Mikrotik Firewall Regeln - Hilfe erbeten

Hallo,

bin gerade dabei meine Firewall ein wenig aufzuräumen bzw. weiter auszubauen.

Hab mein Netzwerk in mehrere Vlan unterteilt und einen Raspi mit Pihole drauf in Vlan 10. Dieser hat vorher jede anfrage angenommen und dann an den Router weitergeleitet. Jetzt hab ich das umgestellt und der Router schickt die Anfragen an den Pi und dann weiter an die Upstreamserver 9.9.9.9 usw.
Wie wäre da am besten eine Regel für einzustellen? Muss ich eine Input oder Forward Chain oder doch deine NAT Regel erstellen für den DNS wenn ja wie?

add action=redirect chain=dstnat comment="Intercept DNS queries UDP" \  
    dst-port=53 protocol=udp src-address=!10.10.9.26 to-ports=53
add action=redirect chain=dstnat comment="Intercept DNS queries TCP" \  
    dst-port=53 protocol=tcp src-address=!10.10.9.26 to-ports=53
add action=accept chain=input comment=\
    "\?\?\?\?\?\?\?\?\?\?\?\?\?\?\?\?\?\?\?\?\?\?\?\?\?\?" dst-port=53 \  
    log-prefix="DNS TEST" protocol=udp  
add action=accept chain=input comment=\
    "\?\?\?\?\?\?\?\?\?\?\?\?\?\?\?\?\?\?\?\?\?\?\?\?\?\?" dst-port=53 \  
    log-prefix="DNS TEST" protocol=tcp  
add action=accept chain=forward comment="DNS TEST" dst-port=53 log-prefix=\  
    tetsdns protocol=tcp
add action=accept chain=forward comment="DNS TEST" dst-port=53 log-prefix=\  
    tetsdns protocol=udp

Die andere Frage ist nach einer weiteren Optimierung. Kann man das so belassen oder was könnte man noch verbessern bzw. fehlt noch was?

Ich hoffe ihr könnt mir ein wenig helfen..

Grüße
Jascha

# oct/27/2019 19:16:30 by RouterOS 6.45.6
# software id = FK2U-MQW7
#
# model = RouterBOARD 3011UiAS
# serial number = 8EED09496644
/ip firewall address-list
add address=0.0.0.0/8 list=bogons
add address=10.0.0.0/8 list=bogons
add address=100.64.0.0/10 list=bogons
add address=127.0.0.0/8 list=bogons
add address=169.254.0.0/16 list=bogons
add address=172.16.0.0/12 list=bogons
add address=192.0.0.0/24 list=bogons
add address=192.0.2.0/24 list=bogons
add address=192.168.0.0/16 list=bogons
add address=198.18.0.0/15 list=bogons
add address=198.51.100.0/24 list=bogons
add address=203.0.113.0/24 list=bogons
add address=240.0.0.0/4 list=bogons
add address=api.openweathermap.org list="Allowed Websites Robocop"  
add address=10.10.50.250 list="Allowed VPN Privat"  
add address=10.10.50.249 list="Allowed VPN Privat"  
add address=10.10.9.10 list="Allowed VPN Privat"  
add address=10.10.9.20 list="Allowed VPN Privat"  
add address=10.10.30.1 list="Allowed VPN Privat"  
add address=10.10.9.1 list="Allowed VPN Privat"  
add address=10.10.9.21 list="Allowed VPN Privat"  
add address=10.10.9.26 list="Allowed VPN Privat"  
add address=10.10.9.240 list="Allowed VPN Privat"  
add address=10.10.9.247 list="Allowed VPN Privat"  
add address=10.10.9.250 list="Allowed VPN Privat"  
add address=10.10.9.251 list="Allowed VPN Privat"  
add address=10.10.9.249 list="Allowed VPN Privat"  
add address=10.10.30.250 list="Allowed VPN Privat"  
add address=10.10.9.222 list="Allowed VPN Privat"  
add address=10.10.9.25 list=FritzBox_access
add address=10.10.9.10 list=FritzBox_access
add address=10.10.9.25 list="Access Kameras"  
add address=10.10.9.1 list="Access Kameras"  
add address=10.10.9.10 list="Access Kameras"  
add address=10.10.50.249 list="Access Kameras"  
add address=10.10.50.250 list="Access Kameras"  
add address=10.10.9.25 list="Access Hue Bridge"  
add address=10.10.9.10 list="Access Hue Bridge"  
add address=10.10.9.24 list="Access Kameras"  
add address=10.10.9.24 list="Access Hue Bridge"  
add address=10.10.9.24 list=FritzBox_access
/ip firewall filter
add action=accept chain=input comment=\
    "Input Chain - accept L2TP (500,1701,4500) from internet to vlan10" \  
    connection-state=new dst-port=500,1701,4500 in-interface=pppoe-out1-wtnet \
    protocol=udp
add action=accept chain=input comment=\
    "Input Chain - accept IPSec (Prot. 50) from internet to vlan10" \  
    connection-state="" in-interface=pppoe-out1-wtnet protocol=ipsec-esp  
add action=accept chain=input comment=\
    "Input Chain - accept L2TP (500,1701,4500) from internet to vlan99" \  
    connection-state=new dst-port=500,1701,4500 in-interface=vlan99 protocol=\
    udp
add action=accept chain=input comment=\
    "Input Chain - accept IPSec (Prot. 50) from internet to vlan99" \  
    connection-state=new in-interface=vlan99 protocol=ipsec-esp
add action=drop chain=input comment="Input Chain - drop invalid " \  
    connection-state=invalid log=yes log-prefix="drop invalid - "  
add action=accept chain=input comment=\
    "Input Chain - accept established and related" connection-state=\  
    established,related log-prefix="accept established, related - "  
add action=accept chain=input comment=\
    "\?\?\?\?\?\?\?\?\?\?\?\?\?\?\?\?\?\?\?\?\?\?\?\?\?\?" dst-port=53 \  
    log-prefix="DNS TEST" protocol=udp  
add action=accept chain=input comment=\
    "\?\?\?\?\?\?\?\?\?\?\?\?\?\?\?\?\?\?\?\?\?\?\?\?\?\?" dst-port=53 \  
    log-prefix="DNS TEST" protocol=tcp  
add action=accept chain=forward comment="DNS TEST" dst-port=53 log-prefix=\  
    tetsdns protocol=tcp
add action=accept chain=forward comment="DNS TEST" dst-port=53 log-prefix=\  
    tetsdns protocol=udp
add action=accept chain=input comment=\
    "Input Chain - allow ICMP echo reply (0) from internet" dst-address=\  
    !10.10.9.0/24 icmp-options=0:0 in-interface=pppoe-out1-wtnet protocol=\
    icmp src-address=!10.10.9.0/24
add action=accept chain=input comment=\
    "Input Chain - accept ICMP destination unreachable (3) from internet" \  
    dst-address=!10.10.9.0/24 icmp-options=3:0-1 in-interface=\
    pppoe-out1-wtnet protocol=icmp src-address=!10.10.9.0/24
add action=accept chain=input comment=\
    "Input Chain - accept ICMP echo request (8) from internet" dst-address=\  
    !10.10.9.0/24 icmp-options=8:0 in-interface=pppoe-out1-wtnet protocol=\
    icmp src-address=!10.10.9.0/24
add action=accept chain=input comment=\
    "Input Chain - accept ICMP time exceeded (11) from internet" dst-address=\  
    !10.10.9.0/24 icmp-options=11:0 in-interface=pppoe-out1-wtnet protocol=\
    icmp src-address=!10.10.9.0/24
add action=accept chain=input comment=\
    "Input Chain - accept VPN privat to Winbox " dst-address=10.10.9.254 \  
    dst-port=8291,8080 log=yes log-prefix="VPN privat to winbox - " protocol=\  
    tcp src-address=10.10.0.1-10.10.0.10
add action=accept chain=input comment=\
    "Input Chain - allow traffic from vlan10 (privat)" in-interface=vlan10 \  
    log-prefix="accept vlan10 (privat) - "  
add action=accept chain=input comment=\
    "Input Chain - accept fritzbox to accesslist" disabled=yes \  
    dst-address-list=FritzBox_access log=yes log-prefix=\
    "accept fritzbox to lan - " src-address=192.168.178.1  
add action=drop chain=input comment="Input Chain - drop all" log=yes \  
    log-prefix="drop all - "  
add action=fasttrack-connection chain=forward comment=\
    "fasttrack established,related" connection-mark=!ipsec connection-state=\  
    established,related
add action=drop chain=forward comment="Forward Chain - drop invalid" \  
    connection-state=invalid log=yes log-prefix="drop invalid - "  
add action=reject chain=forward comment="Forward Chain - Ausgehende SMTP Verbi\  
    ndung Port 25 zur\FCckweisen (Spam etc.)" dst-port=25 out-interface=\  
    pppoe-out1-wtnet protocol=tcp reject-with=icmp-network-unreachable
add action=drop chain=forward comment="Forward Chain - drop all bogons" \  
    in-interface=pppoe-out1-wtnet src-address-list=bogons
add action=drop chain=forward comment=\
    "Forward Chain - drop all from internet without destination nat" \  
    connection-nat-state=!dstnat connection-state=new in-interface=\
    pppoe-out1-wtnet
add action=drop chain=forward comment=\
    "Forward Chain - drop udp port 1900 for hue bridge" log-prefix=\  
    "drop hue udp1900 - " protocol=udp src-address=10.10.30.250 src-port=1900  
add action=accept chain=forward comment=\
    "Forward Chain - accept established and related" connection-state=\  
    established,related log-prefix="accept established, related - "  
add action=accept chain=forward comment=\
    "Forward Chain - Reverseproxy port 443" dst-address=10.10.9.26 dst-port=\  
    443 in-interface=pppoe-out1-wtnet log=yes log-prefix=\
    "reverseproxy port 443 - " out-interface=vlan10 protocol=tcp  
add action=accept chain=forward comment=\
    "Forward Chain - Let's Encrypt port 80 (only open when use it)" disabled=\  
    yes dst-address=10.10.9.26 dst-port=80 in-interface=pppoe-out1-wtnet log=\
    yes log-prefix="Let's Encrypt port 80 - " out-interface=vlan10 protocol=\  
    tcp
add action=accept chain=forward comment=\
    "Forward Chain - accept vlan10 (privat) to internet" in-interface=vlan10 \  
    log-prefix="accept vlan10 to internet - " out-interface=pppoe-out1-wtnet  
add action=accept chain=forward comment=\
    "Forward Chain - accept vlan99 (guest) to internet" in-interface=vlan99 \  
    log-prefix="accept vlan99 to internet - " out-interface=pppoe-out1-wtnet  
add action=accept chain=forward comment=\
    "Forward Chain - accept vpn guest (vlan99)  to internet" log-prefix=\  
    "accept vpn (guest) to internet - " out-interface=pppoe-out1-wtnet \  
    src-address=10.10.1.100-10.10.1.110
add action=accept chain=forward comment=\
    "Forward Chain - accept VPN guest to edomi server" dst-address=10.10.9.10 \  
    src-address=10.10.1.100-10.10.1.110
add action=accept chain=forward comment=\
    "Forward Chain - accept vpn (privat) to internet" log-prefix=\  
    "vpn privat to internet - " out-interface=pppoe-out1-wtnet src-address=\  
    10.10.0.1-10.10.0.10
add action=accept chain=forward comment=\
    "Forward Chain - accept VPN privat to all vlan" dst-address-list=\  
    "Allowed VPN Privat" log=yes log-prefix="vpn privat to all vlan - " \  
    out-interface=all-vlan src-address=10.10.0.1-10.10.0.10
add action=accept chain=forward comment=\
    "Forward Chain - accept robocop (vlan30) to internet (weatherdata)" \  
    dst-address-list="Allowed Websites Robocop" dst-port=80 in-interface=\  
    vlan30 log-prefix="accept robocop weather - " out-interface=\  
    pppoe-out1-wtnet protocol=tcp src-address=10.10.30.1
add action=accept chain=forward comment=\
    "Forward Chain - accept vlan10 -> vlan50 accesslist kamera" \  
    dst-address-list="Access Kameras" in-interface=vlan10 log-prefix=\  
    "vlan10 -> vlan50 - " out-interface=vlan50 src-address-list=\  
    "Access Kameras"  
add action=accept chain=forward comment=\
    "Forward Chain - accept vlan50 -> vlan10 accesslist kamera" \  
    dst-address-list="Access Kameras" in-interface=vlan50 log-prefix=\  
    "vlan50 -> vlan10 - " out-interface=vlan10 src-address-list=\  
    "Access Kameras"  
add action=accept chain=forward comment=\
    "Forward Chain - accept lan to accesslist fritzbox" dst-address=\  
    192.168.178.1 src-address-list=FritzBox_access
add action=accept chain=forward comment=\
    "Forward Chain - accept vlan30 (iot) to internet (only when you needed)" \  
    disabled=yes in-interface=vlan30 log=yes log-prefix=\
    "vlan30 to internet - " out-interface=pppoe-out1-wtnet  
add action=accept chain=forward comment=\
    "Forward Chain - accept accesslist to hue bridge" in-interface=vlan10 \  
    log-prefix="accesslist to hue bridge - " out-interface=vlan30 \  
    src-address-list="Access Hue Bridge"  
add action=drop chain=forward comment="Forward Chain - drop forward" log=yes \  
    log-prefix="drop all - "  
add action=drop chain=output comment="Output Chain - drop invalid" \  
    connection-state=invalid log=yes log-prefix="drop invalid - "  
/ip firewall nat
add action=redirect chain=dstnat comment="Intercept DNS queries UDP" \  
    dst-port=53 protocol=udp src-address=!10.10.9.26 to-ports=53
add action=redirect chain=dstnat comment="Intercept DNS queries TCP" \  
    dst-port=53 protocol=tcp src-address=!10.10.9.26 to-ports=53
add action=masquerade chain=srcnat comment="masquerade LAN->WAN" \  
    out-interface=pppoe-out1-wtnet
add action=masquerade chain=srcnat comment="masquerade VLAN 10 -> WAN" \  
    dst-address=!10.10.9.0/24 log-prefix="Masq NAT Vlan10" out-interface=\  
    pppoe-out1-wtnet src-address=10.10.9.0/24
add action=dst-nat chain=dstnat dst-port=443 in-interface=pppoe-out1-wtnet \
    log=yes log-prefix=5656151 protocol=tcp to-addresses=10.10.9.26 to-ports=\
    443
add action=dst-nat chain=dstnat comment=test1 disabled=yes dst-port=80 \
    in-interface=pppoe-out1-wtnet log=yes log-prefix=2050050 protocol=tcp \
    to-addresses=10.10.9.26 to-ports=80
/ip firewall service-port
set tftp disabled=yes
set irc disabled=yes
set h323 disabled=yes
set sip disabled=yes
set pptp disabled=yes
set udplite disabled=yes
set dccp disabled=yes
set sctp disabled=yes

Please also mark the comments that contributed to the solution of the article

Content-Key: 509420

Url: https://administrator.de/contentid/509420

Printed on: April 26, 2024 at 02:04 o'clock

2 Comments

Latest comment

Hallo,

Zu Optimierung: beim kurz drüber schauen ist mir aufgefallen, dass du ein paar Regeln doppelt drinnen hast, sei es auch nur mit anderen Logging Präferenzen. Ich würd da Mal drüber schauen.

Wegen NAT vs. Firewall: meiner Meinung ist es immer empfehlenswert NAT und Firewall Regeln zu definieren, speziell wenn die Chain Incoming, also Anfragen direkt an den Router, betroffen ist.

Zur Umleitung: wenn du willst, dass alle DNS Anfragen (ausser vom Pihole), die über den Router AN den Pihole gehen, hast du zwei Möglichkeiten:

1. Du leitest alle Anfragen ÜBER den Mikrotik auf den DNS Server vom Tik um und hast dort dann als statischen DNS den Pihole. Die Regel zur Umleitung hast du (soweit ich das sehen kann) bereits implementiert. Dafür müssen dann halt am Tik DNS remote Anfragen zugelassen werden.

2. Du machst ein direktes dst-nat auf den Pihole. Damit ersparst du dir die Freigabe vom Tik DNS, musst dafür aber ein sogn. Hairline NAT implementieren, d.h. DNS Abfragen aus dem LAN, die dst-natted werden, müssen dann auch maskiert werden. Wenn du das nicht tust schickt der Pihole die Antworten auf die Abfragen direkt an den anfragenden LAN Teilnehmer, der aber keine Pakete vom Pihole erwartet und dessen Pakete dann dropped.
Auch in der Variante musst du dann natürlich den Pihole vom dst-nat und dem masquerading ausnehmen.

LG
Areanod

Hi,

vielen Dank für deine Antwort.
Also ich seh da keine doppelten

So ich hab mir jetzt mehrfach deine beiden Punkte durchgelesen aber ich komm immer noch nicht drauf was ich genau einstellen muss. Wie du siehst hab ich ja bereits was als NAT eingetragen und auch in der Firewall. Jetzt ist nur die Frage was werde ich genau benötigen an Einträgen. Also was muss ich genau eintragen bzw. löschen?
Also vorher hatte ich den DNS im DHCP auf den Pihole verwiesen. Erst die letzten Tage hatte ich den Weg gewählt das der TIK den DNS machen sollen und alles an den Pihole weiterleitet. Daraufhin hab ich ein Script eingebaut welches bei Ausfall des Pihole auf einen anderen DNS umschaltet.
Ich taste mich halt so langsam ran an die ganzen Einstellungen aber da hapert es ein wenig bei mir.

Grüße

German Question Firewall Security

Hotly discussed

Check of ZFW Firewallgleixnerd - 5 Comments