Home Firewall configuration

Spartacus · Thu Jun 07, 2018 3:31 pm

Hello,
I am a very new Mikrotik user and I am working on my firewall rules for my home network on a RB3011. I red a lot of wikis but I am not sure, if I am on the right way.
I have developed the rules in a text editor and not deployed to the productive system, yet.
I am also not sure, if my rules are working correctly, therefore I would like to ask, if someone can keep an eye on it, if the network, especially the WAN connection, or if there are some "holes" which have been closed.

To make it readability, i have structured the rules, so i hope that the order of the rules is correct.
For a my better understanding I also used comments beginning with "#" The comments will not be posted into the RB later.

Prerequisites:
- interface list add name=WAN
- interface list add name=LAN
- interface list member add interface=ether1 list=WAN
- interface list member add interface=br_vlan list=LAN
- allow-remote-requests=yes servers=8.8.8.8,8.8.4.4

Requirements:
- block Bogons but not own Subnets
- Allow all Subnets to connect to Internet
- Allow only VLANFriends to talk to each other
- Allow AdminSubnet to connect to Internet and all other Subnets
- Allow AdminSubnet to connect to Router via HTTPS, SSH and Winbox
- Block DNS Requests from WAN
- Spam prevention (SMTP-Port 25)
- blocking of LAN users from asking external DNS servers

Thanks in advanced,
Christian

# Firewall Filter
#
# Prerequisites:
# /interface list add name=WAN
# /interface list add name=LAN
# /interface list member add interface=ether1 list=WAN
# /interface list member add interface=br_vlan list=LAN
# /ip dns set allow-remote-requests=yes servers=8.8.8.8,8.8.4.4
#
# Requirements:
# - block Bogons but not own used Subnets
# - Allow Subnets to connect to Internet
# - Allow only VLANFriends to talk to each other
# - Allow AdminSubnet to connect to Internet and all other Subnets
# - Allow AdminSubnet to connect to Router via HTTPS, SSH and Winbox
# - Block DNS Requests from WAN
# - Spam prevention (SMTP-Port 25)
# - blocking of LAN users from asking external DNS servers
#
# Bogons
#
/ip firewall address-list add list=bogons address=0.0.0.0/8			disable=no 
/ip firewall address-list add list=bogons address=10.0.0.0/8		        disable=no
/ip firewall address-list add list=bogons address=100.64.0.0/10		disable=no
/ip firewall address-list add list=bogons address=127.0.0.0/8		disable=no
/ip firewall address-list add list=bogons address=169.254.0.0/16	        disable=no
/ip firewall address-list add list=bogons address=172.16.0.0/12		disable=yes
/ip firewall address-list add list=bogons address=192.0.0.0/24		disable=no
/ip firewall address-list add list=bogons address=192.0.2.0/24		disable=no
/ip firewall address-list add list=bogons address=192.168.0.0/16	       disable=yes
/ip firewall address-list add list=bogons address=198.18.0.0/15		disable=no
/ip firewall address-list add list=bogons address=198.51.100.0/24	disable=no
/ip firewall address-list add list=bogons address=203.0.113.0/24	        disable=no
/ip firewall address-list add list=bogons address=240.0.0.0/4		disable=no
#
#
# private Subnetze
#
/ip firewall address-list add address=172.16.1.0/24 list=PrivateSubnets
/ip firewall address-list add address=172.16.10.0/24 list=PrivateSubnets
/ip firewall address-list add address=172.16.20.0/24 list=PrivateSubnets
/ip firewall address-list add address=192.168.1.0/24 list=PrivateSubnets
#
#
# Admin subnet
#
/ip firewall address-list add address=172.16.1.0/24 list=AdminSubnet
#
#
# VLAN friends can talk to each other
#
/ip firewall address-list add address=172.16.10.0/24 list=VlanFriends
/ip firewall address-list add address=172.16.20.0/24 list=VlanFriends
#
#
# Input Chain
#
/ip firewall filter add chain=input connection-state=established,related comment="accept established,related" action=accept 
/ip firewall filter add chain=input connection-state=invalid comment="drop invalid" action=drop
/ip firewall filter add chain=input protocol=icmp action=jump jump-target=allow-icmp
/ip firewall filter add chain=input src-address-list=AdminSubnet dst-address-list=AdminSubnet in-interface-list=LAN protocol=tcp action=jump jump-target=allow-admin
/ip firewall filter add chain=input src-address-list=PrivateSubnets dst-address-list=PrivateSubnets in-interface-list=LAN protocol=udp dst-port=53 comment="accept DNS-UDP from LAN" action=accept 
/ip firewall filter add chain=input src-address-list=PrivateSubnets dst-address-list=PrivateSubnets in-interface-list=LAN protocol=tcp dst-port=53 comment="accept DNS-TCP from LAN" action=accept 
/ip firewall filter add chain=input comment="drop" action=drop
#
# End of Input Chain
#
#
#
#
# Forward Chain
#
/ip firewall filter add chain=forward connection-state=established,related comment="fasttrack established,related" action=fasttrack-connection
/ip firewall filter add chain=forward connection-state=established,related comment="accept established,related" action=accept
/ip firewall filter add chain=forward connection-state=invalid comment="drop invalid" action=drop
/ip firewall filter add chain=forward src-address-list=bogons in-interface-list=WAN comment="drop bogons from WAN" action=drop
/ip firewall filter add chain=forward connection-state=new connection-nat-state=!dstnat in-interface-list=WAN comment="drop to WAN w/o DSTNAT" action=drop
/ip firewall filter add chain=forward out-interface-list=WAN protocol=tcp dst-port=25 comment="reject SMTP to WAN" action=reject
/ip firewall filter add chain=forward src-address-list=AdminSubnet in-interface-list=LAN comment="Accept VLAN Admin"  action=accept
/ip firewall filter add chain=forward src-address-list=VlanFriends dst-address-list=VlanFriends in-interface-list=LAN comment="Accept VLAN friends"  action=accept
/ip firewall filter add chain=forward comment="drop" action=drop
#
# End of Forward Chain
#
#
#
# output Chain
#
/ip firewall filter add chain=output dst-port=53 out-interface-list=WAN protocol=udp src-address=!172.16.1.1 action=drop
/ip firewall filter add chain=output dst-port=53 out-interface-list=WAN protocol=tcp src-address=!172.16.1.1 action=drop
#
# End of output Chain
#
#
#
# customized Chains
#
# permit ICMP-commands
/ip firewall filter add chain=allow-icmp src-address-list=!PrivateSubnets dst-address-list=!PrivateSubnets in-interface-list=WAN protocol=icmp icmp-options=0:0 comment="accept ICMP echo reply from WAN" action=accept 
/ip firewall filter add chain=allow-icmp src-address-list=!PrivateSubnets dst-address-list=!PrivateSubnets in-interface-list=WAN protocol=icmp icmp-options=3:0-1 comment="accept ICMP destination unreachable from WAN" action=accept
/ip firewall filter add chain=allow-icmp src-address-list=!PrivateSubnets dst-address-list=!PrivateSubnets in-interface-list=WAN protocol=icmp icmp-options=8:0 comment="accept ICMP echo request from WAN" action=accept 
/ip firewall filter add chain=allow-icmp src-address-list=!PrivateSubnets dst-address-list=!PrivateSubnets in-interface-list=WAN protocol=icmp icmp-options=11:0 comment="accept ICMP time exceeded from WAN" action=accept
/ip firewall filter add chain=allow-icmp src-address-list=PrivateSubnets dst-address-list=PrivateSubnets in-interface-list=LAN protocol=icmp icmp-options=0:0 comment="accept ICMP echo reply from LAN" action=accept 
/ip firewall filter add chain=allow-icmp src-address-list=PrivateSubnets dst-address-list=PrivateSubnets in-interface-list=LAN protocol=icmp icmp-options=3:0-1 comment="accept ICMP destination unreachable from LAN" action=accept
/ip firewall filter add chain=allow-icmp src-address-list=PrivateSubnets dst-address-list=PrivateSubnets in-interface-list=LAN protocol=icmp icmp-options=8:0 comment="accept ICMP echo request from LAN" action=accept 
/ip firewall filter add chain=allow-icmp src-address-list=PrivateSubnets dst-address-list=PrivateSubnets in-interface-list=LAN protocol=icmp icmp-options=11:0 comment="accept ICMP time exceeded from LAN" action=accept
/ip firewall filter add chain=allow-icmp comment="drop" action=drop
#
# permit Admin-Access for SSH, HTTPS and Winbox
/ip firewall filter add chain=allow-admin dst-port=22 comment="accept SSH from LAN" action=accept
/ip firewall filter add chain=allow-admin dst-port=443 comment="accept HTTPS from LAN" action=accept
/ip firewall filter add chain=allow-admin dst-port=8291 comment="accept WinBox from LAN" action=accept
/ip firewall filter add chain=allow-admin comment="drop" action=drop
#
#
# NAT
/ip firewall nat add chain=srcnat comment="masquerade LAN->WAN" disabled=yes out-interface=ether1 action=masquerade

anav · Thu Jun 07, 2018 7:08 pm

Just taking a quick look and don't understand the complexity of your input rules and overkill on jumping. Eat a lot of beans??
Simply
add chain=input action=accept in-interface-list=adminsubnet

Same for DNS
add chain=input action=accept in-interface-list=LAN protocol TCP port 53
add chain=input action=accept in-interface-list=LAN protocol UDP port 53

Since you have an input list drop all as the last rule implicitly all else is dropped including WAN to Router DNS queries so no separate drop rule required for that (remove).

Also ensure in winbox services or settings (can't rememeber) you limit to and allow same subnet for winbox and SSH.
Set ssh as strong crypto and change default (use different SSH port.
Not sure if using HTTPS is recommended, not required if you are on the LAN and have access already through Winbox or SSH.
If you want external admin access from the internet use VPN.

Moving to forward chain, lets discuss BOGON list because I too am wondering how to best apply this list.......

I have seen two variations........
/ip firewall filter
add chain=forward action=drop in-interface-list=WAN src-address-list=bogons (STOP FORWARDED TRAFFIC coming from internet FROM PRIVATE ADDRESSES)
AND
add chain=forward action=drop in-interface-list=WAN dst-address-list=bogons (STOP FORWARDED TRAFFIC coming from internet TO PRIVATE ADDRESSES)

WHICH IS CORRECT ????????????????????????????????????????????????????????????????????????????????????????????????????????????????????

In any case, I would apply this rule either way in RAW , not it Filter.
One has to be careful on direction of traffic and may have to remove/disable any private address blocks that encompass the private IP structures you use on your own router. (trust stupid me that forgets to use Sandbox Mode for firewall changes.

)

The next rule I dont understand is your drop not dsnated rules??? First of all you have an implicit drop all except allowed traffic as the last rule in your forward chain, so thats great and I do that myself. But think about it. What this means is you only need to make ALLOW rules, as everything else will be dropped if not matched to one of the allow rules!!!!!

So you NEED to allow dstnat (if you have any port forwardings.
add chain=forward action=accept in-interface-list=WAN ( I think connection state=dstnat) but will confirm later.

In terms of port 25 smtp, I cant advise as i dont understand the requirement? Do you mean incoming traffic to the router on port 25 (more like scan then spam), do you mean traffic being forwarded from the net on port 25? or do you mean LAN traffic going on port 25 which I wouldn't block because I need it for email)? Thus need a bit more clarity on purpose.
If it strictly no TCP 25 from the LAN then you don't need outbound interface in the rule.
/ip firewall filter
add chain=forward action=drop protocol=tcp dst-port=25
If you wanted to find out which PCs were spamming
/ip firewall filter
add chain=forward action=add-src-to-address-list address-list=spanking_list address-list-timeout=2d in-interface-list=LAN protocol=tcp dst-port=25
add chain=forward action=drop in-interface-list=LAN protocol=tcp dst-port=25 src-address-list=spanking_list

Personally this is a rule I would simply move to raw
/ip raw
add chain=prerouting action=drop dst-port=25 protocol tcp (all traffic coming or going with dest of port 25 is dropped).
add chain=prerouting action=drop dst-port=25 protocol udp (if also needed)

The VLAN friends to VLAN friends I understand and makes sense, if the source and destination are VLAN friends allow the traffic coming from the LAN interface and route it at layer 3.

The admin rule however I don't quite get. You state except all traffic coming from the ADMIN subnet, fine so its allowed to exist at the LAN interface but then it will be dropped because you dont state where it is allowed to go after that???
/ip firewall filter
add chain=forward src-address-list=AdminSubnet in-interface-list=LAN comment="Accept VLAN Admin" action=accept

it should read
/ip firewall filter
add chain=forward action=accept in-interface-list-LAN src-address-list=AdminSubnet dst-address=PrivateSubnets

Lastly before I forget, we didnt talk SRCNAT rules but I do recommend some additional dstnat rules which redirect your users
forcing them to use DNS that is supplied through your selections......... for me I force users to use my LANgateway IPs.

Spartacus · Thu Jun 07, 2018 10:26 pm

Hi,
thank you very much for the detailed answer. I will rework my rules again, but I am not really sure, if I understood all your comments correctly. I will come back to you tomorrow!

Regarding the SPAM rule: I want to prevent my clients from sending SPAM mails to WAN.
I'm also confused about the bogons now. Are you saying you have to use both rules? And in which of these case is it better to remove your own subnets from the bogon-list?

Thank you
Christian

anav · Thu Jun 07, 2018 10:59 pm

Christian the bogon question was not directed at you. It was meant for the guru's here that lurk but dont often have the cojones (gender correct - gonads) to get their hands dirty and dive in to help. ;-P
Usually, after hearty laughter or tears, I am not sure which, Sob or CZFAN or Sindy will come to the rescue, so they think, to impart great wisdom. Often all I hear the first time around is flatulence as their lips move, but after a time or a few times anyway the advice sinks in. I am learning too so patience is required. By all means I will attempt to answer any questions.

As to the spam rule I am with you.
Observation: Must mean no one behind your router uses email requiring port 25?
So to you I ask - does it matter to find out where this spam is coming from?

To ask the wider, audience to block port 25 outbound spam what is most drop efficient rule?
filter or raw and in terms of content
tcp 25 outchain in-interface-list=LAN
or simply
tcp 25 outchain period

Sob · Fri Jun 08, 2018 5:42 am

..., after hearty laughter or tears, I am not sure which, ...

It's a secret.

About bogons, that's an interesting thing. It's invalid (well, sort of) addresses that you should never receive anything from or send anything to. With private addresses being an exception, when you use them in your internal network.

When we're talking about usual home setup or something similar, it doesn't seem too important to worry about bogons too much. You don't accept any input from WAN anyway, and you don't forward any incoming traffic to LAN either, except few selected ports using dstnat. If something happens to come from bogon address, to port forwarded to internal server, what will happen? If it's from 127.0.0.0/8, it might bypass some ACL on server, but won't be able to establish a connection. So it's not completely impossible, but quite unlikely that it could do something bad. Private networks may be a little more dangerous, because you can have a broader ACL on server (e.g. that anything from 192.168.0.0/16 can access some restricted interface), but when you'd have only some /24 in LAN, the rest of /16 would be routable to WAN, and would allow full bidirectional communication. But it's wrong configuration on server, fix that and they have no chance. And it should go for the rest of bogons as well, because they are likely to have the same level of access as any other random address.

If you want to stop them, that's a question what's best. I think it's good idea to prevent private networks from leaking between LAN and WAN. One simple way is to just add unreachable routes for them, which will prevent leaks from LAN to WAN. But it also screws up pure IPSec VPNs. And it doesn't prevent spoofed packets from private networks coming from WAN. So firewall might be better. But that's another question, regular filter or raw? On one hand, it's good idea to get rid of them as soon as possible, so that would be raw. But every single packet comes through raw, and while connection tracking is resource intensive, checking each packet against several subnets can't be too cheap either, so regular filter might be better after all, because you only need to check for bogons for connection-state=new. It would need some tests to see what's better.

For blocking port 25, less contions = more efficient rule. So if you know that you don't need tcp/25 in any direction, it can be the only condition, no need to bother with source interface. Downside is that it might be less clear what you meant by it, e.g. if someone else gets to manage the firewall after you. I'd probably do something like:

/ip firewall filter
...
add chain=forward in-interface=LAN action=jump jump-target=outgoing
add chain=outgoing protocol=tcp dst-port=25 src-address=!<my local mailserver> action=reject reject-with=tcp-reset
add chain=outgoing ... <other filtering rules>
add chain=outgoing action=accept

And it's perfectly clear that I wanted to filter outgoing traffic. And if I have multiple filtering rules, I'll save on checking in-interface for each of them.

Spartacus · Fri Jun 08, 2018 11:54 am

Hi all,
puuh! Many thanks for your replies. It is not easy for me to follow up, because I used a consumer router with a preconfigured Subnet and firewall (FritzBox) until now and my first steps with Mikrotik HW is only 6 weeks ago.
I will rework my rules to my best knowledge and it would be great if I can still count on your support in order to make my network save.

Many many thanks and see you soon,
Christian

anav · Fri Jun 08, 2018 1:49 pm

Sob, its great your example bared no resemblance to your advice and to the questions, but I am getting used to it.

(I have no idea what your example was trying to do LOL - like you were working on two threads at the same time and mixed up the responses}
(No one mentioned having an email server on the LAN, and your jump rule jumps ALL LAN traffic - did you let the grandchild sit down at the puter while you went to the bathroom?)

What I read was
/ip firewall raw
add chain=output action=drop protocol=tcp port=25 comment="Sob said to tell the next manager of this device that this rule is for blocking any port 25 traffic outbound (spam) - which also means there is no valid or needed email traffic on port 25 emanating from the LANs"

/ip firewall filter
add chain=forward action=drop in-interface=LAN connection-state=new source-address-list=bogons comment="Sob thinks this is more efficient than a RAW rule but without testing and despite DDOS folks saying raw is very efficient compared to other methods, I am sure he will test and get back to us for fear of losing credibility"

Spartacus · Fri Jun 08, 2018 2:33 pm

Dears,
it is difficult for me, to follow the discussion, because it requires very deep knowledge and I can't see what I have to do now! Your answers raise up 1,000 new questions for me (That's because of my limited knowledge about Firewall-rules!)

There are some internal SMTP-Systems (e.g. NAS-Server) which will send out messages, but the use not Port 25. My E-Mail clients use port 587, so blocking port 25 would be the easiest way for me!
And therefore I can use a very simple rule in raw:

/ip raw
add chain=prerouting action=drop dst-port=25 protocol tcp (all traffic coming or going with dest of port 25 is dropped).
add chain=prerouting action=drop dst-port=25 protocol udp (if also needed)

I also cannot follow the "Bogons" discussion either. I understood, that it is good to implement prevention, but I do not have a clue how this looks like concretely.

@anav:
One question to you: How did you realized that?

Lastly before I forget, we didnt talk SRCNAT rules but I do recommend some additional dstnat rules which redirect your users
forcing them to use DNS that is supplied through your selections......... for me I force users to use my LANgateway IPs.

Since I have different networks, I have to refer to different GWs running as internal DNS.

Thanks a lot for the discussion and your support,
Christian

Steveocee · Fri Jun 08, 2018 3:33 pm

A really nice trick for not allowing DNS to the outside world is to use a NAT redirect. It's slightly different to a dst-nat in that dst-nat you can direct the traffic to anything you want but a redirect will point the traffic back to the router. Ideal in the situation you are mentioning for not allowing external DNS as the devices will "presume" they are getting the DNS from wherever they are pointed but in actual fact the packets end up at the router and being queried.

With regards to the firewall, I'd advise to build yourself a decent firewall from the outside world and then concentrate on the additional filters you want to add in like VLAN friends etc. Break it down into easy to follow chunks and you'll have no issues rather than trying to write 1 big firewall from the off.

anav · Fri Jun 08, 2018 4:49 pm

Just be patient Spartacus.
The raw rule you stated looks ok to me.
As Sob said we can leave bogons till later
(they are simply a list of private addresses that have no business coming to your router or leaving your router)

I don't probably need them either as my default setup is DROP ALL at the end of input chain and forward chain and thus if I have not explicitly allowed traffic it should get dropped.

DNS
For DNS I make an allow rules in the input chain for my LAN so that PCs can request DNS resolving from the router. (A. see below)
For /IP DNS I allow remote requests, you have to decide whether or not to use the dynamic servers from the IP or stick some other at the top as fixed servers.
in /ip firewall NAT I redirect users to their lan gateway for DNS queries (B. see below)
In /ip dhcp server go to NETWORK TAB and ensure you select the LAN GW as per normal and then put in the LAN GW as the DNS server.

A. /ip firewall filter
add action=accept chain=input comment="Allow LAN DNS queries-UDP" dst-port=53 \
in-interface-list=LAN protocol=udp
add action=accept chain=input comment="Allow LAN DNS queries - TCP" dst-port=\
53 in-interface-list=LAN protocol=tcp

These and any other rules in the input chain must be prior to the drop all rule, the most important input rule being
add action=accept chain=input comment="ADMIN ACCESS TO ROUTER" \
in-interface-list=LAN src-address-list=adminaccess
(one creates the adminaccess list in /ip firewall address lists)

B. /ip firewall nat
add action=redirect chain=dstnat comment=\
"Force Users to Router for DNS - TCP" dst-port=53 protocol=tcp
add action=redirect chain=dstnat comment=\
"Force Users to Router for DNS - UDP" dst-port=53 protocol=udp

So as above, in the dhcp server network tab, is where you state all the LAN Networks go to their LAN gateway for DNS.
In /ip DNS you state which DNS servers all will use. IN the input chain you allow lan to router DNS traffic,
In NAT your force users to use the router for DNS, regardless of what they put in on their PCs.

Sob · Fri Jun 08, 2018 4:58 pm

@anav: Come on, I was trying really hard to answer your questions.

One of OP's requirements is "Allow all Subnets to connect to Internet", so unlimited access except port 25 (to prevent infected clients from spamming) and DNS. The firewall draft fails to do the first part, there's no rule allowing access from LAN to internet and any attempt will be dropped by last unconditional drop rule. DNS is not handled either (there's some attempt in output chain, but it won't do what it should), which is fine now, because it will be blocked by default, but if the first mistake (internet access) is fixed, even DNS will be allowed, so it's going to need another blocking rule (unless a redirect is used, as suggested by @Steveocee).

So there can be either:

/ip firewall filter
...
add chain=forward in-interface-list=LAN protocol=tcp dst-port=25 action=reject (or out-interface=WAN, or no interface at all)
add chain=forward in-interface-list=LAN protocol=tcp dst-port=53 action=reject (same as above, if no forwarded DNS traffic is needed)
add chain=forward in-interface-list=LAN protocol=udp dst-port=53 action=reject
add chain=forward in-interface-list=LAN action=accept
...

Or you can use my beautiful jump, and have everything nice and clear. Jump for all outgoing traffic is intentional, it's a way to separate it from everything else early, and then you have dedicated chain for all outgoing traffic and you can do easy filtering, without risk of interfering with anything else. The extra local mailserver not previously mentioned by OP was free bonus, showing how easily it can be exempted from blocking rule.

And about bogons filtering and Sob's credibility, no thanks, it's a trap. Nobody said anything about DDoS. Most likely the real bogons are already filtered by ISP, so if they would be used for DDoS, they won't get to you. And if somebody is going to DDoS you, then no matter what kind of filtering you do, it will be useless, because the connection from ISP to you will be already saturated, so even if you drop those packets super-efficiently, it's not going to help you. The bogons you're likely to encounter will be random leaks of private subnets, or some wannabe hacker connected to same ISP's network (depending how much ISP cares about security). In other words, it should be a rare occurence, so checking each packets against bogons list might be waste of resources.

anav · Fri Jun 08, 2018 5:14 pm

Sob, good catch, I will send you a cookie, when I was looking at port 25 I had realized it needed to go before an allow all LAN to WAN rule for the subnets, if placed in the forward chain filter set. I then forget to add the LAN to WAN rule for the subnets. Trying to do too much too fast LOL.

In any casy, eff your fancy pants filter puzzle, that is why I prefer
/ip raw
add chain=prerouting in-interface=LAN protocol=tcp dest port=25

Indeed he needs the following rule added in the forward chain to allow internet access.
/ip firewall filter
add chain=forward action=accept in-interface=LAN out-interface=WAN source-address-lists=PrivateSubnets

Spartacus · Fri Jun 08, 2018 5:26 pm

Hi Anav, Sob,
you are so fast with your answers, it´s hard for me to follow up!
...give me some more time to understand, what is going on here...

@ anav:
A: is clear to me, I´ve also included this in my ruleset.

Let me summarize what I understood:

DNS - Section of RB:

setup external DNS-Servers (e.g. Google)
Allow remote requests:

DHCP - Section of RB:

each Subnet has its own DNS-Server, this points to the GW:

If I will add the following to my ruleset:

 /ip firewall nat
add action=redirect chain=dstnat comment=\
"Force Users to Router for DNS - TCP" dst-port=53 protocol=tcp
add action=redirect chain=dstnat comment=\
"Force Users to Router for DNS - UDP" dst-port=53 protocol=udp

I will automatically force the clients on the different subnets to use their GW as its DNS-Server which is distributed by the DHCP-Server.

With best regards,
Christian.

anav · Fri Jun 08, 2018 9:13 pm

Yes correct, remember its the /ip dhcp section but its the NETWORK TAB, not the general tab where one assigns the gateway address but below that there is an entry for the DNS server and that is where you also put in that same gateway IP.

Spartacus · Mon Jun 11, 2018 1:12 pm

Hi all,
thank you very much for your support. But seems to be, that I am a little bit lost, because there are different ways for implementation, evidently.
I am also not sure, if I understood the contex, but let me share my new ruleset with you. Please be patient, if this is not correct, I would be very grateful for further support.

Bogons:
this is not really a need for a private Home network, therefore I do not need this, and it costs only performance.

DNS:

 Allow LAN-User to use local DNS:
/ip firewall filter add chain=input in-interface-list=LAN protocol TCP port 53 comment="Allow LAN DNS queries-TCP" action=accept
/ip firewall filter add chain=input in-interface-list=LAN protocol UDP port 53 comment="Allow LAN DNS queries-UDP" action=accept

Force User to use local DNS-Server
/ip firewall nat add action=redirect chain=dstnat comment= "Force Users to Router for DNS - TCP" dst-port=53 protocol=tcp
/ip firewall natadd action=redirect chain=dstnat comment= "Force Users to Router for DNS - UDP" dst-port=53 protocol=udp

SPAM (filtered in separate Chain for output traffic):

/ip firewall filter add chain=forward in-interface=LAN action=jump jump-target=outgoing
/ip firewall filter add chain=outgoing protocol=tcp dst-port=25 action=reject reject-with=tcp-reset
/ip firewall filter add chain=outgoing action=accept

Firewall Rule-set

# Firewall Filter
#
# Prerequisites:
# /interface list add name=WAN
# /interface list add name=LAN
# /interface list member add interface=ether1 list=WAN
# /interface list member add interface=br_vlan list=LAN
# /ip dns set allow-remote-requests=yes servers=8.8.8.8,8.8.4.4
#
# Requirements:
# - Allow Subnets to connect to Internet
# - Allow only VLANFriends to talk to each other
# - Allow AdminSubnet to connect to Internet and all other Subnets
# - Allow AdminSubnet to connect to Router
# - Block DNS Requests from WAN
# - Spam prevention (SMTP-Port 25)
# - redirect LAN users to internal DNS-Server
#
#
#
# private Subnetze
#
/ip firewall address-list add address=172.16.1.0/24 list=PrivateSubnets
/ip firewall address-list add address=172.16.10.0/24 list=PrivateSubnets
/ip firewall address-list add address=172.16.20.0/24 list=PrivateSubnets
/ip firewall address-list add address=192.168.1.0/24 list=PrivateSubnets
#
#
# Admin subnet
#
/ip firewall address-list add address=172.16.1.0/24 list=AdminSubnet
#
#
# VLAN friends can talk to each other
#
/ip firewall address-list add address=172.16.10.0/24 list=VlanFriends
/ip firewall address-list add address=172.16.20.0/24 list=VlanFriends
#
#
# Input Chain
/ip firewall filter add chain=input connection-state=established,related comment="accept established,related" action=accept 
/ip firewall filter add chain=input connection-state=invalid comment="drop invalid" action=drop
/ip firewall filter add chain=input in-interface-list=AdminSubnet action=accept 
/ip firewall filter add chain=input in-interface-list=LAN protocol TCP port 53 comment="Allow LAN DNS queries-TCP" action=accept
/ip firewall filter add chain=input in-interface-list=LAN protocol UDP port 53 comment="Allow LAN DNS queries-UDP" action=accept
/ip firewall filter add chain=input comment="drop" action=drop
# End of Input Chain
#
#
#
#
# Forward Chain
/ip firewall filter add chain=forward connection-state=established,related comment="fasttrack established,related" action=fasttrack-connection
/ip firewall filter add chain=forward connection-state=established,related comment="accept established,related" action=accept
/ip firewall filter add chain=forward connection-state=invalid comment="drop invalid" action=drop
/ip firewall filter add chain=forward connection state=dstnat in-interface-list=WAN action=accept
/ip firewall filter add chain=forward in-interface=LAN action=jump jump-target=outgoing
/ip firewall filter add chain=forward in-interface-list=LAN src-address-list=AdminSubnet dst-address=PrivateSubnets comment="Accept VLAN Admin" action=accept
/ip firewall filter add chain=forward in-interface-list=LAN src-address-list=VlanFriends dst-address-list=VlanFriends comment="Accept VLAN friends"  action=accept
/ip firewall filter add chain=forward comment="drop" action=drop
# End of Forward Chain
#
#
#
# customized Chains
#
# outgoing Traffic-Filter
/ip firewall filter add chain=outgoing protocol=tcp dst-port=25 action=reject reject-with=tcp-reset
/ip firewall filter add chain=outgoing action=accept
#
#
# NAT
# force all users with custom defined DNS server to use 172.16.1.1 as their DNS server,
/ip firewall filter add chain=dstnat to-addresses=172.16.1.1 to-ports=53 protocol=tcp dst-port=53 action=dst-nat
/ip firewall filter add chain=dstnat to-addresses=172.16.1.1 to-ports=53 protocol=udp dst-port=53 action=dst-nat
/ip firewall nat add chain=srcnat comment="masquerade LAN->WAN" disabled=yes out-interface=ether1 action=masquerade

Thanks,
Christian

anav · Mon Jun 11, 2018 2:53 pm

Get rid of the spam jump output crap.
First of all what is being jumped??? Seems like the rule would include everything on the in-interface LAN
Also there is no requirement for an outgoing accept rule............. get rid of it.

Two choices
/ip firewall filter
add chain=input action=drop in-interface-list=LAN protocol=tcp dest-port=25
or
/ip raw
add chain=prerouting action=drop in-interface-list=LAN protocol=tcp dest-port=25

Your input rule needs work for admin access!!!
/ip firewall filter
add chain=input action=accept in-interface=LAN source-address-list=AdminSubnet

in fact where you have in-interface-list there is no such thing, that should in-interface=LAN
Same goes for your forward filter rules, replace the non-existant in-interface-list with in-interface=LAN
Also destination-address-list=PrivateSubnets

Forget that forward jump rule dont know what that is doing at all.

Also you forget again to provide internet access for your lan.
in-interface=LAN out-inteface=WAN

There is more but ran out of time.

Please show me your interfaces to see how your vlans are configured and on what interfaces and bridges if any???

Spartacus · Mon Jun 11, 2018 3:32 pm

Hi anav,
sorry, but now, I am completey lost

in fact where you have in-interface-list there is no such thing, that should in-interface=LAN
Same goes for your forward filter rules, replace the non-existant in-interface-list with in-interface=LAN
Also destination-address-list=PrivateSubnets

If I open winbox, I cannot select any "LAN" unter "in-interface", this choice does only exist for "in-interface List"
In my "prerequisits" (see comments in FW-rule) I have defined "LAN" and "WAN" as an interface-List (not in the config, because I only want to focus on the FW-Rules). So what is wrong in my rule-set with "interface-List"?

sorry, Christian

anav · Mon Jun 11, 2018 4:42 pm

Sorry my bad Christian had a gazillion things on my mind this morning and was rushing.
Ignore my stupid comments.......... I will reread and post an edited config shortly

anav · Mon Jun 11, 2018 5:11 pm

Okay Im lazy so quoted your post and will fix the config using that.
DNS:

Allow LAN-User to use local DNS:
/ip firewall filter add chain=input in-interface-list=LAN protocol TCP dst-port 53 comment="Allow LAN DNS queries-TCP" action=accept
/ip firewall filter add chain=input in-interface-list=LAN protocol UDP dst-port 53 comment="Allow LAN DNS queries-UDP" action=accept

Force User to use local DNS-Server
/ip firewall nat add action=redirect chain=dstnat comment= "Force Users to Router for DNS - TCP" dst-port=53 protocol=tcp
/ip firewall nat add action=redirect chain=dstnat comment= "Force Users to Router for DNS - UDP" dst-port=53 protocol=udp

SPAM:

/ip firewall filter add chain=forward protocol=tcp dst-port=25 in-interface-list=LAN out-interface=ether1 action=drop

Firewall Rule-set

# Firewall Filter
#
# Prerequisites:
# /interface list add name=WAN
# /interface list add name=LAN
# /interface list member add interface=ether1 list=WAN
# /interface list member add interface=br_vlan list=LAN

WHAT OTHER INTERFACES ON YOUR LAN??
What interface do all the subnets use??
The private ones etc..

# /ip dns set allow-remote-requests=yes servers=8.8.8.8,8.8.4.4
#
# Requirements:
# - Allow Subnets to connect to Internet
# - Allow only VLANFriends to talk to each other
# - Allow AdminSubnet to connect to Internet and all other Subnets
# - Allow AdminSubnet to connect to Router
# - Block DNS Requests from WAN
# - Spam prevention (SMTP-Port 25)
# - redirect LAN users to internal DNS-Server
#
# private Subnets
#
/ip firewall address-list add address=172.16.1.0/24 list=PrivateSubnets
/ip firewall address-list add address=172.16.10.0/24 list=PrivateSubnets
/ip firewall address-list add address=172.16.20.0/24 list=PrivateSubnets
/ip firewall address-list add address=192.168.1.0/24 list=PrivateSubnets
#
#
# Admin subnet
#
/ip firewall address-list add address=172.16.1.0/24 list=AdminSubnet
#
#
# VLAN friends can talk to each other
#
/ip firewall address-list add address=172.16.10.0/24 list=VlanFriends
/ip firewall address-list add address=172.16.20.0/24 list=VlanFriends
#
#
# Input Chain
/ip firewall filter add chain=input connection-state=established,related comment="accept established,related" action=accept
/ip firewall filter add chain=input connection-state=invalid comment="drop invalid" action=drop
/ip firewall filter add chain=input in-interface-list=LAN source-address-list=AdminSubnet action=accept
/ip firewall filter add chain=input in-interface-list=LAN protocol TCP dst-port 53 comment="Allow LAN DNS queries-TCP" action=accept
/ip firewall filter add chain=input in-interface-list=LAN protocol UDP dst-port 53 comment="Allow LAN DNS queries-UDP" action=accept
/ip firewall filter add chain=input comment="drop" action=drop
# End of Input Chain
#
# Forward Chain
/ip firewall filter add chain=forward connection-state=established,related comment="fasttrack established,related" action=fasttrack-connection
/ip firewall filter add chain=forward connection-state=established,related comment="accept established,related" action=accept
/ip firewall filter add chain=forward connection-state=invalid comment="drop invalid" action=drop
/ip firewall filter add chain=forward connection state=dstnat in-interface=ether1 action=accept (not required if not doing any port forwarding from the WAN ???)
/ip firewall filter add chain=forward in-interface-list=LAN src-address-list=PrivateSubnets out-interface=ether1 action=accept
/ip firewall filter add chain=forward in-interface-list=LAN src-address-list=AdminSubnet dst-address=PrivateSubnets comment="Accept VLAN Admin" action=accept
/ip firewall filter add chain=forward in-interface-list=LAN src-address-list=VlanFriends dst-address-list=VlanFriends comment="Accept VLAN friends" action=accept
/ip firewall filter add chain=forward comment="drop" action=drop
# End of Forward Chain
#
# customized Chains
outgoing action=accept

# NAT
/ip firewall nat add chain=srcnat comment="masquerade LAN->WAN" in-interface-list=LAN out-interface=ether1 action=masquerade

# force all users to use the DNS the admin selects from the /ip DNS pagever,
/ip nat
add chain=dstnat protocol=tcp dst-port=53 action=redirect
add chain=dstnat protocol=udp dst-port=53 action=redirect

anav · Mon Jun 11, 2018 5:18 pm

The problem I am having is that the interface-list vice interface is used when you have MORE THAN ONE....
So if you only have one WANIP, then use ether1 for any WAN entries.
If you had two WANIPs, the using in-interface-list makes sense for when you are stating both for a rule (sometimes one makes rules for specific WANs).

Similarly for the LAN side. so far I only see one LAN interface defined but you have many subnets defined.
How are they related and what interfaces have you assigned them too....

I would need to see all your config to put it in context
at the terminal box type
/export compact hide-sensitive file=configreview

Go to files and download it to your computer.......... and post here.
etc...

Spartacus · Mon Jun 11, 2018 5:36 pm

Hi anav,
thanks for your quick reply, I will work through it today. I used the interface-lists, because the cofing will be extended during the next few months and I guess I will add a WLAN interface, soon. Therefore I think, it is better to use the "lists"

Please find below my Config (without FW-Rule). This is the preliminary config and will be also extended during the next months. Also ithe Subnet-Addresses will be changed later:
This is not a download fom RB, because I have to make a stable version before I will paste it into the RB. At the moment RB is running in a test environment until I can replace my existing FritzBox (I'm in real trouble with my family, if the network will not work, therefore everything is experimental)

# Interface List
/interface list
add name=WAN
add name=LAN
#
# Interface List:
/interface list member
add interface=ether1 list=WAN
add interface=br_vlan list=LAN
#
# IP Addresses:
/ip address
add address=172.16.1.1/24 interface=vlan1 network=172.16.1.0
add address=172.16.10.1/24 interface=vlan10 network=172.16.10.0
add address=172.16.20.1/24 interface=vlan20 network=172.16.20.0
add address=192.168.1.1/24 interface=vlan99 network=192.168.1.0
#
# Bridge config:
/interface bridge
add fast-forward=no name=br_vlan vlan-filtering=yes
#
# VLAN config
/interface vlan
add interface=br_vlan name=vlan1 vlan-id=1
add interface=br_vlan name=vlan10 vlan-id=10
add interface=br_vlan name=vlan20 vlan-id=20
add interface=br_vlan name=vlan99 vlan-id=99
#
#
# Bridge Port:
/interface bridge port
add bridge=br_vlan hw=no interface=sfp1
add bridge=br_vlan frame-types=admit-only-untagged-and-priority-tagged interface=ether2
add bridge=br_vlan frame-types=admit-only-untagged-and-priority-tagged interface=ether3 pvid=10
add bridge=br_vlan frame-types=admit-only-untagged-and-priority-tagged interface=ether4 pvid=20
add bridge=br_vlan frame-types=admit-only-untagged-and-priority-tagged interface=ether10 pvid=99

# Bridge VLAN
/interface bridge vlan
add bridge=br_vlan tagged=br_vlan,vlan1 untagged=sfp1 vlan-ids=1
add bridge=br_vlan tagged=sfp1,br_vlan,vlan10 untagged=ether3 vlan-ids=10
add bridge=br_vlan tagged=sfp1,br_vlan,vlan20 untagged=ether4 vlan-ids=20
add bridge=br_vlan tagged=sfp1,br_vlan,vlan99 untagged=ether10 vlan-ids=99
#
#
# IP Pool
/ip pool
add name=pool_admin ranges=172.16.1.101-172.16.1.199
add name=pool_vlan10 ranges=172.16.10.100-172.16.10.199
add name=pool_vlan20 ranges=172.16.20.100-172.16.20.199
add name=pool_vlan99 ranges=192.168.1.100-192.168.1.199
#
#
# DHCP - Server
/ip dhcp-server network
add address=172.16.1.0/24 dns-server=172.16.1.1 domain= admin.x.y.de gateway=172.16.1.1
add address=172.16.10.0/24 dns-server=172.16.10.1 domain= vlan10.x.y.de gateway=172.16.10.1
add address=172.16.20.0/24 dns-server=172.16.20.1 domain= vlan20.x.y.de gateway=172.16.20.1
add address=192.168.1.0/24 dns-server=192.168.1.1 domain= vlan99.x.y.de gateway=192.168.1.1
#
/ip dhcp-server
add address-pool=pool_admin disabled=no interface=vlan1
add address-pool=pool_vlan10 disabled=no interface=vlan10
add address-pool=pool_vlan20 disabled=no interface=vlan20
add address-pool=pool_vlan99 disabled=no interface=vlan99
#
# DHCP Client on ether1
/ip dhcp-client
add dhcp-options=hostname,clientid disabled=no interface=ether1 use-peer-dns=no use-peer-ntp=no
#
# DNS
/ip dns
set allow-remote-requests=yes servers=8.8.8.8,8.8.4.4

And an additional question:
do we need this rule in Forward- and Input- Chain?

/ip firewall filter add chain=input connection-state=invalid comment="drop invalid" action=drop
/ip firewall filter add chain=forward connection-state=invalid comment="drop invalid" action=drop

If I understood correctly, we do not need this "drop" - rules, because we have a "drop everything" at the end of the chain, Is this a correct

anav · Mon Jun 11, 2018 5:44 pm

Sweet, I am jealous of your VLAN acumen. I am heading in that direction soon......

What I do know IN GENERAL is that putting things on the same bridge means they are like connected at layer 2.
Well for normal subnets anyway. I am not sure for VLANS ???

The reason I bring this up is that none of the firewall rules we made would be useful if the subnets could all talk to each other at layer2.

I think you are safe with VLANs if on separate interfaces, i just dont know about bridges and VLANS, out of my depth.

If they are all on the bridge then you could use in-interface=bridgename (and not lists)
It all depends if your configuration will have other LAN interfaces or other LAN bridges.

Spartacus · Mon Jun 11, 2018 6:24 pm

Hi anav,
Hm! You make me feel insecure. I followed this guide because this is the valid way since OS v6.41
https://wiki.mikrotik.com/wiki/Manual:Interface/Bridge

BTW:
How can I test the Layer 2 connection? Do you have a clue?

Christian.

anav · Mon Jun 11, 2018 7:39 pm

Nope and nope, I am a newbie, dont be fooled by my voluminous number of posts. I get paid by the post you see~
Oh and yes you need the invalid rules in both spots, both for router performance and security I believe.

Spartacus · Mon Jun 11, 2018 9:24 pm

anav,
I am learning networking from scratch. "Understanding VLANs" was my first topic. After that, I have had to secure my network and I hope I can migrate the current 192er FritzBox-networt to Mikrotik RB, soon (Alll clients will be in VLAN 99, first). After that I will start to switch the clients to the specific subnets, step by step.
Please keep in mind, I never have had anything to do with networking before and all I knew was that you need IP addresses for the clients, the rest was a black box for me.
I thought I have finished with VLANs but now it seems to be open again! I hope the experts can explain which should be done (viewtopic.php?f=13&t=134831&e=1&view=unread#unread)

But anyway:
regarding the FW-Rules. There is an additional question left for me:

/ip firewall filter add chain=input connection-state=invalid comment="drop invalid" action=drop
/ip firewall filter add chain=forward connection-state=invalid comment="drop invalid" action=drop

Why do I need this rules? If we have a "everything-drop" rule at the end of the chain, why do we need this drop rule in addition?

Here the current rule-set with your modification (with interface-lists instead of interfaces

, and not sure, if the SPAM rule should be installed in forward chain instead of raw-section)

# Firewall Filter
#
# Prerequisites:
# /interface list add name=WAN
# /interface list add name=LAN
# /interface list member add interface=ether1 list=WAN
# /interface list member add interface=br_vlan list=LAN
# /ip dns set allow-remote-requests=yes servers=8.8.8.8,8.8.4.4
#
# Requirements:
# - Allow Subnets to connect to Internet
# - Allow only VLANFriends to talk to each other
# - Allow AdminSubnet to connect to Internet and all other Subnets
# - Allow AdminSubnet to connect to Router
# - Block DNS Requests from WAN
# - Spam prevention (SMTP-Port 25)
# - redirect LAN users to internal DNS-Server
#
#
#
# private Subnetze
#
/ip firewall address-list add address=172.16.1.0/24 list=PrivateSubnets
/ip firewall address-list add address=172.16.10.0/24 list=PrivateSubnets
/ip firewall address-list add address=172.16.20.0/24 list=PrivateSubnets
/ip firewall address-list add address=192.168.1.0/24 list=PrivateSubnets
#
#
# Admin subnet
#
/ip firewall address-list add address=172.16.1.0/24 list=AdminSubnet
#
#
# VLAN friends can talk to each other
#
/ip firewall address-list add address=172.16.10.0/24 list=VlanFriends
/ip firewall address-list add address=172.16.20.0/24 list=VlanFriends
#
#
# Input Chain
/ip firewall filter add chain=input connection-state=established,related comment="accept established,related" action=accept 
#
<<do we need this because of common drop at the end?>>
/ip firewall filter add chain=input connection-state=invalid comment="drop invalid" action=drop
#
/ip firewall filter add chain=input in-interface-list=LAN source-address-list=AdminSubnet action=accept 
/ip firewall filter add chain=input in-interface-list=LAN protocol TCP dst-port 53 comment="Allow LAN DNS queries-TCP" action=accept
/ip firewall filter add chain=input in-interface-list=LAN protocol UDP dst-port 53 comment="Allow LAN DNS queries-UDP" action=accept
/ip firewall filter add chain=input comment="drop everything" action=drop
# EOF Input Chain
#
#
#
#
# Forward Chain
/ip firewall filter add chain=forward connection-state=established,related comment="fasttrack established,related" action=fasttrack-connection
/ip firewall filter add chain=forward connection-state=established,related comment="accept established,related" action=accept
/ip firewall filter add chain=forward in-interface-list=LAN out-interface-list=WAN protocol=tcp dst-port=25 comment "prevent SPAM" action=drop
#
<<do we need this rule, because of common drop at the end?>>
/ip firewall filter add chain=forward connection-state=invalid comment="drop invalid" action=drop
#
/ip firewall filter add chain=forward connection state=dstnat in-interface-list=WAN comment"only required for port forwarding from WAN" action=accept
/ip firewall filter add chain=forward in-interface-list=LAN src-address-list=PrivateSubnets out-interface-list=WAN comment="accept Internet Access from PrivateSubnets" action accept
/ip firewall filter add chain=forward in-interface-list=LAN src-address-list=AdminSubnet dst-address-list=PrivateSubnets comment="Accept AdminSubnet-> PrivateSubnet" action=accept
/ip firewall filter add chain=forward in-interface-list=LAN src-address-list=VlanFriends dst-address-list=VlanFriends comment="Allow inter VLAN communication with VLAN friends"  action=accept
/ip firewall filter add chain=forward comment="drop everything" action=drop
# EOF Forward Chain
#
# NAT
/ip firewall nat add chain=dstnat dst-port=53 protocol=tcp comment= "Force Users to Router for DNS - TCP" action=redirect
/ip firewall nat add chain=dstnat dst-port=53 protocol=udp comment= "Force Users to Router for DNS - UDP" action=redirect
/ip firewall nat add chain=srcnat in-interface-list=LAN out-interface-list=WAN comment= "masquerade LAN->WAN" action=masquerade
# EOF NAT

Regards,
Christian

anav · Tue Jun 12, 2018 1:17 am

invalid - a packet that does not have determined state in connection tracking (ussualy - sevear out-of-order packets, packets with wrong sequence/ack number, or in case of resource overusage on router), for this reason invalid packet will not participate in NAT (as only connection-state=new packets do), and will still contain original source IP address when routed. We strongly suggest to drop all connection-state=invalid packets in firewall filter forward and input chains

In this case I dont want this traffic being reviewed in my other rules especially the allow ones................. so ditch it sooner rather than later!!
There are tons of ways to program this and for now program what to the level that you understand.

Spartacus · Tue Jun 12, 2018 2:09 pm

Hi,
thank you anav for setting up the FW rules. Seems to be that the config above is a good approch and I will start implementing now!

But what can be done to harden the Home-Network? Means, what is recommendable in addition?
If I read through the forum threads and wiki pages I find a lot of examples, which should be a "must"

What about DoS? Does it make sense?
What about to deny some tcp ports from and to WAN?
other restrictions?

Maybe that's a matter of opinion., but what makes sense?
Is there anything to recommend?
Christian

anav · Tue Jun 12, 2018 11:23 pm

Well, you have a solid core to start.
I have found after playing around a lot that for the home side, there is not to much more to do.
The only other thing I would think about is a blacklist of some sort to block incoming attempts at my router (input) or forward, coming in on the wan interface and blocking it (raw prerouting).

Spartacus · Wed Jun 13, 2018 6:07 pm

Hi anav,
thanks for reply.
I´ve implemented the rules in my RB and it seems to be working. I have had to change some syntax-errors, but now it is running.

There is an interesting thing, which I noticed during my tests:

br_vlan was the only interface in the interface-list and this did not work
I have added the vlanxx to the list and the rules were processed correctly.

I think, this is an good indicator, that nothing is bridged on Layer 2 if vlan filtereing on a bridge is used. The vlans are isolated from each other.

Blacklist:
what do you think about this:

# Script which will download the SquidBlacklistMalicious list as a text file
/system script add name="Download_SquidBlacklistMalicious" source={
  /tool fetch url="http://www.squidblacklist.org/downloads/drop.malicious.rsc" mode=http;
  :log info "Downloaded drop.malicious.rsc from squidblacklist.org";
}

# Script which will Remove old SquidBlacklistMalicious list and add new one
/system script add name="Replace_SquidBlacklistMalicious" source={
  /system logging disable 0
  /ip firewall address-list remove [find where comment="SquidBlacklistMalicious"]
  /import file-name=drop.malicious.rsc;
  /system logging enable 0
  :log info "Removed old SquidBlacklistMalicious records and imported new list";
}

# Schedule the download and application of the SquidBlacklistMalicious list
/system scheduler add comment="Download SquidBlacklistMalicious list" interval=3d \
  name="DownloadSquidBlacklistMaliciousList" on-event=Download_SquidBlacklistMalicious \
  start-date=jan/01/1970 start-time=04:26:52
/system scheduler add comment="Apply SquidBlacklistMalicious List" interval=3d \
  name="InstallSquidBlacklistMaliciousList" on-event=Replace_SquidBlacklistMalicious \
  start-date=jan/01/1970 start-time=04:31:52

# Install the firewall rules of the SquidBlacklistMalicious list
/ip firewall filter add chain=input src-address-list=drop.dshield action=drop log=yes log-prefix=drop.dshield
/ip firewall filter add chain=input src-address-list=drop.spamhaus1 action=drop log=yes log-prefix=drop.spamhaus1
/ip firewall filter add chain=input src-address-list=drop.spamhaus2 action=drop log=yes log-prefix=drop.spamhaus2
/ip firewall filter add chain=input dst-address-list=drop.dshield action=drop log=yes log-prefix=drop.dshield
/ip firewall filter add chain=input dst-address-list=drop.spamhaus1 action=drop log=yes log-prefix=drop.spamhaus1
/ip firewall filter add chain=input dst-address-list=drop.spamhaus2 action=drop log=yes log-prefix=drop.spamhaus2

Christian.

anav · Wed Jun 13, 2018 6:51 pm

kewl, yes I would suspect that bridges respect that VLANS would not be connected at layer 2, unlike normal interfaces, but the firewall rules are still needed.

Spartacus · Thu Jun 14, 2018 12:42 am

yes, firewall is necessary!

Have you seen my blacklist-proposal? Is this what you mean? Or is it oversized?
Christian

anav · Thu Jun 14, 2018 12:51 am

I take it that this squid source automatically produces the separate lists........
I hope your not paying for those lists as there may be better options out there then squid for paid subscriptions but to be honest I have not looked at them before.

I would not use those lists in the input chain......

I would use them in raw

/ip firewall raw
add chain=prerouting in-interface=WAN (or in-interface-list=WAN for multi-wans) source-address-list=nameoflist action=drop

I would also log them initially to get a sense of how many hits you are getting per minute, hour, day etc.........

Sob · Thu Jun 14, 2018 2:23 am

@Spartacus:

1) You want only src-address-list, not dst-address-list. Anything that ends up in chain=input will have destination address owned by router.

2) I guess those lists may be rather large, so you can test anav's theory. Try them in "/ip firewall raw" and in "/ip firewall filter" (for new connections) and compare CPU usage.

Edit: Although, on second look, why block incoming traffic to router from listed addresses, when it's better to not allow anything from internet, except for few whitelisted addresses? Or the simplest explanation, you probably meant chain=forward, not chain=input. In that case, both src-address-list and dst-address-list make sense.

anav · Thu Jun 14, 2018 9:15 pm

So to cut through Sobs post, it should read see anavs articulate and accurate post above.

Sob · Thu Jun 14, 2018 9:29 pm

Well ... lets say anav's post correctly addressed those rules not making much sense in input. But I'd be really careful with raw, so my point 2) still stands, it's perfect opportunity for scientific study.

anav · Thu Jun 14, 2018 9:46 pm

Yes, well I am sure you are not offended by a new nickname..... "Evidenced Base Sob".
Completely agree but based on what Ive read in the past, I suspect, but not proven, that RAW will perform better.

Home Firewall configuration

Home Firewall configuration

Re: Home Firewall configuration

Re: Home Firewall configuration

Re: Home Firewall configuration

Re: Home Firewall configuration

Re: Home Firewall configuration

Re: Home Firewall configuration

Re: Home Firewall configuration

Re: Home Firewall configuration

Re: Home Firewall configuration

Re: Home Firewall configuration

Re: Home Firewall configuration

Re: Home Firewall configuration

Re: Home Firewall configuration

Re: Home Firewall configuration

Re: Home Firewall configuration

Re: Home Firewall configuration

Re: Home Firewall configuration

Re: Home Firewall configuration

Re: Home Firewall configuration

Re: Home Firewall configuration

Re: Home Firewall configuration

Re: Home Firewall configuration

Re: Home Firewall configuration

Re: Home Firewall configuration

Re: Home Firewall configuration

Re: Home Firewall configuration

Re: Home Firewall configuration

Re: Home Firewall configuration

Re: Home Firewall configuration

Re: Home Firewall configuration

Re: Home Firewall configuration

Re: Home Firewall configuration

Re: Home Firewall configuration

Re: Home Firewall configuration

Re: Home Firewall configuration