Hello All,

I'm really really newbie in networking... I would like to ask your helps. I have an internal LAN and a DMZ. I have several firewall rules.

I would like to make these kind of filter rules:

If there is a request from LAN from a given port to DMZ, the answer package can come through without opening port from DMZ to LAN.

The aim would be... packages can only come from DMZ to LAN if the LAN asks.

Can anyone make me a sample rule here? Your help is much much appriciated.

Regards,
David

Create a rule in your forward chain where the dst-address=your-dmz and src-address=your-lan
you probably already have a rule for established traffic

So i have to set the "Connection State" to "Established" ?

Please post your firewall config

ros code

/ip firewall filter
export compact

You need 2 rules.
One allowing the traffic from lan to dmz.
Besides that you need a rule for established traffic to allow it in reverse, but it is highly possible you already have that rule.