I get the message above every now & then. Is this reason to worry about having something misconfigured?
My firewall has a rule to drop all input packets that are not established or related.
Post your config; the fact that such things are denied means all is working…
But to be on the safe side, best to see what is setup.
/export hide-sensitive file=anynameyouwish
You won’t get that kind of message if you try to access your router but there is a drop rule for example…
There are similar posts if you search in the forum http://forum.mikrotik.com/t/denied-winbox-dude-message/114663/1
What is your ROS version?
Sorry, even with "hide-sensitive" there's enough config I don't feel comfortable posting publicly. Here are my firewall filter rules; some are redundant, I know. ether3 is my WAN port.
/ip firewall filter
add action=fasttrack-connection chain=forward connection-state=\
established,related,untracked disabled=yes hw-offload=yes
add action=accept chain=forward comment=\
"allow incoming SSH. Notice port! This is because NAT" connection-state=\
new disabled=yes dst-port=22 in-interface-list=WAN log=yes log-prefix=\
"WAN SSH initiate" protocol=tcp
add action=accept chain=forward connection-nat-state=srcnat connection-state=\
established,related in-interface=bridge-580
add action=reject chain=forward connection-state="" in-interface=bridge-580 \
out-interface=!ipip-tunnel1 reject-with=icmp-network-unreachable
add action=accept chain=forward comment="Established, Related" \
connection-state=established,related,untracked
add action=accept chain=input dst-port=51821 in-interface-list=WAN protocol=\
udp
add action=accept chain=input dst-port=13231 in-interface-list=WAN protocol=\
udp
add action=drop chain=forward comment="Drop invalid" connection-state=invalid \
log-prefix="FW Invalid Drop"
add action=drop chain=forward comment=\
"Drop incoming packets that are not NATted" connection-nat-state=!dstnat \
connection-state=new in-interface-list=WAN log=yes log-prefix=!NAT:
add action=drop chain=forward comment=\
"Drop incoming from internet which is not public IP" in-interface-list=\
WAN log=yes log-prefix=!public src-address-list=not_in_internet
add action=drop chain=forward comment=\
"Drop packets from LAN that do not have LAN IP" disabled=yes \
in-interface-list=LAN src-address-list="my LAN"
add action=drop chain=forward comment="drop all" in-interface-list=WAN log=\
yes log-prefix="FW Drop:"
add action=drop chain=input connection-state=!established,related,untracked \
in-interface=ether3 log-prefix="\?\?"
add action=drop chain=input dst-port=53 in-interface-list=WAN protocol=tcp
add action=drop chain=input dst-port=53 in-interface-list=WAN protocol=udp
add action=drop chain=input dst-port=8291 in-interface-list=WAN protocol=tcp
I'd expect rule
add action=drop chain=input connection-state=!established,related,untracked
in-interface=ether3 log-prefix="??"
to drop any attempt to access winbox before winbox has the chance to log the line in the subject. I guess somehow a winbox connection from my LAN got routed internally via the wan IP???
Version is 7.1. Thanks for the link, I read it already and frankly did not make any use of it. See my rules, I believe I have what it takes.
Well, your firewall rules are a mess if that's any indication of the rest of the config…
USE
/export hide-sensitive file=anynameyouwish
Then, before posting here,
just ensure you have removed anything that slipped by.
WANIP or WANIP Gateway are the only things that come to mind.
You may have WANIPs in firewall address lists to remove.
Not as familiar with 7.1, but if so just remove any ipsec lines if you have ipsec.
As said earlier, a drop rule won’t give you such a message in the Log even if you have log=yes…
What I can assume is that in /ip service you have explicitly allowed specific subnets only (address spaces) to access either winbox, or telnet or ssh etc … The connections that are allowed through the firewall but are blocked through the /ip service would give you such a warning in the log…
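As an added illustration of the two layers described above (not the poster's config and not from the thread): the management services in /ip service are limited to the LAN subnets, and an input rule keyed on an address list rather than on in-interface=ether3 drops new winbox/ssh connections from any other source on whichever interface they arrive, so the firewall log (with its src-address) shows where the attempt came from instead of the service logging a denial. The subnet values and the list name are placeholders.

```routeros
# Added example, not the poster's configuration. Subnets and list name are placeholders.
/ip firewall address-list
add list=mgmt-allowed address=192.168.10.0/24 comment="LAN subnet 1 (placeholder)"
add list=mgmt-allowed address=192.168.20.0/24 comment="LAN subnet 2 (placeholder)"

# Second layer: the services themselves only answer the same subnets.
/ip service
set winbox address=192.168.10.0/24,192.168.20.0/24
set ssh address=192.168.10.0/24,192.168.20.0/24

# First layer: drop and log new connections to winbox (8291) and ssh (22) from any
# source not in the list, regardless of the interface they arrive on. Filter rules are
# evaluated in order, so this must sit before any broad accept in the input chain.
/ip firewall filter
add chain=input action=drop protocol=tcp dst-port=8291,22 connection-state=new \
    src-address-list=!mgmt-allowed log=yes log-prefix="mgmt-deny:" \
    comment="drop management access from outside the LAN list"
```

A hit on this rule logs the source address and interface, which is the information needed to tell a hairpinned LAN connection to the WAN address apart from an external one.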
That's clear to me.
yes, only two LAN subnets are allowed to access winbox. This is exactly how I understand it — connection from my wan IP got through the firewall. The question is where did it come from.
Yes, I'm bad with iptables.
I don’t get that. I capture my WAN IP in an address list which I don’t use for any purposes currently AFAIK.
Do you run Dude on your router?
Not on that one. I run Dude on another router in the LAN. Interesting clue, that may be it…
But if it is another device in the LAN, it would show that LAN IP and not your WAN IP as you state in your first post…