Filter Rule problem

Hi, I am trying to figure out why my main router cannot ping itself. I know which filter rule is causing the problem. It is this one.

/ip/firewall/filter
add action=drop chain=input comment="defconf: drop all not coming from LAN" in-interface-list=!WITH_INTERNET

The interface list contains all of the VLANs I want to have internet. I noticed that when I disable that rule, I can ping the main router again. So my questions are:

  1. What is that rule actually doing that is only blocking my main router from pinging?
  2. What can I do to modify my firewall to allow my router to ping to itself?

I want to run CAPsMAN and User Manager on the main router, but I cannot use some of these services because of the problem mentioned above. Any help will be appreciated!

I found a discussion and solution to my problem by googling ‘“defconf: drop all not coming from LAN” mikrotik’

That led me to a post that has plenty of good information on why this happens and how to fix it. Hope this helps someone.

The default firewall filter rule set on SoHo class devices for ROS 7.2.3 includes the following rule:

/ip/firewall/filter
add chain=input action=accept dst-address=127.0.0.1 comment="defconf: accept to local loopback (for CAPsMAN)"

It’s placed just above the last rule, which drops all packets whose ingress interface is not in the LAN interface list. Regardless of the comment (stating it’s intended for CAPsMAN), it should allow all traffic between processes inside the device.

Or, if you want to access a local address other than 127.0.0.1, a rule with src-address-type=local would do the trick (not dst, which would allow access from everywhere).
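The two fixes from this thread applied to an input chain like the one in the question, as an added example that is not from the original posts. The WITH_INTERNET list name comes from the question; the other rule comments and the ping target are assumed.

```routeros
# Added example, not from the thread. Assumes the interface list WITH_INTERNET
# already exists and the defconf drop rule is already present.
/ip/firewall/filter

# Option 1 (the ROS 7.2.3 defconf fix): accept anything addressed to the
# loopback address. Traffic between processes on the router itself does not
# arrive on a WITH_INTERNET interface, so it must be accepted before the
# catch-all drop. place-before keeps the new rule above the drop rule.
add chain=input action=accept dst-address=127.0.0.1 \
    comment="defconf: accept to local loopback (for CAPsMAN)" \
    place-before=[find comment="defconf: drop all not coming from LAN"]

# Option 2 (from the reply above): accept traffic that originates from any of
# the router's own addresses, so pinging the router's LAN IP also works.
# Match on src-address-type, NOT dst-address-type: matching on the destination
# would accept packets to the router from every interface.
add chain=input action=accept src-address-type=local \
    comment="accept traffic from the router's own addresses" \
    place-before=[find comment="defconf: drop all not coming from LAN"]

# Check that both accept rules sit above the drop rule, then test.
print where chain=input
/ping 127.0.0.1 count=3
```

Keep the drop rule itself unchanged; the point is only that an accept for locally sourced traffic is evaluated before it.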