Well for starters, it's cleaner and less prone to errors if you group the chains together.
That way you can see the order within a chain more readily, etc.
rules out of order
rules need modifying
rules to remove
rules missing
/ip firewall filter
{input chain}
add action=accept chain=input comment="accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=input comment="drop invalid" connection-state=invalid
add action=accept chain=input comment="accept ICMP" protocol=icmp
add action=accept chain=input comment="accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=accept chain=input dst-port=1194 protocol=tcp
add action=drop chain=input comment="drop all not coming from LAN" disabled=yes in-interface-list=!LANList log=yes
add action=accept chain=input comment="default configuration" connection-state=established,related
add action=accept chain=input src-address-list=allowed_to_router
add action=drop chain=input comment=winbox dst-port=8291 in-interface=WAN protocol=tcp
add action=drop chain=input comment=winbox dst-port=8291 in-interface=WAN log=yes protocol=tcp
{forward chain - basically fine}
add action=accept chain=forward comment="accept in ipsec policy" ipsec-policy=in,ipsec
add action=accept chain=forward comment="accept out ipsec policy" ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment=fasttrack connection-state=established,related
add action=accept chain=forward comment="accept established,related, untracked" connection-state=established,related,untracked
add action=drop chain=forward comment="drop invalid" connection-state=invalid
add action=drop chain=forward comment="drop all from WAN not DSTNATed" connection-nat-state=!dstnat connection-state=new disabled=yes in-interface-list=WANList
TO
/ip firewall filter
{input chain}
add action=accept chain=input comment="accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=input comment="drop invalid" connection-state=invalid
add action=accept chain=input comment="accept ICMP" protocol=icmp
add action=accept chain=input comment="accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=accept chain=input dst-port=1194 protocol=tcp in-interface-list=WAN
add action=accept chain=input src-address-list=allowed_to_router in-interface-list=LAN
add action=drop chain=input comment="drop all not coming from LAN" in-interface-list=!LANList log=yes
Notes:
Duplicate established/related line removed.
Input port for VPN is from the WAN, and thus such access is limited to what is required.
Source address list allowed to router limited to LAN access, and thus limited only to the interfaces required.
Last input chain rule was ENABLED as it effectively blocks any WAN access and only allows LAN access for things like DNS or NTP from clients.
Now the discussion is why have the source address access list for LAN access (admins) to the router but later allow ALL LAN users access to the router by the last rule.
Suggesting if you want to limit access to the router, do it in two steps, and instead of the "block all not from the LAN" rule create two rules:
a. Allow LAN users access to the router for DNS only, both udp and tcp (similar rules for NTP if providing that as a service)
b. last rule, drop all else (drops all WAN to router and all LAN to router not authorized)
So it would look like:
/ip firewall filter
{input chain}
add action=accept chain=input comment="accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=input comment="drop invalid" connection-state=invalid
add action=accept chain=input comment="accept ICMP" protocol=icmp
add action=accept chain=input comment="accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=accept chain=input dst-port=1194 protocol=tcp in-interface-list=WAN
add action=accept chain=input src-address-list=allowed_to_router in-interface-list=LAN
add action=accept chain=input comment="Allow LAN DNS queries-UDP" \
connection-state=new dst-port=53 in-interface-list=LAN protocol=udp
add action=accept chain=input comment="Allow LAN DNS queries - TCP" \
connection-state=new dst-port=53 in-interface-list=LAN protocol=tcp
add action=drop chain=input comment="DROP ALL ELSE"
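As an added illustration (not code from the thread or from RouterOS), a small Python first-match simulator of the input chain suggested above: it parses a subset of those rules, walks them top to bottom the way the router does, and shows that the final "DROP ALL ELSE" only protects the router while it is enabled. The packets are constructed, and interface-list / address-list membership is assumed to be pre-resolved into the packet dict rather than looked up.

```python
import shlex

# Subset of the suggested input chain above (RouterOS export syntax); constructed for this example.
RULES_TEXT = """
add action=accept chain=input comment="accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=input comment="drop invalid" connection-state=invalid
add action=accept chain=input comment="accept ICMP" protocol=icmp
add action=accept chain=input dst-port=1194 protocol=tcp in-interface-list=WAN
add action=accept chain=input src-address-list=allowed_to_router in-interface-list=LAN
add action=accept chain=input comment="Allow LAN DNS queries-UDP" connection-state=new dst-port=53 in-interface-list=LAN protocol=udp
add action=drop chain=input comment="DROP ALL ELSE"
"""
def parse_rules(text):
    """Turn 'add key=value ...' lines into dicts; shlex keeps quoted comments intact."""
    rules = []
    for line in text.strip().splitlines():
        toks = shlex.split(line)
        if toks and toks[0] == "add":
            rules.append(dict(t.split("=", 1) for t in toks[1:]))
    return rules

def matches(rule, pkt):
    """Every matcher on the rule must hold; a leading '!' negates (e.g. in-interface-list=!LANList)."""
    for key, want in rule.items():
        if key in ("action", "chain", "comment", "disabled"):  # bookkeeping, not matchers
            continue
        negate = want.startswith("!")
        want = want.lstrip("!")
        have = pkt.get(key)
        # connection-state may list several states; everything else is an exact compare.
        hit = have in want.split(",") if key == "connection-state" else have == want
        if hit == negate:
            return False
    return True

def evaluate(rules, pkt):
    """First matching enabled rule in the packet's chain decides; no match means RouterOS accepts."""
    for idx, rule in enumerate(rules):
        if rule.get("chain") != pkt["chain"] or rule.get("disabled") == "yes":
            continue
        if matches(rule, pkt):
            return rule["action"], rule.get("comment", f"rule #{idx}")
    return "accept", "end of chain (implicit accept)"

def without_last_drop(rules):
    """Same chain with the catch-all disabled, as in the original 'disabled=yes' listing."""
    return rules[:-1] + [dict(rules[-1], disabled="yes")]
# Constructed packets: interface-list / address-list membership is pre-resolved into the packet.
WAN_WINBOX = {"chain": "input", "connection-state": "new", "protocol": "tcp", "dst-port": "8291", "in-interface-list": "WAN"}
LAN_DNS = {"chain": "input", "connection-state": "new", "protocol": "udp", "dst-port": "53", "in-interface-list": "LAN"}
```

Calling evaluate(parse_rules(RULES_TEXT), WAN_WINBOX) returns the drop from "DROP ALL ELSE", while the same packet against without_last_drop(...) falls off the end of the chain and is accepted, which is exactly why that last rule must be enabled.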
Hi anav,
thank you very much.
I have adjusted all of them based on your suggestion. See below.
I added some more rules for the L2TP traffic (udp port 500 was blocked and I was not able to establish the L2TP tunnel).
I have included port 4500 and 1710 as well, and I have excluded the 70.0/30 subnet because I was not able to navigate through the NordVPN tunnel.
/ip firewall filter
add action=accept chain=input comment="accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=input comment="drop invalid" connection-state=invalid
add action=accept chain=input comment="accept ICMP" protocol=icmp
add action=accept chain=input comment="accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=accept chain=input dst-port=1194 in-interface-list=WANList protocol=tcp
add action=accept chain=input in-interface-list=LANList src-address-list=allowed_to_router
add action=accept chain=input comment=allowlanDNSqueries connection-state=new dst-port=53 in-interface-list=LANList protocol=udp
add action=accept chain=input comment=allowlanDNSqueries connection-state=new dst-port=53 in-interface-list=LANList protocol=tcp
add action=accept chain=input dst-port=4500 log=yes protocol=udp
add action=accept chain=input dst-port=1701 protocol=udp
add action=accept chain=input dst-port=500 protocol=udp
add action=accept chain=input src-address=192.168.70.0/30
add action=drop chain=input comment="drop all else"
add action=accept chain=forward comment="accept in ipsec policy" ipsec-policy=in,ipsec
add action=accept chain=forward comment="accept out ipsec policy" ipsec-policy=out,ipsec
add action=accept chain=forward connection-mark=TV
add action=fasttrack-connection chain=forward comment=fasttrack connection-state=established,related
add action=accept chain=forward comment="accept established,related, untracked" connection-state=established,related,untracked
add action=drop chain=forward comment="drop all from WAN not DSTNATed" connection-nat-state=!dstnat connection-state=new in-interface-list=WANList
add action=drop chain=forward comment="drop invalid" connection-state=invalid
Thanks to your post I learnt how the firewall is basically working on the MikroTik.
Suggesting if you want to limit access to the router, do it in two steps, and instead of the "block all not from the LAN" rule create two rules.
Yes, my attempt was to secure the access to the router, but I got confused on how the rules are processed and how they need to be written (the order). I have just basic experience with firewalls (not for MikroTik), but here the chains were confusing me.