I think I didn’t understand the flow across the chains. The manual has a good scheme (packet flow), but it is not easy for beginners.
Here are my rules:
1 ;;; Accept all establish related connection
chain=input action=accept connection-state=established,related log=no log-prefix=""
2 X ;;; Drop port scanner IP list
chain=input action=drop src-address-list=Port_scanners_IP_list log=no log-prefix=""
3 ;;; Drop all invalid connection
chain=input action=drop connection-state=invalid log=no log-prefix=""
4 ;;; Accept all establish connection to forward
chain=forward action=accept connection-state=established connection-type="" log=yes log-prefix=""
5 ;;; Accept all related connection to forward
chain=forward action=accept connection-state=related connection-type="" log=yes log-prefix=""
6 ;;; Drop all invalid connection to forward
chain=forward action=drop connection-state=invalid connection-type="" log=no log-prefix=""
and the routing:
/ip route print
Flags: X - disabled, A - active, D - dynamic, C - connect, S - static, r - rip, b - bgp, o - ospf, m - mme, B - blackhole, U - unreachable, P - prohibit
# DST-ADDRESS PREF-SRC GATEWAY DISTANCE
0 ADS 0.0.0.0/0 85.xxx.xxx.1 1
1 ADC 85.xxx.xxx.0/24 85.xxx.xxx.xxx combo1 0
2 ADC 192.168.1.0/24 192.168.1.1 bridge1 0
Yes, this is the question: why?
I should answer myself, but …
I think my CCR is not correctly configured, and this explains it.
May I submit what I want to connect to my CCR, and could you help me configure the base?
Please post your requirements and current configuration (type /export in the command line).
Also mention what device you have and describe your performance expectations.
I have one CCR1009-7G-1C-PC connected to the internet through combo1 (SFP).
On ether4 I connect a Cisco phone (SPA301). The SIP provider has 8 servers.
On ether3 I connect an access point (tablet, notebook, …).
On ether1, a physical machine with virtual machines.
All these things are in the same LAN: 192.168.1.0
No switches in my LAN, behind the router.
You have my address list, my route, my firewall rules.
Bridge?
First I would like to have basic protection, then to configure SIP traffic.
Okay, so this means you’re using a bridge for the LAN interfaces?
If so, then that’s the reason you’re not seeing traffic in the forward chain, because the IP firewall only receives packets that flow through IP interfaces.
If you’re trying to filter traffic between bridged interfaces, then you need to use the bridge filter or else enable “Use IP Firewall” on your bridge.
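As an added example (not the poster's export and not MikroTik's default configuration), here is a minimal base for the setup described in the thread: combo1 as WAN, bridge1 carrying ether1, ether3 and ether4, LAN 192.168.1.0/24. The interface names and LAN prefix come from the thread; the masquerade rule, the input/forward rule set and the SIP helper setting are assumptions about what a "basic protection" should contain. The point it shows: frames switched between two ports of the same bridge stay inside the bridge and are only pushed through /ip firewall filter when use-ip-firewall=yes is set (or when /interface bridge filter is used), while traffic routed between bridge1 and combo1 always passes chain=forward, with bridge1 as the LAN-side interface and combo1 as the WAN-side one.

```routeros
# Added example, not the poster's configuration. Assumed: combo1 = WAN,
# bridge1 = LAN (ether1, ether3, ether4), LAN 192.168.1.0/24, router 192.168.1.1.

# 1. One bridge for the LAN ports so they see each other and share one IP subnet.
/interface bridge
add name=bridge1
/interface bridge port
add bridge=bridge1 interface=ether1
add bridge=bridge1 interface=ether3
add bridge=bridge1 interface=ether4
/ip address
add address=192.168.1.1/24 interface=bridge1

# 2. Weak (default) setting: frames switched between ether1/ether3/ether4 never
#    reach /ip firewall filter chain=forward; only routed bridge1<->combo1
#    traffic does. Keep this if LAN-to-LAN traffic need not be filtered.
/interface bridge settings
set use-ip-firewall=no

# 2b. Corrected setting when bridged LAN-to-LAN traffic must be filtered by the
#     IP firewall as well (the alternative is /interface bridge filter).
/interface bridge settings
set use-ip-firewall=yes

# 3. Source NAT so LAN hosts (including the phone) can reach the internet.
/ip firewall nat
add chain=srcnat out-interface=combo1 action=masquerade

# 4. Input chain: protect the router itself.
/ip firewall filter
add chain=input connection-state=established,related action=accept
add chain=input connection-state=invalid action=drop
add chain=input in-interface=bridge1 action=accept comment="LAN may reach the router"
add chain=input action=drop comment="everything else, including all new traffic from combo1"

# 5. Forward chain. For routed traffic the LAN side appears as in-interface=bridge1,
#    not as ether4; combo1 is the WAN side.
add chain=forward connection-state=established,related action=accept
add chain=forward connection-state=invalid action=drop
add chain=forward in-interface=bridge1 out-interface=combo1 action=accept comment="LAN to internet"
add chain=forward in-interface=bridge1 out-interface=bridge1 action=accept comment="LAN to LAN, only seen with use-ip-firewall=yes"
add chain=forward in-interface=combo1 connection-state=new connection-nat-state=!dstnat action=drop comment="no unsolicited inbound from WAN"
add chain=forward action=drop comment="default deny"

# 6. SIP (assumption): the connection-tracking SIP helper rewrites SDP and is a
#    common cause of phones behind NAT failing to register; disabling it is the
#    usual first step. Verify against the provider's own recommendations.
/ip firewall service-port
set sip disabled=yes
```

With use-ip-firewall=no the counters on the "LAN to LAN" rule stay at zero and only the "LAN to internet" rule and the established/related rule should count; flipping the setting to yes makes the LAN-to-LAN rule count as well, which is the quickest way to confirm which path a given frame is taking. The phone's registration traffic is outbound (ether4 to bridge1 to combo1), so it needs the masquerade rule and the "LAN to internet" accept; it does not need any inbound new-connection rule on combo1.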
Yes. I think I am obliged to use a bridge (correct me if I am wrong);
if not, ether3 and ether4 don’t communicate with the internet, and ether1 doesn’t “see” these ports (ping fails).
I created the bridge in the “interface list” window: correct?
The bridge button displays the created bridge.
I do: bridge tab > settings > use IP firewall > apply > OK
The forward chain still has no traffic!!!
Shall I reboot? Yes: a new forward rule was created and I see traffic (but which one?)!
That means I must delete my forward rules #4 and #5.
Is my In. Interface combo1 or bridge1?
I didn’t check your first suggestion (bridge filter).
Bad news: my phone on ether4 is not registered anymore.
The traffic goes from ether4 to bridge1 and from bridge1 to combo1, but not from combo1 to the SIP server;
the traffic goes from the SIP server to combo1, but not from combo1 to bridge1, and not from bridge1 to ether4.