jibanes
newbie
Topic Author
Posts: 27
Joined: Sun Mar 25, 2012 8:13 am

Basic Firewall Question

Sat May 20, 2023 10:41 pm

Below is my router's configuration (running 7.9). I would like to have my linux box on 192.168.1.5 be able to ssh to 192.168.2.2.
As you see, the 192.168.1.0/24 and 192.168.2.0/24 networks are relatively isolated (see firewall rules 3 and 4), as 192.168.2.0/24 is reserved for wireless, aka the "guest network".
However, I cannot reach 192.168.2.2 from 192.168.1.5 (the ssh just hangs); would you please help me understand why?
Alternatively, maybe I need a firewall nat rule instead? If so, what would it look like?
If you can also provide some recommendations for the other rules, in terms of ordering and such, please don't hesitate to chime in, many thanks for looking into this!
Code:
[admin@sea-rou-001] > /ip/address/print
Flags: D - DYNAMIC
Columns: ADDRESS, NETWORK, INTERFACE
#   ADDRESS           NETWORK           INTERFACE
0   192.168.1.1/24    192.168.1.0       ether2
1   192.168.2.1/24    192.168.2.0       ether3
2 D HIDDEN_PUBLIC_IP  HIDDEN_PUBLIC_IP  ether1

[admin@sea-rou-001] > /ip/firewall/filter/print
Flags: X - disabled, I - invalid; D - dynamic
0 D ;;; special dummy rule to show fasttrack counters
    chain=forward action=passthrough

1   ;;; Necessary for the router to get ntp and upgrades.
    chain=input action=accept connection-state=established,related connection-mark="" log=no log-prefix=""

2   chain=forward action=accept protocol=tcp src-address=192.168.1.5 dst-address=192.168.2.2 in-interface=ether3 out-interface=ether2 dst-port=22

3   ;;; block all traffic from LAN to guest network
    chain=forward action=drop in-interface=ether3 out-interface=ether2 log=yes log-prefix="firewall"

4   ;;; block all traffic from guest to LAN network
    chain=forward action=drop in-interface=ether2 out-interface=ether3 log=yes log-prefix="firewall"

5   ;;; block all traffic from the internet to ether1
    chain=input action=drop in-interface=ether1 log=no log-prefix=""
mkx
Forum Guru
Posts: 10405
Joined: Thu Mar 03, 2016 10:23 pm

Re: Basic Firewall Question

Sat May 20, 2023 10:49 pm

The firewall rule #2 only allows "forward" packets, but not return packets. Default firewall filter ruleset has a rule which allows all kind of return packets:
Code:
add action=accept chain=forward comment="defconf: accept established,related, untracked" \
    connection-state=established,related,untracked

and is one of top-most rules (for multiple reasons).

It's not really smart move to ditch default setup and then try to construct proper firewall setup without really good knowledge about how firewall filter rules work.

Edit: fixed rule number I'm referring to in first sentence.
Last edited by mkx on Sat May 20, 2023 11:12 pm, edited 1 time in total.
anav
Forum Guru
Posts: 17588
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Basic Firewall Question

Sat May 20, 2023 10:57 pm

In other words, do not play the copy and paste crap from various places before understanding what the rules are actually doing.
jibanes
newbie
Topic Author
Posts: 27
Joined: Sun Mar 25, 2012 8:13 am

Re: Basic Firewall Question

Sat May 20, 2023 11:01 pm

Sorry, for clarity you are saying I should add this rule in position 1 or 2?
mkx
Forum Guru
Posts: 10405
Joined: Thu Mar 03, 2016 10:23 pm

Re: Basic Firewall Question

Sat May 20, 2023 11:11 pm

In your case it doesn't matter because current rule #1 is for input chain .. but it does add to readability if rules for some chain are not mixed with rules for other chains. For this reason, make the new rule number 2.
jibanes
newbie
Topic Author
Posts: 27
Joined: Sun Mar 25, 2012 8:13 am

Re: Basic Firewall Question

Sat May 20, 2023 11:12 pm

Thanks, I did, but it didn't solve my problem though...
jibanes
newbie
Topic Author
Posts: 27
Joined: Sun Mar 25, 2012 8:13 am

Re: Basic Firewall Question

Sun May 21, 2023 1:30 am

I have this now, but when I enable rule #4 it still doesn't work.
I think the problem is that the return traffic from 192.168.2.2 to 192.168.1.5 is blocked, how can I fix that?
Also are rules 2 and 3 redundant?
Code:
Flags: X - disabled, I - invalid; D - dynamic
0 D ;;; special dummy rule to show fasttrack counters
    chain=forward action=passthrough

1   ;;; Drop Invalid connections
    chain=input action=drop connection-state=invalid

2   ;;; Allow Established/Related/Untracked connections
    chain=input action=accept connection-state=established,related,untracked

3   ;;; Necessary for the router to get ntp and upgrades.
    chain=input action=accept connection-state=established,related connection-mark="" log=no log-prefix=""

4 X chain=forward action=accept connection-state=established,related protocol=tcp src-address=192.168.1.5 dst-address=192.168.2.2 in-interface=ether3 out-interface=ether2 dst-port=22

5   ;;; block all traffic from LAN to guest network
    chain=forward action=drop in-interface=ether3 out-interface=ether2 log=yes log-prefix="firewall"

6   ;;; block all traffic from guest to LAN network
    chain=forward action=drop in-interface=ether2 out-interface=ether3 log=yes log-prefix="firewall"

7   ;;; block all traffic from the internet to ether1
    chain=input action=drop in-interface=ether1 log=no log-prefix=""
anav
Forum Guru
Posts: 17588
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Basic Firewall Question

Sun May 21, 2023 2:26 am

If you want comprehensive help, we don't like playing whack-a-mole.

Provide a network diagram and a full config:
/export file=anynameyouwish (minus router serial number and any public WANIP information)
jibanes
newbie
Topic Author
Posts: 27
Joined: Sun Mar 25, 2012 8:13 am

Re: Basic Firewall Question

Sun May 21, 2023 8:11 am

Diagram:
Code:
DSL modem -> sea-rou-001 (config below) ether1 interface
sea-rou-001 ether2 -> connected to dumb switch, network=192.168.1.0/24 "LAN" with desktops etc.
sea-rou-001 ether3 -> connected to dumb switch, network=192.168.2.0/24 guest wifi

The guest wifi network is considered hostile and insecure; someone may crack the wifi password and "get in" easily. It has multiple access points.
The "dumb switch"(es) are just SOHO switches with all interfaces bridged, no VLANs. The dumb switches are not connected to each other, naturally.
The firewall config is on sea-rou-001, which is shown below.

Thank you for looking.
Code:
# 5/20/2023 22:02:43 by RouterOS 7.9
# software id = XXXX-XXXX
#
# model = CCR2004-16G-2S+
# serial number = XXXXXXXX
/interface ethernet set [ find default-name=ether1 ] mac-address=00:0C:42:XX:XX:XX
/interface list add name=WAN
/interface list add name=LAN
/interface wireless security-profiles set [ find default=yes ] supplicant-identity=MikroTik
/ip dhcp-server add interface=ether2 lease-time=1h name=dhcp-server
/ip dhcp-server option add code=17 name=ripley-root-path value="'192.168.1.201:/vol/vol1/diskless/root/ripley'"
/ip dhcp-server option add code=67 name=ripley-boot-filename value="'ripley/pxelinux.0'"
/ip dhcp-server option add code=66 name=tftp-server-name value="'192.168.1.201'"
/ip dhcp-server option sets add name=ripley options=ripley-boot-filename,ripley-root-path,tftp-server-name
/port set 0 name=serial0
/port set 1 name=serial1
/system logging action set 3 remote=192.168.1.5
/interface list member add interface=ether1 list=WAN
/interface list member add list=LAN
/ip address add address=192.168.1.1/24 interface=ether2 network=192.168.1.0
/ip address add address=192.168.2.1/24 interface=ether3 network=192.168.2.0
/ip dhcp-client add interface=ether1
/ip dhcp-server lease add address=192.168.1.4 comment=ripley dhcp-option-set=ripley mac-address=FC:4D:D4:XX:XX:XX server=dhcp-server
/ip dhcp-server network add address=192.168.1.0/24 dns-server=1.1.1.1 domain=XXX.com gateway=192.168.1.1 netmask=32 next-server=192.168.1.201
/ip dns set allow-remote-requests=yes cache-max-ttl=1d servers=192.168.1.1
/ip firewall filter add action=drop chain=input comment="Drop Invalid connections" connection-state=invalid
/ip firewall filter add action=accept chain=input comment="Allow Established/Related/Untracked connections" connection-state=established,related,untracked
/ip firewall filter add action=accept chain=input comment="Necessary for the router to get ntp and upgrades." connection-mark="" connection-state=established,related
/ip firewall filter add action=accept chain=forward disabled=yes dst-address=192.168.2.2 dst-port=22 in-interface=ether2 out-interface=ether3 protocol=tcp src-address=192.168.1.5
/ip firewall filter add action=accept chain=forward disabled=yes dst-address=192.168.1.5 in-interface=ether3 out-interface=ether2 protocol=tcp src-address=192.168.2.2 src-port=22
/ip firewall filter add action=drop chain=forward comment="block all traffic from LAN to guest network" in-interface=ether3 log=yes log-prefix=firewall out-interface=ether2
/ip firewall filter add action=drop chain=forward comment="block all traffic from guest to LAN network" in-interface=ether2 log=yes log-prefix=firewall out-interface=ether3
/ip firewall filter add action=drop chain=input comment="block all traffic from the internet to ether1" in-interface=ether1
/ip firewall nat add action=dst-nat chain=dstnat dst-port=8090 in-interface=ether1 protocol=tcp src-address=XX.XX.XX.XX to-addresses=192.168.1.XXX to-ports=XXXX
/ip firewall nat add action=masquerade chain=srcnat out-interface=ether1 out-interface-list=WAN
/system clock set time-zone-name=America/Los_Angeles
/system identity set name=sea-rou-001
/system logging set 0 action=remote
/system logging set 1 action=remote
/system logging set 2 action=remote
/system logging set 3 action=remote
/system note set show-at-login=no
/system ntp client set enabled=yes
/system ntp client servers add address=time.nist.gov
mkx
Forum Guru
Posts: 10405
Joined: Thu Mar 03, 2016 10:23 pm

Re: Basic Firewall Question

Sun May 21, 2023 9:11 am

I have this now, but when I enable rule #4 it still doesn't work.

Of course it doesn't work ... the rule you added is for chain=input while the blocking one is for chain=forward. Which indicates that you don't understand the role of chains ...

Really: if you are ready to ditch the (good) default firewall config and construct an entirely new one (as opposed to keeping the default one and doing minor changes), then you'll have to dive into (a very deep) cave of learning mikrotik firewall concepts ...
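What mkx's two replies describe (return traffic must be accepted in the forward chain, above the drop rules, and an input-chain rule does nothing for forwarded packets), written out as an added example for this thread's layout. It is not the poster's export and not the full MikroTik default ruleset; interface names and addresses are the ones from the /ip/address output in the first post.

```routeros
# Added example, not the poster's configuration. LAN 192.168.1.0/24 is on
# ether2 and guest 192.168.2.0/24 on ether3, as in the /ip/address output.
# RouterOS walks a chain top to bottom and stops at the first matching rule
# whose action terminates (accept/drop), so the order below is the point.
/ip firewall filter
# 1. Return packets of any connection that was allowed to start, in either
#    direction. Without this rule the SYN-ACK from 192.168.2.2 enters the
#    forward chain, matches no accept rule and is dropped by the
#    guest -> LAN rule, which is why the ssh session just hangs.
add chain=forward action=accept connection-state=established,related,untracked \
    comment="forward: accept return traffic of allowed connections"
# 2. Packets that belong to no tracked connection and do not open one.
add chain=forward action=drop connection-state=invalid \
    comment="forward: drop invalid"
# 3. The one new connection to allow: LAN host -> guest host, tcp/22.
#    Traffic that originates on the LAN enters on ether2 and leaves on ether3.
add chain=forward action=accept connection-state=new protocol=tcp \
    src-address=192.168.1.5 dst-address=192.168.2.2 dst-port=22 \
    in-interface=ether2 out-interface=ether3 \
    comment="forward: allow 192.168.1.5 -> 192.168.2.2 ssh"
# 4. Isolation between the two segments, each rule named by the direction
#    its in-interface/out-interface pair actually matches.
add chain=forward action=drop in-interface=ether2 out-interface=ether3 \
    log=yes log-prefix=firewall comment="forward: block LAN -> guest"
add chain=forward action=drop in-interface=ether3 out-interface=ether2 \
    log=yes log-prefix=firewall comment="forward: block guest -> LAN"
```

Connection state is evaluated per chain: the established/related accept that the second listing has in chain=input only covers packets addressed to the router itself, so a copy of it is needed in chain=forward for the ssh return packets.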
anav
Forum Guru
Posts: 17588
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Basic Firewall Question

Sun May 21, 2023 4:05 pm

jibanes
newbie
Topic Author
Posts: 27
Joined: Sun Mar 25, 2012 8:13 am

Re: Basic Firewall Question

Sun May 21, 2023 7:22 pm

Thank you, I will read the link you have provided, my concern is that I'm very far from the router itself, and if I lose connectivity it would be disastrous; is there a way to try a configuration only for a few minutes (like it's the case on JunOS)?
Buckeye
Forum Veteran
Posts: 883
Joined: Tue Sep 11, 2018 2:03 am
Location: Ohio, USA

Re: Basic Firewall Question

Sun May 21, 2023 10:14 pm

There is nothing like Juniper commit confirmed (or vyatta commit-confirm) if that is what you are referring to (built in).

Here's an outline of a workaround by @rextended here, with a possible implementation by @lukastribus here.
mkx
Forum Guru
Posts: 10405
Joined: Thu Mar 03, 2016 10:23 pm

Re: Basic Firewall Question

Sun May 21, 2023 11:12 pm

Another possibility: safe mode. If the management connection drops while safe mode is enabled, then all changes since enabling safe mode are reverted.

Edit: now I noticed that linked posts from post above are mentioning safe mode ...