miro10hr
Frequent Visitor
Topic Author
Posts: 99
Joined: Fri Nov 11, 2011 3:03 pm

RB2011 firewall - can't block winbox on one port

Fri Dec 21, 2012 10:23 am

Hi,

I don't know what else to check, I don't know what I am doing wrong. I configured the RB2011 firewall the same way I configured an RB450G and some others.

I used 9 ports as LAN ports, put them into a bridge, and 1 port (port 10) as the WAN port (PPPoE connection configured). I want to block winbox on that WAN port. Not on the PPPoE interface, but on the WAN port. If I directly connect an ethernet cable to the RB on that WAN port and connect through the MAC address, I want that to be blocked.

Usually, my firewall was configured to block winbox traffic on ports where it is not explicitly allowed. But I noticed by accident here that this is not the case.
So I added rules to explicitly block winbox on that port and put them as the first rules in the firewall.
add action=drop chain=input dst-port=5678 in-interface="WAN(eth10)" protocol=\
    udp
add action=drop chain=input comment="Disable Winbox on WAN port" dst-port=\
    20561 in-interface="WAN(eth10)" protocol=udp

I can still connect with winbox. What is even more strange is that I see a lot of packets matching those rules, but I can still connect with winbox and change the configuration.

What am I doing wrong?

I thought that maybe it has something to do with the two groups of ports 1-5 and 6-10, and that ports inside a group are automatically switched. Since winbox is allowed on ports 6-9, maybe that is translated to port 10 also? It sounds stupid to me, but I don't know what else to think.

Here is the compact configuration:
# jan/01/2002 02:10:02 by RouterOS 5.22
# software id = KHRA-3DJ0
#
/interface bridge
add arp=proxy-arp name="BRIDGE1(eth1,2,3,4,5,6,7,8,9,wlan1)" protocol-mode=\
    rstp
/interface
set "LAN(eth1)" name="LAN(eth1)"
set "LAN(eth2)" name="LAN(eth2)"
set "LAN(eth3)" name="LAN(eth3)"
set "LAN(eth4)" name="LAN(eth4)"
set "LAN(eth5)" name="LAN(eth5)"
set "LAN(eth6)" name="LAN(eth6)"
set "LAN(eth7)" name="LAN(eth7)"
set "LAN(eth8)" name="LAN(eth8)"
set "LAN(eth9)" name="LAN(eth9)"
set "WAN(eth10)" name="WAN(eth10)"
/interface pppoe-client
add add-default-route=yes disabled=no interface="WAN(eth10)" name=PPPoE-ADSL \
    use-peer-dns=yes
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
add authentication-types=wpa-psk,wpa2-psk eap-methods=passthrough \
    group-ciphers=tkip,aes-ccm management-protection=allowed mode=\
    dynamic-keys name=secure supplicant-identity="" unicast-ciphers=\
    tkip,aes-ccm wpa-pre-shared-key=xxxxxx wpa2-pre-shared-key=xxxxxxxxx
/interface wireless
set 0 band=2ghz-b/g/n channel-width=20/40mhz-ht-above disabled=no frequency=\
    2427 l2mtu=2290 mode=ap-bridge radio-name=Xxxx security-profile=secure \
    ssid=Xxxx wireless-protocol=802.11
/ip hotspot user profile
set [ find default=yes ] idle-timeout=none keepalive-timeout=2m
/ip ipsec proposal
set [ find default=yes ] auth-algorithms=md5,sha1
/ip pool
add name=dhcp_pool1 ranges=192.168.1.100-192.168.1.199
add name=VPN_sve ranges=192.168.1.201-192.168.1.220
/ip dhcp-server
add address-pool=dhcp_pool1 disabled=no interface=\
    "BRIDGE1(eth1,2,3,4,5,6,7,8,9,wlan1)" lease-time=8h name=dhcp1
/ppp profile
add change-tcp-mss=yes local-address=192.168.1.200 name=VPN_sve \
    remote-address=VPN_sve use-encryption=yes
set 2 local-address=10.60.1.1
/system logging action
add disk-file-count=3 disk-file-name=Firewall_log disk-lines-per-file=30000 \
    name=Firewall target=disk
/tool user-manager customer
add backup-allowed=yes disabled=no login=admin password="" \
    paypal-accept-pending=no paypal-allowed=no paypal-secure-response=no \
    permissions=owner signup-allowed=no time-zone=-00:00
/interface bridge port
add bridge="BRIDGE1(eth1,2,3,4,5,6,7,8,9,wlan1)" interface="LAN(eth2)"
add bridge="BRIDGE1(eth1,2,3,4,5,6,7,8,9,wlan1)" interface="LAN(eth3)"
add bridge="BRIDGE1(eth1,2,3,4,5,6,7,8,9,wlan1)" interface="LAN(eth1)"
add bridge="BRIDGE1(eth1,2,3,4,5,6,7,8,9,wlan1)" interface=wlan1
add bridge="BRIDGE1(eth1,2,3,4,5,6,7,8,9,wlan1)" interface="LAN(eth4)"
add bridge="BRIDGE1(eth1,2,3,4,5,6,7,8,9,wlan1)" interface="LAN(eth5)"
add bridge="BRIDGE1(eth1,2,3,4,5,6,7,8,9,wlan1)" interface="LAN(eth6)"
add bridge="BRIDGE1(eth1,2,3,4,5,6,7,8,9,wlan1)" interface="LAN(eth7)"
add bridge="BRIDGE1(eth1,2,3,4,5,6,7,8,9,wlan1)" interface="LAN(eth8)"
add bridge="BRIDGE1(eth1,2,3,4,5,6,7,8,9,wlan1)" interface="LAN(eth9)"
/interface l2tp-server server
set authentication=mschap2 default-profile=default
/interface pptp-server server
set authentication=mschap2 enabled=yes
/interface sstp-server server
set authentication=mschap1,mschap2 default-profile=default-encryption
/ip address
add address=192.168.1.2/24 interface="BRIDGE1(eth1,2,3,4,5,6,7,8,9,wlan1)"
/ip dhcp-server network
add address=192.168.1.0/24 dns-server=192.168.1.2 gateway=192.168.1.2 \
    netmask=24
/ip dns
set allow-remote-requests=yes max-udp-packet-size=512 servers=\
    85.114.32.7,85.114.32.8
/ip firewall address-list
add address=192.168.1.0/24 list=LAN
add address=0.0.0.0/8 list=illegal_addr
add address=10.0.0.0/8 list=illegal_addr
add address=127.0.0.0/8 list=illegal_addr
add address=169.254.0.0/16 list=illegal_addr
add address=172.16.0.0/12 disabled=yes list=illegal_addr
add address=192.0.2.0/24 list=illegal_addr
add address=192.168.0.0/16 list=illegal_addr
add address=198.18.0.0/15 list=illegal_addr
add address=192.0.0.0/24 list=illegal_addr
add address=198.51.100.0/24 list=illegal_addr
add address=203.0.113.0/24 list=illegal_addr
add address=224.0.0.0/3 list=illegal_addr
add address=192.168.1.200-192.168.1.220 list=VPN
/ip firewall filter
add action=drop chain=input dst-port=5678 in-interface="WAN(eth10)" protocol=\
    udp
add action=drop chain=input comment="Disable Winbox on WAN port" dst-port=\
    20561 in-interface="WAN(eth10)" protocol=udp
add action=log chain=input comment="Allow limited PING reguests (5pps)" \
    log-prefix=ICMP_PING protocol=icmp
add chain=forward comment="Allow traffic between clients on LAN (would not pas\
    s illegal dest. addr. in sanity-check)" in-interface=\
    "BRIDGE1(eth1,2,3,4,5,6,7,8,9,wlan1)" out-interface=\
    "BRIDGE1(eth1,2,3,4,5,6,7,8,9,wlan1)"
add action=jump chain=forward comment="Sanity check forward" jump-target=\
    sanity-check
add chain=forward comment=\
    "LAN to VPN traffic (accepted in established connection in sanity-check)" \
    dst-address-list=VPN src-address-list=LAN
add chain=forward comment="VPN to LAN traffic (accepted  in established connec\
    tion in sanity-check)" dst-address-list=LAN src-address-list=VPN
add chain=forward comment=\
    "LAN to VPN traffic (accepted in established connection in sanity-check)" \
    dst-address-list=VPN src-address-list=LAN
add chain=forward comment="VPN to LAN traffic (accepted  in established connec\
    tion in sanity-check)" dst-address-list=LAN src-address-list=VPN
add chain=forward comment="LAN to WAN traffic" in-interface=\
    "BRIDGE1(eth1,2,3,4,5,6,7,8,9,wlan1)" out-interface=PPPoE-ADSL
add action=jump chain=forward comment=\
    "Drop everything that is not explicitly forwarded" jump-target=drop
add action=jump chain=sanity-check comment="Deny illegal NAT Traversal" \
    jump-target=drop packet-mark=illegal-nat-traversal
add chain=input comment="Allow the router to be visible via Neighbor Disovery \
    to WinBox on LAN port" dst-address=255.255.255.255 dst-port=5678 \
    in-interface="BRIDGE1(eth1,2,3,4,5,6,7,8,9,wlan1)" protocol=udp
add chain=input comment="LAN services - WinBox MAC on LAN port (20561/UDP)" \
    dst-address=255.255.255.255 dst-port=20561 in-interface=\
    "BRIDGE1(eth1,2,3,4,5,6,7,8,9,wlan1)" protocol=udp
add action=add-src-to-address-list address-list=blocked-addr \
    address-list-timeout=1d chain=sanity-check comment="Block port scans" \
    protocol=tcp psd=84,3s,3,1
add action=add-src-to-address-list address-list=blocked-addr \
    address-list-timeout=1d chain=sanity-check comment="Block TCP Xmas Scan" \
    protocol=tcp tcp-flags=fin,psh,urg,!fin,!rst,!ack
add action=add-src-to-address-list address-list=blocked-addr \
    address-list-timeout=1d chain=sanity-check comment="Block TCP NULL Scan" \
    protocol=tcp tcp-flags=!fin,!syn,!rst,!psh,!ack,!urg
add action=jump chain=sanity-check comment=\
    "Drop everything that is in bloc-addr list" jump-target=drop \
    src-address-list=blocked-addr
add action=jump chain=sanity-check comment="Drop TCP RST" jump-target=drop \
    protocol=tcp tcp-flags=rst
add action=jump chain=sanity-check comment="Drop TCP SYN+FIN" jump-target=\
    drop protocol=tcp tcp-flags=fin,syn
add action=jump chain=sanity-check comment=\
    "Drop invalid connections immediately" connection-state=invalid \
    jump-target=drop
add action=drop chain=sanity-check comment=\
    "Drop everything that is in SSH black list (without logging)" \
    src-address-list=ssh_blacklist
add action=add-src-to-address-list address-list=ssh_login \
    address-list-timeout=2d chain=sanity-check comment="SSH trying to login" \
    connection-state=new disabled=yes dst-port=22 protocol=tcp
add action=add-src-to-address-list address-list=ssh_blacklist \
    address-list-timeout=2d chain=sanity-check comment=\
    "SSH brute force attack - 4. login - blacklist" connection-state=new \
    dst-port=22 protocol=tcp src-address-list=ssh_stage3
add action=add-src-to-address-list address-list=ssh_stage3 \
    address-list-timeout=30s chain=sanity-check comment=\
    "SSH brute force attack - 3. login" connection-state=new dst-port=22 \
    protocol=tcp src-address-list=ssh_stage2
add action=add-src-to-address-list address-list=ssh_stage2 \
    address-list-timeout=1m chain=sanity-check comment=\
    "SSH brute force attacks - 2. login" connection-state=new dst-port=22 \
    protocol=tcp src-address-list=ssh_stage1
add action=add-src-to-address-list address-list=ssh_stage1 \
    address-list-timeout=1m chain=sanity-check comment=\
    "SSH brute force attacks - 1. login" connection-state=new dst-port=22 \
    protocol=tcp
add chain=sanity-check comment="Accept established connections" \
    connection-state=established
add chain=sanity-check comment="Accept related connections" connection-state=\
    related
add action=drop chain=sanity-check comment=\
    "Drop NetBios traffic without logging" dst-port=137-138 protocol=udp
add action=log chain=sanity-check comment="Log broadcast, multicast packets" \
    disabled=yes dst-address-type=broadcast,multicast log-prefix=\
    sanity-check_25
add action=jump chain=sanity-check comment=\
    "Drop broadcast, multicast packets" dst-address-type=broadcast,multicast \
    jump-target=drop
add action=jump chain=sanity-check comment=\
    "Drop illegal destination addresses (packet coming to LAN interface)" \
    dst-address-list=illegal_addr dst-address-type=!local in-interface=\
    "BRIDGE1(eth1,2,3,4,5,6,7,8,9,wlan1)" jump-target=drop
add action=jump chain=sanity-check comment="Drop everything that comes to LAN \
    interface, but not with LAN source address" in-interface=\
    "BRIDGE1(eth1,2,3,4,5,6,7,8,9,wlan1)" jump-target=drop src-address-list=\
    !LAN
add action=jump chain=sanity-check comment=\
    "Drop packets with illegal source addresses that come to WAN interface" \
    disabled=yes in-interface="WAN(eth10)" jump-target=drop src-address-list=\
    illegal_addr
add action=jump chain=sanity-check comment=\
    "Drop all traffic that comes from broadcast or multicast address" \
    jump-target=drop src-address-type=broadcast,multicast
add chain=input comment="Allow local traffice between Router's application" \
    dst-address-type=local src-address-type=local
add action=jump chain=input comment="Enabling DHCP (would not pass sanity-chec\
    \_so enabling it explicitly before other checks)" in-interface=\
    "BRIDGE1(eth1,2,3,4,5,6,7,8,9,wlan1)" jump-target=dhcp port=67,68 \
    protocol=udp
add action=jump chain=input comment="Jump to Sanity Check" jump-target=\
    sanity-check
add action=jump chain=input comment="Drop all packets in input chain that go t\
    o router itself, but do not have destination IP of router itself (includin\
    g broadcast traffic)" dst-address-type=!local jump-target=drop
add chain=input comment="Allow limited PING reguests (5pps)" icmp-options=8 \
    limit=5,5 protocol=icmp
add action=jump chain=input comment="Allowed services on LAN network" \
    in-interface="BRIDGE1(eth1,2,3,4,5,6,7,8,9,wlan1)" jump-target=\
    "LAN services"
add action=jump chain=input comment=\
    "Allowed services from Internet to WAN  Public Interface" in-interface=\
    PPPoE-ADSL jump-target=Public-services_1
add action=jump chain=input comment=\
    "Allowed services from VPN to Router itself" jump-target="VPN services" \
    src-address-list=VPN
add action=jump chain=input comment="Drop everything else" jump-target=drop
add chain=dhcp comment=\
    "DHCP - accept broadcast packets from 0.0.0.0 source address" \
    dst-address=255.255.255.255 src-address=0.0.0.0
add chain=dhcp comment="DHCP - accept packets from source address 0.0.0.0 to b\
    e resolved in router - DHCP service" dst-address-type=local src-address=\
    0.0.0.0
add chain=dhcp comment="DHCP - allow packets with source IP from LAN to be res\
    olved in router (DHCP renewal)" dst-address-type=local src-address-list=\
    LAN
add chain="LAN services" comment="LAN services - SSH (22/TCP)" dst-port=22 \
    protocol=tcp
add chain="LAN services" comment="LAN services - DNS (53/UDP)" dst-port=53 \
    protocol=udp
add chain="LAN services" comment="LAN services - DNS (53/TCP) - additionally" \
    dst-port=53 protocol=tcp
add chain="LAN services" comment="LAN services - HTTP (Web) Proxy (3128/TCP)" \
    disabled=yes dst-port=3128 protocol=tcp
add chain="LAN services" comment=\
    "LAN services - Mikrotik Neighbour Discovery Protocol (5678/UDP)" \
    dst-port=5678 protocol=udp
add chain="LAN services" comment="LAN services - WinBox (8291/TCP)" dst-port=\
    8291 protocol=tcp
add chain="LAN services" comment="LAN services - SNMP management (161/UDP)" \
    dst-port=161 protocol=udp
add chain="LAN services" comment="LAN services - FTP (21/TCP)" dst-port=21 \
    protocol=tcp
add chain="LAN services" comment="LAN services - HTTP (80/TCP)" dst-port=80 \
    protocol=tcp
add chain="LAN services" comment="LAN services - NTP server (123/UDP)" \
    disabled=yes dst-port=123 protocol=udp
add action=log chain="LAN services" comment="LAN services - Temporary log" \
    log-prefix="LAN services_56:"
add action=drop chain="LAN services" comment=\
    "LAN services - Drop everything else"
add chain=Public-services_1 comment="Public-services_1 - SSH (22/TCP)" \
    dst-port=22 protocol=tcp
add chain=Public-services_1 comment=\
    "Public-services_1 - PPTP - VPN (1723/UDP)" dst-port=1723 protocol=tcp
add chain=Public-services_1 comment="Public-services_1 - GRE for PPTP - VPN" \
    protocol=gre
add action=log chain=Public-services_1 comment=\
    "Public-services_1 services - Temporary log" log-prefix=\
    Public-servics_1_65:
add action=drop chain=Public-services_1 comment=\
    "Public-services_1 - Drop everything else"
add chain="VPN services" comment="VPN services - SSH (22/TCP)" dst-port=22 \
    protocol=tcp
add chain="VPN services" comment=\
    "VPN services - DNS (53/UDP) (otherwise mail forward doesn't work)" \
    disabled=yes dst-port=53 protocol=udp
add chain="VPN services" comment=\
    "VPN services - Mikrotik Neighbour Discovery Protocol (5678/UDP)" \
    dst-port=5678 protocol=udp
add chain="VPN services" comment="VPN services - WinBox (8291/TCP)" dst-port=\
    8291 protocol=tcp
add chain="VPN services" comment="VPN services - SNMP management (161/UDP)" \
    dst-port=161 protocol=udp
add chain="VPN services" comment="VPN services - FTP (21/TCP)" dst-port=21 \
    protocol=tcp
add action=log chain="VPN services" comment="VPN services - Temporary log" \
    log-prefix="VPN services_75:"
add action=drop chain="VPN services" comment=\
    "VPN services - Drop DNS packets without logging" dst-port=53 protocol=\
    udp
add action=drop chain="VPN services" comment=\
    "VPN services - Drop everything else"
add action=drop chain=drop comment="Drop NetBios traffic without logging" \
    dst-port=137-138 protocol=udp
add action=log chain=drop comment="Drop - Log before dropping" log-prefix=\
    drop_77:
add action=drop chain=drop comment="Drop everything else"
/ip firewall mangle
add action=mark-packet chain=prerouting comment=\
    "Detect packets with illegal destination IP (NAT-Traversal)" \
    dst-address-list=local_addr in-interface="WAN(eth10)" new-packet-mark=\
    illegal-nat-traversal passthrough=no
/ip firewall nat
add action=masquerade chain=srcnat out-interface="WAN(eth10)" to-addresses=\
    0.0.0.0
/ip neighbor discovery
set wlan1 disabled=yes
/ppp secret
add name=Doma password=Doma profile=VPN_sve service=pptp
/snmp
set enabled=yes trap-community=public
/system clock
set time-zone-name=Europe/Zagreb
/system identity
set name=Doma_RB2011
/system lcd
set contrast=0 enabled=no port=parallel type=24x4
/system lcd page
set time disabled=yes display-time=5s
set resources disabled=yes display-time=5s
set uptime disabled=yes display-time=5s
set packets disabled=yes display-time=5s
set bits disabled=yes display-time=5s
set version disabled=yes display-time=5s
set identity disabled=yes display-time=5s
set PPPoE-ADSL disabled=yes display-time=5s
set "BRIDGE1(eth1,2,3,4,5,6,7,8,9,wlan1)" disabled=yes display-time=5s
set wlan1 disabled=yes display-time=5s
set sfp1 disabled=yes display-time=5s
set "LAN(eth1)" disabled=yes display-time=5s
set "LAN(eth2)" disabled=yes display-time=5s
set "LAN(eth3)" disabled=yes display-time=5s
set "LAN(eth4)" disabled=yes display-time=5s
set "LAN(eth5)" disabled=yes display-time=5s
set "LAN(eth6)" disabled=yes display-time=5s
set "LAN(eth7)" disabled=yes display-time=5s
set "LAN(eth8)" disabled=yes display-time=5s
set "LAN(eth9)" disabled=yes display-time=5s
set "WAN(eth10)" disabled=yes display-time=5s
/system logging
set 0 action=echo topics=info,!firewall
add disabled=yes topics=firewall
add action=disk topics=critical
add action=disk topics=error
add topics=critical
add action=disk topics=system
add action=Firewall topics=firewall
add topics=info,!firewall
add topics=system
add action=echo topics=error
/system ntp client
set enabled=yes primary-ntp=161.53.123.5 secondary-ntp=161.53.160.5
/system scheduler
add interval=5m name=dynDNS on-event="/system script run dynDns\r\
    \n" policy=\
    ftp,reboot,read,write,policy,test,winbox,password,sniff,sensitive,api \
    start-date=jan/01/2002 start-time=02:00:02
/system script
add name=dynDNS policy=\
    ftp,reboot,read,write,policy,test,winbox,password,sniff,sensitive,api \
    source="# Define User Variables\r\
    \n:global ddnsuser \"DYNDNSUSER\"\r\
    \n:global ddnspass \"DYNDNSPASS\"\r\
    \n:global ddnshost \"xxxxxxxxxxxxxxxxx\"\r\
    \n\r\
    \n# Define Global Variables\r\
    \n:global ddnsip\r\
    \n:global ddnslastip\r\
    \n:if ([ :typeof \$ddnslastip ] = nil ) do={ :global ddnslastip \"0\" }\r\
    \n\r\
    \n:global ddnsinterface\r\
    \n:global ddnssystem (\"mt-\" . [/system package get system version] )\r\
    \n\r\
    \n# Define Local Variables\r\
    \n:local int\r\
    \n\r\
    \n# Loop thru interfaces and look for ones containing\r\
    \n# default gateways without routing-marks\r\
    \n:foreach int in=[/ip route find dst-address=0.0.0.0/0 active=yes ] do={\
    \r\
    \n  :if ([:typeof [/ip route get \$int routing-mark ]] != str ) do={\r\
    \n     :global ddnsinterface [/ip route get \$int interface]\r\
    \n  }\r\
    \n}\r\
    \n\r\
    \n# Grab the current IP address on that interface.\r\
    \n:global ddnsip [ /ip address get [/ip address find interface=\$ddnsinter\
    face ] address ]\r\
    \n\r\
    \n# Did we get an IP address to compare\?\r\
    \n:if ([ :typeof \$ddnsip ] = nil ) do={\r\
    \n   :log info (\"DynDNS: No ip address present on \" . \$ddnsinterface . \
    \", please check.\")\r\
    \n} else={\r\
    \n  :if (\$ddnsip != \$ddnslastip) do={\r\
    \n    :log info \"DynDNS: Sending UPDATE!\"\r\
    \n    :local str \"/nic/update\?hostname=\$ddnshost&myip=\$ddnsip&wildcard\
    =NOCHG&mx=NOCHG&backmx=NOCHG\"\r\
    \n    /tool fetch address=members.dyndns.org src-path=\$str mode=http user\
    =\$ddnsuser \\\r\
    \n        password=\$ddnspass dst-path=(\"/DynDNS.\".\$ddnshost)\r\
    \n    :delay 1\r\
    \n    :local str [/file find name=\"DynDNS.\$ddnshost\"];\r\
    \n    /file remove \$str\r\
    \n    :global ddnslastip \$ddnsip\r\
    \n  }\r\
    \n}\r\
    \n"
/tool sniffer
set filter-direction=any interface="BRIDGE1(eth1,2,3,4,5,6,7,8,9,wlan1)"
Please help me solve this mystery.
nickshore
Member
Posts: 472
Joined: Thu Mar 03, 2005 4:14 pm
Location: Suffolk, UK.

Re: RB2011 firewall - can't block winbox on one port

Fri Dec 21, 2012 12:44 pm

To disable winbox access using the MAC address you have to disable the mac-server on the NIC.

Go to Tools -> MAC Server

Click on the WinBox Interfaces tab.

By default this is probably set to all.

You can add specific interfaces, and disable the all entry.

Hope that helps

Nick.
Nick Shore MTCNA MTCWE MTCRE MTCINE MTCTCE
LinITX.com - MultiThread Consultants
Get your MikroTik RBs and Training: http://linitx.com/brand/mikrotik
Official UK MikroTik Distributor
IRC chan: #routerboard on irc.z.je (IPv4 and IPv6)
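The change Nick describes, written out as RouterOS CLI against the interface names from the export in the first post. This is an added example, not part of the original thread; it uses the pre-6.41 per-interface form of /tool mac-server (the export says RouterOS 5.22), and the 6.41+ interface-list form is given in comments as an assumption about what a newer router would need.

```routeros
# Added example: restrict MAC-Winbox and MAC-Telnet to the LAN bridge only.
# Interface names are taken from the export above; command syntax is the
# RouterOS 5.x / 6.x (pre-6.41) form of /tool mac-server.

# 1. MAC-Winbox: the layer-2 path that the first post is trying to block on eth10.
#    Disable the default "all" entry and allow only the LAN bridge.
/tool mac-server mac-winbox
disable [ find interface=all ]
add interface="BRIDGE1(eth1,2,3,4,5,6,7,8,9,wlan1)" disabled=no

# 2. MAC-Telnet uses the same mechanism; lock it down the same way.
/tool mac-server
disable [ find interface=all ]
add interface="BRIDGE1(eth1,2,3,4,5,6,7,8,9,wlan1)" disabled=no

# 3. Neighbor discovery (UDP 5678) is what lets Winbox list the router by MAC.
#    The export already turns it off on wlan1; do the same on the WAN port.
/ip neighbor discovery
set "WAN(eth10)" disabled=yes

# 4. Check the result: only the bridge entry should be enabled in both lists.
/tool mac-server mac-winbox print
/tool mac-server print

# RouterOS 6.41 and later replaced the per-interface entries with an interface
# list. Assumed equivalent (list name LAN is an assumption, not from the post):
# /interface list add name=LAN
# /interface list member add list=LAN interface="BRIDGE1(eth1,2,3,4,5,6,7,8,9,wlan1)"
# /tool mac-server set allowed-interface-list=LAN
# /tool mac-server mac-winbox set allowed-interface-list=LAN
```

After applying this, retest the way the first post describes: cable a laptop to eth10, the router should no longer appear in Winbox's neighbor list and a login by MAC address should fail, while the same login from any bridge port still works. Two caveats: the existing /ip firewall filter drops on UDP 5678 and 20561 stay useful only as counters and logs, because the thread shows they do not stop a MAC-Winbox session; and a bridge filter (/interface bridge filter) only inspects frames on bridge ports, and eth10 is not a bridge port in this configuration, so the mac-server restriction is the control that actually applies on that port.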
 
miro10hr
Frequent Visitor
Topic Author
Posts: 99
Joined: Fri Nov 11, 2011 3:03 pm

Re: RB2011 firewall - can't block winbox on one port

Fri Dec 21, 2012 2:14 pm

Yes, it works this way. If I disable all interfaces and leave out only the WAN interface (ethernet port 10), I cannot connect on that port.

Now I am interested in why the firewall rules don't do the same job.

It seems like packets first pass the mac server check and then come to the firewall check. For the moment I don't have the device here, but it came to my mind that probably I should turn on the bridging firewall. Maybe that would be a solution.
janisk
MikroTik Support
Posts: 6283
Joined: Tue Feb 14, 2006 9:46 am
Location: Riga, Latvia

Re: RB2011 firewall - can't block winbox on one port

Fri Dec 21, 2012 2:23 pm

IP firewall is layer 3, while mac-telnet and mac-winbox are layer 2, so you might have better luck with the bridge firewall. Best to use the method you are using now to limit availability of mac-winbox, as layer 2 can only live within one Ethernet area, and to pass the border it has to go through layer 3.
 
miro10hr
Frequent Visitor
Topic Author
Posts: 99
Joined: Fri Nov 11, 2011 3:03 pm

Re: RB2011 firewall - can't block winbox on one port

Fri Dec 21, 2012 3:52 pm

Yes, but the IP fields while using Winbox are not empty; inside is the broadcast address 255.255.255.255.

So it is passing the IP layer also and is matched by the layer 3 firewall. And I can see in the rule counters that winbox packets on that port are being dropped.
But it seems that they are being dropped by the firewall after the connection is made, because I can control the router. It is a little strange behavior, I can't completely explain it, but it seems it's behaving like that.
