firewall rules jump/return

mvcorrea · September 8, 2017, 3:27am

Hi there,

I have a chain called “wifi” where I filter who and when to get internet access.

on my first rule i have a matching action forward where I jump into the wifi chain.

there I implement some rules then I do return (I supposed to return to the next line after the jump)

but I am unable to see any match? Any help is appreciated

 1    chain=forward action=jump jump-target=wifi in-interface=all-wireless log=no log-prefix="wifi"
 ...
 12    chain=wifi action=accept src-mac-address=00:22:5F:B4:B5:94
 13 I  ;;; inactive time
      chain=wifi action=accept time=13h-14h,mon,tue,wed,thu,fri log=no
 14    chain=wifi action=drop time=10h-23h59m,mon,tue,wed,thu,fri log=no
 15 X  chain=wifi action=return log=no

Sob · September 8, 2017, 1:14pm

It also depends on the rest of your config. What you have can work with independent wireless interface. But in case you have it bridged with wired, in-interface=all-wireless won’t match, because from firewall’s point of view, packed will be coming from bridge.

mvcorrea · September 8, 2017, 5:16pm

Hi Sob, tanks for your help

So the situation is because all interfaces are in same bridge? its logical
So If I create other bridge, put both wireless ifaces on it, it should work with this config?

regards,

ZeroByte · September 8, 2017, 6:44pm

Yep.

The basic rule of thumb for in/out interface matching in the IP firewall is whether or not there’s an IP address on the interface you mention. Only IP interfaces have their traffic passed to the IP firewall.

mvcorrea · September 9, 2017, 5:47pm

So please could you help me in this setup?
I got everything working, I now I have hits in the firewall, but I think I got some questionable config

# RouterOS v6.40.1 - MikroTik hAP ac

# new bridge
/interface bridge
add name=wifi-bridge

# ifs on the bridge
/interface bridge port
add bridge=wifi-bridge comment=defconf interface=wlan-2G
add bridge=wifi-bridge comment=defconf interface=wlan-5G

# creating subnet for it
/ip address
add address=10.10.11.1/24 interface=wifi-bridge network=10.10.11.0

# then
# create a pool
/ip pool
add name=wifi-pool ranges=10.10.11.160-10.10.11.189

# associate pool/bridge
/ip dhcp-server
add address-pool=wifi-pool disabled=no interface=wifi-bridge name=server1

# I need this to make it work
/ip dhcp-server network
add address=10.10.11.0/24 gateway=10.10.11.1

looks ok, did I forgot something?
Also Whats the difference in creating a subnet “/ip address add address=" and the subnet created "/ip dhcp-server network”

[admin@MikroTik] > /ip route print 
...
 #      DST-ADDRESS        PREF-SRC        GATEWAY            DISTANCE
 0 ADS  0.0.0.0/0                          XX.YY.128.1              1
...
 2 ADC  10.10.10.0/24      10.10.10.1      bridge                    0
 3 ADC  10.10.11.0/24      10.10.11.1      wifi-bridge               0
...

comments are welcome

Sob · September 9, 2017, 7:05pm

I think it looks ok. And in “/ip address” there’s address (and network) used by router, while “/ip dhcp-server network” is config given to dhcp clients.