sleerf
Frequent Visitor
Topic Author
Posts: 62
Joined: Tue Sep 13, 2016 9:12 am

Firewall rule question

Fri Apr 16, 2021 11:34 am

The manual has some recommended firewall settings for an ISP and I'm curious about a couple.

add action=drop chain=forward comment="Drop tries to reach not public addresses from LAN" dst-address-list=not_in_internet in-interface=bridge1 log=yes log-prefix=!public_from_LAN out-interface=!bridge1
add action=drop chain=forward comment="Drop incoming packets that are not NATted" connection-nat-state=!dstnat connection-state=new in-interface=ether1 log=yes log-prefix=!NAT

Questions
The first here: does it not prevent me, either on a VPN or connected over the network, from accessing devices on the network?
The second, dropping incoming packets that aren't NATted... does that not drop packets destined for the router itself from the outside, i.e. VPN access to the router?
 
anav
Forum Guru
Posts: 19105
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Firewall rule question

Fri Apr 16, 2021 2:37 pm

The default rules work out of the box!
When you add VPN to the router, there are changes you make in the firewall rules (one adds accept rules) that permit the VPN traffic.
The rules you are wondering about remain in place.
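As an added illustration (not code from the thread or from MikroTik), a small Python model of how the two quoted forward-chain rules classify the traffic the question asks about: router-bound packets such as a VPN connection to the router go through chain=input and never see these forward rules, and VPN-client traffic arriving on a tunnel interface does not match in-interface=bridge1. The router addresses, address-list contents, tunnel interface name and the packet() helper are constructed assumptions.

```python
import ipaddress

# Constructed values (assumptions, not from the thread): the router's own
# addresses and the contents of the not_in_internet address list.
ROUTER_ADDRS = {"192.168.88.1", "203.0.113.10"}
ADDRESS_LISTS = {"not_in_internet": [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]}

# The two rules quoted in the question, as matcher dictionaries.
RULES = [
    {"chain": "forward", "in-interface": "bridge1", "out-interface": "!bridge1",
     "dst-address-list": "not_in_internet", "action": "drop",
     "comment": "Drop tries to reach not public addresses from LAN"},
    {"chain": "forward", "in-interface": "ether1", "connection-state": "new",
     "connection-nat-state": "!dstnat", "action": "drop",
     "comment": "Drop incoming packets that are not NATted"},
]
MATCHERS = ("in-interface", "out-interface", "connection-state",
            "connection-nat-state")

def matches(value, want):
    """RouterOS-style comparison: a leading '!' negates the match."""
    return value != want[1:] if want.startswith("!") else value == want

def chain_for(pkt):
    """Packets addressed to the router itself are handled by chain=input;
    everything routed through the box goes to chain=forward."""
    return "input" if pkt["dst"] in ROUTER_ADDRS else "forward"

def verdict(pkt):
    """(chain, action, comment) of the first rule that matches, or
    (chain, 'pass', ...) when neither quoted rule applies."""
    chain = chain_for(pkt)
    for rule in RULES:
        if rule["chain"] != chain:
            continue  # forward-chain rules never see input-chain traffic
        ok = all(matches(pkt.get(k, ""), rule[k]) for k in MATCHERS if k in rule)
        if ok and "dst-address-list" in rule:
            ok = any(ipaddress.ip_address(pkt["dst"]) in net
                     for net in ADDRESS_LISTS[rule["dst-address-list"]])
        if ok:
            return chain, rule["action"], rule["comment"]
    return chain, "pass", "not matched by either quoted rule"

def packet(in_if, dst, out_if="", nat="none", state="new"):
    """Build the packet/connection view the firewall matches on (constructed)."""
    return {"in-interface": in_if, "out-interface": out_if, "dst": dst,
            "connection-state": state, "connection-nat-state": nat}
```

Only the two rules from the post are modelled, so a "pass" result means neither of them matched, not that a later rule (or the input chain) accepts the packet.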
