Confused with firewall rules

Hi everyone,

I'm a beginner on Mikrotik, but I really need it to manage my little network. I have 30 machines on my network with some light particularities. I had been told that this Mikrotik system is easier to configure and has many other advantages like QoS etc. But now I'm confused about how to configure it correctly.
Let me explain my problem.

I want to configure a firewall on my router so that, on the one hand, my private LAN would be secured from Internet attacks and, on the other hand, my router would be protected.
First, I did a basic configuration. I have a public IP 208.X.X.X on one side, and my private LAN 192.168.19.0/24 on the other side. I have 2 kinds of users: some who can surf on the Internet and the others who can't but can use the FTP service.

Here's my route configuration:

DST-ADDRESS PREF-SRC GATEWAY-STATE GATEWAY DISTANCE INTERFACE

0 A S 0.0.0.0/0 reachable 208.X.X.X 1 ether2
1 ADC 208.X.X.X/30 208.X.X.X 0 ether2
2 ADC 192.168.19.0/24 192.168.19.X 0 ether1

I also configured DNS on the MKT router and it works. I created 2 address lists: 1 for FTP users and 1 for INTERNET users.

I added those rules in "ip firewall filter":
0 chain=input action=accept protocol=tcp src-address-list=INTERNET_hosts
1 chain=input action=drop protocol=tcp src-address-list=FTP_hosts dst-port=80
2 chain=input action=accept protocol=tcp src-address-list=FTP_hosts dst-port=21
3 X chain=input action=drop in-interface=ether2

and I have these NAT rules in "ip firewall nat"
0 ;;; NAT for FTP hosts
chain=srcnat action=masquerade src-address-list=FTP_hosts
1 ;;; NAT for INTERNET hosts
chain=srcnat action=masquerade src-address-list=INTERNET_hosts


My problem is that, even though I specifically mentioned (in Filter rules) that traffic on port 80 must be dropped for FTP hosts, they are still able to surf on the Internet just like my INTERNET hosts. But when I enable Filter rule n°3, no one on the LAN can open a web page. I don't understand why Filter rule n°1 is not applied...
... maybe I forgot to do something...

So, please help me understand what's wrong in my configuration.

Like I said before I'm a beginner on Mikrotik, that's why I'm asking this question:
With Mikrotik, when a packet is sent from the LAN to the Internet, is it NATed before it is filtered, or the other way round? And what happens when it comes back from the Internet?

Thanks a lot, in advance, for your help.

You are using the firewall chain called “input”. This is for traffic connections to the physical interfaces themselves, i.e. the Mikrotik OS. Therefore it will only apply those rules you have created to packets that have a destination IP address which is the same as one of the interfaces of the Mikrotik.

If you want to make firewall rules for traffic going through the mikrotik, you need to use the “forward” chain.

Ron.

yes, nest is right.


Input:
—> ROUTER

Output:
ROUTER—>

Forward:
—>Router—>
<—Router<—

Hi,

Thanks guys for your help. I will follow your suggestion and let you know what happens

see you soon

rogue

Hi guys,

I tried what you told me and it worked just as right as you said, so thanks again.

I have a new issue. Aren't the rules in the router filter executed sequentially, I mean from the 1st one to the last one?
I wanted to block all traffic toward my router and then decide which ones I would grant access to. This is what I implemented:
0 chain=forward action=accept protocol=tcp src-address-list=LAN_users dst-port=80
1 chain=forward action=drop protocol=0 src-address=0.0.0.0/0
2 chain=forward action=drop protocol=!0 src-address=0.0.0.0/0

I already implemented a masquerade NAT for the group ‘LAN_users’. I was thinking that the rules were applied in sequential order and I also read that when a packet matches a rule, it won't be processed by any other rules. But with the configuration above, my ‘LAN_users’ can't browse the Internet. Why is that?

Give me please a hand on that matter.
thanks in advance

rogue

yes, that’s right. you can add several ‘allow’ rules, and then one block rule at the end. the block rule doesn’t need any parameters except chain = forward. you can omit the protocol things and addresses. this setup will accept things that are matched at the first rules, but things that don’t match them, will reach end of filter list, and will get dropped.

looks like I'm on the right track…

the fact is, when the rules are like described above, my users can't browse. But when I disable the last rule, they can.
Now I changed the last 2 rules and replaced them with this one: chain=forward action=drop. Now the rules inside my firewall filter are:

0 chain=forward action=accept protocol=tcp src-address-list=LAN_users dst-port=80
1 chain=forward action=drop

but the result is the same as before: they can't browse when rule n°1 is enabled.
If the rules are processed sequentially, why is HTTP traffic blocked when going through the router? I really don't understand what's happening.
Or maybe rule n°0 doesn't correctly define HTTP traffic? Do you think there is a mistake in that rule?

you need port 53 dns to browse

yes Aug, you're right, I forgot about that one. I added this rule about DNS and it looks like this now:

0 chain=forward action=accept protocol=udp dst-port=53
1 chain=forward action=accept protocol=tcp src-address-list=LAN_users dst-port=80
2 chain=forward action=drop

and it's not working either. But, still, when I disable rule n°2, it works…
I forgot to mention that I'm using the 3.20 version of Mikrotik; I don't know if it may be related to this version…

Don’t forget 443 also. Otherwise no one will be able to surf to secure websites! If you want users to access other services, such as email, then ports for those will need to be opened too.

Ron
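Putting Ron's input/forward distinction and the later ordering advice (DNS first, 80 plus 443, a bare drop last) together, here is an added example ruleset that is not from any post in this thread. It assumes ether1 is the LAN side and ether2 the public side, reuses the LAN_users and FTP_hosts address lists from the posts, and adds connection-state rules and tcp/53 alongside udp/53, which the thread did not mention.

```routeros
# Added example, not from the thread. Assumes ether1 = LAN, ether2 = WAN (208.X.X.X side),
# address lists LAN_users (may browse) and FTP_hosts (FTP only) as in the posts above.
# RouterOS walks each chain top to bottom and stops at the first matching rule,
# so order matters: accepts first, an unconditional drop last.

/ip firewall filter

# ---- input chain: packets addressed to the router itself ----
# The router is the LAN's DNS resolver, so replies to its own lookups arrive on ether2
# addressed to the router; accept established/related before dropping new WAN traffic.
add chain=input action=accept connection-state=established comment="replies to the router"
add chain=input action=accept connection-state=related
add chain=input action=accept in-interface=ether1 comment="LAN may reach the router (DNS etc.)"
add chain=input action=drop in-interface=ether2 comment="no new connections from the Internet"

# ---- forward chain: packets passing through the router (LAN <-> Internet) ----
# Return traffic of connections the LAN opened; without these two rules the final drop
# discards replies unless every reply port is listed explicitly.
add chain=forward action=accept connection-state=established
add chain=forward action=accept connection-state=related
# DNS: udp/53 as Aug noted; tcp/53 added here as well (assumption, not in the thread)
add chain=forward action=accept protocol=udp dst-port=53
add chain=forward action=accept protocol=tcp dst-port=53
# Web browsing for the INTERNET group: 80 and, as Ron pointed out, 443
add chain=forward action=accept protocol=tcp src-address-list=LAN_users dst-port=80,443
# FTP-only hosts: control channel; data channels are tracked as related when the
# ftp service-port helper is enabled (it is by default)
add chain=forward action=accept protocol=tcp src-address-list=FTP_hosts dst-port=21
# Everything not accepted above reaches this rule and is dropped (no other parameters needed)
add chain=forward action=drop comment="default deny for everything else"

# srcnat is a separate table. On the way out, forward filtering runs before srcnat,
# so the filter rules above still see the private source address (answers the
# "natted before filtered?" question); the masquerade is as in the first post.
/ip firewall nat
add chain=srcnat action=masquerade out-interface=ether2 src-address-list=LAN_users
add chain=srcnat action=masquerade out-interface=ether2 src-address-list=FTP_hosts
```

With this layout, disabling the final drop to "make it work" is no longer needed; if a service stops working, add an accept rule for it above the drop rather than removing the drop.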