Mikrotik Firewall newbie

Hello,

I've just set up my first MikroTik and everything works fine. I have also set up PPPoE, DHCP and different networks; all of it is OK and works.
But then I came across a small issue and still haven't found a solution, not even here on the forum. I believe it's a trivial one. I cannot make the filter rules work and just don't know why. For example, I want one network to access tcp/8443, but not the second one. Everything else should be dropped.

chain=forward action=accept protocol=tcp src-address=192.168.10.0/24 src-port="" dst-port=21,53,80,443,8443
chain=forward action=accept protocol=tcp src-address=192.168.11.0/24 src-port="" dst-port=21,53,80,443

;;; Packets ACCEPT
chain=forward action=accept connection-state=established,related,new log=no log-prefix=""

;;; Packets DROP
chain=forward action=drop connection-state=invalid

;;; Drop ANY
chain=forward action=drop

But if I remove the "Packets ACCEPT" rule, nothing works (I have to mention that other input, output, DNS and DHCP rules are above these and are fine).


It doesn't work either if I add the in-interface:
chain=forward action=accept protocol=tcp src-address=192.168.10.0/24 in-interface=Bridge-VLAN10 src-port="" dst-port=21,53,80,443,8443
chain=forward action=accept protocol=tcp src-address=192.168.11.0/24 in-interface=Bridge-VLAN11 src-port="" dst-port=21,53,80,443

It doesn't work either if I add the connection-state to a specific rule, for example:
chain=forward action=accept connection-state=established,related,new connection-nat-state="" protocol=tcp src-address=192.168.10.0/24 in-interface=Bridge-VLAN10 src-port="" dst-port=21,53,80,443,8443 log=yes log-prefix=""

What am I missing?

I am used to other firewalls, and I usually set things up as "source-address / source-port > destination-address / destination-port > protocol > accept/drop". So I cannot figure out what I should do on my MikroTik.

Thanks!

Don't set src-port to an empty string; omit this setting altogether.
A missing setting is a wildcard; an empty setting is not.

Hey,

Thanks a lot for the tip! I corrected it, yet the issue persists.
Any other ideas on how to drop all the traffic from a subnet except for what is explicitly allowed with filter rules?

Your "Packets ACCEPT" rule is wrong: it must not include "new". As it is now, it's useless, because it allows everything.

What you really want is (in this order):

/ip firewall filter
add chain=forward action=accept connection-state=established,related,untracked
add chain=forward action=drop connection-state=invalid
...
<other rule(s) to allow access from LAN to internet, and whatever else should be allowed>
...
add chain=forward action=accept connection-nat-state=dstnat comment="allow forwarded ports, if you have any"
add chain=forward action=accept protocol=tcp src-address=192.168.10.0/24 dst-port=21,53,80,443,8443
add chain=forward action=accept protocol=tcp src-address=192.168.11.0/24 dst-port=21,53,80,443
add chain=forward action=drop
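
Added illustration (not part of this thread and not RouterOS code): a small Python model of first-match filter evaluation that replays the original poster's rule order against Sob's corrected order. The packet and rule classes, the constructed hosts (192.168.10.x, 192.168.11.x and the external address 203.0.113.5 from the documentation range), and the one-field treatment of connection-nat-state are assumptions made for the demo; the only RouterOS semantics it relies on are that rules are tried top to bottom, the first match decides, an absent matcher is a wildcard, and a built-in chain accepts what no rule matched. It shows why an accept rule for established,related,new lets 192.168.11.0/24 reach 8443, why removing that rule then kills return traffic, and why drop invalid has to sit above the per-subnet accepts.

```python
import ipaddress
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Optional


@dataclass(frozen=True)
class Packet:
    """Constructed model of what the forward chain sees once connection
    tracking has classified the packet (not a real RouterOS structure)."""
    src: str
    dst_port: int
    proto: str = "tcp"
    conn_state: str = "new"      # new | established | related | invalid | untracked
    nat_state: str = ""          # "dstnat" if a dst-nat rule rewrote it, else ""


@dataclass(frozen=True)
class Rule:
    action: str                                   # accept | drop
    src_net: Optional[str] = None
    proto: Optional[str] = None
    dst_ports: Optional[FrozenSet[int]] = None
    conn_states: Optional[FrozenSet[str]] = None
    nat_state: Optional[str] = None
    comment: str = ""

    def matches(self, pkt: Packet) -> bool:
        # An absent matcher is a wildcard (Sob's point about src-port=""):
        # every matcher that IS present must hold for the rule to fire.
        if self.src_net is not None and \
                ipaddress.ip_address(pkt.src) not in ipaddress.ip_network(self.src_net):
            return False
        if self.proto is not None and self.proto != pkt.proto:
            return False
        if self.dst_ports is not None and pkt.dst_port not in self.dst_ports:
            return False
        if self.conn_states is not None and pkt.conn_state not in self.conn_states:
            return False
        if self.nat_state is not None and pkt.nat_state != self.nat_state:
            return False
        return True


def evaluate(rules: List[Rule], pkt: Packet) -> str:
    """First match wins, as in a RouterOS filter chain. If nothing matches,
    the built-in chains accept by default, which is why both lists below
    end with an explicit catch-all drop."""
    for rule in rules:
        if rule.matches(pkt):
            return rule.action
    return "accept"


PORTS_VLAN10 = frozenset({21, 53, 80, 443, 8443})
PORTS_VLAN11 = frozenset({21, 53, 80, 443})


def op_rules(include_catch_all: bool = True) -> List[Rule]:
    """The original poster's forward chain, in the order posted."""
    rules = [
        Rule("accept", src_net="192.168.10.0/24", proto="tcp", dst_ports=PORTS_VLAN10),
        Rule("accept", src_net="192.168.11.0/24", proto="tcp", dst_ports=PORTS_VLAN11),
    ]
    if include_catch_all:
        # "Packets ACCEPT" with "new": every tracked packet matches, so it accepts everything.
        rules.append(Rule("accept", conn_states=frozenset({"established", "related", "new"}),
                          comment="Packets ACCEPT"))
    rules.append(Rule("drop", conn_states=frozenset({"invalid"}), comment="Packets DROP"))
    rules.append(Rule("drop", comment="Drop ANY"))
    return rules


def sob_rules() -> List[Rule]:
    """Sob's corrected order: state rules first, explicit allows, then drop."""
    return [
        Rule("accept", conn_states=frozenset({"established", "related", "untracked"})),
        Rule("drop", conn_states=frozenset({"invalid"})),
        Rule("accept", nat_state="dstnat", comment="allow forwarded ports, if any"),
        Rule("accept", src_net="192.168.10.0/24", proto="tcp", dst_ports=PORTS_VLAN10),
        Rule("accept", src_net="192.168.11.0/24", proto="tcp", dst_ports=PORTS_VLAN11),
        Rule("drop"),
    ]


def verdicts(pkt: Packet) -> Dict[str, str]:
    """Same packet through the posted set, the posted set minus its catch-all
    accept (the poster's 'nothing works' experiment), and Sob's set."""
    return {
        "op": evaluate(op_rules(), pkt),
        "op_no_catch_all": evaluate(op_rules(include_catch_all=False), pkt),
        "sob": evaluate(sob_rules(), pkt),
    }


if __name__ == "__main__":
    # Constructed sample traffic; 203.0.113.5 stands in for an internet host.
    samples = {
        "VLAN11 -> tcp/8443 (should be dropped)": Packet("192.168.11.20", 8443),
        "VLAN10 -> tcp/8443 (should be accepted)": Packet("192.168.10.20", 8443),
        "reply from internet, established": Packet("203.0.113.5", 51234, conn_state="established"),
        "VLAN10 -> tcp/80 but invalid state": Packet("192.168.10.7", 80, conn_state="invalid"),
    }
    for label, pkt in samples.items():
        print(f"{label:45s} {verdicts(pkt)}")
```

Reading the output row by row reproduces the thread: the posted set accepts VLAN11 to 8443 because the state rule with "new" catches it after the two subnet rules fail; dropping that state rule makes the established reply from the internet fall through to "Drop ANY", which is the "nothing works" symptom; and the posted order also accepts an invalid-state packet to port 80 because the subnet accept sits above drop invalid, which Sob's order closes.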

Hi Sob,

Thanks for your precious help, now it works.
I had to move the "packet rules" above the "src-address rules" and remove the "new" connection state as you suggested, and everything works as expected.