Mikrotik
unt0njs, 2016-10-20 16:51:03

How to set up Firewall Mikrotik with Fasttrack?

Comrades, help me set up Firewall on RB2011.
I asked at spw.ru, smoked every site with its settings, read this question. But still I'm afraid to sculpt "gag".
1. For all this time, I have repeatedly met the mention of a flood on port 53 of the WAN interface. I set it up from scratch. I made ether10 the WAN interface, initially it was gigabit ether1. I read somewhere that the default configuration omits this flood, but what if I have my own configuration?
2. I recently learned about fasttrack, somehow screwed it up. It seems to be working and the load on the CPU has decreased several times. BUT! It says here that Fasttrack should be removed, and the forward chain should be taken very seriously.
Here is my FW at the moment.

/ip firewall address-list
add address=0.0.0.0/8 list=BOGON
add address=10.0.0.0/8 list=BOGON
add address=100.64.0.0/10 list=BOGON
add address=127.0.0.0/8 list=BOGON
add address=169.254.0.0/16 list=BOGON
add address=172.16.0.0/12 list=BOGON
add address=192.0.0.0/24 list=BOGON
add address=192.0.2.0/24 list=BOGON
add address=192.168.0.0/16 list=BOGON
add address=198.18.0.0/15 list=BOGON
add address=198.51.100.0/24 list=BOGON
add address=203.0.113.0/24 list=BOGON
add address=224.0.0.0/4 list=BOGON
add address=240.0.0.0/4 list=BOGON
/ip firewall filter
add action=drop chain=input comment="Drop BOGON" in-interface=pppoe-out1 src-address-list=BOGON
add action=accept chain=input comment="Accept established" connection-state=established
add action=accept chain=input comment="Accept related" connection-state=related
add action=accept chain=input comment="Accept ping" protocol=icmp
add action=drop chain=input comment="Drop INPUT from WAN" connection-state=new in-interface=!bridge-local
add action=fasttrack-connection chain=forward connection-state=established,related
add action=accept chain=forward comment="Accept forward established" connection-state=established
add action=accept chain=forward comment="Accept forward related" connection-state=related
add action=drop chain=forward connection-state=invalid
add action=jump chain=forward in-interface=pppoe-out1 jump-target=WAN-LAN out-interface=bridge-local
add action=jump chain=forward in-interface=bridge-local jump-target=LAN-WAN out-interface=pppoe-out1
add action=accept chain=LAN-WAN
add action=drop chain=WAN-LAN
/ip firewall nat
add action=masquerade chain=srcnat out-interface=pppoe-out1

What can you advise?

Alexander Romanov, 2016-10-28
@moneron89

Hello! Your firewall is quite complete, but a bit sub-optimal. Please note that fasttrack refers to established and related connections (which is absolutely true), and there are two rules for this in input. They can be combined into one. Under the fasttrack rule, Mikrotik tech support recommends adding exactly the same rule with the accept action for those packets that go along the slowpath. Invalid ones we drop, everything is correct here. And then you messed up a bit. If Mikrotik does not prohibit something in the firewall, then the traffic is allowed. Therefore, the lan-wan permission is redundant. To protect yourself from getting into your LAN, you can use the connection-nat-state parameter. If you have more than one wan-interface - make an interface-list and add them there, if there is one - this is not necessary. And the rule is:

/ip firewall filter
add chain=forward in-interface-list=WANs connection-nat-state=!dstnat action=drop

This rule protects you from routing attempts to your LAN. However, if you forward ports using dst-nat, forwarding will occur. The list interface can be replaced with in-interface=<name of one wan>.
And your jumps are redundant, though not wrong.
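The answer's recommendations assembled into one filter section, as an added example that is not part of the original answer or of any MikroTik documentation: the two input accepts merged, the fasttrack rule followed by its slow-path accept, invalid dropped, and the jump chains replaced by the connection-nat-state drop. It assumes the asker's interface names (pppoe-out1, bridge-local) and keeps his BOGON address-list and masquerade rule unchanged.

```routeros
# Interface list for WAN uplinks (only one member here; add more if you have them)
/interface list
add name=WANs
/interface list member
add interface=pppoe-out1 list=WANs

/ip firewall filter
# --- input chain: traffic addressed to the router itself ---
add chain=input action=drop comment="Drop BOGON from WAN" \
    in-interface-list=WANs src-address-list=BOGON
# one rule instead of two: established and related in a single match
add chain=input action=accept comment="Accept established,related" \
    connection-state=established,related
add chain=input action=drop comment="Drop invalid" connection-state=invalid
add chain=input action=accept comment="Accept ping" protocol=icmp
# anything new that did not come from the LAN bridge is dropped
add chain=input action=drop comment="Drop new from WAN" \
    connection-state=new in-interface=!bridge-local

# --- forward chain: traffic routed through the router ---
# fasttrack first, then the identical accept for packets that stay on the slow path
add chain=forward action=fasttrack-connection comment="FastTrack" \
    connection-state=established,related
add chain=forward action=accept comment="Accept established,related (slow path)" \
    connection-state=established,related
add chain=forward action=drop comment="Drop invalid" connection-state=invalid
# replaces the WAN-LAN / LAN-WAN jumps: inbound from WAN is dropped unless a
# dst-nat rule already translated it (port forwards keep working)
add chain=forward action=drop comment="Drop WAN->LAN unless dst-nat" \
    in-interface-list=WANs connection-nat-state=!dstnat
# LAN->WAN needs no accept rule: whatever is not dropped is allowed
```

Check the result with `/ip firewall connection print` after a few minutes: established flows should show the fasttracked flag, and the counters on the slow-path accept rule should stay low compared to the fasttrack rule.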
