otgooneo
Trainer
Topic Author
Posts: 570
Joined: Tue Dec 01, 2009 3:24 am
Location: Mongolia

Firewall and NAT

Mon Dec 06, 2010 5:44 pm

Hello,

My firewall NAT and IP configurations are below. I want unauthorized persons not to be able to access my local network from the WAN side. But people who set address=192.168.123.0/24 gateway=192.168.123.80 can still access my local network through my RB1000.
What firewall rule do I need to add? For example, simple small routers are not accessible from the WAN side. How do I do this?
chain=srcnat action=masquerade out-interface=WAN
address=192.168.123.80/24 network=192.168.123.0 broadcast=192.168.123.255 interface=WAN
----------------------------
Want to learn more and more...
 
fewi
Forum Guru
Posts: 7734
Joined: Tue Aug 11, 2009 3:19 am

Re: Firewall and NAT

Mon Dec 06, 2010 5:54 pm

Put a stateful firewall in place. First accept all packets that are part of already established connections so that packets from the WAN can go back to the LAN as long as someone on the LAN initiated the connection, then only forward packets from the LAN to the WAN, and drop everything else.
/ip firewall filter
add chain=forward connection-state=invalid action=drop
add chain=forward connection-state=established action=accept
add chain=forward connection-state=related action=accept
add chain=forward in-interface=!WAN action=accept
add chain=forward action=drop
Some people don't like the negation of options (!WAN = "all interfaces that aren't the WAN interface"), so you could also write it like this:
/ip firewall filter
add chain=forward connection-state=invalid action=drop
add chain=forward connection-state=established action=accept
add chain=forward connection-state=related action=accept
add chain=forward in-interface=WAN action=drop
add chain=forward action=accept
The last accept rule in that is actually not strictly needed since the default behavior is to allow, but it's better to be explicit.

The wiki has many articles on firewalling.
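To see why the two rule sets above behave the same, and why they stop the case from the first post (an outside host that gives itself a 192.168.123.0/24 address), here is a small first-match simulation of the forward chain. This is an added example written for this thread, not code from the post or from MikroTik; the interface name LAN, the addresses and the connection states of the sample packets are constructed.

```python
# Added example (not from the forum thread): a first-match simulation of the
# RouterOS forward chain described above, used to check that the negated and
# the explicit rule sets make the same decisions on constructed traffic.

from dataclasses import dataclass
from typing import Callable, List

WAN = "WAN"
LAN = "LAN"  # assumed name for the LAN-side interface


@dataclass(frozen=True)
class Packet:
    in_iface: str    # interface the packet arrived on
    src: str
    dst: str
    conn_state: str  # "new", "established", "related" or "invalid"


@dataclass(frozen=True)
class Rule:
    action: str                       # "accept" or "drop"
    match: Callable[[Packet], bool]
    text: str                         # the RouterOS line this rule stands for


def first_match(rules: List[Rule], pkt: Packet) -> str:
    """Filter chains are first-match; a packet no rule matches falls through
    to the chain default, which for a filter chain is accept."""
    for rule in rules:
        if rule.match(pkt):
            return rule.action
    return "accept"


def state(name: str) -> Callable[[Packet], bool]:
    return lambda p: p.conn_state == name


def arrives_on(iface: str, negate: bool = False) -> Callable[[Packet], bool]:
    # negate=True models the "!WAN" form: every interface except WAN
    return lambda p: (p.in_iface == iface) != negate


# First rule set: tracked traffic accepted, anything not from WAN accepted, rest dropped.
NEGATED = [
    Rule("drop",   state("invalid"),          "add chain=forward connection-state=invalid action=drop"),
    Rule("accept", state("established"),      "add chain=forward connection-state=established action=accept"),
    Rule("accept", state("related"),          "add chain=forward connection-state=related action=accept"),
    Rule("accept", arrives_on(WAN, negate=True), "add chain=forward in-interface=!WAN action=accept"),
    Rule("drop",   lambda p: True,            "add chain=forward action=drop"),
]

# Second rule set: same policy without the negation, with the explicit final accept.
EXPLICIT = [
    Rule("drop",   state("invalid"),     "add chain=forward connection-state=invalid action=drop"),
    Rule("accept", state("established"), "add chain=forward connection-state=established action=accept"),
    Rule("accept", state("related"),     "add chain=forward connection-state=related action=accept"),
    Rule("drop",   arrives_on(WAN),      "add chain=forward in-interface=WAN action=drop"),
    Rule("accept", lambda p: True,       "add chain=forward action=accept"),
]

# Constructed traffic. The third packet is the case from the first post: a host
# on the WAN side using a LAN address tries to open a new connection inward.
SAMPLE = [
    Packet(LAN, "192.168.123.10", "203.0.113.5",    "new"),          # LAN user opens outbound
    Packet(WAN, "203.0.113.5",    "192.168.123.10", "established"),  # reply to that connection
    Packet(WAN, "192.168.123.99", "192.168.123.10", "new"),          # outsider with a LAN address
    Packet(WAN, "198.51.100.7",   "192.168.123.10", "new"),          # unsolicited inbound
    Packet(WAN, "198.51.100.7",   "192.168.123.10", "invalid"),      # matches no tracked flow
]


def decisions(rules: List[Rule]) -> List[str]:
    return [first_match(rules, p) for p in SAMPLE]


def rule_sets_agree() -> bool:
    return decisions(NEGATED) == decisions(EXPLICIT)


if __name__ == "__main__":
    for p, verdict in zip(SAMPLE, decisions(NEGATED)):
        print(f"{p.in_iface:3} {p.src:>15} -> {p.dst:<15} {p.conn_state:11} {verdict}")
    print("rule sets agree:", rule_sets_agree())
```

The point the simulation makes is that the verdict depends on the arriving interface and the connection-tracking state, not on the source address, so a forged LAN address on the WAN side gains nothing once the forward chain is in place. Masquerade on its own is only address rewriting for outbound traffic and never blocks anything.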
 
otgooneo
Trainer
Topic Author
Posts: 570
Joined: Tue Dec 01, 2009 3:24 am
Location: Mongolia

Re: Firewall and NAT

Wed Dec 08, 2010 4:14 am

Thanks, fewi
I found my mistake. I'm using a bridged WAN interface, but the rules I wrote were on the wrong interface.
 
otgooneo
Trainer
Topic Author
Posts: 570
Joined: Tue Dec 01, 2009 3:24 am
Location: Mongolia

Re: Firewall and NAT

Wed Jan 05, 2011 10:11 am

Hello, Happy new year

How do I add a lot of MAC addresses in one firewall rule? "/ip firewall add src-mac-address=" only supports 1 MAC address. I have a list of MAC addresses and need to add it to only one filter rule. Please advise.
 
martini
Member Candidate
Posts: 296
Joined: Tue Dec 21, 2004 12:13 am

Re: Firewall and NAT

Wed Jan 05, 2011 11:37 am

Add the MAC addresses to the static ARP list on the interface and set the ARP mode of the interface to reply-only. In the firewall you can't add more than 1 MAC in one rule.
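A small model of the static-ARP plus reply-only approach suggested above, added here as an illustration and not taken from the post or from RouterOS itself: in reply-only mode the router still answers ARP requests for its own address, but resolves neighbour MACs from the static table only, so a host whose IP/MAC pair is not listed never receives the router's return traffic. The interface name, addresses and MAC addresses are constructed.

```python
# Added example (not from the thread): how arp=reply-only with static /ip arp
# entries gates which hosts can complete a two-way exchange with the router.

from typing import Dict, Optional


class Interface:
    def __init__(self, name: str, ip: str, mac: str, arp_mode: str = "enabled"):
        self.name = name
        self.ip = ip
        self.mac = mac
        self.arp_mode = arp_mode              # "enabled" (default) or "reply-only"
        self.static_arp: Dict[str, str] = {}  # models /ip arp add address=.. mac-address=.. interface=..
        self.dynamic_arp: Dict[str, str] = {}  # entries learned on the fly (enabled mode only)

    def add_static(self, ip: str, mac: str) -> None:
        self.static_arp[ip] = mac

    def handle_arp_request(self, sender_ip: str, sender_mac: str, target_ip: str) -> Optional[str]:
        """Router receives an ARP request. Returns its own MAC when it replies.
        Only the enabled mode learns the sender's IP/MAC pair from the request."""
        if self.arp_mode == "enabled":
            self.dynamic_arp[sender_ip] = sender_mac
        return self.mac if target_ip == self.ip else None

    def resolve(self, ip: str) -> Optional[str]:
        """MAC the router would put on a frame destined for ip, or None if it
        cannot deliver. In reply-only mode the static table is the only source."""
        if ip in self.static_arp:
            return self.static_arp[ip]
        if self.arp_mode == "enabled":
            return self.dynamic_arp.get(ip)
        return None


def can_exchange(iface: Interface, host_ip: str, host_mac: str) -> bool:
    """True when the host can reach the router AND the router's replies come
    back to that host's own MAC."""
    router_mac = iface.handle_arp_request(host_ip, host_mac, iface.ip)
    if router_mac is None:
        return False
    return iface.resolve(host_ip) == host_mac


def demo() -> Dict[str, bool]:
    # Constructed LAN interface with two listed hosts, ARP mode reply-only.
    lan = Interface("ether2", "192.168.123.80", "00:0c:42:00:00:01", arp_mode="reply-only")
    lan.add_static("192.168.123.10", "00:11:22:33:44:10")
    lan.add_static("192.168.123.11", "00:11:22:33:44:11")

    # Same interface left in the default mode, for comparison.
    lan_default = Interface("ether2", "192.168.123.80", "00:0c:42:00:00:01")

    return {
        "listed host, reply-only":            can_exchange(lan, "192.168.123.10", "00:11:22:33:44:10"),
        "unlisted host, reply-only":          can_exchange(lan, "192.168.123.99", "00:11:22:33:44:99"),
        "listed ip, other mac, reply-only":   can_exchange(lan, "192.168.123.11", "00:11:22:33:44:fe"),
        "unlisted host, default mode":        can_exchange(lan_default, "192.168.123.99", "00:11:22:33:44:99"),
    }


if __name__ == "__main__":
    for case, ok in demo().items():
        print(f"{case:36} {'exchange works' if ok else 'no return path'}")
```

Two things the model makes visible: the unlisted host is only cut off once the mode is reply-only (in the default mode the router learns it dynamically), and a static entry is an IP-to-MAC binding rather than authentication, so it controls which pairs the router will talk to, nothing more.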
 
otgooneo
Trainer
Topic Author
Posts: 570
Joined: Tue Dec 01, 2009 3:24 am
Location: Mongolia

Re: Firewall and NAT

Thu Jan 06, 2011 9:12 am

So there is a need to add a mac-address-list, like /ip firewall address-list, and a feature to choose the mac-address-list in a rule.