Hello all
I am attaching here my working firewall rules for 2 WAN PCC mangling. The fast-track rule took me so long to understand that my mangling rules were ok, and I was struggling in vain. Of course, the routing table in version 7 is another major change that you have to consider.
Change your address in the address table according to what you are using in your LAN.
The firewall rules have a complete basic working firewall with bogons protection, ICMP, TCP, UDP jump filters, DDoS attack protection (simple) and brute force protection.
If someone would like just to use two WAN as failover with firewall rules, those rules are inside disabled.
Below are some disabled rules and a description of them.
Line 114-115 (not working in the PCC mangling; it's the default rule, ignore or disable it if you have it already):
add action=fasttrack-connection chain=forward comment="Protect the LAN devices FastTrack Default Rule - not applicable to Mangling PCC" connection-state=established,related disabled=yes hw-offload=yes
Rules that ONLY need to be applied if you are using the router as simple failover for two WAN (ENABLE it to firewall filters)
This was my IPBX that I wanted to get out of my mangling rules.
Line 195-196: add action=accept chain=prerouting comment="Enter address from sites that you wish to exempt from PCC" disabled=yes dst-address-list=sites-exempted-from-pcc src-address=192.168.200.134
You might need to use this route also to work with un-mangled IP addresses:
add disabled=no distance=3 dst-address=0.0.0.0/0 gateway=192.168.1.1 pref-src=0.0.0.0 routing-table=main scope=255 suppress-hw-offload=no target-scope=10
Rules in mangling to be applied if used as WAN failover. Disable everything else
NAT works either with this rule or with the other two rules (enabled) for each WAN Ethernet in PCC mangling (Not failover-There, we have other rules below).
Line 223: add action=masquerade chain=srcnat disabled=yes out-interface-list=WAN --> works either with this rule or with the other two rules for each WAN ethernet.
Rules in routing and NAT if you wish failover two WAN Disable everything else.
Line 226: add action=src-nat chain=srcnat comment="failover rules" disabled=yes out-interface=ether1-WAN1
Line 228: add action=src-nat chain=srcnat disabled=yes out-interface=ether2-WAN2 to-addresses=192.168.2.2
Line 240: add check-gateway=ping comment="Failover routes" disabled=yes distance=1 dst-address=0.0.0.0/0 gateway=
Line 242: add comment="Failover routes" disabled=yes distance=2 dst-address=0.0.0.0/0 gateway=192.168.2.1 pref-src=\
Some modification in the firewall filter rules. I forgot the invalid in the invalid input rule and was not able to access the router through winbox with its IP. It was possible with its MAC.
It's essential to have a valid firewall when making mangling also, instead of using the default configuration, and I consider myself a basic user still, so this supports basic users out there also.
Mikrotik is a huge beast....
yeah your firewall is crap, you would be better served to use defaults and if mangling works from that be happy, then add in any other required rules for actual needed traffic flow… not cute youtube video garbage.
Thanks for your criticism. It works ok. As concerning my videos, I don’t care, as they also work as they should. If you don’t like them, watch Netflix mate. The firewall is made by default in wiki. Nice talk Anav
I need your feedback to find out what is outdated and what is wrong, people. It took a lot of time to get the info that fast track does not work with PCC mangling.
After feedback and some more reading I have removed totally UDP and TCP jumps (if you have any feedback please send it, as it might need some filtering drops but I don't know which).
My firewall for PCC mangling is the following:
FASTTRACKING removed totally
aug/27/2022 11:44:41 by RouterOS 7.4.1
model = 960PGS
serial number = A51509797D94
/ip firewall filter
add action=accept chain=input comment="Starting rules to protect Router Allow Established connections" connection-state=established,related
add action=accept chain=input comment="Allow router from inside LAN" in-interface-list=!WAN src-address-list=allowed_to_router
add action=accept chain=input comment="Allow ICMP" protocol=icmp
add action=drop chain=input comment="Drop Invalid connections" connection-state=invalid
add action=drop chain=input comment="Drop everything else"
add action=accept chain=forward comment="Allow already established, related connections" connection-state=established,related
add action=jump chain=forward comment="jump to ICMP filters" jump-target=icmp protocol=icmp
add action=drop chain=forward comment="Drop invalid" connection-state=invalid log=yes log-prefix=invalid protocol=tcp
add action=accept chain=forward comment="Accept tries to reach WAN router addesses from LAN (access ISP routers from inside LAN)" in-interface=GNEMS log-prefix=!public_from_LAN out-interface-list=WAN
add action=drop chain=forward comment="Drop tries to reach not public addresses from LAN" dst-address-list=not_in_internet in-interface=GNEMS log=yes log-prefix=!public_from_LAN out-interface=!GNEMS
add action=drop chain=forward comment="Drop incoming packets that are not NAT`ted" connection-nat-state=!dstnat connection-state=new in-interface-list=WAN log=yes log-prefix=!NAT
add action=drop chain=forward comment="Drop incoming from internet which is not public IP" in-interface-list=WAN log-prefix=!public src-address-list=not_in_internet
add action=drop chain=forward comment="Drop incoming from internet which is not public IP" dst-address-list=not_in_internet in-interface-list=WAN log-prefix=!public
add action=drop chain=forward comment="Drop packets from LAN that do not have LAN IP" in-interface=GNEMS log=yes log-prefix=LAN_!LAN src-address=!192.168.200.0/24
add action=drop chain=input comment="drop ftp brute forcers" dst-port=21 protocol=tcp src-address-list=ftp_blacklist
add action=accept chain=output content="530 Login incorrect" dst-limit=1/1m,9,dst-address/1m protocol=tcp
add action=add-dst-to-address-list address-list=ftp_blacklist address-list-timeout=3h chain=output content="530 Login incorrect" protocol=tcp
add action=drop chain=input comment="drop ssh brute forcers" dst-port=22 protocol=tcp src-address-list=ssh_blacklist
add action=add-src-to-address-list address-list=ssh_blacklist address-list-timeout=1w3d chain=input connection-state=new dst-port=22 protocol=tcp src-address-list=ssh_stage3
add action=add-src-to-address-list address-list=ssh_stage3 address-list-timeout=1m chain=input connection-state=new dst-port=22 protocol=tcp src-address-list=ssh_stage2
add action=add-src-to-address-list address-list=ssh_stage2 address-list-timeout=1m chain=input connection-state=new dst-port=22 protocol=tcp src-address-list=ssh_stage1
add action=add-src-to-address-list address-list=ssh_stage1 address-list-timeout=1m chain=input connection-state=new dst-port=22 protocol=tcp
add action=drop chain=forward comment="drop ssh brute downstream" dst-port=22 protocol=tcp src-address-list=ssh_blacklist
add action=accept chain=icmp comment="ICMP filters echo reply" icmp-options=0:0 limit=5,10:packet protocol=icmp
add action=accept chain=icmp comment="net unreachable" icmp-options=3:0 protocol=icmp
add action=accept chain=icmp comment="host unreachable" icmp-options=3:1 protocol=icmp
add action=accept chain=icmp comment="protocol unreachable" icmp-options=3:2 protocol=icmp
add action=accept chain=icmp comment="port unreachable" icmp-options=3:3 protocol=icmp
add action=accept chain=icmp comment="host unreachable fragmentation required" icmp-options=3:4 protocol=icmp
add action=accept chain=icmp comment="allow echo request" icmp-options=8:0 limit=5,10:packet protocol=icmp
add action=accept chain=icmp comment="allow time exceed" icmp-options=11:0-255 protocol=icmp
add action=accept chain=icmp comment="allow parameter bad" icmp-options=12:0 protocol=icmp
add action=drop chain=icmp comment="deny all other types"
Rules are evaluated in order from top to bottom, so after #5 unconditionally drops everything (not allowed before it), all following rules in chain=input are not reachable, i.e. useless. But it’s no big loss. Protecting router’s own FTP server against bruteforcing is nonsense, because it’s unlikely that you even need it enabled, and almost sure that you don’t need it accessible from internet. So just disable whole FTP server, it’s much better protection. SSH has slightly higher chance that you want it, but most people don’t. And this way of blocking is not great, it just counts connections and can’t distinguish between failed and successful logins.
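The rule-order point made in the reply above can be checked mechanically rather than by eye. The script below is an added example and is not part of any post in this thread: it parses `/ip firewall filter` export lines, treats an enabled accept/drop/reject/tarpit rule with no matchers as closing its chain, and reports every enabled rule that follows such a rule in the same chain. The sample input is a constructed, abbreviated copy of the input and forward rules posted above.

```python
import re
from collections import defaultdict

# Constructed sample: an abbreviated copy of the chain=input and chain=forward
# rules from the export posted above, in the order they were posted.
SAMPLE_EXPORT = """\
/ip firewall filter
add action=accept chain=input comment="Allow Established connections" connection-state=established,related
add action=accept chain=input comment="Allow router from inside LAN" in-interface-list=!WAN src-address-list=allowed_to_router
add action=accept chain=input comment="Allow ICMP" protocol=icmp
add action=drop chain=input comment="Drop Invalid connections" connection-state=invalid
add action=drop chain=input comment="Drop everything else"
add action=accept chain=forward comment="Allow already established, related connections" connection-state=established,related
add action=drop chain=forward comment="Drop invalid" connection-state=invalid log=yes log-prefix=invalid protocol=tcp
add action=drop chain=input comment="drop ftp brute forcers" dst-port=21 protocol=tcp src-address-list=ftp_blacklist
add action=drop chain=input comment="drop ssh brute forcers" dst-port=22 protocol=tcp src-address-list=ssh_blacklist
add action=add-src-to-address-list address-list=ssh_blacklist address-list-timeout=1w3d chain=input connection-state=new dst-port=22 protocol=tcp src-address-list=ssh_stage3
add action=add-src-to-address-list address-list=ssh_stage1 address-list-timeout=1m chain=input connection-state=new dst-port=22 protocol=tcp
add action=drop chain=forward comment="drop ssh brute downstream" dst-port=22 protocol=tcp src-address-list=ssh_blacklist
"""

# Properties of a rule that say what it does or how it is labelled, not what
# packets it matches. Any other key is treated as a matcher.
NON_MATCH_KEYS = {"action", "chain", "comment", "disabled", "log", "log-prefix",
                  "jump-target", "address-list", "address-list-timeout"}
# Actions after which a matching packet leaves the chain for good.
TERMINAL_ACTIONS = {"accept", "drop", "reject", "tarpit"}

# key=value tokens; the value is either a double-quoted string or a bare word.
TOKEN_RE = re.compile(r'([\w-]+)=("(?:[^"\\]|\\.)*"|\S*)')


def parse_rule(line):
    """Turn one 'add key=value ...' export line into a dict (quotes stripped).
    Lines that are not rules (e.g. the '/ip firewall filter' header) give None."""
    if not line.startswith("add "):
        return None
    return {k: v.strip('"') for k, v in TOKEN_RE.findall(line[4:])}


def is_unconditional(rule):
    """True when the rule carries no matcher at all, so every packet hits it."""
    return not any(k not in NON_MATCH_KEYS for k in rule)


def unreachable_rules(export_text):
    """Return {chain: [rule, ...]} for enabled rules placed after an enabled,
    unconditional terminal rule in the same chain; those rules never see a packet."""
    shadowed = defaultdict(list)
    closed_chains = set()
    for line in export_text.splitlines():
        rule = parse_rule(line)
        if rule is None or rule.get("disabled") == "yes":
            continue  # header lines and disabled rules play no part in evaluation
        chain = rule["chain"]
        if chain in closed_chains:
            shadowed[chain].append(rule)
        elif rule.get("action") in TERMINAL_ACTIONS and is_unconditional(rule):
            closed_chains.add(chain)
    return dict(shadowed)


if __name__ == "__main__":
    for chain, rules in unreachable_rules(SAMPLE_EXPORT).items():
        print(f"chain={chain}: {len(rules)} unreachable rule(s)")
        for r in rules:
            print("   ", r.get("comment") or r.get("action"))
```

Run against the full export, the report lists the FTP and SSH brute-force rules in chain=input as shadowed by "Drop everything else", while chain=forward and chain=icmp come back clean because their unconditional drops sit last. The check is deliberately conservative: it only flags rules behind a rule with no matcher whatsoever, so a rule shadowed by an earlier, broader matcher (say `protocol=tcp` before `protocol=tcp dst-port=22`) is not reported.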
Won't look at your firewall rules but will look at the mangles and can compare side by side…
What I see that is different is in yellow from dischers bible! And I present them in the order of Dischers doc…
In other words you didn't actually follow the guide?
(1) Why add the in-interfaces??
add action=accept chain=prerouting comment="allow usage of the default routing table for traffic to connected networks" dst-address=192.168.1.0/24 in-interface=GNEMS
add action=accept chain=prerouting dst-address=192.168.2.0/24 in-interface=GNEMS
(5) Why the passthrough difference and these rules you have in a different order from the guide?
add action=mark-connection chain=prerouting comment="mark all new incoming connections, to remember what was the interface" connection-mark=no-mark in-interface=ether1-WAN1 new-connection-mark=WAN1_conn passthrough=no
add action=mark-connection chain=prerouting connection-mark=no-mark in-interface=ether2-WAN2 new-connection-mark=WAN2_conn passthrough=no
(6) For routes they look okay, just not sure if one puts the check-gateway ping on the standard route or the mangle route or doesn't matter.
Overall I would get rid of all the disabled rules; it made reading/troubleshooting way harder.
The rule below at the start of the mangling section I didn't comment on, but assuming that you have some purpose for…
add action=accept chain=prerouting comment="Enter address to equipment that you wish to exempt from PCC" src-address-list=users-exempted-from-pcc
As concerning the passthrough rules you are right, but it is debatable whether they have to be used or not in the given rules.
I also checked the following. So it's a mix-match between the two.
The last comment on the rule is for my IPBX to avoid connection marking and leave by default WAN which is one of the two in order not to lose the IP provider’s registration every time a connection is changing.
Thanks for your comments!!