I have, I guess funny issue, and i hope you can help me
I deleted all the firewall rules using winbox, and clients behind hotspot are able to use internet etc. (i guess it is because default rule which is to allow/pass all traffic), and thats fine.
Than i add some rules to reject traffic to some neworks, reject some tcp/udp ports, reject icmp etc and that worked too.
But, now i have to add rule to allow some clients to use some tcp/udp ports from (above) blocked range, so i added rule to do that:
(under firewall → general → chain: forward, src. address: ip of client i want to pass, action: accept)
and set it first on list of rules, and nothing happened, traffic want pass.
Im playing with this for couple of days now, couldnt find any help regarding this.
I hoped that firewall rules should be executed by the firewall order list without regard to anything else? But I guess Im wrong?
If you could supply your firewall rules with “/ip firewall export” that would be useful, along with your specific goals for the rules. Did you delete the dynamic firewall rules that the hotspot created, if so you don’t want to do that, they make the hotspot work. Any number of things could be interfering, like if you made the rule too narrow to catch what you want, or didn’t use the correct matcher. Without more information it is impossible to say what the problem is.
huh,
first rule (actually 0 rule) is to allow all tragic to single ip address.
second rule is to reject icmp
third is to block xyz netwotk
i guess firewall rules should execute by order and if package match first rule it should ignore second?
but no, ip address to which i give all permisions cant ping (until i disable second rule) and it cant access xyz network until i disable third rule.
but what is point then?
Once again, supply “/ip firewall export”. Yes rules are processed in order based on their chain. With that being said however, if one rule is too general and catches everything (or more than what you want), such as your rule that accepts traffic to one IP, other rule will not be processed bellow that. Without you supplying the needed information, no one can correct or give any assistance in this for you. Based on what you are saying your rules are too general and accepting more traffic than what you want them to.
Feklar is right, if you mess up by having your general firewall rule set up, you could rule out the use of more specific rules. One general rules of Firewalls is to have more specific rules near the top and catch all rules nearer the bottom.
Well one of the first things that I see wrong is that you have no address list named 10.10.71.0/24 listed in your configuration. The src- and dst- address-list matcher is an address list that you give a readable name to. You add the IP addresses/subnets you want to that list in a firewall menu, you cannot directly list subnets there. You can either change it to src-address or set up the address list properly.
The second issue that I see is you are accepting traffic being forwarded to a certain MAC address, a firewall is generally a layer3 device, and MAC addresses do not traverse layer3 hops. So unless you are doing a transparent firewall, this is the wrong way to do it. It is much better to list the IP address of the device since that is what is going to be in the IP header.
Ok, first question, where is 10.10.71.111 located in the network? What device are you trying to communicate to with that and what is it’s IP address. A network diagram would be very handy along with the output of “ip address print detail” and “ip route print detail”.
The next thing to check is if the hotspot rules are back, it is not a very good idea to delete them, and the system will automatically repopulate them. You can place rules above them and they will stay there, but the hotspot needs those rules to work correctly, so don’t delete them.
Also is there a reason why you are blocking everything except for TCP DNS (DNS usually tries UDP first) HTTP, HTTPS, and Radius from the guests?
i will answer you from bottom,
is there reason to block everything except DNS, HTTP, HTTPS, and RADIUS.
yes, do they need anything else? no.
hotspot works perfectly, so i guess no need to return back default rules (btw i had same problem with default hotspot firewall rules on top).
and last/first
eth addr = 10.10.0.215
wlan addr = 10.10.71.1 client connected to wlan addr = 10.10.71.111
again,
first rule is to pass * from 10.10.71.111
and 2nd, 3rd etc are blocking rules,
problem is that firewall dont pass 10.10.71.111 based on first rule.
What I am saying is that the hotspot will automatically repopulate the dynamic rules every so often, so deleting them won’t do you much good, the router needs them to work properly with the hotspot and protect itself. These are not something that should be deleted.
The second thing is that you need to know how the hotspot works, I forgot to mention this before, so that’s my bad. Look at the packet flow diagram to get a clearer picture of what I am talking about here. http://wiki.mikrotik.com/wiki/Packet_Flow#Diagram
The first thing that the hotspot does is it will dst-nat all traffic in the NAT firewall to itself for guests that are not authorized. That means that there are no packets going to to the host you want to allow for guests that are not authorized. Once they are authorized on the network, then they can probably access that host fine correct? The hotspot will also continue to redirect HTTP requests to itself in the NAT firewall unless told not to by an accept rule further up the chain, this is how things like transparent proxy and the advertising options work. You can probably get around this by adding the host to the Walled Garden IP List under the hotspot settings as the quickest way around it, or you can make a set of your own rules in NAT and Filter to accomplish it.
I’m also assuming that your eth address and wireless address are on two different subnets? What services are they trying to connect to? As for you allowing only certain services, that’s a network design decision, and up to you. You need to weigh the cost of guests that expect to be able to use other services and the calls and complaints that will be generated vs the benefit of only allowing certain access.
many thanks for your detail explanation
But, it seems have some success,
i made rules "less general" and it works fine now, (i dont know how rule "all" is more general than the "block exact network" i have on wifi, basically its same thing)
i dont know how mikrotik firewall is designed, and that is why i asked for help here
listen for your advice and it seems that works.
here it is (solution that works, maybe it will help to someone, basically instead of all i just added exact network to block)
[admin@MikroTik] > /ip firewall export
