```routeros
[admin@router01] > /system/routerboard/print
       routerboard: yes
             model: RBD53G-5HacD2HnD
     serial-number: C8CA0CB0B626
     firmware-type: ipq4000L
  factory-firmware: 7.0beta6
  current-firmware: 7.0beta6
  upgrade-firmware: 7.1beta2
[admin@router01] >
```
Due to the backup recovery issue I'm facing, I decided to put together a bunch of commands to rebuild the router until I can get the recovery to work, as it is taking a long time to rebuild the router between testing attempts.
I need to order firewall rules for my WireGuard instance.
There is an existing rule #3 that I want to put all WireGuard rules in front of:
```routeros
[admin@router01] > /ip/firewall/filter/print
Flags: X - disabled, I - invalid; D - dynamic
 0 D ;;; special dummy rule to show fasttrack counters
     chain=forward action=passthrough
 1   ;;; defconf: accept established,related,untracked
     chain=input action=accept connection-state=established,related,untracked
 2   ;;; defconf: drop invalid
     chain=input action=drop connection-state=invalid
 3   ;;; defconf: accept ICMP
     chain=input action=accept protocol=icmp
 4   ;;; defconf: accept to local loopback (for CAPsMAN)
     chain=input action=accept dst-address=127.0.0.1
 5   ;;; defconf: drop all not coming from LAN
     chain=input action=drop in-interface-list=!LAN
 6   ;;; defconf: accept in ipsec policy
     chain=forward action=accept ipsec-policy=in,ipsec
 7   ;;; defconf: accept out ipsec policy
     chain=forward action=accept ipsec-policy=out,ipsec
 8   ;;; defconf: fasttrack
     chain=forward action=fasttrack-connection connection-state=established,related
 9   ;;; defconf: accept established,related, untracked
     chain=forward action=accept connection-state=established,related,untracked
10   ;;; defconf: drop invalid
     chain=forward action=drop connection-state=invalid
11   ;;; defconf: drop all from WAN not DSTNATed
     chain=forward action=drop connection-state=new connection-nat-state=!dstnat in-interface-list=WAN
[admin@router01] >
```
I decided to use the "place-before" argument to place all rules in front of existing rule #3, leaving the rule I want at #3 as the last rule imported, like this:
```routeros
/ip firewall filter add action=accept chain=input comment="wireguard accept dns" dst-port=53 in-interface=wireguard1 protocol=udp place-before=3
/ip firewall filter add action=accept chain=input comment="wireguard accept ssh" dst-port=22 in-interface=wireguard1 protocol=tcp src-address-list=support place-before=3
/ip firewall filter add action=accept chain=input comment="wireguard accept winbox" dst-port=8291 in-interface=wireguard1 protocol=tcp src-address-list=support place-before=3
/ip firewall filter add action=accept chain=input comment="wireguard accept http/https" dst-port=80,443 in-interface=wireguard1 protocol=tcp src-address-list=support place-before=3
/ip firewall filter add action=accept chain=forward comment="wireguard accept to lan" dst-address=192.168.10.0/24 in-interface=wireguard1 src-address-list=support place-before=3
/ip firewall filter add action=accept chain=input comment="wireguard accept" dst-port=13231 in-interface=lte1 protocol=udp place-before=3
```
I expected that by doing the above, the rule "wireguard accept" should have ended up at position number 3, but it doesn't; it ends up at the bottom of the block, as if it is still evaluating "3 ;;; defconf: accept ICMP" as being at position #3.
I end up with this:
```routeros
[admin@router01] > /ip/firewall/filter/print
Flags: X - disabled, I - invalid; D - dynamic
 0 D ;;; special dummy rule to show fasttrack counters
     chain=forward action=passthrough
 1   ;;; defconf: accept established,related,untracked
     chain=input action=accept connection-state=established,related,untracked
 2   ;;; defconf: drop invalid
     chain=input action=drop connection-state=invalid
 3   ;;; wireguard accept dns
     chain=input action=accept protocol=udp in-interface=wireguard1 dst-port=53
 4   ;;; wireguard accept ssh
     chain=input action=accept protocol=tcp src-address-list=support in-interface=wireguard1 dst-port=22
 5   ;;; wireguard accept winbox
     chain=input action=accept protocol=tcp src-address-list=support in-interface=wireguard1 dst-port=8291
 6   ;;; wireguard accept http/https
     chain=input action=accept protocol=tcp src-address-list=support in-interface=wireguard1 dst-port=80,443
 7   ;;; wireguard accept to lan
     chain=forward action=accept dst-address=192.168.10.0/24 src-address-list=support in-interface=wireguard1
 8   ;;; wireguard accept
     chain=input action=accept protocol=udp in-interface=lte1 dst-port=13231
 9   ;;; defconf: accept ICMP
     chain=input action=accept protocol=icmp
10   ;;; defconf: accept to local loopback (for CAPsMAN)
     chain=input action=accept dst-address=127.0.0.1
11   ;;; defconf: drop all not coming from LAN
     chain=input action=drop in-interface-list=!LAN
12   ;;; defconf: accept in ipsec policy
     chain=forward action=accept ipsec-policy=in,ipsec
13   ;;; defconf: accept out ipsec policy
     chain=forward action=accept ipsec-policy=out,ipsec
14   ;;; defconf: fasttrack
     chain=forward action=fasttrack-connection connection-state=established,related
15   ;;; defconf: accept established,related, untracked
     chain=forward action=accept connection-state=established,related,untracked
16   ;;; defconf: drop invalid
     chain=forward action=drop connection-state=invalid
17   ;;; defconf: drop all from WAN not DSTNATed
     chain=forward action=drop connection-state=new connection-nat-state=!dstnat in-interface-list=WAN
[admin@router01] >
```
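The output above is consistent with how RouterOS resolves item numbers: a number such as `3` refers to whichever item held that position in the most recent `print`, and it keeps referring to that same item (here the "accept ICMP" rule) until the next `print`, so every `place-before=3` lands immediately before the ICMP rule and the rules stack up in the order they were added. The script below is an added example, not code from the original post. It anchors on the ICMP rule's internal ID, obtained with `find`, instead of on a print-order number, so it gives the same placement regardless of what was printed last and refuses to run if the anchor rule is missing or ambiguous. It assumes the default-configuration comment `defconf: accept ICMP` is present exactly once and reuses the interface names, address list and LAN subnet from the post.

```routeros
# Added example (not from the original post): place the WireGuard rules
# directly before the "defconf: accept ICMP" rule by its internal ID.
# Assumes that comment exists exactly once; interface names (wireguard1, lte1),
# the "support" address list and 192.168.10.0/24 are taken from the post.

# Resolve the anchor once. [find ...] returns internal IDs, which do not move
# as rules are inserted, unlike the numbers shown by the last print.
:local anchor [/ip firewall filter find where comment="defconf: accept ICMP"]
:if ([:len $anchor] != 1) do={
    :error ("expected exactly one 'defconf: accept ICMP' rule, found " . [:len $anchor])
}

# Each add goes immediately before the anchor, so the rules end up in the
# order written here, with the last one sitting directly above the ICMP rule.
# The UDP/13231 listener rule on lte1 is added first so it is evaluated first;
# in every case it must stay above "drop all not coming from LAN".
/ip firewall filter add action=accept chain=input comment="wireguard accept" dst-port=13231 in-interface=lte1 protocol=udp place-before=$anchor
/ip firewall filter add action=accept chain=input comment="wireguard accept dns" dst-port=53 in-interface=wireguard1 protocol=udp place-before=$anchor
/ip firewall filter add action=accept chain=input comment="wireguard accept ssh" dst-port=22 in-interface=wireguard1 protocol=tcp src-address-list=support place-before=$anchor
/ip firewall filter add action=accept chain=input comment="wireguard accept winbox" dst-port=8291 in-interface=wireguard1 protocol=tcp src-address-list=support place-before=$anchor
/ip firewall filter add action=accept chain=input comment="wireguard accept http/https" dst-port=80,443 in-interface=wireguard1 protocol=tcp src-address-list=support place-before=$anchor
/ip firewall filter add action=accept chain=forward comment="wireguard accept to lan" dst-address=192.168.10.0/24 in-interface=wireguard1 src-address-list=support place-before=$anchor

# Verify placement: the six WireGuard rules should print as a contiguous block
# followed by the ICMP rule. Only rules matching the filter are shown.
/ip firewall filter print where comment~"^wireguard" or comment="defconf: accept ICMP"
```

Run it from a terminal with `/import` or paste it into a script, then check the final `print`; because the rule order is what actually enforces policy, the thing to confirm after any rebuild is that the `lte1` accept for UDP/13231 and the WireGuard input accepts all sit above "defconf: drop all not coming from LAN", and that the `forward` rule for the LAN subnet sits above "drop all from WAN not DSTNATed".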