firewall problem

Hi, I have a router on which I want to use only ports 8291, 3000 to 3010 and 8000 to 8010. I made input rules to accept these ports and one "drop input all" rule at the end. Everything is OK, but when I try to reach, let's say, port 3050, the firewall does not drop it?!? Also, it seems that the counters on the allow rules don't count anything. Version is 6.47. It's a simple configuration with 1 network and 1 WAN with nothing else in the firewall, just some NATed devices behind it. Can you help me, guys?

First things first: chain names (input, output, forward) don’t describe direction of packet movement (e.g. from internet to LAN or from LAN to internet), but rather packet movement relative to router itself:

  • chain=input is for packets which enter router (any interface!) and are targeting router’s own services
  • chain=output is for packets originating from router itself (and egressing any interface)
  • chain=forward is for packets which (eventually) pass router. And those include NAT-ed packets which (if coming from internet) initially seem to target router itself, but if port is forwarded, these packets pass router hence chain=forward

Next: it’s hard to tell what exactly you configured and thus impossible to tell why the router doesn’t behave in the way you expected. So post a full export of the config: in a terminal window (“New Terminal” in winbox/webfig) execute the command /export hide-sensitive (including the leading slash) and post the result (copy-paste) … inside a [code] [/code] environment …

/ip firewall filter
add action=accept chain=input dst-port=8291 in-interface=ether1 protocol=tcp
add action=accept chain=input in-interface=ether1 protocol=icmp
add action=accept chain=input connection-state=established,related
add action=accept chain=input dst-port=8001-8010 in-interface=ether1 protocol=tcp
add action=drop chain=input in-interface=ether1 log=yes src-address=!192.168.1.0/24
add action=accept chain=input dst-port=3000-3010 in-interface=ether1 protocol=tcp

This is my firewall config. I want to be able to access just these ports (from outside) and drop any other. The problem is that the 3000-3010 and the 8000-8010 rules don't get any counters going, like they are not working; the drop rule is last.

Well, the tiny part of the config just confirms you misused chains. I actually asked for the full config because only then is it possible to assess configuration problems. Without it one can only guess, and the chances are high to guess wrong.

For example: do you have any service running on the router itself which offers connectivity on TCP port range 8001-8010 (inclusive)?

I think you’ll get usable advice only if you describe (in plain words) what you require to work (i.e. I need to access LAN server at IP 192.168.X.Y at TCP port Z from the internet).

No, on the router itself it's only 8191 (winbox). The devices behind it that I want to access are security cameras; the NAT works, I see them no problem, but the firewall accept rules don't seem to work.

Which device are you using? If it’s one of the low- and mid-end ones, then the default firewall config is fine; as the last rule it includes this one:

/ip firewall filter
add chain=forward action=drop connection-state=new connection-nat-state=!dstnat in-interface-list=WAN comment="defconf: drop all from WAN not DSTNATed"

To make DST-NAT work fine it’s then enough to configure rules in /ip firewall nat and you don’t have to fuss with firewall rules as long as you stick to certain rules (such as keeping the membership of /interface list member current). Surely you can do things differently if you choose so, but then it’s advisable to know what you’re doing.
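As an added example (not from this thread and not MikroTik's code), here is a small Python model of the packet flow the replies above describe: dst-nat in prerouting, the routing decision that sends packets addressed to the router itself into chain=input and everything else into chain=forward, and first-match rule evaluation with per-rule counters. Addresses, interface names and rule sets are constructed, and only new TCP connections are modelled (no connection tracking). Run with rules modelled on the OP's excerpt it shows why the 3000-3010 and 8000-8010 accept rules in chain=input never count: the dst-NATed packets leave the router through chain=forward, where neither the input accepts nor the input drop can touch them. The second rule set adds the defconf forward rule quoted above, which drops a new connection from WAN that was not dst-NATed. In this model a packet to an unused port such as 3050 lands in chain=input and is dropped, so whatever lets it through on the OP's router is not visible in the posted excerpt.

```python
"""Toy model of RouterOS packet flow for the chain question in this thread.

Added example, not from the forum post or from MikroTik. It models only the
pieces that matter here: dst-nat in prerouting, the routing decision that picks
chain=input (packet addressed to the router) or chain=forward (packet passing
through), and first-match filter evaluation with per-rule counters.
All addresses, ports and rules below are constructed for the demo.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

ROUTER_WAN_IP = "203.0.113.10"   # constructed public address on ether1 (WAN)
CAMERA_IP = "192.168.1.50"       # constructed LAN camera behind dst-nat
WAN_IFACE = "ether1"


@dataclass
class Packet:
    src: str
    dst: str
    dport: int
    proto: str = "tcp"
    in_iface: str = WAN_IFACE
    nat_state: str = ""          # "dstnat" once a dst-nat rule rewrote dst


@dataclass
class Rule:
    chain: str
    action: str
    comment: str = ""
    proto: Optional[str] = None
    dports: Optional[range] = None
    in_iface: Optional[str] = None
    dst_addr: Optional[str] = None
    nat_state_not: Optional[str] = None  # connection-nat-state=!dstnat
    to_addr: Optional[str] = None        # dst-nat target
    hits: int = 0                        # the counter the OP was watching

    def matches(self, pkt: Packet) -> bool:
        return ((self.proto is None or pkt.proto == self.proto)
                and (self.dports is None or pkt.dport in self.dports)
                and (self.in_iface is None or pkt.in_iface == self.in_iface)
                and (self.dst_addr is None or pkt.dst == self.dst_addr)
                and (self.nat_state_not is None or pkt.nat_state != self.nat_state_not))


def dst_nat(pkt: Packet, nat_rules: List[Rule]) -> Packet:
    """Prerouting: the first matching dst-nat rule rewrites the destination."""
    for rule in nat_rules:
        if rule.matches(pkt):
            rule.hits += 1
            pkt.dst, pkt.nat_state = rule.to_addr, "dstnat"
            break
    return pkt


def pick_chain(pkt: Packet) -> str:
    """Routing decision: to the router's own address -> input, else forward."""
    return "input" if pkt.dst == ROUTER_WAN_IP else "forward"


def run_filter(pkt: Packet, filter_rules: List[Rule]) -> str:
    """First match wins; a packet matching no rule is accepted (RouterOS default)."""
    chain = pick_chain(pkt)
    for rule in filter_rules:
        if rule.chain == chain and rule.matches(pkt):
            rule.hits += 1
            return rule.action
    return "accept"


def build_nat() -> List[Rule]:
    """Constructed dst-nat rules for the cameras (the OP's 'the NAT works')."""
    return [Rule("dstnat", "dst-nat", "cams 3000-3010", proto="tcp", dports=range(3000, 3011),
                 in_iface=WAN_IFACE, dst_addr=ROUTER_WAN_IP, to_addr=CAMERA_IP),
            Rule("dstnat", "dst-nat", "cams 8000-8010", proto="tcp", dports=range(8000, 8011),
                 in_iface=WAN_IFACE, dst_addr=ROUTER_WAN_IP, to_addr=CAMERA_IP)]


def op_filter() -> List[Rule]:
    """Modelled on the OP's excerpt: accepts and a final drop, all in chain=input."""
    return [Rule("input", "accept", "winbox", proto="tcp", dports=range(8291, 8292), in_iface=WAN_IFACE),
            Rule("input", "accept", "cams 3000-3010", proto="tcp", dports=range(3000, 3011), in_iface=WAN_IFACE),
            Rule("input", "accept", "cams 8000-8010", proto="tcp", dports=range(8000, 8011), in_iface=WAN_IFACE),
            Rule("input", "drop", "drop input all", in_iface=WAN_IFACE)]


def defconf_filter() -> List[Rule]:
    """Input protected as before, plus the defconf forward rule quoted in the thread."""
    return [Rule("input", "accept", "winbox", proto="tcp", dports=range(8291, 8292), in_iface=WAN_IFACE),
            Rule("input", "drop", "drop input from WAN", in_iface=WAN_IFACE),
            Rule("forward", "drop", "defconf: drop all from WAN not DSTNATed",
                 in_iface=WAN_IFACE, nat_state_not="dstnat")]


# Constructed new connections arriving on ether1 from a constructed internet host.
CASES = [("cam 3005 via dst-nat", ROUTER_WAN_IP, 3005),
         ("unused port 3050", ROUTER_WAN_IP, 3050),
         ("winbox 8291", ROUTER_WAN_IP, 8291),
         ("direct to camera (not NATed)", CAMERA_IP, 80)]


def demo(filter_rules: List[Rule]) -> Tuple[Dict[str, Tuple[str, str]], Dict[str, int]]:
    """Push every case through nat -> chain choice -> filter; return verdicts and counters."""
    nat = build_nat()
    results = {}
    for label, dst, dport in CASES:
        pkt = dst_nat(Packet(src="198.51.100.7", dst=dst, dport=dport), nat)
        results[label] = (pick_chain(pkt), run_filter(pkt, filter_rules))
    return results, {r.comment: r.hits for r in filter_rules}


if __name__ == "__main__":
    for name, rules in (("OP's input-only rules", op_filter()), ("with defconf forward rule", defconf_filter())):
        verdicts, counters = demo(rules)
        print(name, verdicts, counters, sep="\n  ")
```

The point to take from the output is the counter column: with the input-only rule set the two camera accept rules stay at zero while the camera traffic is still accepted, because it never enters chain=input at all; and a host that can route to the LAN prefix directly gets through the forward chain untouched until the defconf forward rule is present.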

It's a low-end device, hAP lite. Everything is working fine; I just want to secure the network a bit. The router is only used for this purpose: accessing the devices from WAN. There is no problem, I just want to drop everything I don't use.