Packets bypassing firewall

Hello all,

We’ve got the issue described in the thread below on one of our sites.
http://forum.mikrotik.com/t/looking-up-cloud-mikrotik-com-every-second/122751/1

Detect-internet was somehow enabled, which led to spamming DNS requests on one of the WAN interfaces.
Thing is, because this is a completely restricted backup WAN connection, there are firewall rules on the output chain that block all traffic apart from specific whitelisted traffic.

/ip firewall filter
add action=accept chain=input protocol=tcp src-address-list=API
add action=accept chain=output dst-address-list=API dst-port=53,1701 protocol=udp
add action=accept chain=output dst-address-list=API dst-port=80,443 protocol=tcp
add action=accept chain=output out-interface=ether3 protocol=udp src-port=1701
add action=accept chain=output out-interface=ether3 protocol=tcp src-port=80,8291
add action=drop chain=output out-interface=ether3

Does Detect Internet traffic bypass the firewall?

Are you sure you’re using the correct firewall chain?

  • chain=input: traffic for which router itself is end destination
  • chain=output: traffic generated by router itself
  • chain=forward: traffic passing through the router in any direction. Mind that the firewall has no notion of which side is “in” and which is “out” … with the default firewall filter rules this distinction is made by extensive use of interface lists; by default there are lists “LAN” and “WAN”.

And keep in mind that there’s an implicit “action=accept” at the end of all rules so if you want to block some traffic, you need to block it explicitly using some more or less specific firewall rule.

Also be sure you understand the meaning of src-address vs. dst-address in a given context. (A hint: it’s about the contents of the IP header of a packet examined by a firewall rule; it doesn’t have anything to do with the imaginary direction of a whole connection.) The only part where the whole-connection context gets into play is if a firewall filter rule contains connection-state=XXX.

So if the DNS traffic hitting the backup WAN line originates from the router itself, then use of “chain=output” is correct. If the traffic is generated by some other device which communicates with the backup WAN via the MT, then “chain=forward” is the correct one.

BTW, the option “detect internet” is largely useless and it’s best to disable it unless you fully understand what it’s good for and what the related bells and whistles are.
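To make the chain and first-match semantics described above concrete, here is an added example (my own, not code from the thread or from MikroTik): a small Python evaluator that walks the poster’s output-chain rules in order. The contents of the “API” address list, the packet fields and the destination addresses are constructed assumptions.

```python
from dataclasses import dataclass, field

# Constructed address list standing in for the "API" list from the posted config.
ADDRESS_LISTS = {"API": {"198.51.100.10"}}

@dataclass
class Packet:
    chain: str          # input / output / forward, decided by the packet's path
    proto: str
    dst: str
    dst_port: int
    src_port: int = 0
    out_iface: str = ""

@dataclass
class Rule:
    chain: str
    action: str
    match: dict = field(default_factory=dict)

# The output-chain rules from the posted config, in the same order.
RULES = [
    Rule("output", "accept", {"dst_list": "API", "proto": "udp", "dst_port": {53, 1701}}),
    Rule("output", "accept", {"dst_list": "API", "proto": "tcp", "dst_port": {80, 443}}),
    Rule("output", "accept", {"out_iface": "ether3", "proto": "udp", "src_port": {1701}}),
    Rule("output", "accept", {"out_iface": "ether3", "proto": "tcp", "src_port": {80, 8291}}),
    Rule("output", "drop", {"out_iface": "ether3"}),
]

def matches(rule: Rule, pkt: Packet) -> bool:
    """Every matcher present on the rule must hold; absent matchers match anything."""
    m = rule.match
    if "dst_list" in m and pkt.dst not in ADDRESS_LISTS[m["dst_list"]]:
        return False
    for key, value in (("proto", pkt.proto), ("out_iface", pkt.out_iface)):
        if key in m and value != m[key]:
            return False
    for key, value in (("dst_port", pkt.dst_port), ("src_port", pkt.src_port)):
        if key in m and value not in m[key]:
            return False
    return True

def verdict(rules, pkt: Packet):
    """First matching rule in the packet's chain wins; no match means the implicit accept."""
    for i, r in enumerate(rules):
        if r.chain == pkt.chain and matches(r, pkt):
            return r.action, i
    return "accept", None
```

A router-originated DNS lookup to an address outside the API list on ether3 lands on the final drop rule, whereas the same packet on the forward chain matches no rule at all and is implicitly accepted, which is why a matching forward-chain drop is needed as well.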

Hello mkx,

We don’t ever use the detect-internet feature, not sure how it got enabled.
I’ve posted my firewall rules, at least those related to this interface, and as you can see there are a bunch of accept rules for things we need working and then a drop rule to take care of the implicit accept.

But, it seems that the detect internet rules somehow bypass the firewall. Sniffing on ether3 I can see traffic being sent (and received, but I’m not firewalling the input chain) which should normally be blocked by the filter rules.
Note there’s also a drop rule for everything on the forward chain out this specific interface too, which I didn’t include in my post.

So you’re saying that it should be going through the firewall, as with any traffic generated, correct?

I’m not saying anything, from the config snippet you posted it’s not possible to get the big picture of router config.