Mikrotik Router: Firewall Configuration & Securing Networks 192.168.88.1, 192.168.2.1, 192.168.3.1

Question

I warmly welcome, A few months ago I bought a Mikrotik router, it took some time for me before I could even make the internet work. I want to know if I did everything right to secure the router (Firewall), if there are any errors, etc. In the skin: I have 3 networks: the first 192.168.88.1 (my...

bogiebog · Accepted Answer

Wisely - from a security point Unwise - for diagnostics Added after 2 [minutes]: Bet winbox on another high port, e.g. 46831, the default rule is DROP, all other port / protocols should be allowed in writing. How do you have access to MT from winbox z z neta to - cut ip-blocks from outside PL - password: 18 characters,

bogiebog · Accepted Answer

Ping to ICMP proto, login is tcp, so ping does not affect services like ssh / www / winbox.

mikrotik wrote:
Could you develop this? What diagnostics?

It depends on what you will be hosting in MT, it is easy to check the ping - i.e. there is an IP overhead than the www / winbox service.

Input chain; too much drop; there should be many allow first and then one at the end of 'drop everything'

for example, INPUT, in order
- allow all established
- allow all related
- allow new winbox eth1
- allow DNS from ether *
- allow DHCP from ether *
...
- drop everything

Added after 16 [minutes]:

bogiebog wrote:
- allow DNS from ether *
- allow DHCP from ether *

You can also list allow services instead

- allow all from ether *
or
- allow all from! wan

mikrotik · Answer

Could you develop this? What diagnostics? And what will it give me? It's easy to get around this by scanning the ports. In the firewall I have DropWanWinboxAccess on port 8291 from WAN and I already had a dozen or so attempts detected and it was not a bot, now is the peace of mind for how long. I do not have access to the net, at least it seems to me that if I added 5 rule to Firewall (see photo), I turned off the possibility of logging in. Yes? Currently, I can log into mikrotika only with a cable, at least I think so that I managed to do it and there is no gap. I have a 8-character password, I will change it for longer. And adding this rule with ping I will be deprived of the possibility to log into the router?

mikrotik · Answer

I do not know if I completely understand the question, but when it comes to some ftp or sharing files with other household members, it's absolutely NOTHING of these things. You moved an interesting thing that bothers me, you wrote Why, in this case, I can log in to mikrotik at all, since before the rule 11 drop everything there is nowhere to allow access to router from ether2 etc.? From what I see, you let go, you block everything else, and I think I have the opposite, blocks selected ones, I release everything else ... and I do not want to ... A colleague from another forum wrote a firewall for me, for my needs. Code: text Expand Select all Copy to clipboardJa bym to widział tak: /ip firewall filter # najpierw INPUTy.  add chain=input comment=Zezwalaj na established i related connection-state=established,related add action=drop chain=input comment=Dropuj polaczenia typu invalid connection-state=invalid add action=drop chain=input comment=Dropuj zapytania DNS od strony WAN dst-port=53 in-interface=ether1 protocol=udp //Chociaż u Ciebie jest zbędne, bo z tego co widzę nie używasz DNS-Cache.  add action=drop chain=input in-interface=ether1 // ja bym tego nie stosował, bo pozbawisz się możliwości pingowania na zew z routera, traceroutów, pobierania aktualizacji MT itd. Jeżeli wszystkie usługi masz wyłączone, to nie widzę sensu robienia blokady na inpucie na wszystko.  # forwardy add chain=forward comment=Zezwalaj na established i related connection-state=established,related add action=drop chain=forward comment=Dropuj polaczenia typu invalid connection-state=invalid add action=drop chain=forward comment=Dropuj polaczenia new inne niz syn connection-state=new protocol=tcp tcp-flags=!syn add action=drop chain=forward comment=Dropuj skanowanie portow protocol=tcp tcp-flags=fin,syn,rst,ack add action=drop chain=forward in-interface=bridge1 log=yes out-interface=bridge2 comment=Blokada ruchu forward z bridge1 do bridge2 add action=drop chain=forward in-interface=bridge2 log=yes out-interface=bridge1 comment=Blokada ruchu forward z bridge2 do bridge1 # To sobie możesz zostawić, nie przeszkadza w niczym add action=tarpit chain=input comment=suppress DoS attack connection-limit=3,32 log=yes protocol=tcp src-address-list=black_list add action=add-src-to-address-list address-list=black_list address-list-timeout=1d chain=input comment=detect DoS attack connection-limit=10,32 log=yes protocol=tcp add action=drop chain=forward comment=Drop Blaster Worm dst-port=135-139 protocol=tcp add action=drop chain=forward comment=Drop Blaster Worm dst-port=445 protocol=tcp add action=drop chain=forward comment=Drop Blaster Worm dst-port=445 protocol=udp add action=drop chain=forward comment=Drop Messenger Worm dst-port=135-139 protocol=udp add action=drop chain=forward comment=________ dst-port=593 protocol=tcp add action=drop chain=forward comment=________ dst-port=1024-1030 protocol=tcp add action=drop chain=forward comment=Drop MyDoom dst-port=1080 protocol=tcp add action=drop chain=forward comment=________ dst-port=1214 protocol=tcp add action=drop chain=forward comment=ndm requester dst-port=1363 protocol=tcp add action=drop chain=forward comment=ndm server dst-port=1364 protocol=tcp add action=drop chain=forward comment=screen cast dst-port=1368 protocol=tcp add action=drop chain=forward comment=hromgrafx dst-port=1373 protocol=tcp add action=drop chain=forward comment=cichlid dst-port=1377 protocol=tcp add action=drop chain=forward comment=Worm dst-port=1433-1434 protocol=tcp add action=drop chain=forward comment=Bagle Virus dst-port=2745 protocol=tcp add action=drop chain=forward comment=Drop Dumaru.Y dst-port=2283 protocol=tcp add action=drop chain=forward comment=Drop Beagle dst-port=2535 protocol=tcp add action=drop chain=forward comment=Drop Beagle.C-K dst-port=2745 protocol=tcp add action=drop chain=forward comment=Drop MyDoom dst-port=3127-3128 protocol=tcp add action=drop chain=forward comment=Drop Backdoor OptixPro dst-port=3410 protocol=tcp add action=drop chain=forward comment=Worm dst-port=4444 protocol=tcp add action=drop chain=forward comment=Worm dst-port=4444 protocol=udp add action=drop chain=forward comment=Drop Sasser dst-port=5554 protocol=tcp add action=drop chain=forward comment=Drop Beagle.B dst-port=8866 protocol=tcp add action=drop chain=forward comment=Drop Dabber.A-B dst-port=9898 protocol=tcp add action=drop chain=forward comment=Drop Dumaru.Y dst-port=10000 protocol=tcp add action=drop chain=forward comment=Drop MyDoom.B dst-port=10080 protocol=tcp add action=drop chain=forward comment=Drop NetBus dst-port=12345 protocol=tcp add action=drop chain=forward comment=Drop Kuang2 dst-port=17300 protocol=tcp add action=drop chain=forward comment=Drop SubSeven dst-port=27374 protocol=tcp add action=drop chain=forward comment=Drop PhatBot, Agobot, Gaobot dst-port=65506 protocol=tcp W IP->Services widzę masz wyłączone wszystko poza winboxem. W ustawieniach tego wpisu ustal sobie z jakich adresów IP możesz mieć dostęp.  Upewnij się jeszcze, że SNMP masz wyłączone jeżeli nie potrzebujesz (IP->SNMP)  And I have a question about what he wrote here add action = drop chain = input in-interface = ether1 // I would not use it, because you will not be able to ping from the router, tracerouts, download MT updates, etc. If you have all the services turned off, I do not see the point of making a lock on an injection for everything. Why in this case, having this rule as 11, I can still download the update, etc.

bogiebog · Answer

The interpretation of why MT does this to me without access live to MT via winbox is a straight way to madness. MT - this cat can be plucked in many different ways, depending on the administrator's preferences and knowledge.

mikrotik · Answer

I understand, but you know quite well on this? Good enough to secure the router / network? I am happy to pay for a good firewall configuration.

Mikrotik Router: Firewall Configuration & Securing Networks 192.168.88.1, 192.168.2.1, 192.168.3.1

Post #1

Post #2

Post #3

Post #4

Post #5

Post #6

Post #7

Didn't find an answer? Ask Artificial Intelligence

Topic summary