Community discussions

MikroTik App
 
SMalltimeSphere
just joined
Topic Author
Posts: 1
Joined: Tue Feb 21, 2023 7:33 pm

Firewall Block All Fwd/In/Out

Tue Feb 21, 2023 8:41 pm

Hello everyone,

New to the forum from a posting perspective however a reader of it everyday.

I'm trying to dig deep into MikroTik and at the moment I'm looking into firewall rules. By default as I understand it (on a device with no default config) the Firewall allows all traffic to flow. No rules are present. I'm trying to have complete control of what happens within this little device (hAP ac lite). What I mean by complete control is to start off with blocking rules and then build from there. Basically everything is blocked until I let the traffic flow.

I still have lots to read and figure out but would appreciate any ideas / thoughts / criticisms / advice on how to go about this setup.

Aim is to have isolated vlans that do not route together or have their respective gateway accessible
management vlan (I know the issues with vlan 1 / native vlan and will move this, the config is just me playing around)
Wireguard (I'm happy setting this up, have used for remote monitoring with Dude & access for winbox etc)


My main reason is for firewall recommendations as I seem to tie myself in knots.

Anyway, here's the config with a few rules.

# feb/21/2023 21:43:28 by RouterOS 7.7
# software id = KY97-NHSS
#
# model = RB952Ui-5ac2nD
# serial number = hahanowayisthistheserial
/interface bridge
add name=Bridge vlan-filtering=yes
/interface wireless
set [ find default-name=wlan1 ] mode=ap-bridge ssid=MikroTik \
wireless-protocol=802.11
set [ find default-name=wlan2 ] band=5ghz-a/n/ac country=\
"united arab emirates" mode=ap-bridge ssid="Live In Five" \
wireless-protocol=802.11
/interface wireguard
add listen-port=51800 mtu=1420 name=wireguardnl
/interface vlan
add interface=Bridge name=vlan10 vlan-id=10
add interface=Bridge name=vlan11 vlan-id=11
/interface list
add name=WAN
add name="Management(LAN)"
add name=VLAN
/interface wireless security-profiles
set [ find default=yes ] authentication-types=wpa-psk,wpa2-psk group-ciphers=\
tkip,aes-ccm mode=dynamic-keys supplicant-identity=MikroTik \
unicast-ciphers=tkip,aes-ccm
/ip hotspot profile
set [ find default=yes ] html-directory=hotspot
/ip pool
add name=Management ranges=10.10.100.101-10.10.100.200
add name="Vlan 10" ranges=10.10.101.101-10.10.101.200
add name="Vlan 11" ranges=10.10.102.101-10.10.102.200
/ip dhcp-server
add address-pool=Management interface=Bridge lease-time=10h10m name=\
Management
add address-pool="Vlan 10" interface=vlan10 lease-time=10h10m name="Vlan 10"
add address-pool="Vlan 11" interface=vlan11 lease-time=10h10m name="Vlan 11"
/interface bridge port
add bridge=Bridge interface=ether2
add bridge=Bridge interface=ether4 pvid=11
add bridge=Bridge disabled=yes interface=ether1
add bridge=Bridge interface=ether5 pvid=11
add bridge=Bridge interface=ether3
/interface bridge settings
set allow-fast-path=no
/ip firewall connection tracking
set enabled=yes loose-tcp-tracking=no
/ipv6 settings
set disable-ipv6=yes
/interface bridge vlan
add bridge=Bridge tagged=Bridge untagged=ether3 vlan-ids=10
add bridge=Bridge tagged=Bridge untagged=ether4,ether5 vlan-ids=11
/interface detect-internet
set internet-interface-list=WAN wan-interface-list=WAN
/interface list member
add interface=vlan10 list=VLAN
add interface=vlan11 list=VLAN
add interface=Bridge list="Management(LAN)"
add interface=ether1 list=WAN
add interface=wireguardnl list="Management(LAN)"
/interface wireguard peers
add allowed-address=0.0.0.0/0 endpoint-address=xxx.xxx.xxx.xxx endpoint-port=\
51800 interface=wireguardnl persistent-keepalive=15s public-key=\
"xxxxxxxxxxxxxxxxxxxxxxxxxxxx"
/ip address
add address=10.10.100.1/24 interface=Bridge network=10.10.100.0
add address=10.10.101.1/24 interface=vlan10 network=10.10.101.0
add address=10.10.102.1/24 interface=vlan11 network=10.10.102.0
add address=10.99.99.3/24 interface=wireguardnl network=10.99.99.0
/ip dhcp-client
add interface=wlan2
add interface=ether1
/ip dhcp-server network
add address=10.10.100.0/24 dns-server=10.10.100.1 gateway=10.10.100.1 \
netmask=24
add address=10.10.101.0/24 dns-server=10.10.101.1 gateway=10.10.101.1 \
netmask=24
add address=10.10.102.0/24 dns-server=10.10.102.1 gateway=10.10.102.1 \
netmask=24
/ip dns
set allow-remote-requests=yes servers=8.8.8.8
/ip firewall address-list
add address=10.10.100.0/24 list=Management
add address=10.10.101.0/24 list="Vlan 10"
add address=10.10.102.0/24 list="Vlan 11"
add address=10.10.100.0/24 list=vlans
add address=10.99.99.0/24 list=WG
add address=10.10.101.0/24 list=vlans
add address=10.10.102.0/24 list=vlans
add address=10.99.99.0/24 list=vlans
add address=10.10.101.0/24 list=User_VLans
add address=10.10.102.0/24 list=User_VLans
/ip firewall filter
add action=accept chain=input connection-state=established,related \
in-interface-list=WAN
add action=accept chain=forward connection-state=established,related,new \
out-interface-list=WAN src-address-list=Management
add action=accept chain=forward connection-state=established,related,new \
dst-address-list=Management in-interface-list=WAN
add action=accept chain=forward connection-state=established,related,new \
disabled=yes dst-address-list=Management src-address-list=Management
add action=accept chain=input connection-state=established,related,new \
dst-address-list=Management src-address-list=Management
add action=drop chain=forward comment="Drop ALL Forward"
add action=drop chain=input comment="Drop ALL INPUT"
/ip firewall nat
add action=masquerade chain=srcnat out-interface-list=WAN
/ip firewall raw
add action=accept chain=prerouting disabled=yes dst-address-list=Management \
src-address-list=Management
add action=accept chain=prerouting disabled=yes dst-address-list="Vlan 10" \
src-address-list="Vlan 10"
add action=accept chain=prerouting disabled=yes dst-address-list="Vlan 11" \
src-address-list="Vlan 11"
add action=accept chain=prerouting disabled=yes dst-address-list=WG \
src-address-list=Management
add action=accept chain=prerouting disabled=yes dst-address-list=WG \
src-address-list=WG
add action=drop chain=prerouting disabled=yes dst-address-list=vlans \
src-address-list=vlans
/system clock
set time-zone-name=Asia/Dubai
/tool mac-server
set allowed-interface-list="Management(LAN)"
/tool mac-server mac-winbox
set allowed-interface-list="Management(LAN)"



I'd appreciate your words MikroTik world

Thanks

Who is online

Users browsing this forum: Ahrefs [Bot], Amazon [Bot], itsbenlol and 73 guests