I have a MikroTik CCR1009 with 8 ethernet ports + 2 SFP ports.
Ether1 is WAN and Ether8 is LAN.
When I apply rule 13 below, everything stops working for the clients inside the LAN.
I can connect to the public IP of Ether1 and connect to the web server at port 5001 without a problem.
My goal is to be able to start a new connection inside my LAN behind Ether8 and be able to surf the web.
I also have a server at IP 10.10.10.5 but that part is working as it should.
The rules are copied from this thread: http://forum.mikrotik.com/t/firewall-rules/69251/1
A rule with both connection-state=established and in-interface=ether8 allows packets of established connections that come from ether8. Packets, not connections. But packets for established connections need to go both ways. If you enable your rule 13, it makes sure that no connection from LAN can be established.
The solution is to remove in-interface from rules with connection-state=established/related (rules 7, 8, 11, 12). And you probably want to move these rules to the top before everything else, since they’re going to be the most used ones.
And rule 9 does not match the description either. It blocks everything from LAN, but nothing will ever hit it, because all packets will be caught by rules 6-8. So it looks like you don’t want in-interface=ether8 there either.
I was looking at the MikroTik forum regarding the firewall queues and noticed this:
input - used to process packets entering the router through one of the interfaces with the destination IP address which is one of the router’s addresses. Packets passing through the router are not processed against the rules of the input chain
forward - used to process packets passing through the router
output - used to process packets originated from the router and leaving it through one of the interfaces. Packets passing through the router are not processed against the rules of the output chain
Since I only use forward except for rule 0, nothing will block access to the router in any way, right?
Thank you for the information regarding the firewall rules.
I’m actually working with firewalls daily, but every brand has its own way of doing and matching firewall rules.
This is my ruleset today for both IPv4 and IPv6. If something is wrong, please tell me.
RouterOS firewall is basically Linux iptables, same logic applies. Default policy is set to accept, so unless you block something, it’s allowed.
With your rules, I don’t see anything I’d call wrong, but there’s always something that can be done differently. Based on what I usually do:
I would slightly reorder them to have most used first (e.g. established & related #3 is going to be the most used one by far).
You might add in-interface= for new connections from LAN, to be absolutely sure that no one can do anything bad from outside, although the possibility of that is more theoretical.
In case of IPv4, you could probably replace all specific rules #4-13 for individual ports by just one with connection-nat-state=dstnat (assuming those are port forwards done at this router). On the other hand, counters for individual rules are nice too, and if you have only a few of them, you don’t need to worry much about optimization.
For IPv4, you probably don’t need the allow ICMP rule #1. Requests from LAN (and replies) are covered by the allow LAN rule #2. And unless you’re part of some larger LAN, you don’t need to allow incoming ones (nobody needs to be able to ping 10.0.0.0/8 from outside). But again, chances of it actually happening are very low.
Little filtering of input also doesn’t hurt. Allow established & related, drop invalid, allow icmp, allow ports for services (winbox, ssh, …) you need and from where you need them, drop the rest.
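A RouterOS ruleset laid out in the order the reply above suggests, as an added example that nobody in the thread posted. It assumes ether1 is WAN and ether8 is LAN as in the original post, that port forwards are dst-nat rules on this same router, and that WinBox (8291) and SSH (22) are the only management services needed; adjust the ports to what you actually run.

```routeros
# forward chain: traffic passing through the router (LAN <-> WAN)
/ip firewall filter
# Most used rule first. No in-interface here: reply packets of an
# established connection arrive on ether1, not ether8, and would
# otherwise never match (the problem with rule 13 in the thread).
add chain=forward connection-state=established,related action=accept \
    comment="accept established/related, both directions"
add chain=forward connection-state=invalid action=drop \
    comment="drop invalid"
# Only new connections started from the LAN side are allowed out.
add chain=forward connection-state=new in-interface=ether8 action=accept \
    comment="allow new connections from LAN"
# One rule covers every port forward instead of one rule per port;
# it matches only packets that a dst-nat rule has already rewritten.
add chain=forward connection-nat-state=dstnat in-interface=ether1 \
    connection-state=new action=accept comment="allow port forwards"
add chain=forward action=drop comment="drop everything else in forward"

# input chain: traffic addressed to the router itself
add chain=input connection-state=established,related action=accept \
    comment="accept established/related to router"
add chain=input connection-state=invalid action=drop \
    comment="drop invalid to router"
add chain=input protocol=icmp action=accept comment="allow ICMP"
# Management only from the LAN interface (assumed ports: WinBox, SSH).
add chain=input protocol=tcp dst-port=8291,22 in-interface=ether8 \
    action=accept comment="allow WinBox/SSH from LAN"
add chain=input action=drop comment="drop everything else to router"
```

Check the counters with `/ip firewall filter print stats` after a few minutes of normal use; the established/related rules should show by far the highest packet counts, which confirms the ordering is doing its job.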