Hi,
I created my own firewall configuration (I do not use the default one) and I have a problem with one rule. Could you please give me some tips?
I have RouterOS 6.31 on a RouterBOARD. Two WAN Ethernet ports (ether1 and 2) and two local bridges. Everything works great except the highlighted rule:
/ip firewall filter
# input chain: traffic addressed to the router itself
add chain=input connection-state=established,related
# Drop everything else arriving from both WAN ports
add action=drop chain=input in-interface=ether1
add action=drop chain=input in-interface=ether2
# Only bridge-local-1 may talk to the router
add chain=input in-interface="bridge-local-1"
# At the end to see counters
add action=drop chain=input comment="END"
# forward chain: traffic routed through the router
# Drop new connections from the WANs unless they were port-forwarded (dstnat)
add action=drop chain=forward connection-nat-state=!dstnat connection-state=new in-interface=ether1
add action=drop chain=forward connection-nat-state=!dstnat connection-state=new in-interface=ether2
add chain=forward connection-state=established,related
# Allow anything originating from the two local bridges
add chain=forward in-interface="bridge-local-1"
add chain=forward in-interface="bridge-local-2"
### THIS IS THE ISSUE:
### add action=drop chain=forward connection-state=invalid
# Accept port-forwarded new connections from the WANs
add chain=forward connection-nat-state=dstnat connection-state=new in-interface=ether1
add chain=forward connection-nat-state=dstnat connection-state=new in-interface=ether2
### This is OK:
add action=drop chain=forward connection-state=invalid
# At the end to see counters
add action=drop chain=forward comment="END"
When I ping a computer that has an IP from MikroTik's DHCP (from a computer behind another router), the "connection-state=invalid" rule drops the ICMP packet. To illustrate, I tried this:
PC (run CMD ping) ---> Non-MikroTik router ---> MikroTik router --- WAN
                                                       |
                                                       |
                                               PC that is pinged
I am sure that routing is functional (I have correct static routes on all routers), and I am sure that the issue is the FW configuration, because when I moved the rule to the bottom (as you can see in the example) the issue was solved. Could you please tell me why the FW is dropping ICMP packets that should be routed?
Thank you very much.
Bor