I am running 2.9.27
I set up a rule to block internal packets from going out to the internet.
/ ip firewall filter
add chain=output out-interface=Public1 dst-address-list=INTERNAL_NETWORK action=reject reject-with=icmp-net-prohibited
add chain=output out-interface=Public2 dst-address-list=INTERNAL_NETWORK action=reject reject-with=icmp-net-prohibited
(I have 2 ISPs)
The problem is that if I set up the Mikrotik syslog service to send log messages to one of my internal network hosts, and that host is offline, and I set up a mangle rule to mark connections on the output chain in order to route the router's output selectively to each external interface and also to mark routing, the syslog messages go out on one (or the other) of the public interfaces.
It seems that if I disable the routing marks (on the output chain) the problem doesn't manifest, but I want to be able to distribute the router's proxy connections randomly to every ISP (not only the forwarded traffic).
If I enable the routing mark on the router's own output, the packets seem to bypass the output filter chain, which I think is a very severe problem!
The connection and routing marks are exactly like in the example posted on the wiki (with the exception that they are on the output chain instead of the prerouting chain, and also without specifying the IN or OUT interface, which are selected [the OUT one] based on the route mark itself [the IN doesn't exist on the output chain]).
The router's output (proxy, DNS etc.) is distributed among the 2 interfaces as it should be, but I don't want my syslog messages to go out to the internet (when the internal host which is configured to receive the messages is down and the router routes these packets to the internet [packets which are bogons, but not in one of my ISPs' networks]), especially when that ISP distributes services via a private network class, and this network is very insecure.
Anyway, not only the syslog but other traffic (originated from the router) too!
I tested the block rules with the drop action and also placed them first on the output chain (before the accept of related and established) to no avail; packets destined to the log-receiving host go out to the internet despite that host's address being in the INTERNAL_NETWORK list!
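As an added configuration example (not part of the original post, and not a confirmed fix from MikroTik), one way to keep router-originated traffic to internal hosts out of the per-ISP routing marks altogether, so that it never depends on the output filter being consulted after the mark. It reuses the interface names Public1/Public2 and the address list INTERNAL_NETWORK from the post; the RFC1918 entries in the list and the rule comments are assumptions.

```routeros
# Added example; assumes INTERNAL_NETWORK covers the RFC1918 ranges.
/ ip firewall address-list
add list=INTERNAL_NETWORK address=10.0.0.0/8
add list=INTERNAL_NETWORK address=172.16.0.0/12
add list=INTERNAL_NETWORK address=192.168.0.0/16

# Layer 1: stop mangle processing for router output to internal hosts
# BEFORE the wiki-style mark-connection / mark-routing rules, so these
# packets keep the main routing table and are never steered to an ISP.
/ ip firewall mangle
add chain=output dst-address-list=INTERNAL_NETWORK action=accept \
    comment="never routing-mark router traffic to internal destinations"
# ... the mark-connection / mark-routing rules from the wiki example follow here ...

# Layer 2: the posted reject rules, kept at the top of the output chain
# (before the established/related accept) as a second safety net.
/ ip firewall filter
add chain=output out-interface=Public1 dst-address-list=INTERNAL_NETWORK \
    action=reject reject-with=icmp-net-prohibited
add chain=output out-interface=Public2 dst-address-list=INTERNAL_NETWORK \
    action=reject reject-with=icmp-net-prohibited

# Check: after the syslog host is taken offline, the mangle accept counter
# should grow and the filter reject counters should stay at zero.
/ ip firewall mangle print stats
/ ip firewall filter print stats where chain=output
```

The ordering matters: the accept in mangle must precede the marking rules, since a routing mark already applied to the packet is what sends it toward an ISP interface.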