mymikro
just joined
Topic Author
Posts: 3
Joined: Tue Mar 14, 2023 9:22 pm

settings for safe use...

Tue Mar 14, 2023 10:03 pm

Good day,

I am new to MikroTik and would like to ask whether my settings are safe as they are. Maybe someone has suggestions for improvement.
I use a Mikrotik Hex S, Mikrotik CAP AC with a DrayTek Vigor 167.

1. admin user deleted and new one created.
2. password changed.
3. upgrade to 7.8
4. deactivated telnet, ftp, www, www-ssl, api, api-ssl.
5. Ports for SSH + Winbox changed
6. deactivated:
- IPv6
- bandwidth server
- MAC-Access (MAC Telnet Server = local / listBridge / MAC-Winbox-Server = local / listBridge)
- Neighbor-Discovery (MNDP, CDP, LLDP)
- IPv6 Neighbor-Discovery
- Proxy
- Socks
- upnp
- cloud
7. enabled IP -> SSH -> Strong Crypto
8. IPv4 -> DNS
m1.png
9. Firewall -> NAT (action = masquerade)
m2.png
10. IP -> Firewall -> Filter -> Print
[XXX@RouterOS] /ip/firewall/filter> print
Flags: X - disabled, I - invalid; D - dynamic 
 0    ;;; WAN -> FW | deny ping
      chain=input action=drop protocol=icmp in-interface=ether1WAN log=no 
      log-prefix="" 

 1    ;;; ALLG. | aufgebaute Verbindungen erlauben (established)
      chain=input action=accept connection-state=established src-address-list="" 
      dst-address-list="" in-interface=br-local log=no log-prefix="" 

 2    ;;; ALLG. |  aufgebaute Verbindungen erlauben (related)
      chain=input action=accept connection-state=related in-interface=br-local 
      log=no log-prefix="" 

 3    ;;; LAN (local) -> FW | Zugriff zur Firewall erlauben
      chain=input action=accept dst-address=192.168.1.1 in-interface=br-local 
      log=no log-prefix="" 

 4    ;;; LAN (local) -> FW | Ping erlauben
      chain=input action=accept protocol=icmp dst-address=192.168.1.1 
      in-interface=br-local log=no log-prefix="" 

DEACTIVATED
 5 X  ;;; LAN (local) -> FW | DNS erlauben UDP

DEACTIVATED
 6 X  ;;; LAN (local) -> FW | DNS erlauben TCP
      chain=input action=accept protocol=tcp dst-address=192.168.1.1 in-interface=br-local dst-port=53 log=no log-prefix="" 

 7    ;;; DNS allow TCP from br-local
      chain=input action=accept protocol=tcp in-interface=br-local dst-port=53 log=no log-prefix="" 

 8    ;;; DNS allow UDP from br-local
      chain=input action=accept protocol=udp in-interface=br-local dst-port=53 log=no log-prefix="" 

 9    ;;; DNS drop WAN request TCP
      chain=input action=drop connection-state=new protocol=tcp in-interface=ether1WAN dst-port=53 log=no log-prefix="" 

10    ;;; DNS drop WAN request UDP
      chain=input action=drop connection-state=new protocol=udp in-interface=ether1WAN dst-port=53 log=no log-prefix="" 

11    ;;; ALLG. | drop all else
      chain=input action=drop connection-state="" log=yes log-prefix="" 

12    ;;; drop invalid connections
      chain=forward action=drop connection-state=invalid protocol=tcp

13    ;;; accept established connections
      chain=forward action=accept connection-state=established log=no log-prefix="" 

14    ;;; allow related connections
      chain=forward action=accept connection-state=related 

15    ;;; accept br-local -> WAN
      chain=forward action=accept in-interface=br-local out-interface=ether1WAN log=no log-prefix="" 

16    ;;; Drop Bogon
      chain=forward action=drop src-address=0.0.0.0/8 log=no log-prefix="" 

17    ;;; Drop Bogon
      chain=forward action=drop dst-address=0.0.0.0/8 log=no log-prefix="" 

18    ;;; Drop Bogon
      chain=forward action=drop src-address=127.0.0.0/8 log=no log-prefix="" 

19    ;;; Drop Bogon
      chain=forward action=drop dst-address=127.0.0.0/8 log=no log-prefix="" 

20    ;;; Drop Bogon
      chain=forward action=drop src-address=224.0.0.0/3 log=no log-prefix="" 

21    ;;; Drop Bogon
      chain=forward action=drop dst-address=224.0.0.0/3 log=no log-prefix="" 

22    ;;; JUMP TCP
      chain=forward action=jump jump-target=tcp protocol=tcp log=no log-prefix="" 

23    ;;; JUMP UDP
      chain=forward action=jump jump-target=udp protocol=udp log=no log-prefix="" 

24    ;;; JUMP ICMP
      chain=forward action=jump jump-target=icmp protocol=icmp log=no log-prefix="" 

25    ;;; deny TFTP
      chain=tcp action=drop protocol=tcp dst-port=69 

26    ;;; deny RPC portmapper
      chain=tcp action=drop protocol=tcp dst-port=111 

27    ;;; deny RPC portmapper
      chain=tcp action=drop protocol=tcp dst-port=135 

28    ;;; deny NBT
      chain=tcp action=drop protocol=tcp dst-port=137-139 

29    ;;; deny cifs
      chain=tcp action=drop protocol=tcp dst-port=445 

30    ;;; deny NFS
      chain=tcp action=drop protocol=tcp dst-port=2049 

31    ;;; deny NetBus
      chain=tcp action=drop protocol=tcp dst-port=12345-12346 

32    ;;; deny NetBus
      chain=tcp action=drop protocol=tcp dst-port=20034 

33    ;;; deny BackOriffice
      chain=tcp action=drop protocol=tcp dst-port=3133 

34    ;;; deny DHCP
      chain=tcp action=drop protocol=tcp dst-port=67-68 

35    ;;; deny TFTP
      chain=udp action=drop protocol=udp dst-port=69 

36    ;;; deny PRC portmapper
      chain=udp action=drop protocol=udp dst-port=111 

37    ;;; deny PRC portmapper
      chain=udp action=drop protocol=udp dst-port=135 

38    ;;; deny NBT
      chain=udp action=drop protocol=udp dst-port=137-139 

39    ;;; deny NFS
      chain=udp action=drop protocol=udp dst-port=2049 

40    ;;; deny BackOriffice
      chain=udp action=drop protocol=udp dst-port=3133 

41    ;;; drop ssh brute downstream
      chain=forward action=drop protocol=tcp src-address-list=ssh_blacklist dst-port=22 

42    ;;; ALLG. | drop all else
      chain=forward action=drop log=no log-prefix=""
QUESTIONS:
1. is this okay? (yellow)
m3.png
2. Is the DNS port 53 forwarding in the firewall rules ok so that I can use Quad9 (9.9.9.9)?
3. I am most unsure about the forward rules.

Currently I have only one bridge with DHCP /24 IP addresses. I would like to create 3 bridges with 3 VLANs on them, based on this:
- br-local -> VLAN-1
- br-wlan -> VLAN-10
- br-public -> VLAN-20

VLAN-20 contains webserver, mailserver etc. where I want to forward corresponding ports in the firewall

Thanks for any help!

best regards

mymikro
Last edited by BartoszP on Tue Mar 21, 2023 7:50 pm, edited 1 time in total.
Reason: Use proper tags: quote to quote, code for code - keep forum tidy
 
anav
Forum Guru
Posts: 19099
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: settings for safe use...

Wed Mar 15, 2023 2:35 pm

I would say you have some minor errors that need fixing.
Provide full export
/export file=anynameyouwish (minus router serial number and any public WAN IP information)
 
mymikro
just joined
Topic Author
Posts: 3
Joined: Tue Mar 14, 2023 9:22 pm

Re: settings for safe use...

Wed Mar 15, 2023 10:02 pm

hi,

thank you for your answer

Today I tested a VLAN on ether3 (VLAN-30 / IP 192.168.30.1/24)... but got no (DHCP) IP on the second laptop (cmd: ipconfig /renew).

here is my configuration / export:
# mar/15/2023 19:50:50 by RouterOS 7.8
# software id = 4T08-8BMQ
#
# model = RB760iGS
# serial number = XXXXXX
/caps-man configuration
add channel.control-channel-width=20mhz .extension-channel=Ceee .frequency=\
    6425 country=switzerland mode=ap name=cfg1 security.authentication-types=\
    wpa2-psk .encryption=aes-ccm ssid="Wlan-1 5G"
/interface bridge
add name=br-local
add ingress-filtering=no name=br-public pvid=30 vlan-filtering=yes
add name=br-wlan
/interface ethernet
set [ find default-name=ether1 ] comment=WAN name=ether1WAN
set [ find default-name=ether2 ] comment=Laptop
set [ find default-name=ether4 ] disabled=yes
set [ find default-name=ether5 ] comment=WLAN
set [ find default-name=sfp1 ] disabled=yes
/caps-man interface
add disabled=no l2mtu=1600 mac-address=48:A9:7B:42:F6:78 master-interface=\
    none name=cap1 radio-mac=48:A9:7B:42:F6:78 radio-name=48A98A32F678
add channel.frequency=5180 configuration=cfg1 disabled=no l2mtu=1600 \
    mac-address=48:A9:8A:32:F6:79 master-interface=none name=cap2 radio-mac=\
    48:A9:8A:32:F6:79 radio-name=48A98A32F679
/interface vlan
add interface=br-public name=VLAN-30-PUBLIC vlan-id=30
/interface list
add name=WAN
add name=LAN
add name=listBridge
/interface lte apn
set [ find default=yes ] ip-type=ipv4 use-network-apn=no
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip pool
add name=dhcp ranges=192.168.1.10-192.168.1.254
add name=dhcp_pool30 ranges=192.168.30.10-192.168.30.254
/ip dhcp-server
add address-pool=dhcp interface=br-local name=DHCP-LOCAL
add address-pool=dhcp_pool30 interface=VLAN-30-PUBLIC name=DHCP-PUBLIC
/port
set 0 name=serial0
/routing bgp template
set default disabled=no output.network=bgp-networks
/routing ospf instance
add disabled=no name=default-v2
/routing ospf area
add disabled=yes instance=default-v2 name=backbone-v2
/caps-man manager
set ca-certificate=auto certificate=auto enabled=yes package-path=/
/interface bridge port
add bridge=br-local interface=ether2
add bridge=br-wlan comment="Port 5 CAP verbindung" interface=ether5
add bridge=br-wlan interface=cap1
add bridge=br-wlan interface=cap2
add bridge=br-public interface=ether3 pvid=30
add bridge=br-local interface=ether4
/ip neighbor discovery-settings
set discover-interface-list=none protocol=""
/ipv6 settings
set disable-ipv6=yes max-neighbor-entries=8192
/interface bridge vlan
add bridge=br-public tagged=VLAN-30-PUBLIC untagged=ether3 vlan-ids=30
/interface list member
add interface=ether1WAN list=WAN
add interface=ether2 list=LAN
add interface=br-local list=listBridge
add interface=VLAN-30-PUBLIC list=LAN
/interface ovpn-server server
set auth=sha1,md5
/ip address
add address=192.168.1.1/24 interface=br-local network=192.168.1.0
add address=192.168.30.1/24 interface=VLAN-30-PUBLIC network=192.168.30.0
/ip cloud
set update-time=no
/ip dhcp-client
add interface=ether1WAN use-peer-dns=no
/ip dhcp-server network
add address=192.168.1.0/24 dns-server=9.9.9.9 gateway=192.168.1.1 netmask=24
add address=192.168.30.0/24 gateway=192.168.30.1 netmask=24
/ip dns
set allow-remote-requests=yes servers=9.9.9.9
/ip firewall filter
add action=drop chain=input comment="WAN -> FW | deny ping" in-interface=\
    ether1WAN protocol=icmp
add action=accept chain=input comment=\
    "ALLG. | aufgebaute Verbindungen erlauben (established)" \
    connection-state=established dst-address-list="" in-interface=br-local \
    src-address-list=""
add action=accept chain=input comment=\
    "ALLG. |  aufgebaute Verbindungen erlauben (related)" connection-state=\
    related in-interface=br-local
add action=accept chain=input comment=\
    "LAN (local) -> FW | Zugriff zur Firewall erlauben" dst-address=\
    192.168.1.1 in-interface=br-local
add action=accept chain=input comment="LAN (local) -> FW | Ping erlauben" \
    dst-address=192.168.1.1 in-interface=br-local protocol=icmp
add action=accept chain=input comment="VLAN-30-PUBLIC / TEST" dst-address=\
    192.168.30.1 in-interface=VLAN-30-PUBLIC
add action=accept chain=input comment="DNS allow TCP from br-local" dst-port=\
    53 in-interface=br-local protocol=tcp
add action=accept chain=input comment="DNS allow UDP from br-local" dst-port=\
    53 in-interface=br-local protocol=udp
add action=drop chain=input comment="DNS drop WAN request TCP" \
    connection-state=new dst-port=53 in-interface=ether1WAN protocol=tcp
add action=drop chain=input comment="DNS drop WAN request UDP" \
    connection-state=new dst-port=53 in-interface=ether1WAN protocol=udp
add action=drop chain=input comment="ALLG. | drop all else" connection-state=\
    "" log=yes
add action=drop chain=forward comment="drop invalid connections" \
    connection-state=invalid protocol=tcp
add action=accept chain=forward comment="accept established connections" \
    connection-state=established
add action=accept chain=forward comment="allow related connections" \
    connection-state=related
add action=accept chain=forward comment="accept br-local -> WAN" \
    in-interface=br-local out-interface=ether1WAN
add action=drop chain=forward comment="Drop Bogon" src-address=0.0.0.0/8
add action=drop chain=forward comment="Drop Bogon" dst-address=0.0.0.0/8
add action=drop chain=forward comment="Drop Bogon" src-address=127.0.0.0/8
add action=drop chain=forward comment="Drop Bogon" dst-address=127.0.0.0/8
add action=drop chain=forward comment="Drop Bogon" src-address=224.0.0.0/3
add action=drop chain=forward comment="Drop Bogon" dst-address=224.0.0.0/3
add action=jump chain=forward comment="JUMP TCP" jump-target=tcp protocol=tcp
add action=jump chain=forward comment="JUMP UDP" jump-target=udp protocol=udp
add action=jump chain=forward comment="JUMP ICMP" jump-target=icmp protocol=\
    icmp
add action=drop chain=tcp comment="deny TFTP" dst-port=69 protocol=tcp
add action=drop chain=tcp comment="deny RPC portmapper" dst-port=111 \
    protocol=tcp
add action=drop chain=tcp comment="deny RPC portmapper" dst-port=135 \
    protocol=tcp
add action=drop chain=tcp comment="deny NBT" dst-port=137-139 protocol=tcp
add action=drop chain=tcp comment="deny cifs" dst-port=445 protocol=tcp
add action=drop chain=tcp comment="deny NFS" dst-port=2049 protocol=tcp
add action=drop chain=tcp comment="deny NetBus" dst-port=12345-12346 \
    protocol=tcp
add action=drop chain=tcp comment="deny NetBus" dst-port=20034 protocol=tcp
add action=drop chain=tcp comment="deny BackOriffice" dst-port=3133 protocol=\
    tcp
add action=drop chain=tcp comment="deny DHCP" dst-port=67-68 protocol=tcp
add action=drop chain=udp comment="deny TFTP" dst-port=69 protocol=udp
add action=drop chain=udp comment="deny PRC portmapper" dst-port=111 \
    protocol=udp
add action=drop chain=udp comment="deny PRC portmapper" dst-port=135 \
    protocol=udp
add action=drop chain=udp comment="deny NBT" dst-port=137-139 protocol=udp
add action=drop chain=udp comment="deny NFS" dst-port=2049 protocol=udp
add action=drop chain=udp comment="deny BackOriffice" dst-port=3133 protocol=\
    udp
add action=drop chain=forward comment="drop ssh brute downstream" dst-port=22 \
    protocol=tcp src-address-list=ssh_blacklist
add action=drop chain=forward comment="ALLG. | drop all else"
/ip firewall nat
add action=masquerade chain=srcnat out-interface=ether1WAN \
    out-interface-list=WAN
/ip firewall service-port
set h323 disabled=yes
/ip service
set telnet disabled=yes
set ftp disabled=yes
set www disabled=yes
set ssh address=192.168.1.0/24 port=4385
set api disabled=yes
set winbox address=192.168.1.0/24 port=4386
set api-ssl disabled=yes
/ip ssh
set strong-crypto=yes
/ipv6 nd
set [ find default=yes ] disabled=yes
/system clock
set time-zone-name=Europe/Zurich
/system identity
set name=RouterOS
/system routerboard settings
set auto-upgrade=yes
/tool bandwidth-server
set enabled=no
/tool mac-server
set allowed-interface-list=listBridge
/tool mac-server mac-winbox
set allowed-interface-list=listBridge


Thanks for any help and greetings from Switzerland ;)
Last edited by BartoszP on Tue Mar 21, 2023 7:48 pm, edited 1 time in total.
Reason: Use proper tags: quote to quote, code for code - keep forum tidy
 
Amm0
Forum Guru
Posts: 3250
Joined: Sun May 01, 2016 7:12 pm
Location: California

Re: settings for safe use...

Wed Mar 15, 2023 10:44 pm

Minor comments:
- Maybe your DHCP Server is providing time. But if not you might consider using an NTP client if you're going to disable /ip cloud's time.
- I'd also consider looking at your logging, if the goal is "safe". Otherwise a reboot will clear the logs since they are stored in memory only.
- Specifically dropping ICMP will cause PMTUD to stop working, so if the full path isn't 1500, you'll get fragmentation. This may slow some connections down, and break things more generally. The kernel already throttles ICMP to prevent attacks, and you can apply additional rules, but I really think you want it enabled.
- Most threats would use 443 anyway, which you can't really block or monitor on a MikroTik. So there are limits to how "safe" a router can be; they are designed to forward packets.

My main question is what type of traffic is this preventing that isn't already covered by the Advanced Firewall example in the docs?
e.g. https://help.mikrotik.com/docs/display/ ... d+Firewall

For example, the documented firewall uses RAW and address-lists to drop bogons, which is likely more efficient. I think you have some duplicate/unneeded drops: if stuff isn't allowed, it doesn't need to be dropped. Each firewall line adds time to packet processing, even ones that can't do anything. You also make the configuration harder to troubleshoot with so many drop rules, instead of using an "accept, then drop everything else" style.

Just my opinion. You may have your reasons for making this more complex too.
 
mymikro
just joined
Topic Author
Posts: 3
Joined: Tue Mar 14, 2023 9:22 pm

Re: settings for safe use...

Tue Mar 21, 2023 7:38 pm

Hello,

Thanks for your answer.

I have adjusted the firewall rules:
# mar/21/2023 17:20:50 by RouterOS 7.8
# software id = 4T08-8BMQ
#
# model = RB760iGS
# serial number = XXXXXX
/caps-man configuration
add channel.control-channel-width=20mhz .extension-channel=Ceee .frequency=\
    6425 country=switzerland mode=ap name=cfg1 security.authentication-types=\
    wpa2-psk .encryption=aes-ccm ssid="Wlan-1"
/interface bridge
add name=br-local
add name=br-wlan
/interface ethernet
set [ find default-name=ether1 ] comment=WAN name=ether1WAN
set [ find default-name=ether3 ] comment=VLAN-20
set [ find default-name=ether5 ] comment="WLAN | Mikrotik CAP AC"
set [ find default-name=sfp1 ] disabled=yes
/caps-man interface
add disabled=no l2mtu=1600 mac-address=58:A9:9A:32:F6:88 master-interface=\
    none name=cap1 radio-mac=58:A9:9A:32:F6:88 radio-name=48A98A32F688
add channel.frequency=5180 configuration=cfg1 disabled=no l2mtu=1600 \
    mac-address=48:A9:8A:32:F6:89 master-interface=none name=cap2 radio-mac=\
    48:A9:8A:32:F6:89 radio-name=48A98A32F689
/interface list
add name=WAN
add name=LAN
add name=listBridge
/interface lte apn
set [ find default=yes ] ip-type=ipv4 use-network-apn=no
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip pool
add name=dhcp ranges=192.168.1.10-192.168.1.254
/ip dhcp-server
add address-pool=dhcp interface=br-local name=DHCP-LOCAL
/port
set 0 name=serial0
/routing bgp template
set default disabled=no output.network=bgp-networks
/routing ospf instance
add disabled=no name=default-v2
/routing ospf area
add disabled=yes instance=default-v2 name=backbone-v2
/caps-man manager
set ca-certificate=auto certificate=auto enabled=yes package-path=/
/interface bridge port
add bridge=br-local interface=ether2
add bridge=br-local comment="Port 5 CAP verbindung" interface=ether5
add bridge=br-local interface=cap1
add bridge=br-local interface=cap2
add bridge=br-local interface=ether3
add bridge=br-local interface=ether4
/ip neighbor discovery-settings
set discover-interface-list=none protocol=""
/ipv6 settings
set disable-ipv6=yes max-neighbor-entries=8192
/interface list member
add interface=ether1WAN list=WAN
add interface=ether2 list=LAN
add interface=br-local list=listBridge
/interface ovpn-server server
set auth=sha1,md5
/ip address
add address=192.168.1.1/24 interface=br-local network=192.168.1.0
/ip cloud
set update-time=no
/ip dhcp-client
add interface=ether1WAN use-peer-dns=no
/ip dhcp-server network
add address=192.168.1.0/24 dns-server=9.9.9.9 gateway=192.168.1.1 netmask=24
/ip dns
set allow-remote-requests=yes servers=9.9.9.9
/ip firewall address-list
add address=127.0.0.0/8 comment="defconf: RFC6890" list=bad_ipv4
add address=192.0.0.0/24 comment="defconf: RFC6890" list=bad_ipv4
add address=192.0.2.0/24 comment="defconf: RFC6890 documentation" list=\
    bad_ipv4
add address=198.51.100.0/24 comment="defconf: RFC6890 documentation" list=\
    bad_ipv4
add address=203.0.113.0/24 comment="defconf: RFC6890 documentation" list=\
    bad_ipv4
add address=240.0.0.0/4 comment="defconf: RFC6890 reserved" list=bad_ipv4
add address=0.0.0.0/8 comment="defconf: RFC6890" list=not_global_ipv4
add address=10.0.0.0/8 comment="defconf: RFC6890" list=not_global_ipv4
add address=100.64.0.0/10 comment="defconf: RFC6890" list=not_global_ipv4
add address=169.254.0.0/16 comment="defconf: RFC6890" list=not_global_ipv4
add address=172.16.0.0/12 comment="defconf: RFC6890" list=not_global_ipv4
add address=192.0.0.0/29 comment="defconf: RFC6890" list=not_global_ipv4
add address=192.168.0.0/16 comment="defconf: RFC6890" list=not_global_ipv4
add address=198.18.0.0/15 comment="defconf: RFC6890 benchmark" list=\
    not_global_ipv4
add address=255.255.255.255 comment="defconf: RFC6890" list=not_global_ipv4
add address=224.0.0.0/4 comment="defconf: multicast" list=bad_src_ipv4
add address=255.255.255.255 comment="defconf: RFC6890" list=bad_src_ipv4
add address=0.0.0.0/8 comment="defconf: RFC6890" list=bad_dst_ipv4
add address=224.0.0.0/4 comment="defconf: RFC6890" list=bad_dst_ipv4
/ip firewall filter
add action=drop chain=input comment="WAN -> FW | deny ping" in-interface=\
    ether1WAN protocol=icmp
add action=accept chain=input comment="defconf: accept established,related" \
    connection-state=established,related dst-address-list="" in-interface=\
    br-local src-address-list=""
add action=accept chain=input comment=\
    "LAN (local) -> FW | Zugriff zur Firewall erlauben" dst-address=\
    192.168.1.1 in-interface=br-local
add action=accept chain=input comment="LAN (local) -> FW | Ping erlauben" \
    dst-address=192.168.1.1 in-interface=br-local protocol=icmp
add action=accept chain=input comment="VLAN-30-PUBLIC / TEST" disabled=yes \
    dst-address=192.168.30.1 in-interface=*E
add action=accept chain=input comment="DNS allow TCP from br-local" dst-port=\
    53 in-interface=br-local protocol=tcp
add action=accept chain=input comment="DNS allow UDP from br-local" dst-port=\
    53 in-interface=br-local protocol=udp
add action=drop chain=input comment="DNS drop WAN request TCP" \
    connection-state=new dst-port=53 in-interface=ether1WAN protocol=tcp
add action=drop chain=input comment="DNS drop WAN request UDP" \
    connection-state=new dst-port=53 in-interface=ether1WAN protocol=udp
add action=drop chain=input comment="ALLG. | drop all else" connection-state=\
    "" log=yes
add action=accept chain=forward comment=\
    "defconf: accept all that matches IPSec policy" disabled=yes \
    ipsec-policy=in,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
    connection-state=established,related hw-offload=yes
add action=accept chain=forward comment="defconf: accept established,related" \
    connection-state=established,related
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
add action=drop chain=forward comment=\
    "defconf:  drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
    connection-state=new in-interface-list=WAN
add action=drop chain=forward comment="defconf: drop bad forward IPs" \
    src-address-list=no_forward_ipv4
add action=drop chain=forward comment="defconf: drop bad forward IPs" \
    dst-address-list=no_forward_ipv4
/ip firewall nat
add action=masquerade chain=srcnat out-interface=ether1WAN \
    out-interface-list=WAN
add action=accept chain=srcnat comment=\
    "defconf: accept all that matches IPSec policy" disabled=yes \
    ipsec-policy=out,ipsec
/ip firewall raw
add action=accept chain=prerouting comment=\
    "defconf: enable for transparent firewall"
add action=accept chain=prerouting comment="defconf: accept DHCP discover" \
    dst-address=255.255.255.255 dst-port=67 in-interface-list=LAN protocol=\
    udp src-address=0.0.0.0 src-port=68
add action=drop chain=prerouting comment="defconf: drop bogon IP's" \
    src-address-list=bad_ipv4
add action=drop chain=prerouting comment="defconf: drop bogon IP's" \
    dst-address-list=bad_ipv4
add action=drop chain=prerouting comment="defconf: drop bogon IP's" \
    src-address-list=bad_src_ipv4
add action=drop chain=prerouting comment="defconf: drop bogon IP's" \
    dst-address-list=bad_dst_ipv4
add action=drop chain=prerouting comment="defconf: drop non global from WAN" \
    in-interface-list=WAN src-address-list=not_global_ipv4
add action=drop chain=prerouting comment=\
    "defconf: drop forward to local lan from WAN" dst-address=192.168.1.0/24 \
    in-interface-list=WAN
add action=drop chain=prerouting comment=\
    "defconf: drop local if not from default IP range" in-interface-list=LAN \
    src-address=!192.168.1.0/24
add action=drop chain=prerouting comment="defconf: drop bad UDP" port=0 \
    protocol=udp
add action=jump chain=prerouting comment="defconf: jump to ICMP chain" \
    jump-target=icmp4 protocol=icmp
add action=jump chain=prerouting comment="defconf: jump to TCP chain" \
    jump-target=bad_tcp protocol=tcp
add action=accept chain=prerouting comment=\
    "defconf: accept everything else from LAN" in-interface-list=LAN
add action=drop chain=prerouting comment="defconf: drop the rest"
add action=drop chain=bad_tcp comment="defconf: TCP flag filter" protocol=tcp \
    tcp-flags=!fin,!syn,!rst,!ack
add action=drop chain=bad_tcp comment=defconf protocol=tcp tcp-flags=fin,syn
add action=drop chain=bad_tcp comment=defconf protocol=tcp tcp-flags=fin,rst
add action=drop chain=bad_tcp comment=defconf protocol=tcp tcp-flags=fin,!ack
add action=drop chain=bad_tcp comment=defconf protocol=tcp tcp-flags=fin,urg
add action=drop chain=bad_tcp comment=defconf protocol=tcp tcp-flags=syn,rst
add action=drop chain=bad_tcp comment=defconf protocol=tcp tcp-flags=rst,urg
add action=drop chain=bad_tcp comment="defconf: TCP port 0 drop" port=0 \
    protocol=tcp
/ip firewall service-port
set h323 disabled=yes
/ip service
set telnet disabled=yes
set ftp disabled=yes
set www disabled=yes
set ssh address=192.168.1.0/24 port=4373
set api disabled=yes
set winbox address=192.168.1.0/24 port=4374
set api-ssl disabled=yes
/ip ssh
set strong-crypto=yes
/ipv6 nd
set [ find default=yes ] disabled=yes
/system clock
set time-zone-name=Europe/Zurich
/system identity
set name=RouterOS
/system routerboard settings
set auto-upgrade=yes
/tool bandwidth-server
set enabled=no
/tool mac-server
set allowed-interface-list=listBridge
/tool mac-server mac-winbox
set allowed-interface-list=listBridge
Last edited by BartoszP on Tue Mar 21, 2023 7:48 pm, edited 1 time in total.
Reason: Use proper tags: quote to quote, code for code - keep forum tidy
 
Amm0
Forum Guru
Posts: 3250
Joined: Sun May 01, 2016 7:12 pm
Location: California

Re: settings for safe use...

Tue Mar 21, 2023 8:50 pm

In the "safe" category, I'm not sure I'd allow remote requests to the /ip/dns, especially since your clients are already directly using Quad9's server:
/ip dhcp-server network
add address=192.168.1.0/24 dns-server=9.9.9.9 gateway=192.168.1.1 netmask=24
/ip dns
set allow-remote-requests=yes servers=9.9.9.9
The "allow-remote-requests=yes" opens port 53, which should be blocked by the firewall... but you're looking for "safe", so disable it; you're disabling other ports already, so this would be consistent.

Caching DNS might offer slight performance benefits, but clients directly using a DNS server seems "safer", since you kind of want more frequent DNS queries in case some domain goes on the Quad9 blacklist, and clients already do some level of caching (but yes, the same site from multiple clients results in more outbound traffic).

You're using two bridges; again, if "safe" is the operative word, that seems like a good idea, as it's simpler than VLAN bridging and there is less chance of an accidental leak between WAN and LAN. But I think on the hEX S only one bridge can be hardware offloaded, so you have to choose which one is hardware offloaded. I'd say the LAN, since the WAN is likely going through the CPU anyway. But something to consider. You can see what is hardware offloaded by looking at the bridge ports for the "H" in the left column.

I don't see any queues. So if "safe" includes "important" traffic that must get out, that would be another measure of "safe": ensure it does by using a queue. You don't want one client inside to use the whole network. A DoS-like effect can also happen with a single legitimate client/traffic that is a bandwidth hog and not sharing the WAN.
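Both of Amm0's points above, that rule order decides which drops can ever fire and that port 53 opened by allow-remote-requests is what the input-chain drops have to catch, come down to first-match evaluation. The following is an added example, not code from the thread or from MikroTik: a small Python simulator that parses RouterOS `/ip firewall filter` export lines (including the backslash continuations) and walks a chain the way RouterOS does, including jumps into custom chains and the fall-through back to the caller. It supports more matchers than the sample needs (interface lists and `!` negation) so it can be pointed at the later exports in this thread too. The filter rules in SAMPLE_FILTER are a constructed subset of the original poster's first export; the packets are constructed.

```python
import ipaddress
import re
import shlex

# Constructed sample: a subset of the thread's first /ip firewall filter export,
# kept in RouterOS export syntax including the backslash line continuations.
SAMPLE_FILTER = r'''
/ip firewall filter
add action=accept chain=input comment="DNS allow UDP from br-local" dst-port=\
    53 in-interface=br-local protocol=udp
add action=drop chain=input comment="DNS drop WAN request UDP" \
    connection-state=new dst-port=53 in-interface=ether1WAN protocol=udp
add action=drop chain=input comment="ALLG. | drop all else" connection-state=\
    "" log=yes
add action=accept chain=forward comment="accept established connections" \
    connection-state=established
add action=accept chain=forward comment="accept br-local -> WAN" \
    in-interface=br-local out-interface=ether1WAN
add action=jump chain=forward comment="JUMP TCP" jump-target=tcp protocol=tcp
add action=drop chain=tcp comment="deny cifs" dst-port=445 protocol=tcp
add action=drop chain=forward comment="ALLG. | drop all else"
'''

def parse_rules(export_text):
    """Turn 'add key=value ...' export lines into dicts (continuations joined)."""
    joined = re.sub(r"\\\n\s*", "", export_text)
    rules = []
    for line in joined.splitlines():
        line = line.strip()
        if line.startswith("add "):
            rules.append(dict(tok.partition("=")[::2] for tok in shlex.split(line[4:])))
    return rules

def _port_in(port, spec):
    """dst-port accepts 'N', 'N-M' and comma-separated lists of those."""
    if port is None:
        return False
    for part in spec.split(","):
        lo, _, hi = part.partition("-")
        if int(lo) <= port <= int(hi or lo):
            return True
    return False

def rule_matches(rule, pkt, iface_lists):
    """True if every matcher present on the rule matches the packet dict.
    A leading '!' on a value negates that matcher, as in RouterOS."""
    in_net = lambda addr, net: ipaddress.ip_address(addr) in ipaddress.ip_network(net, strict=False)
    checks = {
        "protocol": lambda v: pkt.get("protocol") == v,
        "in-interface": lambda v: pkt.get("in") == v,
        "out-interface": lambda v: pkt.get("out") == v,
        "in-interface-list": lambda v: pkt.get("in") in iface_lists.get(v, ()),
        "out-interface-list": lambda v: pkt.get("out") in iface_lists.get(v, ()),
        "src-address": lambda v: in_net(pkt["src"], v),
        "dst-address": lambda v: in_net(pkt["dst"], v),
        "dst-port": lambda v: _port_in(pkt.get("dport"), v),
        # connection-state="" (the thread's 'drop all else') matches any state
        "connection-state": lambda v: v == "" or pkt.get("state") in v.split(","),
    }
    for key, check in checks.items():
        if key in rule:
            value = rule[key]
            negate = value.startswith("!")
            if check(value.lstrip("!")) == negate:
                return False
    return True

def _walk(rules, chain, pkt, iface_lists, trace):
    """First-match walk of one chain; returns a verdict or None at chain end."""
    for rule in rules:
        if rule.get("chain") != chain or rule.get("disabled") == "yes":
            continue
        if not rule_matches(rule, pkt, iface_lists):
            continue
        trace.append(rule.get("comment", "<no comment>"))
        action = rule.get("action")
        if action == "jump":
            result = _walk(rules, rule["jump-target"], pkt, iface_lists, trace)
            if result is not None:
                return result
            continue  # sub-chain fell through: resume in the calling chain
        if action in ("accept", "drop", "reject"):
            return action
        # log, passthrough, fasttrack-connection: evaluation continues
    return None

def verdict(rules, chain, pkt, iface_lists=None):
    """(verdict, matched rule comments); a chain end is RouterOS's implicit accept."""
    trace = []
    return (_walk(rules, chain, pkt, iface_lists or {}, trace) or "accept", trace)

if __name__ == "__main__":
    rules = parse_rules(SAMPLE_FILTER)
    # Constructed packets: a resolver probe from the WAN, then SMB in both directions
    probes = [
        ("input", {"protocol": "udp", "in": "ether1WAN", "src": "203.0.113.5", "dst": "198.51.100.7", "dport": 53, "state": "new"}),
        ("forward", {"protocol": "tcp", "in": "br-local", "out": "ether1WAN", "src": "192.168.1.50", "dst": "203.0.113.5", "dport": 445, "state": "new"}),
        ("forward", {"protocol": "tcp", "in": "ether1WAN", "out": "br-local", "src": "203.0.113.5", "dst": "192.168.1.50", "dport": 445, "state": "new"}),
    ]
    for chain, pkt in probes:
        print(chain, pkt["in"], "->", pkt.get("out", "router"), pkt["dport"], verdict(rules, chain, pkt))
```

Running it shows why the per-port drop chains are dead weight in the original rule set: a LAN host's SMB connection to the internet is accepted by "accept br-local -> WAN" before the jump into the tcp chain is ever reached, and a new connection from the WAN that the tcp chain does not name still ends at "drop all else". The same walk confirms the WAN-side UDP/53 probe is dropped by the explicit DNS rule, which is the check Amm0 is describing.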
 
anav
Forum Guru
Posts: 19099
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: settings for safe use...

Wed Mar 22, 2023 12:04 am

I am a believer in simplifying, for both clarity and troubleshooting issues.
Therefore:

A. ONE BRIDGE
B. VLANS for all subnets ( bridge just does bridging )
C. CAPsMAN for one AP - COMPLETE WASTE of time and clutters up a clean config. I had three at one time and you couldn't pay me to use CAPsMAN.

In this case you have only one flat network. OKAY, seems unrealistic; don't you have any IoT devices or guest wifi where you want to segregate users or devices??
Not sure why you even state VLAN 20 on ether3 - nonsensical!!

By the way, you should never copy and use rules you have no clue what they do!!! Copy and paste is just dumb.
Quite obvious by your use of BOGONS.
Look familiar ---> add address=192.168.0.0/16 comment="defconf: RFC6890" list=not_global_ipv4
add address=192.168.1.1/24 interface=br-local network=192.168.1.0

++++++++++++++++++++

Relevant changes shown Capsman removed completely.

# software id = 4T08-8BMQ
#
# model = RB760iGS
# serial number = XXXXXX
/interface bridge
add name=br-local
/interface ethernet
set [ find default-name=ether1 ] comment=WAN name=ether1WAN
set [ find default-name=ether3 ] comment=VLAN-20
set [ find default-name=ether5 ] comment="WLAN | Mikrotik CAP AC"
set [ find default-name=sfp1 ] disabled=yes
/interface list
add name=WAN
add name=LAN
/ip pool
add name=dhcp ranges=192.168.1.10-192.168.1.254
/ip dhcp-server
add address-pool=dhcp interface=br-local name=DHCP-LOCAL
/interface bridge port
add bridge=br-local interface=ether2
add bridge=br-local interface=ether3
add bridge=br-local interface=ether4
add bridge=br-local comment="Port 5 CAP verbindung" interface=ether5
/ip neighbor discovery-settings
set discover-interface-list=LAN
/interface list member
add interface=ether1WAN list=WAN
add interface=br-local list=LAN
/ip address
add address=192.168.1.1/24 interface=br-local network=192.168.1.0
/ip cloud
set update-time=no
/ip dhcp-client
add interface=ether1WAN use-peer-dns=no
/ip dhcp-server network
add address=192.168.1.0/24 dns-server=192.168.1.1 gateway=192.168.1.1 netmask=24
/ip dns
set allow-remote-requests=yes servers=9.9.9.9

/ip firewall address-list
add address=192.168.1.X list=ADMIN comment=admin-desktop
add address=192.168.1.Y list=ADMIN comment=admin-laptop
add address=192.168.1.XY list=ADMIN comment=admin-ipad/iphone

add address=127.0.0.0/8 comment="defconf: RFC6890" list=bad_ipv4
add address=192.0.0.0/24 comment="defconf: RFC6890" list=bad_ipv4
add address=192.0.2.0/24 comment="defconf: RFC6890 documentation" list=\
bad_ipv4
add address=198.51.100.0/24 comment="defconf: RFC6890 documentation" list=\
bad_ipv4
add address=203.0.113.0/24 comment="defconf: RFC6890 documentation" list=\
bad_ipv4
add address=240.0.0.0/4 comment="defconf: RFC6890 reserved" list=bad_ipv4
add address=0.0.0.0/8 comment="defconf: RFC6890" list=not_global_ipv4
add address=10.0.0.0/8 comment="defconf: RFC6890" list=not_global_ipv4
add address=100.64.0.0/10 comment="defconf: RFC6890" list=not_global_ipv4
add address=169.254.0.0/16 comment="defconf: RFC6890" list=not_global_ipv4
add address=172.16.0.0/12 comment="defconf: RFC6890" list=not_global_ipv4
add address=192.0.0.0/29 comment="defconf: RFC6890" list=not_global_ipv4
add address=192.168.0.0/24 comment="defconf: RFC6890" list=not_global_ipv4
add address=192.168.2.1-192.168.255.255 comment="defconf: RFC6890" list=not_global_ipv4
add address=198.18.0.0/15 comment="defconf: RFC6890 benchmark" list=\
not_global_ipv4
add address=255.255.255.255 comment="defconf: RFC6890" list=not_global_ipv4
add address=224.0.0.0/4 comment="defconf: multicast" list=bad_src_ipv4
/ip firewall filter
add action=accept chain=input comment="defconf: accept established,related" \
connection-state=established,related,untracked
add action=drop chain=input connection-state=invalid
add action=accept chain=input protocol=icmp
{ essential for networking ignore the bad advice everywhere!! }
add action=accept chain=input comment="admin access" in-interface-list=LAN src-address-list=ADMIN
add action=accept chain=input comment="DNS allow TCP from br-local" dst-port=\
53 in-interface=br-local protocol=tcp
add action=accept chain=input comment="DNS/NTP allow UDP from br-local" dst-port=\
53,123 in-interface=br-local protocol=udp { to enable NTP usage by downstream devices like CAP }
add action=drop chain=input comment="Drop all else"
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
connection-state=established,related hw-offload=yes
add action=accept chain=forward comment="defconf: accept established,related,untracked" \
connection-state=established,related,untracked
add action=accept chain=forward comment="internet access" in-interface-list=LAN out-interface-list=WAN
add action=accept chain=forward comment="port forwarding" connection-nat-state=dstnat { disable if not using port forwarding }
add action=drop chain=forward comment="drop all else"
/ip firewall nat
add action=masquerade chain=srcnat out-interface-list=WAN
/ip firewall raw
add action=drop chain=prerouting comment="defconf: drop non global from WAN" src-address-list=not_global_ipv4 in-interface-list=WAN
add action=drop chain=prerouting comment="not LAN" src-address=!192.168.1.0/24 in-interface-list=LAN


Note1: First RAW rule blocks all invalid incoming WAN IPs before it hits connection tracking.
Note2: Second RAW rule blocks all invalid LAN IPs from leaking out and hitting WAN.
(If adding other subnets to the router, change the rule to src-address-list=!Lan-Subnets, which blocks all invalid LAN IPs to WAN and to LAN!)
Note3: Route rules below block all LAN to WAN traffic going to an invalid WAN IP.

/ip route
add blackhole disabled=no dst-address=192.0.0.0/24
add blackhole disabled=no dst-address=192.0.2.0/24
add blackhole disabled=no dst-address=198.51.100.0/24
add blackhole disabled=no dst-address=203.0.113.0/24
add blackhole disabled=no dst-address=240.0.0.0/4
add blackhole disabled=no dst-address=0.0.0.0/8
add blackhole disabled=no dst-address=100.64.0.0/10
add blackhole disabled=no dst-address=169.254.0.0/16
add blackhole disabled=no dst-address=192.0.0.0/29
add blackhole disabled=no dst-address=172.16.0.0/12
add blackhole disabled=no dst-address=198.18.0.0/15
add blackhole disabled=no dst-address=255.255.255.255
add blackhole disabled=no dst-address=224.0.0.0/4
add blackhole disabled=no dst-address=10.0.0.0/8

/ip firewall service-port
set h323 disabled=yes
/ip service
set telnet disabled=yes
set ftp disabled=yes
set www disabled=yes
set ssh address=192.168.1.0/24
set api disabled=yes
set winbox address=192.168.1.0/24 { dont recommend posting actual winbox or SSH port on a config }
set api-ssl disabled=yes
/ip ssh
set strong-crypto=yes
/ipv6 nd
set [ find default=yes ] disabled=yes
/system clock
set time-zone-name=Europe/Zurich
/system identity
set name=RouterOS
/system routerboard settings
set auto-upgrade=yes
/tool bandwidth-server
set enabled=no
/tool mac-server
set allowed-interface-list=NONE { not a secure access method }
/tool mac-server mac-winbox
set allowed-interface-list=LAN
Last edited by anav on Wed Mar 22, 2023 3:41 am, edited 1 time in total.
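To check what the two RAW rules and the blackhole routes in the posted config actually do to a packet, here is an added Python simulation. It is my own code, not anav's and not RouterOS: it copies the not_global_ipv4 entries and the blackhole destinations from the config above into plain lists, models the two /ip firewall raw rules in order, and runs constructed sample packets through them. The interface-list names "WAN" and "LAN" follow the config; the sample source and destination addresses are constructed for the test.

```python
import ipaddress
from dataclasses import dataclass

# Constructed offline model of the RAW rules and blackhole routes in the
# posted config. Not RouterOS code: it only reproduces the address matching
# so the lists can be checked against sample packets.

# /ip firewall address-list entries for not_global_ipv4, as posted.
NOT_GLOBAL_IPV4_ENTRIES = [
    "0.0.0.0/8", "10.0.0.0/8", "100.64.0.0/10", "169.254.0.0/16",
    "172.16.0.0/12", "192.0.0.0/29", "192.168.0.0/24",
    "192.168.2.1-192.168.255.255", "198.18.0.0/15", "255.255.255.255",
]

# /ip route blackhole destinations, as posted.
BLACKHOLE_DESTINATIONS = [
    "192.0.0.0/24", "192.0.2.0/24", "198.51.100.0/24", "203.0.113.0/24",
    "240.0.0.0/4", "0.0.0.0/8", "100.64.0.0/10", "169.254.0.0/16",
    "192.0.0.0/29", "172.16.0.0/12", "198.18.0.0/15", "255.255.255.255",
    "224.0.0.0/4", "10.0.0.0/8",
]

LAN_SUBNET = ipaddress.ip_network("192.168.1.0/24")


def expand_entry(entry: str):
    """Convert one address-list entry (CIDR, single host, or lo-hi range)
    into a list of ip_network objects."""
    if "-" in entry:
        lo, hi = (ipaddress.ip_address(p) for p in entry.split("-"))
        return list(ipaddress.summarize_address_range(lo, hi))
    return [ipaddress.ip_network(entry, strict=False)]


NOT_GLOBAL_IPV4 = [n for e in NOT_GLOBAL_IPV4_ENTRIES for n in expand_entry(e)]
BLACKHOLES = [n for e in BLACKHOLE_DESTINATIONS for n in expand_entry(e)]


def in_networks(addr: str, networks) -> bool:
    ip = ipaddress.ip_address(addr)
    return any(ip in n for n in networks)


@dataclass
class Packet:
    src: str
    dst: str
    in_list: str  # constructed: "WAN" or "LAN", the interface list the packet arrived on


def raw_prerouting(pkt: Packet):
    """Model of the two /ip firewall raw rules, evaluated in order.
    Returns ("drop", rule comment) or ("pass", None); a pass means the
    packet continues to connection tracking and the filter chains."""
    if pkt.in_list == "WAN" and in_networks(pkt.src, NOT_GLOBAL_IPV4):
        return "drop", "defconf: drop non global from WAN"
    if pkt.in_list == "LAN" and ipaddress.ip_address(pkt.src) not in LAN_SUBNET:
        return "drop", "not LAN"
    return "pass", None


def destination_blackholed(dst: str) -> bool:
    """Note3: a LAN packet whose destination falls in one of the blackhole
    routes is discarded by routing even though the forward chain accepts it."""
    return in_networks(dst, BLACKHOLES)


# Constructed sample packets; the comments state the verdict the posted
# config produces for each one.
SAMPLES = [
    Packet("10.0.0.5", "192.168.1.1", "WAN"),      # private source from WAN: drop
    Packet("192.168.5.9", "192.168.1.1", "WAN"),   # inside 192.168.2.1-192.168.255.255: drop
    Packet("192.168.1.50", "192.168.1.1", "WAN"),  # LAN subnet is not in the list: pass
    Packet("198.51.100.7", "192.168.1.1", "WAN"),  # documentation range is only blackholed: pass
    Packet("192.168.1.50", "9.9.9.9", "LAN"),      # normal LAN client: pass
    Packet("10.1.2.3", "9.9.9.9", "LAN"),          # wrong source on LAN (Note2): drop
]


def evaluate_all():
    """Verdict per (source, interface list) for every sample packet."""
    return {(p.src, p.in_list): raw_prerouting(p)[0] for p in SAMPLES}


if __name__ == "__main__":
    for p in SAMPLES:
        verdict, rule = raw_prerouting(p)
        print(f"{p.in_list:3} src={p.src:15} -> {verdict:4} {rule or ''}")
    for dst in ("192.0.2.5", "9.9.9.9"):
        print(f"dst={dst:15} blackholed={destination_blackholed(dst)}")
```

Two things the run makes visible that are easy to miss when reading the lists: the posted not_global_ipv4 list deliberately leaves out the router's own 192.168.1.0/24, so a WAN packet claiming a LAN source is not stopped in RAW and is left to the filter chains (where nothing accepts it, since the accept rules require in-interface-list=LAN); and the documentation and reserved ranges in bad_ipv4 are never used as a source filter in this config, only as blackholed destinations.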
Amm0
Forum Guru
Posts: 3250
Joined: Sun May 01, 2016 7:12 pm
Location: California

Re: settings for safe use...

Wed Mar 22, 2023 1:01 am

Perhaps you should add an rp-filter and tcp-syncookies to the "safe" list...
/ip settings set rp-filter=loose tcp-syncookies=yes 
see https://help.mikrotik.com/docs/display/ROS/IP+Settings, also https://help.mikrotik.com/docs/pages/vi ... d=28606504

@anav, I was of mixed minds on the bridge...know your stance :)...but WAN and LAN seem okay, especially with preference for "safe" vs "speed". e.g. there is zero chance a packet can leave via WAN without hitting the CPU/firewall, but you do give up potential hw offloading which isn't great for speed. Now at three or more bridges it becomes malpractice.
anav
Forum Guru
Posts: 19099
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: settings for safe use...

Wed Mar 22, 2023 2:02 am

Interesting, I have always set RP filter to loose for multiple reasons, but I don't have SYN cookies checked; should I?
Interesting link, seems like a valid checkbox to use. But I must check with my Tarot Cards.

There is no point to using the tcp-syncookies checkbox.
It's only useful for targeted attacks and a waste of time at all other times.
By useful I mean like for a nano-second to save some memory exhaustion, but your router CPU will quickly overload and the game is over.
MT routers should not be falsely portrayed by the MT wiki as somehow having a viable anti-DDoS capability; shame on them.

Thumbs DOWN for the checkbox.
