Hi,
I'm trying to create a new VLAN on my CCR1016. The new VLAN is 10.0.100.0/24. I managed to set it up correctly, getting an IP address from the DHCP server, but my problem is I can't ping the "internet" through the WAN port (ether12). Probably my forwarding rules are the problem, because my connections time out.
[admin@MikroTik] > ip firewall filter pr
Flags: X - disabled, I - invalid, D - dynamic
0 ;;; Drop invalid connection
chain=input action=drop connection-state=invalid log=no log-prefix=""
1 ;;; allow established
chain=input action=accept connection-state=established log=no log-prefix=""
2 ;;; allow related
chain=input action=accept connection-state=related log=no log-prefix=""
3 ;;; Allow ping,at 5pck/s
chain=input action=accept protocol=icmp icmp-options=8:0-255 limit=5,5 log=no log-prefix=""
4 ;;; #DMZ#-dns req
chain=input action=accept protocol=tcp src-address=10.0.100.0/24 dst-port=53 log=no log-prefix=""
5 chain=input action=accept protocol=udp src-address=10.0.100.0/24 dst-port=53 log=no log-prefix=""
6 chain=input action=accept protocol=udp src-address=10.0.100.0/24 dst-port=67-68 log=no log-prefix=""
7 chain=input action=accept protocol=icmp src-address=10.0.100.0/24 log=no log-prefix=""
14 ;;; Accept Management to router config
chain=input action=accept src-address=192.168.0.23 dst-address-list=network-dev log=yes log-prefix=""
15 ;;; input jump to portscan
chain=input action=jump jump-target=portscan log=no log-prefix=""
16 ;;; Block portscans
chain=portscan action=add-src-to-address-list protocol=tcp psd=20,3s,3,1 address-list=blocked-addr address-list-timeout=1h log=yes log-prefix=""
17 ;;; Block TCP Null san
chain=portscan action=add-src-to-address-list tcp-flags=fin,psh,urg,!syn,!rst,!ack protocol=tcp address-list=blocked-addr address-list-timeout=1h log=yes log-prefix=""
18 ;;; Block TCP Xmassl scan
chain=portscan action=add-src-to-address-list tcp-flags=!fin,!syn,!rst,!psh,!ack,!urg protocol=tcp address-list=blocked-addr address-list-timeout=1h log=yes log-prefix=""
19 ;;; Drop blocked-addr
chain=portscan action=jump jump-target=drop protocol=tcp src-address-list=blocked-addr log=yes log-prefix=""
20 chain=drop action=drop log=yes log-prefix=""
21 ;;; input jump to netw-dev-prot
chain=input action=jump jump-target=netw-dev-protection log=no log-prefix=""
22 X ;;; Management ip accept
chain=netw-dev-protection action=accept src-address=192.168.0.0/24 dst-address-list=network-dev log=no log-prefix=""
23 ;;; Management ip accept
chain=netw-dev-protection action=accept src-address=192.168.0.33 dst-address=193.xx.xx.128/26 log=no log-prefix=""
24 ;;; Management ip accept
chain=netw-dev-protection action=accept src-address=192.168.0.23 dst-address=193.xx.xx.128/26 log=no log-prefix=""
25 ;;; ssh tcp block
chain=netw-dev-protection action=drop protocol=tcp src-address=!192.168.0.23 dst-port=22 log=no log-prefix=""
26 ;;; ssh udp block
chain=netw-dev-protection action=drop protocol=udp src-address=!192.168.0.23 dst-port=22 log=no log-prefix=""
28 ;;; Telnet block
chain=netw-dev-protection action=drop protocol=udp src-address=!192.168.0.23 dst-address-list=network-dev dst-port=23 log=no log-prefix=""
29 ;;; Webmin connection block
chain=netw-dev-protection action=drop protocol=tcp src-address=!192.168.0.23 dst-address-list=network-dev dst-port=20561,8291 log=no log-prefix=""
30 ;;; input -> services
chain=input action=jump jump-target=services log=no log-prefix=""
31 ;;; Allow DNS requests
chain=services action=accept protocol=tcp src-address-list=local-networks dst-port=53 log=no log-prefix=""
32 ;;; Allow DNS requests
chain=services action=accept protocol=udp src-address-list=local-networks dst-port=53 log=no log-prefix=""
33 ;;; Allow DHCP req/replies
chain=services action=accept protocol=udp src-address-list=local-networks dst-port=67-68 log=no log-prefix=""
34 ;;; Allow Http,Https
chain=services action=accept protocol=tcp src-address-list=local-networks dst-port=80,443,8080 log=no log-prefix=""
35 ;;; !!Default Drop everything Input
chain=input action=drop log=no log-prefix=""
38 ;;; Telnet-FTP-SSH Bruteforce filter
chain=forward action=drop protocol=tcp src-address-list=blocked-addr dst-port=21-23 log=no log-prefix=""
39 ;;; Drop invalid
chain=forward action=drop connection-state=invalid log=no log-prefix=""
40 ;;; forward established
chain=forward action=accept connection-state=established dst-address-list=local-networks log=no log-prefix=""
41 ;;; forward related
chain=forward action=accept connection-state=related log=no log-prefix=""
42 ;;; #DMZ
chain=forward action=accept src-address=10.0.100.0/24 out-interface=ether12 log=no log-prefix=""
43 chain=forward action=accept protocol=icmp src-address=10.0.100.0/24 log=yes log-prefix=""
44 chain=forward action=accept src-address=10.0.100.0/24 dst-address=8.8.8.8 log=no log-prefix=""
45 X chain=forward action=accept in-interface=ether12 out-interface=vlan100 log=no log-prefix=""
48 ;;; Sysadmin
chain=forward action=accept protocol=tcp src-address=192.168.3.23 dst-port=3389 log=no log-prefix=""
50 chain=forward action=accept src-address=192.168.0.23 dst-address=10.0.100.0/24 log=no log-prefix=""
51 chain=forward action=accept protocol=tcp src-address=192.168.0.23 dst-address=193.xx.xx.128/26 dst-port=22,10000 log=no log-prefix=""
52 ;;; Ping 5/s
chain=forward action=accept protocol=icmp icmp-options=8:0-255 limit=10,10 log=no log-prefix=""
56 ;;; Default DROP from local
chain=forward action=drop protocol=tcp src-address=!192.168.0.23 dst-address=193.xx.xx.128/26 dst-port=22,10000 log=no log-prefix=""
58 X ;;; Jump to portscan chain
chain=forward action=jump jump-target=portscan log=no log-prefix=""
59 ;;; jump to netw-dev-prot
chain=forward action=jump jump-target=netw-dev-protection log=no log-prefix=""
60 ;;; Forward jump to services
chain=forward action=jump jump-target=services src-address-list=local-networks log=no log-prefix=""
63 ;;; Printers
chain=forward action=accept dst-address-list=network-printers in-interface=vlan0 log=no log-prefix=""
64 chain=forward action=accept dst-address-list=network-printers in-interface=vlan4 log=no log-prefix=""
65 chain=forward action=accept dst-address-list=network-printers in-interface=vlan3 log=no log-prefix=""
66 ;;; vlan0 users comunication
chain=forward action=accept in-interface=vlan0 out-interface=vlan0 log=no log-prefix=""
67 ;;; Default drop Open-Wifi
chain=forward action=drop in-interface=vlan4 log=no log-prefix=""
68 ;;; Vlan5
chain=forward action=accept in-interface=vlan5 out-interface=vlan5 log=no log-prefix=""
69 ;;; !Accept Traffic out on WAN
chain=forward action=accept out-interface=ether12 log=no log-prefix=""
70 ;;; !!Drop everything else on Forward!!
chain=forward action=drop log=no log-prefix=""
If I enable rule nr 45, then it's all fine, I get an internet connection, but it's a security concern to enable it. So my question is why the other VLANs work (get internet, hence rule 69 is working for the other VLANs)?
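To make the rule interaction visible, here is an added Python model (example code, not from the post and not RouterOS) of forward rules 39, 40, 41, 45, 69 and 70 evaluated first-match, the way the filter chain works. It assumes something the post does not show: that the "local-networks" address list used by rule 40 does not contain 10.0.100.0/24, so established replies coming back to vlan100 miss rule 40 and fall through to the default drop in rule 70.

```python
"""Toy model of the post's forward chain (rules 39, 40, 41, 45, 69, 70),
tracing a reply packet from the WAN back to the new VLAN.
Assumption, not stated in the post: the address list 'local-networks'
does not yet contain 10.0.100.0/24."""
from ipaddress import ip_address, ip_network

# Constructed address lists; the real list contents are not in the post.
LISTS_BEFORE = {"local-networks": ["192.168.0.0/24", "192.168.3.0/24"]}
LISTS_AFTER = {"local-networks": LISTS_BEFORE["local-networks"] + ["10.0.100.0/24"]}

# Constructed packets: the request leaving vlan100 and the reply coming back.
# Connection tracking marks the reply 'established'.
OUTBOUND_PKT = {"state": "new", "in_if": "vlan100", "out_if": "ether12", "dst": "8.8.8.8"}
REPLY_PKT = {"state": "established", "in_if": "ether12", "out_if": "vlan100", "dst": "10.0.100.50"}


def in_list(addr, name, lists):
    return any(ip_address(addr) in ip_network(n) for n in lists.get(name, []))


def matches(rule, pkt, lists):
    """A rule matches when every matcher it carries agrees with the packet."""
    for key, want in rule.items():
        if key in ("num", "action", "disabled"):
            continue
        if key == "dst_list":
            if not in_list(pkt["dst"], want, lists):
                return False
        elif pkt.get(key) != want:
            return False
    return True


def forward_chain(pkt, lists, rule45_enabled=False):
    """Return (rule number, action) of the first forward rule that matches."""
    rules = [
        {"num": 39, "action": "drop", "state": "invalid"},
        {"num": 40, "action": "accept", "state": "established", "dst_list": "local-networks"},
        {"num": 41, "action": "accept", "state": "related"},
        {"num": 45, "action": "accept", "in_if": "ether12", "out_if": "vlan100",
         "disabled": not rule45_enabled},  # X (disabled) in the post
        {"num": 69, "action": "accept", "out_if": "ether12"},
        {"num": 70, "action": "drop"},  # default drop
    ]
    for rule in rules:
        if not rule.get("disabled") and matches(rule, pkt, lists):
            return rule["num"], rule["action"]


if __name__ == "__main__":
    print("outbound:", forward_chain(OUTBOUND_PKT, LISTS_BEFORE))        # (69, 'accept')
    print("reply, as posted:", forward_chain(REPLY_PKT, LISTS_BEFORE))    # (70, 'drop')
    print("reply, rule 45 on:", forward_chain(REPLY_PKT, LISTS_BEFORE, True))  # (45, 'accept')
    print("reply, list fixed:", forward_chain(REPLY_PKT, LISTS_AFTER))    # (40, 'accept')
```

Adding the subnet to the list lets rule 40 accept only replies to connections the router has already seen leave, whereas rule 45 accepts any new connection arriving on ether12 for vlan100.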