Dual wan

The only thing that comes to my mind is that one of your src-nat rules doesn’t check the out-interface and so it changes the source address of the icmp ping requests coming from bridge-LAN while forwarding them to LAN-3, so the icmp ping responses get the routing mark (as their dst-address is not from 192.168.50.0/24) and cannot be delivered, while in the opposite direction the connection-tracking prevents this from happening.

Please provide the ouptut of the commands given in the previous post.

if you only need to ping from the bridge-lan to the lan-3
I do not understand what you are asking me to do

I do not understand what you are asking me to do

I have read your previous post and responded before you have put the configuration export into it.

Now as I’ve seen the export, I know my assumption was correct. You have to modify the NAT rule

/ip firewall nat
add action=masquerade chain=srcnat

by adding “out-interface=LAN-2,WAN2” to it. Currently, anything leaving your Mikrotik through any interface is src-nat’ed, so the devices in 192.168.40.0/24 can see the ping requests actually coming from 192.168.50.0/24 as coming from 192.168.40.1, so they respond to the same address, and the responses get the routing mark and are thus sent out via WAN1 (which is LAN-2).

By modifying the masquerade rule the way shown above, you’ll restrict it only to packets leaving towards the internet, so it will not affect packets between your two LANs, and everything should start working the way you need.

After verifying that, you can delete the newer mangle rule and add “dst-address=!192.168.50.0/24” back into the older one.

@wireless

Your whole config seems like a mess, why will you allow these following rules? Usually they are dropped

/ip firewall filter

add action=accept chain=input comment="No permitir paquetes extra\F1os" \
    connection-state=invalid

add action=accept chain=forward comment="No permitir paquetes extra\F1os" \
    connection-state=invalid

I will also specify a outgoing interface on the below, might also solve your ping problem but if I was you, I would relook at all rules / config

/ip firewall nat
add action=masquerade chain=srcnat

@CZFan,

why will you allow these following rules? Usually they are dropped

Well, “eliminar” in comment and “accept” in action in the DNS rules also doesn’t make sense, but let’s let the OP finish one thing first and only then audit his security concept.

doing what you tell me I still do not have ping from the bridge-lan to the lan-3

/ip firewall nat
add action=masquerade chain=srcnat out-interface=LAN-2
add action=masquerade chain=srcnat out-interface=WAN2

That sounds crazy.

Please do

/ip firewall connection remove [find where protocol=icmp ]

, then try the ping again.

If that does not help make the ping get through, start the ping from the side from which it does not get through, and then issue

ip firewall connection print detail where protocol=icmp

.

Then put here the result and an output of “/ip firewall export” of the current configuration (after the last changes).

everything is working as indicated above I am left like this
Nat

/ip firewall nat
add action=masquerade chain=srcnat out-interface=LAN-2
add action=masquerade chain=srcnat out-interface=WAN2

Mangle

/ip firewall mangle
add action=mark-routing chain=prerouting dst-address=!192.168.50.0/24 \
 in-interface=LAN-3 new-routing-mark=wan1-only passthrough=yes

Now, because now that I have access to all the devices between the bridge-lan and the lan-3 when I’m on the lan-3, I can not enter my device which would be 192.168.8.1 this would be the wan2

Well, now it is me who does not understand what you are saying. So I’ll try to translate that:

With the two masquerade rules, one for WAN2 and one for LAN-2, and with the single mangle rule, and after clearing the icmp connections table:

• you can ping and access devices connected to LAN-3 from devices connected to bridge-LAN and vice versa as you wanted,
• devices connected to LAN-3 can access internet only via LAN-2 (which is the primary WAN) as you wanted,
• but you cannot access the LTE modem which is in 192.168.8.0/24 from devices connected to LAN-3

.

If this is true, I think the easiest solution is to modify the mangle rule by replacing !192.168.50.0/24 by !192.168.0.0/16 in the dst-address. It is simply that you have initially not mentioned that remote equipment connected to WAN 1 and WAN 2 is also under your administration, I thought these were already ISP’s boxes, so I’ve suggested an exception from the routing-mark rule only for 192.168.50.0/24.

After the change, the devices connected to LAN-3 will be able to connect to any private address in the 192.168.0.0/16, even through the LTE, but that should not cause any issue unless something gets really crazy (like some application sending a UDP stream towards some 192.168.x.x not in your network and your WAN 1 internet connection down at the same time).

I’m sorry, it turns everything
and everything is working the only problem is that I can not access from the lan-3 to the device connected in the wan2 that would be an LTE modem that I administer myself but from the lan-3 if I can enter the device of the wan1
so if I change that rule and place that ip the previous consiguration is not damaged

change the ip in the rule by 192.168.0 / 24 and it takes away the access of the devices connected in the lan-3 from the bridge-lan

Correct, everything that works will continue working, that change will only extend the exception from the WAN restriction also to devices connected to 192.168.8.0/24 (like your LTE modem) and devices connected to 192.168.20.0/24.

After checking that everything works the way you want, come back for the audit of your security rules. It seems you’ve missed a point in how the firewall filter works, as @CZFan has pointed out. On the other hand, as both your WANs are via private subnets, I assume both the LTE modem and the WAN 1 modem have their own security policies, so it is probably not urgent.

I changed the rule but after doing so I can not enter the devices of the lan-3 but I can enter the LTE modem

/ip firewall mangle
add action=mark-routing chain=prerouting dst-address=!192.168.8.0/24 \
 in-interface=LAN-3 new-routing-mark=wan1-only passthrough=yes

security is very important for me since my two connections to the internet have public ip and this router will be my main since my wan1 is a SXT LITE5

to refresh one thing
WAN1: 192.168.20.1
WAN2: 192.168.8.1
Bridge-lan: 192.168.50.1
Lan-3: 192.168.40.1

Read again what I wrote - I’ve told you to change 192.168.50.0/24 to 192.168.0.0/16 in the mangle rule and you have instead changed it to 192.168.8.0/24.

No wonder that it behaves different than what I’ve said.

As for security - of course security is important, no question about that. But all your public adresses are currently outside the Mikrotik we are twisting so most attacks cannot reach it unless you have some DMZ rules on the boxes closer to the internet. If you plan to have a public address directly on this Mikrotik, or if you have DMZ rules forwarding everyting that comes to their public IP address further to this Mikrotik without any filtering, then you need to fix your security rules on this Mikrotik urgently.

sorry I had not read well and it works all

about security I tell you that my sxt has done DDoS attacks and for dns I can not get the rules that that team has since I do not have the administrator password to enter their configuration
my idea is to make the pppoe mark that the sxt is doing and to do it from this router that we are configuring for this I want to have it the safest prosibleme because it is the one that will support everything from outside

my sxt has done DDoS attacks

Do I get you right that the SXT was participating in DDoS attack against some other address in the internet? Or it was subject to a DDoS attack against its public IP address?

for dns I can not get the rules that that team has since I do not have the administrator password to enter their configuration



my idea is to make the pppoe mark that the sxt is doing and to do it from this router that we are configuring

These two statements somehow contradict to each other. WIthout modifying the SXT configuration, you cannot move the PPPoE termination point from the SXT to this Mikrotik.

However, let’s talk about the firewall rules.

1. add action=accept chain=input comment="Eliminar solicitudes de DNS de public" \
    connection-state=new dst-port=53 in-interface=LAN-2 protocol=tcp
2. add action=accept chain=input comment="Eliminar solicitudes de DNS de public" \
    connection-state=new dst-port=53 in-interface=LAN-2 protocol=udp
3. add action=accept chain=input comment="No permitir paquetes extra\F1os" \
    connection-state=invalid
4. add action=accept chain=input comment=\
    "Permitir el acceso LAN al enrutador y a Internet" connection-state=new \
    in-interface=bridge-LAN
5. add action=accept chain=input comment=\
    "Permitir el acceso LAN al enrutador y a Internet" connection-state=new \
    in-interface=LAN-3
6. add action=accept chain=input comment=\
    "Permitir conexiones que se originaron desde LAN" connection-state=\
    established
7. add action=accept chain=input comment=\
    "Permitir ping ICMP desde cualquier lugar" protocol=icmp
8. add action=accept chain=input comment=\
    "No permitir nada desde cualquier lugar en cualquier interfaz"
9. add action=accept chain=forward comment="No permitir paquetes extra\F1os" \
    connection-state=invalid

While the comment to rules 1 and 2 says “Eliminar solicitudes de DNS de public”, their action is “accept”, which means they do not eliminate the DNS requests coming in via LAN-2. To make them do what the comment says, you have to change action to “drop”.
Same case are rules 3 and 9 - the comment says “No permitir paquetes extraños” but the action is “accept”. So a change of action to “drop” is also needed.
Comment to rule 5 says “Permitir el acceso LAN al enrutador y a Internet”, but as the rule is in chain “input”, it only permits access to the router itself, not to internet.
Comment to rule 6 says “Permitir conexiones que se originaron desde LAN” but actually it permits any previously established connection to/from the router itself, regardless from where it has been originated.
Comment to rule 8 says “No permitir nada desde cualquier lugar en cualquier interfaz” but it actually permits everything, so you would need to replace “accept” with “drop” as action, but don’t do it now as you would cut access to the Mikrotik.


Now how the firewall filter actually works:

• each incoming packet with destination address matching any of the addresses which are up on the Mikrotik itself is tested against rules in the chain named “input”
• each incoming packet with destination address matching none of Mikrotik’s own addresses is tested against rules in the chain named “forward”

.

In each chain, the rules are tested against the packet one-by-one starting from the topmost one until one of the rules which do match the packet provides a final verdict (typically accept or drop, some other actions are final verdicts too, but e.g. “log” is not a final verdict so a packet matching such rule continues to be processed by the chain). If none of the rules in the chain provides a final verdict, the packet is accepted.

The above is true unless a rule with “action=fasttrack-connection” matches a packet; if it does, further packets belonging to the same connection are not processed by the filter, assuming that packets which have established that connection were been permitted by the filter.

So the current configuration of your firewall filter actually provides no security at all, because it explicitly or implicitly accepts (or forwards) whatever it receives.

I would recommend you to look at the firewall settings in the output of “system default-configuration print”, understand fully what each of them does, and then create your own rules based on that.

Interface lists are a handy tool - you can e.g. define a list named “WAN” and a list named “LAN” and refer to them in all rules which should match traffic coming from several different interfaces. Instead of in-interface, you use in-interface-list in the rule; such rule then matches if the packet comes in through any of the interfaces on the list.

An example would be that in order to ignore DNS queries coming in via WAN interfaces, you actually configure a rule to accept DNS requests coming in via any of the LAN interfaces in the “input” chain. The final “drop the rest” rule in the “input” chain, if present, will then take care of dropping DNS requests coming in via any other interface. So the first “accept” rule is an exception from the last “drop all” one.

Just a last remark, while “accept everything towards my own IPs which came in via any LAN interface” and “drop everything which came from outside, with several well-thought exceptions” may seem fine, some devices in your network may get infected by downloading some malware due to applications’ security holes and then attack your network from inside. So even if you have a working firewall, do not leave any account with administration privileges open without a password. The best thing is to create some other user than “admin” (not “root”, please), give it full access to configuration (and a password of course) and then disable the “admin” account. And if you provide internet access to some clients connected via LAN interfaces, better consider them potential threats too and do not permit them access to your management ports (ssh, http, https) at all. Actually, all they need to access on your Mikrotik itself is DNS (UDP/53), NTP (UDP/123) and DHCP (UDP/67).

the attacks I received was through my public ip were by dns and DDoS
then how would all the rules be that I copied it from the post that you passed me to make the dual wan

I have to paraphrase a wise man’s statement as I wasn’t able to find the original link: “there is no security without understanding; if someone offers to care about your security instead of you, he’s in the best position to take it away from you”.

So look through the manual and my example on blocking DNS from WAN again, there is everything you need to know to create your firewall.

Basically:

• you want to block any packet initiating a connection coming from the internet, i.e. via any internet-facing interface, except thoroughly thought cases (like icmp). The key here is “connection-state=new” for the exceptions and the last rule in each chain to be “action=drop” without any conditions.
• you want to permit any packet belonging to an already established connection. The key here is “connection-state=established,related”

The above applies for both “input” and “forward” chains.
Specifically for security of the Mikrotik itself (chain “input”):

• you want to block access to the mikrotik’s own IP addresses also for generic devices in your LANs, with the exceptions listed earlier (ICMP, DHCP, DNS, NTP)
• you want to enable only secure management protocols on your Mikrotik (ssh, https, winbox) with non-default usernames and passwords; under such conditions, these protocols can be left open for all LAN devices on the firewall
• if you cannot avoid use of insecure protocols (http, telnet, ftp), access to them must be permitted only to a handful of IP addresses assigned to devices under your direct control and it is still not secure enough (IP address can be spoofed, communication between the authorized device and your mikrotik can be intercepted; telnet and ftp send passwords in plaintext, http sends using an encryption algorithm which provides no real protection given the computing power available today)

The firewall rules from the default configuration do not permit DNS requests coming from the internet to be processed. So if your SXT could be used in the past to DDoS someone using the DNS attack, it means the default firewall rules were not active on it.

No firewall rules can protect you from losing the internet connectivity if you are a target of a DDoS attack. A DDoS attack will exhaust all your downlink bandwidth or all the packet forwarding capacity of your firewall device, whichever is lower. But the firewall can protect you from unintentionally participating in a DDoS attack against someone else using your Mikrotik. It cannot protect you from one of the devices in your network getting infected due to application vulnerabilities and then participating in any kind of malicious activity you can imagine.

hi
these are the only rules that my SXT has any more?

/ip firewall filter
add chain=input comment="default configuration" protocol=icmp
add chain=input comment="default configuration" connection-state=established
add chain=input comment="default configuration" connection-state=related
add chain=input comment="default configuration" log=yes src-address-list=\
    admis
add action=drop chain=input dst-port=123 log=yes protocol=udp \
    src-address-list=!ntp-servers
add action=drop chain=input comment="default configuration" in-interface=\
    wlan1-gateway
add action=drop chain=input comment="default configuration" dst-port=53 \
    in-interface=all-ppp log=yes protocol=udp
add chain=forward comment="default configuration" connection-state=\
    established
add chain=forward comment="default configuration" connection-state=related
add action=drop chain=forward comment="default configuration" \
    connection-state=invalid

The interface configurations are missing but I suppose that wlan1-gateway has no IP address at all and there is some pppoe-out1 which uses wlan1-gateway as transport interface and gets the IP address from the ISP.
If the above is true, the firewall actually permits anything that comes in towards the SXT itself via the pppoe interface, because each of the three “action=drop” rules has some additional conditions:

• the first one doesn’t care abouut the interface but only drops NTP packets from other sources than on the ntp-servers address-list
• the second one drops “everything” but only if it gets in via wlan1-gateway (which I assume is actually nothing as wlan1-gateway supposingly has no IP address associated
• the third one drops packets which come in via any ppp interface (which includes your pppoe interface), but only the DNS ones.
  So e.g. the http and ssh interface of this SXT are open for public access at firewall level; it is not clear whether they are limited to some source subnets at service level (see “/ip service print” output, if there are some subnets other than 0.0.0.0/0, the se services are secured there, otherwise they are open to the world).

The forward chain is similarly broken, it only drops “invalid” packets, but permits opening of new connections. This is more or less fine if there are no dst-nat rules in “/ip firewall nat” part of the configuration, but if there are, anything matching those rules can get in and establish a new connection. Of course it is possible that the dst-nat rules check the source but something is telling me that it is not the case.

Well I’ll have to finish all the settings so that you help me with the rules is my first mikrotik device and I do not know much about them the sxt is managed by my internet service provider