Last block rule, blocks everything

I’m trying to make my RB 2011UAS02-Hnd work with my firewall rules. But until now I can’t make it work.

What I want: block everything by default, unless I create an allow rule. So basically a default block, unless… (this should be the default on any firewall, or at least give the option to the admin).
The problem is, the last rule is my blocking rule [Last Rule => Drop Everything]. But it keeps blocking everything before it.

My total configuration is a lot more advanced, but I went back to this basic configuration. And still I have the same issue.
I have already tried several options but none of them worked correctly.

The total setup will be like this (I know this will not work with the current config below. But the current config is for troubleshooting)
The option is to allow full access to all network ranges from the MGMT Interface. So all traffic should be allowed FROM this interface.
The shop should have full Internet access. But no access to the other networks.
The hotspots will have normal Internet access (After authentication).
There will be some default (windows type) blocking rules.

The total setup will be:
eth 1: Internet
eth 1: MGMT
eth 5: Shop
eth 6: hotspot 1
eth 9: hotspot 2
wlan : not configured yet.
The rest of the Interfaces will not be configured.

But now, from the network, it’s not even possible to ping (tried chain=forward, did not work).


I’m now a little bit lost. I’ve been working on the issue for several days. But I don’t see the light any more.

Can somebody tell me where my stupid mistake is?
/interface
set 0 arp=enabled auto-negotiation=yes bandwidth=unlimited/unlimited comment="Interface sfp" disabled=yes full-duplex=yes l2mtu=1598 mac-address=D4:CA:6D:87:31:DF master-port=none mtu=1500 name=sfp speed=100Mbps
set 1 arp=enabled auto-negotiation=yes bandwidth=unlimited/unlimited comment="Interface 01" disabled=no full-duplex=yes l2mtu=1598 mac-address=D4:CA:6D:87:31:E0 master-port=none mtu=1500 name=Internet speed=100Mbps
set 2 arp=enabled auto-negotiation=yes bandwidth=unlimited/unlimited comment="Interface 02" disabled=no full-duplex=yes l2mtu=1598 mac-address=D4:CA:6D:87:31:E1 master-port=none mtu=1500 name=MGMT speed=100Mbps
set 3 arp=enabled auto-negotiation=yes bandwidth=unlimited/unlimited comment="Interface 03" disabled=no full-duplex=yes l2mtu=1598 mac-address=D4:CA:6D:87:31:E2 master-port=none mtu=1500 name=ether3 speed=100Mbps
set 4 arp=enabled auto-negotiation=yes bandwidth=unlimited/unlimited comment="Interface 04" disabled=no full-duplex=yes l2mtu=1598 mac-address=D4:CA:6D:87:31:E3 master-port=none mtu=1500 name=ether4 speed=100Mbps
set 5 arp=enabled auto-negotiation=yes bandwidth=unlimited/unlimited comment="Interface 05" disabled=no full-duplex=yes l2mtu=1598 mac-address=D4:CA:6D:87:31:E4 master-port=none mtu=1500 name=Winkel speed=100Mbps

/ip firewall filter
add action=accept chain=input comment="default configuration" disabled=yes protocol=icmp
add action=accept chain=input comment="default configuration" connection-state=established disabled=yes
add action=accept chain=input comment="default configuration" connection-state=related disabled=yes
add action=drop chain=input comment="default configuration" disabled=yes in-interface=sfp
add action=drop chain=input comment="default configuration" disabled=yes in-interface=Internet
add action=drop chain=input comment="Drop Invalid connections" connection-state=invalid disabled=no
add action=accept chain=input comment="Allow Established connections" connection-state=established disabled=no
add action=accept chain=input comment="Allow ICMP" disabled=no protocol=icmp
add action=accept chain=input comment="MGMT Allow Rule" disabled=no in-interface=!Internet src-address=192.168.88.0/24
add action=accept chain=input comment="Allowed Services" disabled=no dst-port=53 protocol=tcp
add action=accept chain=input disabled=no dst-port=53 protocol=udp
add action=accept chain=input disabled=no dst-port=123 protocol=udp
add action=accept chain=input disabled=no dst-port=8291 in-interface=Internet protocol=tcp
add action=drop chain=input comment=“Drop everything else” disabled=no
add action=drop chain=forward disabled=no src-address=0.0.0.0/8
add action=drop chain=forward disabled=no dst-address=0.0.0.0/8
add action=drop chain=forward disabled=no src-address=127.0.0.0/8
add action=drop chain=forward disabled=no dst-address=127.0.0.0/8
add action=drop chain=forward disabled=no src-address=224.0.0.0/3
add action=drop chain=forward disabled=no dst-address=224.0.0.0/3
add action=jump chain=forward disabled=no jump-target=tcp protocol=tcp
add action=jump chain=forward disabled=no jump-target=udp protocol=udp
add action=jump chain=forward disabled=no jump-target=icmp protocol=icmp
add action=drop chain=tcp comment="deny TCP" disabled=no dst-port=135 protocol=tcp
add action=drop chain=tcp disabled=no dst-port=137-139 protocol=tcp
add action=drop chain=tcp disabled=no dst-port=445 protocol=tcp
add action=drop chain=tcp disabled=no dst-port=6660-7000 protocol=tcp
add action=drop chain=udp comment="deny UDP" disabled=no dst-port=69 protocol=udp
add action=drop chain=udp disabled=no dst-port=135 protocol=udp
add action=drop chain=udp disabled=no dst-port=137-139 protocol=udp
add action=drop chain=udp disabled=no dst-port=2049 protocol=udp
add action=drop chain=udp disabled=no dst-port=6660-7000 protocol=udp
add action=accept chain=icmp comment="Always Allow Ping" disabled=no out-interface=Internet
add action=accept chain=forward comment="Always allow MGMT Traffic" disabled=no in-interface=MGMT
add action=drop chain=forward comment="Last Rule => Drop Everything" disabled=yes

/ip firewall nat
add action=masquerade chain=srcnat comment="default configuration" disabled=no out-interface=sfp
add action=masquerade chain=srcnat comment="default configuration" disabled=no out-interface=Internet

In a quick scan I didn’t see any entries on the forward chain for connection states Established or Related so perhaps you are allowing outbound connections but no return traffic is allowed.

I noticed a lot of drop entries. When constructing firewall rulesets it is usually safer to make all your entries for traffic flows that you want to permit and then drop everything else at the end. Explicit drops can be added for efficiency of execution if necessary.
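As an added example (not the posters' own configuration), this is how the forward chain described in this thread could be ordered following the advice above: connection-tracking rules first, one explicit permit per interface for the flows the design allows, and a single logged drop at the end. The interface names Internet, MGMT and Winkel come from the export above; ether6 and ether9 for the two hotspot ports are assumed, since that part of the export is not shown.

```routeros
/ip firewall filter
# --- connection tracking first ---
# Replies to connections that an accept rule below already permitted are
# matched here and never reach the per-interface rules or the final drop.
# This is the pair of rules the original forward chain was missing.
add chain=forward action=drop connection-state=invalid comment="forward: drop invalid"
add chain=forward action=accept connection-state=established,related comment="forward: allow return traffic"
# --- address sanity checks kept from the original ruleset ---
add chain=forward action=drop src-address=0.0.0.0/8
add chain=forward action=drop dst-address=0.0.0.0/8
add chain=forward action=drop src-address=127.0.0.0/8
add chain=forward action=drop dst-address=127.0.0.0/8
add chain=forward action=drop src-address=224.0.0.0/3
add chain=forward action=drop dst-address=224.0.0.0/3
# --- explicit permits, new connections only ---
# MGMT may open connections to every other network and to the Internet.
add chain=forward action=accept connection-state=new in-interface=MGMT comment="MGMT: full access"
# The shop (Winkel) and both hotspot ports may only open connections towards
# the Internet; shop -> hotspot or hotspot -> MGMT falls through to the final drop.
# ether6/ether9 are assumed names for the hotspot ports (not in the export shown).
add chain=forward action=accept connection-state=new in-interface=Winkel out-interface=Internet comment="Shop: Internet only"
add chain=forward action=accept connection-state=new in-interface=ether6 out-interface=Internet comment="hotspot 1: Internet only"
add chain=forward action=accept connection-state=new in-interface=ether9 out-interface=Internet comment="hotspot 2: Internet only"
# --- one explicit default deny, logged so a blocked flow can be seen in /log ---
add chain=forward action=drop log=yes log-prefix="fwd-drop" comment="Last Rule => Drop Everything"
```

The port-based drop chains from the original ruleset (the jumps to tcp and udp) can stay between the sanity checks and the permits; with this ordering each customer port sees exactly one accept rule and everything not listed is dropped and logged.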

Hours of work lost… I should have posted my issues on this forum earlier…

Indeed it was the issue.

I have added the following rules:
add chain=forward protocol=tcp connection-state=invalid action=drop comment="drop invalid connections"
add chain=forward connection-state=established action=accept comment="allow already established connections"
add chain=forward connection-state=related action=accept comment="allow related connections"

And it solved my issues…


And I agree with your comments on the block rules. I have some default block rules that will always be blocked. I have multiple customers on this RB. I don’t have full control over their network. So I have configured some basic filtering.

Thx for solving my issue.

Glad it helped you find the problem!