fbc
just joined
Topic Author
Posts: 2
Joined: Wed Dec 01, 2021 3:34 pm

Firewall Newb needs help

Sun Dec 05, 2021 6:04 am

I followed the getting started firewall guide. I think my first two firewall rules are conflicting.
Why would you have one that allows all, then allows all by source list again?
add action=accept chain=input comment="default configuration" \
    connection-state=established,related
add action=accept chain=input src-address-list=allowed_to_router
This is the whole thing in case it matters:
# dec/04/2021 23:53:09 by RouterOS 6.49.1
# software id = 7JH6-RDZ4
#
# model = RB760iGS
# serial number = xxxxxxx
/interface bridge
add name=bridge1
/interface ethernet
set [ find default-name=sfp1 ] advertise="10M-half,10M-full,100M-half,100M-ful\
    l,1000M-half,1000M-full,2500M-full,5000M-full" name=Fiber \
    rx-flow-control=auto tx-flow-control=auto
/interface vlan
add interface=Fiber name="Fiber Vlan" vlan-id=35
/interface list
add name=WAN
add name=LAN
/ip pool
add name=dhcp ranges=172.16.0.50-172.16.0.254
/ip dhcp-server
add address-pool=dhcp disabled=no interface=bridge1 lease-script=":local DHCPt\
    ag\
    \n:set DHCPtag \"#DHCP\"\
    \n\
    \n:if ( [ :len \$leaseActIP ] <= 0 ) do={ :error \"empty lease address\" }\
    \n\
    \n:if ( \$leaseBound = 1 ) do=\\\
    \n{\
    \n  :local ttl\
    \n  :local domain\
    \n  :local hostname\
    \n  :local fqdn\
    \n  :local leaseId\
    \n  :local comment\
    \n\
    \n  /ip dhcp-server\
    \n  :set ttl [ get [ find name=\$leaseServerName ] lease-time ]\
    \n  network \
    \n  :set domain [ get [ find \$leaseActIP in address ] domain ]\
    \n  \
    \n  .. lease\
    \n  :set leaseId [ find address=\$leaseActIP ]\
    \n\
    \n# Check for multiple active leases for the same IP address. It's weird a\
    nd it shouldn't be, but just in case.\
    \n\
    \n  :if ( [ :len \$leaseId ] != 1) do=\\\
    \n  {\
    \n   :log info \"DHCP2DNS: not registering domain name for address \$lease\
    ActIP because of multiple active leases for \$leaseActIP\"\
    \n   :error \"multiple active leases for \$leaseActIP\"\
    \n  }  \
    \n\
    \n  :set hostname [ get \$leaseId host-name ]\
    \n  :set comment [ get \$leaseId comment ]\
    \n  /\
    \n\
    \n  :if ( [ :len \$hostname ] <= 0 ) do={ :set hostname \$comment }\
    \n\
    \n  :if ( [ :len \$hostname ] <= 0 ) do=\\\
    \n  {\
    \n    :log error \"DHCP2DNS: not registering domain name for address \$lea\
    seActIP because of empty lease host-name or comment\"\
    \n    :error \"empty lease host-name or comment\"\
    \n  }\
    \n  :if ( [ :len \$domain ] <= 0 ) do=\\\
    \n  {\
    \n    :log error \"DHCP2DNS: not registering domain name for address \$lea\
    seActIP because of empty network domain name\"\
    \n    :error \"empty network domain name\"\
    \n  }\
    \n\
    \n  :set fqdn \"\$hostname.\$domain\"\
    \n  \
    \n  /ip dns static\
    \n  :if ( [ :len [ find name=\$fqdn and address=\$leaseActIP and disabled=\
    no ] ] = 0 ) do=\\\
    \n  {\
    \n    :log info \"DHCP2DNS: registering static domain name \$fqdn for addr\
    ess \$leaseActIP with ttl \$ttl\"\
    \n    add address=\$leaseActIP name=\$fqdn ttl=\$ttl comment=\$DHCPtag dis\
    abled=no\
    \n  } else=\\\
    \n  {\
    \n    :log error \"DHCP2DNS: not registering domain name \$fqdn for addres\
    s \$leaseActIP because of existing active static DNS entry with this name \
    or address\" \
    \n  }\
    \n  /\
    \n} \\\
    \nelse=\\\
    \n{\
    \n  /ip dns static\
    \n  :local dnsDhcpId \
    \n  :set dnsDhcpId [ find address=\$leaseActIP and comment=\$DHCPtag ]\
    \n\
    \n  :if ( [ :len \$dnsDhcpId ] > 0 ) do=\\\
    \n  {\
    \n    :log info \"DHCP2DNS: removing static domain name(s) for address \$l\
    easeActIP\"\
    \n    remove \$dnsDhcpId\
    \n  }\
    \n  /\
    \n}" name=dhcp1
/interface bridge port
add bridge=bridge1 interface=ether1
add bridge=bridge1 interface=ether2
add bridge=bridge1 interface=ether3
add bridge=bridge1 interface=ether4
add bridge=bridge1 interface=ether5
/ip neighbor discovery-settings
set discover-interface-list=LAN
/interface detect-internet
set detect-interface-list=WAN internet-interface-list=WAN lan-interface-list=\
    LAN wan-interface-list=WAN
/interface list member
add interface="Fiber Vlan" list=WAN
add interface=bridge1 list=LAN
add interface=Fiber list=WAN
/ip address
add address=172.16.0.1/12 interface=bridge1 network=172.16.0.0
/ip cloud
set ddns-enabled=yes
/ip dhcp-server network
add address=0.0.0.0/24 gateway=0.0.0.0 netmask=24
add address=172.16.0.0/12 dns-server=172.16.0.1 domain=local gateway=\
    172.16.0.1 netmask=12
/ip dns
set allow-remote-requests=yes
/ip firewall address-list
add address=172.16.0.2-172.16.0.254 list=allowed_to_router
add address=0.0.0.0/8 comment=RFC6890 list=not_in_internet
add address=172.16.0.0/12 comment=RFC6890 list=not_in_internet
add address=192.168.0.0/16 comment=RFC6890 list=not_in_internet
add address=10.0.0.0/8 comment=RFC6890 list=not_in_internet
add address=169.254.0.0/16 comment=RFC6890 list=not_in_internet
add address=127.0.0.0/8 comment=RFC6890 list=not_in_internet
add address=224.0.0.0/4 comment=Multicast list=not_in_internet
add address=198.18.0.0/15 comment=RFC6890 list=not_in_internet
add address=192.0.0.0/24 comment=RFC6890 list=not_in_internet
add address=192.0.2.0/24 comment=RFC6890 list=not_in_internet
add address=198.51.100.0/24 comment=RFC6890 list=not_in_internet
add address=203.0.113.0/24 comment=RFC6890 list=not_in_internet
add address=100.64.0.0/10 comment=RFC6890 list=not_in_internet
add address=240.0.0.0/4 comment=RFC6890 list=not_in_internet
add address=192.88.99.0/24 comment="6to4 relay Anycast [RFC 3068]" list=\
    not_in_internet
/ip firewall filter
add action=accept chain=input comment="default configuration" \
    connection-state=established,related
add action=accept chain=input src-address-list=allowed_to_router
add action=accept chain=input protocol=icmp
add action=drop chain=input
add action=fasttrack-connection chain=forward comment=FastTrack \
    connection-state=established,related
add action=accept chain=forward comment="Established, Related" \
    connection-state=established,related
add action=drop chain=forward comment="Drop invalid" connection-state=invalid \
    log=yes log-prefix=invalid
add action=jump chain=forward comment="jump to ICMP filters" jump-target=icmp \
    protocol=icmp
add action=drop chain=forward comment=\
    "Drop incoming from internet which is not public IP" in-interface=\
    "Fiber Vlan" log=yes log-prefix=!public src-address-list=not_in_internet
add action=drop chain=forward comment=\
    "Drop packets from LAN that do not have LAN IP" in-interface=bridge1 log=\
    yes log-prefix=LAN_!LAN src-address=!128.0.0.0/1
add action=drop chain=forward comment=\
    "Drop packets from LAN that do not have LAN IP" in-interface=bridge1 log=\
    yes log-prefix=LAN_!LAN src-address=!172.16.0.0/12
add action=accept chain=icmp comment="echo reply" icmp-options=0:0 protocol=\
    icmp
add action=accept chain=icmp comment="net unreachable" icmp-options=3:0 \
    protocol=icmp
add action=accept chain=icmp comment="host unreachable" icmp-options=3:1 \
    protocol=icmp
add action=accept chain=icmp comment=\
    "host unreachable fragmentation required" icmp-options=3:4 protocol=icmp
add action=accept chain=icmp comment="allow echo request" icmp-options=8:0 \
    protocol=icmp
add action=accept chain=icmp comment="allow time exceed" icmp-options=11:0 \
    protocol=icmp
add action=accept chain=icmp comment="allow parameter bad" icmp-options=12:0 \
    protocol=icmp
add action=drop chain=icmp comment="deny all other types"
/ip firewall nat
add action=masquerade chain=srcnat comment="hairpin NAT" dst-address=\
    172.16.0.0/12 src-address=172.16.0.0/12
add action=masquerade chain=srcnat comment=NAT out-interface-list=WAN \
    src-address=172.16.0.0/12
add action=dst-nat chain=dstnat comment="http to traefik" dst-address-list=\
    wan-ip dst-port=80 protocol=tcp to-addresses=172.16.0.10 to-ports=80
add action=dst-nat chain=dstnat comment="https to traefik" dst-address-list=\
    wan-ip dst-port=443 protocol=tcp to-addresses=172.16.0.10 to-ports=443
add action=dst-nat chain=dstnat comment=transmission dst-address-list=wan-ip \
    dst-port=55555 protocol=tcp to-addresses=172.16.0.10 to-ports=55555
add action=dst-nat chain=dstnat comment=transmission-udp dst-address-list=\
    wan-ip dst-port=55555 protocol=udp to-addresses=172.16.0.10 to-ports=\
    55555
add action=dst-nat chain=dstnat comment="ssh to dckr1" dst-address-list=\
    wan-ip dst-port=8002 protocol=tcp to-addresses=172.16.0.10 to-ports=22
add action=dst-nat chain=dstnat dst-address-list=wan-ip dst-port=8003 \
    protocol=tcp to-addresses=172.16.0.2 to-ports=22
/ip smb
set domain=local interfaces=bridge1
/ip upnp
set enabled=yes
/ip upnp interfaces
add interface="Fiber Vlan" type=external
add interface=bridge1 type=internal
/system clock
set time-zone-name=America/Halifax
/system identity
set name=rotorouter
/system package update
set channel=upgrade
 
smyers119
Member Candidate
Posts: 232
Joined: Sat Feb 27, 2021 8:16 pm
Location: USA

Re: Firewall Newb needs help

Tue Dec 14, 2021 5:51 am

 
ConnyMercier
Forum Veteran
Posts: 725
Joined: Tue Dec 17, 2019 1:08 pm

Re: Firewall Newb needs help

Tue Dec 14, 2021 9:11 am

The firewall rules don't necessarily conflict with each other, but ...

1. Info
When the MikroTik communicates with other devices on a network,
it usually gets an answer! But if you don't allow this, communication becomes impossible.
For example: requesting an IP from a DHCP server, making a DNS request to 8.8.8.8, etc...

That is why most firewalls have a rule that accepts "established" & "related" connections.
In other words: the rule ONLY accepts answers to requests made by the router.
add action=accept chain=input comment="default configuration" connection-state=established,related
2. Warning
If you want the devices in your local network to be able to
use network services provided by your MikroTik, you will need
to accept this in your firewall.

For example DNS, DHCP, SMB, NTP, etc..

At the moment, only devices with an IP address included
in "allowed_to_router" are allowed to communicate with the router.

In your case, not foolproof!!!

3. Warning
If you don't accept anything else except "established" & "related" connections,
you will not be able to connect to the device via SSH, Winbox, Web, etc...

That is why you need at least 1x rule for "managing" the device.

At the moment, only devices with an IP address included
in "allowed_to_router" are allowed to communicate with the router.

That is o.k., but not perfect....
In your case someone from the "WAN" could still be able
to connect to the router.
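
To answer fbc's question about the two input rules and to illustrate ConnyMercier's points about the established/related rule and the management rule, here is an added example (not code from the thread or from MikroTik) that walks constructed packets through the posted input chain in RouterOS first-match order. It shows that the first rule only ever matches replies to connections the router itself opened, and that the second rule is what admits new management connections from the LAN. It also runs a variant of the second rule that additionally requires in-interface=bridge1 (an assumption, not in the posted config), which is the one change that stops a packet arriving on the WAN interface with a 172.16.x.x source address from matching the address-list rule. All packets and the hardened variant are constructed for illustration.

```python
"""First-match walk of the input chain posted above.

Added example, not code from the thread or from RouterOS. It models only the
matchers the posted rules use (connection-state, src-address-list,
in-interface, protocol) and stops at the first matching rule, as RouterOS does.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

# Transcribed from the posted /ip firewall address-list.
ADDRESS_LISTS = {"allowed_to_router": ["172.16.0.2-172.16.0.254"]}


def in_address_list(entries, addr):
    """RouterOS address-list entries may be a host, a CIDR prefix or a range."""
    a = ip_address(addr)
    for entry in entries:
        if "-" in entry:
            lo, hi = (ip_address(x) for x in entry.split("-"))
            if lo <= a <= hi:
                return True
        elif a in ip_network(entry, strict=False):
            return True
    return False


@dataclass
class Packet:
    src: str
    in_iface: str
    protocol: str    # "tcp", "udp" or "icmp"
    conn_state: str  # "new", "established", "related" or "invalid"


@dataclass
class Rule:
    action: str
    comment: str
    connection_state: Optional[frozenset] = None
    src_address_list: Optional[str] = None
    in_interface: Optional[str] = None
    protocol: Optional[str] = None

    def matches(self, pkt):
        """Every matcher that is set must match; unset matchers are wildcards."""
        if self.connection_state and pkt.conn_state not in self.connection_state:
            return False
        if self.src_address_list and not in_address_list(
                ADDRESS_LISTS[self.src_address_list], pkt.src):
            return False
        if self.in_interface and pkt.in_iface != self.in_interface:
            return False
        if self.protocol and pkt.protocol != self.protocol:
            return False
        return True


def evaluate(chain, pkt):
    """Return (action, comment) of the first matching rule. A chain with no
    matching rule accepts, which is why the posted chain ends in a bare drop."""
    for rule in chain:
        if rule.matches(pkt):
            return rule.action, rule.comment
    return "accept", "end of chain (RouterOS default policy)"


ESTABLISHED_RELATED = frozenset({"established", "related"})

# The four input rules exactly as posted, in the posted order.
INPUT_AS_POSTED = [
    Rule("accept", "default configuration", connection_state=ESTABLISHED_RELATED),
    Rule("accept", "allowed_to_router", src_address_list="allowed_to_router"),
    Rule("accept", "icmp", protocol="icmp"),
    Rule("drop", "drop everything else"),
]

# Assumed hardening: the management rule also requires the LAN bridge as the
# ingress interface, so a matching source address alone is no longer enough.
INPUT_HARDENED = [
    INPUT_AS_POSTED[0],
    Rule("accept", "allowed_to_router from LAN only",
         src_address_list="allowed_to_router", in_interface="bridge1"),
    INPUT_AS_POSTED[2],
    INPUT_AS_POSTED[3],
]

# Constructed packets; 203.0.113.7 stands in for an arbitrary internet host.
SAMPLE_PACKETS = {
    "dns reply to the router's own query": Packet("8.8.8.8", "Fiber Vlan", "udp", "established"),
    "winbox from a LAN host":              Packet("172.16.0.20", "bridge1", "tcp", "new"),
    "ssh from the internet":               Packet("203.0.113.7", "Fiber Vlan", "tcp", "new"),
    "ping from the internet":              Packet("203.0.113.7", "Fiber Vlan", "icmp", "new"),
    "LAN source address arriving on WAN":  Packet("172.16.0.20", "Fiber Vlan", "tcp", "new"),
}


def decide_all(chain):
    """Map every sample packet to the (action, comment) that decided it."""
    return {label: evaluate(chain, pkt) for label, pkt in SAMPLE_PACKETS.items()}


if __name__ == "__main__":
    for name, chain in (("as posted", INPUT_AS_POSTED), ("hardened", INPUT_HARDENED)):
        print(f"--- input chain {name} ---")
        for label, (action, why) in decide_all(chain).items():
            print(f"{label:36s} -> {action:6s} ({why})")
```

Run it with python3 and compare the two tables: under the posted chain the DNS reply is decided by "default configuration" and the Winbox connection by "allowed_to_router", so neither rule is redundant; new SSH from the internet is dropped while ping is accepted by the ICMP rule. The last sample packet is accepted by the posted chain purely because its source address is in the list, and dropped by the hardened chain. The RouterOS equivalent of that hardening is adding in-interface-list=LAN (the LAN list already exists in the posted config) to the allowed_to_router rule.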
