Anastasia
Frequent Visitor
Topic Author
Posts: 55
Joined: Wed Oct 28, 2015 7:12 pm

Drop forward rules NOT working between devices connected via Wi-Fi

Mon Jan 21, 2019 6:29 pm

Example: my MikroTik router, model 951Ui-2HnD,
RouterOS v6.43.8 (stable) (192.168.1.1),
with firewall rules (IP > Firewall > Filter Rules):
/ip firewall filter
add action=drop chain=forward dst-address=192.168.1.11 src-address=192.168.1.12
add action=drop chain=forward dst-address=192.168.1.12 src-address=192.168.1.11
Interface settings.
/interface bridge settings
set allow-fast-path=no use-ip-firewall=yes use-ip-firewall-for-pppoe=yes \
   use-ip-firewall-for-vlan=yes

/interface wireless
set [ find default-name=wlan1 ] mode=ap-bridge

First (expected) situation:
Notebook (192.168.1.11) connected to the MikroTik via Ethernet.
Tablet (192.168.1.12) connected to the MikroTik via Wi-Fi.
If we send ping packets from the Notebook to the Tablet, they are dropped, as they should be according to the firewall rules.

Second (not expected) situation:
Notebook (192.168.1.11) connected to the MikroTik via Wi-Fi.
Tablet (192.168.1.12) connected to the MikroTik via Wi-Fi.
In this case, if we send ping packets from the Notebook to the Tablet, we get replies back. The firewall rules are not applied.

No traffic is visible if you watch it through Tools -> Torch.
No ICMP packets between the Tablet and the Notebook in the second situation.

What is wrong, and what should I do so that the firewall rules work and the packets are visible in Tools -> Torch?

Picture attached below.
Last edited by Anastasia on Mon Jan 21, 2019 7:17 pm, edited 1 time in total.
 
anav
Forum Guru
Posts: 19099
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Drop forward rules NOT working between devices connected via Wi-Fi

Mon Jan 21, 2019 6:45 pm

Would have to see the complete config to assess properly.
/export hide=sensitive file=yourlatestconfig

In general, if items are in the same LAN or VLAN, there is no way to block traffic between them, because they are connected at layer 2, whilst firewall rules are applied at the router, layer 3.
Thus the trick is to put one LAN on a bridge and the other not on a bridge, or both on separate bridges, or both off bridges and on separate LANs.

This may be a case for VLANs, for example where you have ethernet and wifi for home users and then you provide a separate WiFi for guest users.
In this case, on your bridge you create a VLAN and then use one chain on the AP for the guest users, or a virtual WLAN for the guest users.

It appears your unit is an AP and not a router??? However, perhaps via RouterOS, it has some use as a router.
Looks like a 2.4GHz two-chain unit??

There are also two specific functions in MikroTik APs for client isolation. Not sure, since it's been a while since I looked at that, but one is easy to find and the other not so easy.
At least one of them is for client-to-client ISOLATION. In this case you want to block two users on the same WLAN from seeing each other. It is probably based on MAC address.
It should work for you, but the VLAN method and use of the router firewall is better security.
 
Anastasia
Frequent Visitor
Topic Author
Posts: 55
Joined: Wed Oct 28, 2015 7:12 pm

Re: Drop forward rules NOT working between devices connected via Wi-Fi

Mon Jan 21, 2019 7:16 pm

All settings are default. These are the Wi-Fi settings that you asked for:
/interface wireless
set [ find default-name=wlan1 ] adaptive-noise-immunity=ap-and-client-mode \
    arp=reply-only arp-timeout=23h band=2ghz-g/n basic-rates-a/g=\
    6Mbps,9Mbps,12Mbps,18Mbps,24Mbps,36Mbps,48Mbps,54Mbps basic-rates-b="" \
    channel-width=20/40mhz-Ce comment="my Wi-Fi" \
    default-authentication=no default-forwarding=no disabled=no distance=\
    indoors frequency=2437 hw-protection-mode=rts-cts mode=ap-bridge \
    rate-set=configured security-profile=Wi-Fi-Profile ssid=AnastasiaWiFi \
    supported-rates-b=11Mbps wireless-protocol=802.11 wmm-support=enabled \
    wps-mode=disabled
/interface bridge port
add bridge=bridge-local interface=ether2-master-local
add bridge=bridge-local interface=wlan1
add bridge=bridge-local interface=ether3-slave-local
add bridge=bridge-local interface=ether4-slave-local
add bridge=bridge-local interface=ether5-slave-local
/interface bridge settings
set allow-fast-path=no use-ip-firewall=yes use-ip-firewall-for-pppoe=yes \
    use-ip-firewall-for-vlan=yes
/ip firewall filter
add action=drop chain=forward dst-address=192.168.1.11 src-address=192.168.1.12
add action=drop chain=forward dst-address=192.168.1.12 src-address=192.168.1.11
 
anav
Forum Guru
Posts: 19099
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Drop forward rules NOT working between devices connected via Wi-Fi

Mon Jan 21, 2019 7:28 pm

Hmm, I thought version 6.43.8 got rid of slave and master interface configurations??
In any case, please post the entire config......
/export hide=sensitive file=yourlatestconfig

(It shows up in Files; download it to the PC, open it in Notepad++, cut and paste it here, and apply the code tags from the text formatting line above.)
 
mkx
Forum Guru
Posts: 11433
Joined: Thu Mar 03, 2016 10:23 pm

Re: Drop forward rules NOT working between devices connected via Wi-Fi

Mon Jan 21, 2019 10:46 pm

> Hmm I thought version 6.43.8 got rid of slave and master interface configurations??

It did. But if some device started life pre-6.40 and received upgrades, then the upgrade script didn't change the names of the interfaces. Only the setting master-port=ether2-master on all slave ports was removed ...


@Anastasia: are you completely sure that the laptop indeed uses address 192.168.1.11 in both the wired and the wireless case?
 
Anastasia
Frequent Visitor
Topic Author
Posts: 55
Joined: Wed Oct 28, 2015 7:12 pm

Re: Drop forward rules NOT working between devices connected via Wi-Fi

Tue Jan 22, 2019 11:17 pm

> address 192.168.1.11 in both wired and wireless case?

The address is definitely the same. I set it and checked it by hand.


> /export hide=sensitive file=yourlatestconfig
> (shows up in files, download to PC, open in notepad++ cut and paste here and apply code parenthesis from above text modification line)

The code is below...
Where can I see more possible settings for how firewall rules work?
# jan/22/2019 23:53:56 by RouterOS 6.43.8
# software id = 1111-2222
#
# model = 951Ui-2HnD
# serial number = 111111111
/interface bridge
add admin-mac=AA:AA:AA:AA:AA:01 arp=reply-only auto-mac=no fast-forward=no \
    name=bridge-local
/interface ovpn-server
add disabled=yes name=ovpn-MiniLocalca user=""
/interface ethernet
set [ find default-name=ether1 ] advertise=100M-full,1000M-full comment=\
    "internet" name=ether1-gateway
set [ find default-name=ether2 ] advertise=100M-full,1000M-full arp=\
    reply-only comment=Computer name=ether2-master-local
set [ find default-name=ether3 ] advertise=100M-full,1000M-full arp=\
    reply-only comment=Notebook name=ether3-slave-local
set [ find default-name=ether4 ] advertise=100M-full,1000M-full arp=\
    reply-only name=ether4-slave-local
set [ find default-name=ether5 ] advertise=100M-full,1000M-full arp=\
    reply-only name=ether5-slave-local
/interface list
add exclude=dynamic name=discover
add name=mactel
add name=mac-winbox
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
add authentication-types=wpa2-psk management-protection=allowed mode=\
    dynamic-keys name=Wi-Fi-Profile supplicant-identity=MikroTik
/interface wireless
set [ find default-name=wlan1 ] adaptive-noise-immunity=ap-and-client-mode \
    arp=reply-only arp-timeout=23h band=2ghz-g/n basic-rates-a/g=\
    6Mbps,9Mbps,12Mbps,18Mbps,24Mbps,36Mbps,48Mbps,54Mbps basic-rates-b="" \
    channel-width=20/40mhz-Ce comment="my Wi-Fi"  \
    default-authentication=no default-forwarding=no distance=indoors \
    frequency=2437 hw-protection-mode=rts-cts mode=ap-bridge rate-set=\
    configured security-profile=Wi-Fi-Profile ssid=AnastasiaWiFi  \
    supported-rates-b=11Mbps wireless-protocol=802.11 wmm-support=enabled \
    wps-mode=disabled
/interface wireless manual-tx-power-table
set wlan1 comment="my Wi-Fi"
/interface wireless nstreme
set wlan1 comment="my Wi-Fi" enable-polling=no
/ip ipsec peer profile
set [ find default=yes ] dh-group=modp2048 enc-algorithm=blowfish \
    hash-algorithm=md5
/ip ipsec proposal
set [ find default=yes ] auth-algorithms=null enc-algorithms=blowfish \
    pfs-group=modp2048
/ip pool
add name=dhcp-Lan-Pool ranges=192.168.1.230-192.168.1.250
/ip dhcp-server
add add-arp=yes address-pool=dhcp-Lan-Pool authoritative=after-2sec-delay \
    disabled=no interface=bridge-local lease-time=23h name="DHCP serv Lan"

/snmp community
set [ find default=yes ] addresses=0.0.0.0/0
/user group

/interface bridge port
add bridge=bridge-local interface=ether2-master-local
add bridge=bridge-local interface=wlan1
add bridge=bridge-local interface=ether3-slave-local
add bridge=bridge-local interface=ether4-slave-local
add bridge=bridge-local interface=ether5-slave-local
/interface bridge settings
set allow-fast-path=no use-ip-firewall=yes use-ip-firewall-for-pppoe=yes \
    use-ip-firewall-for-vlan=yes
/ip neighbor discovery-settings
set discover-interface-list=none
/ip settings
set allow-fast-path=no route-cache=no
/interface l2tp-server server
set authentication=mschap2
/interface list member
add list=discover
add interface=ether2-master-local list=mactel
add interface=ether3-slave-local list=mactel
add interface=ether2-master-local list=mac-winbox
add interface=ether4-slave-local list=mactel
add interface=ether3-slave-local list=mac-winbox
add interface=ether5-slave-local list=mactel
add interface=ether4-slave-local list=mac-winbox
add interface=bridge-local list=mactel
add interface=ether5-slave-local list=mac-winbox
add interface=bridge-local list=mac-winbox
/interface ovpn-server server
set auth=sha1 cipher=aes256
/interface sstp-server server
set authentication=mschap2 force-aes=yes pfs=yes tls-version=only-1.2 \
    verify-client-certificate=yes
/interface wireless access-list
add comment="Tablet" interface=wlan1 mac-address=AA:AA:AA:AA:AA:12 \
    vlan-mode=no-tag
add comment=Notebook interface=wlan1 mac-address=AA:AA:AA:AA:AA:11 vlan-mode=\
    no-tag

/interface wireless connect-list
add comment="Tablet" interface=wlan1 mac-address=AA:AA:AA:AA:AA:12 \
    security-profile=Wi-Fi-Profile
/ip address
add address=192.168.1.1/24 comment="default configuration" interface=\
    bridge-local network=192.168.1.0
/ip cloud
set update-time=no
/ip dhcp-client
add comment="default configuration" default-route-distance=2 dhcp-options=\
    hostname,clientid disabled=no interface=ether1-gateway use-peer-dns=no \
    use-peer-ntp=no

/ip dhcp-server lease
add address=192.168.1.11 always-broadcast=yes comment="My Notebook LAN" \
    mac-address=AA:AA:AA:AA:AA:11 server="DHCP serv Lan"

add address=192.168.121.185 client-id=1:AA:AA:AA:AA:AA:12 comment="Phone W" \
    mac-address=AA:AA:AA:AA:AA:12 server="DHCP serv Lan"
/ip dhcp-server network
add address=192.168.1.0/24 comment="default configuration" gateway=\
    192.168.1.1
/ip dns
set allow-remote-requests=yes cache-max-ttl=1d servers=\
    1.1.1.1,1.0.0.1

/ip firewall address-list

/ip firewall filter
add action=drop chain=forward dst-address=192.168.1.11 src-address=192.168.1.12
add action=drop chain=forward dst-address=192.168.1.12 src-address=192.168.1.11

/ip firewall nat
add action=masquerade chain=srcnat comment="default configuration" \
    out-interface=ether1-gateway

/ip firewall service-port
set ftp disabled=yes
set tftp disabled=yes
set irc disabled=yes
set h323 disabled=yes
set sip disabled=yes
set pptp disabled=yes
/ip hotspot service-port
set ftp disabled=yes
/ip proxy

/ip proxy access
add dst-port=80
/ip route

/ip service
set api disabled=yes
set winbox disabled=yes
set api-ssl disabled=yes
/ip smb
set allow-guests=no interfaces=bridge-local
/ip smb shares
set [ find default=yes ] disabled=yes
/ip socks

/ip socks access

/system identity
set name=MikroTik
/system leds
set 5 interface=wlan1

/system watchdog
set watchdog-timer=no
/tool bandwidth-server
set enabled=no
/tool mac-server
set allowed-interface-list=none
/tool mac-server mac-winbox
set allowed-interface-list=none
/tool mac-server ping
set enabled=no
 
trace323
Frequent Visitor
Posts: 53
Joined: Thu May 07, 2015 5:52 pm

Re: Drop forward rules NOT working between devices connected via Wi-Fi

Wed Jan 23, 2019 2:07 am

Your config is wrong.
 
cdiedrich
Forum Veteran
Posts: 997
Joined: Thu Feb 13, 2014 2:03 pm
Location: Basel, Switzerland // Bremen, Germany

Re: Drop forward rules NOT working between devices connected via Wi-Fi

Wed Jan 23, 2019 10:33 am

Your second "unexpected" condition is correct and is totally expected to me.
The traffic doesn't even enter the bridge - it remains in the wireless interface; the two devices use your wlan interface as a wireless switch.
Mitigation would be disabling default-forward on the AP - this will isolate clients connected to the same wireless interface.

-Chris
 
mkx
Forum Guru
Posts: 11433
Joined: Thu Mar 03, 2016 10:23 pm

Re: Drop forward rules NOT working between devices connected via Wi-Fi

Wed Jan 23, 2019 12:29 pm

> Mitigation would be disabling default-forward on the AP - this will isolate clients connected to the same wireless interface.

OP set default-forwarding=no on the wireless interface already. However, the manual says that
> This is the value of forwarding for clients that do not match any entry in the access-list.
OP has an access-list constructed, and there is again a "forwarding=" there, with a default value of "yes".

The problem might then be the following: does the bridge send packets back to the ingress port? If forwarding was set to no, then all packets from wireless client 1 would be sent to the bridge. Even if the bridge rules allowed those packets to be delivered to wireless client 2, do those packets get sent back to the wifi "port"?
 
cdiedrich
Forum Veteran
Posts: 997
Joined: Thu Feb 13, 2014 2:03 pm
Location: Basel, Switzerland // Bremen, Germany

Re: Drop forward rules NOT working between devices connected via Wi-Fi

Wed Jan 23, 2019 1:04 pm

Sorry, I didn't notice the default-fwd=no in the config.
As OP also set default-authentication=no and created an access list with default-forward=yes per client, that setting overrides the setting on the interface.
So we're still talking about a default-forward issue on the w/l interface.
-Chris
 
Anastasia
Frequent Visitor
Topic Author
Posts: 55
Joined: Wed Oct 28, 2015 7:12 pm

Re: Drop forward rules NOT working between devices connected via Wi-Fi

Sat Jan 26, 2019 6:10 pm

I found a possible problem. In the settings under Wireless -> Access List are the access entries, where the value Forwarding = Yes is set. If you remove the check mark (Forwarding = No), then everything is fine, the data exchange stops. Seems the problem is solved.
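Putting mkx's reading of the manual and Anastasia's fix together, here is an added example (not posted in the thread) showing how the per-client forwarding value in the access-list overrides the interface's default-forwarding=no, and the corrected entries; it reuses the placeholder MAC addresses and interface names from the export above.

```routeros
# Added example, not from the thread. MACs are the placeholders from the export.

# Interface-level default. It applies ONLY to clients that match no
# access-list entry, so for the two listed MACs it had no effect.
/interface wireless
set [ find default-name=wlan1 ] mode=ap-bridge default-authentication=no \
    default-forwarding=no

# Entries as exported: "forwarding" is omitted, so each entry uses its own
# default of forwarding=yes. Frames between these two clients are relayed
# inside wlan1 and never reach bridge-local or the /ip firewall filter
# forward chain, which is why the drop rules (and Torch) saw nothing.
/interface wireless access-list
add comment=Tablet interface=wlan1 mac-address=AA:AA:AA:AA:AA:12 vlan-mode=no-tag
add comment=Notebook interface=wlan1 mac-address=AA:AA:AA:AA:AA:11 vlan-mode=no-tag

# Fix: set forwarding=no on each entry (the "Forwarding" check box in WinBox).
# Client-to-client frames are then handed to the bridge, and because
# /interface bridge settings has use-ip-firewall=yes they traverse the
# forward chain, where the two drop rules take effect.
/interface wireless access-list
set [ find mac-address=AA:AA:AA:AA:AA:12 ] forwarding=no
set [ find mac-address=AA:AA:AA:AA:AA:11 ] forwarding=no

# Verify: the effective value is per entry, not on the interface.
/interface wireless access-list print detail where interface=wlan1
/interface wireless print detail where name=wlan1

# Check: after a ping from 192.168.1.11 to 192.168.1.12 (both over Wi-Fi),
# the packet counters of the drop rules should now increase.
/ip firewall filter print stats where chain=forward action=drop
```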
