webguyz
Frequent Visitor
Topic Author
Posts: 52
Joined: Tue May 29, 2007 7:40 pm

Not getting browser response back on new subnet

Mon Sep 09, 2019 4:59 pm

Have a new subnet from my isp so I set up a Mikrotik CHR as a VM (on Hyper-v server).
It seems to work ok but if I RDP into a windows machine on that subnet I can not get any browser responses back from within that vm. If I disable that final DROP all statement then the browser responses show up. I was under the impression that the initial forward rule (established,related) took care of allowing responses from requests being sent out?

Here are my rules on that subnet. Ping and Ping by name all return proper responses and I can access the Windows machine just fine, just not get any responses back from requests generated inside that VM on that new subnet.

[root@MikroTik] /ip firewall filter> print
Flags: X - disabled, I - invalid, D - dynamic
0 ;;; Allow Established connections
chain=forward action=accept connection-state=established,related log=no
log-prefix=""

1 ;;; RDP allowed
chain=forward action=accept protocol=tcp src-address-list=RDP Allowed
dst-port=3389 log=no log-prefix=""

2 ;;; Allow ICMP
chain=forward action=accept protocol=icmp log=no log-prefix=""

3 ;;; Drop everything else
chain=forward action=drop protocol=tcp log=no log-prefix=""
[root@MikroTik] /ip firewall filter>

Thanks!
 
pe1chl
Forum Guru
Posts: 10672
Joined: Mon Jun 08, 2015 12:09 pm

Re: Not getting browser response back on new subnet

Mon Sep 09, 2019 5:11 pm

You have no rule that allows new traffic from inside the subnet except for ICMP. So that is not surprising.
Also the "Drop everything else" comment for rule 3 is misleading because that is not what the rule does.
(and because there is a default "Accept" at the end of every rule list it will make your network potentially vulnerable)
 
webguyz
Frequent Visitor
Topic Author
Posts: 52
Joined: Tue May 29, 2007 7:40 pm

Re: Not getting browser response back on new subnet

Mon Sep 09, 2019 5:32 pm

> You have no rule that allows new traffic from inside the subnet except for ICMP. So that is not surprising.
> Also the "Drop everything else" comment for rule 3 is misleading because that is not what the rule does.
> (and because there is a default "Accept" at the end of every rule list it will make your network potentially vulnerable)

Can you give me a hint of a rule that allows new traffic inside the subnet or point me to a URL? I am not using NAT, just straight routing. My main MikroTik had a Drop everything rule at the end of all filter lists. Is this not the proper way to securely allow only ports I have opened in the rule?

Thanks
 
pe1chl
Forum Guru
Posts: 10672
Joined: Mon Jun 08, 2015 12:09 pm

Re: Not getting browser response back on new subnet

Mon Sep 09, 2019 5:45 pm

It is a good idea to have a drop everything rule at the end of a list that only allows intended traffic, but it is not a good idea to have a rule with comment "Drop everything" that in reality does not drop everything!
That only confuses you and anyone else looking at it.

And you have to insert a rule that allows the traffic you want to allow (from your new subnet to outside). You will have to add that before rule #3.
 
webguyz
Frequent Visitor
Topic Author
Posts: 52
Joined: Tue May 29, 2007 7:40 pm

Re: Not getting browser response back on new subnet

Mon Sep 09, 2019 6:02 pm

I have a rule #1 RDP port 3389 which is for Windows Remote Desktop. It works great and allows access to the Windows servers on that subnet and all functions on that server.
But when I go to Chrome on that server it does not go to the website. If I type google.com.com or ipchicken.com nothing comes back to the browser.

If I remove the Drop statement at the end of the rule then the browser on the server I am logged into works and returns the website I'm trying to access.

This tells me the response (which should be above port 1024) is not being allowed. I thought the purpose of the established and related rules was to allow any traffic that was related to my request. If my request goes out on port 80 and the response is on port 13456 then the established-related rule would realize this was a response and let all the traffic through.
 
pe1chl
Forum Guru
Posts: 10672
Joined: Mon Jun 08, 2015 12:09 pm

Re: Not getting browser response back on new subnet

Mon Sep 09, 2019 6:49 pm

The established/related rule allows traffic to already established connections.
To allow the connection to be established you need another rule further down.
Usually you would allow limited traffic inbound (e.g. your RDP session) and all traffic outbound.
You should add another rule to allow your outbound traffic. And it also is a good idea to specify your traffic more precisely, not allow all traffic to TCP port 3389 at any address, but explicitly specify the address(es) you want to allow.
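To make the point above concrete, here is an added example (it is not from this thread and not MikroTik code) that models how a stateful forward chain evaluates packets top to bottom with the implicit accept at the end. It runs the poster's four rules and a corrected chain (an extra rule accepting connection-state=new from the new subnet towards the WAN, and a final drop with no protocol restriction) against constructed packets. The interface names vlan-new and wan, the addresses, and the rendered RouterOS command lines are assumptions for illustration only; check them against your own /export before using anything similar.

```python
"""Model of a RouterOS-style stateful forward chain (added example).

Shows why an established/related rule alone never starts a new outbound
connection, and why a drop rule restricted to protocol=tcp is not
"drop everything": anything non-TCP falls through to the default accept.
All addresses, interface names and address lists are constructed placeholders.
"""

INSIDE = "203.0.113.10"      # Windows host on the new subnet (constructed)
WEB = "198.51.100.5"         # some web server on the internet (constructed)
RDP_CLIENT = "192.0.2.7"     # admin workstation allowed to RDP in (constructed)
ADDRESS_LISTS = {"RDP Allowed": {RDP_CLIENT}}

# Maps rule matcher names to packet fields for the simple equality matchers.
FIELD_TO_KEY = {"protocol": "proto", "dst-port": "dport",
                "in-interface": "in_if", "out-interface": "out_if"}


def packet(proto, src, sport, dst, dport, in_if, out_if):
    return dict(proto=proto, src=src, sport=sport, dst=dst, dport=dport,
                in_if=in_if, out_if=out_if)


def matches(rule, pkt, state):
    """True if every matcher in the rule matches the packet."""
    for field, wanted in rule.items():
        if field in ("action", "comment"):
            continue
        if field == "connection-state":
            if state not in wanted.split(","):
                return False
        elif field == "src-address-list":
            if pkt["src"] not in ADDRESS_LISTS[wanted]:
                return False
        elif pkt[FIELD_TO_KEY[field]] != wanted:
            return False
    return True


def evaluate(rules, pkt, conntrack):
    """Return the action of the first matching rule, else the implicit accept.

    conntrack holds 5-tuples of accepted flows; a packet matching a tracked
    flow in either direction is 'established', anything else is 'new'.
    ('related', e.g. ICMP errors for a tracked flow, is left out of the model.)
    """
    key = (pkt["proto"], pkt["src"], pkt["sport"], pkt["dst"], pkt["dport"])
    reverse = (pkt["proto"], pkt["dst"], pkt["dport"], pkt["src"], pkt["sport"])
    state = "established" if key in conntrack or reverse in conntrack else "new"
    for rule in rules:
        if matches(rule, pkt, state):
            if rule["action"] == "accept":
                conntrack.add(key)   # accepted traffic creates/refreshes the flow
            return rule["action"]
    return "accept"                  # default at the end of a RouterOS chain


ESTABLISHED = {"comment": "Allow Established connections", "action": "accept",
               "connection-state": "established,related"}
RDP = {"comment": "RDP allowed", "action": "accept", "protocol": "tcp",
       "src-address-list": "RDP Allowed", "dst-port": 3389}
ICMP = {"comment": "Allow ICMP", "action": "accept", "protocol": "icmp"}

# The chain as posted: the final rule only drops TCP.
ORIGINAL = [ESTABLISHED, RDP, ICMP,
            {"comment": "Drop everything else", "action": "drop", "protocol": "tcp"}]

# Corrected chain: new connections from the subnet outwards are accepted,
# and the final drop really drops everything that was not accepted earlier.
FIXED = [ESTABLISHED,
         {"comment": "Allow new outbound from new subnet", "action": "accept",
          "connection-state": "new", "in-interface": "vlan-new", "out-interface": "wan"},
         RDP, ICMP,
         {"comment": "Drop everything else", "action": "drop"}]


def run_scenarios(rules):
    """Verdict for each constructed packet, evaluated in order on a fresh table."""
    ct, v = set(), {}
    v["outbound_http_syn"] = evaluate(rules, packet("tcp", INSIDE, 51000, WEB, 80, "vlan-new", "wan"), ct)
    v["http_reply"] = evaluate(rules, packet("tcp", WEB, 80, INSIDE, 51000, "wan", "vlan-new"), ct)
    v["rdp_from_allowed_client"] = evaluate(rules, packet("tcp", RDP_CLIENT, 40000, INSIDE, 3389, "wan", "vlan-new"), ct)
    v["rdp_reply"] = evaluate(rules, packet("tcp", INSIDE, 3389, RDP_CLIENT, 40000, "vlan-new", "wan"), ct)
    v["unsolicited_inbound_udp"] = evaluate(rules, packet("udp", WEB, 9999, INSIDE, 161, "wan", "vlan-new"), ct)
    return v


def to_routeros(rules):
    """Render the model rules as RouterOS CLI lines (assumed syntax, illustrative)."""
    lines = []
    for rule in rules:
        parts = ["/ip firewall filter add chain=forward"]
        for field, value in rule.items():
            value = str(value)
            parts.append(f'{field}="{value}"' if " " in value else f"{field}={value}")
        lines.append(" ".join(parts))
    return lines


if __name__ == "__main__":
    for name, rules in (("ORIGINAL", ORIGINAL), ("FIXED", FIXED)):
        print(name, run_scenarios(rules))
    print("\n".join(to_routeros(FIXED)))
```

With the original chain the outbound SYN is "new", so rule 0 does not match and rule 3 drops it; no reply ever exists for the established rule to accept, which is exactly the symptom in the thread. The same chain lets an unsolicited inbound UDP packet through to the default accept because the last rule only matches TCP. In the corrected chain the SYN is accepted by the new-connection rule, the reply is then "established", and the unrestricted final drop catches the stray UDP.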
 
webguyz
Frequent Visitor
Topic Author
Posts: 52
Joined: Tue May 29, 2007 7:40 pm

Re: Not getting browser response back on new subnet

Mon Sep 09, 2019 6:56 pm
> You should add another rule to allow your outbound traffic.

Can you give me a sample of a rule to allow outbound traffic?
 
pe1chl
Forum Guru
Posts: 10672
Joined: Mon Jun 08, 2015 12:09 pm

Re: Not getting browser response back on new subnet

Mon Sep 09, 2019 6:58 pm

Post your existing configuration exported using "/export hide-sensitive". Otherwise it is impossible to make single-line config items that fit into your total situation.
Also specify what you want to allow.
 
webguyz
Frequent Visitor
Topic Author
Posts: 52
Joined: Tue May 29, 2007 7:40 pm

Re: Not getting browser response back on new subnet

Mon Sep 09, 2019 9:54 pm

Decided to create rules for well-known ports like 22, 3306, etc. with the DROP option and then set up access lists for valid users. The subnet is not that large and it will work out best that way.

Thanks!