Hello.
I am just getting familiar with RouterOS and I have found a strange behaviour.
In NAT I have one rule to masquerade outgoing traffic as usual, and this works.

In the firewall rules I have one rule to allow ports 80 and 443 from the network segment to reach whatever must be reached.
The second rule is a ping allow.
And the third rule I have is drop everything.

OK, it looks easy, but I do not know why I can ping whatever I want but I cannot surf the web.
If I change the drop rule and set in-interface to my network interface, all works OK.
I do not know why, and in the MikroTik forum nothing is said.
Can anyone explain to me what I am doing wrong?
I am using RouterOS 6.39.2 on an RB2011iLM-RM.
With the 6.40 release candidate I have the same issue.
Add an allow rule for established traffic:
/ip firewall filter
add place-before=1 action=accept chain=forward connection-state=established,related
But why do I need to do that?
What happens with the new connections?
Can you please explain a little more?
Please take a look at the basic examples in https://wiki.mikrotik.com/wiki/Manual:IP/Firewall/Filter
This is not a bug. You need to accept reply packets to make web browsing work.
The connection tracker will automatically remember the new (outgoing) connections that have been accepted by firewall rules.
You need to accept the return packets related to these connections to make traffic flow.
Also take a look at the default (firewall) configuration:
/system default-configuration print
If you have configuration-specific questions, please paste a configuration export of the relevant section rather than screenshots. E.g.:
/ip firewall export hide-sensitive
(about hide-sensitive: there is really no sensitive data in the firewall, but it can't hurt either. This option hides passwords, secrets etc. from the export, e.g. PPP passwords.)
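To make the explanation above concrete, here is the rule set as described in the question next to a corrected version. This is an added example, not configuration from either poster; the interface names (ether1 as WAN, bridge-local as LAN), the LAN prefix 192.168.88.0/24 and the assumption that the "ping allow" rule is a plain protocol=icmp accept are all mine.

```routeros
# Added example, not from the original thread. Assumed names:
#   ether1        = WAN interface (masqueraded in /ip firewall nat)
#   bridge-local  = LAN interface
#   192.168.88.0/24 = LAN prefix

# --- (1) The forward chain as described in the question ---
# A LAN host 192.168.88.10:54321 -> 93.184.216.34:443 matches rule 1 and
# is accepted. The reply 93.184.216.34:443 -> 192.168.88.10:54321 comes
# back through the forward chain with src-port 443 and an ephemeral
# dst-port, so it does NOT match dst-port=80,443. It falls through to the
# final drop and the TCP handshake never completes.
# ICMP echo-reply still matches protocol=icmp (rule 2 has no direction),
# which is why ping works while HTTP/HTTPS does not.
/ip firewall filter
add chain=forward action=accept protocol=tcp dst-port=80,443 \
    src-address=192.168.88.0/24 comment="web from LAN (broken: no reply rule)"
add chain=forward action=accept protocol=icmp comment="ping"
add chain=forward action=drop comment="drop everything else"

# Note on the workaround in the question: adding in-interface=bridge-local
# to the drop rule makes it match only LAN-originated packets, so the
# replies from ether1 are no longer dropped. But nothing else arriving on
# ether1 is dropped either; a packet that matches no rule is accepted by
# default at the end of the chain, so this is not a fix.

# --- (2) Corrected forward chain ---
# Accept replies first, using the connection tracker; then drop anything
# the tracker considers invalid; then decide per new connection.
/ip firewall filter
add chain=forward action=accept connection-state=established,related \
    comment="replies to connections already accepted below"
add chain=forward action=drop connection-state=invalid \
    comment="packets that belong to no tracked connection"
add chain=forward action=accept connection-state=new in-interface=bridge-local \
    src-address=192.168.88.0/24 protocol=tcp dst-port=80,443 \
    comment="LAN may open HTTP/HTTPS"
add chain=forward action=accept connection-state=new in-interface=bridge-local \
    src-address=192.168.88.0/24 protocol=icmp comment="LAN may ping"
add chain=forward action=drop comment="everything else, in both directions"

# --- (3) Checks ---
# Watch the packet/byte counters move on the established,related rule while
# browsing, and confirm the connection the tracker remembered:
/ip firewall filter print stats
/ip firewall connection print where dst-address~":443"
```

To answer "what happens with the new connections": the first SYN from the LAN has connection-state=new and is decided by the dst-port rules; once accepted, the tracker records the 5-tuple and every later packet of that flow in either direction is established, so the first rule handles it and the port rules are never consulted again. Placing the drop rule last with no in-interface keeps unsolicited traffic from ether1 out of the LAN, which the in-interface workaround does not.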
Thanks for the lesson. I come from a pfSense environment, and in pfSense I only need to insert the rule to allow the connection, and all the related packets pass without my noticing.
For me the need to allow connection-related packets is new.
Thank you!
Apparently pfSense has an invisible rule that allows established/related.
In RouterOS you can add this rule yourself and you can put things before it, or you can decide to use a
firewall that does not do connection tracking (so you have to put the forward/reverse rules yourself).