Hello all,
I'm new. I got an RB3011UiAS-RM, my first ever Mikrotik device, to replace my OpenBSD router. I had heard horror stories of how hard it is to set up a Mikrotik device, but it was actually quite simple to set up the ports, IP routes, NAT and failover connections.
But the firewall was hard for me. I am quite comfortable with pf but never used other firewalls much. So I made a lot of novice mistakes not understanding the chains. Also, the rule order is the reverse of how I write pf. I also use a lot of macros in pf, but couldn't see a way to do those in RouterOS.
Rule 5 doesn't seem to work as I intended, which is why I added rule 6. A minor issue.
Anyhoo, it seems to be working as intended. I'd appreciate any feedback in case I've missed anything obvious or insecure. Goal is a default deny policy and this is my home network.
Thanks
- Reno
Filter rules:
 0 D ;;; special dummy rule to show fasttrack counters
     chain=forward action=passthrough
 1   ;;; defconf: fasttrack
     chain=forward action=fasttrack-connection hw-offload=yes connection-state=established,related log=no log-prefix=""
 2   ;;; accept established,related
     chain=forward action=accept connection-state=established,related log=no log-prefix=""
 3   ;;; To access modem/router
     chain=forward action=accept protocol=tcp src-address=192.168.88.0/24 dst-address=192.168.2.1 in-interface-list=LAN dst-port=80 log=yes log-prefix="modem-access"
 4   ;;; Drop connections to rfc6890
     chain=forward action=drop dst-address-list=rfc6890 log=no log-prefix=""
 5   ;;; Block DNSoHTTPS for LAN
     chain=forward action=reject reject-with=icmp-port-unreachable protocol=tcp src-address=!192.168.88.2 dst-address-list=DNSoHTTPS in-interface-list=LAN dst-port=443 log=no log-prefix=""
 6   chain=forward action=drop protocol=tcp src-address=!192.168.88.2 dst-address-list=DNSoHTTPS in-interface-list=LAN dst-port=443 log=no log-prefix=""
 7 X ;;; Accept DSTNATed
     chain=forward action=accept connection-state=new connection-nat-state=dstnat in-interface-list=WAN log=no log-prefix=""
 8   ;;; ssh
     chain=forward action=accept protocol=tcp src-address=192.168.88.0/24 in-interface-list=LAN dst-port=22 log=no log-prefix=""
 9   ;;; smtp
     chain=forward action=accept protocol=tcp src-address=192.168.88.0/24 in-interface-list=LAN dst-port=25 log=no log-prefix=""
10   chain=forward action=accept protocol=tcp src-address=192.168.88.0/24 in-interface-list=LAN dst-port=465 log=no log-prefix=""
11   chain=forward action=accept protocol=tcp src-address=192.168.88.0/24 in-interface-list=LAN dst-port=587 log=no log-prefix=""
12   ;;; http
     chain=forward action=accept protocol=tcp src-address=192.168.88.0/24 in-interface-list=LAN dst-port=80 log=no log-prefix=""
13   ;;; https
     chain=forward action=accept protocol=tcp src-address=192.168.88.0/24 in-interface-list=LAN dst-port=443 log=no log-prefix=""
14   ;;; ntp
     chain=forward action=accept protocol=tcp src-address=192.168.88.0/24 in-interface-list=LAN dst-port=123 log=no log-prefix=""
15   ;;; imaps
     chain=forward action=accept protocol=tcp src-address=192.168.88.0/24 in-interface-list=LAN dst-port=993 log=no log-prefix=""
16   ;;; apple push
     chain=forward action=accept protocol=tcp src-address=192.168.88.0/24 in-interface-list=LAN dst-port=2197 log=no log-prefix=""
17   ;;; Whatsapp
     chain=forward action=accept protocol=tcp src-address=192.168.88.0/24 in-interface-list=LAN dst-port=5222 log=no log-prefix=""
18   ;;; iMessage
     chain=forward action=accept protocol=tcp src-address=192.168.88.0/24 in-interface-list=LAN dst-port=5223 log=no log-prefix=""
19   ;;; Zoom
     chain=forward action=accept protocol=tcp src-address=192.168.88.0/24 in-interface-list=LAN dst-port=8801-8802 log=no log-prefix=""
20   chain=forward action=accept protocol=udp src-address=192.168.88.0/24 in-interface-list=LAN dst-port=3478-3479 log=no log-prefix=""
21   chain=forward action=accept protocol=udp src-address=192.168.88.0/24 in-interface-list=LAN dst-port=8801-8810 log=no log-prefix=""
22   ;;; Minecraft
     chain=forward action=accept protocol=tcp src-address=192.168.88.0/24 in-interface-list=LAN dst-port=25565 log=no log-prefix=""
23   chain=forward action=accept protocol=udp src-address=192.168.88.0/24 in-interface-list=LAN dst-port=19132 log=no log-prefix=""
24   chain=forward action=accept protocol=udp src-address=192.168.88.0/24 in-interface-list=LAN dst-port=25565 log=no log-prefix=""
25   ;;; Quic
     chain=forward action=accept protocol=udp src-address=192.168.88.0/24 in-interface-list=LAN dst-port=443 log=no log-prefix=""
26   ;;; Facetime
     chain=forward action=accept protocol=udp src-address=192.168.88.0/24 in-interface-list=LAN dst-port=3478-3498 log=no log-prefix=""
27   chain=forward action=accept protocol=udp src-address=192.168.88.0/24 in-interface-list=LAN dst-port=16384-16387 log=no log-prefix=""
28   chain=forward action=accept protocol=udp src-address=192.168.88.0/24 in-interface-list=LAN dst-port=16393-16402 log=no log-prefix=""
29   ;;; wren dns
     chain=forward action=accept protocol=udp src-address=192.168.88.2 in-interface-list=LAN out-interface-list=WAN dst-port=53 log=no log-prefix=""
30   chain=forward action=accept protocol=tcp src-address=192.168.88.2 in-interface-list=LAN out-interface-list=WAN dst-port=53 log=no log-prefix=""
31   ;;; ; don't forward connections from rfc6890
     chain=forward action=drop connection-nat-state="" src-address-list=rfc6890 log=no log-prefix=""
32   ;;; Drop everything
     chain=forward action=drop log=no log-prefix=""
33   ;;; drop invalid
     chain=input action=drop connection-state=invalid log=no log-prefix=""
34   ;;; Handy for troubleshooting
     chain=input action=accept protocol=icmp src-address=192.168.88.0/24 in-interface-list=LAN log=no log-prefix=""
35   ;;; Don't use CAPsMAN but also dont usually filter lo. Added src in hope>
     don't get weird routing glitches
     chain=input action=accept src-address=127.0.0.0/8 dst-address=127.0.0.1 log=no log-prefix=""
36   ;;; accept established,related
     chain=input action=accept connection-state=established,related log=no log-prefix=""
37   ;;; winbox
     chain=input action=accept protocol=tcp src-address=192.168.88.0/24 in-interface-list=LAN dst-port=8291 log=no log-prefix=""
38   ;;; DNS service
     chain=input action=accept protocol=udp src-address=192.168.88.0/24 in-interface-list=LAN dst-port=53 log=no log-prefix=""
39   ;;; default deny
     chain=input action=drop log=no log-prefix=""
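The closest thing RouterOS has to a pf macro is an address list (the post already uses two, rfc6890 and DNSoHTTPS) or an interface list (LAN and WAN above). The following is an added example, not part of the original post or of any MikroTik default configuration: it rewrites the DoH block from rules 5 and 6 so the resolver exception and the LAN network are list members rather than literals repeated on every line, and it adds a UDP 443 rule, because rule 25 accepts QUIC from the LAN to any destination, so a TCP-only reject does not cover DoH carried over HTTP/3. The list names, the resolver addresses in the DNSoHTTPS list and the "wren" resolver IP are assumptions taken from the rules above.

```routeros
# Added example (not from the original post). pf-style macros in RouterOS:
# an address list stands in for a host/network macro, an interface list for
# an interface macro. List names and the DoH resolver IPs are assumptions.
/ip firewall address-list
add list=lan_net address=192.168.88.0/24 comment="macro: LAN network"
add list=resolver address=192.168.88.2 comment="macro: local DNS resolver (wren)"
add list=DNSoHTTPS address=1.1.1.1 comment="DoH resolver (example entry)"
add list=DNSoHTTPS address=8.8.8.8 comment="DoH resolver (example entry)"
add list=DNSoHTTPS address=9.9.9.9 comment="DoH resolver (example entry)"

/ip firewall filter
# DoH block using the lists. Two rules are needed because the per-service
# accepts later in the chain let TCP 443 (rule 13) and UDP 443/QUIC (rule 25)
# through to any destination, so a TCP-only reject leaves DoH over HTTP/3 open.
# place-before= pins both in front of the existing rule 5, found by its comment,
# i.e. still ahead of the generic https and QUIC accepts. log=yes so the
# counters and the log show whether the rule is actually matching.
add chain=forward action=reject reject-with=icmp-port-unreachable protocol=tcp \
    src-address-list=!resolver dst-address-list=DNSoHTTPS dst-port=443 \
    in-interface-list=LAN log=yes log-prefix="doh-tcp" \
    comment="Block DoH over TCP 443 (all LAN hosts except resolver)" \
    place-before=[find comment="Block DNSoHTTPS for LAN"]
add chain=forward action=reject reject-with=icmp-port-unreachable protocol=udp \
    src-address-list=!resolver dst-address-list=DNSoHTTPS dst-port=443 \
    in-interface-list=LAN log=yes log-prefix="doh-udp" \
    comment="Block DoH over UDP 443 / HTTP/3 (all LAN hosts except resolver)" \
    place-before=[find comment="Block DNSoHTTPS for LAN"]

# The per-service accepts can use the same macro instead of repeating
# src-address=192.168.88.0/24; this one is placed ahead of the final drop.
add chain=forward action=accept protocol=tcp src-address-list=lan_net \
    in-interface-list=LAN dst-port=443 comment="https (via lan_net list)" \
    place-before=[find comment="Drop everything"]
```

After a client on the LAN tries a DoH resolver, the hit counters are visible with `/ip firewall filter print stats` and the rejected attempts with `/log print where message~"doh-"`; a rule whose counters stay at zero is either not being reached or has an empty DNSoHTTPS list. `reject-with=icmp-port-unreachable` matches the original rule 5; for the TCP rule `reject-with=tcp-reset` makes clients give up faster than waiting on an ICMP error.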