pelikuin
just joined
Topic Author
Posts: 4
Joined: Wed Apr 19, 2023 12:37 am

2B Apprentice in Defacto Firewall Setup

Mon Apr 24, 2023 7:27 pm

I'm working through the DEFACTO DEFAULT FIREWALL Setup, and have got to stage (2B) APPRENTICE SETUP.

Aside: Grateful that such resources exist for newcomers.

My question relates to this element of the guide

(2) RAW RULE Inbound/Destination Address - Designed to Stop Cold, any incoming traffic (passing inbound on the WAN) whose destination-address is different from the public IPs on the router. Thus we make use of a firewall address list to identify the available public IPs at the router.

After adding the RAW rules all seemed fine until one day I restarted the router and found I had no internet connection. I had been assigned a new dynamic IP and I believe the address-list was unable to resolve my new external address as the raw rules were blocking traffic back into the router, so I had a circular problem which I could only resolve by temporarily blocking the rule which denied traffic from the WAN.

Question: Am I right in thinking that this section of the guide is problematic for people with dynamic IPs?

These are the lines that I believe are relevant, noting that in the address list I had something like home.mydomain.com.
/ip firewall address-list
{...}
add list=expected-dst-address-to-my-ISP address=my.public.wan.ip

/ip firewall raw
{...}
add action=drop chain=prerouting in-interface-list=WAN dst-address-list=!expected-dst-address-to-my-ISP comment="drop non-legit dst-addresses hitting WAN side"

mkx
Forum Guru
Posts: 11381
Joined: Thu Mar 03, 2016 10:23 pm

Re: 2B Apprentice in Defacto Firewall Setup

Mon Apr 24, 2023 7:51 pm

If you use a domain name in that address list, then you have to allow at least traffic with the selected DNS server before blocking everything else... or else the router is not able to populate/renew the IP address.

This is not a problem when the WAN IP address is static and is set in the address list as an IP address.

pelikuin

Re: 2B Apprentice in Defacto Firewall Setup

Mon Apr 24, 2023 10:56 pm

Ah, of course, that makes sense :)
 
anav
Forum Guru
Posts: 18959
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: 2B Apprentice in Defacto Firewall Setup

Mon Apr 24, 2023 11:24 pm

Thanks for bringing this up; perhaps I may have to add a script for that case.

anav

Re: 2B Apprentice in Defacto Firewall Setup

Sat Apr 29, 2023 7:28 pm

Would this solve the dilemma introduced by dynamic WAN IPs and not being able to resolve the WAN IP in a timely manner?

/ip firewall raw
# chain=prerouting lives in the raw table; both rules must sit above the
# "drop non-legit dst-addresses" rule. Only the src-address rule is strictly
# needed, because the drop rule only touches inbound traffic; the router's own
# query to 1.1.1.1 leaves via the output chain, which that drop never sees.
add chain=prerouting action=accept dst-address=1.1.1.1
add chain=prerouting action=accept src-address=1.1.1.1
 
anav

Re: 2B Apprentice in Defacto Firewall Setup

Sat Apr 29, 2023 8:12 pm

Okay here is the solution.

A. We are attempting to resolve the new WAN IP via the firewall address list.

/ip firewall address-list
add list=expected-dst-address-to-my-ISP address=my.public.wan.ip

We know that the response back will be blocked as the destination address will be the old WAN IP.

B. SOLUTION is to identify the new WAN IP assigned on outgoing traffic and add it to the list. In our case we know the router will send outgoing traffic to resolve the WAN IP.
We will use that traffic to discern the new WAN IP and add it to the list :-)

/ip firewall raw
# Router-originated packets leaving via WAN carry the current WAN IP as their
# source; record it in the list. The dynamic entry is refreshed by every
# matching packet and expires one minute after the last one.
# src-address-type=local limits the match to addresses owned by the router.
add chain=output action=add-src-to-address-list src-address-type=local \
    address-list=expected-dst-address-to-my-ISP out-interface-list=WAN address-list-timeout=1m
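
The pieces discussed in this thread assembled into one raw-table configuration, as an added example that is not part of the guide or of anav's post. It assumes the guide's interface list WAN, a DHCP client on ether1, a resolver at 1.1.1.1 configured under /ip dns, and the placeholder hostname home.mydomain.com from the first post; all four are assumptions. It also goes one step beyond the thread with a DHCP-client script that feeds the list straight from the lease, so the list no longer depends on DNS resolution at all.

```routeros
# Added example, not the guide's or anav's own configuration.  Assumptions:
# interface list "WAN", DHCP client on ether1, resolver 1.1.1.1, and the
# placeholder hostname home.mydomain.com.

/ip firewall address-list
# Static entry from the guide.  RouterOS resolves the hostname itself and adds
# the result as a dynamic entry; that resolution fails if the resolver's reply
# is dropped, which is the lock-out described in the first post.
add list=expected-dst-address-to-my-ISP address=home.mydomain.com \
    comment="WAN IP resolved from DDNS name"

/ip firewall raw
# (1) Learn the current WAN IP from router-originated traffic.  The DNS query
#     that resolves the hostname leaves via WAN with the new IP as its source
#     before the reply comes back, so the reply is already whitelisted when it
#     arrives.  add-src-to-address-list is non-terminal: the packet continues.
add chain=output out-interface-list=WAN src-address-type=local \
    action=add-src-to-address-list address-list=expected-dst-address-to-my-ISP \
    address-list-timeout=1m comment="learn current WAN IP"
# (2) Optional belt-and-braces from mkx's reply: admit the resolver's replies
#     even when the list is empty, e.g. immediately after a reboot.
add chain=prerouting in-interface-list=WAN src-address=1.1.1.1 protocol=udp \
    src-port=53 action=accept comment="allow DNS replies from resolver"
# (3) The guide's rule; within the prerouting chain it must stay below (2).
add chain=prerouting in-interface-list=WAN \
    dst-address-list=!expected-dst-address-to-my-ISP action=drop \
    comment="drop non-legit dst-addresses hitting WAN side"

/ip dhcp-client
# Alternative that removes the DNS dependency: whenever the lease is (re)bound,
# replace our own entry with the address the ISP just handed out.  $bound and
# $"lease-address" are variables RouterOS passes to the dhcp-client script;
# the backslashes escape them inside the quoted script string.
set [find interface=ether1] script=":if (\$bound=1) do={ /ip firewall address-list remove [find list=expected-dst-address-to-my-ISP comment=dhcp-learned]; /ip firewall address-list add list=expected-dst-address-to-my-ISP address=\$\"lease-address\" comment=dhcp-learned }"
```

After a reboot or a forced lease renewal, check the result with /ip firewall address-list print where dynamic: rule (1) should show the new WAN IP with a timeout that keeps resetting, and the DHCP script should show a static dhcp-learned entry carrying the same address. Rule (1) can only ever add addresses the router itself sources, so the list keeps the property the guide relies on: it names the router's own public addresses and nothing else. If the WAN is PPPoE rather than DHCP, the equivalent hook is the on-up script of the PPP profile, which is not shown here.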
