Can you please check the firewall and tell me what you think of it? Is it safe, or does it still have errors?
This is what the firewall should do:
This MikroTik firewall script is designed to provide a secure and structured network environment using VLANs (Virtual LANs). VLANs are used to separate different types of devices or departments into isolated network segments — for example, VLAN_100 might be office PCs, VLAN_500 for phones, VLAN_1000 for IoT devices, and VLAN_300 for guests.
The script includes:
Filter Rules: These allow trusted traffic (like DNS, NTP, HTTPS) and block unwanted connections. They restrict access between VLANs and protect against brute-force attacks (SSH and Winbox). Only specific IPs (like 10.52.50.5) can be reached from VPN clients.
NAT Rules: These enable internet access for internal devices (masquerade) and allow port forwarding for services like VoIP (Starface), camera streams, and backup connections.
Mangle Rules: Prepared (but currently disabled) to mark VoIP traffic for potential Quality of Service (QoS) handling.
RAW Rules: These drop suspicious traffic early (e.g., fake/bogon IPs or TCP scans) before it hits the main firewall, improving performance and security.
Connection Tracking & Service Ports: Helps maintain stateful connections and disables the SIP helper to avoid VoIP issues.
In short, it’s a comprehensive, structured firewall setup suitable for segmented networks with VPN, VoIP, and secure remote access.
Code:
############################################
# CONNECTION TRACKING
############################################
/ip firewall connection tracking
set enabled=yes

############################################
# FILTER RULES
############################################
/ip firewall filter
# FastTrack for established connections
add chain=forward action=fasttrack-connection connection-state=established,related hw-offload=yes comment="FastTrack for established connections"
# Allow established connections
add chain=forward action=accept connection-state=established,related comment="Allow established connections"
# Allow router DNS, NTP, HTTPS
add chain=output action=accept dst-port=53 protocol=udp comment="Allow DNS from router"
add chain=output action=accept dst-port=123 protocol=udp comment="Allow NTP from router"
add chain=output action=accept dst-port=443 protocol=tcp comment="Allow HTTPS from router"
# Block IOT VLAN outbound traffic (disabled by default)
add chain=output action=add-dst-to-address-list address-list=output_blocked_vlan1000 address-list-timeout=1h src-address-list=VLAN_1000 log=yes log-prefix=DROP_OUTPUT_VLAN1000 disabled=yes comment="Log IOT VLAN output"
add chain=output action=drop src-address-list=VLAN_1000 log=yes log-prefix=DROP_OUTPUT_VLAN1000 disabled=yes comment="Block IOT VLAN output"
# Block VLAN500 outbound traffic (disabled by default)
add chain=output action=add-dst-to-address-list address-list=output_blocked_vlan500 address-list-timeout=1h src-address-list=VLAN_500 log=yes log-prefix=DROP_OUTPUT_VLAN500 disabled=yes comment="Log VLAN500 output"
add chain=output action=drop src-address-list=VLAN_500 log=yes log-prefix=DROP_OUTPUT_VLAN500 disabled=yes comment="Block VLAN500 output"
# INPUT chain: allow essential services
add chain=input action=accept connection-state=established,related comment="Allow established connections to router"
add chain=input action=accept protocol=icmp src-address-list=local comment="Allow ping from local"
add chain=input action=accept dst-port=53 protocol=udp src-address-list=local comment="Allow DNS from local"
add chain=input action=accept dst-port=2222 protocol=tcp src-address-list=mgmt comment="Allow SSH from mgmt"
add chain=input action=accept dst-port=2222 protocol=tcp src-address-list=remote comment="Allow SSH from VPN"
# SSH brute force protection
add chain=input action=add-src-to-address-list address-list=ssh_stage1 address-list-timeout=5m connection-state=new dst-port=2222 protocol=tcp comment="SSH attempt stage 1"
add chain=input action=add-src-to-address-list address-list=ssh_stage2 address-list-timeout=15m connection-state=new dst-port=2222 protocol=tcp src-address-list=ssh_stage1 comment="SSH attempt stage 2"
add chain=input action=add-src-to-address-list address-list=ssh_stage3 address-list-timeout=1d connection-state=new dst-port=2222 protocol=tcp src-address-list=ssh_stage2 comment="SSH attempt stage 3"
add chain=input action=drop dst-port=2222 protocol=tcp src-address-list=ssh_stage3 comment="Block SSH after multiple attempts"
# Winbox brute force protection
add chain=input action=add-src-to-address-list address-list=winbox_stage1 address-list-timeout=5m connection-state=new dst-port=8291 protocol=tcp comment="Winbox attempt stage 1"
add chain=input action=add-src-to-address-list address-list=winbox_stage2 address-list-timeout=15m connection-state=new dst-port=8291 protocol=tcp src-address-list=winbox_stage1 comment="Winbox attempt stage 2"
add chain=input action=add-src-to-address-list address-list=winbox_stage3 address-list-timeout=1d connection-state=new dst-port=8291 protocol=tcp src-address-list=winbox_stage2 comment="Winbox attempt stage 3"
add chain=input action=drop dst-port=8291 protocol=tcp src-address-list=winbox_stage3 comment="Block Winbox after multiple attempts"
add chain=input action=accept dst-port=8291 protocol=tcp src-address-list=winbox_allowed comment="Allow Winbox from allowed list"
# WireGuard and SNMP
add chain=input action=accept dst-port=50001,$port_wireguard2 protocol=udp in-interface-list=WAN comment="Allow WireGuard VPN"
add chain=input action=accept dst-port=161 protocol=udp src-address-list=local comment="Allow SNMP"
# Drop invalid and all else
add chain=input action=drop connection-state=invalid comment="Drop invalid connections"
add chain=input action=drop comment="Drop all other input"
# FORWARDING rules between VLANs and Internet
add chain=forward action=accept out-interface-list=WAN src-address-list=VLAN_500 comment="VLAN_500 full internet"
add chain=forward action=accept out-interface-list=WAN src-address-list=VLAN_1000 comment="VLAN_1000 full internet"
add chain=forward action=accept out-interface-list=WAN src-address-list=VLAN_100 comment="VLAN_100 full internet"
add chain=forward action=accept dst-address-list=VLAN_100 src-address-list=VLAN_500 comment="VLAN500 to VLAN100"
add chain=forward action=accept dst-address-list=VLAN_1000 src-address-list=VLAN_500 comment="VLAN500 to VLAN1000"
add chain=forward action=accept dst-address-list=VLAN_500 src-address-list=VLAN_100 comment="VLAN100 to VLAN500"
add chain=forward action=accept dst-address-list=VLAN_1000 src-address-list=VLAN_100 comment="VLAN100 to VLAN1000"
# Block Guest, IOT and cross VLANs
add chain=forward action=drop protocol=tcp dst-port=!80,443 src-address-list=Guest out-interface-list=WAN log=yes log-prefix=DROP_Guest comment="Guest only HTTP/HTTPS"
add chain=forward action=drop src-address-list=IOT dst-address-list=Company log=yes log-prefix=DROP_IOT_Company comment="IOT to Company blocked"
add chain=forward action=drop src-address-list=Company dst-address-list=IOT log=yes log-prefix=DROP_Company_IOT comment="Company to IOT blocked"
# VPN to VLAN communication
add chain=forward action=accept src-address-list=remote dst-address-list=VLAN_100 comment="VPN to VLAN_100"
add chain=forward action=accept src-address-list=remote dst-address-list=VLAN_500 comment="VPN to VLAN_500"
add chain=forward action=accept src-address-list=remote dst-address-list=VLAN_1000 comment="VPN to VLAN_1000"
add chain=forward action=drop src-address-list=remote dst-address-list=!VLAN_100 log=yes log-prefix=DROP_VPN_TO_OTHER comment="VPN to other VLANs blocked"
add chain=forward action=drop src-address-list=!VLAN_100 dst-address-list=remote log=yes log-prefix=DROP_OTHER_TO_VPN comment="Other VLANs to VPN blocked"
add chain=forward action=drop connection-state=invalid comment="Drop invalid forwards"
add chain=forward action=drop log=yes log-prefix=DROP_FORWARD comment="Drop all other forward traffic"

############################################
# NAT RULES
############################################
/ip firewall nat
add chain=dstnat action=dst-nat protocol=tcp dst-port=5222 to-addresses=10.50.50.5 to-ports=5222 comment="Telephone XMPP"
add chain=dstnat action=dst-nat protocol=tcp dst-port=5061 to-addresses=10.50.50.5 to-ports=5061 comment="Telephone TLS"
add chain=dstnat action=dst-nat protocol=udp dst-port=5060 to-addresses=10.50.50.5 to-ports=5060 comment="Telephone SIP UDP"
add chain=dstnat action=dst-nat protocol=tcp dst-port=5060 to-addresses=10.50.50.5 to-ports=5060 comment="Telephone SIP TCP"
add chain=dstnat action=dst-nat protocol=udp dst-port=10000-20000 to-addresses=10.50.50.5 to-ports=10000-20000 comment="Telephone RTP"
add chain=dstnat action=dst-nat protocol=tcp dst-port=6003 to-addresses=172.16.20.50 to-ports=6003 comment="Camera Access"
add chain=dstnat action=dst-nat protocol=tcp dst-port=443 to-addresses=192.168.250.253 to-ports=443 comment="PFsense Access"
add chain=srcnat action=masquerade out-interface=pppoe comment="Masquerade outgoing on WAN"

############################################
# RAW RULES
############################################
/ip firewall raw
add action=accept chain=prerouting comment="Allow Roadwarrior VPN" src-address=10.45.50.0/24
add action=accept chain=prerouting comment="Allow Site-to-Site VPN" src-address=$net_sitevpn
add action=drop chain=prerouting comment="Drop bogon source IPs" src-address-list=bogons
add action=drop chain=prerouting comment="Drop bogon destination IPs" dst-address-list=bogons
add action=drop chain=prerouting comment="Drop bad source IPs" src-address-list=bad_src_ipv4
add action=drop chain=prerouting comment="Drop bad destination IPs" dst-address-list=bad_dst_ipv4
add action=jump chain=prerouting comment="Jump to ICMP chain" jump-target=icmp4 protocol=icmp
add action=jump chain=prerouting comment="Jump to TCP scan detection" jump-target=bad_tcp protocol=tcp
add chain=icmp4 action=accept protocol=icmp icmp-options=8:0 limit=5,10:packet comment="Allow Echo Request"
add chain=icmp4 action=accept protocol=icmp icmp-options=0:0 limit=5,10:packet comment="Allow Echo Reply"
add chain=icmp4 action=drop protocol=icmp comment="Drop other ICMP"
add chain=bad_tcp action=drop protocol=tcp tcp-flags=fin,syn comment="Drop FIN,SYN scan"
add chain=bad_tcp action=drop protocol=tcp tcp-flags=fin,rst comment="Drop FIN,RST scan"
add chain=bad_tcp action=drop protocol=tcp tcp-flags=syn,rst comment="Drop SYN,RST scan"

############################################
# DISABLE UNNEEDED SERVICE PORTS
############################################
/ip firewall service-port
set sip disabled=yes
Posted by dima1002 — Sat May 31, 2025 9:20 pm
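An added review aid, not part of the post above and not a MikroTik tool: a small Python linter that parses RouterOS `add key=value ...` firewall lines and reports (a) enabled rules placed after a catch-all drop/accept/reject in the same chain, which can never be evaluated, and (b) address lists matched via src/dst-address-list that the script itself never populates, so they must exist elsewhere on the router or the rule silently matches nothing. The embedded sample is a constructed excerpt modelled on the post's rules, with one deliberately unreachable rule.

```python
import shlex

# Keys that do not narrow which packets a rule matches (action, logging, targets).
NON_MATCH_KEYS = {"chain", "action", "comment", "log", "log-prefix", "disabled", "hw-offload",
                  "address-list", "address-list-timeout", "jump-target", "to-addresses", "to-ports"}
TERMINATING = {"drop", "accept", "reject"}

# Constructed excerpt modelled on the post's rules; the "Allow SNMP" rule is deliberately unreachable.
SAMPLE = """\
/ip firewall filter
add chain=input action=accept connection-state=established,related comment="Allow established"
add chain=input action=add-src-to-address-list address-list=ssh_stage1 address-list-timeout=5m connection-state=new dst-port=2222 protocol=tcp comment="SSH attempt stage 1"
add chain=input action=drop dst-port=2222 protocol=tcp src-address-list=ssh_stage3 comment="Block SSH"
add chain=input action=drop comment="Drop all other input"
add chain=input action=accept dst-port=161 protocol=udp src-address-list=local comment="Allow SNMP"
add chain=forward action=drop src-address-list=remote dst-address-list=!VLAN_100 log=yes log-prefix=DROP_VPN comment="VPN to other VLANs blocked"
"""

def parse_rules(script):
    """Turn each 'add key=value ...' line into a dict; section headers and other lines are skipped."""
    rules = []
    for line in script.splitlines():
        line = line.strip()
        if not line.startswith("add "):
            continue
        rule = {}
        for token in shlex.split(line)[1:]:  # shlex keeps a quoted comment as one token
            key, _, value = token.partition("=")
            rule[key] = value
        rules.append(rule)
    return rules

def unreachable_rules(rules):
    """Comments of enabled rules that follow a catch-all drop/accept/reject in the same chain."""
    closed, findings = set(), []
    for r in rules:
        if r.get("disabled") == "yes":
            continue
        chain = r.get("chain", "")
        if chain in closed:
            findings.append(r.get("comment", repr(r)))
        elif not (set(r) - NON_MATCH_KEYS) and r.get("action") in TERMINATING:
            closed.add(chain)  # no later rule in this chain can ever be evaluated
    return findings

def undefined_address_lists(rules):
    """Lists matched via src/dst-address-list that this script never populates itself."""
    defined = {r[k] for r in rules for k in ("address-list", "list") if k in r}
    used = {r[k].lstrip("!") for r in rules for k in ("src-address-list", "dst-address-list") if k in r}
    return sorted(used - defined)
```

Run it over a full `/ip firewall export` to get the same two reports for the whole script; lists reported by `undefined_address_lists` are not necessarily wrong, only defined outside the exported section.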