starwebmanagement
just joined
Topic Author
Posts: 4
Joined: Wed Jun 12, 2019 6:53 am

My first Mikrotik Router - Firewall Help

Wed Jun 12, 2019 7:06 am

Hello. I've spent the last 5 hours trying to figure out why my firewall isn't working for port forwarding. I have a webserver that uses port 8181 for some testing purposes so I'm trying to forward any requests on that port to that machine (192.168.1.100). Any help would be greatly appreciated.

Here's my firewall export. The public IP for this post is PUBLICIP

# model = RouterBOARD 3011UiAS
/ip firewall address-list
add address=192.168.1.0/24 list=LAN
/ip firewall filter
add action=drop chain=input comment="drop all invalid requests to router" \
connection-state=invalid src-address-list=""
add action=drop chain=forward comment="drop all invalid requests from WAN" \
connection-state=invalid
add action=accept chain=forward comment="allow NAT dstnat " \
connection-nat-state=dstnat connection-state=established,related \
disabled=yes log=yes
add action=accept chain=input comment=\
"accept any LAN connections to the router" src-address-list=LAN
add action=accept chain=input comment=\
"accept established connections to the router" connection-state=\
established
add action=drop chain=input comment="drop all OTHER attempt to the router"
add action=accept chain=forward comment=\
"forward any NEW connections from LAN" connection-state=new \
src-address-list=LAN
add action=accept chain=forward comment="forward any RELATED connections" \
connection-state=related
add action=accept chain=forward comment="forward any ESTABLISHED connections" \
connection-state=established
add action=drop chain=forward comment="drop all other traffic" log=yes
/ip firewall nat
add action=masquerade chain=srcnat out-interface-list=WAN
add action=dst-nat chain=dstnat comment="beta sites" dst-address=\
PUBLICIP dst-port=8181 log=yes protocol=tcp to-addresses=\
192.168.1.100 to-ports=8181
The network has Internet access, but the port forwarding doesn't seem to work.
 
mducharme
Trainer
Trainer
Posts: 796
Joined: Tue Jul 19, 2016 6:45 pm

Re: My first Mikrotik Router - Firewall Help

Wed Jun 12, 2019 8:57 am

Your port forwarding is not working because there is no firewall filter forward chain rule that allows that traffic.
 
mkx
Forum Guru
Forum Guru
Posts: 2913
Joined: Thu Mar 03, 2016 10:23 pm

Re: My first Mikrotik Router - Firewall Help

Wed Jun 12, 2019 9:09 am

> Your port forwarding is not working because there is no firewall filter forward chain rule that allows that traffic.

Actually there is one, but it's wrong and disabled:
add action=accept chain=forward comment="allow NAT dstnat " \
connection-nat-state=dstnat connection-state=established,related \
disabled=yes log=yes
It would work if it were rewritten as follows:
add action=accept chain=forward comment="allow NAT dstnat" connection-nat-state=dstnat connection-state=new log=yes
As written, it will only affect new connections. Already established connections will be dealt with by the two rules many lines below (chain=forward connection-state=related and established).

Performance-wise it would be beneficial to replace those two rules with a single one:
add action=accept chain=forward comment="forward any ESTABLISHED and RELATED connections" \
connection-state=related,established
and push this rule upwards (perhaps right after the first rule in chain=forward, the one with comment="drop all invalid requests from WAN"). BTW, this comment is misleading, as the rule also drops any invalid connections originating from LAN and targeting anything but the router itself (another LAN, if it existed, or WAN).
BR,
Metod
 
ingdaka
Member Candidate
Member Candidate
Posts: 159
Joined: Thu Aug 30, 2012 3:06 pm
Location: Albania

Re: My first Mikrotik Router - Firewall Help

Wed Jun 12, 2019 11:50 pm

When you set up port forwarding and try to access this port from WAN, that means those are "new connections", not related or established! You are not allowing new connections to initiate the 3-way handshake that would make those connections established!
Ilir Daka
Electronic & Network Engineer
E-mail: ilirdaka@live.com
Mob: +355692982151
WhatsApp: +355692982151
Mikrotik Official Consultant
CCNA | Fortinet NSE3 | MTCRE | MTCSE
 
starwebmanagement
just joined
Topic Author
Posts: 4
Joined: Wed Jun 12, 2019 6:53 am

Re: My first Mikrotik Router - Firewall Help

Thu Jun 13, 2019 7:49 pm

Thank you for the help. I've made the changes and now it looks like this:

# jun/13/2019 09:32:35 by RouterOS 6.44.3
# software id = xxxxxxx
#
# model = RouterBOARD 3011UiAS
# serial number = xxxxxxx
/ip firewall address-list
add address=192.168.1.0/24 list=LAN
/ip firewall filter
add action=drop chain=input comment="drop all invalid requests to router" \
connection-state=invalid src-address-list=""
add action=drop chain=forward comment="drop all invalid requests from WAN" \
connection-state=invalid
add action=accept chain=forward comment=\
"forward any ESTABLISHED and RELATED connections" connection-state=\
established,related
add action=accept chain=forward comment="allow NAT dstnat " \
connection-nat-state=dstnat connection-state=new log=yes
add action=accept chain=input comment=\
"accept any LAN connections to the router" src-address-list=LAN
add action=accept chain=input comment=\
"accept established connections to the router" connection-state=\
established
add action=drop chain=input comment="drop all OTHER attempt to the router" \
log=yes
add action=accept chain=forward comment=\
"forward any NEW connections from LAN" connection-state=new \
src-address-list=LAN
add action=drop chain=forward comment="drop all other traffic" log=yes
/ip firewall nat
add action=dst-nat chain=dstnat comment="beta sites" disabled=yes \
dst-address=PUBLICIPADDRESS dst-port=8181 log=yes protocol=tcp \
to-addresses=192.168.1.100 to-ports=8181
add action=dst-nat chain=dstnat dst-port=8181 protocol=tcp to-addresses=\
192.168.1.100
add action=masquerade chain=srcnat out-interface-list=WAN
add action=masquerade chain=srcnat dst-port=8181 out-interface=bridgeLocal \
protocol=tcp src-address=192.168.1.0/24
The port forwarding seems to work correctly. Thank you for the explanations. It makes sense now.

I have some more questions to learn more about managing this firewall.
  • I've read about bogons lists in the firewall. Should I be concerned with this and implement rules for this?
  • I have another question. I also have a second router behind this router. It's a CISCO home router. Its IP address is static at 192.168.1.44. Nothing behind this router seems to work now, and I'm pretty sure I have to tell the Mikrotik that traffic coming from this is okay. I figured it would just work like any other device on the network, but it does not.
  • Also, a second issue which is strange. I have one computer with IP address 192.168.1.108 that cannot perform DNS lookups after changing to the Mikrotik. The adapter is configured with two IP addresses on it (.108 and .105). The gateway is 192.168.1.1. DNS is set to 192.168.1.1.
Thank you to those who've helped thus far! Could the second two issues be related, in that it's not allowing DNS for devices which have hard-coded DNS?
 
starwebmanagement
just joined
Topic Author
Posts: 4
Joined: Wed Jun 12, 2019 6:53 am

Re: My first Mikrotik Router - Firewall Help

Thu Jun 13, 2019 8:02 pm

It looks like I was able to solve both issues by checking the box "allow remote requests" in the DNS settings. Is this okay or is this making my system vulnerable? The firewall rules above shouldn't allow outside devices to use DNS off this router correct?
 
ingdaka
Member Candidate
Member Candidate
Posts: 159
Joined: Thu Aug 30, 2012 3:06 pm
Location: Albania

Re: My first Mikrotik Router - Firewall Help

Thu Jun 13, 2019 10:07 pm

Yes, you resolved your problem, but you have made your router vulnerable, because somebody can send you connections to UDP port 53 and saturate your processor usage!
Ilir Daka
Electronic & Network Engineer
E-mail: ilirdaka@live.com
Mob: +355692982151
WhatsApp: +355692982151
Mikrotik Official Consultant
CCNA | Fortinet NSE3 | MTCRE | MTCSE
 
Sob
Forum Guru
Forum Guru
Posts: 4619
Joined: Mon Apr 20, 2009 9:11 pm

Re: My first Mikrotik Router - Firewall Help

Fri Jun 14, 2019 12:45 am

It's not too bad. The firewall blocks all incoming requests from the internet. They would only be accepted if someone spoofed the source address, but that's very unlikely. You can improve the firewall rule accepting input traffic from LAN by adding in-interface=<LAN>.
People who quote full posts should be spanked with ethernet cable. Some exceptions for multi-topic threads may apply.
 
mkx
Forum Guru
Forum Guru
Posts: 2913
Joined: Thu Mar 03, 2016 10:23 pm

Re: My first Mikrotik Router - Firewall Help

Fri Jun 14, 2019 8:33 am

> You can improve the firewall rule accepting input traffic from LAN by adding in-interface=<LAN>.

Or, to stick with the concept used in the default firewall setup by MT: use "in-interface-list=LAN"
> I've read about bogons lists in the firewall. Should I be concerned with this and implement rules for this?
My personal view is that the bogon list concept does improve the firewall, but only slightly. I'm not sure if it's worth bothering. The default firewall blocks almost everything originating from WAN, and if there are not many ports forwarded, the "bogon list concept" doesn't do much. It does protect LAN services exposed to the internet (forwarded ports) to some extent. And it protects, if implemented carefully, the internet from evil LAN users. There's another concept (blacklisting of port knockers) which seems to be popular and also adds only a little to actual firewall security (for the very same reasons).

BTW, I don't think your first firewall rule
add action=drop chain=input comment="drop all invalid requests to router" \
connection-state=invalid src-address-list=""
actually does anything, because it matches invalid requests against an empty src address list, so it never blocks anything. Run the command
/ip firewall filter unset [ find src-address-list="" ] src-address-list
to fix the rule.
BR,
Metod
 
AidanAus
newbie
Posts: 25
Joined: Wed May 08, 2019 7:35 am

Re: My first Mikrotik Router - Firewall Help

Fri Jun 14, 2019 9:42 am

> Yes, you resolved your problem, but you have made your router vulnerable, because somebody can send you connections to UDP port 53 and saturate your processor usage!
As ingdaka said, you have made your system vulnerable at the moment. I would recommend adding the following rules to your list if you do not have them already; just swap out where it says wan interface with the actual name of your wan interface :)
/ip firewall filter add chain=input proto=tcp dst-port=53 in-interface=(wan interface) action=drop
/ip firewall filter add chain=input proto=udp dst-port=53 in-interface=(wan interface) action=drop
 
mkx
Forum Guru
Forum Guru
Posts: 2913
Joined: Thu Mar 03, 2016 10:23 pm

Re: My first Mikrotik Router - Firewall Help

Fri Jun 14, 2019 11:03 am

> Yes, you resolved your problem, but you have made your router vulnerable, because somebody can send you connections to UDP port 53 and saturate your processor usage!
> As ingdaka said, you have made your system vulnerable at the moment,
That's not the case. The combination of these two firewall rules keeps OP's router safe from the internet:
add action=accept chain=input comment="accept any LAN connections to the router" src-address-list=LAN
add action=drop chain=input comment="drop all OTHER attempt to the router" log=yes
And there isn't any other FW rule accepting DNS requests originating from WAN.

OK, there's the first above quoted rule, which would be better written by filtering according to in-interface-list (or in-interface, as already indicated by @Sob), because right now the router is open to some DoS attack involving spoofed IP addresses ... which actually uses the router to possibly break connections of LAN hosts, but hardly to compromise either the router or the LAN.
BR,
Metod
 
Sob
Forum Guru
Forum Guru
Posts: 4619
Joined: Mon Apr 20, 2009 9:11 pm

Re: My first Mikrotik Router - Firewall Help

Fri Jun 14, 2019 2:07 pm

> Or, to stick with the concept used in the default firewall setup by MT: use "in-interface-list=LAN"
Right. I still didn't get used to in-interface-list, as it's relatively new and I've been using in-interface for too long. Just to make it clear.
People who quote full posts should be spanked with ethernet cable. Some exceptions for multi-topic threads may apply.
 
mkx
Forum Guru
Forum Guru
Posts: 2913
Joined: Thu Mar 03, 2016 10:23 pm

Re: My first Mikrotik Router - Firewall Help

Fri Jun 14, 2019 2:18 pm

> Or, to stick with the concept used in the default firewall setup by MT: use "in-interface-list=LAN"
> Right. I still didn't get used to in-interface-list, as it's relatively new and I've been using in-interface for too long.
You're not saying you're old, are you? :wink:
BR,
Metod
 
Sob
Forum Guru
Forum Guru
Posts: 4619
Joined: Mon Apr 20, 2009 9:11 pm

Re: My first Mikrotik Router - Firewall Help

Fri Jun 14, 2019 3:21 pm

Nah, only when I have to get out of bed too soon, then I feel like twice my age. :)

It's just that I've been playing with RouterOS for several years and most of the time interface lists didn't exist. They are great when you need to quickly add another LAN/WAN and make them use common rules. Not exactly what I do daily. I sometimes use them, but most of the time not (I won't be converting old configs to interface lists, it wouldn't help anything). So when I don't see them much, they are not the first thing that comes to my mind.
People who quote full posts should be spanked with ethernet cable. Some exceptions for multi-topic threads may apply.
 
starwebmanagement
just joined
Topic Author
Posts: 4
Joined: Wed Jun 12, 2019 6:53 am

Re: My first Mikrotik Router - Firewall Help

Fri Jun 14, 2019 7:21 pm

> add action=accept chain=input comment="accept any LAN connections to the router" src-address-list=LAN
> add action=drop chain=input comment="drop all OTHER attempt to the router" log=yes
> OK, there's the first above quoted rule, which would be better written by filtering according to in-interface-list (or in-interface, as already indicated by @Sob), because right now the router is open to some DoS attack involving spoofed IP addresses ... which actually uses the router to possibly break connections of LAN hosts, but hardly to compromise either the router or the LAN.
Are you saying this rule:
add action=accept chain=input comment="accept any LAN connections to the router" src-address-list=LAN
Would be better served to use in-interface-list=LAN? Like this?
add action=accept chain=input comment="accept any LAN connections to the router" in-interface-list=LAN
And this is because it then eliminates spoofing from the WAN interface?
 
mkx
Forum Guru
Forum Guru
Posts: 2913
Joined: Thu Mar 03, 2016 10:23 pm

Re: My first Mikrotik Router - Firewall Help

Sat Jun 15, 2019 10:19 am

Yes. You just have to keep the LAN interface list updated.

Generally, when constructing rules one should use criteria which have the least possibility of spoofing. A remote attacker can easily spoof src-address, but can hardly spoof the ingress interface.
BR,
Metod
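The rule-ordering argument from mkx's earlier reply and the spoofing point just above can be replayed in a small added Python model of first-match chain evaluation. This is an added illustration, not RouterOS code and not anything posted in the thread; the packets' connection-state and connection-nat-state values are assumed stand-ins for what connection tracking would report, and the address-list lookup is a simplification of RouterOS's own.

```python
import ipaddress
# Added illustration, not RouterOS code: a first-match model of one RouterOS
# firewall filter chain, with constructed packets standing in for tracked flows.
ADDRESS_LISTS = {"LAN": [ipaddress.ip_network("192.168.1.0/24")]}

def in_address_list(name, src):
    # An empty list name has no entries, so it never matches (mkx's point about OP's src-address-list="" rule).
    return any(ipaddress.ip_address(src) in net for net in ADDRESS_LISTS.get(name, []))

def matches(rule, pkt):  # every criterion the rule sets must agree with the packet
    if rule.get("disabled"):
        return False
    states = rule.get("connection-state")
    if states and pkt["connection-state"] not in states.split(","):
        return False
    if "connection-nat-state" in rule and rule["connection-nat-state"] != pkt.get("connection-nat-state"):
        return False
    if "src-address-list" in rule and not in_address_list(rule["src-address-list"], pkt["src"]):
        return False
    if "in-interface-list" in rule and rule["in-interface-list"] != pkt["in-interface-list"]:
        return False
    return True

def verdict(chain, pkt):  # the first matching rule decides; no match falls through to accept
    for rule in chain:
        if matches(rule, pkt):
            return rule["action"]
    return "accept"
# OP's original forward chain (invalid-drop omitted): the dstnat rule is disabled and
# wants established/related, so a new inbound connection reaches the final drop.
ORIGINAL_FORWARD = [
    {"action": "accept", "connection-nat-state": "dstnat", "connection-state": "established,related", "disabled": True},
    {"action": "accept", "connection-state": "new", "src-address-list": "LAN"},
    {"action": "accept", "connection-state": "related"},
    {"action": "accept", "connection-state": "established"},
    {"action": "drop"},
]
# mkx's corrected order: established/related first, then new dstnat connections.
FIXED_FORWARD = [
    {"action": "accept", "connection-state": "established,related"},
    {"action": "accept", "connection-nat-state": "dstnat", "connection-state": "new"},
    {"action": "accept", "connection-state": "new", "src-address-list": "LAN"},
    {"action": "drop"},
]
# Input chain trusting the source address versus trusting the ingress interface list.
INPUT_BY_ADDRESS = [{"action": "accept", "src-address-list": "LAN"}, {"action": "drop"}]
INPUT_BY_INTERFACE = [{"action": "accept", "in-interface-list": "LAN"}, {"action": "drop"}]
# Constructed packets: a dst-natted SYN from the internet, and a WAN packet with a spoofed LAN source.
FORWARDED_SYN = {"src": "203.0.113.5", "in-interface-list": "WAN", "connection-state": "new", "connection-nat-state": "dstnat"}
SPOOFED_LAN_SRC = {"src": "192.168.1.50", "in-interface-list": "WAN", "connection-state": "new"}
```

Running verdict() over the two forward chains shows the inbound SYN dropped by the original order and accepted by the corrected one, and over the two input chains shows that only the in-interface-list variant drops the spoofed packet.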
 
anav
Forum Guru
Forum Guru
Posts: 2964
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: My first Mikrotik Router - Firewall Help

Sat Jun 15, 2019 10:22 pm

> Yes. You just have to keep the LAN interface list updated.
>
> Generally, when constructing rules one should use criteria which have the least possibility of spoofing. A remote attacker can easily spoof src-address, but can hardly spoof the ingress interface.
That is GOLD advice.......... IF only MT would put gems like that into the WIKI.......
I'd rather manage rats than software. Follow my advice at your own risk! (Sob & mkx forced me to write that!)
