Firewall rules ignored for 1 IP for all google domains

Hello all,

I'm a new RouterOS user.
I have the RouterBOARD 962UiGS-5HacT2HnT.

I have set up a few address lists:
one that includes several IPs for my kids' computers (3 in total: 2 Linux, 1 Windows),
and another with the 2 websites they are allowed on during the day.
I then have 2 specific firewall rules:

  1. allows access based on the address list
  2. blocks access (based on time of day) to the rest of the internet

All this works for the 2 Linux systems, but the Windows machine has access to all Google stuff, which it is not supposed to.

If you need more specifics from terminal, please let me know what you need to help me.
This is driving me crazy…

I tried changing the IP address of the affected system but the same issue is happening.

You can try sharing your config:

/export hide-sensitive

Thanks for the tip.
Here is the config output:

[alexc@ShieldRouter] > /export hide-sensitive
# mar/14/2019 10:41:42 by RouterOS 6.44
# software id = 693L-KSBV
#
# model = RouterBOARD 962UiGS-5HacT2HnT
# serial number = 8A7C08417BB5
/interface bridge
add admin-mac=CC:2D:E0:AB:8A:01 auto-mac=no comment=defconf name=bridge
/interface ethernet
set [ find default-name=ether1 ] name=ether1_wan
set [ find default-name=ether2 ] name=ether2_master
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
add authentication-types=wpa2-psk eap-methods="" management-protection=allowed mode=dynamic-keys name=secureHome \
    supplicant-identity=""
/interface wireless
set [ find default-name=wlan1 ] band=2ghz-onlyn channel-width=20/40mhz-XX disabled=no distance=indoors frequency=auto mode=\
    ap-bridge name="wlan1 - 2.4G" security-profile=secureHome ssid=Shield wireless-protocol=802.11 wps-mode=disabled
set [ find default-name=wlan2 ] band=5ghz-n/ac channel-width=20/40/80mhz-XXXX disabled=no distance=indoors frequency=auto \
    installation=indoor mode=ap-bridge name="wlan2 - 5G" security-profile=secureHome ssid=Shield wireless-protocol=802.11 \
    wps-mode=disabled
/ip hotspot profile
set [ find default=yes ] html-directory=flash/hotspot
/ip pool
add name=default-dhcp ranges=192.168.1.100-192.168.1.200
/ip dhcp-server
add address-pool=default-dhcp disabled=no interface=bridge lease-time=3d name=homeDHCP
/interface bridge port
add bridge=bridge comment=defconf interface=ether2_master
add bridge=bridge comment=defconf interface=ether3
add bridge=bridge comment=defconf interface=ether4
add bridge=bridge comment=defconf interface=ether5
add bridge=bridge comment=defconf interface=sfp1
add bridge=bridge comment=defconf interface="wlan1 - 2.4G"
add bridge=bridge comment=defconf interface="wlan2 - 5G"
/ip neighbor discovery-settings
set discover-interface-list=LAN
/interface detect-internet
set detect-interface-list=WAN
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=ether1_wan list=WAN
/ip address
add address=192.168.1.1/24 comment=defconf interface=bridge network=192.168.1.0
/ip dhcp-client
add comment=defconf dhcp-options=hostname,clientid disabled=no interface=ether1_wan use-peer-dns=no use-peer-ntp=no
/ip dhcp-server lease
add address=192.168.1.200 client-id=1:1c:1b:d:e3:15:e7 comment=Main_PC mac-address=1C:1B:0D:E3:15:E7 server=homeDHCP
add address=192.168.1.70 client-id=ff:b5:5e:67:ff:0:2:0:0:ab:11:f:e3:54:62:20:b9:a0:df comment=WebServer mac-address=\
    52:54:00:DE:11:4C server=homeDHCP
add address=192.168.1.43 client-id=ff:cb:39:a:c7:0:2:0:0:ab:11:19:49:6c:26:af:5:2c:d3 comment=Ubuntu_Server mac-address=\
    30:85:A9:93:92:43 server=homeDHCP
add address=192.168.1.249 client-id=1:30:cd:a7:2a:53:f1 mac-address=30:CD:A7:2A:53:F1 server=homeDHCP
add address=192.168.1.210 comment=Emma mac-address=68:EC:C5:E6:EF:B5 server=homeDHCP
add address=192.168.1.211 comment=Arthur mac-address=5C:51:4F:2C:8C:2E server=homeDHCP
add address=192.168.1.212 comment=Edvard mac-address=AC:D1:B8:DF:2D:49 server=homeDHCP
add address=192.168.1.40 client-id=1:a4:da:22:20:27:d3 comment="Wyze Garage" mac-address=A4:DA:22:20:27:D3 server=homeDHCP
add address=192.168.1.41 client-id=1:94:51:3d:2:a7:50 comment="Wyze Backdoor" mac-address=94:51:3D:02:A7:50 server=homeDHCP
add address=192.168.1.38 client-id=1:a4:da:22:29:69:5b comment="Wyze Livingroom" mac-address=A4:DA:22:29:69:5B server=homeDHCP
add address=192.168.1.39 client-id=1:a4:da:22:29:69:b5 comment="Wyze Diningroom" mac-address=A4:DA:22:29:69:B5 server=homeDHCP
add address=192.168.1.105 client-id=1:28:ef:1:d3:e1:a8 comment="Ed's Kindle" mac-address=28:EF:01:D3:E1:A8 server=homeDHCP
/ip dhcp-server network
add address=192.168.1.0/24 comment=defconf dns-server=192.168.1.1 gateway=192.168.1.1 netmask=24
/ip dns
set allow-remote-requests=yes servers=1.1.1.1,1.0.0.1
/ip dns static
add address=192.168.88.1 name=router.lan
/ip firewall address-list
add address=192.168.1.210-192.168.1.213 list=Kids
add address=192.168.1.36-192.168.1.41 list="IP Cams"
add address=abeka.com list=Abeka
add address=sso.abeka.com list=Abeka
add address=academy.abeka.com list=Abeka
add address=vcdn.abeka.com list=Abeka
add address=192.168.1.200 list=Alex
add address=static.abeka.com list=Abeka
add address=edmentum.com list=Abeka
/ip firewall filter
add action=accept chain=forward comment="Abeka.com Accept" dst-address-list=Abeka protocol=tcp src-address-list=Kids time=\
    8h30m-14h30m,mon,tue,wed,thu,fri
add action=reject chain=forward comment="M-F 8:30-14:30 Internet Block" in-interface-list=LAN protocol=tcp reject-with=\
    tcp-reset src-address-list=Kids time=8h30m-14h30m,mon,tue,wed,thu,fri
add action=accept chain=forward comment="Test - Abeka.com Accept - Test" disabled=yes dst-address-list=Abeka protocol=tcp \
    src-address-list=Kids time=8h30m-14h30m,mon,tue,wed,thu,fri
add action=reject chain=forward comment="Test - M-F 8:30-14:30 Internet Block -Test" disabled=yes in-interface-list=LAN \
    protocol=tcp reject-with=tcp-reset src-address-list=Kids time=8h30m-14h30m,mon,tue,wed,thu,fri
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=input comment="defconf: accept ICMP" in-interface-list=LAN protocol=icmp
add action=drop chain=input comment="defconf: drop all not coming from LAN" in-interface-list=!LAN
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related
add action=accept chain=forward comment="defconf: accept in ipsec policy" ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" ipsec-policy=out,ipsec
add action=accept chain=forward comment="defconf: accept established,related, untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
add action=drop chain=forward comment="defconf:  drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
    connection-state=new in-interface-list=WAN
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" ipsec-policy=out,none out-interface-list=WAN
add action=masquerade chain=srcnat comment="haripin nat" dst-address=!192.168.1.1 src-address=192.168.1.0/24
add action=dst-nat chain=dstnat comment=WSE dst-address=!192.168.1.1 dst-address-type=local dst-port=1935 protocol=tcp \
    to-addresses=192.168.1.43 to-ports=1935
add action=dst-nat chain=dstnat comment="WSE SSL" dst-address=!192.168.1.1 dst-address-type=local dst-port=444 protocol=tcp \
    to-addresses=192.168.1.43 to-ports=443
add action=dst-nat chain=dstnat comment=WSEM dst-address=!192.168.1.1 dst-address-type=local dst-port=8088 protocol=tcp \
    to-addresses=192.168.1.43 to-ports=8088
add action=dst-nat chain=dstnat comment="WSEM SSL" dst-address=!192.168.1.1 dst-address-type=local dst-port=8090 protocol=tcp \
    to-addresses=192.168.1.43 to-ports=8090
add action=dst-nat chain=dstnat comment="WebServer SSL" dst-address=!192.168.1.1 dst-address-type=local dst-port=443 protocol=\
    tcp to-addresses=192.168.1.70 to-ports=443
add action=dst-nat chain=dstnat comment=WebServer dst-address=!192.168.1.1 dst-address-type=local dst-port=80 protocol=tcp \
    to-addresses=192.168.1.70 to-ports=80
add action=dst-nat chain=dstnat comment="MicroTik WebFig" dst-port=20080 in-interface=ether1_wan protocol=tcp to-addresses=\
    192.168.1.1 to-ports=20080
add action=dst-nat chain=dstnat comment=PLEX dst-port=32400 in-interface=all-ethernet protocol=tcp to-addresses=192.168.1.43 \
    to-ports=32400
add action=dst-nat chain=dstnat comment=Amcrest-IP-FY-RTSP dst-address=!192.168.1.1 dst-address-type=local dst-port=555 \
    protocol=tcp to-addresses=192.168.1.36 to-ports=554
add action=dst-nat chain=dstnat comment=Amcrest-IP-FY-Web dst-address=!192.168.1.1 dst-address-type=local dst-port=5080 \
    protocol=tcp to-addresses=192.168.1.36 to-ports=80
add action=dst-nat chain=dstnat comment=Amcrest-IP-FY dst-address=!192.168.1.1 dst-address-type=local dst-port=33337 protocol=\
    tcp to-addresses=192.168.1.36 to-ports=37777
/ip service
set telnet disabled=yes
set ftp disabled=yes
set www port=20080
set ssh disabled=yes
/ip ssh
set allow-none-crypto=yes
/ipv6 firewall address-list
add address=::/128 comment="defconf: unspecified address" list=bad_ipv6
add address=::1/128 comment="defconf: lo" list=bad_ipv6
add address=fec0::/10 comment="defconf: site-local" list=bad_ipv6
add address=::ffff:0.0.0.0/96 comment="defconf: ipv4-mapped" list=bad_ipv6
add address=::/96 comment="defconf: ipv4 compat" list=bad_ipv6
add address=100::/64 comment="defconf: discard only " list=bad_ipv6
add address=2001:db8::/32 comment="defconf: documentation" list=bad_ipv6
add address=2001:10::/28 comment="defconf: ORCHID" list=bad_ipv6
add address=3ffe::/16 comment="defconf: 6bone" list=bad_ipv6
add address=::224.0.0.0/100 comment="defconf: other" list=bad_ipv6
add address=::127.0.0.0/104 comment="defconf: other" list=bad_ipv6
add address=::/104 comment="defconf: other" list=bad_ipv6
add address=::255.0.0.0/104 comment="defconf: other" list=bad_ipv6
/ipv6 firewall filter
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=input comment="defconf: accept ICMPv6" protocol=icmpv6
add action=accept chain=input comment="defconf: accept UDP traceroute" port=33434-33534 protocol=udp
add action=accept chain=input comment="defconf: accept DHCPv6-Client prefix delegation." dst-port=546 protocol=udp \
    src-address=fe80::/16
add action=accept chain=input comment="defconf: accept IKE" dst-port=500,4500 protocol=udp
add action=accept chain=input comment="defconf: accept ipsec AH" protocol=ipsec-ah
add action=accept chain=input comment="defconf: accept ipsec ESP" protocol=ipsec-esp
add action=accept chain=input comment="defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=input comment="defconf: drop everything else not coming from LAN" in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
add action=drop chain=forward comment="defconf: drop packets with bad src ipv6" src-address-list=bad_ipv6
add action=drop chain=forward comment="defconf: drop packets with bad dst ipv6" dst-address-list=bad_ipv6
add action=drop chain=forward comment="defconf: rfc4890 drop hop-limit=1" hop-limit=equal:1 protocol=icmpv6
add action=accept chain=forward comment="defconf: accept ICMPv6" protocol=icmpv6
add action=accept chain=forward comment="defconf: accept HIP" protocol=139
add action=accept chain=forward comment="defconf: accept IKE" dst-port=500,4500 protocol=udp
add action=accept chain=forward comment="defconf: accept ipsec AH" protocol=ipsec-ah
add action=accept chain=forward comment="defconf: accept ipsec ESP" protocol=ipsec-esp
add action=accept chain=forward comment="defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=forward comment="defconf: drop everything else not coming from LAN" in-interface-list=!LAN
/snmp
set trap-generators=temp-exception,temp-exception
/system clock
set time-zone-name=America/Los_Angeles
/system identity
set name=ShieldRouter
/system ntp client
set enabled=yes primary-ntp=45.32.75.249 secondary-ntp=104.238.183.250
/system package update
set channel=long-term
/tool bandwidth-server
set enabled=no
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN

I don't see it. The "Kids" list is .210-213 and the firewall rule blocks TCP connections when the source address belongs to that list. Did you check whether the computer has the expected IP address? It would get around the blocking if it had a different one for some reason (either manually configured, or you could have a typo in the MAC address in the DHCP reservation, so it would get a different one). Another possibility would be IPv6, since nothing is blocked there and if available, it would be preferred. But that's probably not it, because I don't see any IPv6 config except the default firewall.

The /export command doesn't show dynamic settings … to make sure an IPv6 setup doesn't exist, one should check the settings using print.

But there's nothing: not only no IPv6 address, but no DHCPv6 client either.

One more possibility: you only block TCP, which is usually enough to block web access. But I read somewhere recently that Google is doing some experiments with a future UDP-based HTTP protocol and they may have it enabled in Chrome. I'm not sure exactly, but if that were the case, it would get around your TCP-only blocking.

I think you hit the nail on the head with the Chrome issue.
This isn't even specifically related to Chrome: I opened an incognito window on the same computer, tried to go to YouTube, and it was correctly blocked.
Seems like this is a Google account issue that simply bypasses the TCP block by accessing the Google-related services via UDP. My connections are full of the IP 172.217.5.110 when I go to YouTube.
Now I just need to figure out how to modify the rules to block this as well.

Thanks, this was super helpful.

Add another set of filter rules, but set protocol=udp

I'm not sure if it's worth bothering with action=reject with all of its attributes. A simple action=drop would do the job just as well … and with that you could probably completely omit the protocol= setting, making it match both TCP and UDP, so two sets of rules would not be necessary.
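To show why the Windows box still reached Google and how the two suggestions above fix it, here is a small added Python model of the forward-chain Kids rules from the export (not RouterOS code and not from anyone in the thread): the first matching rule wins, a rule with protocol=tcp never sees a UDP/443 (QUIC) flow, and the protocol-less drop rule suggested last catches both TCP and UDP. The Abeka addresses and the two datetimes are constructed; the Kids range and the Google IP are taken from the thread.

```python
from dataclasses import dataclass
from datetime import datetime
from ipaddress import IPv4Address
from typing import Optional
# Address lists from the exported config. "Abeka" holds host names that RouterOS
# resolves dynamically; a constructed TEST-NET range stands in for them here.
ADDRESS_LISTS = {
    "Kids": [(IPv4Address("192.168.1.210"), IPv4Address("192.168.1.213"))],
    "Abeka": [(IPv4Address("203.0.113.10"), IPv4Address("203.0.113.20"))],
}
SCHOOL_HOURS = (8 * 60 + 30, 14 * 60 + 30, {0, 1, 2, 3, 4})  # time=8h30m-14h30m,mon-fri
THURSDAY = datetime(2019, 3, 14, 10, 41)  # the export timestamp, inside the window
SATURDAY = datetime(2019, 3, 16, 10, 41)  # same clock time, outside the window

@dataclass
class Rule:
    action: str                      # accept | drop | reject (all terminating)
    protocol: Optional[str] = None   # None = protocol= omitted, matches any protocol
    src_list: Optional[str] = None   # src-address-list=
    dst_list: Optional[str] = None   # dst-address-list=
    timed: bool = True               # carries the time= matcher above

def in_list(addr: str, name: str) -> bool:
    ip = IPv4Address(addr)
    return any(lo <= ip <= hi for lo, hi in ADDRESS_LISTS[name])

def in_window(when: datetime) -> bool:
    start, end, days = SCHOOL_HOURS
    return when.weekday() in days and start <= when.hour * 60 + when.minute < end

def verdict(rules, src: str, dst: str, proto: str, when: datetime) -> str:
    """Action of the first rule whose matchers all fit the flow. No match falls
    through to 'accept': the exported forward chain has no final drop for LAN."""
    for r in rules:
        if r.timed and not in_window(when):
            continue
        if r.protocol is not None and r.protocol != proto:
            continue
        if r.src_list and not in_list(src, r.src_list):
            continue
        if r.dst_list and not in_list(dst, r.dst_list):
            continue
        return r.action
    return "accept"

# The two Kids rules as exported: both restricted to protocol=tcp.
TCP_ONLY = [Rule("accept", "tcp", "Kids", "Abeka"), Rule("reject", "tcp", "Kids")]
# The last reply's suggestion: protocol= omitted and action=drop.
ANY_PROTO = [Rule("accept", None, "Kids", "Abeka"), Rule("drop", None, "Kids")]
```

The model leaves out the defconf established/fasttrack rules, which in the export sit after the two Kids rules and therefore only see flows those rules did not already terminate.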