samea
just joined
Topic Author
Posts: 9
Joined: Tue Jan 31, 2023 7:33 pm

Sanity check my firewall rules and other config

Fri Feb 03, 2023 8:48 pm

This week I got a Mikrotik Hex S running ROS 7 and began to learn more about networking by building a simple home network. I am a software engineer but haven't worked with networking, so you can consider me techy but a beginner with networking topics. While I have had a blast tinkering with RouterOS and implementing configs for VLANs, WireGuard VPN, etc., I'd like to have someone more experienced take a look at my config before I fully "go live" with it as my only home network. Any improvement suggestions are welcome.

My goals/requirements are the following:
  • Separate IoT/home automation devices into their own VLAN and "regular" devices into another VLAN (iot-vlan, main-vlan)
  • Give access to Home Assistant in iot-vlan from main-vlan and remotely via WireGuard
  • Use a Ubiquiti AP to broadcast the IoT and regular wifi networks (I still don't have the AP. I will connect it to ethernet5 and leave ethernet4 unused.)
  • The PC and the HA Raspberry Pi are connected via ethernet to ports 2 and 3 respectively. The PC belongs to the main VLAN while HA is in the iot-vlan.
First, here are my interface definitions with the firewall rules, on which I'd like an opinion since those are probably the most important for the security of the system:
/interface ethernet
set [ find default-name=ether1 ] comment=WAN
set [ find default-name=ether2 ] comment=PC
set [ find default-name=ether3 ] comment=HomeAssistant
set [ find default-name=ether4 ] comment=IoT
set [ find default-name=ether5 ] comment="Home AP"
/interface wireguard
add comment="Wireguard for iPhone" listen-port=13231 mtu=1420 name=wireguard1
/interface vlan
add interface=bridge name=iot-vlan vlan-id=20
add interface=bridge name=main-vlan vlan-id=10
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
add name=VLAN
add name=MGMT
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip hotspot profile
set [ find default=yes ] html-directory=hotspot
/ip pool
add name=main-pool ranges=10.0.10.2-10.0.10.254
add name=iot-pool ranges=10.0.20.2-10.0.20.254
/ip dhcp-server
add address-pool=main-pool interface=main-vlan name=main-dhcp
add address-pool=iot-pool interface=iot-vlan name=iot-dhcp
/port
set 0 name=serial0
/interface bridge port
add bridge=bridge comment=defconf frame-types=admit-only-untagged-and-priority-tagged interface=ether2 pvid=10
add bridge=bridge comment=defconf frame-types=admit-only-untagged-and-priority-tagged interface=ether3 pvid=20
add bridge=bridge comment=defconf frame-types=admit-only-untagged-and-priority-tagged interface=ether4 pvid=20
add bridge=bridge comment=defconf frame-types=admit-only-untagged-and-priority-tagged interface=ether5 pvid=10
add bridge=bridge comment=defconf frame-types=admit-only-untagged-and-priority-tagged interface=sfp1 pvid=10
/ip neighbor discovery-settings
set discover-interface-list=LAN
/interface bridge vlan
add bridge=bridge comment=main-vlan tagged=bridge untagged=ether2,ether5 vlan-ids=10
add bridge=bridge comment=iot-vlan tagged=bridge untagged=ether4,ether3 vlan-ids=20
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=ether1 list=WAN
add interface=main-vlan list=LAN
add interface=iot-vlan list=LAN
add interface=main-vlan list=VLAN
add interface=iot-vlan list=VLAN
add interface=main-vlan list=MGMT
add interface=wireguard1 list=LAN
/interface wireguard peers
add allowed-address=10.0.50.2/32 comment=iPhone interface=wireguard1 public-key="XXX"
/ip address
add address=10.0.10.1/24 interface=main-vlan network=10.0.10.0
add address=10.0.20.1/24 interface=iot-vlan network=10.0.20.0
add address=10.0.50.1/24 interface=wireguard1 network=10.0.50.0
/ip dhcp-client
add comment=defconf interface=ether1
/ip dhcp-server lease
add address=10.0.20.5 mac-address=E8:68:E7:C3:8A:E4 server=iot-dhcp
add address=10.0.20.7 client-id=1:e4:5f:1:32:1b:2b mac-address=E4:5F:01:32:1B:2B server=iot-dhcp
/ip dhcp-server network
add address=10.0.10.0/24 comment=main-dhcp-network gateway=10.0.10.1
add address=10.0.20.0/24 comment=iot-dhcp-network gateway=10.0.20.1
/ip dns
set allow-remote-requests=yes
/ip dns static
add address=192.168.88.1 comment=defconf name=router.lan
add address=10.0.20.7 name=homeassistant.home.arpa
add address=10.0.10.1 name=router.home.arpa

/ip firewall filter
add action=accept chain=input comment="allow WireGuard" dst-port=13231 protocol=udp
add action=accept chain=input comment="allow WireGuard traffic" src-address=10.0.50.0/24
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=input comment="Allow main-vlan/MGMT access to all router services" in-interface-list=MGMT
add action=accept chain=input comment="Allow VLAN DHCP" dst-port=67 in-interface-list=VLAN protocol=udp
add action=accept chain=input comment="Allow VLAN DNS UDP" dst-port=53 in-interface-list=VLAN protocol=udp
add action=accept chain=input comment="Allow VLAN DNS TCP" dst-port=53 in-interface-list=VLAN protocol=tcp
add action=accept chain=input comment="Allow VLAN ICMP Ping" in-interface-list=VLAN protocol=icmp
add action=drop chain=input comment="Drop all other traffic"
add action=accept chain=forward comment="defconf: accept in ipsec policy" ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related hw-offload=yes
add action=accept chain=forward comment="defconf: accept established, related, untracked" connection-state=established,related,untracked
add action=accept chain=forward comment="VLAN Internet Access Only" connection-state=new in-interface-list=VLAN out-interface-list=WAN
add action=accept chain=forward comment="Allow Port Forwarding - DSTNAT - enable if need server" connection-nat-state=dstnat connection-state=new \
    disabled=yes in-interface-list=WAN
add action=accept chain=forward comment="Allow Wireguard VPN to iot-vlan" in-interface=wireguard1 out-interface=iot-vlan
add action=accept chain=forward comment="Access IoT devices from main-vlan" in-interface=main-vlan out-interface=iot-vlan protocol=tcp
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
add action=drop chain=forward comment="Drop all other traffic"
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" ipsec-policy=out,none out-interface-list=WAN
I used the following resources to set up the current config:
Thanks in advance. I'm especially interested in how to keep the config maintainable and in best practices on how to configure firewall rules.

Also, it looks like I connected the router to the internet without IPv6 firewall rules for about a day, yikes! The reason for this blunder was that after the upgrade to RouterOS 7 the device lost the default config, and while I set up the config based on my RouterOS 6.x exported config, I missed the IPv6 rules. I noticed today that IPv6 was enabled without firewall rules. I added rules AND disabled IPv6 for extra measure. I did not have an IPv6 DHCP server configured.

Realistically speaking, how much danger have I put myself in, and are there specific extra measures I need to take now? My PCs had their software firewalls on, and according to my port scans there weren't any unintentional ports open on my devices.
 
anav
Forum Guru
Posts: 18959
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Sanity check my firewall rules and other config

Mon Feb 06, 2023 3:39 pm

/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
add name=VLAN { Removed not required }
add name=MGMT
/interface bridge port
add bridge=bridge ingress-filtering=yes frame-types=admit-only-untagged-and-priority-tagged interface=ether2 pvid=10
add bridge=bridge ingress-filtering=yes frame-types=admit-only-untagged-and-priority-tagged interface=ether3 pvid=20
add bridge=bridge ingress-filtering=yes frame-types=admit-only-untagged-and-priority-tagged interface=ether4 pvid=20
add bridge=bridge ingress-filtering=yes frame-types=admit-only-untagged-and-priority-tagged interface=ether5 pvid=10
add bridge=bridge ingress-filtering=yes frame-types=admit-only-untagged-and-priority-tagged interface=sfp1 pvid=10
/ip neighbor discovery-settings
set discover-interface-list=MGMT
/interface bridge vlan
add bridge=bridge comment=main-vlan tagged=bridge untagged=ether2,ether5,sfp1 vlan-ids=10
add bridge=bridge comment=iot-vlan tagged=bridge untagged=ether4,ether3 vlan-ids=20
/interface list member
add comment=defconf interface=bridge list=LAN { Remove not required }
add comment=defconf interface=ether1 list=WAN
add interface=main-vlan list=LAN
add interface=iot-vlan list=LAN
add interface=main-vlan list=VLAN { Remove not required }
add interface=iot-vlan list=VLAN { Remove not required }
add interface=main-vlan list=MGMT
add interface=wireguard1 list=LAN
/ip firewall filter { fixed }
(Default Rules)
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
(Admin Rules)
add action=accept chain=input comment="allow WireGuard" dst-port=13231 protocol=udp
add action=accept chain=input comment="allow WireGuard traffic" in-interface=wireguard1 src-address=10.0.50.0/24
add action=accept chain=input comment="Allow main-vlan/MGMT access to all router services" in-interface-list=MGMT ******
add action=accept chain=input comment="Allow Users to Router Services" dst-port=53 in-interface-list=LAN protocol=udp
add action=accept chain=input comment="Allow Users to Router Services" dst-port=53 in-interface-list=LAN protocol=tcp
add action=drop chain=input comment="Drop all other traffic"
(Default Rules)
add action=accept chain=forward comment="defconf: accept in ipsec policy" ipsec-policy=in,ipsec { Remove if not doing ipsec }
add action=accept chain=forward comment="defconf: accept out ipsec policy" ipsec-policy=out,ipsec { Remove if not doing ipsec }
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related hw-offload=yes
add action=accept chain=forward comment="defconf: accept established, related, untracked" connection-state=established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
(Admin Rules)
add action=accept chain=forward comment=" Internet Access" in-interface-list=LAN out-interface-list=WAN
add action=accept chain=forward comment="Allow Port Forwarding" connection-nat-state=dstnat disabled=yes
add action=accept chain=forward comment="Allow Wireguard VPN to iot-vlan" in-interface=wireguard1 out-interface=iot-vlan
add action=accept chain=forward comment="Access IoT devices from main-vlan" in-interface=main-vlan out-interface=iot-vlan protocol=tcp
add action=drop chain=forward comment="Drop all other traffic"
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" ipsec-policy=out,none out-interface-list=WAN
/tool mac-server mac-winbox
set allowed-interface-list=MGMT



***** In terms of access from the MGMT interface to configure the router, that includes all users on the MAIN VLAN.
Strictly speaking, from an IT security perspective only the admin requires full access to the router, so one
could use a firewall address list in that line..........
add action=accept chain=input comment="Allow admin" in-interface-list=MGMT src-address-list=Authorized

Where........
/ip firewall address-list
add address=IP1 list=Authorized (desktop - wired)
add address=IP2 list=Authorized (laptop - wired)
add address=IP3 list=Authorized (laptop - wifi - local )
add address=IP4 list=Authorized (smartphone - wifi - local)

If it's only you coming in remotely over WireGuard, then
add interface=wireguard1 list=MGMT
add address=10.0.50.2 list=Authorized (smartphone - remote - wireguard)

Then you can combine the two rules in the input chain,
add action=accept chain=input comment="allow WireGuard traffic" in-interface=wireguard1 src-address=10.0.50.0/24
add action=accept chain=input comment="Allow main-vlan/MGMT access to all router services" in-interface-list=MGMT


into one rule.....
add action=accept chain=input in-interface-list=MGMT src-address-list=Authorized comment="Admin Access"
 
samea
just joined
Topic Author
Posts: 9
Joined: Tue Jan 31, 2023 7:33 pm

Re: Sanity check my firewall rules and other config

Sun Feb 26, 2023 7:18 pm

Sorry for the late response. Things happened, and the end result is that I'm now running RoS 6.x on a Mikrotik Hex (not Hex S) :D

Thank you for looking through my earlier config. I have adapted the config and would like to have your feedback on this new config. The main difference is that now I am hosting WireGuard on my home server instead of using RoS 7.x for it. Another difference is that on port 5 there is a VLAN-aware access point serving different wifi SSIDs for the iot and main VLANs.

I have some questions:
  1. Any clear problems or misconfigurations in this config considering security? You can assume that I am the only user in the MGMT network and the only user of the WireGuard connections.
  2. At the moment I had to add two firewall rules and a NAT rule to get WG traffic going. Is there any nice (and secure) way to add a firewall rule which would allow forwarding all ports which have a NAT rule? This way in future I could just add NAT rules. One way to do that I saw today was the following rule, but I'd rather keep my drop-all rules:
    add action=drop chain=forward comment="Drop incoming packets that are not NAT`ted" connection-nat-state=!dstnat connection-state=new in-interface=ether1 log=yes log-prefix=!NAT
    This is still a bit of a work in progress as you can see from my filter rules; any tips are appreciated.
Finally here is my config:
/interface bridge
add admin-mac=xxx auto-mac=no comment=defconf name=bridge vlan-filtering=yes
/interface ethernet
set [ find default-name=ether1 ] comment=WAN
set [ find default-name=ether2 ] comment=PC
set [ find default-name=ether3 ] comment=HomeServer
set [ find default-name=ether4 ] comment=Other
set [ find default-name=ether5 ] comment=WAP
/interface vlan
add interface=bridge name=iot-vlan vlan-id=20
add interface=bridge name=main-vlan vlan-id=10
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
add name=VLAN
add name=MGMT
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip pool
add name=main-pool ranges=10.0.10.2-10.0.10.254
add name=iot-pool ranges=10.0.20.2-10.0.20.254
/ip dhcp-server
add address-pool=main-pool disabled=no interface=main-vlan name=main-dhcp
add address-pool=iot-pool disabled=no interface=iot-vlan name=iot-dhcp
/interface bridge port
add bridge=bridge comment=defconf frame-types=admit-only-untagged-and-priority-tagged ingress-filtering=yes interface=ether2 pvid=10
add bridge=bridge comment=defconf frame-types=admit-only-untagged-and-priority-tagged ingress-filtering=yes interface=ether3 pvid=10
add bridge=bridge comment=defconf frame-types=admit-only-untagged-and-priority-tagged ingress-filtering=yes interface=ether4 pvid=10
add bridge=bridge comment=defconf interface=ether5 pvid=10
/ip neighbor discovery-settings
set discover-interface-list=MGMT
/interface bridge vlan
add bridge=bridge comment=main-vlan tagged=bridge,ether5 untagged=ether2,ether3,ether4 vlan-ids=10
add bridge=bridge comment=iot-vlan tagged=bridge,ether5 vlan-ids=20
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=ether1 list=WAN
add interface=main-vlan list=LAN
add interface=iot-vlan list=LAN
add interface=main-vlan list=MGMT
/ip address
add address=10.0.10.1/24 interface=main-vlan network=10.0.10.0
add address=10.0.20.1/24 interface=iot-vlan network=10.0.20.0
/ip dhcp-client
add comment=defconf disabled=no interface=ether1
/ip dhcp-server lease
add address=10.0.10.251 client-id=1:2:84:57:49:d9:bd mac-address=02:84:57:49:D9:BD server=main-dhcp
add address=10.0.10.100 comment=Proxmox mac-address=6C:4B:90:24:D4:0C server=main-dhcp
add address=10.0.10.234 client-id=1:aa:f9:fc:10:da:a7 mac-address=AA:F9:FC:10:DA:A7 server=main-dhcp
add address=10.0.10.232 client-id=1:a2:46:f5:a9:7b:79 mac-address=A2:46:F5:A9:7B:79 server=main-dhcp
/ip dhcp-server network
add address=10.0.10.0/24 comment=main-dhcp-network dns-server=10.0.10.1 gateway=10.0.10.1
add address=10.0.20.0/24 comment=iot-dhcp-network dns-server=10.0.10.1 gateway=10.0.20.1
/ip dns
set allow-remote-requests=yes servers=10.0.10.1,1.1.1.1
/ip firewall filter
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment="Allow Wireguard to HA" dst-port=51820 log=yes protocol=udp
add action=accept chain=input comment="Allow main-vlan/MGMT access to all router services" in-interface-list=MGMT
add action=accept chain=input comment="Allow VLAN DHCP" dst-port=67 in-interface-list=LAN protocol=udp
add action=accept chain=input comment="Allow VLAN DNS UDP" dst-port=53 in-interface-list=LAN protocol=udp
add action=accept chain=input comment="Allow VLAN DNS TCP" dst-port=53 in-interface-list=LAN protocol=tcp
add action=accept chain=input comment="Allow VLAN ICMP Ping" in-interface-list=LAN protocol=icmp
add action=drop chain=input comment="Drop all other traffic"
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related
add action=accept chain=forward comment="defconf: accept established,related, untracked" connection-state=established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
add action=drop chain=forward comment="Drop incoming packets that are not NAT`ted" connection-nat-state=!dstnat connection-state=new in-interface=ether1 \
    log=yes log-prefix=!NAT
add action=accept chain=forward comment="VLAN Internet Access Only" connection-state=new in-interface-list=LAN out-interface-list=WAN
add action=accept chain=forward comment="Allow Wireguard traffic to internet" dst-port=51820 in-interface=ether1 log=yes log-prefix="WG forward" \
    out-interface=main-vlan protocol=udp
add action=accept chain=forward comment="Access IoT devices from main-vlan" in-interface=main-vlan out-interface=iot-vlan protocol=tcp
add action=drop chain=forward comment="Drop all other traffic" log-prefix="Drop all forward"
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" ipsec-policy=out,none out-interface-list=WAN
add action=dst-nat chain=dstnat comment="Port forward Wireguard to HA" dst-port=51820 in-interface-list=WAN log=yes protocol=udp to-addresses=10.0.10.251 \
    to-ports=51820
/ip service
set telnet disabled=yes
set ftp disabled=yes
set www disabled=yes
set api disabled=yes
set api-ssl disabled=yes
/ip ssh
set strong-crypto=yes
/system clock
set time-zone-name=Europe/Helsinki
/system identity
set name=RouterOS
/tool bandwidth-server
set enabled=no
/tool graphing interface
add allow-address=10.0.10.0/24 interface=main-vlan
add allow-address=10.0.10.0/24 interface=iot-vlan
/tool graphing resource
add allow-address=10.0.10.0/24
/tool mac-server
set allowed-interface-list=MGMT
/tool mac-server mac-winbox
set allowed-interface-list=MGMT
/tool mac-server ping
set enabled=no

Thanks again.
 
anav
Forum Guru
Posts: 18959
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Sanity check my firewall rules and other config

Sun Feb 26, 2023 7:27 pm

If the access point is normal and accepts all VLANs (trunk port), you shouldn't have pvid=10 on the corresponding /bridge interface port entry for ether5.
On the other hand, if it's Unifi, they expect the management VLAN untagged and the rest of the VLANs tagged, aka a hybrid port.

Your /interface bridge vlans for ether5 don't line up with either hypothesis LOL
+++++++++++++++++++

Okay, let's say it's Unifi (hybrid port); thus you need:
add bridge=bridge comment=defconf interface=ether5 pvid=10 AS IS
/interface bridge vlan
add bridge=bridge comment=main-vlan tagged=bridge untagged=ether2,ether3,ether4,ether5 vlan-ids=10 ( modified )
add bridge=bridge comment=iot-vlan tagged=bridge,ether5 vlan-ids=20 ( as is )

A NORMAL AP (trunk port)
add bridge=bridge comment=defconf ingress-filtering=yes frame-types=admit-only-vlan-tagged interface=ether5 modified
add bridge=bridge comment=main-vlan tagged=bridge,ether5 untagged=ether2,ether3,ether4 vlan-ids=10 ( as is )
add bridge=bridge comment=iot-vlan tagged=bridge,ether5 vlan-ids=20
(as is)
 
anav
Forum Guru
Posts: 18959
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Sanity check my firewall rules and other config

Sun Feb 26, 2023 7:29 pm

Remove bridge member here.
/interface list member
add comment=defconf interface=bridge list=LAN

Forward chain.....
/ip firewall filter
{forward chain}
(default rules)
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
(admin rules)
add action=accept chain=input comment="Allow Wireguard to HA" dst-port=51820 log=yes protocol=udp
add action=accept chain=input comment="Allow main-vlan/MGMT access to all router services" in-interface-list=MGMT
add action=accept chain=input comment="Allow VLAN DNS UDP" dst-port=53 in-interface-list=VLAN protocol=udp
add action=accept chain=input comment="Allow VLAN DNS TCP" dst-port=53 in-interface-list=VLAN protocol=tcp
add action=drop chain=input comment="Drop all other traffic"

Remove; the second instance is a duplicate....
add action=accept chain=input comment="Allow VLAN ICMP Ping" in-interface-list=LAN protocol=icmp
Removed, not needed.
add action=accept chain=input comment="Allow VLAN DHCP" dst-port=67 in-interface-list=LAN protocol=udp
 
anav
Forum Guru
Posts: 18959
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Sanity check my firewall rules and other config

Sun Feb 26, 2023 7:48 pm

{Forward Chain}
(default rules)
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related
add action=accept chain=forward comment="defconf: accept established,related, untracked" connection-state=established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
(admin rules)
add action=accept chain=forward comment="VLAN Internet Access Only" in-interface-list=VLAN out-interface-list=WAN
add action=accept chain=forward comment="wg to local subnet" in-interface=wireguard1 out-interface=main-vlan
add action=accept chain=forward comment="Access IoT devices from main-vlan" in-interface=main-vlan out-interface=iot-vlan protocol=tcp
add action=accept chain=forward comment="port forwarding" connection-nat-state=dstnat
add action=drop chain=forward comment="Drop all other traffic" log-prefix="Drop all forward"


Remove this old default rule, which is useless once you start doing real configuration on the bridge; it's a safe startup rule which needs to go! Plus you have already set up the rules to take its place!
add action=drop chain=forward comment="Drop incoming packets that are not NAT`ted" connection-nat-state=!dstnat connection-state=new in-interface=ether1 \
log=yes log-prefix=!NAT

Remove this rule; not sure what you are trying to do, but it speaks to either not understanding firewall rules, WireGuard, or both. The input chain is TO the router, NOT the forward chain.
The forward chain is for LAN to LAN, WAN to LAN and LAN to WAN type traffic (through the router). WireGuard connects as a service TO the router (aka the initial handshake); you have this covered.
In the forward chain and concerning WG, you either need a rule to allow traffic that has exited the tunnel locally to travel to a local subnet or the WAN, AND/OR to let local traffic enter the WireGuard tunnel.
add action=accept chain=forward comment="Allow Wireguard traffic to internet" dst-port=51820 in-interface=ether1 log=yes log-prefix="WG forward" \
out-interface=main-vlan protocol=udp


Note: Typically, if there is a road warrior coming in on WireGuard, on the client device one puts allowed-ips=0.0.0.0/0, which covers three things: internet, the WireGuard IP and any local subnets to visit.
On the server side, on the router, we make firewall rules allowing access to the router for config, access to local subnets, and access to the local WAN.
Typically we add the road warrior to the input chain (aka add the wireguard interface to the MGMT interface list members, and the IP address if you further refine by a firewall address list).
Typically we add the road warrior to the LAN type interface list members (wireguard to the VLAN list in your case), and thus it is automatically included in the VLAN to WAN firewall rule!!
Typically we have to manually add a forward chain rule to allow local subnet access!!! (provided above).

/tool mac-server
set allowed-interface-list=NONE
( mac-server is not a secure access method and should be set to none! )
/tool mac-server mac-winbox
set allowed-interface-list=MGMT
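As an added illustration (not code from this thread, nor anything RouterOS ships), here is a small Python first-match walker over the input chain with the combined "Admin Access" address-list rule from the earlier reply and the forward chain with the generic connection-nat-state=dstnat rule from this one, so you can see which rule a given packet lands on. The interface lists follow the suggestions above; the host addresses, the Authorized entries, the Winbox port 8291 and the non-terminating handling of fasttrack-connection are assumptions made for the example.

```python
# Added example: first-match walk over the RouterOS filter chains discussed in this thread.
# Input chain uses the combined "Admin Access" address-list rule, forward chain the
# generic connection-nat-state=dstnat rule. A packet reaching the end of a chain is
# accepted by RouterOS, which is why both chains end with an explicit drop.
from dataclasses import dataclass
from typing import Optional

# Interface lists as suggested in the thread (wireguard1 added to MGMT and LAN).
LISTS = {"WAN": {"ether1"}, "LAN": {"main-vlan", "iot-vlan", "wireguard1"},
         "VLAN": {"main-vlan", "iot-vlan"}, "MGMT": {"main-vlan", "wireguard1"}}
# Constructed stand-ins for the IP1..IP4 placeholders of the "Authorized" list.
ADDRESS_LISTS = {"Authorized": {"10.0.10.50", "10.0.50.2"}}

INPUT = [
    {"action": "accept", "comment": "defconf: accept established,related,untracked",
     "connection-state": "established,related,untracked"},
    {"action": "drop", "comment": "defconf: drop invalid", "connection-state": "invalid"},
    {"action": "accept", "comment": "defconf: accept ICMP", "protocol": "icmp"},
    {"action": "accept", "comment": "Admin Access", "in-interface-list": "MGMT", "src-address-list": "Authorized"},
    {"action": "accept", "comment": "Allow Users to Router Services", "dst-port": "53", "in-interface-list": "LAN", "protocol": "udp"},
    {"action": "accept", "comment": "Allow Users to Router Services", "dst-port": "53", "in-interface-list": "LAN", "protocol": "tcp"},
    {"action": "drop", "comment": "Drop all other traffic"},
]
FORWARD = [
    {"action": "fasttrack-connection", "comment": "defconf: fasttrack", "connection-state": "established,related"},
    {"action": "accept", "comment": "defconf: accept established,related, untracked",
     "connection-state": "established,related,untracked"},
    {"action": "drop", "comment": "defconf: drop invalid", "connection-state": "invalid"},
    {"action": "accept", "comment": "VLAN Internet Access Only", "in-interface-list": "VLAN", "out-interface-list": "WAN"},
    {"action": "accept", "comment": "Access IoT devices from main-vlan", "in-interface": "main-vlan", "out-interface": "iot-vlan", "protocol": "tcp"},
    {"action": "accept", "comment": "port forwarding", "connection-nat-state": "dstnat"},
    {"action": "drop", "comment": "Drop all other traffic"},
]


@dataclass
class Packet:
    """The packet fields that the rules above look at."""
    chain: str                       # "input" (to the router) or "forward" (through it)
    in_iface: str
    out_iface: Optional[str] = None  # only meaningful in the forward chain
    proto: str = "tcp"
    dst_port: Optional[int] = None
    src: str = "0.0.0.0"
    conn_state: str = "new"
    nat_state: Optional[str] = None  # "dstnat" once a dst-nat rule has rewritten the packet


def matches(rule: dict, p: Packet) -> bool:
    """True when every matcher in the rule agrees with the packet (matchers are ANDed)."""
    checks = {
        "connection-state": lambda v: p.conn_state in v.split(","),
        "connection-nat-state": lambda v: p.nat_state == v,
        "in-interface": lambda v: p.in_iface == v,
        "out-interface": lambda v: p.out_iface == v,
        "in-interface-list": lambda v: p.in_iface in LISTS[v],
        "out-interface-list": lambda v: p.out_iface in LISTS[v],
        "protocol": lambda v: p.proto == v,
        "dst-port": lambda v: p.dst_port == int(v),
        "src-address-list": lambda v: p.src in ADDRESS_LISTS[v],
    }
    return all(checks[k](v) for k, v in rule.items() if k not in ("action", "comment"))


def evaluate(p: Packet) -> tuple:
    """Walk the chain top to bottom; the first terminating match decides the verdict."""
    for rule in INPUT if p.chain == "input" else FORWARD:
        if not matches(rule, p):
            continue
        if rule["action"] == "fasttrack-connection":
            continue  # assumed non-terminating: the defconf pairs it with an explicit accept
        return rule["action"], rule["comment"]
    return "accept", "(end of chain: RouterOS default)"


def run_cases() -> dict:
    """Constructed packets covering the situations debated in the thread."""
    cases = {
        "wan_dnat_to_wg_server": Packet("forward", "ether1", "main-vlan", "udp", 51820, "203.0.113.7", nat_state="dstnat"),
        "wan_unsolicited_ssh": Packet("forward", "ether1", "main-vlan", "tcp", 22, "203.0.113.7"),
        "main_to_iot_tcp": Packet("forward", "main-vlan", "iot-vlan", "tcp", 8123, "10.0.10.50"),
        "iot_to_main_tcp": Packet("forward", "iot-vlan", "main-vlan", "tcp", 445, "10.0.20.5"),
        "iot_to_internet": Packet("forward", "iot-vlan", "ether1", "udp", 123, "10.0.20.5"),
        "reply_from_internet": Packet("forward", "ether1", "main-vlan", "tcp", 443, "1.1.1.1", conn_state="established"),
        "iot_dns_to_router": Packet("input", "iot-vlan", None, "udp", 53, "10.0.20.5"),
        "iot_ping_router": Packet("input", "iot-vlan", None, "icmp", None, "10.0.20.5"),
        "iot_winbox_to_router": Packet("input", "iot-vlan", None, "tcp", 8291, "10.0.20.5"),
        "main_unlisted_winbox": Packet("input", "main-vlan", None, "tcp", 8291, "10.0.10.77"),
        "main_authorized_winbox": Packet("input", "main-vlan", None, "tcp", 8291, "10.0.10.50"),
        "wg_peer_winbox": Packet("input", "wireguard1", None, "tcp", 8291, "10.0.50.2"),
    }
    return {name: evaluate(p) for name, p in cases.items()}


if __name__ == "__main__":
    for name, (action, comment) in run_cases().items():
        print(f"{name:24} {action:7} <- {comment}")
```

Note that the separate "Allow VLAN ICMP Ping" rule is never reached because "defconf: accept ICMP" sits above it, and that the dstnat rule is what admits the port-forwarded WireGuard packet without naming the port.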
 
anav
Forum Guru
Posts: 18959
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Sanity check my firewall rules and other config

Sun Feb 26, 2023 7:49 pm

Please explain what you are trying to accomplish with the destination nat rule ????

/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" ipsec-policy=out,none out-interface-list=WAN
add action=dst-nat chain=dstnat comment="Port forward Wireguard to HA" dst-port=51820 in-interface-list=WAN log=yes protocol=udp to-addresses=10.0.10.251 \
to-ports=51820



Okay, I get it, the MT is not hosting WireGuard LOL.
Okay, so you need to port forward to the hosting server (to me this is nuts, as the MT is a perfectly better-suited host).

In that case you no longer need any rule on the INPUT CHAIN for the initial handshake........
This can be removed.......
add action=accept chain=input comment="Allow Wireguard to HA" dst-port=51820 log=yes protocol=udp

Also, you don't need the forward chain rule either, as it's no longer valid........
add action=accept chain=forward comment="wg to local subnet" in-interface=wireguard1 out-interface=main-vlan

In fact, you have negated much of the need for any WireGuard on the router, so I cannot help you any longer with any WireGuard aspect..........
 
samea
just joined
Topic Author
Posts: 9
Joined: Tue Jan 31, 2023 7:33 pm

Re: Sanity check my firewall rules and other config

Sun Feb 26, 2023 11:09 pm

Hi, thanks for the help. A few comments and additional questions. Please ignore my original config in my very first post, since it was for RouterOS 7.x where I used MK WG. I had some trouble with it a month ago. For now I'm going to use RoS 6.x until either Mikrotik releases a 7.x LTS version or I get an itch to upgrade anyway :)
If the access point is normal and accepts all VLANs (trunk port), you shouldn't have pvid=10 on the corresponding /bridge interface port entry for ether5.
On the other hand, if it's Unifi, they expect the management VLAN untagged and the rest of the VLANs tagged, aka a hybrid port.
The AP is a TP-Link EAP225, so I guess it's normal. I modified the interface ether5 as you suggested, though the Winbox GUI did not let me remove the pvid and I didn't figure out how to do that in the CLI.

Anyway the end result is:
/interface bridge port
add bridge=bridge comment=defconf frame-types=admit-only-untagged-and-priority-tagged ingress-filtering=yes interface=ether2 pvid=10
add bridge=bridge comment=defconf frame-types=admit-only-untagged-and-priority-tagged ingress-filtering=yes interface=ether3 pvid=10
add bridge=bridge comment=defconf frame-types=admit-only-untagged-and-priority-tagged ingress-filtering=yes interface=ether4 pvid=10
add bridge=bridge comment=defconf frame-types=admit-only-vlan-tagged interface=ether5 pvid=10
/interface bridge vlan
add bridge=bridge comment=main-vlan tagged=bridge,ether5 untagged=ether2,ether3,ether4 vlan-ids=10
add bridge=bridge comment=iot-vlan tagged=bridge,ether5 vlan-ids=20
--------------
Remove; the second instance is a duplicate....
add action=accept chain=input comment="Allow VLAN ICMP Ping" in-interface-list=LAN protocol=icmp
Removed, not needed.
add action=accept chain=input comment="Allow VLAN DHCP" dst-port=67 in-interface-list=LAN protocol=udp
I don't completely understand what you refer to here as "removed not needed". I removed the "Allow VLAN ICMP Ping" rule and everything is fine. However, if I remove the
second rule, "Allow VLAN DHCP", my WireGuard connection seems to stop working, and probably anything else which uses DHCP...?
Did you mean I'd have to remove this rule too?

--------------
Remove this rule; not sure what you are trying to do, but it speaks to either not understanding firewall rules, WireGuard, or both. The input chain is TO the router, NOT the forward chain.
The forward chain is for LAN to LAN, WAN to LAN and LAN to WAN type traffic (through the router). WireGuard connects as a service TO the router (aka the initial handshake); you have this covered.
In the forward chain and concerning WG, you either need a rule to allow traffic that has exited the tunnel locally to travel to a local subnet or the WAN, AND/OR to let local traffic enter the WireGuard tunnel.
add action=accept chain=forward comment="Allow Wireguard traffic to internet" dst-port=51820 in-interface=ether1 log=yes log-prefix="WG forward" \
out-interface=main-vlan protocol=udp
If I remove this forward rule, my WG connection won't work. At the moment my WireGuard server runs in a container on my home server, not on the MK. Today I had a problem with WG not working, and after some debugging by inspecting dropped UDP packets I noticed that my WG traffic required this rule to work. If I disable the rule, the WG road warrior client cannot connect to anything, since these UDP packets get dropped by the "Drop all other traffic" rule. In light of this, does this still make sense to you, or is there something I'm missing here? Other than not using WireGuard on the MK ofc :D

--------------
Okay, I get it, the MT is not hosting WireGuard LOL.
Okay, so you need to port forward to the hosting server (to me this is nuts, as the MT is a perfectly better-suited host).

In that case you no longer need any rule on the INPUT CHAIN for the initial handshake........
This can be removed.......
add action=accept chain=input comment="Allow Wireguard to HA" dst-port=51820 log=yes protocol=udp

Also, you don't need the forward chain rule either, as it's no longer valid........
add action=accept chain=forward comment="wg to local subnet" in-interface=wireguard1 out-interface=main-vlan
Thanks for pointing these out. I could swear the connection didn't work without these this afternoon, but now it certainly looks like they are not required. Which I'm glad of, since it didn't really make sense to me that these were required...

So after these changes my firewall rules look like this:
/ip firewall filter
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment="Allow main-vlan/MGMT access to all router services" in-interface-list=MGMT
add action=accept chain=input comment="Allow VLAN DHCP" dst-port=67 in-interface-list=LAN protocol=udp
add action=accept chain=input comment="Allow VLAN DNS UDP" dst-port=53 in-interface-list=LAN protocol=udp
add action=accept chain=input comment="Allow VLAN DNS TCP" dst-port=53 in-interface-list=LAN protocol=tcp
add action=drop chain=input comment="Drop all other traffic"
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related
add action=accept chain=forward comment="defconf: accept established,related, untracked" connection-state=established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=forward comment="VLAN Internet Access Only" connection-state=new in-interface-list=LAN out-interface-list=WAN
add action=accept chain=forward comment="Allow Wireguard traffic to internet" dst-port=51820 in-interface=ether1 log=yes log-prefix="WG forward" \
    out-interface=main-vlan protocol=udp
add action=accept chain=forward comment="Access IoT devices from main-vlan" in-interface=main-vlan out-interface=iot-vlan protocol=tcp
add action=drop chain=forward comment="Drop all other traffic" log-prefix="Drop all forward"
Last edited by samea on Mon Feb 27, 2023 7:18 pm, edited 1 time in total.
 
anav
Forum Guru
Posts: 18959
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Sanity check my firewall rules and other config

Mon Feb 27, 2023 3:13 pm

If it's working for you, great; I won't comment further, as the config is probably more complex than I am qualified to comment on...........
For example, no other config I have worked on or read requires an input chain rule for port 67, so no clue what you are doing there.
 
samea
just joined
Topic Author
Posts: 9
Joined: Tue Jan 31, 2023 7:33 pm

Re: Sanity check my firewall rules and other config

Mon Feb 27, 2023 7:16 pm

Looks like you are actually right. That port 67 rule seemed like a strange requirement and seemed to prevent using WG last night when I tested removing it. Now when testing it, everything is OK without it as far as I can tell. Probably I was too tired when debugging this yesterday and somehow screwed up the test... Or my VPN has some intermittent problems elsewhere.
