Dropping forward chain new - pppoe connections

Hi to all,

I have the following configuration:

# RouterOS export as pasted in the original post. Reviewer remarks are marked
# NOTE(review); the PPPoE user and WireGuard public key look like placeholders.
/interface bridge
add name=bridge1 port-cost-mode=short
/interface ethernet
set [ find default-name=sfp1 ] disabled=yes
/interface wireguard
add listen-port=13231 mtu=1420 name=wireguard1
# pppoe-out1 (on top of ether1) is the real internet-facing interface - it is the
# masquerade out-interface further down - but only ether1 is put into the WAN
# interface list; see the NOTE(review) at /interface list member.
/interface pppoe-client
add add-default-route=yes disabled=no interface=ether1 name=pppoe-out1 user=\
    423423423423
/interface list
add name=LAN
add name=WAN
/interface lte apn
set [ find default=yes ] ip-type=ipv4 use-network-apn=no
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip pool
add name=dhcp_pool0 ranges=192.168.0.20-192.168.0.200
/ip dhcp-server
add address-pool=dhcp_pool0 interface=bridge1 lease-time=4h name=dhcp1
/ip smb users
set [ find default=yes ] disabled=yes
/port
set 0 name=serial0
/routing bgp template
set default disabled=no output.network=bgp-networks
/routing ospf instance
add disabled=no name=default-v2
/routing ospf area
add disabled=yes instance=default-v2 name=backbone-v2
/interface bridge port
add bridge=bridge1 ingress-filtering=no interface=ether2 internal-path-cost=10 \
    path-cost=10
add bridge=bridge1 ingress-filtering=no interface=ether3 internal-path-cost=10 \
    path-cost=10
add bridge=bridge1 ingress-filtering=no interface=ether4 internal-path-cost=10 \
    path-cost=10
add bridge=bridge1 ingress-filtering=no interface=ether5 internal-path-cost=10 \
    path-cost=10
add bridge=bridge1 ingress-filtering=no interface=ether6 internal-path-cost=10 \
    path-cost=10
add bridge=bridge1 ingress-filtering=no interface=ether7 internal-path-cost=10 \
    path-cost=10
add bridge=bridge1 ingress-filtering=no interface=ether8 internal-path-cost=10 \
    path-cost=10
add bridge=bridge1 ingress-filtering=no interface=ether9 internal-path-cost=10 \
    path-cost=10
add bridge=bridge1 ingress-filtering=no interface=ether10 internal-path-cost=10 \
    path-cost=10
/ip firewall connection tracking
set udp-timeout=10s
/ip neighbor discovery-settings
set discover-interface-list=!dynamic
/ip settings
set max-neighbor-entries=8192
/ipv6 settings
set disable-ipv6=yes max-neighbor-entries=8192
# NOTE(review): pppoe-out1 is in neither list. Consequences for the filter rules
# below: every in-interface-list=!WAN match also matches packets arriving from the
# internet on pppoe-out1, and out-interface-list=WAN never matches traffic leaving
# via pppoe-out1 (the cause of the forward drop reported in this thread). Adding
# pppoe-out1 to WAN fixes both.
/interface list member
add interface=bridge1 list=LAN
add interface=wireguard1 list=LAN
add interface=ether1 list=WAN
# NOTE(review): md5 is accepted as an OVPN auth digest. The export does not show
# whether the OVPN server is enabled; if it is, drop md5 from the list.
/interface ovpn-server server
set auth=sha1,md5
/interface wireguard peers
add allowed-address=172.16.5.3/32 interface=wireguard1 public-key=\
    "Y45645645645645645645="
/ip address
add address=192.168.0.254/24 interface=bridge1 network=192.168.0.0
add address=172.16.5.1/24 interface=wireguard1 network=172.16.5.0
/ip cloud
set ddns-enabled=yes
/ip dhcp-client
add disabled=yes interface=bridge1 use-peer-dns=no use-peer-ntp=no
/ip dhcp-server network
add address=192.168.0.0/24 dns-server=192.168.0.254 gateway=192.168.0.254
# allow-remote-requests=yes makes the router resolve DNS for every source the
# input chain admits; with pppoe-out1 outside the WAN list that currently includes
# the internet (open resolver) - see the input-chain note below.
/ip dns
set allow-remote-requests=yes servers=8.8.8.8
/ip firewall filter
# --- input chain ---
add action=accept chain=input connection-state=established,related,untracked
add action=drop chain=input connection-state=invalid
add action=accept chain=input comment="Wireguard handshake" dst-port=13231 \
    protocol=udp
# NOTE(review): the DHCP/DNS/NTP rule and the ICMP rule are subsumed by "Allow
# access to FW except internet", which uses the same !WAN matcher with no other
# condition. Because pppoe-out1 is not in WAN, !WAN includes the PPPoE uplink, so
# DNS, ICMP and every management service on the router are reachable from the
# internet until pppoe-out1 is added to the WAN list.
add action=accept chain=input comment=\
    "Allow DHCP, DNS, NTP from internal networks only" dst-port=\
    5678,123,53,67,68 in-interface-list=!WAN protocol=udp
add action=accept chain=input comment="Allow ICMP" in-interface-list=!WAN
add action=accept chain=input comment="Allow access to FW except internet" \
    in-interface-list=!WAN
add action=drop chain=input
# --- forward chain ---
# NOTE(review): this fasttrack rule has no connection-state matcher (the RouterOS
# default rule carries connection-state=established,related). As written it
# appears to fasttrack every forward connection, after which the filter rules
# below are bypassed for that connection - confirm this is intended.
add action=fasttrack-connection chain=forward hw-offload=yes
add action=accept chain=forward connection-state=established,related,untracked
add action=drop chain=forward connection-state=invalid
# out-interface-list=WAN matches only ether1 here, never pppoe-out1, so LAN ->
# internet "new" connections fall through to the final drop as soon as it is
# enabled - exactly the "in:bridge1 out:pppoe-out1, connection-state:new" log line.
add action=accept chain=forward in-interface-list=LAN out-interface-list=WAN
add action=accept chain=forward in-interface=wireguard1 out-interface-list=LAN
add action=accept chain=forward in-interface-list=LAN out-interface=wireguard1
# While this drop is disabled the forward chain has no terminating rule, so any new
# connection not matched above (including ones arriving on pppoe-out1) is
# forwarded by default. Keep it enabled once the WAN list is corrected.
add action=drop chain=forward disabled=yes log=yes log-prefix=drop-fw
/ip firewall nat
add action=masquerade chain=srcnat out-interface=pppoe-out1
# The reply in this thread questions the masquerade toward wireguard1: with a
# single road-warrior peer (allowed-address 172.16.5.3/32) it only hides the
# LAN source addresses from that peer.
add action=masquerade chain=srcnat out-interface=wireguard1
# Only these services appear as disabled. winbox and www are absent from the
# export and therefore presumably still at their defaults - worth confirming,
# given the input-chain exposure noted above.
/ip service
set telnet disabled=yes
set ftp disabled=yes
set ssh disabled=yes
set api disabled=yes
set api-ssl disabled=yes
/ip smb shares
set [ find default=yes ] directory=/pub
/lcd
set time-interval=hour
/routing bfd configuration
add disabled=no
/system clock
set time-zone-name=Europe/Zagreb
/system identity
set name="MT GW 3011"
/system note
set show-at-login=no

Everything is fine except the last FW rule: add action=drop chain=forward disabled=yes log=yes log-prefix=drop-fw.

As soon as I enable it I get this log entry: drop-fw forward: in:bridge1 out:pppoe-out1, connection-state:new src-mac 48:f1:7f:dc:61:17, proto TCP (SYN), and I don't have internet connectivity.

Connection state new is only enabled at the forward chain.

Could anyone give me a hint as to where the source of this ‘drop’ could be?

tx

korg

You do not have pppoe-out1 added to the WAN interface list.

Besides that your firewall rules are a bit silly.

A. There is no need for the rule in PURPLE
B. It is made even sillier by the rule in Orange.
C. Blocking ping from the WAN side is actually not useful and can get in the way of troubleshooting.

# Quoted from the original post. The curly quotes and the wrapped lines are forum
# rendering artefacts, not RouterOS syntax; the colour highlighting referred to
# in the text above did not survive the paste.
/ip firewall filter
add action=accept chain=input connection-state=established,related,untracked
add action=drop chain=input connection-state=invalid
add action=accept chain=input comment=“Wireguard handshake” dst-port=13231
protocol=udp
# This rule and the "Allow ICMP" rule are fully covered by "Allow access to FW
# except internet" below, which matches the same !WAN interfaces with no further
# condition.
add action=accept chain=input comment=
“Allow DHCP, DNS, NTP from internal networks only” dst-port=
5678,123,53,67,68 in-interface-list=!WAN protocol=udp

add action=accept chain=input comment=“Allow ICMP” in-interface-list=!WAN
# NOTE(review): in the posted config only ether1 is in WAN, so !WAN also matches
# pppoe-out1 and this catch-all admits input from the internet as well.
add action=accept chain=input comment=“Allow access to FW except internet”
in-interface-list=!WAN

add action=drop chain=input

FIXED:
# Proposed replacement input chain, as pasted (curly quotes are a forum artefact).
/ip firewall filter
add action=accept chain=input connection-state=established,related,untracked
add action=drop chain=input connection-state=invalid
# NOTE(review): this rule has no protocol=icmp matcher. As written it accepts ALL
# input from every interface, so none of the rules after it ever match; it needs
# protocol=icmp to do what its comment says.
add action=accept chain=input comment=“Allow ICMP”
add action=accept chain=input comment=“Wireguard handshake” dst-port=13231
protocol=udp
# Correct as long as LAN holds only bridge1 and wireguard1, as in the original
# export; unlike the !WAN matchers it does not depend on pppoe-out1's list membership.
add action=accept chain=input comment=“Lan to Router” in-interface-list=LAN
add action=drop chain=input comment=“Drop all else”

Clean, and does exactly what your rules above accomplish.
Personally I would only allow the admin to access the Config of the router and thus I would modify the above to the following:

# Admin-only variant. XX/XY are placeholders for the admin hosts' addresses;
# "list**=Authorized**" is leaked markdown bold and should read list=Authorized.
/ip firewall address-list
add address=192.168.0.XX list**=Authorized** comment=“admin local PC”
add address=192.168.0.XY list=Authorized comment=“admin local laptop”
add address=172.16.5.3 list=Authorized comment=“admin remote laptop”
add address=172.16.5.4 list=Authorized comment=“admin remote home PC”

/ip firewall filter
add action=accept chain=input connection-state=established,related,untracked
add action=drop chain=input connection-state=invalid
# NOTE(review): no protocol=icmp matcher (the FIXED listing above has the same
# omission), so this accepts all input and makes the Authorized list and the
# final drop unreachable. Add protocol=icmp.
add action=accept chain=input comment=“Allow ICMP”
add action=accept chain=input comment=“Wireguard handshake” dst-port=13231
protocol=udp
# Management access is limited to the four Authorized hosts; all other LAN hosts
# only get DNS via the two rules below. NOTE(review): the original config also
# allowed NTP (123) from inside - add it here if LAN clients sync time from the
# router. DHCP is reportedly handled outside the IP firewall on RouterOS - confirm.
add action=accept chain=input comment=“Admin to Router” src-address-list=Authorized
# The comment value is missing its opening quote (comment=Users to Services");
# as pasted this will not parse - it should be comment="Users to Services".
add action=accept chain=input comment=Users to Services" dst-port=53 protocol=udp in-interface-list=LAN
add action=accept chain=input comment=Users to Services" dst-port=53 protocol=tcp in-interface-list=LAN

add action=drop chain=input

As far as WireGuard goes, I am not sure why you are source-NATing WireGuard.
The router is acting as a server for individual device clients.
Are you connecting to another router ???
add action=accept chain=input comment=Users to Services" dst-port=53 protocol=udp in-interface-list=LAN ???