SOLVED: Firewall filter configuration with Public subnet

Hi,
I have a simple problem with protecting my DMZ network while also allowing it to access the internet.
I made a diagram to explain my configuration more easily.
Basically the idea is to block all traffic from the Internet to the DMZ zone but allow some ports,
for example:
First, drop all: "chain=forward action=drop in-interface=ether1 out-interface=ether3"

and then allow some ports to one server in the DMZ:
"chain=forward action=accept protocol=tcp dst-address=205.203.243.18 in-interface=ether1 out-interface=ether3 dst-port=443,80,25"

This configuration does the job except for one problem: I also block the internet connection for my servers in the DMZ zone.
And I want the servers to be allowed to access the internet.

What am I doing wrong?
Thank you.
(attachment: firewallfilter.jpg)

Could you explain to me the configuration you made to create the DMZ?
I have the same scenario: ISP, I create a private network, I masquerade that network and I use the ISP gateway.
I cannot create a DMZ, I don't want to protect the DMZ!

Maybe for you the best solution would be to NAT your DMZ.

You need to add another rule to allow your DMZ servers to go out to the internet,

i.e. from eth3 to eth1.

You should also add rules for related traffic.

Maybe worth looking at http://wiki.mikrotik.com/wiki/Securing_New_RouterOs_Router

Hi, thanks guys for the reply.

My DMZ configuration is not NAT based it’s routed via static route.
So I don’t have any masquerade for 205.203.243.16/28.
Only for my lan.

And I want to protect my DMZ servers via firewall.

I also know that it is possible to configure 205.203.243.16/28 on eth1 and then use NAT to send it to the DMZ.

But I did this already with Untangle and Shorewall, so I know it is possible.

Can you print us your configuration?

The solution is to add, before the drop rule:

/ip firewall filter
add chain=forward connection-state=established action=accept comment="allow established connections"
add chain=forward connection-state=related action=accept comment="allow related connections"

And then add the drop-all or allow filters.

More about that here:
http://wiki.mikrotik.com/wiki/Protecting_your_customers

Thanks to Chaos and NAB.
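Putting the advice from the two replies together (stateful established/related rules first, an explicit DMZ-to-Internet rule, then the interface-based drop), here is a complete forward-chain ruleset as an added example. It is not the poster's exported configuration; it assumes ether1 is the Internet uplink, ether3 is the DMZ, the routed DMZ subnet is 205.203.243.16/28 as stated in the thread, and the single published server is 205.203.243.18 on TCP 80, 443 and 25. The invalid-state drop and the explicit DMZ-to-Internet accept are standard additions, not something the thread spells out.

```routeros
# Added example (not the poster's config). Assumptions: ether1 = Internet,
# ether3 = DMZ, DMZ subnet 205.203.243.16/28 routed (no NAT), one server
# at 205.203.243.18 publishing TCP 80, 443 and 25.
/ip firewall filter

# 1. Stateful rules first. Replies to connections that the DMZ servers opened
#    towards the Internet arrive on ether1 and leave on ether3, so without
#    these two rules the interface-based drop below would kill them. This is
#    exactly why the original ruleset cut the servers off from the Internet.
add chain=forward connection-state=established action=accept \
    comment="allow established connections"
add chain=forward connection-state=related action=accept \
    comment="allow related connections (e.g. ICMP errors, FTP data)"

# 2. Packets that belong to no tracked connection (bogus TCP flags, replies to
#    connections the router never saw) are dropped regardless of direction.
add chain=forward connection-state=invalid action=drop \
    comment="drop invalid"

# 3. New connections initiated from the DMZ towards the Internet are allowed.
#    Stated explicitly so that a final drop-all rule can be added later
#    without breaking outbound access again.
add chain=forward connection-state=new in-interface=ether3 out-interface=ether1 \
    action=accept comment="DMZ -> Internet"

# 4. From the Internet, only the published services on the one server may be
#    opened. connection-state=new limits the rule to connection setup; the
#    rest of each session is already handled by rule 1.
add chain=forward connection-state=new protocol=tcp dst-address=205.203.243.18 \
    dst-port=80,443,25 in-interface=ether1 out-interface=ether3 \
    action=accept comment="Internet -> DMZ published services"

# 5. Everything else from the Internet into the DMZ is dropped. Because this
#    rule sits after the established/related accepts it no longer matches
#    return traffic of DMZ-initiated connections.
add chain=forward in-interface=ether1 out-interface=ether3 action=drop \
    comment="drop all other Internet -> DMZ"
```

Rule order is what matters: RouterOS evaluates the chain top-down and stops at the first match, so the established/related accepts must sit above the drop. After loading the rules, `/ip firewall filter print stats` shows per-rule packet counters; a DMZ server browsing the Internet should increment the established rule and rule 3, while an unsolicited probe from the outside to a non-published port should only increment the final drop rule. `/ip firewall connection print` lists the tracked connections that rules 1 and 2 rely on.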