one for my family and the other for sub-tenants. I disabled access to the first network from the second network. From the first network I allowed access to the second network, just to check ping and whether the internet is working.

Please, would anyone here be willing to check the firewall settings on my RB4011-Wifi router, whether I have the firewall set up correctly, or suggest a better solution? I have a public IP address on the router; the ISP's device (a Huawei GPON/ONT) is in bridge mode. I have WireGuard VPN set up on the router and it works very well. From a remote network I can connect to the home network and view shared files on the home PC (data disk), use remote desktop as if on the local network, etc.

I am most interested in the rules that block access to the router from outside (input) and forward. When I make the settings according to the instructions, the drop rules log packets, which annoys me, but when I set the negated form (! not + invalid + new), no packets are logged, like the calm before or after a storm. Those logged packets are probably just bots looking for holes in networks..??? Maybe it can be ignored and the log not turned on?

Is it possible to use the drop rule like this? Or is it a bug and such a rule doesn't work at all?

https://ctrlv.cz/HJvM


NAT: here (RB4011-Wifi) I have it set up so that from WireGuard I can reach the shared files on the home network, together with the forward rules. It doesn't work without the WG NAT rules.

I have a few questions:

1. Is there any difference in firewall settings between RouterOS v6 and v7?

2. The basic and advanced settings seem unnecessarily excessive to me. I don't use IPv6 and I don't want it. Firewall RAW as the primary protection, is it necessary?

https://help.mikrotik.com/docs/display/ ... t+Firewall

https://help.mikrotik.com/docs/display/ ... d+Firewall

https://help.mikrotik.com/docs/pages/vi ... d=28606504

Basic:
/ip firewall filter
add action=accept chain=input comment="default configuration" connection-state=established,related

Advanced:
/ip firewall filter
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked

Advanced -> + "untracked"... ??? Why?

3. Can another MikroTik router be used as a switch without a DHCP client? Then I just won't see its IP address on the main router? Can the router's bridge be assigned an IP address?

4. Can other routers in the MikroTik series be used as APs, arranged one behind the other, each AP connected in series by cable to the previous router (big building), without each one being connected directly to the main router by its own cable? Wi-Fi with the same SSID, just a different channel, right? And all ports (including wlan1/wlan2, just with different Wi-Fi names (2.4 GHz/5 GHz) and passwords than on the main router) in the bridge, and the bridge as a DHCP client?

5. After every restart of the MikroTik router there is a critical error about unsynchronized time in the terminal and in the log. Can it be fixed somehow so that the system doesn't write a critical error? The time on the router always synchronizes correctly even after a restart.

Thank you for any answers and attention. Please excuse my bad English.

Edison

Configuration Router RB4011-Wifi

# jan/24/2023 21:19:40 by RouterOS 7.5
# software id = XXXXXXX
#
# model = RB4011iGS+5HacQ2HnD
# serial number = XXXXXXXX

/interface bridge
add admin-mac=Other_changed_MAC auto-mac=no name=bridge1
add admin-mac=Other_changed_MAC auto-mac=no name=bridge2

/interface ethernet
set [ find default-name=ether2 ] disabled=yes
set [ find default-name=ether3 ] disabled=yes
set [ find default-name=ether4 ] disabled=yes
set [ find default-name=ether5 ] disabled=yes
set [ find default-name=ether6 ] disabled=yes
set [ find default-name=sfp-sfpplus1 ] disabled=yes

/interface wireguard
add listen-port=5XXXX mtu=1420 name=wireguard1_Mobil
add listen-port=5XXXX mtu=1420 name=wireguard2_PC

/interface list
add name=WAN
add name=LAN

/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
add authentication-types=wpa2-psk eap-methods="" mode=dynamic-keys name=2G \
supplicant-identity=""
add authentication-types=wpa2-psk eap-methods="" mode=dynamic-keys name=5G \
supplicant-identity=""

/interface wireless
set [ find default-name=wlan1 ] band=5ghz-a/n/ac channel-width=\
20/40/80mhz-eeeC country="czech republic" disable-running-check=yes \
disabled=no distance=indoors frequency=auto installation=indoor mode=\
ap-bridge name=wlan1_5GHz security-profile=5G skip-dfs-channels=all ssid=\
MKT_5G wireless-protocol=802.11 wmm-support=enabled wps-mode=disabled
set [ find default-name=wlan2 ] band=2ghz-g/n country="czech republic" \
disable-running-check=yes disabled=no distance=indoors frequency=2467 \
installation=indoor mode=ap-bridge name=wlan2_2GHz security-profile=2G \
ssid=RB1 tx-power=29 tx-power-mode=all-rates-fixed wds-mode=dynamic-mesh \
wireless-protocol=802.11 wmm-support=enabled wps-mode=disabled

/ip pool
add name=dhcp_pool1 ranges=10.16.27.2-10.16.27.100
add name=dhcp_pool2 ranges=10.16.28.2-10.16.28.100
/ip dhcp-server
add add-arp=yes address-pool=dhcp_pool1 interface=bridge1 name=dhcp1
add add-arp=yes address-pool=dhcp_pool2 always-broadcast=yes interface=\
bridge2 name=dhcp2

/port
set 0 name=serial0
set 1 name=serial1

/interface bridge filter
add action=drop chain=input comment="Block access NET User PC-Name Example" \
disabled=yes in-bridge=bridge1 src-mac-address=\
XX:XX:XX:XX:XX:XX/FF:FF:FF:FF:FF:FF

/interface bridge port
add bridge=bridge1 interface=ether6
add bridge=bridge1 interface=ether7
add bridge=bridge1 interface=ether8
add bridge=bridge2 interface=ether9
add bridge=bridge2 interface=ether10
add bridge=bridge1 interface=wlan1_5GHz
add bridge=bridge2 interface=wlan2_2GHz

/ip neighbor discovery-settings
set discover-interface-list=none

/ip settings
set tcp-syncookies=yes

/ipv6 settings
set disable-ipv6=yes forward=no

/interface list member
add interface=bridge1 list=LAN
add interface=ether1 list=WAN
add interface=bridge2 list=LAN
add interface=wireguard1_Mobil list=LAN
add interface=wireguard2_PC list=LAN

/interface wireguard peers
add allowed-address=10.X.X.X/32 interface=wireguard1_Mobil public-key=\
"IrelevantInfo"
add allowed-address=10.X.X.X/32 interface=wireguard2_PC public-key=\
"IrelevantInfo="

/ip address
add address=10.16.27.1/24 interface=bridge1 network=10.16.27.0
add address=10.16.28.1/24 interface=bridge2 network=10.16.28.0
add address=10.X.20.1/24 interface=wireguard1_Mobil network=10.X.20.0
add address=10.X.40.1/24 interface=wireguard2_PC network=10.X.40.0
***Here ether1 (WAN) gets the public IP address from the ISP's DHCP server - 80.X.X.X/27
The ISP's device, a Huawei router (GPON/ONT), is in bridge mode

/ip cloud
set update-time=no

/ip dhcp-client
add interface=ether1 use-peer-dns=no use-peer-ntp=no

/ip dhcp-server lease
add address=10.16.27.27 client-id=ID_XXX comment=PC-Name \
mac-address=XXXXXXXXX server=dhcp1
add address=10.16.27.16 client-id=ID_XXX comment=PC-Name \
mac-address=XXXXXXXXX server=dhcp1
add address=10.16.27.17 client-id=ID_XXX comment=Name_Mobil_5G_LAN1 \
mac-address=XXXXXXXXX server=dhcp1
add address=10.16.27.60 client-id=ID_XXX comment=Name_Mobil_5G_LAN1 \
mac-address=XXXXXXXXX server=dhcp1
add address=10.16.28.60 client-id=ID_XXX comment=Name_Mobil_LAN2 \
mac-address=XXXXXXXXX server=dhcp2
***The remaining leases are omitted, nothing relevant there

/ip dhcp-server network
add address=10.16.27.0/24 dns-server=1.1.1.1,1.0.0.1 gateway=10.16.27.1 \
netmask=24 ntp-server=195.113.144.238,195.113.144.201
add address=10.16.28.0/24 dns-server=1.1.1.1,1.0.0.1 gateway=10.16.28.1 \
netmask=24 ntp-server=195.113.144.238,195.113.144.201

/ip dns
set servers=1.1.1.1,1.0.0.1

/ip firewall address-list
add address=0.0.0.0/8 comment=RFC6890 list=NotPublic
add address=10.0.0.0/8 comment=RFC6890 list=NotPublic
add address=100.64.0.0/10 comment=RFC6890 list=NotPublic
add address=127.0.0.0/8 comment=RFC6890 list=NotPublic
add address=169.254.0.0/16 comment=RFC6890 list=NotPublic
add address=172.16.0.0/12 comment=RFC6890 list=NotPublic
add address=192.0.0.0/24 comment=RFC6890 list=NotPublic
add address=192.0.2.0/24 comment=RFC6890 list=NotPublic
add address=192.168.0.0/16 comment=RFC6890 list=NotPublic
add address=192.88.99.0/24 comment=RFC3068 list=NotPublic
add address=198.18.0.0/15 comment=RFC6890 list=NotPublic
add address=198.51.100.0/24 comment=RFC6890 list=NotPublic
add address=203.0.113.0/24 comment=RFC6890 list=NotPublic
add address=224.0.0.0/4 comment=RFC4601 list=NotPublic
add address=240.0.0.0/4 comment=RFC6890 list=NotPublic
add list=ddos-attackers
add list=ddos-target
add list=ddos-targets
add address=10.16.27.2-10.16.27.100 comment=LAN list=allowed-to-router
add address=10.16.28.2-10.16.28.100 comment=LAN2 list=allowed-to-router
add address=10.X.20.2 comment=WG-Mobil list=allowed-to-router
add address=10.X.40.2 comment=WG-PC list=allowed-to-router

/ip firewall filter
add action=accept chain=input comment="Accept established, related" \
connection-state=established,related
add action=accept chain=input comment=ICMP protocol=icmp
add action=accept chain=input comment="Allowed to Router LAN" \
src-address-list=allowed-to-router
add action=accept chain=input comment=WinBox dst-port=5XXXX log=yes protocol=\
tcp
add action=accept chain=input comment="NTP client/server" connection-state=\
new dst-port=123 in-interface-list=LAN log=yes protocol=udp src-address=\
195.113.144.201
add action=accept chain=input comment="NTP client/server" connection-state=\
new dst-port=123 in-interface-list=LAN log=yes protocol=udp src-address=\
195.113.144.238
add action=accept chain=input comment=WireGuard_Mobil dst-port=5XXXX \
protocol=udp
add action=accept chain=input comment="Accept Input LAN" connection-state=\
established,related in-interface-list=LAN
add action=accept chain=input comment=WireGuard_PC dst-port=5XXXX protocol=\
udp
add action=accept chain=input comment="Allow LAN DNS queries - TCP" \
connection-state=new dst-port=53 in-interface-list=LAN log=yes protocol=\
tcp
add action=accept chain=input comment="Allow LAN DNS queries-UDP" \
connection-state=new dst-port=53 in-interface-list=LAN log=yes protocol=\
udp
add action=accept chain=input comment="Allow LAN DHCP queries-UDP" \
connection-state=new dst-port=67 in-interface-list=LAN protocol=udp
add action=drop chain=input comment="Drop not comming from LAN" \
connection-state=!invalid,new dst-address-type="" in-interface-list=!LAN \
log=yes
add action=drop chain=input comment="Drop not public network" \
connection-state=!invalid,new in-interface=ether1 log=yes \
src-address-list=NotPublic
add action=drop chain=input comment="Drop All Rest" connection-state=\
!invalid,new dst-address-type="" log=yes
add action=fasttrack-connection chain=forward comment=\
"Fast-track for established,related" connection-state=established,related \
hw-offload=yes
add chain=forward comment="Accept established and related packets" \
connection-state=established,related
add action=accept chain=forward comment="NET LAN" in-interface-list=LAN \
out-interface-list=WAN
add action=accept chain=forward comment=WireGuard_Mobil_To_LAN dst-address=\
10.16.27.0/24 src-address=10.X.20.2
add action=accept chain=forward comment="LAN to WireGuard_Mobil" dst-address=\
10.X.20.2 src-address=10.16.27.0/24
add action=accept chain=forward comment=WireGuard_PC_To_LAN dst-address=\
10.16.27.0/24 src-address=10.X.40.2
add action=accept chain=forward comment="LAN to WireGuard_PC" dst-address=\
10.X.40.2 src-address=10.16.27.0/24
add action=accept chain=forward comment=WireGuard_Mobil_To_LAN2 dst-address=\
10.16.28.0/24 src-address=10.X.20.2
add action=accept chain=forward comment=WireGuard_PC_To_LAN2 dst-address=\
10.16.28.0/24 src-address=10.X.40.2
add action=accept chain=forward comment="LAN To_LAN2" dst-address=\
10.16.28.0/24 src-address=10.16.27.0/24
add action=accept chain=forward comment="LAN2_Name_Mobil To_LAN2" dst-address=\
10.16.27.0/24 src-address=10.16.28.60
add action=drop chain=forward comment="Drop invalid packets" \
connection-state=!invalid,new
add action=drop chain=forward comment=\
"Drop new from internet WAN / not dst-natted" connection-nat-state=\
!dstnat connection-state=new in-interface=ether1
add action=drop chain=forward comment=\
"Drop all packets from internet that are not from a public network" in-interface=\
ether1 src-address-list=NotPublic
add action=drop chain=forward comment="Drop in WAN Invalid" connection-state=\
invalid in-interface=ether1
add action=drop chain=forward comment="Drop all that not from LAN" \
in-interface=bridge1 src-address=!10.16.27.0/24
add action=drop chain=forward comment="Drop all that not from LAN2" \
in-interface=bridge2 log=yes src-address=!10.16.28.0/24
add action=drop chain=forward comment="Drop all that not from WG_Mobil" \
in-interface=wireguard1_Mobil src-address=!10.X.20.0/24
add action=drop chain=forward comment="Drop all that not from WG_PC" \
in-interface=wireguard2_PC src-address=!10.X.40.0/24
add action=drop chain=forward comment="LAN2 not to LAN" dst-address=\
10.16.27.0/24 log=yes src-address=10.16.28.0/24
add action=drop chain=forward comment=LAN2_NOT_To_WG_Mobil dst-address=\
10.X.20.0/24 src-address=10.16.28.0/24
add action=drop chain=forward comment=LAN2_NOT_To_WG_PC dst-address=\
10.X.40.0/24 src-address=10.16.28.0/24
add action=drop chain=forward comment="Drop Forward Rest" connection-state=\
!invalid,new,untracked
add action=return chain=detect-ddos connection-state=!new dst-limit=\
32,32,src-and-dst-addresses/10s log=yes
add action=add-dst-to-address-list address-list=ddos-target \
address-list-timeout=10m chain=detect-ddos log=yes
add action=add-src-to-address-list address-list=ddos-attackers \
address-list-timeout=10m chain=detect-ddos log=yes
add action=jump chain=forward connection-state=new jump-target=detect-ddos \
log=yes
add action=return chain=detect-ddos dst-limit=32,32,src-and-dst-addresses/10s \
log=yes
add action=add-dst-to-address-list address-list=ddos-target \
address-list-timeout=10m chain=detect-ddos
add action=add-src-to-address-list address-list=ddos-attackers \
address-list-timeout=10m chain=detect-ddos
add action=return chain=detect-ddos dst-limit=32,32,src-and-dst-addresses/10s \
protocol=tcp tcp-flags=syn,ack

/ip firewall nat
add action=masquerade chain=srcnat comment=Masquerade out-interface-list=WAN
add action=masquerade chain=srcnat comment="Masquerade LAN_To_LAN2" \
out-interface=bridge2 src-address=10.16.27.0/24
add action=masquerade chain=srcnat comment="Masquerade LAN2_Name_Mobil_To_LAN" \
out-interface=bridge1 src-address=10.16.28.60
add action=masquerade chain=srcnat comment="Masquerade WireGuard_Mobil" \
out-interface=bridge1 src-address=10.X.20.2
add action=masquerade chain=srcnat comment="Masquerade WireGuard_Mobil" \
out-interface=bridge2 src-address=10.X.20.2
add action=masquerade chain=srcnat comment="Masquerade WireGuard_PC" \
out-interface=bridge1 src-address=10.X.40.2
add action=masquerade chain=srcnat comment="Masquerade WireGuard_PC" \
out-interface=bridge2 src-address=10.X.40.2

/ip firewall raw
add action=drop chain=prerouting comment=DDoS dst-address-list=ddos-target \
src-address-list=ddos-attackers
add action=drop chain=prerouting comment=DDoS dst-address-list=ddos-targets \
src-address-list=ddos-attackers

/ip firewall service-port
set ftp disabled=yes
set tftp disabled=yes
set h323 disabled=yes
set sip disabled=yes
set pptp disabled=yes

/ip service
set telnet disabled=yes
set ftp disabled=yes
set www disabled=yes
set ssh disabled=yes
set api disabled=yes
set winbox port=5XXXX
set api-ssl disabled=yes

/ip smb
set allow-guests=no

/ip ssh
set strong-crypto=yes

/system clock
set time-zone-name=Europe/Prague

/system identity
set name=RB1

/system leds
add interface=*D leds="wlan2_2GHz_signal1-led,wlan2_2GHz_signal2-led,wlan2_2GH\
z_signal3-led,wlan2_2GHz_signal4-led,wlan2_2GHz_signal5-led" type=\
wireless-signal-strength
add interface=*D leds=wlan2_2GHz_tx-led type=interface-transmit
add interface=*D leds=wlan2_2GHz_rx-led type=interface-receive

/system ntp client
set enabled=yes
/system ntp server
set enabled=yes manycast=yes
/system ntp client servers
add address=tik.cesnet.cz
add address=tak.cesnet.cz

/system scheduler
add interval=2h name=WAN_renew on-event=\
"/ ip dhcp-client renew [find interface=ether1]" policy=\
ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon \
start-date=no/relevant/info start-time=18:00:00

/system script
add dont-require-permissions=no name=WOL_Name owner=Name policy=\
ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon source=\
"tool wol interface=bridge1 mac=XXXXXXXX"
add dont-require-permissions=no name=WOL_Name owner=Name policy=\
ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon source=\
"tool wol interface=bridge1 mac=XXXXXXXX"
add dont-require-permissions=no name=WAN_renew owner=Name policy=\
ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon source=\
"/ ip dhcp-client renew [find interface=ether1]"

/system watchdog
set automatic-supout=no watchdog-timer=no
/tool bandwidth-server
set authenticate=no enabled=no

/tool mac-server
set allowed-interface-list=none
/tool mac-server mac-winbox
set allowed-interface-list=none
/tool mac-server ping
set enabled=no
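The following is a toy evaluator added as an example here; it is not part of Edison's post and not MikroTik's own code. It addresses the input-chain question above (why the drop rules with "connection-state=!invalid,new" log nothing). It assumes the RouterOS filter semantics as I understand them: the first matching rule wins, a packet that reaches the end of a chain without matching is accepted, and a negated multi-value matcher such as "connection-state=!invalid,new" matches only packets whose state is none of the listed values. It runs a compressed version of the posted input chain and a variant ordered like the default configuration (drop invalid, then drop everything not from the LAN list) against constructed packets. The LAN interface list and the allowed-to-router ranges are simplified from the export, and port 51820 is a placeholder for the post's 5XXXX.

```python
"""Toy model of how RouterOS walks an /ip firewall filter chain (added example).

Assumptions (see lead-in): first match wins, end of chain = accept, and a
negated multi-value matcher (connection-state=!invalid,new) matches a packet
whose state is NONE of the listed values.  Port 51820 stands in for the
post's 5XXXX; LAN membership and allowed-to-router are simplified.
"""
from dataclasses import dataclass
from typing import Optional
import ipaddress

LAN_LIST = {"bridge1", "bridge2", "wireguard1_Mobil", "wireguard2_PC"}
ALLOWED_TO_ROUTER = [ipaddress.ip_network(n)
                     for n in ("10.16.27.0/24", "10.16.28.0/24")]
WG_PORT = 51820  # placeholder for the post's 5XXXX


@dataclass
class Packet:
    in_iface: str
    src: str
    state: str            # new | established | related | invalid | untracked
    proto: str = "tcp"
    dst_port: int = 0


@dataclass
class Rule:
    action: str
    comment: str
    states: frozenset = frozenset()    # empty = match any state
    negate_states: bool = False        # the "!" in connection-state=!a,b
    in_lan: Optional[bool] = None      # True: in-interface-list=LAN, False: !LAN
    proto: Optional[str] = None
    dst_port: Optional[int] = None
    src_allowed: bool = False          # src-address-list=allowed-to-router

    def matches(self, p: Packet) -> bool:
        # negated set: reject when the state IS in the set; plain set: reject when it is not
        if self.states and ((p.state in self.states) == self.negate_states):
            return False
        if self.in_lan is not None and ((p.in_iface in LAN_LIST) != self.in_lan):
            return False
        if self.proto and p.proto != self.proto:
            return False
        if self.dst_port is not None and p.dst_port != self.dst_port:
            return False
        if self.src_allowed and not any(
                ipaddress.ip_address(p.src) in n for n in ALLOWED_TO_ROUTER):
            return False
        return True


def run_chain(rules, p: Packet):
    """Return (action, comment) of the first matching rule, or the implicit accept."""
    for r in rules:
        if r.matches(p):
            return r.action, r.comment
    return "accept", "end of chain (implicit accept)"


def common_accepts():
    return [
        Rule("accept", "established,related", frozenset({"established", "related"})),
        Rule("accept", "allowed-to-router", src_allowed=True),
        Rule("accept", "WireGuard", proto="udp", dst_port=WG_PORT),
        Rule("accept", "LAN DNS udp", frozenset({"new"}), in_lan=True,
             proto="udp", dst_port=53),
    ]


# Drop rules as posted: connection-state=!invalid,new, i.e. "neither invalid nor new".
POSTED_INPUT = common_accepts() + [
    Rule("drop", "Drop not coming from LAN", frozenset({"invalid", "new"}), True, in_lan=False),
    Rule("drop", "Drop All Rest", frozenset({"invalid", "new"}), True),
]

# Default-configuration ordering: drop invalid explicitly, then drop what is
# left that did not arrive on a LAN-list interface.
FIXED_INPUT = common_accepts() + [
    Rule("drop", "drop invalid", frozenset({"invalid"})),
    Rule("drop", "drop all not coming from LAN", in_lan=False),
]

SAMPLE = {  # constructed packets, not captured traffic
    "wan_new_ssh": Packet("ether1", "203.0.113.5", "new", "tcp", 22),
    "wan_invalid": Packet("ether1", "203.0.113.5", "invalid", "tcp", 22),
    "wan_established": Packet("ether1", "203.0.113.5", "established", "tcp", 22),
    "wan_wireguard": Packet("ether1", "198.51.100.7", "new", "udp", WG_PORT),
    "lan_dns": Packet("bridge1", "10.16.27.27", "new", "udp", 53),
}


def compare():
    """Map sample name -> (action under posted chain, action under fixed chain)."""
    return {name: (run_chain(POSTED_INPUT, p)[0], run_chain(FIXED_INPUT, p)[0])
            for name, p in SAMPLE.items()}


if __name__ == "__main__":
    for name, (posted, fixed) in compare().items():
        print(f"{name:16} posted={posted:6} fixed={fixed}")
```

Under these assumptions a new TCP packet from the internet to the router falls through every posted rule and is accepted by the implicit end-of-chain accept, which is also why the negated drop rules never log anything; the same packet is dropped under the default-configuration ordering, while WireGuard, LAN DNS and established traffic behave the same in both.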
