Hello,
and thanks for reading my thread.
I'm new to MikroTik and firewalling and trying to block most ports except HTTPS, HTTP, IPsec, DNS, mail stuff etc.
Some short description of my setup:
I have a cable router from my ISP which is connected to my MikroTik router.
The MikroTik router listens as a DHCP client on port 3 (where the LAN cable from the cable router is connected) and is NATed on that port as well. On port 2 the MikroTik provides a DHCP server (network address 192.168.133.0/24) to a 24-port switch with some clients.
Here are my firewall rules:
```
/ip firewall nat
chain=srcnat action=masquerade out-interface=ether3 log=no log-prefix=""

/ip firewall filter print
 0 D ;;; special dummy rule to show fasttrack counters
     chain=forward action=passthrough
 1   ;;; allow related and established
     chain=input action=accept connection-state=established,related log=no log-prefix=""
 2   chain=input action=accept src-address-list=allowed_to_router in-interface=bridge1 log=no log-prefix=""
 3   chain=input action=accept protocol=icmp log=no log-prefix=""
 4   ;;; Drop invalid input
     chain=input action=drop connection-state=invalid log=no log-prefix=""
 5   ;;; Drop all packets which are not destined to routes IP address
     chain=input action=drop dst-address-type=!local
 6   ;;; Drop all packets which does not have unicast source IP address
     chain=input action=drop connection-state="" src-address-type=!unicast log=no log-prefix=""
 7   ;;; Drop all packets from public internet which should not exist in public network
     chain=input action=drop src-address-list=not_in_internet in-interface=ether3 log=no log-prefix=""
 8   ;;; drop all rule
     chain=input action=drop log=no log-prefix=""
 9 X ;;; FastTrack
     chain=forward action=fasttrack-connection connection-state=established,related log=no log-prefix=""
10   ;;; Established, Related
     chain=forward action=accept connection-state=established,related log=no log-prefix=""
11   ;;; Drop incoming packets that are invalid
     chain=forward action=drop connection-state=invalid,new in-interface=ether3 log=yes log-prefix=""
12   ;;; Drop new connections from internet which are not dst-natted
     chain=forward action=drop connection-state=new connection-nat-state=!dstnat in-interface=ether3
13   ;;; Drop incoming from internet which is not public IP
     chain=forward action=drop src-address-list=not_in_internet in-interface=ether3 log=yes log-prefix="!public"
14   ;;; Drop all packets from local network to internet which should not exist in public network
     chain=forward action=drop dst-address-list=not_in_internet in-interface=bridge1 log=no log-prefix=""
15   ;;; Drop all packets not from our LAN
     chain=forward action=drop src-address-list=!allowed_to_router log=no log-prefix=""
16 X chain=forward action=accept protocol=udp dst-port=53 log=no log-prefix=""
17 X chain=forward action=accept protocol=tcp src-port="" dst-port=433,80,8080 log=no log-prefix=""
18 X chain=forward action=accept protocol=udp src-port="" dst-port=433,80 log=no log-prefix=""
19 X chain=forward action=drop protocol=udp log=no log-prefix=""
20 X ;;; drop all rule
     chain=forward action=drop log=no log-prefix=""
```
I tried to allow TCP dst. ports 80,433,8080 and UDP dst. port 53, but I still can't browse the web.
If the last (20) drop-all rule is active, I can see the counter rise when trying to get to a web address.
FastTrack has been deactivated the whole time; the last rules are deactivated because I can't surf otherwise.
Most likely it's something obvious, but I don't get it. Thanks for your help and time.
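The forward chain above is evaluated top to bottom and the first matching rule decides, so the easiest way to see why a counter rises is to walk the chain by hand for one packet. The script below is an added example, not the poster's configuration and not MikroTik code: it transcribes the posted forward rules into plain data and walks them for a few constructed packets. The address-list contents, the sample addresses (`192.168.133.10`, `104.18.0.1`, `1.1.1.1`) and the per-packet connection state are assumptions, since the post does not show them; only the matchers the posted rules actually use are modelled.

```python
"""First-match walk of the forward chain from the post above (added example;
not the poster's configuration and not MikroTik software).  Address-list
contents, sample addresses and connection state are constructed assumptions."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional, Set, Tuple

# Assumed address-list contents (the post does not show them).
ADDRESS_LISTS = {
    "not_in_internet": [ip_network(n) for n in (
        "0.0.0.0/8", "10.0.0.0/8", "100.64.0.0/10", "127.0.0.0/8",
        "169.254.0.0/16", "172.16.0.0/12", "192.168.0.0/16", "224.0.0.0/3")],
    "allowed_to_router": [ip_network("192.168.133.0/24")],
}

def in_address_list(addr: str, spec: str) -> bool:
    """Evaluate a src/dst-address-list matcher; a leading '!' negates it."""
    negate = spec.startswith("!")
    hit = any(ip_address(addr) in n for n in ADDRESS_LISTS[spec.lstrip("!")])
    return hit != negate

@dataclass
class Packet:
    in_iface: str
    src: str
    dst: str
    proto: str                # "tcp", "udp" or "icmp"
    dst_port: int = 0
    conn_state: str = "new"   # new / established / related / invalid
    dstnat: bool = False      # connection-nat-state=dstnat

@dataclass
class Rule:
    num: int
    action: str
    disabled: bool = False
    in_iface: Optional[str] = None
    conn_state: Optional[Set[str]] = None
    proto: Optional[str] = None
    dst_ports: Optional[Set[int]] = None
    src_list: Optional[str] = None
    dst_list: Optional[str] = None
    not_dstnat: bool = False  # connection-nat-state=!dstnat

    def matches(self, p: Packet) -> bool:
        """Every matcher set on the rule must match (AND semantics)."""
        return all((
            self.in_iface is None or p.in_iface == self.in_iface,
            self.conn_state is None or p.conn_state in self.conn_state,
            self.proto is None or p.proto == self.proto,
            self.dst_ports is None or p.dst_port in self.dst_ports,
            self.src_list is None or in_address_list(p.src, self.src_list),
            self.dst_list is None or in_address_list(p.dst, self.dst_list),
            not (self.not_dstnat and p.dstnat),
        ))

# Forward chain as printed in the post (disabled FastTrack rule 9 omitted).
FORWARD = [
    Rule(10, "accept", conn_state={"established", "related"}),
    Rule(11, "drop", in_iface="ether3", conn_state={"invalid", "new"}),
    Rule(12, "drop", in_iface="ether3", conn_state={"new"}, not_dstnat=True),
    Rule(13, "drop", in_iface="ether3", src_list="not_in_internet"),
    Rule(14, "drop", in_iface="bridge1", dst_list="not_in_internet"),
    Rule(15, "drop", src_list="!allowed_to_router"),
    Rule(16, "accept", disabled=True, proto="udp", dst_ports={53}),
    Rule(17, "accept", disabled=True, proto="tcp", dst_ports={433, 80, 8080}),
    Rule(18, "accept", disabled=True, proto="udp", dst_ports={433, 80}),
    Rule(19, "drop", disabled=True, proto="udp"),
    Rule(20, "drop", disabled=True),
]

def walk(packet: Packet, enable_all: bool = False) -> Tuple[Optional[int], str]:
    """(rule number, action) of the first match; a packet that falls off the
    end is accepted (RouterOS default).  enable_all also walks rules 16-20."""
    for rule in FORWARD:
        if rule.disabled and not enable_all:
            continue
        if rule.matches(packet):
            return rule.num, rule.action
    return None, "accept"

# Constructed sample packets: LAN client behind bridge1, WAN side on ether3.
LAN, WEB, RESOLVER = "192.168.133.10", "104.18.0.1", "1.1.1.1"
SAMPLES = {
    "lan https": Packet("bridge1", LAN, WEB, "tcp", 443),
    "lan http": Packet("bridge1", LAN, WEB, "tcp", 80),
    "lan dns": Packet("bridge1", LAN, RESOLVER, "udp", 53),
    "lan to private dst": Packet("bridge1", LAN, "10.0.0.1", "tcp", 443),
    "foreign src on lan": Packet("bridge1", "172.16.0.5", WEB, "tcp", 443),
    "wan new inbound": Packet("ether3", WEB, LAN, "tcp", 443),
    "wan reply": Packet("ether3", WEB, LAN, "tcp", 443, "established"),
}

if __name__ == "__main__":
    for enable_all in (False, True):
        print("rules 16-20", "enabled:" if enable_all else "disabled:")
        for name, p in SAMPLES.items():
            num, action = walk(p, enable_all)
            print(f"  {name:20s} -> rule {num}: {action}")
```

Running it reproduces what the post describes: with rules 16-20 disabled the `lan https` packet matches nothing and is accepted at the end of the chain, and with them enabled it skips rule 17 (whose list contains 433; HTTPS uses TCP 443) and lands on the drop-all rule 20, which is the counter that rises. HTTP and DNS are accepted at rules 17 and 16, unsolicited inbound traffic on ether3 stops at rule 11 before rule 12 is ever reached, and replies pass at rule 10.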