diego73
newbie
Topic Author
Posts: 26
Joined: Tue Feb 12, 2019 8:22 pm
Location: ciudad de buenos aires, argentina

something wrong with firewall filter

Thu May 27, 2021 5:55 pm

EDITED 28/5/2021:
NO PROBLEM WITH FIREWALL, THE PROBLEM IS NAT AND IT IS SOLVED!!

Hi Sir

I have set up a router starting from a blank setup as follows:
/interface list
add name=wan1
add name=wan2
add name=lan

/ip pool add name=lanPool ranges=192.168.9.100-192.168.9.250
/ip dhcp-server add address-pool=lanPool disabled=no interface=bridge lease-time=1w10m10s name=dhcpLan
/ip dhcp-server network add address=192.168.9.0/24 dns-server=1.1.1.1 gateway=192.168.9.1

/interface bridge port
add bridge=bridge interface=ether3
add bridge=bridge interface=ether4
add bridge=bridge interface=ether5

/interface list member
add interface=ether1 list=wan1
add interface=ether2 list=wan2
add interface=bridge list=lan

/ip dns set servers=1.1.1.1,1.0.0.1

/ip address
add address=172.24.127.2/24 interface=ether1 network=172.24.127.0
add address=172.23.127.2/24 interface=ether2 network=172.23.127.0
add address=192.168.9.1/24 interface=bridge network=192.168.9.0

/ip route
add distance=1 gateway=172.24.127.1
add distance=1 dst-address=201.93.14.0/24 gateway=172.23.127.1

/ip firewall filter
add action=accept chain=input comment="rbMT" connection-state=established,related,untracked
add action=drop chain=input comment="rbMT" connection-state=invalid
add action=drop chain=input comment="deny all - LAN" in-interface-list=!lan
add action=accept chain=forward comment="byPass from wan2" in-interface-list=wan2
add action=accept chain=forward comment="rbMT" ipsec-policy=in,ipsec
add action=accept chain=forward comment="rbMT" ipsec-policy=out,ipsec
add action=fasttrack-connection comment="rbMT" chain=forward connection-state=established,related
add action=accept chain=forward comment="rbMT" connection-state=established,related,untracked
add action=drop chain=forward comment="rbMT" connection-state=invalid
add action=drop chain=forward comment="deny all - nat" connection-nat-state=!dstnat connection-state=new in-interface-list=wan1

/ip firewall nat
add action=masquerade chain=srcnat out-interface-list=wan1
add action=masquerade chain=srcnat out-interface-list=wan2

With this setup we can traceroute to network 201.93.14.0 without problems, but something is filtering data that comes from that network, because some apps in the LAN are not working.

I would appreciate your answer, thank you!!!
Last edited by diego73 on Fri May 28, 2021 11:03 pm, edited 2 times in total.
rextended
Forum Guru
Posts: 11982
Joined: Tue Feb 25, 2014 12:49 pm
Location: Italy

Re: something wrong with firewall filter

Thu May 27, 2021 6:04 pm

/interface list member
add interface=ether1 list=wan1
add interface=ether1 list=wan2
add interface=bridge list=lan

ether2 instead?

EDIT: the author has now fixed this in the first post
Last edited by rextended on Fri May 28, 2021 10:56 am, edited 1 time in total.
diego73
newbie
Topic Author
Posts: 26
Joined: Tue Feb 12, 2019 8:22 pm
Location: ciudad de buenos aires, argentina

Re: something wrong with firewall filter

Thu May 27, 2021 6:54 pm

/interface list member
add interface=ether1 list=wan1
add interface=ether1 list=wan2
add interface=bridge list=lan

ether2 instead?
Hi rextended!!!
I made a typing mistake, I corrected it. Thanks!
diego73
newbie
Topic Author
Posts: 26
Joined: Tue Feb 12, 2019 8:22 pm
Location: ciudad de buenos aires, argentina

Re: something wrong with firewall filter

Fri May 28, 2021 1:32 am

but it is not the problem.
anav
Forum Guru
Posts: 19107
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: something wrong with firewall filter

Fri May 28, 2021 3:37 am

Sorry, the arrogance is suffocating: you think you know what we need to see to help you with YOUR problem, not ours.

/export hide-sensitive file=anynameyouwish

and this time don't take chunks out.
diego73
newbie
Topic Author
Posts: 26
Joined: Tue Feb 12, 2019 8:22 pm
Location: ciudad de buenos aires, argentina

Re: something wrong with firewall filter

Fri May 28, 2021 7:46 pm

Surfing the web I found the problem with my setup; I post the solution for others that have a similar problem.

The problem is not in the packet filtering but in the NAT.
Masquerade works very well when we have only one ISP, since it automatically selects the outgoing route.
But when we have more than one ISP, as in this case, masquerade tends to cause problems.
The solution consists of replacing masquerade with src-nat, which is basically the same thing and adds the option of specifying the egress address.

change this
/ip firewall nat
add action=masquerade chain=srcnat out-interface-list=wan1
add action=masquerade chain=srcnat out-interface-list=wan2
to this
/ip firewall nat 
add action=src-nat chain=srcnat out-interface-list=wan1 to-addresses=172.24.127.2
add action=src-nat chain=srcnat out-interface-list=wan2 to-addresses=172.23.127.2
This works for me!!
Thanks everyone!!!
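As an added example (not code from this thread, from its authors, or from MikroTik), here is a small Python audit that applies the fix above to a RouterOS export: it parses the `add` lines, counts how many WAN egresses the srcnat rules use, flags masquerade when there is more than one, and, where the egress interface has exactly one static address in /ip address, prints the equivalent src-nat rule with to-addresses. A dynamic WAN address (DHCP client, PPPoE) is not in /ip address, so for those rules it reports that masquerade should stay. The sample export is constructed from the configuration posted in this thread; the function names and the finding texts are this example's own.

```python
import re
import shlex
from collections import defaultdict

# Constructed sample export mirroring the configuration posted in the thread (not a live router export).
SAMPLE_EXPORT = """\
/interface list
add name=wan1
add name=wan2
add name=lan
/interface list member
add interface=ether1 list=wan1
add interface=ether2 list=wan2
add interface=bridge list=lan
/ip address
add address=172.24.127.2/24 interface=ether1 network=172.24.127.0
add address=172.23.127.2/24 interface=ether2 network=172.23.127.0
add address=192.168.9.1/24 interface=bridge network=192.168.9.0
/ip firewall nat
add action=masquerade chain=srcnat out-interface-list=wan1
add action=masquerade chain=srcnat out-interface-list=wan2
"""


def parse_export(text):
    """Parse the 'add key=value ...' lines of a RouterOS export into {section: [rule dict, ...]}."""
    # RouterOS wraps long export lines with a trailing backslash; rejoin them first.
    text = re.sub(r"\\\n\s*", " ", text)
    sections = defaultdict(list)
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("/"):
            section = line          # e.g. "/ip firewall nat"
            continue
        if section and line.startswith("add "):
            # shlex keeps quoted values such as comment="deny all - LAN" together
            rule = {}
            for token in shlex.split(line)[1:]:
                key, _, value = token.partition("=")
                rule[key] = value
            sections[section].append(rule)
    return sections


def audit_srcnat(text):
    """Flag masquerade rules on a multi-WAN router and propose src-nat replacements.

    Returns a list of (rule_index, finding, suggested_rule). A suggestion is only made
    when the egress interface carries exactly one static address in /ip address; with a
    dynamic WAN address (not present in /ip address) masquerade is kept."""
    sections = parse_export(text)
    members = defaultdict(list)         # interface list name -> member interfaces
    for m in sections.get("/interface list member", []):
        members[m["list"]].append(m["interface"])
    addresses = defaultdict(list)       # interface -> static addresses without prefix length
    for a in sections.get("/ip address", []):
        addresses[a["interface"]].append(a["address"].split("/")[0])

    srcnat = [(i, r) for i, r in enumerate(sections.get("/ip firewall nat", []))
              if r.get("chain") == "srcnat"]
    egress = {r.get("out-interface-list") or r.get("out-interface") for _, r in srcnat}
    if len(egress) < 2:
        return []                       # single WAN: masquerade is fine, nothing to report

    findings = []
    for i, rule in srcnat:
        if rule.get("action") != "masquerade":
            continue
        if "out-interface-list" in rule:
            selector = f"out-interface-list={rule['out-interface-list']}"
            ifaces = members.get(rule["out-interface-list"], [])
        else:
            selector = f"out-interface={rule.get('out-interface', '')}"
            ifaces = [rule.get("out-interface")]
        static = [ip for iface in ifaces for ip in addresses.get(iface, [])]
        if len(static) == 1:
            findings.append((i, "masquerade on multi-WAN egress; pin the source address",
                             f"add action=src-nat chain=srcnat {selector} to-addresses={static[0]}"))
        else:
            findings.append((i, "masquerade on multi-WAN egress without a single static address; keep masquerade",
                             None))
    return findings


if __name__ == "__main__":
    for index, finding, suggestion in audit_srcnat(SAMPLE_EXPORT):
        print(f"srcnat rule #{index}: {finding}")
        if suggestion:
            print(f"  suggested: {suggestion}")
```

Run it against the output of `/export hide-sensitive file=...` copied off the router; on the thread's configuration it reports both masquerade rules and prints the two src-nat lines from the post above, while a two-WAN router whose addresses come from DHCP gets no src-nat suggestion.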
anav
Forum Guru
Posts: 19107
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: something wrong with firewall filter

Fri May 28, 2021 8:43 pm

That is because your rules were wrong, improper syntax etc.
The ones you have put in place are good for static/fixed WAN IPs.

For dynamic WAN IPs they would be
/ip firewall nat
add action=masquerade chain=srcnat out-interface=isp1
add action=masquerade chain=srcnat out-interface=isp2

or a single rule
add action=masquerade chain=srcnat out-interface-list=WAN
diego73
newbie
Topic Author
Posts: 26
Joined: Tue Feb 12, 2019 8:22 pm
Location: ciudad de buenos aires, argentina

Re: something wrong with firewall filter

Fri May 28, 2021 9:13 pm

Hi Anav!
That is because your rules were wrong improper syntax etc.,
I put all the info in your hands.. What's wrong?

Yes, my ISP gives me a static IP
anav
Forum Guru
Posts: 19107
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: something wrong with firewall filter  [SOLVED]

Fri May 28, 2021 9:56 pm

I meant the rules you had originally, the ones you put in now are good!