grumpazoid
Frequent Visitor
Topic Author
Posts: 77
Joined: Tue Nov 19, 2019 1:32 pm

Firewall input chain and broadcast packets

Mon Apr 12, 2021 11:30 am

On my Cloud Core Router I have the last firewall rule on the input chain set to drop everything. It is getting a lot of broadcast packets from LAN hosts on ports such as 137 (NetBIOS) and from other MikroTiks on port 5678 (discovery).

Questions:
1. Is this to be expected?
2. Should I allow these broadcasts through and any harm in doing so?
3. I have a hAP AC2 with near identical firewall rules but I do not see this behaviour. My guess is that this is because this router has VLANs set up on the bridge so these packets are not filtered. Am I correct?
 
anav
Forum Guru
Posts: 18958
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Firewall input chain and broadcast packets

Mon Apr 12, 2021 6:12 pm

If you are connecting to the internet just fine and users are not complaining, then why open up your router to garbage? Drop all is fine.
Near identical is not identical and one rule can make a huge difference.
 
grumpazoid
Frequent Visitor
Topic Author
Posts: 77
Joined: Tue Nov 19, 2019 1:32 pm

Re: Firewall input chain and broadcast packets

Tue Apr 13, 2021 12:24 pm

Thanks for the reply. Yes, OK, makes sense.
 
BrandonSk
newbie
Posts: 37
Joined: Wed May 06, 2015 12:21 am

Re: Firewall input chain and broadcast packets

Sun Feb 25, 2024 11:14 pm

> If you are connecting to the internet just fine and users are not complaining, then why open up your router to garbage? Drop all is fine.
> Near identical is not identical and one rule can make a huge difference.
Sorry to bring this up after 3 years, but I think the original aim of the question may still deserve a little more advice than "if users are not complaining".
Now, just to avoid misunderstanding: (1) I value anav's contributions and advice in this post and elsewhere in the forums. I started to build my rules based on his answers. (2) I myself cannot provide a better answer, but I have come to a similar situation and thus I dare to reopen this topic for discussion.

The basis of my question is - what if my "users" cannot complain? In the world of IoT and all this smart home stuff it can easily happen that no one is complaining but things do not work.

To make it more to the point: I ran into the same situation, i.e. a bunch of broadcast traffic dropped on the "Drop all" rule in the input chain. No one is complaining, everything seems to be working. I thought, well, whatever the broadcasts are, they should not be destined for the router anyway (at least 99% of them). But then I thought - hang on a second, how about the forward chain? How do I know that some of my rules are not blocking some super smart home device protocols and preventing devices from seeing/talking to each other?

The way I go about it is that I log everything on the DROP ALL rules (input and forward chains) and I try to create a separate drop rule for every type of dropped traffic I can identify. This is a bit tedious at the beginning, but manageable. Since I do not log the individual rules, eventually I can get my log pretty clean and only once in a while something pops out and I check what it is.

Bottom line - is that the "best approach"? Or is there something better (perhaps different for input and forward chains)?
If I am completely off, then let me know. I will be just as satisfied :)

Thank you.

Cheers,
B.
 
mkx
Forum Guru
Posts: 11381
Joined: Thu Mar 03, 2016 10:23 pm

Re: Firewall input chain and broadcast packets

Sun Feb 25, 2024 11:35 pm

The bottom line is that in the wilderness of the internet the only safe approach is to block all except what you know you have to pass. So you can either create a bunch of drop rules (anything you can think of) and make your router a bit slower (because some packets will have to traverse many drop rules before being dropped), but you'll have (a feeling of) better observability. But you still need that "drop the rest" rule because you won't have enough explicit drop rules to be entirely safe. Or you can simply "drop the rest" (without other explicit drop rules) and not bother with logging.

When the moment comes when you'll have to pass another thing, you may be lucky to see what to open from the stats of your bunch of drop rules. Or you'll have to learn about what you're about to allow and just add appropriate allow rule(s) above that single "drop the rest" rule. If things get messy, then ahead-of-time preparations may help, but more often they don't.

If you care about "what if my users can't complain", then you might not be able to go for full security ... ease of use and security are pretty much contradictory, so if you have to go with ease of use, you'll have to sacrifice (some of) security.
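The layout BrandonSk describes (a logging "drop the rest" rule with explicit, unlogged drops above it for noise already identified from the log), together with the rule counters mkx refers to, written out as an added RouterOS example; this is not configuration posted by anyone in the thread. It assumes an interface list named LAN and that the accept rules the router needs already sit above these; ports 137 and 5678 are the ones from the first post, 138 is the companion NetBIOS datagram port.

```routeros
# Added example, not from any poster in this thread.
# Assumptions: an interface list named LAN exists; the accept rules the
# router needs (established/related, management from LAN, ...) are above.
/ip firewall filter

# --- input chain: packets addressed to the router itself -----------------
# LAN broadcasts reach the router as one of the recipients, so they hit
# input. dst-address-type=broadcast keeps these rules narrow: a unicast
# probe to the same port still falls through to the logged catch-all.
add chain=input action=drop protocol=udp dst-port=137,138 \
    dst-address-type=broadcast in-interface-list=LAN \
    comment="NetBIOS broadcasts (137 name, 138 datagram) - identified noise, not logged"
add chain=input action=drop protocol=udp dst-port=5678 \
    dst-address-type=broadcast in-interface-list=LAN \
    comment="MikroTik neighbor discovery broadcasts - identified noise, not logged"
add chain=input action=drop log=yes log-prefix="input-drop: " \
    comment="drop the rest - logged so anything new shows up"

# --- forward chain: packets routed between networks ----------------------
# Broadcasts do not get here: frames switched between ports of one bridge
# stay at layer 2 and only pass /ip firewall if bridge use-ip-firewall=yes.
add chain=forward action=drop connection-state=invalid \
    comment="drop invalid - not logged"
add chain=forward action=drop log=yes log-prefix="forward-drop: " \
    comment="drop the rest - logged"

# In an existing configuration "add" appends AFTER the catch-all, where the
# rule would never match; position each new explicit drop above it instead
# (<port-seen-in-log> is a placeholder for the next identified port):
#   add chain=input action=drop protocol=udp dst-port=<port-seen-in-log> \
#       dst-address-type=broadcast in-interface-list=LAN \
#       place-before=[find chain=input comment="drop the rest - logged so anything new shows up"] \
#       comment="<describe traffic> - identified noise, not logged"

# Review: what still reaches the catch-all, and how often each explicit
# drop fires (the per-rule stats mkx mentions).
/log print where topics~"firewall"
/ip firewall filter print stats where chain=input
```

Once the log is quiet, a new entry with the `input-drop:` or `forward-drop:` prefix is the signal to look at what that traffic is before deciding whether it needs an accept rule or just another unlogged drop.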
