Firewall inactive on new configuration

I’m relatively new to working with Mikrotik, although I’ve had experience with several other brands in the past. Currently, I’m using a CR2004-16G-2S+ running RouterOS 7.6. I haven’t created any Bridge interfaces yet, but I have my WAN on SFP2 (Interface list: WAN) and my Network on SFP1 (Interface list: LAN), with masquerade on WAN.

Everything seems to be functioning smoothly (around 6-7Gbit/s to WAN), but for some reason, the firewall appears to be inactive.

I’ve set up a couple of simple rules just to test it out, but it doesn’t seem to be taking effect.

Here are the details of my firewall and address-list configuration:

Address List:
Columns: LIST, ADDRESS, CREATION-TIME
0 MYLAN 172.16.0.0/16 oct/26/2022 14:24:21

Firewall Filters:
Flags: X - disabled, I - invalid; D - dynamic
0 chain=input action=drop connection-state="" connection-nat-state="" protocol=icmp src-address=172.16.0.0/16 dst-address=1.1.1.1 in-interface-list=LAN log=no log-prefix=""
1 chain=input action=drop connection-state=invalid,established,related,new,untracked protocol=tcp src-address-list=MYLAN in-interface-list=LAN src-port=53 dst-port=53 log=yes log-prefix=""
2 chain=input action=drop connection-state=invalid,established,related,new,untracked protocol=udp src-address-list=MYLAN in-interface-list=LAN src-port=53 dst-port=53 log=yes log-prefix=""

Oddly enough, I can still ping 1.1.1.1 and use dig @8.8.8.8 whateverdomain.tld.

I’ve experimented with various configurations like full IP addresses, CIDR, addresses, and source lists, but I can’t seem to figure it out. Any help would be greatly appreciated.

For a configuration like yours, it’s only necessary when you have multiple ports in use on the LAN side and want them to behave like a network switch, and even then, only if you want that configuration to be efficient. You’re welcome to have multiple LAN-side ports without a bridge, forcing all LAN-side traffic through the CPU’s routing engine instead, if you enjoy livin’ la vida loca. :winking_face_with_tongue:


Firewall Filters:
Flags: X - disabled, I - invalid; D - dynamic
0 chain=input action=drop…

In the future, please post the output of “/export” commands rather than “print” commands, since it gives us the exact details we can replicate on local setups; columnar “print” output has to be retranslated back into RouterOS CLI commands. It is also kind to put this type of thing into a “code” block so that we get syntax highlighting and better scrolling behavior on the forum.

But that isn’t necessary here for such simple problems as I believe this one to be. The input chain is for packets destined to the router itself. Your rules will only block DNS for clients using the router’s IP as their DNS. Packets outbound to the Internet like your 8.8.8.8 example will instead go through the “forward” chain. Moving your rules to that chain should give the effect you’re after, if I understand you properly.
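As an added illustration of the chain distinction described in the reply (this is not the poster's configuration or the replier's code, but an export-style fragment written for this thread), the three test rules are re-expressed as `/export`-style commands and placed in the `forward` chain, which is where LAN-to-WAN packets such as the ping to 1.1.1.1 and the query to 8.8.8.8 are evaluated. The `MYLAN` address list and the `LAN`/`WAN` interface lists come from the original post; the comments and log prefixes are assumptions. The `src-port=53` match from the original rules is deliberately omitted, because a resolver client sends its query from an ephemeral source port, so a rule that also requires source port 53 would not match ordinary client queries; the all-states `connection-state` list is omitted as well, since matching every state is the same as not matching on state at all.

```routeros
# Added example for this thread, not the poster's own export.
# Names taken from the post: address list MYLAN, interface lists LAN and WAN.
/ip firewall address-list
add list=MYLAN address=172.16.0.0/16 comment="LAN range from the post"

/ip firewall filter
# forward chain: packets transiting the router (LAN -> WAN), e.g. ping 1.1.1.1
add chain=forward action=drop protocol=icmp src-address-list=MYLAN \
    dst-address=1.1.1.1 in-interface-list=LAN out-interface-list=WAN \
    comment="test: drop LAN ICMP to 1.1.1.1"
# forward chain: LAN clients querying external resolvers, e.g. dig @8.8.8.8
add chain=forward action=drop protocol=udp src-address-list=MYLAN dst-port=53 \
    in-interface-list=LAN out-interface-list=WAN log=yes \
    log-prefix="lan-dns-udp" comment="test: drop LAN DNS over UDP"
add chain=forward action=drop protocol=tcp src-address-list=MYLAN dst-port=53 \
    in-interface-list=LAN out-interface-list=WAN log=yes \
    log-prefix="lan-dns-tcp" comment="test: drop LAN DNS over TCP"
# input chain: only packets addressed to the router itself, e.g. LAN clients
# that use the router's own IP as their DNS server
add chain=input action=drop protocol=udp src-address-list=MYLAN dst-port=53 \
    in-interface-list=LAN comment="drop LAN DNS queries aimed at the router"
```

Two things to check after pasting this in: rule order matters, so these drop rules must sit above any `accept` for established/related traffic or any `fasttrack-connection` rule in the `forward` chain, otherwise already-established flows are passed before the drop is reached; and `/ip firewall filter print stats` shows per-rule packet counters, which is the quickest way to confirm that a test ping or `dig` is actually hitting the intended rule rather than a different chain.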