sk325 (Topic Author)

Help with auditing my Firewall

Wed Nov 10, 2021 7:30 pm

I followed the instructions here https://help.mikrotik.com/docs/display/ ... theClients and here https://wiki.mikrotik.com/wiki/Manual:S ... our_Router as best I could. Unfortunately, they do have slightly different firewall rules and settings.

So I’m hoping someone could take a look at my IP> Firewall settings, and give me some insight as to whether it looks good (or bad), any changes I need to make, and for extra credit – I’d like to get my VPN working.

My confusion is mostly in regards to the sequence or order of the interpreted rules, but I’m learning as I go :).

In regards to my VPN, I'm running OpenVPN on a local Raspberry Pi server. When I turn on the Firewall> Filter Rules> "allow OpenVPN" (and NAT rule), it fails to connect. This could easily be an issue with my VPN server, Windows firewall, etc. – and I'll probably be able to troubleshoot through it, but in the event something is glaring in my MikroTik firewall settings, I'd be very grateful for the insight someone may have. Note: the VPN worked fine with the previous router with the same settings; the only change is the new MikroTik router.

Sorry for the long post, just trying to give all the info. Thank you!

IP> Firewall> Filter Rules:
 0  D ;;; special dummy rule to show fasttrack counters
      chain=forward action=passthrough 

 1 X  ;;; Kept trying to ssh in. This blocked him, but instead set an IP Services Available From for SSH to only local IPs. 
      chain=input action=drop src-address=185.53.90.111 log=no log-prefix="" 

 2    ;;; accept established,related
      chain=input action=accept log=no log-prefix="" 

 3    chain=input action=accept src-address-list=allowed_to_router 

 4    chain=input action=drop connection-state=invalid log=no log-prefix="" 

 5 X  ;;; allow OpenVPN
      chain=input action=accept protocol=udp dst-port=1194 log=yes log-prefix="vpn_filter_rules" 

 6    ;;; Allow Port Forwarding - DSTNAT
      chain=forward action=accept connection-nat-state=dstnat log=no log-prefix="dstnat_portf" 

 7    ;;; allow ICMP
      chain=input action=accept protocol=icmp in-interface=ether1 log=no log-prefix="" 

 8    ;;; allow Winbox
      chain=input action=accept protocol=tcp in-interface=ether1 src-port="" port=8291 log=no log-prefix="" 

 9    ;;; allow SSH
      chain=input action=accept protocol=tcp in-interface=ether1 src-port="" port=2200 log=no log-prefix="" 

10    ;;; block everything else
      chain=input action=drop in-interface=ether1 log=yes log-prefix="fw5" 

11    ;;; fast-track for established,related
      chain=forward action=fasttrack-connection connection-state=established,related 

12    ;;; accept established,related
      chain=forward action=accept connection-state=established,related 

13    chain=forward action=drop connection-state=invalid 

14    ;;; drop access to clients behind NAT form WAN
      chain=forward action=drop connection-state=new connection-nat-state=!dstnat in-interface=ether1 

15    ;;; Drop packets from LAN that do not have LAN IP
      chain=forward action=drop src-address=!192.168.88.0/24 in-interface=local log=yes log-prefix="LAN_!LAN"

IP> Firewall> NAT
 0 X  chain=dstnat action=dst-nat to-addresses=192.168.88.254 protocol=tcp in-interface=ether1 port=3389 log=no log-prefix="" 

 1    chain=srcnat action=masquerade out-interface=ether1 log=no log-prefix="" 

 2 X  ;;; OpenVPN
      chain=dstnat action=dst-nat to-addresses=192.168.88.229 to-ports=1194 protocol=udp in-interface=ether1 dst-port=1194 port=1194 log=yes log-prefix="vpn_nat_rules" 

 3    ;;; Send and redirect all DNS requests to the piHole
      chain=dstnat action=dst-nat to-addresses=192.168.88.229 protocol=udp src-address=!192.168.88.229 dst-address=!192.168.88.229 in-interface=local dst-port=53 log=no log-prefix="piholednsrule1" 

 4    ;;; Masquerade rules for both types of traffic to hide the source
      chain=srcnat action=masquerade protocol=udp src-address=192.168.88.0/24 dst-address=192.168.88.229 dst-port=53 log=no log-prefix="piholednsrule2" 

 5    ;;; PLEX
      chain=dstnat action=dst-nat to-addresses=192.168.88.237 protocol=tcp in-interface=ether1 dst-port=32400 log=no log-prefix="" 

IP> Firewall> Address List
 0    allowed_to_router   192.168.88.2-192.168.88.254   sep/22/2021 08:30:27
 1    ;;; RFC6890
      not_in_internet     0.0.0.0/8                     sep/22/2021 08:36:20
 2    ;;; RFC6890
      not_in_internet     172.16.0.0/12                 sep/22/2021 08:36:20
 3    ;;; RFC6890
      not_in_internet     192.168.0.0/16                sep/22/2021 08:36:20
 4    ;;; RFC6890
      not_in_internet     10.0.0.0/8                    sep/22/2021 08:36:20
 5    ;;; RFC6890
      not_in_internet     169.254.0.0/16                sep/22/2021 08:36:20
 6    ;;; RFC6890
      not_in_internet     127.0.0.0/8                   sep/22/2021 08:36:20
 7    ;;; Multicast
      not_in_internet     224.0.0.0/4                   sep/22/2021 08:36:20
 8    ;;; RFC6890
      not_in_internet     198.18.0.0/15                 sep/22/2021 08:36:20
 9    ;;; RFC6890
      not_in_internet     192.0.0.0/24                  sep/22/2021 08:36:20
10    ;;; RFC6890
      not_in_internet     192.0.2.0/24                  sep/22/2021 08:36:20
11    ;;; RFC6890
      not_in_internet     198.51.100.0/24               sep/22/2021 08:36:20
12    ;;; RFC6890
      not_in_internet     203.0.113.0/24                sep/22/2021 08:36:20
13    ;;; RFC6890
      not_in_internet     100.64.0.0/10                 sep/22/2021 08:36:20
14    ;;; RFC6890
      not_in_internet     240.0.0.0/4                   sep/22/2021 08:36:20
15    ;;; 6to4 relay Anycast [RFC 3068]
      not_in_internet     192.88.99.0/24                sep/22/2021 08:36:27

anav (Forum Guru, Nova Scotia, Canada)

Re: Help with auditing my Firewall

Fri Nov 12, 2021 9:08 pm

Anything in red, get rid of.
Anything not changed, keep.
Anything in green, modified.
Anything in blue, recommended add.
Anything in purple, danger.
Orange I don't understand.........

BUT FIRST AND FOREMOST, BY STRAYING FROM DEFAULT FIREWALL RULES YOU HAVE MADE YOUR ROUTER UNSAFE.
Besides the SSH rule not being required, check out the second rule. What do you think is wrong?
add action=accept chain=input comment="accept established,related"

it should be pretty clear to you that this rule is allowing ALL traffic from anywhere to access your router!!!!!
ip firewall filter
add action=drop chain=input comment="Kept trying to ssh in. This blocked him, \
but instead set an IP Services Available From for SSH to only local IPs. " \
disabled=yes src-address=185.53.90.111

add action=accept chain=input comment="accept established,related,untracked" connection-state=\
established,related,untracked

add action=drop chain=input connection-state=invalid {modified order}
add action=accept chain=input comment="allow ICMP" protocol=icmp {modified order and removed ether1}
add action=accept chain=input src-address-list=allowed_to_router {optional here to only allow IP addresses from device admin uses via firewall address list}
add action=accept chain=input comment="allow OpenVPN" disabled=yes dst-port=\
1194 log=yes log-prefix=vpn_filter_rules protocol=udp in-interface-list=WAN

add action=accept chain=input comment="allow Winbox" in-interface=ether1 \
port=8291 protocol=tcp src-port=""
NOT REQUIRED, you limit access to the router to the admin already above.......
add action=accept chain=input comment="allow SSH" in-interface=ether1 port=\
2200 protocol=tcp src-port=""
add action=drop chain=input comment="block everything else" in-interface=\
ether1 log=yes log-prefix=fw5
You WANT TO BLOCK ALL TRAFFIC, WAN to router and LAN to router.
No one needs access to the router except the admin. What you need to do is allow DNS queries from the LAN (UDP/TCP) prior to the block DROP ALL RULE.

+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
add action=fasttrack-connection chain=forward comment=\
"fast-track for established,related" connection-state=established,related
add action=accept chain=forward comment="accept established,related" \
connection-state=established,related
add action=drop chain=forward connection-state=invalid
add action=accept chain=forward comment=\
"allow port forwarding" connection-nat-state=dstnat \
connection-state=new in-interface-list=WAN
add action=drop chain=forward comment=\
"Drop packets from LAN that do not have LAN IP" in-interface=local log=\
yes log-prefix=LAN_!LAN src-address=!192.168.88.0/24
NOT REQUIRED. But do tell me the purpose of the rule and we will find something better.........

add action=drop chain=forward comment="drop all other traffic"
HOWEVER, you need to put one allow rule BEFORE the drop rule.
add chain=forward action=accept in-interface-list=LAN out-interface-list=WAN

/ip firewall nat
add action=dst-nat chain=dstnat disabled=yes in-interface=ether1 port=3389 \
protocol=tcp to-addresses=192.168.88.254
add action=masquerade chain=srcnat out-interface=ether1
add action=dst-nat chain=dstnat comment=OpenVPN disabled=yes dst-port=1194 \
in-interface=ether1 log=yes log-prefix=vpn_nat_rules port=1194 protocol=\
udp to-addresses=192.168.88.229 to-ports=1194
add action=dst-nat chain=dstnat comment=\
"Send and redirect all DNS requests to the piHole" dst-address=\
!192.168.88.229 dst-port=53 in-interface=local log-prefix=piholednsrule1 \
protocol=udp src-address=!192.168.88.229 to-addresses=192.168.88.229
add action=masquerade chain=srcnat comment=\
"Masquerade rules for both types of traffic to hide the source" \
dst-address=192.168.88.229 dst-port=53 log-prefix=piholednsrule2 \
protocol=udp src-address=192.168.88.0/24

The above rule may be fine, but it's above my understanding of how it will actually work, or not.........
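The point anav makes about the second input rule (no connection-state matcher, so it matches every packet) and about rule order (the drop-invalid rule sitting after an accept-all never fires) can be checked mechanically. The following is an added example, not code from the thread or from MikroTik: a small first-match evaluator in Python that models a RouterOS-style `input` chain with simplified matcher semantics. It runs the input chain as posted and a corrected chain based on the reply (state matcher present, drop-invalid before any accept, LAN DNS allowed, final drop not limited to ether1, which is my reading of "block all traffic") against constructed sample packets. The `Packet`, `Rule`, `evaluate` and `audit` names, the sample traffic and the corrected chain are all assumptions of this example.

```python
"""First-match simulation of a RouterOS-style firewall `input` chain.

Added example (not from the forum post or MikroTik). Matcher semantics are a
simplified model: a matcher that is absent from a rule matches everything,
exactly the property that makes an `accept` rule with no `connection-state`
an accept-all.
"""
from dataclasses import dataclass
from ipaddress import ip_address
from typing import Optional


@dataclass(frozen=True)
class Packet:
    src: str                 # source IPv4 address
    proto: str               # "tcp", "udp" or "icmp"
    dst_port: Optional[int]  # None for icmp
    conn_state: str          # new / established / related / invalid / untracked
    in_iface: str            # "ether1" (WAN) or "local" (LAN)


@dataclass(frozen=True)
class Rule:
    action: str                               # "accept" or "drop"
    comment: str = ""
    disabled: bool = False                    # the "X" flag in the export
    conn_states: Optional[frozenset] = None   # None: matcher absent, any state matches
    proto: Optional[str] = None
    dst_port: Optional[int] = None
    in_iface: Optional[str] = None
    src_list: Optional[str] = None            # address-list name (range lookup)

    def matches(self, pkt: Packet, address_lists: dict) -> bool:
        if self.disabled:
            return False
        if self.conn_states is not None and pkt.conn_state not in self.conn_states:
            return False
        if self.proto is not None and pkt.proto != self.proto:
            return False
        if self.dst_port is not None and pkt.dst_port != self.dst_port:
            return False
        if self.in_iface is not None and pkt.in_iface != self.in_iface:
            return False
        if self.src_list is not None:
            lo, hi = address_lists[self.src_list]
            if not (ip_address(lo) <= ip_address(pkt.src) <= ip_address(hi)):
                return False
        return True


def evaluate(chain, pkt: Packet, address_lists: dict):
    """First matching enabled rule wins. A packet that reaches the end of a
    RouterOS chain without matching is accepted, so the model does the same."""
    for rule in chain:
        if rule.matches(pkt, address_lists):
            return rule.action, rule.comment
    return "accept", "end of chain (implicit accept)"


EST = frozenset({"established", "related"})
ADDRESS_LISTS = {"allowed_to_router": ("192.168.88.2", "192.168.88.254")}

# The input chain as posted: rules 1 and 5 disabled, rule 2 has no state matcher.
POSTED_INPUT = [
    Rule("drop", "blocked ssh source", disabled=True),
    Rule("accept", "accept established,related"),            # matches everything
    Rule("accept", "allowed_to_router", src_list="allowed_to_router"),
    Rule("drop", "drop invalid", conn_states=frozenset({"invalid"})),
    Rule("accept", "allow OpenVPN", disabled=True, proto="udp", dst_port=1194),
    Rule("accept", "allow ICMP", proto="icmp", in_iface="ether1"),
    Rule("accept", "allow Winbox", proto="tcp", dst_port=8291, in_iface="ether1"),
    Rule("accept", "allow SSH", proto="tcp", dst_port=2200, in_iface="ether1"),
    Rule("drop", "block everything else", in_iface="ether1"),
]

# Corrected chain following the reply (assumed reading of the advice).
CORRECTED_INPUT = [
    Rule("accept", "accept established,related,untracked", conn_states=EST | {"untracked"}),
    Rule("drop", "drop invalid", conn_states=frozenset({"invalid"})),
    Rule("accept", "allow ICMP", proto="icmp"),
    Rule("accept", "allowed_to_router", src_list="allowed_to_router"),
    Rule("accept", "allow LAN DNS (udp)", proto="udp", dst_port=53, in_iface="local"),
    Rule("accept", "allow LAN DNS (tcp)", proto="tcp", dst_port=53, in_iface="local"),
    Rule("drop", "drop all else"),
]

SAMPLE_PACKETS = {  # constructed sample traffic, not captured data
    "wan_new_ssh": Packet("185.53.90.111", "tcp", 2200, "new", "ether1"),
    "wan_invalid": Packet("198.51.100.7", "tcp", 80, "invalid", "ether1"),
    "wan_reply":   Packet("203.0.113.9", "udp", 1194, "established", "ether1"),
    "lan_admin":   Packet("192.168.88.10", "tcp", 8291, "new", "local"),
    "wan_dns":     Packet("203.0.113.9", "udp", 53, "new", "ether1"),
}


def audit(chain):
    """Verdict and firing rule for every sample packet."""
    return {name: evaluate(chain, pkt, ADDRESS_LISTS) for name, pkt in SAMPLE_PACKETS.items()}


if __name__ == "__main__":
    for label, chain in (("posted", POSTED_INPUT), ("corrected", CORRECTED_INPUT)):
        print(label)
        for name, (action, why) in audit(chain).items():
            print(f"  {name:12} {action:6} <- {why}")
```

Run as posted, every sample packet, including the new SSH attempt from the WAN and the invalid-state packet, is accepted by "accept established,related", and the drop-invalid rule below it never fires. With the corrected chain the established reply and the LAN admin are accepted, and the WAN SSH attempt, the invalid packet and the WAN DNS query are dropped.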

sk325 (Topic Author)

Re: Help with auditing my Firewall

Sat Nov 13, 2021 6:27 pm

Thank you anav! I'm still learning, but your help is definitely appreciated!
BUT FIRST AND FOREMOST BY STRAYING FROM DEFAULT FIREWALL RULES YOU HAVE MADE YOUR ROUTER UNSAFE.
Besides the ssh rule not required. check out the second rule. What do you think is wrong?
add action=accept chain=input comment="accept established,related"

it should be pretty clear to you that this rule is allowing ALL traffic from anywhere to access your router!!!!!
This firewall rule was taken from here https://wiki.mikrotik.com/wiki/Manual:S ... our_Router:
add action=accept chain=forward comment="Established, Related"  connection-state=established,related
Should I still remove that rule, or move it down the list perhaps? Part of my trouble is the firewall rules are different per MikroTik link (Securing Your Router and First Time Configuration), and considering firewall rules are interpreted in order, I'm confused as to why the links/tutorials don't simply put the rules in one list 1-x for example? I'm guessing one size doesn't fit all is the reason, but as I mentioned, I'm still learning.

Some of the other rules come from https://help.mikrotik.com/docs/display/ ... t+Firewall. For example, your question
NOT REQUIRED But do tell me the purpose of the rule and we will find something better.........
is explained as "drop packets from LAN that does not have LAN IP, 192.168.88.0/24 is local network used subnet;" from there. I think (as related to the above) maybe my order is the problem?

To explain about the Pi-hole part (your last section in orange), I want to force everything to use my Pi-hole DNS server. This was my example https://itimagination.com/mikrotik-piho ... k-all-ads/

Thanks again, I think I'm following your notes. As you may have noticed, I'm trying to stitch together tutorials from a bunch of different places to suit my needs; but I think my order is definitely a bit messed up. I still wish there was a master firewall list that encompasses all the linked MikroTik tutorials (First Time Configuration, Securing Your Router, and Building Your First Firewall)...maybe someday I'll learn enough to write it myself!

anav (Forum Guru, Nova Scotia, Canada)

Re: Help with auditing my Firewall

Sat Nov 13, 2021 10:28 pm

Listen, the first thing you have to do is PAY ATTENTION TO DETAIL!!

here is what is listed on your exported config. I just copied it.

ip firewall filter
add action=drop chain=input comment="Kept trying to ssh in. This blocked him, \
but instead set an IP Services Available From for SSH to only local IPs. " \
disabled=yes src-address=185.53.90.111
add action=accept chain=input comment="accept established,related"
add action=accept chain=input src-address-list=allowed_to_router

Now you are telling me you only copied the rule from MT, and you correctly show the rule from MT documentation to be THIS.........
add action=accept chain=forward comment="Established, Related" connection-state=established,related

CAN YOU SPOT THE DIFFERENCE AND OMISSION??
