poseo9wsw
newbie
Topic Author
Posts: 48
Joined: Thu Feb 02, 2023 6:41 pm

CCR2004 Finally Working... now what do I do??

Sun Feb 05, 2023 6:42 pm

Starting out. This guide, after about 30 youtubers talking too fast and numerous web searches, was the first one that finally worked in terms of getting me a basic setup for using the internet with the CCR2004 router.

https://help.gowifi.co.nz/support/solut ... -to-finish

Thank you, author. It's obvious this router was not prosumer; the config was way harder than a Ubiquiti. That means there are probably a lot of next steps I need.

Can anyone point me to these "next steps" and next "must-dos", and can anyone help with:

How "good" is this firewall list? How can it be changed or improved?
0 - Drop invalid connections on the forward chain.
1 - Drop invalid connections on the input chain.
2 - Accept connections from the LAN on the input chain.
3 - Accept established connections on the input chain.
4 - Drop everything else on the input chain as we have allowed everything we want to allow.
5 - Accept connections from the LAN on the forward chain.
6 - Accept related connections on the forward chain.
7 - Accept established connections on the forward chain.
8 - Drop new connections on the forward chain from ether1 as we have allowed everything we want to allow.
I have read that "bridging is bad" - if true - this guide does that, what do I do?

My Cisco router has link aggregation, I would like to dedicate a few ports of the router for this on a dedicated IP, can anyone help with a good guide for it? Or just set the IP of 4 ports to "X" and point the link agg screen in the router to them?

Is there a way for this router to create a "network share" ---> have something that can be typed in an explorer window? Now I have \\nas\share... is there a way I can just go right to share?
 
anav
Forum Guru
Posts: 18961
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: CCR2004 Finally Working... now what do I do??

Sun Feb 05, 2023 11:43 pm

Post your config for advice.

/export file=anynameyouwish ( minus router serial number and any public WANIP information IP or gateway )
 
poseo9wsw
newbie
Topic Author
Posts: 48
Joined: Thu Feb 02, 2023 6:41 pm

Re: CCR2004 Finally Working... now what do I do??

Mon Feb 06, 2023 12:18 am

Thank you, please see here...


# feb/05/2023 16:15:24 by RouterOS 7.7
# software id = CPNV-JM5L
#
# model = CCR2004-16G-2S+
# serial number = ############
/interface bridge
add name=bridge1
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip pool
add name=dhcp_pool0 ranges=10.2.1.2-10.2.1.254
/ip dhcp-server
add address-pool=dhcp_pool0 interface=bridge1 lease-time=1h name=dhcp1
/port
set 0 name=serial0
set 1 name=serial1
/interface bridge port
add bridge=bridge1 interface=sfp-sfpplus1
/ip address
add address=10.2.1.1/24 interface=bridge1 network=10.2.1.0
/ip dhcp-client
add interface=ether1
/ip dhcp-server network
add address=10.2.1.0/24 dns-server=10.2.1.1 gateway=10.2.1.1
/ip dns
set allow-remote-requests=yes servers=8.8.8.8
/ip firewall address-list
add address=10.2.1.0/24 list=LAN
/ip firewall filter
add action=drop chain=forward connection-state=invalid
add action=drop chain=input connection-state=invalid
add action=accept chain=input src-address-list=LAN
add action=accept chain=input connection-state=established
add action=drop chain=input
add action=accept chain=forward connection-state=new src-address-list=LAN
add action=accept chain=forward connection-state=related
add action=accept chain=forward connection-state=established
add action=drop chain=forward in-interface=ether1
/ip firewall nat
add action=masquerade chain=srcnat out-interface=ether1
/system clock
set time-zone-name=
/system identity
set name="MikroTik CCR2004"
/system routerboard settings
set enter-setup-on=delete-key
 
anav
Forum Guru
Posts: 18961
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: CCR2004 Finally Working... now what do I do??

Mon Feb 06, 2023 1:04 am

(1) I would add,
/interface list
add name=WAN
add name=LAN

/interface list members
add interface=bridge1 list=LAN
add interface=ether1 list=WAN

(2) For a decent Firewall setup here ya go.
/ip firewall filter { order is critical and organization is good practice }
{Input Chain}
(Default rules)
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment="defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
(Admin Rules)
add action=accept chain=input comment="allow admin" in-interface-list=LAN src-address-list=TRUSTED { to configure router by admin } ***
add action=accept chain=input comment="users to Router services" in-interface-list=LAN dst-port=53 protocol=tcp
add action=accept chain=input comment="users to Router services" in-interface-list=LAN dst-port=53 protocol=udp
add action=drop chain=input comment="Drop all else" { this goes in last so you don't lock yourself out of the router }
{Forward Chain}
(Default Rules)
add action=accept chain=forward comment="defconf: accept in ipsec policy" ipsec-policy=in,ipsec { can remove if not doing ipsec }
add action=accept chain=forward comment="defconf: accept out ipsec policy" ipsec-policy=out,ipsec { can remove if not doing ipsec }
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related hw-offload=yes
add action=accept chain=forward comment="defconf: accept established,related, untracked" connection-state=established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
(Admin Rules)
add action=accept chain=forward comment="allow internet" in-interface-list=LAN out-interface-list=WAN
add action=accept chain=forward comment="port forwarding" connection-nat-state=dstnat { optional: can remove if you don't have servers }
add action=drop chain=forward comment="Drop all else"

*** Where firewall address list = TRUSTED contains any IP addresses the admin uses on the local LAN subnet, e.g.
( based on setting static leases )
/ip firewall address-list
add address=Admin_desktop-IP list=TRUSTED
add address=Admin_laptop-IP_wired list=TRUSTED
add address=Admin_laptop-IP_wifi list=TRUSTED
add address=Admin_iphone/ipad-IP list=TRUSTED
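As an added illustration (not part of this thread and not RouterOS code), here is a small Python model of the input chain above, evaluated first-match the way RouterOS does, so you can see which rule decides the fate of a given packet and why the final "Drop all else" has to stay last. The interface-list membership, the TRUSTED address 10.2.1.10, the Winbox port 8291 and the sample packets are constructed assumptions.

```python
# Added example (not from the thread, not RouterOS code): a first-match model of the
# input chain posted above. Interface lists, address lists and packet fields are
# simplified assumptions; fasttrack, the forward chain and most matchers are omitted.
INTERFACE_LISTS = {"LAN": {"bridge1"}, "WAN": {"ether1"}}  # /interface list members
ADDRESS_LISTS = {"TRUSTED": {"10.2.1.10"}}  # constructed: admin desktop static lease

def rule(action, **match):
    return (action, match)

INPUT_CHAIN = [
    rule("accept", state={"established", "related", "untracked"}),
    rule("drop", state={"invalid"}),
    rule("accept", proto="icmp"),
    rule("accept", dst="127.0.0.1"),
    rule("accept", in_list="LAN", src_list="TRUSTED"),  # allow admin
    rule("accept", in_list="LAN", proto="tcp", dport=53),
    rule("accept", in_list="LAN", proto="udp", dport=53),
    rule("drop"),  # "Drop all else": must stay last
]

def _matches(match, pkt):
    for key, want in match.items():
        if key == "state":
            ok = pkt["state"] in want
        elif key == "in_list":
            ok = pkt["in_if"] in INTERFACE_LISTS[want]
        elif key == "src_list":
            ok = pkt["src"] in ADDRESS_LISTS[want]
        else:
            ok = pkt.get(key) == want
        if not ok:
            return False
    return True

def verdict(chain, pkt):
    """Action of the first matching rule. A packet that matches nothing is
    accepted, as in RouterOS, which is why the explicit final drop matters."""
    for action, match in chain:
        if _matches(match, pkt):
            return action
    return "accept"

def pkt(state, proto, dport, src, in_if, dst="10.2.1.1"):
    return dict(state=state, proto=proto, dport=dport, src=src, in_if=in_if, dst=dst)

# Constructed packets: Winbox (TCP 8291) to the router from three sources, plus DNS.
ADMIN_WINBOX = pkt("new", "tcp", 8291, "10.2.1.10", "bridge1")
USER_WINBOX = pkt("new", "tcp", 8291, "10.2.1.50", "bridge1")
USER_DNS = pkt("new", "udp", 53, "10.2.1.50", "bridge1")
WAN_WINBOX = pkt("new", "tcp", 8291, "203.0.113.5", "ether1")
```

Evaluating `INPUT_CHAIN[:-1]` (the same chain without its last rule) against `WAN_WINBOX` returns "accept", which is the lock-out-free but wide-open state the "Drop all else" rule exists to prevent.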
 
poseo9wsw
newbie
Topic Author
Posts: 48
Joined: Thu Feb 02, 2023 6:41 pm

Re: CCR2004 Finally Working... now what do I do??

Mon Feb 06, 2023 4:11 am


(2) For a decent Firewall setup here ya go.
/ip firewall filter { order is critical and organization is good practice }
{Input Chain}
(Default rules)
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment="defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
(Admin Rules)
add action=accept chain=input comment="allow admin" in-interface-list=LAN src-address-list=TRUSTED { to configure router by admin } ***
add action=accept chain=input comment="users to Router services" in-interface-list=LAN dst-port=53 protocol=tcp
add action=accept chain=input comment="users to Router services" in-interface-list=LAN dst-port=53 protocol=udp
add action=drop chain=input comment="Drop all else" { this goes in last so you don't lock yourself out of the router }
{Forward Chain}
(Default Rules)
add action=accept chain=forward comment="defconf: accept in ipsec policy" ipsec-policy=in,ipsec { can remove if not doing ipsec }
add action=accept chain=forward comment="defconf: accept out ipsec policy" ipsec-policy=out,ipsec { can remove if not doing ipsec }
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related hw-offload=yes
add action=accept chain=forward comment="defconf: accept established,related, untracked" connection-state=established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
(Admin Rules)
add action=accept chain=forward comment="allow internet" in-interface-list=LAN out-interface-list=WAN
add action=accept chain=forward comment="port forwarding" connection-nat-state=dstnat { optional: can remove if you don't have servers }
add action=drop chain=forward comment="Drop all else"

*** Where firewall address list = TRUSTED contains any IP addresses the admin uses on the local LAN subnet, e.g.
( based on setting static leases )
/ip firewall address-list
add address=Admin_desktop-IP list=TRUSTED
add address=Admin_laptop-IP_wired list=TRUSTED
add address=Admin_laptop-IP_wifi list=TRUSTED
add address=Admin_iphone/ipad-IP list=TRUSTED

You mean replace the one I shared, right? Can you comment on it versus the one you posted? I would like to understand the firewall setup better because it tends to cause a lot of problems down the road.

Many thanks for the reply.
 
poseo9wsw
newbie
Topic Author
Posts: 48
Joined: Thu Feb 02, 2023 6:41 pm

Re: CCR2004 Finally Working... now what do I do??

Mon Feb 06, 2023 4:15 am

I mean to ask another follow up question...

With this setup, are all ports basically "dead" except for the 2 allocated?
 
anav
Forum Guru
Posts: 18961
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: CCR2004 Finally Working... now what do I do??

Mon Feb 06, 2023 6:40 am

An exercise for you is to understand each firewall rule and what it does.

You only allocated sfp-sfpplus1 to the bridge and ether1 to the WAN.
To ensure the other ports are not active, disable them in the interface menu.
 
poseo9wsw
newbie
Topic Author
Posts: 48
Joined: Thu Feb 02, 2023 6:41 pm

Re: CCR2004 Finally Working... now what do I do??

Wed Feb 08, 2023 3:39 am

Thank you.

In configuring the following rule:

add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related hw-offload=yes

Where is this setting? It's not under any of the config menus that I see. I tried to run this from the command line and get errors; the other rules worked via the GUI. Is there some component that is not present yet that would allow for this offload setting?
 
anav
Forum Guru
Posts: 18961
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: CCR2004 Finally Working... now what do I do??

Wed Feb 08, 2023 5:09 am

If it's not available on that device, just don't put in that part of the command...
