Community discussions

 
erlinden
Member Candidate
Member Candidate
Topic Author
Posts: 173
Joined: Wed Jun 12, 2013 1:59 pm

Firewall help

Wed Nov 23, 2016 10:01 am

A previously created (and working) port forward is no longer working. This is port 50022 outside forwarded to my Synology NAS.
The only things I changed afterwards is installing a VPN server, adding a guest vlan and block all traffic from guest vlan .

Another problem I can't solve is how to block all guest vlan traffic to the router itself (Winbox/web/etc.).

This is my config:
 
0  D ;;; special dummy rule to show fasttrack counters chain=forward action=passthrough 
1    ;;; defconf: accept ICMP chain=input action=accept protocol=icmp 
2    ;;; defconf: accept established,related chain=input action=accept connection-state=established,related 
3    ;;; L2TP VPN chain=input action=accept protocol=udp dst-port=500 log=no log-prefix="" 
4    chain=input action=accept protocol=udp dst-port=1701 log=no log-prefix="" 
5    chain=input action=accept protocol=udp dst-port=4500 port="" log=no log-prefix="" 
6    ;;; defconf: drop all from WAN chain=input action=drop in-interface=WAN 
7    ;;; defconf: fasttrack chain=forward action=fasttrack-connection connection-state=established,related 
8    ;;; drop guest vlan to defconf chain=forward action=drop in-interface=vlan-guest out-interface=!WAN log=no log-prefix="" 
9    ;;; defconf: accept established,related chain=forward action=accept connection-state=established,related 
10    ;;; defconf: drop invalid chain=forward action=drop connection-state=invalid 
11    ;;; defconf:  drop all from WAN not DSTNATed chain=forward action=drop connection-state=new connection-nat-state=!dstnat in-interface=WAN 
NAT
0    ;;; defconf: masquerade chain=srcnat action=masquerade out-interface=WAN
1    chain=dstnat action=dst-nat to-addresses=192.168.50.10 to-ports=22 protocol=tcp in-interface=WAN dst-port=50022 log=no log-prefix=""
2    ;;; masq. vpn traffic chain=srcnat action=masquerade src-address=0.89.168.192-255.89.168.192
 
User avatar
blajah
Member Candidate
Member Candidate
Posts: 224
Joined: Fri Jun 12, 2015 8:58 pm
Location: Belgrade, Serbia
Contact:

Re: Firewall help

Wed Nov 23, 2016 10:37 am

Hi,

2nd question is easy. Just block IP addresses from guest VLAN to input chain.
Regarding your first question, try to move rule #6 to bottom. Also, if that does not work, try to allow port 50022 in input.
I have bigger routing table.
 
erlinden
Member Candidate
Member Candidate
Topic Author
Posts: 173
Joined: Wed Jun 12, 2013 1:59 pm

Re: Firewall help

Wed Nov 23, 2016 9:50 pm

Thanks blajah, for some reason the forward is working again AND the block is working as well :)

Who is online

Users browsing this forum: Google [Bot], MSN [Bot] and 47 guests