Mongoid
just joined
Topic Author
Posts: 14
Joined: Thu Nov 24, 2016 7:31 pm

Firewall for VLANs on Home Network

Thu Aug 25, 2022 3:49 am

With some help from Anav, I have the VLAN syntax straightened out and they appear to be working fine. My intention is to segment the network like this:

[Image: network segmentation diagram, not reproduced]

Would a veteran be kind enough to review my config, specifically the firewall, and point out what might be fundamentally wrong with it or any redundancy etc. before I move all the hardware to its "forever home"?
I have not decided how to deal with Bogons yet until I flip the cable modem into bridge mode. I had previously just used a list on the RB4011 but it seems routes might be a better way to go? This is the first config I have attempted from scratch so I have very likely missed something basic. Be gentle :)

Much appreciated

Mongoid
Aug24-22.rsc
 
anav
Forum Guru
Posts: 19177
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Firewall for VLANs on Home Network

Thu Aug 25, 2022 1:20 pm

(1) Input chain, improvement on use of invalid rules...........
Ensure in IP firewall you find the tab at the top that says CONNECTIONS.
Then look for the button that says "TRACKING"

Ensure Enabled reads auto or yes but that LOOSE TCP Tracking is NOT checked off.
We want strict TCP tracking.

(2) Why did you add 10.10.70.99? REMOVE IT.......... It's not the place to identify the actual server IP........... (that is done in dst nat rules)
add action=accept chain=forward comment="Allow port forwarding" \
connection-nat-state=dstnat dst-address=10.10.70.99

(3) Don't see this rule......
/tool mac-server mac-winbox
set allowed-interface-list=MGMT

(4) Finally I am assuming that the default winbox port number you have (the default number) is not the one you actually use, a. because it's the default and b. because you have published it here.
 
Mongoid
just joined
Topic Author
Posts: 14
Joined: Thu Nov 24, 2016 7:31 pm

Re: Firewall for VLANs on Home Network

Thu Aug 25, 2022 6:08 pm

Hi anav,

Thank you again! I chose to not continue posting to the old thread for this question as I thought it might seem like I thought you were my personal trainer :)

1. I read your post regarding this and had done it to the RB4011. I like this idea and intended to do it. Good catch.
2. Just for my own edification, not specifying the dst-address here would allow this one rule to cover all dst-nat'd traffic in the forward chain.
Is specifying the address when there is only one ip address accepting dst-nat inherently wrong or just a case of bad form and redundancy?
3. Good catch.
4. I don't intend to use Winbox remotely at all. In my newbie ignorance, I was afraid to lose access to Winbox while I was configuring so I didn't place any restrictions. I intend to patch that up but as it stands, yeah, if I plugged that into the internet I'd be sorry I bet.

I will adjust according to your observations. Thank you again for responding.

Mongoid
 
anav
Forum Guru
Posts: 19177
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Firewall for VLANs on Home Network

Thu Aug 25, 2022 10:41 pm

The only way I config my router FROM WITHIN the LAN is via winbox.
It's encrypted and only a few devices have access as well.
I do remote VPN into the router then using winbox access the router.

The rule opens up your entire LAN directly to the internet as long as that port is the destination, not hard to find on a scan.......
By using destination NAT, the router ensures
a. a firewall is in place generally allowing such traffic (which is what we cleared up)
b. that the packet information is legit, the proper destination port and a server are identified and that the traffic originally is headed towards the public IP or coming from the WAN etc.
c. the source address in the destination nat rule narrows down access to specific source IPs.
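For anyone reading along, here is a RouterOS config fragment, added as an illustration (it is not anav's or Mongoid's config and not the attached Aug24-22.rsc), that puts the four points from anav's first reply together with the dst-nat reasoning above: strict TCP tracking, a dst-nat rule that carries the server address and the allowed source list, a forward rule that matches on connection-nat-state=dstnat with no dst-address, the mac-winbox restriction, and the winbox service limited to the management subnet. It assumes interface lists named WAN and MGMT already exist, that the server at 10.10.70.99 listens on TCP 443 (the port is a placeholder), and that 203.0.113.10 and 10.10.99.0/24 are constructed example addresses for the remote client and the MGMT subnet.

```routeros
# Point (1): keep connection tracking on, with strict (not loose) TCP tracking
/ip firewall connection tracking
set enabled=auto loose-tcp-tracking=no

# Point (2c): only these source addresses may reach the forwarded service
# (203.0.113.10 is a constructed example address)
/ip firewall address-list
add list=allowed-remote address=203.0.113.10 comment="example remote client"

# Point (2b): the dst-nat rule is where the server IP and port are named.
# TCP 443 is a placeholder; use the port the server really listens on.
/ip firewall nat
add chain=dstnat action=dst-nat in-interface-list=WAN protocol=tcp \
    dst-port=443 src-address-list=allowed-remote \
    to-addresses=10.10.70.99 to-ports=443 \
    comment="Forward HTTPS to server (example)"

# Point (2a): the forward rule only accepts traffic the dst-nat rule already
# translated, so no dst-address is needed here. Placed before the final drop.
/ip firewall filter
add chain=forward action=accept connection-nat-state=dstnat \
    comment="Allow port forwarding"
add chain=forward action=drop comment="Drop everything else (keep last)"

# Point (3): MAC-Winbox only from the management interface list
/tool mac-server mac-winbox
set allowed-interface-list=MGMT

# Point (4): restrict the winbox service to the management subnet
# (10.10.99.0/24 is an assumed MGMT subnet) and do not publish the port
/ip service
set winbox address=10.10.99.0/24
```

Note that with src-address-list on the dst-nat rule, packets from any other source never get translated, so they never match connection-nat-state=dstnat in the forward chain and fall through to the drop rule; that is the mechanism behind points b and c.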
