I have been trying to secure my RouterOS a bit, so I have followed this guide from the MikroTik wiki: https://wiki.mikrotik.com/wiki/Tips_and_Tricks_for_Beginners_and_Experienced_Users_of_RouterOS
But once I added the firewall filter rules, the last rules (19, 20) in the following listing lost any effect.
I mean, before adding rules 2 to 18 I was able to allow or restrict access to my LAN from outside, but now I can't, yet I am still able to do so by disabling a port forward from the NAT tab.
;;; "just trying to block unwanted ips"
0 chain=input action=drop src-address-list=block-attack
1 chain=forward action=drop src-address-list=block-attack
;;; following the guide "Tips and Tricks for Beginners and Experienced Users of RouterOS"
2 chain=input action=accept connection-state=established,related
3 chain=input action=accept in-interface=local
4 chain=input action=accept in-interface=wlan
5 chain=input action=drop connection-state=invalid
6 chain=input action=drop dst-address-type=!local
7 chain=input action=drop src-address-type=!unicast
8 chain=input action=drop src-address-list=not_in_internet in-interface=wan
9 chain=forward action=accept connection-state=established,related
10 chain=forward action=drop connection-state=invalid
13 chain=forward action=drop connection-state=new connection-nat-state=!dstnat in-interface=wan
14 chain=forward action=drop src-address-list=not_in_internet in-interface=wan
15 chain=forward action=drop dst-address-list=not_in_internet in-interface=local
16 chain=forward action=drop dst-address-list=not_in_internet in-interface=wlan
17 chain=forward action=drop src-address=!192.168.0.0/24 in-interface=local
18 chain=forward action=drop src-address=!192.168.1.0/24 in-interface=wlan
;;; "here i want to allow or strict access to local server but it is not working any more"
19 chain=input action=accept protocol=tcp dst-address=1.2.3.4 in-interface=wan dst-port=80
20 chain=input action=accept protocol=tcp dst-address=1.2.3.4 in-interface=wan dst-port=443
So how can I restrict access to my NATed server again from the firewall filter rules, or is there another way to achieve that?
Reset back to defaults, as I cannot make heads or tails of the mess you have indeed created.
Then let's focus on what you wish to accomplish:
Default Rules + Requirements for DST NAT rules.
By the way, you can only limit access to the SERVER on your LAN to specific WANIPs if you know which WANIPs require access.
Typically you would make up a firewall address list for that and place it in the associated dst nat rule.
After we have the above straightened out, if you think you need more rules, feel free to add them.
Thank you anav for your reply.
Rules 0 and 1 I added to block attacking IPs; that is why I set them first, but I can delete them.
Rules 2 to 18 are an exact copy-paste from the MikroTik wiki guide I mentioned.
The last 2 rules are an example of what I want (accept or drop connections destined for a certain IP and destination port).
Where is IP 1.2.3.4 located? On the router itself? If not, this will do nothing. The input chain is only used for traffic that is going to the router itself. (Mostly used for management of the router: SSH, Winbox, etc.)
I would guess IP 1.2.3.4 is one you have on your inside LAN. If so, it's the forward chain that should be used.
This IP is one of my public pool IPs I get through PPPoE from the WAN interface.
I just noticed that if I disable the dst-nat rule (which translates a public IP to its local one), then filter rules like 19 and 20 will count some packets.
Thank you guys for pointing me to resetting the router (it felt like a fresh OS install, which is better than upgrade over upgrade). I did the reset with the default configs, then configured the router as I want but left the default firewall filter rules, and it looks like this:
(1) The default rules are a good start. However, your source NAT and destination NAT rules are in need of extreme modification.
(2) Not sure why you have a src-address-list for masquerade outbound? Normally one just identifies the outbound WAN interface or WAN interface list. (Assuming dynamic WANIP)
Assuming you are using this for some reason, but it's not clear?
(3) For Hairpin Nat you need to add another masquerade rule.
/ip firewall nat
add chain=srcnat src-address=192.168.88.0/24 dst-address=192.168.88.0/24 action=masquerade (use your appropriate subnet)
(4) This rule makes little sense to me?? It says port forwarding but you have srcnat in your rule???
What use case are you trying to achieve, without any mention of the config?
3 ;;; port forward - server via pub_ip
chain=srcnat action=src-nat to-addresses=1.2.3.4 src-address=192.168.0.101 out-interface=pppoe-out1
(5) What is dst-address 1.2.3.4?? Do you have a fixed static WANIP or a dynamic WANIP?
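As an added example (not from this thread or the MikroTik wiki), here is how the restriction anav describes can be done: the allowed WAN sources live in an address list that is matched in the dst-nat rule itself, the server gets a 1:1 NAT pair, and the filter rule sits in the forward chain matching the translated address. It assumes 1.2.3.4, 192.168.0.101 and pppoe-out1 from the thread; the list name "server-clients", the 203.0.113.x addresses and the "defconf:" comment on the default forward drop rule are assumptions.

```routeros
# Added example, not from the thread. Assumes: public IP 1.2.3.4 is one of the PPPoE
# pool addresses on pppoe-out1, the server is 192.168.0.101, and only the WAN
# addresses in "server-clients" may reach it. 203.0.113.x is a constructed placeholder.

# 1. Address list of WAN sources allowed to reach the server.
/ip firewall address-list
add list=server-clients address=203.0.113.10 comment="office"
add list=server-clients address=203.0.113.0/24 comment="partner range"

# 2. 1:1 NAT for the server. The src-address-list on the dst-nat rule means a source
#    that is not listed is never translated, so it hits the default forward rule
#    "drop all from WAN not DSTNATed" (or the input drop rules) instead of the server.
/ip firewall nat
add chain=dstnat in-interface=pppoe-out1 dst-address=1.2.3.4 protocol=tcp \
    dst-port=80,443 src-address-list=server-clients action=dst-nat \
    to-addresses=192.168.0.101 comment="server 1:1 in (80/443)"
add chain=srcnat src-address=192.168.0.101 out-interface=pppoe-out1 \
    action=src-nat to-addresses=1.2.3.4 comment="server 1:1 out"

# 3. Filter in the FORWARD chain, not input: after dst-nat the packet is addressed to
#    192.168.0.101 and is forwarded to the LAN, so match the translated address and
#    connection-nat-state=dstnat. Both rules are placed before the default
#    "defconf: drop all from WAN not DSTNATed" rule (assumed to exist after the reset).
/ip firewall filter
add chain=forward action=accept connection-state=new connection-nat-state=dstnat \
    in-interface=pppoe-out1 dst-address=192.168.0.101 protocol=tcp dst-port=80,443 \
    src-address-list=server-clients comment="allow listed WAN clients to server" \
    place-before=[find chain=forward comment~"drop all from WAN not DSTNATed"]
add chain=forward action=drop connection-nat-state=dstnat dst-address=192.168.0.101 \
    in-interface=pppoe-out1 comment="drop any other dst-nat to server" \
    place-before=[find chain=forward comment~"drop all from WAN not DSTNATed"]
```

Check it with /ip firewall filter print stats: the forward accept rule should count packets for a listed source, while the old input-chain rules for 1.2.3.4 stay at zero because dst-natted traffic never enters the input chain.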
Thank you anav for your feedback, and sorry if my config wasn't clear enough.
(2) From the previous configuration I had multiple subnets and I created an address list for one of them that would have internet access; that is why I used src-address-list, but I only have one subnet now and I didn't think it would make an issue with the rule.
(4) I am really sorry for the misleading port forward comment.
(5) I do have a pool of static IP addresses assigned to the PPPoE interface, and with the misleading src-nat rule I needed to forward the traffic of that specific server to one of them (I think this is 1:1 NATting, not sure …).
Please don't forget the extreme modification of the source NAT and destination NAT rules, and give advice about the items I want to achieve.