Optimizing firewall rules for Mikrotik?
Hello everyone, I want to understand the firewall rules on a Mikrotik (remote). How do you think you would optimize the rules?
Everything is on a static IP. There is a VPN to the office (IPsec). Devices such as an IP camera or a bank terminal have full (sort of) access to the Internet. For other computers it is limited to a list.
192.168.0.0/24 - office LAN
192.168.1.0/24 - Mikrotik LAN
/ip firewall filter
# Allow ICMP requests
add action=accept chain=input comment=Ping protocol=icmp
add action=accept chain=forward protocol=icmp
#ipsec
add action=accept chain=input comment="Allow IPsec" dst-port=500 protocol=udp
add action=accept chain=input protocol=ipsec-esp
add action=accept chain=input protocol=ipsec-ah
add action=accept chain=input protocol=udp src-port=4500
# Allow traffic from the LAN to the Internet per the allowed list
add action=accept chain=forward comment="Local to net" dst-address-list=test \
in-interface=!ether1-gateway out-interface=ether1-gateway
# Allow established and related connections for input and forwarded traffic
add action=accept chain=input comment="Accept connection" connection-state=\
established,related
add action=accept chain=forward connection-state=established,related
# Access from the whole LAN to these addresses
add action=accept chain=forward comment="Online kass" dst-address=\
91.213.144.29
add action=accept chain=forward dst-address=46.17.204.250
# ???
add action=accept chain=input comment="Local network" in-interface=\
!ether1-gateway src-address=192.168.1.0/24
#L2TP, PPTP
add action=accept chain=input comment="allow l2tp" dst-port=1701 protocol=udp
add action=accept chain=input comment="allow pptp" dst-port=1723 protocol=tcp
# ???
add action=accept chain=input comment="allow sstp" dst-port=443 protocol=tcp
# Access to the Mikrotik from outside
add action=accept chain=input src-address=192.168.0.0/24
add action=accept chain=input src-address=внешний ip офиса
# Allow traffic from the LAN to the Internet for the allowed IP list, by port
add action=accept chain=forward comment=access_list_global_ip \
dst-address-list=access_list_global_ip dst-port=\
80,443,8801,8802,5242,4244,5243,7985 protocol=tcp
add action=accept chain=forward comment=access_list_global_ip \
dst-address-list=access_list_global_ip dst-port=\
3478,3479,8801-8810,5242,4244,5243,7985 protocol=udp
# Allow traffic from specific LAN IPs to the Internet
add action=accept chain=forward comment=access_list_ip_local \
src-address-list=access_list_ip_local
# this rule seems redundant
add action=accept chain=forward dst-address-list=access_list_ip_local
# camera traffic from the LAN to the Internet - redundant rule
add action=accept chain=forward comment="IP Cam" src-address=192.168.1.200
# Block incoming connections
add action=drop chain=input comment="Drop incoming" in-interface=\
ether1-gateway
# ???
add action=accept chain=forward comment="VPN traffic" src-address=\
192.168.0.0/24
add action=accept chain=forward src-address=192.168.10.0/24
add action=accept chain=forward dst-address=192.168.0.0/24
add action=accept chain=forward dst-address=192.168.10.0/24
# Block forwarded TCP traffic
add action=reject chain=forward comment="Drop all" protocol=tcp reject-with=\
tcp-reset
To begin with, I would close external access to the Mikrotik, or at least limit it to a list of allowed external addresses.
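One way to carry out the advice above on RouterOS, written here as an added example and not as the asker's or the answerer's configuration. It assumes the WAN interface is still ether1-gateway, that 192.168.0.0/24 is the office LAN reachable over the IPsec tunnel, and that the office's public address is the placeholder 203.0.113.10 (a documentation-range value standing in for the "внешний ip офиса" placeholder in the question). The blanket accept from the office IP is shown beside a version restricted to an address list and to the management ports actually in use, the input chain is ordered so the stateful rules are hit first and an explicit drop comes last, and the forward chain gets a protocol-independent final drop in place of the TCP-only reject:

```routeros
# Added example: restrict access to the router itself (input chain) to an allowed list.
# Assumptions: WAN is ether1-gateway; 203.0.113.10 is a placeholder for the office external IP.

/ip firewall address-list
add list=mgmt-allowed address=192.168.1.0/24 comment="Mikrotik LAN"
add list=mgmt-allowed address=192.168.0.0/24 comment="Office LAN via IPsec"
add list=mgmt-allowed address=203.0.113.10 comment="Office external IP (placeholder)"

/ip firewall filter
# --- Weak (as in the question): every service on the router is reachable from that address ---
# add action=accept chain=input src-address=203.0.113.10

# --- Hardened input chain, in evaluation order ---
# 1. Stateful rules first: most packets match here and never reach the rules below.
add chain=input action=accept connection-state=established,related comment="Accept established/related"
add chain=input action=drop connection-state=invalid comment="Drop invalid"
# 2. ICMP, so the tunnel peer and monitoring can still ping the router.
add chain=input action=accept protocol=icmp comment="Ping"
# 3. Only the VPN services this site terminates: IKE on udp/500, NAT-T on udp/4500, ESP.
add chain=input action=accept protocol=udp dst-port=500,4500 comment="IKE and NAT-T"
add chain=input action=accept protocol=ipsec-esp comment="ESP"
# 4. Management only from the allowed list and only on the ports in use
#    (8291 = WinBox, 22 = SSH). Add 443 here only if WebFig over HTTPS is used
#    rather than SSTP, since both would claim the same port.
add chain=input action=accept src-address-list=mgmt-allowed protocol=tcp \
    dst-port=22,8291 comment="Management from allowed addresses"
# 5. Anything else arriving on the WAN interface is dropped.
add chain=input action=drop in-interface=ether1-gateway comment="Drop the rest from WAN"

# --- Forward chain tail: the question ends with reject ... protocol=tcp, which leaves
#     UDP and other protocols unfiltered; a protocol-less drop closes that gap. ---
add chain=forward action=drop comment="Drop everything not accepted above"

# --- Second layer: bind the management services themselves to the same networks
#     and switch off the ones that are not needed. ---
/ip service
set winbox address=192.168.1.0/24,192.168.0.0/24,203.0.113.10
set ssh address=192.168.1.0/24,192.168.0.0/24,203.0.113.10
set telnet disabled=yes
set ftp disabled=yes
set www disabled=yes
```

The L2TP, PPTP and SSTP accept rules from the question belong between steps 3 and 4 only if those services are actually enabled on the router; each open port that is not backed by a running service is just an extra hole to audit. The "Local network" rule that accepts input from 192.168.1.0/24 is covered by the address list, so it can go. Before applying a change like this remotely, use Safe Mode in WinBox or the console so a mistake that locks you out is rolled back automatically.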