Default drop rule

Running in circles for a couple of hours. I have two routers … the first one does inter-VLAN routing and the other one handles Internet access (NAT, hotspot, etc.).

On the inter-VLAN router I set up allow and deny rules in the forward chain to handle local routing for the different VLANs/subnets,
but I would like to finish with a default-drop rule so that if something is forgotten to be explicitly allowed by other admins it defaults to drop/reject.

But if I define a drop-all rule without parameters as the last rule in the firewall, it drops everything, even traffic that was previously allowed.
I assume this is easy to solve, but I have run out of ideas.

Maybe a jump without return, but then I would need to define it for every allow rule, which seems clumsy…

Open your firewall filter rules in winbox.
Reset all counters.
If no byte/packet counters are moving on the accept rules, then well … they are not accepting.

Without looking at your config, nobody can know why.

You need to understand that the default firewall installed by RouterOS (on models that have a default configuration) operates on the principle that undesired traffic is blocked and at the end of the list there is an implicit “default accept”.
The structure of the rules is dependent on that.
So when you want to add an explicit rule, it should be a default accept rule, not a default block rule.

Of course you can change all that. You can wipe the entire firewall and make your own if you like, and you can end it with a default block.
I do that all the time on routers where there are different local networks, and indeed it works fine. But of course you need to be careful, the details are important.
I’m sure you have a mistake in your rules even when you do not see it right now.

Configuration is relatively complex to post and contains too many private details to remove… talking about ~150 rules or so.
Allow-all is great as a SOHO firewall default, but generally shouldn’t be a corporate practice…

When I activate default deny-all as the last rule in the firewall forward chain, it does register some blocked traffic, confirmed by rule counters, and it logs it too. If I disable the block-all rule, traffic passes normally and there is nothing in the logs/counters, of course.

In particular it is a unicast video stream between two VLANs that jumps out immediately in the logs, but other less frequent inter-VLAN traffic does too.
That same traffic is allowed in prior allow rules.
Allow rules mainly allow traffic by subnets/lists, so I must have missed something like a subnet mask or maybe specified incorrect interface/list.

At this point it was important for me to confirm that a default deny-all rule can be used in the MKTK firewall and that allow rules above it should pass the matched traffic before it hits the deny-all at the bottom and gets denied… like any other firewall would normally behave.

Thank you guys.

Of course. I do not like the default config either, although it is already much better than before.
But it is set up in such a way that “unknown traffic is blocked” even in this default config, even though it ends in a default accept.

When I activate default deny-all as the last rule in the firewall forward chain, it does register some blocked traffic, confirmed by rule counters, and it logs it too. If I disable the block-all rule, traffic passes normally and there is nothing in the logs/counters, of course.

I’m sure there is some mistake somewhere in your complex setup!

At this point it was important for me to confirm that a default deny-all rule can be used in the MKTK firewall and that allow rules above it should pass the matched traffic before it hits the deny-all at the bottom and gets denied… like any other firewall would normally behave.

For sure!
Of course also note that using connection tracking and the established/related rule can sometimes lead to surprises especially when you are experimenting with rule changes.
An open connection in the connection tracking is NOT erased when you add a rule that would block it. The existing connection tracking and established/related rule still allows it to continue. Only new traffic is blocked when it hits your new rules.

On your last remark:
when playing with firewall rules, either go to the Connections tab and remove all open connections,
or reboot the router.
Both work to make sure new rules get into play where they should.
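The rule layout the replies describe, as an added RouterOS filter fragment (this is not configuration from the thread, and the VLAN subnets, address-list names and the HTTPS/DNS ports are placeholders): explicit accepts sit above a final drop, the established/related rule comes first so the return half of an already-permitted flow is not caught by the drop, and a log rule in front of the drop shows what the default rule is catching. The last commands are the counter reset suggested earlier in the thread and the connection flush from the last reply.

```routeros
# Added example: inter-VLAN forward chain ending in a default drop.
# Subnets, list names and ports are placeholders, not the poster's configuration.
/ip firewall address-list
add list=vlan10-users   address=10.10.10.0/24 comment="placeholder subnet"
add list=vlan20-servers address=10.10.20.0/24 comment="placeholder subnet"

/ip firewall filter
# 1. Replies to flows accepted further down must match here, otherwise the
#    final drop swallows the return direction of every permitted session.
add chain=forward action=accept connection-state=established,related \
    comment="accept replies to already-permitted flows"
add chain=forward action=drop connection-state=invalid \
    comment="drop packets that belong to no tracked connection"

# 2. Explicit inter-VLAN permits. First match wins, so no jump/return is
#    needed: a matching accept ends evaluation before the drop is reached.
add chain=forward action=accept src-address-list=vlan10-users \
    dst-address-list=vlan20-servers protocol=tcp dst-port=443 \
    comment="users -> servers HTTPS"
add chain=forward action=accept src-address-list=vlan10-users \
    dst-address-list=vlan20-servers protocol=udp dst-port=53 \
    comment="users -> servers DNS"

# 3. Log, then drop. The prefix makes forgotten traffic easy to find in the
#    log, and the counters on both rules show they are matching.
add chain=forward action=log log-prefix="fwd-default-drop " \
    comment="log anything not explicitly accepted above"
add chain=forward action=drop comment="default drop, keep this rule last"

# Check which rules actually match; reset first so old counts do not confuse.
/ip firewall filter reset-counters-all
/ip firewall filter print stats

# Tracked connections opened before a new drop rule keep matching the
# established/related rule. Flush them so every flow is re-evaluated
# against the new rules (same effect as clearing the Connections tab).
/ip firewall connection remove [find]
```

Paste the fragment into the terminal (or import it as a script); the backslash line continuations are the form RouterOS itself uses in exports. If a flow shows up under the `fwd-default-drop` prefix while an accept rule above is meant to cover it, compare the logged source/destination and protocol against that accept rule's address lists and ports, since that is where a wrong mask or list name shows up.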