Firewall drop rules not working

Hello, I have a RB750g running 5.24. My firewall seems to have partially stopped working.
I have a normal setup with nothing fancy. I have five static IPs configured with one active.
If I set

# Two filter rules for TCP port 220 on the public address, both in chain=input.
# NOTE(review): both rules use identical matchers, so any packet that matches is
# handled by the reject rule first and the drop rule below it is never reached.
/ip firewall filter add action=reject chain=input comment=ssh disabled=no dst-address=50.x.x.x dst-port=220 protocol=tcp reject-with=tcp-reset
/ip firewall filter add action=drop chain=input comment=ssh disabled=no dst-address=50.x.x.x dst-port=220 protocol=tcp

as rules number 1 and 2, traffic continues to pass without incrementing the byte or packet counters as long as I have a NAT rule set to direct it somewhere. If I disable the NAT rule

# Port forward: TCP 220 on the public address is rewritten to 192.168.1.11 port 22.
# NOTE(review): once this rule matches, the packet's destination is the LAN host,
# not the router, which is consistent with the chain=input counters staying at zero.
/ip firewall nat add action=dst-nat chain=dstnat comment="SSH" disabled=no dst-address=50.x.x.x dst-port=220 protocol=tcp to-addresses=\
    192.168.1.11 to-ports=22

then the firewall will recognize the packets, count and drop them.

I can duplicate this scenario with the same firewall and NAT rules but with port 80 instead.

Here are my configs for the bridge, firewall and nat.

# Bridge configuration: a single bridge (bridge-local) running RSTP with two member ports.
/interface bridge
add admin-mac=D4:CA:6D:CC:CB:21 ageing-time=5m arp=enabled auto-mac=no disabled=no forward-delay=15s l2mtu=1598 max-message-age=20s mtu=1500 \
    name=bridge-local priority=0x8000 protocol-mode=rstp transmit-hold-count=6
/interface bridge port
# NOTE(review): LAN2 and WAN are both members of bridge-local, so they form one
# layer-2 segment. Presumably WAN is the port facing the cable modem (confirm);
# if so, broadcasts such as DHCP offers from the modem are bridged straight to
# LAN2, which would explain LAN hosts receiving leases from the modem.
add bridge=bridge-local disabled=no edge=auto external-fdb=auto horizon=none interface=LAN2 path-cost=10 point-to-point=auto priority=0x80
add bridge=bridge-local disabled=no edge=auto external-fdb=auto horizon=none interface=WAN path-cost=10 point-to-point=auto priority=0x80
/interface bridge settings
# use-ip-firewall=yes hands bridged traffic to the IP firewall.
# NOTE(review): traffic bridged between two ports is presumably evaluated in
# chain=forward, not chain=input, so the input rules would not filter it - confirm
# against the RouterOS packet-flow documentation for this version.
set use-ip-firewall=yes use-ip-firewall-for-pppoe=no use-ip-firewall-for-vlan=no



# Filter rules, evaluated top to bottom within each chain. Almost every rule is in
# chain=input, which covers traffic addressed to the router itself.
/ip firewall filter
# NOTE(review): TCP 220 on 50.x.x.x is also dst-nat'd to 192.168.1.11 in the NAT
# list, so with that NAT rule enabled these two rules are not expected to match.
# The drop rule repeats the reject rule's matchers and cannot be reached after it.
add action=reject chain=input comment=ssh disabled=no dst-address=50.x.x.x dst-port=220 protocol=tcp reject-with=tcp-reset
add action=drop chain=input comment=ssh disabled=no dst-address=50.x.x.x dst-port=220 protocol=tcp
add action=drop chain=input comment=RDP disabled=yes dst-port=3389 in-interface=WAN protocol=tcp
# The DNS and NTP rules below have no in-interface, so they apply on every interface.
add action=drop chain=input comment="Outside DNS Lookups TCP" disabled=no dst-port=53 protocol=tcp
add action=accept chain=input comment="NTP on UDP" disabled=no dst-port=123 protocol=udp
# NOTE(review): TCP 80 on 50.x.x.x is dst-nat'd to 192.168.1.52 in the NAT list, so
# this input drop only affects port 80 traffic that is not translated.
add action=drop chain=input comment=Web disabled=no dst-port=80 in-interface=WAN protocol=tcp
add action=accept chain=input comment="old dvr" disabled=yes dst-port=3701 in-interface=WAN protocol=tcp
add action=accept chain=input comment="old dvr" disabled=yes dst-port=3702 in-interface=WAN protocol=tcp
add action=accept chain=input comment=Tenvis_PT-01 disabled=yes dst-port=7777 in-interface=WAN protocol=tcp
# NOTE(review): ports 37777, 37778, 88, 554, 143, 110 and 25 are all dst-nat'd to
# LAN hosts in the NAT list. These input accepts therefore do not decide whether
# the forwards work; that is decided in chain=forward, which has no enabled drop
# rule in this listing, so forwarded traffic passes by default.
add action=accept chain=input comment="new dvr" disabled=no dst-port=37777 in-interface=WAN protocol=tcp
add action=accept chain=input comment="new dvr" disabled=no dst-port=37778 in-interface=WAN protocol=udp
add action=accept chain=input comment="new dvr" disabled=no dst-port=88 in-interface=WAN protocol=tcp
add action=accept chain=input comment="new dvr" disabled=no dst-port=554 in-interface=WAN protocol=tcp
add action=accept chain=input comment=imap disabled=no dst-port=143 in-interface=WAN protocol=tcp
add action=accept chain=input comment=mail disabled=no dst-port=110 in-interface=WAN protocol=tcp
add action=accept chain=input comment=mail disabled=no dst-port=25 in-interface=WAN protocol=tcp
# One of only two chain=forward rules in this listing; it is disabled.
add action=drop chain=forward comment="Block Freddy" disabled=yes src-mac-address=00:25:64:A7:EC:57
add action=accept chain=input comment="tcp 1723 (VPN)" disabled=no dst-port=1723 protocol=tcp
add action=accept chain=input comment="gre 47 (VPN)" disabled=no protocol=gre
add action=accept chain=input comment="Outside DNS Lookups UDP" disabled=no dst-port=53 protocol=udp
add action=accept chain=forward comment="Outside DNS Lookups UDP" disabled=no dst-port=53 protocol=udp
add action=accept chain=input comment="Full access to SUPPORT address list" disabled=no src-address-list=support
add action=accept chain=input comment=winbox disabled=yes dst-port=8291 protocol=tcp
add action=accept chain=input comment="mikrotik speedtest :-)" disabled=yes protocol=udp src-port=2000-3000
add action=accept chain=input comment="Accept to established connections" connection-state=established disabled=no
add action=accept chain=input comment="Accept to related connections" connection-state=related disabled=no
# NOTE(review): ICMP is a custom chain, and no rule with action=jump to it appears
# in this listing. Unless a jump exists elsewhere, these two rules are never evaluated.
add action=accept chain=ICMP comment="Allow ping to and from SUPPORT list" disabled=no src-address-list=support
add action=drop chain=ICMP comment="Drop to the other ICMPs" disabled=no protocol=icmp
add action=drop chain=input comment="drop invalid packets" connection-state=invalid disabled=no
# Default deny for chain=input only; the listing has no equivalent for chain=forward.
add action=drop chain=input comment="Drop anything else! # DO NOT ENABLE THIS RULE BEFORE YOU MAKE SURE ABOUT ALL ACCEPT RULES YOU NEED" \
    disabled=no



# NAT rules: port forwards (chain=dstnat) from the public address to LAN hosts,
# followed by source NAT for the 192.168.1.0/24 network.
# NOTE(review): each enabled dst-nat below rewrites the destination to a LAN host,
# so that traffic is subject to chain=forward filter rules, not chain=input.
/ip firewall nat
add action=dst-nat chain=dstnat comment=http disabled=no dst-address=50.x.x.x dst-port=80 protocol=tcp to-addresses=192.168.1.52 \
    to-ports=80
add action=dst-nat chain=dstnat comment=Tenvis_PT-01 disabled=yes dst-address=50.x.x.x dst-port=7777 protocol=tcp to-addresses=\
    192.168.1.98 to-ports=7777
add action=dst-nat chain=dstnat comment="NEW Dvr" disabled=no dst-address=50.x.x.x dst-port=37777 protocol=tcp to-addresses=\
    192.168.1.97 to-ports=37777
add action=dst-nat chain=dstnat comment="NEW Dvr" disabled=no dst-address=50.x.x.x dst-port=37778 protocol=udp to-addresses=\
    192.168.1.97 to-ports=37778
add action=dst-nat chain=dstnat comment="NEW Dvr" disabled=no dst-address=50.x.x.x dst-port=554 protocol=tcp to-addresses=192.168.1.97 \
    to-ports=554
add action=dst-nat chain=dstnat comment="NEW Dvr" disabled=no dst-address=50.x.x.x dst-port=88 protocol=tcp to-addresses=192.168.1.97 \
    to-ports=88
# NOTE(review): this rule's action is add-src-to-address-list, not dst-nat. It
# records the source address in list "rdp"; the to-addresses/to-ports values
# presumably have no effect with this action, so RDP is not forwarded here - confirm.
add action=add-src-to-address-list address-list=rdp address-list-timeout=0s chain=dstnat comment=RDP disabled=no dst-address=50.x.x.x \
    dst-port=3389 protocol=tcp to-addresses=192.168.1.15 to-ports=3389
# The SSH forward from the question: public TCP 220 becomes 192.168.1.11 port 22.
add action=dst-nat chain=dstnat comment="SSH  to Ares" disabled=no dst-address=50.x.x.x dst-port=220 protocol=tcp to-addresses=\
    192.168.1.11 to-ports=22
add action=dst-nat chain=dstnat comment=mail disabled=no dst-address=50.x.x.x dst-port=143 protocol=tcp to-addresses=192.168.1.11 \
    to-ports=143
add action=dst-nat chain=dstnat comment=dns disabled=no dst-address=50.x.x.x dst-port=53 protocol=udp to-addresses=192.168.1.11 \
    to-ports=53
add action=dst-nat chain=dstnat comment=mail disabled=no dst-address=50.x.x.x dst-port=110 protocol=tcp to-addresses=192.168.1.11 \
    to-ports=110
add action=dst-nat chain=dstnat comment=mail disabled=no dst-address=50.x.x.x dst-port=25 protocol=tcp to-addresses=192.168.1.10 \
    to-ports=25
# Disabled 1:1 mapping pair for 192.168.1.138.
add action=netmap chain=dstnat comment="Asterisk 1-2-1 NAT" disabled=yes dst-address=50.244.230.194 to-addresses=192.168.1.138
add action=netmap chain=srcnat comment="Asterisk 1-2-1 NAT" disabled=yes src-address=192.168.1.138 to-addresses=50.244.230.194
# Source NAT for the LAN. No out-interface is set, so the rule is not limited to
# traffic leaving through a particular interface.
add action=masquerade chain=srcnat disabled=no src-address=192.168.1.0/24 to-addresses=0.0.0.0

Thanks in advance!

Ron

Something I forgot to add. The computers on the LAN side of my router just started receiving DHCP leases from my cable modem… Shouldn’t the firewall block that?

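You need these rules in the forward chain, not input. The dst-nat rule rewrites the destination before the filter is consulted, so the packet is no longer addressed to the router itself and never reaches chain=input. In chain=forward, match on the translated destination (192.168.1.11, port 22) rather than on 50.x.x.x port 220.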