dr18
just joined
Topic Author
Posts: 14
Joined: Sun Aug 29, 2021 11:58 pm

Firewall drop !LAN issues

Wed Apr 19, 2023 4:53 am

For some reason, if I have the drop !LAN firewall rule included, the Roku box crawls. If I remove it, I have DNS lookup issues. I also have a drop WAN rule.

Any ideas on next steps?

Is there a copy and paste way of going back to standard firewall rules?

Thanks
 
k6ccc
Forum Guru
Posts: 1490
Joined: Fri May 13, 2016 12:01 am
Location: Glendora, CA, USA (near Los Angeles)

Re: Firewall drop !LAN issues

Wed Apr 19, 2023 6:18 am

Without your configuration, we're guessing. Please export and post your configuration. Also a description of your network or better, a network drawing.
To export and paste your configuration (and I'm assuming you are using WebFig or Winbox), open a terminal window,
and type (without the quotes) "/export hide-sensitive file=any-filename-you-wish". Then open the files section
and right click on the filename you created and select download in order to download the file to your computer.
It will be a text file with whatever name you saved to with an extension of .rsc. Open that file in your favorite
text editor and redact any sensitive information if desired / needed. Then in your message here, click the code
display icon in the toolbar above the text entry (the code display icon is the 7th one from the left and looks
like a square with a blob in the middle). Then paste the text from the file in between the two code words in brackets.
 
anav
Forum Guru
Posts: 18959
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Firewall drop !LAN issues

Wed Apr 19, 2023 1:28 pm

Previous poster is bang on. The reason is usually that the OP doesn't understand how the router's firewall rules affect traffic flow.
 
dr18
just joined
Topic Author
Posts: 14
Joined: Sun Aug 29, 2021 11:58 pm

Re: Firewall drop !LAN issues

Thu Apr 20, 2023 4:34 am

Thanks! I'm using VPN on a Raspi on 192.168.2.117 - not sure if I still have some router-based VPN stuff left over. As well, the WTTR firewall list should no longer be there.
I should've taken better notes of what I tried and un-tried over the course of time... It may be easier to start from scratch.
Thanks
# apr/19/2023 21:22:41 by RouterOS 7.8
# software id = V66H-E3EW
#
# model = RB750Gr3
# serial number = CC230D3BTEST
/interface bridge
add admin-mac=08:55:31:00:00:00 auto-mac=no comment=defconf name=bridge
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface lte apn
set [ find default=yes ] ip-type=ipv4 use-network-apn=no
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip kid-control
add disabled=yes name=Kid1 sun=1h-1h1m
add disabled=yes name=Kid2 sun=7h-21h
/ip pool
add name=pool1 ranges=192.168.2.10-192.168.2.254
add name=dhcp_pool2 ranges=192.168.2.2-192.168.2.254
add name=vpn ranges=192.168.89.2-192.168.89.255
add name=dhcp ranges=192.168.2.201-192.168.2.251
/ip dhcp-server
add address-pool=dhcp interface=bridge name=dhcp1
/port
set 0 name=serial0
/ppp profile
set *FFFFFFFE local-address=192.168.89.1 remote-address=vpn
/interface bridge port
add bridge=bridge comment=defconf ingress-filtering=no interface=ether2
add bridge=bridge comment=defconf ingress-filtering=no interface=ether3
add bridge=bridge comment=defconf ingress-filtering=no interface=ether4
add bridge=bridge comment=defconf ingress-filtering=no interface=ether5
/ip neighbor discovery-settings
set discover-interface-list=LAN
/ipv6 settings
set disable-ipv6=yes max-neighbor-entries=8192
/interface l2tp-server server
set use-ipsec=yes
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=ether1 list=WAN
/interface ovpn-server server
set auth=sha1 certificate=server cipher=aes256-cbc enabled=yes \
require-client-certificate=yes
/interface sstp-server server
set default-profile=default-encryption
/ip address
add address=192.168.2.1/24 interface=bridge network=192.168.2.0
/ip cloud
set ddns-enabled=yes
/ip dhcp-client
add comment=defconf interface=ether1
/ip dhcp-server lease
removed the leases
/ip dhcp-server network
add address=192.168.2.0/24 gateway=192.168.2.1
/ip dns
set allow-remote-requests=yes
/ip dns static
add address=192.168.2.1 comment=defconf name=router.lan
add address=159.148.172.226 name=upgrade.mikrotik.com
/ip firewall address-list
add address=wttr.in list="test list"
/ip firewall filter
add action=jump chain=forward comment="jump to kid-control rules" \
jump-target=kid-control
add action=accept chain=forward comment=\
"defconf: accept established,related,untracked" connection-state=\
established,related,untracked
add action=accept chain=input comment="allow IPsec NAT" dst-port=4500 \
protocol=udp
add action=accept chain=input comment="allow IKE" dst-port=500 protocol=udp
add action=accept chain=input comment="allow l2tp" dst-port=1701 protocol=udp
add action=accept chain=input comment="allow pptp" disabled=yes dst-port=1723 \
protocol=tcp
add action=accept chain=input comment="allow sstp" disabled=yes dst-port=443 \
protocol=tcp
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment=\
"defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=accept chain=input comment=\
"[Custom] allow connections from VPN network" disabled=yes src-address=\
192.168.89.0/24
add action=drop chain=input comment="defconf: drop all not coming from LAN bre\
aks router update and Roku issues" connection-nat-state="" \
connection-state="" in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
connection-state=established,related hw-offload=yes
add action=accept chain=forward comment=\
"defconf: accept established,related, untracked" connection-state=\
established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
connection-state=invalid
add action=drop chain=forward comment=\
"defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
connection-state=new in-interface-list=WAN
add action=accept chain=forward dst-port=53 protocol=udp src-address=\
192.168.2.201
add action=accept chain=forward dst-port=53 protocol=tcp src-address=\
192.168.2.201
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" \
ipsec-policy=out,none out-interface-list=WAN
add action=masquerade chain=srcnat comment="masq. vpn traffic" src-address=\
192.168.89.0/24
add action=dst-nat chain=dstnat comment=vpn dst-port=51820 in-interface-list=\
WAN protocol=udp to-addresses=192.168.2.117 to-ports=51820
/ip kid-control device
add mac-address=0C:DD:24:00:00:00 name="Chromebook" user=Kid1
add mac-address=48:7E:48:00:00:00 name="Onn box" user=Kid2
add mac-address=38:80:DF:00:00:00 name=moto user=Kid2
/ip service
set www address=192.168.2.0/24
/ppp secret
add name=vpn service=ovpn
/system clock
set time-zone-name=America/New_York
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN
/tool sniffer
set filter-ip-address=192.168.2.222/32
 
anav
Forum Guru
Posts: 18959
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Firewall drop !LAN issues

Thu Apr 20, 2023 7:11 pm

Yes you need a major cleanup.

(1) There should be no reason for this mess!

/ip pool
add name=pool1 ranges=192.168.2.10-192.168.2.254
add name=dhcp_pool2 ranges=192.168.2.2-192.168.2.254
add name=vpn ranges=192.168.89.2-192.168.89.255
add name=dhcp ranges=192.168.2.201-192.168.2.251


(2) expectations here..
/ip dhcp-server network
add address=192.168.2.0/24 gateway=192.168.2.1 dns-server=192.168.2.1
/ip dns
set allow-remote-requests=yes server=1.1.1.1,8.8.8.8


(3) Not sure of the purpose of these but you can get rid of the first one......
What is the second one for??

/ip dns static
add address=192.168.2.1 comment=defconf name=router.lan
add address=159.148.172.226 name=upgrade.mikrotik.com ?????

(4) Your firewall rules are disorganized. Put all the input chain rules together and all the forward chain rules together; it is much easier to read, spot errors etc...
For example, duplicates would be easily spotted!!

/ip firewall filter
add action=jump chain=forward comment="jump to kid-control rules" \
jump-target=kid-control

add action=accept chain=forward comment=\
"defconf: accept established,related,untracked" connection-state=\
established,related,untracked

add action=accept chain=input comment="allow IPsec NAT" dst-port=4500 \
protocol=udp
add action=accept chain=input comment="allow IKE" dst-port=500 protocol=udp
add action=accept chain=input comment="allow l2tp" dst-port=1701 protocol=udp
add action=accept chain=input comment="allow pptp" disabled=yes dst-port=1723 \
protocol=tcp
add action=accept chain=input comment="allow sstp" disabled=yes dst-port=443 \
protocol=tcp
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment=\
"defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=accept chain=input comment=\
"[Custom] allow connections from VPN network" disabled=yes src-address=\
192.168.89.0/24
add action=drop chain=input comment="defconf: drop all not coming from LAN bre\
aks router update and Roku issues" connection-nat-state="" \
connection-state="" in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
connection-state=established,related hw-offload=yes

add action=accept chain=forward comment=\
"defconf: accept established,related, untracked" connection-state=\
established,related,untracked

add action=drop chain=forward comment="defconf: drop invalid" \
connection-state=invalid
add action=drop chain=forward comment=\
"defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
connection-state=new in-interface-list=WAN
add action=accept chain=forward dst-port=53 protocol=udp src-address=\
192.168.2.201
add action=accept chain=forward dst-port=53 protocol=tcp src-address=\
192.168.2.201


(5) REPLACE this rule.
add action=drop chain=input comment="defconf: drop all not coming from LAN bre\
aks router update and Roku issues" connection-nat-state="" \
connection-state="" in-interface-list=!LAN

And make it simpler
add action=accept chain=input in-interface-list=LAN
add action=drop chain=input comment="drop all else"

(6) What is the purpose of these rules............ I would remove them......
add action=accept chain=forward dst-port=53 protocol=udp src-address=\
192.168.2.201
add action=accept chain=forward dst-port=53 protocol=tcp src-address=\
192.168.2.201


(7) What is the purpose of this rule?? Seems very unsafe..........
/ip service
set www address=192.168.2.0/24
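As an added example of the cleanup suggested in point (4), and not anav's or MikroTik's own code: a small Python linter that re-joins the backslash-wrapped lines of an /ip firewall filter export, parses each rule into key=value pairs, flags rules whose matchers are identical apart from the comment (the two "accept established,related,untracked" forward rules above), and counts how often the chain changes from one rule to the next. The embedded export excerpt is constructed from the rules quoted in this thread.

```python
import re
# Constructed excerpt modelled on the /ip firewall filter export posted above (not the full config).
EXPORT = r'''/ip firewall filter
add action=jump chain=forward comment="jump to kid-control rules" \
jump-target=kid-control
add action=accept chain=forward comment=\
"defconf: accept established,related,untracked" connection-state=\
established,related,untracked
add action=accept chain=input comment="allow IKE" dst-port=500 protocol=udp
add action=drop chain=input comment="defconf: drop all not coming from LAN bre\
aks router update and Roku issues" connection-nat-state="" \
connection-state="" in-interface-list=!LAN
add action=accept chain=forward comment=\
"defconf: accept established,related, untracked" connection-state=\
established,related,untracked
'''

KV = re.compile(r'([\w-]+)=("[^"]*"|\S*)')  # key=value or key="quoted value"

def join_continuations(text):
    out, buf = [], ""
    for line in text.splitlines():
        if line.endswith("\\"):
            buf += line[:-1]        # RouterOS wrapped this line: drop the backslash, keep collecting
        else:
            out.append(buf + line)  # continuation may even split a word ("bre" + "aks")
            buf = ""
    return out

def parse_filter_rules(text):
    # One dict per 'add ...' line; surrounding quotes are stripped from values
    return [{k: v.strip('"') for k, v in KV.findall(line)}
            for line in join_continuations(text) if line.startswith("add ")]

def matcher_key(rule):
    # Everything except the comment decides whether two rules do the same thing
    return tuple(sorted((k, v) for k, v in rule.items() if k != "comment"))

def find_duplicates(rules):
    seen, dups = {}, []
    for i, rule in enumerate(rules):
        key = matcher_key(rule)
        if key in seen:
            dups.append((seen[key], i))  # (first occurrence, redundant copy)
        else:
            seen[key] = i
    return dups

def chain_switches(rules):
    # A tidy export changes chain only once per additional chain; more means interleaving
    chains = [r["chain"] for r in rules]
    return sum(a != b for a, b in zip(chains, chains[1:]))
```

Running it over the full export from the thread reports the same duplicate pair and a chain sequence that flips between forward and input several times, which is what point (4) is about.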
 
dr18
just joined
Topic Author
Posts: 14
Joined: Sun Aug 29, 2021 11:58 pm

Re: Firewall drop !LAN issues

Fri Apr 21, 2023 6:50 am

Thank you very much for pointing out items in the configuration. It is very helpful.

Much of the extra stuff was related to a few initiatives, which could now be deleted. Some of the items were related to not being able to do the upgrades of firmware once the block of LAN traffic was set... (adding the upgrade server IP manually, trying to forward DNS..) Other items were related to trying to give one of the kids very limited access on a device.. Other items that came and went were related to using VPN on the router.

Honestly, if I knew about that export command before, it would have made life easier to see the end-to-end configuration. I don't know why I didn't think of looking for such a command.

Having a background in configuring the network on servers, but not switches, I knew that I should be able to handle learning this. The issue then came with switching jobs and familial timings, not giving me time to do an end-to-end holistic setup. As such, things were done piecemeal, researching as issues came up, and ended up getting very sloppy. As well, people are working from home over the course of about 11 hours a day... As such, I really need to have separate development and production routers, so as not to impact people working when I'm trying to fiddle. I seem to always be in a rush to make a change, which is not good.

The firewall rules were all done via UI, on the separate screens. I have no idea why the export jumbled things like that.
Thanks again.
 
dr18
just joined
Topic Author
Posts: 14
Joined: Sun Aug 29, 2021 11:58 pm

Re: Firewall drop !LAN issues

Sun Apr 23, 2023 11:59 pm

At this point, I noticed some Wi-Fi issues as well, so I bought a new router to use as an access point. As such, for the moment, I'm using my old access point as a router and we'll get back to this when I have a bit of time.

Thanks!