Firewall problems

Hi!
I have 2 issues with my Mikrotik firewall config, I'll be grateful for any help.

  1. I read about not using a 'clear' masquerade rule, but when I put masquerade on bridge-lan with source LAN address then I have no access to the LAN from OpenVPN, only to my Mikrotik. Any idea how to fix this?
  2. And second, maybe related to the masquerade rule. I noticed I can't use forward rules in my LAN. For example, a simple rule to block any communication from the Windows server to the NAS (source address winserv, destination address nas) aaaand nothing, zero packets. It works well for blocking (for example) pinging from the Mikrotik to the NAS, but of course then it's not a forward rule.

The best practice is to use masquerade with out-interface (or out-interface-list) matcher, and only for your WAN interface(s).

Okay, so a little mistake in my previous post. Masquerade is used on the WAN interface. With this everything is okay, users can use the Internet, except the VPN connection - when masquerade is used with out-interface WAN then I can't connect to the local network from my OpenVPN connection. When out-interface is blank, then I can access everything.

And about the second question, I just checked it on my second Mikrotik router. For testing I created a rule to block access to the printer address from my local computer. And here too, zero packets.

Here I have a normal masquerade rule, src address local network, out interface WAN. (Because there is no VPN here.)

What am I doing wrong here?
(attached screenshot: drop.png)

Do you use different subnets for LAN and OVPN clients?

No, all in one subnet.

That won't work: your computer and your printer are in the same L2 network, and they talk directly to each other on L2, never hitting your firewall, which works on L3.
If they are connected directly to your Mikrotik (not via some Ethernet switch) you can filter traffic between them in Bridge → Filter.
But with filtering on the bridge enabled you will lose FastPath and Hardware Offloading, and that can degrade your LAN performance.

Make them different then, unless you really need them to be in one /24 subnet.
In that case you can make it work by setting arp-mode to proxy-arp on your bridge.

Thanks for the answer. But I can't set any IP filtering, everything is greyed out. I can only use MAC filtering…
(attached screenshot: ip bridge filtrer.png)

You can use IP section only if you select MAC Protocol - IP, obviously :slight_smile:

Ahhh, there it is. Sneaky hidden option. Thank you very much!

You are welcome! :slight_smile:

Sooo, there is still one problem. Filtering on the bridge works fine on the second router, but when I added the rule on the first router, nothing changes, zero packets.
I'm trying to check all traffic from one server to the second (in future I want to use a drop rule that activates itself after work hours).

Same bridge config on the first and second router :V What can I check to solve this problem?
(attached screenshot: first_router_zeropackets.png)
(attached screenshot: second_router_packets.png)

Keep in mind that direction makes a difference.
And if your network layout allows you to use interface matchers, you probably don't need any others (protocol, IP addresses, etc.) if you want to drop all the traffic between the devices.

Yup, I checked all directions, all possibilities. On the second router everything works fine (even with IP addresses), on the first it still shows nothing ;/

Both devices are directly connected to the Mikrotik, and you can actually see that there is traffic between them?

And another idea. That is the device with your OVPN server and the one on which you enabled proxy-arp on the bridge, right?
Try to revert arp mode to enabled and see if it makes the difference.

Both devices are connected to the Mikrotik. I can access the second device from the first, and the first from the second.
ARP is at the default on both routers' bridges.

Ok. Do

```
/export hide-sensitive
```

on the device that doesn't work and paste the result here inside "code" marks.

```
# nov/05/2019 15:14:05 by RouterOS 6.45.5
# software id = EDC6-E3Z3
# model = RouterBOARD 3011UiAS
# serial number = 8EED093302EB
/interface bridge
add admin-mac=B8:69:F4:E8:01:17 auto-mac=no name=bridge
/interface ethernet
set [ find default-name=ether1 ] name=ether1_WAN speed=100Mbps
set [ find default-name=ether2 ] disabled=yes speed=100Mbps
set [ find default-name=ether3 ] disabled=yes speed=100Mbps
set [ find default-name=ether4 ] disabled=yes speed=100Mbps
set [ find default-name=ether5 ] disabled=yes speed=100Mbps
set [ find default-name=ether6 ] disabled=yes speed=100Mbps
set [ find default-name=ether7 ] speed=100Mbps
set [ find default-name=ether8 ] name=ether8_NowySerw speed=100Mbps
set [ find default-name=ether9 ] name=ether9_NAS speed=100Mbps
set [ find default-name=ether10 ] speed=100Mbps
set [ find default-name=sfp1 ] advertise=10M-half,10M-full,100M-half,100M-full,1000M-half,1000M-full disabled=yes
/interface ethernet switch port
set 5 default-vlan-id=0 vlan-mode=fallback
set 6 default-vlan-id=0 vlan-mode=fallback
set 7 default-vlan-id=0 vlan-mode=fallback
set 8 default-vlan-id=0 vlan-mode=fallback
set 9 default-vlan-id=0 vlan-mode=fallback
set 11 default-vlan-id=0 vlan-mode=fallback
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip pool
add name=pula-vpn ranges=192.168.0.80-192.168.0.98
add name=dhcp_pool2 ranges=192.168.0.150-192.168.0.200
/ip dhcp-server
add address-pool=dhcp_pool2 disabled=no interface=bridge lease-time=4h name=dhcp1
/ppp profile
add dns-server=192.168.0.1,8.8.8.8 local-address=192.168.0.1 name=OPENVPN remote-address=pula-vpn use-encryption=yes
/user group
add name=ACCESS policy="read,write,web,!local,!telnet,!ssh,!ftp,!reboot,!policy,!test,!winbox,!password,!sniff,!sensitive,!api,!romon,!dude,!tikapp" skin=ACCESS
/interface bridge filter
add action=passthrough chain=forward disabled=yes in-interface=ether9_NAS mac-protocol=ip out-interface=ether8_NowySerw
/interface bridge port
add bridge=bridge interface=ether2
add bridge=bridge interface=ether3
add bridge=bridge interface=ether4
add bridge=bridge interface=ether5
add bridge=bridge interface=ether6
add bridge=bridge interface=ether7
add bridge=bridge interface=ether8_NowySerw
add bridge=bridge interface=ether9_NAS
add bridge=bridge interface=ether10
add bridge=bridge interface=sfp1
/ip neighbor discovery-settings
set discover-interface-list=none
/interface list member
add interface=bridge list=LAN
add interface=ether1_WAN list=WAN
/interface ovpn-server server
set certificate=server-certificate default-profile=OPENVPN enabled=yes port=1234
/ip address
add address=192.168.0.1/24 interface=ether2 network=192.168.0.0
add address=192.168.1.2/24 interface=ether1_WAN network=192.168.1.0
/ip dhcp-client
add dhcp-options=hostname,clientid interface=ether1_WAN
/ip dhcp-server lease
add address=192.168.0.252 client-id=1:74:da:38:82:6b:c6 comment=AP mac-address=74:DA:38:82:6B:C6 server=dhcp1
/ip dhcp-server network
add address=192.168.0.0/24 dns-server=192.168.0.1,8.8.8.8 gateway=192.168.0.1
/ip dns
set allow-remote-requests=yes servers=8.8.8.8
/ip dns static
add address=192.168.0.205 name=hidden_address.com.pl
/ip firewall address-list
add address=0.0.0.0/8 comment=Private list=NiePubliczne
add address=10.0.0.0/8 comment=Private list=NiePubliczne
add address=100.64.0.0/10 comment=Private list=NiePubliczne
add address=127.0.0.0/8 comment=Private list=NiePubliczne
add address=169.254.0.0/16 comment=Private list=NiePubliczne
add address=172.16.0.0/12 comment=Private list=NiePubliczne
add address=192.0.0.0/24 comment=Private list=NiePubliczne
add address=192.0.2.0/24 comment=Private list=NiePubliczne
add address=192.168.0.0/16 comment=Private list=NiePubliczne
add address=192.88.99.0/24 comment=Private list=NiePubliczne
add address=198.18.0.0/15 comment=Private list=NiePubliczne
add address=198.51.100.0/24 comment=Private list=NiePubliczne
add address=203.0.113.0/24 comment=Private list=NiePubliczne
add address=224.0.0.0/4 comment=Private list=NiePubliczne
add address=240.0.0.0/4 comment=Private list=NiePubliczne
add address=192.168.0.0/24 comment=Private list=NiePubliczne
add address=192.168.1.0/24 comment=Private list=NiePubliczne
/ip firewall filter
add action=drop chain=input comment="Drop new requests to DNS udp" connection-state=new dst-port=53 in-interface=ether1_WAN protocol=udp
add action=drop chain=input comment="Drop new requests to DNS tcp" connection-state=new dst-port=53 in-interface=ether1_WAN protocol=tcp
add action=drop chain=forward src-address-list=BlackList
add action=drop chain=forward dst-address-list=BlackList
add action=drop chain=input in-interface=ether1_WAN protocol=icmp
add action=add-src-to-address-list address-list="port scanners" address-list-timeout=2m chain=input comment="Port scanners to list " protocol=tcp psd=21,3s,3,1
add action=add-src-to-address-list address-list="port scanners" address-list-timeout=5m chain=input comment="NMAP FIN Stealth scan" protocol=tcp tcp-flags=fin,!syn,!rst,!psh,!ack,!urg
add action=add-src-to-address-list address-list="port scanners" address-list-timeout=2m chain=input comment="SYN/FIN scan" protocol=tcp tcp-flags=fin,syn
add action=add-src-to-address-list address-list="port scanners" address-list-timeout=2m chain=input comment="SYN/RST scan" protocol=tcp tcp-flags=syn,rst
add action=add-src-to-address-list address-list="port scanners" address-list-timeout=2m chain=input comment="FIN/PSH/URG scan" protocol=tcp tcp-flags=fin,psh,urg,!syn,!rst,!ack
add action=add-src-to-address-list address-list="port scanners" address-list-timeout=2m chain=input comment="ALL/ALL scan" protocol=tcp tcp-flags=fin,syn,rst,psh,ack,urg
add action=add-src-to-address-list address-list="port scanners" address-list-timeout=2m chain=input comment="NMAP NULL scan" protocol=tcp tcp-flags=!fin,!syn,!rst,!psh,!ack,!urg
add action=accept chain=input comment=Trusted in-interface=ether1_WAN src-address-list=Trusted
add action=drop chain=input comment="dropping port scanners" src-address-list="port scanners"
add action=accept chain=input comment="Allow OpenVPN" dst-port=1234 protocol=tcp
add action=drop chain=input comment="Drop port 999 - www routerboard from WAN" in-interface=ether1_WAN port=999 protocol=tcp
add action=fasttrack-connection chain=forward connection-state=established,related
add action=accept chain=input comment="Accept established and related packets" connection-state=established,related
add action=accept chain=input comment="Accept all connections from local network" in-interface=bridge
add action=drop chain=input comment="Drop invalid packets" connection-state=invalid
add action=drop chain=input comment="Drop all packets which are not destined to routes IP address" dst-address-type=!local
add action=drop chain=input comment="Drop all packets which does not have unicast source IP address" src-address-type=!unicast
add action=drop chain=input comment="Drop all packets from public internet which should not exist in public network" in-interface=ether1_WAN src-address-list=NiePubliczne
add action=accept chain=forward comment="Accept established and related packets" connection-state=established,related
add action=drop chain=forward comment="Drop invalid packets" connection-state=invalid
add action=drop chain=forward comment="Drop new connections from internet which are not dst-natted" connection-nat-state=!dstnat connection-state=new in-interface=ether1_WAN
add action=drop chain=forward comment="Drop all packets from public internet which should not exist in public network" in-interface=ether1_WAN src-address-list=NiePubliczne
add action=drop chain=forward comment="Drop all packets in local network which does not have local network address" in-interface=bridge src-address=!192.168.0.0/24
/ip firewall nat
add action=masquerade chain=srcnat src-address=192.168.0.0/24
add action=dst-nat chain=dstnat dst-port=3389 in-interface-list=WAN protocol=tcp to-addresses=192.168.0.250 to-ports=3389
add action=dst-nat chain=dstnat disabled=yes dst-port=5150 in-interface-list=WAN protocol=tcp to-addresses=192.168.0.251 to-ports=5150
add action=dst-nat chain=dstnat disabled=yes dst-port=5150 in-interface-list=WAN protocol=udp to-addresses=192.168.0.251 to-ports=5150
add action=dst-nat chain=dstnat dst-port=1433 in-interface-list=WAN protocol=tcp src-address-list=DostepKlucz to-addresses=192.168.0.251 to-ports=1433
add action=dst-nat chain=dstnat dst-port=1433 in-interface-list=WAN protocol=udp src-address-list=DostepKlucz to-addresses=192.168.0.251 to-ports=1433
add action=dst-nat chain=dstnat dst-port=1434 in-interface-list=WAN protocol=tcp src-address-list=DostepKlucz to-addresses=192.168.0.251 to-ports=1434
add action=dst-nat chain=dstnat dst-port=1434 in-interface-list=WAN protocol=udp src-address-list=DostepKlucz to-addresses=192.168.0.251 to-ports=1434
add action=dst-nat chain=dstnat disabled=yes dst-port=9595 in-interface-list=WAN protocol=tcp to-addresses=192.168.0.250 to-ports=9595
add action=dst-nat chain=dstnat disabled=yes dst-port=3389 in-interface-list=WAN protocol=tcp to-addresses=192.168.0.251 to-ports=3389
add action=dst-nat chain=dstnat disabled=yes dst-port=443 in-interface-list=WAN protocol=tcp to-addresses=192.168.0.250 to-ports=443
add action=dst-nat chain=dstnat disabled=yes dst-port=1344 in-interface-list=WAN protocol=tcp to-addresses=192.168.0.250 to-ports=1344
add action=dst-nat chain=dstnat disabled=yes dst-port=5030 in-interface-list=WAN protocol=tcp to-addresses=192.168.0.250 to-ports=5030
add action=dst-nat chain=dstnat disabled=yes dst-port=5030 in-interface-list=WAN protocol=udp to-addresses=192.168.0.250 to-ports=5030
add action=dst-nat chain=dstnat disabled=yes dst-port=80 in-interface-list=WAN protocol=tcp to-addresses=192.168.0.250 to-ports=80
add action=dst-nat chain=dstnat disabled=yes dst-port=80 in-interface-list=WAN protocol=udp to-addresses=192.168.0.250 to-ports=80
add action=dst-nat chain=dstnat disabled=yes dst-port=1234 in-interface-list=WAN protocol=tcp to-addresses=192.168.0.250 to-ports=1234
add action=dst-nat chain=dstnat disabled=yes dst-port=1234 in-interface-list=WAN protocol=udp to-addresses=192.168.0.250 to-ports=1234
add action=dst-nat chain=dstnat disabled=yes dst-port=1723 in-interface-list=WAN protocol=tcp to-addresses=192.168.0.250 to-ports=1723
add action=dst-nat chain=dstnat disabled=yes dst-port=1723 in-interface-list=WAN protocol=udp to-addresses=192.168.0.250 to-ports=1723
add action=dst-nat chain=dstnat dst-port=5030 in-interface-list=WAN protocol=tcp src-address-list=DostepKlucz to-addresses=192.168.0.206 to-ports=5030
/ip firewall service-port
set ftp disabled=yes
set tftp disabled=yes
set irc disabled=yes
set h323 disabled=yes
set sip disabled=yes
/ip route
add distance=1 gateway=192.168.1.1
add distance=1 dst-address=192.168.2.0/24 gateway=192.168.0.99
/ip service
set telnet disabled=yes
set ftp disabled=yes
set www port=999
set ssh disabled=yes
set api disabled=yes
set api-ssl disabled=yes
/ip ssh
set allow-none-crypto=yes forwarding-enabled=remote
/lcd
set backlight-timeout=5m time-interval=hour
/lcd pin
set hide-pin-number=yes pin-number=
/ppp secret
add name=warszawa profile=OPENVPN remote-address=192.168.0.99
/system clock
set time-zone-name=Europe/Warsaw
/system identity
set name=Mikrotik
/tool bandwidth-server
set enabled=no
/tool mac-server
set allowed-interface-list=none
/tool mac-server mac-winbox
set allowed-interface-list=LAN
/tool mac-server ping
set enabled=no
```

Can't see anything wrong, apart from an address assigned to ether2 instead of the bridge, and a not ideal masquerade rule.
Have no idea why the rule in question is not being hit.
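Pulling the advice in this thread together as RouterOS commands, as an added example that is not part of any post above. Interface, list and address names come from the posted export; the work-hours window (07:00 to 18:00) is an assumption. Worth noticing in the export itself: its only bridge-filter rule carries disabled=yes, and a disabled rule never counts packets.

```routeros
# Added example, not from the thread. Names (bridge, ether1_WAN, ether8_NowySerw,
# ether9_NAS, 192.168.0.0/24, list WAN) are taken from the posted export.

# 1. The LAN address belongs on the bridge, not on ether2 (a disabled bridge port).
/ip address
remove [ find address="192.168.0.1/24" interface=ether2 ]
add address=192.168.0.1/24 interface=bridge network=192.168.0.0

# 2. Masquerade only what leaves through WAN. Matching on src-address alone also
#    rewrites OVPN->LAN traffic to 192.168.0.1, so LAN hosts never see the real
#    client address (that is why the VPN "worked" without out-interface).
/ip firewall nat
remove [ find chain=srcnat action=masquerade ]
add action=masquerade chain=srcnat out-interface-list=WAN comment="NAT only towards WAN"

# 3. OVPN clients (192.168.0.80-98) share the LAN /24 but sit behind the router,
#    so the bridge has to answer ARP for them or LAN hosts cannot reply.
/interface bridge
set [ find name=bridge ] arp=proxy-arp

# 4. Two hosts on the same bridge are switched at L2 and never reach
#    /ip firewall filter. Filter on the bridge instead, in both directions;
#    mac-protocol=ip is what unlocks the IP matchers. Bridge filtering costs
#    FastPath / hardware offloading on this bridge.
/interface bridge filter
add chain=forward mac-protocol=ip in-interface=ether8_NowySerw out-interface=ether9_NAS action=drop disabled=yes comment="after hours: NowySerw->NAS"
add chain=forward mac-protocol=ip in-interface=ether9_NAS out-interface=ether8_NowySerw action=drop disabled=yes comment="after hours: NAS->NowySerw"

# 5. Self-activating drop outside work hours (assumed 18:00-07:00): the scheduler
#    enables and disables both rules by matching on their comment.
/system scheduler
add name=lan-block-on start-time=18:00:00 interval=1d on-event="/interface bridge filter enable [ find comment~\"after hours\" ]"
add name=lan-block-off start-time=07:00:00 interval=1d on-event="/interface bridge filter disable [ find comment~\"after hours\" ]"
```

After applying step 4, watch the packet counters in /interface bridge filter while traffic flows between the two servers; a counter that stays at zero with the rule enabled means the frames are not crossing those two bridge ports in that direction.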