eXtremer
Frequent Visitor
Topic Author
Posts: 92
Joined: Fri Nov 26, 2010 10:33 am

Firewall rule | Block Website | Max file Download

Mon Dec 27, 2010 4:30 pm

Hi all.

Is it possible to make a firewall rule that will work for all IPs in 192.168.0.1/24 except one IP, for example 192.168.0.100?

I don't know where that option is.

And one more question: I want to deny downloading a file that is larger than 200MB. How do I do that in RouterOS?

Thanks in advance.
Last edited by eXtremer on Tue Dec 28, 2010 9:51 am, edited 1 time in total.
 
fewi
Forum Guru
Posts: 7717
Joined: Tue Aug 11, 2009 3:19 am

Re: Firewall rule - enable for IP range except specific IP

Mon Dec 27, 2010 4:40 pm

Use an exclamation point to negate and match all but one IP address: "dst-address=!192.168.0.100". If you need to cover all IPs in a subnet save one you need to have two rules, one accepting on the negated IP that is to be included, one dropping on the negated subnet. You can possibly use an address list with one entry together with a negated destination on one line, but at that point I would argue that you may be making the rule hard to read for other people.

For connection size:
http://wiki.mikrotik.com/wiki/Manual:IP ... Properties
connection-bytes (integer-integer; Default: ) Matches packets only if a given amount of bytes has been transferred through the particular connection. 0 - means infinity, for example connection-bytes=2000000-0 means that the rule matches if more than 2MB has been transferred through the relevant connection
 
eXtremer
Frequent Visitor
Topic Author
Posts: 92
Joined: Fri Nov 26, 2010 10:33 am

Re: Firewall rule - enable for IP range except specific IP

Mon Dec 27, 2010 4:50 pm

Use an exclamation point to negate and match all but one IP address: "dst-address=!192.168.0.100". If you need to cover all IPs in a subnet save one you need to have two rules, one accepting on the negated IP that is to be included, one dropping on the negated subnet. You can possibly use an address list with one entry together with a negated destination on one line, but at that point I would argue that you may be making the rule hard to read for other people.

For connection size:
http://wiki.mikrotik.com/wiki/Manual:IP ... Properties
connection-bytes (integer-integer; Default: ) Matches packets only if a given amount of bytes has been transferred through the particular connection. 0 - means infinity, for example connection-bytes=2000000-0 means that the rule matches if more than 2MB has been transferred through the relevant connection
fewi you are the best, thx
 
eXtremer
Frequent Visitor
Topic Author
Posts: 92
Joined: Fri Nov 26, 2010 10:33 am

Re: Firewall rule - enable for IP range except specific IP

Mon Dec 27, 2010 4:55 pm

I would really appreciate it if you would give an example (if it is not too hard for you) rather than posting a link to the wiki page; it will be much easier for a newbie like me to understand how a specific rule works.

For example:

/ip firewall nat
add chain=dstnat protocol=tcp dst-port=80 action=dst-nat to-addresses=<Your LAN IP for the Router> to-ports=8080


Thank you again, sorry if I'm asking too much, but if I understand how things work there will be fewer posts/questions on this forum.

btw is it possible to see a rule in the console when I made it using Winbox?
 
fewi
Forum Guru
Posts: 7717
Joined: Tue Aug 11, 2009 3:19 am

Re: Firewall rule - enable for IP range except specific IP

Mon Dec 27, 2010 5:42 pm

To drop all connections through the router that have transferred more than 20MB:
/ip firewall filter
add chain=forward connection-bytes=20000000-0 action=drop
Of course, usually that's a bad idea. What if a user wants to download a large file? Updates, or a Linux distro Live CD image?

To deny access to 192.168.1.100 but let 192.168.1.0/24 through:
/ip firewall filter
# let through all traffic that isn't from 192.168.1.100 = this drops 192.168.1.100
add chain=forward src-address=!192.168.1.100 action=accept
# drop all traffic that isn't from 192.168.1.0/24 = this drops everyone not on that subnet, and 192.168.1.100 is still dropped in the rule above
add chain=forward src-address=!192.168.1.0/24 action=drop
And of course Winbox made rules show in the CLI. They're both ways to manipulate the same rule set. Change something with Winbox and "/ip firewall filter export" will reflect all the changes.
 
eXtremer
Frequent Visitor
Topic Author
Posts: 92
Joined: Fri Nov 26, 2010 10:33 am

Re: Firewall rule - enable for IP range except specific IP

Mon Dec 27, 2010 6:46 pm

To drop all connections through the router that have transferred more than 20MB:
/ip firewall filter
add chain=forward connection-bytes=20000000-0 action=drop
Of course, usually that's a bad idea. What if a user wants to download a large file? Updates, or a Linux distro Live CD image?

To deny access to 192.168.1.100 but let 192.168.1.0/24 through:
/ip firewall filter
# let through all traffic that isn't from 192.168.1.100 = this drops 192.168.1.100
add chain=forward src-address=!192.168.1.100 action=accept
# drop all traffic that isn't from 192.168.1.0/24 = this drops everyone not on that subnet, and 192.168.1.100 is still dropped in the rule above
add chain=forward src-address=!192.168.1.0/24 action=drop
And of course Winbox made rules show in the CLI. They're both ways to manipulate the same rule set. Change something with Winbox and "/ip firewall filter export" will reflect all the changes.

Great stuff, thank you for your time explaining the procedure.
About the 20MB: I will set the rule for 200MB, maybe a little bit more. It's an office environment; they don't need to download big files, except for movies or I don't know what other files that are prohibited to download. If they need something they will ask for permission.
Now I need to find out how to deny specific extensions like *.torrent, *.avi and so on.... and another thing: how do I save the router settings on my PC? /system backup save - saves on the router, but I need the config file on my computer.
Regards
 
Feklar
Forum Guru
Posts: 1724
Joined: Tue Dec 01, 2009 11:46 pm

Re: Firewall rule - enable for IP range except specific IP

Mon Dec 27, 2010 10:10 pm

As for saving the settings, use /export at the top menu and copy and paste it to a text file. The backup function was set up to only be used on like hardware, so uploading it to a different board will make a broken configuration.

One note for Fewi's rule that he specified is that it will allow the first 20MB of a connection through, and once it reaches that, it will start to drop packets. The router has no way of knowing how big a connection is, or how much bandwidth it will consume. There is no real way of preventing it from starting to download files larger than a given amount altogether. With queues and mangle rules you can play around with scaling back bandwidth based on how much data has passed through the connection to make downloading large files painful for the end user.

As far as blocking specific extensions, you will need to play around with the layer7 settings and getting the regex you need set up. Once again a router in and of itself has no way of knowing what is contained in a packet/connection. It only routes the traffic, the layer7 functions will inspect the contents of the packets, but this is very CPU intensive since the routerboard is mainly a router and is not specifically designed for this.
 
eXtremer
Frequent Visitor
Topic Author
Posts: 92
Joined: Fri Nov 26, 2010 10:33 am

Re: Firewall rule - enable for IP range except specific IP

Tue Dec 28, 2010 9:37 am

Thank you fewi & Feklar.... about blocking torrent downloads or blocking websites, I've made a simple rule. I don't even know if it's made right, but the truth is - it works! Maybe it needs some tweaking, and with your help it will work better and faster.

[screenshot of the rule]

I still don't know what Src. Address and Dst. Address mean, I put them both :)

Where should I put the setting that will block .torrent for all (192.168.0.1/24) except my IP, for example 192.168.0.100?

Thank you


btw this rule:

/ip firewall filter
add chain=forward connection-bytes=20000000-0 action=drop

...can be made only in console, in Winbox it is gray (disabled) and btw the rule doesn't work I can download files greater than 20MB :|
 
Feklar
Forum Guru
Posts: 1724
Joined: Tue Dec 01, 2009 11:46 pm

Re: Firewall rule | Block Website | Max file Download

Tue Dec 28, 2010 5:01 pm

Like I said with that rule, it will allow the first x bytes of traffic through and then start to drop stuff once it breaches that limit. If there is an accept rule for established connections above that, it will fire before the drop rule, allowing the connection to continue. The router has no way of knowing the size of any given connection when it starts, it only knows how much has gone over it. Because of that, it will not be able to stop people from starting downloads of large files, only stop them once they transfer a certain amount. Also if they use something like a download manager, it will chop up any given download into several smaller chunks and would be fairly easy to get around since each chunk then gets its own connection.

For src. address and dst. address, every packet has a header and that header contains information for the router to use to route traffic. Part of that information is the src. address of the packet (where it came from) and the dst. address, where it is headed to. This is so the packet can get where it is going, and so the reply knows where to come back to. With NAT you can change these attributes so that a private IP address is routable by replacing the src. address with a public routable IP. You can also use NAT to change the dst. address of the packet to send it somewhere else.

The reason why your torrent rule is dropping stuff is because it is inspecting each packet for the word "torrent" and if it is in there, it will drop the packet. This works for TCP since it guarantees that every packet will get there and in order, however it will only work for HTTP web sites, if there is any encryption going on it will not catch it. It will also break any HTTP web sites that have "torrent" somewhere in their text, breaking all or part of the web site, which you may or may not want to happen.
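Two points in this thread come down to the order in which "/ip firewall filter" rules are tried: fewi's negated accept/drop pair (post of Mon Dec 27, 2010 5:42 pm) and Feklar's caveat above about an established-accept sitting above the connection-bytes drop. The following added example is not RouterOS code or anyone's post in the thread; it is a constructed first-match evaluator that assumes RouterOS semantics (top-down, first match decides, no match means accept) and walks sample packets through the rule sets quoted in the thread, plus a corrected ordering for the "subnet except one host" case.

```python
import ipaddress

# Constructed mini-evaluator for RouterOS-style "/ip firewall filter" rules
# (not RouterOS code). It knows only the matchers this thread uses:
# src-address (host or CIDR, "!" negates), connection-state and
# connection-bytes=min-max. Assumed semantics: rules are tried top-down,
# the first match decides, and a packet no rule matches is accepted.
def parse_rule(line):
    """'add chain=forward src-address=!10.0.0.1 action=drop' -> dict."""
    return dict(f.split("=", 1) for f in line.split()[1:])

def matches(rule, pkt):
    if "src-address" in rule:
        spec = rule["src-address"]
        negate = spec.startswith("!")
        net = ipaddress.ip_network(spec.lstrip("!"), strict=False)
        if (ipaddress.ip_address(pkt["src"]) in net) == negate:
            return False
    if rule.get("connection-state", pkt["state"]) != pkt["state"]:
        return False
    if "connection-bytes" in rule:  # "20000000-0": upper bound 0 = no limit
        lo, hi = (int(x) for x in rule["connection-bytes"].split("-"))
        if pkt["bytes"] < lo or (hi and pkt["bytes"] > hi):
            return False
    return True

def verdict(rules, pkt):
    for rule in map(parse_rule, rules):
        if matches(rule, pkt):
            return rule["action"]
    return "accept"  # implicit default when nothing in the chain matched

def pkt(src, state="new", nbytes=0):
    return {"src": src, "state": state, "bytes": nbytes}

# fewi's pair: the accept fires for everyone except .100, and .100 sits inside
# 192.168.1.0/24, so the negated-subnet drop never matches it; .100 falls through.
FEWI_PAIR = ["add chain=forward src-address=!192.168.1.100 action=accept",
             "add chain=forward src-address=!192.168.1.0/24 action=drop"]
# Corrected order: drop outsiders, accept the subnet minus the excluded host,
# then a catch-all drop so nothing reaches the implicit accept.
FIXED_SET = ["add chain=forward src-address=!192.168.1.0/24 action=drop",
             "add chain=forward src-address=!192.168.1.100 action=accept",
             "add chain=forward action=drop"]
# Feklar's caveat: an established-accept placed above the connection-bytes
# drop wins first, so the 20MB threshold never ends the connection.
BYTES_DROP = ["add chain=forward connection-bytes=20000000-0 action=drop"]
ESTABLISHED_FIRST = [
    "add chain=forward connection-state=established action=accept"] + BYTES_DROP
```

Run `verdict(FEWI_PAIR, pkt("192.168.1.100"))` to see the excluded host reach the implicit accept; the same packet against `FIXED_SET` is dropped.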
 
eXtremer
Frequent Visitor
Topic Author
Posts: 92
Joined: Fri Nov 26, 2010 10:33 am

Re: Firewall rule | Block Website | Max file Download

Tue Dec 28, 2010 5:05 pm

Like I said with that rule, it will allow the first x bytes of traffic through and then start to drop stuff once it breaches that limit. If there is an accept rule for established connections above that, it will fire before the drop rule, allowing the connection to continue. The router has no way of knowing the size of any given connection when it starts, it only knows how much has gone over it. Because of that, it will not be able to stop people from starting downloads of large files, only stop them once they transfer a certain amount. Also if they use something like a download manager, it will chop up any given download into several smaller chunks and would be fairly easy to get around since each chunk then gets its own connection.

For src. address and dst. address, every packet has a header and that header contains information for the router to use to route traffic. Part of that information is the src. address of the packet (where it came from) and the dst. address, where it is headed to. This is so the packet can get where it is going, and so the reply knows where to come back to. With NAT you can change these attributes so that a private IP address is routable by replacing the src. address with a public routable IP. You can also use NAT to change the dst. address of the packet to send it somewhere else.

The reason why your torrent rule is dropping stuff is because it is inspecting each packet for the word "torrent" and if it is in there, it will drop the packet. This works for TCP since it guarantees that every packet will get there and in order, however it will only work for HTTP web sites, if there is any encryption going on it will not catch it. It will also break any HTTP web sites that have "torrent" somewhere in their text, breaking all or part of the web site, which you may or may not want to happen.
Thank you for explaining, so the only thing to do is to work with the Proxy that RouterOS has. About the torrent, yes it's true, it will drop any website that has the word "torrent" in it.
 
eXtremer
Frequent Visitor
Topic Author
Posts: 92
Joined: Fri Nov 26, 2010 10:33 am

Re: Firewall rule | Block Website | Max file Download

Tue Jan 11, 2011 4:42 pm

Some spam bots are trying to send email through my mail server; my mail server blocks them, but I want the router to block them.
For example, to block the IP address below I made one rule, but it doesn't work. What am I doing wrong? Thank you.

My rule:
/ip firewall filter add action=drop chain=input comment="" disabled=no dst-address=78.188.181.118 protocol=tcp

[11/Jan/2011 16:15:19] Relay attempt from IP address 78.188.181.118, mail from <jgygvi@yahoo.com.tw> to <lee3619255@yahoo.com.tw> rejected
[11/Jan/2011 16:15:19] Relay attempt from IP address 78.188.181.118, mail from <jgygvi@yahoo.com.tw> to <jennief0110@yahoo.com.tw> rejected
[11/Jan/2011 16:15:19] Relay attempt from IP address 78.188.181.118, mail from <jgygvi@yahoo.com.tw> to <mark567886@yahoo.com.tw> rejected
[11/Jan/2011 16:15:19] Relay attempt from IP address 78.188.181.118, mail from <jgygvi@yahoo.com.tw> to <quantum93@yahoo.com.tw> rejected
[11/Jan/2011 16:15:19] Relay attempt from IP address 78.188.181.118, mail from <jgygvi@yahoo.com.tw> to <yclmlcy@yahoo.com.tw> rejected
 
normis
MikroTik Support
Posts: 26385
Joined: Fri May 28, 2004 11:04 am
Location: Riga, Latvia

Re: Firewall rule | Block Website | Max file Download

Wed Jan 12, 2011 9:18 am

you need src, not dst
 
eXtremer
Frequent Visitor
Topic Author
Posts: 92
Joined: Fri Nov 26, 2010 10:33 am

Re: Firewall rule | Block Website | Max file Download

Wed Jan 12, 2011 9:26 am

you need src, not dst
I've tried with src, then with dst; it doesn't work. I've added only the IP without the protocol, same thing.
 
Feklar
Forum Guru
Posts: 1724
Joined: Tue Dec 01, 2009 11:46 pm

Re: Firewall rule | Block Website | Max file Download

Thu Jan 13, 2011 6:31 am

The router isn't a good place to inspect e-mail and stop spam. Like doing layer7 inspection, it will be very resource intensive. What we do to cut down on spam is rate limit SMTP, and if the rate limits are violated, block the src. address from sending e-mails for an hour or two. The few spam e-mails that do get through are easily handled by the server and whatever scanning scheme you use.

These rules drastically cut down on spam, and most of the time the end user doesn't know they are spamming, so blocking port 25 for them doesn't make any difference.
/ip firewall filter
add action=add-src-to-address-list address-list="Block Spam" \
    address-list-timeout=1h chain=forward comment="Detect Possible Spamer" \
    connection-limit=10,32 disabled=no dst-port=25 limit=30,5 protocol=tcp
add action=drop chain=forward comment="" disabled=no dst-port=25 protocol=tcp \
    src-address-list="Block Spam"
Obviously adjust them to be more aggressive or less aggressive depending on the need.