Hi,
Whenever I move or add a rule in the firewall, something breaks!
eMule ID low, VPN doesn’t work, etc.…
Is there a manual that explains the method for ordering rules correctly in the firewall?
Also, must the “defconf” rules be on top, at the bottom, or mixed with my rules?
Now, for example, I noticed a slow Samba transfer rate, so I moved the defconf rules (accept related, etc.…) to the top and the transfer rate is now OK, but the VPN doesn’t work anymore!
I don’t remember the order I had before, so I’ll spend hours disabling all the rules and enabling them one at a time to solve this.
Thanks!
defconf rules are nothing special, they are just the DEFault CONFiguration.
It’s rather simple: there are 3 chains: input, output and forward. Rules in them are executed depending on the packet’s path:
- input - packets which will be dealt with by the router’s own services (e.g. DNS server, HTTP server - webfig, etc.) regardless of their origin (internet, LAN)
- output - packets created by the router’s own services regardless of their destination
- forward - packets passing through the router regardless of direction (LAN to internet, internet to LAN, LAN to LAN, even internet to internet in case of some special configuration). These can be NATed or whatever.
(one can create custom chains, but these have to be used explicitly, so it’s easy to notice when packets deviate into one of those)
And another simple rule: filter rules are executed top to bottom, and the first matching rule decides the packet’s fate. If a packet doesn’t match any of the rules, it’s accepted (implicit accept-all rule at the end of these chains).
You can always get the list (and order) of default rules by examining the output of the command /system default-configuration print (just make sure the command window is really wide)
One bit of advice… be sure to use safe mode when changing FW rules… the last thing you need is to lock yourself out of your own router.
Once you have all the settings correct, then you can disable safe mode and log out.
Worst case… if you get locked out, just mac-winbox back in to correct the mistakes (provided you do have mac-winbox enabled)
Thanks to all.
I already know what you wrote me, but I have some difficulty sorting the rules… oriented to the speed of the router or to other services.
For example:
- fasttrack “doesn’t permit” queues, so you can add an accept rule before the fasttrack rule.
- many rules slow down the Samba transfer rate between PCs in the LAN, and are CPU expensive too, so you must place a few accept rules at the top of the list.
I didn’t know about safe mode, thanks, I’ll look at it now!
You’re talking about Samba: is that between two external machines (one being server and the other client) connected via MT… or are you rather using MT as a file server? If it’s the latter case: MT isn’t a fast Samba server and it’s not (only) due to firewall rules. If it’s the former and both devices are in the same IP subnet, then traffic should not hit the firewall at all and you’re configuring your MT wrong (unless you have a good reason for LAN-to-LAN traffic to traverse firewall rules).
Regarding fast-track: it only works for chain=forward and causes packets belonging to fast-tracked connections to skip most of the processing (including queues and mangle). It doesn’t work for input and output, as those packets involve CPU processing anyway.
Thank you!
Samba is not on the MikroTik but simply a share between PCs.
I have 5 PCs, in 3 different networks, that share some directories.
Unfortunately, I must traverse the firewall rules because I can’t permit every LAN to see every LAN.
So I block or permit some networks in relation to others.
Which MikroTik device is your router? Most low-end (SOHO) devices, and many mid- and high-end devices as well, are unable to route at wire speed. You may want to check the official test results available from the product page. Be sure to check the “Ethernet test results” table. Many forum users find the number in “routing 25 ip filter rules - 512 byte packet size” the most correlated to real-life scenarios (give or take 50%).
Surely smart use of the fast track feature allows the router to get near that figure, but with a complex setup it’s not easy to get the fast track rule right.
Hint: you can have more than one fast-track rule, targeting different connections, if that makes your life easier.
Hi, thanks.
I have a 2011UAS-2HnD, Wi-Fi always turned off.
5 LANs, 1 VPN, 54 firewall rules, 40 lines of address list in 8 lists.
Now I solved it, I have a 1 gigabit transfer rate when copying files through routing.
However, I still don’t understand many things… I just bought 2 books on Amazon; when they arrive I’ll try to learn…
1 question: in the forum I found that to increase the transfer rate when routing, you can put the fasttrack rule just before the accept forward rule for established, related.
But if I do this, every time the firewall encounters an established connection it matches and leaves the firewall… Right?
If yes, then what is the forward rule for?
Both fasttrack and forward match the same target… So only the first will function… Right?
From the wiki “Note that not all packets in a connection can be FastTracked, so it is likely to see some packets going through slow path even though connection is marked for FastTrack. This is the reason why fasttrack-connection is usually followed by identical action=accept rule.”
So unless you need additional rules to prevent fasttrack, e.g. for queues, the first two forward chain rules should be action=fasttrack-connection connection-state=established,related and action=accept connection-state=established,related - these will handle the bulk of the forwarded traffic.
Typically these are followed by action=drop connection-state=invalid to exclude packets considered invalid by the connection tracking, then a number of rules to permit or drop specific protocols / ports / source addresses / destination addresses as required - whilst these consume CPU resources they are only processed for the first packet of new connections. Unless your traffic consists of a large volume of connections transferring small amounts of data this should only be a little of the available CPU.
OK, I reordered my firewall rules following the defconf rules, your suggestion and my needs.
Now almost everything works.
But now I’m trying to understand: the dynamic rule (passthrough at position 0) created by MikroTik when you activate fasttrack doesn’t work. 0 bytes!
Whereas, before I started tidying up the rules, passthrough worked.
By the way, my transfer rate is “gigabit” inside the same LAN, but very slow when routing to another LAN (about 200 Mbit/s), all local LANs.
While I was tidying up the rules, I probably found a sequence that allowed me to increase the transfer rate between LANs, because when trying to copy files I reached about 600/700 Mbit/s of bandwidth.
Then I continued sorting the rules trying to correct other problems (permit queues, transfer rate inside the LAN, eMule P2P NATed ports, accept VPN IPsec) and I solved all the problems, but I lost the transfer rate between LANs.
For now it doesn’t matter, I solved 90% of my problems… but I’ll continue to try to optimize.
I’ll print my rules:
/ip firewall filter
add action=accept chain=input connection-state=established,related,untracked
add action=accept chain=input src-address-list=Access-Router
add action=accept chain=input protocol=icmp
add action=accept chain=input dst-port=1701,500,4500 protocol=udp
add action=accept chain=input dst-port=443 protocol=tcp
add action=drop chain=input connection-state=invalid
add action=accept chain=forward connection-state=established,related,untracked
add action=accept chain=forward comment="accept DSTNATed" connection-nat-state=dstnat
add action=accept chain=forward comment="skip fasttrack to permit queues" connection-state=established,related dst-address=192.168.44.100
add action=accept chain=forward comment="skip fasttrack to permit queues" connection-state=established,related dst-address=192.168.44.101
add action=accept chain=forward comment="skip fasttrack to permit emule p2p" dst-port=10300-10308 protocol=tcp
add action=accept chain=forward dst-port=10300-10308 protocol=udp
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related
add action=accept chain=forward connection-state=established,related,untracked
add action=drop chain=forward connection-state=invalid
add action=drop chain=forward comment="Drop Fake-IP_Bogons" dst-address-list=Fake-IP_Bogons log-prefix=List-Fake-IP-Bogons out-interface-list=!LAN
add action=drop chain=input comment="defconf: drop all not coming from LAN" in-interface-list=!LAN
add action=drop chain=forward comment="drop all from WAN not DSTNATed" connection-nat-state=!dstnat connection-state="" in-interface-list=WAN
add action=drop chain=input comment="FTP BruteForce - DROP" dst-port=21 protocol=tcp src-address-list=FTP_BlackList
add action=accept chain=output content="530 Login incorrect" dst-limit=1/1m,4,dst-address/1m protocol=tcp
add action=add-dst-to-address-list address-list=FTP_BlackList address-list-timeout=3h chain=output content="530 Login incorrect" protocol=tcp
add action=drop chain=input comment="SSH BruteForce - DROP" dst-port=22 log=yes log-prefix=SSHBruteForceAttack_ protocol=tcp src-address-list=SSH_BlackList
add action=add-src-to-address-list address-list=SSH_BlackList address-list-timeout=4w2d chain=input connection-state=new dst-port=22 protocol=tcp src-address-list=SSH_Stage3
add action=add-src-to-address-list address-list=SSH_Stage3 address-list-timeout=1m chain=input connection-state=new dst-port=22 protocol=tcp src-address-list=SSH_Stage2
add action=add-src-to-address-list address-list=SSH_Stage2 address-list-timeout=1m chain=input connection-state=new dst-port=22 protocol=tcp src-address-list=SSH_Stage1
add action=add-src-to-address-list address-list=SSH_Stage1 address-list-timeout=1m chain=input connection-state=new dst-port=22 protocol=tcp
add action=drop chain=forward comment="SSH BruteForce - DROP Downstream" dst-port=22 protocol=tcp src-address-list=SSH_BlackList
add action=drop chain=forward in-interface=ether1_WAN log=yes log-prefix=!public src-address-list=Fake-IP_Bogons
add action=drop chain=input comment="!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!"
I left spaces between “section” rules.
First input, for the router, then the forwards for the LAN, then brute-force attacks (should brute force go on top? I put it at the end…)
But with this sequence, the only rule that does most of the work is
add action=accept chain=forward connection-state=established,related,untracked
the others have near 0 bytes of traffic…
By the way, thank you very much for support!
The first rule, coloured red, actually overshadows the rules coloured blue.
add action=accept chain=forward connection-state=established,related,untracked
add action=accept chain=forward comment="accept DSTNATed" connection-nat-state=dstnat
add action=accept chain=forward comment="skip fasttrack to permit queues" connection-state=established,related dst-address=192.168.44.100
add action=accept chain=forward comment="skip fasttrack to permit queues" connection-state=established,related dst-address=192.168.44.101
add action=accept chain=forward comment="skip fasttrack to permit emule p2p" dst-port=10300-10308 protocol=tcp
add action=accept chain=forward dst-port=10300-10308 protocol=udp
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related
add action=accept chain=forward connection-state=established,related,untracked
add action=drop chain=forward connection-state=invalid
So basically you switched off fast track (hence the associated counters staying at zero). Why? Rules are evaluated top-to-bottom: the first matching rule gets executed and the rest of the rules are skipped.
As to statistics: as the first rule matches the vast majority of packets, only a few will hit the rest of the rules. Essentially only packets which initiate new connections.
OK, yes, indeed I was studying my rules and in fact I had guessed your description.
So… how would you sort my rules?
Is my solution not good?
Question: wanting to make FastTrack work, as it is built, what kind of connections will it skip?
Is it necessary?
Would it be faster than the first rule?
Must I keep the first rule, or would it be better to use fasttrack and try to reorder my rules?
Thanks!!
When I think of ordering the filter rules, I stick to two basic rules (in addition to the fact that rules are matched from top to bottom):
- more specific rules must be higher than the more general rules which might enforce different action
- rules getting most hits should be placed higher
That being written: I’d put top-most rules accepting connections which should not be fast-tracked (because they should be either mangled or subject to queues/QoS or involve IPsec). After that comes the (quite general) fasttrack rule immediately followed by matching accept established,related. After that come accepts for specifically allowed connections and at the end a general drop.
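The two points made in this thread (rules are walked top to bottom inside the packet’s own chain and the first terminating match wins; the fasttrack rule is paired with an accept because fasttrack-connection itself lets the packet continue) are easy to check with a small simulator. The following is an added example, not code from the thread or from MikroTik: it parses `/ip firewall filter` export lines such as the ones posted above and replays constructed packets through three forward-chain layouts: the posted one with the general accept on top (which shadows the fasttrack rule), the one with only the “skip fasttrack to permit queues” rule on top (which catches every LAN-to-LAN packet towards 192.168.44.100), and a hypothetical narrowed version that adds `in-interface-list=WAN` to that rule. The modelling of fasttrack-connection as non-terminating follows the wiki note quoted above; the one-interface-list-per-direction packet model and the rule that an unknown matcher never matches are simplifications of this example, not RouterOS behaviour.

```python
"""First-match simulator for a RouterOS /ip firewall filter export (added example).

Model: rules are walked top to bottom within the packet's own chain; accept/drop
end processing; fasttrack-connection is modelled as non-terminating (the packet
continues to the next rule), which is why defconf pairs it with an accept.
Assumptions of this toy model, not RouterOS behaviour: a packet carries one
interface-list name per direction, and an unknown matcher makes a rule never match.
"""
import shlex

IGNORED_KEYS = {"action", "chain", "comment", "log", "log-prefix"}
TERMINATING = {"accept", "drop", "reject", "tarpit"}

def parse_rules(export_text):
    """Turn `add key=value ...` lines into dicts; shlex handles quoted comments."""
    return [dict(tok.partition("=")[::2] for tok in shlex.split(line.strip()[4:]))
            for line in export_text.splitlines() if line.strip().startswith("add ")]

def _in_list(rule_val, pkt_val):
    """'a,b' matches if pkt_val is one of them; '!X' matches if pkt_val is not X."""
    if rule_val.startswith("!"):
        return pkt_val != rule_val[1:]
    return pkt_val in rule_val.split(",")

def _port(rule_val, pkt_val):
    """Port lists and ranges such as '443' or '10300-10308'."""
    for part in rule_val.split(","):
        lo, _, hi = part.partition("-")
        if int(lo) <= int(pkt_val) <= int(hi or lo):
            return True
    return False

MATCHERS = {
    "connection-state": _in_list, "connection-nat-state": _in_list,
    "in-interface-list": _in_list, "out-interface-list": _in_list,
    "protocol": lambda r, p: r == p, "dst-address": lambda r, p: r == p,
    "dst-port": _port,
}

def rule_matches(rule, packet):
    """Every matcher on the rule must hold; a packet only sees its own chain."""
    if rule["chain"] != packet["chain"]:
        return False
    for key, val in rule.items():
        if key in IGNORED_KEYS:
            continue
        if key not in MATCHERS or key not in packet:
            return False
        if not MATCHERS[key](val, str(packet[key])):
            return False
    return True

def evaluate(rules, packet):
    """Return (final action, indices of every rule that matched).
    None as the action is the implicit accept at the end of the chain."""
    hits = []
    for i, rule in enumerate(rules):
        if rule_matches(rule, packet):
            hits.append(i)
            if rule["action"] in TERMINATING:
                return rule["action"], hits
    return None, hits

def fasttracked(rules, packet):
    """True if the packet reached a fasttrack-connection rule before being terminated."""
    return any(rules[i]["action"] == "fasttrack-connection" for i in evaluate(rules, packet)[1])

# Forward-chain layouts built from the thread's own rules (constructed, trimmed copies).
DEFCONF_TAIL = """
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related
add action=accept chain=forward comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
"""
P2P_RULE = 'add action=accept chain=forward comment="Skip FastTrack to permit LAN 44 p2p" connection-state=established,related,untracked dst-port=10300-10308 protocol=tcp'
QUEUE_RULE = 'add action=accept chain=forward comment="skip fasttrack to permit queues" connection-state=established,related dst-address=192.168.44.100'
SHADOWED = "add action=accept chain=forward connection-state=established,related,untracked\n" + QUEUE_RULE + DEFCONF_TAIL
TOO_BROAD = QUEUE_RULE + DEFCONF_TAIL
# Hypothetical narrowing (this example's own): only traffic arriving from WAN skips fasttrack.
NARROWED = P2P_RULE + "\n" + QUEUE_RULE + " in-interface-list=WAN" + DEFCONF_TAIL

# Constructed packets: SMB data between two LANs, a download from WAN, an invalid one, eMule.
LAN_TO_LAN = {"chain": "forward", "connection-state": "established", "protocol": "tcp",
              "dst-port": 445, "dst-address": "192.168.44.100",
              "in-interface-list": "LAN", "out-interface-list": "LAN"}
WAN_DOWNLOAD = {**LAN_TO_LAN, "in-interface-list": "WAN", "out-interface-list": "LAN"}
INVALID = {**LAN_TO_LAN, "connection-state": "invalid"}
P2P = {**WAN_DOWNLOAD, "dst-port": 10305, "dst-address": "192.168.44.50"}

if __name__ == "__main__":
    for name, text in (("shadowed", SHADOWED), ("too broad", TOO_BROAD), ("narrowed", NARROWED)):
        rules = parse_rules(text)
        print(f"{name:9s} LAN->LAN: {evaluate(rules, LAN_TO_LAN)} fasttracked={fasttracked(rules, LAN_TO_LAN)}")
```

Run it and the counters the thread argues about fall out of `evaluate`: in the shadowed layout every established packet stops at index 0 and fasttrack never fires; in the too-broad layout the queue rule does the same for anything addressed to .100; only in the narrowed layout does LAN-to-LAN traffic fall through to the fasttrack rule and its accept, while the WAN download to .100 still gets the queue-preserving accept.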
ok, clear.
thank you very much!
Meanwhile, I tried disabling the red line, the general accept that overshadows the others:
add action=accept chain=forward connection-state=established,related,untracked
and actually the other rules work fine, the rest of the LANs work fine!
Transfer rate inside the LAN OK, VPN OK, queues OK, eMule not OK! Low ID!
But for eMule I changed the 2 lines with ports and added “established, related, untracked” and now it works with a High ID!
So these 2 rules (for eMule) become:
FROM:
add action=accept chain=forward comment="skip fasttrack to permit emule p2p" dst-port=10300-10308 protocol=tcp
add action=accept chain=forward dst-port=10300-10308 protocol=udp
TO:
add action=accept chain=forward comment="skip fasttrack to permit emule p2p" dst-port=10300-10308 protocol=tcp connection-state=established,related,untracked
add action=accept chain=forward dst-port=10300-10308 protocol=udp connection-state=established,related,untracked
Only 1 problem remains, the transfer rate is a bit low between LANs.
Now it’s about 150/200 Mbit/s instead of about 600/800 Mbit/s with an old rule configuration (that I don’t remember).
It was my first time using MikroTik and I didn’t make any backup.
But this is not a major problem, I’ll solve it…
So finally, I think my rules are right, more or less I think they respect the sense of what you wrote… right?
First I put accept input… then drop input… (input for the router first… right?)
Then accept specific forwards, fasttrack, drop.
Am I right!
…?
I think so… no?
If I want to try to solve the “problem” of the low transfer rate between LANs, what rule can I try to add?
A specific fasttrack for the LANs?
A specific accept forward between LANs?
What would you do?
Thank you!!!
[EDIT, update…]
I tried adding this rule between the “input section” and the “forward section”, so I put it as the first rule of the forward section:
add action=fasttrack-connection chain=forward in-interface-list=LAN out-interface-list=LAN
and the transfer rate between LANs is solved! Gigabit transfer!
But eMule now has a low ID… I’m working on it… I’ll update you…
thanks!!
First I put accept input… then drop input… (input for the router first… right?)
Then accept specific forwards, fasttrack, drop.
Am I right!…?
The order of rules for different chains doesn’t matter… a packet will only pass through the rules for the appropriate chain. It does make the setup more readable if filter rules are grouped according to chains, though.
Re slow LAN to LAN transfers: any of the rules above the fasttrack rule could cause a slowdown. It would be important to know details about the connections to find the exact rule doing it. Is the LAN “server” used for tests one of 192.168.44.100 or .101? Does the test incidentally use ports in the range 10300-10308?
Yes, thank you, in fact I tried to observe my rules working and it seems that the rules that matched almost everything during the file transfer were the rules to skip fasttrack to permit queues.
These:
add action=accept chain=forward comment="skip fasttrack to permit queues" connection-state=established,related dst-address=192.168.44.100
add action=accept chain=forward comment="skip fasttrack to permit queues" connection-state=established,related dst-address=192.168.44.101
so I changed these rules, adding the WAN option in in/out-interface-list to make them more precise, and the result is:
add action=accept chain=forward connection-state=established,related dst-address=192.168.44.100 in-interface-list=WAN out-interface-list=WAN
add action=accept chain=forward connection-state=established,related dst-address=192.168.44.101 in-interface-list=WAN out-interface-list=WAN
Then, unfortunately, eMule immediately gave me a Low ID!
So I moved the rules for eMule to the “top” of the “accept forward” category.
I also erased another line… (I don’t remember which)
Finally, my firewall is:
/ip firewall filter
add action=accept chain=input comment="defconf: accept established, related, untracked" connection-state=established,related,untracked
add action=accept chain=input comment="Router access" src-address-list=Router-Access
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment="Permit L2TP 1701 - IPSec 4500 - IKE 500" dst-port=1701,500,4500 protocol=udp
add action=accept chain=input comment="Permit sstp" dst-port=443 protocol=tcp
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=forward comment="Skip FastTrack to permit LAN 44 p2p" connection-state=established,related,untracked dst-port=10300-10308 protocol=tcp
add action=accept chain=forward connection-state=established,related,untracked dst-port=10300-10308 protocol=udp
add action=accept chain=forward comment="accept DSTNATed" connection-nat-state=dstnat
add action=accept chain=forward comment="Skip fasttrack to permit queues" connection-state=established,related dst-address=192.168.44.100 in-interface-list=WAN out-interface-list=WAN
add action=accept chain=forward comment="Skip fasttrack to permit queues" connection-state=established,related dst-address=192.168.44.101 in-interface-list=WAN out-interface-list=WAN
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related
add action=accept chain=forward connection-state=established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
add action=drop chain=forward comment="Drop Fake-IP_Bogons" dst-address-list=Fake-IP_Bogons log-prefix=List-Fake-IP-Bogons out-interface-list=!LAN
add action=drop chain=input comment="defconf: drop all not coming from LAN" in-interface-list=!LAN
add action=drop chain=forward comment="defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat connection-state="" in-interface-list=WAN
add action=drop chain=input comment="FTP BruteForce - DROP" dst-port=21 protocol=tcp src-address-list=FTP_BlackList
add action=accept chain=output content="530 Login incorrect" dst-limit=1/1m,4,dst-address/1m protocol=tcp
add action=add-dst-to-address-list address-list=FTP_BlackList address-list-timeout=3h chain=output content="530 Login incorrect" protocol=tcp
add action=drop chain=input comment="SSH BruteForce - DROP" dst-port=22 log=yes log-prefix=SSHBruteForceAttack_ protocol=tcp src-address-list=SSH_BlackList
add action=add-src-to-address-list address-list=SSH_BlackList address-list-timeout=4w2d chain=input connection-state=new dst-port=22 protocol=tcp src-address-list=SSH_Stage3
add action=add-src-to-address-list address-list=SSH_Stage3 address-list-timeout=1m chain=input connection-state=new dst-port=22 protocol=tcp src-address-list=SSH_Stage2
add action=add-src-to-address-list address-list=SSH_Stage2 address-list-timeout=1m chain=input connection-state=new dst-port=22 protocol=tcp src-address-list=SSH_Stage1
add action=add-src-to-address-list address-list=SSH_Stage1 address-list-timeout=1m chain=input connection-state=new dst-port=22 protocol=tcp
add action=drop chain=forward comment="SSH BruteForce - DROP Downstream" dst-port=22 protocol=tcp src-address-list=SSH_BlackList
add action=drop chain=forward in-interface=ether1_WAN log=yes log-prefix=!public src-address-list=Fake-IP_Bogons
And now, everything works fine!
VPN access, eMule High ID, file transfer inside the LAN and between LANs (all at “gigabit” transfer rate), WebDAV and other external access, fasttrack works fine…
Thank you very very much!!!