Jrslick22
Member Candidate
Topic Author
Posts: 167
Joined: Sun Feb 06, 2005 3:25 am

Firewall rule

Wed Aug 02, 2006 2:02 pm

I have a p2p firewall rule set up like this

add chain=forward p2p=all-p2p time=7h30m-22h00m,sat,fri,thu,wed,tue,mon,sun \
action=drop comment="" disabled=no

it works fine.

I want to make it so that the rule only applies to certain IP ranges, so I added this:

add chain=forward src-address=10.10.54.0/24 p2p=all-p2p \
time=7h30m-23h55m,sat,fri,thu,wed,tue,mon,sun action=drop comment="" \
disabled=no

I was hoping this would make it so anyone with a 10.10.54.* address would have limited p2p access between 7:30am and 10pm.

Help please.
 
janisk
MikroTik Support
Posts: 6263
Joined: Tue Feb 14, 2006 9:46 am
Location: Riga, Latvia

Wed Aug 02, 2006 4:43 pm

it looks ok, just add another rule to do the same for dst-address too so all packets are going to be dropped.
 
Jrslick22
Member Candidate
Topic Author
Posts: 167
Joined: Sun Feb 06, 2005 3:25 am

Wed Aug 02, 2006 10:54 pm

ok I've updated the rule but p2p still gets through. With the src and dst addresses removed the rule works fine.

chain=forward src-address=10.10.54.0/24 dst-address=10.10.54.0/24
p2p=all-p2p time=7h30m-22h,sat,fri,thu,wed,tue,mon,sun action=drop
 
Jrslick22
Member Candidate
Topic Author
Posts: 167
Joined: Sun Feb 06, 2005 3:25 am

Wed Sep 06, 2006 4:03 am

Anyone? MT please?
 
fireflash
just joined
Posts: 1
Joined: Tue Sep 20, 2005 9:18 am

not working

Wed Oct 18, 2006 7:46 pm

hi, tried that rule ... it works fine...
but if the p2p client is already connected it doesn't drop the connection...

any clues!?
 
sten
Forum Veteran
Posts: 919
Joined: Tue Jun 01, 2004 12:10 pm

Re: not working

Thu Oct 19, 2006 1:53 am

hi, tried that rule ... it works fine...
but if the p2p client is already connected it doesn't drop the connection...

any clues!?
because p2p matching only happens once (somewhere around the beginning of a connection). all-p2p only matches a single packet in a given connection.

instead mark p2p traffic in mangle forward with a connection mark and then change the filter rule to drop packets belonging to that connection-mark.

Djeeze :D
 
Jrslick22
Member Candidate
Topic Author
Posts: 167
Joined: Sun Feb 06, 2005 3:25 am

ah dope

Wed Nov 15, 2006 7:11 am

ok I've set up the connection mark:

chain=forward p2p=all-p2p action=mark-connection new-connection-mark=p2p-conn-drop passthrough=yes

and then the firewall rule:

;;; p-2-p Control
chain=forward src-address=10.10.54.0/24 dst-address=10.10.54.0/24
connection-mark=p2p-conn-drop p2p=all-p2p action=drop

The idea once again was to stop any customer whose address is in the 10.10.54.* pool

what am I missing??
 
macgaiver
Forum Guru
Posts: 1764
Joined: Wed May 18, 2005 5:57 pm
Location: Sol III, Sol system, Sector 001, Alpha Quadrant

Wed Nov 15, 2006 10:37 am

It should be like this:


/ ip firewall mangle add action=mark-connection chain=prerouting new-connection-mark=p2p_connection p2p=all-p2p passthrough=yes

/ ip firewall mangle add action=mark-packet chain=prerouting connection-mark=p2p_connection new-packet-mark=p2p_packet passthrough=yes

/ ip firewall filter add action=drop chain=forward packet-mark=p2p_packet
 
skillful
Trainer
Posts: 552
Joined: Wed Sep 06, 2006 1:42 pm
Location: Abuja, Nigeria

Wed Nov 15, 2006 5:42 pm

In addition to what macgaiver said, you need to have two separate rules to drop P2P for this to work, i.e.

/ ip firewall filter add chain=forward src-address=10.10.54.0/24 packet-mark=p2p_packet p2p=all-p2p action=drop

/ ip firewall filter add chain=forward dst-address=10.10.54.0/24 packet-mark=p2p_packet p2p=all-p2p action=drop

Just replace the last rule in Macgaiver's post with these two rules.
 
janisk
MikroTik Support
Posts: 6263
Joined: Tue Feb 14, 2006 9:46 am
Location: Riga, Latvia

Thu Nov 16, 2006 12:03 pm

strange, it seems p2p programs have been updated :shock:
 
Jrslick22
Member Candidate
Topic Author
Posts: 167
Joined: Sun Feb 06, 2005 3:25 am

Mon Nov 20, 2006 12:58 pm

Thanks for the help guys.

Mac's part works like a trick, I can see the counters for both packet and connection mark working and counting together. cheers

Skillful, the rule does not seem to stop the 10.10.54.0 subnet? Do the rules have to be on the wireless MT? I have one as my gateway, the other as my AP; I have put the rules on the gateway, not the AP?

Cheers
 
skillful
Trainer
Posts: 552
Joined: Wed Sep 06, 2006 1:42 pm
Location: Abuja, Nigeria

Thu Nov 30, 2006 7:59 pm

Jrslick22, the rules have been modified slightly as follows:


/ ip firewall filter add chain=forward src-address=10.10.54.0/24 packet-mark=p2p_packet action=drop

/ ip firewall filter add chain=forward dst-address=10.10.54.0/24 packet-mark=p2p_packet action=drop

Put these rules on the MT closest to the source IP. It works for me.
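Added example, not from any poster in this thread: a small Python model of why the rules above behave as they do. It assumes, as sten describes, that the p2p classifier flags exactly one packet per connection, simplifies mangle prerouting and filter forward to a few matchers, and uses a constructed client address and internet host.

```python
import ipaddress
from collections import namedtuple

SUBNET = "10.10.54.0/24"
# p2p=True only on the single packet the p2p classifier identifies (sten's point above)
Pkt = namedtuple("Pkt", "src dst conn p2p", defaults=(False,))

def in_net(ip, net):
    return net is None or ipaddress.ip_address(ip) in ipaddress.ip_network(net)

class Router:
    """Toy model of mangle prerouting (passthrough=yes) followed by filter forward."""
    def __init__(self, mangle=(), filt=()):
        self.mangle, self.filt, self.conn_marks = list(mangle), list(filt), {}

    def matches(self, rule, pkt, pmark):
        return (in_net(pkt.src, rule.get("src")) and in_net(pkt.dst, rule.get("dst"))
                and (not rule.get("p2p") or pkt.p2p)
                and rule.get("cmark") in (None, self.conn_marks.get(pkt.conn))
                and rule.get("pmark") in (None, pmark))

    def forward(self, pkt):
        pmark = None
        for r in self.mangle:                      # every matching mangle rule applies
            if self.matches(r, pkt, pmark):
                if "new_cmark" in r: self.conn_marks[pkt.conn] = r["new_cmark"]
                if "new_pmark" in r: pmark = r["new_pmark"]
        for r in self.filt:                        # first matching filter rule drops
            if self.matches(r, pkt, pmark): return "drop"
        return "accept"

def drops(router, pkts):
    return sum(router.forward(p) == "drop" for p in pkts)

# Constructed flow: one connection between a 10.10.54.x client and an internet host;
# the classifier fires on packet 2 only, and packet 3 is the reply direction.
FLOW = [Pkt("10.10.54.7", "203.0.113.9", 1), Pkt("10.10.54.7", "203.0.113.9", 1, True),
        Pkt("203.0.113.9", "10.10.54.7", 1), Pkt("10.10.54.7", "203.0.113.9", 1)]

def original_rule():   # src AND dst both in the subnet: never matches internet traffic
    return Router(filt=[{"src": SUBNET, "dst": SUBNET, "p2p": True}])

def p2p_only_rule():   # plain p2p=all-p2p drop: catches one packet, the rest flow
    return Router(filt=[{"p2p": True}])

def marked_rules():    # macgaiver's mangle marks plus skillful's two directional drops
    return Router(mangle=[{"p2p": True, "new_cmark": "p2p_connection"},
                          {"cmark": "p2p_connection", "new_pmark": "p2p_packet"}],
                  filt=[{"src": SUBNET, "pmark": "p2p_packet"},
                        {"dst": SUBNET, "pmark": "p2p_packet"}])
```

Running `drops(...)` over FLOW shows the combined src+dst rule dropping nothing, the bare p2p rule dropping one packet, and the marked rule set dropping every packet from the classified one onward in both directions.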
 
jose
Frequent Visitor
Posts: 59
Joined: Thu Sep 22, 2005 4:56 am

Sat Dec 02, 2006 6:14 pm

What would happen if I just put

/ip firewall filter add chain=forward p2p=all-p2p action=drop ?
 
Jrslick22
Member Candidate
Topic Author
Posts: 167
Joined: Sun Feb 06, 2005 3:25 am

Sat Dec 02, 2006 11:33 pm

you would drop all p2p
