jibanes
newbie
Topic Author
Posts: 30
Joined: Sun Mar 25, 2012 8:13 am

Basic Firewall Question

Sat May 20, 2023 10:41 pm

Below is my router's configuration (running 7.9). I would like to have my linux box on 192.168.1.5 be able to ssh to 192.168.2.2.
As you see, the 192.168.1.0/24 and 192.168.2.0/24 networks are relatively isolated (see firewall rules 3 and 4), as 192.168.2.0/24 is reserved for wireless, aka the "guest network".
However, I can't reach 192.168.2.2 from 192.168.1.5 (the ssh just hangs); would you please help me understand why?
Alternatively, maybe I need a firewall NAT rule instead? If so, what would it look like?
If you can also provide some recommendations for the other rules, in terms of ordering and such, please don't hesitate to chime in. Many thanks for looking into this!
[admin@sea-rou-001] > /ip/address/print
Flags: D - DYNAMIC
Columns: ADDRESS, NETWORK, INTERFACE
#   ADDRESS            NETWORK       INTERFACE
0   192.168.1.1/24     192.168.1.0   ether2
1   192.168.2.1/24     192.168.2.0   ether3
2 D HIDDEN_PUBLIC_IP HIDDEN_PUBLIC_IP  ether1
[admin@sea-rou-001] > /ip/firewall/filter/print
Flags: X - disabled, I - invalid; D - dynamic
 0  D ;;; special dummy rule to show fasttrack counters
      chain=forward action=passthrough

 1    ;;; Necessary for the router to get ntp and upgrades.
      chain=input action=accept connection-state=established,related connection-mark="" log=no log-prefix=""

 2    chain=forward action=accept protocol=tcp src-address=192.168.1.5 dst-address=192.168.2.2 in-interface=ether3 out-interface=ether2 dst-port=22

 3    ;;; block all traffic from LAN to guest network
      chain=forward action=drop in-interface=ether3 out-interface=ether2 log=yes log-prefix="firewall"

 4    ;;; block all traffic from guest to LAN network
      chain=forward action=drop in-interface=ether2 out-interface=ether3 log=yes log-prefix="firewall"

 5    ;;; block all traffic from the internet to ether1
      chain=input action=drop in-interface=ether1 log=no log-prefix=""
 
mkx
Forum Guru
Posts: 11381
Joined: Thu Mar 03, 2016 10:23 pm

Re: Basic Firewall Question

Sat May 20, 2023 10:49 pm

Firewall rule #2 only allows "forward" packets, but not return packets. The default firewall filter ruleset has a rule which allows all kinds of return packets:
add action=accept chain=forward comment="defconf: accept established,related, untracked" \
    connection-state=established,related,untracked

and it is one of the top-most rules (for multiple reasons).

It's not really a smart move to ditch the default setup and then try to construct a proper firewall setup without really good knowledge of how firewall filter rules work.

Edit: fixed rule number I'm referring to in first sentence.
Last edited by mkx on Sat May 20, 2023 11:12 pm, edited 1 time in total.
 
anav
Forum Guru
Posts: 18958
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Basic Firewall Question

Sat May 20, 2023 10:57 pm

In other words, do not play the copy and paste crap from various places before understanding what the rules are actually doing.
 
jibanes
newbie
Topic Author
Posts: 30
Joined: Sun Mar 25, 2012 8:13 am

Re: Basic Firewall Question

Sat May 20, 2023 11:01 pm

Sorry, for clarity you are saying I should add this rule in position 1 or 2?
 
mkx
Forum Guru
Posts: 11381
Joined: Thu Mar 03, 2016 10:23 pm

Re: Basic Firewall Question

Sat May 20, 2023 11:11 pm

In your case it doesn't matter, because current rule #1 is for the input chain ... but it does add to readability if rules for one chain are not mixed with rules for other chains. For this reason, make the new rule number 2.
 
jibanes
newbie
Topic Author
Posts: 30
Joined: Sun Mar 25, 2012 8:13 am

Re: Basic Firewall Question

Sat May 20, 2023 11:12 pm

Thanks, I did, but it didn't solve my problem though...
 
jibanes
newbie
Topic Author
Posts: 30
Joined: Sun Mar 25, 2012 8:13 am

Re: Basic Firewall Question

Sun May 21, 2023 1:30 am

I have this now, but when I enable rule #4 it still doesn't work.
I think the problem is that the return traffic from 192.168.2.2 to 192.168.1.5 is blocked; how can I fix that?
Also, are rules 2 and 3 redundant?
Flags: X - disabled, I - invalid; D - dynamic 
 0  D ;;; special dummy rule to show fasttrack counters
      chain=forward action=passthrough 

 1    ;;; Drop Invalid connections
      chain=input action=drop connection-state=invalid 

 2    ;;; Allow Established/Related/Untracked connections
      chain=input action=accept connection-state=established,related,untracked 

 3    ;;; Necessary for the router to get ntp and upgrades.
      chain=input action=accept connection-state=established,related connection-mark="" log=no log-prefix="" 

 4 X  chain=forward action=accept connection-state=established,related protocol=tcp src-address=192.168.1.5 dst-address=192.168.2.2 in-interface=ether3 
      out-interface=ether2 dst-port=22 

 5    ;;; block all traffic from LAN to guest network
      chain=forward action=drop in-interface=ether3 out-interface=ether2 log=yes log-prefix="firewall" 

 6    ;;; block all traffic from guest to LAN network
      chain=forward action=drop in-interface=ether2 out-interface=ether3 log=yes log-prefix="firewall" 

 7    ;;; block all traffic from the internet to ether1
      chain=input action=drop in-interface=ether1 log=no log-prefix="" 
 
anav
Forum Guru
Posts: 18958
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Basic Firewall Question

Sun May 21, 2023 2:26 am

If you want comprehensive help, we don't like playing whack-a-mole.

Provide a network diagram and a full config:
/export file=anynameyouwish (minus router serial number and any public WANIP information)
 
jibanes
newbie
Topic Author
Posts: 30
Joined: Sun Mar 25, 2012 8:13 am

Re: Basic Firewall Question

Sun May 21, 2023 8:11 am

Diagram:
DSL modem -> sea-rou-001 (config below) ether1 interface
             sea-rou-001 ether2 -> connected to dumb switch network=192.168.1.0/24 "LAN" with desktops etc.
             sea-rou-001 ether3 -> connected to dumb switch network=192.168.2.0/24 guest wifi

The guest wifi network is considered hostile and insecure; someone may crack the wifi password and "get in" easily. It has multiple access points.
The "dumb switch"(es) are just SOHO switches with all interfaces bridged, no VLANs. The dumb switches are not connected to each other, naturally.
The firewall config is on sea-rou-001, which is shown below.

Thank you for looking.
# may/20/2023 22:02:43 by RouterOS 7.9
# software id = XXXX-XXXX
#
# model = CCR2004-16G-2S+
# serial number = XXXXXXXX
/interface ethernet set [ find default-name=ether1 ] mac-address=00:0C:42:XX:XX:XX
/interface list add name=WAN
/interface list add name=LAN
/interface wireless security-profiles set [ find default=yes ] supplicant-identity=MikroTik
/ip dhcp-server add interface=ether2 lease-time=1h name=dhcp-server
/ip dhcp-server option add code=17 name=ripley-root-path value="'192.168.1.201:/vol/vol1/diskless/root/ripley'"
/ip dhcp-server option add code=67 name=ripley-boot-filename value="'ripley/pxelinux.0'"
/ip dhcp-server option add code=66 name=tftp-server-name value="'192.168.1.201'"
/ip dhcp-server option sets add name=ripley options=ripley-boot-filename,ripley-root-path,tftp-server-name
/port set 0 name=serial0
/port set 1 name=serial1
/system logging action set 3 remote=192.168.1.5
/interface list member add interface=ether1 list=WAN
/interface list member add list=LAN
/ip address add address=192.168.1.1/24 interface=ether2 network=192.168.1.0
/ip address add address=192.168.2.1/24 interface=ether3 network=192.168.2.0
/ip dhcp-client add interface=ether1
/ip dhcp-server lease add address=192.168.1.4 comment=ripley dhcp-option-set=ripley mac-address=FC:4D:D4:XX:XX:XX server=dhcp-server
/ip dhcp-server network add address=192.168.1.0/24 dns-server=1.1.1.1 domain=XXX.com gateway=192.168.1.1 netmask=32 next-server=192.168.1.201
/ip dns set allow-remote-requests=yes cache-max-ttl=1d servers=192.168.1.1
/ip firewall filter add action=drop chain=input comment="Drop Invalid connections" connection-state=invalid
/ip firewall filter add action=accept chain=input comment="Allow Established/Related/Untracked connections" connection-state=established,related,untracked
/ip firewall filter add action=accept chain=input comment="Necessary for the router to get ntp and upgrades." connection-mark="" connection-state=established,related
/ip firewall filter add action=accept chain=forward disabled=yes dst-address=192.168.2.2 dst-port=22 in-interface=ether2 out-interface=ether3 protocol=tcp src-address=192.168.1.5
/ip firewall filter add action=accept chain=forward disabled=yes dst-address=192.168.1.5 in-interface=ether3 out-interface=ether2 protocol=tcp src-address=192.168.2.2 src-port=22
/ip firewall filter add action=drop chain=forward comment="block all traffic from LAN to guest network" in-interface=ether3 log=yes log-prefix=firewall out-interface=ether2
/ip firewall filter add action=drop chain=forward comment="block all traffic from guest to LAN network" in-interface=ether2 log=yes log-prefix=firewall out-interface=ether3
/ip firewall filter add action=drop chain=input comment="block all traffic from the internet to ether1" in-interface=ether1
/ip firewall nat add action=dst-nat chain=dstnat dst-port=8090 in-interface=ether1 protocol=tcp src-address=XX.XX.XX.XX to-addresses=192.168.1.XXX to-ports=XXXX
/ip firewall nat add action=masquerade chain=srcnat out-interface=ether1 out-interface-list=WAN
/system clock set time-zone-name=America/Los_Angeles
/system identity set name=sea-rou-001
/system logging set 0 action=remote
/system logging set 1 action=remote
/system logging set 2 action=remote
/system logging set 3 action=remote
/system note set show-at-login=no
/system ntp client set enabled=yes
/system ntp client servers add address=time.nist.gov
 
mkx
Forum Guru
Posts: 11381
Joined: Thu Mar 03, 2016 10:23 pm

Re: Basic Firewall Question

Sun May 21, 2023 9:11 am

> I have this now, but when I enable rule #4 it still doesn't work.

Of course it doesn't work ... the rule you added is for chain=input while the blocking one is for chain=forward, which indicates that you don't understand the role of chains ...

Really: if you are ready to ditch the (good) default firewall config and construct an entirely new one (as opposed to keeping the default one and doing minor changes), then you'll have to dive into the (very deep) cave of learning MikroTik firewall concepts ...
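To make the two points in this thread concrete (a forward-chain accept that only covers the first packet, and a state rule that ends up in the wrong chain), here is an added example that is not RouterOS code and not from any of the thread's participants: a small stateful filter that replays the poster's forward-chain rules. It assumes RouterOS filter semantics (first matching rule wins, an unmatched packet is accepted) and a simplified conntrack in which a flow only becomes "established" once its first packet has actually been accepted. The port numbers and the guest host 192.168.2.9 are constructed for the example. It also surfaces something visible in the first post: per /ip/address/print, 192.168.1.5 sits behind ether2, so the original rule 2 (in-interface=ether3 out-interface=ether2) never matches the SSH SYN at all; the export's disabled rule has the interfaces the right way round, but without mkx's defconf rule in the forward chain the SYN-ACK is still dropped.

```python
# Added example, not RouterOS code: a toy stateful packet filter that replays
# the thread's forward-chain rules. Assumptions: first matching rule wins, an
# unmatched packet is accepted, and a flow is "established" only after its first
# packet was accepted (mirroring conntrack confirmation).
from dataclasses import dataclass

LAN_IF, GUEST_IF = "ether2", "ether3"       # from /ip/address/print in the thread
SUBNET_IF = {"192.168.1.": LAN_IF, "192.168.2.": GUEST_IF}

def iface_for(ip):
    """Router interface a host sits behind, per the thread's addressing."""
    for prefix, iface in SUBNET_IF.items():
        if ip.startswith(prefix):
            return iface
    raise ValueError(f"no interface for {ip}")

@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    sport: int
    dport: int
    proto: str = "tcp"

class ConnTracker:
    """Minimal conntrack: a flow seen in either direction counts as established."""
    def __init__(self):
        self.flows = set()
    def state(self, p):
        fwd = (p.proto, p.src, p.sport, p.dst, p.dport)
        rev = (p.proto, p.dst, p.dport, p.src, p.sport)
        return "established" if fwd in self.flows or rev in self.flows else "new"
    def confirm(self, p):
        self.flows.add((p.proto, p.src, p.sport, p.dst, p.dport))

def matches(rule, p, state):
    """Every matcher present in the rule must hold; absent matchers are wildcards."""
    checks = {
        "connection-state": lambda v: state in v.split(","),
        "protocol":      lambda v: p.proto == v,
        "src-address":   lambda v: p.src == v,
        "dst-address":   lambda v: p.dst == v,
        "in-interface":  lambda v: iface_for(p.src) == v,
        "out-interface": lambda v: iface_for(p.dst) == v,
        "dst-port":      lambda v: p.dport == int(v),
    }
    return all(checks[k](v) for k, v in rule.items() if k in checks)

def forward_chain(rules, packets):
    """Run packets through the forward chain in order; return one verdict per packet."""
    ct = ConnTracker()
    verdicts = []
    for p in packets:
        verdict = "accept"                       # RouterOS: no match means accept
        for rule in rules:
            if matches(rule, p, ct.state(p)):
                verdict = rule["action"]
                break
        if verdict == "accept":
            ct.confirm(p)
        verdicts.append(verdict)
    return verdicts

# Constructed traffic: the wanted SSH handshake, then a guest host probing the LAN box.
SSH_SYN     = Packet("192.168.1.5", "192.168.2.2", 51000, 22)
SSH_SYN_ACK = Packet("192.168.2.2", "192.168.1.5", 22, 51000)
GUEST_PROBE = Packet("192.168.2.9", "192.168.1.5", 40000, 445)

# The thread's two drop rules (their comments are swapped relative to the
# interfaces: in=ether3/out=ether2 is guest->LAN, in=ether2/out=ether3 is LAN->guest).
DROP_GUEST_TO_LAN = {"action": "drop", "in-interface": GUEST_IF, "out-interface": LAN_IF}
DROP_LAN_TO_GUEST = {"action": "drop", "in-interface": LAN_IF, "out-interface": GUEST_IF}
SSH_ACCEPT = {"action": "accept", "protocol": "tcp", "src-address": "192.168.1.5",
              "dst-address": "192.168.2.2", "dst-port": "22"}

# 1) First post: the accept rule names ether3 in / ether2 out, so even the SYN misses it.
ORIGINAL = [dict(SSH_ACCEPT, **{"in-interface": GUEST_IF, "out-interface": LAN_IF}),
            DROP_GUEST_TO_LAN, DROP_LAN_TO_GUEST]
# 2) The export's (disabled) rule with interfaces corrected: SYN passes, SYN-ACK is dropped.
INTERFACES_FIXED = [dict(SSH_ACCEPT, **{"in-interface": LAN_IF, "out-interface": GUEST_IF}),
                    DROP_GUEST_TO_LAN, DROP_LAN_TO_GUEST]
# 3) mkx's defconf rule at the top of the *forward* chain (an input-chain copy would not help).
WITH_STATE_RULE = [{"action": "accept", "connection-state": "established,related,untracked"}
                   ] + INTERFACES_FIXED

def ssh_works(rules):
    """True when both halves of the SSH handshake are forwarded."""
    return forward_chain(rules, [SSH_SYN, SSH_SYN_ACK]) == ["accept", "accept"]

def guest_still_isolated(rules):
    """True when a new guest->LAN connection attempt is dropped."""
    return forward_chain(rules, [GUEST_PROBE]) == ["drop"]

if __name__ == "__main__":
    for name, rules in [("original", ORIGINAL), ("interfaces fixed", INTERFACES_FIXED),
                        ("with state rule", WITH_STATE_RULE)]:
        print(f"{name:16s} ssh works={ssh_works(rules)} guest isolated={guest_still_isolated(rules)}")
```

Running it shows the three stages: the original ruleset drops the SYN, the interface-corrected rule accepts the SYN but drops the SYN-ACK, and only the ruleset with the established/related accept ahead of the drop rules completes the handshake, while a new guest-originated connection to the LAN host is still dropped in all three cases.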
 
anav
Forum Guru
Posts: 18958
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Basic Firewall Question

Sun May 21, 2023 4:05 pm

 
jibanes
newbie
Topic Author
Posts: 30
Joined: Sun Mar 25, 2012 8:13 am

Re: Basic Firewall Question

Sun May 21, 2023 7:22 pm

Thank you, I will read the link you have provided. My concern is that I'm very far from the router itself, and if I lose connectivity it would be disastrous; is there a way to try a configuration only for a few minutes (as is the case on JunOS)?
 
Buckeye
Forum Veteran
Posts: 883
Joined: Tue Sep 11, 2018 2:03 am
Location: Ohio, USA

Re: Basic Firewall Question

Sun May 21, 2023 10:14 pm

There is nothing like Juniper commit confirmed (or Vyatta commit-confirm) built in, if that is what you are referring to.

Here's an outline of a workaround by @rextended here, with a possible implementation by @lukastribus here.
 
mkx
Forum Guru
Posts: 11381
Joined: Thu Mar 03, 2016 10:23 pm

Re: Basic Firewall Question

Sun May 21, 2023 11:12 pm

Another possibility: safe mode. If management connection drops while safe mode is enabled, then all changes since enabling safe mode are reverted.

Edit: now I notice that the posts linked from the post above also mention safe mode ...
