mikham
just joined
Topic Author
Posts: 12
Joined: Fri Apr 22, 2022 5:49 am

Firewall doesn't work

Tue Feb 27, 2024 9:03 am

OS router version 7.6, device : CCR2004-16G-2S+, Winbox (64 bit)

Hi, I need help with my firewall filter rules. They seem to need to be fixed.

I have two MikroTik routers, one for me and the other belonging to the ISP. Before, my MikroTik was connected directly to a radio antenna (ether1), and the firewall filter rules were working. However, now my MikroTik is connected to the ISP's MikroTik, and the firewall filter rules are not working anymore. I had given the ISP's vendor access to my MikroTik router, and I don't know every detail of the changes they made to my MikroTik; now it seems unchanged, but the firewall filter rules aren't working.

In this scenario, is the ISP's MikroTik router bypassing my MikroTik's filter rules? Can my MikroTik's rules be bypassed even though it is connected in sequence before the ISP's MikroTik router?
 
erlinden
Forum Guru
Posts: 1975
Joined: Wed Jun 12, 2013 1:59 pm
Location: Netherlands

Re: Firewall doesn't work

Tue Feb 27, 2024 9:29 am

Bit hard to tell; you might want to add some relevant information:

Can you post a network diagram, including clients?
Can you share your MikroTik configs:
/export file=anynameyoulike
Remove serial and any other private information and post between code tags by using the </> button.
 
mikham
just joined
Topic Author
Posts: 12
Joined: Fri Apr 22, 2022 5:49 am

Re: Firewall doesn't work

Tue Feb 27, 2024 10:27 am

Thanks for the reply, this is the exported rsc:
# feb/27/2024 14:49:35 by RouterOS 7.6
# software id = 
#
# model = -=-=
# serial number = --
/interface bridge
add name=Switch
/interface ethernet
set [ find default-name=ether1 ] name=ether1-WAN
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip hotspot profile
set [ find default=yes ] login-by=cookie,http-chap,https name=HS
/ip hotspot user profile
set [ find default=yes ] shared-users=5
/ip pool
add name=dhcp_pool1 ranges=192.168.86.2-192.168.87.254
add name="up 87.50 below 87.255" ranges=192.168.87.50-192.168.87.254
add name="for A" ranges=192.168.87.51-192.168.87.110
add name="for B, C, D, H, I, J" ranges="192.168.\
    87.111-192.168.87.139,192.168.87.141-192.168.87.149,192.168.87.151-192.168\
    .87.156,192.168.87.159-192.168.87.160"
/ip dhcp-server
add add-arp=yes address-pool="up 87.50 below 87.255" interface=Switch \
    lease-time=1h name=DHCP-HS
/ip hotspot
add address-pool="up 87.50 below 87.255" disabled=no interface=Switch \
    name=HS
/ip hotspot user profile
add address-pool="up 87.50 below 87.255" keepalive-timeout=1h name=vip \
    rate-limit=4M/4M shared-users=3
/port
set 0 name=serial0
set 1 name=serial1
/ppp profile
add name=vpn-mikhmon
/interface ovpn-client
add connect-to=blabla disabled=yes mac-address=blabla \
    mode=ethernet name=ovpn-out1 port=blabla profile=blabla=\
    blabla@blabla.net
/queue simple
add max-limit=64k/64k name="Z-Limit" target=192.168.87.161/32
add max-limit=200M/200M name="TOTAL SPEED" queue=default/default target=\
    Switch
add comment="A from 87.51 to 87.110" max-limit=15M/15M name=\
    "1. A" parent="TOTAL SPEED" queue=\
    pcq-upload-default/pcq-download-default target="192.168.87.51/32,192.168.8\
    7.52/32,192.168.87.53/32,192.168.87.54/32,192.168.87.55/32,192.168.87.56/3\
    2,192.168.87.57/32,192.168.87.58/32,192.168.87.59/32,192.168.87.60/32,192.\
    168.87.61/32,192.168.87.62/32,192.168.87.63/32,192.168.87.64/32,192.168.87\
    .65/32,192.168.87.66/32,192.168.87.67/32,192.168.87.68/32,192.168.87.69/32\
    ,192.168.87.70/32,192.168.87.71/32,192.168.87.72/32,192.168.87.73/32,192.1\
    68.87.74/32,192.168.87.75/32,192.168.87.76/32,192.168.87.77/32,192.168.87.\
    78/32,192.168.87.79/32,192.168.87.80/32,192.168.87.81/32,192.168.87.82/32,\
    192.168.87.83/32,192.168.87.84/32,192.168.87.85/32,192.168.87.86/32,192.16\
    8.87.87/32,192.168.87.88/32,192.168.87.89/32,192.168.87.90/32,192.168.87.9\
    1/32,192.168.87.92/32,192.168.87.93/32,192.168.87.94/32,192.168.87.95/32,1\
    92.168.87.96/32,192.168.87.97/32,192.168.87.98/32,192.168.87.99/32,192.168\
    .87.100/32,192.168.87.101/32,192.168.87.102/32,192.168.87.103/32,192.168.8\
    7.104/32,192.168.87.105/32,192.168.87.106/32,192.168.87.107/32,192.168.87.\
    108/32,192.168.87.109/32,192.168.87.110/32"
add comment="B, C, D from 87.111 to 87.160 " max-limit=\
    5M/5M name="2. B, C, D, E, F, G" parent=\
    "TOTAL SPEED" queue=pcq-upload-default/pcq-download-default target="192.16\
    8.87.111/32,192.168.87.112/32,192.168.87.113/32,192.168.87.114/32,192.168.\
    87.115/32,192.168.87.116/32,192.168.87.117/32,192.168.87.118/32,192.168.87\
    .119/32,192.168.87.120/32,192.168.87.121/32,192.168.87.122/32,192.168.87.1\
    23/32,192.168.87.124/32,192.168.87.125/32,192.168.87.126/32,192.168.87.127\
    /32,192.168.87.128/32,192.168.87.129/32,192.168.87.130/32,192.168.87.131/3\
    2,192.168.87.132/32,192.168.87.133/32,192.168.87.134/32,192.168.87.135/32,\
    192.168.87.136/32,192.168.87.137/32,192.168.87.138/32,192.168.87.139/32,19\
    2.168.87.141/32,192.168.87.142/32,192.168.87.143/32,192.168.87.144/32,192.\
    168.87.145/32,192.168.87.146/32,192.168.87.147/32,192.168.87.148/32,192.16\
    8.87.149/32,192.168.87.151/32,192.168.87.152/32,192.168.87.153/32,192.168.\
    87.154/32,192.168.87.155/32,192.168.87.156/32,192.168.87.159/32,192.168.87\
    .160/32"
add max-limit=2M/2M name="H" parent="TOTAL SPEED" queue=\
    default/default-small target=192.168.87.158/32
add max-limit=2M/2M name="I" parent="TOTAL SPEED" queue=\
    default/default target=192.168.87.157/32
add max-limit=2M/2M name="J" parent="TOTAL SPEED" queue=\
    default/default target=192.168.87.140/32
add max-limit=2M/2M name="K" parent="TOTAL SPEED" queue=\
    default/default target=192.168.87.150/32
/ip hotspot user profile
add address-pool="A" insert-queue-before="Z-Limit" name=A \
    parent-queue="1. A" queue-type=hotspot-default rate-limit=3M/3M \
    shared-users=3
add address-pool="B, C, D, E, F, G" \
    insert-queue-before="Z-Limit" name=\
    "B, C, D, E, F, G" parent-queue=\
    "2. B, C, D, E, F, G" queue-type=\
    hotspot-default rate-limit=1M/1M shared-users=2
add address-pool="up 87.50 below 87.255" insert-queue-before=\
    "Z-limit" keepalive-timeout=1h name=blabla parent-queue="1. A" \
    queue-type=hotspot-default rate-limit=5M/5M shared-users=10
add address-pool="B, C, D, E, F, G" \
    insert-queue-before="Z-Limit" name=lalala parent-queue=\
    "2. B, C, D, E, F, G" queue-type=\
    hotspot-default rate-limit=1M/1M shared-users=90
/snmp community
set [ find default=yes ] name=IndosatCmp2024
/interface bridge port
add bridge=Switch interface=ether2
add bridge=Switch interface=ether3
add bridge=Switch interface=ether4
add bridge=Switch interface=ether5
add bridge=Switch interface=ether6
add bridge=Switch interface=ether7
add bridge=Switch interface=ether8
add bridge=Switch interface=ether9
add bridge=Switch interface=ether10
add bridge=Switch interface=ether11
add bridge=Switch interface=ether12
add bridge=Switch interface=ether13
add bridge=Switch interface=ether14
add bridge=Switch interface=ether15
add bridge=Switch interface=ether16
add bridge=Switch interface=sfp-sfpplus1
add bridge=Switch interface=sfp-sfpplus2
/interface detect-internet
set detect-interface-list=all
/ip address
add address=192.168.86.1/23 interface=Switch network=192.168.86.0
add address=lala.lala.lala.lala/30 disabled=yes interface=ether1-WAN network=\
    lala.lala.lala.lala
add address=lala.lala.lala.lala/28 interface=ether1-WAN network=lala.lala.lala.lala
/ip arp
add address=192.168.87.157 comment="lala" interface=Switch mac-address=\
    lala
add address=192.168.87.150 comment="lolo" interface=Switch \
    mac-address=lolo
add address=192.168.87.140 comment="lili" interface=Switch \
    mac-address=lili
add address=192.168.87.105 comment=lele interface=Switch mac-address=\
    lele
add address=192.168.87.234 comment="lulu" interface=\
    Switch mac-address=lulu
add address=lalala comment=\
    "lblb" interface=ether1-WAN \
    mac-address=lblb
add address=192.168.87.158 comment="lclc" interface=Switch \
    mac-address=lclc
add address=192.168.87.15 comment=\
    "ldld" interface=Switch \
    mac-address=ldld
add address=192.168.87.179 comment="lflf" interface=Switch \
    mac-address=lflf
add address=192.168.86.3 comment="lglg" \
    interface=Switch mac-address=lglg
add address=192.168.87.16 comment="lhlh" interface=\
    Switch mac-address=lhlh
add address=192.168.87.254 comment="ljlj" \
    interface=Switch mac-address=ljlj
/ip dhcp-server lease
add address=192.168.87.234 client-id=lklk mac-address=\
    lklk server=DHCP-HS
add address=192.168.86.3 client-id=llll mac-address=\
    llll server=DHCP-HS
/ip dhcp-server network
add address=192.168.86.0/23 gateway=192.168.86.1
/ip dns
set allow-remote-requests=yes servers=lmlm,lnln
/ip firewall address-list
add address=192.168.86.0/23 list=LAN
add address=lplp list="allowed outside IP to Akses Remote Mikrotik"
add address=192.168.31.1 list="allowed outside IP to Akses Remote Mikrotik"
add address=lqlq/22 list=\
    "allowed outside IP to Akses Remote Mikrotik"
add address=lrlr/27 list=\
    "allowed outside IP to Akses Remote Mikrotik"
add address=192.168.87.111-192.168.87.139 list="test youtube1"
add address=192.168.87.141-192.168.87.149 list="test youtube2"
add address=lsls/30 list="IP mikrotik router wan ISP"
add address=ltlt/28 list="IP mikrotik router wan ISP_"
/ip firewall filter
add action=drop chain=forward content=youtube.com dst-address=lvlv/28 \
    src-address=192.168.86.0/23
add action=passthrough chain=unused-hs-chain comment=\
    "place hotspot rules here"
add action=accept chain=forward connection-state=established,related \
    dst-address=lvlv/28
add action=accept chain=input dst-address=lvlv/28 src-address-list=\
    "allowed outside IP to Akses Remote Mikrotik"
add action=drop chain=forward connection-state=invalid dst-address=\
    lvlv/28
add action=drop chain=input connection-state=invalid dst-address=\
    lvlv/28
add action=accept chain=input dst-address=lvlv/28 src-address-list=\
    LAN
add action=accept chain=input connection-state=established dst-address=\
    lvlv/28
add action=accept chain=forward connection-state=new dst-address=\
    lvlv/28 src-address-list=LAN
add action=accept chain=forward connection-state=related dst-address=\
    lvlv/28
add action=accept chain=forward connection-state=established dst-address=\
    lvlv/28
add action=drop chain=forward dst-address=lvlv/28
/ip firewall nat
add action=passthrough chain=unused-hs-chain comment=\
    "place hotspot rules here" disabled=yes
add action=masquerade chain=srcnat out-interface=ether1-WAN
add action=dst-nat chain=dstnat disabled=yes dst-address=lwlw \
    dst-port=81 protocol=tcp to-addresses=192.168.... to-ports=lxlx
add action=src-nat chain=srcnat disabled=yes protocol=tcp src-address=\
    192.168.... src-port=lxlx to-addresses=lzlz to-ports=..
/ip hotspot ip-binding
add address=192.168.87.140 comment="lzlz" mac-address=\
    lzlz server=HS to-address=192.168.87.140 type=bypassed
add address=192.168.87.105 comment="lzalza=\
    lzalza server=HS to-address=192.168.87.105 type=bypassed
add address=192.168.87.... comment="lzblzb" mac-address=lzblzb \
    server=HS to-address=192.168.87.... type=bypassed
add address=192.168.87.... comment="lzclzc" mac-address=lzclzc \
    server=HS to-address=192.168.87.... type=bypassed
add address=192.168.87.150 comment="lzdlzd" mac-address=\
    lzdlzd server=HS to-address=192.168.87.150 type=bypassed
add address=192.168.87.5 to-address=192.168.87.5 type=bypassed
add address=192.168.87.3 mac-address=lzelze to-address=\
    192.168.87.3 type=bypassed
add address=192.168.87.4 mac-address=lzflzf to-address=\
    192.168.87.4 type=bypassed
add address=192.168.87.6 to-address=192.168.87.6 type=bypassed
add address=192.168.86.3 comment=wifi ap disabled=yes mac-address=\
    lzglzg server=HS to-address=192.168.86.3 type=bypassed
add address=192.168.87.234 comment=wifi ap2 disabled=yes mac-address=\
    lzflzf server=HS to-address=192.168.87.234 type=bypassed
add address=lzhlzh/28 comment="IP mikrotik ISP" type=bypassed
add address=192.168.87.15 comment="lzilzi" \
    mac-address=lzilzi to-address=192.168.87.15 type=bypassed
add address=192.168.87.179 comment="Printer" mac-address=\
    lzjlzj to-address=192.168.87.179 type=bypassed
add address=192.168.87.16 comment="lzklzk" mac-address=\
    lzklzk to-address=192.168.87.16 type=bypassed
add address=192.168.87.254 comment=\
    "lzllzl" disabled=yes \
    mac-address=lzllzl to-address=192.168.87.254 type=bypassed
/ip hotspot user
add name=AA
add name=BB profile="A, B, C, D, E, F" \
    server=HS
add name=CC profile="A, B, C, D, E, F" server=\
    HS
add name=DD profile="A, B, C, D, E, F" \
    server=HS
add name=EE profile="A, B, C, D, E, F" server=\
    HS
add name=FF profile="A, B, C, D, E, F" server=\
    HS
add name=GG profile="A, B, C, D, E, F" server=\
    HS
add name=HH profile="A, B, C, D, E, F" \
    server=HS
add name=II profile="A, B, C, D, E, F" \
    server=HS
add name=JJ profile="A, B, C, D, E, F" \
    server=HS
add name=KK profile="A, B, C, D, E, F" server=\
    HS
add name=LL profile="A, B, C, D, E, F" server=\
    HS
add name=MM profile="A, B, C, D, E, F" server=\
    HS
add name=NN profile="A, B, C, D, E, F" server=\
    HS
add name=OO profile="A, B, C, D, E, F" server=\
    HS
add name=PP profile="A, B, C, D, E, F" server=\
    HS
add name=QQ profile="A, B, C, D, E, F" \
    server=HS
add name=RR profile="A, B, C, D, E, F" server=\
    HS
add name=SS profile="A, B, C, D, E, F" server=\
    HS
add name=TT profile="A, B, C, D, E, F" server=\
    HS
add name=UU profile="A, B, C, D, E, F" server=\
    HS
add name=Cool1 profile=lzjlzj server=HS
add name=Cool2 profile=lzjlzj server=HS
add name=Cool3 profile=lzjlzj server=HS
add name=Cool4 profile=lzjlzj server=HS
add name=Cool5 profile=lzjlzj server=HS
add name=Cool6 profile=lzjlzj server=HS
add name=Cool7 profile=lzjlzj server=HS
add name=Cool8 profile=lzjlzj server=HS
add name=Cool9 profile=lzjlzj server=HS
add name=Cool10 profile=lzjlzj server=HS
add name=Cool11 profile=lzjlzj server=HS
add name=Cool12 profile=lzjlzj server=HS
add name=Cool13 profile=lzjlzj server=HS
add name=Cool14 profile=lzjlzj server=HS
add name=Cool15 profile=lzjlzj server=HS
add name=Cool16 profile=lzjlzj server=HS
add name=Cool17 profile=lzjlzj server=HS
add name=Cool18 profile=lzjlzj server=HS
add name=great profile=great server=HS
add name=nice profile=nice server=HS
add name=perfect profile="A, B, C, D, E, F" server=HS
add name=decent profile="A, B, C, D, E, F" \
    server=HS
add name=AB profile="A, B, C, D, E, F" \
    server=HS
add name=AC profile="A, B, C, D, E, F" \
    server=HS
add name=AD profile=\
    "A, B, C, D, E, F" server=HS
add name=AE profile="A, B, C, D, E, F" \
    server=HS
add name=AF profile="A, B, C, D, E, F" \
    server=HS
add name=AG profile="A, B, C, D, E, F" \
    server=HS
add name=AH profile="A, B, C, D, E, F" \
    server=HS
add name=AI profile="A, B, C, D, E, F" \
    server=HS
add name=AJ profile="A, B, C, D, E, F" \
    server=HS
add name=AK profile="A, B, C, D, E, F" \
    server=HS
add name=AL
add name=AM profile=lzjlzj server=HS
/ip route
add disabled=yes distance=1 dst-address=0.0.0.0/0 gateway=lala \
    pref-src="" routing-table=main scope=30 suppress-hw-offload=no \
    target-scope=10
add disabled=yes distance=1 dst-address=lala/30 gateway=192.168.86.1 \
    pref-src="" routing-table=main scope=30 suppress-hw-offload=no \
    target-scope=10
add check-gateway=ping disabled=no distance=2 dst-address=0.0.0.0/0 gateway=\
    lala pref-src="" routing-table=main scope=30 suppress-hw-offload=\
    no target-scope=10
/ip service
set telnet disabled=yes
set ftp disabled=yes
set www disabled=yes
set ssh disabled=yes
set api disabled=yes
set api-ssl disabled=yes
/snmp
set contact="Who who" enabled=yes trap-version=2
/system clock
set time-zone-name=great/great
/system identity
set name=cool-cool
/system logging
add action=disk prefix=-> topics=hotspot,info,debug
/system routerboard settings
set enter-setup-on=delete-key
/tool romon
set enabled=yes
 
johnson73
Member Candidate
Posts: 186
Joined: Wed Feb 05, 2020 10:07 am

Re: Firewall doesn't work

Tue Feb 27, 2024 11:03 am

If you use this CCR and you get the Internet from another MikroTik, which belongs to the ISP, then it would be advisable to delete all the mix that is there. There is a mega mix: no sequence, security, etc. We safely use the default rules as the basis for everything. If everything is configured correctly, it will not be possible to bypass your rules.
The default rules can be supplemented with the necessary entries. You can use this example:
/interface list
add name=WAN
add name=LAN
add name=Authorized
/interface list member
add interface=ether1 list=WAN
add interface=bridge1 list=LAN
add comment="interfaces from which admin access is allowed" interface=bridge1 list=Authorized
/ip firewall address-list
add address=192.168.86.0/24 list=Admin

/ip firewall filter
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment="defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=accept chain=input comment="allow admin access from authorized interfaces" in-interface-list=Authorized src-address-list=Admin
# add similar rules for NTP and other router services the LAN needs, if required
add action=accept chain=input comment="Allow LAN DNS queries - UDP" dst-port=53 in-interface-list=LAN protocol=udp
add action=accept chain=input comment="Allow LAN DNS queries - TCP" dst-port=53 in-interface-list=LAN protocol=tcp
add action=drop chain=input comment="drop all else"
add action=accept chain=forward comment="defconf: accept in ipsec policy" ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related
add action=accept chain=forward comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=forward comment="allow internet traffic" in-interface-list=LAN out-interface-list=WAN
add action=accept chain=forward comment="allow dst-nat from both WAN and LAN" connection-nat-state=dstnat
add action=drop chain=forward comment="drop all else"
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" ipsec-policy=out,none out-interface-list=WAN
 
mikham
just joined
Topic Author
Posts: 12
Joined: Fri Apr 22, 2022 5:49 am

Re: Firewall doesn't work

Wed Feb 28, 2024 8:50 am

Thanks for the reply; does this seem "mega mixed"?

[two images attached]
 
johnson73
Member Candidate
Posts: 186
Joined: Wed Feb 05, 2020 10:07 am

Re: Firewall doesn't work

Wed Feb 28, 2024 9:11 am

Yes, there is a mix. Wrong...
There is also a bit wrong in the NAT section. First there must be a "masquerade" rule and then the others, which are responsible for some kind of port forward to a certain address, for example.
We place masquerade rules only if, for example, an IPsec tunnel is created or an internal src-NAT is created. In other cases, all port forwards are "under the masquerade" rule.
Rules must be in order! They are executed from top to bottom. There should be an "input" section first, which ends with input=drop all, and then a "forward" section, which also ends with forward=drop all. It will be correct. I already copied the example for you. Use it safely, because your post shows that the rules do not have any correct order, etc. Accordingly, the rules are not enforced correctly and the traffic flow is incorrect.

INPUT CHAIN --> To the Router or to Router Services. Directional flow is WAN to Router, and LAN to Router.
FORWARD CHAIN --> Through the Router. Directional flow is LAN to LAN, LAN to WAN, WAN to LAN.
OUTPUT CHAIN --> From the Router. Directional flow is Router to WAN.
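To make the top-to-bottom point concrete, here is an added example (my own, not johnson73's code and not anything RouterOS ships): a small Python first-match model loaded with the example rule set posted above, with the IPsec and loopback rules left out. It assumes the same LAN/WAN interface-list names and shows, on a few constructed packets, what each chain decides and what changes when the final drop is moved to the top or removed.

```python
from dataclasses import dataclass, field

@dataclass
class Packet:
    chain: str            # "input" (to the router) or "forward" (through it)
    in_list: str          # interface list the packet arrived on: "LAN" or "WAN"
    out_list: str = ""    # interface list it leaves on (forward chain only)
    state: str = "new"    # new / established / related / invalid / untracked
    proto: str = "tcp"
    dst_port: int = 0
    dstnat: bool = False  # connection was dst-nat'ed (a port forward)

@dataclass
class Rule:
    chain: str
    action: str
    comment: str = ""
    match: dict = field(default_factory=dict)

    def matches(self, p: Packet) -> bool:
        # every matcher present must agree; a rule with no matchers matches everything
        checks = {
            "connection-state": lambda v: p.state in v.split(","),
            "in-interface-list": lambda v: p.in_list == v,
            "out-interface-list": lambda v: p.out_list == v,
            "protocol": lambda v: p.proto == v,
            "dst-port": lambda v: p.dst_port == int(v),
            "connection-nat-state": lambda v: p.dstnat and v == "dstnat",
        }
        return all(checks[k](v) for k, v in self.match.items())

# The reply's example rules, transcribed in the order posted (IPsec and loopback rules omitted).
INPUT = [
    Rule("input", "accept", "accept established,related,untracked", {"connection-state": "established,related,untracked"}),
    Rule("input", "drop", "drop invalid", {"connection-state": "invalid"}),
    Rule("input", "accept", "accept ICMP", {"protocol": "icmp"}),
    Rule("input", "accept", "LAN DNS UDP", {"in-interface-list": "LAN", "protocol": "udp", "dst-port": "53"}),
    Rule("input", "accept", "LAN DNS TCP", {"in-interface-list": "LAN", "protocol": "tcp", "dst-port": "53"}),
    Rule("input", "drop", "drop all else"),
]
FORWARD = [
    Rule("forward", "fasttrack-connection", "fasttrack", {"connection-state": "established,related"}),
    Rule("forward", "accept", "accept established,related,untracked", {"connection-state": "established,related,untracked"}),
    Rule("forward", "drop", "drop invalid", {"connection-state": "invalid"}),
    Rule("forward", "accept", "allow internet traffic", {"in-interface-list": "LAN", "out-interface-list": "WAN"}),
    Rule("forward", "accept", "allow dst-nat", {"connection-nat-state": "dstnat"}),
    Rule("forward", "drop", "drop all else"),
]

def verdict(rules, p: Packet):
    """First matching rule decides; fasttrack only marks, and reaching the chain end means accept."""
    for r in rules:
        if r.chain == p.chain and r.matches(p):
            if r.action == "fasttrack-connection":   # RouterOS continues to the next rule here
                continue
            return r.action, r.comment
    return "accept", "implicit accept at end of chain"

if __name__ == "__main__":
    print(verdict(FORWARD, Packet("forward", "WAN", "LAN")), verdict(INPUT, Packet("input", "LAN", proto="udp", dst_port=53)))
```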
