So i have setup a destination nat to route traffic from public ip 98.137.11.164 directly to a private ip 192.168.10.111 and works fine
Now i want to restrict traffic so that only my internet public ip 172.217.14.174 can access this destination nat public ip
but it is not working, am not sure what else i need to do or why this is not so straight forward
Here is what i have as firewall rule, i even moved it to the very top of all firewall rules
but i can access the destination nat public ip by anyone on internet still
172.217.14.174 is my internet public ip, only this ip should be allowed, others DROP 98.137.11.164 is destination nat public ip which routes to local ip 192.168.10.111
chain: input
src address: !172.217.14.174
dst address: 98.137.11.164
action: drop
this rule does not work, so why is it not working?
Because chain=input has nothing to do with it, connections to forwarded ports go in chain=forward. And if you want it for only one address, you can do it directly in dstnat rule, e.g.:
/ip firewall nat
add chain=dstnat dst-address=98.x.x.x src-address=172.x.x.x <conditions for protocol and port if you're not forwarding everything> action=dst-nat to-addresses=192.168.10.111
I want to separate the NAT rules from firewall rules So how do i do this with firewall rules?
Better to separate them, so that way i make management easy for me
sob nailed it… add source address to the dst-nat rule which limits access to that source IP.
If you have several IPs, then one can use a source-address-list!
The good thing about using source in a destination nat rule is that the port will not be visible on scans!!
If you DONT use source, then the port will appear (visible) on scans but will appear closed.
Main part is to use correct chain (forward instead of input), correct addresses (forward no longer sees original destination, but 192.168.10.111), then if you want to do it properly, you need to do it only for dstnatted connections, otherwise it may block (depends on your other rules) also connections from internal server to that external address (if you ever wanted that). So something like:
I tried forward also, the firewall rule does not work at all
i can access from anywhere still
i also tried what you have and added the connection NAT state to dstnat and does not work
but even the bigger rule without additional connection NAT state does not work
why is not working is my question? because this is an issue then because this is a simple rule that one should expect should work like 1, 2, 3
I have this rule at the very top of firewall rules, i only have 3 rules in there, so not much
and the 2 other rules just allow traffic from one public ip to/fro another public ip via input and output chains, which works fine
yeah the whole thing is just weird, it looks so simple but i can access this ip from anywhere still
Ok now it blocks everyone including the public i need it not block
seems i missed the private ip in dst address, i thought that was the public ip
I really want to separate the NAT and firewall rules that is why
So i know NAT is for NAT and firewall rules are for the firewall rules
May not be generally easier, but for me it is
One other question, why is it that the first rule i had did not work?
172.217.14.174 is my internet public ip, only this ip should be allowed, others DROP
98.137.11.164 is destination nat public ip which routes to local ip 192.168.10.111
chain: input
src address: !172.217.14.174
dst address: 98.137.11.164
action: drop
Input chain is only for traffic to router itself, to server running on router, e.g. when you’re connecting to router with WinBox or use WebFig. Traffic passing through router and going somewhere else uses forward chain.
And if I understood correctly that your whole firewall consists of only three rules including this one, there’s no way it could be secure or correct.
Since default action is accept, i.e. if you don’t block something, it’s allowed, it’s very likely that you have everything wide open to whole world.
Check this thread, it’s rather long, so at least the example at the beginning (point 1). The idea is to use stateful firewall to allow packets for already established connections, drop packets seen by connection tracking as invalid, then the rest is new connections, so allow what should pass, and finally block the rest. It’s not the only way, but to me it seems simple and easy to understand.
For port forwarding, unlike other routers I have used, only one firewall rule is needed and applies to all port forwarding (dst-nats of that ilk).
add chain=forward action=accept connection-nat-state=dstnat
The rest of the details per individual rule are done under the NAT rules…
Yeah will have to focus on firewall for next 1 week before going PROD
I kind of have similar setup on my current Juniper SRX240 router also, and had it wide open too for like 8 years
But want a more security focused setup now
Will read up and work more on the firewall side now
It’s not that keeping things open must inevitably bring troubles. At first sight, why couldn’t e.g. WinBox be accessible, if you have strong password, perhaps you even do some rate limiting for new connections, etc. There’s practically zero chance that anyone would get in by bruteforcing it. And then something like this happens. Nasty bug where one connection is enough. So it’s safer to be a bit paranoid.
[quote=KateUhlerredalfias post_id=927371 time=1650280497 user_id=199950]
If you don’t trust certain IPs, just don’t allow them to connect to WAN. Then they can’t use fast track either. If you trust an IP, it doesn’t matter which port that IP uses in case it is compromised. If you close down 443 inboout might use 85358 anyway.
[/quote]
Wrong approach Kate, I will never know all the things or ports or IPs I should block, BuT I DO know what I want to allow.
Thus as per the link above for firewalls the optimal approach is a DROP: ALL rule at the end of the input and forward chains.
In this regard I am forced to create the rules to allow traffic and this is a much smaller 'BUNCH OF THINGS" to know.
I CAN BLOCK EVERYTHING just by dropping everything
I can then allow only a few things and these are things I do know about.
since my question is related to firewall issues, i set my question here instead of creating new topic. I would like to kindly ask you for assistance :
I recently switched from “hap ac” to “rb4011”. The device was configured by myself, used in same place - with same clients and options as previous hap ac. Im struggling with Firewall function, however i had the same rules set on previous device, running without any problems.
We are talking only about 3+1 rules. Blocking internet connection for specific devices (created address list), blocking DNS request for the same devices-same address list, and KidControl for one device. None of those rules are “catching” any datas, packets. For the “blocklist” stays traffic always as “0 bytes-packets” and also the KidControl “device” does the same = no IP address visible under added device, no packets captured even if the device is used, KidControl not working. Normally under KidControl “device” tab was all my devices in network visible, i could grab and “save” any of them to apply the rule. This list has now only 1 entry added manually by myself, no devices are discovered. As i mentioned, i was using those rules for 2years under same conditions in hap ac. It is for sure some configuration fault, which i made during setup, but i have no idea what can affect the traffic in way, that isnt filtered by rules.
My configuration is pretty basic :
only one subnet/DHCP is used
all devices used in firewall rules has fixed IPs, are visible under DHCP lease, traffic is visible
using latest ROS
no other network device, DHCP server is present in this network
no VLANs used
internet connection is established via PPPoE from ether1, where ISP ONT is connected
Print from my firewall rules. The address list for blocking is called “block”
