wilburt
Frequent Visitor
Topic Author
Posts: 84
Joined: Tue Aug 24, 2010 3:07 am

firewall rule not working

Sun Jan 16, 2011 7:46 am

Hi Experts,

I have setup a simple hotspot system but I am unable to add specific firewall rules to restrict access to one specific host. Here is my network setup

ADSL modem 10.1.1.x/16 ---> 10.1.1.9 Host (transparent web filter) (in bridge mode) --> 10.1.1.10 RB750 --> HS 192.168.5.x/24

I added the rule to drop packets from source = 192.168.5.0/24 to dst 10.1.1.9 set as forward but connections still get through.

Can someone help me out? I must be doing something basic wrong.

I don't want anyone on the hotspot to initiate a connection to the web filter host over ports 80 or 443

Thanks in advance.
 
SurferTim
Forum Guru
Posts: 4637
Joined: Mon Jan 07, 2008 10:31 pm
Location: Miramar Beach, Florida

Re: firewall rule not working

Sun Jan 16, 2011 12:44 pm

You should post "/ip firewall filter". But just as a start, ensure the rule is before the rule with the comment "place hotspot rules here". In the CLI, the command is "move".
/ip firewall filter
print
move 5 0
Moves the filter rule at position 5 to position 0, and moves the rules in between down one place.
 
wilburt
Frequent Visitor
Topic Author
Posts: 84
Joined: Tue Aug 24, 2010 3:07 am

Re: firewall rule not working

Sun Jan 16, 2011 1:21 pm

Hi,

Here is the printout. My rule is #1.

0 ;;; Make sure that proxy is not a open proxy
chain=input action=drop protocol=tcp src-address=0.0.0.0/0 in-interface=ether1-gateway dst-port=8080

1 ;;; stop hs to untangle
chain=input action=drop dst-address=10.1.1.9 in-interface=ether5-local-slave

2 ;;; Deny all P2P connections
chain=forward action=drop p2p=all-p2p

3 D chain=forward action=jump jump-target=hs-unauth hotspot=from-client,!auth

4 D chain=forward action=jump jump-target=hs-unauth-to hotspot=to-client,!auth

5 D chain=input action=jump jump-target=hs-input hotspot=from-client

6 I chain=hs-input action=jump jump-target=pre-hs-input

7 D chain=hs-input action=accept protocol=udp dst-port=64872

8 D chain=hs-input action=accept protocol=tcp dst-port=64872-64875

9 D chain=hs-input action=jump jump-target=hs-unauth hotspot=!auth

10 D chain=hs-unauth action=reject reject-with=tcp-reset protocol=tcp

11 D chain=hs-unauth action=reject reject-with=icmp-net-prohibited

12 D chain=hs-unauth-to action=reject reject-with=icmp-host-prohibited

13 X ;;; place hotspot rules here
chain=unused-hs-chain action=passthrough

14 ;;; default configuration
chain=input action=accept protocol=icmp

15 ;;; default configuration
chain=input action=accept connection-state=established in-interface=ether1-gateway

16 ;;; default configuration
chain=input action=accept connection-state=related in-interface=ether1-gateway

17 ;;; default configuration
chain=input action=accept src-address=10.1.0.0/16 in-interface=ether1-gateway

18 ;;; default configuration
chain=input action=drop in-interface=ether1-gateway
 
SurferTim
Forum Guru
Posts: 4637
Joined: Mon Jan 07, 2008 10:31 pm
Location: Miramar Beach, Florida

Re: firewall rule not working

Sun Jan 16, 2011 1:24 pm

1 ;;; stop hs to untangle
chain=input action=drop dst-address=10.1.1.9 in-interface=ether5-local-slave
This rule should be "chain=forward", not "chain=input".
 
wilburt
Frequent Visitor
Topic Author
Posts: 84
Joined: Tue Aug 24, 2010 3:07 am

Re: firewall rule not working

Sun Jan 16, 2011 1:42 pm

Hi,

I changed the rule to forward but still no luck. The only rules that get packet counts are rules 5 and 8. It looks like it is skipping/not matching my rule (1) at all.

Thanks.
 
SurferTim
Forum Guru
Posts: 4637
Joined: Mon Jan 07, 2008 10:31 pm
Location: Miramar Beach, Florida

Re: firewall rule not working

Sun Jan 16, 2011 1:47 pm

Try using a src-address rather than in-interface.
1 ;;; stop hs to untangle
chain=forward action=drop dst-address=10.1.1.9 src-address=192.168.5.0/24
The filter may not "see" ether5-local-slave if it is still on a switch.
 
wilburt
Frequent Visitor
Topic Author
Posts: 84
Joined: Tue Aug 24, 2010 3:07 am

Re: firewall rule not working

Sun Jan 16, 2011 1:55 pm

strange... still nothing.

Does the MikroTik HS do something strange with firewall filter rules?
 
SurferTim
Forum Guru
Posts: 4637
Joined: Mon Jan 07, 2008 10:31 pm
Location: Miramar Beach, Florida

Re: firewall rule not working

Sun Jan 16, 2011 2:00 pm

Well, yes, kinda. But only after the "place hotspot rules here" line. Can you post "/ip hotspot" and "/ip hotspot profile"?
The hotspot does a 1:1 NAT that might affect the rule.
 
wilburt
Frequent Visitor
Topic Author
Posts: 84
Joined: Tue Aug 24, 2010 3:07 am

Re: firewall rule not working

Sun Jan 16, 2011 2:11 pm

ip hotspot

0 name="hotspot1" interface=vlan15bridge address-pool=hs-dhcp-pool
profile=hsprof2 idle-timeout=1m keepalive-timeout=none
addresses-per-mac=1 ip-of-dns-name=10.10.0.1 proxy-status="running"

ip hotspot profile

0 * name="default" hotspot-address=0.0.0.0 dns-name="" html-directory=hotspot
rate-limit="" http-proxy=0.0.0.0:0 smtp-server=0.0.0.0
login-by=cookie,http-chap http-cookie-lifetime=3d split-user-domain=no
use-radius=no

1 name="hsprof2" hotspot-address=10.10.0.1 dns-name="wifi"
html-directory=hotspot rate-limit="" http-proxy=0.0.0.0:0
smtp-server=0.0.0.0 login-by=mac,cookie,http-chap,https,http-pap,trial
mac-auth-password="" http-cookie-lifetime=3h ssl-certificate=none
split-user-domain=no trial-uptime=2m/0s trial-user-profile=publicuser
use-radius=no
 
SurferTim
Forum Guru
Posts: 4637
Joined: Mon Jan 07, 2008 10:31 pm
Location: Miramar Beach, Florida

Re: firewall rule not working

Sun Jan 16, 2011 2:22 pm

Your hotspot is showing a 10.10.0.1 ip, not 192.168.5.1. Can you post "/ip pool"?
Take a look in "ip hotspot host". You don't need to post it, but the only ips the router "sees" are the "to-address" ips.

ADD: This is why the in-interface did not work:
0 name="hotspot1" interface=vlan15bridge address-pool=hs-dhcp-pool
profile=hsprof2 idle-timeout=1m keepalive-timeout=none
addresses-per-mac=1 ip-of-dns-name=10.10.0.1 proxy-status="running"
 
wilburt
Frequent Visitor
Topic Author
Posts: 84
Joined: Tue Aug 24, 2010 3:07 am

Re: firewall rule not working

Sun Jan 16, 2011 2:45 pm

Sorry, I copied the wrong hotspot profile info. Everything is right except for the range.

Here it is

ip hotspot

0 name="hotspot1" interface=vlan15bridge address-pool=hs-dhcp-pool
profile=hsprof2 idle-timeout=1m keepalive-timeout=none
addresses-per-mac=1 ip-of-dns-name=192.168.5.1 proxy-status="running"

ip hotspot profile

0 * name="default" hotspot-address=0.0.0.0 dns-name="" html-directory=hotspot
rate-limit="" http-proxy=0.0.0.0:0 smtp-server=0.0.0.0
login-by=cookie,http-chap http-cookie-lifetime=3d split-user-domain=no
use-radius=no

1 name="hsprof2" hotspot-address=192.168.5.1 dns-name="wifi"
html-directory=hotspot rate-limit="" http-proxy=0.0.0.0:0
smtp-server=0.0.0.0 login-by=mac,cookie,http-chap,https,http-pap,trial
mac-auth-password="" http-cookie-lifetime=3h ssl-certificate=none
split-user-domain=no trial-uptime=2m/0s trial-user-profile=publicuser
use-radius=no

ip pool is

0 default-dhcp 192.168.88.10-192.168.88.254
1 hs-dhcp-pool 192.168.5.242-192.168.5.254
 
SurferTim
Forum Guru
Posts: 4637
Joined: Mon Jan 07, 2008 10:31 pm
Location: Miramar Beach, Florida

Re: firewall rule not working

Sun Jan 16, 2011 2:51 pm

Did you take a look in "/ip hotspot host"? Are the "to-address" ips what you expect? 192.168.5.x
Is that hotspot interface a bridge? Can you post "/ip bridge port"?

BTW: The "dns-name=wifi" is going to cause you some real problems with Windows. That is considered a malformed URL. Most Windows browsers will not redirect to that URL.

ADD: I just ran a test with V4.16 and this firewall rule. My hotspot localnet is 192.168.0.0/24
/ip firewall filter
add chain=forward action=add-src-to-address-list src-address=192.168.0.0/24 address-list=test
Then I moved this rule to the top of the filter rules. I logged in and the ip (192.168.0.249) was in "/ip firewall address-list".
 
wilburt
Frequent Visitor
Topic Author
Posts: 84
Joined: Tue Aug 24, 2010 3:07 am

Re: firewall rule not working

Mon Jan 17, 2011 2:10 am

Hi,

Here is the bridge port printout:

# INTERFACE BRIDGE PRIORITY PATH-COST HORIZON
0 I vlan8_e5 ManagementBridge 0x80 10 none
1 ether2-local-master ManagementBridge 0x80 10 none
2 I vlan15_e5 vlan15bridge 0x80 10 none

Just to provide some clarification on what I currently have set up:
I have set up 2 VLANs (one for management and the other for the hotspot).

I have my WAP plugged into eth5. On eth5 I have set up two bridges.

I had a look at the IP hosts in the hotspot and they are in the 192.168.5.x range.

Thanks SurferTim
 
fewi
Forum Guru
Posts: 7734
Joined: Tue Aug 11, 2009 3:19 am

Re: firewall rule not working

Mon Jan 17, 2011 2:22 am

Your original post said you don't want anyone contacting the web filter host on ports 80 or 443. Hotspots redirect that traffic to themselves via destination NAT so they can intercept requests to web servers and show login or advertising pages.

You can add this to make firewall filters work normally for authenticated clients:
/ip firewall nat
add chain=pre-hotspot hotspot=auth action=accept
At that point the rules Tim walked you through should start working.
Specific answers require specific questions. When in doubt, post the output of "/ip address print detail", "/ip route print detail", "/interface print detail", "/ip firewall export", and an accurate network diagram.
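The fix the thread converges on, written out as one RouterOS CLI sequence. This is an added example, not configuration posted by either participant; it assumes the hotspot clients sit in 192.168.5.0/24, the web filter host is 10.1.1.9, and the rule comment "stop hs to untangle" from the original printout is reused as the handle for "move" and "print stats".

```routeros
# Added example (not from the thread). Assumed values: hotspot subnet
# 192.168.5.0/24, web filter host 10.1.1.9, rule comment "stop hs to untangle".

# 1. The hotspot dst-NATs client HTTP/HTTPS to itself, so a forward-chain
#    rule never sees 10.1.1.9 as the destination. Let authenticated clients
#    skip that redirect so filters see the real destination address.
/ip firewall nat
add chain=pre-hotspot hotspot=auth action=accept \
    comment="skip hotspot dst-nat for authenticated clients"

# 2. The traffic transits the router, so the drop belongs in the forward
#    chain (input only matches packets addressed to the router itself).
#    Match on src-address: the hotspot interface is a bridge/VLAN, so an
#    in-interface match on the physical port is unreliable.
/ip firewall filter
add chain=forward action=drop protocol=tcp src-address=192.168.5.0/24 \
    dst-address=10.1.1.9 dst-port=80,443 comment="stop hs to untangle"

# 3. The rule must sit above the dynamic hotspot jump rules, i.e. before
#    the "place hotspot rules here" marker. Move it to position 0.
/ip firewall filter move [find comment="stop hs to untangle"] destination=0

# 4. Check that it actually matches: the packet/byte counters of this rule
#    should climb when a logged-in client tries to reach 10.1.1.9 on 80/443.
/ip firewall filter print stats where comment="stop hs to untangle"
```

Step 4 is the check the thread used implicitly (counters on rules 5 and 8 but none on rule 1); a rule that never counts is either in the wrong chain, below a rule that already handled the packet, or matching on an address the hotspot NAT has already rewritten.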
 
wilburt
Frequent Visitor
Topic Author
Posts: 84
Joined: Tue Aug 24, 2010 3:07 am

Re: firewall rule not working

Mon Jan 17, 2011 4:21 am

Thanks fewi and Tim for your help.

It works.
