joshhboss
Member Candidate
Topic Author
Posts: 270
Joined: Thu Aug 01, 2019 2:13 pm

Firewall Help Please

Thu Nov 24, 2022 2:41 am

I've been using this rule for guest networks on EdgeRouters and I have been trying to recreate the same thing on the MikroTik. I'm trying to allow access from one network to the other, but I don't want the second network to be able to initiate the communication. I don't know what I'm doing wrong, but on EdgeRouters the rules get applied by interface. This long list on the MikroTik is confusing me. Is this something that can be done on the MikroTik? Thanks in advance.
joshhboss@BigRedOffice# show firewall name BLOCK_IN 
 default-action accept
 rule 10 {
     action accept
     description "Accept Established/Related"
     protocol all
     state {
         established enable
         related enable
     }
 }
 rule 30 {
     action drop
     description "Drop PROTECT_NETWORKS"
     destination {
         group {
             network-group PROTECT_NETWORKS
         }
     }
     protocol all
 }
[edit]
 
akakua
newbie
Posts: 49
Joined: Mon Apr 06, 2020 4:52 pm

Re: Firewall Help Please

Thu Nov 24, 2022 4:18 am

/ip firewall filter add action=drop chain=forward connection-state=new out-interface=ether1 src-address=192.0.0.0/24 place-before=0
 
Buckeye
Forum Veteran
Posts: 883
Joined: Tue Sep 11, 2018 2:03 am
Location: Ohio, USA

Re: Firewall Help Please

Thu Nov 24, 2022 7:55 am

I don't know what I'm doing wrong, but on EdgeRouters the rules get applied by interface. This long list on the MikroTik is confusing me. Is this something that can be done on the MikroTik?
That's an incomplete example, but I will make some assumptions:
PROTECT_NETWORKS is a network group that contains networks you don't want the "guest" interface to forward to (e.g. all RFC 1918 addresses). The MikroTik analogue for vyatta's network-group is
/ip firewall address-list

Have you read Building Your First Firewall and Building Advanced Firewall?

Naming in MikroTik is more like Linux iptables, and not like vyatta. chain=forward is similar to the vyatta "in" direction; it applies to traffic that is routed (not terminating on a service on the MikroTik).
If you want the closest to the filtering on the "ingress interface", you would use something like the following if you wanted to block devices on ether3 (and possibly other interfaces you add to GUEST) from establishing new connections to "PROTECT_NETWORKS":

/interface list add name=GUEST
/interface list member add interface=ether3 list=GUEST
/ip firewall filter
...
add action=accept chain=forward comment="Allow established/related traffic" connection-state=established,related
...
add action=drop chain=forward comment="Block new connections to PROTECT_NETWORKS" connection-state=new in-interface-list=GUEST dst-address-list=PROTECT_NETWORKS
...
add action=drop chain=forward comment="default action drop - the final catchall rule"
 
Buckeye
Forum Veteran
Posts: 883
Joined: Tue Sep 11, 2018 2:03 am
Location: Ohio, USA

Re: Firewall Help Please

Thu Nov 24, 2022 8:41 am

I don't know what I'm doing wrong, but on EdgeRouters the rules get applied by interface. This long list on the MikroTik is confusing me. Is this something that can be done on the MikroTik?
That's an incomplete example, but I will make some assumptions:
PROTECT_NETWORKS is a network group that contains networks you don't want the "guest" interface to forward to (e.g. all RFC 1918 addresses). The MikroTik analogue for vyatta's network-group is
/ip firewall address-list

Have you read Building Your First Firewall and Building Advanced Firewall?

Naming in MikroTik is more like Linux iptables, and not like vyatta. chain=forward is similar to the vyatta "in" direction; it applies to traffic that is routed (not terminating on a service on the MikroTik).
If you want the closest to the filtering on the "ingress interface" vyatta paradigm, you would use something like the following if you wanted to block devices on ether3 (and possibly other interfaces you add to GUEST) from establishing new connections to "PROTECT_NETWORKS":

/interface list add name=GUEST
/interface list member add interface=ether3 list=GUEST
/ip firewall filter
...
add action=accept chain=forward comment="Allow established/related traffic" connection-state=established,related
...
add action=drop chain=forward comment="Block new connections to PROTECT_NETWORKS" connection-state=new in-interface-list=GUEST dst-address-list=PROTECT_NETWORKS
...
add action=drop chain=forward comment="default action drop - the final catchall rule"
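As an added example (not code from either poster), here is the whole EdgeOS BLOCK_IN policy carried over to RouterOS, including the address list that stands in for the network-group, a log flag on the drop rule so blocked guest attempts show up in /log, and the accept rule guests need once a final catch-all drop is in place. It assumes guests sit on ether3 and that PROTECT_NETWORKS should cover all RFC 1918 space; both are assumptions, not facts from the thread.

```routeros
# Added example, not from the forum thread. Assumes: guest clients on ether3,
# PROTECT_NETWORKS = all RFC 1918 space. Adjust to the real topology.

# 1. Address list: the RouterOS stand-in for the vyatta network-group
/ip firewall address-list
add list=PROTECT_NETWORKS address=10.0.0.0/8 comment="RFC 1918"
add list=PROTECT_NETWORKS address=172.16.0.0/12 comment="RFC 1918"
add list=PROTECT_NETWORKS address=192.168.0.0/16 comment="RFC 1918"

# 2. Interface list: the stand-in for "apply this rule set to the guest port"
/interface list
add name=GUEST comment="Guest-facing interfaces"
/interface list member
add list=GUEST interface=ether3

# 3. Forward chain (routed traffic). Rules are evaluated top to bottom, so
#    established/related must sit above the drop: it is what lets a protected
#    host initiate to a guest and still receive the guest's replies.
/ip firewall filter
add chain=forward action=accept connection-state=established,related comment="Accept established/related"
add chain=forward action=drop connection-state=invalid comment="Drop invalid"
add chain=forward action=drop connection-state=new in-interface-list=GUEST dst-address-list=PROTECT_NETWORKS log=yes log-prefix="guest-blocked" comment="Guests may not initiate connections to PROTECT_NETWORKS"
add chain=forward action=accept connection-state=new in-interface-list=GUEST comment="Guests may initiate anything else (mirrors EdgeOS default-action accept)"
# ... rules for the other interfaces go here ...
add chain=forward action=drop comment="default action drop - final catch-all"
```

After loading it, /ip firewall filter print stats shows per-rule packet counters, which is the quickest way to confirm a test connection from a guest is hitting the drop rule rather than falling through to the catch-all.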
