MikroTik community forum

Sanity Check on Firewall Rules

nuke235 (Topic Author, Posts: 1, Joined: Sun Feb 12, 2023 7:17 am)
Sat Feb 18, 2023 7:15 am

It's been a long time since I've manually played with firewall rules and I'm just hoping to get a sanity check.

I've got a hAP ax3 and used Quick Set to get my initial "simple" config working with VLAN1 using 10.0.0.0/24.

From there I added VLAN10 and a guest WiFi network running on 10.0.10.0/24. Then I added firewall rules to drop VLAN10 traffic not destined for WAN, unless it's DNS queries to the router.

The setup works without issue, but I want to ensure I haven't done something stupid and opened myself up to bad actors. That, or whether there's a simpler way to do things.

I deleted the CAPsMAN rule that defconf creates as I don't use it, and I've disabled the ipsec rules for similar reasons. Figured less is better in this situation.

/ip firewall filter
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
    in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
    disabled=yes ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
    disabled=yes ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
    connection-state=established,related hw-offload=yes
add action=accept chain=input comment="allow dns queries from untrusted vlan" \
    dst-address=10.0.10.1 dst-port=53 protocol=tcp src-address=10.0.10.0/24
add action=accept chain=input comment="allow dns queries from untrusted vlan (udp)" \
    dst-address=10.0.10.1 dst-port=53 protocol=udp src-address=10.0.10.0/24
add action=drop chain=input comment=\
    "drop all other traffic to router from untrusted vlan" dst-address=\
    10.0.10.1 src-address=10.0.10.0/24
add action=drop chain=forward comment="isolate untrusted vlan subnet" \
    out-interface-list=!WAN src-address=10.0.10.0/24
add action=accept chain=forward comment=\
    "defconf: accept established,related, untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
add action=drop chain=forward comment=\
    "defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
    connection-state=new in-interface-list=WAN
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" \
    ipsec-policy=out,none out-interface-list=WAN
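Two things a reviewer would flag in the listing above, followed by an added example (editor's code, not from the original post) of the guest-VLAN rules rewritten to address them. First, read in order, the input chain accepts DNS from 10.0.10.0/24 to 10.0.10.1 and then drops the rest of 10.0.10.0/24 only when the destination is 10.0.10.1. A guest host that sends to one of the router's other addresses, 10.0.0.1 on the main VLAN or the WAN address, matches none of those rules and falls through to the end of the input chain, whose default action is accept; traffic to the router's own addresses is handled in input, not forward, so the "isolate untrusted vlan" forward rule does not help. Unless something else restricts them (for instance address limits in /ip service), whatever management services are enabled (Winbox, SSH, WebFig, API) stay reachable from the guest network through those addresses. Second, the guest rules match on src-address, which a guest client defeats by configuring a 10.0.0.x address on its own interface; matching on the ingress interface is the robust choice. The example assumes the guest VLAN interface on the router is named vlan10 (the post does not give the name), puts it in a new GUEST interface list and removes it from LAN, keeps the defconf rules as posted, and adds an explicit accept for DHCP so the catch-all drop cannot interfere with address assignment on the guest VLAN. The srcnat masquerade rule is unchanged and omitted here.

```routeros
# Added example: guest-VLAN filter rules matched on the ingress interface.
# Assumption: the guest VLAN interface is named vlan10 (not stated in the post).
/interface list
add name=GUEST comment="guest VLAN interfaces (added)"
/interface list member
add interface=vlan10 list=GUEST
# vlan10 must NOT also be in the LAN list, otherwise the defconf LAN rules
# would treat it as trusted. Remove it there if Quick Set or you added it:
# /interface list member remove [find interface=vlan10 list=LAN]

/ip firewall filter
# --- input chain (traffic to the router itself) ---
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
# Guest rules come BEFORE "drop all not coming from LAN", because vlan10 is no
# longer in LAN and that rule would otherwise drop everything from guests.
# No dst-address here: in the input chain the destination is always one of the
# router's own addresses, so this covers 10.0.10.1, 10.0.0.1 and the WAN IP.
add action=accept chain=input comment="guest: DNS (udp) to the router" \
    dst-port=53 in-interface-list=GUEST protocol=udp
add action=accept chain=input comment="guest: DNS (tcp) to the router" \
    dst-port=53 in-interface-list=GUEST protocol=tcp
add action=accept chain=input comment="guest: DHCP to the router" \
    dst-port=67 in-interface-list=GUEST protocol=udp
add action=drop chain=input comment=\
    "guest: drop everything else to the router, whichever address is targeted" \
    in-interface-list=GUEST
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
    in-interface-list=!LAN
# --- forward chain (traffic through the router) ---
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
    connection-state=established,related hw-offload=yes
add action=accept chain=forward comment=\
    "defconf: accept established,related, untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
# Placed after the established/related accept: only NEW connections from guests
# are judged here, so replies to connections the trusted LAN opens toward the
# guest VLAN are still allowed. Guests themselves can only open connections
# that leave through WAN. Matched on interface lists, not addresses.
add action=drop chain=forward comment="guest: only the internet is reachable" \
    in-interface-list=GUEST out-interface-list=!WAN
add action=drop chain=forward comment=\
    "defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
    connection-state=new in-interface-list=WAN
```

To confirm the gap and the fix, connect a client to the guest WiFi and try the router's other address before and after applying this, for example a TCP connect to 10.0.0.1 on port 8291 (Winbox) or 22 (SSH): with the posted rules it reaches the service, with these it does not. On the router, /ip firewall filter print stats shows the counters climbing on the "guest: drop everything else" rule while you test, which is the quickest way to check that the rule order is what you intended.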
