Firewall basics and port forwarding

I set up my router by following a video presentation by Mikrotik trainer Steve Discher but I do not understand exactly what I’ve done because, frankly, I’m not all that bright.

I also have attempted to allow access to an IP camera by creating a NAT rule. The NAT rule works but only if I disable a firewall rule.

Here are my questions:

  1. Should the NAT rule work without disabling the firewall rule (as detailed below)?

  2. If the firewall rule has to be disabled, how much am I compromising my security? Although my desktop may be off when I want access to the IP camera, there are other devices connected and in use (e.g. dvrs, a/c thermostat, etc.) Are these devices unduly vulnerable when that particular firewall rule is disabled?

The firewall rule I have to disable to allow access to my IP camera is:

add action=drop chain=forward comment="Drop all other traffic through the router"


Here are the firewall settings:

/ip firewall address-list
add address=192.168.1.0/24 list=OurLocalLAN
/ip firewall filter
add chain=input comment="Allow access to the router from the LAN using an address list" src-address-list=OurLocalLAN
add action=drop chain=forward comment="Drop invalid connections" connection-state=invalid
add chain=forward comment="Allow connections from the LAN" connection-state=new in-interface=bridge1
add chain=forward comment="Allow established connections" connection-state=established
add chain=forward comment="Allow related connections" connection-state=related
add chain=input comment="Allow established connections to the router" connection-state=established
add chain=input comment="Allow related connections to the router" connection-state=related connection-type=""
add action=drop chain=input comment="Drop all other traffic to the router"
add action=drop chain=forward comment="Drop all other traffic through the router"
/ip firewall nat
add action=masquerade chain=srcnat out-interface=ether1
add action=dst-nat chain=dstnat comment="Open port 82 for Foscam" dst-address=xx.xxx.xxx.xxx dst-port=82 in-interface=ether1 protocol=tcp to-addresses=192.168.1.172

My current version is 6.33.2

Thanks for any help,

You don’t need to disable the rule, instead add another one:

/ip firewall filter
add action=accept chain=forward connection-nat-state=dstnat

It will allow all forwarded ports through the router.

Few other tips:

  • Accepting established and related can be done in one rule, you don’t need two (it was needed only in old RouterOS versions)

  • Accepting established and related should be at the top of each chain, because the vast majority of packets will then be matched by the very first rule and it will save further processing.

  • Rather than allowing access to the router from the LAN (input chain) using IP addresses, use in-interface=bridge1. It’s not very likely, but packets from 192.168.1.x might also come from the WAN. If you allow access by interface, there’s no way around that.
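The following is an added example, not a configuration posted by anyone in this thread: the original poster's ruleset rewritten with the three tips from the reply applied, so the final drop rule in the forward chain can stay enabled. It assumes the same names the poster used (bridge1 is the LAN side, ether1 is the WAN side, the camera is 192.168.1.172) and omits the dst-address matcher on the dst-nat rule, which is optional when the rule already matches in-interface=ether1.

```routeros
# Added example, not from the thread. Assumes bridge1 = LAN, ether1 = WAN,
# LAN 192.168.1.0/24, camera 192.168.1.172 (all taken from the poster's config).
/ip firewall filter

# Input chain (traffic to the router itself).
# Established/related first, in one rule, so most packets stop here.
add chain=input action=accept connection-state=established,related \
    comment="Allow established/related to the router"
add chain=input action=drop connection-state=invalid \
    comment="Drop invalid packets to the router"
# Match the LAN interface instead of a source-address list: a packet that
# arrives on ether1 with a forged 192.168.1.x source is not accepted here.
add chain=input action=accept in-interface=bridge1 \
    comment="Allow LAN access to the router"
add chain=input action=drop comment="Drop all other traffic to the router"

# Forward chain (traffic through the router).
add chain=forward action=accept connection-state=established,related \
    comment="Allow established/related through the router"
add chain=forward action=drop connection-state=invalid \
    comment="Drop invalid connections"
add chain=forward action=accept connection-state=new in-interface=bridge1 \
    comment="Allow new connections from the LAN"
# Only connections that a dstnat rule has already translated (the camera
# port forward) get through from the WAN; everything else hits the drop.
add chain=forward action=accept connection-nat-state=dstnat \
    comment="Allow port-forwarded (dst-nat) connections"
add chain=forward action=drop comment="Drop all other traffic through the router"

/ip firewall nat
add chain=srcnat action=masquerade out-interface=ether1
add chain=dstnat action=dst-nat in-interface=ether1 protocol=tcp dst-port=82 \
    to-addresses=192.168.1.172 comment="Open port 82 for Foscam"
```

Rule order matters in RouterOS: rules are evaluated top to bottom within a chain, so the dst-nat accept has to sit above the final forward drop. If you want the exposed surface narrower than "every port forward", add dst-address=192.168.1.172 and dst-port=82 to the connection-nat-state=dstnat rule so it matches only the camera.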

Thanks very much. Works great and I appreciate the tips.

Thanks for posting this.
It helped me get my connection to our alarm system going.