Misunderstanding Firewall

I’m using v2.9.18. I’m trying to block access from anywhere to a particular network on UDP ports 1024-1030. All traffic is routed through the box I’m working on. I have just started building firewall rules on this OS, so this is the only filter I have:

/ip firewall filter add chain=forward dst-address=xxx.xxx.230.0/24 protocol=udp dst-port=1024-1030 action=drop

When I put the rule in place, it works and blocks the undesired traffic, but it also blocks other UDP traffic as well, such as RADIUS on ports 1645 & 1646. I’ve tried creating a rule to explicitly allow the RADIUS ports and put it before this rule, but that doesn’t work either.

I’m sure that I am missing some basic something, but I’ve not been able to figure it out reading the docs or anything online. I think if I can just understand why this one thing doesn’t work, I’ll easily come to grips with anything else the firewall might bring up.

For what it’s worth, the documentation in the reference manual doesn’t match what’s actually going on on my box, i.e., there is no “/ip firewall rule” command.

Thanks,

Rob

It might be that the router is in fact not blocking the original packets but the corresponding return packets. That will happen if the destination port number of the return packet falls into the range of 1024-1030.

The correct solution to handle this is to use the stateful features of the firewall, i.e. connection-state=established and connection-state=related (see the manual, and also try to learn from the firewall setup on demo2.mt.lv).

You said you’re running RouterOS 2.9, but are you sure that you’re reading the 2.9 manual and not an older version?

–Tom
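To illustrate Tom's point, here is an added Python model (not from the thread and not RouterOS code) that runs a RADIUS request/reply through the original stateless drop rule and then through the same rule preceded by a connection-state=established accept; the addresses and the client-side port 1025 are constructed assumptions standing in for the redacted network.

```python
import ipaddress

# Constructed stand-ins for the thread's redacted xxx.xxx.230.0/24 and its hosts.
BLOCKED_NET = ipaddress.ip_network("192.0.2.0/24")   # the "particular network"
NAS = "192.0.2.20"                                  # RADIUS client inside that network
RADIUS_SERVER = "198.51.100.10"                     # RADIUS server outside it


def stateless_verdict(pkt):
    """Rob's single rule: drop UDP to BLOCKED_NET on dst-port 1024-1030, else accept."""
    if (pkt["proto"] == "udp"
            and ipaddress.ip_address(pkt["dst"]) in BLOCKED_NET
            and 1024 <= pkt["dport"] <= 1030):
        return "drop"
    return "accept"


def stateful_verdict(pkt, conntrack):
    """Same drop rule, but an 'established' accept is evaluated first.

    conntrack holds 5-tuples of flows the firewall has already accepted; a packet
    whose reversed 5-tuple is present is a reply (established).  The 'related'
    state (e.g. ICMP errors tied to a flow) is not modelled here."""
    key = (pkt["proto"], pkt["src"], pkt["sport"], pkt["dst"], pkt["dport"])
    reverse = (pkt["proto"], pkt["dst"], pkt["dport"], pkt["src"], pkt["sport"])
    if reverse in conntrack:
        return "accept"          # reply to a flow we let through -> established
    verdict = stateless_verdict(pkt)
    if verdict == "accept":
        conntrack.add(key)       # remember the new flow so its replies match above
    return verdict


def radius_exchange(stateful):
    """Access-Request from the NAS (ephemeral port 1025) to RADIUS 1645, the server's
    reply back to port 1025, and an unsolicited probe to that same port."""
    request = {"proto": "udp", "src": NAS, "sport": 1025, "dst": RADIUS_SERVER, "dport": 1645}
    reply = {"proto": "udp", "src": RADIUS_SERVER, "sport": 1645, "dst": NAS, "dport": 1025}
    probe = {"proto": "udp", "src": "203.0.113.7", "sport": 40000, "dst": NAS, "dport": 1025}
    conntrack = set()
    verdict = (lambda p: stateful_verdict(p, conntrack)) if stateful else stateless_verdict
    return {"request": verdict(request), "reply": verdict(reply), "unsolicited": verdict(probe)}


if __name__ == "__main__":
    print("stateless:", radius_exchange(stateful=False))
    print("stateful: ", radius_exchange(stateful=True))
```

With the stateless rule the RADIUS reply is dropped because its destination port (the client's ephemeral 1025) falls in 1024-1030, while the stateful variant accepts it as a reply and still drops the unsolicited packet.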

Thanks Tom, that’s exactly what I needed to know, and makes complete sense.

Front page of the PDF I had printed says v2.9.