Dan44
just joined
Topic Author
Posts: 17
Joined: Mon May 16, 2022 3:26 pm

Simple filter rules not working

Wed Jan 25, 2023 4:41 pm

Hi everyone, I've been asked to make a config that essentially blocks all traffic from a specific VLAN to anything on the internet other than what has been whitelisted. It's a very basic config, and to test my theory I set up a lab with the following config, and yet it's not working: all traffic gets dropped despite having an allowed forward filter rule above it containing the whitelisted addresses in a list... Am I losing my marbles here?:
/interface bridge add name=bridge1
/ip pool
add name=dhcp_pool1 ranges=10.0.0.2-10.0.0.254
/ip dhcp-server add address-pool=dhcp_pool1 interface=bridge1 name=dhcp1
/interface bridge port add bridge=bridge1 interface=ether2
/ip address add address=10.0.0.1/24 interface=bridge1 network=10.0.0.0
/ip dhcp-client add interface=ether1 
/ip dhcp-server network add address=10.0.0.0/24 gateway=10.0.0.1 netmask=24
/ip firewall address-list add address=1.1.1.1 list=Whitelist
add address=google.com list=Whitelist
/ip firewall filter
add action=accept chain=forward dst-address-list=Whitelist log=yes log-prefix=\
    "Allowed forward"
add action=drop chain=forward log=yes log-prefix=\
    "Dropped forward"
/ip firewall nat
add action=masquerade chain=srcnat
Here are the logs when I try to ping 1.1.1.1... It allows the forward, but also drops it?:
Allowed forward forward: in:bridge1 out:ether1, connection-state:new src-mac 00:50:79:66:68:03, proto ICMP (type 8, code 0), 10.0.0.254->1.1.1.1, len 84
Dropped forward forward: in:ether1 out:bridge1, connection-state:established,snat src-mac 00:50:56:e7:e4:3c, proto ICMP (type 0, code 0), 1.1.1.1->10.0.0.254, NAT 1.1.1.1->(192.168.41.130->10.0.0.254), len 84
 
erlinden
Forum Guru
Posts: 1920
Joined: Wed Jun 12, 2013 1:59 pm
Location: Netherlands

Re: Simple filter rules not working

Wed Jan 25, 2023 4:50 pm

Check the "in" and "out" interfaces, that might give you a clue.
Hope this is not your entire firewall?
 
Dan44
just joined
Topic Author
Posts: 17
Joined: Mon May 16, 2022 3:26 pm

Re: Simple filter rules not working

Wed Jan 25, 2023 4:52 pm

Check the "in" and "out" interfaces, that might give you a clue.
Hope this is not your entire firewall?
It's a lab on a VM to test the idea of using the aforementioned filter rules to achieve the desired result.
 
holvoetn
Forum Guru
Posts: 5405
Joined: Tue Apr 13, 2021 2:14 am
Location: Belgium

Re: Simple filter rules not working

Wed Jan 25, 2023 4:54 pm

I could be totally wrong but how I see it:
- first ping goes through
- secondly the return from your ping is being dropped
I think you should add connection state=new to those rules.

Curious to see if I get the points or a lesson :D
 
Dan44
just joined
Topic Author
Posts: 17
Joined: Mon May 16, 2022 3:26 pm

Re: Simple filter rules not working

Wed Jan 25, 2023 4:56 pm

I could be totally wrong but how I see it:
- first ping goes through
- secondly the return from your ping is being dropped
I think you should add connection state=new to those rules.

Curious to see if I get the points or a lesson :D
Gave it a try, still happening (edit) - Close haha
Last edited by Dan44 on Wed Jan 25, 2023 8:55 pm, edited 1 time in total.
 
holvoetn
Forum Guru
Posts: 5405
Joined: Tue Apr 13, 2021 2:14 am
Location: Belgium

Re: Simple filter rules not working

Wed Jan 25, 2023 5:00 pm

Make sure to clear all active connections in firewall before retesting.
 
mkx
Forum Guru
Posts: 11439
Joined: Thu Mar 03, 2016 10:23 pm

Re: Simple filter rules not working  [SOLVED]

Wed Jan 25, 2023 7:21 pm

As already mentioned, it is necessary to pass return traffic. And the simplest way of doing it is to have the rule

/ip firewall filter
add chain=forward action=accept connection-state=established,related

And have it above all drop rules which target connections with state different than established or related (other states are: new, invalid and untracked). And possibly also above specific allow rules, with lengthy connections vast majority of packets will be matched by this rule and for performance reasons (firewall rules are evaluated from top to bottom until matching rule executes) it's best to have this rule first so that only small number of packets pass further down the list of firewall filter rules.
The rule will make sure that e.g. reply to ICMP echo request (a.k.a. ping) will pass on the way back ... if firewall first saw a corresponding ICMP echo request. In lengthy connections this rule will also match subsequent forward packets (due to connection state of established).
And the same rule will work for any other connection allowed in forward direction (e.g. HTTPS to allowed server or DNS request, etc.).

And after that you can start narrowing down your allow rules by adding a few selectors (such as in-interface or src-address-list or anything else fitting use case).

You may decide to go with connection-state=established only. However this may break some functionality. E.g. any protocol which requires firewall helpers, such as FTP (data connection is a separate connection between the same hosts, but if the ftp helper can determine the ports used, such an additional connection gets "related" connection-state). Or some ICMP messages, such as the "Fragmentation required, and DF flag set" message necessary in the PMTUD process; these are related as well.
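The behaviour mkx describes, as an added example that is not code from the thread: a small Python model of top-to-bottom rule evaluation with connection tracking, fed the echo request and echo reply from the original post's log. It shows the original chain dropping the reply and the established,related-first ordering passing it; the tracker and the rule dictionaries are simplifications I assumed for illustration, not RouterOS internals.

```python
# Added example, not code from the thread: a toy model of RouterOS forward-chain
# evaluation with connection tracking, run over the two packets from the
# original post's log. Rule order and list name follow the thread.

WHITELIST = {"1.1.1.1"}  # the "Whitelist" address list from the post

def match(rule, pkt, state):
    # Every selector present on a rule must match; a missing selector means "any".
    if "dst_list" in rule and pkt["dst"] not in rule["dst_list"]:
        return False
    if "in_if" in rule and pkt["in_if"] != rule["in_if"]:
        return False
    if "states" in rule and state not in rule["states"]:
        return False
    return True

def run_chain(rules, packets):
    """Return the verdict ('accept'/'drop') for each packet in order. Connections
    are keyed by endpoint pair: first packet is 'new', later ones 'established'."""
    conntrack = set()
    verdicts = []
    for pkt in packets:
        key = frozenset((pkt["src"], pkt["dst"]))
        state = "established" if key in conntrack else "new"
        verdict = "accept"  # RouterOS default action when no rule matches
        for rule in rules:  # top to bottom, first match wins
            if match(rule, pkt, state):
                verdict = rule["action"]
                break
        if verdict == "accept":
            conntrack.add(key)  # the reply direction now counts as established
        verdicts.append(verdict)
    return verdicts

# Constructed from the two log lines in the post: echo request out, echo reply back.
PING = [
    {"src": "10.0.0.254", "dst": "1.1.1.1", "in_if": "bridge1"},
    {"src": "1.1.1.1", "dst": "10.0.0.254", "in_if": "ether1"},
]

# The original post's chain: accept whitelisted destinations, then drop the rest.
ORIGINAL = [{"action": "accept", "dst_list": WHITELIST}, {"action": "drop"}]

# mkx's ordering: established/related first, then the narrowed allow, then drop.
FIXED = [
    {"action": "accept", "states": {"established", "related"}},
    {"action": "accept", "states": {"new"}, "in_if": "bridge1", "dst_list": WHITELIST},
    {"action": "drop"},
]
```

With ORIGINAL the reply's destination 10.0.0.254 is not in the list, so the drop rule matches exactly as the "Dropped forward" log line shows; with FIXED the first rule catches it.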
 
anav
Forum Guru
Posts: 19106
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Simple filter rules not working

Wed Jan 25, 2023 8:27 pm

So you mean the default config with very slight changes LOL
 
holvoetn
Forum Guru
Posts: 5405
Joined: Tue Apr 13, 2021 2:14 am
Location: Belgium

Re: Simple filter rules not working

Wed Jan 25, 2023 8:37 pm

Almost right yet got a nice lesson from it :lol:
 
Dan44
just joined
Topic Author
Posts: 17
Joined: Mon May 16, 2022 3:26 pm

Re: Simple filter rules not working

Wed Jan 25, 2023 8:53 pm

As already mentioned, it is necessary to pass return traffic. And the simplest way of doing it is to have the rule

/ip firewall filter
add chain=forward action=accept connection-state=established,related

And have it above all drop rules which target connections with state different than established or related (other states are: new, invalid and untracked). And possibly also above specific allow rules, with lengthy connections vast majority of packets will be matched by this rule and for performance reasons (firewall rules are evaluated from top to bottom until matching rule executes) it's best to have this rule first so that only small number of packets pass further down the list of firewall filter rules.
The rule will make sure that e.g. reply to ICMP echo request (a.k.a. ping) will pass on the way back ... if firewall first saw a corresponding ICMP echo request. In lengthy connections this rule will also match subsequent forward packets (due to connection state of established).
And the same rule will work for any other connection allowed in forward direction (e.g. HTTPS to allowed server or DNS request, etc.).

And after that you can start narrowing down your allow rules by adding a few selectors (such as in-interface or src-address-list or anything else fitting use case).

You may decide to go with connection-state=established only. However this may break some functionality. E.g. any protocol which requires firewall helpers, such as FTP (data connection is a separate connection between the same hosts, but if the ftp helper can determine the ports used, such an additional connection gets "related" connection-state). Or some ICMP messages, such as the "Fragmentation required, and DF flag set" message necessary in the PMTUD process; these are related as well.
Awesome thank you for this. Solved my issue.
 
Dan44
just joined
Topic Author
Posts: 17
Joined: Mon May 16, 2022 3:26 pm

Re: Simple filter rules not working

Thu Jan 26, 2023 9:57 am

So you mean the default config with very slight changes LOL
What you mean?
 
anav
Forum Guru
Posts: 19106
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Simple filter rules not working

Thu Jan 26, 2023 2:56 pm

Your issue basically stems from not using the default firewall rules or modifying them to the point of uselessness, take your pick.
 
Dan44
just joined
Topic Author
Posts: 17
Joined: Mon May 16, 2022 3:26 pm

Re: Simple filter rules not working

Fri Jan 27, 2023 5:31 pm

Your issue basically stems from not using the default firewall rules or modifying them to the point of uselessness, take your pick.
Oh yeah I see what you mean lol. Yeah I'm one of those people that often forget the obvious! It makes complete sense now that I know what was missing.
