MikroTik Firewall Rule
Introduction
This page gives step-by-step instructions for the correct way to configure the Firewall Rules on MikroTik routers. It covers the necessary steps of adding the Interface Lists, the Address Lists, and the Firewall Filter Rules.
Firewall Rules
The Firewall Rules have been updated to only allow access from inside the SECOM Secure Network. They have also been updated to rely on Interface Lists to differentiate between the LAN interfaces, those that connect to the Access Points and management devices at the tower site, and the WAN interfaces, those that connect back to the SECOM network, either via ONTs or Backhauls. The address list has also been updated, allowing better control of which addresses are able to reach the MikroTik and the devices beyond it.
Interface Lists
Creating The Lists and Adding Interfaces
Provisioning - GUI
To create the Interface Lists, select the Interfaces tab on the left-side menu. This will pop up the "Interface List" window. Select the Interface List tab at the top of the window, then select the Lists button just underneath the top menu; this will open the "Interface Lists" window. Select the blue + in the upper left-hand corner. This will pop up the "New Interface List" window; change the name to LAN and hit the OK button. Hit the blue + again and repeat with WAN.
Once your Lists are created you can add your interfaces to them. In the main "Interface List" window select the blue + and choose your List in the drop down labeled List, and your interface in the drop down labeled Interface, then select OK.
Repeat until all interfaces are assigned to the proper list. Make sure that every interface is assigned to a list, and that only two interfaces are assigned to the WAN list: the uplink ethernet interface and the uplink V259 interface. It should look like below.
Provisioning - CLI
To provision via CLI you can select "New Terminal" on the left-hand side of the Winbox GUI, or you can open an SSH session to the MikroTik directly. To add the Interface Lists through the CLI you would use the following commands.
interface list add name=WAN
interface list add name=LAN
After running the commands you can use
interface list print
to make sure the lists look correct.
Once you have the Lists created you can add the interfaces to the WAN list with the following commands:
interface list member add interface=ether1 list=WAN
interface list member add interface=e1.0259 list=WAN
To add the rest of the interfaces to the LAN list we will use a MikroTik script loop to handle all of the etherN interfaces at one time. Use the following commands to do that.
:local x
:for x from=2 to=12 do={/interface list member add interface="ether$x" list=LAN}
This will add all of the ether2-12 interfaces to the LAN list immediately. Run
interface list member print
to make sure that the interface list members look correct.
If there are other interfaces, such as SFP interfaces, you can use the same loop method or the method that was used to add the WAN interfaces; they would just go to the LAN interface list, unless they are the uplink port.
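The whole interface-list procedure above as one script that can be pasted into a New Terminal or SSH session. This is an added example, not a script from the page or from SECOM: the interface names ether1 and e1.0259 are the page's, while the ether2-12 range, the SFP port name sfp1 and the comments are assumptions. Unlike the bare loop above, it checks that each port exists before adding it, so it does not error out on a board with fewer than 12 ports, and it finishes with a count of WAN members so an accidental third uplink is caught before the filter rules go in.

```routeros
# Added example (not the page's own commands). Creates the two interface lists,
# puts the uplinks in WAN and every other ethernet port in LAN, then verifies.
/interface list add name=WAN comment="uplinks back to the SECOM network"
/interface list add name=LAN comment="APs and tower-site management devices"

# Uplink interfaces (names taken from the page): exactly these two go in WAN
/interface list member add interface=ether1 list=WAN
/interface list member add interface=e1.0259 list=WAN

# Remaining ethernet ports go to LAN; the 2-12 range is an assumption.
# Skip ports that do not exist on this board instead of failing mid-loop.
:for x from=2 to=12 do={
    :local ifname ("ether" . $x)
    :if ([:len [/interface find name=$ifname]] > 0) do={
        /interface list member add interface=$ifname list=LAN
    }
}

# A non-uplink SFP port (assumed name "sfp1") belongs in LAN as well
:if ([:len [/interface find name="sfp1"]] > 0) do={
    /interface list member add interface=sfp1 list=LAN
}

# Verify: every interface should appear in exactly one list
/interface list print
/interface list member print

# Sanity check before importing the filter rules: WAN must have exactly 2 members
:local wancount [:len [/interface list member find list=WAN]]
:put ("WAN members: " . $wancount)
:if ($wancount != 2) do={ :put "WARNING: WAN list does not have exactly 2 members, fix before importing filter rules" }
```

The existence check matters because the filter rules that follow key off the LAN and WAN lists: an interface that ends up in neither list is not covered by either side of the rule set, which is why the page stresses that every interface must be assigned.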
Removing the old Firewall Filter Rules and the Address List
The address list and Firewall Filter Rules will be added by importing a file containing the proper script. Before that file can be imported, all existing firewall filter rules and address lists need to be deleted first. If they are not, you run the risk of losing management to the device. The easiest way to delete them is through the Winbox GUI.
To delete the Firewall Filter Rules, select the IP tab on the left-side menu; this will open a drop down. Select the Firewall option. This will pop up the "Firewall" window. Make sure you are on the Filter Rules tab at the top of the window and select all of the existing rules by hitting Ctrl+A. Then you can either press the Delete key on your keyboard or the red - in the upper right-hand corner.
Then go to the "Address Lists" tab at the top of the window and repeat the deleting process for all of the existing Addresses.
Replacing The Filter Rules and Address List
You should have the new Address List and Firewall Filter Rules saved to your desktop. You can then drag and drop them into the MikroTik.
AddressList-11.2.23.rsc
FilterList-11.1.23.rsc
Once you have the files saved to the MikroTik open a New Terminal window and input the following command
import file-name=AddressList-11.2.23.rsc
You should import the Address List first; if successful you will see the following.
Once you have the list added, go back to the "Address List" tab in the "Firewall" window. You will need to change the Local_IPs and the Radio_IPs to the correct IPs for that MikroTik. The Local_IPs will be the /16 for the tower site and the Radio_IPs need to be the individual /24s for all of the APs on that tower. It should look similar to below.
Now you can import the Firewall Filter Rules just like you did the Address List. You will need to be logged in via the MikroTik's 192.168.21.0/24 address, and selecting Safe Mode is probably a good idea. Use the following command.
import file-name=FilterList-11.1.23.rsc
Once your file is imported your Filter List should look like this.
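The same replace-and-verify procedure done entirely from the terminal, as an added example; it is not the content of the page's AddressList-11.2.23.rsc or FilterList-11.1.23.rsc files, which are imported unchanged. The file names are the page's; the 10.123.x.x prefixes and the AP comments are constructed placeholders that must be replaced with the tower's real Local_IPs /16 and per-AP Radio_IPs /24s. Entering safe mode first (Ctrl+X in the terminal) means that if the new rules cut off your own session, RouterOS rolls the changes back instead of leaving you locked out.

```routeros
# Added example (not the page's .rsc files). Run from the 192.168.21.0/24
# management address, on the SECOM Secure Network, with safe mode enabled.

# 1. Clear the old rule set and address lists so the import does not collide
#    with stale entries (the page requires this before importing).
/ip firewall filter remove [find]
/ip firewall address-list remove [find]

# 2. Import the address list first, then replace the template values with this
#    site's real prefixes. 10.123.0.0/16 and the /24s below are placeholders.
/import file-name=AddressList-11.2.23.rsc
/ip firewall address-list remove [find list=Local_IPs]
/ip firewall address-list add list=Local_IPs address=10.123.0.0/16 comment="tower site /16 (placeholder)"
/ip firewall address-list remove [find list=Radio_IPs]
/ip firewall address-list add list=Radio_IPs address=10.123.1.0/24 comment="AP1 /24 (placeholder)"
/ip firewall address-list add list=Radio_IPs address=10.123.2.0/24 comment="AP2 /24 (placeholder)"

# Check both lists before the filter rules depend on them
/ip firewall address-list print where list~"_IPs"

# 3. Import the filter rules only after the address lists are correct
/import file-name=FilterList-11.1.23.rsc
/ip firewall filter print

# 4. While testing from the SECOM BYOD network, the drop rules' packet counters
#    should increase and the management address should stay unreachable
/ip firewall filter print stats
```

Keep the session open until `print stats` confirms the rules behave as expected, then leave safe mode (Ctrl+X again) to commit; disconnecting while still in safe mode discards everything done since it was entered, including the import.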
Testing Firewall Rules
This change can only be done on the SECOM Secure Network or you will lose management to the device. If you follow all steps carefully you should not lose management and that will test the successful implementation of the firewall rules. To make sure that everything is working though, you could get on the SECOM BYOD network and attempt to connect to both the 192.168.21.0/24 and the 10.xxx.0.2 addresses. If the rules are working you should not be able to reach them.