Community discussions

MikroTik App
 
Sigma

New to Mikrotik - Config Help FW

Fri Jun 19, 2020 12:51 am

Hello Mikrotik-Community,

I am very new to the Mikrotik product line and how things work with the Router/Firewall. My main concern is the Firewall part!

What I try to do?

PC ---> Switch ---> Router(Mikrotik) ----Ethernet Connection---> Modem(ISP) ---> Internet

With a Default Deny from LAN to WAN except HTTP and HTTPS and Port forwarding defined under NAT. ATM I got the NAT working as intended but as soon as I Enable the "Drop all" Rule - The DNS does not work anymore?!

That is the reason why I have a Allow LAN Rule under the "forward" chain.

What should it be then?

A Firewall with a Default Deny Policy and only allow specific tcp / udp connections. I try to get around the forums but I get confused on the "chain" at what point should I go "Input" or "forward" and so on... The Wiki explains allot but in some point for me overwhelming.

Image
At the uploaded config just ignore the "Portscanner" Rules is just an experiment. :D
RoConfigSig.rsc
Many many thanks in advance

Sigma
You do not have the required permissions to view the files attached to this post.
 
User avatar
mutluit
Forum Veteran
Forum Veteran
Posts: 843
Joined: Wed Mar 25, 2020 4:04 am

Re: New to Mikrotik - Config Help FW

Fri Jun 19, 2020 1:38 am

To simplify things I would suggest to use two routers in series, then on the border router you would have NAT, and on the inner router disable NAT (and this step simplifies all the rest).

Firewall chains:
input: traffic destined to the router itself
output: traffic from the router itself
forward: the traffic from other sources to other targets, ie. PC to PC, PC to Internet etc. and vice-versa.

The image is hard to read.
DNS is usually port 53/udp. You have to accept that traffic before the "drop all" rule.
Last edited by mutluit on Fri Jun 19, 2020 1:50 am, edited 1 time in total.
 
Sigma

Re: New to Mikrotik - Config Help FW

Fri Jun 19, 2020 1:50 am

The idea behind it is that the Router will do the Layer 3 things and behind it there will be another Firewall placed but first this just needs to work on that part. ;)

PC-----> Switch ----> Firewall Appliance Layer 7 ----> Router (Mikrotik) Layer3---> ISP Modem

But for now this should suffice its for home use and private lab. :D

PC----> Switch ---> Router (Mikrotik) ----> ISP Modem

Best regards
Sigma
 
User avatar
mutluit
Forum Veteran
Forum Veteran
Posts: 843
Joined: Wed Mar 25, 2020 4:04 am

Re: New to Mikrotik - Config Help FW

Fri Jun 19, 2020 1:53 am

Which router do you have and which OS and version does it have?
If it has RouterOS then you should post the output of this CLI command:
/ip export hide-sensitive
 
Sigma

Re: New to Mikrotik - Config Help FW

Fri Jun 19, 2020 1:54 am

It is already on the first post as attachment :D
 
User avatar
mutluit
Forum Veteran
Forum Veteran
Posts: 843
Joined: Wed Mar 25, 2020 4:04 am

Re: New to Mikrotik - Config Help FW

Fri Jun 19, 2020 2:01 am

It is already on the first post as attachment :D
Ok, I see.
But come on, man, are you joking? :-) This is a full-blown very complex configuration, not a basic/initial configuration.
Sorry, I'm out. Maybe someone else can take a look.
 
User avatar
k6ccc
Forum Guru
Forum Guru
Posts: 1579
Joined: Fri May 13, 2016 12:01 am
Location: Glendora, CA, USA (near Los Angeles)
Contact:

Re: New to Mikrotik - Config Help FW

Fri Jun 19, 2020 2:03 am

First of all, what chain does what. Traffic that is destined to something on the router itself (Winbox, SSH to the router, etc) is affected by the INPUT chain.
Traffic that is destined to something other than the router but has to be routed through the router (A PC accessing a web page, etc) is affected by the FORWARD chain.
Traffic that is originates from the router itself (The router making a DNS or SNTP query, etc) is affected by the OUTPUT chain. Very often there is nothing in the Output chain.
The order of rules within a chain is critical. Rules are processed in order. With the exception of a couple of rule types (passthrough for example), as soon as a rule accepts a packet, the rest of that chain is ignored. So for example if I have a rule that accepts all TCP traffic, and the next rule drops TCP traffic on port 2020, the second rule will never drop because the first rule will have already accepted it. Although you CAN mix chains - HOWEVER, DON'T DO IT. The router does not care, and it won't affect operation at all, however it makes the rules FAR harder for us poor humans to read.
If a packet gets to the end of a chain and still has not been accepted or deleted, that packet will be accepted. Therefore, it is essential to put a drop everything rule at the end of each chain. The general concept that most of us use is to explicitly allow what we want to allow and let the drop all at the end drop the packets.
Here are a couple of specifics:
add action=accept chain=input comment=\
    "Allow everything from the LAN interface to the router" in-interface=\
    bridge
add action=drop chain=input comment="Block all access to the winbox - except t\
    o support list" dst-port=8291 protocol=tcp src-address-list=!support
The first rule will allow any local address full access to the router. The second rule blocks WinBox access except for selected addresses. Wrong order. The first rule will have allowed the access and the second rule will not every be seen.
add action=drop chain=input comment=\
    "Drop all packets which are not destined to routes IP address" \
    dst-address-type=!local
I assume you really meant ... router's IP address". If the pocket is not destined to the router, it won';t be in the input chain.
add action=drop chain=input comment=\
    "Drop all packets which does not have unicast source IP address" \
    src-address-type=!unicast
What about a DHCP request? That is a broadcast a I recall.
add action=drop chain=input comment="Drop to bogon list" dst-address-list=\
    Bogons in-interface=ether1
That one is a major debate. Some people will tell you that this is absolutely essential, and some people don't care. I can tell you that I had Bogon drop rules in my routers for several years, and NEVER counted a single packet. So is it important?

You went to great effort to drop twitter and facebook by blocking screen fulls of IP addresses. Unless you have a way to keep that up to date, my guess is that it will only be partially effective - and may well block other stuff over time.
add action=drop chain=forward comment=\
    "Drop all other connections through the router"
add action=jump chain=forward disabled=yes jump-target=tcp protocol=tcp
add action=jump chain=forward disabled=yes jump-target=udp protocol=udp
You are dropping all traffic that gets this far in the Forward chain, and then have two more rules that will never see traffic because of the drop all rule (and they are disabled - along with all the rules in the TCP and UDP chains - so maybe those were put in for some testing only).
 
User avatar
anav
Forum Guru
Forum Guru
Posts: 21895
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada
Contact:

Re: New to Mikrotik - Config Help FW

Fri Jun 19, 2020 2:39 am

Suggest you reset to defaults first as that is clean and efficient and works.
Then describe what you wish to accomplish and we can go from there.
Working from a bloated mess picking and modifying is way to long of a process for me.
 
Sigma

Re: New to Mikrotik - Config Help FW

Fri Jun 19, 2020 11:48 pm

Hello to all,

1st Thank you to all here in this Topic for helping out so fast I rly appreciate the effort. :D

I streamlined the Rule-Set as much as I can and it seems to work.

What did I do?
- Changed Rule Priority as suggested
- Added (udp) Rule in Chain=udp for DNS / DoH Still works! :D
- Made Portscan from the Internet no Ports Open (NICE)
- Speed is great got my full bandwidth of 1Gbit/s

About Facebook and Twitter:
"I created the List according to a youtuber from the Channel=MAICT Consult" It is easy to recreate and Update if needed. <- Shows a few Mikrotik Tips and Tricks.

Here is the Updated Config:
UpdRoSig.rsc
A Screenshot of the Rules in action:
Image

If someone would double check if things are in order? <- Many Thanks again

Sincerely
Sigma

P.S. Rule 46 and Rule 47 are Disabled - They just exist for troubleshooting if something does not work as intended.
You do not have the required permissions to view the files attached to this post.
 
creatin
Member Candidate
Member Candidate
Posts: 108
Joined: Sat Nov 23, 2019 2:59 am

Re: New to Mikrotik - Config Help FW

Sat Jun 20, 2020 12:10 am

Does URL filtering works for you?
 
Sigma

Re: New to Mikrotik - Config Help FW

Sat Jun 20, 2020 1:17 pm

Does URL filtering works for you?
Hello @creatin

I does not work for me coz allot of Apps today do not visit "Facebook" or "Twitter" over the known URLs. Like that I can go deeper and kill of the referral URLs as well that point to the general Site.

The other Part is to bring in a NAT-Less Firewall appliance that does SSL Inspection, Web Content Filter and Application Control. All at Layer 7... Like this the Mikrotik is my Layer 3 FW and the Firewall Appliance is my Layer 7 with more horse power. ^^

Best regards
Sigma
 
User avatar
anav
Forum Guru
Forum Guru
Posts: 21895
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada
Contact:

Re: New to Mikrotik - Config Help FW  [SOLVED]

Sat Jun 20, 2020 6:35 pm

(1) I do not see the association between the bridge/dhcp pool with IP address???
/ip pool
add name=dhcp ranges=192.168.200.97-192.168.200.109
/ip dhcp-server
add address-pool=dhcp disabled=no interface=bridge lease-time=3d name=dhcp1
/ip address
add address=192.168.200.110/28 comment=defconf interface=ether2 network=192.168.200.96
/ip dhcp-server network
add address=192.168.200.96/28 dns-server=192.168.200.110 gateway=192.168.200.110

(2) It is not clear to me what you are trying to accomplish via the rule below??
/ip firewall nat
add action=dst-nat chain=dstnat dst-address-list=!DNSForward dst-port=53 in-interface-list=LAN protocol=\
tcp to-addresses=192.168.200.110 to-ports=53
 
Sigma

Re: New to Mikrotik - Config Help FW

Sun Jun 21, 2020 1:30 pm

(1) I do not see the association between the bridge/dhcp pool with IP address???
/ip pool
add name=dhcp ranges=192.168.200.97-192.168.200.109
/ip dhcp-server
add address-pool=dhcp disabled=no interface=bridge lease-time=3d name=dhcp1
/ip address
add address=192.168.200.110/28 comment=defconf interface=ether2 network=192.168.200.96
/ip dhcp-server network
add address=192.168.200.96/28 dns-server=192.168.200.110 gateway=192.168.200.110

(2) It is not clear to me what you are trying to accomplish via the rule below??
/ip firewall nat
add action=dst-nat chain=dstnat dst-address-list=!DNSForward dst-port=53 in-interface-list=LAN protocol=\
tcp to-addresses=192.168.200.110 to-ports=53
Hello @anav
on the part of (1) it is just a Comment Line forgot to rename the Comment my bad. In terms of function all is great with DHCP. :D

The (2) part of the DNAT Rule is a thing were Rouge DNS server address come in to play. I have a Nvidia Shield even if all settings are set manually to a specific DNS Server it will still call out to Google DNS 8.8.8.8. So what the rule is looking at is if something tries to go to a different DNS Server then the one specified (192.168.200.110 <- Router DNS) it would Port forward it to the Router Address with Port 53.

Hope it helps clear some things up. ^^

Sincerely
Sigma

Who is online

Users browsing this forum: No registered users and 14 guests