RB5009 help to configure (Switch, VLANs)

matumatu · Fri Nov 18, 2022 1:03 pm

Hello,

I've been trying to get the configuration to work, but after a week, I'm really fed up... I was searching for similar topics, trying to glue the configuration but without a luck.
I also followed this article viewtopic.php?t=143620&sid=02eafc2a9fa8 ... d0#p706998
and no luck.

Could you help me to get the router to work, please?

# VLAN Overview 
###############
# VLAN_10: Backend devices - 10.0.10.0/24
# - Linux device - Controller for UniFi
# - UniFi AP device
# Services:
# - Pi-hole as DNS forwarder - for all VLANs
# 
# VLAN_20: Media Services (TV modem)  - 10.0.20.0/24
# - Access to the Internet
# - Blocked access to other VLANs
# 
# VLAN_30: Wi-Fi Home users  - 10.0.30.0/24
# - Access to the Internet
# - Access to IoT VLAN to the printer (AirPrint)
# - Access to VLAN_10 ports (22,53,80,443)
# - Access to VLAN_50 ports (22,80,443,3389)
# 
# VLAN_40: Wi-Fi Guest  - 10.0.40.0/24
# - Access only to the Internet (80,443)
# - Access to VLAN_10 DNS server (53)
# 
# VLAN_50: IoT (printer as well?)  - 10.0.50.0/24
# - Access to the Internet
# - DNS for devices 1.1.1.1
# - Printer IP: 10.0.50.2
# 
# VLAN_60: DMZ  - 10.0.60.0/24
# - Access to the Internet
# - Access to VLAN_10 DNS server (53)
# - Access from the Internet: exposed ports to the Internet (8888) from IP 10.0.60.2
#
# VLAN_100: Management port ether8  - 10.0.100.0/24
# - Outgoing: Access to all VLANs and Internet
# - Incoming: Blocked from other VLANs

# Port overview
# ether1 - WAN (dhcp client)
# ether2 - Backend devices (VLAN_10 Access)
# ether3 - Unifi AP device (VLAN_10 Access, VLAN_30 SSID:HOME, VLAN_40 SSID:GUEST, VLAN_50 SSID:IoT)
# ether4 - Linux device (VLAN_20 Access)
# ether5 - Linux Device (VLAN_60 Access)
# ether6 - Management port (VLAN_100)

# VPN: OpenVPN Server 
# - Access to the Internet
# - Access to VLAN_10 to ports (53, 443, 22)
# - Access to VLAN_30 to IP 10.0.30.2 (3389)
# - Access to VLAN_50 to printer 10.0.50.2 (AirPrint)
# - Access to VLAN_60 to ports 22,3389

anav · Fri Nov 18, 2022 6:11 pm

Post your complete config please.

/export file=anynameyouwish ( minus the router serial number and any public WANIP information )

Then I can guide you in the right direction.

matumatu · Fri Nov 18, 2022 7:01 pm

Here is the output:
I haven not configured more than below, as I wanted to solve this issue first.

# jan/02/1970 06:42:38 by RouterOS 7.5
# software id = 2XKJ-KFM8
#
# model = RB5009UPr+S+
/interface bridge
add name=BR1 protocol-mode=none vlan-filtering=yes
/interface vlan
add interface=BR1 name=BLUE_VLAN vlan-id=10
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip pool
add name=BLUE_POOL ranges=10.0.10.2-10.0.10.254
/ip dhcp-server
add address-pool=BLUE_POOL interface=BLUE_VLAN name=BLUE_DHCP
/interface bridge port
add bridge=BR1 frame-types=admit-only-untagged-and-priority-tagged interface=\
    ether2 pvid=10
/ip neighbor discovery-settings
set discover-interface-list=!dynamic
/ip address
add address=10.0.10.1/24 interface=BLUE_VLAN network=10.0.10.0
/ip dhcp-server network
add address=10.0.10.0/24 dns-server=192.168.0.1 gateway=10.0.10.1

anav · Fri Nov 18, 2022 7:10 pm

what i dont get on your diagram is why is vlan10 which seems to be home users, not used for home wifi?
Why change to vlan30 for home users. What is the purpose of vlan20....... IOT devices, media devices?

Or is vlan10 the stated vlan for your ISP connection on ether1 ???

matumatu · Fri Nov 18, 2022 8:43 pm

Yes, you are right @anav.
I've updated network diagram and VLAN/Port overview.
Should be better now unless you have comments to the design of network.

anav · Fri Nov 18, 2022 8:45 pm

Its making more sense now thanks!
Except for the DMZ, what do you mean by that specifically what will you be using it for.............. will it need internet access for example??

matumatu · Fri Nov 18, 2022 9:10 pm

Good catch!, Updated the code block at the first post. Added also VPN part.

anav · Fri Nov 18, 2022 9:48 pm

Im no good with opnvpn, Good at wireguard though which is faster and easier to implement.

Do you have a bunch of vpn users that need access to your subnets?

matumatu · Fri Nov 18, 2022 11:01 pm

No, no, just me.
Wireguard is fine as well.

anav · Sat Nov 19, 2022 10:33 pm

Here is a sample setup.............
I didnt have the IP address of the pihole server..........
Also its easier to allow a lan subnet or users to access a particular IP or set of IP addresses in another LAN, doing it by ports alone is unknown to me.

/interface bridge
add name=onebridge
/interface wireguard
add name=WG listen-port=55820
/interface wireguard peers
add interface=WG public-key=<remote device1 generaged public key> allowed-address=192.168.50.2/32  { remote laptop }
add interface=WG public-key=<remote device2 generaged public key> allowed-address=192.168.50.3/32 { remote iphone/ipad }
/interface vlan
add interface=onebridge name=vlan10_control vlan-id=10
add interface=onebridge name=vlan20-Media vlan-id=20
add interface=onebridge name=vlan30-Home vlan-id=30
add interface=onebridge name=vlan40-Gwifi vlan-id=40
add interface=onebridge name=vlan50-IOT vlan-id=50
add interface=onebridge name=vlan60-DMZ vlan-id=60
add interface=onebridge name=vlan100-Manage vlan-id=100
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
add name=Manage
add name=block-printer
/ip pool
add name=dhcp_control ranges=10.0.10.2-192.168.10.254
add name=dhcp_media ranges=10.0.20.2-192.168.20.254
add name=dhcp_home ranges=10.0.30.2-192.168.30.254
add name=dhcp_gwifi ranges=10.0.40.2-192.168.40.254
add name=dhcp_iot ranges=10.0.50.2-192.168.50.254
add name=dhcp_dmz ranges=10.0.60.2-192.168.60.254
add name=dhcp_manage ranges=10.0.100.5-192.168.100.10
/ip dhcp-server
add address-pool=dhcp-control interface=vlan10-Control name=control-server
add address-pool=dhcp_media interface=vlan20-Media name=media-server
add address-pool=dhcp_home interface=vlan30-Home name=home-server
add address-pool=dhcp_gwifi interface=vlan40-Gwifi name=gwifi-server
add address-pool=dhcp_iot interface=vlan50-IOT name=iot-server
add address-pool=dhcp_dmz interface=vlan60-DMZ name=dmz-server
add address-pool=dhcp_manage interface=vlan100-Manage name=manage-server
/interface bridge port
add bridge=onebridge comment=defconf ingress-filtering=yes frame-types=admit-priority-and-untagged interface=ether2 pvid=10
add bridge=onebridge ingress-filtering=no interface=ether3 pvid=10
add bridge=onebridge ingress-filtering=yes frame-types=admit-priority-and-untagged interface=ether4 pvid=20
add bridge=onebridge ingress-filtering=yes frame-types=admit-priority-and-untagged interface=ether5 pvid=60
add bridge=onebridge ingress-filtering=yes frame-types=admit-priority-and-untagged interface=ether8 pvid=100
/interface bridge vlans
add bridge=onebridge tagged=onebridge untagged=ether2,ether3 vlan-ids=10
add bridge=onebridge tagged=onebridge,ether3  vlan-ids=30,40,50
add bridge=onebridge tagged=onebridge untagged=ether4 vlan-ids=20
add bridge=onebridge tagged=onebridge untagged=ether5 vlan-ids=60
add bridge=onebridge tagged=onebridge untagged=ether8 vlan-ids=100
/ip neighbor discovery-settings
set discover-interface-list=MANAGE
/interface detect-internet
set detect-interface-list=NONE
/interface list member
add interface=ether1 list=WAN
add interface=vlan10-Control list=LAN
add interface=vlan20-Media list=LAN
add interface=vlan30-Home list=LAN
add interface=vlan40-Gwifi list=LAN
add interface=vlan50-IOT list=LAN
add interface=vlan60-DMZ list=LAN
add interface=vlan100-Manage list=LAN
add interface=vlan100-Manage list=MANAGE
add interface=WG list=MANAGE
add interface=vlan60-DMZ list=block-printer
add interface=vlan40-Gwifi list=block-printer
/ip address
add address=10.0.10.1/24 interface=vlan10-Control network=10.0.10.0
add address=10.0.20.1/24 interface=vlan20-Media network=10.0.20.0
add address=10.0.30.1/24 interface=vlan30-Home network=10.0.30.0
add address=10.0.40.1/24 interface=vlan40-Gwifi network=10.0.40.0
add address=10.0.50.1/24 interface=vlan50-IOT network=10.0.50.0
add address=10.0.60.1/24 interface=vlan60-DMZ network=10.0.60.0
add address=10.0.100.1/24 interface=vlan100-Manage network=10.0.100.0
add address=192.168.50.1/24 interface=WG network=192.168.50.0
/ip dhcp-server network
add address=10.0.10.0/24  gateway=10.0.10.1 dns-server=10.0.10.1
add address=10.0.20.0/24   gateway=10.0.20.1 dns-server=Pihole(IP)
add address=10.0.30.0/24  gateway=10.0.30.1 dns-server=Pihole(IP)
add address=10.0.40.0/24  gateway=10.0.40.1  dns-server=Pihole(IP)
add address=10.0.50.0/24  gateway=10.0.50.1  dns-server=1.1.1.1
add address=10.0.60.0/24  gateway=10.0.60.1  dns-server=Pihole(IP)
add address=10.0.100.0/24   gateway=10.0.100.1  dns-server=Pihole(IP)
/ip dns
set allow-remote-requests=yes servers=8.8.8.8,1.1.1.1
/ip firewall address list
add address=10.0.50.0/24 list=exclude-pihole
add address=10.0.10.2  list=exclude-pihole
add address=10.0.10.2  list=thirty2ten  {  destination IP on vlan10 being accessed by home users }
add address=10.0.10.3  list=thirty2ten  {  destination IP on vlan10 being accessed by home users }
add address=10.0.50.2 list=thirty2fifty  {  destination IP on vlan50 being accessed by home users }
/ip firewall filter
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid 
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input dst-port=55820 protocol=udp log=yes
add action=accept chain=input in-interface-list=MANAGE
add action=accept chain=input dst-port=53 protocol=tcp in-interface-list=LAN
add action=accept chain=input dst-port=53 protocol=udp in-interface-list=LAN
add action=drop chain=input comment="drop all else"
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
    connection-state=established,related hw-offload=yes
add action=accept chain=forward comment=\
    "defconf: accept established,related, untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
add action=accept chain=forward in-interface-list=MANAGE out-interface-list=LAN
add action=accept chain=forward in-interface=WG
add action=accept chain=forward in-interface-list=LAN out-interface-list=WAN
add action=drop chain=forward in-interface-list=block-printer out-interface=Vlan50-IOT
add action=accept chain=forward in-interface-list=LAN out-interface=vlan50-IOT dst-address=10.0.50.2/32
add action=accept chain=forward in-interface-list=LAN dst-address=10.0.10.2  dst-port=53 protocol=tcp
add action=accept chain=forward in-interface-list=LAN dst-address=10.0.10.2  dst-port=53 protocol=udp
add action=accept chain=forward in-interface=vlan30-Home out-interface=vlan10-Control  dst-address-list=thirty-2-ten
add action=accept chain=forward in-interface=vlan30-Home out-interface=vlan50-IOT  dst-address-list=thirty-2-fifty
add action=accept chain=forward connection-nat-state=dstnat comment="allow port forwarding"
add action=drop chain=forward comment="drop all else"
/ip firewall nat
add action=masquerade chain=srcnat out-interface-list=WAN
add chain=dstnat in-interface-list=LAN src-address-list=!exclude-pihole protocol=udp dst-port=53 action=dst-nat to-addresses=10.0.10.2
add chain=dstnat in-interface-list=LAN src-address-list=!exclude-pihole protocol=tcp dst-port=53 action=dst-nat to-addresses=10.0.10.2
add action=dst-nat chain=dstnat in-interface-list=WAN dst-port=8888 \
 protocol=tcp to-addresses=10.0.60.2
/tool mac-server
set allowed-interface-list=NONE
/tool mac-server mac-winbox
set allowed-interface-list=MANAGE

matumatu · Sun Nov 20, 2022 1:33 am

Thank you very much @anav for your support.

I've applied the following config and PC cannot obtain IP from DHCP on ports: ether2 and ether3 - getting IP 169.254.x.x. On the ether4 and ether5 DHCP works fine.
What could be wrong?

Also its easier to allow a lan subnet or users to access a particular IP or set of IP addresses in another LAN, doing it by ports alone is unknown to me.

Sure, will get back to this.

/interface bridge
add name=onebridge vlan-filtering=yes
/interface vlan
add interface=onebridge name=vlan10_control vlan-id=10
add interface=onebridge name=vlan20-Media vlan-id=20
add interface=onebridge name=vlan30-Home vlan-id=30
add interface=onebridge name=vlan40-Gwifi vlan-id=40
add interface=onebridge name=vlan50-IOT vlan-id=50
add interface=onebridge name=vlan60-DMZ vlan-id=60
add interface=onebridge name=vlan100-Manage vlan-id=100
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
add name=Manage
add name=block-printer
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip pool
add name=dhcp_control ranges=10.0.10.2-10.0.10.254
add name=dhcp_media ranges=10.0.20.2-10.0.20.254
add name=dhcp_home ranges=10.0.30.2-10.0.30.254
add name=dhcp_gwifi ranges=10.0.40.2-10.0.40.254
add name=dhcp_iot ranges=10.0.50.2-10.0.50.254
add name=dhcp_dmz ranges=10.0.60.2-10.0.60.254
add name=dhcp_manage ranges=10.0.100.5-10.0.100.10
/ip dhcp-server
add address-pool=dhcp_media interface=vlan20-Media name=media-server
add address-pool=dhcp_home interface=vlan30-Home name=home-server
add address-pool=dhcp_gwifi interface=vlan40-Gwifi name=gwifi-server
add address-pool=dhcp_iot interface=vlan50-IOT name=iot-server
add address-pool=dhcp_dmz interface=vlan60-DMZ name=dmz-server
add address-pool=dhcp_manage interface=vlan100-Manage name=manage-server
/interface bridge port
add bridge=onebridge comment=defconf frame-types=\
    admit-only-untagged-and-priority-tagged interface=ether2 pvid=10
add bridge=onebridge ingress-filtering=no interface=ether3 pvid=10
add bridge=onebridge frame-types=admit-only-untagged-and-priority-tagged \
    interface=ether4 pvid=20
add bridge=onebridge frame-types=admit-only-untagged-and-priority-tagged \
    interface=ether5 pvid=60
add bridge=onebridge frame-types=admit-only-untagged-and-priority-tagged \
    interface=ether8 pvid=100
/interface bridge vlan
add bridge=onebridge tagged=onebridge untagged=ether2,ether3 vlan-ids=10
add bridge=onebridge tagged=onebridge,ether3 vlan-ids=30,40,50
add bridge=onebridge tagged=onebridge untagged=ether4 vlan-ids=20
add bridge=onebridge tagged=onebridge untagged=ether5 vlan-ids=60
add bridge=onebridge tagged=onebridge untagged=ether8 vlan-ids=100
/interface list member
add interface=vlan20-Media list=LAN
add interface=vlan30-Home list=LAN
add interface=vlan40-Gwifi list=LAN
add interface=vlan50-IOT list=LAN
add interface=vlan60-DMZ list=LAN
add interface=vlan100-Manage list=LAN
add interface=vlan60-DMZ list=block-printer
add interface=vlan40-Gwifi list=block-printer
/ip address
add address=10.0.20.1/24 interface=vlan20-Media network=10.0.20.0
add address=10.0.30.1/24 interface=vlan30-Home network=10.0.30.0
add address=10.0.40.1/24 interface=vlan40-Gwifi network=10.0.40.0
add address=10.0.50.1/24 interface=vlan50-IOT network=10.0.50.0
add address=10.0.60.1/24 interface=vlan60-DMZ network=10.0.60.0
add address=10.0.100.1/24 interface=vlan100-Manage network=10.0.100.0
/ip dhcp-server network
add address=10.0.10.0/24 dns-server=10.0.10.1 gateway=10.0.10.1
add address=10.0.20.0/24 dns-server=10.0.20.1 gateway=10.0.20.1
add address=10.0.30.0/24 dns-server=10.0.30.1 gateway=10.0.30.1
add address=10.0.40.0/24 dns-server=10.0.40.1 gateway=10.0.40.1
add address=10.0.50.0/24 dns-server=1.1.1.1 gateway=10.0.50.1
add address=10.0.60.0/24 dns-server=10.0.60.1 gateway=10.0.60.1
add address=10.0.100.0/24 dns-server=10.0.100.1 gateway=10.0.100.1
/ip dns
set allow-remote-requests=yes servers=8.8.8.8,1.1.1.1

Buckeye · Sun Nov 20, 2022 5:53 am

I've applied the following config and PC cannot obtain IP from DHCP on ports: ether2 and ether3 - getting IP 169.254.x.x. On the ether4 and ether5 DHCP works fine.
What could be wrong?

If seems this was left out?

/ip address
add address=10.0.10.1/24 interface=vlan10-Control network=10.0.10.0

anav · Sun Nov 20, 2022 1:30 pm

Yup, concur that is the problem but its in my config, so just not copied over quite right. That addition should make a slight difference

matumatu · Mon Nov 21, 2022 12:12 am

Yes, you were right @anav& @Buckeye.
Everything works as expected now - a HUGE THANK YOU @anav for your support!

I'm trying to understand the config and firewall rules, and of course there are multiple questions, but I have to dive into the documentation first, and so far, I would like to ask for the following:

There is a rule to allow ICMP;

add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp

This rule allows ICMP to WAN from the Internet, I changed action to drop, and there is no option to PING WAN port from the Internet, but this blocked ping to the VLAN Gateways. What to do Sir?

What those two rules does mean?

/ip firewall nat
add chain=dstnat in-interface-list=LAN src-address-list=!exclude-pihole protocol=udp dst-port=53 action=dst-nat to-addresses=10.0.10.2
add chain=dstnat in-interface-list=LAN src-address-list=!exclude-pihole protocol=tcp dst-port=53 action=dst-nat to-addresses=10.0.10.2

jvanhambelgium · Mon Nov 21, 2022 12:39 am

There is a rule to allow ICMP;
Code: Select all
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
This rule allows ICMP to WAN from the Internet, I changed action to drop, and there is no option to PING WAN port from the Internet, but this blocked ping to the VLAN Gateways. What to do Sir?

The solution is to be more "specific". After all, also your "vlan gateways" will be "hit" with this rule since they are part of the router and the default rules does not specify interfaces etc.
So DUPLICATE this rule, and on the top one edit the rule and add the incoming WAN/Internet interface! (so be more specific that you want to drop ICMP *coming in from Internet*
Then edit the rule below, change it to "allow" again (you changed it to "drop", change that) and you should be able to ping all your VLAN-gateways from internally your LAN.

The other rules with the DNAT is to prevent the DNAT-action to be executed specifically on the packets coming from your PIHOLE itself. (which sits on the "LAN").
Your PIHOLE should be the only device that can remotely do "dns" from the Internet without being intercepted/dnat'ted to itself

Any other device on the network (= src-address-list=!exclude-pihole) doing DNS (either UDP or TCP) on 53 will be "intercepted" / NAT'ted and delivered to your Pihole on 10.0.10.2

anav · Mon Nov 21, 2022 1:09 am

I do not recommend to block ICMP its valid to allow and it performs useful functions and should be left at is.
Any other advice is questionable and what is the source of that advice??

As to the the second question you will note that to use pi-hole there is a two part strategy,
one is to assign pi hole as the dns-server in the dhcp-server network settings and the second are the 2 rules to ensure that people cannot bypass what you have set in the dns-server!!

As you can see below, all the subnets are assigned to the pihole EXCEPT the IOT subnet which you wanted to use 1.1.1.1.
Furthermore the dns server for the subnet which the pi-hole is in is set to the gateway as we dont want to corral the pi-hole and send it to itself.
So the users of IOT based on this will go to 1.1.1.1 and the users on 10.0.10.0/24 will use the routers IP DNS services 8.8.8.8,1.1.1.1

/ip dhcp-server network
add address=10.0.10.0/24 gateway=10.0.10.1 dns-server=10.0.10.1
add address=10.0.20.0/24 gateway=10.0.20.1 dns-server=Pihole(IP)
add address=10.0.30.0/24 gateway=10.0.30.1 dns-server=Pihole(IP)
add address=10.0.40.0/24 gateway=10.0.40.1 dns-server=Pihole(IP)
add address=10.0.50.0/24 gateway=10.0.50.1 dns-server=1.1.1.1
add address=10.0.60.0/24 gateway=10.0.60.1 dns-server=Pihole(IP)
add address=10.0.100.0/24 gateway=10.0.100.1 dns-server=Pihole(IP)

So in step 2, we have to ensure that
a. users cannot bypass the entries above and
b. we have to then force the OTHER USERS in 10.0.10.0/24 ( but not the pi-hole) to also use the pi-hole.

Hence the identification of the targetted IPs, to exclude from these destination rules ( the pi-hole and the 10.0.50.0 subnet )

Then by the below rules any user from the LAN that needs DNS services ( like browsing ) will be "forced" to the pi-hole address.
/ip firewall nat
add chain=dstnat in-interface-list=LAN src-address-list=!exclude-pihole protocol=udp dst-port=53 action=dst-nat to-addresses=10.0.10.2
add chain=dstnat in-interface-list=LAN src-address-list=!exclude-pihole protocol=tcp dst-port=53 action=dst-nat to-addresses=10.0.10.2.

However we also in the same rule besides saying all users from the LAN, we add the other statement or condition for the rule to be true and the action to be carried out AS.
everybody NOT on the source address list.
ALL USERS ON LAN AND ALL USERS NOT ON SOURCE ADDRESS LIST ----------> if true then carry out the action.

So the two conditions are almost the same, the first one says all users on the LAN, and the second in effect ANY user except those identified on list).

(the ! symbol is not to be used lightly however as in the wrong hands it can create a mess of unintended consequences )

anav · Mon Nov 21, 2022 1:15 am

Yikes I noticed on your post of the config you FAILED to copy the ip dhcp-server network properly ?????????????

Buckeye · Mon Nov 21, 2022 3:13 am

I started this post, then didn't finish it until @anav had several new post, so he already found this

Yup, concur that is the problem but its in my config, so just not copied over quite right.

Now that you mention it, I just did a comparison of the two configs with winmerge, and there are some other differences as well, and this is also missing from matumatu's config, and it also looks significant to the problem:

/ip dhcp-server
add address-pool=dhcp-control interface=vlan10-Control name=control-server

It's easy to stop looking once you find a problem that could cause the problem, even if there are more things that could also cause the same problem.

It appears that there are other difference things removed (wireguard and firewall), but it does look like he fixed an unfinished edit you made in the /ip pool section where some of the 192.168 substrings didn't get changed to 10.0. and a few syntax fixes (changed admit- to admit-only-)

But I am quite impressed by @anav's ability to create complete configs without being able to test them, so I am not meaning to throw stones; I didn't notice them until WinMerge showed the differences. The config @anav posted in post #10 got @matumatu going in the correct direction.

Buckeye · Mon Nov 21, 2022 3:28 am

I do not recommend to block ICMP its valid to allow and it performs useful functions and should be left at is.
Any other advice is questionable and what is the source of that advice??

There's a lot of differing advice on disabling at least icmp echo-requests. This it probably the most common reason people do: Blocking ICMP echo (ping) to make grc.com happy

Does it really enhance security? Probably not as long as you don't have other problems in your config. The intent is to reduce the knocking on the door. It doesn't prevent the scanning for open ports, but it probably does reduce the quantity. Similar to not putting your phone number on checks, which used to be recommended, but isn't any longer. Or publishing your email address on forums. Some people also recommend using "hidden" SSIDs for the same reason. These measures make it marginally less convenient for war drivers.

What is ironic is that some users block icmp echo-requests, but then expose their router's webfig to the internet, which is a much bigger risk.

anav · Mon Nov 21, 2022 3:39 am

I cannot control the ability to copy and paste LOL.
But I do understand the difficulty for a new person having made the mistake to find it easily.

That is why I prefer clean and organized configs that one can then more easily spot errors.
What you stated though is a useful exercise for anyone, to compare configs.

I do this using notepadd++ which has that capability.

In can be found in PLUGINS and the function of COMPARE!
++++++++++++++++++++++++++++++++++++++++++++++++
But I am quite impressed by @anav's ability to create complete configs without being able to test them,
I have an internal CHR

matumatu · Mon Nov 21, 2022 2:29 pm

Yikes I noticed on your post of the config you FAILED to copy the ip dhcp-server network properly ?????????????

Yes, this was at the very beginning, as this is new for me, I checked configuration several times, and found a few typos - thanks to them, it forced me to review config carefully, which was quite valuable to me

I do this using notepadd++ which has that capability.

I switched to Visual Studio Code +Mikrotik RouterOS script extension, so looking at the config is much easier.

Blocking ICMP to WAN port - @anav I wanted to get rid of the guys "who knocks to the door" - that's all. As @Buckeye said, it does not enhance security of the router itself.

@jvanhambelgium - thanks for the hint - ICMP to WAN has been blocked, and internally, ICMP works as expected.

The other rules with the DNAT is to prevent the DNAT-action to be executed specifically on the packets coming from your PIHOLE itself. (which sits on the "LAN").
Your PIHOLE should be the only device that can remotely do "dns" from the Internet without being intercepted/dnat'ted to itself
Any other device on the network (= src-address-list=!exclude-pihole) doing DNS (either UDP or TCP) on 53 will be "intercepted" / NAT'ted and delivered to your Pihole on 10.0.10.2

/ip dhcp-server network
add address=10.0.10.0/24 gateway=10.0.10.1 dns-server=10.0.10.1
add address=10.0.20.0/24 gateway=10.0.20.1 dns-server=Pihole(IP)
add address=10.0.30.0/24 gateway=10.0.30.1 dns-server=Pihole(IP)
add address=10.0.40.0/24 gateway=10.0.40.1 dns-server=Pihole(IP)
add address=10.0.50.0/24 gateway=10.0.50.1 dns-server=1.1.1.1
add address=10.0.60.0/24 gateway=10.0.60.1 dns-server=Pihole(IP)
add address=10.0.100.0/24 gateway=10.0.100.1 dns-server=Pihole(IP)

So in step 2, we have to ensure that
a. users cannot bypass the entries above and
b. we have to then force the OTHER USERS in 10.0.10.0/24 ( but not the pi-hole) to also use the pi-hole.

Hence the identification of the targetted IPs, to exclude from these destination rules ( the pi-hole and the 10.0.50.0 subnet )

Then by the below rules any user from the LAN that needs DNS services ( like browsing ) will be "forced" to the pi-hole address.
/ip firewall nat
add chain=dstnat in-interface-list=LAN src-address-list=!exclude-pihole protocol=udp dst-port=53 action=dst-nat to-addresses=10.0.10.2
add chain=dstnat in-interface-list=LAN src-address-list=!exclude-pihole protocol=tcp dst-port=53 action=dst-nat to-addresses=10.0.10.2.

However we also in the same rule besides saying all users from the LAN, we add the other statement or condition for the rule to be true and the action to be carried out AS.
everybody NOT on the source address list.
ALL USERS ON LAN AND ALL USERS NOT ON SOURCE ADDRESS LIST ----------> if true then carry out the action.

Thanks for the explanation.

If I understood correctly, then being connected to address=10.0.30.0/24 gateway=10.0.30.1 dns-server=Pihole(IP) and have set DNS manually to 8.8.4.4 all my requests should be forwarded to Pihole(IP), and Pihole(IP) will care about resolving DNS query?
I performed a check, and manually set DNS to 8.8.4.4 on PC connected to 10.0.30.0/24 and Firewall > Connections says that I'm using 8.8.4.4 to resolve DNS queries.

@anav: Furthermore the dns server for the subnet which the pi-hole is in is set to the gateway - you mean as a gateway for DNS?

anav · Mon Nov 21, 2022 2:37 pm

Not sure what you are asking................

I was pretty clear...................... its two steps.....
ONE - in dhcp-server networks for dns-server put in what is on the config supplied.

All of them should be the IP address of the Pihole device except for
a. the subnet the pihole is on, just stick the address of the LAN subnet for dns server 10.0.10.1
b. the subnet for the IOT LAN and one puts 1.1.1.1 as you requested.

Then in dst nat rules, we force all users to the pihole, in case they try to pass the dns setting you put in dhcp-server networks above.
However we have to put two exceptions in the FORCE rules, we have to exculde the iot subnet and we have to exclude the pihole device itself.

matumatu · Mon Nov 21, 2022 2:43 pm

By forcing the configuration for users, I thought these rules would also not allow, the use of DNS addresses that were changed manually by the users.
Now I understand, by FORCE you mean to assign Pihole(IP) as DNS server for users.

anav · Mon Nov 21, 2022 3:39 pm

By forcing the configuration for users, I thought these rules would also not allow, the use of DNS addresses that were changed manually by the users.
Now I understand, by FORCE you mean to assign Pihole(IP) as DNS server for users.

That is correct, the dst-nat rules will not allow a user to select their own DNS server on their computer
Without those rules they could bypass the dns settings we put at dhcp-server network by manually putting it in.

matumatu · Mon Nov 21, 2022 7:11 pm

@anav - Being connected to 10.0.30.0/24 network, and manually changed DNS on PC to 8.8.4.4 - I'm still able to browse the Internet (secure DNS is disabled in Chrome/Edge), do nslookup or dig using the 8.8.4.4 server.

My fault!
Once I disconnected cable from Pi-hole, then I wasn't able to resolve DNS queries even the config was manually changed to custom DNS provider on PC.
You were right!

anav · Mon Nov 21, 2022 7:36 pm

Not sure what you mean again LOL.
Pi hole should be connected by cable to the network ????? ( on subnet 10.0.10.0/24)

What do you have on your pi-hole for it to conduct DNS, it must use some DNS service ????

mkx · Mon Nov 21, 2022 7:54 pm

@anav, can't you just live with ...

You were right!

Gosh, sometimes it seems Canadians are out of this universe

matumatu · Mon Nov 21, 2022 8:25 pm

Having Pi-hole connected to the router and using custom DNS, I was able to resolve DNS query like i.e.dig google.com - and get response from 8.8.4.4 (set as a custom DNS). So, such behaviour led me to the conclusion that the firewall rule is not working.

I wanted to test out firewall rule that DNS query won't be resolved having custom DNS set on PC - that was only possible once Pi-hole was disconnected from the router. Maybe there is another way to check, but I don't know it.

anav · Mon Nov 21, 2022 9:16 pm

Firstly, MKX, I agree,,,,,,,,,, I mean we had no revolution like in the US, we were part of the BR empire and FR empire and somehow we formed an independent country.
Its almost as if it was just too hard for the British and French to deal with and they sort of gave up and left.
Thank god the americans didnt get north greedy LOL. Although how the heck they got Alaska is bizarre.

As far as being right, my take is the OP is reporting that despite the config,
he can go to any PC on 10.0.30.024 subnet stick in 8.8.4.4 for DNS server on the ipV4 setting and go directly to 8.8.4.4
This is NOT what is supposed to happen I thought. The PC should have been directed to the Pihole DNS server.

Unless I am mistaken which is more than likely that indeed the pC was redirected to pi hole and then from pi-hole went to 8.8.4.4???
For me the missing part of this equation is we have no idea how the pi-hole is setup???
Further does he have all pi-hole queries going to 9.9.9.9 for example.??

So I dont understand the mechanics, perhaps you can wax eloquently ??

In other words, althoughtit is comforting that no DNS occurred from that PC when PIhole was removed.
How the heck did it get to 8.8.4.4 ??????????

mkx · Mon Nov 21, 2022 10:18 pm

The idea of configuring the two dst-nat rules for port 53 (both TCP and UDP) is to make redirection to pihole transparent (as in: invisible) to users. So it should intercept any connection to any DNS server and direct it to pihole. Since the whole thing is transparent, DNS client in LAN can not find out it's actually talking to pihole when it thinks it's talking to 8.8.4.4.
There are a few ways of checking whether redirection really works, the most straight-forward (and brutal) is to disconnect pihole. Other ways involve sniffing and snooping on different interfaces to reconstruct packet flow, but going this way implies confidence in one's own troubleshooting skills.

So cable disconnection was what @matumatu did and result is as expected according to recipe by @anav (i.e. no DNS resolving possible).

anav · Mon Nov 21, 2022 11:37 pm

I understand the explanation and the logic and that its working, but why then is the OP complaining that the PC gets to 8.8.4.4 which it put into the dns server at IPV4 on the PC.
That is the part that escapes me.......... The only conclusion is that the pi-hole directs that user to 8.8.4.4 and since we dont know the instruction set in the pihole who knows!!!

OR, the other possibility is that the router kinda sourcenats the whole thing.
the request comes from the PC on 8.8.4.4 and the router reroutes the request to pihole and the response from pihole comes back (using lets say 1.1.1.1) and the router unsource nats the response as though it came from 8.8.4.4 or something to that effect,...........

Buckeye · Tue Nov 22, 2022 9:16 am

How effective is this "forcing the use of the PiHole" for DNS really? especially with DoH? It's easy to enable in FireFox connection settings

FireFox DoH.png

broderick · Tue Nov 22, 2022 10:19 am

How effective is this "forcing the use of the PiHole" for DNS really? especially with DoH? It's easy to enable in FireFox connection settings

FireFox DoH.png

yeah, I don't think that there is anything you can do if someone wants to work around being redirected to pihole by using DoH.

matumatu · Tue Nov 22, 2022 11:12 am

How effective is this "forcing the use of the PiHole" for DNS really? especially with DoH? It's easy to enable in FireFox connection settings

FireFox DoH.png

The rules applies to port 53, using DoH users will bypass the restrictions configured on the router.
That's a good question though, how to protect and not allowed users to use DoH in your network. Blocking the IPs?

@anav & @mkx
You are right!!!
Even if custom DNS (8.8.4.4) is set on the PC, the DNS request goes to the Pi-hole and Pi-hole forwards to the DNS, which is set in Pi-hole configuration, in my case 1.1.1.1.
...but for the PC, this is transparent and while user is executing command nslookup google.com, as a result will see that response comes from 8.8.4.4 which is not really true.

BTW.
1. Do you know any good document I can read about Mikrotik firewall with examples to understand more?
2. Should I disable IPv6 on Mikrotik? I'm not going to use it, but I see some configuration i.e. in IPv6 Address List.
3. What FW rules must be created to allow WinBox access from VLAN_30 (10.0.30.0/24) to 10.0.30.1 port: 8219?
I managed to do this by: add action=accept chain=input in-interface=vlan30-Home src-address=10.0.30.2
4. What does this rule do add action=accept chain=forward in-interface-list=LAN out-interface-list=WAN? Allows the router to forward the traffic from LAN through the WAN port to the Internet?

anav · Tue Nov 22, 2022 2:36 pm

Broderick, the intention was not to defeat advanced attempts at DNS avoidance like using DOH. That is much more complex task and not sure if possible at all.
If dealing with such sophisticated abuse of a home router, the answer is to pull the plug, or at least the ethernet cable to such a device or turn off wifi for such users etc..........

3. That will work just fine!!
You will note I already have rules to allow you to manage the router via winbox.........
For the interface list called MANAGE, we defined/included the management vlan as I assumed thats where you were doing your managing, AND we also include the WG interface so if you were remotely trying to reach the mikrotik via wireguard you could could also reach it by winbox from away.

What you are stating is a new requirement which you didnt note before.........
SO your addition works! for the purpose of adding a single user; well done!

4. Correct, it says any user on the LAN interface list has access to the local WAN interface. It doesnt route them there it just says if they want to go there the firewall rules permit it.
As per your requirements, all vlans would have internet access!

/ip firewall filter
add action=accept chain=input comment=\
"defconf: accept established,related,untracked" connection-state=\
established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input dst-port=55820 protocol=udp log=yes
add action=accept chain=input in-interface-list=MANAGE
add action=accept chain=input in-interface=vlan30-Home src-address=10.0.30.2
add action=accept chain=input dst-port=53 protocol=tcp in-interface-list=LAN
add action=accept chain=input dst-port=53 protocol=udp in-interface-list=LAN
add action=drop chain=input comment="drop all else"
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
connection-state=established,related hw-offload=yes
add action=accept chain=forward comment=\
"defconf: accept established,related, untracked" connection-state=\
established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
connection-state=invalid
add action=accept chain=forward in-interface-list=MANAGE out-interface-list=LAN
add action=accept chain=forward in-interface=WG
add action=accept chain=forward in-interface-list=LAN out-interface-list=WAN
add action=drop chain=forward in-interface-list=block-printer out-interface=Vlan50-IOT
add action=accept chain=forward in-interface-list=LAN out-interface=vlan50-IOT dst-address=10.0.50.2/32
add action=accept chain=forward in-interface-list=LAN dst-address=10.0.10.2 dst-port=53 protocol=tcp
add action=accept chain=forward in-interface-list=LAN dst-address=10.0.10.2 dst-port=53 protocol=udp
add action=accept chain=forward in-interface=vlan30-Home out-interface=vlan10-Control dst-address-list=thirty-2-ten
add action=accept chain=forward in-interface=vlan30-Home out-interface=vlan50-IOT dst-address-list=thirty-2-fifty
add action=accept chain=forward connection-nat-state=dstnat comment="allow port forwarding"
add action=drop chain=forward comment="drop all else"

mkx · Tue Nov 22, 2022 8:33 pm

That is the part that escapes me..........

You're trying to harden the point made in post #29 above about French and British giving up on Canadians, right?

I wrote:

Since the whole thing is transparent, DNS client in LAN can not find out it's actually talking to pihole when it thinks it's talking to 8.8.4.4.

And the detail about DNS client not being able to tell which DNS server it's talking to ... obviously escaped @matumatu as well.

anav · Tue Nov 22, 2022 9:20 pm

I'm good now! I drank some czech beer, and its all clear.

matumatu · Tue Nov 22, 2022 10:41 pm

@anav
You will note I already have rules to allow you to manage the router via winbox.........
For the interface list called MANAGE, we defined/included the management vlan as I assumed thats where you were doing your managing, AND we also include the WG interface so if you were remotely trying to reach the mikrotik via wireguard you could could also reach it by winbox from away.

Yes, I remember, but started playing with firewall rules to understand each one - one by one

I need to find a way to set up a virtual lab, to easier test out the firewall rules.

Thank you all of you for help!
I'm sure the topic will be enormously useful to new ones who wants to configure the router from scratch and understand each line of the config.
Brilliant

anav · Sat Nov 26, 2022 4:55 pm

From the other thread, there is one last step to ensure users within the same subnet as pihole can use teh service.

add chain=srcnat action=masquerade dst-address=10.0.10.0/24 src-address=10.0.10.0/24

I suppose you could even get more particular and accurate.
add chain=srcnat action=masquerade protocol=udp src-address=10.0.10.0/24 dst-address=10.0.10.0/24 dst-port=53
add chain=srcnat action=masquerade protocol=tcp src-address=10.0.10.0/24 dst-address=10.0.10.0/24 dst-port=53

matumatu · Sun Nov 27, 2022 6:27 pm

Thank you!