Rules for unblocking a port to a /24

I’ve been searching on how to unblock a specific port to a /24 (which is one of the VLANs on my MikroTik), specifically for NTP.
In reading, I see that MikroTik doesn’t support port “groups”, which means a couple more steps to accomplish this.

I came across a thread http://forum.mikrotik.com/t/allow-incoming-and-outgoing-traffic-on-specific-ports-to-certain-ips/107637/1 which accomplished a similar result, but to specific IPs.
The question I have is: can you apply that to an entire block? For example, can the rule be written this way to accomplish what I am trying to do?

/ip firewall address-list
add address=192.168.30.0/24 list=Allowed_IP_UDP_NTP

/ip firewall filter
add action=accept chain=input dst-port=123 protocol=udp src-address-list=Allowed_IP_UDP_NTP
add action=accept chain=output src-port=123 protocol=udp dst-address-list=Allowed_IP_UDP_NTP

Thank you and appreciate the feedback.

Cheers
jwb

And don’t you just need something simple (for an NTP server on the router):

/ip firewall filter
add chain=input src-address=192.168.30.0/24 protocol=udp dst-port=123 action=accept

Or (for NTP server elsewhere):

/ip firewall filter
add chain=forward src-address=192.168.30.0/24 protocol=udp dst-port=123 action=accept

Possibly with additional “out-interface=” or “dst-address=” or “dst-address-list=”?

In other words, it usually helps to write what the goal is, big picture, instead of focusing on just one step.

SOB-

Thank you so much! Makes total sense. I was just planning for the future, when I want to add additional ports to the “group”. What’s led me down this path was upgrading to all Unifi UBNT Nano-HDs, separating IoT, NoT and main LAN. Lots of good videos if you’re all UBNT, but I’m in love with RouterOS so it all has to work through it.

Again, thank you for your assistance and guidance!

Cheers

jwb

I implemented the above, but I don’t seem to be capable of passing traffic over 123. I attached a screen capture of the rules in my MT.
Appreciate your review.

jwb

There are two ways to get time on the router. This is according to my experience; Sob, being an alien, may have different experiences :stuck_out_tongue_winking_eye:
A. Comes with the default SNTP client. Too easy: like any client, set it and it works (enable it), no rules needed.
B. Download the NTP package:

  • set up the NTP client much like in A, so the router gets time
  • set up the NTP server
  • make a firewall address list for the devices that require NTP service (such as any other MT devices, managed switches, etc.)
  • add an input chain rule allowing that source address list onto port 123

  Done. No requirement for forward chain rules at all.
  For example, on MT client devices on the LAN one puts the NTP source as the IP of the subnet or VLAN, i.e. for vlan45 the NTP source is 192.168.45.1 (like DNS).

Rules are processed in order from top to bottom. So when #9 and #10 have no hits, either the traffic is blocked by previous rules, or nothing from 192.168.30.0/24 sends such packets for some reason.
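Putting Sob’s input-chain rule and Anav’s address-list approach together, here is an added example in RouterOS command syntax (it is not from anyone in this thread) showing the router serving NTP to the /24 with the accept rule placed above any drop rule, so that it actually gets hits. It assumes RouterOS v7 command names, an address list named ntp-clients, and 192.168.30.1 as the router’s own address on that VLAN.

```routeros
# Added example, not from the thread. Assumes RouterOS v7 syntax, an
# address list called "ntp-clients" and 192.168.30.1 as the router's
# address on the 192.168.30.0/24 VLAN.

# 1. Keep the router's own clock in sync, then let it serve time.
/system ntp client set enabled=yes servers=pool.ntp.org
/system ntp server set enabled=yes

# 2. Devices allowed to ask the router for time. More subnets (or more
#    ports later) mean extending the list, not adding more rules.
/ip firewall address-list
add list=ntp-clients address=192.168.30.0/24 comment="NoT VLAN"

# 3. Filter rules are first-match, top to bottom. place-before=0 puts the
#    accept at position 0 so a later "drop everything else on input" rule
#    cannot swallow NTP first. Only the input chain is needed when the
#    router itself answers; replies are covered by the usual
#    connection-state=established,related accept, so no output rule.
/ip firewall filter
add chain=input protocol=udp dst-port=123 src-address-list=ntp-clients \
    action=accept comment="NTP from NoT VLAN" place-before=0

# 4. A log-only rule directly below the accept records udp/123 input that
#    did NOT come from the list; it is the quickest way to tell "blocked"
#    from "nothing was sent". It does not drop, so later rules still apply.
add chain=input protocol=udp dst-port=123 action=log \
    log-prefix="ntp-refused" place-before=1

# Verify: the accept rule's packet counter must increase when a client on
# 192.168.30.0/24 queries 192.168.30.1. If it stays at 0, look at the log
# and at whatever rules sit above it.
/ip firewall filter print stats where comment="NTP from NoT VLAN"
```

Point the NoT devices (or a test client) at 192.168.30.1 as their NTP server, then re-run the last command; the apps mentioned later in the thread use their own preconfigured servers, so they would traverse the forward chain instead and never touch this input rule.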

My testing was with a couple of android atomic clock apps, and wasn’t able to pass. I’ll dive a little deeper into it. I did move the NTP rules to the 1 & 2 position for testing.
I’ll look for an app that lets me dictate where I want the test to run (by IP/port). The ones I tested had pre-configured servers.
In parallel, I installed the NTP server on the MT. If needed, I can test out the method from Anav (Thanks to you as well!).

This is for a NoT VLAN I’ve created, and I’m moving bulbs, plugs, etc. to it that just need to check the time.

I appreciate your time and feedback.

Cheers
jwb