meazz1
Frequent Visitor
Topic Author
Posts: 67
Joined: Tue Nov 28, 2017 9:44 pm
Location: Auburn, GA

Making sure I did not mess up my firewall protection

Mon Nov 01, 2021 9:35 pm

I basically used the out-of-the-box config, except for changing the network IP and DNS. When everything looked all right, I added a VLAN and a firewall rule to prevent the VLAN from accessing LAN resources.
I just want to make sure that while adding the VLAN rule I did not screw up my firewall protection.
Here is the config:
# nov/01/2021 15:22:39 by RouterOS 6.49
# software id = 5MZ7-RL5B
#
# model = RB760iGS
# serial number = XXXXXXXXXB
/interface bridge
add admin-mac=XX:XX:XX:XX:XX auto-mac=no comment=defconf name=bridge
/interface vlan
add comment="Untrusted IoT" interface=ether4 name=VLAN20 vlan-id=20
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/ip pool
add name=dhcp ranges=192.168.4.10-192.168.4.200
add comment="DhcpPool for IoT" name=DhcpPool_20 ranges=\
    192.168.20.10-192.168.20.100
/ip dhcp-server
add address-pool=dhcp disabled=no interface=bridge name=defconf
add address-pool=DhcpPool_20 disabled=no interface=VLAN20 name=DHCP-20
/tool user-manager customer
set admin access=\
    own-routers,own-users,own-profiles,own-limits,config-payment-gw
/interface bridge port
add bridge=bridge comment=defconf interface=ether2
add bridge=bridge comment=defconf interface=ether3
add bridge=bridge comment=defconf interface=ether4
add bridge=bridge comment=defconf interface=ether5
add bridge=bridge comment=defconf interface=sfp1
/ip neighbor discovery-settings
set discover-interface-list=LAN
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=ether1 list=WAN
/ip address
add address=192.168.4.1/24 comment=defconf interface=bridge network=\
    192.168.4.0
add address=192.168.20.1/24 interface=VLAN20 network=192.168.20.0
/ip cloud
set update-time=no
/ip dhcp-client
add comment=defconf disabled=no interface=ether1 use-peer-dns=no \
    use-peer-ntp=no
/ip dhcp-server network
add address=192.168.4.0/24 comment=defconf dns-server=\
    192.168.4.209,192.168.4.208 domain=clubamgg.com gateway=192.168.4.1 \
    netmask=24
add address=192.168.20.0/24 comment="VLAN20 - IoT" dns-server=1.1.1.1,8.8.8.8 \
    gateway=192.168.20.1
/ip dns
set servers=1.1.1.1,9.9.9.9
/ip dns static
add address=192.168.4.1 comment=defconf name=router.lan
/ip firewall address-list
add address=192.168.20.0/24 comment="Addresses for untrusted vlan 20" list=\
    VLAN20
add address=192.168.4.0/24 list=LAN
/ip firewall filter
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment=\
    "defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
    in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
    ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
    ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
    connection-state=established,related
add action=accept chain=forward comment=\
    "defconf: accept established,related, untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
add action=drop chain=forward comment=\
    "defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
    connection-state=new in-interface-list=WAN
add action=drop chain=forward dst-address-list=LAN src-address-list=VLAN20
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" \
    ipsec-policy=out,none out-interface-list=WAN
add action=dst-nat chain=dstnat dst-port=51820 in-interface=ether1 protocol=\
    udp to-addresses=192.168.4.8 to-ports=51820
/ip service
set telnet disabled=yes
set ftp disabled=yes
set www disabled=yes
set ssh port=2200
set api disabled=yes
set winbox address=192.168.4.0/24
set api-ssl disabled=yes
/system clock
set time-zone-name=America/New_York
/system identity
set name=Router
/system note
set note="mehdi, clubamgg.com - Authorized administrators only. Access to this\
    \_device is monitored."
/system ntp client
set enabled=yes primary-ntp=38.229.71.1 secondary-ntp=199.180.133.100
/system package update
set channel=development
/tool bandwidth-server
set enabled=no
/tool mac-server
set allowed-interface-list=none
/tool mac-server mac-winbox
set allowed-interface-list=LAN
/tool mac-server ping
set enabled=no
/tool user-manager database
set db-path=flash/user-manager
 
anav
Forum Guru
Posts: 19318
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Making sure I did not mess up my firewall protection

Mon Nov 01, 2021 10:40 pm

Well, your config is a bit confused.

What is connected on ether4: a smart device that can read VLAN tags, or a dumb device that cannot?
What are your expectations for the subnets travelling over ether4?


Also, although it is possible to use a firewall address list for a subnet, you can always use interface list names and list members to do this.
Furthermore, one can usually name the interface itself, or even, for a subnet, use src-address=192.168.2.0/24 for example.

My rule of thumb is if you have a "GROUPING" consisting of
a. more than one IP address from a subnet,
b. more than one IP address and IPs from different subnets
c. any mix of subnets plus individual IPs from other subnets.

USE FIREWALL ADDRESS LISTS.

If you have a GROUPING OF ONE OR MORE SUBNETS
USE INTERFACE LISTS.

Since the Default INTERFACE LIST GROUPING already is made for LAN and WAN and since the LAN ones also affect firewall rules,
it is usually best to keep the LAN ones to DESCRIBE ALL LAN members.

If you have a control or management LAN one could create a LAN interface called CONTROL
If you have a subset of interfaces that need internet (but not all the subnets) you could create one called INTERNET.

I prefer a drop-all-else rule at the end of both the input chain and the forward chain.
The input chain modification is a bit more complex; for now, you should at least move to a drop-all-else rule at the end of the forward chain.

Default 3 Rules
1 fasttrack......
2 accept established ....
3 drop invalid ......
ADD YOUR RULES ******
add chain=forward action=drop

****
Here is where you put allowed traffic.
For example
allow subnets to internet
allow admin to all subnets
allow all subnets to a shared printer...

in your case for example
add chain=forward action=accept in-interface-list=INTERNET out-interface-list=WAN

and
add chain=forward action=accept in-interface=bridge out-interface=VLAN20
{This would allow you, on the bridge LAN, to access the IoT devices. It would be better if you limited it to only the admin IP addresses via a firewall address list (src-address-list=<list of admin IPs>, etc.)}

Where
/interface list
add name=WAN
add name=LAN
add name=INTERNET

/interface list member
add interface=ether1 list=WAN
add interface=bridge list=LAN
add interface=VLAN20 list=LAN
add interface=bridge list=INTERNET


Of course, the above assumes your bridge port inclusion of ether2 is removed.

Oh just noticed since you do use port forwarding, you will need one additional allow rule in your ADMIN rules for the forward chain and it looks like this...
add action=accept chain=forward comment="allow port forwarding" connection-nat-state=dstnat \
connection-state=new in-interface-list=WAN
Last edited by anav on Tue Nov 02, 2021 1:14 pm, edited 1 time in total.
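To see how the ordering above actually decides traffic, here is a small Python model of the forward chain anav describes: the three default rules, the admin allow rules, then a final drop-all. It is an added example, not RouterOS code and not part of the post. The ADMIN address list, the admin host 192.168.4.50, the WAN-side host 203.0.113.9 and VLAN20 being a member of INTERNET are assumptions made for the example. It also models the original poster's chain, which has no drop-all, so the two can be compared on the same packets.

```python
"""Model of a RouterOS forward chain: first matching terminating rule wins.
Added example; interface and list names follow the thread, hosts are constructed."""
from dataclasses import dataclass
from typing import List, Optional

# Interface lists as laid out in the post. VLAN20 in INTERNET is an assumption
# so the IoT segment can still reach the internet.
INTERFACE_LISTS = {
    "WAN": {"ether1"},
    "LAN": {"bridge", "VLAN20"},
    "INTERNET": {"bridge", "VLAN20"},
}
# Constructed admin workstation on the trusted 192.168.4.0/24 bridge.
ADDRESS_LISTS = {"ADMIN": {"192.168.4.50"}}


@dataclass
class Packet:
    in_iface: str
    out_iface: str
    src: str
    dst: str
    conn_state: str = "new"          # new | established | related | invalid
    nat_state: Optional[str] = None  # "dstnat" when a dst-nat rule rewrote dst


@dataclass
class Rule:
    action: str                      # accept | drop | fasttrack-connection
    comment: str = ""
    in_list: Optional[str] = None
    out_list: Optional[str] = None
    in_iface: Optional[str] = None
    out_iface: Optional[str] = None
    src_list: Optional[str] = None
    conn_states: Optional[frozenset] = None
    nat_state: Optional[str] = None  # "dstnat" or "!dstnat"

    def matches(self, p: Packet) -> bool:
        if self.in_list and p.in_iface not in INTERFACE_LISTS[self.in_list]:
            return False
        if self.out_list and p.out_iface not in INTERFACE_LISTS[self.out_list]:
            return False
        if self.in_iface and p.in_iface != self.in_iface:
            return False
        if self.out_iface and p.out_iface != self.out_iface:
            return False
        if self.src_list and p.src not in ADDRESS_LISTS[self.src_list]:
            return False
        if self.conn_states and p.conn_state not in self.conn_states:
            return False
        if self.nat_state == "dstnat" and p.nat_state != "dstnat":
            return False
        if self.nat_state == "!dstnat" and p.nat_state == "dstnat":
            return False
        return True


EST = frozenset({"established", "related"})
DEFCONF = [
    Rule("fasttrack-connection", "defconf: fasttrack", conn_states=EST),
    Rule("accept", "defconf: accept established,related", conn_states=EST),
    Rule("drop", "defconf: drop invalid", conn_states=frozenset({"invalid"})),
]


def recommended_chain() -> List[Rule]:
    """anav's layout: defconf rules, explicit allows, then drop everything else."""
    return DEFCONF + [
        Rule("accept", "allow port forwarding", in_list="WAN",
             conn_states=frozenset({"new"}), nat_state="dstnat"),
        Rule("accept", "subnets to internet", in_list="INTERNET", out_list="WAN"),
        Rule("accept", "admin to IoT", in_iface="bridge", out_iface="VLAN20",
             src_list="ADMIN"),
        Rule("drop", "drop all else"),
    ]


def original_chain() -> List[Rule]:
    """The original poster's layout: defconf rules plus two drops, no drop-all.
    VLAN20->LAN is modelled by interfaces rather than the address lists he used."""
    return DEFCONF + [
        Rule("drop", "defconf: drop all from WAN not DSTNATed", in_list="WAN",
             conn_states=frozenset({"new"}), nat_state="!dstnat"),
        Rule("drop", "VLAN20 to LAN", in_iface="VLAN20", out_iface="bridge"),
    ]


def evaluate(p: Packet, rules: Optional[List[Rule]] = None) -> str:
    """Walk the chain top to bottom and return the first terminating action.
    fasttrack-connection only marks the flow and processing continues, which is
    why RouterOS needs the accept rule right after it. A chain that falls
    through ends in the implicit default policy, which is accept."""
    for r in recommended_chain() if rules is None else rules:
        if r.matches(p) and r.action != "fasttrack-connection":
            return r.action
    return "accept"
```

The instructive pair is a non-admin LAN host opening a connection into VLAN20: the recommended chain drops it at the final rule, while the original chain lets it through on the implicit accept, which is exactly the "allow only what you list" difference anav is describing.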
 
karlisi
Member
Posts: 438
Joined: Mon May 31, 2004 8:09 am
Location: Latvia

Re: Making sure I did not mess up my firewall protection

Tue Nov 02, 2021 8:38 am

I believe it's typo, there should be 'add action=allow'
Oh just noticed since you do use port forwarding, you will need one additional allow rule in your ADMIN rules for the forward chain and it looks like this...
add action=drop chain=forward comment="allow port forwarding" connection-nat-state=dstnat \
connection-state=new in-interface-list=WAN
 
anav
Forum Guru
Posts: 19318
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Making sure I did not mess up my firewall protection

Tue Nov 02, 2021 1:14 pm

Quite right, changed! Thanks :-)
 
meazz1
Frequent Visitor
Topic Author
Posts: 67
Joined: Tue Nov 28, 2017 9:44 pm
Location: Auburn, GA

Re: Making sure I did not mess up my firewall protection

Fri Nov 05, 2021 7:03 pm

I am a complete novice when it comes to firewalls, so I won't be able to enter all the suggested rules, knowing I will mess up and bring down my home network.

Port 4 is for a smart switch, where I am connecting a UniFi switch and UniFi access points. That part is working. On the hEX router, I am not using any other ports besides WAN and port 4.

If I get the rules I need to straighten out the firewall in a format I could just run in a console or over SSH, I could do that, but beyond that I don't yet understand what goes after what in the rules.
Also, I don't see in-interface-list=INTERNET in my drop-down. Is this only a command line option?
 
meazz1
Frequent Visitor
Topic Author
Posts: 67
Joined: Tue Nov 28, 2017 9:44 pm
Location: Auburn, GA

Re: Making sure I did not mess up my firewall protection

Sat Nov 06, 2021 3:15 pm

At this point I am ready to put up a bounty of US $10.00 to fix my firewall and configuration.
 
anav
Forum Guru
Posts: 19318
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Making sure I did not mess up my firewall protection

Sat Nov 06, 2021 7:47 pm

Post your latest config.
 
meazz1
Frequent Visitor
Topic Author
Posts: 67
Joined: Tue Nov 28, 2017 9:44 pm
Location: Auburn, GA

Re: Making sure I did not mess up my firewall protection

Sat Nov 06, 2021 11:35 pm

My goal is: LAN can access VLAN20 resources.
Port forwarding is secured.
# nov/06/2021 17:24:50 by RouterOS 6.49
# software id = 5MZ7-RL5B
#
# model = RB760iGS
# serial number = XXXXXXXXXX
/interface bridge
add admin-mac=XXXXXXXXXXXX auto-mac=no comment=defconf name=bridge
/interface vlan
add comment="Untrusted IoT" interface=ether4 name=VLAN20 vlan-id=20
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/ip pool
add name=dhcp ranges=192.168.4.10-192.168.4.200
add comment="DhcpPool for IoT" name=DhcpPool_20 ranges=\
    192.168.20.10-192.168.20.100
/ip dhcp-server
add address-pool=dhcp disabled=no interface=bridge name=defconf
add address-pool=DhcpPool_20 disabled=no interface=VLAN20 name=DHCP-20
/tool user-manager customer
set admin access=\
    own-routers,own-users,own-profiles,own-limits,config-payment-gw
/interface bridge port
add bridge=bridge comment=defconf interface=ether2
add bridge=bridge comment=defconf interface=ether3
add bridge=bridge comment=defconf interface=ether4
add bridge=bridge comment=defconf interface=ether5
add bridge=bridge comment=defconf interface=sfp1
/ip neighbor discovery-settings
set discover-interface-list=LAN
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=ether1 list=WAN
/ip address
add address=192.168.4.1/24 comment=defconf interface=bridge network=\
    192.168.4.0
add address=192.168.20.1/24 interface=VLAN20 network=192.168.20.0
/ip cloud
set update-time=no
/ip dhcp-client
add comment=defconf disabled=no interface=ether1 use-peer-dns=no \
    use-peer-ntp=no
/ip dhcp-server network
add address=192.168.4.0/24 comment=defconf dns-server=\
    192.168.4.209,192.168.4.208 domain=clubamgg.com gateway=192.168.4.1 \
    netmask=24
add address=192.168.20.0/24 comment="VLAN20 - IoT" dns-server=1.1.1.1,8.8.8.8 \
    gateway=192.168.20.1
/ip dns
set servers=1.1.1.1,9.9.9.9
/ip dns static
add address=192.168.4.1 comment=defconf name=router.lan
/ip firewall address-list
add address=192.168.20.0/24 comment="Addresses for untrusted vlan 20" list=\
    VLAN20
add address=192.168.4.0/24 list=LAN
/ip firewall filter
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment=\
    "defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
    in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
    ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
    ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
    connection-state=established,related
add action=accept chain=forward comment=\
    "defconf: accept established,related, untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
add action=drop chain=forward comment=\
    "defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
    connection-state=new in-interface-list=WAN
add action=drop chain=forward dst-address-list=LAN src-address-list=VLAN20
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" \
    ipsec-policy=out,none out-interface-list=WAN
add action=dst-nat chain=dstnat dst-port=51820 in-interface=ether1 protocol=\
    udp to-addresses=192.168.4.8 to-ports=51820
/ip service
set telnet disabled=yes
set ftp disabled=yes
set www disabled=yes
set ssh port=2200
set api disabled=yes
set winbox address=192.168.4.0/24
set api-ssl disabled=yes
/system clock
set time-zone-name=America/New_York
/system identity
set name=Router
/system note
set note="mehdi, clubamgg.com - Authorized administrators only. Access to this\
    \_device is monitored."
/system ntp client
set enabled=yes primary-ntp=38.229.71.1 secondary-ntp=199.180.133.100
/system package update
set channel=development
/tool bandwidth-server
set enabled=no
/tool mac-server
set allowed-interface-list=none
/tool mac-server mac-winbox
set allowed-interface-list=LAN
/tool mac-server ping
set enabled=no
/tool user-manager database
set db-path=flash/user-manager
 
anav
Forum Guru
Posts: 19318
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Making sure I did not mess up my firewall protection

Sun Nov 07, 2021 4:24 am

If you have vlan20 as a VLAN, and it's attached to ether2, why is ether2 still part of the bridge?
I'd suggest it should be removed, but not until we know its purpose. What device is being connected to it?

(1) Ensure you add the vlan to the LAN list
/interface list member
add comment=defconf interface=bridge list=LAN
add interface=VLAN20 list=LAN
add comment=defconf interface=ether1 list=WAN

(2) Where you did attempt the above remove!!
/ip firewall address-list
add address=192.168.20.0/24 comment="Addresses for untrusted vlan 20" list=\
VLAN20
add address=192.168.4.0/24 list=LAN

(3) IF you want to ensure vlan20 cannot reach the Other subnet......
From
add action=drop chain=forward dst-address-list=LAN src-address-list=VLAN20
TO
add action=drop chain=forward in-interface=VLAN20 dst-address=192.168.4.0/24

(4) Due to above changes modify this TO

/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
add name=control

/interface list member
add interface=VLAN20 list=LAN
add comment=defconf interface=bridge list=LAN
add interface=bridge list=control
add comment=defconf interface=ether1 list=WAN

/tool mac-server mac-winbox
set allowed-interface-list=control
 
meazz1
Frequent Visitor
Topic Author
Posts: 67
Joined: Tue Nov 28, 2017 9:44 pm
Location: Auburn, GA

Re: Making sure I did not mess up my firewall protection

Sun Nov 07, 2021 6:02 pm

My VLAN 20 is attached to ether4; ports 2, 3 and 5 are LAN only.
My smart switch is connected to port 4 on the hEX router; nothing else is connected to the LAN ports on the router.

I followed your suggestions above and made the necessary changes.
Here is the newest config waiting for your approval.
# nov/07/2021 03:50:09 by RouterOS 6.49
# software id = 5MZ7-RL5B
#
# model = RB760iGS
# serial number = E1F30D1CB7FB
/interface bridge
add admin-mac=08:55:31:CD:0D:6A auto-mac=no comment=defconf name=bridge
/interface vlan
add comment="Untrusted IoT" interface=ether4 name=VLAN20 vlan-id=20
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
add name=control
/ip pool
add name=dhcp ranges=192.168.4.10-192.168.4.200
add comment="DhcpPool for IoT" name=DhcpPool_20 ranges=\
    192.168.20.10-192.168.20.100
/ip dhcp-server
add address-pool=dhcp disabled=no interface=bridge name=defconf
add address-pool=DhcpPool_20 disabled=no interface=VLAN20 name=DHCP-20
/tool user-manager customer
set admin access=\
    own-routers,own-users,own-profiles,own-limits,config-payment-gw
/interface bridge port
add bridge=bridge comment=defconf interface=ether2
add bridge=bridge comment=defconf interface=ether3
add bridge=bridge comment=defconf interface=ether4
add bridge=bridge comment=defconf interface=ether5
add bridge=bridge comment=defconf interface=sfp1
/ip neighbor discovery-settings
set discover-interface-list=LAN
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=ether1 list=WAN
add interface=VLAN20 list=LAN
add interface=bridge list=control
/ip address
add address=192.168.4.1/24 comment=defconf interface=bridge network=\
    192.168.4.0
add address=192.168.20.1/24 interface=VLAN20 network=192.168.20.0
/ip cloud
set update-time=no
/ip dhcp-client
add comment=defconf disabled=no interface=ether1 use-peer-dns=no \
    use-peer-ntp=no
/ip dhcp-server network
add address=192.168.4.0/24 comment=defconf dns-server=\
    192.168.4.209,192.168.4.208 domain=clubamgg.com gateway=192.168.4.1 \
    netmask=24
add address=192.168.20.0/24 comment="VLAN20 - IoT" dns-server=1.1.1.1,8.8.8.8 \
    gateway=192.168.20.1
/ip dns
set servers=1.1.1.1,9.9.9.9
/ip dns static
add address=192.168.4.1 comment=defconf name=router.lan
/ip firewall address-list
add address=192.168.20.0/24 comment="Addresses for untrusted vlan 20" list=\
    VLAN20
add address=192.168.4.0/24 list=LAN
/ip firewall filter
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment=\
    "defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
    in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
    ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
    ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
    connection-state=established,related
add action=accept chain=forward comment=\
    "defconf: accept established,related, untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
add action=drop chain=forward comment=\
    "defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
    connection-state=new in-interface-list=WAN
add action=drop chain=forward dst-address=192.168.4.0/24 in-interface=VLAN20
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" \
    ipsec-policy=out,none out-interface-list=WAN
add action=dst-nat chain=dstnat dst-port=51820 in-interface=ether1 protocol=\
    udp to-addresses=192.168.4.8 to-ports=51820
/ip service
set telnet disabled=yes
set ftp disabled=yes
set www disabled=yes
set ssh port=2200
set api disabled=yes
set winbox address=192.168.4.0/24
set api-ssl disabled=yes
/system clock
set time-zone-name=America/New_York
/system identity
set name=Router
/system note
set note="mehdi, clubamgg.com - Authorized administrators only. Access to this\
    \_device is monitored."
/system ntp client
set enabled=yes primary-ntp=38.229.71.1 secondary-ntp=199.180.133.100
/system package update
set channel=development
/tool bandwidth-server
set enabled=no
/tool mac-server
set allowed-interface-list=none
/tool mac-server mac-winbox
set allowed-interface-list=control
/tool mac-server ping
set enabled=no
/tool user-manager database
set db-path=flash/user-manager
 
anav
Forum Guru
Posts: 19318
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Making sure I did not mess up my firewall protection

Sun Nov 07, 2021 6:37 pm

My VLAN 20 is attached to ether4; ports 2, 3 and 5 are LAN only.
My smart switch is connected to port 4 on the hEX; nothing else is connected to the LAN ports on the router.
Kewl,
So set VLAN 20 on the bridge interface and not on ether4.
Create VLAN 11 with the same IP subnet structure as your bridge, and set the bridge as its interface.
The bridge will only do bridging, nothing else.
So each VLAN has its own IP pool, IP address, DHCP server and DHCP server network.

Bridge ports
2, 3 and 5 are access ports: pvid=11, ingress-filtering=yes, frame-types=admit-only-untagged-and-priority-tagged
4 is a trunk port: ingress-filtering=yes, frame-types=admit-only-vlan-tagged

Bridge VLAN
add bridge=bridge tagged=bridge,ether4 vlan-ids=20
add bridge=bridge tagged=bridge,ether4 untagged=ether2,ether3,ether5 vlan-ids=11

The reason to carry vlan11 to the smart switch is because the smart switch will get an IP on the trusted vlan 11. Easy for you to access from your PC/laptop.

Smart switch settings: let's say ether1 is the trunk port from the router, ether2 is vlan20 to a PC, ether3 is vlan20 to a printer, ether4 is vlan20 to a dumb access point, ether5 is vlan20 to a dumb switch, ether6 is a vlan11 spare that you sometimes hook your laptop up to, and ether7 is to another smart switch.

PVID default of 1 remains for all trunk ports, in this case ether 1, and ether7 and should be left alone.
PVIDs of all other ports will be changed by you to reflect the untagging and tagging of traffic going through that port
so, etherports 2-5 have PVID of 20, etherport 6 has a pvid of 11

Ether1 is tagged for vlan20 and vlan11
Ether7 is tagged for vlan20 and vlan11
Ether 2-5 is untagged for vlan20
Ether 6 is untagged for vlan11

ENSURE ports 2-6 are also NOT i repeat NOT untagged for ether1
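The port roles above can be checked in a small Python model of 802.1Q bridge VLAN filtering, built to anav's table: ether2, ether3, ether5 and sfp1 as VLAN 11 access ports, ether4 as a tagged-only trunk, and the VLAN membership entries for 11 and 20. It is an added example, not RouterOS code and not part of the post. It assumes the bridge port named "bridge" stands for the router's own CPU port (where the VLAN11 and VLAN20 interfaces sit), that VLAN 1 is never configured, and all frames are constructed.

```python
"""Model of bridge VLAN filtering: ingress classification by frame-types/PVID,
ingress filtering against the VLAN table, and tagged/untagged egress.
Added example; port names and VLAN IDs follow the thread."""
from dataclasses import dataclass, field
from typing import Dict, Optional, Set

ADMIT_ALL = "admit-all"
ADMIT_TAGGED = "admit-only-vlan-tagged"
ADMIT_UNTAGGED = "admit-only-untagged-and-priority-tagged"


@dataclass
class Port:
    name: str
    pvid: int = 1                    # RouterOS default, left alone on trunks
    frame_types: str = ADMIT_ALL
    ingress_filtering: bool = True


@dataclass
class VlanEntry:
    tagged: Set[str] = field(default_factory=set)
    untagged: Set[str] = field(default_factory=set)

    def members(self) -> Set[str]:
        return self.tagged | self.untagged


@dataclass
class Bridge:
    ports: Dict[str, Port]
    vlans: Dict[int, VlanEntry]

    def ingress(self, port_name: str, tag: Optional[int]) -> Optional[int]:
        """Classify an incoming frame. tag=None is untagged, tag=0 is
        priority-tagged (802.1Q header with VID 0). Returns the VLAN the frame
        is placed in, or None when the bridge drops it."""
        port = self.ports[port_name]
        if tag is None or tag == 0:
            if port.frame_types == ADMIT_TAGGED:
                return None              # trunk refuses untagged frames
            vid = port.pvid              # access port: classify by PVID
        else:
            if port.frame_types == ADMIT_UNTAGGED:
                return None              # access port refuses a forged tag
            vid = tag
        if port.ingress_filtering:
            entry = self.vlans.get(vid)
            if entry is None or port_name not in entry.members():
                return None              # port is not a member of that VLAN
        return vid

    def egress(self, vid: int, port_name: str) -> Optional[str]:
        """How the frame leaves a port: 'tagged <vid>', 'untagged', or None
        when the port is not a member and the frame is not flooded there."""
        entry = self.vlans.get(vid)
        if entry is None or port_name not in entry.members():
            return None
        return f"tagged {vid}" if port_name in entry.tagged else "untagged"

    def forward(self, in_port: str, tag: Optional[int], out_port: str) -> Optional[str]:
        vid = self.ingress(in_port, tag)
        if vid is None or in_port == out_port:
            return None
        return self.egress(vid, out_port)


def router_bridge() -> Bridge:
    """anav's bridge: 2, 3, 5 and sfp1 are VLAN 11 access ports, ether4 is the
    trunk, and 'bridge' is the CPU port feeding the router's VLAN interfaces
    (assumption: modelled as an ordinary tagged member)."""
    access = {n: Port(n, pvid=11, frame_types=ADMIT_UNTAGGED)
              for n in ("ether2", "ether3", "ether5", "sfp1")}
    trunk = {"ether4": Port("ether4", frame_types=ADMIT_TAGGED)}
    cpu = {"bridge": Port("bridge")}
    vlans = {
        20: VlanEntry(tagged={"bridge", "ether4"}),
        11: VlanEntry(tagged={"bridge", "ether4"},
                      untagged={"ether2", "ether3", "ether5", "sfp1"}),
    }
    return Bridge({**access, **trunk, **cpu}, vlans)
```

The two cases worth watching are a frame arriving on an access port already carrying a VLAN 20 tag (dropped by frame-types, so a host on the trusted side cannot tag itself into the IoT VLAN) and a VLAN 20 frame from the trunk headed to an access port (dropped at egress because those ports are not members), which is the isolation the thread is after before any firewall rule is consulted.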
 
meazz1
Frequent Visitor
Topic Author
Posts: 67
Joined: Tue Nov 28, 2017 9:44 pm
Location: Auburn, GA

Re: Making sure I did not mess up my firewall protection

Sun Nov 07, 2021 6:42 pm

My VLAN 20 is attached to ether4; ports 2, 3 and 5 are LAN only.
My smart switch is connected to port 4 on the hEX; nothing else is connected to the LAN ports on the router.
Kewl,
So set VLAN 20 on the bridge interface and not on ether4.
Create VLAN 11 with the same IP subnet structure as your bridge, and set the bridge as its interface.
The bridge will only do bridging, nothing else.
So each VLAN has its own IP pool, IP address, DHCP server and DHCP server network.

Bridge ports
2, 3 and 5 are access ports: pvid=11, ingress-filtering=yes, frame-types=admit-only-untagged-and-priority-tagged
4 is a trunk port: ingress-filtering=yes, frame-types=admit-only-vlan-tagged

Bridge VLAN
add bridge=bridge tagged=bridge,ether4 vlan-ids=20
add bridge=bridge tagged=bridge,ether4 untagged=ether2,ether3,ether5 vlan-ids=11

The reason to carry vlan11 to the smart switch is because the smart switch will get an IP on the trusted vlan 11. Easy for you to access from your PC/laptop.

Smart switch settings: let's say ether1 is the trunk port from the router, ether2 is vlan20 to a PC, ether3 is vlan20 to a printer, ether4 is vlan20 to a dumb access point, ether5 is vlan20 to a dumb switch, ether6 is a vlan11 spare that you sometimes hook your laptop up to, and ether7 is to another smart switch.

PVID default of 1 remains for all trunk ports, in this case ether 1, and ether7 and should be left alone.
PVIDs of all other ports will be changed by you to reflect the untagging and tagging of traffic going through that port
so, etherports 2-5 have PVID of 20, etherport 6 has a pvid of 11

Ether1 is tagged for vlan20 and vlan11
Ether7 is tagged for vlan20 and vlan11
Ether 2-5 is untagged for vlan20
Ether 6 is untagged for vlan11

ENSURE ports 2-6 are also NOT i repeat NOT untagged for ether1
Thanks, I will read this a few times to digest and understand it.
I am kind of getting "not sure what to do" here.
 
anav
Forum Guru
Posts: 19318
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Making sure I did not mess up my firewall protection

Sun Nov 07, 2021 6:50 pm

Something like this.
/interface bridge
add admin-mac=08:55:31:CD:0D:6A auto-mac=no comment=defconf name=bridge
/interface vlan
add comment="Untrusted IoT" interface=bridge name=VLAN20 vlan-id=20
add comment="Trusted" interface=bridge name=VLAN11 vlan-id=11
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
add name=control
/ip pool
add name=dhcp ranges=192.168.4.10-192.168.4.200
add comment="DhcpPool for IoT" name=DhcpPool_20 ranges=\
    192.168.20.10-192.168.20.100
/ip dhcp-server
add address-pool=dhcp disabled=no interface=VLAN11 name=DHCP-11
add address-pool=DhcpPool_20 disabled=no interface=VLAN20 name=DHCP-20
/tool user-manager customer
set admin access=\
    own-routers,own-users,own-profiles,own-limits,config-payment-gw
/interface bridge port
add bridge=bridge comment=defconf interface=ether2 pvid=11 frame-types=admit-only-untagged-and-priority-tagged ingress-filtering=yes
add bridge=bridge comment=defconf interface=ether3 pvid=11 frame-types=admit-only-untagged-and-priority-tagged ingress-filtering=yes
add bridge=bridge comment=defconf interface=ether4 frame-types=admit-only-vlan-tagged ingress-filtering=yes
add bridge=bridge comment=defconf interface=ether5 pvid=11 frame-types=admit-only-untagged-and-priority-tagged ingress-filtering=yes
add bridge=bridge comment=defconf interface=sfp1 pvid=11 frame-types=admit-only-untagged-and-priority-tagged ingress-filtering=yes
/interface bridge vlan
add bridge=bridge tagged=bridge,ether4 vlan-ids=20
add bridge=bridge tagged=bridge,ether4 untagged=ether2,ether3,ether5,sfp1 vlan-ids=11
/ip neighbor discovery-settings
set discover-interface-list=LAN
/interface list member
add comment=defconf interface=VLAN20 list=LAN
add comment=defconf interface=VLAN11 list=LAN
add comment=defconf interface=VLAN11 list=control
add comment=defconf interface=ether1 list=WAN
/ip address
add address=192.168.4.1/24 comment=defconf interface=VLAN11 network=\
    192.168.4.0
add address=192.168.20.1/24 interface=VLAN20 network=192.168.20.0
/ip cloud
set update-time=no
/ip dhcp-client
add comment=defconf disabled=no interface=ether1 use-peer-dns=no \
    use-peer-ntp=no
/ip dhcp-server network
add address=192.168.4.0/24 comment=defconf dns-server=\
    192.168.4.209,192.168.4.208 domain=clubamgg.com gateway=192.168.4.1 \
    netmask=24
add address=192.168.20.0/24 comment="VLAN20 - IoT" dns-server=1.1.1.1,8.8.8.8 \
    gateway=192.168.20.1
/ip dns
set servers=1.1.1.1,9.9.9.9
/ip dns static
add address=192.168.4.1 comment=defconf name=router.lan
/ip firewall filter
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment=\
    "defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
    in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
    ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
    ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
    connection-state=established,related
add action=accept chain=forward comment=\
    "defconf: accept established,related, untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
add action=drop chain=forward comment=\
    "defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
    connection-state=new in-interface-list=WAN
add action=drop chain=forward in-interface=VLAN20 out-interface=VLAN11
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" \
    ipsec-policy=out,none out-interface-list=WAN
add action=dst-nat chain=dstnat dst-port=51820 in-interface=ether1 protocol=\
    udp to-addresses=192.168.4.8 to-ports=51820
/ip service
set telnet disabled=yes
set ftp disabled=yes
set www disabled=yes
set ssh port=2200
set api disabled=yes
set winbox address=192.168.4.0/24
set api-ssl disabled=yes
/system clock
set time-zone-name=America/New_York
/system identity
set name=Router
/system note
set note="mehdi, clubamgg.com - Authorized administrators only. Access to this\
    \_device is monitored."
/system ntp client
set enabled=yes primary-ntp=38.229.71.1 secondary-ntp=199.180.133.100
/system package update
set channel=development
/tool bandwidth-server
set enabled=no
/tool mac-server
set allowed-interface-list=none
/tool mac-server mac-winbox
set allowed-interface-list=control
/tool mac-server ping
set enabled=no
/tool user-manager database
set db-path=flash/user-manager
 
meazz1
Frequent Visitor
Topic Author
Posts: 67
Joined: Tue Nov 28, 2017 9:44 pm
Location: Auburn, GA

Re: Making sure I did not mess up my firewall protection

Mon Nov 08, 2021 12:34 am

Thank you @anav.
Please message your PayPal email to me; I would like to buy you some beer, or if you're not into drinking, please buy some lunch.

Here's the final config.
/interface bridge
add admin-mac=08:55:31:CD:0D:6A auto-mac=no comment=defconf name=bridge
/interface vlan
add comment="Untrusted IoT" interface=bridge name=VLAN20 vlan-id=20
add comment="Trusted" interface=bridge name=VLAN11 vlan-id=11
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
add name=control
/ip pool
add name=dhcp ranges=192.168.4.10-192.168.4.200
add comment="DhcpPool for IoT" name=DhcpPool_20 ranges=\
    192.168.20.10-192.168.20.100
/ip dhcp-server
add address-pool=dhcp disabled=no interface=VLAN11 name=DHCP-11
add address-pool=DhcpPool_20 disabled=no interface=VLAN20 name=DHCP-20
/tool user-manager customer
set admin access=\
    own-routers,own-users,own-profiles,own-limits,config-payment-gw
/interface bridge port
add bridge=bridge comment=defconf interface=ether2 pvid=11 frame-types=admit-only-untagged-and-priority-tagged ingress-filtering=yes
add bridge=bridge comment=defconf interface=ether3 pvid=11 frame-types=admit-only-untagged-and-priority-tagged ingress-filtering=yes
add bridge=bridge comment=defconf interface=ether4 frame-types=admit-only-vlan-tagged ingress-filtering=yes
add bridge=bridge comment=defconf interface=ether5 pvid=11 frame-types=admit-only-untagged-and-priority-tagged ingress-filtering=yes
add bridge=bridge comment=defconf interface=sfp1 pvid=11 frame-types=admit-only-untagged-and-priority-tagged ingress-filtering=yes
/interface bridge vlan
add bridge=bridge tagged=bridge,ether4 vlan-ids=20
add bridge=bridge tagged=bridge,ether4 untagged=ether2,ether3,ether5,sfp1 vlan-ids=11
/ip neighbor discovery-settings
set discover-interface-list=LAN
/interface list member
add comment=defconf interface=VLAN20 list=LAN
add comment=defconf interface=VLAN11 list=LAN
add comment=defconf interface=VLAN11 list=control
add comment=defconf interface=ether1 list=WAN
/ip address
add address=192.168.4.1/24 comment=defconf interface=VLAN11 network=\
    192.168.4.0
add address=192.168.20.1/24 interface=VLAN20 network=192.168.20.0
/ip cloud
set update-time=no
/ip dhcp-client
add comment=defconf disabled=no interface=ether1 use-peer-dns=no \
    use-peer-ntp=no
/ip dhcp-server network
add address=192.168.4.0/24 comment=defconf dns-server=\
    192.168.4.209,192.168.4.208 domain=clubamgg.com gateway=192.168.4.1 \
    netmask=24
add address=192.168.20.0/24 comment="VLAN20 - IoT" dns-server=1.1.1.1,8.8.8.8 \
    gateway=192.168.20.1
/ip dns
set servers=1.1.1.1,9.9.9.9
/ip dns static
add address=192.168.4.1 comment=defconf name=router.lan
/ip firewall filter
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment=\
    "defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
    in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
    ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
    ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
    connection-state=established,related
add action=accept chain=forward comment=\
    "defconf: accept established,related, untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
add action=drop chain=forward comment=\
    "defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
    connection-state=new in-interface-list=WAN
add action=drop chain=forward in-interface=VLAN20 out-interface=VLAN11
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" \
    ipsec-policy=out,none out-interface-list=WAN
add action=dst-nat chain=dstnat dst-port=51820 in-interface=ether1 protocol=\
    udp to-addresses=192.168.4.8 to-ports=51820
/ip service
set telnet disabled=yes
set ftp disabled=yes
set www disabled=yes
set ssh port=2200
set api disabled=yes
set winbox address=192.168.4.0/24
set api-ssl disabled=yes
/system clock
set time-zone-name=America/New_York
/system identity
set name=Router
/system note
set note="mehdi, clubamgg.com - Authorized administrators only. Access to this\
    \_device is monitored."
/system ntp client
set enabled=yes primary-ntp=38.229.71.1 secondary-ntp=199.180.133.100
/system package update
set channel=development
/tool bandwidth-server
set enabled=no
/tool mac-server
set allowed-interface-list=none
/tool mac-server mac-winbox
set allowed-interface-list=control
/tool mac-server ping
set enabled=no
/tool user-manager database
set db-path=flash/user-manager
 
anav
Forum Guru
Forum Guru
Posts: 19318
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Making sure I did not mess up my firewall protection

Mon Nov 08, 2021 3:17 am

Remuneration not required LOL.
Payback is you learning a bit more every time you play with the router.
Simply copying will lead to disasters so don't be afraid to ask WHY!!!
 
anav
Forum Guru
Forum Guru
Posts: 19318
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Making sure I did not mess up my firewall protection  [SOLVED]

Mon Nov 08, 2021 3:23 am

The next step is now improving your firewall rules.
Right now the concept is accept everything except for a few things.
Better is block everything except for what we allow.

Think about what you need to allow in the INPUT chain and the FORWARD CHAIN, if I was to tell you the last rule in each
would be to block all.

For both chains the default rules of
fasttrack accepted, established etc. is kept (forward chain only)
accepted established, etc. is kept
drop invalid is kept
icmp is kept (input chain only)
+++++++++++++++++
admin rules of what to allow
+++++++++++++++++++
drop all else


that's your challenge for the day!!!
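One way the default-deny layout described above could look for this thread's VLAN11 (trusted) / VLAN20 (IoT) setup, as an added example that is not anav's or meazz1's code. It reuses values from the posted config (winbox 8291, ssh moved to 2200, the WireGuard dst-nat to 192.168.4.8:51820, the LAN and WAN interface lists) and assumes that dst-nat rule and the list memberships stay as they are; with a final drop in each chain, the separate "drop all from WAN not DSTNATed" and "VLAN20 to VLAN11" drop rules become unnecessary.

```routeros
/ip firewall filter
# ---- input chain: traffic addressed to the router itself ----
add chain=input action=accept connection-state=established,related,untracked \
    comment="accept established,related,untracked"
add chain=input action=drop connection-state=invalid comment="drop invalid"
add chain=input action=accept protocol=icmp comment="accept ICMP"
# admin rules: only the trusted VLAN may manage the router
add chain=input action=accept in-interface=VLAN11 protocol=tcp dst-port=8291 \
    comment="winbox from trusted VLAN"
add chain=input action=accept in-interface=VLAN11 protocol=tcp dst-port=2200 \
    comment="ssh (moved to 2200) from trusted VLAN"
# services both VLANs need from the router itself
add chain=input action=accept in-interface-list=LAN protocol=udp dst-port=53 \
    comment="DNS (udp) from LAN"
add chain=input action=accept in-interface-list=LAN protocol=tcp dst-port=53 \
    comment="DNS (tcp) from LAN"
add chain=input action=accept in-interface-list=LAN protocol=udp dst-port=67 \
    comment="DHCP from LAN"
add chain=input action=drop comment="drop all else (input)"
# ---- forward chain: traffic passing through the router ----
add chain=forward action=fasttrack-connection \
    connection-state=established,related comment="fasttrack"
add chain=forward action=accept connection-state=established,related,untracked \
    comment="accept established,related,untracked"
add chain=forward action=drop connection-state=invalid comment="drop invalid"
# admin rules: who may open NEW connections to where
add chain=forward action=accept in-interface-list=LAN out-interface-list=WAN \
    connection-state=new comment="both VLANs to the internet"
add chain=forward action=accept in-interface=VLAN11 out-interface=VLAN20 \
    connection-state=new comment="trusted VLAN may reach IoT devices, not vice versa"
add chain=forward action=accept connection-nat-state=dstnat connection-state=new \
    in-interface-list=WAN protocol=udp dst-address=192.168.4.8 dst-port=51820 \
    comment="port-forwarded WireGuard (matches the existing dstnat rule)"
add chain=forward action=drop comment="drop all else (forward)"
```

Add the final drop rules last and test management access from VLAN11 before disconnecting, since a missing admin rule now locks you out instead of being silently allowed.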
 
meazz1
Frequent Visitor
Frequent Visitor
Topic Author
Posts: 67
Joined: Tue Nov 28, 2017 9:44 pm
Location: Auburn, GA

Re: Making sure I did not mess up my firewall protection

Wed Nov 10, 2021 2:09 am

Remuneration not required LOL.
Payback is you learning a bit more every time you play with the router.
Simply copying will lead to disasters so don't be afraid to ask WHY!!!
Thank you very much.
