How to secure Mikrotik with FW rules?

mailalert · Thu Apr 28, 2022 7:25 pm

Hello guys,
I've had quite simple question, but .. I have static IP and I've create VPN for myself and RDP connection to network (I know this is not very secure, but I will use this very rarely and most of the time this computer will be off), and the question is .. how should I secure mikrotik more from outside attacks? or is this enough?
/ip firewall filter
add chain=input comment="accept established,related" connection-state=established,related
add chain=input comment="allow pptp" dst-port=1723 protocol=tcp
add action=drop chain=input connection-state=invalid
add chain=input comment="allow Winbox" in-interface=ether1-gateway port=8291 protocol=tcp
add action=drop chain=input comment="block everything else" in-interface=ether1-gateway
add action=fasttrack-connection chain=forward connection-state=established,related
add chain=forward connection-state=established,related
add action=drop chain=forward connection-state=invalid
add action=drop chain=forward connection-nat-state=!dstnat connection-state=new disabled=yes
what do you think?

own3r1138 · Thu Apr 28, 2022 7:51 pm

What you have is almost the same as the default firewall + PPTP
When you have Fasttrack you have to check untracked in connection state input and forward chain.
You are asking about security and using PPTP? That's the first thing to get rid of.
Disable any services that you don't use, also why forward chain you don't trust your LAN side?

Check these links
https://help.mikrotik.com/docs/display/ ... our+router
https://help.mikrotik.com/docs/display/ ... t+Firewall
https://help.mikrotik.com/docs/display/ ... d+Firewall
https://help.mikrotik.com/docs/pages/vi ... d=28606504

rextended · Thu Apr 28, 2022 7:55 pm

I think: DoS attacks must be blocked from your ISP.

mailalert · Thu Apr 28, 2022 8:10 pm

own3r1138 - thank you! I will read those

and what else should I use instead of PPTP?

also why forward chain you don't trust your LAN side? - I do, this is maybe my mistake

thx, I will correct it

rextended - sure, but you know, more secure is not so bad thing I think

rextended · Thu Apr 28, 2022 8:13 pm

I explain myself better (I hope)
drop all remaining at the end is how the firewall must be set, and is the only that count (if you do not put before absurd "accept" rules...)
but do not deplete CPU for try to block DDoS attacks,
or put dozen of useless rules inside the firewall....
Only your ISP can help about that...

mailalert · Thu Apr 28, 2022 8:20 pm

rextended - I understand, but have no idea what should I delete

should I use only "add action=drop chain=forward connection-nat-state=!dstnat connection-state=new disabled=yes" or what exactly do you think please? and be aware I am kind of newbie ..

rextended · Thu Apr 28, 2022 8:30 pm

on your rules I do not see something like this:

/ip firewall filter
add chain=input action=accept protocol=icmp
add chain=input action=accept dst-address=127.0.0.1

also read what @own3r1138 has wrote

For reference, the default firewall rules for IPv4 and IPv6 are:
viewtopic.php?f=13&t=175129&p=856824#p856824

mailalert · Thu Apr 28, 2022 8:39 pm

why should I use ICMP? I dont get it

And with your rules of course I cannot use RDP or VPN, at least one I need .. Of course RDP computer will be turned on only when I need to .. so maybe this one?
/ip firewall nat
add action=dst-nat chain=dstnat dst-port=1570 in-interface=ether1-gateway log=yes protocol=tcp to-addresses=192.168.88.100 to-ports=3389

rextended · Thu Apr 28, 2022 8:43 pm

ICMP is not only used for "PING", but also for PMTUD... read this:
https://en.wikipedia.org/wiki/Path_MTU_Discovery

anav · Thu Apr 28, 2022 8:50 pm

Instead of nickeling and diming the OP,
Just to to this link and choose Option/Para B. - viewtopic.php?t=182373

Besides that, this tells me you dont really know what the firewall rules do and need to learn more before adding rules from the default.
DANGER
add chain=input comment="allow Winbox" in-interface=ether1-gateway port=8291 protocol=tcp

Why would you allow input FROM the WAN to your winbox port?
Why would you use the default port anyway?

Another clue dont know what you are doing>
MISSING the action function in many rules including the danger rule above which saves your bacon in that respect!!

mailalert · Thu Apr 28, 2022 8:55 pm

ICMP is not only used for "PING", but also for PMTUD... read this:
https://en.wikipedia.org/wiki/Path_MTU_Discovery

- ok, I've learnt something new, thx

mailalert · Thu Apr 28, 2022 8:59 pm

Instead of nickeling and diming the OP,
Just to to this link and choose Option/Para B. - viewtopic.php?t=182373

Besides that, this tells me you dont really know what the firewall rules do and need to learn more before adding rules from the default.
DANGER
add chain=input comment="allow Winbox" in-interface=ether1-gateway port=8291 protocol=tcp

Why would you allow input FROM the WAN to your winbox port?
Why would you use the default port anyway?

Another clue dont know what you are doing>
MISSING the action function in many rules including the danger rule above which saves your bacon in that respect!!

- yes, you are corrent .. maybe I should read "little bit more" before I mess with FW rules ..

ok, I will read it tomorrow, today I just create two rules ..
/ip firewall filter
add chain=input action=accept protocol=icmp - this is for MTU path
add chain=input action=accept dst-address=127.0.0.1 - this drops everything what comes from WAN and didnt ask for it

am I right?

own3r1138 · Thu Apr 28, 2022 9:26 pm

Do yourself a favor Firstly, read all of the above links and topics very helpful then add new rules.
add chain=input action=accept protocol=icmp - this is for MTU path
I posted the recommendations for ICMP although, you should monitor your network and reduce these rules to what you use in your network.
https://www.iana.org/assignments/icmp-p ... ters.xhtml
/ip firewall filter add chain=input action=accept dst-address=127.0.0.1
this will allow any incoming that the destination is 127.0.0.1
but this rule will drop whatever is not coming from your LAN in interface-list

/ip firewall filter add action=drop chain=input comment="Drop all not coming from LAN" in-interface-list=!LAN

TIP this rule should be the last rule in your input chain.

/ip firewall filter
add action=jump chain=input comment="ICMP Flow" jump-target=ICMP protocol=icmp
add action=accept chain=ICMP icmp-options=0:0 protocol=icmp
add action=accept chain=ICMP icmp-options=3:0-4 protocol=icmp
add action=accept chain=ICMP icmp-options=3:9-10 protocol=icmp
add action=accept chain=ICMP icmp-options=3:13 protocol=icmp
add action=accept chain=ICMP icmp-options=8:0 protocol=icmp
add action=accept chain=ICMP icmp-options=11:0-1 protocol=icmp
add action=accept chain=ICMP icmp-options=12:0 protocol=icmp
add action=drop chain=ICMP log=yes log-prefix=--->ICMP
add action=accept chain=input comment="Established Connections" connection-state=established,related,untracked
add action=drop chain=input comment=Invalid connection-state=invalid
add action=accept chain=input comment="IP Services" dst-port=WINBOX protocol=tcp
add action=drop chain=input comment="Drop all not coming from LAN" in-interface-list=!LAN
add action=jump chain=forward comment="Jump Flow" jump-target=ICMP protocol=icmp
add action=accept chain=forward comment="IPsec Policy" ipsec-policy=in,ipsec
add action=accept chain=forward ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment=FastTrack connection-state=established,related hw-offload=yes
add action=accept chain=forward comment="Established Connections" connection-state=established,related,untracked
add action=reject chain=forward comment=Invalid connection-state=invalid reject-with=icmp-admin-prohibited
add action=drop chain=forward comment="Drop all from WAN not DSTNATed" connection-nat-state=!dstnat connection-state=new in-interface-list=WAN
add action=reject chain=output comment=Invalid connection-state=invalid reject-with=icmp-admin-prohibited
add action=jump chain=output comment="Jump Flow" jump-target=ICMP protocol=icmp

anav · Thu Apr 28, 2022 9:29 pm

Avoid anything that smells of cute, I think this will be the result and so forth or wouldnt this be nice.......
Go with fact!!

mailalert · Thu Apr 28, 2022 9:55 pm

thank you guys! I promise, that I will read all of your links and study it properly, but tomorrow, today is quite late

but I did this:
/ip firewall filter
add chain=input action=accept protocol=icmp
add chain=input action=accept dst-address=127.0.0.1

this I didnt add, because "expected end of command (line 1 column 68)">
add action=drop chain=input comment="Drop all not coming from LAN" in-interface-list=!LAN

in-interface-list=!LAN - here is some error, but friday is the day

own3r1138 · Thu Apr 28, 2022 10:14 pm

There is no problem with the command maybe you didn't add ip/firewall/filter

2022-04-28_23-29-22.png

2022-04-28_23-39-41.png

2022-04-28_23-29-55.png

rextended · Thu Apr 28, 2022 11:54 pm

/ip firewall filter
add chain=input action=accept dst-address=127.0.0.1

This permit the correct functionality of internal CPU loopback interface ("localhost"),
nothing to do with WAN or LAN.
This permit the correct behavior of CPU internal functions like CAPsMAN, Wireguard, and others.
The 127.0.0.1 traffic can not come from WAN, not from LAN either, because each device know than that IP is own "localhost" IP...

own3r1138 · Fri Apr 29, 2022 4:41 am

Ah, I see thank you for making this clear I thought this was only for CAPsMAN and didn't know this rule has anything to do with other services, etc WG.

mailalert · Fri Apr 29, 2022 12:39 pm

guys you are awesome

I've read links which you gave me and I have this BIG HEAD from it

ok, nevermind, I need to study little bit more .. but it's is possible simple do this? :
- allow remote access only from one IP (via RDP)
- drop everything else, that noone even can see login mikrotik page

I know how to do first one, but I dont know how to restrict it only for one IP, maybe like this? :
/ip firewall nat
add action=dst-nat chain=dstnat dst-port=1572 in-interface=ether1-gateway log=yes protokol=tcp src-address=50.48.42.147 to-addresses=192.168.88.45 to ports=3389

anav · Fri Apr 29, 2022 4:33 pm

If you are contacting a server behind the router, correct dst nat is the way to go, you need the generic allow rule in the forward chain to allow port forwarded type traffic and all the details for the traffic flow are in the dst-nat rule. Having a source address on the dst-nat rule is an excellent idea!!

The safe way to access the router itself for config purposes, from an external location is ONLY by VPN.

own3r1138 · Fri Apr 29, 2022 5:24 pm

I used to have a DST-nat rule for remote for a long time and then bots started to brute force the RDP remote VMs, I prefer the VPN idea even for simple RDP.

rextended · Fri Apr 29, 2022 5:28 pm

The problem is everytime the same:
Until someone is not hacked, the basic users (and some self called professional) open port on Firewall/NAT and/or using PPTP
instead of use secured VPN with certificates.

own3r1138 · Fri Apr 29, 2022 5:32 pm

I was using RDS-Knight and allowed only my customer country but still got a lot of logs regarding that. The customer didn't want to use a VPN they were specific about that. After showing them the logs they changed their minds.

rextended · Fri Apr 29, 2022 5:44 pm

Nice move!
I'll copy that...

Thanks

anav · Fri Apr 29, 2022 7:06 pm

Well yes, if the RDP is used for secure access, VPN is a better mode.
If forced to use RDP, then at least change the port to something like 11677 and then translate it to RDP port within the router.
with a source address on the dst-nat rule, the port will not be visible on scans.

mailalert · Fri Apr 29, 2022 7:57 pm

guys and it is possible to hack into network if computer with NAT and RDP possible connection would be turn off?

becasue if computer is turned off, port will be closed, so .. if any bot will try my network, it wont receive response

own3r1138 · Fri Apr 29, 2022 7:57 pm

usually dynamic so cant

own3r1138 · Fri Apr 29, 2022 8:16 pm

becasue if computer is turned off, port will be closed

Thats the problem, management of something like MT routers that have so many capabilities comes with the responsibility that you have to accept. You should be responsible and config your network as secure as it can be regardless of whether the client's device is ON or OFF. When you entire this category well, you are on your own.

anav · Fri Apr 29, 2022 10:11 pm

Yes, do not rely upon whether a PC is on or off for security protocols.
Assume that it is on, and thus plan accordingly.
Wireguard is fairly easy to implement as far a VPN goes.

I am curious though from the experts, if RDP is on port 11268, and the dst-nat address has a source address and thus the port is not visible on scans.
What makes the RDP unsafe? Isnt RDP a password proteced login as well?? Not overly familiar with RDP.......

It seems to me the safest approach would be to wireguard into the router and then access RDP from there !!

own3r1138 · Fri Apr 29, 2022 10:35 pm

I am curious though from the experts, if RDP is on port 11268, and the dst-nat address has a source address and thus the port is not visible on scans.
What makes the RDP unsafe? Isnt RDP a password proteced login as well?? Not overly familiar with RDP.......

Did I catch your point correctly?

/ip firewall nat
add action=dst-nat chain=dstnat comment="RDP" disabled=yes dst-address="router public IP" dst-port=11268 protocol=tcp src-address=2.2.2.2 to-addresses=192.168.1.2 to-ports=3389

anav · Sat Apr 30, 2022 4:12 am

Yes you did, exactly.
Do a simple test, go to gibsons port checker (and scan your router).
Then remove the source address part of the dst nat rule and do it again...
https://www.grc.com/shieldsup

The first test should no port visible at all.
The second test should show the port as visible but closed.

own3r1138 · Sat Apr 30, 2022 6:20 am

Yes you did, exactly.

True, But that's for the static public IP. most of the remote clients don't have one which will eliminate the possibility of assignment to the specific src address. these days I saw many VDSs with a cracked credential for sale, I assume they are password protected too.

anav · Sat Apr 30, 2022 5:22 pm

You are not being clear, do you mean the Router hosting the server is not static, (then use mynetname).
If you have clients that need to reach the server, it depends.

For someone with an office or home (not mobile) device, then there is no excuse not to get a dyndns name for their side of the house (public IP).
It should be a condition of connecting! No whining please, there are lots of free dyndns providers.
Just stick the dyndns name in the firewall address list and the router will resolve it to IP.
................

/ip firewall addresses
add ip=static-client1   list=authorizedServer
add ip=static-client2  list=authorizedServer
.....
add ip=static-clientX   list=authorizedServer
add ip=dyndnsname1  list=authorizedServer
add ip=dyndnsname2  list=authorizedServer
.....
add ip=dyndnsnameX  list=authorizedServer

...............

Now if you have mobile clients well, VPN is the only way to do that..... Wireguard is good.
I would probably do wireguard for all if security was at all an issue.

own3r1138 · Sat Apr 30, 2022 6:08 pm

Okay, What I meant by remote clients was roadwarriors like LTE the last part of your replay is the scenario.

anav · Sat Apr 30, 2022 6:51 pm

Yes of course, road warriors, VPN is the way to go.

Jotne · Sat Apr 30, 2022 11:15 pm

add chain=input comment="allow Winbox" in-interface=ether1-gateway port=8291 protocol=tcp

DO NOT OPEN ADMIN INTRAFACE FROM INTERNET!!!!!!
This is just asking for trouble.

Use VPN to administrate your device from remote location.
If VPN can not be used, follow this list to make connection some more secure.

1. Use another port than default.
2. Use port knocking. This prevents someone from seeing open ports.
3. Use a long and good password.
4. Use access list to prevent any random internet from accessing your router.
5. Log everything. (See my signature for example.)
6. Upgrade firmware to latest stable release
7. ++++

How to secure Mikrotik with FW rules?

How to secure Mikrotik with FW rules?

Re: How to secure Mikrotik with FW rules?

Re: How to secure Mikrotik with FW rules?

Re: How to secure Mikrotik with FW rules?

Re: How to secure Mikrotik with FW rules?

Re: How to secure Mikrotik with FW rules?

Re: How to secure Mikrotik with FW rules?

Re: How to secure Mikrotik with FW rules?

Re: How to secure Mikrotik with FW rules?

Re: How to secure Mikrotik with FW rules?

Re: How to secure Mikrotik with FW rules?

Re: How to secure Mikrotik with FW rules?

Re: How to secure Mikrotik with FW rules?

Re: How to secure Mikrotik with FW rules?

Re: How to secure Mikrotik with FW rules?

Re: How to secure Mikrotik with FW rules?

Re: How to secure Mikrotik with FW rules?

Re: How to secure Mikrotik with FW rules?

Re: How to secure Mikrotik with FW rules?

Re: How to secure Mikrotik with FW rules?

Re: How to secure Mikrotik with FW rules?

Re: How to secure Mikrotik with FW rules?

Re: How to secure Mikrotik with FW rules?

Re: How to secure Mikrotik with FW rules?

Re: How to secure Mikrotik with FW rules?

Re: How to secure Mikrotik with FW rules?

Re: How to secure Mikrotik with FW rules?

Re: How to secure Mikrotik with FW rules?

Re: How to secure Mikrotik with FW rules?

Re: How to secure Mikrotik with FW rules?

Re: How to secure Mikrotik with FW rules?

Re: How to secure Mikrotik with FW rules?

Re: How to secure Mikrotik with FW rules?

Re: How to secure Mikrotik with FW rules?

Re: How to secure Mikrotik with FW rules?

Re: How to secure Mikrotik with FW rules?