My firewall rule doesn't drop anything

broderick · January 22, 2022, 1:09pm

hi,

I first created an address-list and put a few IPs in there, then I set a firewall rule in order to drop any IPs but those of my list to reach my server:

;;; Block every IPs to Server but Server IPs chain=forward action=drop connection-state=new dst-address=192.168.3.10
src-address-list=!Server-IPs log=yes log-prefix=""

I placed it almost at the top of the firewall list in order to avoid any position rule issue and check it.

(I don’t know why my image doesn’t show up above correctly. Anyway it’s a thumbnail, just click on it to see it)

Unfortunately it seems not to be working even though I see counters for it.
I mean, Other devices that are not in the list can reach the server’s services’ weblogin pages, i.g. 192.168.3.10:9000 (portainer) or 192.168.3.10:32400 (plex server dashboard)

I am still wondering what I did wrong. Could you help me please?
Thanks

anav · January 22, 2022, 2:57pm

First we do not work with crystal balls, tarot cards, or ouji boards.
Please post your config for review.
/export hide-sensitive file=anynameyouwish

Also one must understand how port forwarding for servers works in MT configurations.
There is only one rule germane in the firewall rules (forward chain) and that is to allow any connection-nat-state=dstnat.
Which basically tells the router, for any unsoliticited traffic (originated from the net or possibly from users on the LAN using the public IP for access to the server) inbound, let it through the firewall if it has a destination port also defined in the NAT rules.

The NAT rules and specifically destination nat rules are where one can ADD the source-address-list of authorized users to that server.
Note that the IP addresses of your authorized users can be in the form of public IP address (if they have a static fixed public IP) or the router can accept in the IP address entry a DYNDNS name (url), for the case of dynamic public IPs. The router will resolve the name to the proper IP for you.

broderick · January 22, 2022, 4:30pm

First we do not work with crystal balls, tarot cards, or ouji boards.
Please post your config for review.
/export hide-sensitive file=anynameyouwish

Also one must understand how port forwarding for servers works in MT configurations.
There is only one rule germane in the firewall rules (forward chain) and that is to allow any connection-nat-state=dstnat.
Which basically tells the router, for any unsoliticited traffic (originated from the net or possibly from users on the LAN using the public IP for access to the server) inbound, let it through the firewall if it has a destination port also defined in the NAT rules.

The NAT rules and specifically destination nat rules are where one can ADD the source-address-list of authorized users to that server.
Note that the IP addresses of your authorized users can be in the form of public IP address (if they have a static fixed public IP) or the router can accept in the IP address entry a DYNDNS name (url), for the case of dynamic public IPs. The router will resolve the name to the proper IP for you.

Here is my setup:

# jan/22/2022 17:04:48 by RouterOS 6.49.1
# software id = 5Z4J-31GG
#
# model = RBD52G-5HacD2HnD
# serial number = BEExxxxxxx
/interface bridge
add admin-mac=C4:AD:34:xx:xx:xx auto-mac=no comment=defconf name=bridge
/interface ethernet
set [ find default-name=ether5 ] comment=WAN2
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
add authentication-types=wpa2-psk eap-methods="" management-protection=\
    allowed mode=dynamic-keys name="wan wifi" supplicant-identity=""
add authentication-types=wpa2-psk eap-methods="" management-protection=\
    allowed mode=dynamic-keys name="wifi int" supplicant-identity=""
add authentication-types=wpa2-psk eap-methods="" management-protection=\
    allowed mode=dynamic-keys name="WAN WiFi VOD" supplicant-identity=""
add authentication-types=wpa2-psk eap-methods="" management-protection=\
    allowed mode=dynamic-keys name="wifi 5Ghz" supplicant-identity=""
add authentication-types=wpa-psk,wpa2-psk eap-methods="" \
    management-protection=allowed mode=dynamic-keys name=motog \
    supplicant-identity=""
/interface wireless
set [ find default-name=wlan1 ] band=2ghz-onlyn channel-width=20/40mhz-XX \
    comment=N1 country="united states3" disabled=no frequency=auto \
    installation=indoor keepalive-frames=disabled multicast-buffering=\
    disabled security-profile="WAN WiFi VOD" ssid=Vodax-35xxxxxx \
    wds-default-bridge=bridge wds-mode=dynamic wireless-protocol=802.11 \
    wmm-support=enabled
set [ find default-name=wlan2 ] band=5ghz-a/n country="united states3" \
    frequency=5220 installation=indoor mode=ap-bridge security-profile=\
    "wifi 5Ghz" ssid=TIK5 station-roaming=enabled wmm-support=enabled \
    wps-mode=disabled
add disabled=no keepalive-frames=disabled mac-address=C6:AD:34:xx:xx:xx \
    master-interface=wlan1 multicast-buffering=disabled name=wlan3 \
    security-profile="wifi intx" ssid=homemik station-roaming=enabled \
    wds-cost-range=0 wds-default-bridge=bridge wds-default-cost=0 wds-mode=\
    dynamic wmm-support=enabled wps-mode=disabled
/interface wireless manual-tx-power-table
set wlan1 comment=
/interface wireless nstreme
set wlan1 comment=
/ip pool
add name=dhcp_pool1 ranges=192.168.3.50-192.168.3.254
add name=ovpn-pool ranges=192.168.131.10-192.168.131.200
/ip dhcp-server
add address-pool=dhcp_pool1 disabled=no interface=bridge name=dhcp1
/port
set 0 baud-rate=9600 data-bits=8 flow-control=none name=usb1 parity=none \
    stop-bits=1
/ppp profile
add dns-server=192.168.131.1 local-address=192.168.131.1 name=ovpn \
    remote-address=ovpn-pool use-encryption=yes
/queue simple
add name=PC target=192.168.3.100/32
/snmp community
set [ find default=yes ] addresses=0.0.0.0/0
/user group
set full policy="local,telnet,ssh,ftp,reboot,read,write,policy,test,winbox,pas\
    sword,web,sniff,sensitive,api,romon,dude,tikapp"
/interface bridge port
add bridge=bridge comment=defconf interface=ether2
add bridge=bridge comment=defconf interface=ether4
add bridge=bridge comment=defconf interface=wlan2
add bridge=bridge interface=wlan3
add bridge=bridge interface=ether1
add bridge=bridge interface=ether3
/ip neighbor discovery-settings
set discover-interface-list=LAN
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=xxxn1 list=WAN
/interface ovpn-server server
set auth=sha1 certificate=mikrotik cipher=aes256 default-profile=ovpn \
    enabled=yes port=1195
/ip address
add address=192.168.3.1/24 comment=defconf interface=bridge network=\
    192.168.3.0
add address=192.168.1.11/24 comment=WAN1 interface=xxx1 network=192.168.1.0
/ip arp
add address=192.168.3.100 interface=bridge mac-address=44:8A:5B:C9:xx:xx
add address=192.168.3.93 interface=bridge mac-address=00:0C:29:9E:xx:xx
add address=192.168.3.98 interface=bridge mac-address=00:0C:29:A2:xx:xx
/ip cloud
set ddns-enabled=yes
/ip dhcp-client
add !dhcp-options interface=wlan1 use-peer-dns=no
add disabled=no interface=ether5 use-peer-dns=no
/ip dhcp-server lease
add address=192.168.3.95 client-id=1:be:81:b0:xx:xx:x comment=pfSense-proxmox \
    mac-address=BE:81:B0:xx:xx:xx server=dhcp1
add address=192.168.3.100 client-id=1:44:8a:5b:xx:xx:xx comment="My PC" \
    mac-address=44:8A:5B:xx:xx:xx server=dhcp1
add address=192.168.3.98 client-id=\
    ff:2b:94:34:c1:0:2:0:0:ab:11:8:49:9a:b0:18:xx:xx:4 mac-address=\
    00:0C:29:xx:xx:xx server=dhcp1
add address=192.168.3.92 client-id=\
    ff:6f:8c:c7:3d:0:2:0:0:ab:11:b9:3:74:6:5f:xx:xx:xx comment=pihole-proxmox \
    mac-address=3E:E7:2A:xx:xx:xx server=dhcp1
add address=192.168.3.99 client-id=1:20:cf:30:17:xx:xx comment=Asus \
    mac-address=20:CF:30:xx:xx:xx server=dhcp1
add address=192.168.3.10 client-id=\
    ff:24:72:xx:xx:0:2:0:0:ab:11:71:c2:b8:e4:bd:28:xx:xx comment=\
    "Ubuntu 20.4 netbook" mac-address=xx:75:08:xx:xx:xx server=dhcp1
add address=192.168.3.15 client-id=1:c0:ee:fb:34:97:xx comment="Oneplus One" \
    mac-address=C0:EE:FB:xx:xx:xx server=dhcp1
add address=192.168.3.16 client-id=1:0:26:ab:39:xx:xx comment=\
    "Stampante Epson" mac-address=00:26:AB:39:xx:xx server=dhcp1
add address=192.168.3.18 client-id=1:c8:c7:50:56:xx:xx comment=Moto \
    mac-address=xx:xx:50:xx:xx:xx server=dhcp1
add address=192.168.3.20 client-id=1:78:ab:xx:4d:24:33 comment=\
    "TV" mac-address=xx:xx:xx:4D:xx:xx \
    server=dhcp1
/ip dhcp-server network
add address=192.168.3.0/24 comment=defconf dns-server=1.1.1.2,1.0.0.2 \
    gateway=192.168.3.1
/ip dns
set servers=1.1.1.2,1.0.0.2
/ip dns static
add address=192.168.88.1 comment=defconf name=router.lan
add address=192.168.3.95 comment=pfsense-proxmox name=pfsense.localdomain
add address=192.168.3.93 name=cloxx.xxxxnetwork.xxxxx.org
/ip firewall address-list
add address=192.168.3.1 list=DNSForward
add address=192.168.3.100 list=Server-IPs
add address=192.168.3.18 list=Server-IPs
add address=192.168.3.20 list=Server-IPs
add address=192.168.3.99 list=Server-IPs
/ip firewall filter
add action=drop chain=forward comment="blocking webpage via tls" disabled=yes \
    in-interface=bridge protocol=tcp tls-host=*facebook*
add action=drop chain=forward comment=\
    "Block every IPs to Server but Server IPs" connection-state=new \
    dst-address=192.168.3.10 log=yes src-address-list=!Server-IPs
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
    connection-state=established,related
add action=accept chain=forward dst-address-list=WAN src-address-list=LAN
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=drop chain=input connection-state="" dst-port=80 \
    in-interface-list=WAN log=yes protocol=tcp
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid log=yes
add action=accept chain=input comment="defconf: accept established,related" \
    connection-state=established,related
add action=drop chain=input icmp-options=8:0-255 in-interface-list=WAN \
    protocol=icmp
add action=accept chain=input comment="defconf: accept ICMP" limit=1,5:packet \
    protocol=icmp
add action=accept chain=input comment="From pfsense LAN" log=yes src-address=\
    192.168.5.0/24
add action=accept chain=input comment=\
    "defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=accept chain=input comment="allow OpenVPN" disabled=yes \
    dst-port=1194 protocol=tcp
add action=accept chain=input comment="allow OpenVPN" disabled=yes \
    dst-port=1195 protocol=tcp
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
    ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
    ipsec-policy=out,ipsec
add action=accept chain=forward comment="defconf: accept established,related" \
    connection-state=established,related
# no interface
add action=accept chain=input comment="From OpenVPN interface" in-interface=\
    *F00000 log=yes
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
    in-interface-list=!LAN log=yes
add action=drop chain=forward comment=\
    "defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
    connection-state=new in-interface-list=WAN log=yes
add action=drop chain=forward comment="Drop all else" disabled=yes
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" disabled=yes \
    ipsec-policy=out,none out-interface=ether5
add action=src-nat chain=srcnat out-interface-list=WAN src-address=\
    192.168.3.0/24 to-addresses=192.168.1.11
add action=src-nat chain=srcnat log=yes log-prefix=dd-wrt out-interface=\
    ether5 src-address=192.168.3.0/24 to-addresses=192.168.9.139
# lte1 not ready
add action=masquerade chain=srcnat out-interface=*A
add action=dst-nat chain=dstnat comment="wireguard on Lubuntu" disabled=yes \
    dst-port=51820 log=yes protocol=udp to-addresses=192.168.3.99 to-ports=\
    51820
add action=dst-nat chain=dstnat comment="nginx vm" disabled=yes dst-address=\
    192.168.1.11 dst-port=443 log=yes protocol=tcp to-addresses=192.168.3.93 \
    to-ports=443
add action=dst-nat chain=dstnat comment="nginx vm" disabled=yes dst-address=\
    192.168.1.11 dst-port=80 log=yes protocol=tcp to-addresses=192.168.3.93 \
    to-ports=80
add action=dst-nat chain=dstnat comment="OpenVPN on pfsense" disabled=yes \
    dst-port=1194 protocol=udp to-addresses=192.168.3.95 to-ports=1194
add action=dst-nat chain=dstnat disabled=yes dst-port=22448 \
    in-interface-list=WAN protocol=tcp to-addresses=192.168.3.100 to-ports=\
    22448
add action=dst-nat chain=dstnat disabled=yes dst-port=xxxxx \
    in-interface-list=WAN protocol=udp to-addresses=192.168.3.100 to-ports=\
    14922
add action=dst-nat chain=dstnat comment="Pi-hole Proxmox" disabled=yes \
    dst-address=!192.168.3.92 dst-port=53 log=yes protocol=udp src-address=\
    !192.168.3.92 to-addresses=192.168.3.92
add action=dst-nat chain=dstnat disabled=yes dst-address=!192.168.3.92 \
    dst-port=53 log=yes protocol=tcp src-address=!192.168.3.92 to-addresses=\
    192.168.3.92
add action=masquerade chain=srcnat disabled=yes dst-address=192.168.3.92 \
    dst-port=53 log=yes protocol=udp src-address=192.168.3.0/24
add action=masquerade chain=srcnat disabled=yes dst-address=192.168.3.92 \
    dst-port=53 log=yes protocol=tcp src-address=192.168.3.0/24
add action=dst-nat chain=dstnat comment=Transmission disabled=yes dst-port=\
    51xxx in-interface-list=WAN log=yes protocol=tcp to-addresses=\
    192.168.3.94 to-ports=51413
add action=dst-nat chain=dstnat comment=emule disabled=yes dst-port=98xx \
    in-interface-list=WAN log=yes protocol=tcp to-addresses=192.168.3.100 \
    to-ports=9835
add action=dst-nat chain=dstnat disabled=yes dst-port=41525 \
    in-interface-list=WAN log=yes protocol=udp to-addresses=192.168.3.100 \
    to-ports=41525
/ip route
add check-gateway=ping comment=Primary distance=1 gateway=8.8.8.8
add comment="Validate Primary" distance=1 dst-address=8.8.8.8/32 gateway=\
    192.168.1.1 scope=10
add distance=1 dst-address=192.168.5.0/24 gateway=192.168.3.95
add distance=1 dst-address=192.168.6.0/24 gateway=192.168.3.95
/ip service
set telnet disabled=yes
set ftp disabled=yes
set www address=192.168.3.0/24
set api disabled=yes
set api-ssl disabled=yes
/ppp secret
add name=vpn_user profile=ovpn service=ovpn
/snmp
set trap-target=0.0.0.0 trap-version=2
/system clock
set time-zone-name=Europe/
/system identity
set name=hometik
/system logging
add topics=dhcp
/system ntp client
set enabled=yes primary-ntp=193.204.114.105 secondary-ntp=193.204.114.233
/system routerboard mode-button
set enabled=yes on-event=\
    "/interface wireless set wlan2 disabled=(![get wlan2 disabled])"
/system scheduler
add interval=30s name=DNSscript on-event=":local currentDNS [/ip dns get serve\
    r]\r\
    \n:local piholeDNS \"192.168.3.12\"\r\
    \n:local backupDNS \"1.1.1.2,1.0.0.2\"\r\
    \n:local testDomain \"www.google.com\"\r\
    \n\r\
    \n:if (\$currentDNS = \$piholeDNS) do={\r\
    \n    :do {\r\
    \n        :resolve \$testDomain server \$piholeDNS\r\
    \n    } on-error={\r\
    \n        /ip dns set servers=\$backupDNS\r\
    \n        /ip dhcp-server network set [find] dns-server=\$backupDNS;\r\
    \n    }\r\
    \n} else={\r\
    \n    :do {\r\
    \n        :resolve \$testDomain server \$piholeDNS\r\
    \n        /ip dns set servers=\$piholeDNS\r\
    \n        /ip dhcp-server network set [find] dns-server=\$piholeDNS;\r\
    \n    } on-error={}\r\
    \n}" policy=\
    ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon \
    start-date=aug/15/2020 start-time=07:59:53
/tool bandwidth-server
set authenticate=no
/tool graphing interface
add interface=ether1
/tool graphing queue
add allow-address=192.168.3.100/32
/tool graphing resource
add
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN

As you can see, many rules are disabled. I often experiment with things in my home LAB for learning purpose .

Thanks

sindy · January 22, 2022, 5:23pm

Given the position of the rule in the chain, and given that it counts and logs, I’d assume that those clients that can reach the server although they are not in the address-list are in the same subnet like the server, so the send packets to the server directly, not via the router.

If the above is not the case, it could be that connections established before you’ve added the rule continue working but new ones cannot establish - the rule matches on connection-state=new, so it ignores mid-connection packets.

anav · January 22, 2022, 5:24pm

In general your firewall rules are a mess and the biggest heartache is the improper order of rules and also the fact that they are not clearly grouped together all the input and all the forward etc..

What the heck are you trying to say or do with this rule???
add action=drop chain=forward comment=
“Block every IPs to Server but Server IPs” connection-state=new
dst-address=192.168.3.10 log=yes src-address-list=!Server-IPs

Why are you allowing port 80 inbound on the INPUT chain??

What is the purpose of these two rules: Doesnt the second rule already include the first rule so the first one would not be necessary??
add action=accept chain=input comment=“From pfsense LAN” log=yes src-address=
192.168.5.0/24
add action=drop chain=input comment=“defconf: drop all not coming from LAN”
in-interface-list=!LAN log=yes

Same question on these two… The second rule drops ALL else, why bother with the dropping on the first rule just make it ALLOW connections for connection-nat-state.
add action=drop chain=forward comment=
“defconf: drop all from WAN not DSTNATed” connection-nat-state=!dstnat
connection-state=new in-interface-list=WAN log=yes
add action=drop chain=forward comment=“Drop all else” disabled=yes

The only source nat entry I sorta understand is the first one… (assuming ether5 is the name of your wan interface)
Can you tell me the purpose of the others??

Destination NAT rules, missing dst-address=fixed public IP, On first rule, but what the heck are you doing a port forward for wireguard here ???

broderick · January 22, 2022, 5:42pm

I know that they look a mess. I told you that I am experimenting with my Home LAB. Anyway, most of them have always worked as I expected

What the heck are you trying to say or do with this rule???
add action=drop chain=forward comment=
“Block every IPs to Server but Server IPs” connection-state=new
dst-address=192.168.3.10 log=yes src-address-list=!Server-IPs

I’d want to block any connection attempts coming from IPs in my LAN other than those in my server-IPs list (my own devices basically)

Why are you allowing port 80 inbound on the INPUT chain??

It is actually a block rule and I don’t even remember the reason why it is still there, but i don’t think it has anything to do withy my problem.

What is the purpose of these two rules: Doesnt the second rule already include the first rule so the first one would not be necessary??
add action=accept chain=input comment=“From pfsense LAN” log=yes src-address=
192.168.5.0/24
add action=drop chain=input comment=“defconf: drop all not coming from LAN”
in-interface-list=!LAN log=yes

Same question on these two… The second rule drops ALL else, why bother with the dropping on the first rule just make it ALLOW connections for connection-nat-state.
add action=drop chain=forward comment=
“defconf: drop all from WAN not DSTNATed” connection-nat-state=!dstnat
connection-state=new in-interface-list=WAN log=yes
add action=drop chain=forward comment=“Drop all else” disabled=yes

The only source nat entry I sorta understand is the first one… (assuming ether5 is the name of your wan interface)
Can you tell me the purpose of the others??

Destination NAT rules, missing dst-address=fixed public IP, On first rule, but what the heck are you doing a port forward for wireguard here ???

Again, I can’t see how this setup above has anything to do with my problem, sorry.

Thanks

broderick · January 22, 2022, 5:51pm

Yes, they are in the same subnet like the server. I’d like to know if I can block IPs of devices that connect to my LAN occasionally, without setting VLANs or separate an ethernet port from the bridge and set a different subnet on it, then create rules to block unwanted traffic coming from it. Thanks

anav · January 22, 2022, 6:01pm

Still dont understand what you are trying to accomplish and why…

You have one subnet.
You wish to block segments of that subnet (some users within the same LAN ) from accessing your servers also on the LAN
You would prefer not to have to create different subnets or create vlans to separate those users off the lan to achieve that separation.
It would be accurate to say that the only LANIPs that you want connecting to the servers are the ones associated with your PC/laptop/smartphone/ipad etc…

Is that about right??

sindy · January 22, 2022, 6:14pm

You can, but it’s not the way it is usually done

The traffic to the server from devices in the same subnet can be blocked using /interface bridge filter rules or, because your Mikrotik model supports that, using /interface ethernet switch rule rules. To make this possible, the server must be connected to another Ethernet port of your Mikrotik device than the devices you want to prevent from accessing the server.

The bridge “firewall” cannot be made stateful like the IP one, i.e. no connection-state can be tracked and referred to in rules, and address-list matching is also not supported. Besides, if you want to use /interface bridge filter rules, you have to disable switch chip forwarding at least on the port to which the server is connected; if you want to use /interface ethernet switch rule rules, bear in mind that they are matched as the frame enters the switch chip, i.e. you must hook them to all ports of the bridge except the one to which the server is connected. Switch chip rules work at wirespeed, but their number is very limited (30 if I remember correctly).

broderick · January 23, 2022, 12:21am

broderick · January 23, 2022, 12:42am

Yes, right. I’ve realized that there is nothing to “forward” really on the same subnet; my bad.
I know that I could have created a different subnet on a separate (from the bridge) ethernet port, then set rules on it. VLANs is not an option now. I’m going to use VLANs when I buy a vlan-capable switch to connect to my Mikrotik.
As they said, there would be another way to accomplish that by enabling "use IP firewall” on the port, but it would put more stress on the CPU. I don’t think it si worth it.
So, for the time being at least, a separate port from the bridge with a new subnet on it is probably the best way to go.
Setting firewall rules directly on the linux server accepting only a list of IPs would be a different, yet still effective way to reach my purpose maybe.
Thanks

broderick · January 23, 2022, 12:55am

Are you talking about the "“use IP firewall” in the bridge setting?

The bridge “firewall” cannot be made stateful like the IP one, i.e. no > connection-state > can be tracked and referred to in rules, and > address-list > matching is also not supported.

Yes, I got it now.

Besides, if you want to use > /interface bridge filter > rules, you have to disable switch chip forwarding at least on the port to which the server is connected; if you want to use > /interface ethernet switch rule > rules, bear in mind that they are matched as the frame enters the switch chip, i.e. you must hook them to all ports of the bridge except the one to which the server is connected. Switch chip rules work at wirespeed, but their number is very limited (30 if I remember correctly).

Understood, but it isn’t worth it, I guess.

I think I’ll separate an ethernet port from the bridge and set a new subnet on it. Thanks