No DNS when using default filter

Didn’t have much luck searching for this issue since every posted config contains this, so I hope you don’t mind me posting this.

Odd problem with one of my clients. I couldn’t Winbox to the HEX router via DNS.

Turns out the IP/Cloud was not working and system/packages wouldn’t check for updates.

After troubleshooting, I found that this default entry in the filter was the issue. Or, at least when I disabled it, everything works.

10 ;;; defconf: drop all not coming from LAN chain=input action=drop in-interface-list=!LAN log=no log-prefix=""

Not seeing this issue on other routers. I have LAN list entries of the bridge and a capsman bridge I use for public access.

Tom

Input is for connecting with the MikroTik. Is the MikroTik working as DNS server for the connected clients?

If you want more info, please share your complete config (make sure to remove any personal information):

/export file=anynameyoulike

What do you mean connecting to your clients via DNS and winbox?
The only method you should use to connect to client routers is via VPN etc…

Yes default rules block all traffic not coming from the LAN, this is appropriate for the default setup.
If you wish to permit incoming VPN traffic then you make an input rule prior to this as appropriate (such as wireguard port).

Did you somehow lose the default rule that accepts established, related and untracked connections? It's also in the input chain, somewhere before this drop rule, and takes care of allowing responses to connections initiated by the router.
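As an added illustration (not the poster's config or a quote from the thread), here is the stock defconf input chain with the accept rule in its required position ahead of the drop rule, plus the command to re-insert it on a router where it has gone missing; the rule comments follow the RouterOS defaults and `<drop-rule-number>` is a placeholder for the drop rule's index on your router.

```routeros
# Added example, not the poster's config. The input chain needs the
# "accept established,related,untracked" rule *before* the defconf drop,
# otherwise replies to the router's own outbound lookups (DNS, IP/Cloud,
# update checks) are dropped together with unsolicited WAN traffic.
/ip firewall filter
# 0: allow return traffic for connections the router itself initiated
add chain=input action=accept connection-state=established,related,untracked \
    comment="defconf: accept established,related,untracked"
# 1: drop packets that connection tracking cannot match to any connection
add chain=input action=drop connection-state=invalid \
    comment="defconf: drop invalid"
# 2: let hosts ping the router
add chain=input action=accept protocol=icmp comment="defconf: accept ICMP"
# 3: the rule from the thread; only safe once rule 0 exists above it
add chain=input action=drop in-interface-list=!LAN \
    comment="defconf: drop all not coming from LAN"

# Check the ordering: the accept rule must list with a lower index than the drop
/ip firewall filter print where chain=input

# If the accept rule is missing on a router that already has the drop rule,
# insert it ahead of the drop instead of appending it after (where it would
# never be reached). Replace <drop-rule-number> with the drop rule's index.
/ip firewall filter add chain=input action=accept \
    connection-state=established,related,untracked \
    place-before=<drop-rule-number> \
    comment="defconf: accept established,related,untracked"
```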

SOB, you nailed it. That rule was somehow missing.

Great catch, thanks all for responding.