Firewall + pppoe/ether1 with /28 IPv4 on LAN side

I have a SOHO and a friend of mine recommended switching to MikroTik for the versatility of their products running RouterOS.
So I purchased a hEX S and a cAP ac that is connected via PoE to the hEX S.

My “hEX S” has “ether1” connected to the VDSL modem via the “pppoe-out1” connection.

Ports “sfp1, ether2, ether3, ether4, ether5” are local ports and are included in “bridge”,
so “ether1” is my internet port and so is “pppoe-out1”.

#ALL INTERFACES
#interface print from my hEX S

/interface print
 #     NAME                                TYPE       
 0     ether1                              ether      
 1     ether2                              ether      
 2     ether3                              ether      
 3     ether4                              ether      
 4     ether5                              ether      
 5     sfp1                                ether      
 6     bridge                              bridge     
 7     pppoe-out1                          pppoe-out

#LAN + WAN
#interface member print from my hEX S

/interface list member print
 #   LIST                                  INTERFACE
 0   LAN                                   bridge
 1   WAN                                   ether1

#LAN only ports
#interface bridge port print showing rest of the ports as LAN

/interface bridge port print
 #     INTERFACE     BRIDGE     HW  PVID PRIORITY  PATH-COST INTERNAL-PATH-COST    HORIZON
 0     ether2        bridge     yes    1     0x80         10                 10       none
 1     ether3        bridge     yes    1     0x80         10                 10       none
 2     ether4        bridge     yes    1     0x80         10                 10       none
 3     ether5        bridge     yes    1     0x80         10                 10       none
 4     sfp1          bridge     yes    1     0x80         10                 10       none

My previous ADSL Modem/Router, a Technicolor TG582, was great:
I could control it from telnet, and here is an example of the firewall rules I used when I wanted to allow incoming traffic:

(1) - add/check the hostname/port
:expr add name=RPi512 type=ip addr=107.189.10.209
:expr add name=RPi512 type=ip addr=2002:6bbd:0ad8:0:ba27:ebab:fc5d:f34a
:expr add name=RPi512rtmp type=serv proto=tcp dstport=1935
:expr list


(2) - add/check the firewall rule
:firewall rule add chain=forward_level_Expert index=3 srcintf=wan serv=RPi512rtmp srcip=190.58.131.145 dstip=107.189.10.209 log=enabled action=accept
:firewall rule add chain=forward_level_Expert index=3 srcintf=wan serv=RPi512rtmp dstip=2002:6bbd:0ad8:0:.... log=enabled action=accept
:firewall rule list

I would start after rule no. 2, as that one was designated for persistent abusers.

(3) - check the firewall list
:firewall level list

Rules (flags: C=Constant, D=Dynamic, E=Enable, L=Log)
=====
Chain                            Nr.  Flags  Rule name         Action                             Conditions                              
------------------------------------------------------------------------------------------------------------------------------------------
forward_level_Expert             1    C EL                   : accept                           : lan.* > *.*
                                 2    C EL                   : drop                             : wan.abusers > *.*
                                 3    C EL                   : accept                           : RPi512rtmp wan.190.58.131.145 > *.107.189.10.209
                                 4    C EL                   : accept                           : RPi512rtmp wan.* > *.2002:6bbd:0ad8:0:ba27:ebab:fc5d:f34a
                                 ...  ...                    : ...                              : ...
                                 29   C EL                   : deny                             : wan.* > *.*

Last year I upgraded from ADSL to VDSL and got a new VDSL Modem/Router from my ISP,
which is restricted to only a handful of rules that can be saved in the firewall via the
web interface; the device is locked down (locked DNS servers, etc.).

But the firewall rules are easy to set up: just add “SERVICE [name + port number(s) + type UDP, TCP or both]”
and then create a firewall rule for the inbound service:
“SERVICE” + action “allow, block” + LAN IPv4 or v6 + access from “Single IP/Range” and last “LOG rule”.

Perhaps the fact that I have a block of /28 IPv4 addresses on the LAN side could be the problem,
but it never was when we had the stock ADSL/VDSL Modem/Routers.

Is it important that “input” rules come first in the firewall rules, or can they be after
“forward” rules in the MikroTik firewall?

I understand that “input” is to allow access to the router, which I do not need (just ICMP). I am
after allowing/opening specific port(s) to a specific LAN IP address from the /28 block that my ISP gave me,
and restricting access to that port/IP only from certain outside IP ranges.

I have tried the following:
#IPv4 firewall to a router=input (Block everything apart from ICMP)

/ip firewall filter add action=accept chain=input comment="MT default configuration" connection-state=established,related
/ip firewall filter add action=accept chain=input comment="MT default configuration" src-address-list=allowed_to_router
/ip firewall filter add action=accept chain=input comment="MT default configuration" protocol=icmp
/ip firewall filter add action=drop chain=input comment="MT default configuration"

#IPv4 firewall address list for LAN

# 107.189.10.216/28 is not on a /28 boundary; the /28 that contains the usable hosts .209-.222 is 107.189.10.208/28
/ip firewall address-list add address=107.189.10.208/28 list=allowed_to_router comment="MT default configuration"
/ip firewall address-list add address=107.189.10.209-107.189.10.222 list=allowed_to_router

#IPv4 firewall for clients=forward | in-interface=bridge

/ip firewall filter
add action=fasttrack-connection chain=forward comment="MT FastTrack" connection-state=established,related
add action=accept chain=forward comment="MT Established, Related" connection-state=established,related
add action=drop chain=forward comment="MT Drop invalid" connection-state=invalid log=yes log-prefix=invalid
add action=drop chain=forward comment="MT Drop tries to reach not public addresses from LAN" dst-address-list=not_in_internet in-interface=bridge log=yes log-prefix=!public_from_LAN out-interface=!bridge
# Routed internet packets arrive on pppoe-out1, not ether1 (ether1 only carries the PPPoE session frames),
# so rules written with in-interface=ether1 never match anything.
add action=drop chain=forward comment="MT Drop incoming from internet which is not public IP" in-interface=pppoe-out1 log=yes log-prefix=!public src-address-list=not_in_internet
# Custom accepts for hosts in the routed public /28 (107.189.10.209-107.189.10.222) must come BEFORE the catch-all drop below,
# because the first matching rule in a chain wins.
add action=accept chain=forward comment="Allow RTMP to RPi512" in-interface=pppoe-out1 protocol=tcp dst-address=107.189.10.209 dst-port=1935 log=yes log-prefix=rtmp_in
# A routed public block is not NATted, so the default-config rule with connection-nat-state=!dstnat would drop every inbound
# connection; drop all other NEW connections from the internet instead.
add action=drop chain=forward comment="MT Drop other new connections from internet" connection-state=new in-interface=pppoe-out1 log=yes log-prefix=!allowed
add action=drop chain=forward comment="MT Drop packets from LAN that do not have LAN IP" in-interface=bridge log=yes log-prefix=LAN_!LAN src-address=!107.189.10.208/28

I have followed the wiki posts [https://wiki.mikrotik.com/wiki/Firewall]
but none of them seem to work for me,
and I end up with an open network (all the hosts are accessible from the Internet).

What am I doing wrong?


On “chain=forward”, should my “in-interface” be “ether1”, “bridge” or “pppoe-out1”?

ether1 is connected to the VDSL modem in bridge mode.
bridge is where all of my LAN clients are.
pppoe-out1 is the connection created to connect to my ISP.

EDIT: added Code display
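Added example (not the poster's configuration and not from the MikroTik wiki): a complete IPv4 input/forward ruleset for a routed public /28 (107.189.10.208/28, usable hosts .209-.222) sitting on the bridge behind pppoe-out1. It uses interface lists instead of interface names, puts the WAN-to-LAN accept before the WAN drop, and leaves out the default-config "not DSTNATed" rule, which only makes sense with NAT. The address-list names "rtmp_sources" and "lan_public" and the rule comments are my own; the RTMP host 107.189.10.209 tcp/1935 and the allowed source 190.58.131.145 are taken from the Technicolor rule above. It assumes the LAN interface list already contains "bridge", as shown in the `/interface list member print` output.

```routeros
# Routed packets from the internet arrive on pppoe-out1; ether1 only carries the PPPoE session.
# Put pppoe-out1 in the WAN list so rules can say in-interface-list=WAN instead of naming ether1.
/interface list member add list=WAN interface=pppoe-out1

/ip firewall address-list
add list=rtmp_sources address=190.58.131.145 comment="outside addresses allowed to reach RPi512 rtmp (assumed list name)"
add list=lan_public address=107.189.10.208/28 comment="our routed /28 (assumed list name)"

/ip firewall filter
# input: traffic to the router itself. The LAN block is public, so also require the LAN interface,
# otherwise an internet packet with a spoofed 107.189.10.x source would be accepted.
add chain=input action=accept connection-state=established,related,untracked comment="input: established/related"
add chain=input action=drop connection-state=invalid comment="input: drop invalid"
add chain=input action=accept protocol=icmp comment="input: icmp"
add chain=input action=accept in-interface-list=LAN src-address-list=lan_public comment="input: LAN hosts to router"
add chain=input action=drop log=yes log-prefix=input_drop comment="input: default drop"

# forward: traffic through the router. First match wins, so the WAN->LAN accept sits BEFORE the WAN drop.
add chain=forward action=fasttrack-connection connection-state=established,related comment="forward: fasttrack"
add chain=forward action=accept connection-state=established,related,untracked comment="forward: established/related"
add chain=forward action=drop connection-state=invalid comment="forward: drop invalid"
add chain=forward action=accept in-interface-list=WAN protocol=tcp dst-address=107.189.10.209 dst-port=1935 src-address-list=rtmp_sources log=yes log-prefix=rtmp_in comment="forward: RPi512 rtmp from allowed sources"
# No NAT on a routed block: do NOT use connection-nat-state=!dstnat here, it would drop every inbound connection.
add chain=forward action=drop in-interface-list=WAN log=yes log-prefix=wan_drop comment="forward: drop everything else from WAN"
add chain=forward action=accept in-interface-list=LAN src-address-list=lan_public out-interface-list=WAN comment="forward: LAN hosts out to internet"
# Makes the implicit end-of-chain accept an explicit, logged drop (catches LAN packets with a non-LAN source, etc.).
add chain=forward action=drop log=yes log-prefix=fwd_drop comment="forward: default drop"
```

Each additional published service is one more accept with its own dst-address, dst-port and src-address-list, placed above the "drop everything else from WAN" rule. IPv6 is a separate firewall (/ipv6 firewall filter) and is not covered here.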

OK, so this is helpful: [http://forum.mikrotik.com/t/firewall-problem/140666/1]

  • chain=input is for packets which enter the router (any interface!) and are targeting the router’s own services
  • chain=output is for packets originating from the router itself (egressing via any interface)
  • chain=forward is for packets which (eventually) pass through the router. Those include NAT-ed packets which (if coming from the internet) initially seem to target the router itself, but if the port is forwarded, these packets pass through the router, hence chain=forward

Is that the order the rules need to be in?
1st chain=input
2nd chain=output
3rd chain=forward

The firewall’s default action is accept. Imagine it as an invisible “/ip firewall filter add chain= action=accept” at the end of each chain. I prefer to add an unconditional drop/reject, like you did with the input chain.

Order of rules is important only within the same chain. Otherwise chains are independent of each other; it doesn’t matter if you have input before forward or forward before input. You can even mix rules from different chains together and it will still work the same (but it will be harder for you to read).
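Added example (mine, not from either poster) of the two points above in practice: checking the evaluation order of one chain, inserting an accept above the catch-all drop rather than appending it to the end, and making the invisible end-of-chain accept an explicit drop. The rule comments used in the `find` expressions ("MT Drop other new connections from internet", "Allow RTMP to RPi512") are assumed; substitute the comments of your own rules.

```routeros
# 1. Show the forward chain in the order it is evaluated (first match wins; a rule listed
#    after an unconditional drop can never match).
/ip firewall filter print without-paging where chain=forward

# 2. "add" appends to the end of the chain, i.e. after the catch-all WAN drop. Use place-before
#    so the accept is inserted directly above the drop it must beat. (Assumed comment on the drop.)
/ip firewall filter add chain=forward action=accept in-interface=pppoe-out1 protocol=tcp dst-address=107.189.10.209 dst-port=1935 src-address=190.58.131.145 comment="Allow RTMP to RPi512" place-before=[find chain=forward comment="MT Drop other new connections from internet"]

# 3. If the accept already exists but sits below the drop, move it above the drop instead.
/ip firewall filter move [find comment="Allow RTMP to RPi512"] destination=[find chain=forward comment="MT Drop other new connections from internet"]

# 4. Replace the implicit accept at the end of the chain with a logged drop, so anything the
#    rules above did not explicitly accept is dropped (and visible in /log) instead of forwarded.
#    Do this for forward (and input, as the poster already has); an unconditional drop in output
#    would also cut off the router's own DNS, NTP and PPPoE-related traffic, so leave output alone.
/ip firewall filter add chain=forward action=drop log=yes log-prefix=fwd_default comment="forward: default drop"

# 5. Verify with counters while the RTMP stream is running: the accept's packet counter should
#    increase, the default drop's should not. Reset first so the numbers are unambiguous.
/ip firewall filter reset-counters-all
/ip firewall filter print stats where chain=forward
```

Because chains are independent, the input-chain rules can stay where they are in the list; only the position of each rule relative to the other rules of the same chain changes the outcome.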