antoxic
Frequent Visitor
Topic Author
Posts: 86
Joined: Wed Jul 22, 2015 2:50 pm
Location: Spain

ROS7: Firewall rule triggering incorrectly

Thu Jun 30, 2022 12:14 pm

Hi.

I'm running RouterOS 7.3.1 on a RB5009.
I have 2 DNS servers at home and I want to log the DNS requests from all the IP addresses except those two servers. In the firewall, I have created the two following rules:
/ip firewall filter
add action=accept chain=forward dst-port=53 log=yes log-prefix=_dns2 out-interface=vlan1609-spf1-ptp-dvblab protocol=udp \
    src-address=!192.168.69.2
add action=accept chain=forward dst-port=53 log=yes log-prefix=_dns3 out-interface=vlan1609-spf1-ptp-dvblab protocol=udp \
    src-address=!192.168.69.3
From what I understand, those rules should accept and log all the traffic to UDP port 53 coming from any IP except 192.168.69.2 and 192.168.69.3. But in the logs I get the following messages:
 11:07:56 firewall,info _dns3 forward: in:vlan69-data out:vlan1609-spf1-ptp-dvblab, src-mac 6e:dd:5f:40:06:68, proto UDP, 192.168.69.2:55996->8.8.8.8:53, len 71
 11:07:56 firewall,info _dns3 forward: in:vlan69-data out:vlan1609-spf1-ptp-dvblab, src-mac 6e:dd:5f:40:06:68, proto UDP, 192.168.69.2:51263->9.9.9.9:53, len 71
 11:09:57 firewall,info _dns3 forward: in:vlan69-data out:vlan1609-spf1-ptp-dvblab, src-mac 6e:dd:5f:40:06:68, proto UDP, 192.168.69.2:27622->8.8.8.8:53, len 71
 11:09:57 firewall,info _dns3 forward: in:vlan69-data out:vlan1609-spf1-ptp-dvblab, src-mac 6e:dd:5f:40:06:68, proto UDP, 192.168.69.2:27373->9.9.9.9:53, len 71
Looks like the firewall rule is ignoring the ! in front of the IP addresses, or am I wrong?

Thanks in advance.
Regards
 
eworm
Forum Guru
Posts: 1070
Joined: Wed Oct 22, 2014 9:23 am
Location: Oberhausen, Germany

Re: ROS7: Firewall rule triggering incorrectly

Thu Jun 30, 2022 12:26 pm

This is correct... Each rule excludes one address, but the other one allows it nevertheless.
 
antoxic
Frequent Visitor
Topic Author
Posts: 86
Joined: Wed Jul 22, 2015 2:50 pm
Location: Spain

Re: ROS7: Firewall rule triggering incorrectly

Thu Jun 30, 2022 12:28 pm

> This is correct... Each rule excludes one address, but the other one allows it nevertheless.
Oh, silly me, now I get it! Thank you very much! I will make an address list with both servers and put them into a single rule.
 
eworm
Forum Guru
Posts: 1070
Joined: Wed Oct 22, 2014 9:23 am
Location: Oberhausen, Germany

Re: ROS7: Firewall rule triggering incorrectly

Thu Jun 30, 2022 12:29 pm

You could try something like this:
/ip/firewall/address-list/add list=dns-server address=192.168.69.2
/ip/firewall/address-list/add list=dns-server address=192.168.69.3
/ip/firewall/filter/add action=accept chain=forward dst-port=53 log=yes log-prefix=_dns out-interface=vlan1609-spf1-ptp-dvblab protocol=udp src-address-list=!dns-server
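
The following is an added example and is not code from the thread or from MikroTik; it models the firewall behaviour eworm describes. RouterOS filter chains are evaluated top to bottom and `accept` is terminating, so a packet is handled by the first rule whose matchers all hold. The script below is a small, hypothetical simulator of that first-match logic (it ignores connection tracking and every matcher not used in the thread) and runs both rule sets over the addresses from the posts: the two negated rules log 192.168.69.2 under `_dns3` exactly as in the original log lines, while the single `src-address-list=!dns-server` rule leaves both servers unmatched. The rule and address-list names are the ones from the thread; everything else is a constructed fixture.

```python
"""First-match simulation of the two negated src-address rules versus
one negated src-address-list rule (added example, not RouterOS code)."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Dict, List, Optional, Tuple


@dataclass
class Packet:
    src: str
    dst: str
    dport: int
    proto: str = "udp"
    out_iface: str = "vlan1609-spf1-ptp-dvblab"


@dataclass
class Rule:
    """Subset of the /ip/firewall/filter matchers used in the thread."""
    action: str
    log_prefix: str
    src_address: Optional[str] = None       # e.g. "!192.168.69.2"
    src_address_list: Optional[str] = None  # e.g. "!dns-server"
    dst_port: int = 53
    protocol: str = "udp"
    out_interface: str = "vlan1609-spf1-ptp-dvblab"


def _negated(value: str) -> Tuple[bool, str]:
    """Split a RouterOS-style matcher into (is_negated, bare_value)."""
    return (True, value[1:]) if value.startswith("!") else (False, value)


def matches(rule: Rule, pkt: Packet, lists: Dict[str, List[str]]) -> bool:
    """True when every matcher of the rule holds for the packet."""
    if pkt.proto != rule.protocol or pkt.dport != rule.dst_port:
        return False
    if pkt.out_iface != rule.out_interface:
        return False
    src = ip_address(pkt.src)
    if rule.src_address is not None:
        neg, addr = _negated(rule.src_address)
        hit = src in ip_network(addr, strict=False)
        if hit == neg:   # matcher holds only when hit XOR negated
            return False
    if rule.src_address_list is not None:
        neg, name = _negated(rule.src_address_list)
        hit = any(src in ip_network(a, strict=False) for a in lists.get(name, []))
        if hit == neg:
            return False
    return True


def evaluate(rules: List[Rule], pkt: Packet,
             lists: Optional[Dict[str, List[str]]] = None) -> Tuple[str, Optional[str]]:
    """Return (action, log_prefix) of the first matching rule, top to bottom."""
    lists = lists or {}
    for rule in rules:
        if matches(rule, pkt, lists):
            return rule.action, rule.log_prefix
    return "default", None   # fell through the whole chain


def logged_as(rules: List[Rule], src: str,
              lists: Optional[Dict[str, List[str]]] = None) -> Optional[str]:
    """Log prefix under which a DNS query from `src` to 8.8.8.8 would appear."""
    return evaluate(rules, Packet(src=src, dst="8.8.8.8", dport=53), lists)[1]


# The two rules from the first post: each negates only its own server.
ORIGINAL_RULES = [
    Rule("accept", "_dns2", src_address="!192.168.69.2"),
    Rule("accept", "_dns3", src_address="!192.168.69.3"),
]

# eworm's fix: both servers in one list, one rule negating the list.
FIXED_LISTS = {"dns-server": ["192.168.69.2", "192.168.69.3"]}
FIXED_RULES = [Rule("accept", "_dns", src_address_list="!dns-server")]


if __name__ == "__main__":
    for src in ("192.168.69.2", "192.168.69.3", "192.168.69.50"):
        print(f"{src:>14}  two negated rules -> {logged_as(ORIGINAL_RULES, src)!s:6}"
              f"  address-list rule -> {logged_as(FIXED_RULES, src, FIXED_LISTS)}")
```

Reading the output for 192.168.69.2: the first rule's `!192.168.69.2` fails, so the packet falls through to the second rule, whose `!192.168.69.3` holds, and it is accepted and logged with `_dns3`. Two negated rules in sequence accept the union of what each allows; only a single rule whose one matcher negates the whole set (the address list) excludes both servers.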
 
antoxic
Frequent Visitor
Topic Author
Posts: 86
Joined: Wed Jul 22, 2015 2:50 pm
Location: Spain

Re: ROS7: Firewall rule triggering incorrectly

Thu Jun 30, 2022 6:37 pm

> You could try something like this:
> /ip/firewall/address-list/add list=dns-server address=192.168.69.2
> /ip/firewall/address-list/add list=dns-server address=192.168.69.3
> /ip/firewall/filter/add action=accept chain=forward dst-port=53 log=yes log-prefix=_dns out-interface=vlan1609-spf1-ptp-dvblab protocol=udp src-address-list=!dns-server
Yes, exactly! Works like a charm! Thanks
