@nonkronk
Last active April 11, 2023 16:04
Securing Mikrotik: default-deny-all filter rules for VLANs

Notes: Some IPs are already rotated to protect the innocent.

Give admin access to trusted local devices (the trusted-local address list). The first rule rejects every host outside that list from reaching the ISP (Telkom) router's web UI at 172.31.100.1; the two accepts then let trusted-local reach all VLANs and the router itself. Because these accepts sit before the fasttrack rule, trusted-local connections are never fasttracked, which is harmless for admin traffic.

/ip firewall filter
add action=reject chain=forward comment="Block Telkom Router access" \
    dst-address=172.31.100.1 dst-port=80 protocol=tcp reject-with=\
    icmp-network-unreachable src-address-list=!trusted-local

add action=accept chain=forward comment="allow admin access to all VLANs" \
    src-address-list=trusted-local

add action=accept chain=input comment="allow admin access mikrotik" \
    src-address-list=trusted-local

Fasttrack established/related connections (performance optimization). Fasttracked packets skip the rest of the filter, mangle and queue processing, so keep this rule ahead of anything that must inspect every packet of a known connection.

add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
    connection-state=established,related hw-offload=yes

add action=accept chain=forward comment=\
    "defconf: accept established,related, untracked" connection-state=\
    established,related,untracked

add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid

Early drop of known bad/undesired destination IPs. The address lists (mudfish_block, konami-*) are maintained under /ip firewall address-list and are not shown here.

add action=drop chain=forward comment="DROP SOME MUDFISH IPS" \
    dst-address-list=mudfish_block

add action=drop chain=forward comment="DROP KONAMI AU" \
    dst-address-list=konami-au

add action=drop chain=forward comment="DROP KONAMI HK" \
    dst-address-list=konami-hk

add action=drop chain=forward comment="DROP KONAMI JP" \
    dst-address-list=konami-jp

add action=drop chain=forward comment="DROP KONAMI KR" \
    dst-address-list=konami-kr

add action=drop chain=forward comment="DROP KONAMI TW" \
    dst-address-list=konami-tw        

Allow VLANs to access the internet. ether1 is the WAN port; the all-vlan and all-wireless values match any VLAN or wireless interface, so new VLANs get internet access automatically (an interface list is the more explicit alternative if that is not wanted).

add action=accept chain=forward comment="allow VLAN to the internet" \
    in-interface=all-vlan out-interface=ether1

add action=accept chain=forward comment="allow WLAN to the internet" \
    in-interface=all-wireless out-interface=ether1

Allow whitelisted public IPs (only Cloudflare, held in the trusted-public address list) from the internet to reach exposed servers. Caveat: restricting the origin to Cloudflare's edge ranges only limits who can reach port 443 if the origin also verifies the request came through your own zone (for example Cloudflare's authenticated origin pulls), since any Cloudflare customer can proxy a hostname to this IP.

add action=accept chain=forward comment=\
    "allow WHITELISTED INTERNET to access server port 443 on VLAN 200" \
    dst-address=172.31.102.130 dst-port=443 in-interface=ether1 \
    out-interface=vlan_200 protocol=tcp src-address-list=trusted-public

add action=accept chain=forward comment=\
    "allow TRISTIAN-OCI to access WIREGUARD" dst-address=172.31.102.71 \
    dst-port=51820 in-interface=ether1 out-interface=vlan_200 protocol=udp \
    src-address=192.29.30.26

Allow desired connections between whitelisted VLANs. Note that the DNS rule below admits UDP/53 only; resolvers fall back to TCP/53 for truncated (large, typically DNSSEC) responses, which this ruleset drops.

add action=accept chain=forward comment=\
    "allow ALL DEVICES to access DNS server on VLAN 200" dst-address-list=\
    pihole-dns dst-port=53 out-interface=vlan_200 protocol=udp

add action=accept chain=forward comment=\
    "allow VLAN 300 to access k8s-ingress on VLAN 200 using public domain name" \
    dst-address=172.31.102.130 dst-port=443 in-interface=vlan_300 \
    out-interface=vlan_200 protocol=tcp

add action=accept chain=forward comment="allow VLAN 400 to VLAN 200 servers" \
    dst-port=8123,1883,1880 in-interface=vlan_400 out-interface=vlan_200 \
    protocol=tcp

add action=accept chain=forward comment="allow HASS to CCTV" \
    dst-address-list=cctv in-interface=vlan_200 out-interface=vlan_400 \
    src-address=172.31.102.44

add action=accept chain=forward comment="allow HASS to XIAOMI MIIO" \
    dst-address-list=xiaomi_miio in-interface=vlan_200 out-interface=vlan_400 \
    src-address=172.31.102.44

add action=accept chain=forward comment="allow HASS to HARMONY HUB" \
    dst-address=192.168.0.3 in-interface=vlan_200 out-interface=vlan_400 \
    src-address=172.31.102.44

add action=accept chain=forward comment="allow WLAN to VLAN 400" dst-address=\
    192.168.0.0/24 src-address=192.168.0.0/24

Drop everything else. Anything not accepted above is dropped in both chains. Since the input chain only accepts trusted-local, replies to connections the router itself opens (DNS lookups, NTP, package updates, /tool fetch) are dropped too unless an established,related accept is added to input, and hosts outside trusted-local cannot ping their gateway. Keep these two rules last: any rule appended after them is never evaluated.

add action=drop chain=forward comment="drop everything else"

add action=drop chain=input comment="drop everything else"
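As an added example (not part of the gist and not a MikroTik tool), the following Python script audits a RouterOS /ip firewall filter export for the mistakes that bite a default-deny ruleset: rules appended after the catch-all drop (silently shadowed), an input chain with no established,related accept, address lists the rules depend on but that must be defined separately, and leftover src-address-list="" export noise. It assumes the key=value syntax and backslash line continuation used on this page; the embedded excerpt is constructed from the rules above plus one deliberately misplaced rule so each check has something to report.

```python
# Added example, not part of the gist: audit a RouterOS "/ip firewall filter"
# export for the mistakes that bite a default-deny ruleset. Assumes the export
# uses the key=value syntax and backslash line continuation shown on this page.
import re

# Constructed excerpt: the chain skeleton from this page plus one deliberately
# misplaced rule after the forward catch-all, so every check has something to find.
SAMPLE_EXPORT = r'''
/ip firewall filter
add action=accept chain=input comment="allow admin access mikrotik" \
    src-address-list=trusted-local
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
    connection-state=established,related hw-offload=yes
add action=accept chain=forward comment=\
    "defconf: accept established,related, untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
add action=accept chain=forward comment="allow ALL DEVICES to access DNS" \
    dst-address-list=pihole-dns dst-port=53 out-interface=vlan_200 protocol=udp
add action=accept chain=forward comment="allow VLAN 400 to VLAN 200 servers" \
    dst-port=8123,1883,1880 in-interface=vlan_400 out-interface=vlan_200 \
    protocol=tcp src-address-list=""
add action=drop chain=forward comment="drop everything else"
add action=drop chain=input comment="drop everything else"
add action=accept chain=forward comment="oops: added after the catch-all" \
    dst-port=22 in-interface=vlan_300 out-interface=vlan_200 protocol=tcp
'''

# key=value pairs; a value is either a double-quoted string or a bare token
_KV = re.compile(r'([\w-]+)=("(?:[^"\\]|\\.)*"|\S*)')
# fields that say what a rule does or how it is labelled, not what it matches
NON_MATCHERS = {"action", "chain", "comment", "disabled", "log", "log-prefix",
                "place-before", "reject-with", "hw-offload"}


def parse_rules(export):
    """Join backslash-continued lines, then turn each 'add ...' line into a dict."""
    joined = re.sub(r"\\\n\s*", "", export)
    rules = []
    for line in joined.splitlines():
        line = line.strip()
        if line.startswith("add "):
            rules.append({k: v.strip('"') for k, v in _KV.findall(line[4:])})
    return rules


def is_catch_all(rule):
    """True if the rule has no matcher at all, so it hits every packet that reaches it."""
    return not (set(rule) - NON_MATCHERS)


def shadowed_rules(rules):
    """(index, comment) of rules placed after a terminating catch-all in their chain."""
    closed, shadowed = set(), []
    for i, r in enumerate(rules):
        if r.get("disabled") == "yes":
            continue
        chain = r.get("chain")
        if chain in closed:
            shadowed.append((i, r.get("comment", "")))
        elif is_catch_all(r) and r.get("action") in {"accept", "drop", "reject"}:
            closed.add(chain)
    return shadowed


def referenced_address_lists(rules):
    """Address lists the filter depends on; each must exist under /ip firewall address-list."""
    names = set()
    for r in rules:
        for key in ("src-address-list", "dst-address-list"):
            name = r.get(key, "").lstrip("!")   # "!list" negates, but is still a dependency
            if name:
                names.add(name)
    return names


def input_accepts_established(rules):
    """True if the input chain lets replies to router-originated connections back in."""
    for r in rules:
        if r.get("chain") == "input" and r.get("action") == "accept":
            if "established" in r.get("connection-state", "").split(","):
                return True
    return False


def audit(export):
    rules = parse_rules(export)
    return {
        "rule_count": len(rules),
        "shadowed": shadowed_rules(rules),
        "address_lists": sorted(referenced_address_lists(rules)),
        "input_accepts_established": input_accepts_established(rules),
        # src-address-list="" is export noise that matches nothing extra; worth cleaning up
        "empty_list_matchers": [r.get("comment", "") for r in rules
                                if "" in (r.get("src-address-list"), r.get("dst-address-list"))],
    }


if __name__ == "__main__":
    for key, value in audit(SAMPLE_EXPORT).items():
        print(f"{key}: {value}")
```

Run it against a real export (/export file=... on the router, then the /ip firewall filter section of the resulting .rsc) to get the same report; on the excerpt above it flags the "oops" rule as shadowed, lists pihole-dns and trusted-local as lists that must exist, and reports that input has no established,related accept.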