Firewall rule works with interface, but not interface-list?

Hi

I have a CCR1009-7G-1C-PC (on 6.48), and I’m trying to set up my firewall. After reading many threads, I can see interface-lists are often used. I like the idea, since you can group interfaces, making firewall rules easier to write, and you can give it a descriptive name, “Trusted” / “Untrusted”.

I’ve been trying to write my firewall rules only with interface-lists (I have pretty basic requirements), but I’ve gotten to a point where one drop rule will work when I use the base interface, but refuses to work when I use the interface-list.

Setup:
vlan2 - trusted devices
vlan3 - untrusted devices

/interface vlan
add interface=bridge-vlan name=vlan2 vlan-id=2
add interface=bridge-vlan name=vlan3 vlan-id=3
/interface list
add name=Trusted
add name=Untrusted
add name=WAN
...
/interface list member
add interface=ether1 list=WAN
add interface=vlan2 list=Trusted
add interface=vlan3 list=Untrusted
...

Firewall Requirements:
trusted devices can see internet, and untrusted devices.
untrusted devices can only see internet

The firewall rules below were adapted from here: http://forum.mikrotik.com/t/how-to-block-traffic-between-vlans/84762/1

Working, with interface:
In the example below, rules 1 and 2 work with interface-list, and rule 3 works with interface.
This gives both vlans internet access, trusted can see untrusted, but untrusted cannot see trusted.

/ip firewall filter
add action=accept chain=forward in-interface-list=Trusted
add action=accept chain=forward connection-state=established,related in-interface-list=Untrusted
add action=drop chain=forward in-interface=vlan3 out-interface=vlan2

/ip firewall nat
add action=masquerade chain=srcnat out-interface-list=WAN

NOT Working, with interface-lists:
In the example below, rule 3 has been converted to interface-list, and doesn’t work.
With this configuration, both vlans can see internet, and each other.

/ip firewall filter
add action=accept chain=forward in-interface-list=Trusted
add action=accept chain=forward connection-state=established,related in-interface-list=Untrusted
add action=drop chain=forward in-interface-list=Trusted out-interface-list=Untrusted

/ip firewall nat
add action=masquerade chain=srcnat out-interface-list=WAN

Am I nuts? Shouldn’t this work?

Thanks

Maybe a bug… but more likely a mistake in the Config

Can you please export your Config and Post it on the Forum (/export hide-sensitive file=anynameyouwish)

Interface lists are excellent ways to manage GROUPs of users or devices (aka subnets).
Firewall address lists are better to form a group of USERs that is less than a subnet, like a subset of IPs on a subnet, IPs from different subnets, or a mix of IPs and whole subnets!!!

As for your Interface lists, looks okayish
Here is what you want
/interface list
-WAN
-LAN
-TRUSTED

/interface list member
WAN -ether1
LAN -vlan3
LAN -vlan2
TRUSTED -vlan2

You don't really need to distinguish TRUSTED or UNTRUSTED because you only have one vlan of each, so no GROUPS of vlans here.
In other words your firewall rules should be very simple!

The reason to keep the TRUSTED interface list is because you will need it in
tools: mac winbox server interface=TRUSTED (it only allows selections from the interface list).

Your source for firewall rules is utter crap.
USE DEFAULT RULES
/ip firewall filter
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related
add action=accept chain=forward comment="defconf: accept established,related, untracked" connection-state=established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
add action=drop chain=forward comment="defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat connection-state=new in-interface-list=WAN
add action=drop chain=forward in-interface=vlan3 out-interface=vlan2
(or you could use out-interface-list=TRUSTED)

Do post the rest of your config as requested.

What is amusing is that you blocked the trusted vlan from reaching the untrusted vlan,
add action=drop chain=forward in-interface-list=Trusted out-interface-list=Untrusted

whereas I am pretty sure you wanted the reverse,
the untrusted vlan not able to reach the trusted vlan. :wink:
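As an added illustration (not part of the thread, and not RouterOS code), here is a small Python model of how a RouterOS forward chain evaluates the three rule sets discussed above: first matching terminating rule wins, and a packet that reaches the end of the chain is accepted. It supports only the matchers these rules actually use (connection-state, connection-nat-state, in-/out-interface, in-/out-interface-list), the interface-list membership is the poster's, and the fasttrack rule from the default set is left out so the model makes no claim about fasttrack behaviour. The "corrected" set is an assumed combination of the default rules with the list-based drop pointing in the direction the last reply describes (Untrusted to Trusted).

```python
"""Model of RouterOS forward-chain evaluation for the rule sets in this thread.

Added example, not RouterOS code. Implements first-match semantics and the
implicit accept at the end of a chain for a handful of matchers only.
"""
import shlex

# Interface lists exactly as in the original post's /interface list member.
LISTS = {"WAN": {"ether1"}, "Trusted": {"vlan2"}, "Untrusted": {"vlan3"}}

TERMINATING = {"accept", "drop", "reject"}


def rules_from(text):
    """Parse 'add key=value ...' lines (RouterOS export syntax) into dicts."""
    rules = []
    for line in text.strip().splitlines():
        words = shlex.split(line)
        if not words or words[0] != "add":
            continue
        rules.append(dict(w.split("=", 1) for w in words[1:]))
    return rules


def flow(in_if, out_if, state="new", dstnat=False):
    """A forwarded packet as the filter sees it (constructed sample input)."""
    return {"in": in_if, "out": out_if, "state": state, "dstnat": dstnat}


def matches(rule, pkt):
    """True when every matcher present in the rule applies to the packet."""
    if rule.get("chain") != "forward":
        return False
    if "connection-state" in rule and pkt["state"] not in rule["connection-state"].split(","):
        return False
    nat = rule.get("connection-nat-state")  # only dstnat / !dstnat modelled
    if nat == "!dstnat" and pkt["dstnat"]:
        return False
    if nat == "dstnat" and not pkt["dstnat"]:
        return False
    if "in-interface" in rule and pkt["in"] != rule["in-interface"]:
        return False
    if "out-interface" in rule and pkt["out"] != rule["out-interface"]:
        return False
    if "in-interface-list" in rule and pkt["in"] not in LISTS[rule["in-interface-list"]]:
        return False
    if "out-interface-list" in rule and pkt["out"] not in LISTS[rule["out-interface-list"]]:
        return False
    return True


def verdict(rules, pkt):
    """Walk the chain top-down; the first terminating match decides.

    As in RouterOS, a packet that falls off the end of the chain is accepted,
    which is why a mis-directed drop rule silently permits traffic.
    """
    for rule in rules:
        if matches(rule, pkt) and rule["action"] in TERMINATING:
            return rule["action"]
    return "accept"


# The poster's "NOT working" set. Rule 1 accepts everything from Trusted, so
# rule 3 (Trusted -> Untrusted) can never match, and nothing drops a new
# Untrusted -> Trusted connection.
OP_NOT_WORKING = rules_from("""
add action=accept chain=forward in-interface-list=Trusted
add action=accept chain=forward connection-state=established,related in-interface-list=Untrusted
add action=drop chain=forward in-interface-list=Trusted out-interface-list=Untrusted
""")

# The poster's "working" set: the drop points the right way (vlan3 -> vlan2).
OP_WORKING = rules_from("""
add action=accept chain=forward in-interface-list=Trusted
add action=accept chain=forward connection-state=established,related in-interface-list=Untrusted
add action=drop chain=forward in-interface=vlan3 out-interface=vlan2
""")

# Assumed corrected set: default-style rules plus the list-based drop in the
# Untrusted -> Trusted direction (fasttrack omitted from the model).
CORRECTED = rules_from("""
add action=accept chain=forward connection-state=established,related,untracked
add action=drop chain=forward connection-state=invalid
add action=drop chain=forward connection-nat-state=!dstnat connection-state=new in-interface-list=WAN
add action=drop chain=forward in-interface-list=Untrusted out-interface-list=Trusted
""")


if __name__ == "__main__":
    for name, rules in (("not working", OP_NOT_WORKING), ("working", OP_WORKING), ("corrected", CORRECTED)):
        print(name, "vlan3->vlan2 new:", verdict(rules, flow("vlan3", "vlan2")))
```

On a real router the equivalent check is to watch the rule counters with `/ip firewall filter print stats` while generating a new connection from the untrusted vlan: if the drop rule's counter does not move, the packet was accepted by an earlier rule or fell through to the chain's implicit accept, exactly as the model shows for the "NOT working" set.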