How to block IP range when NATed?

vuleta82
just joined
Posts: 5
Joined: Tue May 07, 2024 9:36 am

How to block IP range when NATed?

Post by vuleta82 »

Hello,

This could be quite a noob question to ask, but I am quite stuck now and getting dumber by the minute.
I have one MT running 6.47.3 with a pretty basic setup, one static IP for the Internet and some 2 subnets inside. Most of the NATed traffic is RDP forwards from some random port to 3389 and that works fine.
It's dst-nat on the WAN interface from some port to the IP of the machine, port 3389.
The problem comes when I get a lot of brute force or pentest traffic to that particular port from some unknown IP. It's not doing any harm (yet!), but when I then try to make a filter rule to filter that IP (or its range), I am not able to do that. Packets still go through.
Only when I DISABLE that NAT do I see packets getting filtered and dropped. But then I don't have NAT there... :)

How can I filter some IPs but still have NAT, because my impression is that it's first NATed and then goes through a filter.

I can post some specifics of the configuration, but I assume I am just dumb and missing some simple option to do this. :)

Thx in advance.
rplant
Member
Posts: 351
Joined: Fri Sep 29, 2017 9:42 am

Re: How to block IP range when NATed?

Post by rplant »

Filtering dst-nated packets seems to work OK here.

One guess:
If you copied the default defconf "drop all from WAN not DSTNATed" rule and edited it, you need to remove the connection state (!dst-nat) setting from your new rule.

Also:
You should be using a newer version of RouterOS,
(and reset to defaults and apply your changes to that, the defaults do sometimes change, usually improving)

You should be using some sort of VPN for RDP access. (Wireguard in V7 is very good, worth the upgrade by itself)
vuleta82

Re: How to block IP range when NATed?

Post by vuleta82 »

rplant wrote: Tue May 07, 2024 11:49 am
One guess:
If you copied the default defconf "drop all from WAN not DSTNATed" rule and edited it, you need to remove the connection state (!dst-nat) setting from your new rule.
Thx, but this is not doing the trick. I enabled that but it behaves the same as above.

I will upgrade, but it will not probably solve this problem. Also, VPN is the next thing, I just thought to solve this before VPN.
mkx
Forum Guru
Posts: 11777
Joined: Thu Mar 03, 2016 9:23 pm

Re: How to block IP range when NATed?

Post by mkx »

Show us firewall configuration (execute /ip firewall export file=anynameyouwish from UI, fetch the file off device, open it with text editor and copy-paste it here inside [code] [/code] environment).
vuleta82

Re: How to block IP range when NATed?

Post by vuleta82 »

Here it is. Masked the Public IP only...

# may/07/2024 15:27:06 by RouterOS 6.47.3
# software id = KXKI-1Y30
#
# model = CRS125-24G-1S-2HnD
# serial number = 523A05C0EBE6
/ip firewall address-list
add list=WL
add address=89.248.172.0/24 disabled=yes list=WL
add address=185.64.104.0/22 disabled=yes list=WL
add address=185.25.48.0/22 disabled=yes list=WL
add address=85.206.160.0/20 disabled=yes list=WL
add address=163.172.0.0/17 disabled=yes list=WL
add address=80.82.64.0/23 disabled=yes list=WL
add address=10.0.0.0/8 list=WL
add address=127.0.0.0/8 list=WL
add address=192.168.0.0/16 list=WL
add address=172.16.0.0/12 list=WL
add address=169.254.0.0/16 list=WL
/ip firewall filter
add action=drop chain=input dst-port=5678 protocol=tcp
add action=drop chain=input protocol=tcp src-address=87.251.64.0/24
add action=drop chain=input dst-port=10000-60000 protocol=tcp src-address=\
45.227.254.0/24
add action=drop chain=input protocol=tcp src-address=80.66.88.0/24
add action=drop chain=input connection-nat-state=dstnat dst-address=\
MASKED_IP protocol=tcp src-address=91.224.92.0/24
add action=reject chain=input dst-address=MASKED_IP dst-port=10000-60000 \
protocol=tcp reject-with=icmp-network-unreachable src-address=\
220.178.173.0/24
add action=reject chain=input dst-address=MASKED_IP dst-port=10000-60000 \
protocol=tcp reject-with=icmp-host-prohibited src-address=\
125.227.118.0/24
add action=drop chain=input dst-address=MASKED_IP dst-port=53 protocol=\
udp
add action=drop chain=input dst-port=10000-60000 protocol=tcp src-address=\
147.78.47.133
add action=accept chain=input comment="default configuration" protocol=icmp
add action=accept chain=input comment="default configuration" \
connection-state=established,related
add action=accept chain=input comment="allow l2tp" disabled=yes dst-port=1701 \
protocol=udp
add action=accept chain=input comment="allow pptp" dst-port=1723 protocol=tcp
add action=accept chain=input comment="allow sstp" dst-port=443 protocol=tcp
add action=accept chain=input dst-port=123 log=yes protocol=udp
add action=accept chain=input disabled=yes dst-port=22 in-interface=\
internet-ether24 protocol=tcp src-address=217.23.192.72
add action=drop chain=input comment="default configuration" disabled=yes \
in-interface=internet-ether24
add action=accept chain=forward disabled=yes dst-address=192.168.0.103 \
dst-port=53 protocol=tcp src-address=172.19.1.0/24
add action=accept chain=forward disabled=yes dst-address=192.168.0.103 \
dst-port=53 protocol=udp src-address=172.19.1.0/24
add action=drop chain=forward disabled=yes dst-address=192.168.0.0/24 \
src-address=172.19.1.0/24
add action=accept chain=forward comment="default configuration" \
connection-state=established,related
add action=accept chain=forward disabled=yes dst-port=21 protocol=tcp
add action=drop chain=forward comment="default configuration" \
connection-state=invalid
add action=drop chain=input dst-port=22,80,51922 protocol=tcp
add action=drop chain=forward comment="default configuration" \
connection-nat-state=!dstnat connection-state=new disabled=yes \
in-interface=internet-ether24
/ip firewall nat
add action=src-nat chain=srcnat dst-address=10.190.15.40 src-address=\
192.168.0.103 to-addresses=10.150.4.41
add action=src-nat chain=srcnat dst-address=10.190.15.40 src-address=\
192.168.0.33 to-addresses=10.150.4.42
add action=accept chain=srcnat dst-address=10.190.15.40 src-address=\
10.150.4.40/29
add action=dst-nat chain=dstnat dst-address=10.150.4.41 src-address=\
10.190.15.40 to-addresses=192.168.0.103
add action=dst-nat chain=dstnat dst-address=10.150.4.42 src-address=\
10.190.15.40 to-addresses=190.168.0.33
add action=dst-nat chain=dstnat comment=TIJANA disabled=yes dst-port=56897 \
in-interface=internet-ether24 log=yes log-prefix=TIJANA-RDP protocol=tcp \
to-addresses=192.168.0.131 to-ports=3389
add action=dst-nat chain=dstnat comment=LEPTIR disabled=yes dst-port=7070 \
in-interface=internet-ether24 log=yes log-prefix=LEPTIR-RDP protocol=tcp \
to-addresses=192.168.0.26 to-ports=3389
add action=dst-nat chain=dstnat comment=DELL disabled=yes dst-port=55099 \
in-interface=internet-ether24 log=yes log-prefix=DELL-RDP protocol=tcp \
to-addresses=192.168.0.102 to-ports=3389
add action=dst-nat chain=dstnat comment=SQL disabled=yes dst-port=20154 \
in-interface=internet-ether24 log=yes log-prefix=SQL protocol=tcp \
to-addresses=192.168.0.201 to-ports=3389
add action=dst-nat chain=dstnat comment=ISO-VPC disabled=yes dst-port=58989 \
in-interface=internet-ether24 log=yes log-prefix=ISOVPC-RDP protocol=tcp \
to-addresses=192.168.0.28 to-ports=3389
add action=dst-nat chain=dstnat comment=NEWISOPC disabled=yes dst-port=58990 \
in-interface=internet-ether24 log=yes log-prefix=NEWISOPC protocol=tcp \
to-addresses=192.168.0.28 to-ports=3389
add action=dst-nat chain=dstnat comment=CONF disabled=yes dst-port=43210 \
in-interface=wlan1 log=yes log-prefix=CONF protocol=tcp to-addresses=\
172.19.1.128 to-ports=3389
add action=dst-nat chain=dstnat comment=DDSOFT disabled=yes dst-port=33344 \
in-interface=internet-ether24 log=yes log-prefix=DDSoft-RDP protocol=tcp \
to-addresses=192.168.0.32 to-ports=3389
add action=dst-nat chain=dstnat comment=ANJA dst-port=48371 in-interface=\
internet-ether24 log=yes log-prefix=ANJA-RDP protocol=tcp to-addresses=\
192.168.0.125 to-ports=3389
add action=dst-nat chain=dstnat comment=SERV-OLD disabled=yes dst-port=20153 \
in-interface=internet-ether24 log=yes log-prefix=SERVOLD-RDP protocol=tcp \
to-addresses=192.168.0.103 to-ports=3389
add action=dst-nat chain=dstnat comment=STOJANKA dst-port=59993 in-interface=\
internet-ether24 log=yes log-prefix=STOJANKA-RDP protocol=tcp \
to-addresses=192.168.0.189 to-ports=3389
add action=dst-nat chain=dstnat comment=NINA dst-port=36888 in-interface=\
internet-ether24 log-prefix=NINA-RDP protocol=tcp to-addresses=\
192.168.0.187 to-ports=3389
add action=dst-nat chain=dstnat comment="TAMARA" dst-port=51242 \
in-interface=internet-ether24 log=yes log-prefix=MILKICA-RDP protocol=tcp \
to-addresses=192.168.0.228 to-ports=3389
add action=dst-nat chain=dstnat comment=TAMARA dst-port=59992 in-interface=\
internet-ether24 log=yes log-prefix=TAMARA-RDP protocol=tcp to-addresses=\
192.168.0.225 to-ports=3389
add action=dst-nat chain=dstnat comment=MIRELA disabled=yes dst-port=59321 \
in-interface=internet-ether24 log=yes log-prefix=MIRELA-RDP protocol=tcp \
to-addresses=192.168.0.125 to-ports=3389
add action=dst-nat chain=dstnat comment=PGADMINNEW dst-port=45432 \
in-interface=internet-ether24 log=yes log-prefix=PGADMINNEW protocol=tcp \
to-addresses=192.168.0.28 to-ports=5432
add action=dst-nat chain=dstnat comment=MILKICA dst-port=56874 in-interface=\
internet-ether24 log=yes log-prefix=JELICA-RDP protocol=tcp to-addresses=\
192.168.0.226 to-ports=3389
add action=dst-nat chain=dstnat comment=MILICA dst-port=38777 in-interface=\
internet-ether24 log=yes log-prefix=MILICA-RDP protocol=tcp to-addresses=\
192.168.0.167 to-ports=3389
add action=dst-nat chain=dstnat comment="JELENA" disabled=yes \
dst-port=52478 in-interface=internet-ether24 log-prefix="JELENA K" \
protocol=tcp to-addresses=192.168.0.124 to-ports=3389
add action=dst-nat chain=dstnat comment=PGADMIN disabled=yes dst-port=55432 \
in-interface=internet-ether24 log=yes log-prefix=PGADMIN protocol=tcp \
to-addresses=192.168.0.27 to-ports=5432
add action=dst-nat chain=dstnat comment="TIJANA MILACIC" dst-port=59924 \
in-interface=internet-ether24 log=yes log-prefix=TIJANAMILACIC-RDP \
protocol=tcp to-addresses=192.168.0.149 to-ports=3389
add action=dst-nat chain=dstnat comment=MILICAC dst-port=54128 in-interface=\
internet-ether24 log=yes log-prefix=MILICAC-RDP protocol=tcp \
to-addresses=192.168.0.131 to-ports=3389
add action=dst-nat chain=dstnat comment="NATASA" dst-port=58969 \
in-interface=internet-ether24 log=yes log-prefix=NATASAKREJIC-RDP \
protocol=tcp to-addresses=192.168.0.223 to-ports=3389
add action=dst-nat chain=dstnat comment=NATASAK_NOVI dst-port=58967 \
in-interface=internet-ether24 log=yes log-prefix=NATASAK_NOVI-RDP \
protocol=tcp to-addresses=192.168.0.238 to-ports=3389
add action=dst-nat chain=dstnat comment=SASA dst-port=35444 in-interface=\
internet-ether24 log=yes log-prefix=SASA-RDP protocol=tcp to-addresses=\
192.168.0.175 to-ports=3389
add action=dst-nat chain=dstnat comment=TANJA dst-port=53761 in-interface=\
internet-ether24 log=yes log-prefix=TANJA2-RDP protocol=tcp to-addresses=\
192.168.0.229 to-ports=3389
add action=dst-nat chain=dstnat comment=ZELJKO dst-port=35828 in-interface=\
internet-ether24 log=yes log-prefix=ZELJKO-RDP protocol=tcp to-addresses=\
192.168.0.169 to-ports=3389
add action=dst-nat chain=dstnat comment=SANDRA dst-port=56247 in-interface=\
internet-ether24 log=yes log-prefix=SANDRA-RDP protocol=tcp to-addresses=\
192.168.0.221 to-ports=3389
add action=dst-nat chain=dstnat comment=SANJARDP dst-port=59715 in-interface=\
internet-ether24 log=yes log-prefix=SANJA-RDP protocol=tcp to-addresses=\
192.168.0.188 to-ports=3389
add action=dst-nat chain=dstnat comment="NATASA SKRBIC" dst-port=37555 \
in-interface=internet-ether24 log=yes log-prefix=NATASASKRBIC-RDP \
protocol=tcp to-addresses=192.168.0.133 to-ports=3389
add action=dst-nat chain=dstnat comment=SEKRET dst-port=59314 in-interface=\
internet-ether24 log=yes log-prefix=SEKRET protocol=tcp to-addresses=\
192.168.0.165 to-ports=3389
add action=dst-nat chain=dstnat comment=IGOR disabled=yes dst-port=56489 \
in-interface=internet-ether24 log=yes log-prefix=IGOR-RDP protocol=tcp \
to-addresses=192.168.0.185 to-ports=3389
add action=dst-nat chain=dstnat comment=IGORL_NOVI dst-port=56487 \
in-interface=internet-ether24 log-prefix=IGOR_NOVI-RDP protocol=tcp \
to-addresses=192.168.0.192 to-ports=3389
add action=dst-nat chain=dstnat comment=VESNA dst-port=51694 in-interface=\
internet-ether24 log=yes log-prefix=VESNA-RDP protocol=tcp to-addresses=\
192.168.0.132 to-ports=3389
add action=masquerade chain=srcnat comment="default configuration" \
out-interface=internet-ether24
add action=masquerade chain=srcnat comment="masq. vpn traffic" src-address=\
192.168.89.0/24
add action=accept chain=srcnat
add action=masquerade chain=srcnat src-address=10.0.0.0/8
mkx

Re: How to block IP range when NATed?

Post by mkx »

Oh my, what a convoluted firewall.

It would be much easier if you had an explicit ultimate rule along the lines of chain=forward action=drop ... preceded by explicit allow rules.

Now, if you build a black list of addresses, it's wise to have a white list as well. So you first accept connections from whitelisted addresses, then drop attempts from blacklisted addresses and later deal with the rest. The whitelist is important if you're building the blacklist automatically ... it's fairly easy to fake source addresses only to get one of your trusted addresses onto a black list, and then you can lose access ...
If you want to do something like this for dst-nated connections, it would look something like this:


add chain=forward action=accept connection-nat-state=dstnat  connection-state=new src-address-list=WL
add chain=forward action=drop connection-nat-state=dstnat  connection-state=new src-address-list=BL

Where to place these rules? Rules get evaluated from top to bottom and the first match executes. So place the rules as high as possible, because you want to drop unwanted connections as early as possible. But not above rules which are more specific and may have a different outcome. Also keep rules which accept packets of already established connections (and related packets) at the top ... these will deal with the vast majority of packets real quick and won't waste CPU cycles by evaluating rules which won't apply.
And keep in mind that NAT-ed traffic is handled by chain=forward. For dst-nated traffic, rules will see the rewritten dst-addresses (dst-nat is done before firewall).

There's another possibility: raw rules ... so you collect addresses into BL with filter rules but drop traffic in raw (similar concepts apply, but sooner).

Regarding the convolution of FW setup: if you go ahead and upgrade ROS to latest v6 stable (6.49.x), have a look at default config. Fairly recent ROS versions come with very decent default firewall ruleset ... you should study them and rework your firewall to make it more compact and yet more secure. Quite probably you'll only have to add the dst-nat rules and a very few others.
vuleta82

Re: How to block IP range when NATed?

Post by vuleta82 »

Thx for the reply.
Oh my, what a convoluted firewall.
Yeah, I know. I inherited this issue and am trying to fix it now. :)

I get this BL WL. I will try to make it that way. src-address-list is a path from the root or from some specific dir?

But, I think this is the key part:
And keep in mind that NAT-ed traffic is handled by chain=forward. For dst-nated traffic, rules will see the rewritten dst-addresses (dst-nat is done before firewall).
Even if I make this, how will it work if dst-nat is done before the firewall? That's my main issue. Receiving to a NATed port some strange IPs, trying to get to RDP inside, which I can not filter with the firewall due to the fact you mentioned.
There's another possibility: raw rules ... so you collect addresses into BL with filter rules but drop traffic in raw (similar concepts apply, but sooner).
How does this work? What do you mean "drop traffic in raw"?

Thx in advance!
mkx

Re: How to block IP range when NATed?

Post by mkx »

vuleta82 wrote: Wed May 08, 2024 6:35 am I get this BL WL. I will try to make it that way. src-address-list is a path from the root or from some specific dir?
I'm not sure I'm getting your question. src-address-list acts similarly to src-address ... but takes name of address list as parameter. You have a feasible address list in your config already (WL, constructed in /ip firewall address-list), and you can construct other address lists similarly (static) or by using firewall filter rules (with action=add-src-to-address-list, see firewall properties list).


vuleta82 wrote: Wed May 08, 2024 6:35 am Even if I make this, how will it work if dst-ant is done before the firewall? Thats my main issue. Receiving to NATed port some strange IPs, trying to get to RDP inside, which I can not filter with firewall due to that fact you mentioned.
But you can. NAT is one stage in packet processing and it doesn't make packets skip the firewall. NAT indeed has some "matcher" properties (e.g. src-address or dst-address), but they only govern whether a connection gets NATed or not ... it does not mean that "non-matching" connections won't pass the device, it only means they will pass un-NATed if the firewall doesn't block them. So seeing properties with the same names as in firewall filters might mislead somebody into thinking that NAT does the blocking as well. However, the default firewall filter ruleset has an ultimate rule in chain=forward which essentially says "drop all packets coming in through one of the WAN interfaces that are not dstnat-ed" (which packets not matching any dst-nat rule aren't). You have a similar rule, but it is disabled.
The only difference between "simply routed" packets and "NAT-ed" packets is that "simply routed" packets enter firewall processing unaltered while DSTNAT-ed packets have headers already rewritten. Alas, with DST NAT only dst-address and dst-port get rewritten, src- counterparts remain unchanged. So firewall can act on both varieties of packets similarly (as long as the matcher part of rules inspects src-* fields).

You may want to study packet flow. It's dense, but after you get it, it's rewarding.

Note: I'm linking documents from older (wiki-style, accessible via https://wiki.mikrotik.com//wiki/) MT documentation, they apply to ROS v6. With ROS v7, some things changed and newer (confluence-style or whatever, accessible via https://help.mikrotik.com/docs/) documentation applies better.


So I'll again wholeheartedly recommend you: have a look at the contemporary default firewall configuration, understand it, and try to replace the mess you have with a simpler, yet more secure, ruleset.
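Putting together mkx's two posts above (the whitelist-before-blacklist rules for dst-natted connections, the explicit final drop, the raw-table variant, and the point that by the time a packet reaches filter its dst-address and dst-port have already been rewritten while src-address has not), here is an added example ruleset for RouterOS v6. It is not from the thread or from the posted export. It reuses the WAN interface name internet-ether24 and the list name WL from the export; the list name BL, the two example prefixes (203.0.113.0/24, 198.51.100.0/24), the 5-connections-per-minute threshold and the one-day timeout are assumptions for illustration. It also shows why the posted rule in chain=input with connection-nat-state=dstnat and dst-address=MASKED_IP can never match the RDP forwards: forwarded traffic goes through chain=forward, and its dst-address is no longer the public IP there.

```routeros
# Added example ruleset for RouterOS v6 (not from the thread). Assumptions:
# WAN interface internet-ether24 and list WL as in the posted export; list BL,
# the two TEST-NET prefixes, the 5/min threshold and the 1d timeout are invented.

/ip firewall address-list
# Trusted sources that must never be blocked, not even by the automatic BL.
add list=WL address=203.0.113.0/24 comment="office (example prefix)"
# Static blacklist entries; automatic entries land in the same list with a timeout.
add list=BL address=198.51.100.0/24 comment="known scanner (example prefix)"

/ip firewall raw
# raw/prerouting runs before connection tracking and before dst-nat, so a
# blacklisted source is dropped before it costs a conntrack entry or reaches
# filter. WL is accepted first so a spoofed entry in BL can never lock out a
# trusted address (action=accept in raw just ends raw processing).
add chain=prerouting action=accept in-interface=internet-ether24 \
    src-address-list=WL comment="never drop whitelisted sources"
add chain=prerouting action=drop in-interface=internet-ether24 \
    src-address-list=BL comment="drop blacklisted sources early"

/ip firewall filter
# Cheap rules first: the bulk of packets belongs to existing connections.
add chain=forward action=accept connection-state=established,related \
    comment="defconf: accept established,related"
add chain=forward action=drop connection-state=invalid comment="defconf: drop invalid"
# By the time a packet reaches forward, dst-nat has already rewritten
# dst-address and dst-port. src-address is untouched, so match on src-* and
# on connection-nat-state; a rule on the public IP or on the random public
# port would never match here.
add chain=forward action=accept connection-nat-state=dstnat connection-state=new \
    src-address-list=WL comment="whitelisted sources may use any forward"
add chain=forward action=drop connection-nat-state=dstnat connection-state=new \
    src-address-list=BL comment="blacklisted sources"
# RDP forwards: dst-port=3389 is the rewritten (internal) port. Up to 5 new
# connections per minute per source are accepted; anything beyond that does
# not match dst-limit, falls through, gets the source added to BL for a day
# (add-src-to-address-list is non-terminating) and is dropped. The next
# attempt from that source is then stopped in raw already.
add chain=forward action=accept connection-nat-state=dstnat connection-state=new \
    protocol=tcp dst-port=3389 dst-limit=5/1m,5,src-address/1m \
    comment="RDP forwards: max 5 new connections/min per source"
add chain=forward action=add-src-to-address-list address-list=BL \
    address-list-timeout=1d connection-nat-state=dstnat connection-state=new \
    protocol=tcp dst-port=3389 comment="excess RDP attempts: blacklist for 1d"
add chain=forward action=drop connection-nat-state=dstnat connection-state=new \
    protocol=tcp dst-port=3389 comment="drop the attempt that tripped the limit"
# Remaining forwards (e.g. the pgAdmin one) and LAN-originated traffic.
add chain=forward action=accept connection-nat-state=dstnat connection-state=new \
    comment="other dst-natted forwards"
add chain=forward action=accept in-interface=!internet-ether24 comment="LAN out"
# Explicit ultimate rule: everything not accepted above, including new
# connections from WAN that did not match any dst-nat rule, is dropped.
add chain=forward action=drop comment="drop everything else (incl. WAN not dstnat)"
```

Two things to check after applying something like this: watch the counters with /ip firewall filter print stats and /ip firewall raw print stats while a scanner is hitting a forwarded port, and confirm that the WL accept rules sit above every BL rule in both raw and filter, because a source that is in both lists must win on the whitelist.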
jaclaz
Forum Veteran
Posts: 763
Joined: Tue Oct 03, 2023 2:21 pm

Re: How to block IP range when NATed?

Post by jaclaz »

Only a "practical" suggestion, if I may (as a complete firewall rules n00b).

Add a CLEAR comment to EACH firewall filter rule you have. When you add a rule you have clear in your mind why you are adding it and what it should do. When, months later, you review the firewall rules and there is no such comment, you have to re-parse the rule and attempt to understand what it does (and you might make a mistake here) and remember or re-construct the actual reason why it was added (and here you might make another mistake/assumption).

When there are only a handful of such rules and they are simple enough it is not difficult, but if you have tens of them, it is easy to get confused when you review them at a later time.
k6ccc
Forum Guru
Posts: 1513
Joined: Thu May 12, 2016 10:01 pm
Location: Glendora, CA, USA (near Los Angeles)

Re: How to block IP range when NATed?

Post by k6ccc »

I agree with the suggestion to put comments that mean something to you for each firewall rule. Makes it far easier to remember a year down the road what you were doing.
anav
Forum Guru
Posts: 19782
Joined: Sun Feb 18, 2018 10:28 pm
Location: Nova Scotia, Canada

Re: How to block IP range when NATed?

Post by anav »

The approach is problematic (more interested in blocking traffic than in focusing on needed traffic and simply dropping all else). Your attempt to run RDP for clients is going to cause issues. First and foremost RDP is an old protocol not considered secure. It's been replaced by Citrix-type functionality in most places. Why not provide WireGuard connectivity for clients if they have to reach certain devices???

There is quite frankly a freaking mess in your NAT rules (both srcnat and dstnat).
I wouldn't touch this with a 10 foot pole, but impressed you came up with this on your own and didn't use reddit or youtube to build it.
When you're interested in simplifying, let me know.
vuleta82

Re: How to block IP range when NATed?

Post by vuleta82 »

Thanks guys for all the comments and suggestions.

Yes, this router is like your old ugly friend, you know it's there, but you pretend it's not.
I will go through all these suggestions; first I upgraded it to the latest stable version.

I wouldn't touch this with a 10 foot pole, but impressed you came up with this on your own and didn't use reddit or youtube to build it.
Yeah, I am actually too old not to use forums and ask if I don't know something :)

I will try to figure out my own something and post when I have things sorted for a quick check up.

Thx again!