Firewall Rule not Working

Hi all,

Trying to wrap my head around why my rule isn’t working. I’m trying to access 10.0.20.100 from my Trust network. If I remove the IP from the “Allow-Reolink-Access” rule, I can access it.

I also tried to add only the sub-interfaces to the rule by assigning my Trust-Network to In. Interface and IOT-Network to my Out. Interface, but it still is not working.

I set the rule to log and see traffic matching the rule, however no acks are sent back when an IP or interface is assigned.

Any ideas?

/ip firewall connection tracking
set udp-timeout=10s
/ip firewall filter
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=accept chain=input comment=Trust-Management dst-port=22,80,443,8921 in-interface=Trust-Network protocol=tcp
add action=accept chain=input comment="defconf: accept ICMP" in-interface=all-vlan protocol=icmp
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=input comment="defconf: accept to local loopback (for CAPsMAN)" disabled=yes dst-address=127.0.0.1
add action=drop chain=input comment="defconf: drop all not coming from LAN" in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related hw-offload=yes
add action=accept chain=forward comment=Allow-Outbound-All connection-state=established,related,new,untracked in-interface=all-vlan out-interface-list=WAN
add action=accept chain=forward comment=Allow-Reolink-Access connection-state=established,related,new,untracked dst-address=10.0.20.100 log=yes
add action=accept chain=forward comment=Allow-AmazonSpatialPerception-TCP dst-port=55443,55444 in-interface=IOT-Network out-interface=Home-Network protocol=tcp
add action=accept chain=forward comment=Allow-AmazonSpatialPerception-UDP dst-port=55443,55444 in-interface=IOT-Network out-interface=Home-Network protocol=udp
add action=drop chain=forward comment=Drop-IOT-LAN in-interface=IOT-Network out-interface=!IOT-Network
add action=drop chain=forward comment=Drop-Home-LAN in-interface=Home-Network out-interface=!Home-Network
add action=drop chain=forward comment=Drop-Guest-LAN in-interface=Guest out-interface=!Guest
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
add action=drop chain=forward comment="defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat connection-state=new in-interface-list=WAN
add action=accept chain=forward comment="defconf: accept established,related, untracked" connection-state=established,related,new,untracked
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" ipsec-policy=out,none out-interface-list=WAN
/ip firewall service-port
set ftp disabled=yes

Log screenshot: Logs.png

Why did you move the rule with the comment “defconf: accept established,related, untracked” to the bottom of the chain, below the drop rules? Please restore it to its original state (remove “new” from connection-state):


add action=accept chain=forward comment="defconf: accept established,related, untracked" connection-state=established,related,untracked

and move it back to where it belongs, namely right after the fasttrack rule.

Please read https://help.mikrotik.com/docs/display/ROS/Basic+Concepts#BasicConcepts-FastTrack
(screenshot: fasttrack-rule.png)
In your current version reply-packets (your “acks”) for the packets that previously went through the accept rules might be dropped if they cannot be fasttracked immediately.

Apologies, I’m very new to Mikrotik.

My intention was to allow internal traffic out of my WAN interface only to ensure my internal networks cannot communicate with each other. If I want a device in one segment to communicate with another I would create a rule below the ‘Allow-Outbound-All’ rule. Additionally, my Amazon Alexa devices will not work unless the “new” is checked.

Wouldn’t the FastTrack rule along with the default rule allow access between my internal networks? Is there a best practice on how to segment networks using Mikrotik?

In my previous post I’ve quoted and underlined the reason why the Fasttrack rule alone is not enough: you must pair it with a rule with the same condition, but with action=accept. That was the case in the default configuration (defconf) firewall, but you have modified that rule and moved it to the bottom, below the drop rules. Which means that now, when you try to insert an “accept” rule to allow an exception between certain hosts/networks, that rule will work for packets in one direction (the direction in the rule), but reply-packets might not be accepted if fasttrack fails to catch them (see the green underlined lines).

To achieve what you want, you should go back to the default rules of defconf. If you run the command


/system default-configuration print

and scroll down a bit, you can find the interface list configuration and original rules for IPv4, which are:


/interface list member 
add list=LAN interface=bridge comment="defconf"
add list=WAN interface=ether1 comment="defconf"

/ip firewall nat 
add chain=srcnat out-interface-list=WAN ipsec-policy=out,none action=masquerade comment="defconf: masquerade"

/ip firewall filter
add chain=input action=accept connection-state=established,related,untracked comment="defconf: accept established,related,untracked"
add chain=input action=drop connection-state=invalid comment="defconf: drop invalid"
add chain=input action=accept protocol=icmp comment="defconf: accept ICMP"
add chain=input action=accept dst-address=127.0.0.1 comment="defconf: accept to local loopback (for CAPsMAN)"
add chain=input action=drop in-interface-list=!LAN comment="defconf: drop all not coming from LAN"

add chain=forward action=accept ipsec-policy=in,ipsec comment="defconf: accept in ipsec policy"
add chain=forward action=accept ipsec-policy=out,ipsec comment="defconf: accept out ipsec policy"
add chain=forward action=fasttrack-connection connection-state=established,related comment="defconf: fasttrack"
add chain=forward action=accept connection-state=established,related,untracked comment="defconf: accept established,related, untracked"
add chain=forward action=drop connection-state=invalid comment="defconf: drop invalid"
add chain=forward action=drop connection-state=new connection-nat-state=!dstnat in-interface-list=WAN comment="defconf: drop all from WAN not DSTNATed"

Starting from this (not your current config!), now you should add all of your VLAN and bridge interfaces to the interface list “LAN”. You’ve probably already done that. At this point, all of your LAN networks can go to the internet and talk to each other. New connections from the outside (WAN) are blocked. This is the default firewall behavior of “defconf”. If you want to block inter-vlan communication, you can now do this:

  • Create a new interface list, ISOLATED_VLAN for instance, and add the interfaces that you don’t want to give access to all other interfaces of your LAN to it:


/interface list
add comment="all isolated vlans" name=ISOLATED_VLAN

/interface list member
add interface=IOT-Network list=ISOLATED_VLAN
add interface=Home-Network list=ISOLATED_VLAN
add interface=Guest list=ISOLATED_VLAN
  • Now you can add the following filter rule to the current defconf rules list above, at the bottom, after the rule “defconf: drop all from WAN not DSTNATed”


/ip firewall filter
add action=drop chain=forward comment="block isolated vlan to lan" in-interface-list=ISOLATED_VLAN out-interface-list=LAN

With this rule, all clients in the 3 networks that have been added to the ISOLATED_VLAN interface list are blocked from communicating with the other LAN networks (members of LAN).

  • Let’s say you have a management interface and want all devices in this management network to have access to all other LAN networks, then you just need to add this interface to the list LAN but not to the list ISOLATED_VLAN.

  • Or if you want a specific device to still have access to all networks, add an exception rule for it, like


/ip firewall filter
add action=accept chain=forward src-address=x.x.x.x out-interface-list=LAN

and move this rule above the drop ISOLATED_VLAN rule. Replace src-address with src-address-list if you have multiple hosts. Similarly, your “Allow-Reolink-Access” rule should also be added above this drop rule. At the end, the rules in your IPv4 forward filter chain will look somewhat like this, in this order:


/ip firewall filter
add chain=forward action=accept ipsec-policy=in,ipsec comment="defconf: accept in ipsec policy"
add chain=forward action=accept ipsec-policy=out,ipsec comment="defconf: accept out ipsec policy"
add chain=forward action=fasttrack-connection connection-state=established,related comment="defconf: fasttrack"
add chain=forward action=accept connection-state=established,related,untracked comment="defconf: accept established,related, untracked"
add chain=forward action=drop connection-state=invalid comment="defconf: drop invalid"
add chain=forward action=drop connection-state=new connection-nat-state=!dstnat in-interface-list=WAN comment="defconf: drop all from WAN not DSTNATed"
add action=accept chain=forward comment="host with special access" src-address=x.x.x.x out-interface-list=LAN
add action=accept chain=forward comment=Allow-Reolink-Access dst-address=10.0.20.100
add action=drop chain=forward comment="block isolated vlan to lan" in-interface-list=ISOLATED_VLAN out-interface-list=LAN
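The ordering problem explained in this reply can be checked offline with a small first-match simulation of the forward chain. This is an added example, not code from the thread or from MikroTik; it models only the matchers used above, uses constructed interface lists and packet values, and assumes that action=fasttrack-connection is non-terminating so that the evaluation follows the slow-path reply packet that fasttrack did not take.

```python
# Added example (not from the thread): first-match simulation of a RouterOS
# forward chain, modelling only the matchers the thread uses. Assumption:
# action=fasttrack-connection is non-terminating here, i.e. we follow the
# slow-path packet that fasttrack did not take (the "acks" the thread asks about).
LISTS = {"LAN": {"Trust-Network", "IOT-Network", "Home-Network", "Guest"},  # constructed
         "WAN": {"ether1"}, "ISOLATED_VLAN": {"IOT-Network", "Home-Network", "Guest"}}

def _iface_ok(want, have):   # want: "X", "!X" or None (unconstrained)
    return want is None or (have != want[1:] if want[0] == "!" else have == want)

def _list_ok(want, have):    # want: "LIST", "!LIST" or None
    return want is None or (have in LISTS[want.lstrip("!")]) != (want[0] == "!")

def R(action, comment, **m):  # one firewall rule: action, comment and its matchers
    return dict(action=action, comment=comment, **m)

def matches(r, pkt):
    return ((r.get("cs") is None or pkt["cs"] in r["cs"])
            and _iface_ok(r.get("iif"), pkt["iif"]) and _iface_ok(r.get("oif"), pkt["oif"])
            and _list_ok(r.get("iif_list"), pkt["iif"]) and _list_ok(r.get("oif_list"), pkt["oif"])
            and (r.get("dst") is None or pkt["dst"] == r["dst"]))

def evaluate(chain, pkt):
    """Return (action, comment) of the first matching terminating rule."""
    for r in chain:
        if r["action"] != "fasttrack-connection" and matches(r, pkt):
            return r["action"], r["comment"]
    return "accept", "end of chain"   # RouterOS default policy is accept
EST, ANY = {"established", "related", "untracked"}, {"established", "related", "untracked", "new"}
# Forward chain as posted, with the interfaces the OP tried on the Reolink rule. Rules a
# LAN-to-LAN packet can never hit (Allow-Outbound-All, out-interface-list=WAN) are left out.
ORIGINAL = [
    R("fasttrack-connection", "defconf: fasttrack", cs={"established", "related"}),
    R("accept", "Allow-Reolink-Access", cs=ANY, dst="10.0.20.100", iif="Trust-Network", oif="IOT-Network"),
    R("drop", "Drop-IOT-LAN", iif="IOT-Network", oif="!IOT-Network"),
    R("accept", "defconf: accept established,related, untracked", cs=ANY),
]
# Forward chain in the order this reply recommends (defconf order plus the two extra rules).
FIXED = [
    R("fasttrack-connection", "defconf: fasttrack", cs={"established", "related"}),
    R("accept", "defconf: accept established,related, untracked", cs=EST),
    R("drop", "defconf: drop invalid", cs={"invalid"}),
    R("drop", "defconf: drop all from WAN not DSTNATed", cs={"new"}, iif_list="WAN"),
    R("accept", "Allow-Reolink-Access", dst="10.0.20.100"),
    R("drop", "block isolated vlan to lan", iif_list="ISOLATED_VLAN", oif_list="LAN"),
]
# Constructed packets: the SYN from a Trust host, and the camera's SYN-ACK coming back.
REQUEST = {"cs": "new", "iif": "Trust-Network", "oif": "IOT-Network", "dst": "10.0.20.100"}
REPLY = {"cs": "established", "iif": "IOT-Network", "oif": "Trust-Network", "dst": "10.0.10.50"}
```

Running evaluate(ORIGINAL, REPLY) lands on Drop-IOT-LAN, while evaluate(FIXED, REPLY) is accepted by the restored established/related rule before any drop rule is reached; the isolated-VLAN rule still drops a new IOT-to-Home connection in the fixed chain.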

Thanks for the help, that seems to have worked!