Securing Networks with Mikrotik Firewall Rules for Site-to-Site and Client-to-Site Tunnels

  • #1 16912163
    robsonet
    Level 11  
    Hello,
    I have a site-to-site tunnel set up between the headquarters and the branch on Mikrotik routers, and I connect to both places via client-to-site L2TP + IPsec.
    The branch connects to the headquarters using RDP, with printers redirected in the session. Users at the headquarters and in the branch should have Internet access. Below I paste the firewall rules, which are analogous at the headquarters and the branch. I would like to ask for help in securing both networks; I would like to do it on the principle of letting in what is needed and cutting out the rest.

    /ip firewall filter
    # not strictly needed here, because I can open Winbox locally after connecting via the client-to-site VPN
    add action=accept chain=input comment="akceptuj WinBox z zewnatrz" dst-port=8291 in-interface="ether1 WAN" protocol=tcp
    # here the branch address; analogously the headquarters address in the branch router (no action given, so the default action, accept, applies)
    add chain=input in-interface="ether1 WAN" src-address=xx.xx.xx.xx
    add action=accept chain=input comment="akceptuj L2TP" dst-port=1701 in-interface="ether1 WAN" protocol=udp
    add action=accept chain=input comment="akceptuj IPsec" dst-port=500 in-interface="ether1 WAN" protocol=udp
    add action=accept chain=input comment="akceptuj IP sec VPN" dst-port=4500 in-interface="ether1 WAN" protocol=udp
    add action=accept chain=input comment="defconf: accept ICMP" in-interface="ether1 WAN" protocol=icmp
    add action=accept chain=input comment="defconf: accept established,related" connection-state=established,related in-interface="ether1 WAN"
    add action=accept chain=forward comment="defconf: accept established,related" connection-state=established,related in-interface="ether1 WAN"
    add action=drop chain=input comment="defconf: drop all from WAN" in-interface="ether1 WAN"
    add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid in-interface="ether1 WAN"
    add action=drop chain=forward comment="defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat connection-state=new in-interface="ether1 WAN"
    /ip firewall nat
    add action=masquerade chain=srcnat comment="defconf: masquerade" out-interface="ether1 WAN"


    I don't have much experience with rules.
    Thank you in advance for your help.
  • #2 17236126
    misiekx007
    Level 13  
    Hello,

    I would recommend connecting to the Mikrotik via VPN from the LAN side, so disable the rule: add action=accept chain=input comment="accept WinBox from outside" dst-port=8291
    And update the router firmware (especially on the one with 8291 exposed to the world; the update fixes the hole).
    Source: https://forum.mikrotik.com/viewtopic.php?f=21&t=133533
    Source2: https://niebezpiecznik.pl/post/Szybko-aktualizacjicie-mikrotiki/

    Do you need ICMP from the WAN side? Bots will notice that something is answering pings at this address.

    I did it like this, although those more experienced than me would probably change something (firewall/filter only):

    add action=drop chain=input comment="Drop connections from blacklist" connection-state=new in-interface="001. WAN" src-address-list=blacklist
    add action=drop chain=input comment="Drop invalid connections" connection-state=invalid
    add action=accept chain=input comment="Allow L2TP Traffic" dst-port=1701 in-interface="001. WAN" protocol=udp
    add action=accept chain=input comment="Allow SSTP Traffic" dst-port=443 in-interface="001. WAN" protocol=tcp
    add action=accept chain=input comment="Allow IKE - Internet Key Exchange for IPSEC" dst-port=500 in-interface="001. WAN" protocol=udp
    add action=accept chain=input comment="Allow NAT-T - IPSec Network Address Translation" dst-port=4500 in-interface="001. WAN" protocol=udp
    add action=accept chain=input comment="Allow VPN traffic" in-interface=all-ppp
    add action=accept chain=input comment="Allow new connections to the router from authorized networks" connection-state=new in-interface=BRIDGE_DOM src-address-list=ALLOW
    add action=accept chain=input comment="Allow established and dependent connections" connection-state=established,related
    add action=drop chain=input comment="Drop Everything Else"
    add action=drop chain=forward comment="Drop invalid connections" connection-state=invalid
    add action=accept chain=forward comment="Allow new connections to the router from authorized networks" connection-state=new in-interface=BRIDGE_DOM src-address-list=ALLOW
    add action=accept chain=forward comment="Allow established and dependent connections" connection-state=established,related
    add action=accept chain=forward comment="Allow LAPTOP to remotely access the DOM network" dst-address=192.168.77.0/24 src-address=10.100.100.100
    add action=accept chain=forward comment="Allow PHONE to remotely access the DOM network" dst-address=192.168.77.0/24 src-address=10.100.100.101
    add action=drop chain=forward comment="Drop Everything Else"

    The address list includes the allowed LANs.
    The blacklist includes addresses downloaded using http://joshaven.com/resources/tricks/mikrotik-automatically-updated-address-list/
    The order of entries DOES matter :)
    This is a simple, unused example. I won't paste the working config, but before I replaced and rebuilt the router it worked steadily :)

    Generally, I once heard the rule that it is worth allowing yourself access to Winbox, then blocking everything on input and forward and adding the rules that you need. There is some logic to this.
    Hope I helped.

    best regards
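Added example, not taken from either post above: an HQ-side rule set for the scenario in post #1 (site-to-site L2TP/IPsec to the branch, client-to-site L2TP/IPsec for admins, branch users reaching the headquarters over RDP, LAN users reaching the Internet), written in the "allow what is needed, drop the rest" style that post #2 recommends. Every address, address-list name and host below is a constructed placeholder; "ether1 WAN" and all-ppp are the interface names used in the thread. The ipsec-policy=in,ipsec matcher is a standard RouterOS v6 firewall matcher that is not mentioned in the thread; it lets the router accept L2TP (udp/1701) only when the packet arrived inside the IPsec tunnel, so a plaintext L2TP probe from the Internet is dropped instead of reaching the L2TP server.

```routeros
# Added example (not from the thread). Assumed lab addressing:
#   HQ LAN            192.168.10.0/24
#   branch LAN        192.168.20.0/24   (behind the site-to-site tunnel)
#   L2TP client pool  10.10.10.0/24     (client-to-site admins)
#   RDP host          192.168.10.5      (the server the branch logs into)

/ip firewall address-list
add list=lan-hq address=192.168.10.0/24 comment="HQ LAN (assumed)"
add list=lan-branch address=192.168.20.0/24 comment="branch LAN behind site-to-site tunnel (assumed)"
add list=vpn-clients address=10.10.10.0/24 comment="client-to-site L2TP pool (assumed)"
add list=rdp-hosts address=192.168.10.5 comment="terminal server the branch connects to (assumed)"
add list=mgmt-allowed address=192.168.10.0/24 comment="Winbox allowed from HQ LAN"
add list=mgmt-allowed address=10.10.10.0/24 comment="Winbox allowed over client-to-site VPN"

/ip firewall filter
# ---- input: packets addressed to the router itself ----
add chain=input action=accept connection-state=established,related comment="replies to flows the router started or already accepted"
add chain=input action=drop connection-state=invalid comment="drop invalid"
add chain=input action=accept in-interface="ether1 WAN" protocol=udp dst-port=500,4500 comment="IKE and NAT-T: tunnel setup from the branch and from road warriors"
add chain=input action=accept in-interface="ether1 WAN" protocol=ipsec-esp comment="ESP for peers that are not behind NAT"
add chain=input action=accept protocol=udp dst-port=1701 ipsec-policy=in,ipsec comment="L2TP only when it arrived inside IPsec; plaintext udp/1701 falls through to the WAN drop"
add chain=input action=accept in-interface="ether1 WAN" protocol=icmp limit=5,10:packet comment="rate-limited ICMP so path-MTU discovery and traceroute keep working"
add chain=input action=drop in-interface="ether1 WAN" comment="drop everything else from WAN: Winbox, DNS, SSH are never reachable from the Internet"
add chain=input action=accept protocol=tcp dst-port=8291 src-address-list=mgmt-allowed comment="Winbox only from HQ LAN or the client-to-site VPN (WAN already dropped above)"
add chain=input action=accept protocol=udp dst-port=53 src-address-list=lan-hq comment="DNS, only if LAN clients use the router as resolver"
add chain=input action=accept protocol=icmp comment="ping from inside for troubleshooting"
add chain=input action=drop comment="drop everything else"

# ---- forward: packets routed through the router ----
add chain=forward action=accept connection-state=established,related comment="return traffic for accepted flows"
add chain=forward action=drop connection-state=invalid comment="drop invalid"
add chain=forward action=accept src-address-list=lan-hq out-interface="ether1 WAN" comment="HQ LAN to the Internet"
add chain=forward action=accept in-interface=all-ppp src-address-list=lan-branch dst-address-list=rdp-hosts protocol=tcp dst-port=3389 comment="branch users -> RDP host only; redirected printers ride inside the RDP session"
add chain=forward action=accept in-interface=all-ppp src-address-list=vpn-clients dst-address-list=lan-hq comment="admins on client-to-site VPN reach the HQ LAN"
add chain=forward action=drop comment="drop everything else: branch cannot browse the HQ LAN, WAN cannot reach LAN"

/ip firewall nat
add chain=srcnat action=masquerade src-address-list=lan-hq out-interface="ether1 WAN" comment="NAT only the HQ LAN; tunnel traffic leaves via PPP and is never masqueraded"
```

RouterOS evaluates each chain top down and the first matching rule wins, which is the ordering point post #2 makes: established/related stays first so it is cheap, the "drop everything else from WAN" rule sits above the management and DNS accepts so those can never be reached from the Internet even with a spoofed source address, and the unconditional drops close each chain. The branch router gets the mirror image with lan-hq and lan-branch swapped and no RDP rule, since nothing at the headquarters initiates sessions towards the branch in the scenario described; if that ever changes, add one forward rule in the opposite direction rather than loosening the final drop. Test a rule set like this from Winbox Safe Mode so a mistake that locks you out is rolled back automatically when the session drops.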