How to firewall when behind ISP modem
Posted: Wed Nov 13, 2024 11:39 am
by alex3025
Hello,
I've just bought an RB5009 for my homelab to get better at my networking skills.
I have started from ground up, so I'm not using the defconf of the MT.
Currently I've set-up just a PPPoE client (my modem is in bridge mode) and a NAT rule to get internet access on the router and made some VLANS.
The only thing that's missing to put the RB5009 in "production" is the firewall rules... and I'm a bit lost here.
How can I "secure" my router? What are the must-have/suggested firewall rules?
P.S. I would also like to use the BackToHome service.
Re: How to firewall when behind ISP modem
Posted: Wed Nov 13, 2024 12:08 pm
by mkx
I have started from ground up, so I'm not using the defconf of the MT.
IMO this is a pretty bad decision. Default MT firewall is quite good and allows for easy adaptation (e.g. for using PPPoE instead of DHCP client as WAN "technology"). It also allows you to make adjustments (e.g. for port forwarding).
If you want to learn, then start with default config, play with changes and observe effects.
Re: How to firewall when behind ISP modem
Posted: Wed Nov 13, 2024 12:38 pm
by alex3025
I've started without the default configuration to know exactly what was going on under the hood and what I did with my hands :/
Re: How to firewall when behind ISP modem
Posted: Wed Nov 13, 2024 1:33 pm
by anav
Why will you need BTH? It's only for the case where you don't have a public IP, or the ISP router doesn't get a public IP, or the ISP router gets a public IP but you cannot forward a port to the MT device.
Further, it's only good for single devices to your router; it will not support remote router to your router.
Ref Firewall: what is the point of us giving you a firewall rule set... it would be the same as using the default... you still don't know what it's doing.
So mkx's advice of using the default to start... then see what it is, and try to make sense of the rules they have implemented, and then ask intelligent questions about the default...
Re: How to firewall when behind ISP modem
Posted: Wed Nov 13, 2024 1:38 pm
by jvanhambelgium
> How can I "secure" my router? What are the must-have/suggested firewall rules?
Focus on adding rules to the INPUT-chain.
These are packets targeting the RouterOS itself.
Securing the router would mean:
-> you want to filter out crap hitting the INPUT chain, e.g. coming in from your WAN and hitting your box on unwanted ports (e.g. ssh, winbox, ...), and/or create a white-list to only allow certain public IPs to hit your router.
-> you want to additionally tighten security so that the winbox, ssh, https, api interfaces are not just "open" from any IP but narrow down also at that level (see "ip" -> "services").
-> you want to remove/rename the default "admin" user to something else AND also at this level narrow down the "allowed-ip" ranges that are allowed.
-> Look at VPN: set up a VPN layer through which you perform admin activities.
Re: How to firewall when behind ISP modem
Posted: Wed Nov 13, 2024 1:44 pm
by alex3025
Why will you need BTH
I need it to easily have a VPN to my home from my phone (with MT app), not PTP routers.
I know how to setup a "normal" Wireguard server and so on but BTH seemed a good "integrated" feature, along with the Android app.
Ref Firewall: what is the point of us giving you a firewall rule set... it would be the same as using the default... you still don't know what it's doing.
So mkx's advice of using the default to start... then see what it is, and try to make sense of the rules they have implemented, and then ask intelligent questions about the default...
I don't need a rule set, I was searching for suggestions like @jvanhambelgium did in their post up here. I can figure out the implementation myself.
Is the default rule set a good starting point to allow me to expose my router and "not be hacked"?
Re: How to firewall when behind ISP modem
Posted: Wed Nov 13, 2024 1:52 pm
by alex3025
deleted
Re: How to firewall when behind ISP modem
Posted: Wed Nov 13, 2024 1:58 pm
by holvoetn
Is the default rule set a good starting point to allow me to expose my router and "not be hacked"?
Simple answer: yes.
And if you do not have any or very limited port forwarding on your ISP router towards that RB5009, chances are even slimmer that anything will happen.
I have the same setup at home. I only allow ports which I need for my wireguard connections through ISP router, nothing else.
Re: How to firewall when behind ISP modem
Posted: Wed Nov 13, 2024 3:46 pm
by alex3025
I only allow ports which I need for my wireguard connections through ISP router, nothing else.
So you have a double-nat going on?
Re: How to firewall when behind ISP modem
Posted: Wed Nov 13, 2024 3:51 pm
by holvoetn
Yes, so what?
I got no problems with that setup.
Re: How to firewall when behind ISP modem
Posted: Wed Nov 13, 2024 4:13 pm
by anav
Ahh now I understand your BTH approach.
There is no need for BTH if your router gets a public IP, but as you note, personal choice; it is an option and a bit easier.
The main difference is that BTH uses and relies upon a MikroTik cloud server (and only covers devices to the home router, not router-to-router connections).
In your case with a public IP, I believe BTH can figure this out and bypasses the cloud server, so in effect it is the same as a manual setup.
I use MT routers behind my main router, mainly to ensure they can apply wireguard etc., but it's the only time I don't use firewall rules on MT devices (if behind an MT router that does).
I would do the same as holvoetn, aka not pretend NAT of an upstream ISP router is a security solution.
Re: How to firewall when behind ISP modem
Posted: Wed Nov 13, 2024 4:16 pm
by alex3025
Yes, so what?
I got no problems with that setup.
Nothing, just wanted to confirm that I understood correctly.
Re: How to firewall when behind ISP modem
Posted: Wed Nov 13, 2024 10:30 pm
by alex3025
Ok so, I've created the following rules.
How do they look to you? Are they OK to secure my network? (I also did some other stuff from the First Time Configuration docs.)
/ip firewall filter
add action=drop chain=input comment="drop <invalid> packets" connection-state=invalid log=yes log-prefix=invalid
add action=drop chain=forward comment="drop <invalid> packets" connection-state=invalid log=yes log-prefix=invalid
add action=drop chain=forward comment="drop NAT overtake (to LAN from WAN w/o NAT)" connection-nat-state=!dstnat connection-state=new in-interface-list=WAN log=yes log-prefix=!NAT
add action=accept chain=input comment="accept <established>, <related> and <untracked> packets" connection-state=established,related,untracked
add action=accept chain=input comment="allow icmp (ping)" in-interface-list=WAN protocol=icmp
add action=drop chain=input comment="drop everything else" in-interface-list=WAN
add action=fasttrack-connection chain=forward comment="fast-track for <established> and <related> connections" connection-state=established,related hw-offload=yes
add action=accept chain=forward comment="fallback accept for <established> and <related> connections" connection-state=established,related
Re: How to firewall when behind ISP modem
Posted: Thu Nov 14, 2024 12:21 am
by anav
Keep chains together.
/ip firewall filter
{ default rules to keep }
add action=accept chain=input connection-state=established,related,untracked
add action=drop chain=input comment="drop <invalid> packets" connection-state=invalid log=yes log-prefix=invalid
add action=accept chain=input protocol=icmp
{ admin added rules }
add action=accept chain=input comment="any incoming vpn" dst-port=vpnPort protocol=udp/tcp? { if required }
add action=accept chain=input comment="Users to services" in-interface-list=LAN
add action=drop chain=input comment="drop all else"
++++++++++++++++++++++++++++++++++++++++++++++
{ default rules to keep }
add action=fasttrack-connection chain=forward comment="fast-track for <established> and <related> connections" connection-state=established,related hw-offload=yes
add action=accept chain=forward comment="fallback accept for <established> and <related> connections" connection-state=established,related,untracked
add action=drop chain=forward comment="drop <invalid> packets" connection-state=invalid log=yes log-prefix=invalid
{ admin rules }
add action=accept chain=forward comment="internet traffic" in-interface-list=LAN out-interface-list=WAN
add action=accept chain=forward comment="vpn traffic entering or leaving" in-interface=VPN or out-interface=VPN dst-address or src-address=subnet { if required }
add action=accept chain=forward comment="port forwarding" connection-nat-state=dstnat
add action=drop chain=forward comment="drop all else"
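As an added example (not from any poster, nor MikroTik code), here is a small Python replay of alex3025's posted rule set that shows what anav's closing "drop all else" lines address: packets that match no rule in a chain are accepted by the RouterOS default policy, so a LAN host reaching the router's input chain, or one VLAN forwarding to another, passes without any rule saying so. Packets are constructed dicts keyed like the rule matchers; interface-list membership is given directly on the packet to keep the demo short.

```python
"""First-match replay of the '/ip firewall filter' rules posted above (added
example, not from the thread or MikroTik): parse the export lines, then push
constructed packets through a chain to see which rule fires and what happens
when no rule matches, because RouterOS then accepts by default."""
import shlex

POSTED_RULES = """
/ip firewall filter
add action=drop chain=input comment="drop <invalid> packets" connection-state=invalid log=yes log-prefix=invalid
add action=drop chain=forward comment="drop <invalid> packets" connection-state=invalid log=yes log-prefix=invalid
add action=drop chain=forward comment="drop NAT overtake (to LAN from WAN w/o NAT)" connection-nat-state=!dstnat connection-state=new in-interface-list=WAN log=yes log-prefix=!NAT
add action=accept chain=input comment="accept <established>, <related> and <untracked> packets" connection-state=established,related,untracked
add action=accept chain=input comment="allow icmp (ping)" in-interface-list=WAN protocol=icmp
add action=drop chain=input comment="drop everything else" in-interface-list=WAN
add action=fasttrack-connection chain=forward comment="fast-track for <established> and <related> connections" connection-state=established,related hw-offload=yes
add action=accept chain=forward comment="fallback accept for <established> and <related> connections" connection-state=established,related
"""

def parse_rules(export_text):
    """Turn 'add key=value ...' lines into dicts; shlex keeps quoted comments whole."""
    rules = []
    for line in export_text.splitlines():
        tokens = shlex.split(line)
        if tokens and tokens[0] == "add":
            rules.append(dict(tok.split("=", 1) for tok in tokens[1:]))
    return rules

NON_MATCHERS = {"action", "chain", "comment", "log", "log-prefix", "hw-offload"}

def _matches(rule, pkt):
    """All matchers must hold: '!' negates, a comma list means any-of. A packet
    is a dict keyed like the rule matchers (constructed for this demo)."""
    for key, want in rule.items():
        if key in NON_MATCHERS:
            continue
        negate = want.startswith("!")
        hit = pkt.get(key, "") in want.lstrip("!").split(",")
        if hit == negate:
            return False
    return True

def verdict(rules, chain, pkt):
    """Walk the chain in order; the first match decides (fasttrack counts as accept)."""
    for rule in rules:
        if rule["chain"] == chain and _matches(rule, pkt):
            act = "accept" if rule["action"] == "fasttrack-connection" else rule["action"]
            return act, rule.get("comment", "")
    return "accept", "<no rule matched: RouterOS default>"

RULES = parse_rules(POSTED_RULES)
```

Appending anav's two input-chain lines (accept from LAN, then drop all else) to RULES and replaying a LAN packet shows the explicit accept is what keeps LAN access to DNS and Winbox working once the default policy is no longer relied on.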