mikron00b
just joined
Topic Author
Posts: 16
Joined: Mon Dec 24, 2018 1:43 pm

Firewall is blocking FORWARDING? WHY??

Wed Dec 26, 2018 11:31 am

Dear Experts,

I am experienced with firewalls, and new to Mikrotik products. VLAN, DHCP setup and NAT for Internet are working; now I want to define the firewall.
While doing basic experiments I have a big problem:
I have a generic FORWARD ACCEPT rule as Rule 0,
a generic INPUT ACCEPT rule as Rule 1,
a generic FORWARD DENY as Rule 2.
When I activate Rule 2 -> no Internet, no inter-LAN connection (e.g. 2LAN to VLAN20).
When I deactivate Rule 2, everything is OK?

I don't get it, RULE 0 should be handled first and overrule RULE 3?? Why does RULE 3 then have an effect??

export:

# jan/02/1970 01:55:00 by RouterOS 6.43.7
# software id = XXXX
#
# model = RouterBOARD 952Ui-5ac2nD
# serial number = 924908CF1253
/interface ethernet
set [ find default-name=ether1 ] name=1WAN
set [ find default-name=ether2 ] name=2LAN
set [ find default-name=ether3 ] name=3LAN
set [ find default-name=ether4 ] name=4LAN
set [ find default-name=ether5 ] name=5LAN
/interface vlan
add interface=3LAN name=VLAN10 vlan-id=10
add interface=3LAN name=VLAN20 vlan-id=20
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip pool
add name=dhcp_MAIN ranges=192.168.1.2-192.168.1.10
add name=dhcp_VLAN10 ranges=192.168.10.2
add name=dhcp_VLAN20 ranges=192.168.20.2
/ip dhcp-server
add address-pool=dhcp_MAIN disabled=no interface=2LAN lease-time=23h name=\
dhcpMAIN
add address-pool=dhcp_VLAN10 disabled=no interface=VLAN10 lease-time=23h \
name=dhcpVLAN10
add address-pool=dhcp_VLAN20 disabled=no interface=VLAN20 lease-time=23h \
name=dhcpVLAN20

/interface bridge nat
add action=accept chain=srcnat
/interface bridge settings
set use-ip-firewall=yes use-ip-firewall-for-vlan=yes
/ip address
add address=192.168.1.1/24 interface=2LAN network=192.168.1.0
add address=192.168.20.1/24 interface=VLAN20 network=192.168.20.0
add address=192.168.10.1/24 interface=VLAN10 network=192.168.10.0

/ip dhcp-client
add dhcp-options=hostname,clientid disabled=no interface=1WAN
/ip dhcp-server lease
add address=192.168.1.2 mac-address=60:EB:69:5D:5D:34 server=dhcpMAIN
/ip dhcp-server network
add address=192.168.1.0/24 dns-server=192.167.1.3 gateway=192.167.1.3
add address=192.168.10.0/24 dns-server=192.167.1.3 gateway=192.168.10.1
add address=192.168.20.0/24 dns-server=192.167.1.3 gateway=192.168.20.1
/ip dns
set allow-remote-requests=yes servers=207.67.220.220,208.67.222.222
/ip firewall filter
add action=accept chain=forward connection-state=established,related \
connection-type=""
add action=accept chain=input
add action=drop chain=forward connection-state=\
invalid,established,related,new disabled=yes
/ip firewall nat
add action=masquerade chain=srcnat out-interface=1WAN
/ip service
set www-ssl disabled=no
/system identity
set name=ROUTERFOO


Help is appreciated,
 
mikron00b
just joined
Topic Author
Posts: 16
Joined: Mon Dec 24, 2018 1:43 pm

Re: Firewall is blocking FORWARDING? WHY??

Fri Dec 28, 2018 4:08 pm

Update: the error above does not exist anymore..?
Next problem: same configuration, but when I want to define precise forward rules I can't define dest. ports or source addresses/interfaces (e.g. 80, 443).
I can choose the option any port, which works, but I want to define the dest. port (which is more secure).
When I select the ingoing/outgoing interface (Internet = 1WAN), once again no connection.
Is this a bug or do I miss something here....

/ip firewall address-list
add address=192.168.30.0/24 list=WALLEDVLANS
add address=192.168.110.0/24 list=WALLEDVLANS
add address=192.168.130.0/24 list=WALLEDVLANS
add address=192.168.20.2 list=R3DV1PR
add address=0.0.0.0/8 list=Bogons
add address=192.168.1.2 list=SRVC
add address=192.168.1.2 list=INETUSERS
add address=192.168.1.2 list=SFTPUSERS
/ip firewall filter
add action=accept chain=forward comment="INTERNET USERS TCP" connection-state=established,related,new dst-port="" port=80,443 protocol=tcp
add action=accept chain=forward comment="INTERNET USERS UDP" connection-nat-state="" connection-state=established,related,new port=53 protocol=udp
add action=accept chain=forward connection-nat-state="" connection-state=established,related,new port=2201 protocol=tcp
add action=drop chain=forward comment="WALLED R3DV1PR VLAN20" src-address-list=R3DV1PR
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=input port=69 protocol=udp
add action=drop chain=forward comment="defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat connection-state=new in-interface=1WAN
add action=drop chain=forward comment="Drop to bogon list" dst-address-list=Bogons
add action=accept chain=input protocol=icmp
add action=accept chain=input connection-state=established
add action=accept chain=input connection-state=related
add action=drop chain=input in-interface=1WAN
add action=drop chain=forward log=yes
 
sebastia
Forum Guru
Posts: 1782
Joined: Tue Oct 12, 2010 3:23 am
Location: Antwerp, BE

Re: Firewall is blocking FORWARDING? WHY??

Fri Dec 28, 2018 4:28 pm

With regards to your first post:
rule 0: was accepting already established connections
rule 2: was rejecting any new connections

Second post: you need to select the type of protocol, such as udp or tcp, to be able to select which port to use. Port is meaningless for ICMP, for example.
 
mikron00b
just joined
Topic Author
Posts: 16
Joined: Mon Dec 24, 2018 1:43 pm

Re: Firewall is blocking FORWARDING? WHY??

Fri Dec 28, 2018 6:24 pm

Hi, thank you for the reply,
yes, protocol is always used during tests.

Below is the (meanwhile) working firewall.

When I changed just the first rule to the following examples, I then can't forward to the internet.

192.168.1.2 is my test PC on network SRVC (LAN PORT 2).

Defining the destination port doesn't work:

add action=accept chain=forward comment="INTERNET USERS TCP" \
connection-state=established,related,new dst-port=80,443 protocol=tcp

Defining the source address doesn't work:

add action=accept chain=forward comment="INTERNET USERS TCP" \
connection-state=established,related,new protocol=tcp src-address=\
192.168.1.2

Defining the outgoing interface doesn't work:

add action=accept chain=forward comment="INTERNET USERS TCP" \
connection-state=established,related,new out-interface=1WAN protocol=tcp

Defining the ingoing interface doesn't work:

add action=accept chain=forward comment="INTERNET USERS TCP" \
connection-state=established,related,new in-interface=2SRVC protocol=tcp

but defining any port (TCP) works:
add action=accept chain=forward comment="INTERNET USERS TCP" \
connection-state=established,related,new port=80,443 protocol=tcp

Hmm... I don't think the bug is inside the router; it's sitting in front of 192.168.1.2...
Can you please help me to understand how this works.... I like Mikrotik very much but this is getting me *****.....

Thank you,


/ip firewall filter
add action=accept chain=forward comment="INTERNET USERS TCP" \
connection-state=established,related,new dst-port="" port="" protocol=tcp
add action=accept chain=forward comment="INTERNET USERS UDP" \
connection-nat-state="" connection-state=established,related,new port=53 \
protocol=udp
add action=accept chain=forward connection-nat-state="" connection-state=\
established,related,new port=2201 protocol=tcp
add action=drop chain=forward comment="WALLED R3DV1PR VLAN20" \
src-address-list=R3DV1PR
add action=drop chain=forward comment="defconf: drop invalid" \
connection-state=invalid
add action=accept chain=input port=69 protocol=udp
add action=drop chain=forward comment=\
"defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
connection-state=new in-interface=1WAN
add action=drop chain=forward comment="Drop to bogon list" dst-address-list=\
Bogons
add action=accept chain=input protocol=icmp
add action=accept chain=input connection-state=established
add action=accept chain=input connection-state=related
add action=drop chain=input in-interface=1WAN
add action=drop chain=forward log=yes
/ip firewall nat
add action=masquerade chain=srcnat routing-table=main
 
anav
Forum Guru
Posts: 18958
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Firewall is blocking FORWARDING? WHY??

Fri Dec 28, 2018 10:00 pm

I would go back to a basic secure setup and then add some of the extra stuff; that way you will more easily find your errors.

/ip firewall filter
add action=accept chain=input comment=\
    "defconf: accept established,related" connection-state=\
    established,related
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment="Allow ADMIN to Router" \
    in-interface-list=LAN src-address-list=adminaccess
add action=accept chain=input comment="Allow LAN DNS queries-UDP" dst-port=53 \
    in-interface-list=LAN protocol=udp
add action=accept chain=input comment="Allow LAN DNS queries - TCP" dst-port=\
    53 in-interface-list=LAN protocol=tcp
add action=drop chain=input comment="DROP ALL ELSE" log-prefix=\
    "INPUT DROP ALL"
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
    connection-state=established,related
add action=accept chain=forward comment=\
    "defconf: accept established,related" connection-state=\
    established,related
add action=drop chain=forward comment=\
    "Drop invalid/malformed packets" connection-state=invalid \
    log-prefix=INVALID
add action=accept chain=forward comment="ENABLE LAN to WAN" in-interface=\
    {name of your bridge or etherport etc} log-prefix="ALLOWED LAN 2 WAN TRAFFIC" \
    out-interface=WAN
add action=accept chain=forward comment=\
    "Allow Port Forwarding " connection-nat-state=dstnat
add action=drop chain=forward comment=\
    "DROP ALL other  FORWARD traffic" log-prefix="FORWARD DROP ALL"

/ip firewall nat
add action=masquerade chain=srcnat routing-table=main ???? 

It's usually the following, but if the above NAT rule works then there's no need to change it.
add action=masquerade chain=srcnat out-interface=eth1  (or whatever port is your WAN port)
 
mducharme
Trainer
Posts: 1777
Joined: Tue Jul 19, 2016 6:45 pm
Location: Vancouver, BC, Canada

Re: Firewall is blocking FORWARDING? WHY??

Fri Dec 28, 2018 11:02 pm

/ip firewall filter
add action=accept chain=forward comment="INTERNET USERS TCP" \
connection-state=established,related,new dst-port="" port="" protocol=tcp
add action=accept chain=forward comment="INTERNET USERS UDP" \
connection-nat-state="" connection-state=established,related,new port=53 \
protocol=udp
add action=accept chain=forward connection-nat-state="" connection-state=\
established,related,new port=2201 protocol=tcp
Please note that any rules with settingname="" will not work. None of the three rules above will work because each has a setting set to "" which will never be true, so those three rules will never match any traffic. For instance, the first rule matches traffic where dst-port is NULL and where port is NULL ("" means NULL). With TCP and UDP there will always be a port, it will never be NULL, so these rules will not work at all.
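The two points made in this thread, rule order with connection-state (sebastia's reply) and the never-matching `""` matcher (mducharme's reply), can be seen in a small model of the filter chain. This is an added illustration, not RouterOS code; the `Rule` class, `matches` and `verdict` functions, and the packets are constructed here from the values quoted in the posts.

```python
# Added illustration, not RouterOS code: a minimal model of how /ip firewall
# filter walks a chain top-down (first match decides) and why a matcher that
# is exported as "" (NULL) can never match a packet.
from dataclasses import dataclass
from typing import Dict, List, Optional, Set

@dataclass
class Rule:
    chain: str
    action: str
    connection_state: Optional[Set[str]] = None  # None = matcher not set
    protocol: Optional[str] = None
    dst_port: Optional[Set[int]] = None          # set() models dst-port=""
    disabled: bool = False

def matches(rule: Rule, pkt: Dict) -> bool:
    """True when every matcher that is set on the rule agrees with the packet."""
    if rule.disabled or rule.chain != pkt["chain"]:
        return False
    if rule.protocol is not None and pkt.get("proto") != rule.protocol:
        return False
    # A set matcher that is present but empty ("" in the export) is NULL:
    # no packet value can be a member, so the rule never fires.
    if rule.connection_state is not None and pkt["state"] not in rule.connection_state:
        return False
    if rule.dst_port is not None and pkt.get("dport") not in rule.dst_port:
        return False
    return True

def verdict(rules: List[Rule], pkt: Dict) -> str:
    """First matching rule decides; a chain with no match accepts, as in RouterOS."""
    for rule in rules:
        if matches(rule, pkt):
            return rule.action
    return "accept"

# The three rules from the first post, with the drop rule (rule 2) enabled.
FIRST_POST = [
    Rule("forward", "accept", connection_state={"established", "related"}),
    Rule("input", "accept"),
    Rule("forward", "drop",
         connection_state={"invalid", "established", "related", "new"}),
]
# The "INTERNET USERS TCP" rule as exported with dst-port="", followed by the
# catch-all drop from the same ruleset.
EMPTY_MATCHER = [
    Rule("forward", "accept", connection_state={"established", "related", "new"},
         protocol="tcp", dst_port=set()),
    Rule("forward", "drop"),
]
NEW_HTTPS = {"chain": "forward", "state": "new", "proto": "tcp", "dport": 443}
REPLY = {"chain": "forward", "state": "established", "proto": "tcp", "dport": 443}
```

`verdict(FIRST_POST, NEW_HTTPS)` is `"drop"` because rule 0 only accepts established/related traffic and the new connection falls through to rule 2, while `verdict(EMPTY_MATCHER, NEW_HTTPS)` is `"drop"` because the empty dst-port set can never contain 443.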
 
mikron00b
just joined
Topic Author
Posts: 16
Joined: Mon Dec 24, 2018 1:43 pm

Re: Firewall is blocking FORWARDING? WHY??

Sat Dec 29, 2018 8:12 pm

Dear mducharme, anav,

thank you.
Getting closer: used the above iptable, and the defined inet (tcp, dns) rules work.
As said, I am coming from Zyxel, where empty boxes in the GUI == any..... Now I know....sorry for that.
Using main table / routing in src NAT was just left over from my trials..... removed, thank you.

Now I see that the problem of connection/firewalling is based mainly on the VLANs.... I can't connect to a VLAN now (Server).
I want to avoid bridges...
I have on Ether 2: VLAN 10,20,30,40 coming tagged from the switch connected to Ether 2....
Ether3: 110,120,130,140 coming tagged from the switch connected to Ether 3....

How can I manage that every VLAN could connect to another VLAN (LAN/WAN)?
Just connect the ethers in a bridge without WAN?
regards,
 
anav
Forum Guru
Posts: 18958
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Firewall is blocking FORWARDING? WHY??

Sat Dec 29, 2018 8:14 pm

I came from Zyxel as well. It's a different mind set altogether.
I cannot help further, unless you start from the basic setup I suggested and then progress.
Too difficult to muck about with too many unknown rules you may have.
I have VLANs going on my HEX router without issue for both wired and wireless, for example.
 
mikron00b
just joined
Topic Author
Posts: 16
Joined: Mon Dec 24, 2018 1:43 pm

Re: Firewall is blocking FORWARDING? WHY??

Sat Dec 29, 2018 8:33 pm

Hi,
I did a clean install / no configuration this morning.
I remember that I was able to connect via SSH to my media server some days ago (within VLAN from LAN), but with the new setup no luck.
I will try tomorrow to do another run with basic default settings; maybe Mikrotik implemented something there to get this going...
Thank you for the help, the iptable above was very helpful for my understanding of how to do things in the Mikrotik universe and will be the pile for my final rule setting ;)

Some setups from now I will be able to run this thing ;),

regards
 
mikron00b
just joined
Topic Author
Posts: 16
Joined: Mon Dec 24, 2018 1:43 pm

Re: Firewall is blocking FORWARDING? WHY??

Wed Jan 02, 2019 3:55 pm

So, after 5 days of hard work...everything is OK.
Major problem: how Mikrotik does things...it's different, but after a while I can say it's not bad.

Putting up VLAN/IPSEC/OVPN, firewalling/mangle for packet routing/access control.

Will stick with Mikrotik ;).
Only con is the OVPN client, which is slow due to TCP and non-state-of-the-art crypto (sha1?? yes, unlikely to break but there are newer techs out there).

Thanks everyone for your input. I will delete this thread, because no "real" input for others is involved, just debugging myself.

regards
