Fanfwe
just joined
Topic Author
Posts: 2
Joined: Thu Mar 26, 2020 5:06 pm

Firewall - how to block traffic to the router from one interface, no matter what the destination IP is

Thu Mar 26, 2020 5:34 pm

Hi,
I couldn't find a nice way to implement this. Maybe I'm missing something.
Let's say I have a router with two interfaces, ether1 and ether2.
I want to block ssh (tcp/22) traffic to the router itself when that traffic comes through ether1.
I have set up a filter, in the input chain, which says that traffic with protocol TCP, port 22 and in-interface ether1 should be dropped. Great, but...
if somebody comes in through ether1 but tries to SSH into the router using the IP address of ether2, then he is not blocked.

I'm assuming this is because the router first has to "route" the packet internally, only then to realize that the packet is for the router itself, but because of that, I would need to make a rule in the forward chain also.

But that kinda sucks for me, because in my real use case, I have a lot more interfaces, so I'd have to basically add rules in order to block traffic for each and every IP address the router owns on its interfaces.

Is there an easier way to simply tell the router that if traffic comes in from interface X and is for you (no matter the IP address used as destination), then drop it?
 
WeWiNet
Member Candidate
Posts: 275
Joined: Thu Sep 27, 2018 4:11 pm

Re: Firewall - how to block traffic to the router from one interface, no matter what the destination IP is

Fri Mar 27, 2020 10:55 am

You confuse yourself. Routing does not work the way you imagine...

To get into the router itself it is the "input chain" and nothing else. So what is the problem?

You do not need to define any address. Just drop input chain TCP port 22 on in-interface ETH1
regardless of "address". Nothing will come through.

This is by the way the typical default firewall, where nothing from WAN (ETH1 mostly) can get into the router...
WeWiNet

MTCNA
hapac2, map, hap-lite, ltap-mini, RB4011 (good!), Audience (better) :-) !!!
 
Fanfwe
just joined
Topic Author
Posts: 2
Joined: Thu Mar 26, 2020 5:06 pm

Re: Firewall - how to block traffic to the router from one interface, no matter what the destination IP is

Fri Mar 27, 2020 11:20 am

Hi, thanks for your answer.
What you describe is indeed what I was expecting. Also in line with the Packet flow diagram that is on the Mikrotik website.
Fact is, yesterday, when I was testing this, I was still able to SSH when I was using an IP address of an interface that was not ether1. Not quite sure why; could be something related to connection tracking.
But well, this morning when I tried the same test again, it now works just like I expected (and as you described also). So I'm not exactly sure what went wrong yesterday, but it does work as it should now, so that's great.
Thanks!
 
ingdaka
Member Candidate
Posts: 288
Joined: Thu Aug 30, 2012 3:06 pm
Location: Albania

Re: Firewall - how to block traffic to the router from one interface, no matter what the destination IP is

Fri Mar 27, 2020 1:59 pm

Maybe you were connected before and the connection state was still established.... when the timeout is over and the connection is dropped, you start a new connection and for sure it will be dropped!
Ilir Daka
Electronic & Network Engineer
E-mail: ilirdaka@live.com
Mob: +355692982151
WhatsApp: +355692982151
Mikrotik Official Consultant
CCNA | Fortinet NSE3 | MTCRE | MTCSE | MTCWE
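The configuration the two answers above describe, written out as an added RouterOS example (not posted by anyone in the thread). It assumes ether1 is the untrusted interface; the interface list name "WAN" and the rule comments are our own choices. Because the input chain handles every packet addressed to any of the router's own IPs, the rule needs no destination address, and using an interface list covers the many-interfaces case from the first post. The accept rule for established/related connections is also what explains the first-day observation: a session opened before the drop rule existed stays tracked and keeps working until it ends.

```routeros
# Added example, not from the thread. Assumes ether1 is the untrusted
# interface; the list name "WAN" is a constructed choice.

# Group the untrusted interfaces once. The drop rule matches the list, so a new
# interface later is one member line here, not another firewall rule.
/interface list add name=WAN comment="untrusted interfaces (example)"
/interface list member add list=WAN interface=ether1

/ip firewall filter
# Packets of connections that already passed the firewall are accepted first.
# This is why an SSH session opened before the drop rule existed survives:
# conntrack already has an entry for it.
add chain=input connection-state=established,related action=accept \
    comment="accept established/related"
add chain=input connection-state=invalid action=drop comment="drop invalid"
# Input chain sees traffic to ANY of the router's own addresses, so the
# in-interface match alone is enough; no dst-address per interface needed.
add chain=input protocol=tcp dst-port=22 in-interface-list=WAN action=drop \
    comment="no SSH to the router from untrusted interfaces"

# Check: if an old SSH session still gets through, look for it in the
# connection tracking table; it will disappear when the session closes or times out.
/ip firewall connection print where protocol=tcp
```

Rule order matters: if the tcp/22 drop is placed above the established/related accept, an already-open session from ether1 is cut as soon as its next packet arrives, which is the quickest way to verify the rule without waiting for the tracked connection to expire.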