Pmillard
just joined
Topic Author
Posts: 5
Joined: Thu Feb 15, 2018 9:22 am

Firewall rule blocking capsman on hap ac2

Sun Apr 01, 2018 9:04 am

Hi there,

I have a really strange one.

I have a configured hAP ac2 with CAPsMAN controlling the local radios.

The default firewall rules are in place.
I have found that if I have the default rule "block everything not coming from the LAN" enabled,
then when the router reboots the wireless interfaces keep looping and incrementing their cap number, but are not able to make a stable connection to CAPsMAN to get their config.

The rule is:
General
Chain: input
Interface List: !LAN (the "!" shows as an exclamation mark in the checkbox)
Action: drop

No other config.

With this rule disabled, though, a ShieldsUP scan reveals ports 21, 22, 23 and 80 open.

How can I block those ports but still enable CAPsMAN operation on reboot?

Many thanks
 
BartoszP
Forum Guru
Posts: 1816
Joined: Mon Jun 16, 2014 1:13 pm
Location: Poland

Re: Firewall rule blocking capsman on hap ac2

Sun Apr 01, 2018 9:56 am

Real admins use real keyboards.
 
Pmillard
just joined
Topic Author
Posts: 5
Joined: Thu Feb 15, 2018 9:22 am

Re: Firewall rule blocking capsman on hap ac2

Sun Apr 01, 2018 10:11 am

Sorry, newbie to RouterOS.

I have already set static virtual in the wireless CAP settings.
I have also added both the cap and wlan interfaces that have been created to the LAN group under Interface List.

What am I looking at to do with that?

I should also add that the issue only manifests itself on router reboot; if I disable the rule, wait for the connection, then re-enable it, everything works fine.
 
Grickos
newbie
Posts: 32
Joined: Thu Aug 06, 2015 2:57 am

Re: Firewall rule blocking capsman on hap ac2

Sun Apr 01, 2018 10:36 am

> Sorry, newbie to RouterOS.
>
> I have already set static virtual in the wireless CAP settings.
> I have also added both the cap and wlan interfaces that have been created to the LAN group under Interface List.
>
> What am I looking at to do with that?
>
> I should also add that the issue only manifests itself on router reboot; if I disable the rule, wait for the connection, then re-enable it, everything works fine.

Change the firewall entry with comment "defconf: drop all not coming from LAN": Interface List from !LAN to WAN.
I've already written that the default out-of-the-box firewall blocks the CAP on the same router. I do not remember in which version of ROS.
 
sindy
Forum Guru
Posts: 5409
Joined: Mon Dec 04, 2017 9:19 pm

Re: Firewall rule blocking capsman on hap ac2

Sun Apr 01, 2018 10:59 am

> I should also add that the issue only manifests itself on router reboot; if I disable the rule, wait for the connection, then re-enable it, everything works fine.

The explanation for this is that, in order to save CPU, one of the first firewall rules is "accept packets belonging to already established connections". So if you disable a rule preventing the connection (between the cAP software module and the cAPsMAN software module in your case), the connection establishes, and re-enabling the rule has no further effect on that connection, because that connection's packets get accepted before they reach the prohibitive rule.
Instead of writing novels, post /export hide-sensitive. Use find&replace in your favourite text editor to systematically replace all occurrences of each public IP address potentially identifying you by a distinctive pattern such as my.public.ip.1.
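The behaviour described in this thread (the CAP looping at boot, the "disable, connect, re-enable" workaround sindy explains, and the !LAN-to-WAN change Grickos suggests) follows directly from rule ordering and connection tracking in the defconf input chain. The following is an added example written for this page, not code from the thread or from MikroTik: a small Python model of the input chain with the defconf rules as they appear in the default configuration (comments copied from defconf). Assumptions, marked in the code: the local CAP-to-CAPsMAN exchange is modelled as a UDP packet to 127.0.0.1 on CAPsMAN's CAPWAP port 5246 that has no in-interface (so it is in no interface list), the interface lists contain `bridge`/`wlan1`/`wlan2` (LAN) and `ether1` (WAN), and the hostnames and addresses are constructed.

```python
"""Model of the RouterOS defconf input chain, to show why a local CAP cannot
reach CAPsMAN behind 'drop all not coming from LAN' and why briefly disabling
that rule 'fixes' it. Constructed example; not RouterOS code."""
from dataclasses import dataclass
from typing import Optional

CAPSMAN_PORTS = (5246, 5247)  # CAPWAP control/data ports used by CAPsMAN

@dataclass(frozen=True)
class Packet:
    in_iface: Optional[str]  # None = locally generated packet, no in-interface (assumption)
    proto: str               # "udp" / "tcp" / "icmp"
    src: str
    dst: str
    dport: int = 0

@dataclass
class Rule:
    comment: str
    action: str                       # "accept" or "drop"
    conn_state: Optional[set] = None  # connection-state matcher
    in_list: Optional[str] = None     # in-interface-list matcher, "LAN" or "!LAN"
    dst_address: Optional[str] = None
    proto: Optional[str] = None
    disabled: bool = False

class InputChain:
    """Evaluates rules top to bottom; only accepted packets create conntrack entries."""
    def __init__(self, iface_lists, rules):
        self.iface_lists = iface_lists   # {"LAN": {...}, "WAN": {...}}
        self.rules = rules
        self.conntrack = set()           # flows that have been accepted once

    @staticmethod
    def _flow(p):
        return (p.proto, p.src, p.dst, p.dport)

    def _in_list(self, p, spec):
        negate, name = spec.startswith("!"), spec.lstrip("!")
        member = p.in_iface in self.iface_lists.get(name, set())
        return (not member) if negate else member

    def _matches(self, r, p, state):
        return not r.disabled \
            and (r.conn_state is None or state in r.conn_state) \
            and (r.in_list is None or self._in_list(p, r.in_list)) \
            and (r.dst_address is None or p.dst == r.dst_address) \
            and (r.proto is None or p.proto == r.proto)

    def input(self, p):
        state = "established" if self._flow(p) in self.conntrack else "new"
        for r in self.rules:
            if self._matches(r, p, state):
                if r.action == "accept":
                    self.conntrack.add(self._flow(p))
                return r.action, r.comment
        self.conntrack.add(self._flow(p))  # RouterOS default policy: accept
        return "accept", "(no rule matched; implicit accept)"

def defconf_rules(drop_spec="!LAN", loopback_accept=False):
    """Relevant subset of the defconf input chain; drop_spec="WAN" is Grickos's change,
    loopback_accept adds the rule later default configs ship for exactly this case."""
    rules = [
        Rule("defconf: accept established,related,untracked", "accept",
             conn_state={"established", "related", "untracked"}),
        Rule("defconf: drop invalid", "drop", conn_state={"invalid"}),
        Rule("defconf: accept ICMP", "accept", proto="icmp"),
    ]
    if loopback_accept:
        rules.append(Rule("defconf: accept to local loopback (for CAPsMAN)", "accept",
                          dst_address="127.0.0.1"))
    rules.append(Rule("defconf: drop all not coming from LAN", "drop", in_list=drop_spec))
    return rules

LISTS = {"LAN": {"bridge", "wlan1", "wlan2"}, "WAN": {"ether1"}}     # assumed membership
CAP_HELLO = Packet(None, "udp", "127.0.0.1", "127.0.0.1", CAPSMAN_PORTS[0])  # local CAP -> CAPsMAN
WAN_SSH = Packet("ether1", "tcp", "203.0.113.10", "198.51.100.2", 22)      # Internet -> router

def boot_with_defconf():
    """At boot the CAP retries and is dropped every time: in-interface is not in LAN."""
    fw = InputChain(LISTS, defconf_rules())
    return [fw.input(CAP_HELLO)[0] for _ in range(3)]

def disable_connect_reenable():
    """sindy's point: once the flow is in conntrack, the established rule accepts it first."""
    fw = InputChain(LISTS, defconf_rules())
    drop_rule = fw.rules[-1]
    drop_rule.disabled = True
    first = fw.input(CAP_HELLO)[0]
    drop_rule.disabled = False
    return first, fw.input(CAP_HELLO)

def with_loopback_accept():
    """Explicit accept for 127.0.0.1 before the drop: CAP works, WAN SSH still dropped."""
    fw = InputChain(LISTS, defconf_rules(loopback_accept=True))
    return fw.input(CAP_HELLO)[0], fw.input(WAN_SSH)[0]

def with_wan_match():
    """Grickos's change: CAP works, WAN SSH dropped, but an interface in neither list fails open."""
    fw = InputChain(LISTS, defconf_rules(drop_spec="WAN"))
    unlisted = Packet("ether5", "tcp", "192.0.2.7", "192.0.2.1", 22)
    return fw.input(CAP_HELLO)[0], fw.input(WAN_SSH)[0], fw.input(unlisted)[0]
```

The last two functions show the trade-off a practitioner should weigh: `in-interface-list=!LAN` fails closed (anything not explicitly LAN is dropped, including the router's own loopback traffic), whereas `in-interface-list=WAN` fails open for any interface that ends up in neither list. An explicit accept placed above the drop, scoped to the loopback address or to UDP 5246-5247, keeps the fail-closed default while letting the CAP reach CAPsMAN at boot.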
