Firewall input drop all except LAN

I have enabled the defconf: drop all not coming from LAN rule in the firewall. Basically it is an input drop !LAN

After that I am getting a lot of these messages in the log:

OUT-OF-LAN input: in:ether1-pppoe-out1 out:(unknown 0), connection-state:new src-mac xx:xx:xx:xx:xx:xx, proto UDP, xxx.xxx.xxx.xxx:53->PPPOE-DYNAMIC-IP-ADDRESS:54398, len 144

I am trying to find an explanation about that. I see some topics in this forum related with similar problem, but no solutions.

Do you have some idea about how to get it fixed?

You want to fix scanning bots or other abusive devices sweeping all router ports to check whether your device is vulnerable.

You can disable logging on this firewall rule.

First of all why do you use such a twisted rule??
defconf: drop all not coming from LAN rule in the firewall. Basically it is an input drop !LAN

Much better and clearer to simply say

accept all coming from LAN
drop all else

This leads to the logical next step, which you may have not noticed with the original default (designed for simple flat network).

accept all coming from LAN but only with source address of ADMIN
accept all coming from LAN for ONLY required services, normally DNS and sometimes NTP
drop all else.

Because the whole LAN does not require full access to the router!! (input chain = to the router) That is better security practice!

Dear,

I absolutely agree with you. But the comments came from the examples that I have used.
I will make necessary changes with your suggestions.
Accept all only from admin IPs.
Accept from all only 53 and 123 ports.

And I have observed the following… I am also getting a lot of ACK,PSH messages, and apparently all the messages went away when I added a new condition to the rule:

Now the rule is chain input !LAN !DSTNAT. Apparently all those messages are from connections from NAT.

Sincerely,

It's simple for both chains:
a few default rules
a few user rules
drop all

No need to get cute…

allow Admin to router
allow users to needed services
drop all else

allow subnets to WAN
allow port forwarding
drop all else

**** any other needed traffic like to a shared printer for example.
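The two rule sets sketched in the replies above (admin hosts and only DNS/NTP for the rest of the LAN on the input chain; LAN to WAN plus port forwarding on the forward chain, drop all else) written out as RouterOS CLI. This is an added example, not configuration posted in the thread. It assumes the default-config interface lists LAN and WAN already exist and that pppoe-out1 is a member of WAN; the address list name "admin" and the management host 192.168.88.10 are assumptions to replace with your own.

```routeros
# Added example, not from the original posts. Assumes interface lists LAN and WAN
# exist (the default configuration creates them) and pppoe-out1 is in WAN.
# The "admin" list and 192.168.88.10 are assumed values; change them to your own.

/ip firewall address-list
add list=admin address=192.168.88.10 comment="admin workstation (assumed)"

/ip firewall filter
# ---- input chain: traffic TO the router itself ----
add chain=input action=accept connection-state=established,related,untracked \
    comment="accept established/related/untracked"
add chain=input action=drop connection-state=invalid comment="drop invalid"
add chain=input action=accept protocol=icmp comment="accept ICMP"
add chain=input action=accept in-interface-list=LAN src-address-list=admin \
    comment="admin hosts: full access to the router"
add chain=input action=accept in-interface-list=LAN protocol=udp dst-port=53 \
    comment="LAN: DNS over UDP"
add chain=input action=accept in-interface-list=LAN protocol=tcp dst-port=53 \
    comment="LAN: DNS over TCP"
add chain=input action=accept in-interface-list=LAN protocol=udp dst-port=123 \
    comment="LAN: NTP"
# no log= on the final drop, so scanner noise does not fill the log
add chain=input action=drop comment="input: drop all else"

# ---- forward chain: traffic THROUGH the router ----
add chain=forward action=accept connection-state=established,related,untracked \
    comment="accept established/related/untracked"
add chain=forward action=drop connection-state=invalid comment="drop invalid"
add chain=forward action=accept in-interface-list=LAN out-interface-list=WAN \
    comment="LAN subnets to WAN"
add chain=forward action=accept connection-state=new connection-nat-state=dstnat \
    in-interface-list=WAN comment="port forwarding (dst-nat'ed) from WAN"
# insert rules for any other needed traffic (e.g. a shared printer between
# LAN subnets) ABOVE this line; everything not accepted above is dropped
add chain=forward action=drop comment="forward: drop all else"
```

Rule order is what makes this work: the accepts must sit above the final drop in each chain, and nothing at all should follow the drop. Apply it from a console session in Safe Mode (Ctrl+X) so a mistake that locks you out is rolled back when the session drops. If you would rather keep the thread's original rule and just silence it, as one reply suggests, `/ip firewall filter set [find log-prefix="OUT-OF-LAN"] log=no` turns logging off on that rule without changing what it drops.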

I got it. Thank you so much!
Mindset changes! :smiley:

Yup…
https://forum.mikrotik.com/viewtopic.php?t=180838

I recommend that topic for all new MikroTik users.