Mikrotik
MrDZ, 2019-12-13 10:27:27

Optimizing firewall rules for Mikrotik?

Hello everyone, I want to understand the firewall rules on a Mikrotik (remote). How would you optimize the rules?
Everything is on a static IP. There is a VPN to the office (IPsec). Devices such as an IP camera or a bank terminal have full (sort of) access to the Internet. For the other computers it is limited to a list.
192.168.0.0/24 - office LAN
192.168.1.0/24 - Mikrotik LAN

/ip firewall filter

#Allow ICMP requests
add action=accept chain=input comment=Ping protocol=icmp
add action=accept chain=forward protocol=icmp

#ipsec
add action=accept chain=input comment="Allow IPsec" dst-port=500 protocol=udp
add action=accept chain=input protocol=ipsec-esp
add action=accept chain=input protocol=ipsec-ah
add action=accept chain=input protocol=udp src-port=4500

#Traffic from the LAN to the Internet by allowed list
add action=accept chain=forward comment="Local to net" dst-address-list=test \
    in-interface=!ether1-gateway out-interface=ether1-gateway
  
#Allow established and related connections for incoming and forwarded traffic
add action=accept chain=input comment="Accept connection" connection-state=\
    established,related
add action=accept chain=forward connection-state=established,related

#Access from the whole LAN to these addresses
add action=accept chain=forward comment="Online kass" dst-address=\
    91.213.144.29
add action=accept chain=forward dst-address=46.17.204.250

# ???
add action=accept chain=input comment="Local network" in-interface=\
    !ether1-gateway src-address=192.168.1.0/24
  
#L2TP, PPTP
add action=accept chain=input comment="allow l2tp" dst-port=1701 protocol=udp
add action=accept chain=input comment="allow pptp" dst-port=1723 protocol=tcp

# ???
add action=accept chain=input comment="allow sstp" dst-port=443 protocol=tcp

#Access to the Mikrotik from outside
add action=accept chain=input src-address=192.168.0.0/24
add action=accept chain=input src-address=внешний ip офиса

#Traffic from the LAN to the Internet by allowed IP list, by ports
add action=accept chain=forward comment=access_list_global_ip \
    dst-address-list=access_list_global_ip dst-port=\
    80,443,8801,8802,5242,4244,5243,7985 protocol=tcp
add action=accept chain=forward comment=access_list_global_ip \
    dst-address-list=access_list_global_ip dst-port=\
    3478,3479,8801-8810,5242,4244,5243,7985 protocol=udp
  
#Traffic from specific LAN IPs to the Internet
add action=accept chain=forward comment=access_list_ip_local \
    src-address-list=access_list_ip_local
#This rule seems redundant
add action=accept chain=forward dst-address-list=access_list_ip_local

#Camera traffic from the LAN to the Internet - redundant rule
add action=accept chain=forward comment="IP Cam" src-address=192.168.1.200

#Block incoming connections
add action=drop chain=input comment="Drop incoming" in-interface=\
    ether1-gateway

# ???
add action=accept chain=forward comment="VPN traffic" src-address=\
    192.168.0.0/24
add action=accept chain=forward src-address=192.168.10.0/24
add action=accept chain=forward dst-address=192.168.0.0/24
add action=accept chain=forward dst-address=192.168.10.0/24

#Block forwarded TCP traffic
add action=reject chain=forward comment="Drop all" protocol=tcp reject-with=\
    tcp-reset


2 answer(s)
Drno, 2019-12-13
@Drno

To begin with, I would close external access to the Mikrotik, or at least limit it to a list of allowed external addresses.

Dmitry, 2019-12-13
@Tabletko

First, the allow rules for established, related (you have these).
Then the allow/deny rules for connection-state=new (you have rules for all states).
At the end, the Drop_ALL rule.
A separate rule in raw for blocking from the banlist.
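Both answers applied to the asker's rule set, as an added example (not the asker's config and not either answerer's): input to the router is restricted to the LAN and an address list of office sources, the chains are ordered established/related first, then explicit connection-state=new policy, then an unconditional drop, and the banlist is handled in raw before connection tracking. The list names office-admin and banlist, the 203.0.113.10 and 198.51.100.0/24 entries, and the rule comments are placeholders and assumptions; the existing lists test, access_list_global_ip and access_list_ip_local are kept as the asker defined them. The original closing rule rejects only TCP, so UDP and other protocols fell through; here everything not explicitly accepted is dropped.

```routeros
# Added example: assumed address lists; replace the placeholder addresses
/ip firewall address-list
add list=office-admin address=192.168.0.0/24 comment="office LAN (arrives over IPsec)"
add list=office-admin address=203.0.113.10 comment="PLACEHOLDER: office external IP"
add list=banlist address=198.51.100.0/24 comment="PLACEHOLDER: blocked sources"

# 1. raw: drop banned sources before connection tracking spends effort on them
/ip firewall raw
add chain=prerouting action=drop src-address-list=banlist comment="Banlist"

/ip firewall filter
# 2. established/related first, invalid dropped, in both chains
add chain=input action=accept connection-state=established,related comment="Accept established"
add chain=input action=drop connection-state=invalid comment="Drop invalid"
add chain=forward action=accept connection-state=established,related
add chain=forward action=drop connection-state=invalid

# 3. input: only the new connections the router itself should answer
add chain=input action=accept protocol=icmp comment="Ping"
add chain=input action=accept protocol=udp dst-port=500,4500 comment="IPsec IKE and NAT-T"
add chain=input action=accept protocol=ipsec-esp
add chain=input action=accept protocol=ipsec-ah
add chain=input action=accept protocol=udp dst-port=1701 comment="L2TP"
add chain=input action=accept protocol=tcp dst-port=1723 comment="PPTP"
add chain=input action=accept protocol=tcp dst-port=443 comment="SSTP"
add chain=input action=accept in-interface=!ether1-gateway src-address=192.168.1.0/24 comment="Management from LAN"
add chain=input action=accept src-address-list=office-admin comment="Management from office only"
add chain=input action=drop comment="Drop all other input"

# 4. forward: new connections by policy, then drop everything else
add chain=forward action=accept protocol=icmp
add chain=forward action=accept src-address=192.168.0.0/24 dst-address=192.168.1.0/24 comment="Office -> site over VPN"
add chain=forward action=accept src-address=192.168.1.0/24 dst-address=192.168.0.0/24 comment="Site -> office over VPN"
# 192.168.10.0/24 appears in the original rules but is not described in the question; keep only if it exists
add chain=forward action=accept src-address=192.168.10.0/24 dst-address=192.168.1.0/24
add chain=forward action=accept src-address=192.168.1.0/24 dst-address=192.168.10.0/24
add chain=forward action=accept in-interface=!ether1-gateway out-interface=ether1-gateway dst-address-list=test comment="Local to net (allowed list)"
add chain=forward action=accept in-interface=!ether1-gateway out-interface=ether1-gateway dst-address=91.213.144.29 comment="Online kass"
add chain=forward action=accept in-interface=!ether1-gateway out-interface=ether1-gateway dst-address=46.17.204.250
add chain=forward action=accept in-interface=!ether1-gateway out-interface=ether1-gateway dst-address-list=access_list_global_ip protocol=tcp dst-port=80,443,8801,8802,5242,4244,5243,7985 comment="access_list_global_ip tcp"
add chain=forward action=accept in-interface=!ether1-gateway out-interface=ether1-gateway dst-address-list=access_list_global_ip protocol=udp dst-port=3478,3479,8801-8810,5242,4244,5243,7985 comment="access_list_global_ip udp"
add chain=forward action=accept out-interface=ether1-gateway src-address-list=access_list_ip_local comment="Hosts with unrestricted Internet (terminal etc.)"
add chain=forward action=accept out-interface=ether1-gateway src-address=192.168.1.200 comment="IP cam"
add chain=forward action=drop comment="Drop all"
```

The return direction of every flow is covered by the established/related rule at the top of each chain, so the original accept on dst-address-list=access_list_ip_local is not needed, and the per-host rules are pinned to out-interface=ether1-gateway so that a host with unrestricted Internet does not also get unrestricted reach into the office subnets. Before applying such a reorder on a remote router, keep the management session open through the office list and use Safe Mode so a mistake in the input chain does not lock you out.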
