Spirch
Member Candidate
Topic Author
Posts: 119
Joined: Sat May 03, 2014 5:04 am

handling mikrotik ntp/dns server for multiple dhcp server with drop by default

Mon Nov 07, 2022 3:24 am

I'm not sure how to format my question, sorry if it's confusing


I have enabled the DNS server and NTP server on my router

/ip dns
set allow-remote-requests=yes cache-max-ttl=1d
/system ntp server
set enabled=yes

I have multiple DHCP servers and they have the DNS/NTP IP configured as the gateway IP

/ip dhcp-server network
add address=192.168.1.0/24 dns-server=192.168.1.1 gateway=192.168.1.1 ntp-server=192.168.1.1
add address=192.168.2.0/24 dns-server=192.168.2.1 gateway=192.168.2.1 ntp-server=192.168.2.1
add address=192.168.3.0/24 dns-server=192.168.3.1 gateway=192.168.3.1 ntp-server=192.168.3.1
add address=192.168.4.0/24 dns-server=192.168.4.1 gateway=192.168.4.1 ntp-server=192.168.4.1
add address=192.168.5.0/24 dns-server=192.168.5.1 gateway=192.168.5.1 ntp-server=192.168.5.1
add address=192.168.6.0/24 dns-server=192.168.6.1 gateway=192.168.6.1 ntp-server=192.168.6.1
add address=192.168.7.0/24 dns-server=192.168.7.1 gateway=192.168.7.1 ntp-server=192.168.7.1

My firewall rules are drop by default, and because of this I need to have one rule per DHCP server entry to allow clients to get DNS/NTP, which means that in my current scenario 7 rules need to be created

add action=accept chain=input dst-address=192.168.1.1 in-interface=Vlan1
add action=accept chain=input dst-address=192.168.2.1 in-interface=Vlan2
add action=accept chain=input dst-address=192.168.3.1 in-interface=Vlan3
add action=accept chain=input dst-address=192.168.4.1 in-interface=Vlan4
add action=accept chain=input dst-address=192.168.5.1 in-interface=Vlan5
add action=accept chain=input dst-address=192.168.6.1 in-interface=Vlan6
add action=accept chain=input dst-address=192.168.7.1 in-interface=Vlan7

My question is: is there a better way to handle this? Is my config too complex for no reason?
 
mkx
Forum Guru
Posts: 11381
Joined: Thu Mar 03, 2016 10:23 pm

Re: handling mikrotik ntp/dns server for multiple dhcp server with drop by default

Mon Nov 07, 2022 8:36 pm

First: your accept rules allow any kind of service access from the configured subnets and interfaces, which includes management access. This may or may not be how you want it to be.

Next: filtering by dst-address doesn't filter by clients. E.g. any of the clients can access the router's services at 192.168.1.1. Which means two things:
  1. To allow access only from certain clients, you have to filter according to src-address ... which you might already be doing, as you include filtering according to in-interface.
  2. You can set up all DHCP servers to pass the same DNS server and NTP server address (e.g. 192.168.1.1). Then omit the dst-address property from the firewall filter rules.

Whichever way you go, you can merge all filter rules into one. Either construct an address list with the allowed subnets as members and use the property src-address-list=<allowed clients>. Or construct an interface list with the allowed LAN interfaces (it seems like you're using VLAN interfaces) and use the property in-interface-list=<allowed interfaces>.
What you'd lose is aesthetic: currently clients can only connect to the router at its "native" IP address. With the simplified rule, clients would be able to connect to the router at any of the router's addresses. Security-wise, things don't change a bit.
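A concrete RouterOS configuration for the interface-list and address-list approach described in the post above, as an added example that is not part of mkx's reply or the thread author's config. The list names LAN-clients and lan-subnets, the rule comments, and the restriction to the DNS and NTP service ports (UDP/TCP 53, UDP 123) are assumptions not present in the thread; the VLAN names and subnets are the ones from the original post.

```routeros
# Added example, not from the thread. Assumed names: LAN-clients, lan-subnets.
# Step 1: hand every DHCP network the same DNS/NTP address (192.168.1.1 is the
# example address mkx used), so the firewall no longer needs dst-address matches.
/ip dhcp-server network
set [find] dns-server=192.168.1.1 ntp-server=192.168.1.1

# Step 2: group the client-facing VLANs into one interface list.
/interface list
add name=LAN-clients
/interface list member
add interface=Vlan1 list=LAN-clients
add interface=Vlan2 list=LAN-clients
add interface=Vlan3 list=LAN-clients
add interface=Vlan4 list=LAN-clients
add interface=Vlan5 list=LAN-clients
add interface=Vlan6 list=LAN-clients
add interface=Vlan7 list=LAN-clients

# Step 3 (optional): group the client subnets as well, so the rule also checks
# the source address and not only the ingress interface.
/ip firewall address-list
add address=192.168.1.0/24 list=lan-subnets
add address=192.168.2.0/24 list=lan-subnets
add address=192.168.3.0/24 list=lan-subnets
add address=192.168.4.0/24 list=lan-subnets
add address=192.168.5.0/24 list=lan-subnets
add address=192.168.6.0/24 list=lan-subnets
add address=192.168.7.0/24 list=lan-subnets

# Step 4: two input rules replace the seven per-VLAN accepts. They open only
# the service ports clients need (DNS 53 udp/tcp, NTP 123 udp), not
# management, which addresses mkx's first point.
/ip firewall filter
add action=accept chain=input comment="DNS+NTP from LAN clients" \
    in-interface-list=LAN-clients src-address-list=lan-subnets \
    protocol=udp dst-port=53,123
add action=accept chain=input comment="DNS over TCP from LAN clients" \
    in-interface-list=LAN-clients src-address-list=lan-subnets \
    protocol=tcp dst-port=53
```

Matching on both in-interface-list and src-address-list means a packet must arrive on a listed VLAN and carry a source address from the matching subnets; either list alone would be enough for the consolidation the post describes, and the interface-list match is the stronger of the two because it cannot be influenced by the client's own address. After applying this, `/ip firewall filter print stats` shows whether the new accept counters grow while the seven disabled rules stay at zero.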
 
Spirch
Member Candidate
Topic Author
Posts: 119
Joined: Sat May 03, 2014 5:04 am

Re: handling mikrotik ntp/dns server for multiple dhcp server with drop by default

Tue Nov 08, 2022 2:56 am

First: your accept rules allow any kind of service access from the configured subnets and interfaces, which includes management access. This may or may not be how you want it to be.

Next: filtering by dst-address doesn't filter by clients. E.g. any of the clients can access the router's services at 192.168.1.1. Which means two things:
  1. To allow access only from certain clients, you have to filter according to src-address ... which you might already be doing, as you include filtering according to in-interface.
  2. You can set up all DHCP servers to pass the same DNS server and NTP server address (e.g. 192.168.1.1). Then omit the dst-address property from the firewall filter rules.

Whichever way you go, you can merge all filter rules into one. Either construct an address list with the allowed subnets as members and use the property src-address-list=<allowed clients>. Or construct an interface list with the allowed LAN interfaces (it seems like you're using VLAN interfaces) and use the property in-interface-list=<allowed interfaces>.
What you'd lose is aesthetic: currently clients can only connect to the router at its "native" IP address. With the simplified rule, clients would be able to connect to the router at any of the router's addresses. Security-wise, things don't change a bit.

Thanks for the concern about the service port; I do have this rule to handle this scenario (I disabled everything else)
/ip firewall raw
add action=drop chain=prerouting dst-port=8291 log=yes log-prefix="Drop Winbox" protocol=tcp src-address-list=!support

Interesting, so I could set all of them to use the same NTP/DNS IP; I didn't think of this somehow.

The first reason, from my point of view, for having different (specific) addresses is that if there is someone scanning the network, they won't know about the existence of the other subnets.
Of course the firewall would block any scan attempts from any existing client. I might play with this solution (single IP for all)
 
Spirch
Member Candidate
Topic Author
Posts: 119
Joined: Sat May 03, 2014 5:04 am

Re: handling mikrotik ntp/dns server for multiple dhcp server with drop by default

Tue Nov 08, 2022 5:13 am


I might play with this solution (single ip for all)

so,

I created a dummy VLAN and a dummy DHCP server (neither can really be used or get any IP/client) and I'm using this as the single endpoint for the NTP/DNS server

I created an interface list that has all the valid VLANs and created a single firewall rule to allow connections to it, and I disabled the 7 previous rules ... let's see how it goes; it's way cleaner

The only thing that worries me right now is that DHCP renewal is creating drop entries. I don't think it matters? Hopefully it's just noise in the log. Clients are getting IPs and work ... so far
drop input in:vlan, connection-state new src-mac clientmac, proto udp, clientip:68 --> gateway:67
 
sindy
Forum Guru
Posts: 10205
Joined: Mon Dec 04, 2017 9:19 pm

Re: handling mikrotik ntp/dns server for multiple dhcp server with drop by default

Tue Nov 08, 2022 9:55 am

hopefully it's just noise in the log
Yes, it is. The DHCP server intercepts the packets before they reach the firewall (something is telling me that this is not the case for DHCPv6), so the clients do get the assignment normally but the firewall shows drops. To get rid of that noise, add an action=accept rule for the DHCP traffic, or an action=drop one without log=yes, just before the logging drop one.
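The two ways of silencing the DHCP drop entries that sindy describes, written out as RouterOS filter rules. This is an added example, not code from sindy's reply or from the thread author's router; it assumes an interface list named LAN-clients already groups the client VLANs and that the final logging drop rule carries the comment "log+drop input", neither of which is given in the thread.

```routeros
# Added example, not from the thread. Assumed: interface list LAN-clients and a
# final logging drop rule with comment "log+drop input" already exist.
/ip firewall filter

# Option A (sindy's first suggestion): accept the DHCP client-to-server
# traffic explicitly. The logged drops in the thread were UDP from the client's
# port 68 to the gateway's port 67, so that is exactly what this rule matches.
# place-before puts it ahead of the logging drop, otherwise it never fires.
add action=accept chain=input comment="DHCP from LAN clients" \
    in-interface-list=LAN-clients protocol=udp src-port=68 dst-port=67 \
    place-before=[find comment="log+drop input"]

# Option B (sindy's second suggestion): keep dropping, but without log=yes,
# so the entries disappear from the log while the rule order stays the same.
# Enable this instead of Option A if you prefer not to add an accept rule.
add action=drop chain=input comment="DHCP (silent drop)" disabled=yes \
    in-interface-list=LAN-clients protocol=udp src-port=68 dst-port=67 \
    place-before=[find comment="log+drop input"]
```

Option B relies on the behaviour sindy describes: the DHCP server has already handled the packet before the filter sees it, so dropping it in the input chain does not affect lease assignment and only the log entry goes away. Option A is the more explicit of the two because the accept counter on that rule then shows how much DHCP traffic the router is actually serving.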
 
Spirch
Member Candidate
Topic Author
Posts: 119
Joined: Sat May 03, 2014 5:04 am

Re: handling mikrotik ntp/dns server for multiple dhcp server with drop by default

Tue Nov 08, 2022 6:59 pm

hopefully it's just noise in the log
Yes, it is. The DHCP server intercepts the packets before they reach the firewall (something is telling me that this is not the case for DHCPv6), so the clients do get the assignment normally but the firewall shows drops. To get rid of that noise, add an action=accept rule for the DHCP traffic, or an action=drop one without log=yes, just before the logging drop one.
Thanks for the confirmation.
I'm trying to reduce the number of entries in my firewall; the noise I can live with
