bajzaadmin
newbie
Topic Author
Posts: 48
Joined: Wed Dec 14, 2016 2:39 pm

requesting reasonable basic firewall config

Thu Jul 06, 2017 3:43 pm

Dearest, knowledgeable forum dwellers!

I am completely new to Firewalls, as I've never had to configure one from scratch before.

I work as a sys admin at an elementary school, where we've got a MikroTik RB2011UiAS-IN, that I wish to configure and use as our gateway router.

What I wish to achieve, is that I want to be able to access the device ONLY via SSH from a static address list.
I'd also like to set up the device firewall, so it would do all the necessary shenanigans a firewall does, to make our little LAN reasonably secure.

This is a single broadcast domain LAN with around a hundred devices, so I do not use VLANs.

I've checked the documentation wiki and found this https://wiki.mikrotik.com/wiki/Basic_un ... all_script article, however my experience with the MikroTik documentation tells me, that I should double check.


Thanks in advance!

Cheers!
– Imre_K
 
ZeroByte
Forum Guru
Posts: 4047
Joined: Wed May 11, 2011 6:08 pm

Re: requesting reasonable basic firewall config

Thu Jul 06, 2017 6:25 pm

I think that "basic firewall script" is ANYTHING but basic.

Here's a good basic firewall:

Address List (make this first)
list=AdminHosts address=x.x.x.x (add one for each permitted admin station you want to grant full access to the router)

INPUT chain:
allow connection-state=established,related
allow ICMP
drop in-interface=WAN
allow protocol=udp dst-port=67,68,53
allow in-interface=LAN src-address-list=AdminHosts
drop

FORWARD chain
fasttrack-connection connection-state=established,related
allow connection-state=established,related
allow out-interface=WAN
drop
 
bajzaadmin
newbie
Topic Author
Posts: 48
Joined: Wed Dec 14, 2016 2:39 pm

Re: requesting reasonable basic firewall config

Fri Jul 07, 2017 11:10 am

Hey there Mr. ZeroByte, thank you for the fast reply!

So I should be content with this basic setup, and not worry about SYN flood and other possible "outside" threats, correct?

I am sorry, but my network knowledge is a bit limited at the moment, me being around halfway through the first Cisco ICND curriculum.

*Edit 1: typos

*Edit 2:
All righty, I've translated your config into the following terminal commands:
/ip firewall filter add chain=input connection-state=established,related action=accept

/ip firewall filter add chain=input protocol=icmp action=accept

/ip firewall filter add chain=input protocol=icmp action=drop in-interface=Eth2_WAN1_DIGI

/ip firewall filter add chain=input protocol=udp dst-port=67,68,53 action=accept

however, I do not really understand how I should add the last part, especially what you mean by "drop":
"
allow in-interface=Eth5_LAN src-address-list=AdminHosts
drop
FORWARD chain
fasttrack-connection connection-state=established,related
allow connection-state=established,related
allow out-interface=Eth2_WAN1_DIGI
drop
"

Thanks in advance!

Kind regards,
– Imre_K
 
ZeroByte
Forum Guru
Posts: 4047
Joined: Wed May 11, 2011 6:08 pm

Re: requesting reasonable basic firewall config

Fri Jul 07, 2017 11:02 pm

however, I do not really understand how I should add the last part, especially what you mean by "drop":
"
allow in-interface=Eth5_LAN src-address-list=AdminHosts
That means make this rule:
chain=INPUT action=drop

(no criteria whatsoever - it will drop every packet that gets that far through the chain)
 
acruhl
Member
Posts: 371
Joined: Fri Jul 03, 2015 7:22 pm

Re: requesting reasonable basic firewall config

Sat Jul 08, 2017 2:00 am

So I should be content with this basic setup, and not worry about SYN flood and other possible "outside" threats, correct ?
This isn't basic anymore. If you are worried about this, you can search and find ways to mitigate brute force attacks.

Keep reading about this subject on the forum and on the internet. Once you start to understand how Mikrotik firewall rules work, you can figure out how to mitigate various attacks.
 
bajzaadmin
newbie
Topic Author
Posts: 48
Joined: Wed Dec 14, 2016 2:39 pm

Re: requesting reasonable basic firewall config

Mon Jul 10, 2017 12:33 pm

All righty Lads, thank you so much for both of your replies, especially yours ZeroByte!

The config does seem to work properly now, I will test it out Thursday in our live network.

One more question:
Is it an okay practice that I have both of my LAN and WAN ports on the same "physical" switch within the confines of the routerboard?

One of the basic config documentation pages suggested that I shall use my LAN as a slave port to my WAN, however I do not really see the need for it.

Kind regards,
– Imre_K
 
ZeroByte
Forum Guru
Posts: 4047
Joined: Wed May 11, 2011 6:08 pm

Re: requesting reasonable basic firewall config

Wed Jul 12, 2017 10:23 pm

One of the basic config documentation pages suggested that I shall use my LAN as a slave port to my WAN, however I do not really see the need for it.
Where did you see that suggestion? (I'm scratching my head as to why anyone would suggest this)

You don't want your LAN and WAN to share a broadcast domain - that's the entire reason you're installing a router and not just a dumb switch. When you make port X run slave to port Y, then ports X&Y are combined into a "dumb switch" behavior.

As to your other question - is it a bad idea to have them on the same HW switch at all? No - just make sure that the WAN interface is not slaved to any LAN interfaces, and is not the master for any LAN interfaces. Also make sure that it's not bridged together with anything on the LAN.

There are plenty of valid reasons to bridge/switch several interfaces together as a group on the WAN side - but none of those apply to the basic lan/wan router you wish to deploy. (The reasons involve things like having multiple public IP addresses and you want to configure other devices with other public IPs and have them be outside the firewall. Instead of buying an extra switch to plug in between the DSL/Cable/GPON/etc device and your router, you just bridge/switch a second port for that other device.)
 
bajzaadmin
newbie
Topic Author
Posts: 48
Joined: Wed Dec 14, 2016 2:39 pm

Re: requesting reasonable basic firewall config

Thu Jul 13, 2017 3:13 pm

# jul/17/2017 10:20:09 by RouterOS 6.39.2
# software id = 5IAZ-WMI5
#
/interface ethernet
set [ find default-name=ether2 ] mac-address=F0:79:59:EB:9B:98 name=\
Eth2_WAN1_DIGI
set [ find default-name=ether5 ] name=Eth5_LAN
/ip pool
add name=dhcp_pool1 ranges=192.168.100.2-192.168.255.254
/ip dhcp-server
add address-pool=dhcp_pool1 disabled=no interface=Eth5_LAN lease-time=1d \
name=DHCPS_Eth5_LAN
/ip address
add address=192.168.0.1/16 comment=LAN interface=Eth5_LAN network=192.168.0.0
/ip dhcp-client
add dhcp-options=hostname,clientid disabled=no interface=Eth2_WAN1_DIGI
/ip dhcp-server lease
add address=192.168.0.100 client-id=AP lease-time=1w mac-address=\
80:2A:A8:68:10:DF server=DHCPS_Eth5_LAN
add address=192.168.0.101 client-id=AP lease-time=1w mac-address=\
80:2A:A8:68:15:85 server=DHCPS_Eth5_LAN
add address=192.168.0.102 client-id=AP lease-time=1w mac-address=\
80:2A:A8:68:16:71 server=DHCPS_Eth5_LAN
add address=192.168.0.103 client-id=AP lease-time=1w mac-address=\
80:2A:A8:A0:52:E4 server=DHCPS_Eth5_LAN
add address=192.168.0.104 client-id=AP lease-time=1w mac-address=\
80:2A:A8:A0:52:DF server=DHCPS_Eth5_LAN
add address=192.168.0.105 client-id=AP lease-time=1w mac-address=\
80:2A:A8:A0:53:17 server=DHCPS_Eth5_LAN
add address=192.168.0.106 client-id=AP lease-time=1w mac-address=\
80:2A:A8:A0:53:5A server=DHCPS_Eth5_LAN
add address=192.168.0.107 client-id=AP lease-time=1w mac-address=\
80:2A:A8:A0:53:64 server=DHCPS_Eth5_LAN
add address=192.168.0.108 client-id=AP lease-time=1w mac-address=\
80:2A:A8:A0:53:6C server=DHCPS_Eth5_LAN
add address=192.168.0.109 client-id=AP lease-time=1w mac-address=\
80:2A:A8:68:10:DE server=DHCPS_Eth5_LAN
add address=192.168.0.110 client-id=AP lease-time=1w mac-address=\
80:2A:A8:68:15:D4 server=DHCPS_Eth5_LAN
add address=192.168.0.111 client-id=AP lease-time=1w mac-address=\
80:2A:A8:68:16:99 server=DHCPS_Eth5_LAN
add address=192.168.0.112 client-id=AP lease-time=1w mac-address=\
80:2A:A8:A0:51:95 server=DHCPS_Eth5_LAN
add address=192.168.0.113 client-id=AP lease-time=1w mac-address=\
80:2A:A8:A0:52:14 server=DHCPS_Eth5_LAN
add address=192.168.0.114 client-id=AP lease-time=1w mac-address=\
80:2A:A8:A0:52:2F server=DHCPS_Eth5_LAN
add address=192.168.0.115 client-id=AP lease-time=1w mac-address=\
80:2A:A8:A0:52:77 server=DHCPS_Eth5_LAN
/ip dhcp-server network
add address=192.168.0.0/16 dns-server=192.168.0.1 gateway=192.168.0.1 \
netmask=16
/ip dns
set allow-remote-requests=yes servers=192.168.0.1
/ip firewall address-list
add address=192.168.1.24 list=AdminHosts
add address=192.168.3.3 list=AdminHosts
add address=192.168.3.2 list=AdminHosts
add address=192.168.3.1 list=AdminHosts
add address=192.168.3.4 list=AdminHosts
add address=192.168.3.5 list=AdminHosts
add address=192.168.3.6 list=AdminHosts
/ip firewall filter
add action=accept chain=input comment=\
"Allow established connections and related packets" connection-state=\
established,related
add action=accept chain=input comment="Allow ICMP from LAN to router" \
in-interface=Eth5_LAN protocol=icmp
add action=accept chain=input comment=" Allow DHCP and DNS UDP" dst-port=\
53,67,68 in-interface=Eth5_LAN protocol=udp
add action=accept chain=input comment="Allow DHCP and DNS TCP" dst-port=\
53,67,68 in-interface=Eth5_LAN protocol=tcp
add action=accept chain=input comment=\
"Allow AdminHosts addresses to access router" in-interface=Eth5_LAN \
src-address-list=AdminHosts
add action=drop chain=input comment=" Drop all else input requests !" log=yes
add action=fasttrack-connection chain=forward comment="fasttrack related" \
connection-state=established,related
add action=accept chain=forward comment=" fasttrack related" \
connection-state=established,related
add action=accept chain=forward comment=" Forward packets coming from LAN" \
out-interface=Eth2_WAN1_DIGI
add action=drop chain=forward comment=" Drop all else forward requests!"
/ip firewall nat
add action=masquerade chain=srcnat out-interface=Eth2_WAN1_DIGI
/ip service
set telnet disabled=yes
set ftp disabled=yes
set www disabled=yes
set ssh port=2200
set api disabled=yes
set api-ssl disabled=yes
/system clock
set time-zone-name=Europe/Budapest
/system identity
set name=MF-M-GW
/system ntp client
set enabled=yes server-dns-names=pool.ntp.org,3.hu.pool.ntp.org
Last edited by bajzaadmin on Mon Jul 17, 2017 11:21 am, edited 2 times in total.
 
ZeroByte
Forum Guru
Posts: 4047
Joined: Wed May 11, 2011 6:08 pm

Re: requesting reasonable basic firewall config

Thu Jul 13, 2017 4:56 pm

add address-pool=dhcp_pool1 authoritative=after-2sec-delay disabled=no \
interface=Eth5_LAN lease-time=1w3d name=DHCPS_Eth5_LAN
/ip dhcp-server network
add address=192.168.0.0/16 dns-server=8.8.8.8,8.8.4.4 gateway=192.168.0.1 \
netmask=16
I don't think the netmask=16 is necessary since it matches the network address. Also, you might want to make authoritative be immediately (no delay, whatever the keyword should be). Lastly, you need to assign the DNS server as 192.168.0.1 and not 8.8.8.8,8.8.4.4 - but perhaps this is just how you had it set because the cache wasn't working right....

As for the firewall rules, see my annotations below:
/ip firewall filter
add action=accept chain=input comment=\
"Allow established connections and related packets" connection-state=\
established,related
add action=accept chain=input comment="Allow ping from LAN" protocol=icmp
add action=drop chain=input comment="drop ping from WAN1" in-interface=\
Eth2_WAN1_DIGI protocol=icmp
<---- not necessary because your final INPUT rule is to drop all
add action=accept chain=input comment=" Allow DHCP and DNS UDP" dst-port=\
53,67,68 protocol=udp
<--- This opens you for being used in DNS-Amp DDoS attacks. Also require in-interface=Eth5_LAN
add action=accept chain=input comment=\
"Allow AdminHosts addresses to access router" in-interface=Eth5_LAN \
src-address-list=AdminHosts
add action=drop chain=input comment=" Drop all else input requests !"
Lastly, this route statement isn't necessary, because it gets added automatically as a connected route whenever you put the IP address 192.168.0.1/16 onto the interface:
/ip route
add distance=1 dst-address=192.168.0.0/16 gateway=Eth5_LAN pref-src=\
192.168.0.1
 
bajzaadmin
newbie
Topic Author
Posts: 48
Joined: Wed Dec 14, 2016 2:39 pm

Re: requesting reasonable basic firewall config

Fri Jul 14, 2017 11:01 am

...
Lastly, this route statement isn't necessary, because it gets added automatically as a connected route whenever you put the IP address 192.168.0.1/16 onto the interface:
/ip route
add distance=1 dst-address=192.168.0.0/16 gateway=Eth5_LAN pref-src=\
192.168.0.1
Hey there, thanks for the fast reply!

I did set up everything you've suggested; however, I've discovered another interesting issue.
The router doesn't respond to PING requests, and DHCP doesn't work; if I use the ping command from the router to the end device, then the end device is suddenly capable of responding and the connection comes alive. This is true for both DHCP and STATIC configured devices on my network.



Any suggestions?

*Edit:
Other interesting thing is, that the addresses handed out from my DHCP pool seem to arrive at end devices, but with a wrong netmask.
Is it possible that the network (192.168.0.0/16) is not in the classic IANA private address space and that is causing the issue?
**Edit2:
Updated my previous post with the most current config.

PS.: I send you a virtual beer for your resiliently helpful spirit!
Last edited by bajzaadmin on Fri Jul 14, 2017 1:21 pm, edited 3 times in total.
 
nescafe2002
Forum Veteran
Posts: 915
Joined: Tue Aug 11, 2015 12:46 pm
Location: Netherlands

Re: requesting reasonable basic firewall config

Fri Jul 14, 2017 11:27 am

FORWARD chain
fasttrack-connection connection-state=established,related
allow connection-state=established,related
allow out-interface=WAN
drop
This would allow other customers (within your network segment) to route traffic over your line, if not properly isolated by your provider.
(Usually there is an identical masquerade rule (on out-interface) which also masquerades their traffic)

Suggested alternative:
allow in-interface=LAN
 
ZeroByte
Forum Guru
Posts: 4047
Joined: Wed May 11, 2011 6:08 pm

Re: requesting reasonable basic firewall config

Fri Jul 14, 2017 6:32 pm

FORWARD chain
fasttrack-connection connection-state=established,related
allow connection-state=established,related
allow out-interface=WAN
drop
This would allow other customers (within your network segment) to route traffic over your line, if not properly isolated by your provider.
(Usually there is an identical masquerade rule (on out-interface) which also masquerades their traffic)

Suggested alternative:
allow in-interface=LAN
It allows all locally-attached networks to access the Internet via WAN interface - the OP stated that he has a single WAN and a single LAN and he just wants a basic stateful firewall. If he does add more LAN-side segments, they will likely be in the form of "isolated student LAN" vs "admin LAN" etc.
allow out-interface=WAN, followed by DROP ALL --> this means that any LAN may surf, but NO LAN may communicate with any other LAN - right out of the gate. This is the most secure + allowing for all LANs to reach the Internet. (OP is not a service provider or anything like that)

The router doesn't respond to PING requests, and DHCP doesn't work;
You didn't allow pings, right? (going to re-read your modified rules and re-edit this post)

EDIT: It looks like it should be working. I haven't totally read the entire config, so perhaps I've missed something. The only things I can think of right off hand are if your LAN interface is not actually Ether5, or else you have something going on with ARP (make sure the ether5 interface has arp enabled)
 
nescafe2002
Forum Veteran
Posts: 915
Joined: Tue Aug 11, 2015 12:46 pm
Location: Netherlands

Re: requesting reasonable basic firewall config

Fri Jul 14, 2017 10:04 pm

This is the most secure + allowing for all LANs to reach the Internet. (OP is not a service provider or anything like that)
Regarding protection of your home network, you're right. But this is certainly not most secure option.

What about campus setups: Your WAN IP is 1.1.1.10 and your neighbour's IP 1.1.1.11 (same switch, same segment). Neighbour sets gateway to 1.1.1.10 and can do anything on the web using your IP (and MAC address). Static ARP would not solve this. It depends on whether your ISP isolates L2 traffic between you and your neighbours.

When creating PPP tunnels you're introducing the same risk; the other end could route external traffic through the tunnel and via your WAN IP to the outside world.


Again, this single line:
allow out-interface=WAN

.. simply isn't most secure because a) in-interface=WAN is implicitly allowed (external hairpin NAT) and b) every new interface is accepted by default, which violates the "drop everything but.." rule.
 
ZeroByte
Forum Guru
Posts: 4047
Joined: Wed May 11, 2011 6:08 pm

Re: requesting reasonable basic firewall config

Fri Jul 14, 2017 10:13 pm

ok - then add in-interface=!wan to the same rule

the neighbors-bouncing-IP-off-of-me problem is gone.

For the typical open home router, I'd be using forward in-interface=!wan logic anyway...
but for scenarios like this one, I shall be using out-interface=wan in-interface=!wan

Thanks for the tip!
 
pe1chl
Forum Guru
Posts: 10625
Joined: Mon Jun 08, 2015 12:09 pm

Re: requesting reasonable basic firewall config

Fri Jul 14, 2017 10:33 pm

For the typical open home router, I'd be using forward in-interface=!wan logic anyway...
Be careful when using !interface in the rules, there is a bug: when the named interface (wan in this case) is down,
the rule will never match. This is of course wrong: it should still match on all interfaces that are not wan and that are up.
It depends a bit on the context and purpose of the rule if this is a problem. It may not matter for a forward rule in a
router that has only lan and wan, but when you would use this in the input chain, e.g. "allow input in-interface=!wan" you
will find yourself locked out of your router when your wan interface is down. And you may want to access your router to
fix that problem!
 
ZeroByte
Forum Guru
Posts: 4047
Joined: Wed May 11, 2011 6:08 pm

Re: requesting reasonable basic firewall config

Fri Jul 14, 2017 10:41 pm

Down as in admin down, or down as in link down, or either?
(time to break out a lab router and try that - that just sounds like an insanely crazy thing to have lurking in the code)
 
pe1chl
Forum Guru
Posts: 10625
Joined: Mon Jun 08, 2015 12:09 pm

Re: requesting reasonable basic firewall config

Sat Jul 15, 2017 12:05 am

Both of them. E.g. my wan interface is PPPoE and when it fails such a rule does not work. See viewtopic.php?f=1&t=101576
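Pulling the thread's advice together, here is the ruleset as it stands after the exchange above: ZeroByte's basic input/forward chains from earlier in the thread, the DHCP/DNS accept limited to the LAN interface (the DNS-amplification point), and the LAN-to-Internet forward rule matched positively on the LAN interface, which closes the neighbour-on-the-WAN-segment hole nescafe2002 describes without the negated `!wan` match that pe1chl warns never matches while the named interface is down. This is an added example, not a post from the thread. It assumes the interface names Eth2_WAN1_DIGI and Eth5_LAN and the 192.168.0.0/16 LAN from the posted config; the AdminHosts entry 192.168.3.1 is a placeholder.

```routeros
# Added example, not a post from the thread. Interface names and the LAN
# prefix come from the posted config; 192.168.3.1 is a placeholder admin host.

/ip firewall address-list
add list=AdminHosts address=192.168.3.1 comment="admin workstation (placeholder)"

# Second, independent gate on the SSH requirement: the service itself refuses
# connections from anywhere but the admin hosts, regardless of the filter rules.
/ip service
set ssh port=2200 address=192.168.3.1/32

/ip firewall filter
# ---- input: packets addressed to the router itself (first match wins) ----
add chain=input action=accept connection-state=established,related \
    comment="replies to traffic the router itself initiated"
add chain=input action=accept protocol=icmp in-interface=Eth5_LAN \
    comment="ping from LAN only"
add chain=input action=accept protocol=udp dst-port=53,67,68 in-interface=Eth5_LAN \
    comment="DHCP and DNS from LAN only; without in-interface the resolver also answers the Internet (DNS amplification)"
add chain=input action=accept protocol=tcp dst-port=53 in-interface=Eth5_LAN \
    comment="DNS over TCP from LAN only (large answers)"
add chain=input action=accept in-interface=Eth5_LAN src-address-list=AdminHosts \
    comment="management (SSH) only from AdminHosts on the LAN"
add chain=input action=drop log=yes log-prefix="INPUT-DROP" \
    comment="default deny: everything else, which includes all new WAN traffic"

# ---- forward: packets routed through the router ----
add chain=forward action=fasttrack-connection connection-state=established,related \
    comment="fast path for flows already accepted by the rules below"
add chain=forward action=accept connection-state=established,related
add chain=forward action=accept in-interface=Eth5_LAN out-interface=Eth2_WAN1_DIGI \
    comment="LAN to Internet; positive LAN match instead of in-interface=!Eth2_WAN1_DIGI"
add chain=forward action=drop log=yes log-prefix="FWD-DROP" \
    comment="default deny: no new flows from WAN, no WAN-to-WAN hairpin"

/ip firewall nat
add chain=srcnat action=masquerade out-interface=Eth2_WAN1_DIGI \
    comment="only traffic already accepted in forward reaches srcnat"
```

Paste it into a router with no other filter rules, or check `/ip firewall filter print` afterwards: RouterOS walks a chain top to bottom and the first match wins, so the two drop rules must stay last in their chains. Related ICMP errors (fragmentation-needed and the like) for existing flows still pass through the established,related rules even though new ICMP from the WAN is dropped. If more LAN segments are added later, give each its own accept in the forward chain (or use an interface list on versions that have `/interface list`) rather than falling back to a negated interface match.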
 
bajzaadmin
newbie
Topic Author
Posts: 48
Joined: Wed Dec 14, 2016 2:39 pm

Re: requesting reasonable basic firewall config

Sun Jul 16, 2017 11:22 am

...
EDIT: It looks like it should be working. I haven't totally read the entire config, so perhaps I've missed something. The only things I can think of right off hand are if your LAN interface is not actually Ether5, or else you have something going on with ARP (make sure the ether5 interface has arp enabled)

Hey there!

Thanks for the fast reply again!

How do I enable ARP? (Although I think it is working to some extent at least, because I see some addresses being added to the ARP table; I'll double-check on Monday. I found this in the documentation: https://wiki.mikrotik.com/wiki/Manual:IP/ARP.)
If it should be working but in case it won't, shall I revert to an older OS maybe? I am on a deadline to do this stuff until Wednesday, or else I have to revert back to our old router for the time being.
All other parts of the network are layer 2, I think, with "dumb switches" all over the place, so I do not think that it's an issue originating from some other device. They also work flawlessly with my other router.
 
bajzaadmin
newbie
Topic Author
Posts: 48
Joined: Wed Dec 14, 2016 2:39 pm

Re: requesting reasonable basic firewall config

Mon Jul 17, 2017 11:19 am

FORWARD chain
fasttrack-connection connection-state=established,related
allow connection-state=established,related
allow out-interface=WAN
drop
This would allow other customers (within your network segment) to route traffic over your line, if not properly isolated by your provider.
(Usually there is an identical masquerade rule (on out-interface) which also masquerades their traffic)

Suggested alternative:
allow in-interface=LAN
It allows all locally-attached networks to access the Internet via WAN interface - the OP stated that he has a single WAN and a single LAN and he just wants a basic stateful firewall. If he does add more LAN-side segments, they will likely be in the form of "isolated student LAN" vs "admin LAN" etc.
allow out-interface=WAN, followed by DROP ALL --> this means that any LAN may surf, but NO LAN may communicate with any other LAN - right out of the gate. This is the most secure + allowing for all LANs to reach the Internet. (OP is not a service provider or anything like that)

The router doesn't respond to PING requests, and DHCP doesn't work;
You didn't allow pings, right? (going to re-read your modified rules and re-edit this post)

EDIT: It looks like it should be working. I haven't totally read the entire config, so perhaps I've missed something. The only things I can think of right off hand are if your LAN interface is not actually Ether5, or else you have something going on with ARP (make sure the ether5 interface has arp enabled)

Hey there!

I sort of have no idea what the issue is.
The interfaces are connected to the proper physical connection, ARP is enabled.

DNS doesn't respond to requests until I ping a device from the router. DHCP should work, but it won't route, it will just hand out addresses on the LAN and that's it.
Could this be something messed up in the firewall?

I attached a snippet from my log, DC0EA1 is my admin machine, and the rule we are logging is "Drop all else input" chain rule.

Maybe it's because the connection is not counted as established/related until the two devices have communicated once? Even then, DHCP, DNS and UDP are allowed on both TCP and UDP, in-interface: LAN.


Regards,
Imre_K

*EDIT:
Edited my previous post to include most recent config.
 
ZeroByte
Forum Guru
Posts: 4047
Joined: Wed May 11, 2011 6:08 pm

Re: requesting reasonable basic firewall config

Mon Jul 17, 2017 5:57 pm

This sounds like you have ARP disabled on the LAN interface.
Go into the settings and make sure ARP is set to enabled, or reply-only (only use the second one if you're trying to force DHCP use, and have add-arp=yes in the DHCP server settings)

As for DNS, under your settings, you've configured allow-requests=yes, but assigned the Mikrotik's own internal IP as the server. This is the problem. That setting is the one the Mikrotik itself uses as a DNS server. It's NOT the server assigned to clients. Change that to whatever DNS server(s) you should be using with your ISP, and that should fix the DNS issue.
 
bajzaadmin
newbie
Topic Author
Posts: 48
Joined: Wed Dec 14, 2016 2:39 pm

Re: requesting reasonable basic firewall config

Mon Jul 17, 2017 8:24 pm

This sounds like you have ARP disabled on the LAN interface.
Go into the settings and make sure ARP is set to enabled, or reply-only (only use the second one if you're trying to force DHCP use, and have add-arp=yes in the DHCP server settings)

As for DNS, under your settings, you've configured allow-requests=yes, but assigned the Mikrotik's own internal IP as the server. This is the problem. That setting is the one the Mikrotik itself uses as a DNS server. It's NOT the server assigned to clients. Change that to whatever DNS server(s) you should be using with your ISP, and that should fix the DNS issue.
Hey there!

ARP is enabled (it was enabled by default, so that is why it doesn't show up in the cfg, I think).

So, I should add ISP/Google/whatever DNS servers in IP/DNS and let IP/DHCP-Server use the internal DNS address of the MikroTik device?
 
ZeroByte
Forum Guru
Posts: 4047
Joined: Wed May 11, 2011 6:08 pm

Re: requesting reasonable basic firewall config

Mon Jul 17, 2017 9:45 pm

So, I should add ISP/Google/whatever DNS servers in IP/DNS and let IP/DHCP-Server use the internal DNS address of the MikroTik device?
That's the typical SOHO configuration, yes.
IP > DNS > Settings configures how the Mikrotik itself uses DNS.
IP > DHCP-Server > Networks configures what DNS server is assigned to DHCP clients when they obtain leases.
These two have nothing to do with each other. You can assign any resolver to DNS clients independently of whatever resolvers the Mikrotik itself uses to perform DNS lookups.

However: If the DHCP server assigns clients to use the Mikrotik itself as their resolver, then the Mikrotik had better be properly configured for its own DNS resolver to work, and permit remote hosts to access it. (Additionally, the WAN interface should also have firewall rules to block incoming DNS requests from the Internet in order to prevent your router from being pressed into service as a DNS-Amplification node in a DDoS attack.)
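The two settings ZeroByte distinguishes, written out as an added example rather than text from the thread: the router's own resolvers under /ip dns, and what DHCP hands to clients under /ip dhcp-server network, with the router itself as the clients' resolver and the input chain admitting port 53 from the LAN side only. The resolver addresses 8.8.8.8 and 8.8.4.4 are the ones quoted earlier in the thread and stand in for whatever the ISP provides; the interface name, address and prefix are taken from the posted config. The last three commands are checks to run from the router's console.

```routeros
# Added example, not a post from the thread. Interface, address and prefix are
# from the posted config; 8.8.8.8/8.8.4.4 are the resolvers quoted earlier in
# the thread and stand in for the ISP's.

# 1. What the router itself resolves with, and (because of
#    allow-remote-requests=yes) where LAN clients' queries are forwarded.
/ip dns
set servers=8.8.8.8,8.8.4.4 allow-remote-requests=yes

# 2. What DHCP clients are told. The network prefix must be the one configured
#    on Eth5_LAN (192.168.0.1/16): a client whose address falls outside every
#    dhcp-server network entry gets a lease without gateway or DNS options.
/ip dhcp-server network
add address=192.168.0.0/16 gateway=192.168.0.1 dns-server=192.168.0.1 \
    comment="school LAN: router is gateway and resolver"

# 3. allow-remote-requests=yes answers port 53 on every interface, so the input
#    chain must admit DNS from the LAN interface only. These rules have to sit
#    above the chain's final drop; use /ip firewall filter move if they do not.
/ip firewall filter
add chain=input action=accept protocol=udp dst-port=53 in-interface=Eth5_LAN \
    comment="DNS from LAN only"
add chain=input action=accept protocol=tcp dst-port=53 in-interface=Eth5_LAN \
    comment="DNS over TCP from LAN only"

# Checks from the console: the router resolves for itself, the cache fills as
# LAN clients query it, and the input-chain counters should show WAN port-53
# attempts landing on the final drop rather than on any accept rule.
:put [:resolve mikrotik.com]
/ip dns cache print
/ip firewall filter print stats where chain=input
```

With this split, changing the upstream resolvers later is a one-line edit under /ip dns and no client needs a new lease, while the LAN-only accept keeps the open resolver off the Internet.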
 
bajzaadmin
newbie
Topic Author
Posts: 48
Joined: Wed Dec 14, 2016 2:39 pm

Re: requesting reasonable basic firewall config

Tue Jul 18, 2017 1:37 pm

So, I should add ISP/Google/whatever DNS servers in IP/DNS and let IP/DHCP-Server use the internal DNS address of the MikroTik device?
That's the typical SOHO configuration, yes.
IP > DNS > Settings configures how the Mikrotik itself uses DNS.
IP > DHCP-Server > Networks configures what DNS server is assigned to DHCP clients when they obtain leases.
These two have nothing to do with each other. You can assign any resolver to DNS clients independently of whatever resolvers the Mikrotik itself uses to perform DNS lookups.

However: If the DHCP server assigns clients to use the Mikrotik itself as their resolver, then the Mikrotik had better be properly configured for its own DNS resolver to work, and permit remote hosts to access it. (Additionally, the WAN interface should also have firewall rules to block incoming DNS requests from the Internet in order to prevent your router from being pressed into service as a DNS-Amplification node in a DDoS attack.)


Awesome Sir, thanks for the heads up!

I'll definitely try this config on Thursday, and if it fixes the issues, I'll update the OP with a cleaned up version of the basic setup, so others can find it in the future.

Regards,
Imre_K