yaqueiroz88
just joined
Topic Author
Posts: 1
Joined: Tue Mar 21, 2023 2:32 pm

Firewall Drop DNS Local

Tue Mar 21, 2023 4:20 pm

Good morning,

I would like some help.

I set up a 750gr3 and I'm having trouble getting the local dns and the firewall drop rule working.

I configured the router to resolve the dns of the network, pointing the dhcp dns of the equipment to the ip of the MK.

When I enable the firewall drop all rule, the devices stop resolving the name.

Here is the firewall conf:

1 ;;; ALLOW ESTABLISHED AND RELATED CONNECTIONS
chain=input action=accept connection-state=established,related
connection-type="" log=no log-prefix=""

2 ;;; INVALID DROP
chain=input action=drop connection-state=invalid log=no log-prefix=""

3 ;;; PING 50/SEC
chain=input action=accept protocol=icmp limit=50,5:packet log=no
log-prefix=""

4 ;;; SUPPORT NETWORK ACCESS
chain=input action=accept src-address-list=network-support log=no log-prefix=""

5 ;;; FASTTRACK
chain=forward action=fasttrack-connection hw-offload=yes
connection-state=established,related log=no log-prefix=""

6 ;;; FASTTRACK WITH ESTB AND RELAC
chain=forward action=accept connection-state=established,related log=no
log-prefix=""

7 chain=input action=accept protocol=udp dst-port=53 log=no log-prefix=""

8 ;;; GENERAL DROP
chain=input action=drop log=no log-prefix=""
 
johnson73
Member Candidate
Posts: 174
Joined: Wed Feb 05, 2020 10:07 am

Re: Firewall Drop DNS Local

Tue Mar 21, 2023 10:06 pm

This configuration will work correctly. You can use it safely.

/ip firewall filter
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input in-interface-list=LAN
add action=accept chain=input comment="Allow DNS to local" dst-port=53 \
    in-interface-list=LAN protocol=udp
add action=accept chain=input comment="Allow DNS to local" dst-port=53 \
    in-interface-list=LAN protocol=tcp
add action=drop chain=input comment="drop all else"
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related
add action=accept chain=forward comment="defconf: accept established,related, untracked" connection-state=established,related,untracked
add action=accept chain=forward comment="allow internet traffic" in-interface-list=LAN out-interface-list=WAN
add action=accept chain=forward comment="allow port forwarding" connection-nat-state=dstnat
add action=drop chain=forward comment="drop all else"

/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" out-interface-list=WAN
 
anav
Forum Guru
Posts: 19100
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Firewall Drop DNS Local

Wed Mar 22, 2023 3:21 am

This is a safe starting point.

add action=accept chain=input in-interface-list=LAN
add action=accept chain=input comment="Allow DNS to local" dst-port=53 \
in-interface-list=LAN protocol=udp
add action=accept chain=input comment="Allow DNS to local" dst-port=53 \
in-interface-list=LAN protocol=tcp
add action=drop chain=input comment="drop all else"


What you need to know is the INPUT Chain is traffic TO the router. So the firewall rules state:
Allow all from LAN interface to access router
then
Allow all from LAN to access router DNS services protocol udp
Allow all from LAN to access router DNS services protocol tcp
DROP EVERYTHING ELSE

In other words, input is how you, the admin, access the router for configuration.
You need that allow rule because the last rule will drop all traffic, so you need to have the allow rule in place before it.

Now clearly it's only the admin that needs full access to the router. YOU have all the users covered for DNS services, so WE LIMIT FULL ACCESS TO ONLY THE ADMIN as follows:

add action=accept chain=input in-interface-list=LAN src-address-list=Authorized
add action=accept chain=input comment="Allow DNS to local" dst-port=53 \
in-interface-list=LAN protocol=udp
add action=accept chain=input comment="Allow DNS to local" dst-port=53 \
in-interface-list=LAN protocol=tcp
add action=drop chain=input comment="drop all else"


Where we create the firewall address list (after setting dhcp leases to static/fixed for the below local IPs)
/ip firewall address-list
add address=Admin_IP-desktop list=Authorized
add address=Admin_IP-laptop list=Authorized
add address=Admin_IP-ipad/iphone list=Authorized
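To make the first-match behaviour anav describes concrete, here is an added Python model of the input chain that walks rules top to bottom and returns the action of the first rule that matches. It is not RouterOS code and not anything the posters ran; the rule lists are transcribed from the original poster's input rules and from anav's restricted variant, and the IP addresses in the address lists are constructed placeholders (the thread only gives names like Admin_IP-desktop). It also shows why the original poster's rule 7 covers DNS over UDP but not the TCP fallback that the replies add.

```python
"""Constructed first-match model of the RouterOS input chain from this thread.

Added illustration only: not RouterOS code, not something the posters ran.
A chain is walked top to bottom and the first matching rule decides; with no
match RouterOS accepts (its default policy), which is why every chain here
ends in an explicit drop rule.
"""
from dataclasses import dataclass
from typing import List, Optional, Set, Tuple

# Constructed address lists. The thread only gives placeholder names
# (Admin_IP-desktop, ...), so these addresses are assumptions.
ADDRESS_LISTS = {
    "Authorized": {"192.168.88.10", "192.168.88.11"},
    "network-support": {"203.0.113.5"},
}


@dataclass
class Packet:
    in_iface_list: str               # "LAN" or "WAN"
    src: str
    protocol: str                    # "udp", "tcp" or "icmp"
    dst_port: Optional[int] = None
    conn_state: str = "new"          # new / established / related / invalid


@dataclass
class Rule:
    action: str                      # "accept" or "drop"
    comment: str = ""
    in_iface_list: Optional[str] = None
    protocol: Optional[str] = None
    dst_port: Optional[int] = None
    conn_states: Optional[Set[str]] = None
    src_address_list: Optional[str] = None

    def matches(self, p: Packet) -> bool:
        """Every matcher set on the rule must agree, as in RouterOS."""
        if self.in_iface_list and p.in_iface_list != self.in_iface_list:
            return False
        if self.protocol and p.protocol != self.protocol:
            return False
        if self.dst_port is not None and p.dst_port != self.dst_port:
            return False
        if self.conn_states and p.conn_state not in self.conn_states:
            return False
        if self.src_address_list:
            if p.src not in ADDRESS_LISTS.get(self.src_address_list, set()):
                return False
        return True


def evaluate(chain: List[Rule], p: Packet) -> Tuple[str, str]:
    """Return (action, comment) of the first matching rule; accept if none match."""
    for rule in chain:
        if rule.matches(p):
            return rule.action, rule.comment
    return "accept", "no rule matched (RouterOS default)"


# The original poster's input rules (forward rules omitted; the ICMP rate
# limit is ignored). Rule 7 only opens UDP/53, so a DNS query that falls
# back to TCP (truncated response) reaches the general drop.
OP_INPUT = [
    Rule("accept", "1 established,related", conn_states={"established", "related"}),
    Rule("drop", "2 invalid", conn_states={"invalid"}),
    Rule("accept", "3 ping", protocol="icmp"),
    Rule("accept", "4 support network", src_address_list="network-support"),
    Rule("accept", "7 dns udp", protocol="udp", dst_port=53),
    Rule("drop", "8 general drop"),
]

# anav's restricted variant: only Authorized hosts get full router access,
# every LAN host still gets DNS over UDP and TCP, everything else is dropped.
RESTRICTED_INPUT = [
    Rule("accept", "admin full access", in_iface_list="LAN", src_address_list="Authorized"),
    Rule("accept", "Allow DNS to local", in_iface_list="LAN", protocol="udp", dst_port=53),
    Rule("accept", "Allow DNS to local", in_iface_list="LAN", protocol="tcp", dst_port=53),
    Rule("drop", "drop all else"),
]


def dns_udp(src: str = "192.168.88.50", iface: str = "LAN") -> Packet:
    return Packet(iface, src, "udp", 53)


def dns_tcp(src: str = "192.168.88.50", iface: str = "LAN") -> Packet:
    return Packet(iface, src, "tcp", 53)


def winbox(src: str) -> Packet:
    # Management connection to the router itself (WinBox listens on TCP 8291).
    return Packet("LAN", src, "tcp", 8291)


if __name__ == "__main__":
    for name, chain in (("OP", OP_INPUT), ("restricted", RESTRICTED_INPUT)):
        for pkt in (dns_udp(), dns_tcp(), winbox("192.168.88.50"), winbox("192.168.88.10")):
            print(name, pkt.protocol, pkt.dst_port, pkt.src, "->", evaluate(chain, pkt))
```

Running the model shows the ordering point: a non-admin LAN host gets only DNS in the restricted chain, an Authorized host gets everything because its rule sits before the drop, and a TCP/53 query from the LAN is dropped by the original ruleset but accepted once the TCP rule from the replies is present.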
