Cablenut9
Long time Member
Topic Author
Posts: 542
Joined: Fri Jan 08, 2021 5:30 am

Input firewall filter prioritization

Sun Jul 25, 2021 12:05 am

I have a setup where my main router has a DNS server accessible to clients on LAN. On the outside, there will be a Wireguard tunnel on port 53, the same port as DNS. If I add an input rule for port 53 from WAN, which router service will come first? Is there a way to disallow DNS from WAN and only allow WG?
 
msatter
Forum Guru
Posts: 2897
Joined: Tue Feb 18, 2014 12:56 am
Location: Netherlands / Nīderlande

Re: Input firewall filter prioritization

Sun Jul 25, 2021 12:11 am

If you want to block it, do it in RAW on TCP/UDP(53) traffic coming from the WAN.
 
Cablenut9
Long time Member
Topic Author

Re: Input firewall filter prioritization

Sun Jul 25, 2021 12:11 am

If you want to block it, do it in RAW on TCP/UDP(53) traffic coming from the WAN.
This won't work because then I won't be able to use Wireguard with a listen port of 53.
 
rextended
Forum Guru
Posts: 11968
Joined: Tue Feb 25, 2014 12:49 pm
Location: Italy

Re: Input firewall filter prioritization

Sun Jul 25, 2021 12:20 am

Sincerely, it is a very bad idea to use WireGuard on port 53.

As a WISP I block all "53" traffic from my clients if it is not directed directly to the CPE.

All Italian ISPs are forced to do this because of idiotic laws written by someone who is totally ignorant of how the internet works.

We do not inject or intercept unfound results; we simply block all sites "blacklisted" by Italian law.

Using port 53 just causes some warning at the ISP, because they see some anomalous traffic on that port and will probably close it.
Last edited by rextended on Sun Jul 25, 2021 12:24 am, edited 1 time in total.
 
Cablenut9
Long time Member
Topic Author

Re: Input firewall filter prioritization

Sun Jul 25, 2021 12:23 am

I have to use port 53 to bypass firewalls which block everything except ICMP, TCP port 80/443, and DNS. My ISP doesn't care that much about "weird" traffic.
 
rextended
Forum Guru

Re: Input firewall filter prioritization

Sun Jul 25, 2021 12:24 am

Not now, not today, but sooner or later ISP notices...


Your provider locks all UDP??? (also UDP on 53...)
 
Cablenut9
Long time Member
Topic Author

Re: Input firewall filter prioritization

Sun Jul 25, 2021 12:28 am

Your provider locks all UDP??? (also UDP on 53...)
Not my provider, but at some places like a coffee shop, they have those restrictions.
 
rextended
Forum Guru

Re: Input firewall filter prioritization

Sun Jul 25, 2021 12:30 am

Ah, now with some other details I understand.
 
rextended
Forum Guru

Re: Input firewall filter prioritization  [SOLVED]

Sun Jul 25, 2021 12:31 am

Move local WireGuard to another port and with dst-nat change the incoming UDP port 53 from WAN to the local WireGuard port.
dst-nat is applied before routing, and routing is applied before the input chain,
so the packet changes destination port and can reach the internal service on another port.
https://help.mikrotik.com/docs/display/ ... rOS-Chains
 
mkx
Forum Guru
Posts: 11383
Joined: Thu Mar 03, 2016 10:23 pm

Re: Input firewall filter prioritization

Sun Jul 25, 2021 12:44 am

If WG is running on the router itself, then you might have a problem ... normally only one service can use a protocol/port number (e.g. TCP/53). When another service tries to acquire access to an already used port, it's denied. In Linux it is possible to attach a service to one of the configured IP addresses and another one to the same combo of protocol/port number but on another IP address.
ROS UI OTOH provides an address property which might actually be used in a manner similar to how the src-address property is used by e.g. DST-NAT: if the packet's src address doesn't match, then the packet is queued to the input chain. I guess you'll have to try yourself.

If you're port forwarding WG somewhere else, then it's possible. From the packet flow diagram: part of pre-routing is DST-NAT, which provides information to the routing decision, and that one affects the choice of different firewall chains (input versus forward).


BTW, never mind @rextended, he seems quite strong-minded and likes to troll whenever somebody tries to do something he doesn't approve of.
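The dst-nat approach rextended and mkx describe above, written out as RouterOS CLI configuration. This is an added example, not configuration posted in the thread; the interface list name "WAN", the LAN range 192.168.88.0/24, the interface name "wg1" and the WireGuard listen port 13231 are assumptions.

```routeros
# Added example, not from the thread. Assumes: interface list "WAN" holds the
# upstream interface, LAN clients sit in 192.168.88.0/24, and the local
# WireGuard interface "wg1" listens on UDP 13231 instead of 53.

# 1. Move the local WireGuard listener off port 53 (private key is generated
#    automatically when none is given).
/interface wireguard
add name=wg1 listen-port=13231

# 2. dstnat chain runs in prerouting, i.e. before the routing decision that
#    picks input vs forward. "redirect" is the dst-nat action that targets the
#    router's own address; in-interface-list=WAN keeps LAN clients' DNS
#    queries to the router untouched.
/ip firewall nat
add chain=dstnat action=redirect to-ports=13231 protocol=udp dst-port=53 \
    in-interface-list=WAN comment="WAN UDP/53 -> local WireGuard"

# 3. The input chain sees the translated destination port, so accept
#    WireGuard on 13231 from WAN and serve DNS (UDP and TCP 53) only to LAN.
#    Nothing from WAN can reach the DNS server on 53 any more: UDP/53 has
#    already been rewritten, and the final rule drops the rest.
/ip firewall filter
add chain=input action=accept connection-state=established,related,untracked
add chain=input action=drop connection-state=invalid
add chain=input action=accept protocol=udp dst-port=13231 in-interface-list=WAN \
    comment="WireGuard (arrives on 53, rewritten by dstnat)"
add chain=input action=accept protocol=udp dst-port=53 src-address=192.168.88.0/24 \
    comment="DNS for LAN clients"
add chain=input action=accept protocol=tcp dst-port=53 src-address=192.168.88.0/24
add chain=input action=drop in-interface-list=WAN comment="drop the rest from WAN"

# 4. Check that the rewrite is actually hit when a peer connects:
#    the packet/byte counters of the redirect rule should increase.
/ip firewall nat print stats where comment="WAN UDP/53 -> local WireGuard"
```

Because the rewrite is tracked by connection tracking, the router's replies from 13231 are translated back to source port 53, so the roaming peer keeps talking to port 53; a persistent keepalive on the peer side keeps that UDP connection entry alive so the router never has to originate a handshake from the untranslated port.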
 
rextended
Forum Guru

Re: Input firewall filter prioritization

Sun Jul 25, 2021 12:50 am

what are you writing? I already suggested the same thing you suggested 13 minutes before...

I have already helped @Cablenut9 other times; if I don't remember correctly he can tell you too. I don't seem to have ever bothered him.

@Cablenut9 you make it clear, please...
 
Cablenut9
Long time Member
Topic Author

Re: Input firewall filter prioritization

Sun Jul 25, 2021 12:58 am

@Cablenut9 you make it clear, please...
You gave me the dst-nat solution before mkx did, but mkx explained how my original setup might actually work.
 
rextended
Forum Guru

Re: Input firewall filter prioritization

Sun Jul 25, 2021 1:07 am

Okay, I wasn't clear. I was asking you if I bothered you, like mkx wants to say...
 
Cablenut9
Long time Member
Topic Author

Re: Input firewall filter prioritization

Sun Jul 25, 2021 5:09 am

I was asking you if I bothered you, like mkx wants to say...
Maybe, but I can see why the ISP would want to block DNS.
 
mkx
Forum Guru

Re: Input firewall filter prioritization

Sun Jul 25, 2021 12:36 pm

what are you writing?

When I start to write a reply, sometimes it takes some time to formulate it so that it fits the question as much as possible (trying to verify things on the go). It seems like you are much faster at writing your posts. But then, when I finished the answer and tried to post it, the forum informed me that there were other posts. I reviewed them and I thought they didn't cover everything I wrote, so I decided to post it anyway.

I see you are trolling again, this time about a post (later than yours) essentially saying the same as you did. But then, if this bothers you so much, why do you do the same occasionally? I could complain about your posts being later than mine and saying the same a few times already. But I don't bother.
 
msatter
Forum Guru

Re: Input firewall filter prioritization

Sun Jul 25, 2021 1:23 pm

+1 for mkx

@cablenut9
Sorry, I did not notice that you used port 53 also for WG. It is really strange, and your ISP is keeping an eye on that port because of DDoS attacks.
 
rextended
Forum Guru

Re: Input firewall filter prioritization

Sun Jul 25, 2021 1:54 pm

what are you writing?
[...]
I try to explain better: it is about the "troll part". I want to point out to you that I had already written a possibly helpful solution, not a "troll post".
Also @msatter says "It is really strange and your ISP is keeping an eye on that port because of DDoS attacks",
and that is the same thing I wanted to say to @Cablenut9, not to bother him...

Try not to always think badly, I understand that sometimes I deserve a kick in the balls, but really this time there was nothing wrong...
 
anav
Forum Guru
Posts: 18958
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Input firewall filter prioritization

Sun Jul 25, 2021 3:29 pm

what are you writing?
[...]
I try to explain better: it is about the "troll part". I want to point out to you that I had already written a possibly helpful solution, not a "troll post".
Also @msatter says "It is really strange and your ISP is keeping an eye on that port because of DDoS attacks",
and that is the same thing I wanted to say to @Cablenut9, not to bother him...

Try not to always think badly, I understand that sometimes I deserve a kick in the balls, but really this time there was nothing wrong...
Hehehe, since Cable is in this thread I would have used a different word..... " I deserve a kick in the "nuts"! ;-))
 
mkx
Forum Guru

Re: Input firewall filter prioritization

Sun Jul 25, 2021 3:45 pm

Try not to always think badly, I understand that sometimes I deserve a kick in the balls, but really this time there was nothing wrong...

Your first post in this thread (the #4) was all about why OP should not do something and nothing about how OP could achieve what he wanted to do. Even if your goal was sincere (based on your own policy as ISP) it was still unhelpful because OP's background is unknown to you. At the time I was writing my post it was your only post in this thread.
Since you have a habit of strongly expressing your views on posters' problems (generally on this forum), I feel you're trolling occasionally. Don't get me wrong, most of your posts are very useful and some even informative (your posts tend to be terse in providing a solution without explanation why the solution is good/the best). It's just they are a bit rude sometimes (I attribute that to the fact you're not a native English speaker and I understand that sometimes it's hard to find the appropriate word).
 
rextended
Forum Guru

Re: Input firewall filter prioritization

Sun Jul 25, 2021 3:58 pm

Thanks @mkx for the courtesy of explaining ;)



@anav, but how do they come to your mind? :)))
 
Cablenut9
Long time Member
Topic Author

Re: Input firewall filter prioritization

Sun Jul 25, 2021 4:09 pm

Just so you know how restrictive some of these firewalls are, I sometimes can't visit forum.mikrotik.com without a VPN because of this: "Sonicwall: Connection blocked to Latvia (GeoIP block)"
 
rextended
Forum Guru

Re: Input firewall filter prioritization

Sun Jul 25, 2021 4:09 pm

Can I ask you where you live?
 
mkx
Forum Guru

Re: Input firewall filter prioritization

Sun Jul 25, 2021 4:12 pm

@anav, but how do they come to your mind? :)))

Could be his finger hurts due to exposure to a nutcracker? ;-)
 
rextended
Forum Guru

Re: Input firewall filter prioritization

Sun Jul 25, 2021 4:13 pm

Sometimes I use this hack when I do not have time for a VPN or others...
If Google is not blocked...
https://translate.google.com/translate? ... krotik.com
 
Cablenut9
Long time Member
Topic Author

Re: Input firewall filter prioritization

Sun Jul 25, 2021 4:23 pm

Can I ask you where you live?
The Southeast US, but I've only seen these firewalls a couple times. I know Walmarts block L2TP/IPSec and they mess with TLS certificates leading to HSTS errors. However, a port 443 WG VPN works just fine, so it's this one place that blocks almost everything.
 
msatter
Forum Guru

Re: Input firewall filter prioritization

Sun Jul 25, 2021 5:22 pm

My little pebble skipping the surface of the water.

I had a long-time problem with DuckDuckGo not showing its page. It worked, and the next time it ignored my request, many times. The solution was there but I just did not apply it, thinking this would never be the case with DuckDuckGo.

I am using multiple connections at the same time and that was the cause of not having a usable search engine. This forum does not like it when you are logged in and use multiple source addresses. Not logged in, it is no problem.

So DuckDuckGo is now also on the list not to use multiple src-addresses, and all is sailing smoothly as long as the skipping pebble does not pierce the hull.
 
anav
Forum Guru

Re: Input firewall filter prioritization

Sun Jul 25, 2021 7:53 pm

Can I ask you where you live?
The Southeast US, but I've only seen these firewalls a couple times. I know Walmarts block L2TP/IPSec and they mess with TLS certificates leading to HSTS errors. However, a port 443 WG VPN works just fine, so it's this one place that blocks almost everything.
Cablenut, does Walmart know you setup an office in their furniture department??
I mean really what are you going to need that kind of wifi for when you can use data..... Checking out Ikea prices vs Walmart?
Or does the US govt want you to monitor the nuclear codes 24/7 ???

(PS. I know it was just an example but couldn't resist the high security need for Walmart wifi)
 
anav
Forum Guru

Re: Input firewall filter prioritization

Sun Jul 25, 2021 8:01 pm

 
msatter
Forum Guru

Re: Input firewall filter prioritization

Sun Jul 25, 2021 8:09 pm

Sorry Anav, to watch that I have to agree with Alphabet (Google). It is not going to happen.
 
anav
Forum Guru

Re: Input firewall filter prioritization

Sun Jul 25, 2021 11:43 pm

I will try and find another resource for you that is not google.
https://www.bing.com/videos/search?q=sn ... &FORM=VIRE
