/ip firewall filter> print customer
Flags: X - disabled, I - invalid, D - dynamic
0 ;;; Drop invalid connection packets
chain=customer action=drop connection-state=invalid
1 ;;; Allow established connections
chain=customer action=accept connection-state=established
2 ;;; Allow related connections
chain=customer action=accept connection-state=related
3 ;;; Log dropped connections
chain=customer action=log log-prefix="customer_drop"
4 ;;; Drop and log everything else
chain=customer action=drop
/ip firewall filter> print forward
Flags: X - disabled, I - invalid, D - dynamic
2 ;;; allow established connections
chain=forward action=accept connection-state=established
3 ;;; allow related connections
chain=forward action=accept connection-state=related
4 ;;; drop invalid connections
chain=forward action=drop connection-state=invalid
5 ;;; jump to the virus chain
chain=forward action=jump jump-target=virus
6 chain=forward action=jump jump-target=customer in-interface=Public
9 ;;; allow ping
chain=forward action=accept protocol=icmp
10 ;;; allow udp
chain=forward action=accept protocol=udp
11 X ;;; drop everything else
chain=forward action=drop
Why, when I enable rule 11, can't I access the Internet? I'm asking because I use a jump from forward to customer (see rule 6), and under chain customer I use drop everything else (see rule 4), but I can still access the Internet, so I'm confused about this. Please explain.
Thanks!!!
If I'm not mistaken, enabling rule 11 makes all traffic from your LAN unable to pass through the router box. You must add at least one rule to filter your LAN requests.
example : /ip firewall filter add chain=forward src-address=xxx.xxx.xxx.xxx in-interface=ether-LAN action=accept
note:
move this rule to number 10 or place it before "drop everything else"
xxx.xxx.xxx.xx = your LAN IP range
ether-LAN = your interface card connected directly to the LAN
You're right, and that's why I'm confused between the two configs above. If I add a TCP port before drop everything else it will work, but why in the first config doesn't a TCP port need to be added?
4 ;;; Drop and log everything else
chain=customer action=drop <— Drop everything
Problem: where are the allow rules that let TCP packets pass through? For example, if you want the LAN to be able to go to web pages, then you need a rule for TCP port 80 to be allowed. Then you also have to remember that most users won't know the IP address of websites, so they need to be able to DNS query the IP addresses. So you will need another rule for that.
Does that make sense? With the rules you have now you are basically only allowing established and related traffic to pass, nothing new.
If I only use the rules above that you mention, I don't need to add anything else and it will work fine; but if I add rule 11 X ;;; drop everything else
chain=forward action=drop
then I have to add TCP port 80 or other ports. I'm confused about why in the first one there is a rule "drop everything else" but they don't need to set up ports. Thanks
Because with rule 11 disabled, your router firewall is in a state of accepting all traffic that is not filtered by your firewall list.
As "mneumark" said, you must define rules to control "new" connections, not only established or related ones. You are missing that.
Your request to the Internet is defined as "new" state and must be accepted by the firewall.
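As an added illustration (not part of the original thread and not MikroTik's own code), the Python model below walks packets through the forward and customer chains exactly as printed above and reproduces the behaviour the thread argues about: first matching rule wins, a jump returns to the calling chain when the target chain ends without a verdict, log is non-terminal, and a packet that falls off the end of the built-in forward chain is accepted by default. That default is why a new LAN connection passes while rule 11 is disabled even though the customer chain ends in drop (the jump in rule 6 only fires for in-interface=Public), and why enabling rule 11 blocks it until an accept for new LAN traffic is placed before it. The virus chain is not shown on the page and is left out; the LAN interface name "ether-LAN", the prefix 192.168.88.0/24 and the sample packets are assumptions constructed for the example.

```python
"""Model of RouterOS /ip firewall filter evaluation for the chains in the thread
(added example, not MikroTik's code). Interface "ether-LAN" and 192.168.88.0/24
are assumed; the virus chain from rule 5 is not on the page and is omitted."""

import ipaddress
from dataclasses import dataclass, field
from typing import Dict, List, Optional


@dataclass
class Packet:
    state: str          # connection-state: new / established / related / invalid
    in_interface: str   # e.g. "Public" or "ether-LAN"
    src: str            # source IPv4 address
    protocol: str       # tcp / udp / icmp


@dataclass
class Rule:
    chain: str
    action: str                           # accept / drop / jump / log
    match: Dict[str, str] = field(default_factory=dict)
    jump_target: Optional[str] = None
    log_prefix: str = ""
    disabled: bool = False                # the "X" flag in the print output


def matches(rule: Rule, pkt: Packet) -> bool:
    """Every matcher present on the rule must hold; absent matchers match anything."""
    m = rule.match
    if "state" in m and pkt.state != m["state"]:
        return False
    if "in_interface" in m and pkt.in_interface != m["in_interface"]:
        return False
    if "protocol" in m and pkt.protocol != m["protocol"]:
        return False
    if "src" in m and ipaddress.ip_address(pkt.src) not in ipaddress.ip_network(m["src"]):
        return False
    return True


def walk(rules: List[Rule], chain: str, pkt: Packet, log: List[str]) -> Optional[str]:
    """Return 'accept' or 'drop' when a terminal rule fires, None when the chain ends."""
    for r in rules:
        if r.chain != chain or r.disabled or not matches(r, pkt):
            continue
        if r.action == "log":
            log.append(f"{r.log_prefix}: {pkt.protocol} from {pkt.src} "
                       f"in:{pkt.in_interface} state:{pkt.state}")
            continue                      # log never ends evaluation
        if r.action == "jump":
            verdict = walk(rules, r.jump_target, pkt, log)
            if verdict is not None:
                return verdict
            continue                      # target chain fell through: resume here
        return r.action                   # accept / drop are terminal
    return None


def filter_packet(rules: List[Rule], pkt: Packet, log: Optional[List[str]] = None) -> str:
    """Built-in chains have an implicit accept: a packet nothing matched is forwarded."""
    verdict = walk(rules, "forward", pkt, log if log is not None else [])
    return verdict if verdict is not None else "accept"


def page_rules(drop_everything_enabled: bool, allow_lan_new: bool = False) -> List[Rule]:
    """The forward and customer chains from the thread, in printed order."""
    forward = [
        Rule("forward", "accept", {"state": "established"}),
        Rule("forward", "accept", {"state": "related"}),
        Rule("forward", "drop", {"state": "invalid"}),
        Rule("forward", "jump", {"in_interface": "Public"}, jump_target="customer"),
        Rule("forward", "accept", {"protocol": "icmp"}),
        Rule("forward", "accept", {"protocol": "udp"}),
    ]
    if allow_lan_new:
        # The fix proposed in the thread, placed before "drop everything else":
        # /ip firewall filter add chain=forward connection-state=new \
        #     in-interface=ether-LAN src-address=192.168.88.0/24 action=accept
        forward.append(Rule("forward", "accept",
                            {"state": "new", "in_interface": "ether-LAN",
                             "src": "192.168.88.0/24"}))
    forward.append(Rule("forward", "drop", disabled=not drop_everything_enabled))  # rule 11
    customer = [
        Rule("customer", "drop", {"state": "invalid"}),
        Rule("customer", "accept", {"state": "established"}),
        Rule("customer", "accept", {"state": "related"}),
        Rule("customer", "log", log_prefix="customer_drop"),
        Rule("customer", "drop"),
    ]
    return forward + customer


# Constructed sample packets: a LAN host opening a web connection, and an
# unsolicited connection arriving on the Public interface.
LAN_WEB = Packet("new", "ether-LAN", "192.168.88.10", "tcp")
INET_NEW = Packet("new", "Public", "203.0.113.5", "tcp")


def scenarios() -> Dict[str, str]:
    """Verdicts for the configurations discussed in the thread."""
    return {
        "rule11_off/lan": filter_packet(page_rules(False), LAN_WEB),
        "rule11_off/inet": filter_packet(page_rules(False), INET_NEW),
        "rule11_on/lan": filter_packet(page_rules(True), LAN_WEB),
        "rule11_on+allow/lan": filter_packet(page_rules(True, allow_lan_new=True), LAN_WEB),
        "rule11_on+allow/inet": filter_packet(page_rules(True, allow_lan_new=True), INET_NEW),
    }


if __name__ == "__main__":
    for name, verdict in scenarios().items():
        print(f"{name:24s} {verdict}")
```

Running it shows the LAN packet accepted with rule 11 disabled, dropped once rule 11 is enabled, and accepted again only when the new-connection accept rule sits before it; the Public-side packet is dropped (and logged with the customer_drop prefix) in every configuration, because the jump in rule 6 sends only in-interface=Public traffic into the customer chain.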