What is the best way to block network traffic from the external network?

Hello.

What is the best way to block network traffic from the external network?

My router is a hAP ax3 (v7.20.6).

A cable from the provider is connected to the router's ether1 port.

The provider connects/authorizes via an L2TP tunnel; the interface name is freedom-l2tp.

So, what's the best way to block traffic from the external network in the firewall:
specify ether1 as the in-interface,
or
specify freedom-l2tp as the in-interface (the interface from the provider's L2TP authentication)?

If your aim is to firewall your internal network from the WAN then what problems did you find with the default rules? Is there something else you are trying to do?

As indicated, the default firewall is usually already enough for most.

1 Like

I asked what's best?!
I deleted the standard rules, I don't need them.

1 Like

Depends on your usage.
Again: default rules are for most the best.

Changes depend on what you want to do (already asked before, but you did not answer).

It seems that you do need them, however. They are a very compact set of rules. You should rather add new ones relaxing the good "deny me from the world offence" settings.

1 Like

Block from the external network.
I decided to use the freedom-l2tp interface, I think it would be more appropriate to block from the external network.

Block WHAT from the external network?
You really need to explain in a lot more detail what you want to do.

Block everything that is not allowed in the firewall.

Pfff... last attempt from my side.

Default firewall rules are very good.
LOOK at what they include, UNDERSTAND what they do.

Based on your last response, you do not understand or you would see what is needed.
Or your explanation is still not clear enough.

If you do not give more info which we can use to help you, I'm outta here ...

1 Like

Select the same interface as in your masquerade rule. It could also be an interface list (usually WAN).

If you want to be sure to block everything from the Internet:

# filter rules live under /ip firewall filter, not /ip firewall rules
/ip firewall filter
# traffic addressed to the router itself
add action=drop chain=input in-interface=[your WAN interface]
# traffic passing through the router to the LAN
add action=drop chain=forward in-interface=[your WAN interface]

Fine. No need for rules, so don't ask for rules.

Otherwise, I promise that @erlinden’s will be quite effective…

Thank you all

Not really sure what traffic you want to block, but from my understanding you want to know which is better: selecting the interface Eth1 or the L2TP?

If you have the L2TP on Ether1, then you should select the L2TP as the in-interface. It's the same when you do port forwarding and you have a PPPoE config: you have to select that as your interface.

Best practice is to create an address list or an interface list and work with your firewall rules based on that.

1 Like

Thank you.

That's right, my ISP's cable connects to Ether1, and this ISP uses login/password authentication via an L2TP connection.

I've already figured out that the firewall rules need to use the ISP's authentication interface (L2TP) rather than the physical Ether1 interface.

You deleted the rules and now you say "block everything that is not allowed in the firewall."

You have no firewall.

Restore the default config. It is a very strong firewall. Suggest not to mess with what you don't understand.

2 Likes

Just in case, Rule #8:

If you want to comply with it, all you have to do is categorize the L2TP interface as WAN in:

/interface list member
1 Like

It's partially true. A lot of traffic could happen on the WAN (Eth1) interface at L2 level, traffic that comes from other routers connected to the same L2TP concentrator.

The default config already uses interface lists (WAN in particular). If the actual WAN setup doesn't match the default (which uses ether1 as the interface carrying IP traffic), then it's most often enough to adjust the WAN interface list membership. In @bagas's particular case the L2TP interface freedom-l2tp should be added, as this will be the "normal" interface carrying IP traffic. For the reasons outlined by @BartoszP it is very wise to also include in the WAN interface list all interfaces underlying the "normal" IP-carrying interface ... in this particular case ether1 (which is there already by default). Similarly, when the ISP requires the use of PPPoE, one has to add pppoe-out1 (or whatever it's named) to the WAN interface list ... but also the physical interface (e.g. ether1) supporting that PPPoE tunnel. If the ISP uses a tagged VLAN to transport IP (or any other tunnel), then add the corresponding VLAN interface to the WAN interface list as well.

3 Likes
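The interface-list approach described above, written out as an added example that is not part of the thread: the interface names ether1 and freedom-l2tp come from the original post, while the LAN bridge name `bridge` and the rule set itself are assumptions modelled on the RouterOS default firewall.

```routeros
# Added example (not from the thread). Put both the L2TP tunnel and the
# physical port it rides on into the WAN interface list, then let every
# firewall rule reference the list instead of one interface name.
# On a router that still has the default configuration the WAN and LAN
# lists already exist and ether1 is already a WAN member; skip those lines.

/interface list
add name=WAN comment="upstream side (tunnel + physical uplink)"
add name=LAN comment="trusted side"

/interface list member
add list=WAN interface=ether1 comment="physical uplink, carries the L2TP tunnel"
add list=WAN interface=freedom-l2tp comment="ISP L2TP tunnel, carries IP traffic"
add list=LAN interface=bridge comment="assumed LAN bridge name"

/ip firewall filter
# input chain: traffic addressed to the router itself
add chain=input action=accept connection-state=established,related,untracked \
    comment="allow replies to connections the router opened"
add chain=input action=drop connection-state=invalid comment="drop invalid"
add chain=input action=accept protocol=icmp comment="allow ICMP"
add chain=input action=accept in-interface-list=LAN comment="allow management from LAN"
add chain=input action=drop in-interface-list=WAN \
    comment="drop everything else arriving on any WAN-list interface"

# forward chain: traffic passing through the router
add chain=forward action=accept connection-state=established,related,untracked
add chain=forward action=drop connection-state=invalid
add chain=forward action=drop connection-state=new connection-nat-state=!dstnat \
    in-interface-list=WAN comment="drop new inbound connections that were not port-forwarded"

/ip firewall nat
add chain=srcnat action=masquerade out-interface-list=WAN comment="masquerade out the WAN list"

# Checks: confirm membership, then watch the per-rule counters grow
/interface list member print where list=WAN
/ip firewall filter print stats
```

Because both ether1 and freedom-l2tp are WAN members, frames that reach the router on the physical port outside the tunnel hit the same drop rules as traffic arriving through the tunnel.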

If there is an L2TP tunnel connection from the Internet provider, then what is the point of adding the physical port ether1 to the WAN list for firewall filtering, if traffic filtering occurs on the L2TP tunnel connection?