2B Apprentice in Defacto Firewall Setup

I’m working through the DEFACTO DEFAULT FIREWALL Setup guide, and have got to stage (2B) APPRENTICE SETUP.

Aside: Grateful that such resources exist for newcomers.

My question relates to this element of the guide:

(2) RAW RULE Inbound/Destination Address - Designed to stop cold any incoming traffic (passing inbound on the WAN) whose destination address is different from the public IPs on the router. Thus we make use of a firewall address list to identify the available public IPs at the router.

After adding the RAW rules all seemed fine until one day I restarted the router and found I had no internet connection. I had been assigned a new dynamic IP and I believe the address-list was unable to resolve my new external address as the raw rules were blocking traffic back into the router, so I had a circular problem which I could only resolve by temporarily blocking the rule which denied traffic from the WAN.

Question: Am I right in thinking that this section of the guide is problematic for people with dynamic IPs?

These are the lines that I believe are relevant, noting that in the address list I had something like home.mydomain.com.

/ip firewall address-list
{...}
add list=expected-dst-address-to-my-ISP address=my.public.wan.ip

/ip firewall raw
{...}
add action=drop chain=prerouting in-interface-list=WAN dst-address-list=!expected-dst-address-to-my-ISP comment="drop non-legit dst-addresses hitting WAN side"

If you use a domain name in that address list, then you have to allow at least traffic with the selected DNS server before blocking everything else… or else the router is not able to populate/renew the IP address.

This is not a problem when the WAN IP address is static and is set in the address list as an IP address.

Ah, of course, that makes sense :slight_smile:

Thanks for bringing this up, perhaps I may have to add a script for that case.

Would this solve the dilemma introduced by dynamic WAN IPs and not being able to resolve the WAN IP in a timely manner?

/ip firewall raw
# chain=prerouting lives in the raw table; both accepts must be placed above the drop rule
add chain=prerouting action=accept dst-address=1.1.1.1
add chain=prerouting action=accept src-address=1.1.1.1

Okay here is the solution.

A. We are attempting to resolve the new WAN IP via the firewall address list…

/ip firewall address-list
add list=expected-dst-address-to-my-ISP address=my.public.wan.ip

We know that the response back will be blocked, as the destination address will be the old WAN IP…


B. The SOLUTION is to identify the new WAN IP assigned on outgoing traffic and add it to the list. In our case we know the router will send outgoing traffic to resolve the WAN IP.
We will use that traffic to discern the new WAN IP and add it to the list :slight_smile:

/ip firewall raw
# raw table assumed, matching the drop rule above; src-address-type=local matches a source address owned by the router itself
add chain=output action=add-src-address-to-list src-address-type=local address-list=expected-dst-address-to-my-ISP out-interface-list=WAN address-list-timeout=1m
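Putting the thread together (the reply about allowing the DNS server first, and the learn-the-WAN-IP rule above) in one ordered ruleset. This is an added example, not the guide's own text or the poster's config; it assumes the interface list is named WAN, the list is expected-dst-address-to-my-ISP, the router's resolver is 1.1.1.1, and home.mydomain.com stands in for the reader's own DDNS name:

```routeros
# Added example, not from the guide: one consistent ordering of the pieces
# discussed in this thread, for a router whose WAN IP is dynamic.
# Assumptions: interface list WAN, address list expected-dst-address-to-my-ISP,
# resolver 1.1.1.1, and home.mydomain.com as a placeholder DDNS name.

# Resolver the router itself uses; DNS-name entries in address lists are resolved with it
/ip dns set servers=1.1.1.1

/ip firewall address-list
# Name entry: RouterOS re-resolves it periodically. Right after an IP change the
# name still points at the OLD WAN IP, which is the circular problem from the first post.
add list=expected-dst-address-to-my-ISP address=home.mydomain.com comment="DDNS name of WAN IP"

/ip firewall raw
# 1. Learn the current WAN IP from the router's own outbound traffic (for example
#    the DNS query it sends to refresh the entry above). src-address-type=local
#    matches a source address owned by the router; each new outbound packet
#    refreshes the 1m timeout on the dynamic entry.
add chain=output action=add-src-address-to-list src-address-type=local \
    out-interface-list=WAN address-list=expected-dst-address-to-my-ISP \
    address-list-timeout=1m comment="learn current WAN IP from outbound traffic"

# 2. Replies from the resolver must get in even while the list is stale, so the
#    name can be re-resolved after an IP change. Narrowed to DNS replies only,
#    rather than accepting everything from 1.1.1.1.
add chain=prerouting action=accept in-interface-list=WAN src-address=1.1.1.1 \
    protocol=udp src-port=53 comment="allow DNS replies from resolver"
add chain=prerouting action=accept in-interface-list=WAN src-address=1.1.1.1 \
    protocol=tcp src-port=53 comment="allow DNS replies from resolver (tcp)"

# 3. The guide's rule, placed AFTER the accepts above: drop anything arriving on
#    WAN whose destination is not one of our public IPs.
add chain=prerouting action=drop in-interface-list=WAN \
    dst-address-list=!expected-dst-address-to-my-ISP \
    comment="drop non-legit dst-addresses hitting WAN side"
```

Two things to check after applying it: `/ip firewall address-list print` should show both the name entry and a dynamic entry holding the current WAN IP, and the dynamic entry disappears if the router sends nothing out of WAN for a full minute, so a longer address-list-timeout is reasonable on a mostly idle link.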