tomislav91
Member
Topic Author
Posts: 303
Joined: Fri May 26, 2017 12:47 pm

copy reverse in firewall?

Fri Sep 16, 2022 10:59 am

This is more of a request than a problem.
Please add a copy reverse option when doing NATs. That would be very helpful.
 
rextended
Forum Guru
Posts: 11982
Joined: Tue Feb 25, 2014 12:49 pm
Location: Italy

Re: copy reverse in firewall?

Fri Sep 16, 2022 11:55 am

This is not the correct way to make requests.

But what exactly are you talking about anyway?
 
tomislav91
Member
Topic Author
Posts: 303
Joined: Fri May 26, 2017 12:47 pm

Re: copy reverse in firewall?

Tue Sep 20, 2022 2:49 pm

This is not the correct way to make requests.

But what exactly are you talking about anyway?
Like any other firewall has.
If I make rules in both directions, usually I will copy the rule and change the source/destination IP, but it would be better to have a copy reversed option to swap the source and destination IP.
Not only in NAT rules, also in FILTER; the logic is the same.
 
anav
Forum Guru
Posts: 19101
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: copy reverse in firewall?

Tue Sep 20, 2022 3:23 pm

No your logic is flawed.

A rule is one way on purpose!
If I allow the admin on one vlan, access to a shared printer on another vlan, that means I am allowing traffic ORIGINATING from the admin to access the printer, as desired.

I DO NOT WANT the printer being able to originate and reach the admin as a default rule of any sort. BAD BAD BAD.
Most admins like the concept of BLOCK ALL and only allow traffic that is specifically and explicitly allowed.

Also, do not get confused: when I say a one way rule, this means the return traffic from the originating request is passed back to the originator. One does not need a return firewall rule to allow the answer to get back to the originator. It's all considered the same session!! The key is where the traffic originated and where it is going to!
 
rextended
Forum Guru
Posts: 11982
Joined: Tue Feb 25, 2014 12:49 pm
Location: Italy

Re: copy reverse in firewall?

Tue Sep 20, 2022 7:02 pm

like anyother firewall has.
I just checked some toys from Tenda, Zyxel, D-Link and TP-Link; none of them have that option...
"Any other", for me, at this point, does not exist.

I do not remember that option on Cisco...

In all these years that I have been working, it has never helped me to copy the reverse(¹)… of something, also because "on the contrary" would not make sense or would be useless ....
 
Sob
Forum Guru
Posts: 9119
Joined: Mon Apr 20, 2009 9:11 pm

Re: copy reverse in firewall?

Tue Sep 20, 2022 7:07 pm

Just to complete @anav's answer: return traffic works automatically if you have a stateful firewall (which is generally a good idea), i.e. you allow established connections with connection-state=established,related.
 
tomislav91
Member
Topic Author
Posts: 303
Joined: Fri May 26, 2017 12:47 pm

Re: copy reverse in firewall?

Tue Sep 20, 2022 8:58 pm

like anyother firewall has.
I just checked some toys from Tenda, Zyxel, D-Link and TP-Link; none of them have that option...
"Any other", for me, at this point, does not exist.

I do not remember that option on Cisco...

In all these years that I have been working, it has never helped me to copy "the reverse"(¹) of something, also because "on the contrary" would not make sense or would be useless ....
Try it on FortiGate :)
Clone Reverse is the option name.
 
rextended
Forum Guru
Posts: 11982
Joined: Tue Feb 25, 2014 12:49 pm
Location: Italy

Re: copy reverse in firewall?

Tue Sep 20, 2022 10:24 pm

FortiGate != "anyother"
 
anav
Forum Guru
Posts: 19101
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: copy reverse in firewall?

Tue Sep 20, 2022 11:21 pm

OMFG, you can copy firewall rules (not that hard to switch in-interface to out-interface, or src-address to dst-address, etc.)
 
Jotne
Forum Guru
Posts: 3291
Joined: Sat Dec 24, 2016 11:17 am
Location: Magrathean

Re: copy reverse in firewall?  [SOLVED]

Wed Sep 21, 2022 7:58 am

Clone Reverse is not something you need to do to make the firewall work. It would be interesting to see your FortiGate firewall if you have done that for all your rules???
It's just like anav writes, an option for you to save some clicks if you need a reverse rule to be created.

Reading the manual does help:
https://docs.fortinet.com/document/fort ... ch%20other.
 
tomislav91
Member
Topic Author
Posts: 303
Joined: Fri May 26, 2017 12:47 pm

Re: copy reverse in firewall?

Wed Sep 21, 2022 10:30 am

No your logic is flawed.

A rule is one way on purpose!
If I allow the admin on one vlan, access to a shared printer on another vlan, that means I am allowing traffic ORIGINATING from the admin to access the printer, as desired.

I DO NOT WANT the printer being able to originate and reach the admin as a default rule of any sort. BAD BAD BAD.
Most admins like the concept of BLOCK ALL and only allow traffic that is specifically and explicitly allowed.

Also, do not get confused: when I say a one way rule, this means the return traffic from the originating request is passed back to the originator. One does not need a return firewall rule to allow the answer to get back to the originator. It's all considered the same session!! The key is where the traffic originated and where it is going to!
I am not talking about traffic that is not required. What about computers in the managed server group, where they must initiate conversations with each other (for load balancing information sharing, for example), and what if there are no internal routes for that kind of traffic (if both servers are inside or outside the DMZ segment)? A bi-directional rule is needed then.
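As an added example (not from any post in this thread), here is a constructed RouterOS v7 filter set that shows anav's and Sob's point about stateful return traffic next to the genuinely bidirectional server-to-server case raised above; all addresses, list names and comments are made up.

```routeros
# Constructed RouterOS v7 filter set (example, not from the thread).
# Addresses, lists and comments are made up for illustration.
/ip firewall address-list
add list=admin-hosts address=10.10.10.0/24 comment="constructed"
add list=printers    address=10.10.20.50   comment="constructed"
add list=srv-a       address=10.10.30.10   comment="constructed"
add list=srv-b       address=10.10.30.11   comment="constructed"

/ip firewall filter
# 1. Stateful shortcut: replies of any session already allowed below are
#    accepted here, in both directions. This rule is why a one-way
#    admin -> printer rule needs no reversed copy: the printer's answers
#    belong to the same tracked connection.
add chain=forward connection-state=established,related action=accept \
    comment="replies of allowed sessions"
add chain=forward connection-state=invalid action=drop \
    comment="drop untracked/invalid"

# 2. One-way rule: only admin hosts may OPEN a connection to the printer.
#    The printer cannot originate a connection to admin hosts; such an
#    attempt falls through to the final drop and is logged there.
add chain=forward connection-state=new src-address-list=admin-hosts \
    dst-address-list=printers action=accept comment="admin -> printer (new)"

# 3. Genuinely bidirectional case (two servers that each initiate to the
#    other): here a second rule IS needed, and it is just the first one with
#    src and dst swapped, which is all a "clone reverse" button would do.
add chain=forward connection-state=new src-address-list=srv-a \
    dst-address-list=srv-b action=accept comment="srv-a -> srv-b (new)"
add chain=forward connection-state=new src-address-list=srv-b \
    dst-address-list=srv-a action=accept comment="srv-b -> srv-a (new)"
#    Equivalent single rule if both servers share one list (e.g. lb-servers):
#    add chain=forward connection-state=new src-address-list=lb-servers \
#        dst-address-list=lb-servers action=accept

# 4. Default deny, logged so that any unexpected originator (e.g. the printer
#    trying to reach admin hosts) shows up in /log with the given prefix.
add chain=forward action=drop log=yes log-prefix="FWD-DROP " \
    comment="drop everything else"
```

Rule 1 only works while connection tracking is enabled (the RouterOS default, `/ip firewall connection tracking set enabled=auto`); with it disabled every rule would have to be written in both directions.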
 
tomislav91
Member
Topic Author
Posts: 303
Joined: Fri May 26, 2017 12:47 pm

Re: copy reverse in firewall?

Wed Sep 21, 2022 10:32 am

Clone Reverse is not something you need to do to make the firewall work. It would be interesting to see your FortiGate firewall if you have done that for all your rules???
It's just like anav writes, an option for you to save some clicks if you need a reverse rule to be created.

Reading the manual does help:
https://docs.fortinet.com/document/fort ... ch%20other.
Sorry, FortiGate guru :(

You can close this thread, MikroTik firewall forever!!!!
 
tomislav91
Member
Topic Author
Posts: 303
Joined: Fri May 26, 2017 12:47 pm

Re: copy reverse in firewall?

Wed Sep 21, 2022 10:34 am

FortiGate != "anyother"
Sorry, I didn't mean the exclusive leading firewall devices like Tenda, Zyxel, D-Link and TP-Link :) My mistake :)
 
rextended
Forum Guru
Posts: 11982
Joined: Tue Feb 25, 2014 12:49 pm
Location: Italy

Re: copy reverse in firewall?

Wed Sep 21, 2022 10:38 am

like anyother firewall has.
I don't know if you get it, but I'm not disputing whether the option is useful or not (it probably can be useful, why not...),
but the fact that since ONE brand has this option (on one model or on all, no matter),
when you use any other brand you can't find it, so you can't talk about "any other firewall"...
 
anav
Forum Guru
Posts: 19101
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: copy reverse in firewall?

Wed Sep 21, 2022 2:26 pm

As I stated, it won't happen on MT routers because they already allow you to do that through the ability to copy any rule.
The difference is MT doesn't assume it's necessarily the interfaces you want to switch, as feeblegate does.
What if it's the dst address or src address or a firewall address list, etc.? Since MT has more options than fortishit, it would make little sense to reverse clone.

Don't get me wrong, if there is some functionality that would be helpful I am all ears; personally I like Zyxel's ability to do hairpin NAT with a check box LOL.
However, I had no clue what that checkbox actually did. With MikroTik you have to learn and understand packet flow so as to address the issue, so in the end I am better for it not being automated, as the skills learned are transferable to other situations outside hairpin NAT.
