filtering rules bypassed in transparent proxy mode

Hi, I've been doing some work on a large internet network system (MikroTik 750G, v5.7).

I had in place several simple firewall rules that were blocking some users' MAC addresses, as well as some rules for blocking torrent sites (layer 7). This was all working well.

I then added a transparent proxy rule for port 80 → 8080 for the web proxy.

The transparent web proxy works well; however, I now see that devices that are supposed to be MAC-blocked are surfing the net, and my layer-7 filter rules are being disregarded across the entire network.

What's going on? How can running the transparent proxy rule cause firewall filter rules to be ignored?

1 ;;; TRANSPARENT WEB PROXY
chain=dstnat action=redirect to-ports=8080 protocol=tcp
in-interface=Users Side dst-port=80

Wild guess: the rules that aren't firing are in the forward chain only. Because you're using a redirect action, you're rewriting the destination IP address to a router IP after prerouting, so the packets are now going to be in the input chain rather than in the forward chain.

If that is the case you may want to review the packet flow diagrams on the wiki, as well as refer to the IP firewall filter manual page. When designing packet filters a very important basic requirement is to know where a packet is going to be at what time, otherwise traffic will escape your filter sets. Learn what chains are for what packets, and what NAT decisions change chains, and where.

Do your layer 7 filtering in the proxy (where it is more appropriate and consumes fewer resources); the wiki manual on the IP proxy shows how. And implement your MAC blocking rules in the input chain as well, so that proxy-redirected traffic gets filtered for those MACs.

If that guess is wrong post the actual rule set. Facts and details lead to opinions, rough descriptions without details lead to wild guesses.

Thanks fewi, :smiley:


I changed the chain to input instead of forward and that fixed the MAC address lockdown issue. After that, their attempted TX traffic went to 0 bps!

I will now look into the layer-7 filtering for the proxy.

You want to filter in BOTH input and forward. Forward still applies to all connections through the router that the NAT rule doesn't redirect to the router. It's just that right now they were only trying web traffic. One simple way to do this is to have a custom chain for all the MAC addresses that drops them, and then jump into it from both the input and forward chains.

I really encourage you to read the packet flow wiki. Read it again and again, every now and then as you learn things. It’s the single most important thing to understand in the manual. Once you really understand the packet flow everything else is easy to figure out.

For proxy filtering look here: http://wiki.mikrotik.com/wiki/How_to_Block_Websites_%26_Stop_Downloading_Using_Proxy
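Added example (not fewi's or the OP's configuration, and not from the linked wiki page): one way to lay out the rules described in the two replies above on a RouterOS v5.x box. The interface name "Users Side" and the 80 → 8080 redirect are taken from the OP's dstnat rule; the chain name `mac-block`, the MAC addresses and the `dst-host`/`path` patterns are placeholders.

```routeros
# Added example, not the original poster's rule set. Interface name and
# redirect port come from the thread; MAC addresses and host/path
# patterns below are placeholders.

# 1. Transparent proxy. dstnat/redirect rewrites the destination to the
#    router itself, so after the routing decision these packets land in
#    the INPUT chain, never in FORWARD.
/ip firewall nat
add chain=dstnat in-interface="Users Side" protocol=tcp dst-port=80 \
    action=redirect to-ports=8080 comment="TRANSPARENT WEB PROXY"

# 2. One custom chain holds every blocked client (placeholder MACs).
/ip firewall filter
add chain=mac-block src-mac-address=00:11:22:33:44:55 action=drop \
    comment="blocked client A (placeholder)"
add chain=mac-block src-mac-address=00:11:22:33:44:66 action=drop \
    comment="blocked client B (placeholder)"
# Unmatched traffic goes back to whichever chain jumped here.
add chain=mac-block action=return

# 3. Jump into it from BOTH chains, placed at the top so no earlier
#    accept rule (e.g. "accept established") lets a blocked MAC through:
#    input   -> port-80 traffic redirected to the proxy, DNS to the
#               router, etc.
#    forward -> everything the NAT rule does not redirect (HTTPS,
#               torrent peers, games, ...)
add chain=input   in-interface="Users Side" action=jump \
    jump-target=mac-block place-before=0
add chain=forward in-interface="Users Side" action=jump \
    jump-target=mac-block place-before=0

# 4. Site filtering in the proxy, which already has the hostname and URL
#    parsed, instead of layer-7 regex rules in forward (which redirected
#    port-80 traffic never reaches anyway). Patterns are placeholders.
/ip proxy
set enabled=yes port=8080
/ip proxy access
add dst-host=*torrent* action=deny comment="torrent index sites (placeholder)"
add path=*.torrent action=deny comment="torrent metafiles (placeholder)"
```

To check it, run `/ip firewall filter print stats` while a blocked client tries first an http:// site and then an https:// site: the `mac-block` drop counter should climb in both cases, the first via the input jump and the second via the forward jump. Two caveats worth keeping in mind: `src-mac-address` only matches on the segment where the router sees the client's own MAC (not behind another router), and the transparent redirect only catches plain port-80 HTTP, so the proxy access list does nothing for HTTPS sites.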

It occurred to me after my last post that I'd need to double up on the filtering for input and forward!
The site filtering looks pretty easy for the web proxy; just have to bash the keyboard for a while :slight_smile:
Will look into cleaner method of MAC filtering.

Cheers