why does this rule interfere with my doing "apt update"?

I start with the default config of an RB5009UG.

I perform “apt update” on my lan workstation and all is well.

Using Winbox I add this rule…
/ip firewall nat add chain=dstnat action=dst-nat protocol=tcp dst-port=80 to-address=10.0.0.246 to-port=80 comment="myconf: HTTP"

I perform “apt update” on my lan workstation and it fails.

This seems so rudimentary, yet I am stuck.
Many thanks for looking!

an export of my config is below…


# jul/07/2024 12:18:33 by RouterOS 7.8
# software id = **ELIDED**
#
# model = RB5009UG+S+
# serial number = **ELIDED**
/interface bridge
add admin-mac=**ELIDED** auto-mac=no comment=defconf name=bridge
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip pool
add name=default-dhcp ranges=192.168.88.10-192.168.88.254
/ip dhcp-server
add address-pool=default-dhcp interface=bridge name=defconf
/interface bridge port
add bridge=bridge comment=defconf interface=ether2
add bridge=bridge comment=defconf interface=ether3
add bridge=bridge comment=defconf interface=ether4
add bridge=bridge comment=defconf interface=ether5
add bridge=bridge comment=defconf interface=ether6
add bridge=bridge comment=defconf interface=ether7
add bridge=bridge comment=defconf interface=ether8
add bridge=bridge comment=defconf interface=sfp-sfpplus1
/ip neighbor discovery-settings
set discover-interface-list=LAN
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=ether1 list=WAN
/ip address
add address=192.168.88.1/24 comment=defconf interface=bridge network=\
    192.168.88.0
/ip dhcp-client
add comment=defconf interface=ether1
/ip dhcp-server network
add address=192.168.88.0/24 comment=defconf dns-server=192.168.88.1 gateway=\
    192.168.88.1
/ip dns
set allow-remote-requests=yes
/ip dns static
add address=192.168.88.1 comment=defconf name=router.lan
/ip firewall filter
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment=\
    "defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
    in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
    ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
    ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
    connection-state=established,related hw-offload=yes
add action=accept chain=forward comment=\
    "defconf: accept established,related, untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
add action=drop chain=forward comment=\
    "defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
    connection-state=new in-interface-list=WAN
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" \
    ipsec-policy=out,none out-interface-list=WAN
add action=dst-nat chain=dstnat comment="myconf: HTTP" dst-port=80 protocol=\
    tcp to-addresses=192.168.88.2 to-ports=80
/ipv6 firewall address-list
add address=::/128 comment="defconf: unspecified address" list=bad_ipv6
add address=::1/128 comment="defconf: lo" list=bad_ipv6
add address=fec0::/10 comment="defconf: site-local" list=bad_ipv6
add address=::ffff:0.0.0.0/96 comment="defconf: ipv4-mapped" list=bad_ipv6
add address=::/96 comment="defconf: ipv4 compat" list=bad_ipv6
add address=100::/64 comment="defconf: discard only " list=bad_ipv6
add address=2001:db8::/32 comment="defconf: documentation" list=bad_ipv6
add address=2001:10::/28 comment="defconf: ORCHID" list=bad_ipv6
add address=3ffe::/16 comment="defconf: 6bone" list=bad_ipv6
/ipv6 firewall filter
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=accept chain=input comment="defconf: accept ICMPv6" protocol=\
    icmpv6
add action=accept chain=input comment="defconf: accept UDP traceroute" port=\
    33434-33534 protocol=udp
add action=accept chain=input comment=\
    "defconf: accept DHCPv6-Client prefix delegation." dst-port=546 protocol=\
    udp src-address=fe80::/10
add action=accept chain=input comment="defconf: accept IKE" dst-port=500,4500 \
    protocol=udp
add action=accept chain=input comment="defconf: accept ipsec AH" protocol=\
    ipsec-ah
add action=accept chain=input comment="defconf: accept ipsec ESP" protocol=\
    ipsec-esp
add action=accept chain=input comment=\
    "defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=input comment=\
    "defconf: drop everything else not coming from LAN" in-interface-list=\
    !LAN
add action=accept chain=forward comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
add action=drop chain=forward comment=\
    "defconf: drop packets with bad src ipv6" src-address-list=bad_ipv6
add action=drop chain=forward comment=\
    "defconf: drop packets with bad dst ipv6" dst-address-list=bad_ipv6
add action=drop chain=forward comment="defconf: rfc4890 drop hop-limit=1" \
    hop-limit=equal:1 protocol=icmpv6
add action=accept chain=forward comment="defconf: accept ICMPv6" protocol=\
    icmpv6
add action=accept chain=forward comment="defconf: accept HIP" protocol=139
add action=accept chain=forward comment="defconf: accept IKE" dst-port=\
    500,4500 protocol=udp
add action=accept chain=forward comment="defconf: accept ipsec AH" protocol=\
    ipsec-ah
add action=accept chain=forward comment="defconf: accept ipsec ESP" protocol=\
    ipsec-esp
add action=accept chain=forward comment=\
    "defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=forward comment=\
    "defconf: drop everything else not coming from LAN" in-interface-list=\
    !LAN
/system clock
set time-zone-name=America/Toronto
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN

Clearly the router is smarter and won't let you upgrade until you fix your security violation. :slight_smile:
Never open up winbox to the internet. Only access from LAN or via VPN.

Winbox connects from the LAN via MAC. How am I exposing Winbox to the Internet?
My understanding is that the router is NATing egressed LAN traffic and blocking all ingress WAN traffic.
Am I wrong in my assumption that the router’s out-of-the-box config is secure and not exposing Winbox on the WAN?

All I am adding is one port 80 ingress rule to reach my web server on the LAN.
Sorry if I am daft, but please explain – I am having troubles with this.
What security violation have I breached by simply port-forwarding port 80?

Your NAT rule redirects every connection targeting port 80 to the LAN server … without considering either the original target IP address (dst-address property) or the ingress interface (in-interface or in-interface-list property). So it'll also redirect connections towards deb.debian.org (or whichever APT source) coming in via LAN interfaces.

Don't know what anav is hallucinating about an open winbox port lol.

@OP your NAT rule needs a source as well. Otherwise it matches all traffic, even locally originating connections.

https://help.mikrotik.com/docs/display/RKB/Port+forwarding

@kendal; you forgot to add the interface list WAN, otherwise everything gets redirected:

/ip firewall nat add chain=dstnat action=dst-nat in-interface-list=WAN protocol=tcp dst-port=80 to-address=10.0.0.246 to-port=80 comment="myconf: HTTP"

While we’re nit-picking, this:


/ip dhcp-server network
add address=192.168.88.0/24 comment=defconf dns-server=192.168.88.1 gateway=192.168.88.1

…is useless now that you’ve removed the default DHCP server.

Yeah read too fast, thought his comment on the first post was about winbox being port forwarded but just said he was using winbox to setup port forward rules.
Almost hallucinating LOL…

Thanks for that!

Thanks - that was the fix!

Not so fast…I think it’s me hallucinating now. Going back to your original post, there’s this:


/ip dhcp-server
add address-pool=default-dhcp interface=bridge name=defconf

I saw that in red here when diffing it against the fully-stock default configuration file I have here, meaning it’d been removed. I guess it was moved, not re-moved, and I missed the green copy inserted elsewhere.

If you want to take some blame for this confusion, it’s that you’re on ROS 7.8, and my file is from 7.15.2, and configuration items do sometimes move about from one release to the next. Upgrade, will ya? :nerd_face:

Otherwise, it’s all on me, and I apologize for the confusion.

You may wish to consider changing this default rule to one that is more flexible and better.

From:
add action=drop chain=forward comment="defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat connection-state=new in-interface-list=WAN

TO:
add action=accept chain=forward comment="internet traffic" in-interface-list=LAN out-interface-list=WAN
add action=accept chain=forward comment="port forwarding" connection-nat-state=dstnat
add action=drop chain=forward comment="drop all else"
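The following is an added example, not code from the thread or from MikroTik: a toy Python model of how RouterOS evaluates a dstnat rule and the forward chain. It serves two passages above: the explanation that a dst-nat rule with no in-interface-list matches port-80 connections originating on the LAN (so "apt update" is hijacked) and is fixed by in-interface-list=WAN, and the suggested replacement of the "drop all from WAN not DSTNATed" rule with a three-rule forward chain. Interface lists, the to-addresses value 192.168.88.2 and the rule comments come from the exported config; the packets, the TEST-NET addresses and every function name are constructed for this example. The matcher models only the properties the rules here use (unset property = match everything, leading "!" = negate); it is not a full RouterOS firewall.

```python
# Added example (not from the thread): a toy model of RouterOS dstnat + forward
# evaluation, showing why the posted rule breaks "apt update" and what the
# in-interface-list=WAN fix and the suggested forward chain change.
from dataclasses import dataclass, replace
from typing import Optional

# Interface lists taken from the thread's exported default config.
INTERFACE_LISTS = {"WAN": {"ether1"}, "LAN": {"bridge"}}
WEB_SERVER = "192.168.88.2"  # to-addresses value in the export


@dataclass(frozen=True)
class Packet:
    in_interface: str
    out_interface: str
    dst_address: str
    dst_port: int
    protocol: str = "tcp"
    connection_state: str = "new"
    connection_nat_state: Optional[str] = None  # becomes "dstnat" after a dst-nat hit


@dataclass(frozen=True)
class Rule:
    chain: str
    action: str
    comment: str = ""
    protocol: Optional[str] = None
    dst_port: Optional[int] = None
    in_interface_list: Optional[str] = None      # "WAN", "LAN" or "!LAN"
    out_interface_list: Optional[str] = None
    connection_state: Optional[str] = None       # comma list, e.g. "established,related"
    connection_nat_state: Optional[str] = None   # "dstnat" or "!dstnat"


def _negatable(spec: Optional[str], is_match) -> bool:
    """An unset property matches everything; a leading '!' inverts the test."""
    if spec is None:
        return True
    negate = spec.startswith("!")
    return is_match(spec.lstrip("!")) != negate


def matches(rule: Rule, pkt: Packet) -> bool:
    return all([
        rule.protocol is None or rule.protocol == pkt.protocol,
        rule.dst_port is None or rule.dst_port == pkt.dst_port,
        _negatable(rule.in_interface_list, lambda n: pkt.in_interface in INTERFACE_LISTS[n]),
        _negatable(rule.out_interface_list, lambda n: pkt.out_interface in INTERFACE_LISTS[n]),
        rule.connection_state is None or pkt.connection_state in rule.connection_state.split(","),
        _negatable(rule.connection_nat_state, lambda s: pkt.connection_nat_state == s),
    ])


def apply_dstnat(rules, pkt: Packet) -> Packet:
    """Run the dstnat chain: the first matching dst-nat rule rewrites the destination."""
    for r in rules:
        if r.chain == "dstnat" and r.action == "dst-nat" and matches(r, pkt):
            return replace(pkt, dst_address=WEB_SERVER, out_interface="bridge",
                           connection_nat_state="dstnat")
    return pkt


def forward_verdict(rules, pkt: Packet) -> str:
    """Run the forward chain; RouterOS accepts when no rule matches."""
    for r in rules:
        if r.chain == "forward" and matches(r, pkt):
            return r.action
    return "accept"


# The rule as posted (no in-interface-list) and the corrected one.
POSTED_RULE = Rule("dstnat", "dst-nat", "myconf: HTTP", protocol="tcp", dst_port=80)
FIXED_RULE = replace(POSTED_RULE, in_interface_list="WAN")

# The relevant part of the default forward chain, and the chain suggested in the thread.
DEFAULT_FORWARD = [
    Rule("forward", "accept", "defconf: accept established,related, untracked",
         connection_state="established,related,untracked"),
    Rule("forward", "drop", "defconf: drop invalid", connection_state="invalid"),
    Rule("forward", "drop", "defconf: drop all from WAN not DSTNATed",
         connection_nat_state="!dstnat", connection_state="new", in_interface_list="WAN"),
]
SUGGESTED_FORWARD = [
    Rule("forward", "accept", "internet traffic", in_interface_list="LAN", out_interface_list="WAN"),
    Rule("forward", "accept", "port forwarding", connection_nat_state="dstnat"),
    Rule("forward", "drop", "drop all else"),
]

# Constructed sample packets (TEST-NET addresses, not real mirrors or clients).
APT_FROM_LAN = Packet("bridge", "ether1", "203.0.113.10", 80)   # workstation -> APT mirror
WEB_FROM_WAN = Packet("ether1", "ether1", "203.0.113.1", 80)    # Internet client -> router WAN IP
SSH_FROM_WAN = Packet("ether1", "bridge", "192.168.88.2", 22)   # unsolicited, not port-forwarded


def redirected_to_lan_server(dstnat_rule: Rule, pkt: Packet) -> bool:
    return apply_dstnat([dstnat_rule], pkt).connection_nat_state == "dstnat"


def verdict(dstnat_rule: Rule, forward_rules, pkt: Packet) -> str:
    return forward_verdict(forward_rules, apply_dstnat([dstnat_rule], pkt))


if __name__ == "__main__":
    print("posted rule hijacks apt traffic:", redirected_to_lan_server(POSTED_RULE, APT_FROM_LAN))
    print("fixed rule leaves apt alone:", not redirected_to_lan_server(FIXED_RULE, APT_FROM_LAN))
    for name, chain in (("default", DEFAULT_FORWARD), ("suggested", SUGGESTED_FORWARD)):
        print(name, [verdict(FIXED_RULE, chain, p) for p in (APT_FROM_LAN, WEB_FROM_WAN, SSH_FROM_WAN)])
```

Running it shows the posted rule redirecting the LAN workstation's port-80 request for the mirror to 192.168.88.2 (which is why APT cannot reach its source), while the fixed rule redirects only the connection arriving on ether1. With the fixed rule in place, both the default forward chain and the suggested three-rule chain accept LAN-to-WAN traffic and the port-forwarded connection and drop the unsolicited WAN connection; the suggested chain just makes that policy explicit with a final catch-all drop instead of relying on the chain's implicit accept.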