bornpilot
just joined
Topic Author
Posts: 10
Joined: Sat Aug 20, 2022 3:05 am

RouterOS IP Firewall Filter Rules not working?

Sat Jan 28, 2023 8:57 pm

Greetings, I am running RouterOS 7.7 with a very basic setup. When I set up my firewall rules I have a default deny all on the bottom of the list. When I add an allow for TCP traffic it also allows DNS UDP traffic, I am not sure why and it's hard to know if my filters are applying correctly. The following is my last filter, number 8.
 8    ;;; Default: Drop All
      chain=forward action=drop log=yes log-prefix="" 
When I allow the following rule (see the number for its location), then DNS traffic is also allowed. The DNS traffic is UDP port 53.
3  ;;; Allow HTTP(S) on LAN Net
      chain=forward action=accept connection-state=established,related,new,untracked protocol=tcp port=443,80 log=yes log-prefix="" 
Right now, for testing, these are the only two filters enabled on the firewall.

Why is the DNS traffic going through on the forward chain?
 
anav
Forum Guru
Posts: 19103
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: RouterOS IP Firewall Filter Rules not working?

Sat Jan 28, 2023 9:16 pm

/export file=anynameyouwish (minus router serial # and public WAN IP information)
 
jvanhambelgium
Forum Veteran
Posts: 985
Joined: Thu Jul 14, 2016 9:29 pm
Location: Belgium

Re: RouterOS IP Firewall Filter Rules not working?

Sat Jan 28, 2023 9:28 pm

Are you using the Mikrotik as a DNS server?
Then it is normal that the FORWARD chain will not deal with any traffic GENERATED by the Mikrotik (example: upstream DNS queries) or RESPONSES back to the Mikrotik.
 
bornpilot
just joined
Topic Author
Posts: 10
Joined: Sat Aug 20, 2022 3:05 am

Re: RouterOS IP Firewall Filter Rules not working?

Sat Jan 28, 2023 9:34 pm

Attached is the file. I had been testing some flashStart and Lucid View web filter tests. In this you will see that there are a couple of networks. The Mikrotik network in question is NATted behind another firewall and I have yet another network that's bridged to the LAN on Router1.
 
bornpilot
just joined
Topic Author
Posts: 10
Joined: Sat Aug 20, 2022 3:05 am

Re: RouterOS IP Firewall Filter Rules not working?

Sat Jan 28, 2023 9:38 pm

jvanhambelgium wrote:
> Are you using the Mikrotik as a DNS server?
> Then it is normal that the FORWARD chain will not deal with any traffic GENERATED by the Mikrotik (example: upstream DNS queries) or RESPONSES back to the Mikrotik.

Good question. No, the DNS servers are from Quad9, so the forward chain should work.
 
bornpilot
just joined
Topic Author
Posts: 10
Joined: Sat Aug 20, 2022 3:05 am

Re: RouterOS IP Firewall Filter Rules not working?

Sun Jan 29, 2023 1:57 am

If the default firewall filter rule is allow, what is the significance of adding the following rule?
;;; accept established,related,untracked
      chain=forward action=accept connection-state=established,related,untracked 
 
bornpilot
just joined
Topic Author
Posts: 10
Joined: Sat Aug 20, 2022 3:05 am

Re: RouterOS IP Firewall Filter Rules not working?

Sun Jan 29, 2023 2:06 am

I believe my issue was that I had some established connections that had not cleared. I lowered some of those settings from my test and cleared my connections; packet flow seems to be working as expected.

Thanks!
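
An added example, not part of the thread and not MikroTik code: a simplified Python model of first-match evaluation in the forward chain, using the three rules quoted above, to show how protocol, port and connection-state decide where a packet lands. The `Packet`, `Rule` and `evaluate` names are hypothetical, `port=` is modelled as matching either source or destination port, and the sample packets are constructed.

```python
# Simplified model of first-match evaluation in the RouterOS forward chain.
# Rules are transcribed from the thread; packets are constructed samples.
from dataclasses import dataclass

@dataclass(frozen=True)
class Packet:
    protocol: str   # "tcp" or "udp"
    src_port: int
    dst_port: int
    state: str      # conntrack state: new, established, related, untracked, invalid

@dataclass(frozen=True)
class Rule:
    comment: str
    action: str                      # "accept" or "drop"
    states: frozenset = frozenset()  # empty = any connection-state
    protocol: str = ""               # empty = any protocol
    ports: frozenset = frozenset()   # empty = any port; matches src OR dst

    def matches(self, p: Packet) -> bool:
        if self.states and p.state not in self.states:
            return False
        if self.protocol and p.protocol != self.protocol:
            return False
        if self.ports and not ({p.src_port, p.dst_port} & self.ports):
            return False
        return True

def evaluate(rules, packet, default="accept"):
    """Return (action, comment) of the first matching rule, else the chain default."""
    for rule in rules:
        if rule.matches(packet):
            return rule.action, rule.comment
    return default, "no rule matched"

ALLOW_WEB = Rule("Allow HTTP(S) on LAN Net", "accept",
                 frozenset({"established", "related", "new", "untracked"}),
                 "tcp", frozenset({443, 80}))
ALLOW_TRACKED = Rule("accept established,related,untracked", "accept",
                     frozenset({"established", "related", "untracked"}))
DROP_ALL = Rule("Default: Drop All", "drop")

TWO_RULES = [ALLOW_WEB, DROP_ALL]                  # rules 3 and 8 from the first post
WITH_TRACKED = [ALLOW_TRACKED, ALLOW_WEB, DROP_ALL]

# Constructed sample packets
dns_new = Packet("udp", 50000, 53, "new")
dns_tracked = Packet("udp", 50000, 53, "established")
https_new = Packet("tcp", 50001, 443, "new")
```

In this model a UDP/53 packet only passes when the established,related,untracked rule is present and the flow already has a connection-tracking entry; a new UDP/53 flow reaches the drop rule in both rule sets.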
 
fcollini
newbie
Posts: 25
Joined: Sun Mar 01, 2020 12:53 pm

Re: RouterOS IP Firewall Filter Rules not working?

Tue Apr 04, 2023 7:08 pm

bornpilot wrote:
> Attached is the file. I had been testing some flashStart and Lucid View web filter tests. In this you will see that there are a couple of networks. The Mikrotik network in question is NATted behind another firewall and I have yet another network that's bridged to the LAN on Router1.

Dear Bornpilot,
thanks so much for the mention; always at Mikrotik expert's side :)
