How to block IP list with dual wan?

Hi Mikrotik Masters!
I would like to ask for help with blocking by IP list on dual WAN.
I have an IP list. It is free to access the IP addresses in this list, and costly to access addresses outside the list. So I need to block access to IPs not in this list.
Before I set up an additional WAN, everything was OK. The IP block script is

/ ip firewall filter
chain=forward action=drop dst-address-list=!Freeip

And it was perfect to fulfill my requirement.
BUT, after the second WAN was added, this script cannot block all access to costly IPs. The amount of package flow is 1-2M/day, which can be seen on the web monitor at our college.

My dual WAN script is as follows:

# ROS script of load balancing multiple same subnet links from
# wiki.mikrotik.com/wiki

/ip address
add address=219.217.237.39/25 interface=Public
add address=219.217.237.40/25 interface=Public_2nd
add address=88.168.16.1/24 interface=Local

/ip route
add gateway=219.217.237.126
add gateway=219.217.237.126%Public routing-mark=first
add gateway=219.217.237.126%Public_2nd routing-mark=second

/ip firewall nat
add action=masquerade chain=srcnat out-interface=Public
add action=masquerade chain=srcnat out-interface=Public_2nd

/ip firewall mangle
add action=mark-routing chain=prerouting src-address=88.168.16.101-88.168.16.166 new-routing-mark=first
add action=mark-routing chain=prerouting src-address=88.168.16.167-88.168.16.254 new-routing-mark=second

In order to find out why this happened, I tried three methods.

The first was to add extra policies in ip firewall filter. I added the following script.

/ ip firewall filter
chain=forward action=drop src-address-list=!FreeIP 
chain=forward action=drop src-address-list=!FreeIP in-interface=Public 
chain=forward action=drop src-address-list=!FreeIP in-interface=Public_2nd 
chain=forward action=drop dst-address-list=!FreeIP out-interface=Public 
chain=forward action=drop dst-address-list=!FreeIP out-interface=Public_2nd 
chain=forward action=drop dst-address-list=!FreeIP in-interface=Local 
chain=forward action=drop dst-address-list=!FreeIP in-interface=Public 
chain=forward action=drop dst-address-list=!FreeIP in-interface=Public_2nd 
chain=forward action=drop dst-address-list=!FreeIP in-interface=Local out-interface=Public 
chain=forward action=drop dst-address-list=!FreeIP in-interface=Local out-interface=Public_2nd 
chain=forward action=reject reject-with=icmp-network-unreachable src-address-list=!FreeIP in-interface=Public out-interface=Local 
chain=forward action=reject reject-with=icmp-network-unreachable src-address-list=!FreeIP in-interface=Public_2nd out-interface=Local 
chain=forward action=reject reject-with=icmp-network-unreachable src-address-list=!FreeIP dst-address-list=!FreeIP in-interface=Public_2nd out-interface=Public 
chain=forward action=reject reject-with=icmp-network-unreachable src-address-list=!FreeIP dst-address-list=!FreeIP in-interface=Public out-interface=Public_2nd 
chain=forward action=drop src-address=88.168.16.0/24 dst-address-list=!FreeIP 
chain=input action=drop src-address=88.168.16.0/24 dst-address-list=!FreeIP in-interface=Local 
chain=input action=drop dst-address-list=!FreeIP in-interface=Local 
chain=input action=drop dst-address-list=!FreeIP 
chain=output action=drop dst-address-list=!FreeIP out-interface=Public_2nd 
chain=output action=drop dst-address-list=!FreeIP out-interface=Public

88.168.16.1 is the gateway of the LAN and 88.168.16.0/24 is the IP range of the LAN. My ROS version is 5.24.
Unfortunately, it doesn't work.

The second method I tried was to add a policy to send forward connections back to the original WAN:

/ip firewall mangle
chain=input action=mark-connection new-connection-mark=Public_conn passthrough=yes in-interface=Public 
chain=output action=mark-routing new-routing-mark=Public_rout passthrough=yes connection-mark=Public_conn 
chain=input action=mark-connection new-connection-mark=Public_2nd_conn passthrough=yes in-interface=Public_2nd 
chain=output action=mark-routing new-routing-mark=Public_2nd_rout passthrough=yes connection-mark=Public_2nd_conn 
chain=prerouting action=mark-connection new-connection-mark=Public_conn passthrough=yes src-address=88.168.16.0/24 dst-address-type=!local per-connection-classifier=both-addresses:2/0
chain=prerouting action=mark-routing new-routing-mark=Public_rout passthrough=yes src-address=88.168.16.0/24 connection-mark=Public_conn
chain=prerouting action=mark-routing new-routing-mark=Public_2nd_rout passthrough=yes src-address=88.168.16.0/24 connection-mark=Public_2nd_conn
chain=prerouting action=mark-connection new-connection-mark=Public_conn passthrough=yes src-address=88.168.16.0/24 dst-address-type=!local per-connection-classifier=both-addresses:2/1

This is also useless.

Third, I wanted to set up a bridge firewall to segregate interfaces Public and Public_2nd using the following script.

/interface bridge
add name="bridge1" protocol-mode=stp
/interface bridge port
add bridge=bridge1 interface=Public
add bridge=bridge1 interface=Public_2nd
/interface bridge filter
add chain=forward out-interface=Public_2nd action=drop in-interface=Public 
add chain=forward out-interface=Public action=drop in-interface=Public_2nd

But when I added this, the internet could not be accessed at all.

All my attempts have failed. As a ROS newbie, I know I must have made a stupid mistake, but I don't know where and why. So I came here for help.
My questions are:

  1. Is there something I did wrong?
  2. What is the reason for this phenomenon?

I am no expert on this, but I have a triple WAN setup and I had to put a mangle rule in to send blocked packets to one WAN. Your rule has to be in front of all the load balancing rules.
Below is my rule. You should be able to translate it to your needs.

add action=mark-routing chain=prerouting comment="blocked redirect to WAN3  needed to send port 80,443 out the same WAN" dst-port=443,80 new-routing-mark=to_WAN3 passthrough=no protocol=tcp \
    src-address-list="Block access"
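
An added example, not code from either poster: a small Python lint for an exported rule set that checks the ordering requirement stated in the reply (the pinning rule must be the first prerouting mark-routing rule), reports address-list names that differ only by case (the thread writes the list as both Freeip and FreeIP), and flags tokens with no `=`. The function names and the sample rules are constructed for illustration, and the pinning rule is assumed to be the mark-routing rule that matches the named list with passthrough=no, as the reply's rule does.

```python
import shlex

# Constructed sample: names come from the thread, rule order is deliberately wrong.
SAMPLE = r'''
/ip firewall filter
add chain=forward action=drop dst-address-list=!Freeip
add chain=forward action=drop dst-address-list=!FreeIP out-interface=Public
/ip firewall mangle
add action=mark-routing chain-prerouting src-address=88.168.16.101-88.168.16.166 new-routing-mark=first
add action=mark-routing chain=prerouting src-address=88.168.16.167-88.168.16.254 new-routing-mark=second
add action=mark-routing chain=prerouting dst-address-list=!FreeIP \
    new-routing-mark=first passthrough=no comment="pin non-free traffic"
'''

def parse_rules(text):
    """Return rules in file order as dicts; '_menu' is the /menu they belong to."""
    rules, menu = [], None
    for line in text.replace("\\\n", " ").splitlines():  # join continuation lines
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("/"):
            menu = " ".join(line.lstrip("/").split())
            continue
        tokens = [t for t in shlex.split(line) if t != "add"]
        rule = {"_menu": menu, "_bad": [t for t in tokens if "=" not in t]}
        rule.update(t.split("=", 1) for t in tokens if "=" in t)
        rules.append(rule)
    return rules

def list_name_variants(rules):
    """Groups of address-list names that differ only by letter case."""
    seen = {}
    for r in rules:
        for key in ("src-address-list", "dst-address-list"):
            if key in r:
                seen.setdefault(r[key].lstrip("!").lower(), set()).add(r[key].lstrip("!"))
    return sorted(sorted(v) for v in seen.values() if len(v) > 1)

def malformed_tokens(rules):
    return [t for r in rules for t in r["_bad"]]  # tokens that are not key=value

def pin_rule_is_first(rules, list_name):
    """True if the first prerouting mark-routing rule matches list_name with passthrough=no."""
    marks = [r for r in rules if r["_menu"] == "ip firewall mangle"
             and r.get("chain") == "prerouting" and r.get("action") == "mark-routing"]
    first = marks[0] if marks else {}
    named = {first.get(k, "").lstrip("!") for k in ("src-address-list", "dst-address-list")}
    return list_name in named and first.get("passthrough") == "no"
```

Whether the router treats the two spellings as the same list should be confirmed against the list actually defined under the address-list menu.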