What do these firewall rules do?

What do these rules do?

add action=drop chain=forward comment="Drop IP Cam From Wan" log=yes
out-interface=ether1 src-address-list="Block IP"

action=accept chain=forward comment="Forward IP Cam to VPN"
connection-state=established,related log=yes out-interface=
src-address-list="IP"


Asking for a friend (really me).

Trying to stop a device from accessing the internet or vice versa
&
Trying to force its data only through a VPN and not back over the router/network, assuming it's already on the network due to switches in between it and the router.

thanks for any help.

The first rule seems to block any traffic from that IP cam to the internet (assuming that ether1 is your WAN port and the source address list contains the IPs you wish to block).

However VPN is a tricky beast and if you want to control that traffic someone better qualified needs to answer.
Suggest you post your config
/export hide-sensitive file=anyfilename

Here's our inherited configuration. It's a bit messy with all the disabled rules & static entries.

MMM      MMM       KKK                          TTTTTTTTTTT      KKK
  MMMM    MMMM       KKK                          TTTTTTTTTTT      KKK
  MMM MMMM MMM  III  KKK  KKK  RRRRRR     OOOOOO      TTT     III  KKK  KKK
  MMM  MM  MMM  III  KKKKK     RRR  RRR  OOO  OOO     TTT     III  KKKKK
  MMM      MMM  III  KKK KKK   RRRRRR    OOO  OOO     TTT     III  KKK KKK
  MMM      MMM  III  KKK  KKK  RRR  RRR   OOOOOO      TTT     III  KKK  KKK

  MikroTik RouterOS 6.46.4 (c) 1999-2020       http://www.mikrotik.com/

[?]             Gives the list of available commands
command [?]     Gives help on the command and list of arguments

[Tab]           Completes the command/word. If the input is ambiguous,
                a second [Tab] gives possible options

/               Move up to base level
..              Move up one level
/command        Use command at the base level
[xx.xx.xx.Main1] > export compact
# mar/20/2020 10:02:39 by RouterOS 6.46.4
# software id = BEUB-UCGA
#
# model = 951G-2HnD
# serial number = 4F4404AEF76D
# Review notes: this is a RouterOS "export compact" of a router with one WAN
# port (ether1), a LAN bridge (bridge1, 192.168.3.0/24) and L2TP/SSTP VPN
# servers. Lines beginning "# NOTE(review)" were added during review and are
# not part of the exported configuration. Values shown as xx.xx.xx. were
# redacted by the poster. The firewall chains are order-sensitive; notes refer
# to rules by their comment or by position, top to bottom.
/interface bridge
add arp=proxy-arp fast-forward=no mtu=1500 name=bridge1 protocol-mode=none
# NOTE(review): wlan1 is configured as a station-bridge client of the SSID
# below and is also a port of bridge1 (see /interface bridge port), so the LAN
# bridge extends over that wireless link. Whether the access point it joins is
# under the same administration is not visible here — worth confirming.
/interface wireless
set [ find default-name=wlan1 ] antenna-gain=0 band=2ghz-b/g/n country="united states" \
    frequency=auto frequency-mode=manual-txpower mode=station-bridge rx-chains=0 ssid=\
    "Use me Sommers Wifi" tx-chains=0 wireless-protocol=nv2-nstreme-802.11
/interface ethernet
set [ find default-name=ether1 ] speed=100Mbps
set [ find default-name=ether2 ] speed=100Mbps
set [ find default-name=ether3 ] speed=100Mbps
set [ find default-name=ether4 ] speed=100Mbps
set [ find default-name=ether5 ] speed=100Mbps
/interface wireless security-profiles
set [ find default=yes ] authentication-types=wpa-psk,wpa2-psk eap-methods="" mode=dynamic-keys \
    supplicant-identity=MikroTik wpa-pre-shared-key= xx.xx.xx. wpa2-pre-shared-key= xx.xx.xx.
# NOTE(review): the default IPsec proposal is pinned to 3des only. 3DES is a
# deprecated cipher; this proposal is presumably what the L2TP server below
# (use-ipsec=required) negotiates with — confirm before changing it.
/ip ipsec proposal
set [ find default=yes ] enc-algorithms=3des
/ip pool
add name=dhcp ranges=192.168.3.100-192.168.3.200
# NOTE(review): the VPN pool lies inside the LAN subnet (192.168.3.0/24 on
# bridge1), so VPN peers receive LAN-range addresses; the proxy-arp setting on
# bridge1 is presumably what makes LAN hosts reach them — confirm.
add name=VPN ranges=192.168.3.25-192.168.3.75
/ip dhcp-server
add address-pool=dhcp authoritative=after-2sec-delay disabled=no interface=bridge1 name=dhcp1
/ppp profile
add change-tcp-mss=yes local-address=VPN name=roadwarrior remote-address=VPN use-encryption=yes
/queue interface
set ether1 queue=ethernet-default
set wlan1 queue=default
# NOTE(review): every queue-tree entry below is disabled=yes; the whole tree is
# inert as exported.
/queue tree
add comment=dscp_8 disabled=yes name="Priority (ether1) (Pri: 8)" packet-mark=dscp_8 queue=\
    ethernet-default
add disabled=yes name="8. Routine (ether1)" queue=ethernet-default
add comment=dscp_7 disabled=yes name="Routine (ether1) (Pri: 1)" packet-mark=dscp_7 parent=\
    "8. Routine (ether1)" priority=1 queue=ethernet-default
add comment=dscp_6 disabled=yes name="Routine (ether1) (Pri: 2)" packet-mark=dscp_6 parent=\
    "8. Routine (ether1)" priority=2 queue=ethernet-default
add comment=dscp_5 disabled=yes name="Routine (ether1) (Pri: 3)" packet-mark=dscp_5 parent=\
    "8. Routine (ether1)" priority=3 queue=ethernet-default
add comment=dscp_4 disabled=yes name="Routine (ether1) (Pri: 4)" packet-mark=dscp_4 parent=\
    "8. Routine (ether1)" priority=4 queue=ethernet-default
add comment=dscp_3 disabled=yes name="Routine (ether1) (Pri: 5)" packet-mark=dscp_3 parent=\
    "8. Routine (ether1)" priority=5 queue=ethernet-default
add comment=dscp_2 disabled=yes name="Routine (ether1) (Pri: 6)" packet-mark=dscp_2 parent=\
    "8. Routine (ether1)" priority=6 queue=ethernet-default
add comment=dscp_1 disabled=yes name="Routine (ether1) (Pri: 7)" packet-mark=dscp_1 parent=\
    "8. Routine (ether1)" priority=7 queue=ethernet-default
add comment=dscp_0 disabled=yes name="Routine (ether1) (Pri: 8)" packet-mark=dscp_0 parent=\
    "8. Routine (ether1)" queue=ethernet-default
# NOTE(review): the default SNMP community is allowed from any address
# (0.0.0.0/0). Whether the SNMP service is enabled is not in this export; if
# it is, note that the input chain below accepts new connections arriving on
# ether1, so the community would be reachable from the WAN — confirm and
# restrict addresses= to the management hosts.
/snmp community
set [ find default=yes ] addresses=0.0.0.0/0
/system logging action
set 0 memory-lines=5000
set 1 disk-file-name=log
# NOTE(review): "sniffer" is a read-only group with ssh access; the ssh service
# itself is disabled in /ip service below, so members have no way in via ssh.
/user group
add name=sniffer policy="ssh,read,!local,!telnet,!ftp,!reboot,!write,!policy,!test,!winbox,!passw\
    ord,!web,!sniff,!sensitive,!api,!romon,!dude,!tikapp"
# NOTE(review): ether1 is not a bridge port (it is the WAN); ether2-5 and
# wlan1 form the LAN bridge.
/interface bridge port
add bridge=bridge1 interface=wlan1
add bridge=bridge1 hw=no interface=ether2
add bridge=bridge1 interface=ether3
add bridge=bridge1 hw=no interface=ether4
add bridge=bridge1 hw=no interface=ether5
# NOTE(review): L2TP server with mandatory IPsec and a pre-shared secret
# (redacted). Road-warrior clients get addresses from the VPN pool via the
# roadwarrior profile (see /ppp secret).
/interface l2tp-server server
set allow-fast-path=yes authentication=mschap2 enabled=yes ipsec-secret=" xx.xx.xx." max-mru=\
    1460 max-mtu=1420 use-ipsec=required
# NOTE(review): only the PPTP default profile is set; compact export prints
# non-default values only, so the absence of enabled=yes suggests the PPTP
# server is off — confirm, PPTP should stay off.
/interface pptp-server server
set default-profile=roadwarrior
# NOTE(review): SSTP is enabled; the input rule accepting tcp/443 further down
# is presumably for it.
/interface sstp-server server
set authentication=mschap2 enabled=yes
/ip accounting
set enabled=yes threshold=2560
/ip accounting web-access
set accessible-via-web=yes address=192.168.3.187/32
# NOTE(review): LAN is 192.168.3.0/24 on bridge1; ether1 carries a public /29
# (redacted), i.e. ether1 is the WAN port the original question asks about.
/ip address
add address=192.168.3.1/24 interface=bridge1 network=192.168.3.0
add address= xx.xx.xx.253/29 interface=ether1 network= xx.xx.xx.248
/ip cloud
set update-time=no
# NOTE(review): the four leases commented "C W1 ..." (.133, .134, .135, .178)
# are the addresses in the "Block IP CAM" address list further down, so the
# cameras keep stable addresses and the list-based rules apply to them.
/ip dhcp-server lease
add address=192.168.3.81 client-id=1:0:b:82:63:3e:58 comment=\
    "Grand Central Analog Wireless Phone Adapter Ext 106" mac-address=00:0B:82:63:3E:58 server=\
    dhcp1
add address=192.168.3.200 client-id=1:0:17:61:10:f2:e7 comment="Warehouse Employee Time Clock" \
    mac-address=00:17:61:10:F2:E7 server=dhcp1
add address=192.168.3.175 client-id=1:48:5d:60:69:f9:12 comment="W Freezer Temp" mac-address=\
    48:5D:60:69:F9:12 server=dhcp1
add address=192.168.3.113 client-id=1:0:15:65:73:ae:19 comment="Yealink Cordless NF 1" \
    mac-address=00:15:65:73:AE:19 server=dhcp1
add address=192.168.3.80 client-id=1:0:b:82:63:48:db comment=\
    "Grand Central Analog Wireless Phone Adapter Ext 108" mac-address=00:0B:82:63:48:DB server=\
    dhcp1
add address=192.168.3.196 client-id=1:28:92:4a:b6:9b:dd comment=\
    "Warehouse 1st Floor Printer 8600" mac-address=28:92:4A:B6:9B:DD server=dhcp1
add address=192.168.3.121 client-id=1:d8:cb:8a:54:24:8b comment=EPLUM mac-address=\
    D8:CB:8A:54:24:8B server=dhcp1
add address=192.168.3.136 always-broadcast=yes client-id=1:3c:d9:2b:6c:60:f7 comment=\
    "NF2 Pricing" mac-address=3C:D9:2B:6C:60:F7 server=dhcp1
add address=192.168.3.100 client-id=1:9c:ad:ef:20:5e:ac comment="OBI Fax Device" mac-address=\
    9C:AD:EF:20:5E:AC server=dhcp1
add address=192.168.3.172 client-id=1:ec:b1:d7:c7:84:47 comment=\
    "Warehouse Basement Printer HP 8610" mac-address=EC:B1:D7:C7:84:47 server=dhcp1
add address=192.168.3.138 client-id=1:0:21:70:5c:a2:38 mac-address=00:21:70:5C:A2:38 server=\
    dhcp1
add address=192.168.3.108 client-id=1:78:61:7c:e9:39:3f comment=IT-Tablet mac-address=\
    78:61:7C:E9:39:3F server=dhcp1
add address=192.168.3.167 client-id=1:0:b:82:63:12:da comment="Warehouse LunchRoom 112" \
    mac-address=00:0B:82:63:12:DA server=dhcp1
add address=192.168.3.6 client-id=1:0:15:5d:3:c6:1 comment="Leviticus VTC DB" mac-address=\
    00:15:5D:03:C6:01 server=dhcp1
add address=192.168.3.103 client-id=1:0:15:5d:3:c6:3 comment=SL-Server mac-address=\
    00:15:5D:03:C6:03 server=dhcp1
add address=192.168.3.5 client-id=1:0:15:5d:3:c6:4 comment=NumbersQB mac-address=\
    00:15:5D:03:C6:04 server=dhcp1
add address=192.168.3.139 mac-address=00:50:C2:E3:ED:54 server=dhcp1
add address=192.168.3.4 client-id=1:0:15:5d:3:c6:2 mac-address=00:15:5D:03:C6:02 server=dhcp1
add address=192.168.3.180 comment="Verizon Network Extender Basement" mac-address=\
    20:DB:AB:1F:DC:44 server=dhcp1
add address=192.168.3.194 client-id=1:10:bf:48:4f:15:36 comment="2nd Floor VTC" mac-address=\
    10:BF:48:4F:15:36 server=dhcp1
add address=192.168.3.137 comment="Server Room Main Switch Netgear" mac-address=\
    A0:04:60:01:2C:37 server=dhcp1
add address=192.168.3.154 client-id=1:0:15:5d:3:a5:2 comment=Kaspersky mac-address=\
    00:15:5D:03:A5:02 server=dhcp1
add address=192.168.3.174 client-id=1:d0:17:c2:ae:ff:10 mac-address=D0:17:C2:AE:FF:10 server=\
    dhcp1
add address=192.168.3.150 client-id=1:d8:cb:8a:3b:5e:61 mac-address=D8:CB:8A:3B:5E:61 server=\
    dhcp1
add address=192.168.3.101 client-id=1:d4:ca:6d:da:7a:85 comment="2nd Floor wifi" mac-address=\
    D4:CA:6D:DA:7A:85 server=dhcp1
add address=192.168.3.105 client-id=1:4c:5e:c:b9:6c:9d comment="Basement WIFI" mac-address=\
    4C:5E:0C:B9:6C:9D server=dhcp1
add address=192.168.3.2 client-id=1:c0:25:e9:f:23:33 comment="3CX 2 NIc Card" mac-address=\
    C0:25:E9:0F:23:33 server=dhcp1
add address=192.168.3.3 client-id=1:18:66:da:9f:23:49 mac-address=18:66:DA:9F:23:49 server=dhcp1
add address=192.168.3.178 client-id=1:9c:8e:cd:22:b:7b comment="C W1 Basement Door" mac-address=\
    9C:8E:CD:22:0B:7B server=dhcp1
add address=192.168.3.134 client-id=1:9c:8e:cd:21:b8:68 comment="C W1 2nd Floor Food Side" \
    mac-address=9C:8E:CD:21:B8:68 server=dhcp1
add address=192.168.3.135 client-id=1:9c:8e:cd:21:b7:bd comment="C W1 1st Floor Freezer Stairs" \
    mac-address=9C:8E:CD:21:B7:BD server=dhcp1
add address=192.168.3.133 client-id=1:9c:8e:cd:22:b:33 comment="C1 W1 2nd Floor Dock Door" \
    mac-address=9C:8E:CD:22:0B:33 server=dhcp1
/ip dhcp-server network
add address=192.168.3.0/24 dns-server=8.8.8.8,8.8.4.4 gateway=192.168.3.1
/ip dns
set servers=8.8.8.8,8.8.4.4
# NOTE(review): the camera addresses matched by the filter rules below. The
# list is keyed on IP only; a camera that changed address would fall out of it.
/ip firewall address-list
add address=192.168.3.133 list="Block IP CAM"
add address=192.168.3.134 list="Block IP CAM"
add address=192.168.3.135 list="Block IP CAM"
add address=192.168.3.178 list="Block IP CAM"
/ip firewall filter
# NOTE(review): the five per-camera drop rules that follow are all disabled=yes
# and are superseded by the address-list based rule "Drop IP Cam From Wan".
add action=drop chain=forward comment="IP cam 133" disabled=yes dst-address=0.0.0.0/0 log=yes \
    src-address=192.168.3.133
add action=drop chain=forward comment="IP cam 133" disabled=yes dst-address=192.168.3.133 \
    src-address=192.168.3.0/24
add action=drop chain=forward comment="IP cam 134" disabled=yes dst-address=0.0.0.0/0 \
    src-address=192.168.3.134 src-mac-address=9C:8E:CD:21:B8:68
add action=drop chain=forward comment="IP cam .135" disabled=yes dst-address=0.0.0.0/0 \
    src-address=192.168.3.135 src-mac-address=9C:8E:CD:21:B7:BD
add action=drop chain=forward comment="IP cam .178" disabled=yes dst-address=0.0.0.0/0 \
    src-address=192.168.3.178 src-mac-address=9C:8E:CD:22:0B:7B
# NOTE(review): port-scan handling for traffic addressed to the router itself
# (chain=input): sources matching the TCP flag patterns below are added to the
# "port scanners" list for two weeks and dropped by this first rule. These
# rules only cover the input chain, not scans forwarded to LAN hosts.
add action=drop chain=input comment="dropping port scanners" src-address-list="port scanners"
add action=add-src-to-address-list address-list="port scanners" address-list-timeout=2w chain=\
    input comment="Port scanners to list " protocol=tcp psd=21,3s,3,1
add action=add-src-to-address-list address-list="port scanners" address-list-timeout=2w chain=\
    input comment="NMAP FIN Stealth scan" protocol=tcp tcp-flags=fin,!syn,!rst,!psh,!ack,!urg
add action=add-src-to-address-list address-list="port scanners" address-list-timeout=2w chain=\
    input comment="SYN/FIN scan" protocol=tcp tcp-flags=fin,syn
add action=add-src-to-address-list address-list="port scanners" address-list-timeout=2w chain=\
    input comment="SYN/RST scan" protocol=tcp tcp-flags=syn,rst
add action=add-src-to-address-list address-list="port scanners" address-list-timeout=2w chain=\
    input comment="FIN/PSH/URG scan" protocol=tcp tcp-flags=fin,psh,urg,!syn,!rst,!ack
add action=add-src-to-address-list address-list="port scanners" address-list-timeout=2w chain=\
    input comment="ALL/ALL scan" protocol=tcp tcp-flags=fin,syn,rst,psh,ack,urg
add action=add-src-to-address-list address-list="port scanners" address-list-timeout=2w chain=\
    input protocol=tcp tcp-flags=!fin,!syn,!rst,!psh,!ack,!urg
add action=passthrough chain=unused-hs-chain comment="place hotspot rules here" disabled=yes
# NOTE(review): this is the active camera-isolation rule: any packet whose
# source is in "Block IP CAM" and that would leave via ether1 (the WAN) is
# dropped. It has no connection-state match, so replies to WAN-initiated
# connections are dropped too. Unlike the disabled variant right after it, it
# has no log=yes, so blocked attempts are not logged.
add action=drop chain=forward comment="Drop IP Cam From Wan" out-interface=ether1 \
    src-address-list="Block IP CAM"
add action=drop chain=forward disabled=yes log=yes src-address-list="Block IP CAM"
# NOTE(review): fasttrack applies to every established/related connection not
# marked ipsec (see /ip firewall mangle). Later packets of a fasttracked
# connection bypass the filter, so the "Forward IP Cam to VPN" rule below is
# only reached by ipsec-marked camera traffic.
add action=fasttrack-connection chain=forward connection-mark=!ipsec connection-state=\
    established,related
# NOTE(review): the "# no interface" line is emitted by the export itself: the
# out-interface of the next rule (*F0000A) refers to an interface that no
# longer exists — presumably a dynamic L2TP session interface — so the rule
# currently matches nothing. It also matches only established,related, so even
# with a valid interface it would not let a camera open new connections toward
# the VPN peer; this is likely the reason the original question's second rule
# "does nothing".
# no interface
add action=accept chain=forward comment="Forward IP Cam to VPN" connection-state=\
    established,related log=yes out-interface=*F0000A src-address-list="Block IP CAM"
add action=accept chain=forward connection-state=established,related
add action=accept chain=input protocol=icmp
add action=accept chain=input comment="Allow all things ipsec from anywhere" dst-port=\
    500,1701,4500 protocol=udp
add action=accept chain=input protocol=ipsec-esp
add action=accept chain=input protocol=ipsec-ah
add action=accept chain=input comment="established, related" connection-state=\
    established,related
add action=accept chain=forward comment="established, related" connection-state=\
    established,related
# NOTE(review): the next two rules are commented "established, related" but
# match connection-state=new, with no in-interface restriction. They sit before
# the two ether1 drop rules at the end of the chain, so every new connection
# from the WAN to the router (input) and through it (forward) is accepted
# before those drops are reached; only invalid/untracked packets ever get
# there. Management exposure is then bounded only by the per-service address=
# lists in /ip service. This looks unintended — confirm, and consider
# restricting these two rules to in-interface=!ether1.
add action=accept chain=input comment="established, related" connection-state=new
add action=accept chain=forward comment="established, related" connection-state=new
add action=accept chain=input comment=winbox dst-port=8291 protocol=tcp
add action=accept chain=input dst-port=443 protocol=tcp
# NOTE(review): connection-state="" is an empty (no-op) match; given the
# accept-new rules above, these two drops are effectively unreachable for
# tracked connections.
add action=drop chain=input connection-state="" in-interface=ether1
add action=drop chain=forward connection-nat-state=!dstnat connection-state="" in-interface=\
    ether1
# NOTE(review): both mangle rules tag IPsec-policy traffic with the "ipsec"
# connection mark that the fasttrack filter rule excludes.
/ip firewall mangle
add action=mark-connection chain=forward comment="mark ipsec connections" ipsec-policy=out,ipsec \
    new-connection-mark=ipsec passthrough=yes
add action=mark-connection chain=forward comment="mark ipsec connections" ipsec-policy=in,ipsec \
    new-connection-mark=ipsec passthrough=yes
/ip firewall nat
add action=passthrough chain=unused-hs-chain comment="place hotspot rules here" disabled=yes
# NOTE(review): LAN is masqueraded out of ether1. The dst-nat rules forward
# SIP (udp/5060), an RTP range and 5090 tcp/udp to 192.168.3.2, which the DHCP
# lease comment identifies as the 3CX host; the 3389 forward to 192.168.3.103
# (SL-Server) is disabled.
add action=masquerade chain=srcnat out-interface=ether1 to-addresses=0.0.0.0
add action=dst-nat chain=dstnat dst-port=5060 in-interface=ether1 protocol=udp to-addresses=\
    192.168.3.2 to-ports=5060
add action=accept chain=dstnat dst-port=5000 in-interface=ether1 protocol=tcp
# NOTE(review): the matched range 9000-9500 is mapped onto the narrower
# 9000-9049 — confirm this is intended and that the 3CX RTP range agrees.
add action=dst-nat chain=dstnat dst-port=9000-9500 in-interface=ether1 protocol=udp \
    to-addresses=192.168.3.2 to-ports=9000-9049
add action=dst-nat chain=dstnat dst-port=5090 in-interface=ether1 protocol=tcp to-addresses=\
    192.168.3.2 to-ports=5090
add action=dst-nat chain=dstnat dst-port=5090 in-interface=ether1 protocol=udp to-addresses=\
    192.168.3.2 to-ports=5090
add action=dst-nat chain=dstnat disabled=yes dst-port=3389 in-interface=ether1 protocol=tcp \
    to-addresses=192.168.3.103 to-ports=3389
# NOTE(review): the SIP connection-tracking helper (ALG) is disabled.
/ip firewall service-port
set sip disabled=yes
# NOTE(review): a hotspot user with the credentials admin/admin is present.
# No /ip hotspot server appears in this export, so it is presumably unused,
# but a default-style credential should be removed rather than left behind.
/ip hotspot user
add name=admin password=admin
/ip proxy
set cache-path=web-proxy1
/ip route
add distance=1 gateway=xx.xx.xx.249
# NOTE(review): telnet, ftp, ssh, api and api-ssl are disabled; www and winbox
# are limited by address= lists. Because the filter chain accepts new input
# from any interface (see above), these lists are the effective boundary for
# management access; the winbox list contains one address outside the private
# ranges. Both lists also admit 192.168.0.0/24, which matches the routed
# "store" network in /ppp secret below.
/ip service
set telnet disabled=yes
set ftp disabled=yes
set www address=192.168.3.0/24,192.168.0.0/24,10.0.9.0/24
set ssh disabled=yes
set api disabled=yes
set winbox address=192.168.3.0/24,192.168.0.0/24,65.189.40.65/32
set api-ssl disabled=yes
# NOTE(review): allow-none-crypto=yes permits the "none" SSH cipher and
# forwarding-enabled=remote allows remote port forwarding. The ssh service is
# disabled above, so this is latent, but both should be reverted before ssh is
# ever re-enabled.
/ip ssh
set allow-none-crypto=yes forwarding-enabled=remote
# NOTE(review): UPnP is enabled with bridge1 internal and ether1 external, so
# any LAN host can request inbound port mappings from the WAN. For the
# cameras, replies would still hit "Drop IP Cam From Wan" (it has no
# connection-state match), but every other LAN device can open WAN exposure on
# request — confirm UPnP is actually needed (the 3CX forwards are static).
/ip upnp
set enabled=yes
/ip upnp interfaces
add interface=bridge1 type=internal
add interface=ether1 type=external
# NOTE(review): two L2TP secrets (redacted): a road-warrior account using the
# VPN pool, and a site-to-site account with fixed 10.0.5.x endpoints that
# installs a route to 192.168.0.0/24 via the peer when it connects.
/ppp secret
add comment="for remote users" name= xx.xx.xx. password= xx.xx.xx. profile=roadwarrior \
    service=l2tp
add comment="for store" local-address=10.0.5.1 name= xx.xx.xx. password= xx.xx.xx. profile=\
    default-encryption remote-address=10.0.5.2 routes="192.168.0.0/24 10.0.5.2" service=l2tp
/system clock
set time-zone-name=America/New_York
/system identity
set name=" xx.xx.xx.Main1"
/system logging
add topics=info
/system ntp client
set enabled=yes primary-ntp=13.65.245.138 secondary-ntp=199.102.46.73
# NOTE(review): this scheduler entry runs "/system reboot" with a broad policy.
# No interval= is printed, so under compact-export defaults it presumably fired
# once at the 2018 start date and is now dormant — confirm and remove if
# unneeded.
/system scheduler
add name="Reboot schedule" on-event="/system reboot" policy=\
    ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon start-date=oct/25/2018 \
    start-time=13:28:12
# NOTE(review): both scripts carry a broad policy (including password and
# sensitive) and do nothing but add the mangle and filter rules that already
# exist in this export — they are presumably how those rules were installed.
# Running either again would add duplicate rules.
/system script
add dont-require-permissions=no name="fasttrack Ipsec " owner=josh policy=\
    ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon source="/ip firewall mangle \
    add action=mark-connection chain=forward comment=\"mark ipsec connections\" ipsec-policy=out,\
    ipsec new-connection-mark=ipsec\r\
    \n/ip firewall mangle add action=mark-connection chain=forward comment=\"mark ipsec connectio\
    ns\" ipsec-policy=in,ipsec new-connection-mark=ipsec"
add dont-require-permissions=no name=FastTrack owner=josh policy=\
    ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon source="/ip firewall filter \
    add chain=forward action=fasttrack-connection connection-state=established,related connection\
    -mark=!ipsec\r\
    \n/ip firewall filter add chain=forward action=accept connection-state=established,related"
# NOTE(review): RoMON (layer-2 management transport) is enabled; no further
# RoMON settings appear in this export.
/tool romon
set enabled=yes
[xx.xx.xx.Main1] >