• Apparati e reti

  • Problemi con configurazione MikroTik L009 – Firewall & PPPoE

Ciao a tutti,
sto cercando di sistemare la configurazione del mio MikroTik L009. Allego la configurazione attuale (estratto in fondo al post) e vorrei un vostro parere su come migliorarla, soprattutto lato firewall e PPPoE.

Un utente esperto mi ha già dato qualche consiglio, ma non ha voluto fornire indicazioni pratiche. Riassumo qui cosa mi è stato suggerito:

Feedback ricevuto:
Sto usando PPPoE client ma poi assegno manualmente un IP pubblico all’interfaccia: secondo lui dovrei riceverlo direttamente dal provider tramite PPPoE.

Il firewall va rivisto:

Usare le /interface/list

Le chain di default sono in accept, quindi servono regole di drop in fondo

Le porte in dst-nat vanno nella chain forward, non in input

Usare le /ip/firewall/address-list per gestire src-address e dst-address

Disattivare da /ip/services tutto ciò che non uso (es. api, ftp…)

Abilitare NTP client o /ip/cloud per l'orario

Creare un utente con accesso full dalla LAN e disabilitare admin

In generale, secondo lui la configurazione standard Mikrotik sarebbe stata meglio di quella attuale

Le mie richieste:
Qual è il modo corretto per far gestire automaticamente l’IP pubblico dal PPPoE client?

Potete aiutarmi a scrivere un firewall base corretto, usando best practice Mikrotik?

Dove posso migliorare la sicurezza?

Ci sono errori evidenti o criticità che dovrei sistemare?

questa è la stringa

1970-01-02 05:52:52 by RouterOS 7.16.1

software id = UH7J-1EMC

#

model = L009UiGS

serial number = HGA09RDSHDJ

/interface bridge
add name=LAN-BRIDGE
/interface ethernet
set [ find default-name=ether1 ] comment=WAN
/interface pppoe-client
add add-default-route=yes disabled=no interface=ether1 name=WAN use-peer-dns=\
yes user=r000004249@rsdh.intred.it
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip pool
add name=dhcp_poolrange ranges=10.0.0.100-10.0.0.199
/port
set 0 name=serial0
/interface bridge port
add bridge=LAN-BRIDGE interface=ether2
add bridge=LAN-BRIDGE interface=ether3
add bridge=LAN-BRIDGE interface=ether4
add bridge=LAN-BRIDGE interface=ether5
add bridge=LAN-BRIDGE interface=ether6
add bridge=LAN-BRIDGE interface=ether7
/ip address
add address=10.0.0.69/24 interface=LAN-BRIDGE network=10.0.0.0
add address=31.171.138.195 comment="IP Pubblico Intred" interface=WAN \
network=31.171.138.195
/ip dhcp-server
add address-pool=dhcp_poolrange interface=LAN-BRIDGE lease-time=2h name=dhcp1
/ip dhcp-server network
add address=10.0.0.0/24 gateway=10.0.0.69
/ip dns
set allow-remote-requests=yes servers=8.8.8.8,1.1.1.1
/ip firewall filter
add action=accept chain=input comment="Allow port forwarding" dst-port=\
1194,443,22,6763,7783,1022,8783,2022,9783,3022,65113 in-interface=ether1 \
protocol=tcp
add action=accept chain=forward comment="opt1 allow" dst-address=10.0.0.210 \
dst-port=563 protocol=tcp src-address=145.224.104.53
add action=accept chain=forward comment="sandbox allow" dst-address=\
10.0.0.210 dst-port=4443 protocol=tcp src-address=85.31.9.233
add action=accept chain=forward comment="dta allow" dst-address=10.0.0.210 \
dst-port=443 protocol=tcp src-address=192.46.190.0
add action=accept chain=forward comment="skidata allow" dst-address=\
10.0.0.210 dst-port=443 protocol=tcp src-address=151.4.23.116
/ip firewall nat
add action=masquerade chain=srcnat
add action=dst-nat chain=dstnat comment=manivak1 dst-port=1194 protocol=tcp \
to-addresses=10.0.0.210 to-ports=1194
add action=dst-nat chain=dstnat comment=manivak1 dst-port=1194 protocol=tcp \
to-addresses=10.0.0.210 to-ports=1194
add action=dst-nat chain=dstnat comment=webshop dst-port=443 protocol=tcp \
to-addresses=10.0.0.210 to-ports=443
add action=dst-nat chain=dstnat comment="NVR .48" dst-port=22 protocol=tcp \
to-addresses=10.0.0.118 to-ports=22
add action=dst-nat chain=dstnat comment="NVR .48 2" dst-port=6763 protocol=\
tcp to-addresses=10.0.0.118 to-ports=6763
add action=dst-nat chain=dstnat comment="NVR .54" dst-port=7783 protocol=tcp \
to-addresses=10.0.0.118 to-ports=7783
add action=dst-nat chain=dstnat comment="NVR .54 2" dst-port=1022 protocol=\
tcp to-addresses=10.0.0.118 to-ports=1022
add action=dst-nat chain=dstnat comment="NVR .59" dst-port=8783 protocol=tcp \
to-addresses=10.0.0.118 to-ports=8783
add action=dst-nat chain=dstnat comment="NVR .59 2" dst-port=2022 protocol=\
tcp to-addresses=10.0.0.118 to-ports=2022
add action=dst-nat chain=dstnat comment="NVR .60" dst-port=9783 protocol=tcp \
to-addresses=10.0.0.118 to-ports=9783
add action=dst-nat chain=dstnat comment="NVR .60 2" dst-port=3022 protocol=\
tcp to-addresses=10.0.0.118 to-ports=3022
add action=dst-nat chain=dstnat comment="POS IGLOO" dst-port=65113 protocol=\
tcp to-addresses=10.0.0.89 to-ports=65113
add action=dst-nat chain=dstnat comment="barard chalet" dst-port=8106 \
protocol=tcp to-addresses=10.0.0.106 to-ports=443
add action=dst-nat chain=dstnat comment="chalet barard" dst-port=8107 \
protocol=tcp to-addresses=10.0.0.107 to-ports=443
add action=dst-nat chain=dstnat comment="barard dasdana" dst-port=8090 \
protocol=tcp to-addresses=10.0.0.90 to-ports=443
add action=dst-nat chain=dstnat comment="dasdana barard" dst-port=8091 \
protocol=tcp to-addresses=10.0.0.91 to-ports=443
add action=dst-nat chain=dstnat comment="barard igloo" dst-port=8103 \
protocol=tcp to-addresses=10.0.0.103 to-ports=443
add action=dst-nat chain=dstnat comment="igloo barard" dst-port=8104 \
protocol=tcp to-addresses=10.0.0.104 to-ports=443
add action=dst-nat chain=dstnat comment="dasdana ristoro" dst-port=8087 \
protocol=tcp to-addresses=10.0.0.87 to-ports=443
add action=dst-nat chain=dstnat comment="ristoro dasdana" dst-port=8086 \
protocol=tcp to-addresses=10.0.0.86 to-ports=443
add action=dst-nat chain=dstnat comment="mobotix ex igloo" dst-port=8068 \
protocol=tcp to-addresses=10.0.0.68 to-ports=80
add action=dst-nat chain=dstnat comment="mobotix chalet" dst-port=8067 \
protocol=tcp to-addresses=10.0.0.67 to-ports=80
add action=dst-nat chain=dstnat comment="mobotix dasdana" dst-port=8098 \
protocol=tcp to-addresses=10.0.0.98 to-ports=80
add action=dst-nat chain=dstnat comment="anel gasolio" dst-port=8010 \
protocol=tcp to-addresses=10.0.0.10 to-ports=80
add action=dst-nat chain=dstnat comment="nvr biglietteria" dst-port=8019 \
protocol=tcp to-addresses=10.0.0.80 to-ports=80
add action=dst-nat chain=dstnat comment="nvr cucina" dst-port=8140 protocol=\
tcp to-addresses=10.0.0.140 to-ports=80
add action=dst-nat chain=dstnat comment="panoramica igloo" dst-port=8109 \
protocol=tcp to-addresses=10.0.0.109 to-ports=80
add action=dst-nat chain=dstnat comment=SKIDATA1 dst-port=8210 protocol=tcp \
to-addresses=10.0.0.210 to-ports=80
add action=dst-nat chain=dstnat comment="zocchi barard" dst-port=8093 \
protocol=tcp to-addresses=10.0.0.93 to-ports=443
add action=dst-nat chain=dstnat comment="barard zocchi" dst-port=8092 \
protocol=tcp to-addresses=10.0.0.92 to-ports=443
add action=dst-nat chain=dstnat comment="igloo barardd" dst-port=8110 \
protocol=tcp to-addresses=10.0.0.110 to-ports=443
add action=dst-nat chain=dstnat comment="SRV PingWin Chalet" dst-port=8080 \
protocol=tcp to-addresses=10.0.0.190 to-ports=8080
add action=dst-nat chain=dstnat comment="Reolink dasdana sud" dst-port=8209 \
protocol=tcp to-addresses=10.0.0.209 to-ports=80
add action=dst-nat chain=dstnat comment="switch ubi dasdana" dst-port=8001 \
protocol=tcp to-addresses=10.0.0.1 to-ports=80
add action=dst-nat chain=dstnat comment="barard chalet UDP" dst-port=8106 \
protocol=udp to-addresses=10.0.0.106 to-ports=443
add action=masquerade chain=srcnat comment="Hairpin NAT" dst-address=\
10.0.0.0/24 src-address=10.0.0.0/24
add action=dst-nat chain=dstnat comment="opt1 TCP 563" dst-port=563 protocol=\
tcp src-address=145.224.104.53 to-addresses=10.0.0.210 to-ports=563
add action=dst-nat chain=dstnat comment="sandbox TCP 4443" dst-port=4443 \
protocol=tcp src-address=85.31.9.233 to-addresses=10.0.0.210 to-ports=\
4443
add action=dst-nat chain=dstnat comment="dta TCP 443" dst-port=443 protocol=\
tcp src-address=192.46.190.0 to-addresses=10.0.0.210 to-ports=443
add action=dst-nat chain=dstnat comment="skidata TCP 443" dst-port=443 \
protocol=tcp src-address=151.4.23.116 to-addresses=10.0.0.210 to-ports=\
443
add action=dst-nat chain=dstnat comment="chalet gasolio" dst-port=8186 \
protocol=tcp to-addresses=10.0.0.186 to-ports=80
/system clock
set time-zone-name=Europe/Rome
/system note
set show-at-login=no
/system routerboard settings
set enter-setup-on=delete-key

Informativa privacy - Informativa cookie - Termini e condizioni - Regolamento - Disclaimer - 🏳️‍🌈
P.I. IT16712091004 - info@fibraclick.it

♻️ Il server di questo sito è alimentato al 100% con energia rinnovabile