Community discussions

MikroTik App
  4. RouterOS
  5. Beginner Basics

Firewall Questions regarding DMZ zone / LAN

Locked
 
Peque
newbie
Topic Author
Posts: 45
Joined: Mon Oct 26, 2015 9:35 am

Firewall Questions regarding DMZ zone / LAN

Fri Jan 15, 2016 8:25 pm

Hello.
I've have my little network like this setup on a CCR1009-8G-1S-1S+

LAN 172.16.0.0/24 - bridged on ether1,2,3,4 + SPF+
DMZ 172.16.10.0/24 - created on Ether7
WAN static IP - created on Ether8.

I would like to allow traffic from LAN to DMZ but noit from DMZ to LAN.
As it is now without any rules applied - I can ping from Lan to DMZ and Backwards. Allso do https request from DMZ to LAN etc.
But how do I allow this - so that my DMZ zone on Ether7 will not be able to gain access to LAN computers if the DMZ PC get hacked the right way

THanks in advance
Per
Top
 
User avatar
ZeroByte
Forum Guru
Forum Guru
Posts: 4047
Joined: Wed May 11, 2011 6:08 pm

Re: Firewall Questions regarding DMZ zone / LAN

Fri Jan 15, 2016 9:40 pm

I would like to allow traffic from LAN to DMZ but noit from DMZ to LAN.
In your firewall filter forward chain, have a rule set like this:

action=accept connection-state=established,related comment="allow existing connections"
action=accept out-interface=wan comment="allow internet access"
action=accept in-interface=lan comment="allow LAN to anywhere"
action=accept protocol=tcp dst-port=80,443 dst-address=172.16.10.80 comment=webserver
action=accept protocol=udp dst-port=53 dst-address=172.16.10.53 comment="dns server"
action=accept protocol=tcp dst-port=25 in-interface=dmz dst-address=172.16.0.10 comment="allow smtp to lan exchange server"
action=drop comment="default policy is deny"

of course the two server rules are just examples, but this is where in the chain you should place the ports that you want to allow to reach the servers. Use the servers' inside IP addresses here.

I also included an example where you can allow certain exceptions of DMZ -> LAN because you may have another internal server that shouldn't be open to the Internet at all, but that the DMZ hosts should be able to reach for some reason.

Note that most of these rules don't use any IP addresses at all. It's clean and efficient to use interfaces where possible.
Top
 
Peque
newbie
Topic Author
Posts: 45
Joined: Mon Oct 26, 2015 9:35 am

Re: Firewall Questions regarding DMZ zone / LAN

Sat Jan 16, 2016 11:33 am

Thanks Zerobyte.

That explained it for me, allthough I managed to block With dropping all new connections from Sourceaddress 172.16.10.0/24 to Out interface LAN. Allthough I should have any rules accessing thay should be placed before this rules.

But your example did the explaination fine - Thanks
Top
Locked
  4. RouterOS
  5. Beginner Basics