Firewall chains for list of interfaces

Hi, all!
I have this network:
[attached image: Capture.PNG (network diagram)]
I want to create some chains on router №1: chains for traffic to and from the internet for my neighbor (router №2), matched by the interface lists WAN-NEIGHBOR and NEIGHBOR-WAN (WAN: pppoe, ether1; NEIGHBOR: ether2).
And chains for my network to and from the internet (router №1), matched by the interface lists WAN-LAN and LAN-WAN (WAN: pppoe, ether1; LAN: ether3, ether4, ether5).
I created these chains, but the traffic counters for my network's chains with these lists are zero. The chains for the neighbor's traffic work fine and their counters increase.
Why don't the chains for my network work?
The main idea is to separate the neighbor's internet traffic from mine.

Without you posting your configuration, we can only guess. From that we can tell what you are doing to get traffic onto different chains (among other stuff). Use the command:
/export hide-sensitive

/interface list member
add interface=ether1-master-local list=LAN
add interface=ether2-slave-local list=LAN
add interface=ether3-slave-local list=LAN
add interface=ether4-slave-local list=LAN
add interface=ether6-gateway list=WAN
add interface=pppoe-out1 list=WAN
add interface=ether7-master-local list=LAN
add interface=frootvpn list=WAN
add interface=ether9-slave-local list=LAN
add interface=ether10-slave-local list=LAN
add interface=wlan1 list=LAN
add interface=ether8-slave-local list=LAN
add interface=ether6-gateway list=LAN
add interface=ether5-slave-local-NEIGHBOR list=NEIGHBOR

/ip firewall filter
add action=jump chain=forward in-interface-list=WAN jump-target=WAN-NEIGHBOR \
    out-interface-list=NEIGHBOR
add action=jump chain=forward in-interface-list=NEIGHBOR jump-target=NEIGHBOR-WAN \
    out-interface-list=WAN
add action=drop chain=input in-interface-list=WAN src-address-list=BOGON
add action=drop chain=forward comment="default configuration" \
    connection-state=invalid
add action=jump chain=forward in-interface-list=WAN jump-target=WAN-LAN \
    out-interface-list=LAN
add action=jump chain=forward in-interface-list=LAN jump-target=LAN-WAN \
    out-interface-list=WAN
add action=accept chain=input comment="allow already established connections" \
    connection-state=established
add action=jump chain=forward jump-target=udp protocol=udp
add action=jump chain=forward jump-target=tcp protocol=tcp
add action=jump chain=forward jump-target=icmp protocol=icmp
add action=accept chain=input comment="allow related connections" \
    connection-state=related
add action=accept chain=input disabled=yes protocol=ipsec-esp
add action=accept chain=input disabled=yes dst-port=1701,500,4500 protocol=\
    udp
add action=accept chain=input connection-state=new dst-port=8291,65522 \
    protocol=tcp
add action=accept chain=input dst-address=192.168.88.1 dst-port=80 protocol=\
    tcp src-address=192.168.88.0/24
add action=jump chain=forward in-interface=bridge-local jump-target=LAN-NEIGHBOR \
    out-interface-list=NEIGHBOR
add action=jump chain=forward in-interface-list=NEIGHBOR jump-target=NEIGHBOR-LAN \
    out-interface=bridge-local
add action=drop chain=input connection-state=new in-interface-list=!LAN
add action=drop chain=tcp comment="NEIGHBORy TFTP" dst-port=69 protocol=tcp
add action=drop chain=tcp comment="NEIGHBORy RPC portmapper" dst-port=111 \
    protocol=tcp
add action=drop chain=tcp comment="NEIGHBORy RPC portmapper" dst-port=135 \
    protocol=tcp
add action=drop chain=tcp comment="NEIGHBORy NBT" dst-port=137-139 protocol=tcp
add action=drop chain=tcp comment="NEIGHBORy cifs" dst-port=445 protocol=tcp
add action=drop chain=tcp comment="NEIGHBORy NFS" dst-port=2049 protocol=tcp
add action=drop chain=tcp comment="NEIGHBORy NetBus" dst-port=12345-12346 \
    protocol=tcp
add action=drop chain=tcp comment="NEIGHBORy NetBus" dst-port=20034 protocol=tcp
add action=drop chain=tcp comment="NEIGHBORy BackOriffice" dst-port=3133 protocol=\
    tcp
add action=drop chain=tcp comment="NEIGHBORy DHCP" dst-port=67-68 protocol=tcp
add action=drop chain=udp comment="NEIGHBORy TFTP" dst-port=69 protocol=udp
add action=drop chain=udp comment="NEIGHBORy PRC portmapper" dst-port=111 \
    protocol=udp
add action=drop chain=udp comment="NEIGHBORy PRC portmapper" dst-port=135 \
    protocol=udp
add action=drop chain=udp comment="NEIGHBORy NBT" dst-port=137-139 protocol=udp
add action=drop chain=udp comment="NEIGHBORy NFS" dst-port=2049 protocol=udp
add action=drop chain=udp comment="NEIGHBORy BackOriffice" dst-port=3133 protocol=\
    udp
add action=accept chain=icmp comment="echo reply" icmp-options=0:0 protocol=\
    icmp
add action=accept chain=icmp comment="net unreachable" icmp-options=3:0 \
    protocol=icmp
add action=accept chain=icmp comment="host unreachable" icmp-options=3:1 \
    protocol=icmp
add action=accept chain=icmp comment=\
    "host unreachable fragmentation required" icmp-options=3:4 protocol=icmp
add action=accept chain=icmp comment="allow source quench" icmp-options=4:0 \
    protocol=icmp
add action=accept chain=icmp comment="allow echo request" icmp-options=8:0 \
    protocol=icmp
add action=accept chain=icmp comment="allow time exceed" icmp-options=11:0 \
    protocol=icmp
add action=accept chain=icmp icmp-options=12:0 protocol=icmp
add action=drop chain=icmp comment="NEIGHBORy all other types"
add action=accept chain=icmp icmp-options=12:0 protocol=icmp
add action=drop chain=WAN-LAN
add chain=LAN-WAN
add chain=WAN-NEIGHBOR
add chain=NEIGHBOR-WAN
add action=drop chain=NEIGHBOR-LAN
add action=drop chain=LAN-NEIGHBOR
add action=accept chain=NEIGHBOR-LAN dst-port=68 protocol=udp src-port=67
add action=accept chain=LAN-NEIGHBOR dst-port=67 protocol=udp src-port=68

Of course, sorry.
These counters are still zero after a long, long time:

add action=jump chain=forward in-interface-list=WAN jump-target=WAN-LAN \
    out-interface-list=LAN
add action=jump chain=forward in-interface-list=LAN jump-target=LAN-WAN \
    out-interface-list=WAN
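An added check, not code from any poster in this thread, that models one thing worth ruling out with rules like the two above: in-interface-list and out-interface-list are matched against the interface the IP firewall actually sees, and for a port that is a member of a bridge that is the bridge itself (unless /interface bridge settings use-ip-firewall=yes is set). Whether that applies here depends on the bridge configuration, which the export does not include; the bridge membership below is therefore an assumption, chosen because later rules in the export match in-interface=bridge-local. Interface and list names are the ones from the export. The same code also flags an interface that sits in more than one list, which the export does contain.

```python
"""Added check, not a poster's code: how in-interface-list / out-interface-list
matching resolves when LAN ports are bridge members. The IP firewall matches
the interface it actually sees; for a port that is a bridge member that is
the bridge itself, unless /interface bridge settings use-ip-firewall=yes.
Interface and list names are the ones posted above; bridge membership is an
assumption, since the bridge configuration is not shown in the thread."""

# Assumption: the "*-slave-local" ports are members of bridge-local (later rules
# in the export match in-interface=bridge-local). The NEIGHBOR port is assumed
# not to be bridged, consistent with the NEIGHBOR chains counting hits.
BRIDGES = {
    "bridge-local": {"ether1-master-local", "ether2-slave-local",
                     "ether3-slave-local", "ether4-slave-local"},
}

# Interface lists as exported above (ether6-gateway appears in both WAN and LAN).
LISTS_AS_POSTED = {
    "WAN": {"ether6-gateway", "pppoe-out1", "frootvpn"},
    "LAN": {"ether1-master-local", "ether2-slave-local", "ether3-slave-local",
            "ether4-slave-local", "ether6-gateway"},
    "NEIGHBOR": {"ether5-slave-local-NEIGHBOR"},
}


def firewall_interface(port, bridges=BRIDGES):
    """Name the IP firewall sees for traffic arriving on or leaving via port."""
    for bridge, members in bridges.items():
        if port in members:
            return bridge
    return port


def in_list(port, list_name, lists, bridges=BRIDGES):
    return firewall_interface(port, bridges) in lists[list_name]


def jump_rule_fires(in_port, out_port, in_list_name, out_list_name,
                    lists, bridges=BRIDGES):
    """Would 'in-interface-list=X out-interface-list=Y' match this flow?"""
    return (in_list(in_port, in_list_name, lists, bridges)
            and in_list(out_port, out_list_name, lists, bridges))


def check_jumps(lists, bridges=BRIDGES):
    """Test the four jump rules from the export against sample flows."""
    nb = "ether5-slave-local-NEIGHBOR"
    return {
        "WAN-LAN": jump_rule_fires("pppoe-out1", "ether3-slave-local",
                                   "WAN", "LAN", lists, bridges),
        "LAN-WAN": jump_rule_fires("ether3-slave-local", "pppoe-out1",
                                   "LAN", "WAN", lists, bridges),
        "WAN-NEIGHBOR": jump_rule_fires("pppoe-out1", nb,
                                        "WAN", "NEIGHBOR", lists, bridges),
        "NEIGHBOR-WAN": jump_rule_fires(nb, "pppoe-out1",
                                        "NEIGHBOR", "WAN", lists, bridges),
    }


def with_bridge_in_lan(lists):
    """Same lists, but with the bridge itself added to LAN."""
    fixed = {name: set(members) for name, members in lists.items()}
    fixed["LAN"].add("bridge-local")
    return fixed


def overlapping_members(lists):
    """Interfaces present in more than one list. An interface in both WAN and
    LAN makes in-interface-list=LAN match traffic that is really WAN traffic."""
    seen = {}
    for name, members in lists.items():
        for member in members:
            seen.setdefault(member, set()).add(name)
    return {m: sorted(names) for m, names in seen.items() if len(names) > 1}


if __name__ == "__main__":
    print("as posted:", check_jumps(LISTS_AS_POSTED))
    print("bridge in LAN:", check_jumps(with_bridge_in_lan(LISTS_AS_POSTED)))
    print("overlaps:", overlapping_members(LISTS_AS_POSTED))
```

Under the stated assumption the WAN-LAN and LAN-WAN jumps never match while the NEIGHBOR ones do, which is the pattern of counters described in the thread; adding the bridge to the LAN list makes all four match. On a real router the equivalent check is to look at which interface name the firewall reports for a LAN packet and compare it against /interface list member.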

First of all, I would suggest some organization. You have forward chain rules and input chain rules all mixed together. It will work that way, but sure makes it harder to read for us human beings.

Firewall rules are handled in the order that they are listed. In the code extract below, since the first rule in the WAN-LAN, NEIGHBOR-LAN, and LAN-NEIGHBOR chains is action=drop, all traffic in those chains will be dropped and rule processing stops. Your two accept rules at the end will never be processed because of the drop actions above them.

add action=drop chain=WAN-LAN
add chain=LAN-WAN
add chain=WAN-NEIGHBOR
add chain=NEIGHBOR-WAN
add action=drop chain=NEIGHBOR-LAN
add action=drop chain=LAN-NEIGHBOR
add action=accept chain=NEIGHBOR-LAN dst-port=68 protocol=udp src-port=67
add action=accept chain=LAN-NEIGHBOR dst-port=67 protocol=udp src-port=68

Next major thing I see is that for the most part in your tcp and udp chains, you are dropping a long list of specific traffic, and then by default allowing anything else. That’s sort of the opposite of how you should do it. General concept should be to allow the specific things that you want to allow, and then drop everything else. Here is an extract from my forward chain. I have removed some stuff simply to keep it fairly short for the post here. I allow specifically what I want and at the bottom, drop anything that makes it to that rule. The two passthrough rules near the top were there just for some testing that I was doing yesterday.

add action=drop chain=forward comment="Drop invalid packets" \
    connection-state=invalid
add action=passthrough chain=forward comment=\
    "Counter for inbound packets with SMTP routing mark" connection-state="" \
    in-interface=VLAN_200 routing-mark=SMTP
add action=passthrough chain=forward comment=\
    "Counter for outbound packets with SMTP routing mark" connection-state="" \
    in-interface=E3-p15_102 routing-mark=SMTP
add action=accept chain=forward comment=\
    "Allow Johnstone SuperGoose and WebCams access to Mail server" \
    dst-address=192.168.101.11 src-address=192.168.103.240/30
add action=accept chain=forward comment=\
    "Allow Safe list access to Web Power switches" dst-address=\
    192.168.101.231-192.168.101.233 dst-port=80 in-interface=\
    E1-p49_Cable_Internet protocol=tcp src-address-list=Safe
add action=accept chain=forward comment="Accept all that is DST NATed" \
    connection-nat-state=dstnat connection-state=new
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
    connection-state=established,related
add action=accept chain=forward comment=\
    "Accept established and related packets" connection-state=\
    established,related
add action=accept chain=forward comment=\
    "Allow outbound SMTP traffic from Jupiter to DSL internet" dst-port=25 \
    in-interface=E2-p13_101 out-interface=VLAN_200 protocol=tcp src-address=\
    192.168.101.11
add action=accept chain=forward comment=\
    "Allow outbound traffic from .101 to internet" in-interface=E2-p13_101 \
    out-interface=E1-p49_Cable_Internet
add action=accept chain=forward comment=\
    "Allow priviledged PCs access to .102 LAN" out-interface=E3-p15_102 \
    src-address-list=Priviledged
add action=accept chain=forward comment=\
    "Allow priviledged PCs access to .201 LAN" out-interface=VLAN_201 \
    src-address-list=Priviledged
add action=drop chain=forward comment=\
    "Drop any forward packets that get this far"

You will see that I allow specific conditions, and the last rule is to drop anything that makes it to that rule. That way I only have the specific traffic that I want making it through the forward chain.


BTW, in the extract from your rules below, you specify that only traffic with a protocol of tcp will jump to the tcp chain. Therefore, you don’t really need to specify in each rule in the tcp chain that the protocol is tcp. You did the same thing in the udp and icmp chains.

add action=jump chain=forward jump-target=tcp protocol=tcp

add action=drop chain=tcp comment="NEIGHBORy TFTP" dst-port=69 protocol=tcp
add action=drop chain=tcp comment="NEIGHBORy RPC portmapper" dst-port=111 \
    protocol=tcp
add action=drop chain=tcp comment="NEIGHBORy RPC portmapper" dst-port=135 \
    protocol=tcp
add action=drop chain=tcp comment="NEIGHBORy NBT" dst-port=137-139 protocol=tcp
add action=drop chain=tcp comment="NEIGHBORy cifs" dst-port=445 protocol=tcp

Yes, I agree with you, thank you for your advice. But first of all I want to separate the WAN internet traffic to my neighbor from my own internet traffic. I don't want to filter his traffic with my firewall; he will use his own firewall. I want to filter only my traffic. But I can't separate my traffic because the chains WAN-LAN and LAN-WAN do not work.

If you want to NOT filter your neighbor’s traffic, then that’s very easy to do in just two rules.
For performance, it’s best to fasttrack and allow the already-checked sessions first, so here are what I recommend as your first four rules in the forwarding chain:

chain=forward connection-state=established,related action=fasttrack-connection
chain=forward connection-state=established,related action=accept
chain=forward out-interface=ether1 action=accept
chain=forward in-interface=ether1 out-interface=pppoe1 action=accept

The last two rules are the two rules necessary to allow all traffic between your neighbor and the WAN.

I think you are making it far more complex than you need to. I'm doing something similar at my house. I have a wired LAN that is used for most of my stuff. Additionally I have a completely separate LAN that is used for my private WiFi, and a third LAN that is used for my "public" WiFi. All three LANs are completely blocked from each other, but all access the same internet connection. In my case, each LAN uses a different public IP on the internet connection (I get eight static IPs on my DSL), but that is not required. Below are several code segments that will show what I'm doing.

/interface ethernet
set [ find default-name=ether1 ] comment="DSL internet" name=\
    E1-p1_DSL_Internet
set [ find default-name=ether2 ] comment="802.11Q trunk" name=\
    E2-p3_802.11Q_trunk
set [ find default-name=ether3 ] comment="Main home LAN" name=E3-p5_201
/ip neighbor discovery
set E1-p1_DSL_Internet discover=no
/interface vlan
add comment=".202 Public WiFi LAN" interface=E2-p3_802.11Q_trunk name=\
    VLAN_202 vlan-id=202
add comment=".203 Private WiFi LAN" interface=E2-p3_802.11Q_trunk name=\
    VLAN_203 vlan-id=203
    
/ip address
add address=192.168.201.250/24 interface=E3-p5_201 network=192.168.201.0
add address=192.168.202.250/24 interface=VLAN_202 network=192.168.202.0
add address=192.168.203.250/24 interface=VLAN_203 network=192.168.203.0
add address=208.127.aaa.xxx/24 comment="Public IP for .201 LAN" interface=\
    E1-p1_DSL_Internet network=208.127.aaa.0
add address=208.127.aaa.yyy/24 comment="Public IP for .202 LAN" interface=\
    E1-p1_DSL_Internet network=208.127.aaa.0
add address=208.127.aaa.zzz/24 comment="Public IP for .203 LAN" interface=\
    E1-p1_DSL_Internet network=208.127.aaa.0

In the first segment I define the interfaces, and then give them IP addresses. In the case of the two WiFi LANs, they are on a trunk port as separate VLANs because I needed more than the 5 ports that a RB750 router provides. I made it easy for me to keep straight in my brain by using the same number for the VLANs as I used for the third octet of the IP addresses.

In this next section, I use src-nat rules to specify that outbound traffic from each of the three LANs uses a specific public IP. If you were going to the same public IP on the internet connection, you would use a masquerade rather than the src-nat. I could have specified the in-interface instead of the src-address in order to determine which rule applied.

add action=src-nat chain=srcnat comment="Outgoing NAT from .201 LAN" \
    out-interface=E1-p1_DSL_Internet src-address=192.168.201.0/24 \
    to-addresses=208.127.aaa.xxx
add action=src-nat chain=srcnat comment="Outgoing NAT from .202 LAN" \
    out-interface=E1-p1_DSL_Internet src-address=192.168.202.0/24 \
    to-addresses=208.127.aaa.yyy
add action=src-nat chain=srcnat comment="Outgoing NAT from .203 LAN" \
    out-interface=E1-p1_DSL_Internet src-address=192.168.203.0/24 \
    to-addresses=208.127.aaa.zzz

This next part of the firewall rules specifically allows the three LANs access to the internet connection.

add action=drop chain=forward comment="Drop invalid packets" \
    connection-state=invalid
add action=accept chain=forward comment=\
    "Allow outbound traffic from .201 to internet" in-interface=E3-p5_201 \
    out-interface=E1-p1_DSL_Internet
add action=accept chain=forward comment=\
    "Allow outbound traffic from .202 to internet" in-interface=VLAN_202 \
    out-interface=E1-p1_DSL_Internet
add action=accept chain=forward comment=\
    "Allow outbound traffic from .203 to internet" in-interface=VLAN_203 \
    out-interface=E1-p1_DSL_Internet
add action=accept chain=forward comment=\
    "Forward established and related connections" connection-state=\
    established,related

And this part specifically blocks the three LANs from accessing each other. You will notice that these six rules are all disabled. That’s because I originally did it this way, but changed it to the second “drop everything” segment shown below. I had forgotten that these rules were even still in the router. Guess I should really delete them…

add action=drop chain=forward comment=\
    "Drop all traffic on .201 from accessing .202" disabled=yes in-interface=\
    E3-p5_201 out-interface=VLAN_202
add action=drop chain=forward comment=\
    "Drop all traffic on .201 from accessing .203" disabled=yes in-interface=\
    E3-p5_201 out-interface=VLAN_203
add action=drop chain=forward comment=\
    "Drop all traffic on .202 from accessing .201" disabled=yes in-interface=\
    VLAN_202 out-interface=E3-p5_201
add action=drop chain=forward comment=\
    "Drop all traffic on .202 from accessing .203" disabled=yes in-interface=\
    VLAN_202 out-interface=VLAN_203
add action=drop chain=forward comment=\
    "Drop all traffic on .203 from accessing .201" disabled=yes in-interface=\
    VLAN_203 out-interface=E3-p5_201
add action=drop chain=forward comment=\
    "Drop all traffic on .203 from accessing .202" disabled=yes in-interface=\
    VLAN_203 out-interface=VLAN_202

Much easier this way…

add action=drop chain=forward comment=\
    "Drop any forward packets that get this far"

There is obviously more to it than this, but this is all that is required to get the three LANs functional to the internet, and yet completely separated from each other.

Make sense?
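An added example, not code from any poster in this thread: a small first-match model of how /ip firewall filter walks a chain. It serves two points made above. The first is the earlier reply's observation that an accept rule placed after an unconditional drop in the same chain can never be reached, so its counter stays at zero; the model reproduces that for the NEIGHBOR-LAN chain as posted and again with the accept moved above the drop. The second is the default-deny forward chain in this reply, where each LAN gets an explicit accept to the WAN and a final unconditional drop isolates the LANs from each other. Interface names are taken from the thread; the packets are constructed samples, connection-state is simplified to a single value, and the NEIGHBOR-LAN jump matches on interface names rather than interface lists. The model assumes the RouterOS behaviours that a rule with no action accepts, that a jumped-to chain which ends without a verdict returns to the caller, and that the built-in forward chain accepts whatever reaches its end.

```python
"""Added example, not a poster's code: a first-match model of how
/ip firewall filter walks a chain. It shows (1) why the accept rules
placed after an unconditional drop in the NEIGHBOR-LAN chain never get a
hit, and (2) how the default-deny forward chain above isolates three LANs
while still letting each reach the WAN. Interface names come from the
thread; the packets are constructed samples."""
from dataclasses import dataclass, field


@dataclass
class Packet:
    in_if: str
    out_if: str
    proto: str = "tcp"
    src_port: int = 0
    dst_port: int = 0
    state: str = "new"        # simplified: one connection-state value


@dataclass
class Rule:
    chain: str
    action: str = "accept"    # RouterOS default action when none is given
    jump_target: str = ""
    match: dict = field(default_factory=dict)
    hits: int = 0             # stands in for the rule's packet counter

    def matches(self, pkt: Packet) -> bool:
        # An empty match dict matches everything, like a rule with no criteria.
        return all(getattr(pkt, k) == v for k, v in self.match.items())


TERMINAL = {"accept", "drop"}


def evaluate(rules, chain, pkt, depth=0):
    """Walk one chain top to bottom. Returns 'accept' or 'drop', or None when
    the chain ends without a verdict (a jumped-to chain then returns)."""
    if depth > 16:
        raise RecursionError("jump loop")
    for rule in rules:
        if rule.chain != chain or not rule.matches(pkt):
            continue
        rule.hits += 1
        if rule.action == "jump":
            verdict = evaluate(rules, rule.jump_target, pkt, depth + 1)
            if verdict is not None:
                return verdict
            continue          # target chain fell through: resume here
        if rule.action in TERMINAL:
            return rule.action
        # passthrough, log, fasttrack-connection: counted, packet continues
    return None


def forward_verdict(rules, pkt):
    """Built-in chains accept whatever reaches their end without a verdict."""
    return evaluate(rules, "forward", pkt) or "accept"


def neighbor_dhcp_demo(accept_first):
    """NEIGHBOR-LAN chain as posted (drop, then accept) or with the accept
    moved above the drop. Returns (verdict, hits on the DHCP accept rule)."""
    dhcp_offer = {"proto": "udp", "src_port": 67, "dst_port": 68}
    drop_all = Rule("NEIGHBOR-LAN", "drop")
    allow_dhcp = Rule("NEIGHBOR-LAN", "accept", match=dhcp_offer)
    chain = [allow_dhcp, drop_all] if accept_first else [drop_all, allow_dhcp]
    # The jump matches on interface names here instead of interface lists.
    jump = Rule("forward", "jump", "NEIGHBOR-LAN",
                {"in_if": "ether5-slave-local-NEIGHBOR", "out_if": "bridge-local"})
    pkt = Packet("ether5-slave-local-NEIGHBOR", "bridge-local", "udp", 67, 68)
    return forward_verdict([jump] + chain, pkt), allow_dhcp.hits


def three_lan_demo():
    """Default-deny forward chain for three LANs and one WAN interface."""
    wan = "E1-p1_DSL_Internet"
    lans = ["E3-p5_201", "VLAN_202", "VLAN_203"]
    rules = [Rule("forward", "drop", match={"state": "invalid"})]
    rules += [Rule("forward", "accept", match={"in_if": lan, "out_if": wan})
              for lan in lans]
    rules.append(Rule("forward", "accept", match={"state": "established"}))
    final_drop = Rule("forward", "drop")   # "drop any forward packets that get this far"
    rules.append(final_drop)
    results = {
        "lan_to_wan_new": forward_verdict(rules, Packet(lans[0], wan)),
        "wan_to_lan_new": forward_verdict(rules, Packet(wan, lans[0])),
        "wan_to_lan_established":
            forward_verdict(rules, Packet(wan, lans[0], state="established")),
        "lan_to_other_lan": forward_verdict(rules, Packet(lans[0], lans[1])),
    }
    results["final_drop_hits"] = final_drop.hits
    return results


if __name__ == "__main__":
    print("as posted:", neighbor_dhcp_demo(False))      # ('drop', 0)
    print("accept first:", neighbor_dhcp_demo(True))    # ('accept', 1)
    for name, value in three_lan_demo().items():
        print(name, value)
```

The hit counters are the useful part: in the as-posted order the DHCP accept rule shows zero hits exactly as a real rule would, and in the three-LAN chain only the new inbound and LAN-to-LAN packets reach the final drop, so its counter is a direct measure of what the explicit accepts do not cover.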

I cannot use fasttrack; it corrupts my connection through VPN. http://forum.mikrotik.com/t/rb2011-rb3011-fasttrack-vpn-problem/101581/1
I don't only want to accept; I want to manage this traffic comfortably too. As I understand, chains are the best way for this, but the chains WAN-LAN and LAN-WAN do not work.

You said that the neighbor has his own firewall and you don’t want to filter his traffic.
The easiest way to completely do that is what I stated in my reply. If fasttrack is bad for your particular situation, then simply remove that one rule.

Long story short - either you’re filtering your neighbor’s packets or you’re not.
If you’re not, then simply accept them all to/from his interface/your WAN interface, and be done. Any additional rules will simply waste processing power evaluating them and tracking them.
In fact, the most efficient thing to do would be to put a notrack rule into the RAW table’s prerouting chain, matching his traffic. This would free up maximum resources for your router to handle your own traffic.

Anything else means that you ARE managing his traffic - which is fine if that’s what you want to do. If so, I would suggest that you structure your neighbor-to-wan / wan-to-neighbor chains as follows:
Assume that the decision has already been made that traffic entering these chains is appropriate. Thus, no rules should bother having any criteria matching src/dst addresses or interfaces or what-have-you… They should simply be whatever ports and/or protocols you want to allow or disallow him to use going to/from the Internet. You can decide to make them operate as "default-accept" chains or as "default-deny" chains, meaning that the final rule of each chain should be "accept" or "deny" with no conditions attached.

Once your chains are configured with the policies you wish to apply, you would then modify my two suggested rules by changing the action from “accept” to being “jump” with the appropriate jump target chain.

You got me :) Yes, you are right, but in this case I want to protect my LAN from NEIGHBOR, because if I accept all traffic it will be like opening Pandora's box. And I need to keep the ability to manage the NEIGHBOR-LAN and LAN-NEIGHBOR traffic, because we have some shared resources and my DHCP manages his network. For this reason I thought that separating by chains is the best way. Lastly, my chains NEIGHBOR-LAN and LAN-NEIGHBOR do not work either, just like LAN-WAN and WAN-LAN: the counters still equal zero and I do not understand why it does not work.

Okay - so don’t worry about the chain - just add one more rule right after the 4 I already gave.

rule 5:
add chain=forward in-interface=ether1 action=drop

done.

oh - and for any shared resources you want to allow, just allow them before rule 5…