Zdravim som relativne novy uzivatel Mikrotiku a mam par nejasnosti a dotazov aj ked s niecim mi uz pomohli na inych forach tak este si nieco potrebujem ujasnit.
Moja siet vyzera momentalne takto:
VDSL modem v rezime bridge zapojeny do routeru Mikrotik RB3011UIAS v porte ETH1. Samotny internet sa vytaca na Mikrotiku cez vytvoreneho PPPoE klienta (premenovany na WAN)
Manazovatelny switch TPlink zapojeny do routeru ETH2. v routery mam nastaveny jeden bridge v ktorom su prebridgovane porty ETH2 - ETH5 (premenovany na LAN) zatial ale vyuzivam z bridgeu len ETH2 v ktorom je TPlink switch. V bridgei je povoleny HW offload.
V TPlink switchi su zapojene vsetky ethernet koncove zariadenia spolu s 1x AP Ubiquiti nanoHD + 1x AP Ubiquiti Mesh (vonkajsi) + dalsi TPlink switch ktory je na druhom poschodi a su v nom zapojene koncove zariadenia (dva servery) z druheho poschodia. Ten switch na druhom poschodi je ale nemanazovatelny
Prva vec ktorej asi uplne nerozumiem je firewall - Pravidla mam nastavene takto (pri dropovovacich pravidlach je zapnute logovanie):
Kód:
/ip firewall filter> print Flags: X - disabled, I - invalid, D - dynamic 0 ;;; Accept established and related packets chain=input action=accept connection-state=established,related log=no log-prefix=""
1 ;;; Accept all connections from local network chain=input action=accept in-interface=LAN log=no log-prefix=""
2 ;;; Accept established and related packets chain=forward action=accept connection-state=established,related log=no log-prefix=""
3 ;;; Drop invalid packets chain=input action=drop connection-state=invalid log=yes log-prefix="invalid-input"
4 ;;; Drop all packets which are not destined to routes IP address chain=input action=drop dst-address-type=!local log=yes log-prefix="input-not-destinated-for-route-ip"
5 ;;; Drop all packets which does not have unicast source IP address chain=input action=drop src-address-type=!unicast log=yes log-prefix="input-no-unicast-ip"
6 ;;; Drop all packets from public internet which should not exist in public network chain=input action=drop src-address-list=NotPublic in-interface=WAN log=yes log-prefix="input-from-wan-but-should-no-exist"
7 ;;; drop DNS chain=input action=drop protocol=udp in-interface=WAN dst-port=53 log=yes log-prefix="drop-dns"
8 ;;; drop DNS chain=input action=drop protocol=tcp in-interface=WAN dst-port=53 log=yes log-prefix="drop-dns"
9 ;;; Drop invalid packets chain=forward action=drop connection-state=invalid log=yes log-prefix="forward-invalid"
10 ;;; Drop new connections from internet which are not dst-natted chain=forward action=drop connection-state=new connection-nat-state=!dstnat in-interface=WAN log=yes log-prefix="forward-new-wan-but-not-dst-nat"
11 ;;; Drop all packets from public internet which should not exist in public network chain=forward action=drop src-address-list=NotPublic in-interface=WAN log=yes log-prefix="forward-wan-but-should-not-exist-in-public-net"
12 ;;; Drop all packets from local network to internet which should not exist in public network chain=forward action=drop dst-address-list=NotPublic in-interface=LAN log=yes log-prefix="forward-LAN--but-should-not-exist-in-public-net"
13 ;;; Drop all packets in local network which does not have local network address chain=forward action=drop src-address=!lan.adresa.siete.0/24 in-interface=LAN log=yes log-prefix="forward-LAN-but-no-lan-ip"
14 ;;; Drop new connections from internet which are not dst-natted chain=forward action=drop connection-state=new connection-nat-state=!dstnat in-interface=WAN log=yes log-prefix="forward-new-from-WAN-but-not-dst-nated"
Kód:
ip firewall nat print
Flags: X - disabled, I - invalid, D - dynamic
0 chain=srcnat action=masquerade src-address=lan.adresa.siete.0/24 out-interface=WAN log=no log-prefix=""
1 chain=dstnat action=dst-nat to-addresses=lan.ip.adresa.servera to-ports=443 protocol=tcp dst-address=wan.ip.adresa.routera in-interface=WAN dst-port=443 log=no log-prefix=""
Vsetky pravidla by mali zodpovedat zakladnym pravidlam ktore doporucuje Mikrotik na Wiki webe okrem pravidla tykajuceho sa DNS ktore som pridal sam pretoze router pouzivam na ucely DNS. Tiez som pridal natovany port 443.
Log pri tychto pravidlach vyzera takto:
Kód:
18:06:09 firewall,info invalid-input input: in:WAN out:(unknown 0), src-mac XXXXX, proto TCP (RST), 92.118.37.70:50792->wan.ip.adresa.routera:3415, len 40
18:06:11 firewall,info forward-invalid forward: in:LAN out:WAN, src-mac XXXXX, proto TCP (RST), lan.ip.adresa.zariadenia:51742->17.142.171.9:443, len 40
18:07:41 firewall,info invalid-input input: in:WAN out:(unknown 0), src-mac XXXXX, proto TCP (RST), 185.176.27.18:55490->wan.ip.adresa.routera:7001, len 40
18:07:44 firewall,info invalid-input input: in:WAN out:(unknown 0), src-mac XXXXX, proto TCP (RST), 5.188.86.114:53104->wan.ip.adresa.routera:33852, len 40
18:07:52 firewall,info invalid-input input: in:WAN out:(unknown 0), src-mac XXXXX, proto TCP (RST), 198.108.66.80:18098->wan.ip.adresa.routera:443, len 40
18:07:52 firewall,info invalid-input input: in:WAN out:(unknown 0), src-mac XXXXX, proto TCP (RST), 198.108.66.80:18098->wan.ip.adresa.routera:443, len 40
18:08:38 firewall,info invalid-input input: in:WAN out:(unknown 0), src-mac XXXXX, proto TCP (RST), 89.248.160.193:42224->wan.ip.adresa.routera:7598, len 40
18:09:44 firewall,info invalid-input input: in:WAN out:(unknown 0), src-mac XXXXX, proto TCP (RST), 5.188.86.114:53104->wan.ip.adresa.routera:3254, len 40
18:10:44 firewall,info invalid-input input: in:WAN out:(unknown 0), src-mac XXXXX, proto TCP (RST), 92.119.160.125:45001->wan.ip.adresa.routera:10249, len 40
18:10:52 firewall,info invalid-input input: in:WAN out:(unknown 0), src-mac XXXXX, proto TCP (RST), 185.175.93.45:53727->wan.ip.adresa.routera:3386, len 40
18:11:09 firewall,info forward-invalid forward: in:LAN out:WAN, src-mac XXXXX, proto TCP (RST), [b]lan.ip.adresa.zariadenia[/b]:51744->17.252.91.246:443, len 40
18:11:09 firewall,info forward-invalid forward: in:LAN out:WAN, src-mac XXXXX, proto TCP (RST), [b]lan.ip.adresa.zariadenia[/b]:51744->17.252.91.246:443, len 40
18:11:34 firewall,info forward-invalid forward: in:LAN out:WAN, src-mac XXXXX, proto TCP (RST), [b]lan.ip.adresa.zariadenia[/b]:51743->17.167.194.230:443, len 40
18:11:36 firewall,info forward-invalid forward: in:LAN out:WAN, src-mac XXXXX, proto TCP (RST), [b]lan.ip.adresa.zariadenia[/b]:51745->17.134.127.250:443, len 40
18:13:02 firewall,info invalid-input input: in:WAN out:(unknown 0), src-mac XXXXX, proto TCP (RST), 185.176.27.166:55523->wan.ip.adresa.routera:58700, len 40
18:13:39 firewall,info invalid-input input: in:WAN out:(unknown 0), src-mac XXXXX, proto TCP (RST), 185.222.211.114:55704->wan.ip.adresa.routera:3313, len 40
18:13:40 firewall,info invalid-input input: in:WAN out:(unknown 0), src-mac XXXXX, proto TCP (RST), 34.241.240.50:443->wan.ip.adresa.routera:51490, len 40
Log je z dnesneho dna. Podobne zaznamy sa opakuju v logu dlhodobo a ako vidite tak velmi casto a mozno sa mylim ale myslim si ze ak nejaka siet nastavena spravne tak pouzitie drop pravidla by mala byt anomalia ktora si vyzaduje pozornost hlavne preto ze su pouzite len pravidla doporucene samotnym mikrotikom a myslim si ze by mali zodpovedat standardnej prevadzke. Takze moja otazka teda znie: Je moj predpoklad spravny a mam nieco zle nastavene alebo je taketo dropovanie v praxi bezne a netreba sa tym zaoberat?
Dalsia otazka ktora sa tyka logu/firewallu je ze posledne dva zaznamy (ale aj dalsie) v logu sa tykaju mac adresy ktora sa uz niekolko dni nevyskytuje v mojej sieti (to zariadenie realne nie je na blizku). To znamena ze logicky toto zariadenie nemohlo poslat ziadny request do internetu ale ako je potom mozne ze nejaky server (konkretne censys.io) sa snazi spatne komunikovat s tymto zariadenim resp. s routerom ked to zariadenie je uz niekolko dni mimo siete?
Dalsia vec na ktoru sa chcem spytat sa tyka vytvorenia hostovskej siete pre wifi AP Ubi ktora bude izolovana od LAN. Cital som ze na tento a podobne ucely sa pouzivaju prave VLANy ale chce, sa spytat preco nie je lepsie na tento ucel vytvorit v mikrotiku dalsiu adresu resp. siet v casti /ip/addresses? Ak je to uplna blbost a nema to ziadne vyhody alebo by to ani nefungovalo napiste mi preco.
Keby som to teda riesil cez VLANy potreboval by som aby siet fungovala takto:
1. Normalna interna LAN v ktorej sa uvidia vsetky zariadenia (vratane servera)
2. Izolovana hostovska Wifi siet ktora vobec neuvidi zariadenia v LAN sieti pripadne hostia v tejto sieti uvidia len vybrane zariadenia z LAN siete ktore budem chciet zdielat (napr. tlaciaren).
3. Planujem na Mikrotiku spravit VPN tunel pre zabezpecene pripojenie z internetu do servera takze zrejme budem potrebovat tretiu VLANu pre VPN klientov tak aby po pripojeni do LAN nevideli vsetky zariadenia v sieti ale iba vybrany server
Da sa to spravit? Ako najlepsie a najbezpecnejsie? "topologiu" siete na zaciatku prispevku som napisal preto aby ste mi mohli poradit ak je niekde chyba alebo sa da nieco vylepsit (napr. asi je lepsie pouzit v sieti jeden switch ale ak su dva znamena to automaticky problem/spomalenie apod.?) Ak nie su dva switche problem ale zalezi na ich parametroch napiste mi to.
Diky za rady.
