mcisar
just joined
Topic Author
Posts: 18
Joined: Fri Mar 20, 2015 5:51 pm

Firewall filter when port forwarded

Wed Mar 06, 2019 10:25 pm

Have been tasked with making some config changes to a router not originally configured by me, and figuring out what all they've done has put my brain almost to the point of meltdown :-)

My final task is to set up a couple of firewall filtering rules, should be simple right... but I know at this point I've been staring at the screen for far too long and I'm missing something very simple.

We have 3 separate servers sitting on the LAN side (10.0.1.12, .13 and .14) with a proprietary service listening on port 12500.
From the outside we have one WAN IP... port 12612 is dst-NAT'd to 10.0.1.12:12500, 12613 to .13 and 12614 to .14.

Have put the filtering rules in the forwarding chain, stuffed amongst the existing rules that were there. The 3 rules have dst-port 12612, 12613 and 12614 set; however, testing attempts all seem to hit a single existing rule that was set with dst-port 12500 instead.

What am I missing to get a filter rule that triggers on the port number the internet user is connecting to (i.e. 12612, 12613, etc.) rather than the port that resides at the inside end of the NAT (i.e. 12500)?

Know I'm going to kick myself, or remember the minute I click submit... but... :-)

Thanks,
Mike
 
anav
Forum Guru
Posts: 2972
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Firewall filter when port forwarded

Wed Mar 06, 2019 11:39 pm

Okay, your individual rules need to be in NAT; only one general firewall filter rule (forward chain) is needed to permit port forwarding to pass through the firewall.
Format of an individual rule with port translation is:
/ip firewall nat
# protocol is required when matching dst-port; tcp assumed for this service
add chain=dstnat action=dst-nat protocol=tcp dst-port=12612 in-interface=WAN \
    to-addresses=10.0.1.12 to-ports=12500


For your filter rule:
/ip firewall filter
# fasttrack, then accept, established/related connections
add chain=forward action=fasttrack-connection connection-state=established,related
add chain=forward action=accept connection-state=established,related
.......
add chain=forward action=accept in-interface=WAN \
    connection-state=new connection-nat-state=dstnat

........
add chain=forward action=drop comment="drop all else"
I'd rather manage rats than software. Follow my advice at your own risk! (Sob & mkx forced me to write that!)
 
RackKing
Member Candidate
Posts: 257
Joined: Wed Oct 09, 2013 1:59 pm

Re: Firewall filter when port forwarded

Thu Jul 25, 2019 5:33 pm

Hi anav -

On this -
add chain=forward action=accept in-interface=WAN \
    connection-state=new connection-nat-state=dstnat


Does/should the connection state need to be new? Or does it matter?

Thanks
 
k6ccc
Member
Posts: 479
Joined: Fri May 13, 2016 12:01 am
Location: Glendora, CA, USA (near Los Angeles)

Re: Firewall filter when port forwarded

Thu Jul 25, 2019 6:13 pm

On this -
add chain=forward action=accept in-interface=WAN \
    connection-state=new connection-nat-state=dstnat


Does/should the connection state need to be new? Or does it matter?

It actually does not matter. Because there is a fasttrack accept for established and related packets, the only time that the listed rule will function is for the first packet. After that, the accept established and related will accept the packet.
RB750Gr3, RB750r2, CRS326-24G-2S (in SwitchOS), CSS326-24G-2S, CSS106-5G-1S, RB260GS
Not sure if I beat them in submission, or they beat me into submission


Jim
 
anav
Forum Guru
Posts: 2972
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Firewall filter when port forwarded

Thu Jul 25, 2019 7:18 pm

I prefer to use NEW because it's an accurate reflection of what is intended.
As stated by K6ccc, only the first packet is handled by the "generic dst nat forward filter rule" and the rest of the packets are handled by the established rule.
The NEW distinguishes this: leaving out the NEW will not have any effect, but may lead some to think that the rule is used for all dst-nat packets, while using NEW makes it clear that it is only for the first packet of the connection and the rest will go through the established rule.

The other important fact to discuss is the use of in-interface=wan (or ether1, etc.).
It is best to leave that part out if doing hairpin NAT, otherwise I leave it in.
As always my last forward filter rule is always "drop all else"
add chain=forward action=drop comment="Drop all other traffic"
I'd rather manage rats than software. Follow my advice at your own risk! (Sob & mkx forced me to write that!)
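Added example, not from the thread or from RouterOS itself: a small Python model of the packet path the thread is describing (dstnat in prerouting runs before the forward filter chain), which reproduces why mcisar's dst-port=12612 rules never fired and why anav's single connection-nat-state=dstnat rule does. It also shows the consequence for per-server filtering in forward: match the translated destination (10.0.1.13:12500), not the external port. Field names, the rule matcher and the sample packet are my simplifications, not RouterOS syntax.

```python
# Added example, not from the thread: toy model of the RouterOS packet path.
# dstnat (prerouting) runs before the forward filter chain, so forward only
# sees the translated dst; field/rule names are my simplification, not RouterOS.
DSTNAT = {  # external WAN port -> (internal server, port), as in the thread
    12612: ("10.0.1.12", 12500),
    12613: ("10.0.1.13", 12500),
    12614: ("10.0.1.14", 12500),
}

def apply_dstnat(pkt):
    """Prerouting dstnat: rewrite destination, tag connection as dstnat."""
    pkt = dict(pkt)
    if pkt["in_iface"] == "WAN" and pkt["dst_port"] in DSTNAT:
        pkt["dst_addr"], pkt["dst_port"] = DSTNAT[pkt["dst_port"]]
        pkt["conn_nat_state"] = "dstnat"
    return pkt

def forward_filter(pkt, rules):
    """Forward chain: rules are (matchers, action) pairs; first match wins."""
    for match, action in rules:
        if all(pkt.get(k) == v for k, v in match.items()):
            return action
    return "no-match"

def decide(pkt, rules):
    return forward_filter(apply_dstnat(pkt), rules)  # full path for one packet

# mcisar's attempt: per-external-port rules in the forward chain.
OP_RULES = [
    ({"conn_state": "established"}, "accept-established"),
    ({"dst_port": 12612}, "accept-12612"),           # can never match post-NAT
    ({"dst_port": 12500}, "accept-existing-12500"),  # the rule that actually fires
]
# anav's approach: one generic rule keyed on the connection's NAT state.
GENERIC_RULES = [
    ({"conn_state": "established"}, "fasttrack"),
    ({"in_iface": "WAN", "conn_state": "new", "conn_nat_state": "dstnat"}, "accept"),
    ({}, "drop"),  # "drop all else"
]
# Per-server filtering that does work in forward: match the translated destination.
PER_SERVER_RULES = [
    ({"dst_addr": "10.0.1.13", "dst_port": 12500, "conn_state": "new"}, "accept-13"),
    ({}, "drop"),
]
# Constructed sample: first packet from the internet to the WAN IP, port 12612.
SYN_12612 = {"in_iface": "WAN", "dst_addr": "203.0.113.10", "dst_port": 12612,
             "conn_state": "new"}
```

A packet to a WAN port with no NAT entry never gets the dstnat state, so the generic rule skips it and "drop all else" catches it, which is the behaviour anav's ordering relies on.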
