Lab 3.1 Creating a Basic Firewall with MikroTik Router - Part 1
Step 1: Create a new GNS3 workspace
- Create the following workspace in GNS3. (If you need a refresher on how to create workspaces in GNS3 please take a look at this article)
Note: Cloud1 port eth2 (NAT) is connected to ether1 on MikroTikCHR7.15.2-1, and port ether2 on MikroTikCHR7.15.2-1 is connected to our MikrotikWinBox-1 appliance.
When the MikroTikCHR7.15.2-1 appliance is started, from your host PC, open your local copy of WinBox and look at the neighbors tab.
You will notice that our router instance appears and can be managed and logged in to from its WAN interface. In non-virtualized environments, we would usually connect the WAN interface of our router to the Internet, which means that management of our router could be reachable over the public Internet. If someone knows our IP address, they could potentially log into the router and gain access to our network. To prevent this, we set up a firewall.
What is a firewall? A firewall is a security system designed to monitor and control incoming and outgoing network traffic based on predetermined security rules. It acts as a barrier between a trusted internal network and untrusted external networks, such as the internet. Firewalls can be hardware, software, or a combination of both, and they work by inspecting incoming and outgoing data packets and determining whether to allow or block them based on defined security rulesets. Firewalls are essential for protecting networks from unauthorized access, malware, and other security threats.
In this lab, our goal is to block our host PC from being able to access our GNS3 virtual router (in the same way we would block public hosts from being able to access our router over the Internet).
Step 1: Verify access to the MikroTik router from our host PC. From the host, open WinBox and attempt to log into the router. As you can see, our router IP address is 192.168.150.140. Click the Connect button. The IP address of your virtual router may differ from what is shown here, so double-check that you are connecting to the right appliance.
After clicking Connect, we should be logged in (see image).
Step 2: Set the router password and click Change Now to apply the password. When you set the password, you will need to log out and log back in to the router using the password that you just set.
Step 3: Start the MikrotikWinBox-1 virtual appliance instance and log into the console. It should load the TightVNC viewer as shown below. Open the Neighbors tab and you should see the router listed.
To configure our firewall, we are going to start by importing a script onto the device and applying it, which will set up a basic firewall. We will then test whether we are still able to access our MikroTik router from our host PC, and explain how the script works in part 2 of this tutorial.
To import the firewall script, we use the MikroTik terminal CLI and the fetch tool to download the script onto the device; once it has been downloaded, we use the CLI again to apply it.
Step 4: In our WinBox virtual appliance instance main menu, tap "New Terminal"
We are going to use the Python HTTP server to serve local files from our PC to the MikroTik router. Python’s HTTP server can come in handy when you want to quickly share a bunch of files with another device connected to the same network as you. What we are going to do is create a folder and drop the file(s) that we want to share with our MikroTik router in this directory, and then start the HTTP server to serve this directory over HTTP.
Step 5: Create a directory on your local PC. We are going to call our directory SRV.
Inside of this folder, we are going to create a folder called Scripts and place our firewall script inside this folder.
Open a Terminal window on your local PC and navigate to the base directory you created earlier (mine is E:\SRV). We are then going to launch Python to serve this directory. Run the following commands to launch the server.
cd E:\SRV *(replace this with your directory if different)*
python -m http.server
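The bare `python -m http.server` above listens on every interface and serves the whole current directory. As an added example (not part of the lab), the same stdlib server rooted at the Scripts folder only and bound to a single address; the lab path E:\SRV\Scripts, the host address 192.168.150.1 and port 8000 are assumed from the tutorial:

```python
# Added example, not part of the lab: the same file server as
# "python -m http.server", but bound to one address and rooted at the Scripts
# folder only, so other hosts on the LAN cannot browse the rest of E:\SRV.
import functools
import http.server
import threading


def make_script_server(directory, bind_addr="127.0.0.1", port=0):
    """Build a server that serves files from `directory` only.
    port=0 lets the OS pick a free port (handy for tests); in the lab use 8000.
    SimpleHTTPRequestHandler normalises '..' out of request paths, so a request
    for /../file cannot escape `directory`."""
    handler = functools.partial(http.server.SimpleHTTPRequestHandler,
                                directory=directory)
    return http.server.ThreadingHTTPServer((bind_addr, port), handler)


def start_in_background(server):
    """Run serve_forever() on a daemon thread and return the bound (host, port)."""
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server.server_address


if __name__ == "__main__":
    # Lab values (assumed from the tutorial): E:\SRV\Scripts on the host's
    # lab address 192.168.150.1, port 8000. Adjust to your own path/address.
    srv = make_script_server(r"E:\SRV\Scripts", "192.168.150.1", 8000)
    host, port = start_in_background(srv)
    print(f"serving Scripts on http://{host}:{port}/  (Ctrl+C to stop)")
    try:
        threading.Event().wait()  # each fetch from the router is logged to stderr
    except KeyboardInterrupt:
        srv.shutdown()
```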
Step 6: We are going to use the Quick Set feature of the MikroTik router to set up a basic configuration. This will preconfigure a bridge and set up a local network with the ether1 port as our WAN port and the remaining ports as LAN ports. In WinBox, make the following settings and hit Apply.
Step 7: Now, download the script from the web server and run the script to apply the firewall settings.
To download, open a new terminal by selecting "New Terminal" from the Winbox main menu. Once the terminal is open, run the following command. (Please note, your IP address may differ from the one shown here. In that case, open the Windows terminal app on your local machine and run the ipconfig command to see what your IP address actually is.)
/tool fetch url="http://192.168.150.1:8000/scripts/default_firewall.rsc" mode="http"
If we look at the file directory (select "Files" from the Winbox main menu), in the File List we should see our firewall script has been downloaded to the router.
Step 7: Open the Firewall filter rules window (select "IP -> Firewall" from the Winbox main menu and open the Filter Rules tab). As you can see, we currently do not have any firewall rules defined, which means that our router is essentially wide open and unprotected. Let's fix that. We're going to use the console again to run the script that we just downloaded, and then I'll explain what we've just applied. (The script that we are running is part of the default MikroTik configuration script.)
Step 8: Go back to the WinBox terminal, and in the terminal window, we are going to run the script that was just downloaded. To run the script, run the following command in the window.
/import default_firewall.rsc
If you now take a look at our Firewall window, you will notice that we have added several new rules.
These rules should provide a basic configuration for protecting our router from being accessed from the Internet. Now, if we attempt to connect to our router from WinBox on our host PC rather than from the one inside our virtual instance, we should no longer be able to.
Step 9: Launch WinBox from our host PC, and attempt to connect to the router using the same IP address we used in step 1 and the password that we set in step 2.
You should notice that you are unable to connect to the router as you previously were able to in step 1. Let's break down the firewall rules and see how we were able to accomplish this.
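Step 9 checks WinBox by hand; as an added example (not part of the lab), a small check run from the host PC that tries a TCP connection to each RouterOS management service on the router's WAN address. Run it before importing the firewall script and again afterwards: after the import every service should report closed/filtered. The service ports are the RouterOS defaults (an assumption; compare with /ip service on your router) and the router address 192.168.150.140 is the one from Step 1:

```python
# Added example, not part of the lab: confirm from the WAN side which RouterOS
# management services still accept a TCP connection. Before the firewall is
# applied WinBox (8291) answers; afterwards the input chain drops it and the
# connection attempt times out.
import socket

# RouterOS TCP services and their default ports (assumed defaults; check
# /ip service on the router if any have been moved).
MANAGEMENT_PORTS = {
    "winbox": 8291,
    "ssh": 22,
    "www": 80,
    "api": 8728,
    "telnet": 23,
    "ftp": 21,
}


def tcp_open(host, port, timeout=2.0):
    """Return True if a TCP handshake to host:port completes within timeout."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        # connection refused (port closed), timed out (dropped by the
        # firewall) or host unreachable: all mean "not reachable from here"
        return False


def scan_management(host, ports=MANAGEMENT_PORTS, timeout=2.0):
    """Map each service name to whether its port accepted a connection."""
    return {name: tcp_open(host, port, timeout) for name, port in ports.items()}


def exposed_services(results):
    """Names of services still reachable; empty once the firewall is working."""
    return sorted(name for name, is_open in results.items() if is_open)


if __name__ == "__main__":
    router = "192.168.150.140"  # WAN address from Step 1; change if yours differs
    results = scan_management(router)
    for name, is_open in results.items():
        state = "OPEN" if is_open else "closed/filtered"
        print(f"{name:7s} {MANAGEMENT_PORTS[name]:5d} {state}")
    still = exposed_services(results)
    print("still reachable from the WAN side:", ", ".join(still) or "none")
```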