globalmedia
just joined
Topic Author
Posts: 10
Joined: Mon Mar 20, 2023 11:09 pm

Firewall input drop all except LAN

Mon Mar 20, 2023 11:14 pm

I have enabled the defconf: drop all not coming from LAN rule in the firewall. Basically it is an input drop !LAN

After that I am getting a lot of these messages in the log:

OUT-OF-LAN input: in:ether1-pppoe-out1 out:(unknown 0), connection-state:new src-mac xx:xx:xx:xx:xx:xx, proto UDP, xxx.xxx.xxx.xxx:53->PPPOE-DYNAMIC-IP-ADDRESS:54398, len 144

I am trying to find an explanation for that. I see some topics in this forum related to a similar problem, but no solutions.

Do you have some idea about how to get it fixed?
 
BartoszP
Forum Guru
Posts: 2855
Joined: Mon Jun 16, 2014 1:13 pm
Location: Poland

Re: Firewall input drop all except LAN

Tue Mar 21, 2023 8:46 am

You want to fix scanning bots or other abusing devices sweeping all router ports to check if your device is vulnerable.
 
erlinden
Forum Guru
Posts: 1900
Joined: Wed Jun 12, 2013 1:59 pm
Location: Netherlands

Re: Firewall input drop all except LAN

Tue Mar 21, 2023 9:47 am

You can disable logging on this firewall rule.
 
anav
Forum Guru
Posts: 18958
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Firewall input drop all except LAN

Tue Mar 21, 2023 2:01 pm

First of all why do you use such a twisted rule??
defconf: drop all not coming from LAN rule in the firewall. Basically it is an input drop !LAN

Much better and clearer to simply say

accept all coming from LAN
drop all else


This leads to the logical next step, which you may not have noticed with the original default (designed for a simple flat network).

accept all coming from LAN but only with source address of ADMIN
accept all coming from LAN for ONLY required services, normally DNS and sometimes NTP
drop all else.


Because the whole LAN does not require full access to the router!! (input chain = to the router) better security practice!
 
globalmedia
just joined
Topic Author
Posts: 10
Joined: Mon Mar 20, 2023 11:09 pm

Re: Firewall input drop all except LAN

Tue Mar 21, 2023 10:48 pm

Dear,

I absolutely agree with you. But the comments came from the examples that I have used.
I will make necessary changes with your suggestions.
Accept all only from admin IPs.
Accept from all only 53 and 123 ports.

And I have observed the following... I am also getting a lot of ACK,PSH messages, and apparently all the messages went away when I added a new condition to the rule:

Now the rule is chain input !LAN !DSTNAT. Apparently all those messages are from connections from NAT.

Sincerely,
 
anav
Forum Guru
Posts: 18958
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Firewall input drop all except LAN

Wed Mar 22, 2023 2:07 am

It's simple for both chains
a few default rules
a few user rules
drop all


No need to get cute............

allow Admin to router
allow users to needed services
drop all else

allow subnets to WAN
**************
allow port forwarding
drop all else


**** any other needed traffic like to a shared printer for example.
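The rule structure described in the two posts above (admin hosts get the router, LAN users get only DNS/NTP, then drop; forward chain allows LAN to WAN and dst-nat'ed port forwards, then drop), written out as an added RouterOS 7 configuration example. This is not anav's or MikroTik's own config; it assumes interface lists named "LAN" and "WAN", an address list "ADMIN" for management hosts (placeholder address), and that the router is the LAN's DNS and NTP server.

```routeros
# Added example, not from the thread. Assumes interface lists "LAN"/"WAN"
# and an address list "ADMIN"; 192.168.88.10 is a placeholder admin host.
/ip firewall address-list
add list=ADMIN address=192.168.88.10 comment="admin workstation (placeholder)"

/ip firewall filter
# --- input chain: traffic TO the router ---
# "a few default rules": state rules sit first, so replies to the router's
# own DNS/NTP queries are accepted by the established rule and never reach
# the final drop (the OP's logged port-53 replies would otherwise land there)
add chain=input action=accept connection-state=established,related,untracked comment="defconf: accept established/related/untracked"
add chain=input action=drop connection-state=invalid comment="defconf: drop invalid"
add chain=input action=accept protocol=icmp comment="defconf: accept ICMP"
# "a few user rules": admin gets everything, other LAN hosts only services
add chain=input action=accept in-interface-list=LAN src-address-list=ADMIN comment="ADMIN hosts: full access to router"
add chain=input action=accept in-interface-list=LAN protocol=udp dst-port=53 comment="LAN users: DNS (router as resolver)"
add chain=input action=accept in-interface-list=LAN protocol=tcp dst-port=53 comment="LAN users: DNS over TCP"
add chain=input action=accept in-interface-list=LAN protocol=udp dst-port=123 comment="LAN users: NTP"
# "drop all": log=no so WAN port sweeps do not flood the log (erlinden's point)
add chain=input action=drop log=no comment="drop all else"

# --- forward chain: traffic THROUGH the router ---
add chain=forward action=accept connection-state=established,related,untracked comment="defconf: accept established/related/untracked"
add chain=forward action=drop connection-state=invalid comment="defconf: drop invalid"
add chain=forward action=accept in-interface-list=LAN out-interface-list=WAN comment="LAN subnets to WAN"
# "****" slot: add any other needed traffic (e.g. to a shared printer) here
add chain=forward action=accept connection-nat-state=dstnat in-interface-list=WAN comment="port forwarding: dst-nat'ed connections only"
add chain=forward action=drop comment="drop all else"
```

Rule order matters: RouterOS evaluates top to bottom and the first match wins, so the accept rules must precede the final drop and the ADMIN rule must precede the service rules it overrides.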
 
globalmedia
just joined
Topic Author
Posts: 10
Joined: Mon Mar 20, 2023 11:09 pm

Re: Firewall input drop all except LAN

Thu Mar 23, 2023 3:52 am

I got it. Thank you so much!
Mindset changes! :-D
 
anav
Forum Guru
Posts: 18958
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Firewall input drop all except LAN

Thu Mar 23, 2023 4:13 am

 
globalmedia
just joined
Topic Author
Posts: 10
Joined: Mon Mar 20, 2023 11:09 pm

Re: Firewall input drop all except LAN

Fri Mar 24, 2023 7:45 am

Recommended topic for all new MikroTik users.
