Tulga
just joined
Topic Author
Posts: 5
Joined: Wed Jun 02, 2021 9:41 am

Router Firewall

Thu Jun 10, 2021 4:03 am

Hello?
I use a CRS226******. And I need to implement a firewall configuration on a specific interface list (DotNetVlan). The interface list includes two interfaces. The rule is to allow ports 80, 443, 8530, 8531 in both directions from the server. Do I need to set the IP address of the server as the destination address? I tried to configure it, but it doesn't work. Please see the attached picture.
Screenshot_1.jpg
 
mkx
Forum Guru
Posts: 11439
Joined: Thu Mar 03, 2016 10:23 pm

Re: Router Firewall

Thu Jun 10, 2021 8:06 am

The screenshot doesn't show everything; next time create a text export by executing the command /export hide-sensitive file=anynameyouwish from the terminal window. Open the resulting file in a text editor and copy-paste the contents ...

With firewall filter rules everything (except chain and action) is optional; specifying multiple properties helps to refine the conditions under which a rule triggers.

Also: MT runs a stateful firewall, but your rules don't seem to take that into consideration. They only take care of "forward" packets (packets sent from clients toward the server(s)) but don't take care of "return" packets (apart from the last rule, which drops all packets, and that includes return packets). When rules actually care about connections, there are a few (pretty general) rules at the top of the list:
/ip firewall filter
add chain=forward action=accept ipsec-policy=in,ipsec comment="defconf: accept in ipsec policy"
add chain=forward action=accept ipsec-policy=out,ipsec comment="defconf: accept out ipsec policy"
add chain=forward action=fasttrack-connection connection-state=established,related comment="defconf: fasttrack"
add chain=forward action=accept connection-state=established,related,untracked comment="defconf: accept established,related, untracked"
add chain=forward action=drop connection-state=invalid comment="defconf: drop invalid"
The third rule is there to improve performance and has to be followed by the fourth rule. And again: rule order is essential; the first rule matching a packet gets executed and no further packet matching occurs.


However, there's a gotcha: by default firewall filter rules only apply to packets being routed by the device, that is, packets which enter the router through one interface with an IP address set and leave the router through another (logical) interface with an IP address set (in certain conditions the egress interface could be the same as the ingress). This is not the case when packets are bridged/switched between bridged/switched ports; in normal conditions these are packets between two machines that are members of the same IP subnet.

If adding the rules I pasted above doesn't fix your problem, post your complete config and describe the network topology in some more detail.
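The complete forward-chain rule set the thread is converging on, written out as an added example (not posted by either participant): the stateful rules from the reply above, followed by the port rules the original poster asked for, followed by a logged catch-all drop. It assumes the interface list DotNetVlan already exists, that the server's address is 192.0.2.10 (a placeholder to be replaced with the real one), and that the clients and the server sit in different IP subnets, so the traffic is routed and actually reaches the forward chain.

```routeros
# Added example, not from the thread. Assumptions: the server is 192.0.2.10
# (placeholder, replace with the real address), the interface list
# "DotNetVlan" already exists, and client<->server traffic is routed, not
# bridged, so it passes through the forward chain at all.
/ip firewall filter
# 1. stateful rules first: they accept return packets of connections that were
#    already allowed, so the port rules below only need to match the first
#    packet (connection-state=new) of each connection
add chain=forward action=fasttrack-connection connection-state=established,related \
    comment="accept established/related (fasttrack)"
add chain=forward action=accept connection-state=established,related,untracked \
    comment="accept established/related/untracked"
add chain=forward action=drop connection-state=invalid comment="drop invalid"
# 2. new connections from hosts on the DotNetVlan interfaces to the server on the
#    four allowed TCP ports; dst-address narrows the rule to that one server
add chain=forward action=accept connection-state=new in-interface-list=DotNetVlan \
    dst-address=192.0.2.10 protocol=tcp dst-port=80,443,8530,8531 \
    comment="DotNetVlan -> server: allowed ports"
# 3. "both directions": new connections the server itself opens toward the
#    DotNetVlan hosts on the same ports; remove this rule if the server never
#    initiates connections (replies are already covered by rule set 1)
add chain=forward action=accept connection-state=new out-interface-list=DotNetVlan \
    src-address=192.0.2.10 protocol=tcp dst-port=80,443,8530,8531 \
    comment="server -> DotNetVlan: allowed ports"
# 4. everything else entering or leaving through the DotNetVlan list is dropped;
#    logging with a prefix shows in /log what hits the drop while testing
add chain=forward action=drop in-interface-list=DotNetVlan log=yes log-prefix="DNV-drop" \
    comment="drop the rest from DotNetVlan"
add chain=forward action=drop out-interface-list=DotNetVlan log=yes log-prefix="DNV-drop" \
    comment="drop the rest toward DotNetVlan"
```

Rule order is the whole point: the established/related rule sits above the port rules so reply packets never reach the final drops, and the drops sit last so only connections nobody explicitly allowed hit them. If the two DotNetVlan interfaces and the server are bridge ports in the same subnet, these rules will not see the traffic at all (the gotcha described above); /interface bridge settings set use-ip-firewall=yes forces bridged packets through the IP firewall, at the cost of sending them through the software path.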
