Firewall help on hAP

I’m trying to set up a hAP for a friend and I’ve run into an issue with my end filter rule to drop all remaining traffic on the forward chain. I’ve got the same rules, more or less, on my CRS and it works. When I enable the rule on the hAP, it drops all connections. I can no longer ping or browse. The hAP has a pppoe client on ether1, ether2 is bridged with wlan1 and is the master port of ether3 and ether4. What am I missing?


/ip firewall address-list
add address=192.168.1.0/24 list=LAN_1
/ip firewall filter
add action=drop chain=input comment="drop invalid" connection-state=invalid
add action=drop chain=forward comment="drop invalid" connection-state=invalid
add chain=forward comment="allow new connections from LAN_1" connection-state=\
    new src-address-list=LAN_1
add chain=forward comment=" accept established,related through router" \
    connection-state=established,related src-address-list=LAN_1
add chain=input comment="allow LAN_1 to administer router" src-address-list=\
    LAN_1
add chain=input comment="Allow router to communicate with other hosts" \
    connection-state=established,related
add chain=input comment="allow dns to router from LAN_1" dst-port=53 protocol=\
    tcp src-address-list=LAN_1
add chain=input comment="allow dns to router from LAN_1" dst-port=53 protocol=\
    udp src-address-list=LAN_1
add chain=input comment="allow dns requests to return to router" \
    connection-state=established connection-type="" in-interface=pppoe-out1
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
    connection-state=established,related
add chain=input comment="Accept WAN side pings" limit=1,5:packet protocol=icmp
add action=drop chain=forward comment=\
    "defconf:  drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
    connection-state=new disabled=yes in-interface=pppoe-out1
add action=drop chain=input comment=\
    "Drop all others hosts from reaching router"
add action=drop chain=forward comment="drop all other traffic through router" \
    disabled=yes
/ip firewall nat
add action=redirect chain=dstnat comment="redirect dns to router" dst-port=53 \
    protocol=tcp src-address-list=LAN_1
add action=redirect chain=dstnat comment="redirect dns to router" dst-port=53 \
    protocol=udp src-address-list=LAN_1
add action=masquerade chain=srcnat comment=" masquerade LAN_1 out pppoe-out1" \
    out-interface=pppoe-out1 src-address-list=LAN_1

What you can do to help solve this issue is to enable logging on the drop rule to see what kind of traffic is getting through.

Then you can make the necessary changes to your top rules.
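The logging step from the reply, written out as an added RouterOS CLI example (this is not from the original post or from MikroTik's default configuration). It assumes the rule comments exactly as they appear in the export above, uses a log prefix of my own choosing ("FWD-DROP:"), and shows the kind of rule adjustment to consider if the log points at return traffic being dropped:

```routeros
# Added example: turn on logging for the final forward drop rule and enable it,
# so every packet it drops is written to /log with a searchable prefix.
/ip firewall filter
set [ find chain=forward comment="drop all other traffic through router" ] \
    log=yes log-prefix="FWD-DROP:" disabled=no

# Follow the hits live from a LAN host that cannot browse (Ctrl-C stops it).
# Each line reports in/out interface, protocol and src->dst address:port.
/log print follow where message~"FWD-DROP"

# If the dropped packets are replies coming in on pppoe-out1 (source address
# outside LAN_1) for connections that LAN hosts opened, the cause is that the
# "accept established,related" forward rule above is limited to
# src-address-list=LAN_1, so reply packets never match it and fall through to
# the drop. The default RouterOS firewall accepts established,related in the
# forward chain with no source restriction, placed right after the fasttrack
# rule. Assumed fix (added here, not the reply's text): insert such a rule
# ahead of the drop.
add chain=forward action=accept comment="accept established,related (any source)" \
    connection-state=established,related \
    place-before=[ find chain=forward comment="drop all other traffic through router" ]

# Once the top rules are sorted out, switch logging off again; a drop-all
# rule that logs every packet fills the log on a busy link.
set [ find chain=forward comment="drop all other traffic through router" ] log=no
```

The fasttrack rule does not accept a packet on its own; the packet that triggers fasttracking, and any packet that cannot take the fast path, still walks the rest of the chain, which is why the default configuration keeps a plain accept for established,related immediately after it.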