As always, I apologise if this is a really stupid question with a really obvious answer... I have googled around for an answer already, but clearly I'm not using the right search keywords.
Our setup is as follows:
- We have an RB4011, running ROS7.6
- Each of the interfaces is a member of its own bridge, and each bridge has its own VLAN assigned. Each interface is then connected to a switch port which is tagged to the same VLAN, and as expected, we have different types of devices on different VLANs (phones on a single VLAN, CCTV on a VLAN etc.)
/interface bridge add name=bridgeVLAN10
/interface bridge add name=bridgeVLAN20
/interface bridge add name=bridgeVLAN30
/interface bridge add name=bridgeVLAN40
/interface bridge add name=bridgeVLAN50
/interface bridge add name=bridgeVLAN60
/interface bridge add name=bridgeVLAN70
/interface bridge add name=bridgeVLAN80
/interface bridge add name=bridgeVLAN90
/interface bridge add name=bridgeVLAN100
/interface vlan add interface=bridgeVLAN10 name=VLAN10 vlan-id=10
/interface vlan add interface=bridgeVLAN20 name=VLAN20 vlan-id=20
/interface vlan add interface=bridgeVLAN30 name=VLAN30 vlan-id=30
/interface vlan add interface=bridgeVLAN40 name=VLAN40 vlan-id=40
/interface vlan add interface=bridgeVLAN50 name=VLAN50 vlan-id=50
/interface vlan add interface=bridgeVLAN60 name=VLAN60 vlan-id=60
/interface vlan add interface=bridgeVLAN70 name=VLAN70 vlan-id=70
/interface vlan add interface=bridgeVLAN80 name=VLAN80 vlan-id=80
/interface vlan add interface=bridgeVLAN90 name=VLAN90 vlan-id=90
/interface vlan add interface=bridgeVLAN100 name=VLAN100 vlan-id=100
/interface bridge port add bridge=bridgeVLAN10 interface=ether1
/interface bridge port add bridge=bridgeVLAN20 interface=ether2
/interface bridge port add bridge=bridgeVLAN30 interface=ether3
/interface bridge port add bridge=bridgeVLAN40 interface=ether4
/interface bridge port add bridge=bridgeVLAN50 interface=ether5
/interface bridge port add bridge=bridgeVLAN60 interface=ether6
/interface bridge port add bridge=bridgeVLAN70 interface=ether7
/interface bridge port add bridge=bridgeVLAN80 interface=ether8
/interface bridge port add bridge=bridgeVLAN90 interface=ether9
/interface bridge port add bridge=bridgeVLAN100 interface=ether10
We have various firewall filter rules as one would expect to allow traffic to go from one VLAN to another, and also to prevent traffic going from certain places to certain other places. For example, we have rules in place to prevent the CCTV Cameras and IP Phones from being able to get to the internet. The firewall filter rules currently look like this:
/ip firewall filter add action=accept chain=input comment="Allow established, related, untracked" connection-state=established,related,untracked
/ip firewall filter add action=drop chain=input comment="Drop Invalid" connection-state=invalid
/ip firewall filter add action=accept chain=input comment="Allow SSL VPN" dst-port=443 in-interface-list=WAN protocol=tcp
/ip firewall filter add action=accept chain=input comment="Allow access to WinBox to DH-IT" dst-port=8291 protocol=tcp src-address-list=DH-IT
/ip firewall filter add action=accept chain=input comment="Allow to local loopback (for CAPsMAN)" dst-address=127.0.0.1
/ip firewall filter add action=drop chain=input comment="Drop all not coming from LAN" in-interface-list=!INTERNAL log-prefix="DROPPED: "
/ip firewall filter add action=drop chain=input in-interface=pppoe-out1
/ip firewall filter add action=accept chain=forward comment="defconf: accept established,related, untracked" connection-state=established,related,untracked log-prefix="defcon accept"
/ip firewall filter add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
/ip firewall filter add action=accept chain=forward comment="defconf: accept out ipsec policy" ipsec-policy=out,ipsec
/ip firewall filter add action=accept chain=forward comment="SIP System" dst-port=8893,5060-5075,32766-65535 protocol=udp src-address-list="BT SIP System"
/ip firewall filter add action=accept chain=forward comment="Allow DNS --> DC" dst-address-list=DHSC-DC3 dst-port=53 in-interface=!pppoe-out1 protocol=udp
/ip firewall filter add action=accept chain=forward comment="Allow SNTP --> DC" dst-address-list=DHSC-DC3 dst-port=123 protocol=udp
/ip firewall filter add action=accept chain=forward comment="Allow DH-IT" src-address-list=DH-IT
/ip firewall filter add action=accept chain=forward comment="Allow DHSC-DC3 --> External DNS" dst-address-list="External DNS" src-address-list=DHSC-DC3
/ip firewall filter add action=accept chain=forward comment="defconf: accept in ipsec policy" ipsec-policy=in,ipsec
/ip firewall filter add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related hw-offload=yes
/ip firewall filter add action=accept chain=forward comment="Allow xxx Home Office --> Phone System" dst-address-list=DH-VLAN20 src-address-list=xxx-HomeOffice
/ip firewall filter add action=accept chain=forward comment="Allow DH-STAFF --> Printers" dst-address-list=DH-PRINTERS src-address-list=DH-STAFF
/ip firewall filter add action=accept chain=forward comment="Allow VLAN40 --> Internet + Zoom" dst-address-list=!DH-INTERNAL-SUBNETS dst-port=443,80,8802 protocol=tcp src-address-list=DH-VLAN40
/ip firewall filter add action=accept chain=forward comment="Allow VLAN40 --> Microsoft Teams + Zoom" dst-address-list=!DH-INTERNAL-SUBNETS dst-port=3478-3481,8801 protocol=udp src-address-list=DH-VLAN40
/ip firewall filter add action=accept chain=forward comment="Allow Site Computers --> Internet + Zoom" dst-address-list=!DH-INTERNAL-SUBNETS dst-port=443,80,8802 protocol=tcp src-address-list=DH-COMPUTERS
/ip firewall filter add action=accept chain=forward comment="Allow Site Computers --> Microsoft Teams + Zoom" dst-address-list=!DH-INTERNAL-SUBNETS dst-port=3478-3481,8801 protocol=udp src-address-list=DH-COMPUTERS src-port=""
/ip firewall filter add action=accept chain=forward comment="Allow Server APPS2 --> Internet" dst-address-list=!DH-INTERNAL-SUBNETS dst-port=443,80 protocol=tcp src-address-list=DHSC-APPS2
/ip firewall filter add action=accept chain=forward comment="Allow Server DC3 --> Internet" dst-address-list=!DH-INTERNAL-SUBNETS dst-port=443,80 protocol=tcp src-address-list=DHSC-DC3
/ip firewall filter add action=accept chain=forward comment="Allow Site Computers --> WiFi Access Points" dst-address-list=DH-ACCESSPOINTS src-address-list=DH-COMPUTERS
/ip firewall filter add action=accept chain=forward comment="Allow Site Computers --> Cameras" dst-address-list=DH-CCTV src-address-list=DH-COMPUTERS
/ip firewall filter add action=accept chain=forward comment="Allow Computers --> Phones" dst-address-list=DH-PHONES src-address-list=DH-COMPUTERS
/ip firewall filter add action=accept chain=forward comment="Allow Computers --> Netgenium" dst-address-list=DH-ACCESSCONTROL src-address-list=DH-COMPUTERS
/ip firewall filter add action=accept chain=forward comment="Allow Netgenium --> DC3" dst-address-list=DHSC-DC3 src-address-list=DHSC-NETGENIUM
/ip firewall filter add action=accept chain=forward comment="Allow Phones --> APPS2 (Firmware Updates via HTTP, TFTP)" dst-address-list=DHSC-APPS2 dst-port=80,69 protocol=tcp src-address-list=DH-PHONES
/ip firewall filter add action=accept chain=forward comment="Allow SMC Gateway --> Google DNS" dst-address-list="Google DNS Servers" dst-port=53 protocol=udp src-address-list=DHSC-SMCGATEWAY
/ip firewall filter add action=accept chain=forward comment="Allow SMC Gateway --> Repeater" dst-address-list=DHSC-REPEATER src-address-list=DHSC-SMCGATEWAY
/ip firewall filter add action=accept chain=forward comment="Allow: Repeater --> SMC Gateway" dst-address-list=DHSC-SMCGATEWAY src-address-list=DHSC-REPEATER
/ip firewall filter add action=accept chain=forward comment="Allow: Repeater --> Phone Exchange" dst-address-list=Phone-Exchange src-address-list=DHSC-REPEATER
/ip firewall filter add action=accept chain=forward comment="Allow: Phone Exchange --> Repeater" dst-address-list=DHSC-REPEATER src-address-list=Phone-Exchange
/ip firewall filter add action=accept chain=forward comment="Allow Netgenium --> Milestone" dst-address-list=DHSC-MILESTONE src-address-list=DHSC-NETGENIUM
/ip firewall filter add action=accept chain=forward comment="Allow Mobile Repeaters --> Repeater" dst-address-list=DHSC-REPEATER src-address-list="Mobile Repeaters"
/ip firewall filter add action=accept chain=forward comment="Allow Repeater --> Mobile Repeaters" dst-address-list="Mobile Repeaters" src-address-list=DHSC-REPEATER
/ip firewall filter add action=accept chain=forward comment="Allow Milestone --> Cameras" dst-address-list=DH-CCTV src-address-list=DHSC-MILESTONE
/ip firewall filter add action=accept chain=forward comment="Allow Cameras --> Milestone" dst-address-list=DHSC-MILESTONE src-address-list=DH-CCTV
/ip firewall filter add action=accept chain=forward comment="Allow VLAN10 --> Azure Server" dst-address-list="Azure Servers" src-address-list=DH-VLAN10
/ip firewall filter add action=accept chain=forward comment="PRTG Monitoring (CCTV)" dst-address-list=DH-CCTV log-prefix=PRTG protocol=icmp src-address-list=DHSC-APPS2
/ip firewall filter add action=accept chain=forward comment="PRTG Monitoring (Netgenium Devices)" dst-address-list=DH-ACCESSCONTROL dst-port=3743,80 log-prefix=PRTG protocol=tcp src-address-list=DHSC-APPS2
/ip firewall filter add action=accept chain=forward comment="PRTG Monitoring (WIFI Access Points)" dst-address-list=DH-ACCESSPOINTS protocol=icmp src-address-list=DHSC-APPS2
/ip firewall filter add action=accept chain=forward comment="PRTG Monitoring (Access Points SNMP)" dst-address-list=DH-ACCESSPOINTS dst-port=161 protocol=tcp src-address-list=DHSC-APPS2
/ip firewall filter add action=drop chain=forward comment="defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat connection-state=new in-interface-list=WAN log-prefix="NOT NAT: "
/ip firewall filter add action=drop chain=forward comment="Block access from VLAN10 to VLAN40 (CS: Remove when \"Block Packets on Forward Chain\" is enabled\?)" dst-address-list=DH-VLAN40 log=yes log-prefix="Access attempted from VLAN10 to VLAN40" src-address-list=DH-VLAN10
/ip firewall filter add action=drop chain=forward comment="Block Access to VLAN 10 (CS: Can be removed when \"Block Packets on Forward Chain\" is enabled\?)" dst-address-list=DH-VLAN10 log=yes log-prefix="DROP --> VLAN 10"
/ip firewall filter add action=drop chain=forward comment="Block Wifi/Guest Users from accessing the WiFi Access Points, if not in the DH-IT Group - RW This never going to happen as on same VLAN. AP's need management IP moving into Management network" dst-address-list=DH-ACCESSPOINTS log=yes log-prefix="Access attempted from VLAN40 to Access Points" src-address=192.168.40.0/22 src-address-list=!DH-IT
/ip firewall filter add action=drop chain=forward comment="Block Milestone --> Internet" dst-address-list=!DH-INTERNAL-SUBNETS src-address-list=DHSC-MILESTONE
/ip firewall filter add action=drop chain=forward comment="Block Netgenium --> Internet" dst-address-list=!DH-INTERNAL-SUBNETS src-address-list=DHSC-NETGENIUM
/ip firewall filter add action=drop chain=forward comment="Block VLAN20 --> Internet" dst-address-list=!DH-INTERNAL-SUBNETS src-address-list=DH-VLAN20
/ip firewall filter add action=drop chain=forward comment="Block VLAN30 --> Internet" dst-address-list=!DH-INTERNAL-SUBNETS src-address-list=DH-VLAN30
/ip firewall filter add action=passthrough chain=forward log=yes log-prefix="Uncaught Packet"
/ip firewall filter add action=drop chain=forward comment="Block Packets on Forward Chain" disabled=yes log=yes log-prefix="Drop Forward Chain"
What's my problem:
- The logging exercise is showing up packets hitting the logging rule at the bottom of the filter list that are destined to go places but via interfaces which have nothing to do with the destination IP address.
- VLAN10 is where all the computers, servers etc are connected.
- Internet comes in via the SFP interface and a PPPoE client (the PPPoE is called "pppoe-out1" in the config)
- One specific example of a logged packet:
  - In Interface: bridgeVLAN10
  - Source IP: 192.168.10.31 (which is one of our on-site computers)
  - Destination IP: 52.143.80.xxx (which is clearly an external IP somewhere on the internet)
  - Out Interface: bridgeVLAN30
  - Destination Port: 443
What I'm confused about in this specific example is why this packet isn't being caught by the "DH-Computers --> Internet" rule, as that's much higher up in the filter list than the passthrough rule.
And also why the packet is showing up as exiting the firewall via what to me looks to be the wrong interface.
My questions are really, do I need to worry about this, or is this fairly normal and in fact the packets aren't really going anywhere? The Routing in the firewall just has the normal dynamically created routes for the IP Addresses that exist in IP--> Addresses.
I've tried using the PING Tool from within RouterOS and it's not possible to ping any of the internal devices via any interface other than the one to which they are connected... so that at least is working. I also can't ping external addresses (that respond to a ping, like Google's 8.8.8.8 server) via any interface other than the pppoe-out1 interface, so that appears to be working.
I can of course put some DROP rules in the filter list for packets where the DstIP doesn't belong to an IP Pool that's assigned to the interface through which the packet is trying to exit the firewall, but before I do this, I'd like to understand what's happening (and maybe why) and to know if it's really a problem.
Again, apologies if this is a really dumb thing to ask. Hopefully I've put enough detail here for the issue to be understood (if it is indeed an issue and not just normal behaviour).
Thanks for your time...
Colin
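One way to pick out log entries like the one described above automatically, as an added example that is not part of the original post: it parses "Uncaught Packet" log lines, works out which interface the destination should leave by (a connected subnet, else the pppoe-out1 default route) and flags lines whose logged out-interface disagrees. The address plan (VLAN n on 192.168.n.0/24, apart from the 192.168.40.0/22 that appears in the rules) and the exact log-line layout are assumptions.

```python
import ipaddress
import re

# Assumed address plan modelled on the post's bridgeVLANxx naming. Only
# 192.168.10.x (the source host) and 192.168.40.0/22 come from the post;
# the rest are constructed placeholders and must be replaced.
INTERFACE_ROUTES = {
    "bridgeVLAN10": ipaddress.ip_network("192.168.10.0/24"),
    "bridgeVLAN30": ipaddress.ip_network("192.168.30.0/24"),
    "bridgeVLAN40": ipaddress.ip_network("192.168.40.0/22"),
}
DEFAULT_ROUTE_IFACE = "pppoe-out1"  # the post's PPPoE client carries the default route

# Assumed shape of a RouterOS firewall log line: prefix, chain, in/out
# interface, protocol, then src:port->dst:port.
LOG_RE = re.compile(
    r"(?P<prefix>.*?) (?P<chain>\w+): in:(?P<in>\S+) out:(?P<out>\S+),.*?"
    r"proto (?P<proto>\w+).*?"
    r"(?P<src>[\d.]+):(?P<sport>\d+)->(?P<dst>[\d.]+):(?P<dport>\d+)"
)

def expected_out_iface(dst_ip):
    """Longest-prefix match over the connected subnets, else the default route."""
    ip = ipaddress.ip_address(dst_ip)
    best = None
    for iface, net in INTERFACE_ROUTES.items():
        if ip in net and (best is None or net.prefixlen > best[1].prefixlen):
            best = (iface, net)
    return best[0] if best else DEFAULT_ROUTE_IFACE

def check_line(line):
    """None if the logged out-interface matches the routing plan (or the line
    is not a firewall log line), otherwise a dict describing the mismatch."""
    m = LOG_RE.search(line)
    if not m:
        return None
    expected = expected_out_iface(m["dst"])
    if m["out"] == expected:
        return None
    return {"src": m["src"], "dst": m["dst"], "dport": int(m["dport"]),
            "out": m["out"], "expected_out": expected}

# Constructed sample lines in the shape of the post's "Uncaught Packet" log.
SAMPLE_LOG = [
    "Uncaught Packet forward: in:bridgeVLAN10 out:bridgeVLAN30, connection-state:new "
    "proto TCP (SYN), 192.168.10.31:51234->52.143.80.200:443, len 60",
    "Uncaught Packet forward: in:bridgeVLAN10 out:pppoe-out1, connection-state:new "
    "proto TCP (SYN), 192.168.10.31:51235->52.143.80.200:443, len 60",
]

def find_mismatches(lines=SAMPLE_LOG):
    return [f for f in (check_line(l) for l in lines) if f]
```

Feed the output of `/log print` (filtered on the "Uncaught Packet" prefix) into `find_mismatches` to see how many of the logged packets actually leave by an interface that does not carry a route to their destination.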