grg
newbie
Topic Author
Posts: 44
Joined: Fri Aug 20, 2010 9:51 am
Location: Latvia

Forward chain and dynamic NAT rules when using uPnP

Thu Sep 09, 2010 12:18 am

MikroTik community:

I have one example that I would like to get your opinion about. I'm using UPnP on my routerboard to deal with P2P and IM applications. Basically, what it does is create dynamic NAT rules. However, it does not do anything with the forward chain; that is the thing I need to configure manually. Usually, in any MikroTik setup, I use a rule in the forward chain to block all incoming packets from the interface that is connected to my ISP. One of the reasons to do that is that, if it's not set, it allows other hosts on the same subnet that use my MikroTik IP address as their gateway to access all the private IP addresses that I use behind the firewall. This also blocks packets that have NAT rules set up, and because the forward chain processes packets after their destination address has been changed, I cannot add a safe rule to allow those packets to be forwarded. Right now the only safe single-rule way that I have found is to use a mangle rule in the prerouting chain to mark packets whose destination IP address is my Internet IP address on the MikroTik, and then another rule in the forward chain checks for that packet mark to allow it to be forwarded. This way it only allows forwarding of packets that have NAT rules set up, and not packets addressed directly to internal network IPs.

I would be glad if somebody could share their practice of setting forwarding rules in similar setup, where dynamic NAT rules are used.

grg
 
fewi
Forum Guru
Posts: 7717
Joined: Tue Aug 11, 2009 3:19 am

Re: Forward chain and dynamic NAT rules when using uPnP

Thu Sep 09, 2010 12:55 am

I don't use UPnP, but I think the following approach could work:

First you mark all new connections initiated from the WAN with a connection mark in prerouting. Then you test them, still in prerouting, for destination IP address, and throw away the packet if it isn't local to the router, and also if it is within your LAN IP range. This would discard all new connections coming in from the Internet that don't have the destination IP address of your WAN interface.
Then you test connections with that mark again in forward, and again look at the destination IP address. If it is now a LAN IP address (forward is after destination NAT), it must have been translated by some destination NAT rule, be that static or dynamic, and should be permitted.

Assuming a router with just two interfaces (WAN and LAN) and a dynamic WAN IP address and an inside network of 192.168.0.0/24:
/ip firewall mangle
add chain=prerouting in-interface=WAN connection-state=new action=mark-connection new-connection-mark=initiated_from_WAN
/ip firewall filter
add chain=prerouting in-interface=WAN connection-mark=initiated_from_WAN dst-address-type=!local action=drop comment="new connection from WAN that isn't destined to router IP address gets discarded"
add chain=prerouting in-interface=WAN connection-mark=initiated_from_WAN dst-address=192.168.0.0/24 action=drop comment="new connection from WAN destined to router inside interface gets discarded"
add chain=forward connection-state=established action=accept comment="already established connections are OK"
add chain=forward connection-state=related action=accept comment="connections related to already established connections are OK"
add chain=forward in-interface=LAN action=accept comment="LAN to WAN is always OK"
add chain=forward connection-mark=initiated_from_WAN dst-address=192.168.0.0/24 action=accept comment="connections destination NAT'd to the inside must have been OK'd by a NAT rule"
add chain=forward action=drop comment="drop everything else"
Completely untested, of course; it might contain errors, and it's nowhere near as elegant as dynamic filter rules inserted by the router itself.
 
grg
newbie
Topic Author
Posts: 44
Joined: Fri Aug 20, 2010 9:51 am
Location: Latvia

Re: Forward chain and dynamic NAT rules when using uPnP

Thu Sep 09, 2010 11:53 pm

This is what I use to cover uPnP needs:
/ip firewall mangle
add action=mark-packet chain=prerouting comment="Marks packets for checking against NATed destinations" connection-state=new disabled=no dst-address=<my external ip address on mikrotik> new-packet-mark=nat passthrough=yes

/ip firewall filter
add action=accept chain=forward comment="Allow established connections" connection-state=established
add action=accept chain=forward comment="Allow related connections" connection-state=related
add action=accept chain=forward comment="Allow NATed connections to Workstation (based on packet mark)" connection-state=new packet-mark=nat
add action=drop chain=forward comment="Drop all packets from Internet, that do not match criteria above" in-interface=ether1
This way I don't have to worry about internal network packet forwarding (wired and wireless for example).
 
grg
newbie
Topic Author
Posts: 44
Joined: Fri Aug 20, 2010 9:51 am
Location: Latvia

Re: Forward chain and dynamic NAT rules when using uPnP

Fri Oct 08, 2010 10:23 am

I found my previous solution useless with a dynamic external IP address. In my opinion MikroTik should update UPnP so that it also adds a dynamic forward firewall rule matching the NAT rule it adds, or something like that.
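A version of grg's mangle rule that survives a changing WAN address, added here as an editor's example and not taken from the thread: it keys on dst-address-type=local (the matcher fewi's reply also uses) instead of a hard-coded external address. It assumes ether1 is the ISP-facing interface, as in grg's filter rule.

```routeros
# Editor's example, not from the thread. Assumes ether1 faces the ISP.
# Weak form (the original): the mark depends on a fixed external address and
# stops matching as soon as the ISP hands out a new one, so every UPnP-opened
# connection is then dropped by the final forward rule.
#/ip firewall mangle
#add action=mark-packet chain=prerouting connection-state=new dst-address=<my external ip address on mikrotik> new-packet-mark=nat passthrough=yes

# Corrected form: match "any address that is currently local to the router"
# arriving on the WAN interface. Mangle prerouting runs before dst-nat, so the
# mark is set while the destination is still the WAN address; by the time the
# packet reaches forward, dst-nat has rewritten it to the LAN host.
/ip firewall mangle
add action=mark-packet chain=prerouting comment="Mark new WAN packets addressed to the router itself (pre dst-nat)" connection-state=new dst-address-type=local in-interface=ether1 new-packet-mark=nat passthrough=yes

/ip firewall filter
add action=accept chain=forward comment="Allow established connections" connection-state=established
add action=accept chain=forward comment="Allow related connections" connection-state=related
add action=accept chain=forward comment="Only dst-nat'd (static or UPnP) connections carry this mark" connection-state=new packet-mark=nat
add action=drop chain=forward comment="Drop everything else arriving from the Internet" in-interface=ether1
```

A packet from the WAN aimed straight at a LAN address is not local to the router, so it never receives the mark and hits the final drop; packets addressed to the router itself go to the input chain and are unaffected by these forward rules.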
