Understand firewall filter rules

Hello,

For 3 years I have used a Mikrotik router to connect to the internet via an ADSL PPPoE connection. I am very happy with the setup and the very well working QoS for VoIP. For a few days I have been trying to set up port forwarding to my NAS with an OpenVPN server, but I am not sure if I did it the right way.

Setup:
ISP ----- ADSL Modem ------- RB750G (pppoe ether1); 10.0.0.1 local lan ether2-5 ------ NAS with VPN server (10.0.0.113, udp 1194)

I set up a dest-nat as described in the wiki (disabled at the moment):

[admin@MikroTik] /ip firewall nat> print
Flags: X - disabled, I - invalid, D - dynamic 
 0   chain=srcnat action=masquerade src-address=10.0.0.0/24 

 1 X ;;; rules for openVPN connection to Diskstation
     chain=dstnat action=dst-nat to-addresses=10.0.0.113 to-ports=1194 protocol=udp dst-address=92.194.50.154 dst-port=1194 

 2 X chain=dstnat action=dst-nat to-addresses=10.0.0.113 to-ports=1194 protocol=udp in-interface=pppoe-ether1 dst-port=1194

but no connection is possible due to my firewall filter rules. I copied these rules from a thread but did not really understand what they are doing. In my opinion a rule like number 9 should do the forwarding, but is it secure, or do I open a security hole with such an additional filter rule? I did not really understand how the rules here work and what is really necessary.

[admin@MikroTik] /ip firewall filter> print
Flags: X - disabled, I - invalid, D - dynamic 
 0   ;;; default configuration
     chain=input action=accept protocol=icmp 

 1   ;;; default configuration
     chain=input action=accept connection-state=established in-interface=ether1-gateway 

 2   ;;; default configuration
     chain=input action=accept connection-state=related in-interface=ether1-gateway 

 3   ;;; default configuration
     chain=input action=drop in-interface=ether1-gateway 

 4   chain=input action=accept connection-state=established 

 5   chain=input action=accept connection-state=related 

 6   chain=input action=drop connection-state=invalid 

 7   chain=input action=accept in-interface=ether2-local-master 

 8   chain=input action=drop 

 9 X ;;; filter rule for OpenVPN connection to Diskstation
     chain=forward action=accept protocol=udp dst-port=1194 

10   chain=forward action=accept connection-state=established 

11   chain=forward action=accept connection-state=related 

12   chain=forward action=drop connection-state=invalid 

13   chain=forward action=accept in-interface=ether2-local-master 

14   chain=forward action=drop 

15   ;;; Block all access to the winbox - except to support list # DO NOT ENABLE THIS RULE BEFORE ADD YOUR SUBNET IN THE SUPPORT ADDRESS LIST
     chain=input action=drop protocol=tcp src-address-list=!support dst-port=8291

Thanks for helping

Regards Markus

IP Firewall Filter #9 should read:

9 X ;;; filter rule for OpenVPN connection to Diskstation
chain=forward action=accept protocol=udp dst-address=10.0.0.113 in-interface=pppoe-ether1 dst-port=1194

And rule #2 in NAT should be removed. Rule #1 is fine.

Hope this works,

Tony
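An added example, not from this thread and not Mikrotik's own code: a small first-match simulator for the filter chains printed above, which is how RouterOS evaluates them (per chain, top to bottom, the first matching enabled rule decides; a chain with no matching rule accepts). The rule lines are copied from the print, comments dropped, with rule 9 in the form Tony gives and enabled; the packets, the documentation-range internet address and the helper names (`parse_rules`, `matches`, `evaluate`, `scenarios`) are constructed for the example. Running it shows that the tightened rule 9 only passes UDP 1194 arriving on pppoe-ether1 for 10.0.0.113 and that any other new WAN packet falls through to rule 14; it also shows that the "default configuration" rules 1-3 match `ether1-gateway`, so on this box they never see traffic arriving on `pppoe-ether1`, and it is rule 8 that finally drops unsolicited WAN traffic to the router itself.

```python
# Added example (not from this thread): first-match simulator for the RouterOS
# filter chains printed above. Rule text is copied from the print, with rule 9
# as Tony suggested and enabled; packets below are constructed.

RULES_TEXT = """
0 chain=input action=accept protocol=icmp
1 chain=input action=accept connection-state=established in-interface=ether1-gateway
2 chain=input action=accept connection-state=related in-interface=ether1-gateway
3 chain=input action=drop in-interface=ether1-gateway
4 chain=input action=accept connection-state=established
5 chain=input action=accept connection-state=related
6 chain=input action=drop connection-state=invalid
7 chain=input action=accept in-interface=ether2-local-master
8 chain=input action=drop
9 chain=forward action=accept protocol=udp dst-address=10.0.0.113 in-interface=pppoe-ether1 dst-port=1194
10 chain=forward action=accept connection-state=established
11 chain=forward action=accept connection-state=related
12 chain=forward action=drop connection-state=invalid
13 chain=forward action=accept in-interface=ether2-local-master
14 chain=forward action=drop
15 chain=input action=drop protocol=tcp src-address-list=!support dst-port=8291
"""


def parse_rules(text):
    """Parse 'N [X] key=value ...' lines into rule dicts, keeping print order."""
    rules = []
    for line in text.strip().splitlines():
        tokens = line.split()
        index, tokens = int(tokens[0]), tokens[1:]
        disabled = tokens[:1] == ["X"]          # X flag means the rule is disabled
        if disabled:
            tokens = tokens[1:]
        fields = dict(tok.split("=", 1) for tok in tokens)
        rules.append({
            "index": index,
            "disabled": disabled,
            "chain": fields.pop("chain"),
            "action": fields.pop("action"),
            "match": fields,                     # every remaining key is a matcher
        })
    return rules


def matches(rule, packet):
    """All matchers of a rule must hold; a leading '!' negates the value."""
    for key, want in rule["match"].items():
        have = str(packet.get(key, ""))
        if want.startswith("!"):
            if have == want[1:]:
                return False
        elif have != want:
            return False
    return True


def evaluate(rules, packet):
    """First matching enabled rule in the packet's chain decides.

    Returns (action, rule index); index None means no rule matched and the
    chain default (accept) applied."""
    for rule in rules:
        if rule["disabled"] or rule["chain"] != packet["chain"]:
            continue
        if matches(rule, packet):
            return rule["action"], rule["index"]
    return "accept", None


RULES = parse_rules(RULES_TEXT)
WAN, LAN = "pppoe-ether1", "ether2-local-master"


def packet(chain, iface, proto, dst, port=None, state="new"):
    """A packet as the filter sees it (after dst-nat, so dst is already the LAN host)."""
    return {"chain": chain, "in-interface": iface, "protocol": proto,
            "dst-address": dst, "dst-port": "" if port is None else port,
            "connection-state": state, "src-address-list": ""}  # on no address list


def scenarios():
    """Constructed packets and the (action, rule index) each one hits."""
    cases = {
        "vpn_to_nas": packet("forward", WAN, "udp", "10.0.0.113", 1194),
        "vpn_to_other_host": packet("forward", WAN, "udp", "10.0.0.50", 1194),
        "lan_to_internet": packet("forward", LAN, "tcp", "203.0.113.5", 443),
        "reply_from_wan": packet("forward", WAN, "tcp", "10.0.0.20", 51000, "established"),
        "ping_router_from_wan": packet("input", WAN, "icmp", "92.194.50.154"),
        "winbox_from_wan": packet("input", WAN, "tcp", "92.194.50.154", 8291),
        "winbox_from_lan": packet("input", LAN, "tcp", "10.0.0.1", 8291),
    }
    return {name: evaluate(RULES, pkt) for name, pkt in cases.items()}


if __name__ == "__main__":
    for name, (action, index) in scenarios().items():
        print(f"{name:22s} -> {action:6s} (rule {index})")
```

The same first-match walk applies on the router: a rule only protects anything if no earlier rule in the same chain already accepted the packet, which is why rule 15 (listed after the catch-all drop in rule 8) never fires for WAN packets, and why a broad `forward accept udp dst-port=1194` would sit before the established/related and invalid checks.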

Hi Tony,

thanks for your answer, I changed my filter rule accordingly.
For the NAT rule I accidentally posted two versions; #1 was only for testing. I have a dial-up connection with a changing IP every 24 hours. Is there a possibility to get the current dial-up IP into the rule?

Regards Markus

I don’t think there is a way to do this without setting up a script, due to the way that the NAT rules work. There are, however, quite a lot of good examples in the scripting section of the forum, and if you ask nicely, someone may even help by making one for you. I would recommend trying for yourself though, as it is quite easy to learn and can come in handy in the future.

Tony