tomislav91

drop ports from WAN side

Wed Dec 01, 2021 4:05 pm

This rule is at the top of the chain, but the ports are still open (action is drop).
Why?
qq.png
235.png
spynappels

Re: drop ports from WAN side

Wed Dec 01, 2021 4:13 pm

Is your WAN interface in your WAN Interface list?
 
tomislav91

Re: drop ports from WAN side

Wed Dec 01, 2021 4:20 pm

Is your WAN interface in your WAN Interface list?
Yeah, of course; it also didn't work with a single interface.
r325.png
anav

Re: drop ports from WAN side

Wed Dec 01, 2021 10:27 pm

Please post your config if you want assistance:
/export hide-sensitive file=anynameyouwish
 
tomislav91

Re: drop ports from WAN side

Thu Dec 02, 2021 9:32 pm

Please post your config if you want assistance:
/export hide-sensitive file=anynameyouwish

# dec/02/2021 20:25:24 by RouterOS 6.49.1
# software id = YTJ3-10KN
#
# model = 951Ui-2HnD
# serial number = 80F1088227E6
# NOTE(review): this is an "/export hide-sensitive" paste. Values such as
# WAN1.x, WLAN_IP.17 and L2TP_WAN1/L2TP_WAN2 below are the poster's own
# redactions, not RouterOS syntax. The export omits parameters left at their
# defaults, so an absent parameter means "default", not "unset".
/interface bridge
# Single LAN bridge (carries 10.10.105.1/24 further down); its member ports
# are listed under /interface bridge port. protocol-mode=none disables STP.
add admin-mac=CC:2D:E0:07:87:93 auto-mac=no comment=\
    "created from master port" name=bridge1 protocol-mode=none
/interface ethernet
# ether1 and ether5 are renamed as the two uplinks (GW1/GW2); both become
# members of interface list WAN below.
set [ find default-name=ether1 ] advertise=\
    10M-half,10M-full,100M-half,100M-full,1000M-half,1000M-full name=\
    ether1-GW1
set [ find default-name=ether2 ] advertise=\
    10M-half,10M-full,100M-half,100M-full,1000M-half,1000M-full
set [ find default-name=ether3 ] advertise=\
    10M-half,10M-full,100M-half,100M-full,1000M-half,1000M-full
set [ find default-name=ether4 ] advertise=\
    10M-half,10M-full,100M-half,100M-full,1000M-half,1000M-full
set [ find default-name=ether5 ] advertise=\
    10M-half,10M-full,100M-half,100M-full,1000M-half,1000M-full name=\
    ether5-GW2
/interface l2tp-client
# Two outbound L2TP tunnels. Only l2tp-out1 carries disabled=no; since the
# export omits defaults, l2tp-maxbet is presumably disabled — confirm.
# Neither tunnel interface is a member of interface list WAN, so the
# in-interface-list=WAN firewall rules never apply to tunnel traffic.
add connect-to=L2TP_WAN1 name=l2tp-maxbet user=cukarickapadina
add connect-to=L2TP_WAN2 disabled=no name=l2tp-out1 user=mt099250
/interface wireless
# Guest SSID served by the hotspot. default-forwarding=no stops wireless
# clients from reaching each other directly through the AP. The security
# profile in use is not visible in this export.
set [ find default-name=wlan1 ] antenna-gain=0 band=2ghz-b/g/n channel-width=\
    20/40mhz-Ce country=no_country_set default-forwarding=no disabled=no \
    distance=indoors frequency-mode=manual-txpower mode=ap-bridge ssid=\
    "MaxBet Free WiFi" station-roaming=enabled
/interface vlan
# vlan1 (tag 3100) on ether5-GW2 carries the public WAN1.x/30 address and is
# the interface most of the input-chain hardening below refers to.
add interface=ether5-GW2 name=vlan1 vlan-id=3100

/interface list
# WAN is the only list defined; its members are set under
# /interface list member below.
add name=WAN
/ip pool
# One pool per DHCP server: LAN bridge, hotspot wlan1 and "private WLAN".
add name=dhcp_pool1 ranges=10.10.105.100-10.10.105.250
add name=hs-pool-6 ranges=10.5.50.2-10.5.50.254
add name=poolPrivateWiFi ranges=192.168.100.2-192.168.100.254
/ip dhcp-server
# NOTE(review): "private WLAN" is referenced here and under /ip address, but
# no interface of that name appears in this export — presumably trimmed from
# the paste; confirm.
add address-pool=dhcp_pool1 disabled=no interface=bridge1 lease-time=20m \
    name=dhcp1
add address-pool=hs-pool-6 disabled=no interface=wlan1 lease-time=2h name=\
    dhcp_myWiFi
add address-pool=poolPrivateWiFi disabled=no interface="private WLAN" \
    lease-time=3d name=dhcpPrivateWiFi
/ip hotspot
# Captive-portal hotspot on the guest SSID, backed by the RADIUS server
# configured under /radius.
add address-pool=hs-pool-6 addresses-per-mac=unlimited disabled=no interface=\
    wlan1 name=hotspot_99_250
/queue simple
add max-limit=10M/2M name=DVR target=10.10.105.116/32
/snmp community
# The default SNMP community answers queries from any source address
# (0.0.0.0/0). The only thing limiting who can query it is the firewall input
# chain, which has no terminal drop for packets arriving on vlan1/ether5-GW2.
# Whether /snmp itself is enabled is not visible in this export.
set [ find default=yes ] addresses=0.0.0.0/0
/user group
# Built-in "full" group with every policy granted, including sensitive and api.
set full policy="local,telnet,ssh,ftp,reboot,read,write,policy,test,winbox,pas\
    sword,web,sniff,sensitive,api,romon,dude,tikapp"
/interface bridge port
# ether2-ether4 form the LAN; ether1 and ether5 stay routed (uplinks).
add bridge=bridge1 interface=ether3
add bridge=bridge1 interface=ether4
add bridge=bridge1 interface=ether2
/ip neighbor discovery-settings
# Neighbor discovery (MNDP/CDP/LLDP) runs on every non-dynamic interface,
# which includes both uplinks and vlan1; the router therefore announces
# itself to whatever is on the WAN segments.
set discover-interface-list=!dynamic
/ip settings
# Loose reverse-path filtering fits the dual-uplink setup; SYN cookies on.
set rp-filter=loose tcp-syncookies=yes
/interface list member
# in-interface-list=WAN in the firewall matches only packets that physically
# arrive on one of these three interfaces; tests run from a LAN-side
# interface never match, whatever address they are aimed at.
add interface=ether1-GW1 list=WAN
add interface=ether5-GW2 list=WAN
add interface=vlan1 list=WAN
/ip address
# WAN1.94/30 on vlan1 is the public address (redacted); ether1-GW1 sits on a
# private segment behind 192.168.0.1.
add address=10.10.105.1/24 interface=bridge1 network=10.10.105.0
add address=WAN1.94/30 interface=vlan1 network=WAN1.92
add address=192.168.0.200/24 interface=ether1-GW1 network=192.168.0.0
add address=10.5.50.1/24 comment="hotspot network" interface=wlan1 network=\
    10.5.50.0
add address=192.168.100.1/24 comment="private WLAN" interface=\
    "private WLAN" network=192.168.100.0
/ip arp
# Static ARP entry pinning the DVR's MAC (paired with the DVR simple queue).
add address=10.10.105.116 comment=DVR interface=bridge1 mac-address=\
    9C:14:63:A3:0A:07
/ip cloud
set ddns-enabled=yes ddns-update-interval=1h
/ip dhcp-client
# DHCP client on ether1-GW1 alongside its static 192.168.0.200/24 address;
# peer DNS/NTP are ignored in favour of the servers configured locally.
add interface=ether1-GW1 use-peer-dns=no use-peer-ntp=no
/ip dns
# allow-remote-requests=yes makes the router a resolver for any client that
# can reach udp/53 on the input chain. Nothing in the filter rules below
# drops udp/53 arriving on vlan1/ether5-GW2, so the resolver is also
# reachable from the Internet (open-resolver exposure, abusable for
# amplification); an input rule limiting udp/53 to LAN sources would close it.
set allow-remote-requests=yes servers=1.1.1.1,8.8.4.4

/ip firewall filter
# Rules are evaluated top to bottom within each chain: the first match wins,
# and a rule matches only when EVERY listed condition holds. A packet that
# matches no rule is accepted (RouterOS default). This input chain has no
# terminal drop for vlan1/ether5-GW2 — only ether1-GW1 is dropped
# unconditionally (see the in-interface=ether1-GW1 rule further down), so any
# service not explicitly dropped above that point is reachable from vlan1.
#
# The two drop rules under discussion: in-interface-list=WAN restricts them
# to packets arriving on ether1-GW1, ether5-GW2 or vlan1. A scan launched
# from wlan1, "private WLAN" or bridge1 never matches them, regardless of
# which router address it targets.
add action=drop chain=input dst-port=2000,5060,8009,8010 in-interface-list=\
    WAN protocol=tcp
add action=drop chain=input dst-port=2000,5060,8009,8010 in-interface-list=\
    WAN protocol=udp
# LAN clients may only exchange udp/53 with resolvers on address list "DNS"
# (both directions). The address-list entries themselves (DNS, BlockLAN,
# Social, shodan, pingeri, BGaddresses, NSaddresses) are not in this export.
add action=drop chain=forward comment="Drop !DNS" dst-address-list=!DNS \
    dst-port=53 protocol=udp src-address=10.10.105.0/24
add action=drop chain=forward comment="Drop !DNS" dst-address=10.10.105.0/24 \
    dst-port=53 protocol=udp src-address-list=!DNS
# ICMP from list BlockLAN toward the router's LAN address (input) and from
# the LAN toward BlockLAN hosts (forward) is dropped, except for 10.100.0.100.
add action=drop chain=input dst-address=10.10.105.0/24 protocol=icmp \
    src-address=!10.100.0.100 src-address-list=BlockLAN
add action=drop chain=forward dst-address=!10.100.0.100 dst-address-list=\
    BlockLAN protocol=icmp src-address=10.10.105.0/24
# Port-knock style gate for WinBox on vlan1: a ping puts the source on
# "trusted" for 1 minute, a tcp/2311 attempt from a trusted source puts it on
# "secured" for 1 hour, and only "secured" sources may reach tcp/8291 on
# vlan1. add-src-to-address-list does not end rule processing, so the knock
# packets themselves continue to the accept/drop rules below.
add action=add-src-to-address-list address-list=trusted address-list-timeout=\
    1m chain=input in-interface=vlan1 protocol=icmp
add action=add-src-to-address-list address-list=secured address-list-timeout=\
    1h chain=input dst-port=2311 in-interface=vlan1 protocol=tcp \
    src-address-list=trusted
add action=drop chain=input dst-port=8291 in-interface=vlan1 protocol=tcp \
    src-address-list=!secured
# The second tls-host rule is an exact duplicate of the first (harmless).
add action=reject chain=forward dst-port=443 protocol=tcp src-address-list=\
    !Social tls-host=*.youtube.com
add action=reject chain=forward dst-port=443 protocol=tcp src-address-list=\
    !Social tls-host=*.youtube.com
add action=drop chain=forward dst-address=10.100.200.0/24 src-address=\
    10.10.105.0/24
# Hotspot placeholder chain, disabled.
add action=passthrough chain=unused-hs-chain comment=\
    "place hotspot rules here" disabled=yes
# No action= means accept. IKE (udp/500, udp/4500), ESP and AH are accepted
# from every interface and source, as are ICMP, established/related traffic
# and WinBox tcp/8291. Because the 8291 accept precedes the ether1-GW1 drop,
# WinBox is accepted on ether1-GW1; on vlan1 it is still gated by the
# "secured" drop above, which comes first.
add chain=input dst-port=4500 protocol=udp
add chain=input dst-port=500 protocol=udp
add chain=input protocol=ipsec-esp
add chain=input protocol=ipsec-ah
add chain=input comment="default configuration-mywifi" protocol=icmp
add chain=input comment="default configuration-mywifi" connection-state=\
    established
add chain=input comment="default configuration-mywifi" connection-state=\
    related
add chain=input dst-port=8291 protocol=tcp
# The only unconditional interface-based drop on input; nothing equivalent
# exists for vlan1 or ether5-GW2.
add action=drop chain=input comment="default configuration-mywifi" \
    in-interface=ether1-GW1
add chain=forward comment="default configuration-mywifi" connection-state=\
    established
add chain=forward comment="default configuration-mywifi" connection-state=\
    related
add action=drop chain=forward comment="default configuration-mywifi" \
    connection-state=invalid
# udp/3799 (RADIUS CoA/disconnect, used by /radius incoming accept=yes) is
# accepted from any source on any interface.
add chain=input dst-port=3799 protocol=udp
# Already covered by the separate established/related accepts above, so these
# two combined rules never match.
add action=accept chain=forward comment="Allow Est, Rel" connection-state=\
    established,related
add action=accept chain=input comment="Allow Est, Rel" connection-state=\
    established,related
# tcp/4777 (presumably the SSH service port; /ip service is not in this
# export) is accepted only from the BG/NS address lists. The WinBox and ICMP
# accepts that follow are shadowed by the unconditional 8291 and ICMP accepts
# above and so have no effect.
add action=accept chain=input comment=SSH dst-port=4777 protocol=tcp \
    src-address-list=BGaddresses
add action=accept chain=input comment=SSH dst-port=4777 protocol=tcp \
    src-address-list=NSaddresses
add action=accept chain=input comment=WinBox dst-port=8291 protocol=tcp \
    src-address-list=NSaddresses
add action=accept chain=input comment=WinBox dst-port=8291 protocol=tcp \
    src-address-list=BGaddresses
add action=accept chain=input comment="Allow ICMP" protocol=icmp \
    src-address-list=BGaddresses
add action=accept chain=input comment="Allow ICMP" protocol=icmp \
    src-address-list=NSaddresses
# Invalid-state and reputation-list drops sit after the broad accepts, so
# they only catch traffic not already accepted by an earlier rule (e.g.
# tcp/8291 and ICMP are accepted above regardless of state or source).
add action=drop chain=forward comment="Drop Inv." connection-state=invalid
add action=drop chain=input comment="Drop Inv." connection-state=invalid
add action=drop chain=input comment="IN-Block Shodan" src-address-list=\
    shodan
add action=drop chain=input comment="IN-Pingers Block" \
    src-address-list=pingeri
# Everything from here on is disabled (large-ICMP drops and a SYN-flood
# rate limiter via the syn-attack chain).
add action=drop chain=input disabled=yes packet-size=200-65535 protocol=icmp
add action=drop chain=forward disabled=yes packet-size=200-65535 protocol=\
    icmp
add action=jump chain=forward comment="SYN Flood protect FORWARD" \
    connection-state=new disabled=yes jump-target=syn-attack protocol=tcp \
    tcp-flags=syn
add action=jump chain=input comment="SYN Flood protect INPUT" \
    connection-state=new disabled=yes jump-target=syn-attack protocol=tcp \
    tcp-flags=syn
add action=accept chain=syn-attack connection-state=new disabled=yes limit=\
    400,5:packet protocol=tcp tcp-flags=syn
add action=drop chain=syn-attack connection-state=new disabled=yes protocol=\
    tcp tcp-flags=syn

# NOTE(review): these masquerade rules belong under /ip firewall nat; the
# section header appears to have been lost in the paste.
add action=masquerade chain=srcnat out-interface=ether1-GW1
# Masquerading toward the LAN bridge rewrites the source of any traffic
# routed into bridge1 from other segments, so LAN hosts see the router's
# address instead of the originating client (hides the true source in logs).
add action=masquerade chain=srcnat out-interface=bridge1
add action=masquerade chain=srcnat out-interface=vlan1
add action=masquerade chain=srcnat src-address=192.168.100.0/24
# Hotspot guest subnet is masqueraded regardless of egress interface.
add action=masquerade chain=srcnat comment="masquerade hotspot network" \
    src-address=10.5.50.0/24 to-addresses=0.0.0.0

/ip firewall service-port
# All connection-tracking helpers (ALGs) are switched off, including sip, so
# the router opens no dynamic pinholes for these protocols.
set ftp disabled=yes
set tftp disabled=yes
set irc disabled=yes
set h323 disabled=yes
set sip disabled=yes
set pptp disabled=yes
set udplite disabled=yes
set dccp disabled=yes
set sctp disabled=yes

/ip route
# Dual-uplink failover via recursive gateways: the default routes point at
# 8.8.4.4 (distance 1) and 8.8.8.8 (distance 2), each reachable only through
# its own uplink via the scope=10 host routes, so check-gateway=ping
# deactivates a default route when that uplink loses reachability.
add check-gateway=ping distance=1 gateway=8.8.4.4
add check-gateway=ping distance=2 gateway=8.8.8.8
add distance=1 dst-address=8.8.4.4/32 gateway=WAN1.93 scope=10
add distance=2 dst-address=8.8.8.8/32 gateway=192.168.0.1 scope=10
add disabled=yes distance=1 dst-address=WLAN_IP.17/32 gateway=10.63.0.0
# NOTE(review): the line below is an /ip service setting; its section header
# appears to have been lost in the paste.
set api-ssl disabled=yes
/ip ssh
# allow-none-crypto=yes lets an SSH client negotiate the "none" cipher, i.e.
# an unencrypted session; forwarding-enabled=remote allows remote
# port-forwarding through the router. Both widen what an SSH login can do.
set allow-none-crypto=yes forwarding-enabled=remote
/radius
# Hotspot authentication against a RADIUS server (address redacted).
add address=WLAN_IP.17 service=hotspot timeout=3s
/radius incoming
# Accept RADIUS CoA/disconnect requests; pairs with the udp/3799 input accept.
set accept=yes
/system clock
set time-zone-name=Europe/Belgrade
/system identity
set name="SOME RANDOM "
/system ntp client
set enabled=yes primary-ntp=195.178.58.245 secondary-ntp=195.250.114.105
/tool bandwidth-server
# Bandwidth-test server is off, so port 2000 is closed at service level; the
# firewall drops for port 2000 above are belt and braces.
set authenticate=no enabled=no

 
anav

Re: drop ports from WAN side

Thu Dec 02, 2021 10:34 pm

Reading as I go along
You have a bridge and one VLAN = 2 DHCP-type interfaces
But you have 3 pools??

Your interface list only contains WAN ???

Now I see you have 2 WANS,
ether1
ether5 - which is what VLAN1 runs on.

Okay, so you have another subnet, 10.5.50.0/24, for the hotspot that is not identified anywhere:
no DHCP, nothing... not sure how hotspots work, though.

Your firewall rules and source nat rules are convoluted and messy for my taste.
Conceptually there is something missing in what you are doing with this device that I don't understand; it seems overly complex.
 
anav

Re: drop ports from WAN side

Thu Dec 02, 2021 10:36 pm

You would be far better off going back to the default firewall rules and then adding only what is necessary from there.

Such as any legitimate VPN rules on the input chain to allow initial connection of the tunnel
add action=accept chain=input comment="allow vpn connection" dst-port=X,Y,Z {needed for VPN} in-interface-list=WAN

Anything not VPN should not be open on the Input chain.
As for the additional rules you added in your config to block things from the WAN: the last rule on the input chain below covers all of them.

/ip firewall filter
# Input chain (traffic to the router itself): accept only what is needed,
# then drop everything arriving from WAN. Any accept rules for VPN ports on
# the input chain must be inserted BEFORE the "drop all coming from WAN" rule.
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=\
established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment="defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1 {remove if not needed}
# Terminal rule: this single drop replaces per-port drop rules, but it only
# sees packets whose ingress interface is a member of interface list WAN.
add action=drop chain=input comment="drop all coming from WAN" in-interface-list=WAN
# Forward chain (traffic through the router): the last rule drops new
# connections from WAN that were not dst-nat'ed, so port forwards keep
# working while everything else from WAN is blocked.
add action=accept chain=forward comment="defconf: accept established,related, untracked" connection-state=\
established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
add action=drop chain=forward comment="defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat connection-state=\
new in-interface-list=WAN
 
tomislav91

Re: drop ports from WAN side

Fri Dec 03, 2021 9:53 am

Reading as I go along
You have bridge and one vlan = 2 dhcp type interfaces
But you have 3 pools??

Your interface list only contains WAN ???

Now I see you have 2 WANS,
ether1
ether5 - which is what VLAN1 runs on.

Okay, so you have another subnet, 10.5.50.0/24, for the hotspot that is not identified anywhere:
no DHCP, nothing... not sure how hotspots work, though.

Your firewall rules and source nat rules are convoluted and messy for my taste.
Conceptually there is something missing in what you are doing with this device that I don't understand; it seems overly complex.
Okay, so you have another subnet, 10.5.50.0/24, for the hotspot that is not identified anywhere:
no DHCP, nothing... not sure how hotspots work, though.
I removed some of those things that are irrelevant for this.


The VLAN is also in the interface list:
add interface=vlan1 list=WAN
 
tomislav91

Re: drop ports from WAN side

Fri Dec 03, 2021 9:57 am

You would be far better off going back to the default firewall rules and then adding only what is necessary from there.

Such as any legitimate VPN rules on the input chain to allow initial connection of the tunnel
add action=accept chain=input comment="allow vpn connection" dst-port=X,Y,Z {needed for VPN} in-interface-list=WAN

Anything not VPN should not be open on the Input chain.
As for the additional rules you added in your config to block things from the WAN: the last rule on the input chain below covers all of them.

/ip firewall filter
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=\
established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment="defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1 {remove if not needed}
add action=drop chain=input comment="drop all coming from WAN" in-interface-list=WAN
add action=accept chain=forward comment="defconf: accept established,related, untracked" connection-state=\
established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
add action=drop chain=forward comment="defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat connection-state=\
new in-interface-list=WAN
I added it, but the results are the same.
4141.png
 
anav

Re: drop ports from WAN side

Fri Dec 03, 2021 9:31 pm

Yes some of those ports have to be open for the initial VPN connection of the tunnel as per the config.
There is nothing wrong with this behaviour.
Last edited by anav on Sat Dec 04, 2021 11:33 pm, edited 1 time in total.
 
tomislav91

Re: drop ports from WAN side

Sat Dec 04, 2021 10:54 pm

Yes those ports have to be open for the initial VPN connection of the tunnel as per the config.
There is nothing wrong with this behaviour.

The only thing you could do is limit access by source address, if that were possible, which may make them appear closed or invisible (which is the case for ports forwarded to the LAN for dst-nat).
Unfortunately you probably have at least one vpn source which is your iphone so you can VPN in from anywhere and thus a source address list would not help.
I understand your logic, but these ports are unfamiliar to me: 2000, 5060, 8009, 8010.

I know 2000 (bandwidth server) and 5060 (SIP), but I don't want to use them on the MikroTik, and also 8009 and 8010 (I don't know what those are).
 
Sob

Re: drop ports from WAN side

Sat Dec 04, 2021 11:28 pm

I can assure you that action=drop is very reliable. It's just that if a rule has additional conditions, they all need to match. In this case, if you have in-interface-list=WAN, the rule will work only for packets coming from there, i.e. ether1-GW1, ether5-GW2 or vlan1. If you test it from anywhere else, from a device connected to e.g. wlan1 or "private WLAN", in-interface-list=WAN won't match and the rule won't block it. It doesn't matter whether you test IP addresses assigned to WAN ports; in-interface-list is about where the packet actually came from.

And @anav is right, that firewall is not great, it's better to allow only things you want to have open and unconditionally block everything else at the end of chain. Then you don't have to worry about unknown ports at all, because if you didn't allow them, they are automatically blocked.
