I am completely new to Mikrotik but am really enjoying my RB5009. The look, the form factor, the performance....all great. I have previously worked with PfSense and Vyos and have worked to replicate the network functionality that I had with those platforms. HOWEVER, Mikrotik does things a little differently and (as I am learning) there is far less hand holding on many fronts. With that in mind, I was hoping a more seasoned and experienced user would be able to review my config and alert me if there are any blaring deficiencies with my firewall rules etc. I think I'm good but so does everyone else that gets hacked. I removed the DHCP server lease section as no one needs to have all my MAC addresses.
I'm happy to consider any other advise people have to make my config more efficient or fast. I'm sure there are inefficiencies in there. Thanks in advance!
Code: Select all
# oct/16/2021 20:12:07 by RouterOS 7.1rc4
# software id = 7ZLE-935S
#
# model = RB5009UG+S+
# serial number =
/interface wireguard
add listen-port=30752 mtu=1420 name=Mullvad
add listen-port=51820 mtu=1420 name="Remote Access Wireguard"
add listen-port=51822 mtu=1420 name=Utah
/interface list
add include=all name=LAN
add name=WAN
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip firewall layer7-protocol
add name=ZainKuwait regexp="^.+kw.zain.com.*\$"
/ip pool
add name=LAN-DHCP ranges=10.20.2.100-10.20.2.254
add name=kids-DHCP ranges=10.20.20.100-10.20.20.254
add name=cameras-DHCP ranges=10.20.40.2-10.20.40.254
add name=DMZ-DHCP ranges=10.20.80.2-10.20.80.254
/ip dhcp-server
add address-pool=LAN-DHCP interface=ether2 lease-time=5m name=LAN
add address-pool=kids-DHCP interface=ether3 lease-time=5m name=Kids
add address-pool=cameras-DHCP interface=ether4 lease-time=5m name=Cameras
add address-pool=DMZ-DHCP interface=ether5 lease-time=5m name=DMZ
/routing table
add disabled=no fib name=Utah
add disabled=no fib name=Mullvad
/interface detect-internet
set detect-interface-list=all lan-interface-list=LAN wan-interface-list=WAN
/interface list member
add interface=ether2 list=LAN
add interface=ether3 list=LAN
add interface=ether4 list=LAN
add interface=ether5 list=LAN
add interface=Utah list=WAN
add interface=ether1 list=WAN
add interface=Mullvad list=WAN
add interface="Remote Access Wireguard" list=LAN
/interface wireguard peers
add allowed-address=0.0.0.0/0 endpoint-address=utah.yawidy.com endpoint-port=\
51822 interface=Utah persistent-keepalive=30s public-key=\
"UOKuHFY1WhC6b2beXIQGmivsFuXtqY9g8KNd6eC5qTc="
add allowed-address=0.0.0.0/0 endpoint-address=89.45.224.210 endpoint-port=\
51820 interface=Mullvad persistent-keepalive=30s public-key=\
"J8QaV8tZyFBrb9atVg3mI2Vb3/DtWVJSHFYSrdy6w2w="
add allowed-address=10.103.103.2/32 interface="Remote Access Wireguard" \
public-key="S0v2v7bRuzOnzcuC35IOTqEoq7TFXZAeLuXMcqgneC0="
/ip address
add address=10.102.102.2 interface=Utah network=10.102.102.1
add address=10.64.172.48 interface=Mullvad network=10.64.172.48
add address=10.20.40.1/24 interface=ether4 network=10.20.40.0
add address=10.20.80.1/24 interface=ether5 network=10.20.80.0
add address=10.20.20.1/24 interface=ether3 network=10.20.20.0
add address=10.20.2.1/24 comment=LAN interface=ether2 network=10.20.2.0
add address=10.103.103.1/24 interface="Remote Access Wireguard" network=\
10.103.103.0
/ip cloud
set update-time=no
/ip dhcp-client
add interface=ether1 use-peer-dns=no use-peer-ntp=no
/ip dhcp-server network
add address=10.20.2.0/24 dns-server=10.20.2.6 domain=mikrotik.overseas \
gateway=10.20.2.1
add address=10.20.20.0/24 dns-server=10.20.2.6 domain=mikrotik.overseas \
gateway=10.20.20.1
add address=10.20.40.0/24 dns-server=10.20.40.1 domain=mikrotik.overseas \
gateway=10.20.40.1
add address=10.20.80.0/24 dns-server=10.20.80.1 domain=mikrotik.overseas \
gateway=10.20.80.1
/ip dns
set allow-remote-requests=yes servers=8.8.8.8,8.8.4.4
/ip firewall address-list
add address=10.20.2.0/24 comment="Local Subnets" list="Local Subnets"
add address=10.10.1.0/24 comment="Utah Subnets" list="Utah Subnets"
add address=10.10.10.0/24 list="Utah Subnets"
add address=10.10.30.0/24 list="Utah Subnets"
add address=10.10.50.0/24 list="Utah Subnets"
add address=10.20.20.0/24 list="Local Subnets"
add address=10.20.40.0/24 list="Local Subnets"
add address=10.20.80.0/24 list="Local Subnets"
add address=10.20.20.10 comment="Kids Devices" list=KidsDevices
add address=10.20.20.11 list=KidsDevices
add address=10.20.20.22 list=KidsDevices
add address=10.20.20.23 list=KidsDevices
add address=10.20.20.20 list=KidsDevices
add address=10.20.20.21 list=KidsDevices
add address=10.20.20.22 comment="Kids Laptops" list="Kids Laptops"
add address=10.20.20.23 list="Kids Laptops"
add address=10.20.20.10 comment="Kids Phones" list="Kids Phones"
add address=10.20.20.11 list="Kids Phones"
add address=10.20.2.50 comment=Sonos list=Sonos
add address=10.20.2.3 comment=Streaming list=Streaming
add address=192.168.88.0/24 list="Local Subnets"
add address=10.20.40.0/24 comment=Cameras list=Cameras
add address=10.20.80.0/24 comment=DMZ list=DMZ
add address=10.20.20.0/24 comment="Kids Network" list="Kids Network"
add address=10.20.2.0/24 comment="Local Trusted Subnet" list=\
"Local Trusted Network"
add address=10.20.2.4 list=Streaming
add address=10.20.2.8 list=Streaming
add address=10.20.2.9 list=Streaming
add address=10.20.2.51 list=Sonos
add address=10.20.2.52 list=Sonos
add address=10.20.2.53 list=Sonos
add address=10.20.2.54 list=Sonos
add address=10.20.2.55 list=Sonos
add address=10.20.2.56 list=Sonos
add address=10.20.2.57 list=Sonos
add address=10.20.2.58 list=Sonos
add address=10.20.2.59 list=Sonos
add address=10.102.102.0/24 comment="Utah Wireguard" list="Utah Wireguard"
add address=10.20.20.30 list=Streaming
add address=10.20.20.31 list=Streaming
add address=10.20.2.7 list=Streaming
add address=10.103.103.0/24 list="Local Subnets"
add address=10.20.2.70 comment="Management devices" list="Management Devices"
add address=10.20.2.71 list="Management Devices"
add address=10.20.2.72 list="Management Devices"
add address=10.20.2.73 list="Management Devices"
/ip firewall filter
add action=accept chain=input comment="accept established,related" \
connection-state=established,related
add action=drop chain=input connection-state=invalid
add action=accept chain=input comment="allow ICMP" in-interface=ether1 \
protocol=icmp
add action=accept chain=input comment="allow ICMP" in-interface=Utah \
protocol=icmp
add action=accept chain=input comment="allow SSH" connection-state=new \
dst-port=55512 in-interface=ether1 protocol=tcp
add action=accept chain=input comment="Remote Access Wireguard" \
connection-state=new dst-port=51820 in-interface=ether1 protocol=udp
add action=drop chain=input dst-port=53 in-interface=ether1 protocol=udp
add action=drop chain=input dst-port=53 in-interface=ether1 protocol=tcp
add action=drop chain=input comment="block everything else" \
in-interface-list=WAN log-prefix=INVALID_INPUT
add action=accept chain=forward comment="accept established,related" \
connection-state=established,related in-interface-list=LAN \
out-interface-list=WAN
add action=drop chain=forward connection-state=invalid log-prefix=\
INVALID_ESTABLISHED
add action=drop chain=forward comment=\
"drop access to clients behind NAT from WAN" connection-nat-state=!dstnat \
connection-state=new in-interface=ether1
add action=accept chain=forward comment="Remote Access Wireguard" \
dst-address-list="Local Subnets" log-prefix=remote_inbound src-address=\
10.103.103.0/24
add action=accept chain=forward dst-address=10.103.103.0/24 log-prefix=\
remote_inbound src-address-list="Local Subnets"
add action=accept chain=forward comment=Streaming connection-mark="" \
log-prefix=local out-interface=Utah src-address-list=Streaming
add action=accept chain=forward connection-mark="" dst-address-list=Streaming \
in-interface=Utah log-prefix=local
add action=add-dst-to-address-list address-list=Zain address-list-timeout=3d \
chain=forward comment="LAN firewall" in-interface=ether2 layer7-protocol=\
ZainKuwait
add action=accept chain=forward dst-address-list="Kids Network" in-interface=\
ether2 log-prefix=local src-address-list="Local Trusted Network"
add action=accept chain=forward dst-address-list=Cameras in-interface=ether2 \
log-prefix=local src-address-list="Local Trusted Network"
add action=accept chain=forward dst-address-list="Utah Subnets" in-interface=\
ether2 src-address-list="Local Trusted Network"
add action=reject chain=forward dst-address-list=DMZ in-interface=ether2 \
reject-with=icmp-network-unreachable src-address-list=\
"Local Trusted Network"
add action=accept chain=forward in-interface=ether2 src-address-list=\
"Local Trusted Network"
add action=accept chain=forward comment="Kids network firewall" dst-address=\
10.20.2.6 dst-port=53 in-interface=ether3 protocol=udp src-address-list=\
"Kids Network"
add action=accept chain=forward dst-address=10.20.2.6 dst-port=53 \
in-interface=ether3 protocol=tcp src-address-list="Kids Network"
add action=reject chain=forward dst-address-list="Local Trusted Network" \
in-interface=ether3 reject-with=icmp-admin-prohibited src-address-list=\
"Kids Network"
add action=reject chain=forward dst-address-list=Cameras in-interface=ether3 \
reject-with=icmp-admin-prohibited src-address-list="Kids Network"
add action=reject chain=forward dst-address-list=DMZ in-interface=ether3 \
reject-with=icmp-admin-prohibited src-address-list="Kids Network"
add action=reject chain=forward dst-address-list="Utah Subnets" in-interface=\
ether3 log-prefix=kids reject-with=icmp-admin-prohibited \
src-address-list="Kids Network"
add action=accept chain=forward in-interface=ether3 src-address-list=\
"Kids Network" time=5h-20h15m,sun,mon,tue,wed,thu,fri,sat
add action=reject chain=forward in-interface=ether3 log-prefix=kids_blocked \
reject-with=icmp-admin-prohibited src-address-list="Kids Network"
add action=accept chain=forward comment="Cameras firewall" dst-address=\
10.20.2.10 dst-port=7400-7600 in-interface=ether4 protocol=tcp \
src-address-list=Cameras
add action=accept chain=forward dst-address=10.20.2.10 dst-port=7400-7600 \
in-interface=ether4 protocol=udp src-address-list=Cameras
add action=reject chain=forward dst-address-list="Local Trusted Network" \
in-interface=ether4 reject-with=icmp-network-unreachable \
src-address-list=Cameras
add action=reject chain=forward dst-address-list="Kids Network" in-interface=\
ether4 reject-with=icmp-network-unreachable src-address-list=Cameras
add action=reject chain=forward dst-address-list=DMZ in-interface=ether4 \
reject-with=icmp-network-unreachable src-address-list=Cameras
add action=reject chain=forward dst-address-list="Utah Subnets" in-interface=\
ether4 reject-with=icmp-network-unreachable src-address-list=Cameras
add action=reject chain=forward in-interface=ether4 log=yes log-prefix=\
NoCameraOUT reject-with=icmp-admin-prohibited src-address-list=Cameras
add action=reject chain=forward comment="DMZ firewall" dst-address-list=\
"Local Trusted Network" in-interface=ether5 reject-with=\
icmp-admin-prohibited src-address-list=DMZ
add action=reject chain=forward dst-address-list=Cameras in-interface=ether5 \
reject-with=icmp-admin-prohibited src-address-list=DMZ
add action=reject chain=forward dst-address-list="Kids Network" in-interface=\
ether5 reject-with=icmp-admin-prohibited src-address-list=DMZ
add action=reject chain=forward dst-address-list="Utah Subnets" in-interface=\
ether5 reject-with=icmp-admin-prohibited src-address-list=DMZ
add action=accept chain=forward in-interface=ether5 src-address-list=DMZ
/ip firewall mangle
add action=mark-routing chain=prerouting comment="Kuwait Zain main routing" \
dst-address-list=Zain new-routing-mark=main passthrough=no
add action=mark-routing chain=prerouting comment="local to local routing" \
dst-address-list="Local Subnets" new-routing-mark=main passthrough=no \
src-address-list="Local Subnets"
add action=mark-routing chain=prerouting comment=PiHole new-routing-mark=main \
passthrough=no src-address=10.20.2.6
add action=mark-routing chain=prerouting comment="Sonos Mangle PBR" \
new-routing-mark=main passthrough=no src-address-list=Sonos
add action=mark-routing chain=prerouting comment="Utah subnets" \
dst-address-list="Utah Subnets" new-routing-mark=Utah passthrough=no \
src-address-list="Local Trusted Network"
add action=mark-routing chain=prerouting comment="Streaming via Utah PBR" \
new-routing-mark=Utah passthrough=no src-address-list=Streaming
add action=mark-routing chain=prerouting comment="MullvadMangle PBR" \
new-routing-mark=Mullvad passthrough=no src-address-list=\
"Local Trusted Network"
/ip firewall nat
add action=masquerade chain=srcnat comment="WAN NAT" out-interface=ether1 \
src-address-list="Local Subnets"
add action=masquerade chain=srcnat comment="Mullvad NAT" out-interface=\
Mullvad src-address-list="Local Subnets"
/ip route
add disabled=no distance=1 dst-address=0.0.0.0/0 gateway=Mullvad pref-src="" \
routing-table=Mullvad scope=30 suppress-hw-offload=no target-scope=10
add disabled=no distance=1 dst-address=0.0.0.0/0 gateway=Utah pref-src="" \
routing-table=Utah scope=30 suppress-hw-offload=no target-scope=10
add disabled=no distance=1 dst-address=10.10.1.0/24 gateway=Utah@main \
pref-src="" routing-table=main scope=30 suppress-hw-offload=no \
target-scope=10
add disabled=no dst-address=10.10.10.0/24 gateway=Utah routing-table=main \
suppress-hw-offload=no
add disabled=no dst-address=10.10.30.0/24 gateway=Utah routing-table=main \
suppress-hw-offload=no
add disabled=no dst-address=10.10.50.0/24 gateway=Utah routing-table=main \
suppress-hw-offload=no
/ip service
set telnet disabled=yes
set ftp disabled=yes
set www address=10.20.2.0/24
set ssh port=55512
set api disabled=yes
set winbox address=10.20.0.0/16,10.103.103.0/24
set api-ssl disabled=yes
/ip ssh
set strong-crypto=yes
/system clock
set time-zone-name=Asia/Kuwait
/system identity
set name=RB5009overseas
/system ntp client
set enabled=yes
/system ntp client servers
add address=time.nist.gov
/system package update
set channel=development
/system routerboard settings
set silent-boot=yes
/tool bandwidth-server
set enabled=no
/tool romon
set enabled=yes