suloveoun
newbie
Topic Author
Posts: 33
Joined: Fri Sep 04, 2015 11:37 am

Firewall Rule not work with Microsoft DHCP server

Thu May 21, 2020 7:29 am

Hello dear,
In my design:
My Windows DHCP/DNS/AD server is in LAN1: 192.168.0.3/24
The Mikrotik is for internet access and is in LAN1: 192.168.0.1/24 (I don't use the Mikrotik as DHCP or DNS; instead I use the Microsoft server for this job)

PC1=192.168.0.10/24
PC2=192.168.0.20/24

I created a firewall rule to block the ICMP protocol from PC1 to PC2:
> ip firewall filter add chain=input protocol=icmp src-address=192.168.0.10 dst-address=192.168.0.20 action=drop
After creating this rule I don't see any of its packets being blocked in the Mikrotik at all. Please help, what am I doing wrong with the firewall?
 
Guntis
MikroTik Support
Posts: 48
Joined: Fri Jul 20, 2018 1:40 pm

Re: Firewall Rule not work with Microsoft DHCP server

Thu May 21, 2020 8:06 am

You should use "forward" chain, instead of "input".
 
suloveoun
newbie
Topic Author
Posts: 33
Joined: Fri Sep 04, 2015 11:37 am

Re: Firewall Rule not work with Microsoft DHCP server

Thu May 21, 2020 9:44 am

I use "forward" now but it seems like the router rule doesn't work. I see the bytes and packets aren't counted.
 
jvanhambelgium
Member Candidate
Posts: 218
Joined: Thu Jul 14, 2016 9:29 pm
Location: Belgium

Re: Firewall Rule not work with Microsoft DHCP server

Thu May 21, 2020 9:54 am

I use "forward" now but it seems like the router rule doesn't work. I see the bytes and packets aren't counted.
Can you make a small drawing? Reading your post is very weird.
You say the PCs & servers are on the SAME IP network, but perhaps you made a typo in writing. All the IPs below are in the same IP network.
Are PC1 / PC2 *directly* attached to the Mikrotik physical ports? Are there any switches?
Because depending on the way you have wired it up ... it is very possible that no traffic passes through the Mikrotik if PC1 or PC2 wants to talk to the DHCP/DNS server ... so you will not see anything ...

My Windows DHCP/DNS/AD server is in LAN1: 192.168.0.3/24
The Mikrotik is for internet access and is in LAN1: 192.168.0.1/24 (I don't use the Mikrotik as DHCP or DNS; instead I use the Microsoft server for this job)

PC1=192.168.0.10/24
PC2=192.168.0.20/24
 
suloveoun
newbie
Topic Author
Posts: 33
Joined: Fri Sep 04, 2015 11:37 am

Re: Firewall Rule not work with Microsoft DHCP server

Thu May 21, 2020 11:04 am

Please see my simple network drawing of the problem above:

Image
 
jvanhambelgium
Member Candidate
Posts: 218
Joined: Thu Jul 14, 2016 9:29 pm
Location: Belgium

Re: Firewall Rule not work with Microsoft DHCP server

Thu May 21, 2020 11:15 am

Well ... drawn like this, the Mikrotik will NOT "see" any DHCP or DNS requests from clients fly by.
These PCs can communicate DIRECTLY with the server (because they are in the same IP network).
For DHCP, the clients will yell with a "broadcast" and the DHCP server will answer that.

Also, it is impossible to limit the traffic between PC1 & PC2 by means of the Mikrotik. Again, the PCs are in the same IP network and will talk ICMP directly with each other ...
The only option is to physically CABLE PC1 & PC2 onto a Mikrotik or some LAN switch with RouterOS (e.g. CRS). Then you have more control.

If you want to control traffic FROM/TO DNS/DHCP you have to move this Windows server more directly onto the Mikrotik somehow.
 
suloveoun
newbie
Topic Author
Posts: 33
Joined: Fri Sep 04, 2015 11:37 am

Re: Firewall Rule not work with Microsoft DHCP server

Thu May 21, 2020 11:44 am

Sorry, my drawing may have confused you; please take a look below again, it is all on the same switch.

Image
 
vecernik87
Long time Member
Posts: 660
Joined: Fri Nov 10, 2017 8:19 am

Re: Firewall Rule not work with Microsoft DHCP server

Thu May 21, 2020 11:52 am

Nobody got confused. Your computers are on the same subnet and on the same L2 segment (unless you separated them on the switch), therefore they can communicate directly with each other. The Mikrotik will not even know about the communication because the switch will forward it directly to the correct PC.

jvanhambelgium gave you a very precise answer and all his statements are correct.
 
suloveoun
newbie
Topic Author
Posts: 33
Joined: Fri Sep 04, 2015 11:37 am

Re: Firewall Rule not work with Microsoft DHCP server

Thu May 21, 2020 11:56 am

The Mikrotik will not even know about the communication because the switch will forward it directly to the correct PC.
Could you give me a small clue how I could make the Mikrotik control the traffic with my drawing, please?
 
jvanhambelgium
Member Candidate
Posts: 218
Joined: Thu Jul 14, 2016 9:29 pm
Location: Belgium

Re: Firewall Rule not work with Microsoft DHCP server

Thu May 21, 2020 11:59 am

Same outcome. Your "unmanaged switch" is a simple L2 switch, right?
With a design like this, it is IMPOSSIBLE to intervene/filter/capture/firewall traffic between PC1/PC2/PC3/PC4/SERVER because they all share the same IP SUBNET.
A device will only "contact" the Mikrotik if it needs to reach something OUTSIDE of its IP network.
How does it know that? Well, it uses the SUBNET MASK + IP ADDRESS to figure out the "boundary" of the network, and when it realizes it needs to communicate outside of this network it will forward the IP packets to the DEFAULT GATEWAY setting you have in a PC, and the packet will hit the Mikrotik. That is, simplified, what happens.

Again, as long as you keep using the 192.168.0.x/24 "range" for ALL endpoints you are stuck and there is nothing to firewall.
A solution can be to create multiple bridge groups / multiple IPs on the Mikrotik.

E.g. 192.168.0.1/24 (=LAN1) and also create 192.168.1.1/24 on the Mikrotik.
Then give PC2 the IP address 192.168.1.20/24 and make sure the default gateway is set to the Mikrotik on 192.168.1.1.
Now if PC2 (192.168.1.x/24) wants to talk to PC1 (192.168.0.x/24) it will have to pass through the Mikrotik and you have control!
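The forwarding decision described above, worked through as an added example (not code from the thread or from MikroTik): a host compares the destination against its own address AND mask, delivers same-subnet traffic directly over the switch, and only hands other traffic to the default gateway. The model then shows which MikroTik firewall chain (input, forward, or none) would see PC1's ping to PC2 in the original flat /24 and after PC2 is moved to the proposed 192.168.1.0/24. Host/rule names and the 192.168.1.1 router address are constructed from the figures given in the thread.

```python
import ipaddress
from dataclasses import dataclass

# Assumed MikroTik LAN addresses: 192.168.0.1 from the thread, 192.168.1.1 from the proposed second subnet.
ROUTER_ADDRESSES = {"192.168.0.1", "192.168.1.1"}


@dataclass
class Host:
    name: str
    address: str   # IP/prefix as configured on the NIC, e.g. "192.168.0.10/24"
    gateway: str   # default gateway, i.e. the MikroTik address on that LAN


def next_hop(src: Host, dst_ip: str) -> str:
    """Simplified host forwarding decision: a destination inside the host's own
    subnet (address AND mask) is delivered directly over L2 via the switch;
    anything else is handed to the default gateway."""
    if ipaddress.ip_address(dst_ip) in ipaddress.ip_interface(src.address).network:
        return "direct"
    return src.gateway


def router_chain(src: Host, dst_ip: str):
    """Which /ip firewall filter chain on the MikroTik sees this packet.
    Returns None when the router never receives it, so no rule can ever count it."""
    if dst_ip in ROUTER_ADDRESSES:
        return "input"                      # addressed to the router itself
    if next_hop(src, dst_ip) == "direct":
        return None                         # switched host-to-host, router not involved
    return "forward"                        # routed between subnets (or to the internet)


def rule_matches(rule: dict, src: Host, dst_ip: str, protocol: str) -> bool:
    """Does a filter rule (chain/protocol/src-address/dst-address) match this packet?"""
    return (router_chain(src, dst_ip) == rule["chain"]
            and rule["protocol"] == protocol
            and rule["src-address"] == src.address.split("/")[0]
            and rule["dst-address"] == dst_ip)


# Constructed scenario from the thread: flat /24 versus PC2 moved to a second subnet.
PC1 = Host("PC1", "192.168.0.10/24", "192.168.0.1")
PC2_FLAT = Host("PC2", "192.168.0.20/24", "192.168.0.1")
PC2_SPLIT = Host("PC2", "192.168.1.20/24", "192.168.1.1")
ORIGINAL_RULE = {"chain": "input", "protocol": "icmp",
                 "src-address": "192.168.0.10", "dst-address": "192.168.0.20"}
FORWARD_RULE = {**ORIGINAL_RULE, "chain": "forward"}
FORWARD_RULE_SPLIT = {**FORWARD_RULE, "dst-address": "192.168.1.20"}

if __name__ == "__main__":
    for pc2, rule in ((PC2_FLAT, ORIGINAL_RULE), (PC2_FLAT, FORWARD_RULE), (PC2_SPLIT, FORWARD_RULE_SPLIT)):
        dst = pc2.address.split("/")[0]
        print(dst, router_chain(PC1, dst), rule["chain"], rule_matches(rule, PC1, dst, "icmp"))
```

In the flat design neither the input nor the forward rule ever matches because the packet never reaches the router; once PC2 sits in 192.168.1.0/24 the forward rule matches and the counters move.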
 
sindy
Forum Guru
Posts: 5099
Joined: Mon Dec 04, 2017 9:19 pm

Re: Firewall Rule not work with Microsoft DHCP server

Thu May 21, 2020 1:02 pm

To add some optimism, you may use a managed switch, or the Mikrotik itself acting as such switch, and set up L2 filtering and/or port isolation to restrict traffic among hosts in the same IP subnet.
Also, if you just wanted to test the firewall rules and your actual application case does not require filtering of traffic between hosts in the same subnet, it may just be a matter of a wrongly chosen test case.
And if it is sufficient for you to restrict access between the Microsoft DHCP server at one side and all the PCs on the other one, just connect the DHCP server to the Mikrotik directly (if the latter has free Ethernet ports), make the two ports to which the dumb switch and the DHCP server are connected members (slaves) of the same bridge, and use /interface bridge filter rules to control the traffic between the DHCP server and the PCs.
Instead of writing novels, post /export hide-sensitive. Use find&replace in your favourite text editor to systematically replace all occurrences of each public IP address potentially identifying you by a distinctive pattern such as my.public.ip.1.
 
suloveoun
newbie
Topic Author
Posts: 33
Joined: Fri Sep 04, 2015 11:37 am

Re: Firewall Rule not work with Microsoft DHCP server

Sat May 23, 2020 7:03 am

Thanks everyone, I have now created a separate LAN and it works.
