Network 172.16.0.0/16 isn’t added to the whitelist at all because it’s the aggregation of two subnets, 172.16.0.0/24 and 172.16.1.0/24. So I’ve added it to FIREWALL RAW
And so I’ve added
And SSH works fine and I see in the notrack logs that I can get in, but it doesn’t appear to be the same with Winbox, which doesn’t work at all.
It gets logged by the Winbox firewall rule and it is also passed to the prerouting rule.
Strange, because if I disable that prerouting rule completely (and of course the VPN networks aren’t whitelisted in the address-list) then I get what I’m supposed to get:
ssh: connect to host 10.254.254.253 port 22: Connection refused
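The first post turns on one allow-list decision: 172.16.0.0/16 is only the aggregate of the two /24s actually in use, so adding it would admit far more address space than intended. The helper below, which is an added illustration and not code from the thread or from RouterOS, takes a candidate allow-list entry plus the subnets that are really in use and reports the minimal aggregate and any excess address space the candidate would admit. The subnet values are the ones from the post; the function names and the sample call are constructed.

```python
"""Allow-list scope check (added example, not from the forum thread).

Given a candidate allow-list prefix and the prefixes genuinely in use, this
reports (a) the smallest set of prefixes that exactly covers what is in use
and (b) which parts of the candidate lie outside that, i.e. how much extra
address space a too-broad entry would admit.
"""
from ipaddress import IPv4Network, collapse_addresses, ip_network


def minimal_aggregate(in_use: list[str]) -> list[IPv4Network]:
    """Smallest prefix set that exactly covers `in_use` (adjacent blocks merge)."""
    nets = [ip_network(n, strict=True) for n in in_use]
    return list(collapse_addresses(nets))


def excess_space(candidate: str, in_use: list[str]) -> list[IPv4Network]:
    """Return the parts of `candidate` that no `in_use` subnet covers.

    Two prefixes are either nested or disjoint, so each in-use subnet is
    either fully inside a leftover block (carve it out), fully covers the
    block (drop the block) or does not touch it (keep the block).
    """
    leftover = [ip_network(candidate, strict=True)]
    for used in (ip_network(n, strict=True) for n in in_use):
        nxt: list[IPv4Network] = []
        for block in leftover:
            if block.subnet_of(used):          # covered (or equal): nothing left
                continue
            if used.subnet_of(block):          # strictly inside: carve it out
                nxt.extend(block.address_exclude(used))
            else:                              # disjoint: untouched
                nxt.append(block)
        leftover = nxt
    return sorted(leftover)


def review_entry(candidate: str, in_use: list[str]) -> dict:
    """Summarise how far a candidate entry overshoots the subnets in use."""
    extra = excess_space(candidate, in_use)
    return {
        "candidate": candidate,
        "minimal": [str(n) for n in minimal_aggregate(in_use)],
        "excess_blocks": [str(n) for n in extra],
        "excess_addresses": sum(n.num_addresses for n in extra),
        "too_broad": bool(extra),
    }


if __name__ == "__main__":
    # Subnets from the thread; the /16 is the aggregate the poster chose not to whitelist.
    in_use = ["172.16.0.0/24", "172.16.1.0/24"]
    for cand in ("172.16.0.0/16", "172.16.0.0/23"):
        print(review_entry(cand, in_use))
```

The /23 is the tightest single prefix that covers both /24s; the /16 admits the remaining 65,024 addresses of 172.16.0.0/16, which is what an allow-list review should flag before the entry is committed.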
A better way to approach this is not to show us any configuration but put in words what functionality you would like to have without discussing solution.
ex.
I want to only allow SSH and Winbox connections outbound (LAN to WAN) for the admin only.
Second, express your concerns.
I am afraid of…
Or I want to ensure that X doesn’t happen…
I know that but that’s not what I’m asking. I was asking about Winbox. Why doesn’t Winbox work if it is also included in that notrack rule, the same as for SSH? SSH is not my concern here. It works like I wanted. If I set a rule for a network which isn’t whitelisted in /ip firewall raw, SSH lets me through but Winbox doesn’t. The question is: why?
That is a problem because you think you explained what you wish to accomplish, and all you did was ask why some configuration isn’t working and describe the unexpected results you are getting.
None of which has anything to do with your requirements. As I requested state your requirements on a use case basis without referring to the configuration or solution at all.
Posting your config will show us how you attempted to address the requirements.
/export hide-sensitive file=yourconfigmar01