ip firewall confusion

add action=accept chain=input comment="vista login for winbox" disabled=no \
    dst-address=101.0.1.1 dst-port=8291,80 protocol=tcp src-address=!101.0.1.0/24

why am i able to login with winbox with an ip of 101.0.1.254 with the above firewall rule? pulling my hair out

Three wild guesses:

a) you’re connecting via the MAC address, which the IP firewall can’t control
b) you’re not connecting to 101.0.1.1 but another IP address on a router interface, which that rule doesn’t prevent
c) there’s NAT in the way changing the source address of the client

Two more side notes: 101.0.1.0/24 is a public IP address and not something you should use unless you’ve been assigned that public IP subnet by China Telecom, and that rule probably doesn’t do what you think it does.

What exactly are you trying to achieve? Don’t bother with the firewall rule implementation for now: can you describe in English what you want to protect the router from?

add action=drop chain=input comment="vista login for winbox" disabled=no dst-address=101.0.1.1 dst-port=8291,80 protocol=tcp src-address=\
    101.0.1.0/24

then why does this rule work?

i have a transparent proxy running

internet is 174.etc. main router is 10.0.1.1, mikrotik is static client at 10.0.1.70. mikrotik serves dhcp(server ip is 101.0.1.1) transparent proxy at 101.0.1.0/24

i want to block access to gui interface at 10.0.1.1 10.0.1.70 and 101.0.1.1 to all addresses in the 101.0.1.0 range

You keep mentioning both 101.0.1.0/24 and 10.1.0.1/24.

Can you post the output of “/interface print detail”, “/ip address print detail”, “/ip route print detail”, and “/ip firewall export”?

If you simply want to drop administrative traffic from 101.0.1.0/24 use this:

/ip firewall filter
add chain=input src-address=101.0.1.0/24 action=drop

That’s it.

But again, you shouldn’t be using 101.0.1.0/24 at all.

this filter blocks all traffic, this ip range still needs internet

i will change the range, this is all in a test environment

It only blocks administrative access to the router. DHCP will work fine, and packets can go THROUGH the router fine. They just can’t get TO the router.

http://wiki.mikrotik.com/wiki/Manual:IP/Firewall/Filter#Chains

input - used to process packets entering the router through one of the interfaces with the destination IP address which is one of the router’s addresses. Packets passing through the router are not processed against the rules of the input chain
forward - used to process packets passing through the router
output - used to process packets originated from the router and leaving it through one of the interfaces. Packets passing through the router are not processed against the rules of the output chain

If you want to add stuff like “protocol=tcp dst-port=21,22,23,80,443,8291,8878” to block only FTP, SSH, telnet, HTTP, HTTPS, Winbox, and the API.

I’m not trying to fight you, but adding the rule you gave me stopped ALL http traffic in the proxy dhcp pool. Not a single website opened. I don’t understand how it could; you pretty much blocked all ports, did you not?

I forgot about the transparent proxy. That counts as input. So use this instead:

/ip firewall filter
add chain=input src-address=101.0.1.0/24 action=drop protocol=tcp dst-port=21,22,23,80,443,8291,8878

That blocks all traffic to those ports on that router only, from 101.0.1.0/24. That shouldn’t include the proxy port, which is likely 8080.

The reason your original rule didn’t work is that there’s an implicit permit: if no rule matches the packet then the packet is accepted.

/ip firewall filter add action=accept chain=input comment="vista login for winbox" disabled=no \
    dst-address=101.0.1.1 dst-port=8291,80 protocol=tcp src-address=!101.0.1.0/24

Means “allow all packets to 101.0.1.1 that don’t come from 101.0.1.0/24”. Packets from 101.0.1.0/24 don’t match that. Then the implicit permit allows them.

You either have to run the rule I just put (with the ports specified), or add a default drop rule at the bottom.

if the packets don’t match that then why does this rule work

add action=drop chain=input comment="vista login for winbox" disabled=no dst-address=101.0.1.1 dst-port=8291,80 protocol=tcp src-address=101.0.1.0/24

ok your new rule works and i understand it, so how do i block access to gui’s on 10.1.70(wan connection for mikrotik) and the 10.0.1.1 gui on the main router?

Because it doesn’t negate.

If all you have is this:

/ip firewall filter add action=accept chain=input comment="vista login for winbox" disabled=no \
    dst-address=101.0.1.1 dst-port=8291,80 protocol=tcp src-address=!101.0.1.0/24

then because there is an implicit permit at the end it’s functionally equivalent to this:

/ip firewall filter 
add action=accept chain=input comment="vista login for winbox" disabled=no \
    dst-address=101.0.1.1 dst-port=8291,80 protocol=tcp src-address=!101.0.1.0/24
add action=accept chain=input

That second line is there, but you can’t see it.
When 101.1.0.1/24 sends a packet to 101.0.1.1 it doesn’t match the first rule, then matches the second rule, and gets accepted.

If all you have is this:

/ip firewall filter
add action=drop chain=input comment="vista login for winbox" disabled=no dst-address=101.0.1.1 dst-port=8291,80 protocol=tcp src-address=101.0.1.0/24

then because there is an implicit permit at the end it’s functionally equivalent to this:

/ip firewall filter 
add action=drop chain=input comment="vista login for winbox" disabled=no dst-address=101.0.1.1 dst-port=8291,80 protocol=tcp src-address=101.0.1.0/24
add action=accept chain=input

When 101.1.0.1/24 sends a packet to 101.0.1.1 it matches the first rule, and gets dropped.

That make sense now?

ok your new rule works and i understand it, so how do i block access to gui’s on 10.1.70(wan connection for mikrotik) and the 10.0.1.1 gui on the main router?

If you’re still trying to block traffic from 101.0.1.0/24 you don’t have to block anything towards 10.0.1.70 because that’s also in the ‘input’ chain, because it’s a router IP. So the rule I wrote out already blocks that.
To block 101.0.1.0/24 from accessing 10.0.1.1 you need to add a filter in the ‘forward’ chain:

/ip firewall filter
add chain=forward src-address=101.0.1.0/24 dst-address=10.0.1.1 action=drop

[root@MikroTik] /ip firewall filter> print
Flags: X - disabled, I - invalid, D - dynamic 
 0   ;;; default configuration
     chain=input action=accept protocol=icmp 

 1   ;;; default configuration
     chain=input action=accept connection-state=established in-interface=ether1-gateway 

 2   ;;; default configuration
     chain=input action=accept connection-state=related in-interface=ether1-gateway 

 3   ;;; vista login for winbox
     chain=input action=accept protocol=tcp src-address=!101.0.1.0/24 dst-address=10.0.1.70 dst-port=8291,80 

 4   chain=input action=drop protocol=tcp src-address=101.0.1.0/24 dst-port=21,22,23,80,443,8291,8878 

 5   chain=forward action=drop src-address=101.0.1.0/24 dst-address=10.0.1.1 

 6   ;;; default configuration
     chain=input action=drop in-interface=ether1-gateway

from 101.0.1.254 i can’t access 101.0.1.1(perfect) i can still get to the gui at 10.0.1.70(mikrotik wan)and 10.0.1.1(main router)

If all you have is this:

/ip firewall filter add action=accept chain=input comment="vista login for winbox" disabled=no \
    dst-address=101.0.1.1 dst-port=8291,80 protocol=tcp src-address=!101.0.1.0/24

then because there is an implicit permit at the end it’s functionally equivalent to this:

/ip firewall filter
add action=accept chain=input comment="vista login for winbox" disabled=no \
    dst-address=101.0.1.1 dst-port=8291,80 protocol=tcp src-address=!101.0.1.0/24
add action=accept chain=input

That second line is there, but you can’t see it.
When 101.1.0.1/24 sends a packet to 101.0.1.1 it doesn’t match the first rule, then matches the second rule, and gets accepted.

If all you have is this:

/ip firewall filter
add action=drop chain=input comment="vista login for winbox" disabled=no dst-address=101.0.1.1 dst-port=8291,80 protocol=tcp src-address=101.0.1.0/24

then because there is an implicit permit at the end it’s functionally equivalent to this:

/ip firewall filter
add action=drop chain=input comment="vista login for winbox" disabled=no dst-address=101.0.1.1 dst-port=8291,80 protocol=tcp src-address=101.0.1.0/24
add action=accept chain=input

When 101.1.0.1/24 sends a packet to 101.0.1.1 it matches the first rule, and gets dropped.

That make sense now?

Honestly it doesn’t, we’re probably close though

where are you getting 101.1.0.1 from? and can you explain what is the first rule and what is the second rule?

Anything which is not forbidden is allowed.

Ask yourself, what happens if you have no filter rules? If you said “everything is accepted” you get a gold star.

Now filter rules 101: Packets are compared against each rule in the relevant chain until one of the following occurs;

  1. They match and are explicitly accepted.
  2. They match and are explicitly dropped.
  3. They reach the end of the chain and are IMPLICITLY accepted.

Rules only fire when they match. Your original rule didn’t work because it did not match the source address.
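To make the first-match-then-implicit-accept logic from this post (and the “second line you can’t see” explanation earlier in the thread) concrete, here is a small added simulator; it is not RouterOS code and not part of any post, just a model of the matchers used in this thread (src-address with `!` negation, dst-address, protocol, dst-port list) with the packets constructed from the addresses discussed.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional, Tuple


@dataclass
class Rule:
    """One /ip firewall filter rule, limited to the matchers used in this thread."""
    chain: str
    action: str                          # "accept" or "drop"
    src: Optional[str] = None            # "101.0.1.0/24" or negated "!101.0.1.0/24"
    dst: Optional[str] = None
    protocol: Optional[str] = None
    dst_ports: Tuple[int, ...] = ()      # empty tuple means "any port"


def _addr_match(spec: Optional[str], addr: str) -> bool:
    """Unset matcher matches anything; a leading '!' inverts the subnet test."""
    if spec is None:
        return True
    negate = spec.startswith("!")
    net = ipaddress.ip_network(spec.lstrip("!"), strict=False)
    hit = ipaddress.ip_address(addr) in net
    return not hit if negate else hit


def rule_matches(rule: Rule, pkt: dict) -> bool:
    return (_addr_match(rule.src, pkt["src"])
            and _addr_match(rule.dst, pkt["dst"])
            and (rule.protocol is None or rule.protocol == pkt["protocol"])
            and (not rule.dst_ports or pkt["dst_port"] in rule.dst_ports))


def evaluate(chain: str, rules: list, pkt: dict) -> str:
    """First matching rule in the chain decides; falling off the end is the implicit accept."""
    for rule in rules:
        if rule.chain == chain and rule_matches(rule, pkt):
            return rule.action
    return "accept"   # the invisible "add action=accept chain=input" at the bottom


# Constructed packets: Winbox from 101.0.1.254 to the router, and the same client hitting the proxy port.
WINBOX = {"src": "101.0.1.254", "dst": "101.0.1.1", "protocol": "tcp", "dst_port": 8291}
PROXY = {"src": "101.0.1.254", "dst": "101.0.1.1", "protocol": "tcp", "dst_port": 8080}

# Original rule: accept only when src is NOT 101.0.1.0/24, so 101.0.1.254 never matches it.
ORIGINAL = [Rule("input", "accept", src="!101.0.1.0/24", dst="101.0.1.1",
                 protocol="tcp", dst_ports=(8291, 80))]
# Drop rule from the reply: admin ports only, so proxy traffic on 8080 is untouched.
ADMIN_DROP = [Rule("input", "drop", src="101.0.1.0/24", protocol="tcp",
                   dst_ports=(21, 22, 23, 80, 443, 8291, 8878))]
```

Running `evaluate("input", ORIGINAL, WINBOX)` returns "accept" via the implicit permit, while `ADMIN_DROP` returns "drop" for Winbox and "accept" for the proxy port.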

so what is my source address? no one has answered that. since not adding a ! makes the rule work. I’m still quite confused, and the few rules I posted above don’t work for me

Every packet, among other things, has a source address and port and a destination address and port.

The source address is the address from which a packet comes from, so that the destination knows where to reply back to.
The destination address is used by routers to forward the packet to the correct destination.

Your initial rule used this src-address=!101.0.1.0/24, this means source address that is NOT 101.0.1.0/24. I’m assuming you were connecting on the LAN of the router, that means your source address would have been a private IP, not one of your WAN IPs, so it would match that rule and not be processed any further by the firewall.

You haven’t supplied enough information about your setup for people to be very helpful.
/ip firewall export
/ip address print detail
/ip route print detail
Supply that information if you need specific help. Also providing a network diagram and what your goals are so people can give specific advice to your goals and setup.

In the example you gave? 101.0.1.254

The rule you gave explicitly doesn’t match anything in that address range, so it’s ignored (remember the rule only fires if it matches and you told it not to match). Then it goes on to the next rule and doesn’t match and so on until it hits the end of the chain and is implicitly accepted.

Now if you’re asking what addresses the router is seeing, you can always just connect from that machine and go look at http://10.0.1.1/webfig/#IP:Firewall.Connections which will show you the src and dst addresses with ports.