bogomips
just joined
Topic Author
Posts: 1
Joined: Sun Sep 12, 2021 7:55 am

Firewall rule works with interface, but not interface-list?

Fri Sep 17, 2021 1:43 pm

Hi

I have a CCR1009-7G-1C-PC (on 6.48), and I'm trying to set up my firewall. After reading many threads, I can see interface-lists are often used. I like the idea, since you can group interfaces, making firewall rules easier to write, and you can give it a descriptive name "Trusted" / "Untrusted".

I've been trying to write my firewall rules only with interface-lists (I have pretty basic requirements), but I've gotten to a point where 1 drop-rule will work when I use the base interface, but refuses to work when I use the interface-list.

Setup:
vlan2 - trusted devices
vlan3 - untrusted devices
/interface vlan
add interface=bridge-vlan name=vlan2 vlan-id=2
add interface=bridge-vlan name=vlan3 vlan-id=3
/interface list
add name=Trusted
add name=Untrusted
add name=WAN
...
/interface list member
add interface=ether1 list=WAN
add interface=vlan2 list=Trusted
add interface=vlan3 list=Untrusted
...


Firewall Requirements:
trusted devices can see internet, and untrusted devices.
untrusted devices can only see internet

The firewall rules below were adapted from here: viewtopic.php?t=93309

Working, with interface:
In the example below, rules 1 and 2 work with interface-list, and rule 3 works with interface.
This gives both vlans internet access, trusted can see untrusted, but untrusted cannot see trusted.
/ip firewall filter
add action=accept chain=forward in-interface-list=Trusted
add action=accept chain=forward connection-state=established,related in-interface-list=Untrusted
add action=drop chain=forward in-interface=vlan3 out-interface=vlan2

/ip firewall nat
add action=masquerade chain=srcnat out-interface-list=WAN


NOT Working, with interface-lists:
In the example below, rule 3 has been converted to interface-list, and doesn't work.
With this configuration, both vlans can see internet, and each other.
/ip firewall filter
add action=accept chain=forward in-interface-list=Trusted
add action=accept chain=forward connection-state=established,related in-interface-list=Untrusted
add action=drop chain=forward in-interface-list=Trusted out-interface-list=Untrusted

/ip firewall nat
add action=masquerade chain=srcnat out-interface-list=WAN


Am I nuts? Shouldn't this work?

Thanks
 
ConnyMercier
Forum Veteran
Posts: 723
Joined: Tue Dec 17, 2019 1:08 pm

Re: Firewall rule works with interface, but not interface-list?

Mon Nov 08, 2021 2:31 am

Maybe a bug.... but more likely a mistake in the Config

Can you please export your Config and Post it on the Forum (/export hide-sensitive file=anynameyouwish)
 
anav
Forum Guru
Posts: 18959
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Firewall rule works with interface, but not interface-list?

Mon Nov 08, 2021 2:38 am

Interface lists are excellent ways to manage GROUPs of users or devices (aka subnets).
Firewall address lists are better to form a group of USERs that is less than a subnet, like a subset of IPs on a subnet, IPs from different subnets, or mix of IPs and whole subnets!!!
 
anav
Forum Guru
Posts: 18959
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Firewall rule works with interface, but not interface-list?

Mon Nov 08, 2021 2:53 am

As for your Interface lists, looks okayish
Here is what you want
/interface list
-WAN
-LAN
-TRUSTED

/interface list members
WAN -ether1
LAN -vlan3
LAN-vlan2
TRUSTED-vlan2

You don't really need to distinguish TRUSTED or UNTRUSTED because you only have one vlan of each so no GROUPS of vlans here.
In other words your firewall rules should be very simple!

The reason to keep the TRUSTED interface is because you will need that in
tools: mac winmac server interface=TRUSTED. ( it only allows selections from the interface list )

Your source for firewall rules is utter crap.
USE DEFAULT RULES
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
connection-state=established,related
add action=accept chain=forward comment=\
"defconf: accept established,related, untracked" connection-state=\
established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
connection-state=invalid
add action=drop chain=forward comment=\
"defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
connection-state=new in-interface-list=WAN
add action=drop chain=forward in-interface=vlan3 out-interface=vlan2 (or you could use out-interface-list=TRUSTED)

Do post the rest of your config as requested.
 
anav
Forum Guru
Posts: 18959
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Firewall rule works with interface, but not interface-list?

Mon Nov 08, 2021 2:55 am

What is amusing is that you blocked the trusted vlan from reaching the untrusted vlan,
add action=drop chain=forward in-interface-list=Trusted out-interface-list=Untrusted

whereas I am pretty sure you wanted the reverse,
the untrusted vlan not able to reach the trusted vlan. ;-)
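To make the swapped in/out lists visible without a router, here is an added example (not from the thread or from MikroTik): a small first-match simulation of the forward chain over the interface lists and the three rule sets quoted in the original post, plus the same drop rule written with the lists in the intended direction. It assumes RouterOS's behaviour that a packet matching no rule in the chain is accepted.

```python
# Added example, not from the thread: first-match simulation of the RouterOS
# forward chain over the interface lists and rule sets quoted in the post.
INTERFACE_LISTS = {"WAN": {"ether1"}, "Trusted": {"vlan2"}, "Untrusted": {"vlan3"}}

def rule_matches(rule, pkt):
    """Every matcher present in the rule must hold; absent matchers are wildcards."""
    checks = (
        ("in-interface", pkt["in"] == rule.get("in-interface")),
        ("out-interface", pkt["out"] == rule.get("out-interface")),
        ("in-interface-list", pkt["in"] in INTERFACE_LISTS.get(rule.get("in-interface-list"), ())),
        ("out-interface-list", pkt["out"] in INTERFACE_LISTS.get(rule.get("out-interface-list"), ())),
        ("connection-state", pkt["state"] in rule.get("connection-state", ())),
    )
    return all(ok for key, ok in checks if key in rule)

def verdict(rules, in_iface, out_iface, state="new"):
    """First matching rule decides; an unmatched chain is accepted (assumed RouterOS default)."""
    pkt = {"in": in_iface, "out": out_iface, "state": state}
    for rule in rules:
        if rule_matches(rule, pkt):
            return rule["action"]
    return "accept"

ESTABLISHED = {"established", "related"}
# The poster's working set: rule 3 drops by plain interface name
WORKING = [
    {"action": "accept", "in-interface-list": "Trusted"},
    {"action": "accept", "connection-state": ESTABLISHED, "in-interface-list": "Untrusted"},
    {"action": "drop", "in-interface": "vlan3", "out-interface": "vlan2"},
]
# The poster's "not working" set: in/out lists are the reverse of rule 3 above
NOT_WORKING = WORKING[:2] + [
    {"action": "drop", "in-interface-list": "Trusted", "out-interface-list": "Untrusted"},
]
# Same drop rule with lists, in the direction the poster actually wanted
FIXED = WORKING[:2] + [
    {"action": "drop", "in-interface-list": "Untrusted", "out-interface-list": "Trusted"},
]

def policy_report(rules):
    """Verdicts for the flows named in the poster's firewall requirements."""
    return {
        "trusted->internet": verdict(rules, "vlan2", "ether1"),
        "untrusted->internet": verdict(rules, "vlan3", "ether1"),
        "trusted->untrusted": verdict(rules, "vlan2", "vlan3"),
        "untrusted->trusted": verdict(rules, "vlan3", "vlan2"),
        "untrusted->trusted (reply)": verdict(rules, "vlan3", "vlan2", "established"),
    }
```

Running `policy_report` on each set shows that only the list-based drop rule with Untrusted as in-interface-list and Trusted as out-interface-list blocks new connections from vlan3 to vlan2; the reversed rule never affects that flow, so the chain falls through to accept.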
