meazz1
Frequent Visitor
Topic Author
Posts: 67
Joined: Tue Nov 28, 2017 9:44 pm
Location: Auburn, GA

Need help with my firewall rules

Tue Dec 19, 2017 5:39 am

I added an entry to drop pings from the WAN side with the help of Google; does it look right? I added the entry on line #16.
/ip firewall filter
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
    ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
    ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
    connection-state=established,related
add action=accept chain=forward comment=\
    "defconf: accept established,related, untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
add action=drop chain=forward comment=\
    "defconf:  drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
    connection-state=new in-interface-list=WAN
add action=drop chain=input in-interface=!ether1 protocol=icmp icmp-options=8:0-255
add action=accept chain=input connection-state=established
add action=accept chain=input connection-state=related
add action=drop chain=input in-interface=ether1
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" \
    ipsec-policy=out,none out-interface-list=WAN
add action=masquerade chain=srcnat out-interface=ether1
 
evince
Member
Posts: 355
Joined: Thu Jul 05, 2012 12:11 pm
Location: Harzé - Belgique

Re: Need help with my firewall rules

Tue Dec 19, 2017 4:26 pm

Hello, there is a mistake:

add action=drop chain=input in-interface=!ether1 protocol=icmp icmp-options=8:0-255

should be

add action=drop chain=input in-interface=ether1 protocol=icmp icmp-options=8:0-255
 
ZeroByte
Forum Guru
Posts: 4047
Joined: Wed May 11, 2011 6:08 pm

Re: Need help with my firewall rules  [SOLVED]

Tue Dec 19, 2017 4:36 pm

There's no need to have a rule to explicitly drop ICMP in your posted filter rules.
add action=drop chain=input in-interface=!ether1 protocol=icmp icmp-options=8:0-255
add action=accept chain=input connection-state=established
add action=accept chain=input connection-state=related
add action=drop chain=input in-interface=ether1
The final rule in the chain will drop anything that has not been accepted by a previous rule. The previous rules only accept packets in the established / related states - meaning that the router will only accept packets which are replies to requests generated by the router itself. (assuming that your router's public IP address is on interface ether1 - NOT pppoe1 or some vlan sub-interface of ether1)

Essentially, this special rule only serves to waste CPU resources by performing an extra set of checks on every single packet received by the router. The final rule will drop the icmp packets anyway because they will not be part of established connections, or related to those established connections.

And to elaborate on evince's post - the problem in your posted rules is that the in-interface is set to !ether1 which means "not ether1" so in your original post, the first rule would block pings to the router from every interface EXCEPT ether1.
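To make the two points above concrete (the inverted `!ether1` match and the redundancy of the explicit ICMP rule), here is an added Python model of first-match evaluation over the poster's four input-chain rules. It is example code written for this thread, not RouterOS or the forum's own code; the packet values and the simplified matcher set are constructed, and it assumes the RouterOS behaviour that a packet matching no rule in a chain is accepted.

```python
from dataclasses import dataclass
from typing import Optional, List, Tuple

@dataclass(frozen=True)
class Packet:                      # constructed packet abstraction for the model
    in_interface: str
    protocol: str                  # "icmp", "tcp", "udp"
    icmp_type: Optional[int]       # 8 = echo request (what icmp-options=8:0-255 matches)
    conn_state: str                # "new", "established", "related", "invalid"

def match(rule: dict, pkt: Packet) -> bool:
    """All matchers in a rule must hold; a leading '!' negates the interface match, as in RouterOS."""
    iface = rule.get("in-interface")
    if iface is not None:
        negated = iface.startswith("!")
        if (pkt.in_interface == iface.lstrip("!")) == negated:
            return False
    if "protocol" in rule and rule["protocol"] != pkt.protocol:
        return False
    if "icmp-type" in rule and rule["icmp-type"] != pkt.icmp_type:
        return False
    if "connection-state" in rule and pkt.conn_state not in rule["connection-state"]:
        return False
    return True

def verdict(chain: List[dict], pkt: Packet) -> Tuple[str, Optional[int]]:
    """First matching rule wins; returns (action, index of that rule). No match -> accept (assumed default)."""
    for i, rule in enumerate(chain):
        if match(rule, pkt):
            return rule["action"], i
    return "accept", None

def input_chain(icmp_iface: Optional[str]) -> List[dict]:
    """The poster's input rules; icmp_iface is the ICMP rule's in-interface value (None = rule removed)."""
    chain = []
    if icmp_iface is not None:
        chain.append({"action": "drop", "in-interface": icmp_iface,
                      "protocol": "icmp", "icmp-type": 8})
    chain += [{"action": "accept", "connection-state": {"established"}},
              {"action": "accept", "connection-state": {"related"}},
              {"action": "drop", "in-interface": "ether1"}]
    return chain

WAN_PING = Packet("ether1", "icmp", 8, "new")   # constructed: echo request arriving on the WAN port
LAN_PING = Packet("ether2", "icmp", 8, "new")   # constructed: echo request from a LAN port
```

With `!ether1` the model drops the LAN ping at rule 0 while the WAN ping only falls through to the final drop; with `ether1` or with the ICMP rule removed, the WAN ping is dropped either way and the LAN ping is accepted, which is the redundancy ZeroByte describes.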
 
meazz1
Frequent Visitor
Topic Author
Posts: 67
Joined: Tue Nov 28, 2017 9:44 pm
Location: Auburn, GA

Re: Need help with my firewall rules

Wed Dec 20, 2017 3:30 pm

Thanks to you both.
I took the entry out for ICMP and left the default rule alone.
