RouterOS Firewall setting - not finding the forest amongst all those trees

To all the experts in this forum, I need some help. For a couple of days I have been fiddling around to get my RB2011 configured on my home network. Reading through the WIKI and the forum I got this far: the router does basically what it needs to do, but it is blocking my https access to the internet.
If I deactivate the drop on the forward chain it works, but that shouldn’t be the solution. I am racking my brain, but I can’t find what I am missing. Maybe one of you geniuses can help me out.

Thanks in advance.

Here my config of the router:

/interface bridge
# Two bridges: pv-bridge carries the untagged ports ether7-ether10 plus wlan1
# (192.168.17.0/24), vlan_bridge is the VLAN-aware bridge for vlan1..vlan60.
# NOTE(review): vlan-filtering=yes does not appear on vlan_bridge in this export;
# the RouterOS default is "no", and without it the /interface bridge vlan table
# is not enforced, so tagged frames are not confined to their member ports —
# confirm on the live device.
add name=pv-bridge
add fast-forward=no name=vlan_bridge

/interface ethernet
# ether1 is the WAN uplink, ether6 is a dedicated configuration/management port;
# the unused sfp1 port is disabled (good practice for ports not in use).
set [ find default-name=ether1 ] name=ether1-WAN
set [ find default-name=ether6 ] name=ether6-Config
set [ find default-name=sfp1 ] disabled=yes

/interface vlan
# Routed VLAN interfaces on top of vlan_bridge, one per segment.
# vlan-id=1 is the bridge's default PVID; a later reply in this thread advises
# not carrying user traffic on VLAN 1 and using a separate ID instead.
add interface=vlan_bridge name=vlan1 vlan-id=1
add interface=vlan_bridge name=vlan10-home1 vlan-id=10
add interface=vlan_bridge name=vlan20-home2 vlan-id=20
add interface=vlan_bridge name=vlan30-Gast vlan-id=30
add interface=vlan_bridge name=vlan40-VoIP vlan-id=40
add interface=vlan_bridge name=vlan60-Vsec vlan-id=60


/ip pool
# DHCP address pools, one per segment.
# "dhcp:pool_LAN70" contains a colon where the others use an underscore; it is
# referenced consistently under /ip dhcp-server, so it works, but it looks like
# a typo. dhcp_pool_LAN5 is a single address for the management port.
add name=dhcp_pool_vlan1 ranges=192.168.1.100-192.168.1.200
add name=dhcp_pool_vlan10 ranges=192.168.11.10-192.168.11.99
add name=dhcp_pool_vlan20 ranges=192.168.12.10-192.168.12.99
add name=dhcp_pool_vlan30 ranges=192.168.13.10-192.168.13.99
add name=dhcp_pool_vlan40 ranges=192.168.14.10-192.168.14.20
add name=dhcp_pool_vlan60 ranges=192.168.16.100-192.168.16.200
add name=dhcp:pool_LAN70 ranges=192.168.17.10-192.168.17.20
add name=dhcp_pool_LAN5 ranges=192.168.5.2

/ip dhcp-server
# One DHCP server per interface, bound to the matching pool above.
add address-pool=dhcp_pool_vlan1 disabled=no interface=vlan1 name=dhcp_VLAN1
add address-pool=dhcp_pool_vlan10 disabled=no interface=vlan10-home1 name=dhcp_VLAN10
add address-pool=dhcp_pool_vlan20 disabled=no interface=vlan20-home2 name=dhcp_VLAN20
add address-pool=dhcp_pool_vlan30 disabled=no interface=vlan30-Gast name=dhcp_VLAN30
add address-pool=dhcp_pool_vlan40 disabled=no interface=vlan40-VoIP name=dhcp_VLAN40
add address-pool=dhcp_pool_vlan60 disabled=no interface=vlan60-Vsec name=dhcp_VLAN60
add address-pool=dhcp:pool_LAN70 disabled=no interface=pv-bridge name=dhcp_LAN70
add address-pool=dhcp_pool_LAN5 disabled=no interface=ether6-Config name=dhcp_LAN5

/interface bridge port
# pv-bridge members are plain access ports (no VLAN handling).
add bridge=pv-bridge interface=ether7
add bridge=pv-bridge interface=ether8
add bridge=pv-bridge interface=ether9
add bridge=pv-bridge interface=ether10
add bridge=pv-bridge interface=wlan1–PV
# vlan_bridge members: pvid sets the VLAN assigned to untagged ingress frames.
# ether2 additionally refuses tagged frames (access port for VLAN 60 only).
add bridge=vlan_bridge frame-types=admit-only-untagged-and-priority-tagged interface=ether2 pvid=60
add bridge=vlan_bridge interface=ether3 pvid=10
add bridge=vlan_bridge interface=ether4 pvid=20
add bridge=vlan_bridge interface=ether5 pvid=30
# wlan2-Gast admits only tagged frames, so its pvid is not applied on ingress;
# it is listed as a tagged member of VLAN 30 in /interface bridge vlan.
add bridge=vlan_bridge frame-types=admit-only-vlan-tagged interface=wlan2-Gast pvid=30

/ip neighbor discovery-settings
# Neighbor discovery (MNDP/CDP/LLDP) disabled on every interface, so the router
# does not advertise its identity, version or addresses to adjacent hosts.
set discover-interface-list=none

/interface bridge vlan
# Tagged membership table; untagged members are derived from the port pvid.
# NOTE(review): ether3, ether4 and ether5 each appear as a tagged member of the
# VLAN that is also their pvid (10, 20, 30). A port cannot be both tagged and
# untagged for the same VLAN; check `/interface bridge vlan print` for a
# conflict — this only matters once vlan-filtering is enabled on vlan_bridge.
add bridge=vlan_bridge tagged=vlan_bridge vlan-ids=1
add bridge=vlan_bridge tagged=vlan_bridge,ether3 vlan-ids=10
add bridge=vlan_bridge tagged=vlan_bridge,ether4 vlan-ids=20
add bridge=vlan_bridge tagged=vlan_bridge,ether3,ether5,wlan2-Gast vlan-ids=30
add bridge=vlan_bridge tagged=vlan_bridge,ether3,ether4,ether5 vlan-ids=40
add bridge=vlan_bridge tagged=vlan_bridge,ether3,ether5 vlan-ids=60

/ip address
# Router gateway address for each segment, all /24.
# 192.168.16.0/24 (Vsec) and 192.168.17.0/24 (pv-bridge) lie outside
# 192.168.0.0/20, the range used by the firewall and NAT rules for
# "internet permission"; 192.168.0.0/20 covers 192.168.0.0-192.168.15.255.
add address=192.168.1.1/24 interface=vlan1 network=192.168.1.0
add address=192.168.5.1/24 interface=ether6-Config network=192.168.5.0
add address=192.168.11.1/24 interface=vlan10-home1 network=192.168.11.0
add address=192.168.12.1/24 interface=vlan20-home2 network=192.168.12.0
add address=192.168.13.1/24 interface=vlan30-Gast network=192.168.13.0
add address=192.168.14.1/24 interface=vlan40-VoIP network=192.168.14.0
add address=192.168.16.1/24 interface=vlan60-Vsec network=192.168.16.0
add address=192.168.17.1/24 interface=pv-bridge network=192.168.17.0

/ip dhcp-client
# WAN address, default route and (by default) upstream DNS are obtained from
# the ISP via DHCP on ether1-WAN.
add disabled=no interface=ether1-WAN

/ip dhcp-server network
# Per-subnet DHCP options. 192.168.1.0/24 sets no dns-server; every other
# subnet is pointed at the router itself for DNS.
# NOTE(review): 192.168.16.0/24 and 192.168.17.0/24 are handed the router as
# dns-server, but the input-chain DNS accepts under /ip firewall filter only
# match src-address=192.168.0.0/20, so queries from these two subnets are
# dropped by the router — intended if they get no internet, otherwise a gap.
add address=192.168.1.0/24 gateway=192.168.1.1
add address=192.168.5.0/24 dns-server=192.168.5.1 gateway=192.168.5.1
add address=192.168.11.0/24 dns-server=192.168.11.1 gateway=192.168.11.1
add address=192.168.12.0/24 dns-server=192.168.12.1 gateway=192.168.12.1
add address=192.168.13.0/24 dns-server=192.168.13.1 gateway=192.168.13.1
add address=192.168.14.0/24 dns-server=192.168.14.1 gateway=192.168.14.1
add address=192.168.16.0/24 dns-server=192.168.16.1 gateway=192.168.16.1
add address=192.168.17.0/24 dns-server=192.168.17.1 gateway=192.168.17.1

/ip dns
# allow-remote-requests=yes turns the router into a DNS resolver for clients.
# Exposure to the WAN depends entirely on the input chain: only udp/tcp 53 from
# 192.168.0.0/20 is accepted there, everything else falls to the final drop.
set allow-remote-requests=yes
# NOTE(review): these are *static host records* (the names "cloudflare" and
# "quad9" resolve to 1.1.1.1 / 9.9.9.9 locally). They do not set upstream
# resolvers — that is `/ip dns set servers=...` — so upstream DNS presumably
# comes from the WAN DHCP client (use-peer-dns); confirm that is intended.
static add address=1.1.1.1 name=cloudflare
static add address=9.9.9.9 name=quad9

/ip firewall address-list
# Management sources: the subnet served on ether6-Config.
add address=192.168.5.0/24 list=mgmt

/ip firewall filter
# NOTE: as pasted, long commands are wrapped onto a second line and the quotes
# were converted to typographic quotes; re-join each rule onto one line and use
# plain double quotes before importing this on a router.
# Rule order matters within a chain: the first matching rule decides.
add action=accept chain=input comment=“accept established and related connections”
connection-state=established,related
# fasttrack comes before the generic accept, so established forward flows bypass
# the remainder of the chain (including the port/protocol accepts further down).
add action=fasttrack-connection chain=forward comment=“accept fast-track on established
and related connections” connection-state=established,related
add action=accept chain=forward comment=“accept established and related connections”
connection-state=established,related
add action=drop chain=input comment=“drop invalid connections” connection-state=invalid
add action=drop chain=forward comment=“drop invalid connections” connection-state=invalid
# Management access to the router is matched on source address alone
# (list mgmt = 192.168.5.0/24). Hardening: also bind it to the physical port,
# e.g. in-interface=ether6-Config, so a host on another segment presenting a
# 192.168.5.x source is not accepted.
add action=accept chain=input comment=“accept router configuration access” src-address-list=mgmt
# dst-address=192.168.0.0/24 contains none of the configured internal subnets
# (192.168.1.0/24, .5.0/24, .11.0/24 .. .17.0/24 under /ip address), so this
# rule matches nothing despite its comment. "all internal subnets" would need
# 192.168.0.0/19 or a per-subnet address list; 192.168.0.0/20 would still omit
# 192.168.16.0/24 and 192.168.17.0/24.
add action=accept chain=forward comment=“allow admin access into all internal subnets”
dst-address=192.168.0.0/24 src-address-list=mgmt
add action=accept chain=forward comment=“accept ICMP requests for mgmt into internal
subnets (and internet)” in-interface=!ether1-WAN protocol=icmp src-address-list=mgmt
# Same /24 problem on the input chain: no router address and no client subnet
# lies in 192.168.0.0/24, so ICMP to the router from the VLANs is never
# accepted here and ends at the final input drop (only mgmt sources get in).
add action=accept chain=input comment=“accept ICMP requests only from inernal VLAN-LAN
users” dst-address=192.168.0.0/24 in-interface=!ether1-WAN protocol=icmp src-address=
192.168.0.0/24
# DNS to the router is accepted only from 192.168.0.0/20; 192.168.16.0/24 and
# 192.168.17.0/24 are outside that range although their DHCP networks hand out
# the router as dns-server. WAN-sourced DNS is blocked by in-interface=!ether1-WAN
# and by the source range.
add action=accept chain=input comment=“accept tcp DNS requests from internal users with
internet permission” dst-address=192.168.0.0/20 dst-port=53 in-interface=!ether1-WAN
protocol=tcp src-address=192.168.0.0/20
add action=accept chain=input comment=“accept udp DNS requests from internal users with
internet permission” dst-address=192.168.0.0/20 dst-port=53 in-interface=!ether1-WAN
protocol=udp src-address=192.168.0.0/20
# Internet egress limited to tcp/80 and tcp/443 from 192.168.0.0/20. The tcp/443
# accept looks correct as written, so the HTTPS failure reported in the thread is
# not explained by these lines alone; adding log=yes to the final forward drop
# below would show which packets it actually catches while troubleshooting.
add action=accept chain=forward comment=“allow internet access for all relevant subnets”
dst-port=80 out-interface=ether1-WAN protocol=tcp src-address=192.168.0.0/20
add action=accept chain=forward comment=“allow internet access for all relevant subnets”
dst-port=443 out-interface=ether1-WAN protocol=tcp src-address=192.168.0.0/20
# Inter-VLAN permissions: home1 may reach pv-bridge and Vsec without restriction;
# home2 and Gast may reach only the camera range 192.168.16.16/28 in Vsec.
add action=accept chain=forward comment=“access for VLAN10 members on PV-LAN” in-interface=
vlan10-home1 out-interface=pv-bridge
add action=accept chain=forward comment=“access for VLAN10 members on Vsec” in-interface=
vlan10-home1 out-interface=vlan60-Vsec
add action=accept chain=forward comment=“access for VLAN20 members on cameras in Vsec”
dst-address=192.168.16.16/28 in-interface=vlan20-home2 out-interface=vlan60-Vsec
add action=accept chain=forward comment=“access for VLAN30 members on cameras in Vsec”
dst-address=192.168.16.16/28 in-interface=vlan30-Gast out-interface=vlan60-Vsec
# Default deny for both chains: anything not accepted above is dropped.
add action=drop chain=input comment=“DROP everything else on input chain”
add action=drop chain=forward comment=“DROP everything else on forward chain”

/ip firewall nat
# Masquerade is deliberately scoped to src-address=192.168.0.0/20, which covers
# 192.168.0.0-192.168.15.255; 192.168.16.0/24 (Vsec) and 192.168.17.0/24
# (pv-bridge) are therefore never translated and cannot reach the internet even
# if a forward rule let them through.
add action=masquerade chain=srcnat comment=“IP translation for VLAN-LAN with internet
permission only” out-interface=ether1-WAN src-address=192.168.0.0/20

A couple quick comments. First, I would suggest sorting your firewall rules so that each chain is together. In other words, all the Input chain, then all the forward chain, etc. Does not make any difference to the router, but makes it far easier for us poor humans to read it.
On my quick look, you are allowing only TCP ports 80 and 443 outbound. That is likely to be far more restrictive than you are expecting. I don’t know for sure whether that is affecting your https issue, however (I don’t know enough of the details of how https works to answer).

Some guidance found here…
https://forum.mikrotik.com/viewtopic.php?t=182373

Txs for the feedback and the link.

In fact, yes, for reading the script it is definitely easier to group by chain. However, I set it up for the input and forward chains in parallel and ended up with what I have :wink:

Anyway, I did review your “guide” and yes, it is very structured and helpful. Even though I worked with address spaces rather than lists (which in turn is definitely more maintenance friendly), the only real difference I found was in the forward rule for internet access. You left the protocol and port spec out of the filter rule. I dropped them from mine and it worked.

Now leaving me with the questions:

  • why does specifying tcp and ports 80, 443 not do the job as well?
  • what else needs to be specified in the filter rules to allow https traffic?
  • why did it work for http traffic in the first place, but not for https?

However, thanks to your hints, my firewall is at least running and does what was asked to do. Improvements will be added later (once I understand what I’m doing :smiley: )

(1) Step one GET RID OF VLAN1.
It is the default vlan ID of the bridge and should be left as is “ALONE” and if you need another vlan to carry the data then just make another vlan.
Real easy since the rest of the structure is already defined.

(2) Why is your source nat rule thusly defined??
/ip firewall nat
add action=masquerade chain=srcnat comment=“IP translation for VLAN-LAN with internet
permission only” out-interface=ether1-WAN src-address=192.168.0.0/20

Are there some subnet you are trying to exclude from NAT??

(3) What do you mean https traffic??
If the rule is allow LAN to WAN traffic, all traffic will be allowed.
If you want to limit that, I suppose one could put
add action=accept chain=forward in-interface-list=LAN out-interface-list=WAN dst-port=80,443 protocol=tcp ???
But I rarely see it.

IN addition for admin control of router for config purposes
I normally have something like
add chain=input action=accept in-interface-list=manage src-address-list=authorized. I don't bother with putting in dst-port=winboxport, ssh port, but you can and there is nothing wrong with that.

Learning as I go along…

thanks for the hint with VLAN1, it is a relic from a situation where I was somehow misled while doing some testing without VLAN filtering on :frowning:

In fact I have divided my subnets into those with internet access granted and those with no access rights. It’s my bit of paranoia, keeping “smart” toys from getting too exposed.

The issue with the https traffic was, once I took out the specifics of ports and protocols it worked.

1st attempt similar to what you noted was not working:

  • add action=accept chain=forward comment=“allow internet access for all relevant subnets” dst-port=80 out-interface=ether1-WAN protocol=tcp src-address=192.168.0.0/20
  • add action=accept chain=forward comment=“allow internet access for all relevant subnets” dst-port=443 out-interface=ether1-WAN protocol=tcp src-address=192.168.0.0/20

After modification, it works:

  • add action=accept chain=forward comment=“allow internet access for all relevant subnets” out-interface=ether1-WAN src-address=192.168.0.0/20

This is what puzzles me, as my understanding so far was that I allow “http” traffic with dst-port=80 and “https” with dst-port=443, with the tcp protocol specified. But there seems to be something missing for “https”, as it worked for “http” but not for “https” traffic. Even though the problem is solved by the modification of the forward rule, I am still curious why the other approach didn’t work.

Going through your tutorials you triggered some ideas and got me motivated to upgrade my structure with lists. In the long run it is definitely worth the effort.

Thanks for all your efforts in getting us novices up to speed.

Glad to hear it’s starting to make sense. I am still on that path myself, but getting at least to the point of modifying the default config into something useful for some small changes can be either painful or manageable, and the latter is the goal for the help files.