firewall input chain question wrt wlan & lan

Hi there

I understand that in the firewall filter you need to add a chain like this;
add chain=input in-interface=ether2 src-address=192.168.50.0/24 comment="From our LAN"

but what I don’t understand is whether or not I need to add this for my wlan interface as well?

perhaps a line like this?;
add chain=input in-interface=wlan1 src-address=192.168.51.0/24 comment="From our WLAN"

or could I just add an IP to the bridge and do this?;
add chain=input in-interface=bridge1 src-address=192.168.52.0/24 comment="From our LAN/WLAN/BRIDGE"

I’m not sure about the IP address of the bridge though.

In my case, I’m using the wlan1 in ap_bridge mode so that wireless users on the network can access the internet.

I have these entries for NAT;
0 chain=srcnat action=masquerade src-address=192.168.50.0/24 (LAN)
1 chain=srcnat action=masquerade src-address=192.168.51.0/24 (WLAN)

and my bridge has PROXY-ARP enabled.

Sorry this is long winded but I wanted to give enough info for a meaningful response.

Thanks in advance.

OK, so bridging works at layer 2, so no IP addresses are needed. But still, would you then assign a filter chain to an interface as opposed to an IP address?

add chain=input in-interface=ether2 src-address=192.168.50.0/24 comment="From our LAN"

The input chain already exists by default; this rule makes no sense. What are you trying to do anyway?

There are three default chains:

Input: all traffic destined to the router itself, no matter from which interface.
Forward: all traffic going through the router (your normal traffic from/to customers).
Output: all traffic FROM the router (like when you ping something from the router, for example).

Additional chains are required only for grouping of firewall rules and optimization of the system.

Thanks normis

I was just following the example given by the wiki;

http://wiki.mikrotik.com/wiki/How_to_Connect_your_Home_Network_to_xDSL_Line
7th line under ‘ip firewall filter’

and hence my confusion as to whether I needed to add an input chain for my wlan interface as well as the lan1/ether1.

I don’t have any filter rules yet and there aren’t any installed by default that I can see. In telnet, ip firewall filter print shows nothing.

Am I confused or missing the point?

The command lacks the action=accept. This rule works in tandem with the later "drop everything else" rule. So, in short: the first rule tells the router to accept connections to the router (like telnet) from your local network, and the other one drops all other connections.

So it actually depends on which networks you trust. If the users coming from the wlan network should be allowed to connect to the router (for administration), then add a similar rule next to that one.

basically:

  1. accept this
  2. accept that
  3. accept something else
  4. drop the rest

Ah, I see now. I’m getting my knickers in a knot over something that I didn’t understand properly.

For normal internet access, the packets merely ‘pass through’ the router and as such don’t need a specific rule? I only need the input chain filter for those connecting from the LAN and that need to actually end up at the router, so thanks.

Yes and no. It doesn't need a firewall rule, but depending on your network setup (bridging/routing) you might need a SRC-NAT rule (masquerade) to hide your private IPs behind the router.

Thanks Normis

I’m going on training tomorrow, so hopefully soon I’ll be asking more explicit questions.

To be a bit more specific, there are default behaviors for each of the chains. In 2.8.x, we had the option to set a default policy per chain. In 2.9.x, this option is no longer available. MikroTik has 3 “built-in” chains as follows:

INPUT - This chain is called for packets which are destined for the router. In other words, if the dst-address belongs to the router itself, that packet is processed against the INPUT chain.

OUTPUT - This chain is called for packets which originate from the router. Things like the router sending its syslog to a remote syslog server, replies to ping or other connections and such will be processed against this chain.

FORWARD - This chain is called for packets that enter the router and will be sent along to other devices. In other words, traffic that passes through the router will be processed against this chain.

For the above 3 “built-in” chains, the default policy is ACCEPT. This means that if you have no rules in a given chain, then packets that would be processed against that chain will “automatically” be accepted. Furthermore, let’s consider the following example for the input chain:

/ip firewall filter
    add chain=input src-address=10.10.2.1 action=drop
    add chain=input src-address=10.10.2.25 action=drop
    add chain=input src-address=10.1.1.2 action=accept

When a packet is received by the router with a src-address of 10.10.2.1 and a destination address that belongs to the router, that packet will match the first rule in the example and will, therefore, be dropped. Likewise for a src-address of 10.10.2.25. The last rule causes all traffic from 10.1.1.2 to be accepted. Since the default behavior for the input chain is to accept, the traffic from that IP would have been accepted anyway, so the rule is not needed. Keep in mind that firewall rules are processed in order from the top going down. Let's add another rule at the bottom of the list now:

add chain=input action=drop

What this rule does is cause any traffic that has not matched any previous rule to be dropped. With this setup, the first 2 rules would not really be needed, as the only traffic that has an “accept” action (if it comes from 10.1.1.2) will be allowed to pass the firewall. It should be noted that that last rule does not really change the default policy of the firewall, but it changes the default behavior, since the final rule will drop all other traffic. Kind of a minor point, but I thought I would add it for the sake of completeness.
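As an added illustration (not code from the thread or from MikroTik), the following evaluator models the chain selection and top-down, first-match processing that Butch describes, and also the accept/accept/drop pattern normis suggested for the LAN and WLAN question earlier in the thread. The router addresses, interface names and packets it uses are constructed for the example.

```python
import ipaddress
import shlex

# Added example, not from the thread: a minimal first-match evaluator for
# RouterOS-style "/ip firewall filter" rules, to show how the built-in
# chains and the accept/accept/drop pattern behave. Router addresses,
# interface names and packets are constructed for the illustration.
ROUTER_ADDRS = {"192.168.50.1", "192.168.51.1", "203.0.113.2"}

def parse_rule(line):
    """'add chain=input src-address=10.10.2.1 action=drop' -> dict."""
    rule = {}
    for tok in shlex.split(line)[1:]:       # skip the leading "add"
        key, _, val = tok.partition("=")
        rule[key] = val
    rule.setdefault("action", "accept")     # action omitted -> accept
    return rule

def chain_for(pkt):
    """Pick the built-in chain the way Butch's post describes."""
    if pkt["dst"] in ROUTER_ADDRS:
        return "input"                      # destined for the router itself
    if pkt["src"] in ROUTER_ADDRS:
        return "output"                     # originated by the router
    return "forward"                        # passing through the router

def matches(rule, pkt):
    if "src-address" in rule:
        net = ipaddress.ip_network(rule["src-address"], strict=False)
        if ipaddress.ip_address(pkt["src"]) not in net:
            return False
    if "in-interface" in rule and pkt.get("in_if") != rule["in-interface"]:
        return False
    return True

def verdict(rule_lines, pkt):
    """Top-down, first match wins; no match means the chain's default accept."""
    chain = chain_for(pkt)
    for rule in map(parse_rule, rule_lines):
        if rule["chain"] == chain and matches(rule, pkt):
            return rule["action"]
    return "accept"

# The LAN/WLAN setup from the thread: the wiki rule with action=accept made
# explicit, a matching rule for the trusted wlan1 network, then drop the rest.
LAN_WLAN_RULES = [
    'add chain=input in-interface=ether2 src-address=192.168.50.0/24 action=accept comment="From our LAN"',
    'add chain=input in-interface=wlan1 src-address=192.168.51.0/24 action=accept comment="From our WLAN"',
    "add chain=input action=drop",
]
```

Running `verdict(LAN_WLAN_RULES, pkt)` for a WLAN client talking to the router, a WAN host talking to the router, and a WLAN client heading out to the internet shows why only the router-bound traffic needs an input rule.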

Thanks Butch, this is a very good explanation.