Drop filter rule between subnets does not work.

This is my firewall config:

# Address lists referenced by the rules further down. Only "management" is
# declared in this export; "home trusted", "allowed_ip" and "blocked" are
# used by later rules but not defined here — if they are empty, the rules
# that match on them never fire.
/ip firewall address-list
add address=192.168.5.0/24 list=management
# Connection tracking: UDP entries expire after 10s of inactivity (a short
# value; a reply arriving later than that is no longer established,related).
/ip firewall connection tracking
set udp-timeout=10s
# Filter rules are evaluated top to bottom within a chain and the first
# terminating match (accept/drop) wins, so the position of every accept
# relative to the drop rules near the end of this section decides what
# actually passes.
/ip firewall filter
# Established/related traffic is fasttracked and then accepted by the next
# rule, ahead of every per-subnet drop. Only packets of connections that
# are not yet established reach the drop rules below.
add action=fasttrack-connection chain=forward comment="fasttrack connection" \
    connection-state=established,related hw-offload=yes
add action=accept chain=forward comment="fasttrack connection" \
    connection-state=established,related
# Disabled, so inert. ether1 appears to be the WAN-facing interface here
# (it is also the in-interface used by the DNS and scan rules below).
add action=drop chain=forward comment="block nexus 7 internet" disabled=yes \
    out-interface=ether1 src-address=192.168.5.45
# Router management: accept from the "management" list (192.168.5.0/24) on
# 21 (FTP), 22 (SSH), 2000, 80 (HTTP), 8291 (Winbox), 8728 (API) and 23
# (telnet). FTP, HTTP and telnet carry credentials in cleartext. None of
# these rules restricts in-interface, so a packet with a spoofed
# 192.168.5.x source arriving on ether1 would match as well — consider
# adding in-interface=!ether1 (or the LAN interface) to each of them.
add action=accept chain=input dst-port=21 protocol=tcp src-address-list=\
    management
add action=accept chain=input dst-port=22 protocol=tcp src-address-list=\
    management
add action=accept chain=input dst-port=2000 protocol=tcp src-address-list=\
    management
add action=accept chain=input dst-port=80 protocol=tcp src-address-list=\
    management
add action=accept chain=input dst-port=8291 protocol=tcp src-address-list=\
    management
add action=accept chain=input dst-port=8728 protocol=tcp src-address-list=\
    management
add action=accept chain=input dst-port=23 protocol=tcp src-address-list=\
    management
# Forward-chain accepts. All of them precede the inter-subnet drop rules
# near the end of this section, so whatever they match is never dropped.
# Disabled host-to-host and pihole exceptions: inert until enabled.
add action=accept chain=forward comment="nas to maika android stb" disabled=\
    yes dst-address=192.168.5.2 src-address=192.168.10.99
add action=accept chain=forward comment="nas to maika android stb" disabled=\
    yes dst-address=192.168.10.99 src-address=192.168.5.2
add action=accept chain=forward comment="maika dns pihole" disabled=yes \
    dst-address=192.168.5.16 src-address=192.168.10.0/24
add action=accept chain=forward comment="maika dns pihole" disabled=yes \
    dst-address=192.168.10.0/24 src-address=192.168.5.16
# 192.168.10.0/24 <-> 192.168.5.0/24 exceptions keyed on the "home trusted"
# address-list, which is not declared in this export (see the address-list
# section above); the 192.168.20.0/24 pair is disabled.
add action=accept chain=forward comment="otdelqne 5 ot 10 mreja izkluchenia" \
    dst-address=192.168.5.0/24 dst-address-list="home trusted" src-address=\
    192.168.10.0/24
add action=accept chain=forward comment="otdelqne 10 ot 5 mreja izkluchenia" \
    dst-address=192.168.10.0/24 src-address=192.168.5.0/24 src-address-list=\
    "home trusted"
add action=accept chain=forward comment="otdelqne 5 ot 20 mreja izkluchenia" \
    disabled=yes dst-address=192.168.5.0/24 dst-address-list="home trusted" \
    src-address=192.168.20.0/24
add action=accept chain=forward comment="otdelqne 20 ot 5 mreja izkluchenia" \
    disabled=yes dst-address=192.168.20.0/24 src-address=192.168.5.0/24 \
    src-address-list="home trusted"
# "fasttrack exclude" pairs. The established,related halves sit after the
# fasttrack/accept pair at the top of the chain, which already matches that
# state, so they are shadowed and exclude nothing; an exclusion would have
# to be placed above the fasttrack rule to take effect.
# The src-address halves carry no connection-state and no dst-address
# match, so they accept every new connection from that subnet to anywhere —
# including 192.168.5.0/24 — ahead of the "otdelqne ... ot 5 mreja" drop
# rules further down. This is why the guest (10.1.10.0/24) drops never
# fire; the same shadowing applies to the maika (192.168.10.0/24) and
# vlan20 (192.168.20.0/24) rules. Removing these accepts, or restricting
# them with dst-address=!192.168.5.0/24, restores the isolation.
add action=accept chain=forward comment="nas fasttack exclude" \
    connection-state=established,related disabled=yes dst-address=192.168.5.2
add action=accept chain=forward comment="nas fasttack exclude" disabled=yes \
    src-address=192.168.5.2
add action=accept chain=forward comment="guest fasttrack exclude" \
    connection-state=established,related dst-address=10.1.10.0/24
add action=accept chain=forward comment="guest fasttrack exclude" \
    src-address=10.1.10.0/24
add action=accept chain=forward comment="maika fasttrack exclude" \
    connection-state=established,related dst-address=192.168.10.0/24
add action=accept chain=forward comment="maika fasttrack exclude" \
    src-address=192.168.10.0/24
add action=accept chain=forward comment="vlan20 fasttrack exclude" \
    connection-state=established,related dst-address=192.168.20.0/24
add action=accept chain=forward comment="vlan20 fasttrack exclude" \
    src-address=192.168.20.0/24
# Port-scan detection (input chain): matching sources are added to the
# "port scanners" list for 2w and dropped by the "dropping port scanners"
# rule further down. None of the psd rules restricts in-interface, so a LAN
# host that probes the router gets listed as well. The first rule excludes
# 192.168.5.36, but the second one is identical without the exclusion and
# still lists that host, so the exclusion has no effect.
add action=add-src-to-address-list address-list="port scanners" \
    address-list-timeout=2w chain=input comment=\
    "Port scanners list -  exclude sam s10e" protocol=tcp psd=21,3s,3,1 \
    src-address=!192.168.5.36
add action=add-src-to-address-list address-list="port scanners" \
    address-list-timeout=2w chain=input comment="Port scanners to list " \
    protocol=tcp psd=21,3s,3,1
# TCP-flag scan signatures. Only this first NULL-scan rule is limited to
# ether1 and to sources outside the (undeclared) allowed_ip list; the last
# rule in this group repeats the same flag pattern for every interface.
add action=add-src-to-address-list address-list="port scanners" \
    address-list-timeout=2w chain=input comment=\
    "Add NMAP NULL scan to Port Scanners address list" in-interface=ether1 \
    protocol=tcp src-address-list=!allowed_ip tcp-flags=\
    !fin,!syn,!rst,!psh,!ack,!urg
add action=add-src-to-address-list address-list="port scanners" \
    address-list-timeout=2w chain=input comment="NMAP FIN Stealth scan" \
    protocol=tcp tcp-flags=fin,!syn,!rst,!psh,!ack,!urg
add action=add-src-to-address-list address-list="port scanners" \
    address-list-timeout=2w chain=input comment="SYN/FIN scan" protocol=tcp \
    tcp-flags=fin,syn
add action=add-src-to-address-list address-list="port scanners" \
    address-list-timeout=2w chain=input comment="SYN/RST scan" protocol=tcp \
    tcp-flags=syn,rst
add action=add-src-to-address-list address-list="port scanners" \
    address-list-timeout=2w chain=input comment="FIN/PSH/URG scan" protocol=\
    tcp tcp-flags=fin,psh,urg,!syn,!rst,!ack
add action=add-src-to-address-list address-list="port scanners" \
    address-list-timeout=2w chain=input comment="ALL/ALL scan" protocol=tcp \
    tcp-flags=fin,syn,rst,psh,ack,urg
add action=add-src-to-address-list address-list="port scanners" \
    address-list-timeout=2w chain=input comment="NMAP NULL scan" protocol=tcp \
    tcp-flags=!fin,!syn,!rst,!psh,!ack,!urg
# Inter-subnet isolation. These drops only see packets that no accept rule
# above has already taken — in particular the established,related accept at
# the top and the per-subnet "fasttrack exclude" src-address accepts — so
# a new connection from 10.1.10.0/24, 192.168.10.0/24 or 192.168.20.0/24
# toward 192.168.5.0/24 never reaches them. None of these rules sets
# protocol, so ICMP is covered as far as the rule is reached at all.
add action=drop chain=forward comment="otdelqne 10.1.10.0 ot 5 mreja" \
    dst-address=10.1.10.0/24 src-address=192.168.5.0/24
add action=drop chain=forward comment="otdelqne 10.1.10.0 ot 5 mreja" \
    dst-address=192.168.5.0/24 src-address=10.1.10.0/24
add action=drop chain=forward comment="otdelqne 5 ot 10 mreja" dst-address=\
    192.168.5.0/24 src-address=192.168.10.0/24
add action=drop chain=forward comment="otdelqne 10 ot 5 mreja" dst-address=\
    192.168.10.0/24 src-address=192.168.5.0/24
add action=drop chain=forward comment="otdelqne 5 ot 20 mreja" dst-address=\
    192.168.5.0/24 src-address=192.168.20.0/24
add action=drop chain=forward comment="otdelqne 20 ot 5 mreja" dst-address=\
    192.168.20.0/24 src-address=192.168.5.0/24
# The "blocked" list is not declared in this export.
add action=drop chain=forward comment="ps4 update" dst-address-list=blocked
# Enforcement for the port-scan detection rules above.
add action=drop chain=input comment="dropping port scanners" \
    src-address-list="port scanners"
# Per-port input drops for everyone not matched by the management accepts
# above. 443 has no accept above, so it is dropped for the management list
# too. There is no final catch-all drop in the input chain, so any other
# service listening on the router stays reachable from every interface by
# default.
add action=drop chain=input dst-port=21 protocol=tcp
add action=drop chain=input dst-port=22 protocol=tcp
add action=drop chain=input dst-port=23 protocol=tcp
add action=drop chain=input dst-port=80 protocol=tcp
add action=drop chain=input dst-port=443 protocol=tcp
add action=drop chain=input dst-port=2000 protocol=tcp
add action=drop chain=input dst-port=8291 protocol=tcp
add action=drop chain=input dst-port=8728 protocol=tcp
# Content-match ad blocking (forward and output). On port 443 a match only
# happens if the hostname appears in cleartext in the packet (e.g. the TLS
# SNI), so this is best-effort; the content filter also runs on every
# packet it sees.
add action=drop chain=forward comment="BLOCK GoogleADS doubleclick.net-v.2" \
    content=doubleclick.net dst-port=80,443 protocol=tcp
add action=drop chain=output comment="BLOCK GoogleADS doubleclick.net-v.2" \
    content=doubleclick.net dst-port=80,443 protocol=tcp
add action=drop chain=forward comment="BLOCK GoogleADS ggpht.com-v.2" \
    content=ggpht.com dst-port=80,443 protocol=tcp
add action=drop chain=output comment="BLOCK GoogleADS ggpht.com-v.2" content=\
    ggpht.com dst-port=80,443 protocol=tcp
add action=drop chain=forward comment="BLOCK YOUTUBE ADS-v.2" content=&ctier \
    dst-port=80,443 protocol=tcp
add action=drop chain=output comment="BLOCK YOUTUBE ADS-v.2" content=&ctier \
    dst-port=80,443 protocol=tcp
# Invalid-state packets, evaluated after all of the accepts above.
add action=drop chain=forward comment="fasttrack connection" \
    connection-state=invalid
# DNS arriving on ether1 is already dropped in /ip firewall raw (prerouting
# runs before the input chain), so these two rules are redundant.
add action=drop chain=input comment="Block DdosAtack" dst-port=53 \
    in-interface=ether1 protocol=udp
add action=drop chain=input comment="Block DdosAtack" dst-port=53 \
    in-interface=ether1 protocol=tcp
# DDoS detection chain (detect-ddos) and its jump: all disabled, inert.
add action=jump chain=forward comment="Block DdosAtack" connection-state=new \
    disabled=yes jump-target=detect-ddos
add action=return chain=detect-ddos comment="Block DdosAtack" disabled=yes \
    dst-limit=32,32,src-and-dst-addresses/10s
add action=add-dst-to-address-list address-list=ddosed address-list-timeout=\
    10m chain=detect-ddos comment="Block DdosAtack" disabled=yes
add action=add-src-to-address-list address-list=ddoser address-list-timeout=\
    10m chain=detect-ddos comment="Block DdosAtack" disabled=yes
add action=drop chain=forward comment="Block DdosAtack" connection-state=new \
    disabled=yes dst-address-list=ddosed src-address-list=ddoser
# Disabled one-off blocks: a single external host, facebook by content
# match, and DHCP replies (src-port 67 -> dst-port 68) not coming from
# 192.168.5.1. Note the last one is in the forward chain; whether routed
# DHCP traffic ever passes through it depends on the bridge/IP-firewall
# setup, which is not part of this export.
add action=drop chain=input comment="block gate" disabled=yes src-address=\
    91.139.192.1
add action=drop chain=forward comment="block facebook" content=facebook \
    disabled=yes dst-port=80,443 protocol=tcp src-address=192.168.5.0/24
add action=drop chain=forward comment="block unknown dhcp i network" \
    disabled=yes dst-port=68 protocol=udp src-address=!192.168.5.1 src-port=\
    67
# Mangle. The MSS-clamping chain and the jump into it are disabled.
/ip firewall mangle
add action=jump chain=forward comment="tcp, mss" disabled=yes jump-target=mss
add action=change-mss chain=mss comment="tcp, mss fixation" disabled=yes \
    new-mss=1440 passthrough=yes protocol=tcp tcp-flags=syn tcp-mss=!536-1460
add action=change-mss chain=mss comment="tcp, mss 1440 for mtu 1492" \
    disabled=yes new-mss=1440 passthrough=yes protocol=tcp tcp-flags=syn \
    tcp-mss=1453-65535
add action=change-mss chain=mss comment="tcp,mss clamp-to-pmtu" disabled=yes \
    new-mss=clamp-to-pmtu passthrough=yes protocol=tcp tcp-flags=syn
add action=log chain=prerouting comment="fragmenting iptv loggging" disabled=\
    yes fragment=yes log-prefix=mangle-pre-fragment
# Connection/packet marking: tcp/80 -> http_conn/http, everything else ->
# other_conn/other. Whatever consumes these marks (presumably queues) is not
# part of this export.
add action=mark-connection chain=prerouting dst-port=80 new-connection-mark=\
    http_conn passthrough=yes protocol=tcp
add action=mark-packet chain=prerouting connection-mark=http_conn \
    new-packet-mark=http passthrough=no
add action=mark-connection chain=prerouting new-connection-mark=other_conn \
    passthrough=yes
add action=mark-packet chain=prerouting connection-mark=other_conn \
    new-packet-mark=other passthrough=no
# Disabled. layer7-protocol=*1 refers to a layer7 entry by internal id; the
# definition is not included in this export.
add action=mark-packet chain=prerouting comment="ms list dst" disabled=yes \
    layer7-protocol=*1 new-packet-mark=ms passthrough=no
# Raw (pre-connection-tracking) rules. DNS queries arriving on ether1 are
# discarded before conntrack, which keeps the router from acting as a
# resolver toward that interface (assumed to be the WAN side).
/ip firewall raw
add action=log chain=prerouting comment="fragmenting iptv loggging" disabled=\
    yes fragment=yes log-prefix=raw-fragment
add action=drop chain=prerouting dst-port=53 in-interface=ether1 protocol=tcp
add action=drop chain=prerouting dst-port=53 in-interface=ether1 protocol=udp
# Connection-tracking helpers: the SIP helper is turned off.
/ip firewall service-port
set sip disabled=yes

These 2 rules:
add action=drop chain=forward comment=“otdelqne 10.1.10.0 ot 5 mreja”
dst-address=10.1.10.0/24 src-address=192.168.5.0/24
add action=drop chain=forward comment=“otdelqne 10.1.10.0 ot 5 mreja”
dst-address=192.168.5.0/24 src-address=10.1.10.0/24

They don't work: I still have ICMP between hosts in the 2 subnets. Please help me solve this.

You have an accept rule for src-address=10.1.10.0/24 before the drop rule for the same subnet.
As for the other drop rule, I don't see anything suspicious — assuming the currently disabled rules were also disabled when you tested it.

Ignoring firewall rules.


А къде е останалото?

Всичко, което е необходимо, е разтоварването на хардуера да е активно и пакетите дори не преминават през защитната стена…

I didn't understand — do I have to share the whole configuration? Isn't the firewall export enough? Мога ли да ви пиша на български и ще ме разберете ли? Понеже английския не ми е добър.

This is my actual working firewall config export.

I will try disabling this accept rule and share the result tonight.

This rule is for excluding this network from fasttrack.

Yes, because we need to see the whole picture.

This has no impact on fasttrack. It only allows initial traffic from 10.1.10.0/24 to everywhere. After the connection is established, the fasttrack rule, which is first in the forward chain, catches that and all related connections.

After disabling the rules, all is OK for now, thanks for the help. I will try it for a couple of days to see that everything works normally.