moveik
Frequent Visitor
Topic Author
Posts: 54
Joined: Tue Nov 24, 2020 1:16 am

Commands in "Building Your First Firewall" conflict with VPN?

Sat Feb 04, 2023 6:25 pm

There is a Help page titled "Building Your First Firewall".
URL:
https://help.mikrotik.com/docs/display/ ... t+Firewall

It includes commands for the IPv4 "forward" chain.
Don't some of these commands block VPN traffic that comes from WAN to LAN?
Especially the following 3 commands:
add action=drop chain=forward comment="Drop tries to reach not public addresses from LAN" dst-address-list=not_in_internet in-interface=bridge log=yes log-prefix=!public_from_LAN out-interface=!bridge

add action=drop chain=forward comment="Drop incoming packets that are not NAT`ted" connection-nat-state=!dstnat connection-state=new in-interface=ether1 log=yes log-prefix=!NAT

add action=drop chain=forward comment="Drop incoming from internet which is not public IP" in-interface=ether1 log=yes log-prefix=!public src-address-list=not_in_internet
 
anav
Forum Guru
Posts: 18959
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Commands in "Building Your First Firewall" conflict with VPN?

Sat Feb 04, 2023 7:10 pm

Keep it simple.....
Start with this,
/ip firewall filter
{Input Chain}
(good default rules)
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment="defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
(Admin Rules)
add action=accept chain=input in-interface-list=LAN src-address-list=Admin comment="Admin to Config Router" ***
add action=accept chain=input in-interface-list=LAN dst-port=53 protocol=tcp comment="DNS services"
add action=accept chain=input in-interface-list=LAN dst-port=53 protocol=udp comment="DNS services"
add action=drop chain=input comment="drop all else"
{forward chain}
(Default rules)
add action=accept chain=forward comment="defconf: accept in ipsec policy" ipsec-policy=in,ipsec { not required if not doing ipsec }
add action=accept chain=forward comment="defconf: accept out ipsec policy" ipsec-policy=out,ipsec { not required if not doing ipsec }
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related
add action=accept chain=forward comment="defconf: accept established,related, untracked" connection-state=established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
(Admin Rules)
add action=accept chain=forward comment="allow internet traffic" in-interface-list=LAN out-interface-list=WAN
add action=accept chain=forward connection-nat-state=dstnat comment="port forwarding" { not required if not doing port forwarding }
add action=drop chain=forward comment="drop all else"
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" ipsec-policy=out,none out-interface-list=WAN


*** NOTE: Admin is a firewall address list- example:
add address=IP_Desktop list=Admin
add address=IP_Laptop-wired list=Admin
add address=IP_Ipad/Iphone-wired list=Admin
add address=IP_Wireguard-laptop-remote list=Admin
add address=IP_Wireguard-ipad/iphone-remote list=Admin

If you have additional accept traffic requirements then put them under the user rules, before the drop rule.
Ex. Router is acting as wireguard server for initial handshake.
add action=accept chain=input dst-port=wireguard_listening_port protocol=udp

Ex. You have three vlans all separated, but a shared printer on one of the vlans......
add action=accept chain=forward in-interface-list=LAN dst-address=IP_Printer
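As an added illustration of the ordering point above (extra accepts go before the chain's final drop), this is a small Python checker, not code from the post or from MikroTik, that parses `add ...` filter lines and flags any rule placed after its chain's catch-all drop. The sample ruleset is constructed: the forward chain from the post with the printer accept wrongly appended after "drop all else".

```python
import re
from typing import Dict, List

# Constructed sample: forward chain from the post, plus one accept rule
# mistakenly appended after the catch-all drop (it would never match).
SAMPLE_RULES = """\
/ip firewall filter
add action=accept chain=forward comment="defconf: accept established,related, untracked" connection-state=established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=forward comment="allow internet traffic" in-interface-list=LAN out-interface-list=WAN
add action=drop chain=forward comment="drop all else"
add action=accept chain=forward in-interface-list=LAN dst-address=IP_Printer
"""

# key=value pairs; a quoted value may contain spaces, an unquoted one may not
TOKEN = re.compile(r'(\w[\w-]*)=("[^"]*"|\S+)')

# properties that do not narrow what a rule matches
NON_MATCHERS = {"action", "chain", "comment", "log", "log-prefix", "disabled"}


def parse_rule(line: str) -> Dict[str, str]:
    """Turn one 'add key=value ...' line into a dict (quotes stripped)."""
    return {k: v.strip('"') for k, v in TOKEN.findall(line)}


def is_catch_all_drop(rule: Dict[str, str]) -> bool:
    """A drop rule with no matcher at all ends its chain for everything."""
    return rule.get("action") == "drop" and not (set(rule) - NON_MATCHERS)


def find_shadowed_rules(text: str) -> List[int]:
    """Return 1-based line numbers of rules that follow their chain's catch-all drop."""
    closed_chains = set()
    shadowed = []
    for n, line in enumerate(text.splitlines(), 1):
        if not line.startswith("add "):
            continue  # menu paths, comments, blank lines
        rule = parse_rule(line)
        chain = rule.get("chain", "")
        if chain in closed_chains:
            shadowed.append(n)  # unreachable: the drop above already matched
        elif is_catch_all_drop(rule):
            closed_chains.add(chain)
    return shadowed


if __name__ == "__main__":
    print("shadowed rule lines:", find_shadowed_rules(SAMPLE_RULES))
```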
 
moveik
Frequent Visitor
Topic Author
Posts: 54
Joined: Tue Nov 24, 2020 1:16 am

Re: Commands in "Building Your First Firewall" conflict with VPN?

Sat Feb 11, 2023 10:15 pm

Keep it simple.....
Start with this,
/ip firewall filter
{Input Chain}
(good default rules)
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment="defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
(Admin Rules)
add action=accept chain=input in-interface-list=LAN src-address-list=Admin comment="Admin to Config Router" ***
add action=accept chain=input in-interface-list=LAN dst-port=53 protocol=tcp comment="DNS services"
add action=accept chain=input in-interface-list=LAN dst-port=53 protocol=udp comment="DNS services"
add action=drop chain=input comment="drop all else"
{forward chain}
(Default rules)
add action=accept chain=forward comment="defconf: accept in ipsec policy" ipsec-policy=in,ipsec { not required if not doing ipsec }
add action=accept chain=forward comment="defconf: accept out ipsec policy" ipsec-policy=out,ipsec { not required if not doing ipsec }
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related
add action=accept chain=forward comment="defconf: accept established,related, untracked" connection-state=established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
(Admin Rules)
add action=accept chain=forward comment="allow internet traffic" in-interface-list=LAN out-interface-list=WAN
add action=accept chain=forward connection-nat-state=dstnat comment="port forwarding" { not required if not doing port forwarding }
add action=drop chain=forward comment="drop all else"
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" ipsec-policy=out,none out-interface-list=WAN


*** NOTE: Admin is a firewall address list- example:
add address=IP_Desktop list=Admin
add address=IP_Laptop-wired list=Admin
add address=IP_Ipad/Iphone-wired list=Admin
add address=IP_Wireguard-laptop-remote list=Admin
add address=IP_Wireguard-ipad/iphone-remote list=Admin

If you have additional accept traffic requirements then put them under the user rules, before the drop rule.
Ex. Router is acting as wireguard server for initial handshake.
add action=accept chain=input dst-port=wireguard_listening_port protocol=udp

Ex. You have three vlans all separated, but a shared printer on one of the vlans......
add action=accept chain=forward in-interface-list=LAN dst-address=IP_Printer

Thanks for the post, it was really helpful.
It took me some time to reply; I had many issues to handle and preferred to study it better instead of writing a meaningless reply.

Two questions:

1.
Regarding the command that you have written:
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related
I noticed that "hw-offload=yes" is missing from it.
Meaning, it could be changed to:
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related hw-offload=yes
Was it intentional?

Source:
https://help.mikrotik.com/docs/display/ ... onnections


2. For the input chain, I want to allow Admin only on a specific interface, e.g. 'ether1'.
The problem is that 'ether1' is associated with the LAN bridge (which includes additional ports).
How is this kind of thing normally solved?
Should I create a dedicated bridge for the admin
(and assign a dhcp-client for that bridge, etc.)?





Regarding scripting it (for anyone that reads it in the future):

I need to remove all firewall rules before trying to build my own firewall.

The following command removes the firewall rules:
Either:
/ip firewall filter remove [/ip firewall filter find dynamic=no] 
or:
/ip firewall filter remove [find dynamic=no]
Source:
viewtopic.php?t=181357#p898691
 
anav
Forum Guru
Posts: 18959
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Commands in "Building Your First Firewall" conflict with VPN?

Sun Feb 12, 2023 4:17 am

If you don't have vlans and only a bridge......

Then simply
add chain=input action=accept in-interface=bridge src-address-list=AdminAccess

The rule I gave above, which does not presume your setup, also works because in-interface-list=LAN is followed by src-address=AdminAccess.

Make the IPs in the firewall address list (all the IPs the admin may use: desktop, laptop, iPhone, etc.) static DHCP leases, and then you can access just fine.

So don't worry about where the admin is coming from; just ensure that his relevant IPs are noted in a firewall address list.

No, I was not being specific on HW entries; whatever the default is, I normally don't touch that setting at all.
 
moveik
Frequent Visitor
Topic Author
Posts: 54
Joined: Tue Nov 24, 2020 1:16 am

Re: Commands in "Building Your First Firewall" conflict with VPN?

Sun Feb 12, 2023 9:43 am

If you don't have vlans and only a bridge......

Then simply
add chain=input action=accept in-interface=bridge src-address-list=AdminAccess

The rule I gave above, which does not presume your setup, also works because in-interface-list=LAN is followed by src-address=AdminAccess.

Make the IPs in the firewall address list (all the IPs the admin may use: desktop, laptop, iPhone, etc.) static DHCP leases, and then you can access just fine.

So don't worry about where the admin is coming from; just ensure that his relevant IPs are noted in a firewall address list.
Static IP addresses require a MAC address.
If, for some reason, I can no longer connect with the hardware of that MAC address, then I am locked out of admin access.
That could happen, for example, if the hardware fails to operate (a power outage could damage the hardware).
This is why I am looking for some more robust approach.
The VLAN approach seems reasonable; I'll research it.

No, I was not being specific on HW entries; whatever the default is, I normally don't touch that setting at all.
Ok


Thank you anav
 
anav
Forum Guru
Posts: 18959
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Commands in "Building Your First Firewall" conflict with VPN?

Sun Feb 12, 2023 3:16 pm

If you are worried about MAC address failure, it's a false fear.

For example, when I make up the AdminAccess src list,
it includes the IP of the desktop,
the IP of the laptop,
the IP of the iPhone.

In other words, I have multiple devices with which to gain access.

For emergency config I always create an off-bridge ether port with only a subnet address identified. I could narrow it down to 192.168.55.5, for example, with NO MAC assigned.
So any IP I choose can gain entry, or if I narrow it down to 55.5, that will work too. I just set IPv4 on the laptop to 192.168.55.X or 55.5 and I am in. It's why it's called emergaccess LOL.
No reliance on MAC on this one.

Finally, you can easily spoof a MAC address, so write down your PC or laptop MAC address for future need if required.
 
moveik
Frequent Visitor
Topic Author
Posts: 54
Joined: Tue Nov 24, 2020 1:16 am

Re: Commands in "Building Your First Firewall" conflict with VPN?

Sun Feb 12, 2023 4:49 pm

If you are worried about MAC address failure, it's a false fear.

For example, when I make up the AdminAccess src list,
it includes the IP of the desktop,
the IP of the laptop,
the IP of the iPhone.

In other words, I have multiple devices with which to gain access.
In the meantime I'm interested in only one device having admin access.
For emergency config I always create an off-bridge ether port with only a subnet address identified. I could narrow it down to 192.168.55.5, for example, with NO MAC assigned.
So any IP I choose can gain entry, or if I narrow it down to 55.5, that will work too. I just set IPv4 on the laptop to 192.168.55.X or 55.5 and I am in. It's why it's called emergaccess LOL.
No reliance on MAC on this one.
Regarding:
"offbridge etherport with only a subnet address identified"
I don't completely understand what this is.
If it is very simple, could you please explain or show the command for creating this?
 
anav
Forum Guru
Posts: 18959
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Commands in "Building Your First Firewall" conflict with VPN?

Sun Feb 12, 2023 5:04 pm

(1) When defining interfaces, give your ether port a name.

/interface ethernet
set [ find default-name=ether1 ]
set [ find default-name=ether2 ]
set [ find default-name=ether3 ] name=ether3-EmergAccess


(2) Ensure it's not part of the bridge
/interface bridge port
add bridge=Bridge interface=ether1
add bridge=Bridge interface=ether2
add bridge=Bridge interface=ether4
add bridge=Bridge interface=ether5


(3) Give the ether port an IP address
/ip address
add address=192.168.1.1/24 interface=bridge network=192.168.1.0
add address=192.168.55.1/24 interface=ether3-EmergAccess network=192.168.55.0


DONE
+++++++++++++++++++++++++++++++++++

(4) To finish off, ensure the ether port is part of your TRUSTED or MANAGEMENT interface list.
/interface list members
add interface=ether3-EmergAccess list=MANAGE


(5) Include the subnet in your source address firewall list called AdminAccess; two options:

/ip firewall address-list
add address=192.168.55.0/24 list=AdminAccess
OR
add address=192.168.55.5 list=AdminAccess { just have to remember what you set it to, so as to set the laptop IPv4 settings to the right IP address }
