There is one thing I cannot really understand; I think it has to do with my network knowledge, but maybe you people could help me.
When I do firewall rules, I basically do this: input drop invalid - input accept related,established, and then the same with forward, and at the end: drop input in-interface:WAN
This way I think I'm fine, but I read a comment somewhere where they do the same kind of firewall and asked: why do the connections work from the laptop? Aren't those connections new? Why can I pass the firewall without a rule like this: forward accept conn-state:new in-interface:LAN, or something like this?
Your answer would be greatly appreciated, because I think I'm missing something!
Thank you in advance!
The default for the firewall filter is to accept. If you remove all rules, everything would be accepted.
If you only add chain=forward action=drop, then all being forwarded would be dropped.
Now change that rule to include in-interface=ether1 and now only forwards coming from ether1 are being dropped.
This allows the LAN (laptop) to connect to the Internet, but the replies cannot come back. This is why you need to accept Established, Related. Now the returns are accepted.
I just wanted to write down why I still don't understand, but now I get it: because there is NO rule that talks about “conn-state:new”, the rule is already enabled, right?
Thank you, now I'm in a state where I do understand; a few seconds later the whole thing is just crazy again.
If I have 4 forward rules (which affect, for example, browsing the web on my laptop):
accept forward established/related
drop forward invalid
accept forward destination-address list: 192.168.1.0/24 in-interface:WAN Source-AddressList: !BOGONS (I know, bogons don't have anything to do with it, but I wanted to copy the whole command I use now in my fw) (my LAN is now 192.168.1.0/24)
This is now my config for the forward part. My question is: if I drop all FORWARD at the end, does this not include the “forward, conn-state:new”? Because it seems so; I can just browse the web and stuff, and now it's not logical for me again. I did not say anything about conn-state:new, but I did say all other forwarded traffic should be dropped!
All rules in Mikrotik are processed sequentially. Look in Winbox, on the left side of the ip/firewall rules. You will see a column labeled “#”. This is the number of the firewall rule. Click the “#” to order the list. The firewall rules will be processed in that order, starting from 0 (zero). Once a rule is matched, the other rules are not processed, except if action=passthrough. action=passthrough is used primarily to gather statistics.
In your case, the rule
accept forward source-address list: 192.168.1.0/24 out-interface:WAN
Thank you for your time, now I got it and it helped me a lot.
I marked 2frog's reply as an answer, because that was the answer to the original question, but your answer was helping me too, to fully understand what I'm doing.
This doesn’t look like something you want to have:
It’s basically that everything from WAN (including new connections) is allowed to access your LAN (except what’s in BOGONS address list). You shouldn’t need this. You want to keep the rule allowing access from LAN to WAN, and replies will be allowed by “accept forward established/related”. If you have any forwarded ports, add another accept rule with connection-nat-state=dstnat.
Then for me this means: from the WAN side everything can come in that is not on the bogon list and, most importantly, only the established/related. So only what internal users initiated, and not from/to bogons! Am I right? How would you build your public firewall rules? I'm really curious, but sadly everyone is protecting their public fw config from the public. Thank you in advance for your reply and time.
And what do you expect from DMZ (*)? Because what your rule does is open unlimited access to all devices in the 192.168.1.0/24 subnet to anyone (except BOGONS). Well, theoretically, a random person from the internet won't be able to connect to your private addresses, but any device connected to your router's WAN port would be able to access anything.
Look at it like this: the first two rules take care of established/related/invalid, so what's left is new/untracked. We can forget untracked now, because it doesn't happen by itself; you have to skip tracking for some packets in the raw table. So you can imagine all following rules as having connection-state=new. Do you really want to accept all new connections from WAN? Probably not.
(*) The problem with the term DMZ is that home routers completely screwed up the meaning. It's supposed to be a network isolated from the rest of the LAN, but they use it as a “better looking” (I guess) term for a simple dstnat to a device in the LAN.
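The three things argued over in this thread (the filter's default accept and first-match processing from 2frog's and the later reply, and Sob's objection to the WAN rule plus the "accept replies and LAN-originated traffic, then drop the rest" shape) can be checked with a small simulator. The code below is an added example written for this page, not RouterOS code or anything posted in the thread; it mimics the filter semantics described above (rules walked in order, first match decides, no match means accept) and uses assumed interface names (ether1 as WAN, bridge as LAN), constructed address lists and constructed packets.

```python
# Constructed first-match filter simulator modelled on the RouterOS filter
# behaviour described in the thread. Not RouterOS code: interface names,
# address lists and packets are assumptions made for the example.
import ipaddress
from dataclasses import dataclass
from typing import Optional

WAN, LAN = "ether1", "bridge"   # assumed interface names

@dataclass
class Packet:
    chain: str
    in_iface: str
    out_iface: Optional[str]
    conn_state: str           # new / established / related / invalid / untracked
    src: str
    dst: str
    nat_state: Optional[str] = None   # "dstnat" when a port-forward matched first

# Constructed address lists, as /ip firewall address-list would hold them
ADDRESS_LISTS = {
    "LAN":    [ipaddress.ip_network("192.168.1.0/24")],
    "BOGONS": [ipaddress.ip_network(n) for n in
               ("10.0.0.0/8", "192.168.0.0/16", "127.0.0.0/8")],
}

def in_list(ip, name):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in ADDRESS_LISTS[name])

def rule_matches(rule, p):
    """Every matcher present in the rule must match; a leading '!' negates an address-list matcher."""
    for key, want in rule.items():
        if key in ("chain", "action"):
            continue
        if key == "in-interface" and p.in_iface != want:
            return False
        if key == "out-interface" and p.out_iface != want:
            return False
        if key == "connection-state" and p.conn_state not in want.split(","):
            return False
        if key == "connection-nat-state" and p.nat_state != want:
            return False
        if key in ("src-address-list", "dst-address-list"):
            ip = p.src if key.startswith("src") else p.dst
            negate = want.startswith("!")
            if in_list(ip, want.lstrip("!")) == negate:
                return False
    return True

def evaluate(rules, p):
    """Walk the chain top to bottom; the first matching rule decides.
    passthrough only counts and continues; no match at all means accept."""
    for idx, rule in enumerate(rules):
        if rule["chain"] != p.chain or not rule_matches(rule, p):
            continue
        if rule["action"] == "passthrough":
            continue
        return rule["action"], idx
    return "accept", None

# 1) The OP's first rule set: nothing mentions connection-state=new, yet a new
#    LAN->WAN connection passes because no rule matches it (default accept).
OP_ORIGINAL = [
    {"chain": "forward", "action": "drop",   "connection-state": "invalid"},
    {"chain": "forward", "action": "accept", "connection-state": "established,related"},
    {"chain": "forward", "action": "drop",   "in-interface": WAN},
]

# 2) The OP's later set with the WAN rule Sob objected to: any new connection
#    from WAN into the LAN is accepted as long as the source is not a bogon.
OP_WAN_OPEN = [
    {"chain": "forward", "action": "accept", "connection-state": "established,related"},
    {"chain": "forward", "action": "drop",   "connection-state": "invalid"},
    {"chain": "forward", "action": "accept", "in-interface": WAN,
     "dst-address-list": "LAN", "src-address-list": "!BOGONS"},
    {"chain": "forward", "action": "accept", "src-address-list": "LAN", "out-interface": WAN},
    {"chain": "forward", "action": "drop"},
]

# 3) The shape Sob recommends: replies, LAN-originated traffic and dstnat'ed
#    port forwards are accepted; everything else (i.e. new from WAN) is dropped.
RECOMMENDED = [
    {"chain": "forward", "action": "accept", "connection-state": "established,related"},
    {"chain": "forward", "action": "drop",   "connection-state": "invalid"},
    {"chain": "forward", "action": "accept", "in-interface": LAN},
    {"chain": "forward", "action": "accept", "connection-nat-state": "dstnat"},
    {"chain": "forward", "action": "drop"},
]

# Constructed packets (addresses are documentation/example ranges)
laptop_new  = Packet("forward", LAN, WAN, "new",         "192.168.1.10", "93.184.216.34")
reply       = Packet("forward", WAN, LAN, "established", "93.184.216.34", "192.168.1.10")
wan_new     = Packet("forward", WAN, LAN, "new",         "198.51.100.7", "192.168.1.10")
wan_forward = Packet("forward", WAN, LAN, "new",         "198.51.100.7", "192.168.1.20", nat_state="dstnat")

if __name__ == "__main__":
    for name, rules in (("OP_ORIGINAL", OP_ORIGINAL), ("OP_WAN_OPEN", OP_WAN_OPEN), ("RECOMMENDED", RECOMMENDED)):
        for label, p in (("laptop_new", laptop_new), ("reply", reply),
                         ("wan_new", wan_new), ("wan_forward", wan_forward)):
            print(f"{name:12s} {label:12s} -> {evaluate(rules, p)}")
```

Running it shows the answer to the original question in the first block: `laptop_new` under `OP_ORIGINAL` returns `("accept", None)`, i.e. no rule matched and the default let it through. Under `OP_WAN_OPEN` the same `wan_new` packet is accepted by the third rule, which is exactly the exposure Sob describes, while under `RECOMMENDED` it falls through to the final drop and only the dstnat'ed port forward from WAN is let in.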
Sob, I totally understand now how this works and what the problem was. Thank you for pointing out my mistake, this really helped me a lot to understand the MikroTik way of thinking!