andsmith
just joined
Topic Author
Posts: 24
Joined: Tue Feb 14, 2017 8:19 pm

Help with Firewall

Fri Jun 14, 2019 10:44 pm

I am trying to set up a firewall on our remote devices; each remote site is using EoIP, IPSec, MPLS, VPLS and OSPF back to two main office IPs. I've looked at some of the manuals/wikis and understand some of it, but I'm quite overwhelmed. Any help would be greatly appreciated. Here is what I'd like to do:

1) Allow Winbox only from remote IPs 24.xxx.xxx.xxx and 74.xxx.xxx.xxx
2) Allow icmp from anywhere
3) Allow EoIP and IPSec from the two IPs listed above
4) Allow NAT from Internal DHCP Range
5) Block Everything Else

Thanks in advance!
 
andsmith
just joined
Topic Author
Posts: 24
Joined: Tue Feb 14, 2017 8:19 pm

Re: Help with Firewall

Mon Jun 17, 2019 4:00 pm

Can anyone out there help me?
 
anav
Forum Guru
Posts: 2716
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Help with Firewall

Mon Jun 17, 2019 4:22 pm

Yes, that's easy.
Attend some MT Academy training sessions, or get your company to hire a real IT person, or third, hire an MT consultant.
I'd rather manage rats than software. Follow my advice at your own risk! (Sob & mkx forced me to write that!)
 
andsmith
just joined
Topic Author
Posts: 24
Joined: Tue Feb 14, 2017 8:19 pm

Re: Help with Firewall

Mon Jun 17, 2019 4:55 pm

Wow... Thank you for your words of wisdom. Much appreciated, have a great day.
 
anav
Forum Guru
Posts: 2716
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Help with Firewall

Mon Jun 17, 2019 6:21 pm

There are many far wiser on this forum (at least for MT configs) who may chime in. Patience is your friend.
I'd rather manage rats than software. Follow my advice at your own risk! (Sob & mkx forced me to write that!)
 
andsmith
just joined
Topic Author
Posts: 24
Joined: Tue Feb 14, 2017 8:19 pm

Re: Help with Firewall

Mon Jun 17, 2019 9:56 pm

OK, I think I figured it out. For future reference, for anyone else:
/ip firewall filter
# The address lists "Local WAN" (this router's public address) and "Remote Sites" (the two main-office IPs) must exist under /ip firewall address-list, or none of the accept rules below ever match.
# Replies to connections the router opened itself (DNS, NTP, IKE retransmits) must be accepted, otherwise the final drop rule discards them.
add action=accept chain=input comment="established/related" connection-state=established,related
add action=accept chain=input dst-address-list="Local WAN" protocol=icmp src-address-list="Remote Sites"
add action=accept chain=input comment=Winbox dst-address-list="Local WAN" dst-port=8291 log=yes protocol=tcp src-address-list="Remote Sites"
add action=accept chain=input comment="IPSec Enc. on GRE" dst-address-list="Local WAN" protocol=ipsec-esp src-address-list="Remote Sites"
# The src-port=500/4500 matches assume the main offices are not behind NAT; a NATed peer can arrive from a different source port.
add action=accept chain=input comment=ISAKMP dst-address-list="Local WAN" dst-port=500 protocol=udp src-address-list="Remote Sites" src-port=500
add action=accept chain=input comment="IPSec NAT Authentication" dst-address-list="Local WAN" dst-port=4500 protocol=udp src-address-list="Remote Sites" src-port=4500
add action=accept chain=input comment=GRE dst-address-list="Local WAN" protocol=gre src-address-list="Remote Sites"
add action=accept chain=input comment=AH dst-address-list="Local WAN" protocol=ipsec-ah src-address-list="Remote Sites"
# Everything else arriving on the ISP port is dropped and logged (src-address=0.0.0.0/0 matched every source and was redundant, so it is omitted).
add action=drop chain=input comment="drop rest from ISP" in-interface="01 - ISP" log=yes
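For readers who want the five requirements from the first post in one place, here is a complete RouterOS example covering the input chain and the source NAT. It is an added example, not the poster's config or MikroTik's own reference: the WAN interface name "01 - ISP" comes from the thread, while the LAN bridge name `bridge-lan`, the two main-office addresses (192.0.2.10 and 198.51.100.20) and the LAN prefix 192.168.88.0/24 are placeholders to be replaced with the real values.

```routeros
# Added example (not the poster's config). Placeholders: bridge-lan, the two
# "Remote Sites" addresses and the LAN prefix are assumptions; "01 - ISP" is
# the WAN interface named in the thread.

/ip firewall address-list
add list="Remote Sites" address=192.0.2.10 comment="main office A (placeholder)"
add list="Remote Sites" address=198.51.100.20 comment="main office B (placeholder)"
add list=LAN address=192.168.88.0/24 comment="internal DHCP range (placeholder)"

/ip firewall filter
# Replies to connections the router opened itself (DNS, NTP, IKE retransmits)
# are accepted first; without this the final drop rule cuts them off.
add chain=input action=accept connection-state=established,related comment="established/related"
add chain=input action=drop connection-state=invalid comment="drop invalid"
# 2) ICMP from anywhere
add chain=input action=accept protocol=icmp comment="icmp"
# 1) Winbox only from the two main-office addresses
add chain=input action=accept protocol=tcp dst-port=8291 src-address-list="Remote Sites" comment="winbox"
# 3) IPsec (IKE, NAT-T, ESP, AH) and EoIP (GRE) from the same two addresses
add chain=input action=accept protocol=udp dst-port=500,4500 src-address-list="Remote Sites" comment="ike / nat-t"
add chain=input action=accept protocol=ipsec-esp src-address-list="Remote Sites" comment="esp"
add chain=input action=accept protocol=ipsec-ah src-address-list="Remote Sites" comment="ah"
add chain=input action=accept protocol=gre src-address-list="Remote Sites" comment="eoip / gre"
# Management from the LAN side stays open; only the ISP port is closed.
add chain=input action=accept in-interface=bridge-lan comment="lan"
# 5) Block everything else arriving on the ISP port, logged with a prefix
add chain=input action=drop in-interface="01 - ISP" log=yes log-prefix="input-drop" comment="drop rest"

/ip firewall nat
# 4) Source NAT for the internal DHCP range leaving via the ISP port
add chain=srcnat action=masquerade src-address-list=LAN out-interface="01 - ISP" comment="lan masquerade"
```

Rule order matters: the established/related accept sits above the protocol rules so reply traffic is matched once, and the drop is last so any packet not explicitly accepted on the ISP port is discarded. After pasting, `/ip firewall filter print stats` shows which rules are being hit, and `/log print where message~"input-drop"` shows what the drop rule is catching, which is the quickest way to confirm nothing needed (for example the IKE exchange from the main offices) is landing in the drop.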
