Lab 3.1 Creating a Basic Firewall with MikroTik Router - Part 1

Creating a basic firewall.
💡
Goals of this Lab
  1. Create a new GNS3 workspace
  2. Implement a basic network
  3. Set up a Python HTTP server to serve files
  4. Set up a basic firewall
  5. Test firewall access

Step 1: Create a new GNS3 workspace

💡
We will be utilizing the MikroTik WinBox GNS3 appliance for this lab. This appliance allows us to manage our MikroTik routers from within our GNS3 workspace. It provides us with a local instance of WinBox instead of relying on the WinBox application on our host PC. For this lab, our goal is to block our host PC from being able to connect to our MikroTik router. You will need to install the appliance prior to starting this lab. For information on installing the appliance, please take a look at this article.
  1. Create the following workspace in GNS3. (If you need a refresher on how to create workspaces in GNS3 please take a look at this article)
Basic Lab Setup for MikroTik Winbox router/firewall lab.

Note: Cloud1 port eth2 (NAT) is connected to ether1 on MikroTikCHR7.15.2-1, and port ether2 on MikroTikCHR7.15.2-1 is connected to our MikrotikWinBox-1 appliance.

When the MikroTikCHR7.15.2-1 appliance is started, from your host PC, open your local copy of WinBox and look at the neighbors tab.

Our virtual router instance from our GNS3 workspace. 

You will notice that our router instance should appear and is able to be managed/logged in to from our WAN interface. In non-virtualized environments, we would usually connect the WAN interface of our router to the Internet. This generally would mean that management of our router could be accessible over the public Internet. If someone knows our IP address, they could potentially log into the router and gain access to our network. In order to prevent this, what we usually want to do is to set up a firewall.

What is a firewall? A firewall is a security system designed to monitor and control incoming and outgoing network traffic based on predetermined security rules. It acts as a barrier between a trusted internal network and untrusted external networks, such as the internet. Firewalls can be hardware, software, or a combination of both, and they work by inspecting incoming and outgoing data packets and determining whether to allow or block them based on defined security rulesets. Firewalls are essential for protecting networks from unauthorized access, malware, and other security threats.

How a firewall typically works. 

In this lab, our goal is to block our host PC from being able to access our GNS3 virtual router (in the same way we would block public hosts from being able to access our router over the Internet).

Step 1: Verify access to the MikroTik router via our host PC. From the host, open WinBox and attempt to log into the router. As you can see, our router IP address is 192.168.150.140. Click the Connect button. The IP address of your virtual router may be different from what is shown here, so double-check that you are connecting to the right appliance.

Once we hit the Connect button, it should have logged us in (see image)

We are logged in.
This also illustrates why it is important to set a secure password on the router! Without a firewall in place to protect us, someone over the Internet who has discovered our IP address could potentially log in to our router and gain complete control over our network. For the purposes of simplicity for our labs, we may forego the password or use a simple password, but make sure that in production you set a secure password otherwise someone could discover and log into your router or devices.

Step 2: Set the router password and click Change Now to apply the password. When you set the password, you will need to log out and log back in to the router using the password that you just set.

Step 3: Start the MikrotikWinBox-1 virtual appliance instance and log into the console. It should load the TightVNC viewer as shown below. Open the Neighbors tab and you should see the router listed.

Launching the MikroTik Winbox Virtual appliance
TightVNC viewer with loaded instance of WinBox
Logging into the virtual router appliance using virtual WinBox appliance.

To configure our firewall, we are going to start by importing a script onto the device and applying it, which will set up a basic firewall. We will then test whether we are still able to access our MikroTik router from our host PC, and explain how the script works in part 2 of this tutorial.

💡
You can also use SSH and SCP to copy the file from your local device to the router. For more information on using SSH and SCP to copy files to your router, please check out this article.

To import the firewall script, we are going to use the MikroTik Terminal CLI and a tool called fetch to download the script onto our device. Once it has been downloaded, we use the CLI once again to apply the script.

Step 4: In our WinBox virtual appliance instance main menu, tap "New Terminal"

Opening up the MikroTik Terminal CLI
In this lab we are going to make use of Python to set up a basic HTTP server to allow us to send our downloaded files to the MikroTik router. If you have not yet had a chance to install Python, please see the instructions here to install Python on your device. 

We are going to use the Python HTTP server to serve local files from our PC to the MikroTik router. Python’s HTTP server can come in handy when you want to quickly share a bunch of files with another device connected to the same network as you. What we are going to do is create a folder and drop the file(s) that we want to share with our MikroTik router in this directory, and then start the HTTP server to serve this directory over HTTP.

Step 5: Create a directory on your local PC. We are going to call our directory SRV.

Inside of this folder, we are going to create a folder called Scripts and place our firewall script inside this folder.

Open a Terminal window on your local PC and navigate to the base directory you created earlier (mine is E:\SRV). We are then going to launch Python to serve this directory. Run the following commands to launch the server.

cd E:\SRV *(replace this with your directory if different)*
python -m http.server 

Step 6: We are going to use the Quick Set feature of the MikroTik router to set up a basic configuration. This will preconfigure a bridge and set up a local network with the ether1 port as our WAN port and the remaining ports as our LAN ports. In WinBox, make the following settings and hit Apply.

Step 7: Now, download the script from the web server and run the script to apply the firewall settings.

To download, open a new terminal by selecting "New Terminal" from the Winbox main menu. Once the terminal is open, run the following command. (Please note, your IP address may be different from the one shown here. In that case, you can open the Windows terminal app on your local machine and run the ipconfig command to see what your IP address actually is.)

/tool fetch url="http://192.168.150.1:8000/scripts/default_firewall.rsc" mode="http"
Download firewall script.

If we look at the file directory (select "Files" from the Winbox main menu), in the File List we should see our firewall script has been downloaded to the router.

Viewing our file directory. 

Step 7: Open the Firewall filter rules window. (Select "IP -> Firewall" from the Winbox main menu and open the Filter Rules tab.) As you can see, we do not currently have any firewall rules defined, which means that our router is essentially wide open and unprotected. Let's fix that. We're going to use the console again to run the script that we just downloaded, and then I'll explain what we've just applied. (The script that we are running is part of the default MikroTik configuration script.)

Viewing our empty firewall.

Step 8: Go back to the WinBox terminal, and in the terminal window, we are going to run the script that was just downloaded. To run the script, run the following command in the window.

/import default_firewall.rsc 
Running the script we just downloaded.

If you now take a look at our Firewall window, you will notice that we have added several new rules.

These rules should provide a basic configuration for protecting our router from Internet accessibility. Now, if we attempt to connect to our router from WinBox on our host PC rather than from the one inside our virtual instance, we should no longer be able to.
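For reference, here is an added example of what a firewall script in the style of the MikroTik default configuration looks like. This is not the lab's default_firewall.rsc file (its contents are covered in part 2); it is written here from the RouterOS v7 default configuration and assumes, as in this lab's topology, that ether1 is the WAN port and that the Quick Set bridge (assumed to be named "bridge") carries the LAN ports.

```routeros
# Added example, not the lab's own script: a RouterOS v7 firewall modelled on
# the MikroTik default configuration ("defconf").
# Assumptions: ether1 is the WAN port, the LAN ports sit on a bridge named "bridge".

# Interface lists: the filter rules refer to these lists rather than to ports,
# so changing which port is WAN only means editing the list membership.
/interface list
add name=WAN comment="defconf"
add name=LAN comment="defconf"
/interface list member
add list=WAN interface=ether1 comment="defconf"
add list=LAN interface=bridge comment="defconf"

/ip firewall filter
# input chain: packets addressed to the router itself (WinBox, SSH, DNS, ...)
add chain=input action=accept connection-state=established,related,untracked comment="defconf: accept established,related,untracked"
add chain=input action=drop connection-state=invalid comment="defconf: drop invalid"
add chain=input action=accept protocol=icmp comment="defconf: accept ICMP"
add chain=input action=accept dst-address=127.0.0.1 comment="defconf: accept to local loopback (for CAPsMAN)"
# This is the rule that stops WinBox on the host PC: a new connection arriving
# on any interface that is not in the LAN list (here, ether1/WAN) is dropped.
add chain=input action=drop in-interface-list=!LAN comment="defconf: drop all not coming from LAN"

# forward chain: packets passing through the router between LAN and WAN
add chain=forward action=accept ipsec-policy=in,ipsec comment="defconf: accept in ipsec policy"
add chain=forward action=accept ipsec-policy=out,ipsec comment="defconf: accept out ipsec policy"
add chain=forward action=fasttrack-connection connection-state=established,related hw-offload=yes comment="defconf: fasttrack"
add chain=forward action=accept connection-state=established,related,untracked comment="defconf: accept established,related, untracked"
add chain=forward action=drop connection-state=invalid comment="defconf: drop invalid"
add chain=forward action=drop connection-state=new connection-nat-state=!dstnat in-interface-list=WAN comment="defconf: drop all from WAN not DSTNATed"
```

Rule order matters: the "accept established,related" rule must sit above the "drop all not coming from LAN" rule, otherwise reply traffic for connections the router itself opened (DNS lookups, the fetch we ran earlier) would be dropped. Apply rules like these from the LAN side, as this lab does with the WinBox appliance on ether2; a WinBox session opened over the WAN port would stay up only as long as its existing connection lasts, and you could not reconnect. After importing, `/ip firewall filter print` and `/interface list member print` show what was actually applied.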

Step 9: Launch WinBox from our host PC, and attempt to connect to the router using the same IP address we used in step 1 and the password that we set in step 2.

Attempting to connect to our router from the "outside"

You should notice that you are unable to connect to the router as you previously were able to in step 1. Let's break down the firewall rules and see how we were able to accomplish this.