Jump outside of firewall's raw filter

I have a raw rule to drop non-global IPs (specified via an address list) from WAN. But I need to let a regular firewall filter to work on a single non-global IP (cable modem) from WAN. One option is to modify the non-global IPs address list to exclude that single IP, but it seems cleaner to me to put a raw rule for that single IP just before the drop rule.

Yes, allowing specifics before dropping in general is the way to be done.

The issue is that my general dropping rule is RAW, but for that single IP (that is included in the range of IP addresses used by the general RAW rule) I want usual filtering with connection tracking.

Something like this:

/ip firewall raw
add action=??? chain=prerouting src-address=192.168.100.1 in-interface-list=WAN ;;; bypass the next rule and let the usual filter work on this IP
add action=drop chain=prerouting src-address=192.168.0.0/16 in-interface-list=WAN 

/ip firewall filter
add chain=forward action=accept connection-state=established,related,untracked ;;; allow 192.168.100.1 <-> WAN <-> LAN when connection is initiated from the LAN
add chain=forward action=drop src-address=192.168.100.1 in-interface-list=WAN
add chain=input action=accept connection-state=established,related,untracked ;;; allow 192.168.100.1 <-> WAN <-> Self when connection is initiated from Self
add chain=input action=drop src-address=192.168.100.1 in-interface-list=WAN

Is it possible to achieve without splitting the 192.168.0.0/16 into multiple networks just to exclude 192.168.100.1?

Sure. Rules are evaluated from top to bottom and the first matching one executes. So your first rule should have action=accept.

Accept in raw firewall does not mean that packets will skip firewall filter rules, those are still evaluated and executed.

Have a look at packet flow, after some thinking it becomes clear …

Do you mind explaining what you are trying to achieve? The rules you showed in the previous post don’t make much sense to me.
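To make the packet-flow point concrete, here is an added simulation (not from the thread or from RouterOS) of the rules above with the open action resolved to accept: raw runs before connection tracking, so a raw drop never reaches conntrack, while a raw accept only ends raw processing and the packet still walks the filter chain. The addresses, interface list name and sample flows are constructed for the example.

```python
import ipaddress

# Rule tables constructed from the thread's rules; first match wins, as on RouterOS.
RAW = [
    # the "???" action, resolved to accept as the reply suggests
    {"src": "192.168.100.1/32", "iface": "WAN", "action": "accept"},
    {"src": "192.168.0.0/16", "iface": "WAN", "action": "drop"},
]
FILTER = {
    chain: [
        {"state": {"established", "related", "untracked"}, "action": "accept"},
        {"src": "192.168.100.1/32", "iface": "WAN", "action": "drop"},
    ]
    for chain in ("forward", "input")
}

def _matches(rule, pkt):
    """A rule matches only if every matcher it carries matches the packet."""
    if "src" in rule and ipaddress.ip_address(pkt["src"]) not in ipaddress.ip_network(rule["src"]):
        return False
    if "iface" in rule and pkt["iface"] != rule["iface"]:
        return False
    if "state" in rule and pkt.get("state") not in rule["state"]:
        return False
    return True

def _first_match(rules, pkt, default="accept"):
    for rule in rules:
        if _matches(rule, pkt):
            return rule["action"]
    return default  # nothing matched: RouterOS chains accept by default

def process(pkt, known_flows):
    """Return (verdict, stage). pkt: {"src", "dst", "iface", "chain"};
    known_flows: set of (initiator, responder) pairs conntrack already knows.
    A raw drop short-circuits before conntrack; a raw accept does not skip filter."""
    if _first_match(RAW, pkt) == "drop":
        return "drop", "raw"
    pkt = dict(pkt)  # classify a copy, as conntrack would, before the filter chains
    pkt["state"] = "established" if (pkt["dst"], pkt["src"]) in known_flows else "new"
    return _first_match(FILTER[pkt["chain"]], pkt), "filter"

# Constructed sample traffic: LAN host 10.0.0.5 has already opened a flow to the modem.
FLOWS = {("10.0.0.5", "192.168.100.1")}
MODEM_REPLY = {"src": "192.168.100.1", "dst": "10.0.0.5", "iface": "WAN", "chain": "forward"}
MODEM_NEW = {"src": "192.168.100.1", "dst": "10.0.0.9", "iface": "WAN", "chain": "forward"}
OTHER_PRIVATE = {"src": "192.168.50.5", "dst": "10.0.0.5", "iface": "WAN", "chain": "forward"}
```

Only the modem's reply to a LAN-initiated flow gets through; a new connection from the modem is dropped in filter, and any other 192.168.0.0/16 source is dropped in raw without ever being tracked.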

Ah, you’re right. I was not noticing it because my other, much more general, firewall rule for established,related was accepting it. I wish it was mentioned very early in the help page :)

The rules you showed in the previous post don’t make much sense to me.

I’ll gladly answer the questions in the corresponding thread.