just joined
Topic Author
Posts: 1
Joined: Sat Aug 03, 2019 11:06 pm

firewall filter doesn't work with in-interface-list

Sat Aug 03, 2019 11:46 pm

Hello all,
I was having issues connecting with ssh/https/etc. to my MikroTik hEX router after I updated it to 6.45.3.
I have solved the issue and it is working, but I have zero idea why it works. I'm just trying to learn a little.

I'll post config snippets at the bottom, but a general idea of the way I have it set up is:
bridge1: #
- eth1 # WLAN
- eth2 # desktop. has 192.168.88 address from dhcp
- eth3 # access point. not important
and then I have an interface list named "LAN" with "bridge1" in it.

The reason I couldn't ssh was this firewall filter:
6    ;;; defconf: drop all not coming from LAN
      chain=input action=drop in-interface-list=!LAN log=no log-prefix=""
Which I assumed would not affect connections from my desktop -- since my desktop is coming from bridge1 which is in the LAN list.
When I added this rule above it:
5    chain=input action=accept protocol=tcp in-interface=bridge1 dst-port=""
      log=no log-prefix=""
everything worked fine. If the rule was added below it -- ssh would not work.

Why would the firewall rule that uses in-interface-list not work the exact same as a rule except it specified the interface directly? In my head the rules are basically identical.

Here's the /export with the rule that fixed it. If the
# aug/03/2019 15:37:59 by RouterOS 6.45.3
# software id = 97SK-QQYJ
# model = RB750Gr3
# serial number = 8B0009994A4C
/interface bridge
add admin-mac=B8:69:F4:D7:A1:7D auto-mac=no comment=\
    "created from master port" name=bridge1 protocol-mode=none
/interface ethernet
set [ find default-name=ether1 ] speed=100Mbps
set [ find default-name=ether2 ] name=ether2-master speed=100Mbps
set [ find default-name=ether3 ] speed=100Mbps
set [ find default-name=ether4 ] speed=100Mbps
set [ find default-name=ether5 ] speed=100Mbps
/interface vlan
add interface=ether3 name=homePublic vlan-id=192
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
add exclude=dynamic name=discover
add name=mactel
add name=mac-winbox
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip hotspot profile
set [ find default=yes ] html-directory=flash/hotspot
/ip pool
add name=default-dhcp ranges=
add name=poolHomePublic ranges=
/ip dhcp-server
add address-pool=default-dhcp disabled=no interface=bridge1 name=defconf
add address-pool=poolHomePublic disabled=no interface=homePublic lease-time=\
    2w name=dhcpClientsHomePublic
/interface bridge port
add bridge=bridge1 interface=ether3
add bridge=bridge1 interface=ether4
add bridge=bridge1 interface=ether5
add bridge=bridge1 interface=ether2-master
/ip neighbor discovery-settings
set discover-interface-list=discover
/interface list member
add comment=defconf interface=bridge1 list=LAN
add comment=defconf interface=ether1 list=WAN
add interface=bridge1 list=discover
add interface=ether3 list=discover
add interface=ether4 list=discover
add interface=ether5 list=discover
add interface=homePublic list=discover
add interface=bridge1 list=mactel
add interface=bridge1 list=mac-winbox
/ip address
add address= comment=defconf interface=bridge1 network=\
add address= interface=homePublic network=
/ip dhcp-client
add comment=defconf dhcp-options=hostname,clientid disabled=no interface=\
/ip dhcp-server network
add address= dns-server= gateway=\ netmask=24
add address= comment=defconf gateway=
/ip dns
set allow-remote-requests=yes
/ip dns static
add address= name=router.lan
/ip firewall filter
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=log chain=input dst-port=22 in-interface=bridge1 protocol=tcp \
add action=accept chain=input dst-port="" in-interface=bridge1 protocol=tcp
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
add action=accept chain=forward comment=\
    "defconf: accept established,related, untracked" connection-state=\
add action=drop chain=forward comment="defconf: drop invalid" \
add action=drop chain=forward comment=\
    "defconf:  drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
    connection-state=new in-interface-list=WAN
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" \
    ipsec-policy=out,none out-interface-list=WAN
/ip service
set ssh address=
set www-ssl disabled=no
/ip ssh
set strong-crypto=yes
/system clock
set time-zone-name=America/Chicago
/system resource irq rps
set ether1 disabled=no
set ether3 disabled=no
set ether4 disabled=no
set ether5 disabled=no
/tool mac-server
set allowed-interface-list=mactel
/tool mac-server mac-winbox
set allowed-interface-list=mac-winbox

Any knowledge is very much appreciated. Been a fun day messing with this! This community seems pretty great.
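To see what the two rules compared above should do, here is a small walker that evaluates an input chain the way RouterOS does (first matching terminal rule wins, `!LAN` negates list membership, unmatched packets are accepted). It is an added example, not the poster's config or MikroTik code; the export fragment is constructed, and the matcher set, packet fields and helper names are assumptions.

```python
import re

# Constructed export fragment modelled on the thread's default config (not the OP's exact /export).
SAMPLE_EXPORT = """/interface list member
add comment=defconf interface=bridge1 list=LAN
add comment=defconf interface=ether1 list=WAN
/ip firewall filter
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=input comment="defconf: drop all not coming from LAN" in-interface-list=!LAN
add action=accept chain=input comment="ssh from bridge1" dst-port=22 in-interface=bridge1 protocol=tcp
"""
KV = re.compile(r'([\w-]+)=("[^"]*"|\S*)')   # key=value or key="quoted value"

def parse_export(text):
    """Map each /section to its 'add' entries as {key: value} dicts, in file order."""
    sections, current = {}, None
    for line in map(str.strip, text.splitlines()):
        if line.startswith('/'):
            current = sections.setdefault(line, [])
        elif line.startswith('add ') and current is not None:
            current.append({k: v.strip('"') for k, v in KV.findall(line[4:])})
    return sections

def rule_matches(rule, pkt, members):
    """True if every matcher on the rule agrees with the packet; empty values (dst-port="") match anything."""
    for key, want in rule.items():
        if key in ('action', 'chain', 'comment', 'log', 'log-prefix') or want == '':
            continue
        if key == 'in-interface-list':   # a leading '!' negates the membership test
            hit = pkt['in-interface'] in members.get(want.lstrip('!'), set())
            ok = hit != want.startswith('!')
        elif key == 'in-interface':
            ok = pkt['in-interface'] == want
        elif key in ('protocol', 'dst-port', 'connection-state'):
            ok = str(pkt.get(key, '')) in want.split(',')
        else:
            raise ValueError(f'matcher {key} is not modelled here')
        if not ok:
            return False
    return True

def first_terminal_action(sections, pkt, chain='input'):
    """Return (action, comment) of the first accept/drop in the chain matching pkt; unmatched packets are accepted, as on RouterOS."""
    members = {}
    for m in sections.get('/interface list member', []):
        members.setdefault(m['list'], set()).add(m['interface'])
    for rule in sections.get('/ip firewall filter', []):
        if rule.get('chain') == chain and rule['action'] in ('accept', 'drop') and rule_matches(rule, pkt, members):
            return rule['action'], rule.get('comment', '')
    return 'accept', 'chain default'
```

Moving bridge1 into a different list (the LAN_NEW test suggested later in the thread) is a one-line change to the sample, and the walker then reports the drop rule as the one that fires.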
Posts: 40
Joined: Sun Feb 25, 2018 2:05 am
Location: Sofia, Bulgaria

Re: firewall filter doesn't work with in-interface-list

Sun Aug 04, 2019 2:52 pm

I read your config two times and I cannot figure out a problem. The only thing for you to correct in your post is that in the beginning, you wrote "eth1 # WLAN" and it should be WAN.

It looks like you did an upgrade from a version before 6.41 and the configuration was upgraded from "the master-slave model" to the "bridge" model (I hope I am saying it correctly). I would add a new interface list called LAN_NEW, add bridge1 to it and test again. If it works then maybe it is a bug or something. I am curious if someone else will spot an issue in your config.
Every moment something magical is happening!
Forum Guru
Posts: 6076
Joined: Mon Apr 20, 2009 9:11 pm

Re: firewall filter doesn't work with in-interface-list

Sun Aug 04, 2019 6:19 pm

Default action is accept, so since there's nothing after "action=drop in-interface-list=!LAN" rule, it must be the one blocking it. But you do have bridge1 in LAN list, so it should not. Your logging rule does log something when you connect, right?

Other than that, the only wrong thing I see is your VLAN, it shouldn't be on bridge port interface. But I wouldn't expect it to influence this.
People who quote full posts should be spanked with ethernet cable. Some exceptions for multi-topic threads may apply. Not intended as incentive for masochists.
just joined
Posts: 1
Joined: Thu Mar 22, 2018 3:34 am

Re: firewall filter doesn't work with in-interface-list

Mon Jun 22, 2020 4:29 pm

Why would the firewall rule that uses in-interface-list not work the exact same as a rule except it specified the interface directly? In my head the rules are basically identical.
I have exactly the same problem in the latest stable version of ROS.
My dst-nat rules don't work when I specify the input interface for it.
If I don't, they work properly. Temporary solution was to dial by the interface IP, this way it works.
Any ideas? I have no bridge around here.
just joined
Posts: 1
Joined: Thu Oct 15, 2020 6:18 pm

Re: firewall filter doesn't work with in-interface-list

Thu Oct 15, 2020 6:21 pm

I had this issue too, which is the reason I found this post.
The problem in my case was a much older firmware version than software version; it even caused a problem with the TCP connection after the default config.

After firmware update it works as it should.
