Firewall и NAT правила

Раздел для тех, кто начинает знакомиться с MikroTik
Правила форума
Как правильно оформить вопрос.
Прежде чем начать настройку роутера, представьте, как это работает. Попробуйте почитать статьи об устройстве интернет-сетей. Убедитесь, что всё, что Вы задумали выполнимо вообще и на данном оборудовании в частности.
Не нужно изначально строить Наполеоновских планов. Попробуйте настроить простейшую конфигурацию, а усложнения добавлять в случае успеха постепенно.
Пожалуйста, не игнорируйте правила русского языка. Отсутствие знаков препинания и неграмотность автора топика для многих гуру достаточный повод проигнорировать топик вообще.

1. Назовите технологию подключения (динамический DHCP, L2TP, PPTP или что-то иное)
2. Изучите темку "Действия до настройки роутера".
viewtopic.php?f=15&t=2083
3. Настройте согласно выбранного Вами мануала
4. Дочитайте мануал до конца и без пропусков, в 70% случаев люди просто не до конца читают статью и пропускают важные моменты.
5. Если не получается, в Winbox открываем терминал и вбиваем там /export hide-sensitive. Результат в топик под кат, интимные подробности типа личных IP изменить на другие, пароль забить звездочками.
6. Нарисуйте Вашу сеть, рисунок (схему) сюда. На словах может быть одно, в действительности другое.
Ответить
CTAKAHbI4
Сообщения: 1
Зарегистрирован: 18 авг 2017, 14:00

Доброго времени суток! Решил заняться более детальным изучением фаерволла в RouterOS. Имеется домашний микротик, на котором я периодически ставлю эксперименты. Проброшен RDP порт на домашний комп и в данный момент хочу озадачиться логом подключений к нему. Создаю правило, вроде бы всё просто, но в логах пусто. Такое впечатление, что если порт проброшен через NAT то все правила раздела Firewall просто игнорируются... Прошу поправить меня, если я ошибаюсь.
 Конфиг роутера
# nov/29/2018 14:18:46 by RouterOS 6.43.2
# software id = 4J9B-60DN
#
# model = 750
# serial number = 3B0202CA990F
/interface bridge
add admin-mac=D4:CA:6D:D8:98:37 arp=proxy-arp auto-mac=no fast-forward=no mtu=\
1500 name=bridge1 protocol-mode=none
add arp=proxy-arp fast-forward=no name=bridge_vpn
/interface ethernet
set [ find default-name=ether1 ] advertise=\
10M-half,10M-full,100M-half,100M-full,1000M-half,1000M-full comment=WAN \
rx-flow-control=auto tx-flow-control=auto
set [ find default-name=ether2 ] advertise=\
10M-half,10M-full,100M-half,100M-full,1000M-half,1000M-full comment=LAN
set [ find default-name=ether3 ] advertise=\
10M-half,10M-full,100M-half,100M-full,1000M-half,1000M-full
set [ find default-name=ether4 ] advertise=\
10M-half,10M-full,100M-half,100M-full,1000M-half,1000M-full
set [ find default-name=ether5 ] advertise=\
10M-half,10M-full,100M-half,100M-full,1000M-half,1000M-full
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip ipsec proposal
set [ find default=yes ] enc-algorithms=3des
/ip pool
add name=dhcp_pool0 ranges=192.168.0.101-192.168.0.200
add name=VPN ranges=192.168.0.71-192.168.0.100
add name=VPN_Public ranges=192.168.88.101-192.168.88.200
/ip dhcp-server
add address-pool=dhcp_pool0 authoritative=after-2sec-delay disabled=no \
interface=bridge1 lease-time=1d name=dhcp1
/ppp profile
add bridge=bridge1 change-tcp-mss=yes local-address=192.168.0.1 name="Test VPN" \
only-one=yes remote-address=VPN use-compression=no use-encryption=yes \
use-mpls=no use-upnp=yes
add bridge=bridge_vpn change-tcp-mss=yes local-address=192.168.88.1 name=public \
remote-address=VPN_Public use-compression=yes use-encryption=yes use-upnp=\
yes
/system logging action
set 0 memory-lines=100
set 1 disk-lines-per-file=100
/interface bridge port
add bridge=bridge1 interface=ether2
add bridge=bridge1 interface=ether3
add bridge=bridge1 interface=ether4
add bridge=bridge1 interface=ether5
/interface l2tp-server server
set authentication=mschap1,mschap2 default-profile="Test VPN" enabled=yes
/ip address
add address=192.168.0.1/24 interface=bridge1 network=192.168.0.0
add address=192.168.88.1/24 interface=bridge_vpn network=192.168.88.0
/ip dhcp-client
add dhcp-options=hostname,clientid disabled=no interface=ether1
/ip dhcp-server lease
add address=192.168.0.21 comment=NAS mac-address=78:54:2E:28:DA:E7 server=dhcp1
add address=192.168.0.14 comment="\CC\EE\E9 \EA\EE\EC\EF" mac-address=\
BC:5F:F4:BC:D3:4F server=dhcp1
add address=192.168.0.20 comment="\CC\D4\D3 Samsung 4833FD" mac-address=\
00:15:99:B2:BA:1F server=dhcp1
add address=192.168.0.32 client-id=1:a0:88:b4:b8:6e:a4 mac-address=\
A0:88:B4:B8:6E:A4 server=dhcp1
add address=192.168.0.31 client-id=1:b8:70:f4:dd:70:cd comment=\
"\CD\EE\F3\F2 \D8\F3\F0\E8\EA\E0" mac-address=B8:70:F4:DD:70:CD server=\
dhcp1
add address=192.168.0.33 client-id=1:0:11:2f:b0:9f:fe comment=\
"\F2\B8\F2\FF \CB\E0\F0\E8\F1\E0" mac-address=00:11:2F:B0:9F:FE server=\
dhcp1
add address=192.168.0.30 client-id=1:74:e5:b:f0:ee:fa comment=\
"\CD\EE\F3\F2 \CB\B8\F5\E8" mac-address=74:E5:0B:F0:EE:FA server=dhcp1
add address=192.168.0.43 client-id=1:a8:26:d9:d2:4f:9f mac-address=\
A8:26:D9:D2:4F:9F server=dhcp1
add address=192.168.0.41 always-broadcast=yes client-id=1:14:6b:72:5b:7e:2a \
comment="Highscreen Easy L Pro" mac-address=14:6B:72:5B:7E:2A server=dhcp1
add address=192.168.0.42 comment="Lenovo P780" mac-address=AC:38:70:7C:0B:4D \
server=dhcp1
add address=192.168.0.44 mac-address=1C:CB:99:0B:F5:C0 server=dhcp1
add address=192.168.0.45 client-id=1:5c:f8:a1:3f:29:11 mac-address=\
5C:F8:A1:3F:29:11 server=dhcp1
add address=192.168.0.51 client-id=1:8:0:27:2d:8d:1 comment=\
"Don't Starve Together Server VM" mac-address=08:00:27:2D:8D:01 server=\
dhcp1
add address=192.168.0.52 client-id=1:8:0:27:26:1e:9f comment="WoW Server VM" \
mac-address=08:00:27:26:1E:9F server=dhcp1
add address=192.168.0.34 client-id=1:74:e5:43:5b:75:9d comment=\
"\CF\CA \CB\B8\F5\E8 \C3\E5\F1\EA\E8\ED\E0" mac-address=74:E5:43:5B:75:9D \
server=dhcp1
add address=192.168.0.53 client-id=1:8:0:27:f0:a4:b6 comment="DayZ Server VM" \
mac-address=08:00:27:F0:A4:B6 server=dhcp1
add address=192.168.0.54 always-broadcast=yes client-id=1:8:0:27:72:57:1f \
comment="NetXMS VM" mac-address=08:00:27:72:57:1F server=dhcp1
add address=192.168.0.55 client-id=1:8:0:27:4a:56:a6 comment="FreeNAS VM" \
mac-address=08:00:27:4A:56:A6 server=dhcp1
add address=192.168.0.46 mac-address=60:FE:1E:9C:D4:43 server=dhcp1
add address=192.168.0.56 always-broadcast=yes comment="Stationeers VM" \
mac-address=08:00:27:A7:59:39 server=dhcp1
add address=192.168.0.15 client-id=1:a0:af:bd:c0:30:c8 comment=\
"\CC\EE\E9 \ED\EE\F3\F2 (Wi-Fi)" mac-address=A0:AF:BD:C0:30:C8 server=dhcp1
add address=192.168.0.16 client-id=1:98:29:a6:39:ba:19 comment=\
"\CC\EE\E9 \ED\EE\F3\F2 (\EA\E0\E1\E5\EB\FC)" mac-address=98:29:A6:39:BA:19 \
server=dhcp1
add address=192.168.0.17 client-id=1:74:e5:43:7e:88:be comment=\
"ASUS EE-PC Wi-Fi" mac-address=74:E5:43:7E:88:BE server=dhcp1
/ip dhcp-server network
add address=192.168.0.0/24 dns-server=192.168.0.1,8.8.8.8,8.8.4.4 gateway=\
192.168.0.1
/ip dns
set servers=8.8.8.8,94.19.255.2,93.100.1.2,8.8.4.4
/ip dns static
add address=159.148.172.226 name=upgrade.mikrotik.com
/ip firewall address-list
add address=111.221.29.177 list=Microsoft
add address=111.221.29.253 list=Microsoft
add address=131.253.40.37 list=Microsoft
add address=134.170.30.202 list=Microsoft
add address=134.170.115.60 list=Microsoft
add address=134.170.165.248 list=Microsoft
add address=134.170.165.253 list=Microsoft
add address=134.170.185.70 list=Microsoft
add address=137.116.81.24 list=Microsoft
add address=137.117.235.16 list=Microsoft
add address=157.55.129.21 list=Microsoft
add address=157.55.133.204 list=Microsoft
add address=157.56.121.89 list=Microsoft
add address=157.56.91.77 list=Microsoft
add address=168.63.108.233 list=Microsoft
add address=191.232.139.254 list=Microsoft
add address=191.232.80.58 list=Microsoft
add address=191.232.80.62 list=Microsoft
add address=191.237.208.126 list=Microsoft
add address=204.79.197.200 list=Microsoft
add address=207.46.101.29 list=Microsoft
add address=207.46.114.58 list=Microsoft
add address=207.46.223.94 list=Microsoft
add address=207.68.166.254 list=Microsoft
add address=212.30.134.204 list=Microsoft
add address=212.30.134.205 list=Microsoft
add address=23.102.21.4 list=Microsoft
add address=23.99.10.11 list=Microsoft
add address=23.218.212.69 list=Microsoft
add address=64.4.54.22 list=Microsoft
add address=64.4.54.32 list=Microsoft
add address=64.4.6.100 list=Microsoft
add address=65.39.117.230 list=Microsoft
add address=65.52.100.11 list=Microsoft
add address=65.52.100.7 list=Microsoft
add address=65.52.100.9 list=Microsoft
add address=65.52.100.91 list=Microsoft
add address=65.52.100.92 list=Microsoft
add address=65.52.100.93 list=Microsoft
add address=65.52.100.94 list=Microsoft
add address=65.52.108.29 list=Microsoft
add address=65.55.108.23 list=Microsoft
add address=65.55.138.114 list=Microsoft
add address=65.55.138.126 list=Microsoft
add address=65.55.138.186 list=Microsoft
add address=65.55.252.63 list=Microsoft
add address=65.55.252.71 list=Microsoft
add address=65.55.252.92 list=Microsoft
add address=65.55.252.93 list=Microsoft
add address=65.55.29.238 list=Microsoft
add address=65.55.39.10 list=Microsoft
add address=191.232.139.2 list=Microsoft
add address=64.4.23.0/24 list=Microsoft
add address=111.221.64.0/18 list=Microsoft
add address=157.55.235.0/24 list=Microsoft
add address=157.55.56.0/24 list=Microsoft
add address=157.55.52.0/24 list=Microsoft
add address=157.55.130.0/24 list=Microsoft
add address=65.55.223.0/24 list=Microsoft
add address=213.199.179.0/24 list=Microsoft
add address=195.138.255.0/24 list=Microsoft
add address=vortex.data.microsoft.com list=Microsoft
add address=vortex-win.data.microsoft.com list=Microsoft
add address=telecommand.telemetry.microsoft.com list=Microsoft
add address=telecommand.telemetry.microsoft.com.nsatc.net list=Microsoft
add address=oca.telemetry.microsoft.com list=Microsoft
add address=sqm.telemetry.microsoft.com list=Microsoft
add address=sqm.telemetry.microsoft.com.nsatc.net list=Microsoft
add address=watson.telemetry.microsoft.com list=Microsoft
add address=watson.telemetry.microsoft.com.nsatc.net list=Microsoft
add address=redir.metaservices.microsoft.com list=Microsoft
add address=choice.microsoft.com list=Microsoft
add address=choice.microsoft.com.nsatc.net list=Microsoft
add address=wes.df.telemetry.microsoft.com list=Microsoft
add address=services.wes.df.telemetry.microsoft.com list=Microsoft
add address=sqm.df.telemetry.microsoft.com list=Microsoft
add address=telemetry.microsoft.com list=Microsoft
add address=watson.ppe.telemetry.microsoft.com list=Microsoft
add address=telemetry.appex.bing.net list=Microsoft
add address=telemetry.urs.microsoft.com list=Microsoft
add address=settings-sandbox.data.microsoft.com list=Microsoft
add address=survey.watson.microsoft.com list=Microsoft
add address=watson.live.com list=Microsoft
add address=watson.microsoft.com list=Microsoft
add address=statsfe2.ws.microsoft.com list=Microsoft
add address=corpext.msitadfs.glbdns2.microsoft.com list=Microsoft
add address=compatexchange.cloudapp.net list=Microsoft
add address=a-0001.a-msedge.net list=Microsoft
add address=statsfe2.update.microsoft.com.akadns.net list=Microsoft
add address=sls.update.microsoft.com.akadns.net list=Microsoft
add address=fe2.update.microsoft.com.akadns.net list=Microsoft
add address=diagnostics.support.microsoft.com list=Microsoft
add address=corp.sts.microsoft.com list=Microsoft
add address=statsfe1.ws.microsoft.com list=Microsoft
add address=feedback.windows.com list=Microsoft
add address=feedback.microsoft-hohm.com list=Microsoft
add address=feedback.search.microsoft.com list=Microsoft
add address=rad.msn.com list=Microsoft
add address=preview.msn.com list=Microsoft
add address=ad.doubleclick.net list=Microsoft
add address=ads.msn.com list=Microsoft
add address=ads1.msads.net list=Microsoft
add address=ads1.msn.com list=Microsoft
add address=a.ads1.msn.com list=Microsoft
add address=a.ads2.msn.com list=Microsoft
add address=adnexus.net list=Microsoft
add address=adnxs.com list=Microsoft
add address=az361816.vo.msecnd.net list=Microsoft
add address=az512334.vo.msecnd.net list=Microsoft
add address=ssw.live.com list=Microsoft
add address=ca.telemetry.microsoft.com list=Microsoft
add address=i1.services.social.microsoft.com list=Microsoft
add address=i1.services.social.microsoft.com.nsatc.net list=Microsoft
add address=cs1.wpc.v0cdn.net list=Microsoft
add address=vortex-sandbox.data.microsoft.com list=Microsoft
add address=oca.telemetry.microsoft.com.nsatc.net list=Microsoft
add address=pre.footprintpredict.com list=Microsoft
add address=spynet2.microsoft.com list=Microsoft
add address=spynetalt.microsoft.com list=Microsoft
add address=fe3.delivery.dsp.mp.microsoft.com.nsatc.net list=Microsoft
/ip firewall filter
add action=add-src-to-address-list address-list=blacklist address-list-timeout=\
1h chain=input comment="Record SSH connect attempt" connection-state=new \
dst-port=22,3389,8291 in-interface=ether1 log=yes log-prefix=\
" --- SSH ATTEMPT --- " protocol=tcp
add action=log chain=input comment="Record RDP Connections" connection-state=\
new dst-port=33389 in-interface=ether1 log=yes log-prefix="RDP CONNECT" \
protocol=tcp
add action=drop chain=input comment="Drop SSH brute forcers" in-interface=\
ether1 src-address-list=blacklist
add action=accept chain=input comment="Accept WinBox" dst-port=8291 \
in-interface=bridge1 protocol=tcp
add action=accept chain=input comment="PPTP VPN" disabled=yes dst-port=1723 \
protocol=tcp
add action=accept chain=input disabled=yes protocol=gre
add action=accept chain=input comment=L2TP protocol=udp src-port=1701,500,4500
add action=accept chain=input disabled=yes protocol=tcp src-port=1701,500,4500
add action=drop chain=forward comment="Microsoft blocking rules" \
dst-address-list=Microsoft
add action=drop chain=input dst-address-list=Microsoft
add action=accept chain=forward comment="Accept forward traffic"
add action=accept chain=input comment="Accept ping" protocol=icmp
add action=accept chain=forward protocol=icmp
add action=drop chain=input comment="Drop invalid connection" connection-state=\
invalid
add action=drop chain=forward connection-state=invalid
add action=drop chain=input comment="Drop all other input traffic" \
in-interface=ether1
/ip firewall nat
add action=masquerade chain=srcnat out-interface=ether1
add action=masquerade chain=srcnat disabled=yes out-interface=all-ppp
add action=masquerade chain=srcnat comment="VPN PPPOE" disabled=yes \
dst-address=!192.0.0.0/8 src-address=192.168.0.0/16
add action=masquerade chain=srcnat comment="PPOE VPN" disabled=yes dst-address=\
!192.168.0.0/16 src-address=192.168.0.0/16
add action=netmap chain=dstnat comment="Torrent NAS" dst-port=12000 \
in-interface=ether1 protocol=tcp to-addresses=192.168.0.21 to-ports=12000
add action=netmap chain=dstnat comment="HTTP NAS" dst-port=8888 in-interface=\
ether1 protocol=tcp to-addresses=192.168.0.21 to-ports=80
add action=netmap chain=dstnat comment=RDP dst-port=33389 in-interface=ether1 \
protocol=tcp to-addresses=192.168.0.14 to-ports=3389
add action=netmap chain=dstnat comment=Factorio disabled=yes dst-port=34197 \
in-interface=ether1 protocol=udp to-addresses=192.168.0.14 to-ports=34197
add action=netmap chain=dstnat comment="RDP \CD\EE\F3\F2\E1\F3\EA" dst-port=\
33390 in-interface=ether1 protocol=tcp to-addresses=192.168.0.15 to-ports=\
3389
add action=netmap chain=dstnat comment=TheForest disabled=yes dst-port=27000 \
in-interface=ether1 protocol=tcp to-addresses=192.168.0.14 to-ports=27000
add action=netmap chain=dstnat disabled=yes dst-port=27000 in-interface=ether1 \
protocol=udp to-addresses=192.168.0.14 to-ports=27000
add action=netmap chain=dstnat comment=Stationeers dst-port=27015 in-interface=\
ether1 protocol=tcp to-addresses=192.168.0.14 to-ports=27015
add action=netmap chain=dstnat dst-port=27015 in-interface=ether1 protocol=udp \
to-addresses=192.168.0.14 to-ports=27015
add action=netmap chain=dstnat dst-port=27016 in-interface=ether1 protocol=tcp \
to-addresses=192.168.0.14 to-ports=27016
add action=netmap chain=dstnat dst-port=27016 in-interface=ether1 protocol=udp \
to-addresses=192.168.0.14 to-ports=27016
add action=netmap chain=dstnat comment="Stationeers Dedicated" disabled=yes \
dst-port=27500 in-interface=ether1 protocol=tcp to-addresses=192.168.0.56 \
to-ports=27500
add action=netmap chain=dstnat disabled=yes dst-port=27501 in-interface=ether1 \
protocol=tcp to-addresses=192.168.0.56 to-ports=27501
add action=netmap chain=dstnat disabled=yes dst-port=27500 in-interface=ether1 \
protocol=udp to-addresses=192.168.0.16 to-ports=27500
add action=netmap chain=dstnat disabled=yes dst-port=27501 in-interface=ether1 \
protocol=udp to-addresses=192.168.0.16 to-ports=27501
add action=netmap chain=dstnat comment=NetXMS disabled=yes dst-port=4700 \
in-interface=ether1 protocol=tcp to-addresses=192.168.0.54
add action=netmap chain=dstnat comment=WOW disabled=yes dst-port=3724 \
in-interface=ether1 protocol=tcp to-addresses=192.168.0.52
add action=netmap chain=dstnat disabled=yes dst-port=3724 in-interface=ether1 \
protocol=udp to-addresses=192.168.0.52
add action=netmap chain=dstnat disabled=yes dst-port=8085 in-interface=ether1 \
protocol=tcp to-addresses=192.168.0.52
add action=netmap chain=dstnat disabled=yes dst-port=8085 in-interface=ether1 \
protocol=udp to-addresses=192.168.0.52
add action=netmap chain=dstnat disabled=yes dst-port=6112 in-interface=ether1 \
protocol=tcp to-addresses=192.168.0.52
add action=netmap chain=dstnat comment="Don't Starve Together" disabled=yes \
dst-port=11000 in-interface=ether1 protocol=udp to-addresses=192.168.0.51 \
to-ports=11000
add action=netmap chain=dstnat disabled=yes dst-port=11001 in-interface=ether1 \
protocol=udp to-addresses=192.168.0.51 to-ports=11001
add action=netmap chain=dstnat disabled=yes dst-port=27019 in-interface=ether1 \
protocol=udp to-addresses=192.168.0.51 to-ports=27019
add action=netmap chain=dstnat disabled=yes dst-port=8768 in-interface=ether1 \
protocol=udp to-addresses=192.168.0.51 to-ports=8768
add action=netmap chain=dstnat disabled=yes dst-port=8769 in-interface=ether1 \
protocol=udp to-addresses=192.168.0.51 to-ports=8769
add action=netmap chain=dstnat comment="Don't Starve Together Public Server" \
disabled=yes dst-port=12002 in-interface=ether1 protocol=udp to-addresses=\
192.168.0.51 to-ports=11000
add action=netmap chain=dstnat disabled=yes dst-port=12001 in-interface=ether1 \
protocol=udp to-addresses=192.168.0.51 to-ports=11001
add action=netmap chain=dstnat disabled=yes dst-port=27020 in-interface=ether1 \
protocol=udp to-addresses=192.168.0.51 to-ports=11001
add action=netmap chain=dstnat disabled=yes dst-port=27021 in-interface=ether1 \
protocol=udp to-addresses=192.168.0.51 to-ports=11001
add action=netmap chain=dstnat disabled=yes dst-port=8770 in-interface=ether1 \
protocol=udp to-addresses=192.168.0.51 to-ports=11001
add action=netmap chain=8771 disabled=yes dst-port=8771 in-interface=ether1 \
protocol=udp to-addresses=192.168.0.51 to-ports=11001
/ip firewall service-port
set ftp disabled=yes
set irc disabled=yes
set h323 disabled=yes
set dccp disabled=yes
/ip service
set telnet disabled=yes
set ftp disabled=yes
set www disabled=yes
set ssh disabled=yes
set api disabled=yes
set api-ssl disabled=yes
/ip upnp
set enabled=yes
/ip upnp interfaces
add interface=ether1 type=external
add interface=ether2 type=internal
/ppp secret
add disabled=yes name=test password=test profile="Test VPN" service=l2tp
add disabled=yes name=test2 password=test2 profile="Test VPN" service=l2tp
add name=Kurai password=tenshi profile="Test VPN" service=l2tp
add name=shurik password=sd3dvfwa profile="Test VPN" service=l2tp
add disabled=yes name=public password=password profile=public service=l2tp
/system clock
set time-zone-name=Europe/Moscow
/system ntp client
set enabled=yes primary-ntp=217.26.163.51
/system routerboard settings
set silent-boot=no
/tool graphing interface
add interface=ether1
/tool traffic-monitor
add interface=bridge1 name=tmon1 threshold=0


Вернуться к началу
Ответить

Вернуться в «FAQ (Для начинающих)»