Firewall rule problem

Hello Guys,

I have a strange problem in my MikroTik configuration that is giving me a hard time :stuck_out_tongue:

I have segmented my network into several VLANs, and everything is working fine except one firewall rule. I have created a firewall rule that blocks all VLANs from communicating with each other, and some other rules that allow communication with a few specific IPs. But when I create a rule to allow me, as System Admin, to communicate with all VLANs, it does not work and I cannot reach the other VLANs.
Has this happened to any of you before? Can anyone help me with this issue?

# apr/04/2022 11:11:36 by RouterOS 6.49.5
# software id = 6511-TAFJ
#
# model = CCR1016-12G
# Layer-2 base: one bridge plus the physical ports. arp=proxy-arp on bridge1
# and on ether9-ether11 makes the router answer ARP requests on those segments
# for any destination it has a route to. Traffic still passes through the
# router (and so through the forward chain), but proxy-ARP hides hosts with a
# wrong subnet mask; confirm it is actually needed -- TODO.
/interface bridge
add arp=proxy-arp name=bridge1
/interface ethernet
# WAN ports: ether4 is the primary uplink, ether2 the backup (both are DHCP
# clients further down in this export).
set [ find default-name=ether4 ] comment="Main WAN" name=\
    "Kujtesa WAN - Ether4"
set [ find default-name=ether2 ] comment="Backup WAN" name="Telkos Ether2"
# ether8 carries the Wi-Fi link; VLAN 101 (guest) is a subinterface of it.
set [ find default-name=ether8 ] comment="Wifi Link - Ether 8" name=Wifi
set [ find default-name=ether9 ] arp=proxy-arp
set [ find default-name=ether10 ] arp=proxy-arp
# ether11 is the trunk that carries every 10.1.x VLAN subinterface and is also
# the only member port of bridge1 (see /interface bridge port).
set [ find default-name=ether11 ] arp=proxy-arp comment=LAN
/interface vlan
# Guest Wi-Fi VLAN, tagged toward the access point over ether8 ("Wifi").
add interface=Wifi name=Vlan101-WifiGuest vlan-id=101
# All office VLANs are 802.1Q subinterfaces of the ether11 trunk, not of the
# bridge. The VLAN id doubles as the third octet of the 10.1.x.0/24 subnet
# assigned under /ip address. vlan99 gets an address but no DHCP server;
# vlan1000 is the 10.1.1.0/24 "LAN" that holds the AD and file servers.
add interface=ether11 name=vlan10 vlan-id=10
add interface=ether11 name=vlan20 vlan-id=20
add interface=ether11 name=vlan30 vlan-id=30
add interface=ether11 name=vlan40 vlan-id=40
add interface=ether11 name=vlan50 vlan-id=50
add interface=ether11 name=vlan60 vlan-id=60
add interface=ether11 name=vlan70 vlan-id=70
add interface=ether11 name=vlan80 vlan-id=80
add interface=ether11 name=vlan90 vlan-id=90
add interface=ether11 name=vlan99 vlan-id=99
add interface=ether11 name=vlan100 vlan-id=100
add interface=ether11 name=vlan110 vlan-id=110
add interface=ether11 name=vlan120 vlan-id=120
add interface=ether11 name=vlan130 vlan-id=130
add interface=ether11 name=vlan140 vlan-id=140
add interface=ether11 name=vlan150 vlan-id=150
add interface=ether11 name=vlan160 vlan-id=160
add interface=ether11 name=vlan170 vlan-id=170
add interface=ether11 name=vlan200 vlan-id=200
add interface=ether11 name=vlan1000 vlan-id=1000
/interface wireless security-profiles
# Only the supplicant identity of the default profile is changed. No wireless
# interface appears in this export, so the profile looks unused here -- verify.
set [ find default=yes ] supplicant-identity=MikroTik
/ip pool
# The LAN pool and the OpenVPN client pool both sit inside 10.1.1.0/24, the
# range that the "IT Devices" firewall address list trusts as a whole. If the
# OpenVPN profile really hands out openvpn-pool, VPN clients inherit that
# trust -- confirm this is intended.
add name=dhcp_pool1 ranges=10.1.1.11-10.1.1.190
add name=openvpn-pool ranges=10.1.1.191-10.1.1.199
# Wi-Fi (192.168.100) and guest Wi-Fi (192.168.101) pools.
add name=dhcp_pool3 ranges=192.168.100.2-192.168.100.240
add name=dhcp_pool11 ranges=192.168.101.20-192.168.101.200
# One 21-address pool (x.x.x.100-120) per office VLAN. Pools 26-29 belong to
# VLANs 40/50/60/200, so pool numbers do not follow VLAN order.
add name=dhcp_pool12 ranges=10.1.10.100-10.1.10.120
add name=dhcp_pool13 ranges=10.1.20.100-10.1.20.120
add name=dhcp_pool14 ranges=10.1.30.100-10.1.30.120
add name=dhcp_pool15 ranges=10.1.70.100-10.1.70.120
add name=dhcp_pool16 ranges=10.1.80.100-10.1.80.120
add name=dhcp_pool17 ranges=10.1.90.100-10.1.90.120
add name=dhcp_pool18 ranges=10.1.100.100-10.1.100.120
add name=dhcp_pool19 ranges=10.1.110.100-10.1.110.120
add name=dhcp_pool20 ranges=10.1.120.100-10.1.120.120
add name=dhcp_pool21 ranges=10.1.130.100-10.1.130.120
add name=dhcp_pool22 ranges=10.1.140.100-10.1.140.120
add name=dhcp_pool23 ranges=10.1.150.100-10.1.150.120
add name=dhcp_pool24 ranges=10.1.160.100-10.1.160.120
add name=dhcp_pool25 ranges=10.1.170.100-10.1.170.120
add name=dhcp_pool26 ranges=10.1.40.100-10.1.40.120
add name=dhcp_pool27 ranges=10.1.50.100-10.1.50.120
add name=dhcp_pool28 ranges=10.1.60.100-10.1.60.120
add name=dhcp_pool29 ranges=10.1.200.100-10.1.200.120
/ip dhcp-server
# LAN server on vlan1000. conflict-detection=no skips the address probe before
# an offer, so a duplicate address on 10.1.1.0/24 will not be noticed by the
# server.
add address-pool=dhcp_pool1 allow-dual-stack-queue=no conflict-detection=no \
    disabled=no interface=vlan1000 lease-time=1d10m name="LAN dhcp" \
    src-address=10.1.1.1
# Bound to no interface, and src-address=10.1.2.1 is not inside the
# openvpn-pool range (10.1.1.191-199). Looks orphaned -- verify.
add address-pool=openvpn-pool name=VPN-dhcp src-address=10.1.2.1
# Wi-Fi and guest Wi-Fi servers; guest leases are kept short (2h10m).
add address-pool=dhcp_pool3 disabled=no interface=Wifi lease-time=1d10m name=\
    "Wifi dhcp" src-address=192.168.100.1
add address-pool=dhcp_pool11 disabled=no interface=Vlan101-WifiGuest \
    lease-time=2h10m name="WifiGuest dhcp"
# One server per office VLAN with ~24h leases.
add address-pool=dhcp_pool12 disabled=no interface=vlan10 lease-time=23h59m \
    name=vlan10-dhcp
add address-pool=dhcp_pool13 disabled=no interface=vlan20 lease-time=23h59m \
    name=vlan20-dhcp
add address-pool=dhcp_pool14 disabled=no interface=vlan30 lease-time=23h59m \
    name=vlan30-dhcp
add address-pool=dhcp_pool15 disabled=no interface=vlan70 lease-time=23h59m \
    name=vlan70-dhcp
add address-pool=dhcp_pool16 disabled=no interface=vlan80 lease-time=23h59m \
    name=vlan80-dhcp
add address-pool=dhcp_pool17 disabled=no interface=vlan90 lease-time=23h59m \
    name=vlan90-dhcp
add address-pool=dhcp_pool18 disabled=no interface=vlan100 lease-time=23h59m \
    name=vlan100-dhcp
add address-pool=dhcp_pool19 disabled=no interface=vlan110 lease-time=23h59m \
    name=vlan110-dhcp
add address-pool=dhcp_pool20 disabled=no interface=vlan120 lease-time=23h59m \
    name=vlan120-dhcp
add address-pool=dhcp_pool21 disabled=no interface=vlan130 lease-time=23h59m \
    name=vlan130-dhcp
add address-pool=dhcp_pool22 disabled=no interface=vlan140 lease-time=23h59m \
    name=vlan140-dhcp
add address-pool=dhcp_pool23 disabled=no interface=vlan150 lease-time=23h59m \
    name=vlan150-dhcp
add address-pool=dhcp_pool24 disabled=no interface=vlan160 lease-time=23h59m \
    name=vlan160-dhcp
add address-pool=dhcp_pool25 disabled=no interface=vlan170 lease-time=23h59m \
    name=vlan170-dhcp
add address-pool=dhcp_pool26 disabled=no interface=vlan40 lease-time=23h59m \
    name=vlan40-dhcp
add address-pool=dhcp_pool27 disabled=no interface=vlan50 lease-time=23h59m \
    name=vlan50-dhcp
add address-pool=dhcp_pool28 disabled=no interface=vlan60 lease-time=23h59m \
    name=vlan60-dhcp
add address-pool=dhcp_pool29 disabled=no interface=vlan200 lease-time=23h59m \
    name=vlan200-dhcp

/system logging action
# Remote syslog target. Only the action is defined here; the /system logging
# rules that route topics to it are not part of this export, so check that
# firewall and system events really reach 10.1.1.250.
add name=RemoteLog remote=10.1.1.250 target=remote
/interface bridge port
# ether11 is both the parent of every vlanNN subinterface and the sole bridge
# port; the VLAN subinterfaces bypass the bridge entirely.
add bridge=bridge1 interface=ether11
/ip neighbor discovery-settings
# "!dynamic" enables neighbor discovery on every static interface, which
# includes both WAN ethers; restrict it to the LAN-facing interfaces so the
# router does not advertise its identity and software version toward the ISPs.
set discover-interface-list=!dynamic
/interface bridge vlan
# Tags VLAN 101 on "Wifi", but Wifi is not a member port of bridge1 (only
# ether11 is) and bridge1 has no vlan-filtering setting in this export, so this
# entry appears to have no effect -- verify.
add bridge=bridge1 tagged=Wifi vlan-ids=101
/interface ovpn-server server
# OpenVPN server. require-client-certificate=yes is the control that keeps
# password-only clients out. auth=sha1 is, if I recall correctly, the strongest
# HMAC the RouterOS 6 OVPN server offers -- confirm on this build.
set auth=sha1 certificate=Server cipher=aes256 default-profile=\
    openvpn-profile enabled=yes require-client-certificate=yes
/ip address
# Router-side gateway address for each segment. Two things to notice: there is
# no 192.168.100.1/24 on Wifi even though the "Wifi dhcp" server and its
# dhcp-server network use 192.168.100.1 as gateway -- verify where that address
# lives; and 10.1.99.0/24 and 10.1.200.0/24 are routed here but are not members
# of the "All VLANs" address list used by the inter-VLAN drop rules.
add address=10.1.1.1/24 comment="LAN bridge" interface=vlan1000 network=\
    10.1.1.0
add address=192.168.101.1/24 comment="Gateway i Wifi per Guest" interface=\
    Vlan101-WifiGuest network=192.168.101.0
add address=10.1.10.1/24 comment="VLAN 10 - Network" interface=vlan10 \
    network=10.1.10.0
add address=10.1.20.1/24 comment="VLAN 20 - Network" interface=vlan20 \
    network=10.1.20.0
add address=10.1.30.1/24 comment="VLAN 30 - Network" interface=vlan30 \
    network=10.1.30.0
add address=10.1.40.1/24 comment="VLAN 40 - Network" interface=vlan40 \
    network=10.1.40.0
add address=10.1.50.1/24 comment="VLAN 50 - Network" interface=vlan50 \
    network=10.1.50.0
add address=10.1.60.1/24 comment="VLAN 60 - Network" interface=vlan60 \
    network=10.1.60.0
add address=10.1.70.1/24 comment="VLAN 70 - Network" interface=vlan70 \
    network=10.1.70.0
add address=10.1.80.1/24 comment="VLAN 80 - Network" interface=vlan80 \
    network=10.1.80.0
add address=10.1.90.1/24 comment="VLAN 90 - Network" interface=vlan90 \
    network=10.1.90.0
add address=10.1.100.1/24 comment="VLAN 100 - Network" interface=vlan100 \
    network=10.1.100.0
add address=10.1.110.1/24 comment="VLAN 110 - Network" interface=vlan110 \
    network=10.1.110.0
add address=10.1.120.1/24 comment="VLAN 120 - Network" interface=vlan120 \
    network=10.1.120.0
add address=10.1.130.1/24 comment="VLAN 130 - Network" interface=vlan130 \
    network=10.1.130.0
add address=10.1.140.1/24 comment="VLAN 140 - Network" interface=vlan140 \
    network=10.1.140.0
add address=10.1.150.1/24 comment="VLAN 150 - Network" interface=vlan150 \
    network=10.1.150.0
add address=10.1.160.1/24 comment="VLAN 160 - Network" interface=vlan160 \
    network=10.1.160.0
add address=10.1.170.1/24 comment="VLAN 170 - Network" interface=vlan170 \
    network=10.1.170.0
add address=10.1.200.1/24 comment="VLAN 200 - Network" interface=vlan200 \
    network=10.1.200.0
# VLAN 99 has an address but no DHCP server and no address-list membership.
add address=10.1.99.1/24 comment="VLAN 99 - Network" interface=vlan99 \
    network=10.1.99.0
/ip dhcp-client
# Backup WAN: no default route is taken from the lease; the backup default is
# the static distance=2 entry under /ip route.
add add-default-route=no disabled=no interface="Telkos Ether2"
# Main WAN with client defaults, which include installing a default route from
# the lease. Together with the static "Main" route via 178.132.223.1 this can
# leave two default routes in the table -- verify with /ip route print.
add interface="Kujtesa WAN - Ether4"
/ip dhcp-server network
# Gateway and DNS handed out per segment. Office VLANs get the AD DNS
# (10.1.1.10) first, then Google; VLAN clients can only reach 10.1.1.10
# because of the explicit accept for it in the forward chain. vlan170 and both
# Wi-Fi networks get public DNS only -- for vlan170 that is inconsistent with
# its siblings, verify whether it is deliberate.
add address=10.1.1.0/24 dns-server=10.1.1.10,8.8.8.8,8.8.4.4 gateway=10.1.1.1
add address=10.1.10.0/24 dns-server=10.1.1.10,8.8.8.8,8.8.4.4 gateway=\
    10.1.10.1
add address=10.1.20.0/24 dns-server=10.1.1.10,8.8.8.8,8.8.4.4 gateway=\
    10.1.20.1
add address=10.1.30.0/24 dns-server=10.1.1.10,8.8.8.8,8.8.4.4 gateway=\
    10.1.30.1
add address=10.1.40.0/24 dns-server=10.1.1.10,8.8.8.8,8.8.4.4 gateway=\
    10.1.40.1
add address=10.1.50.0/24 dns-server=10.1.1.10,8.8.8.8,8.8.4.4 gateway=\
    10.1.50.1
add address=10.1.60.0/24 dns-server=10.1.1.10,8.8.8.8,8.8.4.4 gateway=\
    10.1.60.1
add address=10.1.70.0/24 dns-server=10.1.1.10,8.8.8.8,8.8.4.4 gateway=\
    10.1.70.1
add address=10.1.80.0/24 dns-server=10.1.1.10,8.8.8.8,8.8.4.4 gateway=\
    10.1.80.1
add address=10.1.90.0/24 dns-server=10.1.1.10,8.8.8.8,8.8.4.4 gateway=\
    10.1.90.1
add address=10.1.100.0/24 dns-server=10.1.1.10,8.8.8.8,8.8.4.4 gateway=\
    10.1.100.1
add address=10.1.110.0/24 dns-server=10.1.1.10,8.8.8.8,8.8.4.4 gateway=\
    10.1.110.1
add address=10.1.120.0/24 dns-server=10.1.1.10,8.8.8.8,8.8.4.4 gateway=\
    10.1.120.1
add address=10.1.130.0/24 dns-server=10.1.1.10,8.8.8.8,8.8.4.4 gateway=\
    10.1.130.1
add address=10.1.140.0/24 dns-server=10.1.1.10,8.8.8.8,8.8.4.4 gateway=\
    10.1.140.1
add address=10.1.150.0/24 dns-server=10.1.1.10,8.8.8.8,8.8.4.4 gateway=\
    10.1.150.1
add address=10.1.160.0/24 dns-server=10.1.1.10,8.8.8.8,8.8.4.4 gateway=\
    10.1.160.1
# Public DNS only (no AD) -- the odd one out among the office VLANs.
add address=10.1.170.0/24 dns-server=8.8.8.8,8.8.4.4 gateway=10.1.170.1
add address=10.1.200.0/24 dns-server=10.1.1.10,8.8.8.8,8.8.4.4 gateway=\
    10.1.200.1
add address=192.168.100.0/24 dns-server=8.8.8.8,8.8.4.4 gateway=192.168.100.1
add address=192.168.101.0/24 dns-server=8.8.8.8,8.8.4.4 gateway=192.168.101.1
/ip dns
# Upstream resolvers for the router itself. allow-remote-requests is not set
# in this export (default no), which matches the DHCP networks above pointing
# clients at 10.1.1.10 / 8.8.8.8 directly rather than at the router.
set servers=8.8.8.8,8.8.4.4
/ip firewall address-list
# Per-VLAN lists. Only Vlan20-List is referenced by a filter rule in this
# export; Vlan10-List, Vlan30-List and vlan130-List are currently unused.
add address=10.1.10.0/24 list=Vlan10-List
add address=10.1.20.0/24 list=Vlan20-List
add address=10.1.30.0/24 list=Vlan30-List
# "All VLANs" is the source/destination set of the inter-VLAN drop rules. It
# covers 10.1.10.0/24 .. 10.1.170.0/24 only: 10.1.1.0/24 (IT Devices),
# 10.1.99.0/24, 10.1.200.0/24 (IT Room) and the 192.168.100/101 Wi-Fi
# networks are outside it, and therefore outside those drop rules.
add address=10.1.10.0/24 list="All VLANs"
# Trusted sets: the whole server LAN, and the IT staff subnet.
add address=10.1.1.0/24 list="IT Devices"
add address=10.1.200.0/24 list="IT Room"
add address=10.1.20.0/24 list="All VLANs"
add address=10.1.30.0/24 list="All VLANs"
add address=10.1.40.0/24 list="All VLANs"
add address=10.1.50.0/24 list="All VLANs"
add address=10.1.60.0/24 list="All VLANs"
add address=10.1.70.0/24 list="All VLANs"
add address=10.1.80.0/24 list="All VLANs"
add address=10.1.90.0/24 list="All VLANs"
add address=10.1.100.0/24 list="All VLANs"
add address=10.1.110.0/24 list="All VLANs"
add address=10.1.120.0/24 list="All VLANs"
add address=10.1.130.0/24 list="All VLANs"
add address=10.1.140.0/24 list="All VLANs"
add address=10.1.150.0/24 list="All VLANs"
add address=10.1.160.0/24 list="All VLANs"
add address=10.1.170.0/24 list="All VLANs"
# Two IT hosts that live in VLAN 10. Because 10.1.10.0/24 is also in
# "All VLANs", these addresses match both lists; in the forward chain that
# means the inter-VLAN drop rules also apply to replies sent back to them.
add address=10.1.10.102 list="IT Room"
add address=10.1.10.107 list="IT Room"
add address=10.1.130.0/24 list=vlan130-List
/ip firewall filter
# Forward chain only: there is no input chain in this export, so nothing here
# protects services on the router itself (the OpenVPN server, management) from
# the WAN or from the VLANs. Rules are evaluated top-down, first match wins,
# and a packet matched by no rule is accepted -- there is no final drop -- so
# every source that is not in "All VLANs" (Wi-Fi, guest Wi-Fi, vlan99,
# vlan200) can reach any internal network.
#
# There is also no connection-state handling, so replies are matched against
# the same lists as the packet that opened the connection. A reply from a
# 10.1.20.x host to 10.1.10.102 (an "IT Room" member that is also inside
# "All VLANs") hits the "All VLANs" -> "All VLANs" drop below, so connections
# from the two VLAN 10 admin hosts to other VLANs never complete;
# 10.1.200.0/24 is unaffected only because it is outside every drop list. The
# thread's last post reports that adding the connection-state rules fixed it.
add action=accept chain=forward comment="Permit connection with AD" \
    dst-address=10.1.1.10 src-address-list="All VLANs"
add action=accept chain=forward comment="Permit connection with FilesServer" \
    dst-address=10.1.1.19 src-address-list="All VLANs"
add action=accept chain=forward comment=\
    "Permit Recepsion with Camera connection" dst-address=10.1.1.222 \
    src-address=10.1.170.101
add action=accept chain=forward comment=\
    "Permit IT Staff connection with IT devices" dst-address-list=\
    "IT Devices" src-address-list="IT Room"
add action=accept chain=forward comment="Permit IP  to communicate with IP" \
    disabled=yes dst-address-list=Vlan20-List src-address=10.1.10.102
# This is the "admin to all VLANs" rule from the question. As exported it is
# disabled=yes, so it cannot match anything; even when enabled it only covers
# the outbound direction (see the note on connection state above).
add action=accept chain=forward comment=\
    "Permit IT Staff Connection with All Vlans" disabled=yes \
    dst-address-list="All VLANs" src-address-list="IT Room"
# The comments say "internet", but these rules have no destination match, so
# when enabled they drop all forwarded traffic from the host, internal too.
add action=drop chain=forward comment="Block an IP to access internet." \
    disabled=yes src-address=10.1.1.79
add action=drop chain=forward comment="Block an IP to access internet." \
    disabled=yes src-address=10.1.20.108
add action=drop chain=forward comment="Block an IP to access internet." \
    disabled=yes src-address=10.1.1.63
add action=drop chain=forward comment="Block an IP to access internet." \
    disabled=yes src-address=10.1.10.105
# Segmentation policy: anything from an office VLAN toward the server LAN
# (beyond the explicit accepts above) or toward another office VLAN is
# dropped. Neither rule sees traffic from 10.1.99.0/24, 10.1.200.0/24 or the
# Wi-Fi networks, because those are not in "All VLANs".
add action=drop chain=forward comment="Blocking InterVLAN communication" \
    dst-address-list="IT Devices" src-address-list="All VLANs"
add action=drop chain=forward comment="Blocking InterVLAN communication" \
    dst-address-list="All VLANs" src-address-list="All VLANs"
# Both disabled; 192.168.150.0/24 is not carried by any interface in this
# export.
add action=drop chain=forward comment=\
    "Blocking DS-VPN users from access internal resources. IN" disabled=yes \
    dst-address=10.1.1.0/24 src-address=192.168.150.0/24
add action=drop chain=forward comment=\
    "Blocking DS-VPN users from access internal resources.OUT" disabled=yes \
    dst-address=192.168.150.0/24 src-address=10.1.1.0/24
/ip firewall mangle
# Policy routing of the Wi-Fi networks toward ISP2. The first rule is an
# accept in prerouting, which ends mangle processing for 192.168.100.95, so
# that host keeps the main routing table while the rest of its subnet is
# marked below.
add action=accept chain=prerouting comment=\
    "No rules apply for - 192.168.100.95" src-address=192.168.100.95
# Both Wi-Fi subnets get routing-mark "Wifi to ISP2", which is consumed by the
# routing-mark default route under /ip route.
add action=mark-routing chain=prerouting comment="Wifi to ISP2 Rule" \
    new-routing-mark="Wifi to ISP2" passthrough=yes src-address=\
    192.168.100.0/24
add action=mark-routing chain=prerouting comment="Wifi to ISP2 Rule" \
    new-routing-mark="Wifi to ISP2" passthrough=yes src-address=\
    192.168.101.0/24
# Disabled: would send one VLAN 10 host via ISP2 as well.
add action=mark-routing chain=prerouting comment="PC te rrjeti i Telkosit" \
    disabled=yes new-routing-mark="Wifi to ISP2" passthrough=yes src-address=\
    10.1.10.102
/ip firewall nat
# Source NAT for both uplinks. The out-interface names used here ("Wan2 Ether2"
# and " WAN - Ether4", note the leading space) match no interface name in this
# export ("Telkos Ether2", "Kujtesa WAN - Ether4"). Unless the names were
# edited for the paste, neither masquerade rule can match and both should be
# re-pointed at the real WAN interfaces.
add action=masquerade chain=srcnat comment="Default Route to Telkos" \
    out-interface="Wan2 Ether2"
add action=masquerade chain=srcnat comment="Default Route to Kujtesa" \
    out-interface=" WAN - Ether4"
/ip route
# Traffic marked "Wifi to ISP2" by mangle leaves via 192.168.1.1.
add comment="Route using by Wifi " distance=2 gateway=192.168.1.1 \
    routing-mark="Wifi to ISP2"
# Main/backup default routes selected by distance. The "Main" route has no
# check-gateway, and the /32 host routes toward 8.8.4.4 / 8.8.8.8 that would
# normally feed a netwatch-style failover are disabled, so nothing in this
# export removes the main route when ISP1 fails -- verify how failover is
# meant to happen.
add comment=Main distance=1 gateway=178.132.223.1
add comment=Backup distance=2 gateway=192.168.1.1
add check-gateway=ping comment="Netwatch Main" disabled=yes distance=2 \
    dst-address=8.8.4.4/32 gateway=178.132.223.1
add check-gateway=ping comment="Netwatch Backup" disabled=yes distance=1 \
    dst-address=8.8.8.8/32 gateway=192.168.1.1
# Disabled static routes for the Wi-Fi subnets via 10.10.10.2; 192.168.200.0/24
# does not appear anywhere else in this export.
add comment="Static route for Wifi - 1" disabled=yes distance=1 dst-address=\
    192.168.100.0/24 gateway=10.10.10.2
add comment="Static route for Wifi -  2" disabled=yes distance=1 dst-address=\
    192.168.200.0/24 gateway=10.10.10.2

Thank you in advance guys. I would appreciate your help.

If this device faces the internet, your biggest problem is poor firewall rule setup.

  1. I recommend using the bridge as a bridge; I have no clue what abortion you have going on here…
  2. ALL VLANs should use interface=bridge.
  3. Add the two bridge ports, 8, 11
  4. If ether8 goes to a smart AP device, make it a trunk bridge port; otherwise it would need to be an access bridge port.
  5. Adjust /interface bridge vlan accordingly — why are none of the other VLANs listed there??? (http://forum.mikrotik.com/t/using-routeros-to-vlan-your-network/126489/1 is a good reference)
    6a. Where are your input chain firewall filter rules???
    6b. Change your firewall rules to drop everything (at least at the end of the forward chain); then you will only need rules that allow traffic (besides the default rules).
  6. It seems like you're missing the default useful firewall rules in the forward chain. If this device faces the internet, your biggest problem is poor firewall rule setup.
    If you need a basic one to start with - https://forum.mikrotik.com/viewtopic.php?t=180838
  7. For WHOLE subnets, interface lists work more efficiently. Firewall address lists are best suited to a range of IPs (less than a subnet, a mix of IPs from different subnets, or any time you have single IPs or groups of IPs together with a whole subnet). If you have a firewall address list consisting only of subnet(s), you should use interface lists.

Hello Anav,

Thank you for your reply, and thank you for the information. I'm going to do that as soon as I have the time and fix all these holes.
But fixing the issue I have right now is more urgent for me.
Do you have any solution for my problem ?

Thank you in advance.

Best Regards,

I did, I addressed your issues and provided a link as well.
No spoons here…make the effort to fix and then folks will assist.
More to the point, there is no point in giving you the right answer until you understand what you are doing.
That takes a bit of work and reading etc… If you want plugNplay buy a netgear home router.

Reading through the forum, Anav, while blunt, offers great assistance to forum users in his spare time, so I would suggest taking the time to go through his dot points, as you will be able to learn from them :slight_smile:

The useful part of my post will be this: if this is urgent enough that it needs to be done ASAP and you do not have the time to sort it out yourself, MikroTik hosts a list of qualified consultants on their website who will be able to offer you (most likely paid) support to get any urgent issues fixed :slight_smile:
https://mikrotik.com/consultants

Excellent point Aidan about the consultants!!

Or, instead of pointing to consultants, you can post a hint about a stateful firewall, which is the basic thing that can be seen in @anav’s link: the rules with connection-state options. If there’s this:

/ip firewall filter
# Stateful skeleton: replies and related traffic are accepted first, invalid
# state is dropped, then only connection-opening packets reach the
# per-direction policy, and everything else falls into the final drop.
add chain=forward connection-state=established,related,untracked action=accept
add chain=forward connection-state=invalid action=drop
# Policy rule: new connections from A to B only.
add chain=forward in-interface=A out-interface=B action=accept
# Default deny for the forward chain.
add chain=forward action=drop

Then it allows new connections from A to B, doesn’t allow new connections from B to A, but does allow traffic from B to A if it is a response to a connection initiated from A to B. A stateless firewall like:

/ip firewall filter
# Stateless version: the second rule drops B->A replies as well, so A's
# connections to B never complete.
add chain=forward in-interface=A out-interface=B action=accept
add chain=forward in-interface=B out-interface=A action=drop

allows traffic from A to B (first rule), but blocks all traffic from B to A (second rule) even when it’s in response to connections from A to B. So A can’t really communicate with B.

Hello everyone, thank you all for your help. The problem is solved. I had to add the connection rule; when I added it, everything started working normally.