Firewalls MikroTik - edu-kit
The edu-kit infrastructure is protected by two MikroTik CHR firewalls running RouterOS 7.20.8 in VRRP v2 high availability. fw-01 is the master (priority=254), fw-02 the backup (priority=100). The public VIP 192.214.203.203 fails over automatically to fw-02 if fw-01 goes down.
fw-01 configuration
Starting point: a freshly installed RouterOS 7.20.8, reachable over Winbox on the DHCP address handed out by the DIIAGE network.
Step 1 - Interface naming
The physical cabling of fw-01 does not follow the natural RouterOS port order: ether4 is connected to the DIIAGE/WAN side, ether1 to vpnet, and so on. The renames below follow the actual cabling: default-name is the physical port, the new name carries the logical port number used in the rest of this page.
/interface ethernet
set [ find default-name=ether4 ] disable-running-check=no name="ether1 - pub"
set [ find default-name=ether1 ] disable-running-check=no name="ether2 - vpnet"
set [ find default-name=ether2 ] disable-running-check=no name="ether3 - dmznet"
set [ find default-name=ether3 ] disable-running-check=no name="ether4 - adminet"
set [ find default-name=ether5 ] disable-running-check=no name="ether5 - k3snet"
set [ find default-name=ether6 ] disable-running-check=no name="ether6 - regnet"
set [ find default-name=ether7 ] disable-running-check=no name="ether7 - obsnet"
set [ find default-name=ether8 ] disable-running-check=no name="ether8 - socnet"
set [ find default-name=ether9 ] disable-running-check=no name="ether9 - labnet"
set [ find default-name=ether10 ] disable-running-check=no name="ether10 - diiage"
set [ find default-name=ether11 ] disable-running-check=no name="ether11 - mailnet"
set [ find default-name=ether12 ] disable-running-check=no name="ether12 - pvenet-trunk"
Step 2 - WireGuard
/interface wireguard
add listen-port=42654 mtu=1420 name=wg1
Add the peers (collect each user's public key from the user). A WireGuard public key is 32 bytes, which encodes to exactly 44 base64 characters ending in a single "="; check each pasted key against that before importing, since RouterOS will not accept a malformed key and two of the keys below end in "==" as written.
/interface wireguard peers
add allowed-address=10.0.1.5/32 interface=wg1 name=emertzeisen public-key="KmuOEsS+v9NAAM8/jCZf3G0xpeHFmcXz3aCV3V4ODVM="
add allowed-address=10.0.1.10/32 interface=wg1 name=aarnoux public-key="xrFPfrVAqYys/2KZMbAzHsGIaPTJ47W53df0CMKUPEU=="
add allowed-address=10.0.1.15/32 interface=wg1 name=bprongue public-key="GzmWxU+PyvlM6nSGMENIoP7cElthHNX+QgbshpMLQh0="
add allowed-address=10.0.1.20/32 interface=wg1 name=lbelair public-key="aP/Di8+S9Yc6Erugth6NieLajnFwEwkQbbGSK2DulBg=="
add allowed-address=10.0.1.25/32 interface=wg1 name=lmoreau public-key="qwLHXvclf0Av+iFrsZRUIyYxjf6L8Xvv0weTBkkzfTw="
add allowed-address=10.0.1.30/32 interface=wg1 name=garnaud public-key="iw2uFzR0M4RjC3zdiNIHv2nzqXqrpEPCodt960iStxs="
Step 3 - VRRP interfaces
One VRRP interface per segment. fw-01 is master on every segment (priority=254). Note that these lines set authentication=simple without a password= (see Known issues at the end of the page): with an empty password the authentication adds nothing, and VRRP v2 simple authentication is a cleartext password in any case, so it only guards against accidental VRID collisions, not against a hostile host on the same segment.
/interface vrrp
add authentication=simple interface="ether1 - pub" name="vrrp1 - pub" priority=254 version=2 vrid=1
add authentication=simple interface="ether2 - vpnet" name="vrrp2 - vpnet" priority=254 version=2 vrid=5
add authentication=simple interface="ether3 - dmznet" name="vrrp3 - dmznet" priority=254 version=2 vrid=10
add authentication=simple interface="ether4 - adminet" name="vrrp4 - adminet" priority=254 version=2 vrid=20
add authentication=simple interface="ether5 - k3snet" name="vrrp5 - k3snet" priority=254 version=2 vrid=30
add authentication=simple interface="ether6 - regnet" name="vrrp6 - regnet" priority=254 version=2 vrid=40
add authentication=simple interface="ether7 - obsnet" name="vrrp7 - obsnet" priority=254 version=2 vrid=50
add authentication=simple interface="ether8 - socnet" name="vrrp8 - socnet" priority=254 version=2 vrid=60
add authentication=simple interface="ether9 - labnet" name="vrrp9 - labnet" priority=254 version=2 vrid=200
add authentication=simple interface="ether10 - diiage" name="vrrp10 - diiage" priority=254 version=2 vrid=131
add authentication=simple interface="ether11 - mailnet" name="vrrp11 - mailnet" priority=254 version=2 vrid=70
add authentication=simple interface="ether12 - pvenet-trunk" name="vrrp12 - pvenet" priority=254 version=2 vrid=80
Step 4 - Interface lists
/interface list
add name=VRRP
add name=LAN
add name=WAN
/interface list member
add interface="ether1 - pub" list=VRRP
add interface="ether1 - pub" list=WAN
add interface="vrrp1 - pub" list=WAN
add interface="ether2 - vpnet" list=VRRP
add interface="ether2 - vpnet" list=LAN
add interface="ether3 - dmznet" list=VRRP
add interface="ether4 - adminet" list=VRRP
add interface="ether5 - k3snet" list=VRRP
add interface="ether6 - regnet" list=VRRP
add interface="ether7 - obsnet" list=VRRP
add interface="ether8 - socnet" list=VRRP
add interface="ether9 - labnet" list=VRRP
add interface="ether10 - diiage" list=VRRP
add interface="ether11 - mailnet" list=VRRP
add interface="ether12 - pvenet-trunk" list=VRRP
Step 5 - IP addressing
Each segment has a physical address on fw-01 (.1) and a VRRP VIP (.254, or a segment-specific address). Hosts use the VIP as their gateway, so the address follows whichever node is master.
/ip address
# WAN / DIIAGE
add address=10.4.131.1/16 interface="ether1 - pub" network=10.4.0.0
add address=10.4.131.251/16 interface="ether10 - diiage" network=10.4.0.0
add address=10.4.131.254/16 interface="vrrp10 - diiage" network=10.4.0.0
# Public VIP
add address=192.214.203.203/28 interface="vrrp1 - pub" network=192.214.203.192
# LAN segments
add address=192.168.5.1/24 interface="ether2 - vpnet" network=192.168.5.0
add address=192.168.5.254/24 interface="vrrp2 - vpnet" network=192.168.5.0
add address=192.168.10.1/24 interface="ether3 - dmznet" network=192.168.10.0
add address=192.168.10.254/24 interface="vrrp3 - dmznet" network=192.168.10.0
add address=192.168.20.1/24 interface="ether4 - adminet" network=192.168.20.0
add address=192.168.20.254/24 interface="vrrp4 - adminet" network=192.168.20.0
add address=192.168.30.1/24 interface="ether5 - k3snet" network=192.168.30.0
add address=192.168.30.254/24 interface="vrrp5 - k3snet" network=192.168.30.0
add address=192.168.40.1/24 interface="ether6 - regnet" network=192.168.40.0
add address=192.168.40.254/24 interface="vrrp6 - regnet" network=192.168.40.0
add address=192.168.50.1/24 interface="ether7 - obsnet" network=192.168.50.0
add address=192.168.50.254/24 interface="vrrp7 - obsnet" network=192.168.50.0
add address=192.168.60.1/24 interface="ether8 - socnet" network=192.168.60.0
add address=192.168.60.254/24 interface="vrrp8 - socnet" network=192.168.60.0
add address=192.168.70.1/24 interface="ether11 - mailnet" network=192.168.70.0
add address=192.168.70.254/24 interface="vrrp11 - mailnet" network=192.168.70.0
add address=192.168.200.1/24 interface="ether9 - labnet" network=192.168.200.0
add address=192.168.200.254/24 interface="vrrp9 - labnet" network=192.168.200.0
# pvenet (Proxmox)
add address=10.10.40.254/24 interface="ether12 - pvenet-trunk" network=10.10.40.0
add address=10.10.40.252/24 interface="vrrp12 - pvenet" network=10.10.40.0
# WireGuard
add address=10.0.1.254/24 interface=wg1 network=10.0.1.0
Step 6 - DHCP (labnet only)
/ip pool
add name=dhcp_pool-labnet ranges=192.168.200.100-192.168.200.253
/ip dhcp-server
add address-pool=dhcp_pool-labnet interface="vrrp9 - labnet" name=dhcp-labnet
/ip dhcp-server network
add address=192.168.200.0/24 dns-server=192.168.200.254 gateway=192.168.200.254
Step 7 - DNS
/ip dns
set allow-remote-requests=yes servers=1.1.1.1,9.9.9.9,8.8.8.8,10.4.0.254
Static records:
/ip dns static
# A records
add address=192.168.10.5 comment="NPM lui meme" name=npm.int.edu-kit.fr type=A
add address=192.168.70.5 comment="SMTP poste:465" name=smtp.int.edu-kit.fr type=A
# CNAMEs -> npm.int.edu-kit.fr
add cname=npm.int.edu-kit.fr comment="ArgoCD via NPM" name=argocd.int.edu-kit.fr type=CNAME
add cname=npm.int.edu-kit.fr comment="ArgoCD Prod via NPM" name=argocd.prod.edu-kit.fr type=CNAME
add cname=npm.int.edu-kit.fr comment="ArgoCD Dev via NPM" name=argocd.dev.edu-kit.fr type=CNAME
add cname=npm.int.edu-kit.fr comment="org-service via NPM" name=org-svc.int.edu-kit.fr type=CNAME
add cname=npm.int.edu-kit.fr comment="Org-Service Prod" name=org-svc.prod.edu-kit.fr type=CNAME
add cname=npm.int.edu-kit.fr comment="Org-Service Dev" name=org-svc.dev.edu-kit.fr type=CNAME
add cname=npm.int.edu-kit.fr comment="vm-service via NPM" name=vm-svc.int.edu-kit.fr type=CNAME
add cname=npm.int.edu-kit.fr comment="Vm-Service Prod" name=vm-svc.prod.edu-kit.fr type=CNAME
add cname=npm.int.edu-kit.fr comment="Vm-Service Dev" name=vm-svc.dev.edu-kit.fr type=CNAME
add cname=npm.int.edu-kit.fr comment="Poste via NPM" name=poste.int.edu-kit.fr type=CNAME
add cname=npm.int.edu-kit.fr comment="Postal via NPM" name=postal.int.edu-kit.fr type=CNAME
add cname=npm.int.edu-kit.fr comment="Headlamp via NPM" name=headlamp.int.edu-kit.fr type=CNAME
add cname=npm.int.edu-kit.fr comment="Headlamp Prod" name=headlamp.prod.edu-kit.fr type=CNAME
add cname=npm.int.edu-kit.fr comment="Headlamp Dev" name=headlamp.dev.edu-kit.fr type=CNAME
add cname=npm.int.edu-kit.fr comment="Wazuh via NPM" name=wazuh.int.edu-kit.fr type=CNAME
add cname=npm.int.edu-kit.fr comment="Harbor via NPM" name=harbor.int.edu-kit.fr type=CNAME
add cname=npm.int.edu-kit.fr comment="Uptime Kuma via NPM" name=uptimekuma.int.edu-kit.fr type=CNAME
add cname=npm.int.edu-kit.fr comment="Warpgate via NPM" name=warpgate.int.edu-kit.fr type=CNAME
add cname=npm.int.edu-kit.fr comment="Grafana via NPM" name=grafana.int.edu-kit.fr type=CNAME
add cname=npm.int.edu-kit.fr comment="Crowdsec via NPM" name=crowdsec.int.edu-kit.fr type=CNAME
add cname=npm.int.edu-kit.fr comment="Chaos-Mesh via NPM" name=chaos.int.edu-kit.fr type=CNAME
add cname=npm.int.edu-kit.fr comment="RabbitMQ via NPM" name=rabbitmq.int.edu-kit.fr type=CNAME
add cname=npm.int.edu-kit.fr comment="RabbitMQ Prod" name=rabbitmq.prod.edu-kit.fr type=CNAME
add cname=npm.int.edu-kit.fr comment="RabbitMQ Dev" name=rabbitmq.dev.edu-kit.fr type=CNAME
add cname=npm.int.edu-kit.fr comment="Rancher via NPM" name=rancher.int.edu-kit.fr type=CNAME
add cname=npm.int.edu-kit.fr comment="Rancher Prod" name=rancher.prod.edu-kit.fr type=CNAME
add cname=npm.int.edu-kit.fr comment="Rancher Dev" name=rancher.dev.edu-kit.fr type=CNAME
add cname=npm.int.edu-kit.fr comment="Longhorn via NPM" name=longhorn.int.edu-kit.fr type=CNAME
add cname=npm.int.edu-kit.fr comment="Longhorn Prod" name=longhorn.prod.edu-kit.fr type=CNAME
add cname=npm.int.edu-kit.fr comment="Longhorn Dev" name=longhorn.dev.edu-kit.fr type=CNAME
Step 8 - Address lists
# Enter the menu first: a one-line "/ip firewall address-list remove [find]" runs the
# command without changing the current menu, so the "add" lines that follow would fail.
/ip firewall address-list
remove [find]
# VIP publique
add address=192.214.203.203 comment="VIP publique VRRP" list=wan-vip
# vrrp-peers - fw-02's addresses on each segment
add address=10.4.131.2 comment="fw-02 - pub" list=vrrp-peers
add address=192.168.5.2 comment="fw-02 - vpnet" list=vrrp-peers
add address=192.168.10.2 comment="fw-02 - dmznet" list=vrrp-peers
add address=192.168.20.2 comment="fw-02 - adminet" list=vrrp-peers
add address=192.168.30.2 comment="fw-02 - k3snet" list=vrrp-peers
add address=192.168.40.2 comment="fw-02 - regnet" list=vrrp-peers
add address=192.168.50.2 comment="fw-02 - obsnet" list=vrrp-peers
add address=192.168.60.2 comment="fw-02 - socnet" list=vrrp-peers
add address=192.168.70.2 comment="fw-02 - mailnet" list=vrrp-peers
add address=192.168.200.2 comment="fw-02 - labnet" list=vrrp-peers
add address=10.4.131.252 comment="fw-02 - diiage" list=vrrp-peers
add address=10.10.40.253 comment="fw-02 - pvenet" list=vrrp-peers
# vpn - WireGuard users
add address=10.0.1.5 comment="wg - emertzeisen" list=vpn
add address=10.0.1.10 comment="wg - aarnoux" list=vpn
add address=10.0.1.15 comment="wg - bprongue" list=vpn
add address=10.0.1.20 comment="wg - lbelair" list=vpn
add address=10.0.1.25 comment="wg - lmoreau" list=vpn
add address=10.0.1.30 comment="wg - garnaud" list=vpn
# lan - all internal segments
add address=192.168.5.0/24 comment=vpnet list=lan
add address=192.168.10.0/24 comment=dmznet list=lan
add address=192.168.20.0/24 comment=adminet list=lan
add address=192.168.30.0/24 comment=k3snet list=lan
add address=192.168.40.0/24 comment=regnet list=lan
add address=192.168.50.0/24 comment=obsnet list=lan
add address=192.168.60.0/24 comment=socnet list=lan
add address=192.168.70.0/24 comment=mailnet list=lan
add address=192.168.200.0/24 comment=labnet list=lan
add address=10.10.40.0/24 comment=pvenet list=lan
# Individual VMs
add address=192.168.5.5 comment="vpnet - Netbird" list=netbird
add address=192.168.10.5 comment="dmznet - NPM" list=npm
add address=192.168.20.5 comment="adminet - Warpgate" list=warpgate
add address=192.168.20.10 comment="adminet - Docusaurus" list=docusaurus
add address=192.168.30.5 comment="k3snet - k3s-cp1" list=k3s-nodes
add address=192.168.30.10 comment="k3snet - k3s-w1" list=k3s-nodes
add address=192.168.30.15 comment="k3snet - k3s-w2" list=k3s-nodes
add address=192.168.30.20 comment="k3snet - k3s-w3" list=k3s-nodes
add address=192.168.30.55 comment="k3snet - k3s-cp1-prod" list=k3s-nodes
add address=192.168.30.60 comment="k3snet - k3s-w1-prod" list=k3s-nodes
add address=192.168.30.65 comment="k3snet - k3s-w2-prod" list=k3s-nodes
add address=192.168.30.70 comment="k3snet - k3s-w3-prod" list=k3s-nodes
add address=192.168.40.5 comment="regnet - Harbor" list=harbor
add address=192.168.40.10 comment="regnet - Agent" list=agent
add address=192.168.50.5 comment="obsnet - Grafana" list=grafana
add address=192.168.50.10 comment="obsnet - Prometheus" list=prometheus
add address=192.168.50.15 comment="obsnet - Loki" list=loki
add address=192.168.50.20 comment="obsnet - Tempo" list=tempo
add address=192.168.50.25 comment="obsnet - Uptime Kuma" list=uptime-kuma
add address=192.168.60.5 comment="socnet - Wazuh Manager" list=wazuh
add address=192.168.60.10 comment="socnet - Suricata" list=suricata
add address=192.168.60.15 comment="socnet - CrowdSec" list=crowdsec
add address=192.168.70.5 comment="mailnet - Poste / Postal" list=poste
add address=192.168.70.5 comment="mailnet - Poste / Postal" list=postal
# Composite lists
add address=192.168.10.5 comment="dmznet - NPM" list=npm-et-uptimekuma
add address=192.168.50.25 comment="obsnet - Uptime Kuma" list=npm-et-uptimekuma
add address=10.10.40.1 comment="pvenet - pve1" list=pves
add address=10.10.40.2 comment="pvenet - pve2" list=pves
add address=10.10.40.3 comment="pvenet - pve3" list=pves
add address=10.10.40.1 comment="pvenet - pve1" list=proxmox-nodes
add address=10.10.40.2 comment="pvenet - pve2" list=proxmox-nodes
add address=10.10.40.3 comment="pvenet - pve3" list=proxmox-nodes
# ssh-targets - every VM reachable for administration
add address=192.168.5.5 comment="vpnet - Netbird" list=ssh-targets
add address=192.168.10.5 comment="dmznet - NPM" list=ssh-targets
add address=192.168.20.5 comment="adminet - Warpgate" list=ssh-targets
add address=192.168.20.10 comment="adminet - Docusaurus" list=ssh-targets
add address=192.168.30.5 comment="k3snet - k3s-cp1" list=ssh-targets
add address=192.168.30.10 comment="k3snet - k3s-w1" list=ssh-targets
add address=192.168.30.15 comment="k3snet - k3s-w2" list=ssh-targets
add address=192.168.30.20 comment="k3snet - k3s-w3" list=ssh-targets
add address=192.168.30.55 comment="k3snet - k3s-cp1-prod" list=ssh-targets
add address=192.168.30.60 comment="k3snet - k3s-w1-prod" list=ssh-targets
add address=192.168.30.65 comment="k3snet - k3s-w2-prod" list=ssh-targets
add address=192.168.30.70 comment="k3snet - k3s-w3-prod" list=ssh-targets
add address=192.168.40.5 comment="regnet - Harbor" list=ssh-targets
add address=192.168.40.10 comment="regnet - Agent" list=ssh-targets
add address=192.168.50.5 comment="obsnet - Grafana" list=ssh-targets
add address=192.168.50.10 comment="obsnet - Prometheus" list=ssh-targets
add address=192.168.50.15 comment="obsnet - Loki" list=ssh-targets
add address=192.168.50.20 comment="obsnet - Tempo" list=ssh-targets
add address=192.168.50.25 comment="obsnet - Uptime Kuma" list=ssh-targets
add address=192.168.60.5 comment="socnet - Wazuh" list=ssh-targets
add address=192.168.60.10 comment="socnet - Suricata" list=ssh-targets
add address=192.168.60.15 comment="socnet - CrowdSec" list=ssh-targets
add address=192.168.70.5 comment="mailnet - Postal" list=ssh-targets
# wazuh-agents
add address=192.168.5.5 comment="vpnet - Netbird" list=wazuh-agents
add address=192.168.10.5 comment="dmznet - NPM" list=wazuh-agents
add address=192.168.20.5 comment="adminet - Bastion" list=wazuh-agents
add address=192.168.20.10 comment="adminet - Docusaurus" list=wazuh-agents
add address=192.168.30.5 comment="k3snet - k3s-cp1" list=wazuh-agents
add address=192.168.30.10 comment="k3snet - k3s-w1" list=wazuh-agents
add address=192.168.30.15 comment="k3snet - k3s-w2" list=wazuh-agents
add address=192.168.30.20 comment="k3snet - k3s-w3" list=wazuh-agents
add address=192.168.30.55 comment="k3snet - k3s-cp1-prod" list=wazuh-agents
add address=192.168.30.60 comment="k3snet - k3s-w1-prod" list=wazuh-agents
add address=192.168.30.65 comment="k3snet - k3s-w2-prod" list=wazuh-agents
add address=192.168.30.70 comment="k3snet - k3s-w3-prod" list=wazuh-agents
add address=192.168.40.5 comment="regnet - Harbor" list=wazuh-agents
add address=192.168.40.10 comment="regnet - Agent" list=wazuh-agents
add address=192.168.50.5 comment="obsnet - Grafana" list=wazuh-agents
add address=192.168.50.10 comment="obsnet - Prometheus" list=wazuh-agents
add address=192.168.50.15 comment="obsnet - Loki" list=wazuh-agents
add address=192.168.50.20 comment="obsnet - Tempo" list=wazuh-agents
add address=192.168.50.25 comment="obsnet - Uptime Kuma" list=wazuh-agents
add address=192.168.60.10 comment="socnet - Suricata" list=wazuh-agents
add address=192.168.60.15 comment="socnet - CrowdSec" list=wazuh-agents
add address=192.168.70.5 comment="mailnet - Poste" list=wazuh-agents
# alloy-agents (hosts with Grafana Alloy installed - excludes netbird, haproxy-02, suricata, docusaurus)
add address=192.168.10.5 comment="dmznet - NPM" list=alloy-agents
add address=192.168.20.5 comment="adminet - Bastion" list=alloy-agents
add address=192.168.30.5 comment="k3snet - k3s-cp1" list=alloy-agents
add address=192.168.30.10 comment="k3snet - k3s-w1" list=alloy-agents
add address=192.168.30.15 comment="k3snet - k3s-w2" list=alloy-agents
add address=192.168.30.20 comment="k3snet - k3s-w3" list=alloy-agents
add address=192.168.30.55 comment="k3snet - k3s-cp1-prod" list=alloy-agents
add address=192.168.30.60 comment="k3snet - k3s-w1-prod" list=alloy-agents
add address=192.168.30.65 comment="k3snet - k3s-w2-prod" list=alloy-agents
add address=192.168.30.70 comment="k3snet - k3s-w3-prod" list=alloy-agents
add address=192.168.40.5 comment="regnet - Harbor" list=alloy-agents
add address=192.168.40.10 comment="regnet - Agent" list=alloy-agents
add address=192.168.50.5 comment="obsnet - Grafana" list=alloy-agents
add address=192.168.50.10 comment="obsnet - Prometheus" list=alloy-agents
add address=192.168.50.15 comment="obsnet - Loki" list=alloy-agents
add address=192.168.50.20 comment="obsnet - Tempo" list=alloy-agents
add address=192.168.50.25 comment="obsnet - Uptime Kuma" list=alloy-agents
add address=192.168.60.5 comment="socnet - Wazuh" list=alloy-agents
add address=192.168.60.15 comment="socnet - CrowdSec" list=alloy-agents
add address=192.168.70.5 comment="mailnet - Poste" list=alloy-agents
add address=10.10.40.1 comment="pvenet - pve1" list=alloy-agents
add address=10.10.40.2 comment="pvenet - pve2" list=alloy-agents
add address=10.10.40.3 comment="pvenet - pve3" list=alloy-agents
Step 9 - Firewall filter
Rule order matters: RouterOS evaluates each chain top to bottom and stops at the first match, so the two final DROP rules only see what nothing above accepted. Two input rules deserve a second look before going live: "Winbox depuis pub" accepts TCP/8291 from anything on the pub interface with no source restriction, and "WebFig depuis diiage" accepts 80,443 to 10.4.131.254 from any source. Both can be tightened with src-address-list, or dropped in favour of "Winbox depuis VPN" and "WebFig depuis VPN", which already cover administrators coming in through WireGuard.
# Enter the menu first; a one-line "/ip firewall filter remove [find]" would not set
# the context for the "add" lines that follow.
/ip firewall filter
remove [find]
# INPUT
add action=accept chain=input comment="ESTABLISHED/RELATED" connection-state=established,related
add action=drop chain=input comment="DROP INVALID" connection-state=invalid
add action=accept chain=input comment="ICMP" protocol=icmp
add action=accept chain=input comment="VRRP depuis fw-02" in-interface-list=VRRP protocol=vrrp src-address-list=vrrp-peers
add action=accept chain=input comment="DNS UDP depuis LAN" dst-port=53 protocol=udp src-address-list=lan
add action=accept chain=input comment="DNS TCP depuis LAN" dst-port=53 protocol=tcp src-address-list=lan
add action=accept chain=input comment="DNS UDP depuis VPN" dst-port=53 protocol=udp src-address-list=vpn
add action=accept chain=input comment="DNS TCP depuis VPN" dst-port=53 protocol=tcp src-address-list=vpn
add action=accept chain=input comment="NTP depuis LAN" dst-port=123 protocol=udp src-address-list=lan
add action=accept chain=input comment="WireGuard" dst-port=42654 in-interface-list=WAN protocol=udp
add action=accept chain=input comment="prometheus -> API MikroTik" dst-port=8728 protocol=tcp src-address-list=prometheus
add action=accept chain=input comment="Winbox depuis pub" dst-port=8291 in-interface="ether1 - pub" protocol=tcp
add action=accept chain=input comment="Winbox depuis VPN" dst-port=8291 protocol=tcp src-address-list=vpn
add action=accept chain=input comment="WebFig depuis diiage" dst-address=10.4.131.254 dst-port=80,443 protocol=tcp
add action=accept chain=input comment="WebFig depuis VPN" dst-address=10.4.131.254 dst-port=80,443 protocol=tcp src-address-list=vpn
add action=drop chain=input comment="DROP ALL"
# FORWARD
add action=accept chain=forward comment="ESTABLISHED/RELATED" connection-state=established,related
add action=drop chain=forward comment="DROP INVALID" connection-state=invalid
add action=accept chain=forward comment="LAN -> WAN" out-interface-list=WAN src-address-list=lan
add action=accept chain=forward comment="WAN -> NPM HTTP/S" dst-address-list=npm dst-port=80,443 in-interface-list=WAN protocol=tcp
add action=accept chain=forward comment="WAN -> NPM SMTP" dst-address-list=npm dst-port=25 in-interface-list=WAN protocol=tcp
add action=accept chain=forward comment="VPN -> NPM" dst-address-list=npm dst-port=80,443 protocol=tcp src-address-list=vpn
add action=accept chain=forward comment="VPN -> Warpgate" dst-address-list=warpgate dst-port=2244 protocol=tcp src-address-list=vpn
add action=accept chain=forward comment="VPN -> LAB" dst-address=192.168.200.0/24 src-address-list=vpn
add action=accept chain=forward comment="VPN -> DIIAGE" dst-address=10.4.0.0/16 src-address-list=vpn
add action=accept chain=forward comment="NPM+UK -> k3s nodes" dst-address-list=k3s-nodes dst-port=80,443 protocol=tcp src-address-list=npm-et-uptimekuma
add action=accept chain=forward comment="NPM+UK -> Grafana" dst-address-list=grafana dst-port=3000 protocol=tcp src-address-list=npm-et-uptimekuma
add action=accept chain=forward comment="NPM+UK -> Wazuh" dst-address-list=wazuh dst-port=80,443 protocol=tcp src-address-list=npm-et-uptimekuma
add action=accept chain=forward comment="NPM+UK -> Harbor" dst-address-list=harbor dst-port=80,443 protocol=tcp src-address-list=npm-et-uptimekuma
add action=accept chain=forward comment="NPM+UK -> Uptime Kuma" dst-address-list=uptime-kuma dst-port=3001 protocol=tcp src-address-list=npm-et-uptimekuma
add action=accept chain=forward comment="NPM+UK -> Poste" dst-address-list=poste dst-port=80 protocol=tcp src-address-list=npm-et-uptimekuma
add action=accept chain=forward comment="NPM+UK -> NPM admin" dst-address-list=npm dst-port=81 protocol=tcp src-address-list=npm-et-uptimekuma
add action=accept chain=forward comment="NPM+UK -> Postal SMTP" dst-address-list=postal dst-port=25 protocol=tcp src-address-list=npm-et-uptimekuma
add action=accept chain=forward comment="NPM+UK -> Warpgate" dst-address-list=warpgate dst-port=8888 protocol=tcp src-address-list=npm-et-uptimekuma
add action=accept chain=forward comment="NPM+UK -> Crowdsec" dst-address-list=crowdsec dst-port=80,443,8080 protocol=tcp src-address-list=npm-et-uptimekuma
add action=accept chain=forward comment="Warpgate -> SSH targets" dst-address-list=ssh-targets dst-port=2244 protocol=tcp src-address-list=warpgate
add action=accept chain=forward comment="k3s nodes -> Harbor" dst-address-list=harbor dst-port=80,443 protocol=tcp src-address-list=k3s-nodes
add action=accept chain=forward comment="k3s nodes -> Poste SMTP" dst-address-list=poste dst-port=465 protocol=tcp src-address-list=k3s-nodes
add action=accept chain=forward comment="k3s nodes -> NPM" dst-address-list=npm dst-port=80,443 protocol=tcp src-address-list=k3s-nodes
add action=accept chain=forward comment="k3s nodes -> OBS" dst-address=192.168.50.0/24 protocol=tcp src-address-list=k3s-nodes
add action=accept chain=forward comment="k3s nodes -> pve4" dst-address=10.4.131.14 dst-port=7001,8006,2244 protocol=tcp src-address-list=k3s-nodes
add action=accept chain=forward comment="DIIAGE -> bastion" dst-address=192.168.20.5 dst-port=2222,8888 protocol=tcp
add action=accept chain=forward comment="bastion -> LAN SSH" dst-address-list=lan dst-port=2244 protocol=tcp src-address=192.168.20.5
add action=accept chain=forward comment="DIIAGE -> Poste SMTP" dst-address-list=poste dst-port=465 in-interface="vrrp10 - diiage" protocol=tcp
add action=accept chain=forward comment="agent -> NPM" dst-address-list=npm dst-port=80,443 protocol=tcp src-address-list=agent
add action=accept chain=forward comment="Alloy agents -> Prometheus" dst-address-list=prometheus dst-port=9090 protocol=tcp src-address-list=alloy-agents
add action=accept chain=forward comment="Alloy agents -> Loki" dst-address-list=loki dst-port=3100 protocol=tcp src-address-list=alloy-agents
add action=accept chain=forward comment="prometheus -> proxmox API" dst-address-list=proxmox-nodes dst-port=8006,8007 protocol=tcp src-address-list=prometheus
add action=accept chain=forward comment="Grafana -> Wazuh API" dst-address-list=wazuh dst-port=55000 protocol=tcp src-address-list=grafana
add action=accept chain=forward comment="Wazuh agents -> Wazuh" dst-address-list=wazuh dst-port=1514,1515 protocol=tcp src-address-list=wazuh-agents
add action=accept chain=forward comment="Uptime Kuma -> NPM hairpin" dst-address-list=npm dst-port=80,443 protocol=tcp src-address-list=uptime-kuma
add action=accept chain=forward comment="Uptime Kuma -> PVEs ICMP" dst-address-list=pves protocol=icmp src-address-list=uptime-kuma
add action=drop chain=forward comment="DROP inter-LAN" dst-address-list=lan src-address-list=lan
add action=drop chain=forward comment="DROP ALL"
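Before importing the rule set it is worth linting the export mechanically rather than by eye. The following Python script is an added example (not part of the edu-kit runbook or of any MikroTik tooling) that parses RouterOS `add key=value` lines from steps 8 and 9, checks that every address list referenced by a rule is defined, that the input chain ends in a drop, and lists the input accept rules that a host on the WAN side could match without any source restriction. The embedded rules are a subset copied from the fw-01 configuration above; the WAN interface set is taken from the step 4 interface lists.

```python
"""Lint a RouterOS firewall export: undefined address lists, chain termination,
and input accepts reachable from the WAN without a source restriction.
Added example for the edu-kit runbook; the embedded rules are a subset of fw-01."""
import shlex

# Subset of the fw-01 /ip firewall address-list lines (copied from this page).
ADDRESS_LISTS = """
add address=10.4.131.2 comment="fw-02 - pub" list=vrrp-peers
add address=192.168.5.0/24 comment=vpnet list=lan
add address=10.0.1.5 comment="wg - emertzeisen" list=vpn
add address=192.168.50.10 comment="obsnet - Prometheus" list=prometheus
"""
# Subset of the fw-01 input chain (copied from this page, same order).
FILTER_RULES = """
add action=accept chain=input comment="ESTABLISHED/RELATED" connection-state=established,related
add action=drop chain=input comment="DROP INVALID" connection-state=invalid
add action=accept chain=input comment="ICMP" protocol=icmp
add action=accept chain=input comment="VRRP depuis fw-02" in-interface-list=VRRP protocol=vrrp src-address-list=vrrp-peers
add action=accept chain=input comment="DNS UDP depuis LAN" dst-port=53 protocol=udp src-address-list=lan
add action=accept chain=input comment="WireGuard" dst-port=42654 in-interface-list=WAN protocol=udp
add action=accept chain=input comment="prometheus -> API MikroTik" dst-port=8728 protocol=tcp src-address-list=prometheus
add action=accept chain=input comment="Winbox depuis pub" dst-port=8291 in-interface="ether1 - pub" protocol=tcp
add action=accept chain=input comment="Winbox depuis VPN" dst-port=8291 protocol=tcp src-address-list=vpn
add action=accept chain=input comment="WebFig depuis diiage" dst-address=10.4.131.254 dst-port=80,443 protocol=tcp
add action=drop chain=input comment="DROP ALL"
"""
# Untrusted side: the members of the WAN interface list from step 4.
WAN_INTERFACES = {"ether1 - pub", "vrrp1 - pub"}
WAN_LISTS = {"WAN"}


def parse_rules(text):
    """Turn 'add key=value ...' lines into dicts; shlex keeps quoted values whole."""
    rules = []
    for line in text.strip().splitlines():
        tokens = shlex.split(line)
        if not tokens or tokens[0] != "add":
            continue
        rules.append(dict(tok.split("=", 1) for tok in tokens[1:] if "=" in tok))
    return rules


def defined_lists(address_text):
    return {r["list"] for r in parse_rules(address_text) if "list" in r}


def referenced_lists(rules):
    return {r[k] for r in rules for k in ("src-address-list", "dst-address-list") if k in r}


def chain_ends_in_drop(rules, chain):
    chain_rules = [r for r in rules if r.get("chain") == chain]
    return bool(chain_rules) and chain_rules[-1].get("action") == "drop"


def wan_exposed_input_accepts(rules):
    """Comments of input accept rules a WAN host could match: no source address
    restriction and no in-interface restriction pointing at an internal interface.
    Stateful rules are skipped since they only admit replies to existing flows."""
    exposed = []
    for r in rules:
        if r.get("chain") != "input" or r.get("action") != "accept":
            continue
        if "connection-state" in r or "src-address" in r or "src-address-list" in r:
            continue
        iface, ilist = r.get("in-interface"), r.get("in-interface-list")
        internal_only = (iface is not None and iface not in WAN_INTERFACES) or (
            ilist is not None and ilist not in WAN_LISTS)
        if not internal_only:
            exposed.append(r.get("comment", "<no comment>"))
    return exposed


def lint(address_text, filter_text):
    rules = parse_rules(filter_text)
    return {
        "undefined_lists": sorted(referenced_lists(rules) - defined_lists(address_text)),
        "input_ends_in_drop": chain_ends_in_drop(rules, "input"),
        "wan_exposed_input_accepts": wan_exposed_input_accepts(rules),
    }


if __name__ == "__main__":
    for key, value in lint(ADDRESS_LISTS, FILTER_RULES).items():
        print(f"{key}: {value}")
```

On the subset above the lint reports four WAN-reachable accepts: "ICMP" and "WireGuard" are intentional, "Winbox depuis pub" and "WebFig depuis diiage" are the two rules discussed at the top of this step. Feed it the full export (`/ip firewall export`) rather than the subset to lint the real ruleset; the parser ignores anything that is not an `add` line.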
Step 10 - NAT
/ip firewall nat
# SNAT - Internet egress (source-NAT to the VIP rather than masquerade, so the public source address is the same whichever node is master)
add action=src-nat chain=srcnat comment="LAN -> Internet via VIP pub" out-interface="vrrp1 - pub" src-address-list=lan to-addresses=192.214.203.203
add action=masquerade chain=srcnat comment="VPN -> DIIAGE" dst-address=10.4.0.0/16 src-address-list=vpn
add action=masquerade chain=srcnat comment="k3s nodes -> DIIAGE" dst-address=10.4.0.0/16 src-address-list=k3s-nodes
# DNAT - public inbound traffic
add action=dst-nat chain=dstnat comment="HTTP public -> NPM" dst-address=192.214.203.203 dst-port=80 in-interface="vrrp1 - pub" protocol=tcp to-addresses=192.168.10.5 to-ports=80
add action=dst-nat chain=dstnat comment="HTTPS public -> NPM" dst-address=192.214.203.203 dst-port=443 in-interface="vrrp1 - pub" protocol=tcp to-addresses=192.168.10.5 to-ports=443
add action=dst-nat chain=dstnat comment="MAIL public -> NPM TLS -> postal" dst-address=192.214.203.203 dst-port=25 in-interface="vrrp1 - pub" protocol=tcp to-addresses=192.168.10.5 to-ports=25
add action=dst-nat chain=dstnat comment="DIIAGE -> Poste SMTP" dst-address=10.4.131.254 dst-port=465 in-interface="vrrp10 - diiage" protocol=tcp to-addresses=192.168.70.5 to-ports=465
# Hairpin NAT Uptime Kuma -> NPM (UK reaches NPM through the public VIP; the srcnat rule rewrites the source so NPM's reply comes back through the firewall instead of going straight to UK and breaking the connection)
add action=dst-nat chain=dstnat comment="Hairpin Uptime Kuma -> NPM via IP publique" dst-address=192.214.203.203 dst-port=80,443 protocol=tcp src-address-list=uptime-kuma to-addresses=192.168.10.5
add action=masquerade chain=srcnat comment="Hairpin srcnat Uptime Kuma -> NPM" dst-address-list=npm dst-port=80,443 out-interface="ether3 - dmznet" protocol=tcp src-address-list=uptime-kuma
Step 11 - Default route
/ip route
add dst-address=0.0.0.0/0 gateway=192.214.203.193
Step 12 - Services
Only Winbox (default port 8291), WebFig over TLS and the plaintext API stay enabled. www-ssl requires a certificate named webfig to exist already (create and sign it under /certificate before this step, otherwise the service stays down). The API on TCP/8728 carries credentials in clear; it is reachable only from the prometheus address list thanks to the input rule in step 9, and /ip service also accepts an address= restriction if a second layer is wanted. Who can reach Winbox is decided by the step 9 input rules.
/ip service
set ftp disabled=yes
set telnet disabled=yes
set www disabled=yes port=81
set www-ssl certificate=webfig disabled=no
set api disabled=no
set api-ssl disabled=yes
set ssh disabled=yes
Step 13 - API user (mktxp)
/user group
add name=prometheus policy="read,api,!local,!telnet,!ssh,!ftp,!reboot,!write,!policy,!test,!winbox,!password,!web,!sniff,!sensitive,!romon,!rest-api"
/user
add name=prometheus group=prometheus password=CHANGE_ME
Step 14 - Wazuh logging
Remote logging leaves the router as unencrypted UDP syslog to 192.168.60.5 on the default port 514; it travels only on the directly connected socnet segment (192.168.60.0/24). Note that the firewall topic only carries messages from filter and NAT rules that set log=yes; none of the rules in step 9 do, so as written Wazuh receives system events but no per-rule firewall events. Add log=yes (and a log-prefix) to the rules worth seeing, at least the two final DROP rules.
/system logging action
add name=wazuhserver remote=192.168.60.5 remote-log-format=syslog target=remote
/system logging
add action=wazuhserver prefix="MKT[001][FW]" topics=firewall
add action=wazuhserver prefix="MKT[001][SYS]" topics=system
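Once the events reach Wazuh, the MKT[00n][FW] prefix is what tells the two firewalls apart. The Python below is an added example, not part of the original runbook: it parses the message body of RouterOS firewall log lines (the `<chain>: in:... out:..., proto ..., src->dst, len N` format RouterOS emits for rules with log=yes), pulls out the firewall number, rule log-prefix, chain, interfaces and 5-tuple, and flags sources that were logged against several distinct destination ports. The sample lines are constructed for the example, with the syslog header already stripped and rule log-prefixes (DROP-ALL, DROP-INTERLAN) that the page's rules do not currently set; the exact framing Wazuh sees depends on the remote-log-format chosen.

```python
"""Parse RouterOS firewall log lines forwarded with the MKT[00n][FW] prefix.
Added example for the edu-kit runbook; the sample lines are constructed."""
import re
from collections import defaultdict

# Constructed samples (not real captures): syslog header removed, body as RouterOS
# writes it for a rule with log=yes and a log-prefix. The last line is a [SYS] event.
SAMPLE_LINES = [
    "MKT[001][FW] DROP-ALL input: in:ether1 - pub out:(unknown 0), connection-state:new "
    "src-mac 00:11:22:33:44:55, proto TCP (SYN), 203.0.113.7:51514->192.214.203.203:8291, len 60",
    "MKT[001][FW] DROP-ALL input: in:ether1 - pub out:(unknown 0), proto TCP (SYN), "
    "203.0.113.7:51515->192.214.203.203:22, len 60",
    "MKT[001][FW] DROP-INTERLAN forward: in:ether9 - labnet out:ether4 - adminet, proto TCP (SYN), "
    "192.168.200.120:40022->192.168.20.5:2244, len 60",
    "MKT[002][FW] DROP-ALL input: in:ether1 - pub out:(unknown 0), proto ICMP (type 8, code 0), "
    "203.0.113.7->192.214.203.203, len 84",
    "MKT[001][SYS] user admin logged in from 10.0.1.10 via winbox",
]

CHAINS = "input|forward|output|prerouting|postrouting|srcnat|dstnat"
# Interface names contain spaces (e.g. "ether1 - pub"), so match lazily up to the
# next fixed token instead of splitting on whitespace.
HEADER_RE = re.compile(
    rf"^MKT\[(?P<fw>\d+)\]\[FW\] (?:(?P<rule>\S+) )?(?P<chain>{CHAINS}): "
    r"in:(?P<in>.+?) out:(?P<out>.+?), (?P<rest>.*)$"
)
PROTO_RE = re.compile(r"proto (?P<proto>[A-Z0-9]+)(?: \((?P<flags>[^)]*)\))?")
FLOW_RE = re.compile(
    r"(?P<src>\d{1,3}(?:\.\d{1,3}){3})(?::(?P<sport>\d+))?->"
    r"(?P<dst>\d{1,3}(?:\.\d{1,3}){3})(?::(?P<dport>\d+))?"
)


def parse_firewall_event(line):
    """Return a dict for a [FW] line, None for anything else (e.g. [SYS] events)."""
    h = HEADER_RE.match(line)
    if not h:
        return None
    p = PROTO_RE.search(h["rest"])
    f = FLOW_RE.search(h["rest"])
    return {
        "fw": h["fw"], "rule": h["rule"], "chain": h["chain"],
        "in": h["in"], "out": h["out"],
        "proto": p["proto"] if p else None,
        "flags": p["flags"] if p else None,
        "src": f["src"] if f else None,
        "sport": int(f["sport"]) if f and f["sport"] else None,
        "dst": f["dst"] if f else None,
        "dport": int(f["dport"]) if f and f["dport"] else None,
    }


def parse_all(lines):
    return [e for e in map(parse_firewall_event, lines) if e]


def scan_candidates(events, min_ports=2):
    """Sources logged against at least min_ports distinct destination ports on the
    same firewall: a cheap indicator of probing against the VIP."""
    ports = defaultdict(set)
    for e in events:
        if e["dport"] is not None:
            ports[(e["fw"], e["src"])].add(e["dport"])
    return sorted({src for (_, src), seen in ports.items() if len(seen) >= min_ports})


if __name__ == "__main__":
    events = parse_all(SAMPLE_LINES)
    for e in events:
        print(f"fw-{e['fw']} {e['chain']:<7} {e['rule']:<13} {e['proto']:<4} "
              f"{e['src']}:{e['sport']} -> {e['dst']}:{e['dport']}")
    print("scan candidates:", scan_candidates(events))
```

The same regexes work as a Wazuh decoder template (the named groups map one to one onto decoder fields); the firewall number in the prefix is what lets a rule distinguish a drop seen on fw-01 from the same drop seen on fw-02 after a failover.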
Step 15 - NTP
/system ntp client
set enabled=yes
/system ntp server
set enabled=yes
/system ntp client servers
add address=fr.pool.ntp.org
add address=time.cloudflare.com
Step 16 - Identity and timezone
/system identity
set name=fw-01
/system clock
set time-zone-name=Europe/Paris
/ipv6 settings
set disable-ipv6=yes
fw-02 configuration
Starting point: a freshly installed RouterOS 7.20.8. fw-02 is the VRRP backup (priority=100).
The configuration is identical to fw-01 except for the points listed below. Apply steps 1 to 16, substituting the values given.
Differences per step
Step 1 - Naming: same target names, but fw-02's physical cabling follows the natural port order, so the default-name on each line must match the number in the name (default-name=ether1 -> "ether1 - pub", default-name=ether2 -> "ether2 - vpnet", and so on). Copying fw-01's lines verbatim would apply the pub name to physical port 4, which on fw-02 is not the WAN port.
Step 3 - VRRP interfaces: priority=100 on every interface. Add vrrp12 - pvenet, which requires ether12 to be configured first (see below).
Step 5 - IP addressing: replace the fw-01 addresses with the fw-02 ones:
| Segment | fw-01 IP | fw-02 IP |
|---|---|---|
| pub | 10.4.131.1 | 10.4.131.2 |
| diiage (physical) | 10.4.131.251 | 10.4.131.252 |
| vpnet | 192.168.5.1 | 192.168.5.2 |
| dmznet | 192.168.10.1 | 192.168.10.2 |
| adminet | 192.168.20.1 | 192.168.20.2 |
| k3snet | 192.168.30.1 | 192.168.30.2 |
| regnet | 192.168.40.1 | 192.168.40.2 |
| obsnet | 192.168.50.1 | 192.168.50.2 |
| socnet | 192.168.60.1 | 192.168.60.2 |
| mailnet | 192.168.70.1 | 192.168.70.2 |
| labnet | 192.168.200.1 | 192.168.200.2 |
| pvenet (physical) | 10.10.40.254 | 10.10.40.253 |
The VRRP VIPs (.254, 10.10.40.252, 192.214.203.203) are identical on both nodes; they are held by whichever node is currently master.
Step 8 - Address lists: vrrp-peers points at fw-01's addresses (not fw-02's):
add address=10.4.131.1 comment="fw-01 - pub" list=vrrp-peers
add address=192.168.5.1 comment="fw-01 - vpnet" list=vrrp-peers
add address=192.168.10.1 comment="fw-01 - dmznet" list=vrrp-peers
add address=192.168.20.1 comment="fw-01 - adminet" list=vrrp-peers
add address=192.168.30.1 comment="fw-01 - k3snet" list=vrrp-peers
add address=192.168.40.1 comment="fw-01 - regnet" list=vrrp-peers
add address=192.168.50.1 comment="fw-01 - obsnet" list=vrrp-peers
add address=192.168.60.1 comment="fw-01 - socnet" list=vrrp-peers
add address=192.168.70.1 comment="fw-01 - mailnet" list=vrrp-peers
add address=192.168.200.1 comment="fw-01 - labnet" list=vrrp-peers
add address=10.4.131.251 comment="fw-01 - diiage" list=vrrp-peers
add address=10.10.40.254 comment="fw-01 - pvenet" list=vrrp-peers
Step 14 - Wazuh logging: prefixes [002]:
add action=wazuhserver prefix="MKT[002][FW]" topics=firewall
add action=wazuhserver prefix="MKT[002][SYS]" topics=system
Step 16 - Identity:
/system identity
set name=fw-02
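The substitutions above are mechanical, so they can be applied by a script instead of by hand, which is also how the two nodes are kept from drifting apart. This Python is an added example, not part of the original runbook or of any MikroTik tooling: it takes fw-01's configuration lines and emits fw-02's, applying the step 1 port mapping for natural cabling, priority=100 on VRRP interfaces, the physical-address table from step 5, the reversed vrrp-peers list, the [002] log prefix and the identity. VIPs are left alone because they are not in the table. The VRRP password (Known issues below) is not in the export and still has to be set by hand on fw-02.

```python
"""Derive fw-02 configuration lines from fw-01's.
Added example for the edu-kit runbook; usage: python derive_fw02.py < fw-01.rsc > fw-02.rsc"""
import re

# Physical addresses fw-01 -> fw-02, from the table in step 5 of the fw-02 section.
# VIPs are deliberately absent: they are shared by both nodes and must not change.
PHYSICAL_IP = {
    "10.4.131.1": "10.4.131.2",        # pub
    "10.4.131.251": "10.4.131.252",    # diiage
    "192.168.5.1": "192.168.5.2",      # vpnet
    "192.168.10.1": "192.168.10.2",    # dmznet
    "192.168.20.1": "192.168.20.2",    # adminet
    "192.168.30.1": "192.168.30.2",    # k3snet
    "192.168.40.1": "192.168.40.2",    # regnet
    "192.168.50.1": "192.168.50.2",    # obsnet
    "192.168.60.1": "192.168.60.2",    # socnet
    "192.168.70.1": "192.168.70.2",    # mailnet
    "192.168.200.1": "192.168.200.2",  # labnet
    "10.10.40.254": "10.10.40.253",    # pvenet
}
FW01_FROM_FW02 = {v: k for k, v in PHYSICAL_IP.items()}

# 'set [ find default-name=etherX ] ... name="etherN - ..."': on fw-02, X must equal N.
RENAME_RE = re.compile(r'default-name=ether\d+ \] (.*name="ether(\d+) - )')
ADDR_RE = re.compile(r"address=(\d{1,3}(?:\.\d{1,3}){3})")


def _swap(line, table):
    """Rewrite every address=<ip> on the line through the given table (prefix length kept)."""
    return ADDR_RE.sub(lambda m: "address=" + table.get(m.group(1), m.group(1)), line)


def derive_fw02_line(line: str) -> str:
    """Apply the fw-02 substitutions to a single fw-01 configuration line."""
    # Step 1: natural cabling on fw-02, so default-name follows the logical number.
    m = RENAME_RE.search(line)
    if m:
        line = line.replace(m.group(0), f"default-name=ether{m.group(2)} ] {m.group(1)}")
    # Step 3: every VRRP interface is backup.
    if "vrid=" in line:
        line = line.replace("priority=254", "priority=100")
    # Step 8: vrrp-peers must now list fw-01's addresses.
    if "list=vrrp-peers" in line:
        line = _swap(line, FW01_FROM_FW02).replace('comment="fw-02 -', 'comment="fw-01 -')
    # Step 5: /ip address lines carry fw-02's physical addresses; VIPs are not in the table.
    elif line.startswith("add address=") and "interface=" in line:
        line = _swap(line, PHYSICAL_IP)
    # Steps 14 and 16.
    line = line.replace("MKT[001]", "MKT[002]")
    if line.strip() == "set name=fw-01":
        line = line.replace("fw-01", "fw-02")
    return line


def derive_fw02_config(fw01_lines):
    return [derive_fw02_line(line) for line in fw01_lines]


if __name__ == "__main__":
    import sys
    sys.stdout.write("".join(derive_fw02_config(sys.stdin.readlines())))
```

Diff the generated file against what is actually running on fw-02 (`/export` on each node) before every change: any line that differs and is not in this list of substitutions is drift that a failover would expose.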
Known issues
VRRP password
VRRP authentication (authentication=simple) is only available with version 2; VRRP v3 (RFC 5798) dropped authentication entirely. All VRRP interfaces are therefore configured with version=2.
If a password is set on fw-01 it must be set by hand on fw-02, with the same value, after each VRRP interface is created; a plain RouterOS export hides it (export show-sensitive includes it). Keep in mind that simple authentication is a cleartext password carried in every advertisement, so it protects against misconfiguration and VRID collisions, not against an attacker on the segment.