jphconstantin
Frequent Visitor
Topic Author
Posts: 90
Joined: Fri Sep 22, 2017 7:17 pm
Location: Switzerland

forward chain: no packets go through

Wed Oct 11, 2017 7:09 pm

I think I didn't understand the flow across the chains. The manual has a good scheme (packet flow) but not easy for beginners.
Here are my rules:
 1    ;;; Accept all establish related connection
      chain=input action=accept connection-state=established,related log=no log-prefix="" 

 2 X  ;;; Drop port scanner IP list
      chain=input action=drop src-address-list=Port_scanners_IP_list log=no log-prefix="" 

 3    ;;; Drop all invalid connection
      chain=input action=drop connection-state=invalid log=no log-prefix="" 

 4    ;;; Accept all establish connection to forward
      chain=forward action=accept connection-state=established connection-type="" log=yes log-prefix="" 

 5    ;;; Accept all related connection to forward
      chain=forward action=accept connection-state=related connection-type="" log=yes log-prefix="" 

 6    ;;; Drop all invalid connection to forward
      chain=forward action=drop connection-state=invalid connection-type="" log=no log-prefix="" 
and the routing:
/ip route print
Flags: X - disabled, A - active, D - dynamic, C - connect, S - static, r - rip, b - bgp, o - ospf, m - mme, B - blackhole, U - unreachable, P - prohibit 
 #      DST-ADDRESS        PREF-SRC        GATEWAY            DISTANCE
 0 ADS  0.0.0.0/0                          85.xxx.xxx.1              1
 1 ADC  85.xxx.xxx.0/24    85.xxx.xxx.xxx  combo1                    0
 2 ADC  192.168.1.0/24     192.168.1.1     bridge1                   0
and the address list:
/ip firewall address-list> print
Flags: X - disabled, D - dynamic 
 #   LIST              ADDRESS                               CREATION-TIME       
 0   Peoplefone        95.128.80.2-95.128.80.9               oct/05/2017 17:09:43
 1   Phones            192.168.1.100                         oct/06/2017 14:32:41
 2   Phones            192.168.1.40                          oct/06/2017 14:37:11
 3   Phones            192.168.1.36                          oct/06/2017 14:37:39
No packets go through the forward chain.
 
andriys
Forum Guru
Posts: 1528
Joined: Thu Nov 24, 2011 1:59 pm
Location: Kharkiv, Ukraine

Re: forward chain: no packets go through

Wed Oct 11, 2017 7:21 pm

No packets go through the forward chain.
What makes you think so?
 
jphconstantin
Frequent Visitor
Topic Author
Posts: 90
Joined: Fri Sep 22, 2017 7:17 pm
Location: Switzerland

Re: forward chain: no packets go through

Wed Oct 11, 2017 7:53 pm

Yes, this is the question: why?
I should answer myself but ...
I think my ccr is not correctly configured and this explains that.
May I submit what I want to connect to my ccr and could you help me to configure the base?
 
andriys
Forum Guru
Posts: 1528
Joined: Thu Nov 24, 2011 1:59 pm
Location: Kharkiv, Ukraine

Re: forward chain: no packets go through

Wed Oct 11, 2017 11:09 pm

Please post your requirements and current configuration (type /export in the command line).
Also mention what device you have and describe your performance expectations.
 
jphconstantin
Frequent Visitor
Topic Author
Posts: 90
Joined: Fri Sep 22, 2017 7:17 pm
Location: Switzerland

Re: forward chain: no packets go through

Thu Oct 12, 2017 12:01 am

I have one ccr1009-7g-1c-pc connected to internet through combo1 (sfp).
On the ether4 I connect a cisco phone (spa301). The SIP Provider has 8 servers.
On the ether3 I connect an access point (tablet, notebook, ...).
On the ether1 a physical machine with virtual machines.
All these things are in the same lan: 192.168.1.0
No switches in my lan, behind the router.

You have my address list, my route, my firewall rules.
Bridge ?
At first I would like to have a basic protection, next to config SIP traffic.
 
ZeroByte
Forum Guru
Posts: 4047
Joined: Wed May 11, 2011 6:08 pm

Re: forward chain: no packets go through

Thu Oct 12, 2017 1:22 am

okay - so this means you're using a bridge for the LAN interfaces?
If so, then that's the reason you're not seeing traffic in the forward chain, because the IP firewall only receives packets that flow through IP interfaces.
If you're trying to filter traffic between bridged interfaces, then you need to use the bridge filter or else enable "Use IP Firewall" on your bridge.
 
jphconstantin
Frequent Visitor
Topic Author
Posts: 90
Joined: Fri Sep 22, 2017 7:17 pm
Location: Switzerland

Re: forward chain: no packets go through

Thu Oct 12, 2017 1:47 am

Yes. I think I am obliged to use a bridge (correct me if I am wrong).
If not, ether3 and ether4 don't communicate with internet and ether1 doesn't "see" these ports (ping fails).
I created the bridge in the "interface list" window: correct?
The bridge button displays the created bridge.
I do: bridge tab > settings > use ip firewall > apply > ok

The forward chain has always no traffic !!!!!!!!!
Shall I reboot ? yes: a new forward rule was created and I see traffic (but which one ?) !
That means I must delete my forward rules #4 and #5.

My In.Interface is combo1 or bridge1 ?

I didn't check your first proposition (bridge filter)

Bad news: my phone on ether4 is not registered anymore.
- the traffic goes from ether4 to bridge1, bridge1 to combo1, but not combo1 to SIP server
- the traffic goes from SIP server to combo1, not from combo1 to bridge1, not from bridge to ether4
 
karlisi
Member
Posts: 440
Joined: Mon May 31, 2004 8:09 am
Location: Latvia

Re: forward chain: no packets go through

Thu Oct 12, 2017 11:04 am

Which ports are in your bridge?
Also post nat rules.
 
jphconstantin
Frequent Visitor
Topic Author
Posts: 90
Joined: Fri Sep 22, 2017 7:17 pm
Location: Switzerland

Re: forward chain: no packets go through

Thu Oct 12, 2017 3:18 pm

all ports in my bridge. ether1,3,4 have devices.
/ip firewall nat print
Flags: X - disabled, I - invalid, D - dynamic 
 0    chain=srcnat action=masquerade out-interface=combo1 log=no log-prefix="" 

 1 X  ;;; VOIP
      chain=dstnat action=dst-nat to-ports=5060 protocol=tcp 
      src-address-list=Phones dst-address-list=Peoplefone in-interface=combo1 
      dst-port=5060 log=yes log-prefix="" 

 2    ;;; VOIP
      chain=dstnat action=dst-nat to-ports=5060 protocol=udp 
      src-address-list=Peoplefone dst-address-list=Phones in-interface=combo1 
      dst-port=5060 log=yes log-prefix="" 

 3    ;;; RTP ports
      chain=dstnat action=dst-nat to-ports=8000-30000 protocol=udp 
      src-address-list=Peoplefone dst-address-list=Phones in-interface=combo1 
      src-port="" dst-port=8000-30000 log=yes log-prefix="" 
 
strods
MikroTik Support
Posts: 1627
Joined: Wed Jul 16, 2014 7:22 am
Location: Riga, Latvia

Re: forward chain: no packets go through

Thu Oct 12, 2017 3:27 pm

4 ;;; Accept all establish connection to forward
chain=forward action=accept connection-state=established connection-type="" log=yes log-prefix=""

There is no such connection-type="". Value must be unset not empty.

Same problem on all forward rules.
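
Added example, not part of the original thread and not MikroTik code: a small Python check that reads "/ip firewall filter print" output and reports matchers set to an empty string, such as the connection-type="" pointed out in this reply. Ignoring log-prefix="" and treating every other empty matcher as suspect is an assumption that generalizes the reply; the sample rules are constructed from rules quoted earlier in the thread.

```python
import re

# Constructed sample in the layout of "/ip firewall filter print",
# modelled on rules 3 and 4 quoted in this thread.
SAMPLE = '''\
 3    ;;; Drop all invalid connection
      chain=input action=drop connection-state=invalid log=no log-prefix=""

 4    ;;; Accept all establish connection to forward
      chain=forward action=accept connection-state=established connection-type="" log=yes log-prefix=""
'''

# Assumption: an empty log-prefix is only the default (no prefix), so skip it.
BENIGN_WHEN_EMPTY = {"log-prefix"}

# Rule header: number, optional flags (X/I/D), then a ";;; comment" or properties.
HEADER = re.compile(r"^\s*(\d+)\s+(?:[XID]+\s+)?(.*)$")
# A property whose value is the empty string, e.g. connection-type="".
EMPTY = re.compile(r'(?<![\w-])([a-z][a-z0-9-]*)=""(?=\s|$)')
CHAIN = re.compile(r"(?<![\w-])chain=(\S+)")


def empty_matchers(print_output):
    """Return [(rule_number, chain, property)] for matchers set to ""."""
    rules = {}      # rule number -> all property text of that rule
    current = None
    for line in print_output.splitlines():
        header = HEADER.match(line)
        if header:
            current = int(header.group(1))
            rest = header.group(2)
            # A comment line carries no properties; they follow on the next lines.
            rules[current] = "" if rest.startswith(";;;") else rest
        elif current is not None and line.strip():
            rules[current] += " " + line.strip()

    findings = []
    for number, props in rules.items():
        chain = CHAIN.search(props)
        for prop in EMPTY.findall(props):
            if prop not in BENIGN_WHEN_EMPTY:
                findings.append((number, chain.group(1) if chain else None, prop))
    return findings


if __name__ == "__main__":
    for number, chain, prop in empty_matchers(SAMPLE):
        print(f'rule {number} ({chain}): {prop}="" is set but empty; unset it')
```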
 
jphconstantin
Frequent Visitor
Topic Author
Posts: 90
Joined: Fri Sep 22, 2017 7:17 pm
Location: Switzerland

Re: forward chain: no packets go through  [SOLVED]

Thu Oct 12, 2017 4:06 pm

But in the manual, in the firewall rules examples, the "connection-type" is not set.
In service-ports, I disabled sip
I am not PPPoE


I turn off my sip phone and turn on: now the sip phone is registered !
I can call it and can call with

Thank you, everybody.
It's hard to be a beginner!
