Routing between 2 Subnets

Hi,
I have configured several subnets on my RB3011. The subnets cannot see each other; this is blocked by a FW rule.

Now I would like to configure some exceptions. I have a local SIP server on Subnet1 with IP 192.168.1.10. Clients on Subnet1 can connect to the server correctly, but clients on Subnet2 (192.168.2.0/24) cannot. This is as expected.
How do I have to configure a common rule for Subnet2 to get this working? I think I have to route UDP port 5060.
Can someone help here?
Christian

It would be useful to see/post your config to understand how your subnets are created.
When you say they are blocked by FW rules, I assume you mean the last rule in your forward chain is a drop-all-else rule??

/ip firewall filter
add chain=forward action=accept log=yes log-prefix=AccessingSIPserver \
    dst-address=192.168.1.10 in-interface=(subnet identifier for LAN2)

(there is no need for ports or protocols usually, as the server doesn't do anything else and it would add rules for no gain).



Note: You should go to your duplicate post and edit it (erase everything and state Duplicate Post please ignore).

Specific rule to allow SIP clients to connect server:

/ip firewall filter
add chain=forward action=accept comment="SIP clients from 192.168.2.0/24" src-address=192.168.2.0/24 dst-address=192.168.1.10 protocol=udp dst-port=5060

but make sure there’s a rule accepting connection-state=established,related before the new rule. And move the new rule above the rule which currently prevents connectivity to happen.

@anav showed a rule which logs all connections triggering this rule. While it's fine for debugging, it shouldn't be set up for production … it will litter the log with irrelevant entries, making you miss the important ones.
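As an added illustration (not from any poster in this thread), a small Python model of first-match chain evaluation showing why the rule order described above matters: the SIP accept rule must sit below the established,related rule and above the final drop. The Packet/Rule classes and the sample phone address 192.168.2.25 are assumptions of this example; the matchers are simplified compared with RouterOS.

```python
import ipaddress
from collections import namedtuple
from dataclasses import dataclass

Packet = namedtuple("Packet", "src dst proto dst_port conn_state")  # conn_state: "new" or "established"

@dataclass
class Rule:
    action: str
    src_net: str = None
    dst_ip: str = None
    proto: str = None
    dst_port: int = None
    conn_state: str = None

    def matches(self, p: Packet) -> bool:
        # Unset matchers are wildcards; every matcher that is set must agree with the packet.
        return all([
            self.src_net is None or ipaddress.ip_address(p.src) in ipaddress.ip_network(self.src_net),
            self.dst_ip is None or p.dst == self.dst_ip,
            self.proto is None or p.proto == self.proto,
            self.dst_port is None or p.dst_port == self.dst_port,
            self.conn_state is None or p.conn_state == self.conn_state,
        ])

def evaluate(chain: list, p: Packet) -> str:
    """First matching rule decides; with no match the chain accepts (RouterOS default)."""
    for rule in chain:
        if rule.matches(p):
            return rule.action
    return "accept"

# The three rules discussed in the thread (matchers simplified).
ESTABLISHED = Rule("accept", conn_state="established")
SIP = Rule("accept", src_net="192.168.2.0/24", dst_ip="192.168.1.10", proto="udp", dst_port=5060)
DROP_ALL = Rule("drop")

# Constructed sample traffic: a new SIP request from a phone on Subnet2, and the
# server's reply, which conntrack classifies as part of the established connection.
REQUEST = Packet("192.168.2.25", "192.168.1.10", "udp", 5060, "new")
REPLY = Packet("192.168.1.10", "192.168.2.25", "udp", 5060, "established")

def sip_rule_below_drop() -> str:
    return evaluate([ESTABLISHED, DROP_ALL, SIP], REQUEST)  # "drop": the SIP rule is never reached

def sip_rule_above_drop() -> str:
    return evaluate([ESTABLISHED, SIP, DROP_ALL], REQUEST)  # "accept"

def reply_needs_no_own_rule() -> str:
    return evaluate([ESTABLISHED, SIP, DROP_ALL], REPLY)  # "accept" via the established rule
```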

Good point mkx, yes the log prefix enabled was simply to verify if the forwarding is taking place as desired. Once up and running it should be removed.
As also demonstrated by mkx's rule, the originating source can be identified in a few ways.

1. source address (an individual address or whole subnet)
2. in-interface (the LAN where the request is coming from/originating)
(I've used a combo of both in the past for better security but have been told it's simply wasteful and thus the source address as shown is adequate).
3. Use of protocol and ports is a good idea in terms of limiting the ports and protocols allowed by the originating LAN to hit your server.
(seeing as there is no other functionality of the server, I tend to think that this is simply wasteful as well, unless someone can point out why otherwise ???)

Performance-wise it might indeed be wasteful. However, you never know if in future that same server might get some other functionality you don’t want to expose to the said subnet. This case, however, is not similar to yours (filtering based on both physical port and IP address): in “my” case filter is only very specific (narrowing down possibilities) - but in this very particular case it may not be necessary to be that very specific. In “your” case, both filter criteria (physical port and IP address) are, strictly speaking, not related at all. Specifying both might narrow down the possibilities (possibly breaking L2 network in unlucky case) or it may broaden possibilities (in another unlucky case).

Hi,
many thanks for your replies and sorry for the late response, but I am on a business trip with limited access to the internet and my router. I will check tomorrow and post my config.
Thanks for help,
Christian

No worries spartacus, in the meantime I am simply sparring with mkx over some minutiae. :slight_smile:

So mkx,
The question comes down to what is most efficient:
a. asking the CPU to inspect the forwarded packet for IP, protocol and port (and discarding those that do not fit) OR
b. asking the CPU to inspect the forwarded packet for IP only (and discarding those that do not fit).

The question I have is why would anyone on the originating LAN be hitting that IP address with anything other than the right protocol and port?
Does the admin expect some folks on the originating LAN to try and hit the server with different types of traffic (hack in?) ?

c. What is more efficient wrt CPU load?
To have a rule that inspects a packet for allowable IP (which it does) but it has wrong port or protocol and drops it?
VERSUS
The packet is passed to the server (allowable IP) but the packets hits a closed port, or even an open port but with the wrong protocol.
I believe the latter events are transparent to the CPU (no load).

@anav, I don't see continuing the discussion being productive. The baseline is: how paranoid should a network administrator be to keep networks safe and going versus available (and allowable) resources?

My stand is that an administrator should be as paranoid as possible and that the security of a network should be based neither on users' friendliness nor on assumptions about fair use (most known exploits target such pitfalls).

Ahh well okay, I sense you are raising the white flag on efficiency and diverting to the ole security trumps all standby. :wink:
Perhaps we can do combat another day.

You’re free to sense it in any way it suits you … :wink:

Hi everybody,
thanks for the support. But it seems not to be working. The PC client software, Phoner, is running on the client subnet (192.168.2.0/24) and the server IP is 192.168.1.10. I configured full access between the subnets without success:

/ip firewall filter add action=accept chain=forward dst-address-list=VlanFriends in-interface-list=LAN src-address-list=VlanFriends comment="Allow inter VLAN communication with VLAN friends"

Both networks are participants from VlanFriends.
Any ideas?
Christian

Yes post your config, looking at one rule you have is probably not all that helpful.

Hi,
ok here it is, but it is not simple!
Remark: Some rules are disabled!

Christian

# nov/27/2018 17:09:21 by RouterOS 6.43.4
# software id = UJ3A-L315
#

/ip firewall address-list
add address=192.168.1.0/24 list=PrivateSubnets
add address=192.168.10.0/24 list=PrivateSubnets
add address=192.168.20.0/24 list=PrivateSubnets
add address=192.168.1.0/24 list=AdminSubnet
add address=192.168.10.10 comment="Office. Odilo" list=VlanFriends
add address=192.168.20.0/24 list=VlanFriends
add address=192.168.1.0/24 comment="All Subnets" list=PrivateSubnets
add address=192.168.10.20 comment="Client B\FCro PC" list=AdminSubnet
add address=192.168.30.0/24 list=PrivateSubnets
add address=192.168.40.0/24 list=PrivateSubnets
add address=192.168.50.0/24 list=PrivateSubnets
add address=192.168.60.0/24 list=PrivateSubnets
add address=192.168.70.0/24 list=PrivateSubnets
add address=192.168.80.0/24 list=PrivateSubnets
add address=192.168.1.0/24 list=AlllowWAN
add address=192.168.20.0/24 list=AlllowWAN
add address=192.168.10.0/24 list=AlllowWAN
add address=192.168.30.0/24 list=AlllowWAN
add address=192.168.40.0/24 list=AlllowWAN
add address=192.168.50.0/24 list=AlllowWAN
add address=192.168.60.0/24 list=AlllowWAN
add address=192.168.70.0/24 list=AlllowWAN
add address=192.168.80.0/24 list=AlllowWAN
add address=192.168.1.0/24 list=AlllowWAN
add address=192.168.10.0/24 list=SonosControl
add address=192.168.60.0/24 list=VlanFriends
add address=192.168.40.0/24 list=VlanFriends
add address=192.168.10.40 comment=Spok list=AdminSubnet
add address=192.168.30.0/24 list=VlanFriends
add address=192.168.50.0/24 list=VlanFriends
add address=192.168.10.0/24 list=VlanFriends
add address=192.168.1.0/24 list=VlanFriends
add address=192.168.10.11 comment=HP4050 list=Printer
add address=192.168.10.12 comment=HP8620 list=Printer
add address=192.168.10.13 comment=HP477fdw list=Printer
/ip firewall filter
add action=accept chain=input comment="accept established,related" \
    connection-state=established,related
add action=drop chain=input comment="drop invalid" connection-state=invalid
add action=accept chain=input comment="VPN: allow udp 500 and 4500" disabled=\
    yes dst-port=500,4500 in-interface-list=WAN protocol=udp
add action=accept chain=input comment="VPN: allow ESP" disabled=yes \
    in-interface-list=WAN protocol=ipsec-esp
add action=accept chain=input comment="allow AdminSubnet" in-interface-list=\
    LAN src-address-list=AdminSubnet
add action=accept chain=input comment="Allow LAN DNS queries-TCP" dst-port=53 \
    in-interface-list=LAN protocol=tcp
add action=accept chain=input comment="Allow LAN DNS queries-UDP" dst-port=53 \
    in-interface-list=LAN protocol=udp
add action=accept chain=input comment="Allow LAN NTP queries" dst-port=123 \
    in-interface-list=LAN protocol=udp
add action=drop chain=input comment=" drop everything"
add action=fasttrack-connection chain=forward comment=\
    " fasttrack established,related" connection-state=established,related
add action=accept chain=forward comment=" accept established,related" \
    connection-state=established,related
add action=accept chain=forward comment="SIP clients from 192.168.10.0/24" \
    disabled=yes dst-address=192.168.20.10 dst-port=5060 log=yes log-prefix=\
    SIP protocol=udp src-address=192.168.10.0/24
add action=drop chain=forward comment="prevent SPAM" dst-port=25 \
    in-interface-list=LAN out-interface-list=WAN protocol=tcp
add action=drop chain=forward comment="drop invalid" connection-state=invalid
add action=accept chain=forward comment=\
    "only required for port forwarding from WAN" connection-nat-state=dstnat \
    disabled=yes in-interface-list=WAN
add action=accept chain=forward comment="accept in ipsec policy" disabled=yes \
    ipsec-policy=in,ipsec
add action=accept chain=forward comment="accept out ipsec policy" disabled=\
    yes ipsec-policy=out,ipsec
add action=accept chain=forward comment=\
    "SONOS. Forward UPnP Device Discovery events from Players" in-interface=\
    vlan30 out-interface-list="Sonos Control" port=1900,1901,6969 protocol=\
    udp
add action=accept chain=forward comment="SONOS: forward Multicast traffic" \
    dst-address=239.255.255.250 log-prefix=MultiCast
add action=accept chain=forward comment=\
    "SONOS: Forward Contoller events  from Players" in-interface-list=\
    "Sonos Control" log=yes log-prefix=FromPlayer out-interface=vlan30 port=\
    3400,3401,3500,4444,4070,5353 protocol=tcp
add action=accept chain=forward comment=\
    "SONOS: forward  Controller events to Players" dst-port="" in-interface=\
    vlan30 log-prefix=ToPlayer out-interface-list="Sonos Control" port=\
    3400,3401,3500,4444,4070,5353 protocol=tcp
add action=accept chain=forward comment=\
    "accept Internet Access from \"Allow WAN\"" in-interface-list=LAN \
    out-interface-list=WAN src-address-list=AlllowWAN
add action=accept chain=forward comment="Accept AdminSubnet-> PrivateSubnet" \
    dst-address-list=PrivateSubnets in-interface-list=LAN src-address-list=\
    AdminSubnet
add action=accept chain=forward comment=\
    "Allow inter VLAN communication with VLAN friends" dst-address-list=\
    VlanFriends in-interface-list=LAN src-address-list=VlanFriends
add action=drop chain=forward comment="drop everything" log=yes log-prefix=\
    drop
/ip firewall mangle
add action=mark-connection chain=prerouting connection-state=new disabled=yes \
    new-connection-mark=TabS2 passthrough=yes src-mac-address=\
    xx:xx:xx:xx:xx:xx
add action=mark-packet chain=prerouting connection-mark=TabS2 disabled=yes \
    new-packet-mark=TabS2PacketMark passthrough=no
/ip firewall nat
add action=redirect chain=dstnat comment=\
    "Force Users to Router for DNS - TCP" dst-port=53 protocol=tcp
add action=redirect chain=dstnat comment=\
    "Force Users to Router for DNS - UDP" dst-port=53 protocol=udp
add action=masquerade chain=srcnat comment="masquerade LAN->WAN" \
    out-interface=ether1 src-address-type=""
/ip firewall raw
add action=notrack chain=prerouting comment=\
    "Fasttrack BYPASS for IPSec traffic " disabled=yes dst-address=\
    192.168.1.0/24 src-address=192.168.2.0/24
add action=notrack chain=prerouting disabled=yes dst-address=192.168.2.0/24 \
    src-address=192.168.1.0/24
/ip firewall service-port
set ftp disabled=yes
set tftp disabled=yes
set irc disabled=yes
set h323 disabled=yes
set sip disabled=yes sip-timeout=20m
set pptp disabled=yes
set udplite disabled=yes
set dccp disabled=yes
set sctp disabled=yes

Hi I am very much interested in this rule…
add action=accept chain=input comment="Allow LAN NTP queries" dst-port=123 \
    in-interface-list=LAN protocol=udp

What is its purpose? I have a smart device (Honeywell leak detector) that refuses to connect to Honeywell via my cAP ac wifi and hEX router.
I do it through a consumer Cisco Linksys router with no problems. Some Ubiquiti forums talk about NTP and port 123 but I don't block that at all in any forward rule.
Thus it intrigued me to see you have this as a LAN to router (input) rule. Perhaps I could try this to see if it works for my smart device???

+++++++++++++++++++++++++++++++++++++++++++++++++++++
Back to the show!!
The first thing is that your VLAN config information is missing, so that is not helpful.

add action=drop chain=forward comment="prevent SPAM" dst-port=25 \
    in-interface-list=LAN out-interface-list=WAN protocol=tcp

This blocks any attempt at email, does it not???

add action=accept chain=forward comment=\
    "only required for port forwarding from WAN" connection-nat-state=dstnat \
    disabled=yes in-interface-list=WAN

Tells me port forwarding is off for now.

add action=accept chain=forward comment=\
    "SONOS. Forward UPnP Device Discovery events from Players" in-interface=\
    vlan30 out-interface-list="Sonos Control" port=1900,1901,6969 protocol=\
    udp

This rule allows any queries coming from/originating on vlan30 (which has no structure (no config viewable)) to (???) on the specific ports. Without the VLAN config I am lost here…

NTP = Network Time Protocol makes use of port 123

Very good CZFAN, where is that emoji for a cookie, but that has nothing to do with my questions.

Hi,
here is my feedback.

  • the NTP rule is necessary to accept NTP queries across my subnets
  • I do not use port 25 for email
  • the port forwarding rule is disabled
  • the SONOS rules are only for my Sonos devices in VLAN30 (192.168.30.0). They are necessary for the UPnP discovery and forward the requests to and from the other subnets. This works and has nothing to do with the SIP protocol. No SIP client is in VLAN30.

VLAN Mapping Rule:
VLANnn=192.168.nn.0/24

Regards,
Christian

But your NTP rule is on the input chain??
If your devices need to query NTP, don't they simply go out to the internet via the forward chain?? (in other words part of normal traffic and thus no rule required??)?


Okay so if the NTP query is done on UDP, is that covered in the forward chain rules? Does MikroTik recognize a device going out on UDP 123 as a new connection and thus will it be tracked??

Hi,
maybe there is a misunderstanding about the NTP rule:

An NTP client (to sync the RB with NTP servers in the WAN) and an NTP server (for clients in the LAN) are running on the RB3011, and all clients across the different subnets can use the GW address of their current subnet as NTP server to synchronize the time. Therefore I need the input rule on the RB. It works!

Christian

You will also need to open a few rules for RTP (audio)