Kokkikaks
just joined
Topic Author
Posts: 14
Joined: Thu Feb 23, 2023 11:00 pm

Are my firewall rules in correct order

Fri Feb 24, 2023 6:27 pm

Hello all. Just switched from an old Google Nest mesh network as support ran out. I've discovered MikroTik and wasn't discouraged by the steep learning curve. However, as a lot rides on a good FW setup, I would much appreciate feedback on what I have made. I have not searched the forum or watched 1000 YouTube videos as I wouldn't know if it would be worth using in my SOHO network. We are just a family of 5 where the 3 are young teenagers hauling home friends for LAN parties etc. I think you get the picture. So I've made some VLANs but it's mostly the firewall order I might have doubts about.

Thx in advance for all the help and especially suggestions for changes I should make or add.
Cheers from Denmark and sorry if I've pasted the wrong info
# feb/25/2023 08:00:54 by RouterOS 7.7
# software id = MWKQ-T6XU
#
# model = RB5009UG+S+
# serial number = xxxxxxxxx

/interface bridge
add name=Bridge_VLAN20_IoT
add name=Bridge_VLAN30_Guest
add admin-mac=xxxxxxxxxxxxx auto-mac=no name=LAN_Bridge

/interface ethernet
set [ find default-name=ether2 ] mac-address=xxxxxxxxxxxxx

/interface wireguard
add listen-port=13231 mtu=1420 name="WireGuard MikroTik"

/interface vlan
add interface=ether5 name=VLAN20_Eth5_IoT vlan-id=20
add interface=ether5 name=VLAN30_Eth5_Guest vlan-id=30

/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik

/ip pool
add name="DHCP LAN" ranges=10.0.0.100-10.0.0.254
add name="DHCP VLAN20" ranges=10.0.20.150-10.0.20.254
add name="DHCP VLAN30" ranges=10.0.30.150-10.0.30.254

/ip dhcp-server
add address-pool="DHCP VLAN20" interface=Bridge_VLAN20_IoT lease-time=1d \
    name="DHCP VLAN20"
add address-pool="DHCP VLAN30" interface=Bridge_VLAN30_Guest lease-time=1d \
    name="DHCP VLAN30"
add address-pool="DHCP LAN" interface=LAN_Bridge lease-time=1d name=\
    "DHCP Standard"

/interface bridge port
add bridge=Bridge_VLAN20_IoT comment=defconf interface=ether3
add bridge=LAN_Bridge comment=defconf interface=ether4
add bridge=LAN_Bridge comment=defconf interface=ether5
add bridge=LAN_Bridge comment=defconf interface=ether6
add bridge=Bridge_VLAN20_IoT comment=defconf interface=ether7
add bridge=LAN_Bridge comment=defconf interface=ether8
add bridge=Bridge_VLAN20_IoT interface=VLAN20_Eth5_IoT
add bridge=Bridge_VLAN30_Guest interface=VLAN30_Eth5_Guest

/ip neighbor discovery-settings
set discover-interface-list=LAN
/ipv6 settings
set disable-ipv6=yes

/interface list member
add interface=LAN_Bridge list=LAN
add interface=ether2 list=WAN
add interface="WireGuard MikroTik" list=LAN

/interface wireguard peers
add allowed-address=172.22.0.2/32 interface="WireGuard MikroTik" public-key=\
    "xxxxxxxxxxxxxxxxxxxxxxxxx"
add allowed-address=172.22.0.3/32 interface="WireGuard MikroTik" public-key=\
    "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx"

/ip address
add address=10.0.0.1/24 comment="DHCP Standard" interface=LAN_Bridge network=\
    10.0.0.0
add address=10.0.20.1/24 comment="VLAN IoT" interface=Bridge_VLAN20_IoT \
    network=10.0.20.0
add address=10.0.30.1/24 comment="VLAN Guest" interface=Bridge_VLAN30_Guest \
    network=10.0.30.0
add address=172.22.0.1/24 comment=WireGuard interface="WireGuard MikroTik" \
    network=172.22.0.0

/ip dhcp-client
add dhcp-options=clientid,hostname interface=ether2 use-peer-dns=no

/ip dhcp-server network
add address=10.0.0.0/24 dns-server=10.0.0.10 gateway=10.0.0.1
add address=10.0.20.0/24 dns-server=10.0.0.10 gateway=10.0.20.1
add address=10.0.30.0/24 dns-server=10.0.0.10 gateway=10.0.30.1

/ip dns
set allow-remote-requests=yes servers=10.0.0.10

/ip firewall address-list
add address=10.0.0.0/24 list=AllowWinBox

/ip firewall filter
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment=WireGuard dst-port=13231 protocol=udp
add action=accept chain=input comment=\
    "defconf: accept to local loopback (for CAPsMAN)" disabled=yes \
    dst-address=127.0.0.1
add action=add-src-to-address-list address-list=Blacklist \
    address-list-timeout=1d chain=input dst-port=666 in-interface-list=WAN \
    log=yes protocol=tcp
add action=drop chain=input comment="Drop connections from blacklist" \
    in-interface-list=WAN src-address-list=Blacklist
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
    in-interface-list=!LAN
add action=accept chain=input comment="Allow WinBox from LAN" dst-port=8291 \
    in-interface-list=LAN log-prefix=winbox protocol=tcp src-address-list=\
    AllowWinBox
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
    connection-state=established,related hw-offload=yes
add action=accept chain=forward comment=\
    "defconf: accept established,related, untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
add action=accept chain=forward comment="Allow access to print from VLAN30" \
    dst-address=10.0.0.3 src-address=10.0.30.0/24
add action=accept chain=forward comment=\
    "Allow access from HMHPhone to Phillips Hue" dst-address=10.0.0.4 \
    src-address=10.0.20.249
add action=accept chain=forward comment=\
    "Allow DNS requests from VLAN20 --> 10.0.0.10" dst-address=10.0.0.10 \
    dst-port=53 in-interface=Bridge_VLAN20_IoT out-interface=LAN_Bridge \
    protocol=udp src-address=10.0.20.0/24
add action=accept chain=forward comment=\
    "Allow DNS requests from VLAN30 --> 10.0.0.10" dst-address=10.0.0.10 \
    dst-port=53 in-interface=Bridge_VLAN30_Guest out-interface=LAN_Bridge \
    protocol=udp src-address=10.0.30.0/24
add action=drop chain=forward comment="Drop external DNS requests" dst-port=\
    53 log=yes log-prefix="DNS Drop" protocol=tcp src-address=!10.0.0.10
add action=drop chain=forward comment="Drop external DNS requests" dst-port=\
    53 log=yes log-prefix="DNS Drop" protocol=udp src-address=!10.0.0.10
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
    disabled=yes ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
    disabled=yes ipsec-policy=out,ipsec
add action=drop chain=forward comment=\
    "defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
    connection-state=new in-interface-list=WAN

/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" \
    ipsec-policy=out,none out-interface-list=WAN

/ip firewall raw
add action=drop chain=prerouting comment=Russia log=yes log-prefix=IPRussia \
    src-address-list=IPScope-Russia
add action=drop chain=prerouting comment=Belarus log=yes log-prefix=IPRussia \
    src-address-list=IPScope-Belarus
add action=drop chain=prerouting comment=Turkey log=yes log-prefix=IPTurkey \
    src-address-list=IPScope-Turkey
add action=drop chain=prerouting comment=Iran log=yes log-prefix=IPIran \
    src-address-list=IPScope-Iran
add action=drop chain=prerouting comment=China log=yes log-prefix=IPChina \
    src-address-list=IPScope-China
add action=drop chain=prerouting comment=Brazil log=yes log-prefix=IPBrazil \
    src-address-list=IPScope-Brazil
add action=drop chain=prerouting comment=Iraq log=yes log-prefix=IPBrazil \
    src-address-list=IPScope-Iraq
add action=drop chain=prerouting comment=Sudan log=yes log-prefix=IPSudan \
    src-address-list=IPScope-Sudan
add action=drop chain=prerouting comment="South Sudan" log=yes log-prefix=\
    IPSouthSudan src-address-list=IPScope-SouthSudan

/ip firewall service-port
set ftp disabled=yes
set tftp disabled=yes
set h323 disabled=yes
set sip disabled=yes
set pptp disabled=yes

/ip route
add disabled=no dst-address=10.0.0.10 gateway=10.0.0.6 routing-table=main \
    suppress-hw-offload=no

/ip service
set telnet disabled=yes
set ftp disabled=yes
set ssh disabled=yes
set www-ssl disabled=no
set api disabled=yes
set api-ssl disabled=yes

/system clock
set time-zone-name=Europe/Copenhagen

/system identity
set name=

/system ntp client
set enabled=yes

/system ntp client servers
add address=time.google.com

/system package update
set channel=testing

/tool mac-server
set allowed-interface-list=LAN

/tool mac-server mac-winbox
set allowed-interface-list=LAN

 
anav
Forum Guru
Posts: 19325
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Are my firewall rules in correct order

Sat Feb 25, 2023 6:04 pm

Skol !!

(1) You only need one bridge, separation at layer2 (mac address) is achieved due to being vlans and separation at layer3 (IP address) is achieved by Firewall Rules.
KISS

(2) VLANS parent interface is the bridge.......

(3) Once you have vlans, it's much easier, and consistent, to use vlans for all subnets ( and have the bridge just do bridging ) KISS!!

(4) The real gross error was assigning your vlans as if they were WLANs or ports, in the bridge port settings. This is what happens when you make a config more complex or convoluted than necessary!!!
add bridge=Bridge_VLAN20_IoT interface=VLAN20_Eth5_IoT
add bridge=Bridge_VLAN30_Guest interface=VLAN30_Eth5_Guest


(5) On that note it's clear you have a smart device on ether5 that can read vlans. All smart devices should get their IP on the trusted subnet, in this case HOMELAN.
Thus you need three vlans to go to ether5: vlan10 to manage the device and vlans 20,30 for users.

(6) In terms of access to the router for config purposes, a better firewall address list is needed. Identifying a whole subnet is useless as not all members of the HOME LAN are the admin.
Much better to limit access to those that need it.
I'm assuming that in this case you actually use the wireguard as a way to remotely access the router to configure it........

(7) Along with number (6) it should be noted that your rules made no logical sense, in that first you allowed ALL LAN users to access the input chain and then the next rule tried to narrow it down to only a source address list. TOO LATE and wrong order........ and too wide open for users. As noted I fixed the source address list to finite IP addresses the admin may use, while allowing users to access needed services.!! ----> Oh and get rid of crap rules. blacklist etc........... not required.

(8) Delete RAW not required, and bad advice............ and not effective.


FIXED, mainly changes shown
/interface bridge
add name=Bridge vlan-filtering=yes
# enable vlan-filtering as the last step in the config

/interface vlan
add interface=Bridge name=HOME10 vlan-id=10
add interface=Bridge name=VLAN20_Eth5_IoT vlan-id=20
add interface=Bridge name=VLAN30_Eth5_Guest vlan-id=30

/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
add name=MANAGE
add name=DNS

/ip dhcp-server
add address-pool="DHCP VLAN20" interface=VLAN20_Eth5_IoT lease-time=1d \
    name="DHCP VLAN20"
add address-pool="DHCP VLAN30" interface=VLAN30_Eth5_Guest lease-time=1d \
    name="DHCP VLAN30"
add address-pool="DHCP LAN" interface=HOME10 lease-time=1d name=\
    "DHCP Standard"

/interface bridge port
add bridge=Bridge ingress-filtering=yes frame-types=admit-only-untagged-and-priority-tagged interface=ether3 pvid=20
add bridge=Bridge ingress-filtering=yes frame-types=admit-only-untagged-and-priority-tagged interface=ether4 pvid=10
add bridge=Bridge ingress-filtering=yes frame-types=admit-only-vlan-tagged interface=ether5
add bridge=Bridge ingress-filtering=yes frame-types=admit-only-untagged-and-priority-tagged interface=ether6 pvid=10
add bridge=Bridge ingress-filtering=yes frame-types=admit-only-untagged-and-priority-tagged interface=ether7 pvid=20
add bridge=Bridge ingress-filtering=yes frame-types=admit-only-untagged-and-priority-tagged interface=ether8 pvid=10

/interface bridge vlan
add bridge=Bridge tagged=Bridge,ether5 untagged=ether4,ether6,ether8 vlan-ids=10
add bridge=Bridge tagged=Bridge,ether5 untagged=ether3,ether7 vlan-ids=20
add bridge=Bridge tagged=Bridge,ether5 vlan-ids=30

/ip neighbor discovery-settings
set discover-interface-list=MANAGE

/interface list member
add interface=ether2 list=WAN
add interface=HOME10 list=LAN
add interface=VLAN20_Eth5_IoT list=LAN
add interface=VLAN30_Eth5_Guest list=LAN
add interface="WireGuard MikroTik" list=LAN
add interface=HOME10 list=MANAGE
add interface="WireGuard MikroTik" list=MANAGE
add interface=VLAN20_Eth5_IoT list=DNS
add interface=VLAN30_Eth5_Guest list=DNS

/ip address
add address=10.0.0.1/24 comment="DHCP Standard" interface=HOME10 network=\
    10.0.0.0
add address=10.0.20.1/24 comment="VLAN IoT" interface=VLAN20_Eth5_IoT \
    network=10.0.20.0
add address=10.0.30.1/24 comment="VLAN Guest" interface=VLAN30_Eth5_Guest \
    network=10.0.30.0
add address=172.22.0.1/24 comment=WireGuard interface="WireGuard MikroTik" \
    network=172.22.0.0

/ip firewall address-list
# set the admin devices static at DHCP leases first
add address=Admin-Desktop_IP list=AllowWinBox
add address=Admin-Laptop_IP list=AllowWinBox
add address=Admin-Iphone/Ipad list=AllowWinBox
add address=172.22.0.2/32 comment="admin remote access laptop" list=AllowWinBox
add address=172.22.0.3/32 comment="admin remote access Iphone/IPad" list=AllowWinBox

/ip firewall filter
# mostly good
# Input chain
# default rules
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment=\
    "defconf: accept to local loopback (for CAPsMAN)" disabled=yes \
    dst-address=127.0.0.1
# admin rules
add action=accept chain=input comment=WireGuard dst-port=13231 protocol=udp
add action=accept chain=input comment="admin access" in-interface-list=MANAGE src-address-list=AllowWinBox
add action=accept chain=input comment="user services" in-interface-list=LAN dst-port=53 protocol=udp
add action=accept chain=input comment="user services" in-interface-list=LAN dst-port=53 protocol=tcp
# CAUTION: enter this as the last rule so that you don't lock yourself out
add action=drop chain=input comment="drop all else"
# Forward chain
# default rules
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
    connection-state=established,related hw-offload=yes
add action=accept chain=forward comment=\
    "defconf: accept established,related, untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
# admin rules
add action=accept chain=forward comment="internet traffic" in-interface-list=LAN out-interface-list=WAN
add action=accept chain=forward comment="DNS access" in-interface-list=DNS dst-address=10.0.0.10
add action=accept chain=forward comment="Allow access to print from VLAN30" \
    dst-address=10.0.0.3 src-address=10.0.30.0/24
add action=accept chain=forward comment=\
    "Allow access from HMHPhone to Phillips Hue" dst-address=10.0.0.4 \
    src-address=10.0.20.249
add action=drop chain=forward comment="drop all else"

/tool mac-server
set allowed-interface-list=none

/tool mac-server mac-winbox
set allowed-interface-list=MANAGE
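To make the ordering point in (7) concrete, here is an added Python first-match evaluator (not from anav's post or from RouterOS) that replays the original input chain and the fixed one against a few constructed packets. It assumes 10.0.0.50 is an admin desktop and 10.0.0.77 a family laptop, and places the IoT VLAN in the LAN list as the fixed config does.

```python
import ipaddress

# Constructed interface lists and address lists mirroring the thread's two
# configs. 10.0.0.50 (admin desktop) and 10.0.0.77 (family laptop) are
# assumed sample hosts; the WireGuard peer addresses come from the post.
IFACE_LISTS = {
    "LAN": {"LAN_Bridge", "HOME10", "VLAN20_Eth5_IoT", "WireGuard MikroTik"},
    "WAN": {"ether2"},
    "MANAGE": {"HOME10", "WireGuard MikroTik"},
}
ADDR_LISTS = {
    "AllowWinBox_original": ["10.0.0.0/24"],          # whole subnet, too wide
    "AllowWinBox_fixed": ["10.0.0.50/32", "172.22.0.2/32", "172.22.0.3/32"],
}


def in_addr_list(ip, list_name):
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(n) for n in ADDR_LISTS[list_name])


def rule_matches(rule, pkt):
    """True when every matcher present in the rule matches the packet."""
    for key, want in rule.items():
        if key in ("action", "comment"):
            continue
        if key == "connection-state":
            if pkt["state"] not in want:
                return False
        elif key == "in-interface-list":
            negate = want.startswith("!")
            member = pkt["in"] in IFACE_LISTS[want.lstrip("!")]
            if member == negate:            # "!LAN" matches only non-members
                return False
        elif key == "src-address-list":
            if not in_addr_list(pkt["src"], want):
                return False
        elif pkt.get(key) != want:          # protocol, dst-port
            return False
    return True


def evaluate(chain, pkt):
    """First matching rule decides. With no match the input chain accepts,
    which is why a chain without a final drop leaves everything open."""
    for rule in chain:
        if rule_matches(rule, pkt):
            return rule["action"], rule["comment"]
    return "accept", "(implicit: no rule matched)"


COMMON = [
    {"action": "accept", "comment": "accept established,related,untracked",
     "connection-state": {"established", "related", "untracked"}},
    {"action": "drop", "comment": "drop invalid", "connection-state": {"invalid"}},
    {"action": "accept", "comment": "accept ICMP", "protocol": "icmp"},
    {"action": "accept", "comment": "WireGuard", "protocol": "udp", "dst-port": 13231},
]
ORIGINAL_INPUT = COMMON + [
    {"action": "drop", "comment": "drop all not coming from LAN",
     "in-interface-list": "!LAN"},
    {"action": "accept", "comment": "Allow WinBox from LAN", "protocol": "tcp",
     "dst-port": 8291, "in-interface-list": "LAN",
     "src-address-list": "AllowWinBox_original"},
]
FIXED_INPUT = COMMON + [
    {"action": "accept", "comment": "admin access", "in-interface-list": "MANAGE",
     "src-address-list": "AllowWinBox_fixed"},
    {"action": "accept", "comment": "user services", "in-interface-list": "LAN",
     "protocol": "udp", "dst-port": 53},
    {"action": "accept", "comment": "user services", "in-interface-list": "LAN",
     "protocol": "tcp", "dst-port": 53},
    {"action": "drop", "comment": "drop all else"},
]


def packet(in_iface, src, protocol, dst_port, state="new"):
    return {"in": in_iface, "src": src, "protocol": protocol,
            "dst-port": dst_port, "state": state}


# Constructed sample packets, all new connections to the router itself.
SAMPLE_PACKETS = {
    "family laptop -> WinBox": packet("HOME10", "10.0.0.77", "tcp", 8291),
    "family laptop -> webfig": packet("HOME10", "10.0.0.77", "tcp", 443),
    "admin desktop -> WinBox": packet("HOME10", "10.0.0.50", "tcp", 8291),
    "internet -> WinBox": packet("ether2", "203.0.113.9", "tcp", 8291),
    "internet -> WireGuard": packet("ether2", "203.0.113.9", "udp", 13231),
    "IoT device -> router DNS": packet("VLAN20_Eth5_IoT", "10.0.20.5", "udp", 53),
}


def compare(name):
    """Return (original verdict, fixed verdict) for one sample packet."""
    pkt = SAMPLE_PACKETS[name]
    return evaluate(ORIGINAL_INPUT, pkt)[0], evaluate(FIXED_INPUT, pkt)[0]


if __name__ == "__main__":
    for name in SAMPLE_PACKETS:
        before, after = compare(name)
        print(f"{name:26s} original={before:7s} fixed={after}")
```

The family laptop reaching WebFig on 443 under the original chain is the "TOO LATE" case: nothing after "drop all not coming from LAN" matches, so the implicit accept applies and the WinBox rule narrows nothing.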
 
anav

Re: Are my firewall rules in correct order

Sat Feb 25, 2023 6:14 pm

To complete the DNS changes............ the steps I am aware of ....... be it pihole or adguard are.

1. need to have an exclusion firewall address list, for at least the Server itself. We do not want the server to check itself for DNS, it needs to go out to the WWW to get it so we need to ensure it has a path to do so. If you had any subnets or other individual users that should bypass the DNS redirect then they too would be added to the firewall address list. Assuming not at this point SO:

/ip firewall address-list
add address=10.0.0.10/32 list=EXCLUDED


2. You have the DNS servers in DHCP-server just about right, however, you include the subnet the SERVER is in. Remember we don't want to turn the SERVER to itself to get DNS, SO modify to:
/ip dhcp-server network
add address=10.0.0.0/24 dns-server=10.0.0.1 gateway=10.0.0.1
add address=10.0.20.0/24 dns-server=10.0.0.10 gateway=10.0.20.1
add address=10.0.30.0/24 dns-server=10.0.0.10 gateway=10.0.30.1


Also for example if you didn't want subnet 30 to get redirected you would not put the server as dns-server, aka it would revert back to 10.0.30.1

3. You need to Then Force Users to the server................
Dst Nat rules
/ip firewall nat
add chain=dstnat action=dst-nat in-interface-list=LAN src-address-list=!EXCLUDED dst-port=53 protocol=tcp to-addresses=10.0.0.10
add chain=dstnat action=dst-nat in-interface-list=LAN src-address-list=!EXCLUDED dst-port=53 protocol=udp to-addresses=10.0.0.10

4. You need to allow different subnet user access to the server in forward chain rules, which you had which was good, simplified to.
add action=accept chain=forward comment="DNS access" in-interface-list=DNS dst-address=10.0.0.10

5. Last step is to ensure USERS in the same LAN as the server can access the server and get their traffic back correctly........so need hairpin nat rule.
Src Nat Hairpin Rule for Server Subnet users
/ip firewall nat
add chain=srcnat action=masquerade dst-address=10.0.0.0/24 src-address=10.0.0.0/24

6. Hmm okay just remembered need this change as well..
/ip dns
set allow-remote-requests=yes servers=1.1.1.2,9.9.9.9 ( or whatever public DNS you like, but not pihole/adguard server )
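Steps 1, 3 and 5 above fit together in a way that is easy to take on faith, so here is an added Python model (not anav's code, not RouterOS) that walks one DNS query through the dst-nat redirect and shows why the hairpin masquerade is needed only for clients on the server's own subnet. It uses 10.0.0.10 and 10.0.0.1 from the thread and assumes 10.0.0.77 and 10.0.20.5 as sample clients.

```python
import ipaddress

# Constructed model of the DNS redirect: AdGuard/Pi-hole host and router LAN
# address come from the thread; 10.0.0.77 and 10.0.20.5 are assumed clients.
SERVER = "10.0.0.10"
ROUTER_LAN_IP = "10.0.0.1"
SERVER_SUBNET = ipaddress.ip_network("10.0.0.0/24")
EXCLUDED = {SERVER}              # the EXCLUDED address list from step 1


def on_server_subnet(ip):
    return ipaddress.ip_address(ip) in SERVER_SUBNET


class Router:
    """Tracks NAT translations as (src, sport, dst, dport) tuples."""

    def __init__(self, hairpin):
        self.hairpin = hairpin
        self.conntrack = {}      # original tuple -> translated tuple

    def forward(self, pkt):
        src, sport, dst, dport = pkt
        # step 3: dst-nat port 53 to the server unless the source is excluded
        if dport != 53 or src in EXCLUDED:
            return "upstream", pkt
        dst = SERVER
        # step 5: hairpin masquerade when client and server share the subnet
        if self.hairpin and on_server_subnet(src) and on_server_subnet(dst):
            src = ROUTER_LAN_IP
        translated = (src, sport, dst, dport)
        self.conntrack[pkt] = translated
        return "lan", translated

    def reply(self, pkt):
        """Undo NAT on a reply whose tuple is the reverse of a translated one."""
        for orig, trans in self.conntrack.items():
            if (trans[2], trans[3], trans[0], trans[1]) == pkt:
                return (orig[2], orig[3], orig[0], orig[1])
        return None              # no conntrack entry: reply is dropped


def dns_query(client_ip, hairpin, upstream="8.8.8.8"):
    """One DNS query from client_ip to a public resolver.
    Returns (redirected_to_server, client_accepts_reply)."""
    router = Router(hairpin)
    query = (client_ip, 50000, upstream, 53)
    where, fwd = router.forward(query)
    if where == "upstream":
        return False, True       # excluded host: normal path out to the WWW
    # the server answers by swapping the addresses and ports it saw
    reply = (fwd[2], fwd[3], fwd[0], fwd[1])
    if reply[2] != ROUTER_LAN_IP and on_server_subnet(reply[2]):
        seen = reply             # same subnet: delivered directly, router bypassed
    else:
        seen = router.reply(reply)
    # the client only accepts an answer that looks like it came from where it asked
    expected = (upstream, 53, client_ip, 50000)
    return True, seen == expected


if __name__ == "__main__":
    for ip in ("10.0.0.77", "10.0.20.5", SERVER):
        for hairpin in (False, True):
            print(ip, "hairpin" if hairpin else "no hairpin", dns_query(ip, hairpin))
```

Without the hairpin rule the same-subnet client gets an answer from 10.0.0.10 when it asked 8.8.8.8, so the query appears to time out; the VLAN clients and the excluded server are unaffected either way.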
 
anav

Re: Are my firewall rules in correct order

Sat Feb 25, 2023 6:18 pm

Lets get all that fixed and working and then we can discuss, other desired functionality.....
 
Kokkikaks

Re: Are my firewall rules in correct order

Sat Feb 25, 2023 8:07 pm

Hi @Anav and ty for a very detailed answer. I'm on my way to a concert with my wife so will interpret tomorrow. I dunno if I can just open terminal and paste your corrected list? If so, just amazing. You are right and I don't know if it will change your answer to whether I can paste or not. I have unraid on a PC with docker running the adguard home and my unifi controller for my 2 APs. Secondly as for the smart device I have a Cisco l3 switch where I have made trunk on port 1 and 2 to deal with the VLANs.

Looking forward to be hearing what your answer is.
And SKÅL back at you 🫡😀
 
anav

Re: Are my firewall rules in correct order

Sat Feb 25, 2023 10:09 pm

Enjoy the concert!!
The food in Copenhagen is great, living expenses though..........sheesh through the roof.

Yeah, I hate to meddle too much in your config as there seem to be intricate moving parts.........
UNIFI devices are smart but they typically require one untagged vlan coming in as the management vlan and the data vlans as tagged.
The cisco switch should be more normal, all vlans coming in as tagged.
Last edited by anav on Sun Feb 26, 2023 4:52 am, edited 1 time in total.
 
Kokkikaks

Re: Are my firewall rules in correct order

Sun Feb 26, 2023 12:31 am

If we should start with basics and I could paste / replace, would that be possible for u to make? Not for now considering stuff like VLAN10 for management but mainly securing the router by making rules in correct order and scratching RAW stuff etc.

When that is in place I can expand slowly with the stuff u suggest? Or is that the wrong approach / impossible? I also think my fasttrack over the forward rules are placed wrong.

Really appreciate learning from what u tell here

Cheers
 
anav

Re: Are my firewall rules in correct order

Sun Feb 26, 2023 4:57 pm

No problem I already provided a starting config above.
 
Kokkikaks

Re: Are my firewall rules in correct order

Sun Feb 26, 2023 5:19 pm

So as the freshman I am, is the VLAN filtering supposed to take over for the trunking on the switch? Just trying to get my head around what happens when it's sorta happening via eth5 now ( from the switch ). And yes reg the untagged VLAN on the unifi, my main so to speak, there can't be altered I take it, being the fact I'm not running Ubiquiti equipment all the way. Having just one bridge is gonna be the big change for how I had put it together in the first place. Gotta live and learn
 
anav

Re: Are my firewall rules in correct order

Sun Feb 26, 2023 6:49 pm

Correct!
It's not a big deal, one bridge and all vlans associated with one bridge........... it's actually easier.
All the bridge does is bridging.........

all the previous bridge ports remain to the same ether port or WLAN, but are defined as access ports to dumb devices requiring identification of what tag will be stripped when traffic exits the port and what tag incoming traffic will be tagged with aka the PVID entry.

Ever been to Somods Bolcher to watch them make candy?
 
Kokkikaks

Re: Are my firewall rules in correct order

Sun Feb 26, 2023 7:00 pm

All right, it makes sense. My 2 APs are POE so kinda gotta stay in the switch. What about their exit from the switch? Do I need to remove the trunking set? There is trunk on port 1 and 2 where the APs are connected and port 12, the port going to eth5 on the Mikrotik?? Also gonna prepare a new Bridge and meanwhile move the cable to eth6 for now as the children aren't too happy with any sort of downtime. I'm not gonna win father of the year if something happens :). Gonna report back if I run into a wall and certainly also when it's fixed. THX so far for great help. Have a nice Sunday.

😀
 
anav

Re: Are my firewall rules in correct order

Sun Feb 26, 2023 7:08 pm

Well, you gotta be smarter, wait till the kids are asleep LOL.

In terms of switches...... are they smart switches?
If so, you need management vlan (or trusted vlan) to the switch and any subsequent smart device, and any other data vlans that need to go to the switch or any subsequent smart devices.

while waiting for their nappie time, you should make a diagram of your network...........

NETWORK DIAGRAM APPS:
https://nulab.com/cacoo/
https://online.visual-paradigm.com/diag ... -software/
https://www.lucidchart.com/pages/
https://drawio-app.com/product/
https://www.diagrams.net/ (its older sibling soon to be discontinued https://drawio-app.com/product/)
( Other links for diagrams.net - https://www.youtube.com/watch?v=P3ieXjI7ZSk & https://www.youtube.com/watch?v=mpF1i9sfEJ0 )
https://sourceforge.net/projects/dia-installer/
https://www.yworks.com/products/yed (and icons for yed --> https://github.com/danger89/yEd_cisco_network_icons )
https://www.libreoffice.org/discover/draw/

http://kilievich.com/fpinger/ - has a simple drawing program but not its main intent.
 
Kokkikaks

Re: Are my firewall rules in correct order

Sun Feb 26, 2023 7:12 pm

It's a spare Cisco Catalyst 3560-CX series from work :). Old but doing the job. I guess I just need to know if it has to get the stuff made removed. I kinda see where you are taking me but must also admit I'm nowhere near experienced, this also being my first Tik :)
Will make the diagram tomorrow. Also so we are sure I'm not creating something wrong. Guess its time for a backup file I can reload if things go south.

Cheers anav
 
anav

Re: Are my firewall rules in correct order

Sun Feb 26, 2023 8:01 pm

Sounds like probably a decent managed switch! the diagram will show what subnets you pass to the switch and whats connected to the switch and what passed on each port of the switch etc.......

Concur, create
/export file=anynameyouwish for sharing purposes
/export show-sensitive file=formyeyesonly which keeps keys passwords etc..

also do backup

Then make changes.........
 
Kokkikaks

Re: Are my firewall rules in correct order

Mon Feb 27, 2023 8:00 am

Just one follow up question. Albeit my setup is "wrongly" configured is the router "safe" from the WAN side?
You know you told me to remove all my hanky panky RAW rules etc. I guess nothing really can get in having the "drop all not from LAN?"

Or?
 
anav

Re: Are my firewall rules in correct order

Mon Feb 27, 2023 2:24 pm

That is correct!
The default rules as well are safe in most respects.
The drop all rules are better, especially when one invariably starts making changes to the config.
The key to the input chain is to ensure FIRST you as admin have access before the drop all rule is in place or you will be doing a netinstall LOL.
 
Kokkikaks

Re: Are my firewall rules in correct order

Mon Feb 27, 2023 2:31 pm

That is duly noted :) The fasttrack I have placed right above the forward rules, is that wrong? In my head it's input ~ forward ( stuff internally between subnets etc ) and then the rest. I'm asking because I remember having seen it at the bottom at a friend's house :)
One would never put it before 1 I guess.
 
anav

Re: Are my firewall rules in correct order

Mon Feb 27, 2023 3:06 pm

Fasttrack is the first rule in forward chain NOT AT BOTTOM, unless you do ipsec and typically there are two ipsec rules BEFORE fasttrack.
 
Kokkikaks

Re: Are my firewall rules in correct order

Mon Feb 27, 2023 3:10 pm

I figured, just checking 😀. Ty a lot
 
Kokkikaks

Re: Are my firewall rules in correct order

Tue Feb 28, 2023 6:18 pm

Back again. I feel a little puzzled about the switch. Should I remove it entirely and perhaps do like this:
Make VLAN 20 and 30 on eth4 and 5
Add the VLANS to Bridge_Vlan20/30
Then run the APs directly on the 10.0.0.0/24 net

I'm not in need of mgmt VLAN I think. Would rather even though not best practice just allowing WinBox access only through my wireguard IPs.

What confuses me I guess is how the VLAN filtering works compared to having the VLANs on the switch with trunking.

On the Unifi controller I have 3 SSID

One is main (10.0.0.0) called VirusLauncher_V66.exe
One is IoT (10.0.20.0) and called Hidden_IoT
One is Guest (30.0) Hot Singles In Your Area

Now the 10.0.0.0 is untagged or VLAN1. Here I can't choose "Third Party Gateway".
Other 2 I can assign VLAN tag 20/30 to, choose Third Party Gateway. This is not possible for the "Main net".

How will everything act now if I remove the switch. Can the Mikrotik VLAN filtering do the same.
And that d... One bridge setup puzzles me 🎃

Phew.. Can you explain the procedure to me like I'm a 3 year old
 
anav

Re: Are my firewall rules in correct order

Tue Feb 28, 2023 7:20 pm

If you ask questions about concept and network best to attach diagrams to make sure its clear.

No you don't need a separate management vlan if you have a trusted subnet.
I prefer a management vlan and think about it, you can give yourself as admin access to the management vlan from the trusted subnet in the firewall rules.
Either way your choice!

The difference is in the input chain rule, if you only have access to the management vlan and wireguard for example the management interface list suffices for access to config the device.
Otherwise if it's a trusted subnet you should add a src-address-list on the input chain rule as well as the management interface list to limit to admin IP addresses (desktop, laptop, iphone, remote connection IP)

The bridge on the MT can and for me always hosts all VPNs ( in most scenarios).
One either trunks to a smart device (managed switch, mt device, normal smart AP)
Or
hybrid to UNIFI wifi etc.
Or
access ports to dumb devices.......


IN conclusion if the unifi is hybrid, then simply hybrid port to the unifi where the trusted subnet is untagged and the other vlans are tagged.
 
Kokkikaks

Re: Are my firewall rules in correct order

Thu Mar 02, 2023 2:29 pm

Hi anav, I've been tied up at work and stuff in the evenings.
I have a question. In the picture my rules 18 and 19, if they are placed after the fasttrack forward rule my "allow access from HMHPhone.." doesn't work
Meaning from my e.g. Guest VLAN I can use it. Not what's intended
If placed like in pic probably not in effect but then the rule works
Have I made the rule wrong or should the rules be 18 and 19 as now?

https://imgur.com/a/0odwIig

Cheers,
 
anav

Re: Are my firewall rules in correct order

Thu Mar 02, 2023 3:39 pm

What kind of line of work do you do where they tie you up. ;-PP

In the picture there is no fasttrack rule ??????

The order should be as per defaults

2xIPSEC rules, which can be removed if not using ipsec,
THen
Fastrack Rule.
Then
Rule 18
Then
Rule19

++++++++++++++++++++

I already lead the horse to water,,,,,,, why isnt it drinking :-)

/ip firewall filter
# mostly good
# Input chain
...
# Forward chain
# default rules
# 17
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
    connection-state=established,related hw-offload=yes
# 18
add action=accept chain=forward comment=\
    "defconf: accept established,related, untracked" connection-state=\
    established,related,untracked
# 19
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
# admin rules
add action=accept chain=forward comment="internet traffic" in-interface-list=LAN out-interface-list=WAN
add action=accept chain=forward comment="DNS access" in-interface-list=DNS dst-address=10.0.0.10
add action=accept chain=forward comment="Allow access to print from VLAN30" \
    dst-address=10.0.0.3 src-address=10.0.30.0/24
add action=accept chain=forward comment=\
    "Allow access from HMHPhone to Phillips Hue" dst-address=10.0.0.4 \
    src-address=10.0.20.249

add action=drop chain=forward comment="drop all else"
 
Kokkikaks

Re: Are my firewall rules in correct order

Thu Mar 02, 2023 4:04 pm

The horse is currently very tied up at work. Secondly, with I guess my lack of knowledge, I can't get my head around what happens when I remove the switch and my 2 APs go directly to the router in say eth4/5. Can the VLAN filtering really do what the trunking does on the switch? Guess that's why the horse isn't really drinking. And I can't read if my LAN bridge has to die also. Perhaps I just thought I could nail this easily but have to say it's honestly a bit confusing sadly

What's ur rate for team viewer sessions 🤣
Last edited by Kokkikaks on Thu Mar 02, 2023 4:10 pm, edited 1 time in total.
 
anav

Re: Are my firewall rules in correct order

Thu Mar 02, 2023 4:07 pm

Yes yes yes, and when did Vikings suddenly become like weak scared English farmers.............

It's easy to turn bridge lan into a VLAN.
1. add vlan to /interface vlan
2. IP pool, no change
3. DHCP server- replace bridge interface name with vlan interface name
4. DHCP server network - no change
5. IP address - replace bridge interface name with vlan interface name
+++++++++++++++++++++++++++++++++++++++++++++++++++++++++

6. add all vlans to interface list LAN ( and remove bridge entry )
7. adjust /interface bridge ports accordingly - typically add pvid of the vlan to where it was bridge only.
8. adjust /interface bridge vlans accordingly

++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Last edited by anav on Thu Mar 02, 2023 4:13 pm, edited 1 time in total.
 
Kokkikaks

Re: Are my firewall rules in correct order

Thu Mar 02, 2023 4:11 pm

Yes yes yes, and when did Vikings suddenly become like weak scared english farmers.............
Challenge accepted. Shall try it and let's see 😃
 
anav

Re: Are my firewall rules in correct order  [SOLVED]

Thu Mar 02, 2023 4:18 pm

Just buy tickets for the kids and wife to go to the movies and get them out of the house (your hair) LOL.
