Mikrotik Packet Filter

paranoids Uncategorized

Got Mikrotik?
Here is my config
Q: which guy needs vlans @ home
A: a guy with a summit24 :-) thanks to http://www.cheat.at

/ip firewall filter export
add action=accept chain=in_vlan10 comment="" disabled=no dst-port=8291 protocol=tcp src-address-list=\
    safe
add action=accept chain=in_vlan10 comment="" disabled=no dst-port=21 protocol=tcp src-address-list=safe
add action=drop chain=in_vlan10 comment="" disabled=no dst-port=22 protocol=tcp src-address-list=\
    ssh_blacklist
add action=add-src-to-address-list address-list=ssh_blacklist address-list-timeout=2w chain=in_vlan10 \
    comment="" connection-state=new disabled=no dst-port=22 protocol=tcp src-address-list=ssh_stage3
add action=add-src-to-address-list address-list=ssh_stage3 address-list-timeout=1m chain=in_vlan10 \
    comment="" connection-state=new disabled=no dst-port=22 protocol=tcp src-address-list=ssh_stage2
add action=add-src-to-address-list address-list=ssh_stage2 address-list-timeout=1m chain=in_vlan10 \
    comment="" connection-state=new disabled=no dst-port=22 protocol=tcp src-address-list=ssh_stage1
add action=add-src-to-address-list address-list=ssh_stage1 address-list-timeout=1m chain=in_vlan10 \
    comment="" connection-state=new disabled=no dst-port=22 protocol=tcp
add action=accept chain=in_vlan10 comment="" disabled=no dst-port=22 protocol=tcp
add action=accept chain=in_vlan10 comment="" disabled=no icmp-options=8:0-255 protocol=icmp
add action=accept chain=in_vlan10 comment="" connection-state=established disabled=no
add action=accept chain=in_vlan10 comment="" connection-state=related disabled=no
add action=log chain=in_vlan10 comment="" disabled=yes log-prefix=""
add action=drop chain=in_vlan10 comment="" disabled=no

Here ist my input chain of vlan10 (wan) with sshcrawler autoblacklister

add action=accept chain=in_vlan11 comment="" disabled=no dst-port=8291 protocol=tcp src-address-list=lan
add action=accept chain=in_vlan11 comment="" disabled=no dst-port=80 protocol=tcp src-address-list=lan
add action=accept chain=in_vlan11 comment="" disabled=no dst-port=22 protocol=tcp src-address-list=lan
add action=accept chain=in_vlan11 comment="" disabled=no dst-port=21 protocol=tcp src-address-list=lan
add action=accept chain=in_vlan11 comment="" disabled=no dst-port=53 protocol=udp src-address-list=lan
add action=accept chain=in_vlan11 comment="" disabled=no dst-port=67 protocol=udp src-address-list=lan
add action=accept chain=in_vlan11 comment="" disabled=no icmp-options=8:0-255 protocol=icmp \
    src-address-list=lan
add action=accept chain=in_vlan11 comment="" connection-state=established disabled=no
add action=accept chain=in_vlan11 comment="" connection-state=related disabled=no
add action=log chain=in_vlan11 comment="" disabled=yes log-prefix=""
add action=drop chain=in_vlan11 comment="" disabled=no

Here my input chain of vlan11 my (lan)

add action=accept chain=in_vlan12 comment="" disabled=no icmp-options=8:0-255 protocol=icmp \
    src-address-list=vlan12
add action=accept chain=in_vlan12 comment="" connection-state=established disabled=no
add action=accept chain=in_vlan12 comment="" connection-state=related disabled=no
add action=log chain=in_vlan12 comment="" disabled=yes log-prefix=""
add action=drop chain=in_vlan12 comment="" disabled=no

Here my input chain of vlan12 (switch mgmt)

add action=accept chain=in_vlan13 comment="" disabled=no icmp-options=8:0-255 protocol=icmp \
    src-address-list=vlan13
add action=accept chain=in_vlan13 comment="" connection-state=established disabled=no
add action=accept chain=in_vlan13 comment="" connection-state=related disabled=no
add action=log chain=in_vlan13 comment="" disabled=yes log-prefix=""
add action=drop chain=in_vlan13 comment="" disabled=no

Here my input chain of vlan13 (wlan) “pwgen -s 60” for wpa key

add action=accept chain=forward_vlan11 comment="" disabled=no out-interface=vlan10 src-address-list=lan
add action=accept chain=forward_vlan11 comment="" disabled=no dst-address=xxx.xxx.xxx.xxx dst-port=xx \
    out-interface=vlan11 protocol=tcp src-address-list=safe
add action=accept chain=forward_vlan11 comment="" disabled=no dst-address=xxx.xxx.xxx.xxx dst-port=xxxx \
    out-interface=vlan11 protocol=tcp
add action=accept chain=forward_vlan11 comment="" connection-state=established disabled=no
add action=accept chain=forward_vlan11 comment="" connection-state=related disabled=no
add action=log chain=forward_vlan11 comment="" disabled=yes log-prefix=""
add action=drop chain=forward_vlan11 comment="" disabled=no

Here my forward chain for vlan11 (lan) with2 portforwards and out-interface vlan10
so no wlan client is able to get from vlan13 to vlan10 to vlan12 etc or reverse

add action=accept chain=forward_vlan12 comment="" disabled=no out-interface=vlan10 src-address-list=\
    vlan12
add action=accept chain=forward_vlan12 comment="" connection-state=established disabled=no
add action=accept chain=forward_vlan12 comment="" connection-state=related disabled=no
add action=log chain=forward_vlan12 comment="" disabled=yes log-prefix=""
add action=drop chain=forward_vlan12 comment="" disabled=no

Here my forward chain for vlan12 (switch mgmt) for ntpdate :-)

add action=accept chain=forward_vlan13 comment="" disabled=no out-interface=vlan10 src-address-list=\
    vlan13
add action=accept chain=forward_vlan13 comment="" connection-state=established disabled=no
add action=accept chain=forward_vlan13 comment="" connection-state=related disabled=no
add action=log chain=forward_vlan13 comment="" disabled=yes log-prefix=""
add action=drop chain=forward_vlan13 comment="" disabled=no

Here my forward chain for vlan13 (wlan)

add action=jump chain=input comment="" disabled=no in-interface=vlan10 jump-target=in_vlan10
add action=jump chain=input comment="" disabled=no in-interface=vlan11 jump-target=in_vlan11
add action=jump chain=input comment="" disabled=no in-interface=vlan12 jump-target=in_vlan12
add action=jump chain=input comment="" disabled=no in-interface=vlan13 jump-target=in_vlan13
add action=accept chain=input comment="" connection-state=established disabled=no
add action=accept chain=input comment="" connection-state=related disabled=no
add action=log chain=input comment="" disabled=yes log-prefix=""
add action=drop chain=input comment="" disabled=no

Here are the jumps to the input chains

add action=jump chain=forward comment="" disabled=no jump-target=forward_vlan11 src-address-list=lan
add action=jump chain=forward comment="" disabled=no dst-address-list=lan jump-target=forward_vlan11
add action=jump chain=forward comment="" disabled=no jump-target=forward_vlan12 src-address-list=vlan12
add action=jump chain=forward comment="" disabled=no jump-target=forward_vlan13 src-address-list=vlan13
add action=accept chain=forward comment="" connection-state=established disabled=no
add action=accept chain=forward comment="" connection-state=related disabled=no
add action=log chain=forward comment="" disabled=yes log-prefix=""
add action=drop chain=forward comment="" disabled=no

Here are the jumps to the forward chains

/ip firewall nat export
add action=src-nat chain=srcnat comment="" disabled=no out-interface=vlan10 src-address=xxx.xxx.xxx.xxx/xx \
    to-addresses=xxx.xxx.xxx.xxx
add action=src-nat chain=srcnat comment="" disabled=no out-interface=vlan10 src-address=xxx.xxx.xxx.xxx/xx \
    to-addresses=xxx.xxx.xxx.xxx
add action=src-nat chain=srcnat comment="" disabled=no out-interface=vlan10 src-address=xxx.xxx.xxx.xxx/xx \
    to-addresses=xxx.xxx.xxx.xxx
add action=dst-nat chain=dstnat comment="" disabled=no dst-address=xxx.xxx.xxx.xxx dst-port=xxxx \
    protocol=tcp to-addresses=xxx.xxx.xxx.xxx to-ports=xx
add action=dst-nat chain=dstnat comment="" disabled=no dst-address=xxx.xxx.xxx.xxx/xx dst-port=xxxx \
    protocol=tcp to-addresses=xxx.xxx.xxx.xxx/xx to-ports=xxxx

Here my nat table

Have fun