Community discussions

MikroTik App
 
Boban84
just joined
Topic Author
Posts: 4
Joined: Wed Mar 08, 2023 2:27 pm

Check please my configuration and firewall

Tue Mar 14, 2023 3:34 pm

Hi, I am starting with Mikrotik. Can somebody help me check if this config is right ? I am beginer with firewall configuration and any advice is welcome. My config and network scheme is in attachment.
Thanks

Here I have the configuration export:
# # mar/14/2023 11:42:49 by RouterOS 7.8
# software id = xxxxx
#
# model = RB4011iGS+
# serial number = xxxxx
/interface bridge
add arp=proxy-arp frame-types=admit-only-vlan-tagged name=bridge pvid=50 \
    vlan-filtering=yes
/interface ethernet
set [ find default-name=ether1 ] arp=proxy-arp name="ether1_WAN(Public IP)"
set [ find default-name=ether2 ] name=ether2_PC
set [ find default-name=ether3 ] name=ether3_PC
set [ find default-name=ether4 ] name=ether4_PC
set [ find default-name=ether5 ] name=ether5_PC
set [ find default-name=ether6 ] name=ether6_NAS
set [ find default-name=ether7 ] comment="Trunk port ( VLAN20,50 )" name=\
    ether7_Zyxel
set [ find default-name=ether8 ] comment="Trunk port (VLAN10,20,50)" name=\
    ether8_CISCO
set [ find default-name=ether9 ] comment="Trunk port(VLAN20,40,50)" name=\
    ether9_UBNT
set [ find default-name=ether10 ] name=ether10_MGMT poe-out=off
set [ find default-name=sfp-sfpplus1 ] disabled=yes
/interface wireguard
add listen-port=13232 mtu=1420 name=VPN_Cameras
add listen-port=13231 mtu=1420 name=VPN_MGMT
/interface vlan
add interface=bridge name="VLAN10(Cameras)" vlan-id=10
add interface=bridge name="VLAN20(PC)" vlan-id=20
add interface=bridge name="VLAN30(NAS)" vlan-id=30
add interface=bridge name="VLAN40(Guest)" vlan-id=40
add interface=bridge name="VLAN50(MGMT)" vlan-id=50
/interface list
add name=MGMT
add name=WAN
add name=VLAN
add name="VLAN all"
add name="VLAN 10"
add name="VLAN 20"
add name="VLAN 30"
add name="VLAN 40"
add include="VLAN 10,VLAN 20,VLAN 30,VLAN 40" name="VLAN 10,20,30,40"
add include="VLAN 20,VLAN 30,VLAN 40" name="VLAN 20,30,40"
add include="VLAN 10,VLAN 30,VLAN 40" name="VLAN 10,30,40"
add include="VLAN 10,VLAN 20,VLAN 40" name="VLAN 10,20,40"
add include="VLAN 10,VLAN 20,VLAN 30" name="VLAN 10,20,30"
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip pool
add name=Cameras ranges=172.25.10.31-172.25.10.45
add name=PC ranges=172.25.20.2-172.25.20.50
add name=NAS ranges=172.25.30.2-172.25.30.4
add name=Guest ranges=172.25.40.2-172.25.40.50
add name=VPN_Cameras ranges=172.25.60.2-172.25.60.11
add name=VPN_MGMT ranges=172.25.70.71-172.25.70.75
add name=MGMT ranges=172.25.50.50-172.25.50.70
/ip dhcp-server
add address-pool=Cameras interface="VLAN10(Cameras)" name=Cameras
add address-pool=PC interface="VLAN20(PC)" name=PC
add address-pool=NAS interface="VLAN30(NAS)" name=NAS
add address-pool=Guest interface="VLAN40(Guest)" name=Wifi_Guest
add address-pool=MGMT interface="VLAN50(MGMT)" name=MGMT
/ip vrf
add disabled=yes interfaces="VLAN50(MGMT),VPN_MGMT" name=vrf1
/port
set 0 name=serial0
set 1 name=serial1
/interface bridge port
add bridge=bridge frame-types=admit-only-untagged-and-priority-tagged \
    interface=ether2_PC pvid=20
add bridge=bridge frame-types=admit-only-untagged-and-priority-tagged \
    interface=ether3_PC pvid=20
add bridge=bridge frame-types=admit-only-untagged-and-priority-tagged \
    interface=ether4_PC pvid=20
add bridge=bridge frame-types=admit-only-untagged-and-priority-tagged \
    interface=ether5_PC pvid=20
add bridge=bridge frame-types=admit-only-untagged-and-priority-tagged \
    interface=ether6_NAS pvid=30
add bridge=bridge comment="Trunk port ( VLAN20,50 )" frame-types=\
    admit-only-vlan-tagged interface=ether7_Zyxel
add bridge=bridge comment="Trunk port (VLAN10,20,50)" frame-types=\
    admit-only-vlan-tagged interface=ether8_CISCO
add bridge=bridge comment="Trunk port(VLAN20,40,50)" frame-types=\
    admit-only-vlan-tagged interface=ether9_UBNT
add bridge=bridge frame-types=admit-only-untagged-and-priority-tagged \
    interface=ether10_MGMT pvid=50
/ip neighbor discovery-settings
set discover-interface-list=MGMT
/interface bridge vlan
add bridge=bridge tagged=ether8_CISCO,bridge vlan-ids=10
add bridge=bridge tagged=bridge,ether8_CISCO,ether7_Zyxel,ether9_UBNT \
    untagged=ether2_PC,ether3_PC,ether4_PC,ether5_PC vlan-ids=20
add bridge=bridge tagged=bridge untagged=ether6_NAS vlan-ids=30
add bridge=bridge tagged=bridge,ether9_UBNT vlan-ids=40
add bridge=bridge tagged=bridge,ether7_Zyxel,ether8_CISCO,ether9_UBNT \
    untagged=ether10_MGMT vlan-ids=50
/interface list member
add interface="VLAN50(MGMT)" list=MGMT
add interface="ether1_WAN(Public IP)" list=WAN
add interface="VLAN10(Cameras)" list=VLAN
add interface="VLAN20(PC)" list=VLAN
add interface="VLAN40(Guest)" list=VLAN
add interface="VLAN30(NAS)" list=VLAN
add interface="VLAN10(Cameras)" list="VLAN all"
add interface="VLAN20(PC)" list="VLAN all"
add interface="VLAN30(NAS)" list="VLAN all"
add interface="VLAN40(Guest)" list="VLAN all"
add interface="VLAN50(MGMT)" list="VLAN all"
add interface="VLAN10(Cameras)" list="VLAN 10"
add interface="VLAN20(PC)" list="VLAN 20"
add interface="VLAN30(NAS)" list="VLAN 30"
add interface="VLAN40(Guest)" list="VLAN 40"
/interface wireguard peers
add allowed-address=172.25.70.72/32 comment="VPN MGMT" interface=VPN_MGMT \
    persistent-keepalive=30s public-key=\
    "xxxxx"
add allowed-address=172.25.60.2/32 comment="VPN Cameras " interface=\
    VPN_Cameras public-key="xxxxxx"
/ip address
add address=172.25.10.30/24 interface="VLAN10(Cameras)" network=172.25.10.0
add address=172.25.20.1/24 interface="VLAN20(PC)" network=172.25.20.0
add address=172.25.30.1/24 interface="VLAN30(NAS)" network=172.25.30.0
add address=172.25.40.1/24 interface="VLAN40(Guest)" network=172.25.40.0
add address=172.25.50.1/24 interface="VLAN50(MGMT)" network=172.25.50.0
add address=172.25.70.1/24 interface=VPN_MGMT network=172.25.70.0
add address=172.25.60.1/24 interface=VPN_Cameras network=172.25.60.0
/ip cloud
set update-time=no
/ip dhcp-client
add interface="ether1_WAN(Public IP)"
/ip dhcp-server network
add address=172.25.10.0/24 dns-server=172.25.10.30 gateway=172.25.10.30 \
    ntp-server=172.25.10.30
add address=172.25.20.0/24 dns-server=172.25.20.1 gateway=172.25.20.1 \
    ntp-server=172.25.20.1
add address=172.25.30.0/24 dns-server=172.25.30.1 gateway=172.25.30.1 \
    ntp-server=172.25.30.1
add address=172.25.40.0/24 dns-server=172.25.40.1 gateway=172.25.40.1 \
    ntp-server=172.25.40.1
add address=172.25.50.0/24 dns-server=172.25.50.1 gateway=172.25.50.1 \
    ntp-server=172.25.50.1
/ip dns
set allow-remote-requests=yes
/ip dns static
add address=172.25.50.20 name=switchc.local
add address=172.25.50.5 name=switchz.local
add address=172.25.10.20 name=cameras.local
add address=172.25.30.10 name=nas.local
/ip firewall filter
add action=fasttrack-connection chain=forward comment=Fasttrack \
    connection-state=established,related hw-offload=yes
add action=accept chain=input comment="NTP client" in-interface=\
    "ether1_WAN(Public IP)" protocol=udp src-port=123
add action=accept chain=input comment="Allow VPN MGMT on WAN" dst-port=13231 \
    in-interface="ether1_WAN(Public IP)" protocol=udp
add action=accept chain=input comment="Allow VPN CAM on WAN" dst-port=13232 \
    in-interface="ether1_WAN(Public IP)" protocol=udp
add action=accept chain=input comment="NTP local server" dst-port=123 \
    in-interface="VLAN50(MGMT)" protocol=tcp
add action=accept chain=input comment="NTP local server" dst-port=123 \
    in-interface="VLAN50(MGMT)" protocol=udp
add action=accept chain=input comment="established, related, untracked" \
    connection-state=established,related,untracked
add action=drop chain=input comment="Drop invalid" connection-state=invalid
add action=accept chain=input comment="Allow access to local DNS" dst-port=53 \
    in-interface=all-vlan protocol=udp
add action=accept chain=forward comment="established, related, untracked" \
    connection-state=established,related,untracked
add action=accept chain=forward comment=\
    "VPN MGMT access to -> VLAN 10,20,30,40 " connection-state="" \
    in-interface=VPN_MGMT out-interface-list=VLAN
add action=accept chain=forward comment="Allow access VPN_Cameras -> NVR" \
    dst-address=172.25.10.20 in-interface=VPN_Cameras out-interface-list=\
    "VLAN 10"
add action=accept chain=forward comment="Allow access FTP -> NAS" \
    dst-address=172.25.30.10 dst-port=21 in-interface="VLAN20(PC)" \
    out-interface="VLAN30(NAS)" protocol=tcp
add action=accept chain=forward comment="Allow access to NVR 443" \
    dst-address=172.25.10.20 dst-port=443 in-interface="VLAN20(PC)" \
    out-interface="VLAN10(Cameras)" protocol=tcp
add action=accept chain=forward comment="Allow access to NVR 80" dst-address=\
    172.25.10.20 dst-port=80 in-interface="VLAN20(PC)" out-interface=\
    "VLAN10(Cameras)" protocol=tcp
add action=accept chain=forward comment="Allow access to NVR 8000" \
    dst-address=172.25.10.20 in-interface="VLAN20(PC)" out-interface=\
    "VLAN10(Cameras)" port=8000 protocol=tcp
add action=accept chain=forward comment=SAMBA connection-state="" \
    dst-address=172.25.30.10 dst-port=445 in-interface="VLAN20(PC)" \
    out-interface="VLAN30(NAS)" protocol=tcp
add action=accept chain=forward comment=SAMBA dst-address=172.25.30.10 \
    dst-port=135-139 in-interface="VLAN20(PC)" out-interface="VLAN30(NAS)" \
    protocol=tcp
add action=accept chain=forward comment=SAMBA dst-address=172.25.30.10 \
    dst-port=135-139 in-interface="VLAN20(PC)" out-interface="VLAN30(NAS)" \
    protocol=udp
add action=accept chain=forward comment=\
    "Allow access  MGMT -> VLAN 10,20,30,40" in-interface-list=MGMT \
    out-interface-list="VLAN 10,20,30,40"
add action=drop chain=input comment="Drop access WAN" connection-state="" \
    in-interface="ether1_WAN(Public IP)"
add action=drop chain=input comment="Drop DNS access from the Internet" \
    dst-port=53 in-interface="ether1_WAN(Public IP)" log=yes log-prefix=\
    "DNS_INET_protokol=udp" protocol=udp
add action=drop chain=input comment="Drop DNS access from the Internet" \
    dst-port=53 in-interface="ether1_WAN(Public IP)" log=yes log-prefix=\
    "DNS_INET_protokol=tcp" protocol=tcp
add action=drop chain=forward comment=\
    "Drop access to MGMT From VLAN 10,20,30,40" in-interface-list=\
    "VLAN 10,20,30,40" out-interface-list=MGMT
add action=drop chain=forward comment=\
    "Drop access to VLAN10  from VLAN20,30,40" in-interface-list="VLAN 10" \
    out-interface-list="VLAN 20,30,40"
add action=drop chain=forward comment=\
    "Drop access to VLAN20  from VLAN10,30,40" in-interface-list="VLAN 20" \
    out-interface-list="VLAN 10,30,40"
add action=drop chain=forward comment=\
    "Drop access to VLAN30  from VLAN10,20,40" in-interface-list="VLAN 30" \
    out-interface-list="VLAN 10,20,40"
add action=drop chain=forward comment=\
    "Drop access to VLAN40  from VLAN10,20,30" in-interface-list="VLAN 40" \
    out-interface-list="VLAN 10,20,30"
add action=drop chain=forward comment=\
    "Drop access to VLAN_Cameras  from VLAN10" in-interface=VPN_Cameras \
    out-interface="VLAN10(Cameras)"
add action=drop chain=forward comment="Drop invalid" connection-state=invalid
/ip firewall nat
add action=masquerade chain=srcnat out-interface="ether1_WAN(Public IP)"
/ip firewall service-port
set pptp disabled=yes
/ip service
set telnet disabled=yes
set ftp disabled=yes
set www disabled=yes
set ssh disabled=yes
set api disabled=yes
set winbox address="172.25.50.69/32,172.25.50.70/32,172.25.50.68/32,172.25.50.\
    67/32,172.25.50.66/32,172.25.50.65/32,172.25.70.72/32"
set api-ssl disabled=yes
/ip smb
set allow-guests=no comment="" domain="" interfaces="VLAN30(NAS)"
/ip ssh
set strong-crypto=yes
/system clock
set time-zone-name=Europe/Prague
/system clock manual
set dst-delta=+01:00 time-zone=+01:00
/system identity
set name=Routr
/system ntp client
set enabled=yes
/system ntp server
set enabled=yes manycast=yes
/system ntp client servers
add address=195.113.144.201 iburst=no
add address=195.113.144.238
/tool mac-server
set allowed-interface-list=MGMT
/tool mac-server mac-winbox
set allowed-interface-list=MGMT
Here I have the graph:
You do not have the required permissions to view the files attached to this post.
 
User avatar
anav
Forum Guru
Forum Guru
Posts: 18959
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada
Contact:

Re: Check please my configuration and firewall

Tue Mar 14, 2023 10:16 pm

Excellent diagram!!!

1) Bridge itself, Remove frame-types=admit-only-vlan-tagged name=bridge pvid=50 \ and reset the vlan to default=1

(2) Confused as to why you have 5 vlans identified but magically 7 IP addresses???

/interface vlan
add interface=bridge name="VLAN10(Cameras)" vlan-id=10
add interface=bridge name="VLAN20(PC)" vlan-id=20
add interface=bridge name="VLAN30(NAS)" vlan-id=30
add interface=bridge name="VLAN40(Guest)" vlan-id=40
add interface=bridge name="VLAN50(MGMT)" vlan-id=50
/ip address
add address=172.25.10.30/24 interface="VLAN10(Cameras)" network=172.25.10.0
add address=172.25.20.1/24 interface="VLAN20(PC)" network=172.25.20.0
add address=172.25.30.1/24 interface="VLAN30(NAS)" network=172.25.30.0
add address=172.25.40.1/24 interface="VLAN40(Guest)" network=172.25.40.0
add address=172.25.50.1/24 interface="VLAN50(MGMT)" network=172.25.50.0

add address=172.25.70.1/24 interface=VPN_MGMT network=172.25.70.0
add address=172.25.60.1/24 interface=VPN_Cameras network=172.25.60.0

Then you have 7 IP pools but 5 IP DCHP Servers, and 5 DHCP Server-Networks!!!

(3) AHH OKAY I SEE THE PROBLEM

A wireguard VPN is not a USER subnet, its a network to join DEVICES together, such that users or devices can be accessed over Wireguard.
Wireguard ONLY gets an IP address!!


(4) You only need ONE wireguard interface as well...................... it can handle multiple peers just fine. (unless there is overlap on peers but not a usual problem).

(5) YOur firewall rules are not organized. Order is important within a chain and by mixing input and forward chains together its a mess and frankly I dont feel like even looking at them until organized. Just browsing I see many errors due to disorganization and also WRONG format or place in the config for some of the rules.............

(6) What is the purpose of using etherport alone for vlan50? Is there a pc attached?
Where is the admin attached to the network, I am assuming vlan20.
Well no need for an ether50 port as you can give yourself access to all vlans.....including vlan50 as admin.

I recommend instead taking ether10 OFF the bridge to be able to access the router directly in case the bridge burps and quite frankly is a safe place to config in general.

set [ find default-name=ether10 ] name=ether10_emerg
Remove from bridge
ip-address=192.168.55.1/24 interface=ether10_emerg network=192.168.55.0
add ether10_emerg as an interface list member of MGMT

All you need to do is plug in your laptop into ether10 and put in ipv4 settings of 192.168.55.X 255.255.255.0 gateway and dns of 192.168.55.1

(7) /interface bridge ports look okay for the most part, I would add ingress-filtering=yes for all the ports.

(8) Just to confirm the unifi AP accepts the management vlan as a tagged vlan or did you change them to do so? I only ask because I believe the default is (and most people posting here) use a hybrid port untagged vlan for the management subnet and tagged for the WLAN vlans.

(9) /interface bridge vlans look okay

+++++++++++++++++++++++++++++++++++++++++++++++

In summary,
1 . FIX WG/VLAN mixup. Treat cameras as any other vlan its not a wireguard thing.
If you need wireguard to remotely access your network, then ensure you define the needs prior to configuring the router for wireguard.
I imagine its just the admin so
a. access to config router
b. access to any vlans

(2) Clean up FIREWALL RULES> Once done I will probably advise some change.

Till then.............
Last edited by anav on Wed Mar 15, 2023 5:07 pm, edited 1 time in total.
 
Boban84
just joined
Topic Author
Posts: 4
Joined: Wed Mar 08, 2023 2:27 pm

Re: Check please my configuration and firewall

Wed Mar 15, 2023 4:06 pm

Hi,

1) done

2) corrected

4) corrected

5) sorted by input and forward only, can you please help me sort them as they should be?

6) Port 10 was intended only for configuration, no PC will be connected there. set as recommended

7) ingress-filtring added to all ports

8 ) unifi AP is managed by a unifi controller which is connected in VLAN50, in Unifi AP I set the management to VLAN50

WG users "VPN CAM1" and "VPN CAM2" will only have access to the NVR (ip 172.25.10.20) to view the camera footage, but nowhere else.
The WG user "VPN MGMT" will then have access to all VLANs.
# mar/15/2023 14:36:25 by RouterOS 7.8
# software id = xxxx
#
# model = RB4011iGS+
# serial number = xxxxx
/interface bridge
add arp=proxy-arp frame-types=admit-only-vlan-tagged name=bridge \
    vlan-filtering=yes
/interface ethernet
set [ find default-name=ether1 ] arp=proxy-arp name="ether1_WAN(Public IP)"
set [ find default-name=ether2 ] name=ether2_PC
set [ find default-name=ether3 ] name=ether3_PC
set [ find default-name=ether4 ] name=ether4_PC
set [ find default-name=ether5 ] name=ether5_PC
set [ find default-name=ether6 ] name=ether6_NAS
set [ find default-name=ether7 ] comment="Trunk port ( VLAN20,50 )" name=\
    ether7_Zyxel
set [ find default-name=ether8 ] comment="Trunk port (VLAN10,20,50)" name=\
    ether8_CISCO
set [ find default-name=ether9 ] comment="Trunk port(VLAN20,40,50)" name=\
    ether9_UBNT
set [ find default-name=ether10 ] name=ether10_emerg poe-out=off
set [ find default-name=sfp-sfpplus1 ] disabled=yes
/interface wireguard
add listen-port=13231 mtu=1420 name=VPN_WG
/interface vlan
add interface=bridge name="VLAN10(Cameras)" vlan-id=10
add interface=bridge name="VLAN20(PC)" vlan-id=20
add interface=bridge name="VLAN30(NAS)" vlan-id=30
add interface=bridge name="VLAN40(Guest)" vlan-id=40
add interface=bridge name="VLAN50(MGMT)" vlan-id=50
/interface list
add name=MGMT
add name=WAN
add name=VLAN
add name="VLAN all"
add name="VLAN 10"
add name="VLAN 20"
add name="VLAN 30"
add name="VLAN 40"
add include="VLAN 10,VLAN 20,VLAN 30,VLAN 40" name="VLAN 10,20,30,40"
add include="VLAN 20,VLAN 30,VLAN 40" name="VLAN 20,30,40"
add include="VLAN 10,VLAN 30,VLAN 40" name="VLAN 10,30,40"
add include="VLAN 10,VLAN 20,VLAN 40" name="VLAN 10,20,40"
add include="VLAN 10,VLAN 20,VLAN 30" name="VLAN 10,20,30"
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip pool
add name=Cameras ranges=172.25.10.31-172.25.10.45
add name=PC ranges=172.25.20.2-172.25.20.50
add name=NAS ranges=172.25.30.2-172.25.30.4
add name=Guest ranges=172.25.40.2-172.25.40.50
add name=MGMT ranges=172.25.50.50-172.25.50.70
/ip dhcp-server
add address-pool=Cameras interface="VLAN10(Cameras)" name=Cameras
add address-pool=PC interface="VLAN20(PC)" name=PC
add address-pool=NAS interface="VLAN30(NAS)" name=NAS
add address-pool=Guest interface="VLAN40(Guest)" name=Wifi_Guest
add address-pool=MGMT interface="VLAN50(MGMT)" name=MGMT
/port
set 0 name=serial0
set 1 name=serial1
/interface bridge port
add bridge=bridge frame-types=admit-only-untagged-and-priority-tagged \
    interface=ether2_PC pvid=20
add bridge=bridge frame-types=admit-only-untagged-and-priority-tagged \
    interface=ether3_PC pvid=20
add bridge=bridge frame-types=admit-only-untagged-and-priority-tagged \
    interface=ether4_PC pvid=20
add bridge=bridge frame-types=admit-only-untagged-and-priority-tagged \
    interface=ether5_PC pvid=20
add bridge=bridge frame-types=admit-only-untagged-and-priority-tagged \
    interface=ether6_NAS pvid=30
add bridge=bridge comment="Trunk port ( VLAN20,50 )" frame-types=\
    admit-only-vlan-tagged interface=ether7_Zyxel
add bridge=bridge comment="Trunk port (VLAN10,20,50)" frame-types=\
    admit-only-vlan-tagged interface=ether8_CISCO
add bridge=bridge comment="Trunk port(VLAN20,40,50)" frame-types=\
    admit-only-vlan-tagged interface=ether9_UBNT
/ip neighbor discovery-settings
set discover-interface-list=MGMT
/interface bridge vlan
add bridge=bridge tagged=ether8_CISCO,bridge vlan-ids=10
add bridge=bridge tagged=ether8_CISCO,bridge,ether7_Zyxel,ether9_UBNT \
    untagged=ether2_PC,ether3_PC,ether4_PC,ether5_PC vlan-ids=20
add bridge=bridge tagged=bridge untagged=ether6_NAS vlan-ids=30
add bridge=bridge tagged=ether9_UBNT,bridge vlan-ids=40
add bridge=bridge tagged=bridge,ether8_CISCO,ether9_UBNT vlan-ids=50
/interface list member
add interface="VLAN50(MGMT)" list=MGMT
add interface="ether1_WAN(Public IP)" list=WAN
add interface="VLAN10(Cameras)" list=VLAN
add interface="VLAN20(PC)" list=VLAN
add interface="VLAN40(Guest)" list=VLAN
add interface="VLAN30(NAS)" list=VLAN
add interface="VLAN10(Cameras)" list="VLAN all"
add interface="VLAN20(PC)" list="VLAN all"
add interface="VLAN30(NAS)" list="VLAN all"
add interface="VLAN40(Guest)" list="VLAN all"
add interface="VLAN50(MGMT)" list="VLAN all"
add interface="VLAN10(Cameras)" list="VLAN 10"
add interface="VLAN20(PC)" list="VLAN 20"
add interface="VLAN30(NAS)" list="VLAN 30"
add interface="VLAN40(Guest)" list="VLAN 40"
add interface=ether10_emerg list=MGMT
/interface wireguard peers
add allowed-address=172.25.60.2/32 comment="VPN CAM1" interface=VPN_WG \
    public-key="xxxx"
add allowed-address=172.25.60.3/32 comment="VPN CAM2" interface=VPN_WG \
    public-key="xxx"
add allowed-address=172.25.60.4/32 comment="VPN MGMT" interface=VPN_WG \
    public-key="xxx"
/ip address
add address=172.25.10.30/24 interface="VLAN10(Cameras)" network=172.25.10.0
add address=172.25.20.1/24 interface="VLAN20(PC)" network=172.25.20.0
add address=172.25.30.1/24 interface="VLAN30(NAS)" network=172.25.30.0
add address=172.25.40.1/24 interface="VLAN40(Guest)" network=172.25.40.0
add address=172.25.50.1/24 interface="VLAN50(MGMT)" network=172.25.50.0
add address=172.25.60.1/24 interface=VPN_WG network=172.25.60.0
add address=192.168.55.1/24 interface=ether10_emerg network=192.168.55.0
/ip cloud
set update-time=no
/ip dhcp-client
add interface="ether1_WAN(Public IP)"
/ip dhcp-server lease
add address=172.25.50.10 client-id=1:b8:27:eb:94:23:b mac-address=\
    B8:27:EB:94:23:0B server=MGMT
/ip dhcp-server network
add address=172.25.10.0/24 dns-server=172.25.10.30 gateway=172.25.10.30 \
    ntp-server=172.25.10.30
add address=172.25.20.0/24 dns-server=172.25.20.1 gateway=172.25.20.1 \
    ntp-server=172.25.20.1
add address=172.25.30.0/24 dns-server=172.25.30.1 gateway=172.25.30.1 \
    ntp-server=172.25.30.1
add address=172.25.40.0/24 dns-server=172.25.40.1 gateway=172.25.40.1 \
    ntp-server=172.25.40.1
add address=172.25.50.0/24 dns-server=172.25.50.1 gateway=172.25.50.1 \
    ntp-server=172.25.50.1
/ip dns
set allow-remote-requests=yes
/ip dns static
add address=172.25.50.20 name=switchc.local
add address=172.25.50.5 name=switchz.local
add address=172.25.10.20 name=cameras.local
add address=172.25.30.10 name=nas.local
/ip firewall filter
add action=accept chain=input comment="Allow VPN" dst-port=13231 \
    in-interface="ether1_WAN(Public IP)" protocol=udp
add action=accept chain=input comment="established, related, untracked" \
    connection-state=established,related,untracked
add action=accept chain=input comment="NTP client" in-interface=\
    "ether1_WAN(Public IP)" protocol=udp src-port=123
add action=accept chain=input comment="NTP local server" dst-port=123 \
    in-interface="VLAN50(MGMT)" protocol=tcp
add action=accept chain=input comment="NTP local server" dst-port=123 \
    in-interface="VLAN50(MGMT)" protocol=udp
add action=accept chain=input comment="Allow access to local DNS" dst-port=53 \
    in-interface=all-vlan protocol=udp
add action=drop chain=input comment="Drop invalid" connection-state=invalid
add action=drop chain=input comment="Drop access WAN" connection-state="" \
    in-interface="ether1_WAN(Public IP)"
add action=drop chain=input comment="Drop DNS access from the Internet" \
    dst-port=53 in-interface="ether1_WAN(Public IP)" log=yes log-prefix=\
    "DNS_INET_protokol=udp" protocol=udp
add action=drop chain=input comment="Drop DNS access from the Internet" \
    dst-port=53 in-interface="ether1_WAN(Public IP)" log=yes log-prefix=\
    "DNS_INET_protokol=tcp" protocol=tcp
add action=fasttrack-connection chain=forward comment=Fasttrack \
    connection-state=established,related hw-offload=yes
add action=accept chain=forward comment="established, related, untracked" \
    connection-state=established,related,untracked
add action=accept chain=forward comment="Allow access FTP -> NAS" \
    dst-address=172.25.30.10 dst-port=21 in-interface="VLAN20(PC)" \
    out-interface="VLAN30(NAS)" protocol=tcp
add action=accept chain=forward comment="Allow access to NVR 443" \
    dst-address=172.25.10.20 dst-port=443 in-interface="VLAN20(PC)" \
    out-interface="VLAN10(Cameras)" protocol=tcp
add action=accept chain=forward comment="Allow access to NVR 80" dst-address=\
    172.25.10.20 dst-port=80 in-interface="VLAN20(PC)" out-interface=\
    "VLAN10(Cameras)" protocol=tcp
add action=accept chain=forward comment="Allow access to NVR 8000" \
    dst-address=172.25.10.20 in-interface="VLAN20(PC)" out-interface=\
    "VLAN10(Cameras)" port=8000 protocol=tcp
add action=accept chain=forward comment=SAMBA connection-state="" \
    dst-address=172.25.30.10 dst-port=445 in-interface="VLAN20(PC)" \
    out-interface="VLAN30(NAS)" protocol=tcp
add action=accept chain=forward comment=SAMBA dst-address=172.25.30.10 \
    dst-port=135-139 in-interface="VLAN20(PC)" out-interface="VLAN30(NAS)" \
    protocol=tcp
add action=accept chain=forward comment=SAMBA dst-address=172.25.30.10 \
    dst-port=135-139 in-interface="VLAN20(PC)" out-interface="VLAN30(NAS)" \
    protocol=udp
add action=accept chain=forward comment=\
    "Allow access  MGMT -> VLAN 10,20,30,40" in-interface-list=MGMT \
    out-interface-list="VLAN 10,20,30,40"
add action=drop chain=forward comment=\
    "Drop access to MGMT From VLAN 10,20,30,40" in-interface-list=\
    "VLAN 10,20,30,40" out-interface-list=MGMT
add action=drop chain=forward comment=\
    "Drop access to VLAN10  from VLAN20,30,40" in-interface-list="VLAN 10" \
    out-interface-list="VLAN 20,30,40"
add action=drop chain=forward comment=\
    "Drop access to VLAN20  from VLAN10,30,40" in-interface-list="VLAN 20" \
    out-interface-list="VLAN 10,30,40"
add action=drop chain=forward comment=\
    "Drop access to VLAN30  from VLAN10,20,40" in-interface-list="VLAN 30" \
    out-interface-list="VLAN 10,20,40"
add action=drop chain=forward comment=\
    "Drop access to VLAN40  from VLAN10,20,30" in-interface-list="VLAN 40" \
    out-interface-list="VLAN 10,20,30"
add action=drop chain=forward comment="Drop invalid" connection-state=invalid
/ip firewall nat
add action=masquerade chain=srcnat out-interface="ether1_WAN(Public IP)"
/ip firewall service-port
set pptp disabled=yes
/ip service
set telnet disabled=yes
set ftp disabled=yes
set www disabled=yes
set ssh disabled=yes
set api disabled=yes
set winbox address="172.25.50.69/32,172.25.50.70/32,172.25.50.68/32,172.25.50.\
    67/32,172.25.50.66/32,172.25.50.65/32,172.25.60.4/32,192.168.55.5/32"
set api-ssl disabled=yes
/ip smb
set allow-guests=no comment="" domain="" interfaces="VLAN30(NAS)"
/ip ssh
set strong-crypto=yes
/ip vrf
add disabled=yes interfaces="VLAN50(MGMT),*13" name=vrf1
/system clock
set time-zone-name=Europe/Prague
/system clock manual
set dst-delta=+01:00 time-zone=+01:00
/system identity
set name=Routr
/system ntp client
set enabled=yes
/system ntp server
set enabled=yes manycast=yes
/system ntp client servers
add address=195.113.144.201 iburst=no
add address=195.113.144.238
/tool mac-server
set allowed-interface-list=MGMT
/tool mac-server mac-winbox
set allowed-interface-list=MGMT
Thank you for your help

I am attaching a modified graph:
You do not have the required permissions to view the files attached to this post.
 
User avatar
anav
Forum Guru
Forum Guru
Posts: 18959
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada
Contact:

Re: Check please my configuration and firewall

Wed Mar 15, 2023 6:18 pm

(1) FROM
/interface bridge
add arp=proxy-arp frame-types=admit-only-vlan-tagged name=bridge \
vlan-filtering=yes

TO
/interface bridge
add arp=proxy-arp name=bridge vlan-filtering=yes

(2) INGRESS-FILTERING=YES missing from all /interface bridge port settings.

(3) WG info, good clarity on requirements.
WG clients CAM1 and CAM2 peer allowed IP settings for the main router should be something like
allowed-addresses=172.25.60.0/24,172.25.10.30.0

For admin
allowed-addresses=0.0.0.0/0 ( to allow admin full flex, all subnets and internet thru router if desired )

(4) If not already stated /tool mac-server should be set to NONE as is not a secure access method.

(5) Don't recommend this approach............
set winbox address="172.25.50.69/32,172.25.50.70/32,172.25.50.68/32,172.25.50.\
67/32,172.25.50.66/32,172.25.50.65/32,172.25.60.4/32,192.168.55.5/32"

instead use it to narrow down to subnets only and leave refinement to firewall rules.. much easier to manage and thus one only needs one spot to adjust where one looks frequently!!
set winbox address="172.25.50.0/2, 172.168.25.60.0/24, 192.168.55.0/24"

Think about it, there is a reason to have and use functionality of lists, such as firewall address list.

(6) In the forward chain you have all your port forwarding/server rules and they all belong in the DST NAT chain LOL. Besides the fact they are all formatted incorrectly.

(7) Interface lists/members & Firewall address list/rules/nat { KEEP IT SIMPLE }

a. /interface list
add name=WAN
add name=LAN
add name=MGMT


b. /interface list members
add interface="VLAN50(MGMT)" list=MGMT
add interface=ether10_emerg list=MGMT
add interface=VPN_WG list=MGMT
add interface="ether1_WAN(Public IP)" list=WAN
add interface="VLAN10(Cameras)" list=LAN
add interface="VLAN20(PC)" list=LAN
add interface="VLAN30(NAS)" list=LAN
add interface="VLAN40(Guest)" list=LAN
add interface="VLAN50(MGMT)" list=LAN
add interface=VPN_WG list=LAN


c. /ip firewall address list (how many admin IPs do you have LOL, \
add address=172.25.50.69/32 list=Authorized comment="add what each line is"
add address=172.25.50.70/32 list=Authorized ???
add address=172.25.50.68/32 list=Authorized ???
add address=172.25.50.67/32 list=Authorized ???
add address=172.25.50.66/32 list=Authorized ???
add address=172.25.50.65/32 list=Authorized ???
add address=172.25.60.4/32 list=Authorized comment="Remote Admin WG"
add address=192.168.55.5/32 list=Authorized comment="Off Bridge Access
"

d. /ip firewall filter
/ip firewall filter
add action=accept chain=input comment="established, related, untracked" \
    connection-state=established,related,untracked
add action=drop chain=input comment="Drop invalid" connection-state=invalid
add action=accept chain=input protocol=icmp
add action=accept chain=input comment="handshake VPN_WG" dst-port=13231 protocol=udp
add action=accept chain=input in-interface-list=MGMT src-address-list=Authorized
add action=accept chain=input comment="Allow access to local DNS" dst-port=53 \
    in-interface=LAN protocol=udp
add action=accept chain=input comment="Allow access to local DNS" dst-port=53 \
    in-interface=LAN protocol=tcp
add action=accept chain=input comment="NTP local server" dst-port=123 \  { NTP is udp only }
    in-interface="VLAN50(MGMT)" protocol=udp
add action=drop chain=input comment="Drop all else"  { dont put this rule until allow admin rule, firewall address and MGMT interface list members are complete}
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
add action=fasttrack-connection chain=forward comment=Fasttrack \
    connection-state=established,related hw-offload=yes
add action=accept chain=forward comment="established, related, untracked" \
    connection-state=established,related,untracked
add action=accept chain=forward comment="internet traffic" in-interface-list=LAN out-interface-list=WAN
add action=accept chain=forward comment="admin to all vlans"  in-interface-list=MGMT \
    out-interface-list=LAN src-address-list=Authorized
add action=accept chain=forward comment="cam access" in-interface=WG_VPN \
    out-interface="VLAN10(Cameras)"  dst-address=172.25.10.20/32
add action=accept chain=forward comment="port forwarding" connection-nat-state=dstnat
add action=drop chain=forward comment="Drop all else"
....

e. NAT RULES
...
/ip firewall nat
add chain=srcnat action=masquerade out-interface="ether1_WAN(Public IP)"
+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
add chain=dstnat action=dst-nat comment="Allow access FTP -> NAS" \
    to-addresses=172.25.30.10 dst-port=21 in-interface="ether1_WAN(Public IP)" \
     protocol=tcp
add chain=dstnat action=dst-nat comment="Allow access to NVR 443" \
    to-addresses=172.25.10.20 dst-port=443 in-interface="ether1_WAN(Public IP)" \
    protocol=tcp
add chain=dstnat action=dst-nat comment="Allow access to NVR 80" \
    to-addresses=172.25.10.20 dst-port=80 in-interface="ether1_WAN(Public IP)" \
    protocol=tcp
add chain=dstnat action=dst-nat comment="Allow access to NVR 8000" \
    to-addresses=172.25.10.20 in-interface="ether1_WAN(Public IP)" dst-port=8000 \
	protocol=tcp
add chain=dstnat action=dst-nat comment=SAMBA to-addresses=172.25.30.10 \
    dst-port=445 in-interface="ether1_WAN(Public IP)" protocol=tcp
add chain=dstnat action=dst-nat comment=SAMBA to-addresses=172.25.30.10 \
    dst-port=135-139 in-interface="ether1_WAN(Public IP)"protocol=tcp
add chain=dstnat action=dst-nat comment=SAMBA to-addresses=172.25.30.10 \
    dst-port=135-139 in-interface="ether1_WAN(Public IP)" protocol=udp
 
Boban84
just joined
Topic Author
Posts: 4
Joined: Wed Mar 08, 2023 2:27 pm

Re: Check please my configuration and firewall

Fri Mar 17, 2023 2:29 pm

Hi,
1 ) done
2 ) The ports have been checked and they all have INGRESS-FILTERING=YES enabled, but it is not visible in the export
mikrotik.PNG
4 ) done
5 ) done
6 ) I don't want to be able to access the NVR or the NAS from the internet. Only PCs (VLAN20) will have access to the NVR, only PCs (VLAN20) will also have access to the NAS but only to FTP and SAMBA
7 ) supplemented
# mar/17/2023 13:29:54 by RouterOS 7.8
# software id = ZYIX-0CKR
#
# model = RB4011iGS+

/interface bridge
add arp=proxy-arp name=bridge vlan-filtering=yes
/interface ethernet
set [ find default-name=ether1 ] arp=proxy-arp name="ether1_WAN(Public IP)"
set [ find default-name=ether2 ] name=ether2_PC
set [ find default-name=ether3 ] name=ether3_PC
set [ find default-name=ether4 ] name=ether4_PC
set [ find default-name=ether5 ] name=ether5_PC
set [ find default-name=ether6 ] name=ether6_NAS
set [ find default-name=ether7 ] comment="Trunk port ( VLAN20,50 )" name=\
    ether7_Zyxel
set [ find default-name=ether8 ] comment="Trunk port (VLAN10,20,50)" name=\
    ether8_CISCO
set [ find default-name=ether9 ] comment="Trunk port(VLAN20,40,50)" name=\
    ether9_UBNT
set [ find default-name=ether10 ] name=ether10_emerg poe-out=off
set [ find default-name=sfp-sfpplus1 ] disabled=yes
/interface wireguard
add listen-port=13231 mtu=1420 name=VPN_WG
/interface vlan
add interface=bridge name="VLAN10(Cameras)" vlan-id=10
add interface=bridge name="VLAN20(PC)" vlan-id=20
add interface=bridge name="VLAN30(NAS)" vlan-id=30
add interface=bridge name="VLAN40(Guest)" vlan-id=40
add interface=bridge name="VLAN50(MGMT)" vlan-id=50
/interface list
add name=MGMT
add name=WAN
add name=LAN
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip pool
add name=Cameras ranges=172.25.10.31-172.25.10.45
add name=PC ranges=172.25.20.2-172.25.20.50
add name=NAS ranges=172.25.30.2-172.25.30.4
add name=Guest ranges=172.25.40.2-172.25.40.50
add name=MGMT ranges=172.25.50.50-172.25.50.70
/ip dhcp-server
add address-pool=Cameras interface="VLAN10(Cameras)" name=Cameras
add address-pool=PC interface="VLAN20(PC)" name=PC
add address-pool=NAS interface="VLAN30(NAS)" name=NAS
add address-pool=Guest interface="VLAN40(Guest)" name=Wifi_Guest
add address-pool=MGMT interface="VLAN50(MGMT)" name=MGMT
/port
set 0 name=serial0
set 1 name=serial1
/interface bridge port
add bridge=bridge frame-types=admit-only-untagged-and-priority-tagged \
    interface=ether3_PC pvid=20
add bridge=bridge frame-types=admit-only-untagged-and-priority-tagged \
    interface=ether4_PC pvid=20
add bridge=bridge frame-types=admit-only-untagged-and-priority-tagged \
    interface=ether5_PC pvid=20
add bridge=bridge frame-types=admit-only-untagged-and-priority-tagged \
    interface=ether6_NAS pvid=30
add bridge=bridge comment="Trunk port ( VLAN20,50 )" frame-types=\
    admit-only-vlan-tagged interface=ether7_Zyxel
add bridge=bridge comment="Trunk port (VLAN10,20,50)" interface=ether8_CISCO
add bridge=bridge comment="Trunk port(VLAN20,40,50)" frame-types=\
    admit-only-vlan-tagged interface=ether9_UBNT
add bridge=bridge frame-types=admit-only-untagged-and-priority-tagged \
    interface=ether2_PC pvid=20
/ip firewall connection tracking
set tcp-established-timeout=10s
/ip neighbor discovery-settings
set discover-interface-list=MGMT
/interface bridge vlan
add bridge=bridge tagged=bridge,ether8_CISCO vlan-ids=10
add bridge=bridge tagged=bridge,ether7_Zyxel,ether8_CISCO,ether9_UBNT \
    untagged=ether2_PC,ether3_PC,ether4_PC,ether5_PC vlan-ids=20
add bridge=bridge tagged=bridge untagged=ether6_NAS vlan-ids=30
add bridge=bridge tagged=bridge,ether9_UBNT vlan-ids=40
add bridge=bridge tagged=bridge,ether8_CISCO,ether9_UBNT,ether7_Zyxel \
    vlan-ids=50
/interface list member
add interface="VLAN50(MGMT)" list=MGMT
add interface="ether1_WAN(Public IP)" list=WAN
add interface=ether10_emerg list=MGMT
add interface=VPN_WG list=MGMT
add interface="VLAN10(Cameras)" list=LAN
add interface="VLAN20(PC)" list=LAN
add interface="VLAN30(NAS)" list=LAN
add interface="VLAN40(Guest)" list=LAN
add interface="VLAN50(MGMT)" list=LAN
add interface=VPN_WG list=LAN
/interface wireguard peers
add allowed-address=172.25.60.2/32 comment="VPN CAM1" interface=VPN_WG \
    public-key="xxx"
add allowed-address=172.25.60.3/32 comment="VPN CAM2" interface=VPN_WG \
    public-key="xx"
add allowed-address=172.25.60.4/32 comment="VPN MGMT" interface=VPN_WG \
    public-key="xxx"
/ip address
add address=172.25.10.30/24 interface="VLAN10(Cameras)" network=172.25.10.0
add address=172.25.20.1/24 interface="VLAN20(PC)" network=172.25.20.0
add address=172.25.30.1/24 interface="VLAN30(NAS)" network=172.25.30.0
add address=172.25.40.1/24 interface="VLAN40(Guest)" network=172.25.40.0
add address=172.25.50.1/24 interface="VLAN50(MGMT)" network=172.25.50.0
add address=172.25.60.1/24 interface=VPN_WG network=172.25.60.0
add address=192.168.55.1/24 interface=ether10_emerg network=192.168.55.0
/ip cloud
set update-time=no
/ip dhcp-client
add interface="ether1_WAN(Public IP)"
/ip dhcp-server network
add address=172.25.10.0/24 dns-server=172.25.10.30 gateway=172.25.10.30 \
    ntp-server=172.25.10.30
add address=172.25.20.0/24 dns-server=172.25.20.1 gateway=172.25.20.1 \
    ntp-server=172.25.20.1
add address=172.25.30.0/24 dns-server=172.25.30.1 gateway=172.25.30.1 \
    ntp-server=172.25.30.1
add address=172.25.40.0/24 dns-server=172.25.40.1 gateway=172.25.40.1 \
    ntp-server=172.25.40.1
add address=172.25.50.0/24 dns-server=172.25.50.1 gateway=172.25.50.1 \
    ntp-server=172.25.50.1
/ip dns
set allow-remote-requests=yes
/ip dns static
add address=172.25.50.20 name=switchc.local
add address=172.25.50.5 name=switchz.local
add address=172.25.10.20 name=cameras.local
add address=172.25.30.10 name=nas.local
/ip firewall address-list
add address=172.25.50.68 list=Authorized
add address=172.25.60.4 comment="Remote Admin WG" list=Authorized
add address=192.168.55.5 comment="Off Bridge Access" list=Authorized
add address=172.25.50.67 list=Authorized
/ip firewall filter
add action=accept chain=input comment="established, related, untracked" \
    connection-state=established,related,untracked
add action=drop chain=input comment="Drop invalid" connection-state=invalid
add action=accept chain=input comment=ICMP protocol=icmp
add action=accept chain=input comment="handshake VPN_WG" dst-port=13231 \
    protocol=udp
add action=accept chain=input in-interface-list=MGMT src-address-list=\
    Authorized
add action=accept chain=input comment="Allow access to local DNS UDP" \
    dst-port=53 in-interface-list=LAN protocol=udp
add action=accept chain=input comment="Allow access to local DNS TCP" \
    dst-port=53 in-interface-list=LAN protocol=tcp
add action=accept chain=input comment="NTP client" in-interface=\
    "ether1_WAN(Public IP)" protocol=udp src-port=123
add action=accept chain=input comment="NTP local server" dst-port=123 \
    in-interface="VLAN50(MGMT)" protocol=udp
add action=drop chain=input comment="Drop access WAN"
add action=drop chain=input comment="Drop DNS access from the Internet" \
    dst-port=53 in-interface="ether1_WAN(Public IP)" log=yes log-prefix=\
    "DNS_INET_protokol=udp" protocol=udp
add action=drop chain=input comment="Drop DNS access from the Internet" \
    dst-port=53 in-interface="ether1_WAN(Public IP)" log=yes log-prefix=\
    "DNS_INET_protokol=tcp" protocol=tcp
add action=fasttrack-connection chain=forward comment=Fasttrack \
    connection-state=established,related hw-offload=yes
add action=accept chain=forward comment="established, related, untracked" \
    connection-state=established,related,untracked
add action=accept chain=forward comment="Internet traffic" in-interface-list=\
    LAN out-interface-list=WAN
add action=accept chain=forward comment="Allow access all VLAN " \
    in-interface-list=MGMT out-interface-list=LAN src-address-list=Authorized
add action=accept chain=forward comment="Allow access VPN CAM" dst-address=\
    172.25.10.20 in-interface=VPN_WG out-interface="VLAN10(Cameras)"
add action=accept chain=forward comment=\
    "Allow access to NVR 443 for only VLAN20(PC)" dst-address=172.25.10.20 \
    dst-port=443 in-interface="VLAN20(PC)" out-interface="VLAN10(Cameras)" \
    protocol=tcp
add action=accept chain=forward comment=\
    "Allow access to NVR 80 for only VLAN20(PC)" dst-address=172.25.10.20 \
    dst-port=80 in-interface="VLAN20(PC)" out-interface="VLAN10(Cameras)" \
    protocol=tcp
add action=accept chain=forward comment=\
    "Allow access to NVR 8000 for only VLAN20(PC)" dst-address=172.25.10.20 \
    in-interface="VLAN20(PC)" out-interface="VLAN10(Cameras)" port=8000 \
    protocol=tcp
add action=accept chain=forward comment=SAMBA connection-state="" \
    dst-address=172.25.30.10 dst-port=445 in-interface="VLAN20(PC)" \
    out-interface="VLAN30(NAS)" protocol=tcp
add action=accept chain=forward comment="SAMBA TCP" dst-address=172.25.30.10 \
    dst-port=135-139 in-interface="VLAN20(PC)" out-interface="VLAN30(NAS)" \
    protocol=tcp
add action=accept chain=forward comment="SAMBA UDP" dst-address=172.25.30.10 \
    dst-port=135-139 in-interface="VLAN20(PC)" out-interface="VLAN30(NAS)" \
    protocol=udp
add action=accept chain=forward comment="Allow access FTP -> NAS" \
    dst-address=172.25.30.10 dst-port=21 in-interface="VLAN20(PC)" \
    out-interface="VLAN30(NAS)" protocol=tcp
add action=drop chain=forward comment="Drop all else"
/ip firewall nat
add action=masquerade chain=srcnat out-interface="ether1_WAN(Public IP)"
/ip firewall service-port
set pptp disabled=yes
/ip service
set telnet disabled=yes
set ftp disabled=yes
set www disabled=yes
set ssh disabled=yes
set api disabled=yes
set winbox address=172.25.50.0/24,172.25.60.0/24,192.168.55.0/24
set api-ssl disabled=yes
/ip smb
set allow-guests=no comment="" domain="" interfaces="VLAN30(NAS)"
/ip ssh
set strong-crypto=yes
/ip vrf
add disabled=yes interfaces="VLAN50(MGMT),*13" name=vrf1
/system clock
set time-zone-name=Europe/Prague
/system clock manual
set dst-delta=+01:00 time-zone=+01:00
/system identity
set name=Routr
/system ntp client
set enabled=yes
/system ntp server
set enabled=yes manycast=yes
/system ntp client servers
add address=195.113.144.201 iburst=no
add address=195.113.144.238
/tool mac-server
set allowed-interface-list=none
/tool mac-server mac-winbox
set allowed-interface-list=none
/tool mac-server ping
set enabled=no
You do not have the required permissions to view the files attached to this post.
 
User avatar
anav
Forum Guru
Forum Guru
Posts: 18959
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada
Contact:

Re: Check please my configuration and firewall

Fri Mar 17, 2023 4:06 pm

(1) I can understand you making changed to the forward chain, aka to refine access but what I dont understand is the BS rules you add in the input chain.

/ip firewall filter
add action=accept chain=input comment="established, related, untracked" \
connection-state=established,related,untracked
add action=drop chain=input comment="Drop invalid" connection-state=invalid
add action=accept chain=input comment=ICMP protocol=icmp
add action=accept chain=input comment="handshake VPN_WG" dst-port=13231 \
protocol=udp
add action=accept chain=input in-interface-list=MGMT src-address-list=\
Authorized
add action=accept chain=input comment="Allow access to local DNS UDP" \
dst-port=53 in-interface-list=LAN protocol=udp
add action=accept chain=input comment="Allow access to local DNS TCP" \
dst-port=53 in-interface-list=LAN protocol=tcp
add action=accept chain=input comment="NTP local server" dst-port=123 \
in-interface="VLAN50(MGMT)" protocol=udp


All the above is fine............ then you start deviating.

a. NTP does not require any input chain rules on the WAN incoming side REMOVE.
add action=accept chain=input comment="NTP client" in-interface=\
"ether1_WAN(Public IP)" protocol=udp src-port=123


b. You do not need a drop access wan rule here ITS the LAST rule in the input chain (order wrong) and the comment is wrong its "drop all else" and belongs as last rule.
add action=drop chain=input comment="Drop access WAN"

( Funny note--: your next two rules both redundant and so the above rule is actually placed correctly when you get rid of the last two rules LOL )
add action=drop chain=input comment="Drop all other traffic"

c. Considering the rule above just dropped ALL OTHER TRAFFIC, what is the purpose of adding the next to rules, they will never be used.
Because we drop all else at the end of chain, rules such as this are completely useless and need to be REMOVED.
add action=drop chain=input comment="Drop DNS access from the Internet" \
dst-port=53 in-interface="ether1_WAN(Public IP)" log=yes log-prefix=\
"DNS_INET_protokol=udp" protocol=udp
add action=drop chain=input comment="Drop DNS access from the Internet" \
dst-port=53 in-interface="ether1_WAN(Public IP)" log=yes log-prefix=\
"DNS_INET_protokol=tcp" protocol=tcp


(2) Your attention to detail is poor.
Upon reviewing your config in POST#3 I noted the following in your config:
/tool mac-server
set allowed-interface-list=MGMT
/tool mac-server mac-winbox
set allowed-interface-list=MGMT


LOOK AT MY POST #4, para 4.
[ (4) If not already stated /tool mac-server should be set to NONE as is not a secure access method. ]

Then this is what you did.............
/tool mac-server
set allowed-interface-list=none { good }
/tool mac-server mac-winbox
set allowed-interface-list=none {wrong}


(5) You could if you wanted simplify the forward chain rules from

add action=accept chain=forward comment=\
"Allow access to NVR 443 for only VLAN20(PC)" dst-address=172.25.10.20 \
dst-port=443 in-interface="VLAN20(PC)" out-interface="VLAN10(Cameras)" \
protocol=tcp
add action=accept chain=forward comment=\
"Allow access to NVR 80 for only VLAN20(PC)" dst-address=172.25.10.20 \
dst-port=80 in-interface="VLAN20(PC)" out-interface="VLAN10(Cameras)" \
protocol=tcp
add action=accept chain=forward comment=\
"Allow access to NVR 8000 for only VLAN20(PC)" dst-address=172.25.10.20 \
in-interface="VLAN20(PC)" out-interface="VLAN10(Cameras)" port=8000 \
protocol=tcp

TO:
add action=accept chain=forward "Allow access to NVR (80,443,8000) for only VLAN20(PC)" \
dst-address=172.25.10.20 dst-port=80,443,8000 in-interface="VLAN20(PC)" \
out-interface="VLAN10(Cameras)" protocol=tcp
 
Boban84
just joined
Topic Author
Posts: 4
Joined: Wed Mar 08, 2023 2:27 pm

Re: Check please my configuration and firewall

Tue Mar 28, 2023 3:30 pm

Hi, sorry for the delay, I didn't have time to deal with it. I'm sending the modified configuration for review, I hope I didn't make another unnecessary mistake.
# software id = ZYIX-0CKR
#
# model = RB4011iGS+
# serial number = xxxxx
/interface bridge
add arp=proxy-arp name=bridge vlan-filtering=yes
/interface ethernet
set [ find default-name=ether1 ] name="ether1_WAN(Public IP)"
set [ find default-name=ether2 ] name=ether2_PC
set [ find default-name=ether3 ] name=ether3_PC
set [ find default-name=ether4 ] name=ether4_PC
set [ find default-name=ether5 ] name=ether5_PC
set [ find default-name=ether6 ] name=ether6_NAS
set [ find default-name=ether7 ] comment="Trunk port ( VLAN20,50 )" name=\
    ether7_Zyxel
set [ find default-name=ether8 ] comment="Trunk port (VLAN10,20,50)" name=\
    ether8_CISCO
set [ find default-name=ether9 ] comment="Trunk port(VLAN20,40,50)" name=\
    ether9_UBNT
set [ find default-name=ether10 ] name=ether10_emerg
set [ find default-name=sfp-sfpplus1 ] disabled=yes
/interface wireguard
add listen-port=13231 mtu=1420 name=VPN_WG
/interface vlan
add interface=bridge name="VLAN10(Cameras)" vlan-id=10
add interface=bridge name="VLAN20(PC)" vlan-id=20
add interface=bridge name="VLAN30(NAS)" vlan-id=30
add interface=bridge name="VLAN40(Guest)" vlan-id=40
add interface=bridge name="VLAN50(MGMT)" vlan-id=50
/interface list
add name=WAN
add name=MGMT
add name=LAN
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip pool
add name=Cameras ranges=172.25.10.31-172.25.10.45
add name=PC ranges=172.25.20.2-172.25.20.50
add name=NAS ranges=172.25.30.2-172.25.30.4
add name=Guest ranges=172.25.40.2-172.25.40.50
add name=MGMT ranges=172.25.50.50-172.25.50.70
/ip dhcp-server
add address-pool=Cameras interface="VLAN10(Cameras)" name=Cameras
add address-pool=PC interface="VLAN20(PC)" name=PC
add address-pool=NAS interface="VLAN30(NAS)" name=NAS
add address-pool=Guest interface="VLAN40(Guest)" name=Guest
add address-pool=MGMT interface="VLAN50(MGMT)" name=MGMT
/port
set 0 name=serial0
set 1 name=serial1
/interface bridge port
add bridge=bridge frame-types=admit-only-untagged-and-priority-tagged \
    interface=ether2_PC pvid=20
add bridge=bridge frame-types=admit-only-untagged-and-priority-tagged \
    interface=ether3_PC pvid=20
add bridge=bridge frame-types=admit-only-untagged-and-priority-tagged \
    interface=ether4_PC pvid=20
add bridge=bridge frame-types=admit-only-untagged-and-priority-tagged \
    interface=ether5_PC pvid=20
add bridge=bridge frame-types=admit-only-untagged-and-priority-tagged \
    interface=ether6_NAS pvid=30
add bridge=bridge comment="Trunk port ( VLAN20,50 )" frame-types=\
    admit-only-vlan-tagged interface=ether7_Zyxel
add bridge=bridge comment="Trunk port (VLAN10,20,50)" frame-types=\
    admit-only-vlan-tagged interface=ether8_CISCO
add bridge=bridge comment="Trunk port(VLAN20,40,50)" frame-types=\
    admit-only-vlan-tagged interface=ether9_UBNT
/ip neighbor discovery-settings
set discover-interface-list=MGMT
/interface bridge vlan
add bridge=bridge tagged=bridge,ether8_CISCO vlan-ids=10
add bridge=bridge tagged=bridge,ether7_Zyxel,ether8_CISCO,ether9_UBNT \
    untagged=ether2_PC,ether3_PC,ether4_PC,ether5_PC vlan-ids=20
add bridge=bridge tagged=bridge untagged=ether6_NAS vlan-ids=30
add bridge=bridge tagged=bridge,ether9_UBNT vlan-ids=40
add bridge=bridge tagged=bridge,ether7_Zyxel,ether8_CISCO,ether9_UBNT \
    vlan-ids=50
/interface list member
add interface="ether1_WAN(Public IP)" list=WAN
add interface="VLAN50(MGMT)" list=MGMT
add interface=ether10_emerg list=MGMT
add interface="VLAN10(Cameras)" list=LAN
add interface="VLAN20(PC)" list=LAN
add interface="VLAN30(NAS)" list=LAN
add interface="VLAN40(Guest)" list=LAN
add interface=VPN_WG list=MGMT
add interface="VLAN50(MGMT)" list=LAN
add interface=VPN_WG list=LAN
/interface wireguard peers
add allowed-address=172.25.60.2/32 comment="VPN CAM1" interface=VPN_WG \
    public-key="xxxx"
add allowed-address=172.25.60.3/32 comment="VPN CAM2" interface=VPN_WG \
    public-key="xxxx"
add allowed-address=172.25.60.4/32 comment="VPN MGMT" interface=VPN_WG \
    public-key="xxxx"
/ip address
add address=172.25.10.30/24 interface="VLAN10(Cameras)" network=172.25.10.0
add address=172.25.20.1/24 interface="VLAN20(PC)" network=172.25.20.0
add address=172.25.30.1/24 interface="VLAN30(NAS)" network=172.25.30.0
add address=172.25.40.1/24 interface="VLAN40(Guest)" network=172.25.40.0
add address=172.25.50.1/24 interface="VLAN50(MGMT)" network=172.25.50.0
add address=192.168.55.1/24 interface=ether10_emerg network=192.168.55.0
add address=172.25.60.1/24 interface=VPN_WG network=172.25.60.0
/ip cloud
set update-time=no
/ip dhcp-client
add interface="ether1_WAN(Public IP)"
/ip dhcp-server network
add address=172.25.10.0/24 dns-server=172.25.10.30 gateway=172.25.10.30 \
    ntp-server=172.25.10.30
add address=172.25.20.0/24 dns-server=172.25.20.1 gateway=172.25.20.1 \
    ntp-server=172.25.20.1
add address=172.25.30.0/24 dns-server=172.25.30.1 gateway=172.25.30.1 \
    ntp-server=172.25.30.1
add address=172.25.40.0/24 dns-server=172.25.40.1 gateway=172.25.40.1 \
    ntp-server=172.25.40.1
add address=172.25.50.0/24 dns-server=172.25.50.1 gateway=172.25.50.1 \
    ntp-server=172.25.50.1
/ip dns
set allow-remote-requests=yes
/ip dns static
add address=172.25.50.20 name=switchc.local
add address=172.25.50.5 name=switchz.local
add address=172.25.10.20 name=cameras.local
add address=172.25.30.10 name=nas.local
/ip firewall address-list
add address=172.25.50.68 list=Authorized
add address=172.25.60.4 comment="Remote Admin WG" list=Authorized
add address=192.168.55.5 comment="Off Bridge Access" list=Authorized
add address=172.25.50.67 list=Authorized
/ip firewall filter
add action=accept chain=input comment="established, related, untracked" \
    connection-state=established,related,untracked
add action=drop chain=input comment="Drop invalid" connection-state=invalid
add action=accept chain=input comment=ICMP protocol=icmp
add action=accept chain=input comment="handshake VPN_WG" dst-port=13231 \
    protocol=udp
add action=accept chain=input in-interface-list=MGMT src-address-list=\
    Authorized
add action=accept chain=input comment="Allow access to local DNS UDP" \
    dst-port=53 in-interface-list=LAN protocol=udp
add action=accept chain=input comment="Allow access to local DNS TCP" \
    dst-port=53 in-interface-list=LAN protocol=tcp
add action=accept chain=input comment="NTP local server" dst-port=123 \
    in-interface="VLAN50(MGMT)" protocol=udp
add action=drop chain=input comment="Drop all other traffic"
add action=fasttrack-connection chain=forward comment=Fasttrack \
    connection-state=established,related hw-offload=yes
add action=accept chain=forward comment="established, related, untracked" \
    connection-state=established,related,untracked
add action=accept chain=forward comment="Internet traffic" in-interface-list=\
    LAN out-interface-list=WAN
add action=accept chain=forward comment="Allow access all VLAN " \
    in-interface-list=MGMT out-interface-list=LAN src-address-list=Authorized
add action=accept chain=forward comment="Allow access VPN CAM" dst-address=\
    172.25.10.20 in-interface=VPN_WG out-interface="VLAN10(Cameras)"
add action=accept chain=forward comment=\
    "Allow access to NVR 443,80,8000 for only VLAN20(PC)" dst-address=\
    172.25.10.20 dst-port=443,80,8000 in-interface="VLAN20(PC)" \
    out-interface="VLAN10(Cameras)" protocol=tcp
add action=accept chain=forward comment=SAMBA connection-state="" \
    dst-address=172.25.30.10 dst-port=445 in-interface="VLAN20(PC)" \
    out-interface="VLAN30(NAS)" protocol=tcp
add action=accept chain=forward comment="SAMBA TCP" dst-address=172.25.30.10 \
    dst-port=135-139 in-interface="VLAN20(PC)" out-interface="VLAN30(NAS)" \
    protocol=tcp
add action=accept chain=forward comment="SAMBA UDP" dst-address=172.25.30.10 \
    dst-port=135-139 in-interface="VLAN20(PC)" out-interface="VLAN30(NAS)" \
    protocol=udp
add action=accept chain=forward comment="Allow access FTP -> NAS" \
    dst-address=172.25.30.10 dst-port=21 in-interface="VLAN20(PC)" \
    out-interface="VLAN30(NAS)" protocol=tcp
add action=drop chain=forward comment="Drop all else"
/ip firewall nat
add action=masquerade chain=srcnat out-interface="ether1_WAN(Public IP)"
/ip service
set telnet disabled=yes
set ftp disabled=yes
set ssh disabled=yes
set api disabled=yes
set winbox address=172.25.50.0/24,172.25.60.0/24,192.168.55.0/24
set api-ssl disabled=yes
/ip ssh
set strong-crypto=yes
/system clock
set time-zone-autodetect=no time-zone-name=Europe/Prague
/system clock manual
set dst-delta=+01:00 time-zone=+01:00
/system identity
set name=Routr
/system ntp client
set enabled=yes
/system ntp server
set enabled=yes manycast=yes
/system ntp client servers
add address=195.113.144.201
add address=195.113.144.238
/tool mac-server
set allowed-interface-list=none
/tool mac-server mac-winbox
set allowed-interface-list=MGMT
/tool mac-server ping
set enabled=no

Who is online

Users browsing this forum: GoogleOther [Bot] and 60 guests