Weird filtering issue on 7.15.3

atomicduck · August 11, 2024, 11:05am

I am just building a small network on 1100AHx4, and have encountered a weird issue with Firewall:

if I define a list for all local interfaces, and use it in the firewall it doesn’t see to catch anything. Only if I define input for a bridge interface it catches something.

Doesn’t work:

/ip firewall filter
add action=accept chain=input comment="Allow DNS UDP from all LANs" dst-port=53 in-interface-list="LANS" protocol=udp

Works:

/ip firewall filter
add action=accept chain=input comment="Allow DNS UDP from LAN1" dst-port=53 in-interface=LAN1 protocol=udp

I don’t remember having issues with this before? Or I am doing something wrong?

erlinden · August 11, 2024, 11:14am

Enable logging on the drop rule to get insights why this rule isn’t working.

I would expect the double quotes are the problem.

tangent · August 11, 2024, 2:19pm

“All LANs” implies VLANs are in use. Does your “LANS” interface list contain the raw interface names (e.g. “ether1”) or the VLAN virtual interfaces (e.g. “vlan99”)?

Also, are you aware of — and happy with — the fact that this rule catches only traffic destined for the router itself, as with local DNS lookups? It will do nothing with DNS that is forwarded through the router toward another server.