slv
Frequent Visitor
Topic Author
Posts: 57
Joined: Mon Jun 17, 2013 8:54 pm

some help with filter rules needed

Mon Mar 07, 2016 3:59 pm

Hello

I'm trying to build my firewall. I found some rules on the internet (on the excellent Greg site). I'm using 6.34.2 code.

My router config
- 4 LAN interfaces
- 1 WAN interface with 4 IPs (every network must have a dedicated IP for NAT). The IP with the management service (winbox) is x.y.z.170/26.
- every LAN must be separated from each other
- my router has DHCP for every LAN
- my router is a DNS proxy for every LAN

My firewall looks like:
/ip firewall address-list
add address=0.0.0.0/8 comment="Self-Identification [RFC 3330]" disabled=no list=bogons
add address=10.0.0.0/8 comment="Private[RFC 1918] - CLASS A # Check if you need this subnet before enable it" disabled=no list=bogons
add address=127.0.0.0/16 comment="Loopback [RFC 3330]" disabled=no list=bogons
add address=169.254.0.0/16 comment="Link Local [RFC 3330]" disabled=no list=bogons
add address=172.16.0.0/12 comment="Private[RFC 1918] - CLASS B # Check if you need this subnet before enable it" disabled=no list=bogons
#add address=192.168.0.0/16 comment="Private[RFC 1918] - CLASS C # Check if you need this subnet before enable it" disabled=yes list=bogons
add address=192.0.2.0/24 comment="Reserved - IANA - TestNet1" disabled=no list=bogons
add address=192.88.99.0/24 comment="6to4 Relay Anycast [RFC 3068]" disabled=no list=bogons
add address=198.18.0.0/15 comment="NIDB Testing" disabled=no list=bogons
add address=198.51.100.0/24 comment="Reserved - IANA - TestNet2" disabled=no list=bogons
add address=203.0.113.0/24 comment="Reserved - IANA - TestNet3" disabled=no list=bogons
add address=224.0.0.0/4 comment="MC, Class D, IANA # Check if you need this subnet before enable it" disabled=no list=bogons




/ ip firewall filter 
add chain=input connection-state=invalid action=drop comment="Drop Invalid connections"  
add chain=input connection-state=established action=accept comment="Allow Established connections"  
add chain=input protocol=udp action=accept comment="Allow UDP"  
add chain=input protocol=icmp action=accept comment="Allow ICMP" 
add chain=input src-address=192.168.180.0/24 action=accept comment="Allow access to router from known network" 
add chain=input src-address=192.168.190.0/24 action=accept comment="Allow access to router from known network" 
add chain=input src-address=192.168.220.0/24 action=accept comment="Allow access to router from known network" 
add chain=input src-address=192.168.250.0/24 action=accept comment="Allow access to router from known network" 
add chain=input src-address=x.y.z.128/26 action=accept comment="Allow access to router from known network" 
add chain=input action=drop comment="Drop anything else"  

/ip firewall filter
add chain=forward comment="Accept traffic from VLAN subnets to WAN" out-interface=WAN
add action=reject chain=forward comment="Block communication between all vlan subnet" reject-with=icmp-net-prohibited src-address=192.168.0.1-192.168.255.255

/ip firewall nat
add chain=srcnat action=masquerade src-address=192.168.180.0/24 out-interface=WAN
add chain=srcnat action=masquerade src-address=192.168.190.0/24 out-interface=WAN
add chain=srcnat action=masquerade src-address=192.168.220.0/24 out-interface=WAN
add chain=srcnat action=masquerade src-address=192.168.250.0/24 out-interface=WAN


/ip firewall filter
add action=drop chain=forward comment="Drop to bogon list" disabled=no dst-address-list=bogons
add chain=forward protocol=tcp connection-state=invalid action=drop comment="drop invalid connections"  
add chain=forward connection-state=established action=accept comment="allow already established connections"  
add chain=forward connection-state=related action=accept comment="allow related connections" 
and
/tool
mac-server set [find] disabled=yes
mac-server mac-winbox set [find] disabled=yes
mac-server ping set enabled=no
romon set enabled=no

/ip settings set rp-filter=strict

/ip service disable 0,1,2,4,5,7
/tool bandwidth-server set enabled=no
/ip dns set allow-remote-requests=no
/ip socks set enabled=no

My problems are:
1. these rules don't limit access to port 53 from the internet - why? I'd like to limit access from the internet to the dedicated IP on port 8192 only.
2. I can ping from 192.168.250.253 to 192.168.190.1 - this should be prohibited
3. I see on the Connection tab, from time to time, connections from every interface to 255.255.255.255:5678 - this should be allowed
4. winbox from 192.168.250.253 sees my Mikrotik router - in my opinion discovery is disabled...

I'm new to the Mikrotik world, please help me with the firewall rules. I'm counting on you and I hope that someone will help me correct it.

With regards
Slawek
 
ZeroByte
Forum Guru
Posts: 4047
Joined: Wed May 11, 2011 6:08 pm

Re: some help with filter rules needed

Mon Mar 07, 2016 5:47 pm

My problems are:
1. these rules don't limit access to port 53 from the internet - why? I'd like to limit access from the internet to the dedicated IP on port 8192 only.
2. I can ping from 192.168.250.253 to 192.168.190.1 - this should be prohibited
3. I see on the Connection tab, from time to time, connections from every interface to 255.255.255.255:5678 - this should be allowed
4. winbox from 192.168.250.253 sees my Mikrotik router - in my opinion discovery is disabled...
1: This rule is the reason DNS is allowed:
add chain=input protocol=udp action=accept comment="Allow UDP"  
I'm not sure why you (or the firewall recipe you're following) would want to do this. I would remove this rule - it's completely unnecessary because you're explicitly allowing your "known network segments" via the source IP address immediately afterwards in the input chain, so there's no need to do this here - this allows the entire Internet to talk to your Mikrotik on UDP-based services (including DNS).

2: This answer is long, I'll get to this later.
3: This is Neighbor discovery. You can disable neighbor discovery: /ip neighbor discovery set [ find ] discover=no
4: No, you disabled the service, but the Mikrotik is still sending discovery packets, so that's why you still see it. Your attempts to connect to it via MAC address should still fail. I notice that you left winbox IP-based service running (your ip service disable command skips #6 which is winbox)

Ok - the firewall filter. The short answer is that your forward filter chain allows everything that's not a TCP invalid. There's no default drop policy. You will need to at least allow out-interface=WAN before your drop rule, or else everything will break.
/ip firewall filter
add chain=forward out-interface=WAN action=accept
add chain=forward action=drop
This will block all lan-to-lan connections as well, so if you want all of your LANs to be isolated from each other, then this is enough.
If you want to allow all lans to access a particular lan, then you could add one more rule before the drop rule but after the out-interface=WAN rule:
add chain=forward dst-address=192.168.x.0/24 action=accept
(where x is the third octet of your "open" network)
You may also want to put an explicit drop rule for in-interface=WAN in your forward chain just before any "allow" rules, just so the WAN is not able to sneak in some LAN access.

On the other hand, if you want to make just one LAN an "internet only" LAN, but allow all others to talk to each other, it is more efficient (both in logic and in number of rules) to simply block this one LAN and allow the rest - I'd add these to the firewall forward chain instead of the above:
/ip firewall filter
add chain=forward out-interface=WAN action=accept
add chain=forward in-interface=WAN action=drop
add chain=forward src-address=192.168.250.0/24 action=drop
add chain=forward action=accept
(I assume from your questions that 250.x is intended to be limited in permissions)

One last note - even when you block LAN-to-LAN connections in the forward chain, you're still going to be able to ping the Mikrotik's own IP in the other subnet range - but this is because such packets don't go through the forward chain, but the input chain. Even if 192.168.250.254 is pinging 192.168.190.1 - this is still INPUT, not FORWARD. This doesn't really have much impact on your router's security because if you block certain services on a certain interface, then they're going to be blocked no matter which particular interface IP you're trying to reach. (you really ought to consider using interface-name-based rules instead of IP address based rules - it's just easier IMO and more flexible because you can change IP addresses later and not need to change the rules)
 
slv
Frequent Visitor
Topic Author
Posts: 57
Joined: Mon Jun 17, 2013 8:54 pm

Re: some help with filter rules needed

Mon Mar 07, 2016 11:27 pm

Hi ZeroByte

Ad1. Corrected
Ad3. Disabled
Ad4. My intention (that I left winbox active) is to use winbox for administrating purposes.
I added rules according to your advice. Until Wednesday I'm without direct access to the LANs behind that router, so I can't verify the configuration.

Each of my LANs must be as separated as possible, so I hope that
/ip firewall filter
add chain=forward out-interface=WAN action=accept
add chain=forward action=drop

does that. Sorry that I didn't explain it well enough.
I know that I should be using interface-name-based rules instead of IP - that's what I try to do ... but for this example it is sometimes easier to show the problem this way.

Thank you so much for your time and the precise answers to my problems. I learned a lot.

On Wednesday I will test everything and post the corrected rules here; maybe that example will help someone else.

One last question for tonight ;)
On which interface is the management service (winbox) listening? How do I set it to WAN only?
I wouldn't allow connecting to it from my LANs.



With regards
Slawek
 
ZeroByte
Forum Guru
Posts: 4047
Joined: Wed May 11, 2011 6:08 pm

Re: some help with filter rules needed

Tue Mar 08, 2016 12:57 am

To limit winbox to the WAN interface only:
/ip firewall filter
add chain=input protocol=tcp dst-port=8291 in-interface=WAN action=accept
add chain=input protocol=tcp dst-port=8291 action=drop
 
slv
Frequent Visitor
Topic Author
Posts: 57
Joined: Mon Jun 17, 2013 8:54 pm

Re: some help with filter rules needed

Wed Mar 09, 2016 1:13 pm

Hello ZeroByte

My rules now look like:
/ ip firewall filter 
add chain=input connection-state=invalid action=drop comment="Drop Invalid connections"  
add chain=input connection-state=established action=accept comment="Allow Established connections"  
add chain=input protocol=icmp action=accept comment="Allow ICMP" 
add chain=input src-address=192.168.180.0/24 action=accept comment="Allow access to router from known network" 
add chain=input src-address=192.168.190.0/24 action=accept comment="Allow access to router from known network" 
add chain=input src-address=192.168.220.0/24 action=accept comment="Allow access to router from known network" 
add chain=input src-address=192.168.250.0/24 action=accept comment="Allow access to router from known network" 
add chain=input src-address=x.y.z.128/26 protocol=tcp dst-port=8291 in-interface=WAN action=accept
add chain=input protocol=tcp dst-port=8291 action=drop
add chain=input action=drop comment="Drop anything else"


/ip firewall filter
add action=drop chain=forward comment="Drop to bogon list" disabled=no dst-address-list=bogons
add chain=forward protocol=tcp connection-state=invalid action=drop comment="drop invalid connections"
add chain=forward in-interface=WAN action=drop  
add chain=forward connection-state=established action=accept comment="allow already established connections"  
add chain=forward connection-state=related action=accept comment="allow related connections" 
add chain=forward out-interface=WAN action=accept
add chain=forward action=drop

/ip firewall nat
add chain=srcnat out-interface=WAN src-address=192.168.180.0/24 action=src-nat to-address=x.y.z.171 disabled=no
add chain=srcnat out-interface=WAN src-address=192.168.190.0/24 action=src-nat to-address=x.y.z.172 disabled=no
add chain=srcnat out-interface=WAN src-address=192.168.220.0/24 action=src-nat to-address=x.y.z.173 disabled=no
add chain=srcnat out-interface=WAN src-address=192.168.250.0/24 action=src-nat to-address=x.y.z.174 disabled=no


/queue type add name="PCQ_download" kind=pcq pcq-rate=0 pcq-classifier=dst-address
/queue type add name="PCQ_upload" kind=pcq pcq-rate=0 pcq-classifier=src-address
/queue simple add queue=PCQ_upload/PCQ_download target-addresses=LAN_1
/queue simple add queue=PCQ_upload/PCQ_download target-addresses=LAN_2
/queue simple add queue=PCQ_upload/PCQ_download target-addresses=LAN_3
/queue simple add queue=PCQ_upload/PCQ_download target-addresses=LAN_4

/ip neighbor discovery set [ find ] discover=no

I ran into new problems:
- laptop 192.168.250.244 can't ping the internet (in my opinion it's an SNAT problem - but what's wrong with these rules?). I tried to add the source interface, but it doesn't help. Of course the IPs x.y.z.171 etc. are assigned to the WAN interface.
- laptop 192.168.250.244 can access x.y.z.171:8291. I modified your example a bit; now my rule is:
add chain=input src-address=x.y.z.128/26 protocol=tcp dst-port=8291 in-interface=WAN action=accept
I don't understand why ... SNAT isn't working, so that isn't the path. In my opinion I need a rule like
add chain=input src-address=192.168.0.0/16 protocol=tcp dst-port=8291 action=drop
before the rule that allows access from x.y.z.128/26 - am I right? I'm scared that I still don't understand Mikrotik packet flow :(

Neighbor discovery is disabled - OK
I added 3 rules for PCQ. I'd like to have QoS on every LAN (1-4) and share my connection among all LAN IPs.
I can't test it now because SNAT isn't working.

Regards
Slawek
 
ZeroByte
Forum Guru
Posts: 4047
Joined: Wed May 11, 2011 6:08 pm

Re: some help with filter rules needed

Wed Mar 09, 2016 4:36 pm

Change this:
add chain=forward in-interface=WAN action=drop  
add chain=forward connection-state=established action=accept comment="allow already established connections"  
add chain=forward connection-state=related action=accept comment="allow related connections" 
To this:
add chain=forward connection-state=established,related action=accept comment="allow already established connections"  
add chain=forward in-interface=WAN action=drop
 
ZeroByte
Forum Guru
Posts: 4047
Joined: Wed May 11, 2011 6:08 pm

Re: some help with filter rules needed

Wed Mar 09, 2016 5:16 pm

If you want to ONLY allow winbox from the WAN interface, then move the two winbox port rules above the private IP "known source" rules.
 
slv
Frequent Visitor
Topic Author
Posts: 57
Joined: Mon Jun 17, 2013 8:54 pm

Re: some help with filter rules needed

Thu Mar 10, 2016 11:53 am

Hello ZeroByte

Thank you, as usual your advice is 100% perfect.

I moved the two winbox port rules and access to the router is limited to the WAN IP.
According to:
add chain=input src-address=x.y.z.128/26 protocol=tcp dst-port=8291 in-interface=WAN action=accept
Every connection from x.y.z.128/26 should be OK. So my laptop 192.168.250.253, SNATed to x.y.z.173 (covered by the /26), in my opinion should be able to connect to it - but it doesn't - why?

I've tried to put
add chain=input src-address=192.168.250.253 protocol=tcp dst-port=8291 in-interface=WAN action=accept
- I know that's silly
or

add chain=input src-address=x.y.z.173 protocol=tcp dst-port=8291 in-interface=WAN action=accept
So the question is - how to allow access to this router from one particular IP in the LAN?

Could you advise me how to monitor (or limit) and log the number of sessions generated by IPs from the LAN?

In your opinion, what else is necessary to configure in the firewall to handle everyday problems for a small system?


Regards
Slawek
 
slv
Frequent Visitor
Topic Author
Posts: 57
Joined: Mon Jun 17, 2013 8:54 pm

Re: some help with filter rules needed

Thu Mar 17, 2016 3:43 pm

Bump .... Please respond to this post.
 
ZeroByte
Forum Guru
Posts: 4047
Joined: Wed May 11, 2011 6:08 pm

Re: some help with filter rules needed

Thu Mar 17, 2016 4:07 pm

Every connection from x.y.z.128/26 should be OK. So my laptop 192.168.250.253, SNATed to x.y.z.173 (covered by the /26), in my opinion should be able to connect to it - but it doesn't - why?
Two reasons:
First, snat happens as one of the last steps in the packet handling process - even after the postrouting mangle chain - only hotspot out and queues remain to be considered. In other words, the actual source IP address is what the firewall is going to see. In fact, when forwarding pinholes, the forward chain happens after dstnat - so in general, with RouterOS filters you should always use the "real" addresses, both inside and outside, and not anything you're mapping to with NAT....

Okay - so your input filter rule should allow source address 192.168.250.253

Now reason two:
Even though you're accessing the Mikrotik's WAN IP from Winbox, the packet isn't entering the Mikrotik through the WAN interface - it's entering through the LAN interface - so you need another rule to allow this type of access - or else you need to modify your rule to use only IP addresses and not interfaces - at least for Winbox packets.

I suggest just adding one more rule to the input chain:
add chain=input src-address=192.168.250.253 protocol=tcp dst-port=8291 action=accept

A computer connected to this (192.168.220.0/24) network (that has the gateway changed to .254) couldn't ping any host except its gateway. Why?
This is a bit ambiguous - do you mean that it can ping the gateway, but cannot reach the Internet? or do you mean that it can ping the gateway, but nothing else works at all, or do you mean that it can ping the gateway and reach the Internet, but it cannot reach other hosts in the same network?

I'm going to assume option 3 - ping gateway=ok, internet=ok, host-to-host inside LAN = fail.....

This would be a case of "client isolation" being activated - are these wifi hosts or ethernet hosts? If wifi, then enable the "Default Forward" option in the wlan interface configuration.

Anyway, one other thing I noticed in your example is that the IP address 220.254 is set to an interface=Kolegium , but all of the DHCP configurations and the "/ip route print" show the network as being on an interface LAN2....
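The ordering and packet-flow points made in this thread (the "Allow UDP" rule admitting DNS from anywhere, moving the two winbox rules above the known-network accepts, and the input filter seeing the real pre-NAT source and the real ingress interface) can be checked with a small first-match model of the input chain. This is an added illustration written for this thread, not RouterOS code or anything posted by the participants; x.y.z.128/26 is replaced by the constructed stand-in 198.51.100.128/26, and 192.0.2.10 stands in for an arbitrary Internet host.

```python
from ipaddress import ip_address, ip_network

# Constructed stand-ins (not from the thread): the poster's WAN /26 is written
# x.y.z.128/26, so TEST-NET-2 plays that role here; TEST-NET-1 is "the Internet".
WAN_MGMT_NET = "198.51.100.128/26"   # stands in for x.y.z.128/26
INTERNET_HOST = "192.0.2.10"         # an arbitrary outside address

def matches(rule, pkt):
    """True when every matcher present in the rule agrees with the packet."""
    if "src" in rule and ip_address(pkt["src"]) not in ip_network(rule["src"]):
        return False
    return all(rule[k] == pkt.get(k) for k in ("proto", "dport", "in_if") if k in rule)

def verdict(chain, pkt):
    """Walk the chain top-down; the first matching rule decides.
    RouterOS has no default-drop policy, so a packet matching nothing is accepted,
    which is why every chain in the thread ends with an explicit drop rule."""
    for rule in chain:
        if matches(rule, pkt):
            return rule["action"], rule["comment"]
    return "accept", "fell off the end of the chain"

# Rules as they appear in the thread (comments shortened); their position matters.
ALLOW_UDP = {"proto": "udp", "action": "accept", "comment": "Allow UDP"}
KNOWN_LANS = [{"src": n, "action": "accept", "comment": "known network"}
              for n in ("192.168.180.0/24", "192.168.190.0/24",
                        "192.168.220.0/24", "192.168.250.0/24")]
WINBOX_WAN = {"src": WAN_MGMT_NET, "proto": "tcp", "dport": 8291, "in_if": "WAN",
              "action": "accept", "comment": "winbox from WAN management net"}
WINBOX_DROP = {"proto": "tcp", "dport": 8291, "action": "drop", "comment": "drop other winbox"}
WINBOX_LAPTOP = {"src": "192.168.250.253", "proto": "tcp", "dport": 8291,
                 "action": "accept", "comment": "one-host exception (Mar 17 advice)"}
DROP_REST = {"action": "drop", "comment": "Drop anything else"}

# First post: UDP is accepted before any rule looks at the source address.
FIRST_POST = [ALLOW_UDP, *KNOWN_LANS, DROP_REST]
# Mar 09 post: winbox rules placed *after* the known-network accepts.
MAR09_ORDER = [*KNOWN_LANS, WINBOX_WAN, WINBOX_DROP, DROP_REST]
# ZeroByte's fix: winbox rules moved above the known-network accepts.
ZEROBYTE_ORDER = [WINBOX_WAN, WINBOX_DROP, *KNOWN_LANS, DROP_REST]
# ...plus the single-host exception, which must sit before the winbox drop.
WITH_LAPTOP = [WINBOX_WAN, WINBOX_LAPTOP, WINBOX_DROP, *KNOWN_LANS, DROP_REST]

# Packets as the filter really sees them: real source address and real ingress
# interface. The laptop is src-nat'ed to x.y.z.173 only after filtering, so the
# translated address never appears in the input chain.
DNS_FROM_INTERNET = {"src": INTERNET_HOST, "proto": "udp", "dport": 53, "in_if": "WAN"}
WINBOX_FROM_LAPTOP = {"src": "192.168.250.253", "proto": "tcp", "dport": 8291, "in_if": "LAN3"}
WINBOX_FROM_INTERNET = {"src": INTERNET_HOST, "proto": "tcp", "dport": 8291, "in_if": "WAN"}
WINBOX_FROM_MGMT = {"src": "198.51.100.140", "proto": "tcp", "dport": 8291, "in_if": "WAN"}

if __name__ == "__main__":
    for name, chain, pkt in [
        ("first post, DNS from Internet", FIRST_POST, DNS_FROM_INTERNET),
        ("Mar 09 order, laptop -> winbox", MAR09_ORDER, WINBOX_FROM_LAPTOP),
        ("ZeroByte order, laptop -> winbox", ZEROBYTE_ORDER, WINBOX_FROM_LAPTOP),
        ("with laptop rule, laptop -> winbox", WITH_LAPTOP, WINBOX_FROM_LAPTOP),
        ("ZeroByte order, Internet -> winbox", ZEROBYTE_ORDER, WINBOX_FROM_INTERNET),
        ("ZeroByte order, mgmt /26 -> winbox", ZEROBYTE_ORDER, WINBOX_FROM_MGMT),
    ]:
        print(f"{name:38} -> {verdict(chain, pkt)}")
```

Swapping the chain lists around shows directly that the laptop's winbox access is decided by whichever of "known network" or "drop other winbox" comes first, never by the SNAT address.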
 
slv
Frequent Visitor
Topic Author
Posts: 57
Joined: Mon Jun 17, 2013 8:54 pm

Re: some help with filter rules needed

Thu Mar 17, 2016 6:02 pm

Hello ZeroByte

Thank you for such a detailed explanation of SNAT .. I tried with the rule:
add chain=input action=accept src-address=192.168.0.0/16 protocol=tcp dst-port=8291 interface=WAN action=accept
and the WAN was the problem, because I don't understand packet flow. Now I have printed the traffic flow diagram and I'm trying to analyse it. Next time I hope I will not make such mistakes.
A computer connected to this (192.168.220.0/24) network (that has the gateway changed to .254) couldn't ping any host except its gateway. Why?
I posted this by mistake, but the problem exists and needs a separate topic because it is related to switch/VLAN. In short: a computer connected to VLAN 250 through another switch works properly. The same computer connected directly to the Mikrotik router makes a lot of retransmissions and couldn't even load a simple web page correctly, but can ping hosts on the internet without any problem.
I removed that post when I realized that.
I'm not using WiFi - every connection is a cable connection.

If you have some time (of course anyone else can answer too - I hope this topic will be useful to others):
Could you advise me how to monitor (or limit) and log the number of sessions generated by IPs from the LAN?

In your opinion, what else is necessary to configure in the firewall to handle everyday problems for a small system?

Regards
Slawek
 
nxs02
Member Candidate
Posts: 119
Joined: Sat Nov 07, 2015 1:25 pm
Location: Planet Earth

Re: some help with filter rules needed

Fri Mar 18, 2016 2:25 am

default-forwarding=off -> wireless clients cannot communicate with each other

default-forwarding=on -> they can.
 
slv
Frequent Visitor
Topic Author
Posts: 57
Joined: Mon Jun 17, 2013 8:54 pm

Re: some help with filter rules needed

Fri Mar 18, 2016 9:15 am

Hello

I'm not using WiFi; this happened to computers connected directly to the Mikrotik router.
 
pukkita
Trainer
Posts: 3051
Joined: Wed Dec 04, 2013 11:09 am
Location: Spain

Re: some help with filter rules needed

Fri Mar 18, 2016 11:23 am

The same behaviour can be achieved (isolating bridge members from each other) on a bridge by setting horizon values, check that if you are using bridges for your (v)lans.
 
slv
Frequent Visitor
Topic Author
Posts: 57
Joined: Mon Jun 17, 2013 8:54 pm

Re: some help with filter rules needed

Fri Mar 18, 2016 12:09 pm

I'm not using any bridges

My config looks like:
interface ethernet set 0 name=WAN
interface ethernet set 5 name=LAN

/interface ethernet
set ether7 master-port=LAN
set ether8 master-port=LAN
set ether9 master-port=LAN
set ether10 master-port=LAN

/interface ethernet switch port
set ether7 vlan-mode=secure vlan-header=always-strip default-vlan-id=250
set ether8 vlan-mode=secure vlan-header=always-strip default-vlan-id=220 
set ether9 vlan-mode=secure vlan-header=always-strip default-vlan-id=190 
set ether10 vlan-mode=secure vlan-header=always-strip default-vlan-id=180 
set switch2-cpu vlan-mode=secure
set LAN vlan-mode=secure


/interface ethernet switch vlan
add ports=ether7,LAN,switch2-cpu independent-learning=yes switch=switch2 vlan-id=250
add ports=ether8,LAN,switch2-cpu independent-learning=yes switch=switch2 vlan-id=220
add ports=ether9,LAN,switch2-cpu independent-learning=yes switch=switch2 vlan-id=190 
add ports=ether10,LAN,switch2-cpu independent-learning=yes switch=switch2 vlan-id=180
add ports=LAN,switch2-cpu independent-learning=yes switch=switch2 vlan-id=50

/interface vlan
add interface=LAN mtu=1594 name=LAN1 vlan-id=190
add interface=LAN mtu=1594 name=LAN2 vlan-id=220
add interface=LAN mtu=1594 name=LAN3 vlan-id=250
add interface=LAN mtu=1594 name=LAN4 vlan-id=180
add interface=LAN mtu=1594 name=Mgmt vlan-id=50
I changed
add interface=LAN mtu=1594 name=LAN1 vlan-id=190
to
add interface=LAN mtu=1500 name=LAN1 vlan-id=190
but it doesn't help me


Why does this config work when computers are connected to a Netgear GS110TP (using a trunk connected to port 6 of the Mikrotik), while it does not work for a computer connected directly to a port, e.g. 7?
The Netgear has tagged VLANs on the uplink port, and port-based VLANs on the other ports.

Regards
Slawek
 
nxs02
Member Candidate
Posts: 119
Joined: Sat Nov 07, 2015 1:25 pm
Location: Planet Earth

Re: some help with filter rules needed

Fri Mar 18, 2016 2:13 pm

The same behaviour can be achieved (isolating bridge members from each other) on a bridge by setting horizon values, check that if you are using bridges for your (v)lans.
Agree with this...
this is the best way of isolating bridge port members from each other :D :D
 
slv
Frequent Visitor
Topic Author
Posts: 57
Joined: Mon Jun 17, 2013 8:54 pm

Re: some help with filter rules needed

Tue Mar 22, 2016 12:52 pm

Hello

I discovered a new odd thing:
A computer connected to port8 (port-based VLAN id 220 on the Mikrotik) pings 8.8.8.8 _properly_, while at the same time it is unable to ping "wp.pl" or, even worse, to get an answer from DNS about the IP of wp.pl.

I found a pattern in what is happening:
- if you ping an IP - all is OK
- if you ping microtic.com or roger.pl - usually it is OK, sometimes you need to launch ping more than once (the first time it fails - UNKNOWN HOST)
- if you ping portals like wp.pl or onet.pl, you get one ping response out of 20.

Of course the same computer connected to the Netgear switch passes all these tests properly.

ZeroByte, could you give us your opinion?

Regards
Slawek
