This very simple firewall ruleset SHOULD work-- but.....

I’ve reduced everything down to the basics but it doesn’t seem to help…

The hardware is an RB5009 that simply has two interfaces (an OUT (FRC) and an IN (LAN)). (There are firewalls upstream.) The goal of the firewall ruleset at this point is:

  • Allow everything out
  • Allow return traffic in
  • Allow SSH in if it’s going to host 199.181.204.130
  • Drop everything else

There is no NAT at this point, so it’s just a set of “public IPs”

0 ;;; Allow anything out from the LAN to the tunnels
chain=forward action=accept in-interface=ether1-LAN
out-interface=ether2-FRC log=no log-prefix=""

1 chain=forward action=accept protocol=tcp dst-address-list=199.181.204.130
dst-port=22 log=no log-prefix=""

2 ;;; Allow active connections in
chain=forward action=accept
connection-state=established,related,untracked in-interface=ether2-FRC
out-interface=ether1-LAN log=no log-prefix=""

3 chain=forward action=drop log=no log-prefix="Drop it"

I can see the drop rule at the bottom catches everything, even the SSH. Why?

If you turn on logging, you can see what is happening.
Are you sure the dst-address-list is an IP address?

This.

The dst-address-list property expects the name of an address list as its parameter ... and doesn't complain if there isn't such a list at the time of creating the rule. So in your case the NAT rule expects an address list with the name "199.181.204.130" containing at least one address. If you don't have such an address list, then obviously none of the packets will match.
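As an added illustration (not configuration from the thread or from the poster), here are the two ways to write rule 1 so that it actually matches: either match the host directly with dst-address=, or keep dst-address-list= and create the list it names first. The interface names and the host address are the ones from the post; the list name ssh-hosts and the comments are assumptions. Both variants are also pinned to in-interface=ether2-FRC and out-interface=ether1-LAN so the rule only admits SSH arriving from the outside, which is what the stated goal asks for.

```routeros
# Added example, not the poster's ruleset. Fixes the SSH rule that silently matched nothing.

# Option A: match the single host directly. dst-address= takes an IP/prefix, not a list name.
/ip firewall filter
add chain=forward action=accept protocol=tcp dst-address=199.181.204.130 dst-port=22 in-interface=ether2-FRC out-interface=ether1-LAN comment="Allow SSH in to the management host (option A)"

# Option B: keep dst-address-list=, but the list must exist and contain the host.
# "ssh-hosts" is an assumed list name; RouterOS will not warn if a rule references a list that does not exist.
/ip firewall address-list
add list=ssh-hosts address=199.181.204.130 comment="hosts reachable over SSH from the FRC side"
/ip firewall filter
add chain=forward action=accept protocol=tcp dst-address-list=ssh-hosts dst-port=22 in-interface=ether2-FRC out-interface=ether1-LAN comment="Allow SSH in to listed hosts (option B)"

# Checks: confirm the list is populated, then watch the per-rule counters while opening an SSH session.
/ip firewall address-list print where list=ssh-hosts
/ip firewall filter print stats
```

Whichever variant is used, it has to sit above the final drop rule; the counters from `print stats` will show the packets landing on the accept rule instead of the drop rule once the match is correct.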

Duplicate post, already solved :slight_smile:
http://forum.mikrotik.com/t/this-very-simple-firewall-ruleset-should-work-but/175531/1

Duplicate post, already solved :slight_smile:
http://forum.mikrotik.com/t/this-very-simple-firewall-ruleset-should-work-but/175530/1
