Firewall rules don't seem to be doing anything.

jking99 · October 4, 2021, 1:32pm

Hello, I’m pretty new to Mikrotik but have dealt with some switches, routers, and firewalls over my years. I recently picked up an rb4011 when I changed to AT&T Fiber internet. Everything seems to be working. I have a BGW320-500 with a built in ONT so I don’t think I’m going to be able to sidestep the gateway. I’ve been running it in ip-passthrough mode but it seems like it’s still doing something. I’ve been trying to setup my firewall and port forwarding and nothing seems to stick. Even just something as basic as accepting ICMP isn’t working. I’ve made a couple of really basic NAT rules to forward traffic to servers inside my network that doesn’t seem to be working either. Maybe I’m just lacking in some basic understanding of the RouterOS firewall? I’ve added the basic rules. You can see I’ve tried to do this a couple different ways but nothing has really worked.

/ip firewall filter
add action=accept chain=forward connection-nat-state=dstnat connection-state=established,related,new in-interface=ether1 \
    src-address=0.0.0.0
add action=accept chain=input connection-state=established,related,new in-interface=ether1 src-address=0.0.0.0
add action=accept chain=input icmp-options=8:0-255 protocol=icmp
add action=jump chain=input jump-target=icmp protocol=icmp
add action=accept chain=icmp comment="echo reply" icmp-options=0:0 protocol=icmp
add action=accept chain=icmp comment="net unreachable" icmp-options=3:0 protocol=icmp
/ip firewall nat
add action=masquerade chain=srcnat out-interface-list=WAN
add action=dst-nat chain=dstnat in-interface-list=WAN port=80 protocol=tcp to-addresses=192.168.10.25
add action=dst-nat chain=dstnat in-interface-list=WAN port=80 protocol=udp to-addresses=192.168.10.25
add action=dst-nat chain=dstnat comment=web dst-port=80 in-interface-list=WAN log=yes log-prefix=web protocol=tcp to-addresses=\
    192.168.10.25 to-ports=80

jking99 · October 4, 2021, 5:56pm

Well, I think this is pretty dumb but apparently in IP-Passthrough mode the BGW320 is still doing things. Once I allowed the port on the BGW it forwarded properly. I still can’t ICMP to work though.

jking99 · October 4, 2021, 8:45pm

I keep reading that ip passthrough should just be forwarding everything on to the router behind it but that’s definitely not the case for me. Anyone have any insight here?

WeWiNet · October 6, 2021, 4:24pm

You don’t show all your firewall rules here, so not possible to help you!
There is no single drop rule, if this would be the case any packets will go in and out and nothing gets dropped.
Firewall without a drop rule is not a firewall as at the end of the list is a accept all happening within Mirkotik router!

If you have no drop rule and can not ping, then you must have other issues like IP set up, routes etc.

A good thing to see if firewall is the culprit, is log for debugging purpose the drop rule.

jking99 · October 6, 2021, 5:40pm

It was definitely something with the ISP CPE. Those were all the firewall rules. I had no raw rules. At any rate I allocated a Public Static IP to the Mikrotik and enabled traffic to the Public subnet in the BGW and now the firewall behaves how I would expect. I have a full suite of rules now including drops at the end. Thanks for taking a look.