whuupwhuup
just joined
Topic Author
Posts: 8
Joined: Sun Jul 21, 2024 9:13 pm

Could anyone audit my setup?

Sun Nov 24, 2024 12:26 pm

Hi everyone

I went through the forum and set up my router based on what I have read. I would, however, be very grateful if any forum guru could verify whether I got it right. I am particularly concerned whether:
1. My Wifi setup is correctly configured and safe
2. My IPv4 rules are correctly configured and my IPv6 settings correctly disabled, so my router is safe to use

My entire config is as follows (any help would be greatly appreciated):

# 2024-11-19 16:30:13 by RouterOS 7.15.3
# software id = KSYB-YVIV
#
# model = C53UiG+5HPaxD2HPaxD
/interface bridge
add name=Bridge-LAN
/interface ethernet
set [ find default-name=ether1 ] name=ether1-WAN
set [ find default-name=ether2 ] disabled=yes name=ether2-LAN
set [ find default-name=ether3 ] disabled=yes name=ether3-LAN
set [ find default-name=ether4 ] disabled=yes name=ether4-LAN
set [ find default-name=ether5 ] disabled=yes name=ether5-LAN
/interface list
add name=WAN
add name=LAN
/interface wifi configuration
add channel.band=2ghz-ax .width=20/40mhz-eC country=Germany disabled=no \
mode=ap name="2.4ghz Config" security.authentication-types=wpa3-psk .wps=\
disable ssid=TestNet
add channel.band=5ghz-ax .width=20/40mhz-eC country=Germany disabled=no \
mode=ap name="5ghz Config" security.authentication-types=wpa3-psk .wps=\
disable ssid=TestNet5G
/interface wifi
set [ find default-name=wifi1 ] configuration="5ghz Config" \
configuration.mode=ap name=Wifi1-5ghz security.authentication-types=\
wpa3-psk .wps=disable
set [ find default-name=wifi2 ] configuration="2.4ghz Config" \
configuration.mode=ap disabled=no name=Wifi2-2.4ghz \
security.authentication-types=wpa3-psk
/ip pool
add name=dhcp_pool1 ranges=192.168.0.20-192.168.0.254
/ip dhcp-server
add address-pool=dhcp_pool1 interface=Bridge-LAN name=dhcp1
/interface bridge port
add bridge=Bridge-LAN interface=ether2-LAN
add bridge=Bridge-LAN interface=ether3-LAN
add bridge=Bridge-LAN interface=ether4-LAN
add bridge=Bridge-LAN interface=ether5-LAN
add bridge=Bridge-LAN interface=Wifi2-2.4ghz
/ip neighbor discovery-settings
set discover-interface-list=none
/ip settings
set rp-filter=strict tcp-syncookies=yes
/ipv6 settings
set accept-redirects=no accept-router-advertisements=no disable-ipv6=yes \
forward=no
/interface list member
add interface=ether1-WAN list=WAN
add interface=Bridge-LAN list=LAN
/ip address
add address=192.168.0.1/24 interface=Bridge-LAN network=192.168.0.0
/ip cloud
set update-time=no
/ip dhcp-client
add interface=ether1-WAN
/ip dhcp-server lease
add address=192.168.0.15 client-id=1:XX:XX:XX:XX:XX:XX comment=XAdmin \
mac-address=XX:XX:XX:XX:XX:XX server=dhcp1
/ip dhcp-server network
add address=192.168.0.0/24 dns-server=192.168.0.1 gateway=192.168.0.1
/ip dns
set allow-remote-requests=yes
/ip firewall address-list
add address=192.168.0.15 comment=XAdmin list=Authorized
/ip firewall filter
add action=accept chain=input comment="accept established,related,untracked" \
connection-state=established,related,untracked
add action=drop chain=input comment="drop invalid" connection-state=invalid
add action=accept chain=input comment="accept ICMP" protocol=icmp
add action=accept chain=input comment="admin access" src-address-list=\
Authorized
add action=accept chain=input comment="users to services" dst-port=53 \
in-interface-list=LAN protocol=udp
add action=accept chain=input comment="users to services" dst-port=53 \
in-interface-list=LAN protocol=tcp
add action=drop chain=input comment="drop all else"
add action=accept chain=forward comment=\
"accept established,related,untracked" connection-state=\
established,related,untracked
add action=drop chain=forward comment="drop invalid" connection-state=invalid
add action=accept chain=forward comment="internet traffic" in-interface-list=\
LAN out-interface-list=WAN
add action=drop chain=forward comment="drop all else"
/ip firewall nat
add action=masquerade chain=srcnat out-interface=ether1-WAN
/ip service
set telnet disabled=yes
set ftp disabled=yes
set www disabled=yes
set ssh disabled=yes port=2421
set api disabled=yes
set api-ssl disabled=yes
/ip ssh
set strong-crypto=yes
/ipv6 firewall filter
add action=drop chain=input comment="Drop all IPv6 ICMP traffic" protocol=\
icmpv6
add action=drop chain=input comment="Drop all other IPv6 traffic"
add action=drop chain=forward comment="Drop all IPv6 forward traffic"
add action=drop chain=output comment="Drop all IPv6 output traffic"
/ipv6 nd
set [ find default=yes ] disabled=yes
/system clock
set time-zone-name=Europe/Brussels
/system note
set show-at-login=no
/system ntp client
set enabled=yes
/system ntp client servers
add address=0.pool.ntp.org
add address=1.pool.ntp.org
add address=2.pool.ntp.org
add address=3.pool.ntp.org
/tool bandwidth-server
set enabled=no
/tool mac-server
set allowed-interface-list=none
/tool mac-server mac-winbox
set allowed-interface-list=none
/tool mac-server ping
set enabled=no
 
mkx
Forum Guru
Posts: 12978
Joined: Thu Mar 03, 2016 10:23 pm

Re: Could anyone audit my setup?

Sun Nov 24, 2024 2:33 pm

It seems fine. It's on the paranoid side; I'd do two more things:
  1. for performance reasons I'd enable fasttrack:
    /ip firewall filter
    add action=fasttrack-connection chain=forward comment="fasttrack established,related" connection-state=established,related
    
    It should be pushed to the top of rules for forward chain, above existing "accept established,related,untracked" rule.
  2. I'd allow some means of management other than winbox over IP. It might come in handy if your only allowed management becomes unavailable for some reason. Personally I'm a fan of winbox MAC access for ultimate backup access, but I don't know if that's feasible ... you're limiting management access to a certain IP address. Which, BTW, is not very safe, as an IP address can be set manually, bypassing the DHCP server's static lease.
 
anav
Forum Guru
Posts: 21890
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Could anyone audit my setup?  [SOLVED]

Sun Nov 24, 2024 3:17 pm

1. You forgot to include your 5ghz wifi WLAN in /interface bridge port settings
/interface bridge port
add bridge=Bridge-LAN interface=ether2-LAN
add bridge=Bridge-LAN interface=ether3-LAN
add bridge=Bridge-LAN interface=ether4-LAN
add bridge=Bridge-LAN interface=ether5-LAN
add bridge=Bridge-LAN interface=Wifi2-2.4ghz

add bridge=Bridge-LAN interface=Wifi1-5ghz

2. Use neighbours discovery set to LAN (works with winbox and max and 7. to make your router config access easy)
/ip neighbor discovery-settings
set discover-interface-list=LAN

3. Use RP filter loose, not strict and forget about tcp syncookies
/ip settings
set rp-filter=loose tcp-syncookies=no


4. I would add a dynamic dns server if not using the ISP one
/ip dns
set allow-remote-requests=yes server=1.1.1.1

5. FIREWALL RULES look familiar and are fine except as MKX pointed out missing fasttrack
/ip firewall filter
add action=accept chain=input comment="accept established,related,untracked" \
connection-state=established,related,untracked
add action=drop chain=input comment="drop invalid" connection-state=invalid
add action=accept chain=input comment="accept ICMP" protocol=icmp
add action=accept chain=input comment="admin access" src-address-list=\
Authorized
add action=accept chain=input comment="users to services" dst-port=53 \
in-interface-list=LAN protocol=udp
add action=accept chain=input comment="users to services" dst-port=53 \
in-interface-list=LAN protocol=tcp
add action=drop chain=input comment="drop all else"

++++++++++++
add action=fasttrack-connection chain=forward connection-state=established,related
add action=accept chain=forward comment=\
"accept established,related,untracked" connection-state=\
established,related,untracked
add action=drop chain=forward comment="drop invalid" connection-state=invalid
add action=accept chain=forward comment="internet traffic" in-interface-list=\
LAN out-interface-list=WAN
add action=drop chain=forward comment="drop all else"


6. All you need to do for ipv6 if not using is to not use ipv6 services as you have done but only need two simple rules
add chain=input action=drop
add chain=forward action=drop


7. Set to LAN, this facilitates encrypted winbox access when on the router.
/tool mac-server mac-winbox
set allowed-interface-list=LAN

8. Your address list is lacking.................... You should be using static DHCP leases!
/ip firewall address-list
add address=192.168.0.15 comment="admin local desktop wired" list=Authorized
add address=192.168.0.X comment="admin laptop wifi" list=Authorized
add address=192.168.0.Y comment=" admin smartphone/ipad" list=Authorized
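A small audit script for the points raised in this thread: the fasttrack rule must sit above the accept established rule in the forward chain, each chain should end in an unconditional drop, and (mkx's caveat) an input accept that trusts a source address alone is weak because the address can be set statically. This is an added example, not code from the thread or from MikroTik; the export text inside it is constructed from the posted rules with anav's fasttrack rule on top.

```python
import re
import shlex

# Constructed sample: the OP's input chain plus the forward chain as anav recommends it
# (fasttrack first). Added example, not code from the thread.
SAMPLE_EXPORT = r"""
/ip firewall filter
add action=accept chain=input comment="accept established,related,untracked" \
connection-state=established,related,untracked
add action=accept chain=input comment="admin access" src-address-list=Authorized
add action=drop chain=input comment="drop all else"
add action=fasttrack-connection chain=forward connection-state=established,related
add action=accept chain=forward comment="accept established,related,untracked" \
connection-state=established,related,untracked
add action=accept chain=forward comment="internet traffic" in-interface-list=LAN \
out-interface-list=WAN
add action=drop chain=forward comment="drop all else"
"""

NON_MATCHERS = {"chain", "action", "comment"}  # keys that do not match traffic

def parse_rules(export):
    """Parse the 'add ...' lines of a RouterOS export into dicts, joining '\\' continuations."""
    joined = re.sub(r"\\\n", "", export)
    return [dict(tok.split("=", 1) for tok in shlex.split(line.strip())[1:])
            for line in joined.splitlines() if line.strip().startswith("add ")]

def audit(rules):
    """Return findings for the ordering and trust points raised in the thread ([] = clean)."""
    findings = []
    for chain in ("input", "forward"):
        chain_rules = [r for r in rules if r.get("chain") == chain]
        last = chain_rules[-1] if chain_rules else {}
        if last.get("action") != "drop" or set(last) - NON_MATCHERS:
            findings.append(f"{chain}: last rule is not an unconditional drop")
    fwd = [r for r in rules if r.get("chain") == "forward"]
    ft = next((i for i, r in enumerate(fwd) if r.get("action") == "fasttrack-connection"), None)
    est = next((i for i, r in enumerate(fwd) if r.get("action") == "accept"
                and "established" in r.get("connection-state", "")), None)
    if ft is None:
        findings.append("forward: no fasttrack-connection rule")
    elif est is not None and ft > est:
        findings.append("forward: fasttrack sits below accept established, so it never matches")
    for r in rules:  # mkx's point: a bare source-address allow can be satisfied with a static IP
        if (r.get("chain") == "input" and r.get("action") == "accept"
                and "src-address-list" in r and "in-interface-list" not in r):
            findings.append(f"input: '{r.get('comment')}' trusts source address alone")
    return findings
```

Run `audit(parse_rules(open("export.rsc").read()))` against your own `/export` output; the sample above yields only the admin-access finding.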
 
whuupwhuup
just joined
Topic Author
Posts: 8
Joined: Sun Jul 21, 2024 9:13 pm

Re: Could anyone audit my setup?

Mon Dec 23, 2024 1:51 pm

mkx, sorry for the late reply, December has been a busy month. Thank you for your insights, I highly appreciate it!
 
whuupwhuup
just joined
Topic Author
Posts: 8
Joined: Sun Jul 21, 2024 9:13 pm

Re: Could anyone audit my setup?

Mon Dec 23, 2024 1:52 pm

Also anav, thank you very much for your insights, truly appreciated!
