Questions about firewall and NAT

Hi all,

Just purchased a bunch of RouterBoards (including some CloudCore units) and am getting started with these units and OS. I’ve spent the last couple of weeks reading (including the RouterOS by example book) and watching countless hours of video tutorials provided by various members of the MikroTik community (BTW thanks to all who put these out!).

Here’s where I’m at: I started playing with one of the RB2011UAS-2HD-IN that I got in and have it all set up. I just want to verify that my firewall is configured properly.

Here is a print of the firewall filter list:

 0 X ;;; RouterOS By Example
     chain=input action=drop connection-state=invalid 

 1 X chain=forward action=drop connection-state=invalid 

 2 X chain=input action=accept protocol=tcp dst-address=xx.xx.xx.xx 
     in-interface=ether1-gateway dst-port=80 

 3 X chain=input action=accept src-address-list=MyLAN 

 4 X chain=input action=accept connection-state=established 

 5 X chain=input action=drop 

 6 X chain=forward action=accept connection-state=new src-address-list=MyLAN 

 7 X chain=forward action=accept connection-state=related 

 8 X chain=forward action=accept connection-state=established 

 9 X chain=forward action=drop 

10   ;;; default configuration
     chain=input action=drop connection-state=invalid 

11   ;;; default configuration
     chain=forward action=drop connection-state=invalid 

12   ;;; default configuration
     chain=input action=accept protocol=icmp 

13   ;;; default configuration
     chain=input action=accept connection-state=established 

14   ;;; default configuration
     chain=input action=accept connection-state=related 

15   ;;; default configuration
     chain=input action=drop in-interface=ether1-gateway

If I try to use filters 1 through 9 instead of 10 through 15, all of my port forwarding in the NAT table is blocked. I’m assuming this is because I will need to add explicit filter entries here to allow the traffic on the needed ports to continue through the firewall. The big question is, which chain (forward or input), and then which action to take?

Also, are the entries that I currently have active (10 - 15) the normal method where RouterOS is concerned?

Any insight or thoughts would be appreciated.

Again, a big thanks to the community at large for all the training and example materials. They’ve been a HUGE help.

Thanks,
Ken

Yes - the NAT entries will typically need corresponding forward chain entries to actually allow the traffic through, so as you close down the forward side you need to add explicit accept entries to permit the forwarding for the NAT entries.

The input chain affects traffic to the router itself. The forward chain affects the traffic routing through the router.
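To make the reply above concrete, here is an added example (not from the thread or from MikroTik) of the strict forward chain from the posted rule set with the missing accept rule for dst-nat'd port forwards. It assumes RouterOS 6 or newer (for the connection-nat-state matcher), and ether1-gateway, the MyLAN address list and the 192.168.88.10 web server address are placeholder values.

```routeros
# Added example, not from the original post: keeps the strict "forward" chain
# (rules 6-9 in the print) but lets traffic that matched a dst-nat rule through.
# Assumed placeholders: WAN interface ether1-gateway, address list MyLAN,
# internal web server 192.168.88.10. Requires RouterOS 6 or newer.

# Port forward: TCP/80 arriving on the WAN interface -> internal web server.
/ip firewall nat
add chain=dstnat in-interface=ether1-gateway protocol=tcp dst-port=80 \
    action=dst-nat to-addresses=192.168.88.10 to-ports=80 \
    comment="forward public :80 to internal web server"

/ip firewall filter
# Drop invalid packets first, as in the original rule set.
add chain=forward action=drop connection-state=invalid
# Anything the LAN starts is allowed out.
add chain=forward action=accept connection-state=new src-address-list=MyLAN
# Replies and related traffic for connections that were already accepted.
add chain=forward action=accept connection-state=established,related
# The missing piece: a new connection from the WAN is accepted only when the
# dstnat chain has already rewritten its destination, i.e. it hit a port forward.
add chain=forward action=accept connection-state=new \
    connection-nat-state=dstnat in-interface=ether1-gateway \
    comment="allow only dst-nat'd port forwards in from WAN"
# Everything else being forwarded is dropped, so no internal host is reachable
# from the WAN unless a NAT rule explicitly points at it.
add chain=forward action=drop
```

With this ordering every port forward added to the NAT table is permitted by the single dstnat accept rule, while new connections from the WAN that match no NAT rule still fall through to the final drop; the input chain rules (10-15 in the print) are unaffected because they only govern traffic addressed to the router itself.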

Thanks a bunch. I’ll give it a whirl.

Ken