I have an allow rule followed by a drop - from what I’ve read since the packet is accepted from the allow it should never reach the drop, but I see both counters going up at the same increment.
If I disable 6&7 then all traffic makes it through (even those not on the address lists)
If I enable 6&7 then (some) traffic is blocked (I have no idea how some is making it through)
Rules in question are 2 - 7
Then my NAT
Flags: X - disabled, I - invalid, D - dynamic
0 chain=dstnat action=dst-nat to-addresses=10.0.165.3 protocol=tcp dst-address= dst-port=3383 log=no log-prefix=""
1 chain=dstnat action=dst-nat to-addresses=10.0.165.3 protocol=udp dst-address= dst-port=3383 log=no log-prefix=""
2 chain=dstnat action=dst-nat to-addresses=10.0.165.3 protocol=udp dst-address= dst-port=10000-60000 log=no log-prefix=""
3 X chain=srcnat action=masquerade src-address=10.0.165.201-10.0.165.254 log=no log-prefix=""
4 ;;; default configuration
chain=srcnat action=masquerade out-interface=pppoe-out1 log=no log-prefix=""
Essentially I am trying to block all traffic on these ports that is not in either address list. I'm going to make it one address list as well, just finishing some scripting to do so.
0 D ;;; special dummy rule to show fasttrack counters
chain=forward action=passthrough WHAT IS THE PURPOSE OF THIS RULE???
1 chain=input action=drop protocol=tcp dst-port=22,23 log=no log-prefix="" (GET RID OF THIS RULE, DON'T NEED IT)
Just make sure you have a drop all rule at the end of input chain.
Just make sure you have a drop all rule at the end of the forward chain.
If I disable 6&7 then all traffic makes it through (even those not on the address lists)
If I enable 6&7 then (some) traffic is blocked (I have no idea how some is making it through)
Rules in question are 2 - 7 (that's an opinion!!)
You forget your dstnat rule required in the forward chain!
add action=accept chain=forward comment="Allow Port Forwarding" connection-nat-state=dstnat
Then my NAT
Flags: X - disabled, I - invalid, D - dynamic
REMOVE TO-ADDRESS for the destination nat rules below and put in IN-INTERFACE=pppoe-out
0 chain=dstnat action=dst-nat to-addresses=10.0.165.3 protocol=tcp dst-address= dst-port=3383 log=no log-prefix=""
1 chain=dstnat action=dst-nat to-addresses=10.0.165.3 protocol=udp dst-address= dst-port=3383 log=no log-prefix=""
2 chain=dstnat action=dst-nat to-addresses=10.0.165.3 protocol=udp dst-address= dst-port=10000-60000 log=no log-prefix=""
3 X chain=srcnat action=masquerade src-address=10.0.165.201-10.0.165.254 log=no log-prefix="" (WRONGO get rid of this one)
4 ;;; default configuration
chain=srcnat action=masquerade out-interface=pppoe-out1 log=no log-prefix="" (Correct)
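As an added illustration of the ordering this reply recommends (it is not config from either poster), here is a forward chain that accepts dst-nat'ed connections only when the source is on an address list, drops every other port-forward attempt, and ends in a drop-all. The list name allowed_sources, the sample list entry, and the LAN interface list are assumptions; the ports and 10.0.165.3 come from the thread.

```routeros
# Added example, not from the thread. "allowed_sources", "LAN" and the
# 198.51.100.0/24 entry are assumed placeholders.
/ip firewall address-list
add list=allowed_sources address=198.51.100.0/24 comment="constructed sample entry"

/ip firewall nat
# Match the WAN interface instead of a fixed public address, as the reply suggests.
add chain=dstnat in-interface=pppoe-out1 protocol=tcp dst-port=3383 action=dst-nat to-addresses=10.0.165.3
add chain=dstnat in-interface=pppoe-out1 protocol=udp dst-port=3383 action=dst-nat to-addresses=10.0.165.3
add chain=dstnat in-interface=pppoe-out1 protocol=udp dst-port=10000-60000 action=dst-nat to-addresses=10.0.165.3
add chain=srcnat out-interface=pppoe-out1 action=masquerade comment="default configuration"

/ip firewall filter
# Packets of already-accepted connections never reach the allow/drop pair below,
# so only the first packet of each new dst-nat'ed connection is evaluated there.
add chain=forward action=accept connection-state=established,related comment="existing connections"
add chain=forward action=drop connection-state=invalid comment="invalid"
# Allow rule: new connection, was dst-nat'ed, AND source is on the list.
add chain=forward action=accept connection-state=new connection-nat-state=dstnat \
    src-address-list=allowed_sources comment="Allow Port Forwarding from listed sources"
# Drop rule immediately after: same dst-nat'ed traffic, but from anyone not listed.
add chain=forward action=drop connection-nat-state=dstnat comment="unlisted source to forwarded port"
# Let the LAN out to the internet (interface list name is assumed).
add chain=forward action=accept in-interface-list=LAN out-interface=pppoe-out1 comment="LAN to internet"
# Drop-all at the end of the forward chain, as the reply advises.
add chain=forward action=drop comment="drop all other forwarded traffic"
```

If fasttrack is enabled, keep the fasttrack-connection rule for established,related traffic above the allow/drop pair; the dummy passthrough rule the router inserts is only there to show the bytes that bypassed the chain.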
0 is put there when you enable fasttrack - you cannot get rid of this
1 was there to block inbound 22/23 without it traffic was hitting the router and I do have a drop at the end!
6/7 were there to drop traffic not captured by the allow rule - without these traffic is still flowing. I disabled all the 2,3,4,5 and the traffic is still hitting my server - is this through the NAT forwards??
3 on NAT is disabled already, I was trying to NAT VPN traffic at one point
/ip firewall raw
add action=drop chain=prerouting comment="Drop Port Scanner List - TCP" src-address-list=port_scans_tcp
add action=drop chain=prerouting comment="Drop Port Scanner List - UDP" src-address-list=port_scans_udp