Geekzone: technology news, blogs, forums
skewt
#214643 22-May-2017 16:01

Is the default config for a MikroTik now okay to use out of the box?

I recently updated mine to 6.39.1 and the only rule I had to add myself was to block ICMP/ping from the WAN.

GRC ShieldsUp is reporting 100% Passed.

Connecting via BigPipe (IPoE).

Are there other rules and settings I should be using?

sbiddle
#1786129 22-May-2017 18:35

The default is fine. I use that along with allowing ICMP and have additional rules to detect and block ICMP flood and SYN flood.

chevrolux
#1786170 22-May-2017 19:55

The biggest thing for us in NZ is the fact that the majority of ISPs require PPPoE, and people don't update the rules after making the interface change, then within about half an hour wonder why their router is getting smashed.

As Steve mentioned, adding SYN flood and port scanner detection is a good addition too. I find the IPs that the port scanner rule picks up quite interesting.


Aaroona
#1786799 23-May-2017 14:58

I know there are many different opinions - but can someone please explain to me the benefit of blocking ICMP ping on the WAN interface?
My understanding is that one of the down sides to blocking it is that Path MTU Discovery doesn't work.

DonGould
#1787068 23-May-2017 20:59

chevrolux:

The biggest thing for us in NZ is the fact that the majority of ISPs require PPPoE, and people don't update the rules after making the interface change, then within about half an hour wonder why their router is getting smashed.

As Steve mentioned, adding SYN flood and port scanner detection is a good addition too. I find the IPs that the port scanner rule picks up quite interesting.

Can you post an export?

chevrolux
#1787127 23-May-2017 22:20

/ip firewall filter
add chain=input comment="Input. Allow all ICMP" in-interface=pppoe-wan \
protocol=icmp
add chain=input comment="Input. Allow established/related" connection-state=\
established,related in-interface=pppoe-wan
add chain=input comment="Allow known hosts." in-interface=pppoe-wan \
src-address-list=safe-hosts
add action=add-src-to-address-list address-list=port-scanners \
address-list-timeout=1w chain=input comment="Identify port scanners" \
in-interface=pppoe-wan protocol=tcp psd=21,3s,3,1
add action=add-src-to-address-list address-list=syn-flooders \
address-list-timeout=30m chain=input comment="SYN flood detector" \
connection-limit=30,32 in-interface=pppoe-wan protocol=tcp tcp-flags=syn
add action=drop chain=input comment="Drop port scanners" in-interface=\
pppoe-wan src-address-list=port-scanners
add action=drop chain=input comment="Drop SYN flooders" in-interface=\
pppoe-wan src-address-list=syn-flooders
add action=drop chain=input comment="Input. Drop All." in-interface=pppoe-wan
add chain=forward comment="Forward. Allow established/related." \
connection-state=established,related
add action=drop chain=forward comment="Forward. Drop Invalid" \
connection-state=invalid
add action=drop chain=forward comment="Drop all not dstnat'd" \
connection-nat-state=!dstnat connection-state=new in-interface=pppoe-wan

Edit: I use "pppoe-wan" for my WAN interface, so obviously substitute whatever your WAN interface is.
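The interface-rename pitfall chevrolux describes earlier in the thread (rules still bound to the old WAN interface after a PPPoE/IPoE change) can be caught mechanically. The following is an added example, not code from the thread or from MikroTik: a small Python linter that parses a RouterOS /ip firewall filter export in the backslash-wrapped form shown above and reports every rule bound to an interface other than the one actually carrying the WAN, plus an input chain that has no catch-all drop for it. The trimmed sample export, the interface name ether1 for the IPoE case, and the set of keys treated as non-matchers are assumptions.

```python
"""Lint a RouterOS '/ip firewall filter' export for stale WAN interface names.

Added example for this thread, not code from the thread or from MikroTik.
It assumes an export in the form RouterOS prints (one 'add ...' per rule,
long lines wrapped with a trailing backslash) and a known WAN interface
name, and flags two things: rules still bound to a different interface
(the PPPoE/IPoE switch pitfall) and an input chain with no catch-all drop.
"""
import re
import shlex

# Constructed sample: a trimmed copy of the export posted in the thread, in
# the wrapped form RouterOS prints. Every rule is bound to "pppoe-wan".
SAMPLE_EXPORT = r"""/ip firewall filter
add chain=input comment="Allow all ICMP" in-interface=pppoe-wan \
    protocol=icmp
add chain=input comment="Allow established/related" connection-state=\
    established,related in-interface=pppoe-wan
add action=add-src-to-address-list address-list=port-scanners \
    address-list-timeout=1w chain=input comment="Identify port scanners" \
    in-interface=pppoe-wan protocol=tcp psd=21,3s,3,1
add action=drop chain=input comment="Drop port scanners" in-interface=\
    pppoe-wan src-address-list=port-scanners
add action=drop chain=input comment="Drop all" in-interface=pppoe-wan
add chain=forward comment="Allow established/related" \
    connection-state=established,related
add action=drop chain=forward comment="Drop all not dstnat'd" \
    connection-nat-state=!dstnat connection-state=new in-interface=pppoe-wan
"""

# Keys that do not narrow what a rule matches (assumption: anything not listed
# here is treated as a matcher, so a drop with only these keys is a catch-all).
NON_MATCH_KEYS = {"chain", "action", "comment", "in-interface", "disabled",
                  "address-list", "address-list-timeout", "log", "log-prefix"}


def parse_export(text):
    """Parse export text into a list of {key: value} dicts, one per 'add' rule."""
    joined = re.sub(r"\\\n\s*", "", text)  # join backslash-wrapped lines
    rules = []
    for line in joined.splitlines():
        line = line.strip()
        if not line.startswith("add "):
            continue
        rule = {}
        for token in shlex.split(line[4:]):  # shlex handles comment="..." quoting
            key, _, value = token.partition("=")
            rule[key] = value
        rules.append(rule)
    return rules


def lint(rules, wan):
    """Return findings for rules that assume the WAN interface is named `wan`."""
    findings = []
    for rule in rules:
        iface = rule.get("in-interface")
        if iface and iface != wan:
            findings.append(
                f"{rule['chain']} rule '{rule.get('comment', '')}': "
                f"bound to in-interface={iface}, but the WAN interface is {wan}")
    # A drop on the input chain for the WAN interface with no further matchers
    # is the catch-all that makes every unlisted service unreachable.
    has_catch_all = any(
        rule.get("chain") == "input" and rule.get("action") == "drop"
        and rule.get("in-interface") == wan
        and not (set(rule) - NON_MATCH_KEYS)
        for rule in rules)
    if not has_catch_all:
        findings.append(f"input chain has no catch-all drop for in-interface={wan}")
    return findings


if __name__ == "__main__":
    parsed = parse_export(SAMPLE_EXPORT)
    # "ether1" stands in for the interface an IPoE connection would use (assumed).
    for wan_name in ("pppoe-wan", "ether1"):
        print(f"WAN={wan_name}:")
        for finding in lint(parsed, wan_name) or ["OK"]:
            print("  " + finding)
```

Run it after switching from PPPoE to IPoE with the real interface name substituted for ether1; each reported rule is one that has silently stopped matching, and the missing catch-all is exactly the condition that leaves the router open.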


fe31nz
#1787131 23-May-2017 22:27

Aaroona:

I know there are many different opinions - but can someone please explain to me the benefit of blocking ICMP ping on the WAN interface?
My understanding is that one of the down sides to blocking it is that Path MTU Discovery doesn't work.

Path MTU discovery uses ICMP packets, but not ICMP ping packets. If you block just the ICMP ping packets, it is unaffected. If you block all ICMP packets, then Path MTU Discovery stops working, and also several other subtle things, so it is not recommended to do that. Blocking ICMP ping packets is entirely up to you - I cannot think of anything that is damaged by doing that. I prefer to leave pings enabled myself, as there are times when I need to ping my router from my phone to see if the data networking on the phone is working properly.

For IPv6, ICMPv6 is required for the protocol to work, and there is an RFC that tells you what ICMPv6 packets you should be allowing:

http://www.ietf.org/rfc/rfc4890.txt

Unfortunately, for IPv4 there is no such straightforward set of recommendations and requirements available. I tend to have my routers allow rather than drop ICMP packets. If I find a problem, I can then drop the problem packets if I need to, but I do not then wind up with strange problems caused by the lack of certain ICMP packets.

chevrolux
#1787173 23-May-2017 23:56

We leave ICMP open purely because we use it for basic diagnostics for connection uptime/stability.

By no means a perfect method, but it can be a damn handy quick way to check stuff.

skewt
#1787294 24-May-2017 09:58

Thanks for all that,

Will have to add that filter to my setup.

Changing my BigPipe to connect with IPoE instead of PPPoE has made the setup so much easier after resetting my config.


MadEngineer
#1787772 24-May-2017 20:25

If you're not port-forwarding or accepting services to your router from the world (e.g. VPN) there's no need for complicated port-scanner detections or address-list compilations (i.e. poor man's fail2ban), as everything will be blocked anyway under the default config. It's only useful maybe if you're curious or if there's a risk that someone may detect an active port forward and start abusing it. That has the presumption that they will port scan before trying said open ports in the first place.

Also, instead of blindly accepting ICMP, use the following:

/ip firewall filter
add chain=input protocol=icmp limit=50/5s,2 comment="Allow limited pings"
add chain=input protocol=icmp action=drop comment="Drop excess pings"




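As an added example (not from the thread or from MikroTik), the scoring behind chevrolux's psd=21,3s,3,1 rule can be replayed in Python over a constructed SYN log to see which sources would land on the port-scanners address list and which would not. The four parameters are read as the RouterOS documentation describes them: WeightThreshold, DelayThreshold, LowPortWeight for privileged destination ports and HighPortWeight for the rest. The <=1024 privileged boundary, the windowing (a new port within the delay extends the sequence, a longer gap starts a fresh one) and the sample addresses are assumptions; the exact kernel matcher is not on this page. The run also illustrates MadEngineer's caveat in a different direction: a scanner that spaces its probes beyond the delay threshold never reaches the weight, so the rule only catches the noisy ones.

```python
"""Replay the scoring behind RouterOS `psd=21,3s,3,1` over sample SYNs.

Added example, not code from the thread or from MikroTik. The four psd
parameters are taken as WeightThreshold, DelayThreshold, LowPortWeight
(privileged destination ports) and HighPortWeight (everything else). The
windowing used here (a new destination port within the delay extends the
sequence, a longer gap starts over) and the port boundary are assumptions.
"""

PRIVILEGED_PORT_MAX = 1024  # assumption: destination ports <= 1024 get LowPortWeight

# Constructed sample: (seconds, source IP, TCP destination port) for new SYNs
# arriving on the WAN interface. Documentation-range addresses only.
SAMPLE_SYNS = [
    # fast scanner: eight privileged ports in under two seconds
    (0.0, "203.0.113.7", 21), (0.2, "203.0.113.7", 22), (0.4, "203.0.113.7", 23),
    (0.6, "203.0.113.7", 25), (0.8, "203.0.113.7", 80), (1.0, "203.0.113.7", 110),
    (1.2, "203.0.113.7", 143), (1.4, "203.0.113.7", 443),
    # legitimate client: repeated hits on 443 and a single high port
    (0.5, "198.51.100.9", 443), (0.9, "198.51.100.9", 443), (1.1, "198.51.100.9", 8443),
    # slow scanner: every gap exceeds the 3 s delay threshold, so no sequence builds
    (0.0, "192.0.2.55", 22), (10.0, "192.0.2.55", 80), (20.0, "192.0.2.55", 443),
    (30.0, "192.0.2.55", 3389),
]


def detect_port_scanners(events, weight_threshold=21, delay=3.0,
                         low_weight=3, high_weight=1):
    """Return {src: timestamp} for sources whose weighted sequence of distinct
    destination ports reaches weight_threshold; defaults mirror psd=21,3s,3,1."""
    state = {}    # src -> (last_seen, ports_in_sequence, accumulated_weight)
    flagged = {}  # src -> time it would be added to the address list
    for ts, src, port in sorted(events):
        if src in flagged:          # already listed; the drop rule handles it now
            continue
        last, ports, weight = state.get(src, (ts, set(), 0))
        if ts - last > delay:       # gap too long: the sequence starts over
            ports, weight = set(), 0
        if port not in ports:       # repeats of the same port add no weight
            ports.add(port)
            weight += low_weight if port <= PRIVILEGED_PORT_MAX else high_weight
        state[src] = (ts, ports, weight)
        if weight >= weight_threshold:
            flagged[src] = ts
    return flagged


if __name__ == "__main__":
    for src, ts in detect_port_scanners(SAMPLE_SYNS).items():
        print(f"{src} would be added to port-scanners at t={ts}s")
    # Loosening the delay lets the slow scanner accumulate weight too.
    print(detect_port_scanners(SAMPLE_SYNS, delay=15.0, weight_threshold=9))
```

With the thread's parameters only 203.0.113.7 is listed (seven privileged ports at weight 3 each reach 21); the client hammering 443 stays at weight 4 because repeated ports do not count, and the slow scanner resets on every probe. Raising the delay or lowering the threshold changes that, which is the trade-off to keep in mind before tightening the rule.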