Default firewall mikrotik

The main changes made in this configuration relate to the minimum bloat required to stop any leaking of private IP addresses in any direction on the router. This approach focuses on adding two /ip firewall RAW filter rules and the use of /ip route and blackhole functionality. BOGONs are simply sets of subnets that are not valid public IPs and include all sorts of private IP schemas. We will make use of BOGONs where applicable. The key for any MT admin is to never apply BOGONs such that they include any local or remote subnets traversing your local router.

(1) RAW RULE Inbound/Source Address - Designed to stop cold any incoming traffic (passing inbound on the WAN) whose source address indicates that the traffic is not from a legitimate public IP address. Thus we make use of BOGONs to block any private subnets or non-public IPs from entering the router.
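As an added example, not the forum author's or MikroTik's own code, the helper below implements the caveat in this section: it flags BOGON entries that overlap the subnets the router carries, carves those subnets out so the list never covers local or remote networks, and emits the resulting RouterOS address-list, RAW prerouting drop rule and blackhole routes. The BOGON list and routed subnets are constructed sample values, and the generated commands assume RouterOS v7 syntax.

```python
import ipaddress

# Constructed sample data. BOGONS: non-public ranges that must never arrive
# on the WAN as a source address. ROUTED: subnets this router legitimately
# carries (LAN, VPN, remote sites); no BOGON entry may cover any of them.
BOGONS = ["0.0.0.0/8", "10.0.0.0/8", "100.64.0.0/10", "127.0.0.0/8",
          "169.254.0.0/16", "172.16.0.0/12", "192.0.0.0/24", "192.0.2.0/24",
          "192.168.0.0/16", "198.18.0.0/15", "198.51.100.0/24",
          "203.0.113.0/24", "224.0.0.0/4", "240.0.0.0/4"]
ROUTED = ["192.168.88.0/24", "10.10.0.0/16"]

def bogon_conflicts(bogons, routed):
    """(bogon, subnet) pairs where an entry overlaps a routed subnet."""
    nets = [ipaddress.ip_network(b) for b in bogons]
    used = [ipaddress.ip_network(s) for s in routed]
    return [(str(b), str(r)) for b in nets for r in used if b.overlaps(r)]

def exclude_routed(bogons, routed):
    """Carve every routed subnet out of the BOGON set, returning CIDR strings
    that still cover non-public space but none of the router's own subnets."""
    used = [ipaddress.ip_network(s) for s in routed]
    kept = []
    for bogon in (ipaddress.ip_network(b) for b in bogons):
        pieces = [bogon]
        for r in used:
            nxt = []
            for p in pieces:
                if p.subnet_of(r):          # entirely inside a routed subnet
                    continue
                if r.subnet_of(p):          # split around the routed subnet
                    nxt.extend(p.address_exclude(r))
                else:
                    nxt.append(p)
            pieces = nxt
        kept.extend(pieces)
    return [str(p) for p in sorted(kept)]

def routeros_commands(src_bogons, blackhole_nets, wan="WAN", lst="BOGONS"):
    """RouterOS v7 commands (assumed syntax): fill the address-list, drop
    inbound WAN packets sourced from it in RAW prerouting (before conntrack),
    and blackhole private destinations so they never leak via the default route."""
    cmds = ["/ip firewall address-list"]
    cmds += [f"add list={lst} address={b}" for b in src_bogons]
    cmds += ["/ip firewall raw",
             f"add chain=prerouting in-interface-list={wan} src-address-list={lst} "
             f'action=drop comment="RAW: drop non-public source on WAN"',
             "/ip route"]
    cmds += [f"add dst-address={n} blackhole" for n in blackhole_nets]
    return cmds
```

Run `exclude_routed(BOGONS, ROUTED)` for the RAW source list and the same function over just the RFC 1918 and CGNAT ranges for the blackhole routes, then paste the output of `routeros_commands` into the terminal.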

(2B) APPRENTICE SETUP input courtesy of DarkNate

add action=drop chain=forward comment="drop all else"
add action=masquerade chain=srcnat comment="defconf: masquerade" ipsec-policy=out,none out-interface-list=WAN

NOTE1: Lines in Green can be disabled/removed if not required.

NOTE2: Option 2 is effective if the admin needs to access the config from many subnets or if incoming VPN access is required.

NOTE3: The loopback rule is not specific only to CAPsMAN. It is internal to RouterOS: 127.0.0.1 means "itself", that is, the loopback interface (localhost / 127.0.0.1/32) always exists and can be used by the CPU for packets that are sent between internal services of the RouterBoard, for example The Dude, RADIUS, User Manager, CAPsMAN on a wireless interface on the RouterBoard itself, and reportedly WireGuard.

NOTE4: The purpose of the action=reject rule is to prevent users in LAN from waiting tens of seconds for a timeout when they try to connect to forbidden destinations, and of course for the admin to be aware of traffic that has the potential to be a problem (aka pinpoint the device with issues).

NOTE5: A problem with the reject rule may stem from broadcast traffic. Typically, firewall filter comes after routing, and multicast traffic is only routed if you explicitly enable and configure that, so in most installations the rule doesn't have to care about multicast traffic because it never sees it. If it is an issue, simply match the rule with a slight modification:

add action=reject chain=forward in-interface-list=LAN reject-with=icmp-admin-prohibited dst-address-type=!multicast

*** NTP port 123 protocol udp may be blocked by your ISP (on the client side, aka inbound on port 123), in which case source-NATing port 123 to something likely not blocked, such as 12300, may solve the issue:

add action=src-nat chain=srcnat out-interface-list=WAN protocol=udp src-port=123 to-ports=12300