Firewall and NAT

otgooneo · December 6, 2010, 3:44pm

Hello,

My firewall NAT and IP configurations are below. I want to other not authorized persons not able to access to my Local network from WAN side. But people, who set address=192.168.123.0/24 gateway=192.168.123.80 is still can access to my local network through my RB1000.
What firewall rule I need to add? For example simple small routers not accessable from WAN side. How to do this?

chain=srcnat action=masquerade out-interface=WAN

address=192.168.123.80/24 network=192.168.123.0 broadcast=192.168.123.255 
     interface=WAN

fewi · December 6, 2010, 3:54pm

Put a stateful firewall in place. First accept all packets that are part of already established connections so that packets from the WAN can go back to the LAN as long as someone on the LAN initiated the connection, then only forward packets from the LAN to the WAN, and drop everything else.

/ip firewall filter
add chain=forward connection-state=invalid action=drop
add chain=forward connection-state=established action=accept
add chain=forward connection-state=related action=accept
add chain=forward in-interface=!WAN action=accept
add chain=forward action=drop

Some people don’t like the negation of options (!WAN = “all interfaces that aren’t the WAN interface”), so you could also write it like this:

/ip firewall filter
add chain=forward connection-state=invalid action=drop
add chain=forward connection-state=established action=accept
add chain=forward connection-state=related action=accept
add chain=forward in-interface=WAN action=drop
add chain=forward action=accept

The last accept rule in that is actually not strictly needed since the default behavior is to allow, but it’s better to be explicit.

The wiki has many articles on firewalling.

otgooneo · December 8, 2010, 2:14am

Thanks, fewi
I found my mistake. I`m using bridged WAN interface, but the rules I wrote was on wrong interface.

otgooneo · January 5, 2011, 8:11am

Hello, Happy new year

How to add a lot of MAC addresses in the one firewall rule? “/ip firewall add src-mac-address=” is only supports 1 MAC address. I have a list of MAC addresses and need to add it to only one filter rule. Please advise

martini · January 5, 2011, 9:37am

add mac-address to static arp list on interface and set mode of interface reply-only. In firewall you cant add more than 1 mac in one rule.

otgooneo · January 6, 2011, 7:12am

So need to add mac-address-list like an /ip firewall address-list and add feature to choose mac-address-list.