...

I really like/prefer to end the chains with a drop all rule.

Hi, I am also new to this router, but I am facing a problem with a firewall rule: when I want to drop the whole network, it is still active with an internet connection. Also, I see mine is default with bridge mode.

So I have to put an

add action=drop chain=input

at the end?

Both on the input and on the forward chain. And indeed, last in line. Also order by input rules, then forward rules, to make it more readable.

There are predefined rules, which are more than enough to get started.
Why did you delete them?

Any removal from the default basic rules is a mistake.
So removing the drop-all-at-the-end makes any configuration made ridiculous.

Start with this; note the organization of chains together for easy reading and understanding.

/ip firewall address-list { mostly from static set DHCP leases }
add address=lan-IP1 list=Admin (desktop)
add address=lan-IP2 list=Admin (laptop)
add address=lan-IP3 list=Admin (smartphone)
add address=wg-IP list=Admin (wireguard IP)
/interface list
name=WAN
name=LAN

/ip firewall filter
{Input Chain}
(default rules)
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment="defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1

(user rules)
add action=accept chain=input src-address-list=Admin comment="Config Access"
add action=accept chain=input comment="Allow LAN DNS queries-UDP" \ {and NTP *** services if required etc}
dst-port=53 in-interface-list=LAN protocol=udp
add action=accept chain=input comment="Allow LAN DNS queries - TCP" \
dst-port=53 in-interface-list=LAN protocol=tcp
add action=drop chain=input comment="drop all else" *****

{forward chain}
(default rules)
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related
add action=accept chain=forward comment="defconf: accept established,related, untracked" connection-state=established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid

(user rules)
add action=accept chain=forward comment="allow internet traffic" in-interface-list=LAN out-interface-list=WAN
add action=accept chain=forward comment="wireguard to LAN" in-interface=wireguardname out-interface-list=LAN
add action=accept chain=forward comment="port forwarding" connection-nat-state=dstnat disabled=yes { enable if required }
add action=drop chain=forward comment="drop all else"
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" out-interface-list=WAN

I didn’t delete any rules, I only added 2 in the end to block internet access to 2 devices.

Keep in mind the order will be first match.
So if the traffic of the two devices you are trying to block fits an allow rule above the block, the traffic will be allowed.
In general, specific block rules should be almost at the top of the list.
Also bear with the suggestion to order by chain.

This is how it turned out following all your advice. Please tell me if I’m wrong, I really want to learn.

Code:

/ip firewall filter
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=input comment="defconf: accept ICMP" dst-limit=30,30,dst-address/1m40s limit=30,30:packet protocol=icmp
add action=accept chain=input comment="defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=accept chain=input comment="Config Access" src-address-list=Admin
add action=accept chain=input comment="Allow LAN DNS queries-UDP" dst-port=53 in-interface-list=LAN protocol=udp
add action=accept chain=input comment="Allow LAN DNS queries - TCP" dst-port=53 in-interface-list=LAN protocol=tcp
add action=drop chain=input comment="drop all else"
add action=drop chain=forward comment="Block EZVIZ C6N" src-address-list="EZVIZ C6N"
add action=drop chain=forward comment="Block HP Printer" src-address-list="Impresora HP"
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related
add action=accept chain=forward comment="defconf: accept established,related, untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=forward comment="allow internet traffic" in-interface-list=LAN out-interface-list=WAN
add action=accept chain=forward comment="port forwarding" connection-nat-state=dstnat
add action=drop chain=forward comment="drop all else"

Winbox: [screenshot of the firewall filter rules: mkt_ip_firewall_filter_rules.png]

(1) No need to get fancy with ICMP, personal choice I guess.

(2) Why do you have user rules in the forward chain before the initial set of default rules? Move those block rules lower (after the invalid rule).

As to the rest, hard to say as you don't provide the full config.

I don’t know what you mean about ICMP. I’ll get the rules sorted and I will provide you with the full config, but I don’t have a computer at reach atm.
Thanks for your help! :slight_smile:

This is the default rule and no need to modify it.
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp

Here you have the full config file; I've used hide-sensitive and erased the MAC addresses. The forward rules have been sorted.
BTW, I have to thank you for your help and I’m sorry for all the questions I’ve asked.

# dec/25/2023 17:57:02 by RouterOS 6.49.11
# software id = 6M2E-EHLZ
#
# model = RB760iGS
# serial number = XXXXXXXXXXXX
/interface bridge
add admin-mac=XXXXXXXXXXXX auto-mac=no comment=defconf name=bridge
/interface ethernet
set [ find default-name=ether1 ] comment=WAN
/interface pppoe-client
add add-default-route=yes disabled=no interface=ether1 name=pppoe-out1 \
    service-name=telefonica user=adslppp@telefonicanetpa
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip pool
add name=default-dhcp ranges=192.168.1.33-192.168.1.199
/ip dhcp-server
add address-pool=default-dhcp disabled=no interface=bridge name=defconf
/interface bridge port
add bridge=bridge comment=defconf interface=ether2
add bridge=bridge comment=defconf interface=ether3
add bridge=bridge comment=defconf interface=ether4
add bridge=bridge comment=defconf interface=ether5
add bridge=bridge comment=defconf interface=sfp1
/ip neighbor discovery-settings
set discover-interface-list=none
/interface list member
XXXXXXXXXXXXXXXXXXXXXX
/ip dhcp-server network
add address=192.168.1.0/24 comment=defconf dns-server=\
    192.168.1.111,192.168.1.72 gateway=192.168.1.1
/ip dns
set servers=192.168.1.111,192.168.1.72
/ip dns static
add address=192.168.88.1 comment=defconf name=router.lan
/ip firewall address-list
add address=192.168.1.197 list="EZVIZ C6N"
add address=192.168.1.87 list="Impresora HP"
add address=192.168.1.56 comment=Desktop list=Admin
add address=192.168.1.51 comment=iPhone list=Admin
add address=192.168.1.45 comment=Macbook list=Admin
add address=192.168.1.3 comment=Wireguard list=Admin
/ip firewall filter
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment=\
    "defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=accept chain=input comment="Config Access" src-address-list=Admin
add action=accept chain=input comment="Allow LAN DNS queries-UDP" dst-port=53 \
    in-interface-list=LAN protocol=udp
add action=accept chain=input comment="Allow LAN DNS queries - TCP" dst-port=\
    53 in-interface-list=LAN protocol=tcp
add action=drop chain=input comment="drop all else"
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
    connection-state=established,related
add action=accept chain=forward comment=\
    "defconf: accept established,related, untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
add action=drop chain=forward comment="Block EZVIZ C6N" src-address-list=\
    "EZVIZ C6N"
add action=drop chain=forward comment="Block HP Printer" src-address-list=\
    "Impresora HP"
add action=accept chain=forward comment="allow internet traffic" \
    in-interface-list=LAN out-interface-list=WAN
add action=accept chain=forward comment="port forwarding" \
    connection-nat-state=dstnat
add action=drop chain=forward comment="drop all else"
/ip firewall nat
add action=masquerade chain=srcnat out-interface-list=WAN
add action=dst-nat chain=dstnat comment="Wireguard (network_pi)" dst-port=\
    51820 in-interface=pppoe-out1 protocol=udp to-addresses=192.168.1.111 \
    to-ports=51820
/ip service
set telnet disabled=yes
set ftp disabled=yes
set www disabled=yes
set ssh port=2200
set api disabled=yes
set winbox port=7891
set api-ssl disabled=yes
/ip ssh
set strong-crypto=yes
/system clock
set time-zone-name=Europe/Madrid
/tool bandwidth-server
set enabled=no
/tool mac-server
set allowed-interface-list=none
/tool mac-server mac-winbox
set allowed-interface-list=none
/tool mac-server ping
set enabled=no

(1) Looks better, not quite sure what you are trying to accomplish with this rule.
add action=dst-nat chain=dstnat comment="Wireguard (network_pi)" dst-port=\
    51820 in-interface=pppoe-out1 protocol=udp to-addresses=192.168.1.111 \
    to-ports=51820

May be perfectly fine if I understood its intention?

(2) I notice you block two LAN IP addresses altogether.
Not normal or generally a good idea, and probably you think you are accomplishing something you are not.
For example,
a. there is no point trying to block the C6N or HP printer from reaching own-subnet IP addresses, as that occurs at L2 while the firewall rules are aimed at L3.
The only value is if you wanted to explicitly block them from reaching different subnets/vlans, but in this case this is already done via the last rule in the forward chain (BLOCK ALL ELSE), since we don't explicitly allow subnet-to-different-subnet traffic in the forward chain.
AND
b. if you are simply trying to block them from the internet you have two options: create a firewall address list of those IPs not allowed to the internet and make an additional clear firewall rule, with the rule being BEFORE the general allow rule to the internet, like so:
add chain=forward action=drop src-address-list=Blocked-Internet out-interface-list=WAN
add chain=forward action=accept comment="internet traffic" in-interface-list=LAN out-interface-list=WAN

OR modify the existing rule as such:
add chain=forward action=accept comment="internet traffic" in-interface-list=LAN out-interface-list=WAN src-address-list=!Blocked-Internet

You should have enough information and understanding to figure out pretty much anything else you need.
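To make the first-match point from the earlier replies concrete (a block rule placed below the allow rule never fires, and a chain without a final drop accepts whatever no rule matched), here is an added Python model of forward-chain evaluation over the two options above; it is not from the thread or from RouterOS, and the address lists, interface lists and packets in it are constructed, covering only the three list matchers these rules use.

```python
import shlex
# Constructed address list and interface lists standing in for the router's
# /ip firewall address-list and /interface list member entries.
ADDRESS_LISTS = {"Blocked-Internet": {"192.168.1.197", "192.168.1.87"}}
IFACE_LISTS = {"LAN": {"bridge"}, "WAN": {"pppoe-out1"}}

def parse_rule(line):  # 'add action=drop chain=forward k=v ...' -> {k: v}
    rule = {}
    for tok in shlex.split(line)[1:]:  # skip the leading 'add'
        key, _, val = tok.partition("=")
        rule[key] = val
    return rule

def matches(rule, pkt):
    """True if every matcher in the rule matches the packet ('!' negates)."""
    if rule.get("chain") != pkt["chain"]:
        return False
    for key, val in rule.items():
        if key in ("action", "chain", "comment"):
            continue
        negate = val.startswith("!")
        val = val.lstrip("!")
        if key == "src-address-list":
            hit = pkt["src"] in ADDRESS_LISTS.get(val, set())
        elif key == "in-interface-list":
            hit = pkt["in"] in IFACE_LISTS.get(val, set())
        elif key == "out-interface-list":
            hit = pkt["out"] in IFACE_LISTS.get(val, set())
        else:
            raise ValueError(f"matcher not modelled here: {key}")
        if hit == negate:
            return False
    return True

def verdict(lines, pkt):
    """First matching accept/drop rule wins; an unmatched chain accepts."""
    for rule in map(parse_rule, lines):
        if matches(rule, pkt) and rule["action"] in ("accept", "drop"):
            return rule["action"]
    return "accept"  # RouterOS default when no rule in the chain matched

# The thread's two options, plus the trailing drop-all, as constructed lines.
BLOCK = "add action=drop chain=forward src-address-list=Blocked-Internet out-interface-list=WAN"
ALLOW = 'add action=accept chain=forward comment="internet traffic" in-interface-list=LAN out-interface-list=WAN'
ALLOW_EXCEPT = ALLOW + " src-address-list=!Blocked-Internet"
DROP_ALL = 'add action=drop chain=forward comment="drop all else"'
# Constructed packets: camera -> internet (new), and unsolicited WAN -> LAN.
CAMERA_OUT = {"chain": "forward", "src": "192.168.1.197", "in": "bridge", "out": "pppoe-out1"}
WAN_IN = {"chain": "forward", "src": "203.0.113.5", "in": "pppoe-out1", "out": "bridge"}
```

Running `verdict([ALLOW, BLOCK, DROP_ALL], CAMERA_OUT)` returns "accept" while `verdict([BLOCK, ALLOW, DROP_ALL], CAMERA_OUT)` returns "drop", which is the ordering mistake the replies warn about.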

Thanks again for your help!

  1. That's an open port redirected to a Raspberry Pi where I'm running Wireguard to access the network from outside.

  2. I will have a look at what you have proposed in order to block Internet traffic to the C6N and the HP Printer.

I can’t express how much I appreciate your help, I won’t disturb you anymore.
Thank you :slight_smile:

Why are you running Wireguard on a raspberry Pi and NOT the router???

Because I read that it would decrease performance, and it was easier to install. (I have a Hex S)