I am new to MikroTik and would like to ask whether my settings are safe as they are. Maybe someone has suggestions for improvement.
I use a MikroTik Hex S and a MikroTik CAP AC with a DrayTek Vigor 167.
1. admin user deleted and new one created.
2. password changed.
3. upgrade to 7.8
4. deactivated telnet, ftp, www, www-ssl, api, api-ssl.
5. Ports for SSH + Winbox changed
6. deactivated:
- IPv6
- bandwidth server
- MAC-Access (MAC Telnet Server = local / listBridge / MAC-Winbox-Server = local / listBridge)
- Neighbor-Discovery (MNDP, CDP, LLDP)
- IPv6 Neighbor-Discovery
- Proxy
- Socks
- upnp
- cloud
7. enabled IP -> SSH -> Strong Crypto
8. IPv4 -> DNS
9. Firewall -> NAT (action = masquerade)
10. IP -> Firewall -> Filter -> Print
[XXX@RouterOS] /ip/firewall/filter> print
Flags: X - disabled, I - invalid; D - dynamic
0 ;;; WAN -> FW | deny ping
chain=input action=drop protocol=icmp in-interface=ether1WAN log=no
log-prefix=""
1 ;;; ALLG. | aufgebaute Verbindungen erlauben (established)
chain=input action=accept connection-state=established src-address-list=""
dst-address-list="" in-interface=br-local log=no log-prefix=""
2 ;;; ALLG. | aufgebaute Verbindungen erlauben (related)
chain=input action=accept connection-state=related in-interface=br-local
log=no log-prefix=""
3 ;;; LAN (local) -> FW | Zugriff zur Firewall erlauben
chain=input action=accept dst-address=192.168.1.1 in-interface=br-local
log=no log-prefix=""
4 ;;; LAN (local) -> FW | Ping erlauben
chain=input action=accept protocol=icmp dst-address=192.168.1.1
in-interface=br-local log=no log-prefix=""
DEACTIVATED
5 X ;;; LAN (local) -> FW | DNS erlauben UDP
DEACTIVATED
6 X ;;; LAN (local) -> FW | DNS erlauben TCP
chain=input action=accept protocol=tcp dst-address=192.168.1.1 in-interface=br-local dst-port=53 log=no log-prefix=""
7 ;;; DNS allow TCP from br-local
chain=input action=accept protocol=tcp in-interface=br-local dst-port=53 log=no log-prefix=""
8 ;;; DNS allow UDP from br-local
chain=input action=accept protocol=udp in-interface=br-local dst-port=53 log=no log-prefix=""
9 ;;; DNS drop WAN request TCP
chain=input action=drop connection-state=new protocol=tcp in-interface=ether1WAN dst-port=53 log=no log-prefix=""
10 ;;; DNS drop WAN request UDP
chain=input action=drop connection-state=new protocol=udp in-interface=ether1WAN dst-port=53 log=no log-prefix=""
11 ;;; ALLG. | drop all else
chain=input action=drop connection-state="" log=yes log-prefix=""
12 ;;; drop invalid connections
chain=forward action=drop connection-state=invalid protocol=tcp
13 ;;; accept established connections
chain=forward action=accept connection-state=established log=no log-prefix=""
14 ;;; allow related connections
chain=forward action=accept connection-state=related
15 ;;; accept br-local -> WAN
chain=forward action=accept in-interface=br-local out-interface=ether1WAN log=no log-prefix=""
16 ;;; Drop Bogon
chain=forward action=drop src-address=0.0.0.0/8 log=no log-prefix=""
17 ;;; Drop Bogon
chain=forward action=drop dst-address=0.0.0.0/8 log=no log-prefix=""
18 ;;; Drop Bogon
chain=forward action=drop src-address=127.0.0.0/8 log=no log-prefix=""
19 ;;; Drop Bogon
chain=forward action=drop dst-address=127.0.0.0/8 log=no log-prefix=""
20 ;;; Drop Bogon
chain=forward action=drop src-address=224.0.0.0/3 log=no log-prefix=""
21 ;;; Drop Bogon
chain=forward action=drop dst-address=224.0.0.0/3 log=no log-prefix=""
22 ;;; JUMP TCP
chain=forward action=jump jump-target=tcp protocol=tcp log=no log-prefix=""
23 ;;; JUMP UDP
chain=forward action=jump jump-target=udp protocol=udp log=no log-prefix=""
24 ;;; JUMP ICMP
chain=forward action=jump jump-target=icmp protocol=icmp log=no log-prefix=""
25 ;;; deny TFTP
chain=tcp action=drop protocol=tcp dst-port=69
26 ;;; deny RPC portmapper
chain=tcp action=drop protocol=tcp dst-port=111
27 ;;; deny RPC portmapper
chain=tcp action=drop protocol=tcp dst-port=135
28 ;;; deny NBT
chain=tcp action=drop protocol=tcp dst-port=137-139
29 ;;; deny cifs
chain=tcp action=drop protocol=tcp dst-port=445
30 ;;; deny NFS
chain=tcp action=drop protocol=tcp dst-port=2049
31 ;;; deny NetBus
chain=tcp action=drop protocol=tcp dst-port=12345-12346
32 ;;; deny NetBus
chain=tcp action=drop protocol=tcp dst-port=20034
33 ;;; deny BackOriffice
chain=tcp action=drop protocol=tcp dst-port=3133
34 ;;; deny DHCP
chain=tcp action=drop protocol=tcp dst-port=67-68
35 ;;; deny TFTP
chain=udp action=drop protocol=udp dst-port=69
36 ;;; deny PRC portmapper
chain=udp action=drop protocol=udp dst-port=111
37 ;;; deny PRC portmapper
chain=udp action=drop protocol=udp dst-port=135
38 ;;; deny NBT
chain=udp action=drop protocol=udp dst-port=137-139
39 ;;; deny NFS
chain=udp action=drop protocol=udp dst-port=2049
40 ;;; deny BackOriffice
chain=udp action=drop protocol=udp dst-port=3133
41 ;;; drop ssh brute downstream
chain=forward action=drop protocol=tcp src-address-list=ssh_blacklist dst-port=22
42 ;;; ALLG. | drop all else
chain=forward action=drop log=no log-prefix=""
1. Is this okay? (yellow)
2. Is the DNS port 53 forwarding in the firewall rules ok so that I can use Quad9 (9.9.9.9)?
3. I am most unsure about the forward rules.
Currently I have only 1 bridge with DHCP /24 IP addresses. I would like to create 3 bridges + 3 VLANs on them based on this:
- br-local -> VLAN-1
- br-wlan -> VLAN-10
- br-public -> VLAN-20
VLAN-20 contains the webserver, mailserver etc., where I want to forward the corresponding ports in the firewall.
Thanks for any help!
Best regards
mymikro
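As an added example (my own code, not part of the post above and not a MikroTik tool), here is a small Python audit script that parses the layout of the `/ip/firewall/filter print` output quoted in the post and runs three review checks over the rules: an `established`/`related` accept that is limited to one `in-interface` (reply packets arriving on any other interface then fall through to that chain's final drop), a `connection-state=invalid` drop that is limited to one `protocol`, and rules placed after an unconditional drop in the same chain, which can never match. The sample input embedded in the script is a constructed subset of the rules from the post, copied in the same layout; the `Rule` class, the check names and the finding texts are my own. Disabled (`X`) rules are parsed but skipped by the audit, since they never match.

```python
import re
from dataclasses import dataclass, field

# Constructed sample input: a subset of the /ip/firewall/filter print output
# quoted in the post, kept in the original layout so the parser sees the
# real shape (multi-line rules, X flag on disabled rules, empty quoted values).
SAMPLE_PRINT = """\
Flags: X - disabled, I - invalid; D - dynamic
 0 ;;; WAN -> FW | deny ping
chain=input action=drop protocol=icmp in-interface=ether1WAN log=no
log-prefix=""
 1 ;;; ALLG. | aufgebaute Verbindungen erlauben (established)
chain=input action=accept connection-state=established src-address-list=""
dst-address-list="" in-interface=br-local log=no log-prefix=""
 2 ;;; ALLG. | aufgebaute Verbindungen erlauben (related)
chain=input action=accept connection-state=related in-interface=br-local
log=no log-prefix=""
 6 X ;;; LAN (local) -> FW | DNS erlauben TCP
chain=input action=accept protocol=tcp dst-address=192.168.1.1 in-interface=br-local dst-port=53 log=no log-prefix=""
 11 ;;; ALLG. | drop all else
chain=input action=drop connection-state="" log=yes log-prefix=""
 12 ;;; drop invalid connections
chain=forward action=drop connection-state=invalid protocol=tcp
 13 ;;; accept established connections
chain=forward action=accept connection-state=established log=no log-prefix=""
 42 ;;; ALLG. | drop all else
chain=forward action=drop log=no log-prefix=""
"""


@dataclass
class Rule:
    """One filter rule: its print index, comment, X flag and key=value properties."""
    index: int
    comment: str
    disabled: bool
    props: dict = field(default_factory=dict)


# A rule header looks like " 6 X ;;; comment"; flags between index and ;;; are optional.
HEADER = re.compile(r"^\s*(\d+)\s+((?:[XID]\s+)*);;;\s*(.*)$")
# key=value pairs; values are either a quoted string (possibly empty) or a bare token.
KV = re.compile(r'([\w-]+)=("[^"]*"|\S+)')
# Keys that never constrain a packet; everything else is a match condition.
NON_MATCH_KEYS = {"chain", "action", "log", "log-prefix", "jump-target"}


def parse_filter_print(text: str) -> list[Rule]:
    """Turn print output into Rule objects; continuation lines belong to the last header seen."""
    rules, current = [], None
    for line in text.splitlines():
        m = HEADER.match(line)
        if m:
            current = Rule(int(m.group(1)), m.group(3).strip(), "X" in m.group(2))
            rules.append(current)
        elif current is not None:
            for key, value in KV.findall(line):
                current.props[key] = value.strip('"')
    return rules


def has_match_conditions(rule: Rule) -> bool:
    """True if the rule narrows what it matches; an empty value such as connection-state="" does not."""
    return any(v != "" and k not in NON_MATCH_KEYS for k, v in rule.props.items())


def audit(rules: list[Rule]) -> list[tuple[int, str]]:
    """Return (rule index, finding) pairs for the three checks described in the lead-in."""
    findings = []
    terminated = set()  # chains that have already ended in an unconditional drop
    for r in rules:
        if r.disabled:
            continue  # X-flagged rules never match, so they neither help nor hurt
        action = r.props.get("action")
        state = r.props.get("connection-state", "")
        chain = r.props.get("chain")
        if chain in terminated:
            findings.append((r.index, f"unreachable: placed after an unconditional drop in chain {chain}"))
            continue
        if action == "accept" and state in ("established", "related") and "in-interface" in r.props:
            findings.append((r.index, f"{state} accept is limited to in-interface={r.props['in-interface']}; "
                             "reply packets arriving on other interfaces fall through to the chain's final drop"))
        if action == "drop" and state == "invalid" and "protocol" in r.props:
            findings.append((r.index, f"drop-invalid is limited to protocol={r.props['protocol']}; "
                             "invalid packets of other protocols are not caught by this rule"))
        if action == "drop" and not has_match_conditions(r):
            terminated.add(chain)
    return findings


if __name__ == "__main__":
    for index, text in audit(parse_filter_print(SAMPLE_PRINT)):
        print(f"rule {index}: {text}")
```

Running the script against the embedded sample reports rules 1, 2 and 12; to check a live router, paste the full `print` output into `SAMPLE_PRINT` or read it from a file. The parser relies only on the `N [flags] ;;; comment` header line and `key=value` continuation lines, so rules exported without a comment (no `;;;` header) would need the header pattern relaxed.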