MikroTik RouterOS • View topic - Can bridge be used as firewall, and if so, how?

eugenevdm · **Posted:** Thu Jan 26, 2012 9:59 am

We have this setup:

Internet
|
Core Router
|
MikroTik (Transparent) Bridge
|
Windows 2008 Server with RDP

On MT Bridge, we have this rule:

/ip firewall filter chain=forward action=drop protocol=tcp dst-address=196.x.x.x dst-port=!3389

The idea is that all packets from the outside except RDP (port 3389) is dropped.

The rule fails because it's a bridge and now any traffic originating from the RDP server is also dropped.

How can we do this?

Aug · **Posted:** Thu Jan 26, 2012 12:04 pm

bridge > settings > use ip firewall

eugenevdm · **Posted:** Thu Jan 26, 2012 12:35 pm

>bridge > settings > use ip firewall

Already done, doesn't work.

Because bridge has no src interface or dst interface, all traffic is just "bridge".

Sure traffic gets in:

Internet Src->Firewall->OK @ 3389

but traffic also goes out

RDP Src->Firewall>Internet->Not OK because !3389 (TCP confirmations use random port)

nickshore · **Posted:** Thu Jan 26, 2012 5:25 pm

should be a filter in bridge not ip firewall

eg

Quote:

/interface bridge filter
add action=drop chain=forward dst-address=192.168.55.0/24 dst-port=!3389 ip-protocol=tcp mac-protocol=ip

Aug · **Posted:** Thu Jan 26, 2012 8:42 pm

yes you can use bridge filter also.

If you want to use ip firewall filter, I believe you need connection tracking enabled and bridge-settings-use ip firewall.

Either way should work.

eugenevdm · **Posted:** Thu Jan 26, 2012 10:56 pm

Quote:

should be a filter in bridge not ip firewall

Thanks nickshore, I ended up doing this, to allow FTP and RDP and block everything else:

Code:

/interface bridge filter> pr

Flags: X - disabled, I - invalid, D - dynamic 
 0   ;;; Accept ICMP for PING
     chain=forward action=accept mac-protocol=ip dst-address=196.x.x.x/32 ip-protocol=icmp 

 1   ;;; Accept FTP Transfer Port
     chain=forward action=accept mac-protocol=ip dst-address=196.x.x.x/32 dst-port=20 ip-protocol=tcp 

 2   ;;; Accept FTP Control Port
     chain=forward action=accept mac-protocol=ip dst-address=196.x.x.x/32 dst-port=21 ip-protocol=tcp 

 3   ;;; Accept RDP
     chain=forward action=accept mac-protocol=ip dst-address=196.x.x.x/32 dst-port=3389 ip-protocol=tcp 

 4   ;;; Log everything that is about to get dropped
     chain=forward action=log mac-protocol=ip dst-address=196.x.x.x/32 ip-protocol=tcp log-prefix="firewall_drop" 

 5   ;;; Drop everything
     chain=forward action=drop mac-protocol=ip dst-address=196.x.x.x/32 ip-protocol=tcp 

So far so good. I see some packets originating from the server to the outside on port 443, but nmap reports what I want to see, everything blocked except FTP.

eugenevdm · **Posted:** Fri Jan 27, 2012 10:35 pm

I confirm packets don't get out of the RDP server. I tried adding this rule:

Code:

;;; Allow everything out
     chain=forward action=accept mac-protocol=ip src-address=196.x.x.x/32 ip-protocol=tcp 

Sure packets get out, but TCP/IP acknowledgements don't return.

Any advice?

lahoras · **Posted:** Sat Apr 07, 2012 9:14 am

eugenevdm,i'm trying use firewall on bridge to block passthrough between wlans of my RB433, my case is similar because I want that windows customers can not access to other users that by default accidentaly have same group name and have any resource shared.

It was imposible for me makes that works, until I try this rule:

Code:

chain=forward action=drop mac-protocol=ip src-address=192.168.28.0/28  dst-port=135-139 ip-protocol=udp

If you wacht diference is adress, that is src and not dst, I was loging connections and here is the answer, src nated address has not the same port, in my case works fine now, can you check if this works on your net?

thanks in advance.

ARIEL

Who is online