Hello,
I have two hosts - Host-1 and Host-2
Host-1 connected to interface Ethernet-1 of Mikrotik
Host-2 connected to interface Ethernet-2 of Mikrotik
What I need:
I need to deny traffic (ICMP for example) from host 2.2.2.10 to host 1.1.1.10, but have access from 1.1.1.10 to 2.2.2.10 host.
It's like from DMZ to LAN - deny, but from LAN to DMZ - accept.
So, I can't to set firewall according this requirements.
I thought that if I accept traffic from 1.1.1.10 to 2.2.2.10 and apply common deny at the end It should work.
But in this case I can't traffic between both hosts: Host-1 hasn't access to Host-2 and vice versa.
What's wrong ?
/interface ethernet
set [ find default-name=ether1 ] disable-running-check=no
set [ find default-name=ether2 ] disable-running-check=no
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip firewall connection tracking
set enabled=yes
/ip address
add address=1.1.1.1/24 interface=ether1 network=1.1.1.0
add address=2.2.2.1/24 interface=ether2 network=2.2.2.0
/ip firewall filter
add action=accept chain=forward dst-address=1.1.1.10 src-address=2.2.2.10
add action=drop chain=forward
[admin@MikroTik] >
Re: how to deny traffic in one direction ?
You have already enabled Connection Tracking which is needed to achieve this goal.
Your firewall rules should look for example like this:
Your router will then allow new, related and established connections coming from 1.1.1.10 with destination 2.2.2.10. The second rule will allow 2.2.2.10 to answer to established and related connections to 1.1.1.10. Everything else will be blocked.
See:
https://wiki.mikrotik.com/wiki/Manual:I ... n_tracking and
https://wiki.mikrotik.com/wiki/Manual:I ... all/Filter
Your firewall rules should look for example like this:
Code: Select all
add chain=forward action=accept connection-state=new,established,related in-interface=ether1 out-interface=ether2 src-address=1.1.1.10 dst-address=2.2.2.10 comment="accept new, established and related connections from 1.1.1.10 to 2.2.2.10"
add chain=forward action=accept connection-state=established,related in-interface=ether2 out-interface=ether1 src-address=2.2.2.10 dst-address=1.1.1.10 comment="accept established and related connections from 2.2.2.10 to 1.1.1.10"
add action=drop chain=forward comment="drop default"
See:
https://wiki.mikrotik.com/wiki/Manual:I ... n_tracking and
https://wiki.mikrotik.com/wiki/Manual:I ... all/Filter
Re: how to deny traffic in one direction ?
Thank you very much !
It works. But I'm comfused. I was wrong as I thought that firewall in mikrotik is statefull.
It works. But I'm comfused. I was wrong as I thought that firewall in mikrotik is statefull.
Re: how to deny traffic in one direction ?
Firewall is statefull if you use it that way (that means working with connection-state). I'd change posted rules a little:
Generally you want to accept all established, related or untracked connections, unless you're doing something special. Then if you drop invalid, everything what's left is new. And reject instead of drop maked debugging easier, because when something is blocked, router sends info about that, instead of silently dropping it.
Code: Select all
/ip firewall filter
add chain=forward connection-state=established,related,untracked action=accept
add chain=forward connection-state=invalid action=drop
add chain=forward in-interface=ether1 src-address=1.1.1.10 dst-address=2.2.2.10 action=accept
add chain=forward action=rejectWho is online
Users browsing this forum: Builithe85, sebol1204 and 61 guests