jbackwell
just joined
Topic Author
Posts: 8
Joined: Tue Mar 02, 2021 6:23 am

Firewall whitelist setup

Tue Mar 02, 2021 6:28 am

I have a measurement device connected to a BGAN satellite terminal (which frustratingly has no firewall). Data is very expensive and we want to be able to connect to the device via FTP to download data periodically.
The connected measurement device is not something that we can easily configure and it is always trying to ping servers and is consuming large volumes of data unchecked.

Currently I have port forwarding set up on the satellite terminal to direct incoming connections to the measurement device (external port X is forwarded to <localIP>:80 and external port Y is forwarded to <localIP>:22)
The satellite provider has a firewall that prevents incoming connections from anywhere except our business network (about 5 subnets of public IPs - all of our egress IP addresses basically). Unfortunately this only stops unwanted incoming traffic. As the firewall is located at the ground station, it can't stop the measurement device from sending requests over the satellite network - even if they are dropped at the firewall, they have already travelled through the satellite network and have been counted as data against our quota and are hence very expensive!

I want to use the mikrotik router between the satellite terminal and the measurement device to block any traffic except for that between the measurement device and our work network (i.e. when we manually connect to the device for downloading data via FTP (port 22) or connecting for diagnostic purposes (port 80)).

I have a list of our company's public IP ranges (we're a big company and we have about 5 subnets)
I'd really appreciate it if anyone could show me how to configure the router to perform this function.

Thanks!
 
SuperMario
just joined
Posts: 8
Joined: Sat Mar 06, 2021 10:25 am

Re: Firewall whitelist setup

Sat Mar 06, 2021 11:14 am

Hi
I had a similar issue to allow ftp-access only from a specific country.
So this is what I've done to make it work. I hope it will inspire you:
  • Install the list following the instructions in the video (found on the same page)
  • Then add 2 rules to the firewall:
    • /ip firewall filter add chain=forward action=accept protocol=tcp dst-address-list=CountryIPAllow src-port=21 log=no log-prefix=""
    • /ip firewall filter add chain=forward action=drop protocol=tcp src-port=21 log=no log-prefix=""
 
jbackwell
just joined
Topic Author
Posts: 8
Joined: Tue Mar 02, 2021 6:23 am

Re: Firewall whitelist setup

Sun Mar 07, 2021 8:49 am

Hello, I'm hoping someone out there has some ideas!
 
jvanhambelgium
Forum Veteran
Posts: 985
Joined: Thu Jul 14, 2016 9:29 pm
Location: Belgium

Re: Firewall whitelist setup

Sun Mar 07, 2021 11:02 pm

Start with a simple schematic please ;-)
Apart from that, why is this measurement device so "chatty"? What does it try to contact, as you wrote "...and it is always trying to ping servers and is consuming large volumes of data unchecked"?

What is that BGAN terminal? A Linux host? A Windows machine of some sort?

Configuration-wise a solution with a Mikrotik does not seem extremely challenging. Can you insert a Mikrotik at Layer 3? Or are you bound to certain IP ranges between the "measurement" & BGAN device? (hence the request for a simple drawing to understand the LAN ranges etc.)
 
jbackwell
just joined
Topic Author
Posts: 8
Joined: Tue Mar 02, 2021 6:23 am

Re: Firewall whitelist setup

Tue Feb 07, 2023 1:00 am

Thanks @ jvanhambelgium.

I'll try and explain from the top.
I have a Lidar wind measurement device connected to a BGAN satellite terminal (Cobham Explorer 540). The lidar device is normally connected via a cellular service and consumes around 1GB of data per month as it streams realtime information to a server to allow cloud-based access to the lidar interface as well as viewing realtime wind data and config, alarms etc.
The BGAN satellite service only includes 5MB per month and excess data is extremely expensive. We have been successful in previous installations with the newer version of the lidar device as there is a "low data mode" setting that disables the communications with the lidar's cloud server. Unfortunately on the older devices this is not an option.
With the newer Lidars in low data mode, I was able to remotely connect to the lidar directly using FileZilla and download the daily data files using less than 5MB per month and occasionally access the web interface of the lidar itself to check/alter the config (I just needed to whitelist the egress IP ranges used by my company on the satellite service and add some port forwards in the satellite terminal and voilà...)

BUT. I now need a way to stop any and all traffic from the lidar from making it to the satellite terminal (including DNS requests etc.). I only want the lidar to be able to function as a remotely accessed FTP server (and I also need to occasionally access its web interface for config) - i.e. I only want to allow traffic on ports 22 and 80 from my work IP range to make it to the lidar. I have tried to add the following rule:

add action=drop chain=forward dst-address-list=!Whitelist log=yes src-address-list=!Whitelist
(where whitelist is the list of the egress ip ranges used by my work)

but this doesn't seem to stop a whole lot of random traffic (DNS requests, pings and all sorts of stuff I don't recognise on seemingly random ports - in case you can't tell, I'm not very experienced in this area!)

The physical setup is as follows: <LIDAR 192.168.88.254>--------<Mikrotik Router 192.168.88.1 / 192.168.15.206>-------------------<BGAN terminal 192.168.15.15>
I'm using some port forwards in the BGAN terminal and the Mikrotik router to pass the FTP and HTTP traffic through to the lidar and I've been able to successfully access the devices remotely. I also can't ping anything except for what's in my whitelist when I connect my computer to the network, but for whatever reason, it is still not stopping data consumption (I'm well over 10MB already on the sat service...)

Thanks in advance, Josh
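The rule quoted in the post above only drops a packet when both its source and its destination are outside the Whitelist list; because 192.168.88.0/24 was itself added to the list, nothing the lidar sends ever matches it. The following is an added example written for this page (it is not from the thread and not MikroTik documentation) showing how to express the intended allowlist in RouterOS 6 syntax. It assumes the OP's list name Whitelist, the lidar at 192.168.88.254, the defconf WAN/LAN interface lists, and keeps the company ranges as the X.X.X.X placeholders from the OP's export.

```routeros
# Added example (not from the thread, not MikroTik documentation): why the posted
# rule does not stop the lidar, and a rewrite of the intended allowlist.
#
# Posted rule:
#   add action=drop chain=forward src-address-list=!Whitelist dst-address-list=!Whitelist
# Matchers on one rule are ANDed, so it drops only packets whose source AND destination
# are both outside Whitelist. With 192.168.88.0/24 in the list, every packet from the
# lidar (192.168.88.254) has a whitelisted source and is never dropped.
# Splitting it into two negated drop rules does not work either: in the forward chain
# an inbound port-forwarded packet already carries dst 192.168.88.254 (dst-nat runs
# first), so "dst not in Whitelist -> drop" would also kill the allowed FTP/HTTP sessions.

# 1. The list must contain only the company's public egress ranges. Never the LAN,
#    never the BGAN terminal.
/ip firewall address-list
remove [find list=Whitelist address=192.168.88.0/24]
remove [find list=Whitelist address=192.168.15.1]

# 2. Delete the posted "!Whitelist" rule (last rule in the OP's export), then append an
#    accept-then-drop pair for NEW connections. They sit after the defconf
#    established/related accept, so replies to accepted sessions still flow.
/ip firewall filter
add chain=forward action=accept connection-state=new connection-nat-state=dstnat \
    in-interface-list=WAN src-address-list=Whitelist \
    comment="company ranges -> port-forwarded lidar services only"
add chain=forward action=drop connection-state=new log=yes log-prefix=FWD-DROP \
    comment="every other new connection, including anything the lidar originates"

# 3. Checks: the drop counter should climb while the lidar keeps trying, the log names
#    the destinations it is after, and no outbound conntrack entries from the lidar
#    should appear.
/ip firewall filter print stats where chain=forward
/log print follow-only where message~"FWD-DROP"
/ip firewall connection print where src-address~"^192.168.88.254"
```

One path this does not close on its own: packets from the lidar to the router itself, for example DNS queries to 192.168.88.1, go through the input chain, not forward, and with allow-remote-requests=yes the router would relay them upstream over the satellite. That needs an input-chain drop for 192.168.88.254 (or allow-remote-requests=no) in addition to the forward rules.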
 
 
jbackwell
just joined
Topic Author
Posts: 8
Joined: Tue Mar 02, 2021 6:23 am

Re: Firewall whitelist setup

Tue Feb 07, 2023 11:50 am

Here's my attempt at a network map - I hope it helps explain the setup
EDIT: In the diagram, I've accidentally swapped ether1 and bridge, they're meant to be the other way around.
 
anav
Forum Guru
Posts: 18958
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Firewall whitelist setup

Tue Feb 07, 2023 2:54 pm

Very nice!
Please post the current config on the MT device.
/export file=anynameyouwish ( minus router serial number and any public WANIP information )
 
jbackwell
just joined
Topic Author
Posts: 8
Joined: Tue Mar 02, 2021 6:23 am

Re: Firewall whitelist setup

Wed Feb 08, 2023 2:04 am

Thanks, here's the config - I must apologise as I really have been fumbling my way through, I'm a measurements engineer and the extent of my networking knowledge is trying to make sure the IP settings are correct in a device (i.e. IP, netmask, gateway and DNS......)

I also have a stupid situation where I'm using the DHCP client on the Mikrotik ether1 interface to get an IP from the Sat terminal, which also has DHCP on. I'd obviously rather just set the mikrotik to use the fixed IP settings on that interface (ether1) of 192.168.15.206, but I wasn't sure how to do that and I couldn't seem to figure it out. If I can set that up, then I would be able to disable DHCP on the satellite terminal - I've been running into problems of sometimes getting the wrong IP address from the sat terminal, so none of my port forwards work then.

Firstly, the satellite terminal is configured as follows:
IP address: 192.168.15.1
DHCP range 192.168.15.206-192.168.15.206 :: I did this because the sat terminal is stupid and doesn't allow me to assign IP addresses to specific MAC addresses
No firewall (because it's stupid)
Port forwards:
8880 --> 192.168.15.206:8880
8822 --> 192.168.15.206:8822
8980 --> 192.168.15.206:80
8921 --> 192.168.15.206:21

That's pretty much it for the sat terminal, the rest is just BGAN configuration

Mikrotik config:

# feb/08/2023 10:48:05 by RouterOS 6.47.9
# software id = NXSX-DLR7
#
# model = RB952Ui-5ac2nD
# serial number = XXXX
/interface bridge
add admin-mac=X:X:X:X:X:X auto-mac=no comment=defconf name=bridge
/interface wireless
set [ find default-name=wlan1 ] band=2ghz-b/g/n channel-width=20/40mhz-XX \
disabled=no distance=indoors frequency=auto installation=indoor mode=\
ap-bridge ssid=MikroTik-8CB596 wireless-protocol=802.11
set [ find default-name=wlan2 ] band=5ghz-a/n/ac channel-width=\
20/40/80mhz-XXXX disabled=no distance=indoors frequency=auto \
installation=indoor mode=ap-bridge ssid=MikroTik-8CB595 \
wireless-protocol=802.11
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip hotspot profile
set [ find default=yes ] html-directory=flash/hotspot
/ip pool
add name=dhcp ranges=192.168.88.10-192.168.88.254
/ip dhcp-server
add address-pool=dhcp disabled=no interface=bridge name=defconf
/interface bridge port
add bridge=bridge comment=defconf interface=ether2
add bridge=bridge comment=defconf interface=ether3
add bridge=bridge comment=defconf interface=ether4
add bridge=bridge comment=defconf interface=ether5
add bridge=bridge comment=defconf interface=wlan1
add bridge=bridge comment=defconf interface=wlan2
/ip neighbor discovery-settings
set discover-interface-list=LAN
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=ether1 list=WAN
/ip address
add address=192.168.88.1/24 comment=defconf interface=ether2 network=\
192.168.88.0
/ip dhcp-client
add disabled=no interface=ether1
/ip dhcp-server network
add address=192.168.88.0/24 comment=defconf gateway=192.168.88.1
/ip dns
set allow-remote-requests=yes
/ip dns static
add address=192.168.88.1 comment=defconf name=router.lan
/ip firewall address-list
add address=X.X.X.X/24 comment= list=Whitelist
add address=X.X.X.X/24 comment= list=Whitelist
add address=X.X.X.X/24 comment= list=Whitelist
add address=X.X.X.X/23 comment= list=Whitelist
add address=X.X.X.X/29 comment= list=Whitelist
add address=192.168.15.1 list=Whitelist
add address=X.X.X.X/24 list=Whitelist
add address=192.168.88.0/24 list=Whitelist
/ip firewall filter
add action=accept chain=input comment=\
"defconf: accept established,related,untracked" connection-state=\
established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
invalid disabled=yes
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment=\
"defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
disabled=yes in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
connection-state=established,related
add action=accept chain=forward comment=\
"defconf: accept established,related, untracked" connection-state=\
established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
connection-state=invalid
add action=drop chain=forward comment=\
"defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
connection-state=new in-interface-list=WAN
add action=drop chain=forward dst-address-list=!Whitelist log=yes \
src-address-list=!Whitelist
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" \
ipsec-policy=out,none out-interface-list=WAN
add action=dst-nat chain=dstnat dst-port=8880 protocol=tcp to-addresses=\
192.168.88.254 to-ports=80
add action=dst-nat chain=dstnat dst-port=8822 protocol=tcp to-addresses=\
192.168.88.254 to-ports=22
/system clock
set time-zone-name=Australia/Sydney
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN
 
jbackwell
just joined
Topic Author
Posts: 8
Joined: Tue Mar 02, 2021 6:23 am

Re: Firewall whitelist setup

Thu Feb 09, 2023 12:09 pm

I apologise in advance for the horror that is my configuration. I'm pretty sure it started as factory default and I added the whitelist and whitelist rules... Please feel free to school me, I'm really keen to find a solution. Hopefully someone out there understands what I'm trying to achieve!
Thanks
 
jbackwell
just joined
Topic Author
Posts: 8
Joined: Tue Mar 02, 2021 6:23 am

Re: Firewall whitelist setup

Mon Feb 13, 2023 10:31 pm

I'm just going to bump this one up one more time, I'd really appreciate any help!
 
anav
Forum Guru
Posts: 18958
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Firewall whitelist setup

Tue Feb 14, 2023 3:54 am

Sorry got lost in the shuffle of thread decks.
So basically you want this lidar device not to originate traffic outbound.
It seems that the device needs to communicate BUT ONLY in response to outside queries.


/ip firewall filter
add action=accept chain=input comment=\
"defconf: accept established,related,untracked" connection-state=\
established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
invalid disabled=yes
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment=\
"defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1

add action=drop chain=input src-address=192.168.88.254 log=yes \
log-prefix=TempMonitorToRouter comment="stop any comms from the lidar hitting the router itself"

add action=drop chain=input comment="defconf: drop all not coming from LAN" \
disabled=yes in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
connection-state=established,related
add action=accept chain=forward comment=\
"defconf: accept established,related, untracked" connection-state=\
established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
connection-state=invalid

add action=drop chain=forward src-address=192.168.88.254 dst-address=192.168.88.0/24 \
log=yes log-prefix=MonitorToLAN

add action=drop chain=forward src-address=192.168.88.254 \
log=yes log-prefix=MonitorToAnythingElse

add action=accept chain=forward in-interface-list=LAN out-interface-list=WAN
add action=accept chain=forward comment="port forwarding" connection-nat-state=dstnat
add action=drop chain=forward comment="drop all else"

/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" \
ipsec-policy=out,none out-interface-list=WAN



Note I separated the two rules above in case you wanted to see where the lidar was trying to connect, LAN addresses or Other addresses.
In reality you only need the second rule.....
add action=drop chain=forward src-address=192.168.88.254
 
jbackwell
just joined
Topic Author
Posts: 8
Joined: Tue Mar 02, 2021 6:23 am

Re: Firewall whitelist setup

Mon Feb 20, 2023 5:18 am

Thank you so much for your help @Anav
This is working well - seems to be stopping outgoing data, but allows incoming connection to the Lidar via the sat connection!
I have one question though - it would be great if I was able to connect to the lidar with a laptop plugged into the mikrotik router (just to assist in on site deployment - obviously I could disable the firewall, but it would be great to be able to still have local access to the lidar while keeping any data from getting out to the sat terminal)

In fact, it would be great if the Mikrotik simply stopped anything from getting out to the sat terminal - this way I could safely connect the laptop to the mikrotik and configure the connected lidar without worrying about Windows or anything else on my laptop sucking down data from the sat connection.

Thanks again for your help!
 
anav
Forum Guru
Posts: 18958
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Firewall whitelist setup

Mon Feb 20, 2023 1:51 pm

Sorry, you would have to provide much greater detail on your laptop idea.
I have no idea what would be connected to what in this equation????
How would it differ from your diagram?
 
Ca6ko
Member
Posts: 498
Joined: Wed May 04, 2022 10:59 pm
Location: Kharkiv, Ukraine

Re: Firewall whitelist setup

Mon Feb 20, 2023 3:05 pm

@ jbackwell
You don't have the correct IP addresses for the Mikrotik in the diagram: on the bridge 192.168.88.1/24, on ether1 192.168.15.206. By the way, reassign the address to the bridge in the config, because port 2 is part of the bridge and is a slave.
To disable access for all LAN devices, change the rule add action=drop chain=forward src-address=192.168.88.254: instead of the source address 192.168.88.254 use 192.168.88.0/24.

@anav
add action=drop chain=forward src-address=192.168.88.254 dst-address=192.168.88.0/24
This rule should not work, because the LAN packets do not go to the firewall, but stay in the bridge. If you need such filtering, you have to add it to bridge filters using MAC addresses.
 
anav
Forum Guru
Posts: 18958
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Firewall whitelist setup

Mon Feb 20, 2023 3:25 pm

@Ca6ko: You have a keen eye, sir, but you missed the OP's text on the diagram page. ( EDIT: In the diagram, I've accidentally swapped ether1 and bridge, they're meant to be the other way around.)

On the second point you are technically correct, but who cares!! Any traffic to other devices over the bridge (aka over L2) in the 192.168.88.0/24 subnet is always possible, and in fact the LIDAR could multicast to all bridge-attached devices. It would appear there are no such devices, in that the LIDAR is the only connected device on the bridge, so not a big concern.

The main point of the rule, however, was not to stop LAN to LAN traffic it was to stop LAN to WAN traffic!!! That was the specific reason the rule was placed before the allow LAN to WAN rule.

Now, if the OP wants to add other devices behind the MT router then some forethought would be required to ensure isolation from LIDAR. This can be solved in a myriad of ways, from simply using a port not being on the bridge with a different subnet, using a different bridge, using vlans etc..........
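Pulling the thread's suggestions together, the following is an added example written for this page (it is not anav's or Ca6ko's config and not MikroTik documentation) of a rebuilt ruleset for the OP's later requirements: a fixed address on ether1 so the terminal's DHCP can be switched off, the LAN address moved onto the bridge, a laptop on the bridge able to reach the lidar, and nothing from the LAN, nor anything the router itself originates, reaching the BGAN terminal except replies to allowlisted inbound port forwards. It assumes RouterOS 6.47 syntax, the terminal at 192.168.15.1 as the OP's later post states, the lidar at 192.168.88.254, the company ranges kept as the X.X.X.X placeholders from the OP's export, and a placeholder MAC for the lidar's fixed lease.

```routeros
# Added example for this page (not from the thread, not from MikroTik): default-deny
# rebuild of the OP's router. Assumptions: terminal 192.168.15.1, lidar 192.168.88.254,
# company ranges = X.X.X.X placeholders, lidar MAC = placeholder. RouterOS 6.47 syntax.

# --- ether1: static address instead of the DHCP client ----------------------------
/ip dhcp-client remove [find interface=ether1]
/ip address add address=192.168.15.206/24 interface=ether1 comment="BGAN side"
/ip route add dst-address=0.0.0.0/0 gateway=192.168.15.1 comment="via BGAN terminal"

# --- LAN address on the bridge (ether2 is a slave port), fixed lease for the lidar --
/ip address remove [find address="192.168.88.1/24"]
/ip address add address=192.168.88.1/24 interface=bridge network=192.168.88.0
/ip dhcp-server lease add server=defconf address=192.168.88.254 \
    mac-address=00:00:00:00:00:00 comment="lidar (MAC is a placeholder)"

# --- Allowlist: company egress ranges only, never the LAN or the terminal ---------
/ip firewall address-list remove [find list=Whitelist]
/ip firewall address-list add list=Whitelist address=X.X.X.X/24 comment="company egress"
# (one add per company range; the OP's export has five)

# --- Filter: the router only answers, the LAN only answers ------------------------
/ip firewall filter
remove [find dynamic=no]
# input: the router itself
add chain=input action=accept connection-state=established,related
add chain=input action=drop connection-state=invalid
add chain=input action=accept protocol=udp dst-port=67 in-interface-list=LAN \
    comment="DHCP renewals from the LAN, must precede the lidar drop"
add chain=input action=drop src-address=192.168.88.254 log=yes log-prefix=LIDAR-TO-ROUTER \
    comment="lidar may not talk to the router (closes the DNS relay path)"
add chain=input action=accept in-interface-list=LAN comment="management from the laptop"
add chain=input action=drop comment="everything else, WAN included"
# forward: only allowlisted inbound port forwards and their replies
add chain=forward action=accept connection-state=established,related
add chain=forward action=drop connection-state=invalid
add chain=forward action=accept connection-state=new connection-nat-state=dstnat \
    in-interface-list=WAN src-address-list=Whitelist comment="company -> lidar (8880/8822)"
add chain=forward action=drop log=yes log-prefix=FWD-DROP \
    comment="all other new connections: lidar, laptop, anything on the LAN"
# output: nothing the router originates may cross the satellite link
add chain=output action=accept connection-state=established,related
add chain=output action=drop out-interface-list=WAN log=yes log-prefix=ROUTER-TO-WAN \
    comment="no DNS, NTP or cloud traffic from the router over BGAN"

# --- and stop the router resolving names on behalf of LAN clients ------------------
/ip dns set allow-remote-requests=no
```

Laptop-to-lidar traffic on the same bridge never enters the IP firewall (Ca6ko's point), so local access works without any rule; the forward drop only sees what tries to leave the bridge. Restricting the dst-nat accept to src-address-list=Whitelist duplicates the provider's ground-station filter on purpose: if that filter is ever loosened, the router still refuses connections from anywhere else. The fasttrack rule is left out deliberately, as throughput is irrelevant at 5MB per month and fasttracked connections bypass the remaining filter rules. After applying, /ip firewall filter print stats shows which drop rules are catching traffic, and the three log prefixes tell you whether it was the lidar, the LAN, or the router itself that tried to reach the satellite.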
