Firewall doesn't work

soulreaver1 · Sat Feb 17, 2018 11:15 am

Hello,

I have a Mikrotik Router with configuration I don't understand.

There is a first WAN IP which is netmapped to local network.

 1    ;;; WAN
      chain=srcnat action=netmap to-addresses=xxx.241.19.250 
      src-address=192.168.16.0/24 out-interface=ether13_Netia_WAN log=no 
      log-prefix=""

There are some dstnat rules on specific ports to allow external hosts connect though WAN xxx.241.19.250 and this works as expected (when there is no accept on firewall connections don't go through NAT rules). However there is also dstnat rule for WAN xxx.241.19.251 which is not allowed on the firewall but works anyway!

15    ;;; service - HTTP
      chain=dstnat action=dst-nat to-addresses=192.168.16.20 to-ports=80 
      protocol=tcp dst-address=xxx.241.19.251 dst-port=80 log=no log-prefix=""

I checked that xxx.241.19.251 is not masquaraded to 192.168.16.0/24 or netmapped to 192.168.16.20 so maybe the firewall in Mikrotik OS works only for masquaraded or netmapped IPs?

Sob · Sat Feb 17, 2018 12:13 pm

Firewall filter works for anything passing through router. It's impossible to tell what's happening with yours, if we don't see it. Remember that it allows everything by default, there can also be the magic rule with connection-nat-state=dstnat to allow all forwarded ports at once, and order of rules is very important.

soulreaver1 · Sun Feb 18, 2018 10:30 am

Thank you, I've found the reason. The forward chain on this device was not closed (like I do on devices which I configure).

  ;;; drop all on WANs
      chain=forward action=drop connection-state="" in-interface-list=WANs 
      log=no log-prefix=""

Firewall doesn't work [SOLVED]

Firewall doesn't work

Re: Firewall doesn't work [SOLVED]

Re: Firewall doesn't work

Who is online