Community discussions

MikroTik App
  4. RouterOS
  5. Beginner Basics

Firewall DNS Problem

Post Reply
 
johnb175
just joined
Topic Author
Posts: 16
Joined: Mon Nov 02, 2020 11:57 pm

Firewall DNS Problem

Tue Nov 03, 2020 12:17 am

I just setup a RBcAPGi-5acD2nD running stable 6.47.7 firmware as a home router using ether1 as LAN and ether2 as WAN. I've created a address-list for LAN for 192.168.1.0/24. I've implemented the default firewall set below:
Code: Select all
/ip firewall filter
add action=accept chain=input comment="accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=input comment="drop invalid" connection-state=invalid
add action=accept chain=input comment="accept ICMP" protocol=icmp
add action=drop chain=input comment="drop all not coming from LAN" in-interface-list=!LAN
add action=accept chain=forward comment="accept established,related, untracked" connection-state=established,related,untracked
add action=drop chain=forward comment="drop invalid" connection-state=invalid
add action=accept chain=forward comment="accept in ipsec policy" ipsec-policy=in,ipsec
add action=accept chain=forward comment="accept out ipsec policy" ipsec-policy=out,ipsec
add action=drop chain=forward comment="drop all from WAN not DSTNATed" connection-nat-state=!dstnat in-interface-list=WAN
With this setup I cannot get DNS to resolve. If I disable the drop all not coming from LAN" in-interface-list=!LAN rule DNS will work, or alternately add an input rule above the drop that allows DNS such as:
Code: Select all
add action=accept chain=input comment=DNS protocol=udp src-port=53
My question is why would DNS not work when I am obviously on the LAN and should not be subject to the drop rule? I've looked at this for a while and maybe I am missing something obvious. Any advice, tips would be greatly appreciated.
Top
 
User avatar
anav
Forum Guru
Forum Guru
Posts: 19322
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada
Contact:
Contact anav

Re: Firewall DNS Problem

Tue Nov 03, 2020 6:35 pm

Easier to reply with facts vice guessing if we see the config.
/export hide-sensitive file=anynameyouwish.

I agree the (default) rules you have should permit access to the router for DNS by lan users so the answer probably lies elsewhere in the config.
Top
 
aesmith
Member Candidate
Member Candidate
Posts: 264
Joined: Wed Mar 27, 2019 6:43 pm

Re: Firewall DNS Problem

Tue Nov 03, 2020 7:06 pm

It's not advisable to have an open access for DNS traffic from the Internet into your network. The default "accept established" should permit in replies to your actual requests.

Have you confirmed whether your requests are being prevented from going out, or whether the replies are being prevented for coming in? You could do a quick packet capture on your Internet interface to confirm. Or look in the connection tables to see if the DNS requests are appearing and properly NATed.
Top
 
johnb175
just joined
Topic Author
Posts: 16
Joined: Mon Nov 02, 2020 11:57 pm

Re: Firewall DNS Problem

Tue Nov 03, 2020 9:30 pm

I figured it out last night. Looking through Winbox on the rule "drop all not coming from LAN" in-interface-list=!LAN" I had the connection type box selected. There was nothing in it (empty white space) but that was stopping DNS queries from reaching the router.
type.JPG
Once I deselected it everything worked. I must have accidentally did that and just overlooked it.
You do not have the required permissions to view the files attached to this post.
Top
 
User avatar
anav
Forum Guru
Forum Guru
Posts: 19322
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada
Contact:
Contact anav

Re: Firewall DNS Problem

Tue Nov 03, 2020 10:26 pm

Weird it didnt show up on the config?

In any case I prefer to use accept rules and as last rule to drop all else and avoid ! rules if possible.
allow admin to access router
allow lan users to access router services (DNS, NTP)
drop all else.
Top
Post Reply

Who is online

Users browsing this forum: Amazon [Bot] and 25 guests
  4. RouterOS
  5. Beginner Basics