Community discussions

MikroTik App
 
User avatar
dlynes
newbie
Topic Author
Posts: 32
Joined: Tue Apr 12, 2016 9:08 pm
Location: Hamilton, Canada
Contact:

Suggestion: Ability to Create New Tables (like iptables) or at least group rules

Fri Jun 11, 2021 1:03 pm

The problem:
Filter table gets so polluted that on routers with lots of rules, it's difficult to understand what's being filtered and why sometimes. If you have dynamic rules, it makes it even more challenging.

On iptables, there's a solution for this by creating additional chains, and then joining those chains to the input chain.

If RouterOS is already capable of this, how do we achieve it?

I'm at 90 rules on my one router and as much as I'd love to add more rules to it, I'm reluctant to simply for the reason that it will become more unusable and the chances of me having forgotten about some edge cases to account for because of the mess is quite high. If I could organize it, it would make it so much more manageable.

The particular use case where I have requirement for a lot of filter rules:
I have a master VPN server. That VPN server is used by my own company and a number of clients. I want my clients to be able to access all of their assets, but nothing else. I want myself and my techs to be able to access all of our assets, and all client assets. I have monitoring servers that also need to be able to access all client assets.

Sometimes I will need to put in additional masquerade rules so that the end customer doesn't see subnets from outside their known world showing up in their logs as well.
 
User avatar
rextended
Forum Guru
Forum Guru
Posts: 11968
Joined: Tue Feb 25, 2014 12:49 pm
Location: Italy
Contact:

Re: Suggestion: Ability to Create New Tables (like iptables) or at least group rules

Fri Jun 11, 2021 1:54 pm

jump
 
User avatar
eworm
Forum Guru
Forum Guru
Posts: 1070
Joined: Wed Oct 22, 2014 9:23 am
Location: Oberhausen, Germany
Contact:

Re: Suggestion: Ability to Create New Tables (like iptables) or at least group rules

Fri Jun 11, 2021 2:29 pm

You can create own chains and jump to...
/ip firewall filter add chain=custom ...
/ip firewall filter add action=jump jump-target=custom ...
 
User avatar
rextended
Forum Guru
Forum Guru
Posts: 11968
Joined: Tue Feb 25, 2014 12:49 pm
Location: Italy
Contact:

Re: Suggestion: Ability to Create New Tables (like iptables) or at least group rules

Fri Jun 11, 2021 2:32 pm

You can create own chains and jump to...
/ip firewall filter add chain=custom ...
/ip firewall filter add action=jump jump-target=custom ...
no need two instructions,
simply first jump instruction on new chain create the new chain
 
User avatar
eworm
Forum Guru
Forum Guru
Posts: 1070
Joined: Wed Oct 22, 2014 9:23 am
Location: Oberhausen, Germany
Contact:

Re: Suggestion: Ability to Create New Tables (like iptables) or at least group rules

Fri Jun 11, 2021 9:11 pm

Sure, but you want the chain to contain rules, no? :)
 
User avatar
rextended
Forum Guru
Forum Guru
Posts: 11968
Joined: Tue Feb 25, 2014 12:49 pm
Location: Italy
Contact:

Re: Suggestion: Ability to Create New Tables (like iptables) or at least group rules

Fri Jun 11, 2021 10:04 pm

ok, misunderstanded:

I usually do:
...
add action=jump chain=input comment="Inizio Protezione IP Pubblico 1" dst-address=0.6.6.6 in-interface=ether1 jump-target=input_gateway
add action=jump chain=input comment="Inizio Protezione IP Pubblico 2" dst-address=1.9.9.9 in-interface=ether2 jump-target=input_gateway
add action=accept chain=input_gateway ...
add action=accept chain=input_gateway ...
add action=accept chain=input_gateway ...
add action=drop chain=input_gateway ...
add action=drop chain=input_gateway ...
add action=drop chain=input_gateway ...
add action=return chain=input_gateway comment="Fine Protezione IP Pubblico"
...
add action=drop chain=input
 
User avatar
dlynes
newbie
Topic Author
Posts: 32
Joined: Tue Apr 12, 2016 9:08 pm
Location: Hamilton, Canada
Contact:

Re: Suggestion: Ability to Create New Tables (like iptables) or at least group rules

Sat Jun 12, 2021 7:32 am

Thank you guys.

I keep forgetting it's almost exactly the same as iptables.
ok, misunderstanded:

I usually do:
...
add action=jump chain=input comment="Inizio Protezione IP Pubblico 1" dst-address=0.6.6.6 in-interface=ether1 jump-target=input_gateway
add action=jump chain=input comment="Inizio Protezione IP Pubblico 2" dst-address=1.9.9.9 in-interface=ether2 jump-target=input_gateway
add action=accept chain=input_gateway ...
add action=accept chain=input_gateway ...
add action=accept chain=input_gateway ...
add action=drop chain=input_gateway ...
add action=drop chain=input_gateway ...
add action=drop chain=input_gateway ...
add action=return chain=input_gateway comment="Fine Protezione IP Pubblico"
...
add action=drop chain=input
 
pe1chl
Forum Guru
Forum Guru
Posts: 10186
Joined: Mon Jun 08, 2015 12:09 pm

Re: Suggestion: Ability to Create New Tables (like iptables) or at least group rules

Sat Jun 12, 2021 12:38 pm

Remember it is named "jump" but it is actually "call" (for those who know about programming).
So, indeed you can "return" to the place where the "jump" was done, and in fact this is what happens automatically when the jumped table just ends without a terminating action (drop, reject, accept).
This may be unexpected to new users. I normally make sure that any table that I "jump" to ends in a "add action=drop" just as I use at the end of the input and forward tables (I like to do a default-drop configuration where everything I want to allow as an "accept" and at the end of everything there is a "drop" or "reject" instead of the default "accept" that is in RouterOS).

Who is online

Users browsing this forum: baragoon, duartev, menyarito and 89 guests