Josephny
Member Candidate
Topic Author
Posts: 162
Joined: Tue Sep 20, 2022 12:11 am

Check my config please

Tue Oct 18, 2022 12:52 pm

Just got a new Hex to replace a Verizon G3100 (while waiting for an RB5009).

Could someone please check my config to see if I'm secure? I forward ports 5800 and 5900 for VNC, and 8123 for Home Assistant.

Thank you!
# oct/18/2022 05:47:15 by RouterOS 6.49.7
# software id = C3RH-692B
#
# model = RB750Gr3
# serial number = 
# --- Review notes (added): the topic author's first export, posted for a
# security check. RouterOS evaluates firewall rules top to bottom within a
# chain and the first match decides, so rule order matters. Problem spots
# are flagged inline with NOTE(review); anav's reply below covers the same
# points.
/interface bridge
add admin-mac=18:FD:00:00:00:00 auto-mac=no comment=defconf name=bridge
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip pool
add name=dhcp ranges=192.168.2.100-192.168.2.200
/ip dhcp-server
add address-pool=dhcp disabled=no interface=bridge name=defconf
/interface bridge port
add bridge=bridge comment=defconf interface=ether2
add bridge=bridge comment=defconf interface=ether3
add bridge=bridge comment=defconf interface=ether4
add bridge=bridge comment=defconf interface=ether5
/ip neighbor discovery-settings
set discover-interface-list=LAN
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=ether1 list=WAN
/ip address
add address=192.168.2.2/24 comment=defconf interface=bridge network=\
    192.168.2.0
/ip dhcp-client
add comment=defconf disabled=no interface=ether1
/ip dhcp-server network
add address=192.168.2.0/24 comment=defconf gateway=192.168.2.2 netmask=24
/ip dns
# The router resolves DNS for clients (allow-remote-requests=yes). That is
# only acceptable while the input chain blocks new traffic from the WAN,
# which the "drop chain=input in-interface=ether1" rule below does.
set allow-remote-requests=yes servers=8.8.8.8,1.1.1.1
/ip dns static
add address=192.168.2.2 comment=defconf name=router.lan
/ip firewall filter
# NOTE(review): the next three rules accept any forward packet entering
# ether1 with the given TCP dst-port, to ANY destination (no dst-address).
# No dst-nat rule exists anywhere in this export, so WAN traffic to these
# ports is addressed to the router's own WAN IP and is handled by the input
# chain, never by forward -- the rules do not implement the intended port
# forwards. Exposing VNC (5800/5900) straight to the internet is also
# high-risk; the WireGuard VPN mentioned later in the thread is the safer
# way to reach it.
add action=accept chain=forward dst-port=5800 in-interface=ether1 log=yes \
    protocol=tcp
add action=accept chain=forward dst-port=5900 in-interface=ether1 log=yes \
    protocol=tcp
add action=accept chain=forward dst-port=8123 in-interface=ether1 log=yes \
    protocol=tcp
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
# Drops (and logs) everything else that reaches the router itself from
# ether1; the remaining input rules only ever see non-ether1 traffic.
add action=drop chain=input in-interface=ether1 log=yes
# NOTE(review): accepts EVERY forward packet from ether1 to the bridge,
# including new connections, and sits above the defconf
# "drop all from WAN not DSTNATed" rule, so that safeguard is never reached
# for WAN->LAN traffic. Remove it: the defconf rule only drops WAN
# connections that were not DNATed, so legitimate forwards pass anyway.
add action=accept chain=forward in-interface=ether1 out-interface=bridge
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=accept chain=input comment=\
    "defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
    in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
    ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
    ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
    connection-state=established,related
add action=accept chain=forward comment=\
    "defconf: accept established,related, untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
add action=drop chain=forward comment=\
    "defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
    connection-state=new in-interface-list=WAN
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" \
    ipsec-policy=out,none out-interface-list=WAN src-address=192.168.0.0/16
# NOTE(review): the three rules below are src-nat: they rewrite the SOURCE
# address of traffic headed to the LAN host to that host's own address. A
# port forward is chain=dstnat action=dst-nat, matching the WAN side
# (anav's reply: in-interface-list=WAN for a dynamic WAN IP, or
# dst-address=<static WAN IP>) with to-addresses=<LAN host>.
add action=src-nat chain=srcnat dst-address=192.168.2.22 dst-port=5800 log=\
    yes protocol=tcp to-addresses=192.168.2.22
add action=src-nat chain=srcnat dst-address=192.168.2.22 dst-port=5900 log=\
    yes protocol=tcp to-addresses=192.168.2.22
add action=src-nat chain=srcnat dst-address=192.168.2.176 dst-port=8123 log=\
    yes protocol=tcp to-addresses=192.168.2.176
/ip route
# Disabled static default route via 192.168.2.1, an address on the LAN
# subnet -- presumably left over from the previous router; the live default
# route should come from the dhcp-client on ether1 (confirm with
# /ip route print).
add disabled=yes distance=1 gateway=192.168.2.1
/system clock
set time-zone-name=America/New_York
/system identity
set name=RouterOS
/system ntp client
set enabled=yes primary-ntp=216.239.35.4 secondary-ntp=104.16.132.229
/tool mac-server
# MAC-telnet and MAC-WinBox answer on LAN interfaces. anav's reply says
# plain mac-server is unencrypted and should be set to none.
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN
/tool traffic-monitor
add interface=ether1 name=tmon1
Last edited by Josephny on Fri Oct 21, 2022 12:27 am, edited 1 time in total.
 
anav
Forum Guru
Posts: 14485
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Check my config please  [SOLVED]

Tue Oct 18, 2022 1:54 pm

It would appear you have no clue on how to use firewall rules.
Start with the defaults...... and then add DST NAT rules for the specific ports.
Only one rule is required in the forward chain for port forwarding in general.
Suggest some reading.....
viewtopic.php?t=179343

Also, a basic firewall something like this will work for you....
Then simply add any additional rules required in the forward chain, which will be few to none....
Order of rules is important...........
/ip firewall filter
# anav's suggested baseline. Rule order matters (first match wins). The
# {...} lines and the trailing ***** are annotations, not RouterOS
# commands, and must be stripped before pasting.
{Input Chain}
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
# Everything from LAN-list interfaces may reach the router; nothing from
# the WAN gets past the next rule, so any router service that must be
# reachable from outside needs an explicit accept above it.
add action=accept chain=input in-interface-list=LAN
# Final default-deny for the input chain.
add action=drop chain=input comment="drop all else" *****
{forward chain}
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related
add action=accept chain=forward comment="defconf: accept established,related, untracked" connection-state=established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=forward comment="allow internet traffic" in-interface-list=LAN out-interface-list=WAN
# The one rule needed for port forwarding: only connections that a dstnat
# rule rewrote get through; each forward is then defined once under
# /ip firewall nat instead of with per-port filter rules.
add action=accept chain=forward comment="allow port forwarding" connection-nat-state=dstnat
# Final default-deny for the forward chain.
add action=drop chain=forward
/ip firewall nat
# Compared with the defconf masquerade in the first post this omits the
# src-address=192.168.0.0/16 and ipsec-policy=out,none matchers; the
# latter presumably only matters once IPsec policies are in use.
add action=masquerade chain=srcnat comment="defconf: masquerade" out-interface-list=WAN
 
Josephny
Member Candidate
Topic Author
Posts: 162
Joined: Tue Sep 20, 2022 12:11 am

Re: Check my config please

Tue Oct 18, 2022 5:05 pm

Thank you so much for your help!

I did not want to leave the VPN active, but unchecking it leaves all the VPN-related entries in the exported config file. I don't know how to remove them permanently.

Is this better:
# oct/18/2022 10:00:15 by RouterOS 6.49.7
# software id = C3RH-692B
#
# model = RB750Gr3
# serial number = Hxxxxxxx
# --- Review notes (added): second export, after adopting anav's baseline.
# The author says the VPN entries come from a Quick Set checkbox that was
# ticked and then unticked; unticking does not remove them (anav: delete
# them in the PPP menus and drop the VPN accepts from the input chain).
/interface bridge
add admin-mac=18:xx:xx:xx:xx:xx auto-mac=no comment=defconf name=bridge
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip pool
add name=dhcp ranges=192.168.2.100-192.168.2.200
# VPN client address pool -- Quick Set leftover.
add name=vpn ranges=192.168.89.2-192.168.89.255
/ip dhcp-server
add address-pool=dhcp disabled=no interface=bridge name=defconf
/ppp profile
# Default PPP profile wired to the vpn pool -- Quick Set leftover.
set *FFFFFFFE bridge-learning=no local-address=192.168.89.1 remote-address=\
    vpn
/interface bridge port
add bridge=bridge comment=defconf interface=ether2
add bridge=bridge comment=defconf interface=ether3
add bridge=bridge comment=defconf interface=ether4
add bridge=bridge comment=defconf interface=ether5
/ip neighbor discovery-settings
set discover-interface-list=LAN
/interface l2tp-server server
# Quick Set leftover. Neither this nor the SSTP server below shows
# enabled=yes in the export, so the services may be off; the input-chain
# accepts for their ports are present regardless -- confirm with the
# respective "print" commands.
set use-ipsec=yes
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=ether1 list=WAN
/interface sstp-server server
set default-profile=default-encryption
/ip address
add address=192.168.2.2/24 comment=defconf interface=bridge network=\
    192.168.2.0
/ip cloud
# MikroTik cloud DDNS enabled, updating hourly -- fine if intended,
# otherwise disable it.
set ddns-enabled=yes ddns-update-interval=1h
/ip dhcp-client
add comment=defconf disabled=no interface=ether1
/ip dhcp-server network
add address=192.168.2.0/24 comment=defconf gateway=192.168.2.2 netmask=24
/ip dns
set allow-remote-requests=yes servers=8.8.8.8,1.1.1.1
/ip dns static
add address=192.168.2.2 comment=defconf name=router.lan
/ip firewall filter
add action=accept chain=input comment=\
    "NEW defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
# NOTE(review): the next five rules accept NEW connections to the router on
# the VPN ports from every interface (no in-interface-list matcher) and sit
# above "drop invalid". With the VPN unused they only widen the router's
# exposed surface -- anav's reply says to remove them. tcp/443 matches
# whichever service listens there, so it would also expose the router's
# HTTPS management if www-ssl were enabled; tcp/1723 is PPTP, a legacy
# protocol best left off.
add action=accept chain=input comment="allow IPsec NAT" dst-port=4500 \
    protocol=udp
add action=accept chain=input comment="allow IKE" dst-port=500 protocol=udp
add action=accept chain=input comment="allow l2tp" dst-port=1701 protocol=udp
add action=accept chain=input comment="allow pptp" dst-port=1723 protocol=tcp
add action=accept chain=input comment="allow sstp" dst-port=443 protocol=tcp
add action=drop chain=input comment="NEW defconf: drop invalid" \
    connection-state=invalid
add action=accept chain=input comment="NEW defconf: accept ICMP" protocol=\
    icmp
# Everything from LAN-list interfaces may reach the router, i.e. every
# service it runs is reachable from the LAN.
add action=accept chain=input comment=NEW in-interface-list=LAN
# Default-deny for the input chain. log=yes records every dropped packet,
# which gets noisy on a WAN-facing port; clear it once debugging is done.
add action=drop chain=input comment="NEW drop all else" log=yes
add action=fasttrack-connection chain=forward comment=\
    "NEW defconf: fasttrack" connection-state=established,related
add action=accept chain=forward comment=\
    "NEW defconf: accept established,related, untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="NEW defconf: drop invalid" \
    connection-state=invalid
add action=accept chain=forward comment="NEW allow internet traffic" \
    in-interface-list=LAN out-interface-list=WAN
add action=accept chain=forward comment="NEW allow port forwarding" \
    connection-nat-state=dstnat
# NOTE(review): the next three rules are the per-port accepts from the
# first post. They are redundant with the dstnat accept above and broader:
# they pass NEW forward traffic from ether1 to ANY destination on these
# ports, DNATed or not, ahead of the final drop. anav's reply says to
# remove them.
add action=accept chain=forward dst-port=5800 in-interface=ether1 log=yes \
    protocol=tcp
add action=accept chain=forward dst-port=5900 in-interface=ether1 log=yes \
    protocol=tcp
add action=accept chain=forward dst-port=8123 in-interface=ether1 log=yes \
    protocol=tcp
add action=drop chain=forward comment=NEW
/ip firewall nat
add action=masquerade chain=srcnat comment="NEW defconf: masquerade" \
    out-interface-list=WAN
# NOTE(review): a chain=forward rule in the nat table. The nat table's
# built-in chains are srcnat and dstnat, so as far as I can tell "forward"
# here is a custom chain nothing jumps to and the rule is never evaluated.
# It duplicates the filter rule of the same name; this is the copy anav
# says to delete.
add action=accept chain=forward comment="NEW allow internet traffic" \
    in-interface-list=LAN out-interface-list=WAN
# NOTE(review): still src-nat, so still not port forwards (anav's reply:
# chain=dstnat action=dst-nat matching the WAN side, to-addresses=<LAN
# host>).
add action=src-nat chain=srcnat dst-address=192.168.2.22 dst-port=5800 log=\
    yes protocol=tcp to-addresses=192.168.2.22
add action=src-nat chain=srcnat dst-address=192.168.2.22 dst-port=5900 log=\
    yes protocol=tcp to-addresses=192.168.2.22
add action=src-nat chain=srcnat dst-address=192.168.2.176 dst-port=8123 log=\
    yes protocol=tcp to-addresses=192.168.2.176
# Masquerades VPN client traffic -- Quick Set leftover.
add action=masquerade chain=srcnat comment="masq. vpn traffic" src-address=\
    192.168.89.0/24
/ip route
add disabled=yes distance=1 gateway=192.168.2.1
/ppp secret
# VPN account "vpn"; no password appears in the export (hidden or empty).
# Either way it is a leftover -- remove it here along with the other
# Quick Set VPN entries.
add name=vpn
/system clock
set time-zone-name=America/New_York
/system identity
set name=RouterOS
/system ntp client
set enabled=yes primary-ntp=216.239.35.4 secondary-ntp=104.16.132.229
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN
/tool traffic-monitor
add interface=ether1 name=tmon1
 
anav
Forum Guru
Posts: 14485
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Check my config please

Tue Oct 18, 2022 5:29 pm

There was no VPN config in your first post??
Okay I see them in your second,
Why all the VPN, did you consider using just wireguard for example?

What are the requirements???


(1) You have the required handshake INPUT CHAIN RULES to access the router VPN services.
One does not put the same rules in the forward chain ??? They should be removed!!

add action=accept chain=forward dst-port=5800 in-interface=ether1 log=yes \
protocol=tcp
add action=accept chain=forward dst-port=5900 in-interface=ether1 log=yes \
protocol=tcp
add action=accept chain=forward dst-port=8123 in-interface=ether1 log=yes \
protocol=tcp


(2) You have a duplicate forward chain LAN TO WAN RULE, but LOL, you stuck it in the DST NAT rules.................. Remove the part in orange.
Then you have the wrong format for your port forwarding rules.
On what planet is an external user pointing at your local LAN server IP ???
An external user points at your WANIP, and then via Router rules you move that traffic with the correct destination port to the local LAN server IP.

The correct entry depends on what type of WANIP connection you have (Dynamic WANIP, or fixed STATIC WANIP).
dynamic use: in-interface-list=WAN
Static use: dst-address=static WANIP


/ip firewall nat
add action=masquerade chain=srcnat comment="NEW defconf: masquerade" \
out-interface-list=WAN

add action=accept chain=forward comment="NEW allow internet traffic" \
in-interface-list=LAN out-interface-list=WAN

add action=src-nat chain=srcnat dst-address=192.168.2.22 dst-port=5800 log=\
yes protocol=tcp to-addresses=192.168.2.22


(3) plain mac-server is not encrypted/secure, thus change it to NONE.
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN
 
Josephny
Member Candidate
Topic Author
Posts: 162
Joined: Tue Sep 20, 2022 12:11 am

Re: Check my config please

Tue Oct 18, 2022 6:30 pm

In QUICK SET, I checked the VPN checkbox. Then I unchecked it. But the entries remain when I export the config.

I removed the port forwarding from the INPUT CHAIN RULES -- thank you.

When I removed this line I lose outbound (LAN to WAN) connectivity:

add action=accept chain=forward comment="NEW allow internet traffic" in-interface-list=LAN out-interface-list=WAN

I was going to tackle Wireguard next. You previously helped me setting up Wireguard with another Hex so I hope I can get it working on this one without further help.
 
anav
Forum Guru
Posts: 14485
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Check my config please

Tue Oct 18, 2022 7:49 pm

When I removed this line I lose outbound (LAN to WAN) connectivity:
add action=accept chain=forward comment="NEW allow internet traffic" in-interface-list=LAN out-interface-list=WAN
(1) You removed the wrong internet traffic rule...... I said duplicate, and even told you which copy to delete.......
to reiterate..............

NOT THIS ONE (in correct spot in forward chain)
/ip firewall filter
add action=accept chain=forward comment="NEW allow internet traffic" \
in-interface-list=LAN out-interface-list=WAN

add action=accept chain=forward comment="NEW allow port forwarding" \
connection-nat-state=dstnat


THIS ONE: ( in nat rules wrong!!)
/ip firewall nat
add action=masquerade chain=srcnat comment="NEW defconf: masquerade" \
out-interface-list=WAN
add action=accept chain=forward comment="NEW allow internet traffic" \
in-interface-list=LAN out-interface-list=WAN




(2) You just need to go into the PPP menus to remove all those settings..................

You can go into the input chain in /ip firewall filter and remove all the added rules there:
IPSEC nat
IKE
l2TP
pptp
sstp
 
Josephny
Member Candidate
Topic Author
Posts: 162
Joined: Tue Sep 20, 2022 12:11 am

Re: Check my config please

Tue Oct 18, 2022 9:21 pm

Thank you again very much.

I posted another question about VLAN config on a CSS326 in SWoS. Should I post it here instead?
 
anav
Forum Guru
Posts: 14485
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Check my config please

Tue Oct 18, 2022 10:26 pm

No, that is a separate enough topic and you should keep it there.............
If you are using any etherport on the MT device here though, to connect to that switch, that would be good to know, as it will be a trunk port.....
 
Josephny
Member Candidate
Topic Author
Posts: 162
Joined: Tue Sep 20, 2022 12:11 am

Re: Check my config please

Tue Oct 18, 2022 10:37 pm

Yes, the CSS326 is connected to the Hex port #2 (ether2).
 
anav
Forum Guru
Posts: 14485
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Check my config please

Tue Oct 18, 2022 11:53 pm

No vlans coming from the hEX though.
 
Josephny
Member Candidate
Topic Author
Posts: 162
Joined: Tue Sep 20, 2022 12:11 am

Re: Check my config please

Wed Oct 19, 2022 5:24 am

I'm still having problems.

I have Home Assistant on private IP 192.168.2.176 port 8123

From outside my LAN I can access it fine.

From inside the LAN, if I point a browser to 192.168.2.176:8123 it works.

But, if from inside the LAN I point to the <publicIP>:8123 it fails.

Do I need some sort of rule to allow this?

Here's what I've got in the firewall.

Thank you!
/ip firewall filter
# --- Review notes (added): the state when the author asks why
# <publicIP>:8123 fails from inside the LAN (a hairpin-NAT question). Note
# that VNC ports 5800/5900 have no dst-nat rule at all in this export, so
# only 8123 is actually forwarded.

add action=accept chain=input comment="NEW defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=input comment="NEW defconf: drop invalid" connection-state=invalid
add action=accept chain=input comment="NEW defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment=NEW in-interface-list=LAN
add action=drop chain=input comment="NEW drop all else"
add action=fasttrack-connection chain=forward comment="NEW defconf: fasttrack" connection-state=established,related
add action=accept chain=forward comment="NEW defconf: accept established,related, untracked" connection-state=established,related,untracked
# The LAN->WAN accept from anav's baseline (no comment on this one).
add action=accept chain=forward in-interface-list=LAN out-interface-list=WAN
add action=accept chain=forward comment="NEW allow port forwarding" connection-nat-state=dstnat
# NOTE(review): "drop invalid" now sits below the two accepts above, so an
# invalid-state packet matching either accept is passed instead of
# dropped. anav's baseline places it straight after the
# established/related accept.
add action=drop chain=forward comment="NEW defconf: drop invalid" connection-state=invalid
add action=drop chain=forward comment=NEW

/ip firewall nat

add action=masquerade chain=srcnat comment="NEW defconf: masquerade" out-interface-list=WAN
# NOTE(review): disabled leftovers of the earlier src-nat attempt; they
# were never port forwards and can simply be deleted.
add action=src-nat chain=srcnat comment="new 8123" disabled=yes dst-address=192.168.2.176 dst-port=8123 protocol=tcp to-addresses=192.168.2.176
add action=src-nat chain=srcnat comment="new 5800" disabled=yes dst-port=5800 protocol=tcp to-addresses=192.168.2.22
add action=src-nat chain=srcnat comment="new 5900" disabled=yes dst-port=5900 protocol=tcp to-addresses=192.168.2.22
# NOTE(review): the only real port forward. It carries no
# in-interface-list=WAN or dst-address matcher, so every tcp/8123 packet
# that reaches the dstnat chain, from any interface, is redirected to
# 192.168.2.176. anav's earlier reply suggests in-interface-list=WAN for a
# dynamic WAN IP or dst-address=<static WAN IP>; for the LAN->publicIP case
# asked about here the LAN-originated packet must still match this rule,
# which in-interface-list=WAN alone would prevent, and hairpin NAT --
# which the author later reports fixed it -- normally also needs a srcnat
# rule for LAN->LAN DNATed traffic that is not in this export yet.
add action=dst-nat chain=dstnat dst-port=8123 log=yes protocol=tcp to-addresses=192.168.2.176

 
Josephny
Member Candidate
Topic Author
Posts: 162
Joined: Tue Sep 20, 2022 12:11 am

Re: Check my config please

Wed Oct 19, 2022 1:29 pm

Whew -- solved it!

You had mentioned Hairpin NAT previously, and that is what solved my problem.

I used this thread:

viewtopic.php?t=172380
 
anav
Forum Guru
Posts: 14485
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Check my config please

Wed Oct 19, 2022 4:28 pm

Excellent, yes the article on port forwarding I linked at the top of the thread, explains hairpin nat in detail.
