something wrong with firewall filter

EDITED 28/5/2021:
NO PROBLEM WITH FIREWALL, THE PROBLEM IS NAT AND IT IS SOLVED!!

Hi Sir

I have set up a router starting from a blank setup, as follows:

/interface list
add name=wan1
add name=wan2
add name=lan

/ip pool add name=lanPool ranges=192.168.9.100-192.168.9.250
/ip dhcp-server add address-pool=lanPool disabled=no interface=bridge lease-time=1w10m10s name=dhcpLan
/ip dhcp-server network add address=192.168.9.0/24 dns-server=1.1.1.1 gateway=192.168.9.1

/interface bridge port
add bridge=bridge interface=ether3
add bridge=bridge interface=ether4
add bridge=bridge interface=ether5

/interface list member
add interface=ether1 list=wan1
add interface=ether2 list=wan2
add interface=bridge list=lan

/ip dns set servers=1.1.1.1,1.0.0.1

/ip address
add address=172.24.127.2/24 interface=ether1 network=172.24.127.0
add address=172.23.127.2/24 interface=ether2 network=172.23.127.0
add address=192.168.9.1/24 interface=bridge network=192.168.9.0

/ip route
add distance=1 gateway=172.24.127.1
add distance=1 dst-address=201.93.14.0/24 gateway=172.23.127.1

/ip firewall filter
add action=accept chain=input comment="rbMT" connection-state=established,related,untracked
add action=drop chain=input comment="rbMT" connection-state=invalid
add action=drop chain=input comment="deny all - LAN" in-interface-list=!lan
add action=accept chain=forward comment="byPass from wan2" in-interface-list=wan2
add action=accept chain=forward comment="rbMT" ipsec-policy=in,ipsec
add action=accept chain=forward comment="rbMT" ipsec-policy=out,ipsec
add action=fasttrack-connection comment="rbMT" chain=forward connection-state=established,related
add action=accept chain=forward comment="rbMT" connection-state=established,related,untracked
add action=drop chain=forward comment="rbMT" connection-state=invalid
add action=drop chain=forward comment="deny all - nat" connection-nat-state=!dstnat connection-state=new in-interface-list=wan1

/ip firewall nat
add action=masquerade chain=srcnat out-interface-list=wan1
add action=masquerade chain=srcnat out-interface-list=wan2

With this setup, we can traceroute to network 201.93.14.0 without problems, but there is something that is filtering data that comes from that network, because some apps in the LAN are not working.

I would appreciate your answer. Thank you!!!

/interface list member
add interface=ether1 list=wan1
add interface=ether1 list=wan2
add interface=bridge list=lan

ether2 instead?

EDIT: the author has now fixed this in the first post

Hi rextended!!!
I made a typing mistake; I corrected it. Thanks!

But it is not the problem.

Sorry, the arrogance is suffocating that you think you know what we need to see to help you with YOUR problem, not ours.

/export hide-sensitive file=anynameyouwish

And this time don't take chunks out.

Surfing the web, I found the problem with my setup. I am posting the solution for others who have a similar problem.

The problem is not in the packet filtering but in the NAT.
Masquerade works very well when we have only one ISP, since it automatically selects the outgoing route.
But when we have more than one ISP, as in this case, masquerade tends to cause problems.
The solution is to replace masquerade with src-nat, which is basically the same and adds the option of telling it the exit.

change this

/ip firewall nat
add action=masquerade chain=srcnat out-interface-list=wan1
add action=masquerade chain=srcnat out-interface-list=wan2

to this

/ip firewall nat 
add action=src-nat chain=srcnat out-interface-list=wan1 to-addresses=172.24.127.2
add action=src-nat chain=srcnat out-interface-list=wan2 to-addresses=172.23.127.2

This works for me!!
Thanks, everyone!!!

That is because your rules were wrong, improper syntax, etc.
The ones you have put in place are good for static/fixed WAN IPs.

For dynamic WAN IPs they would be:
/ip firewall nat
add action=masquerade chain=srcnat out-interface=isp1
add action=masquerade chain=srcnat out-interface=isp2

or a single rule
add action=masquerade chain=srcnat out-interface-list=WAN

Hi Anav!

That is because your rules were wrong, improper syntax, etc.

I put all the info in your hands. What's wrong?

Yes, my ISP gives me a static IP.

I meant the rules you had originally, the ones you put in now are good!
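
An added example, not code posted by anyone in this thread: a Python script that reads a RouterOS export and rewrites each srcnat masquerade rule as src-nat with to-addresses when its outgoing interface list resolves to exactly one exported static address, leaving masquerade in place otherwise (the dynamic-address case). The sample export is constructed from the configuration in the first post; the function names are hypothetical, and it assumes one rule per line with no backslash line continuations.

```python
import re

# Constructed sample export, modelled on the configuration in the first post.
SAMPLE_EXPORT = """\
/interface list member
add interface=ether1 list=wan1
add interface=ether2 list=wan2
add interface=bridge list=lan
/ip address
add address=172.24.127.2/24 interface=ether1 network=172.24.127.0
add address=172.23.127.2/24 interface=ether2 network=172.23.127.0
add address=192.168.9.1/24 interface=bridge network=192.168.9.0
/ip firewall nat
add action=masquerade chain=srcnat out-interface-list=wan1
add action=masquerade chain=srcnat out-interface-list=wan2
"""

def parse_export(text):
    """Return {menu path: [{key: value}, ...]} for the 'add' lines of an export."""
    sections, path = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("/"):
            path = line  # a menu path such as "/ip firewall nat"
        elif line.startswith("add ") and path:
            pairs = re.findall(r'([\w-]+)=("[^"]*"|\S+)', line)
            sections.setdefault(path, []).append(dict(pairs))
    return sections

def suggest_nat(text):
    """Rewrite masquerade as src-nat where the exit has exactly one static address."""
    cfg = parse_export(text)
    addr, members = {}, {}  # interface -> addresses, list name -> interfaces
    for a in cfg.get("/ip address", []):
        addr.setdefault(a["interface"], []).append(a["address"].split("/")[0])
    for m in cfg.get("/interface list member", []):
        members.setdefault(m["list"], []).append(m["interface"])
    out = []
    for r in cfg.get("/ip firewall nat", []):
        if r.get("action") == "masquerade" and r.get("chain") == "srcnat":
            ifaces = members.get(r.get("out-interface-list"), []) or [r.get("out-interface")]
            ips = [ip for i in ifaces for ip in addr.get(i, [])]
            if len(ips) == 1:  # unambiguous static source address
                r = {**r, "action": "src-nat", "to-addresses": ips[0]}
        out.append("add " + " ".join(f"{k}={v}" for k, v in r.items()))
    return out

if __name__ == "__main__":
    print("/ip firewall nat")
    print("\n".join(suggest_nat(SAMPLE_EXPORT)))
```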