
Давно не приходилось работать с микротиком, уже подзабыл нюансы.

Помогите проверить и поправить конфигурацию.

 

Маршрутизатор RB2011UAS.

Порты eth1-eth5 - локальная сеть, объединены в бридж (у меня были сомнения в нормальной работе свитч-чипа).

Порт eth6 - провайдер1, дает доступ к локальным ресурсам (DHCP) и в интернет (PPPoE).

Порт eth7 - провайдер2, дает доступ в интернет (PPPoE).

Порты eth8, eth9 - не используются.

Порт eth10 - пока не используется, в дальнейшем будет отдельная сеть, на интерфейсе будет работать PPPoE-сервер.

 

Конфигурация примерно такая:

# LAN addressing: 192.168.48.0/24, router at .250 on bridge-lan, DHCP hands out .1-.99.
# NOTE(review): pool-lan is not referenced anywhere in this listing; its range overlaps
# dhcp-lan (.1-.99) and also contains the router's own .250 plus the network and
# broadcast addresses. If it is meant for the future PPPoE server on eth10, give it a
# range that does not overlap the LAN scope.
/ip pool add name=pool-lan ranges=192.168.48.0/24
/ip pool add name=dhcp-lan ranges=192.168.48.1-192.168.48.99
/ip dhcp-server add add-arp=yes address-pool=dhcp-lan disabled=no interface=bridge-lan lease-time=30m name=dhcp-lan
# Uplinks: both PPPoE clients install a default route; pppoe1 (distance 2) is preferred,
# pppoe2 (distance 10) is the fallback.
# NOTE(review): "interface=eth6,sfp1" - a pppoe-client is bound to one interface; confirm
# this is a paste artefact and the client actually runs on eth6 as described above.
/interface pppoe-client add ac-name="" add-default-route=yes allow=pap,chap default-route-distance=2 dial-on-demand=no disabled=no interface=eth6,sfp1 keepalive-timeout=60 max-mru=1480 max-mtu=1480 mrru=1600 name=pppoe1 password=pwd profile=default service-name="" use-peer-dns=yes user=user1
/interface pppoe-client add ac-name="" add-default-route=yes allow=pap,chap default-route-distance=10 dial-on-demand=no disabled=no interface=eth7 keepalive-timeout=60 max-mru=1480 max-mtu=1480 mrru=1600 name=pppoe2 password=pwd profile=default service-name="" use-peer-dns=yes user=user2
# eth1-eth5 form the LAN bridge (software bridge rather than the switch chip).
/interface bridge port
add bridge=bridge-lan interface=eth1
add bridge=bridge-lan interface=eth2
add bridge=bridge-lan interface=eth3
add bridge=bridge-lan interface=eth4
add bridge=bridge-lan interface=eth5
/ip address add address=192.168.48.250/24 interface=bridge-lan network=192.168.48.0
# Provider-1 intranet on eth6: take a DHCP lease only (no default route, no peer DNS/NTP);
# internet on that link goes through pppoe1.
/ip dhcp-client add add-default-route=no dhcp-options=hostname,clientid disabled=no interface=eth6 use-peer-dns=no use-peer-ntp=no
# LAN clients use the router as DNS and NTP server.
/ip dhcp-server network add address=192.168.48.0/24 dns-server=192.168.48.250 gateway=192.168.48.250 netmask=24 ntp-server=192.168.48.250
# Router acts as a DNS resolver for the LAN; reachability of port 53 from the
# uplinks is controlled by the input chain of the firewall filter.
/ip dns set allow-remote-requests=yes
# Static route to provider-1 local resources.
# NOTE(review): presumes the DHCP lease on eth6 puts the router in a subnet that
# contains 10.0.0.1 - verify against the lease, otherwise the route is unreachable.
/ip route add distance=1 dst-address=10.1.0.0/16 gateway=10.0.0.1

 

Настройки фаервола сделал такие:

# Address lists referenced by the NAT and filter rules.
/ip firewall address-list
# acl-lan: the whole LAN scope (used as srcnat source and as the forward/input accept source).
add list=acl-lan address=192.168.48.0/24
# acl-admin: the single host allowed to open Winbox (tcp/8291) on the router.
add list=acl-admin address=192.168.48.100
# acl-invalid: source/destination ranges that never belong in forwarded traffic.
add list=acl-invalid address=0.0.0.0/8
add list=acl-invalid address=127.0.0.0/8
# acl-bogon: RFC 1122/1918/3927/5737/6598/2544 ranges and multicast/reserved space;
# dropped on the router's own input from the PPPoE uplinks.
add list=acl-bogon address=0.0.0.0/8
add list=acl-bogon address=10.0.0.0/8
add list=acl-bogon address=100.64.0.0/10
add list=acl-bogon address=127.0.0.0/8
add list=acl-bogon address=169.254.0.0/16
add list=acl-bogon address=172.16.0.0/12
add list=acl-bogon address=192.0.0.0/24
add list=acl-bogon address=192.0.2.0/24
add list=acl-bogon address=192.168.0.0/16
add list=acl-bogon address=198.18.0.0/15
add list=acl-bogon address=198.51.100.0/24
add list=acl-bogon address=203.0.113.0/24
add list=acl-bogon address=224.0.0.0/4
add list=acl-bogon address=240.0.0.0/4

# Source NAT: LAN hosts are masqueraded behind whichever uplink the route selects.
/ip firewall nat
add chain=srcnat action=masquerade src-address-list=acl-lan out-interface=pppoe1 comment="Internet over prov1"
# Provider-1 local resources are reached directly over eth6 (the DHCP-leased address).
add chain=srcnat action=masquerade src-address-list=acl-lan out-interface=eth6 comment="Intranet over prov1"
add chain=srcnat action=masquerade src-address-list=acl-lan out-interface=pppoe2 comment="Internet over prov2"

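/ip firewall filter
# ---- input: traffic addressed to the router itself ----
# Bogon sources are screened only on the PPPoE uplinks; eth6 (provider-1 intranet)
# is not covered, which is why the LAN accept below is also tied to in-interface.
add action=drop chain=input comment="Self Normalization: Drop Bogons" in-interface=pppoe1 log=yes log-prefix="BOGONS: " src-address-list=acl-bogon
add action=drop chain=input comment="Self Normalization: Drop Bogons" in-interface=pppoe2 log=yes log-prefix="BOGONS: " src-address-list=acl-bogon
add action=drop chain=input comment="Self Normalization: Drop Invalid" connection-state=invalid
add chain=input comment="Self Normalization: Skip Established" connection-state=established
add chain=input comment="Self Normalization: Skip Related" connection-state=related
# NOTE(review): accepts every ICMP type from every interface with no rate limit;
# the "icmp" chain further down is consulted only from forward, not from here.
add chain=input comment="Border: Allow ICMP" protocol=icmp
# Winbox from the admin host. acl-admin is inside the LAN scope, so for LAN access
# the rule below already covers it; keep this one only if acl-admin is meant to
# grow beyond the LAN.
add chain=input comment="Border: Allow Remote" connection-state=new dst-port=8291 protocol=tcp src-address-list=acl-admin
# in-interface=bridge-lan added: without it a packet arriving on eth6 with a forged
# 192.168.48.x source would be accepted here (acl-bogon is not checked on eth6), e.g.
# to reach the router's DNS resolver and reflect the answer into the LAN.
add chain=input comment="Border: Allow LAN" connection-state=new in-interface=bridge-lan src-address-list=acl-lan
add action=drop chain=input comment="Border: Block not LAN" connection-state=new in-interface=!bridge-lan
add action=drop chain=input comment="Border: Default Policy" log=yes log-prefix="DROP: "
# ---- output: traffic originated by the router ----
# NOTE(review): this rule has no effect as written: "limit" only decides which packets
# this accept rule matches, and the remainder fall through to the chain's default
# accept. Making it a real limit needs a following drop for protocol=udp, which would
# also throttle the router's own DNS forwarding for the LAN - decide before adding it.
add chain=output comment="Border: Limit outgoing UDP" limit=5,20 protocol=udp
# ---- forward: traffic routed through the router ----
add action=drop chain=forward comment="Drop Invalid Src" log=yes log-prefix="INVALID: " src-address-list=acl-invalid
add action=drop chain=forward comment="Drop Invalid Dst" dst-address-list=acl-invalid log=yes log-prefix="INVALID: "
add action=drop chain=forward comment="Drop Invalid" connection-state=invalid
add chain=forward comment="Skip Established" connection-state=established
add chain=forward comment="Skip Related" connection-state=related
add action=jump chain=forward comment="Processing ICMP" jump-target=icmp protocol=icmp
# Everything that enters from the LAN bridge with a LAN source is allowed out
# (any destination, including LAN-to-LAN through the router).
add chain=forward comment="Allow from LAN" in-interface=bridge-lan src-address-list=acl-lan
# Removed the two "out-interface=bridge-lan src-address-list=acl-lan" accepts that used
# to sit here and after the final drop: legitimate LAN-originated traffic is already
# admitted by the rule above, and because the forward chain does not screen bogon
# sources they would also have admitted packets arriving on an uplink with a forged
# LAN source address. The second copy was placed after "LAST RULE" and could never match.
add action=drop chain=forward comment="LAST RULE" log=yes log-prefix="DROP: "
# ---- icmp: only the listed ICMP types are forwarded; everything else is dropped ----
add chain=icmp comment="ICMP: echo reply" icmp-options=0:0 protocol=icmp
add chain=icmp comment="ICMP: network unreachable" icmp-options=3:0 protocol=icmp
add chain=icmp comment="ICMP: host unreachable" icmp-options=3:1 protocol=icmp
add chain=icmp comment="ICMP: host unreachable fragmentation required" icmp-options=3:4 protocol=icmp
add chain=icmp comment="ICMP: source quench" icmp-options=4:0 protocol=icmp
add chain=icmp comment="ICMP: echo request" icmp-options=8:0 protocol=icmp
add chain=icmp comment="ICMP: time exceed" icmp-options=11:0 protocol=icmp
add chain=icmp comment="ICMP: parameter bad" icmp-options=12:0 protocol=icmp
add action=drop chain=icmp comment="ICMP: drop other" log=yes log-prefix="ICMP: "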
