ressof

Firewall drop rule not working

Wed Dec 01, 2021 11:52 am

Hi
I have a MikroTik hAP ac2 router on which I have managed to set up a VLAN on ether4 with the subnet 192.168.10.0/24. Now I want to allow only traffic on port 1883 from the VLAN to my other subnet, 192.168.0.0/24.
First I added this rule
# Intended to be appended as the last rule of the forward chain: drop
# connections from 192.168.10.0/24 to 192.168.0.0/24. Established/related
# traffic is accepted by the default rules that precede it, so only new
# connections are evaluated here.
add action=drop chain=forward dst-address=192.168.0.0/24 src-address=192.168.10.0/24
to the end of the firewall, to drop all traffic from the VLAN to the LAN, but the traffic is still allowed.

These are my complete firewall settings:
# Input chain (traffic to the router itself): after the default accepts,
# everything not arriving from an interface in the LAN list is dropped.
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment="defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=drop chain=input comment="defconf: drop all not coming from LAN" in-interface-list=!LAN
# Forward chain: fasttrack and accept established/related/untracked come
# first, so only new (or invalid) connections reach the rules below them.
add action=accept chain=forward comment="defconf: accept in ipsec policy" ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related
add action=accept chain=forward comment="defconf: accept established,related, untracked" connection-state=established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
add action=drop chain=forward comment="defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat connection-state=new in-interface-list=WAN
# Custom rule, appended last: drops new connections from vlan10's subnet to
# the bridge subnet. Its position is correct for subnet-based matching; if
# its packet counter stays at zero, the traffic is not passing through the
# IP forward chain at all (e.g. it is being bridged rather than routed).
add action=drop chain=forward dst-address=192.168.0.0/24 src-address=192.168.10.0/24
 
anav

Re: Firewall drop rule not working

Wed Dec 01, 2021 1:49 pm

If you don't know what the problem is, why do you think showing us only part of the config will help?

Please post your config
# hide-sensitive omits passwords and keys from the export, so it is the
# variant to post publicly.
/export hide-sensitive file=anynameyouwish

Seeing as you only wanted one port, the rule could be refined to
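# In RouterOS dst-port cannot be used without protocol=, and a single
# "protocol=tcp dst-port=!1883" drop would match TCP only, leaving UDP/ICMP
# from the VLAN unfiltered. "Allow only tcp/1883" is therefore written as an
# explicit accept followed by an unconditional drop, in this order.
add action=accept chain=forward dst-address=192.168.0.0/24 src-address=192.168.10.0/24 protocol=tcp dst-port=1883 comment="Smarthome: allow 1883 to LAN"
add action=drop chain=forward dst-address=192.168.0.0/24 src-address=192.168.10.0/24 comment="Smarthome: drop all other traffic to LAN"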
 
ressof

Re: Firewall drop rule not working

Wed Dec 01, 2021 2:21 pm

Sorry

Here is my config:
# dec/01/2021 13:14:45 by RouterOS 6.48.5
# Review notes (added): full export of the hAP ac2 posted for the
# "drop rule not working" question; the exported statements are unchanged.
/interface bridge
add admin-mac=48:8F:5A:61:B1:D5 auto-mac=no comment=defconf name=bridge
/interface wireless
set [ find default-name=wlan1 ] band=2ghz-b/g/n channel-width=20/40mhz-XX \
    distance=indoors frequency=auto installation=indoor mode=ap-bridge ssid=\
    MikroTik-61B1D9 wireless-protocol=802.11
set [ find default-name=wlan2 ] band=5ghz-a/n/ac channel-width=\
    20/40/80mhz-XXXX distance=indoors frequency=auto installation=indoor \
    mode=ap-bridge ssid=MikroTik-61B1DA wireless-protocol=802.11
/interface vlan
# vlan10 is defined directly on ether4 while ether4 is also a member port of
# 'bridge' (see /interface bridge port). A later reply questions this layout
# and proposes VLAN interfaces on the bridge with vlan-filtering instead.
add interface=ether4 name=vlan10 vlan-id=10
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface wireless security-profiles
# Presumably exported with hide-sensitive: the profile's authentication
# settings are not shown here.
set [ find default=yes ] supplicant-identity=MikroTik
/ip pool
add name=dhcp ranges=192.168.0.100-192.168.0.254
add name=dhcp_pool_vlan10 ranges=192.168.10.100-192.168.10.254
/ip dhcp-server
add address-pool=dhcp disabled=no interface=bridge name=defconf
add address-pool=dhcp_pool_vlan10 disabled=no interface=vlan10 name=\
    dhcp_vlan10
/interface bridge port
# ether4 carries both the untagged bridge network (192.168.0.0/24) and the
# tagged vlan10 interface defined above.
add bridge=bridge comment=defconf interface=ether2
add bridge=bridge comment=defconf interface=ether3
add bridge=bridge comment=defconf interface=ether4
add bridge=bridge comment=defconf interface=ether5
add bridge=bridge comment=defconf interface=wlan1
add bridge=bridge comment=defconf interface=wlan2
/ip neighbor discovery-settings
set discover-interface-list=LAN
/interface detect-internet
# Runs on every interface; a reply in this thread suggests 'none' unless it
# is actually needed.
set detect-interface-list=all
/interface list member
# Only 'bridge' is in LAN; vlan10 is not. The input-chain rule
# "drop all not coming from LAN" therefore also drops traffic from vlan10
# clients to the router itself (e.g. DNS at 192.168.10.1, which the vlan10
# DHCP network below hands out).
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=ether1 list=WAN
/ip address
add address=192.168.0.1/24 comment=defconf interface=bridge network=\
    192.168.0.0
add address=192.168.10.1/24 interface=vlan10 network=192.168.10.0
/ip cloud
# IP Cloud DDNS; presumably the (redacted) sn.mynetname.net name used by the
# WAN-IP address-list below.
set ddns-enabled=yes
/ip dhcp-client
add comment=defconf disabled=no interface=ether1
/ip dhcp-server lease
# Static MAC-to-IP bindings for both subnets (device inventory); no filter
# or NAT rule references them.
add address=192.168.0.45 client-id=ff:90:1e:c1:ce:0:3:0:1:30:58:90:1e:c1:ce \
    mac-address=30:58:90:1E:C1:CE server=defconf
add address=192.168.0.42 mac-address=38:8B:59:89:95:23 server=defconf
add address=192.168.0.41 mac-address=48:D6:D5:D4:6D:EE server=defconf
add address=192.168.0.44 client-id=1:cc:d2:81:5e:e4:3b mac-address=\
    CC:D2:81:5E:E4:3B server=defconf
add address=192.168.0.9 client-id=1:b8:ae:ed:ea:e8:96 mac-address=\
    B8:AE:ED:EA:E8:96 server=defconf
add address=192.168.0.15 client-id=1:0:11:32:83:c0:1b mac-address=\
    00:11:32:83:C0:1B server=defconf
add address=192.168.0.10 client-id=\
    ff:9f:6e:85:24:0:2:0:0:ab:11:7:fa:89:ae:f0:ef:23:2b mac-address=\
    00:0C:29:85:E8:C8 server=defconf
add address=192.168.0.14 mac-address=9C:93:4E:6C:CF:C2 server=defconf
add address=192.168.0.30 client-id=1:a4:2b:b0:13:21:13 mac-address=\
    A4:2B:B0:13:21:13 server=defconf
add address=192.168.0.43 mac-address=20:DF:B9:07:F7:A9 server=defconf
add address=192.168.0.40 mac-address=54:60:09:FC:3B:E8 server=defconf
add address=192.168.0.3 mac-address=C0:74:AD:23:CD:90 server=defconf
add address=192.168.0.2 mac-address=C0:74:AD:1B:5E:C4 server=defconf
add address=192.168.0.11 client-id=1:0:c:29:4f:ed:80 mac-address=\
    00:0C:29:4F:ED:80 server=defconf
add address=192.168.10.10 mac-address=3C:61:05:E3:56:4B server=dhcp_vlan10
add address=192.168.10.11 mac-address=40:F5:20:01:8F:75 server=dhcp_vlan10
add address=192.168.0.80 client-id=1:ea:f3:91:85:9e:2a mac-address=\
    EA:F3:91:85:9E:2A server=defconf
add address=192.168.10.12 mac-address=40:F5:20:01:64:4F server=dhcp_vlan10
add address=192.168.10.13 mac-address=84:F3:EB:32:D0:F6 server=dhcp_vlan10
add address=192.168.10.14 mac-address=80:7D:3A:5B:A5:D7 server=dhcp_vlan10
add address=192.168.10.15 mac-address=84:F3:EB:9F:5B:81 server=dhcp_vlan10
add address=192.168.10.16 mac-address=5C:CF:7F:36:FE:4B server=dhcp_vlan10
add address=192.168.10.17 mac-address=80:7D:3A:5B:25:45 server=dhcp_vlan10
add address=192.168.10.18 mac-address=60:01:94:07:12:BD server=dhcp_vlan10
add address=192.168.10.19 mac-address=B4:E6:2D:21:AA:71 server=dhcp_vlan10
add address=192.168.10.20 mac-address=EC:FA:BC:C4:E7:60 server=dhcp_vlan10
add address=192.168.0.12 client-id=1:0:c:29:b3:3e:a8 mac-address=\
    00:0C:29:B3:3E:A8 server=defconf
add address=192.168.10.21 mac-address=A0:20:A6:19:55:4B server=dhcp_vlan10
add address=192.168.10.22 mac-address=5C:CF:7F:AB:B8:A9 server=dhcp_vlan10
add address=192.168.0.13 mac-address=00:09:DC:80:05:EB server=defconf
add address=192.168.0.71 client-id=1:c4:57:6e:d2:e2:8 mac-address=\
    C4:57:6E:D2:E2:08 server=defconf
add address=192.168.0.46 mac-address=00:F6:20:C8:55:D9 server=defconf
/ip dhcp-server network
add address=192.168.0.0/24 comment=defconf gateway=192.168.0.1 netmask=24
# vlan10 clients are given the router (192.168.10.1) plus two public
# resolvers as DNS servers.
add address=192.168.10.0/24 dns-server=192.168.10.1,8.8.8.8,1.1.1.1 gateway=\
    192.168.10.1
/ip dns
# The router resolves for clients; only the input-chain rule
# "drop all not coming from LAN" keeps this from being reachable from WAN.
set allow-remote-requests=yes
/ip dns static
add address=192.168.0.1 comment=defconf name=router.lan
/ip firewall address-list
# LAN and Smarthome are defined but no filter or NAT rule below uses them;
# the custom drop rule matches on subnets directly.
add address=sn.mynetname.net list=WAN-IP
add address=192.168.0.2-192.168.0.254 list=LAN
add address=192.168.10.2-192.168.10.254 list=Smarthome
/ip firewall filter
# Input chain: after the default accepts, everything not arriving from an
# interface in the LAN list is dropped (vlan10 is not in that list above).
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment=\
    "defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
    in-interface-list=!LAN
# Forward chain: fasttrack and accept established/related/untracked come
# first, so only new (or invalid) connections reach the rules below them.
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
    ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
    ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
    connection-state=established,related
add action=accept chain=forward comment=\
    "defconf: accept established,related, untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
add action=drop chain=forward comment=\
    "defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
    connection-state=new in-interface-list=WAN
# Custom rule, last in the chain: drop new connections from vlan10's subnet
# to the bridge subnet. Reported in this thread as having no effect.
# NOTE(review): check this rule's packet counter; if it never increments the
# traffic is not traversing the IP forward chain (e.g. it is being bridged
# rather than routed) — confirm that before changing the rule itself.
add action=drop chain=forward dst-address=192.168.0.0/24 src-address=\
    192.168.10.0/24
/ip firewall nat
# Hairpin NAT: lets LAN hosts reach the port-forwarded server via the WAN IP.
add action=masquerade chain=srcnat comment="Hairpin NAT" dst-address=\
    192.168.0.0/24 src-address=192.168.0.0/24
add action=masquerade chain=srcnat comment="defconf: masquerade" \
    ipsec-policy=out,none out-interface-list=WAN
# WAN tcp/80 is forwarded to tcp/22 on 192.168.0.10: that host's port 22
# (conventionally SSH) is exposed to the internet on port 80 with no source
# restriction. Verify this is intended and that the host enforces strong
# authentication; consider a src-address restriction or a VPN instead.
add action=dst-nat chain=dstnat dst-address-list=WAN-IP dst-port=80 \
    protocol=tcp to-addresses=192.168.0.10 to-ports=22
# WAN tcp/443 is forwarded to 192.168.0.10 unchanged, also unrestricted.
add action=dst-nat chain=dstnat dst-address-list=WAN-IP dst-port=443 \
    protocol=tcp to-addresses=192.168.0.10
/system clock
set time-zone-name=Europe/Stockholm
/tool mac-server
# MAC-telnet and MAC-WinBox are only answered on LAN-list interfaces.
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN
 
anav

Re: Firewall drop rule not working

Wed Dec 01, 2021 9:48 pm

Why is ether4 on the Bridge?
Should be removed.
/interface bridge port
# Quoted from the posted config: ether4 is a bridge port, while vlan10 is
# also defined directly on ether4 under /interface vlan.
add bridge=bridge comment=defconf interface=ether2
add bridge=bridge comment=defconf interface=ether3
add bridge=bridge comment=defconf interface=ether4

To help decide the above: what is attached to ether4?

If you don't need this, I suggest setting it to none, as it is known to cause issues from time to time.
/interface detect-internet
# Quoted from the posted config: detection runs on all interfaces.
set detect-interface-list=all

Missing line:
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=ether1 list=WAN
# The missing line: without it vlan10 is not in the LAN list, so the
# input-chain rule "drop all not coming from LAN" blocks vlan10 clients
# from reaching the router itself (e.g. the DNS at 192.168.10.1 they are
# handed by DHCP).
add interface=vlan10 list=LAN

As stated, modify the firewall rule to the one required, which will drop all traffic TO the bridge from vlan10 on all ports except 1883:
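# In RouterOS dst-port cannot be used without protocol=, and a single
# "protocol=tcp dst-port=!1883" drop would match TCP only, leaving UDP/ICMP
# from the VLAN unfiltered. "Allow only tcp/1883" is therefore written as an
# explicit accept followed by an unconditional drop, in this order.
add action=accept chain=forward dst-address=192.168.0.0/24 src-address=192.168.10.0/24 protocol=tcp dst-port=1883 comment="Smarthome: allow 1883 to LAN"
add action=drop chain=forward dst-address=192.168.0.0/24 src-address=192.168.10.0/24 comment="Smarthome: drop all other traffic to LAN"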
 
ressof

Re: Firewall drop rule not working

Thu Dec 02, 2021 7:59 am

Thank you

A Wi-Fi AP with two SSIDs is attached to ether4. SSID 1 is on the 192.168.0.0 subnet with VLAN ID 1; SSID 2 is on the 192.168.10.0 subnet with VLAN ID 10.

I thought ether4 had to be on the bridge for SSID 1 to work?
 
anav

Re: Firewall drop rule not working

Thu Dec 02, 2021 4:01 pm

I see what you have done; okay, in that case leave ether4 on the bridge.

I would never do it that way, because I don't like mixing bridge DHCP and VLAN DHCP on the same port and implicitly using vlan1 like that.
I always prefer to have vlan1 NEVER carry data, and assign other VLANs to do that.
 
ressof

Re: Firewall drop rule not working

Fri Dec 03, 2021 8:24 am

Hi

I made the changes above and added the firewall rule without the port, to see whether it blocks all traffic, but it didn't work. Traffic from 192.168.10.0/24 was still able to reach 192.168.0.0/24.

Here is my complete config after the changes:
# dec/03/2021 07:11:13 by RouterOS 6.48.5
# Review notes (added): second full export, after vlan10 was added to the
# LAN interface list; the custom drop rule is still reported as ineffective.
# The exported statements are unchanged.
/interface bridge
add admin-mac=48:8F:5A:61:B1:D5 auto-mac=no comment=defconf name=bridge
/interface wireless
set [ find default-name=wlan1 ] band=2ghz-b/g/n channel-width=20/40mhz-XX \
    distance=indoors frequency=auto installation=indoor mode=ap-bridge ssid=\
    MikroTik-61B1D9 wireless-protocol=802.11
set [ find default-name=wlan2 ] band=5ghz-a/n/ac channel-width=\
    20/40/80mhz-XXXX distance=indoors frequency=auto installation=indoor \
    mode=ap-bridge ssid=MikroTik-61B1DA wireless-protocol=802.11
/interface vlan
# vlan10 is still defined directly on ether4 while ether4 remains a bridge
# port (see /interface bridge port); the replies propose moving VLAN
# interfaces onto the bridge with vlan-filtering instead.
add interface=ether4 name=vlan10 vlan-id=10
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface wireless security-profiles
# Presumably exported with hide-sensitive: authentication settings not shown.
set [ find default=yes ] supplicant-identity=MikroTik
/ip pool
add name=dhcp ranges=192.168.0.100-192.168.0.254
add name=dhcp_pool_vlan10 ranges=192.168.10.100-192.168.10.254
/ip dhcp-server
add address-pool=dhcp disabled=no interface=bridge name=defconf
add address-pool=dhcp_pool_vlan10 disabled=no interface=vlan10 name=\
    dhcp_vlan10
/interface bridge port
# ether4 carries both the untagged bridge network (192.168.0.0/24) and the
# tagged vlan10 interface defined above (an AP with two SSIDs is attached).
add bridge=bridge comment=defconf interface=ether2
add bridge=bridge comment=defconf interface=ether3
add bridge=bridge comment=defconf interface=ether4
add bridge=bridge comment=defconf interface=ether5
add bridge=bridge comment=defconf interface=wlan1
add bridge=bridge comment=defconf interface=wlan2
/ip neighbor discovery-settings
set discover-interface-list=LAN
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=ether1 list=WAN
# Added after the first reply: vlan10 clients may now reach the router's
# input chain (DNS at 192.168.10.1 etc.). This does not affect the forward
# chain, which has no LAN-list accept rule.
add interface=vlan10 list=LAN
/ip address
add address=192.168.0.1/24 comment=defconf interface=bridge network=\
    192.168.0.0
add address=192.168.10.1/24 interface=vlan10 network=192.168.10.0
/ip cloud
# IP Cloud DDNS; presumably the (redacted) sn.mynetname.net name used by the
# WAN-IP address-list below.
set ddns-enabled=yes
/ip dhcp-client
add comment=defconf disabled=no interface=ether1
/ip dhcp-server lease
# Static MAC-to-IP bindings for both subnets (device inventory); no filter
# or NAT rule references them.
add address=192.168.0.45 client-id=ff:90:1e:c1:ce:0:3:0:1:30:58:90:1e:c1:ce \
    mac-address=30:58:90:1E:C1:CE server=defconf
add address=192.168.0.42 mac-address=38:8B:59:89:95:23 server=defconf
add address=192.168.0.41 mac-address=48:D6:D5:D4:6D:EE server=defconf
add address=192.168.0.44 client-id=1:cc:d2:81:5e:e4:3b mac-address=\
    CC:D2:81:5E:E4:3B server=defconf
add address=192.168.0.9 client-id=1:b8:ae:ed:ea:e8:96 mac-address=\
    B8:AE:ED:EA:E8:96 server=defconf
add address=192.168.0.15 client-id=1:0:11:32:83:c0:1b mac-address=\
    00:11:32:83:C0:1B server=defconf
add address=192.168.0.10 client-id=\
    ff:9f:6e:85:24:0:2:0:0:ab:11:7:fa:89:ae:f0:ef:23:2b mac-address=\
    00:0C:29:85:E8:C8 server=defconf
add address=192.168.0.14 mac-address=9C:93:4E:6C:CF:C2 server=defconf
add address=192.168.0.30 client-id=1:a4:2b:b0:13:21:13 mac-address=\
    A4:2B:B0:13:21:13 server=defconf
add address=192.168.0.43 mac-address=20:DF:B9:07:F7:A9 server=defconf
add address=192.168.0.40 mac-address=54:60:09:FC:3B:E8 server=defconf
add address=192.168.0.3 mac-address=C0:74:AD:23:CD:90 server=defconf
add address=192.168.0.2 mac-address=C0:74:AD:1B:5E:C4 server=defconf
add address=192.168.0.11 client-id=1:0:c:29:4f:ed:80 mac-address=\
    00:0C:29:4F:ED:80 server=defconf
add address=192.168.10.10 mac-address=3C:61:05:E3:56:4B server=dhcp_vlan10
add address=192.168.10.11 mac-address=40:F5:20:01:8F:75 server=dhcp_vlan10
add address=192.168.0.80 client-id=1:ea:f3:91:85:9e:2a mac-address=\
    EA:F3:91:85:9E:2A server=defconf
add address=192.168.10.12 mac-address=40:F5:20:01:64:4F server=dhcp_vlan10
add address=192.168.10.13 mac-address=84:F3:EB:32:D0:F6 server=dhcp_vlan10
add address=192.168.10.14 mac-address=80:7D:3A:5B:A5:D7 server=dhcp_vlan10
add address=192.168.10.15 mac-address=84:F3:EB:9F:5B:81 server=dhcp_vlan10
add address=192.168.10.16 mac-address=5C:CF:7F:36:FE:4B server=dhcp_vlan10
add address=192.168.10.17 mac-address=80:7D:3A:5B:25:45 server=dhcp_vlan10
add address=192.168.10.18 mac-address=60:01:94:07:12:BD server=dhcp_vlan10
add address=192.168.10.19 mac-address=B4:E6:2D:21:AA:71 server=dhcp_vlan10
add address=192.168.10.20 mac-address=EC:FA:BC:C4:E7:60 server=dhcp_vlan10
add address=192.168.0.12 client-id=1:0:c:29:b3:3e:a8 mac-address=\
    00:0C:29:B3:3E:A8 server=defconf
add address=192.168.10.21 mac-address=A0:20:A6:19:55:4B server=dhcp_vlan10
add address=192.168.10.22 mac-address=5C:CF:7F:AB:B8:A9 server=dhcp_vlan10
add address=192.168.0.13 mac-address=00:09:DC:80:05:EB server=defconf
add address=192.168.0.71 client-id=1:c4:57:6e:d2:e2:8 mac-address=\
    C4:57:6E:D2:E2:08 server=defconf
add address=192.168.0.46 mac-address=00:F6:20:C8:55:D9 server=defconf
/ip dhcp-server network
add address=192.168.0.0/24 comment=defconf gateway=192.168.0.1 netmask=24
# vlan10 clients are given the router (192.168.10.1) plus two public
# resolvers as DNS servers.
add address=192.168.10.0/24 dns-server=192.168.10.1,8.8.8.8,1.1.1.1 gateway=\
    192.168.10.1
/ip dns
# The router resolves for clients; only the input-chain rule
# "drop all not coming from LAN" keeps this from being reachable from WAN.
set allow-remote-requests=yes
/ip dns static
add address=192.168.0.1 comment=defconf name=router.lan
/ip firewall address-list
# LAN and Smarthome are defined but no filter or NAT rule below uses them.
add address=sn.mynetname.net list=WAN-IP
add address=192.168.0.2-192.168.0.254 list=LAN
add address=192.168.10.2-192.168.10.254 list=Smarthome
/ip firewall filter
# Input chain: after the default accepts, everything not arriving from an
# interface in the LAN list (bridge, vlan10) is dropped.
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment=\
    "defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
    in-interface-list=!LAN
# Forward chain: fasttrack and accept established/related/untracked come
# first, so only new (or invalid) connections reach the rules below them.
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
    ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
    ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
    connection-state=established,related
add action=accept chain=forward comment=\
    "defconf: accept established,related, untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
add action=drop chain=forward comment=\
    "defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
    connection-state=new in-interface-list=WAN
# Custom rule, last in the chain: drop new connections from vlan10's subnet
# to the bridge subnet. Still reported as having no effect.
# NOTE(review): check this rule's packet counter; if it never increments the
# traffic is not traversing the IP forward chain (e.g. it is being bridged
# rather than routed) — confirm that before changing the rule itself.
add action=drop chain=forward dst-address=192.168.0.0/24 src-address=\
    192.168.10.0/24
/ip firewall nat
# Hairpin NAT: lets LAN hosts reach the port-forwarded server via the WAN IP.
add action=masquerade chain=srcnat comment="Hairpin NAT" dst-address=\
    192.168.0.0/24 src-address=192.168.0.0/24
add action=masquerade chain=srcnat comment="defconf: masquerade" \
    ipsec-policy=out,none out-interface-list=WAN
# WAN tcp/80 is forwarded to tcp/22 on 192.168.0.10: that host's port 22
# (conventionally SSH) is exposed to the internet on port 80 with no source
# restriction. Verify this is intended and that the host enforces strong
# authentication; consider a src-address restriction or a VPN instead.
add action=dst-nat chain=dstnat dst-address-list=WAN-IP dst-port=80 \
    protocol=tcp to-addresses=192.168.0.10 to-ports=22
# WAN tcp/443 is forwarded to 192.168.0.10 unchanged, also unrestricted.
add action=dst-nat chain=dstnat dst-address-list=WAN-IP dst-port=443 \
    protocol=tcp to-addresses=192.168.0.10
/system clock
set time-zone-name=Europe/Stockholm
/tool mac-server
# MAC-telnet and MAC-WinBox are only answered on LAN-list interfaces.
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN

I would never do it that way, because I don't like mixing bridge DHCP and VLAN DHCP on the same port and implicitly using vlan1 like that.
I always prefer to have vlan1 NEVER carry data, and assign other VLANs to do that.

So I should create two more VLANs? One for the other WLAN and one for the wired devices? And each VLAN must have a DHCP server with its own subnet?
Last edited by ressof on Sat Dec 04, 2021 2:04 pm, edited 1 time in total.
 
anav

Re: Firewall drop rule not working

Fri Dec 03, 2021 9:14 pm

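# Proposed bridge-VLAN layout (bridge vlan-filtering): vlan20 becomes the
# main LAN (192.168.0.0/24, replacing the bare bridge) and vlan10 stays the
# Smarthome network on ether4. Review fixes applied: the menu paths are
# /interface bridge vlan and /ip firewall filter, and the 1883 exception is
# written as accept + drop because dst-port cannot be used without protocol=
# and a TCP-only "!1883" drop would leave non-TCP traffic through.
/interface vlan
add interface=bridge name=vlan10 vlan-id=10
add interface=bridge name=vlan20 vlan-id=20
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface list member
# vlan20 takes the place of 'bridge' in the LAN list; the existing
# interface=bridge member should be replaced, not kept alongside.
add comment=defconf interface=vlan20 list=LAN
add comment=defconf interface=ether1 list=WAN
add interface=vlan10 list=LAN

/ip dhcp-server
# Replaces the server currently bound to 'bridge'; the pool names are the
# ones already in the posted config.
add address-pool=dhcp interface=vlan20 name=main_dhcp
add address-pool=dhcp_pool_vlan10 interface=vlan10 name=dhcp_vlan10

/interface bridge port
# These ports are already bridge members in the posted config, so on a live
# router they are 'set' (modify) rather than 'add' operations. pvid is the
# VLAN given to untagged ingress; frame-types=only-untagged-and-priority
# rejects tagged frames on these access ports.
# NOTE(review): the AP described earlier sends SSID 2 tagged as VLAN 10 and
# SSID 1 untagged on ether4. As an untagged-only pvid=10 port, ether4 would
# drop the tagged frames and place the untagged SSID into vlan10; if the AP
# stays on ether4 it needs a trunk-style port instead (tagged for VLAN 10,
# pvid=20 for the untagged SSID) — confirm what is attached before applying.
add bridge=bridge comment=defconf interface=ether2 pvid=20 ingress-filtering=yes frame-types=only-untagged-and-priority
add bridge=bridge comment=defconf interface=ether3 pvid=20 ingress-filtering=yes frame-types=only-untagged-and-priority
add bridge=bridge comment=defconf interface=ether4 pvid=10 ingress-filtering=yes frame-types=only-untagged-and-priority
add bridge=bridge comment=defconf interface=ether5 pvid=20 ingress-filtering=yes frame-types=only-untagged-and-priority
add bridge=bridge comment=defconf interface=wlan1 pvid=20 ingress-filtering=yes frame-types=only-untagged-and-priority
add bridge=bridge comment=defconf interface=wlan2 pvid=20 ingress-filtering=yes frame-types=only-untagged-and-priority

/interface bridge vlan
# tagged=bridge on both entries is what lets the router's own vlan10/vlan20
# interfaces (defined on the bridge above) see the traffic.
add bridge=bridge tagged=bridge untagged=ether2,ether3,ether5,wlan1,wlan2 vlan-ids=20
add bridge=bridge tagged=bridge untagged=ether4 vlan-ids=10

/ip address
# Moves the router's 192.168.0.1 from 'bridge' to vlan20; management over
# this address only works once the VLAN table and vlan-filtering are in
# place, which is why the order of these steps matters.
add address=192.168.0.1/24 interface=vlan20 network=192.168.0.0
add address=192.168.10.1/24 interface=vlan10 network=192.168.10.0

/ip firewall filter
# Interface-based instead of subnet-based: allow tcp/1883 from vlan10 to
# vlan20, then drop everything else vlan10 -> vlan20. Both are appended after
# the default accept established/related rules, so only new connections are
# evaluated here.
add chain=forward action=accept in-interface=vlan10 out-interface=vlan20 protocol=tcp dst-port=1883 comment="Smarthome: allow 1883 to LAN"
add chain=forward action=drop in-interface=vlan10 out-interface=vlan20 comment="Smarthome: drop all other traffic to LAN"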

LAST change: go to the bridge settings and change vlan-filtering from no to yes. (Doing this from Safe Mode lets the router revert automatically if the management session is lost.)


AS TO YOUR QUESTION:
If WLAN1 is the home Wi-Fi on VLAN20
and you want another WLAN for guests, let's make it vlan30.
Then:
# Under /interface vlan: the guest VLAN interface, on the bridge like the others.
add interface=bridge name=vlan30 vlan-id=30
and it needs a pool, an IP address, a DHCP server and a DHCP server network.
Plus, add:
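# Guest VLAN (vlan30) additions. Review fix: the menu path is
# /interface bridge vlan (singular).
/interface list member
add interface=vlan30 list=LAN

/interface bridge port
# Modifies the existing wlan2 port entry: it moves from pvid 20 to pvid 30.
add bridge=bridge comment=defconf interface=wlan2 pvid=30 ingress-filtering=yes frame-types=only-untagged-and-priority

/interface bridge vlan
# wlan2 leaves the VLAN 20 untagged set and becomes the VLAN 30 access port.
# NOTE(review): with vlan30 in the LAN list and no forward-chain rule for it,
# guests on vlan30 can still reach vlan20 and vlan10; a drop rule like the
# vlan10 -> vlan20 one (in-interface=vlan30) is needed to actually isolate them.
add bridge=bridge tagged=bridge untagged=ether2,ether3,ether5,wlan1 vlan-ids=20
add bridge=bridge tagged=bridge untagged=ether4 vlan-ids=10
add bridge=bridge tagged=bridge untagged=wlan2 vlan-ids=30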

I do note that this rule references a firewall address list that is not defined anywhere, besides the fact that it is not a WAN address.
# Quote of the tcp/443 dst-nat rule from the posted config; the address-list
# name was edited out of this post at the poster's request, which is why
# "dst-address-list=" is now followed directly by "dst-port=443".
add action=dst-nat chain=dstnat dst-address-list=dst-port=443 \
protocol=tcp to-addresses=192.168.0.10
Last edited by anav on Sat Dec 04, 2021 3:31 pm, edited 1 time in total.
 
ressof

Re: Firewall drop rule not working

Sat Dec 04, 2021 2:07 pm

It was an error in my config. I have now corrected it. Can you please remove ******.se from your post or replace it with WAN-IP?
 
anav

Re: Firewall drop rule not working

Sat Dec 04, 2021 3:31 pm

What was the error? I couldn't find it.
 
ressof

Re: Firewall drop rule not working

Wed Dec 15, 2021 12:20 pm

Hi

I have not had the time to test this until now.

But when I try to add your rules above, I lose access to the router and the internet when I add this command:
# Under /ip address: moves the router's 192.168.0.1 from 'bridge' to vlan20.
# NOTE(review): until the bridge VLAN table and vlan-filtering are in place,
# vlan20 on the bridge receives no traffic from the untagged ports, so
# management over 192.168.0.1 stops at this step — presumably the lockout
# reported here; confirm by applying the whole set from Safe Mode.
add address=192.168.0.1/24 interface=vlan20 network=192.168.0.0
Is there a particular order in which to add the commands? Or can I do it all at once?
 
anav

Re: Firewall drop rule not working

Wed Dec 15, 2021 4:58 pm

You will need to repost the latest config for me to make sense of the question and any potential answer.
 
ressof

Re: Firewall drop rule not working

Wed Dec 15, 2021 8:34 pm

I have renamed vlan10 to vlan20 and changed its IP range to 192.168.20.0:
# dec/15/2021 19:31:22 by RouterOS 6.48.5
# Review notes (added): third full export. vlan10 has been renamed vlan20
# with subnet 192.168.20.0/24, the custom drop rule and the LAN/Smarthome
# address-lists are gone, and the layout is otherwise the earlier one
# (VLAN interface on ether4, ether4 still a bridge port, no vlan-filtering).
# The exported statements are unchanged.
/interface bridge
add admin-mac=48:8F:5A:61:B1:D5 auto-mac=no comment=defconf name=bridge
/interface wireless
set [ find default-name=wlan1 ] band=2ghz-b/g/n channel-width=20/40mhz-XX \
    distance=indoors frequency=auto installation=indoor mode=ap-bridge ssid=\
    MikroTik-61B1D9 wireless-protocol=802.11
set [ find default-name=wlan2 ] band=5ghz-a/n/ac channel-width=\
    20/40/80mhz-XXXX distance=indoors frequency=auto installation=indoor \
    mode=ap-bridge ssid=MikroTik-61B1DA wireless-protocol=802.11
/interface vlan
# vlan20 is defined directly on ether4 while ether4 is also a bridge port.
add interface=ether4 name=vlan20 vlan-id=20
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface wireless security-profiles
# Presumably exported with hide-sensitive: authentication settings not shown.
set [ find default=yes ] supplicant-identity=MikroTik
/ip pool
add name=dhcp_main ranges=192.168.0.100-192.168.0.254
add name=dhcp_pool_vlan20 ranges=192.168.20.100-192.168.20.254
/ip dhcp-server
add address-pool=dhcp_main disabled=no interface=bridge name=defconf
add address-pool=dhcp_pool_vlan20 disabled=no interface=vlan20 name=\
    dhcp_vlan20
/interface bridge port
# ether4 carries both the untagged bridge network (192.168.0.0/24) and the
# tagged vlan20 interface defined above.
add bridge=bridge comment=defconf interface=ether2
add bridge=bridge comment=defconf interface=ether3
add bridge=bridge comment=defconf interface=ether4
add bridge=bridge comment=defconf interface=ether5
add bridge=bridge comment=defconf interface=wlan1
add bridge=bridge comment=defconf interface=wlan2
/ip neighbor discovery-settings
set discover-interface-list=LAN
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=ether1 list=WAN
# vlan20 is in LAN, so its clients can reach the router's input chain.
add interface=vlan20 list=LAN
/ip address
add address=192.168.0.1/24 comment=defconf interface=bridge network=\
    192.168.0.0
add address=192.168.20.1/24 interface=vlan20 network=192.168.20.0
/ip cloud
# IP Cloud DDNS; presumably the (redacted) sn.mynetname.net name used by the
# WAN-IP address-list below.
set ddns-enabled=yes
/ip dhcp-client
add comment=defconf disabled=no interface=ether1
/ip dhcp-server lease
# Static MAC-to-IP bindings for both subnets (device inventory); no filter
# or NAT rule references them.
add address=192.168.0.45 client-id=ff:90:1e:c1:ce:0:3:0:1:30:58:90:1e:c1:ce \
    mac-address=30:58:90:1E:C1:CE server=defconf
add address=192.168.0.42 mac-address=38:8B:59:89:95:23 server=defconf
add address=192.168.0.41 mac-address=48:D6:D5:D4:6D:EE server=defconf
add address=192.168.0.44 client-id=1:cc:d2:81:5e:e4:3b mac-address=\
    CC:D2:81:5E:E4:3B server=defconf
add address=192.168.0.9 client-id=1:b8:ae:ed:ea:e8:96 mac-address=\
    B8:AE:ED:EA:E8:96 server=defconf
add address=192.168.0.15 client-id=1:0:11:32:83:c0:1b mac-address=\
    00:11:32:83:C0:1B server=defconf
add address=192.168.0.10 client-id=\
    ff:9f:6e:85:24:0:2:0:0:ab:11:7:fa:89:ae:f0:ef:23:2b mac-address=\
    00:0C:29:85:E8:C8 server=defconf
add address=192.168.0.14 mac-address=9C:93:4E:6C:CF:C2 server=defconf
add address=192.168.0.30 client-id=1:a4:2b:b0:13:21:13 mac-address=\
    A4:2B:B0:13:21:13 server=defconf
add address=192.168.0.43 mac-address=20:DF:B9:07:F7:A9 server=defconf
add address=192.168.0.40 mac-address=54:60:09:FC:3B:E8 server=defconf
add address=192.168.0.3 mac-address=C0:74:AD:23:CD:90 server=defconf
add address=192.168.0.2 mac-address=C0:74:AD:1B:5E:C4 server=defconf
add address=192.168.0.73 client-id=1:94:9a:a9:dc:b:e4 mac-address=\
    94:9A:A9:DC:0B:E4 server=defconf
add address=192.168.0.11 client-id=1:0:c:29:4f:ed:80 mac-address=\
    00:0C:29:4F:ED:80 server=defconf
add address=192.168.20.10 mac-address=3C:61:05:E3:56:4B server=dhcp_vlan20
add address=192.168.20.11 mac-address=40:F5:20:01:8F:75 server=dhcp_vlan20
add address=192.168.0.80 client-id=1:ea:f3:91:85:9e:2a mac-address=\
    EA:F3:91:85:9E:2A server=defconf
add address=192.168.20.12 mac-address=40:F5:20:01:64:4F server=dhcp_vlan20
add address=192.168.20.13 mac-address=84:F3:EB:32:D0:F6 server=dhcp_vlan20
add address=192.168.20.14 mac-address=80:7D:3A:5B:A5:D7 server=dhcp_vlan20
add address=192.168.20.15 mac-address=84:F3:EB:9F:5B:81 server=dhcp_vlan20
add address=192.168.20.16 mac-address=5C:CF:7F:36:FE:4B server=dhcp_vlan20
add address=192.168.20.17 mac-address=80:7D:3A:5B:25:45 server=dhcp_vlan20
add address=192.168.20.18 mac-address=60:01:94:07:12:BD server=dhcp_vlan20
add address=192.168.20.19 mac-address=B4:E6:2D:21:AA:71 server=dhcp_vlan20
add address=192.168.20.20 mac-address=EC:FA:BC:C4:E7:60 server=dhcp_vlan20
add address=192.168.0.12 client-id=1:0:c:29:b3:3e:a8 mac-address=\
    00:0C:29:B3:3E:A8 server=defconf
add address=192.168.20.21 mac-address=A0:20:A6:19:55:4B server=dhcp_vlan20
add address=192.168.20.22 mac-address=5C:CF:7F:AB:B8:A9 server=dhcp_vlan20
add address=192.168.0.13 mac-address=00:09:DC:80:05:EB server=defconf
add address=192.168.0.71 client-id=1:c4:57:6e:d2:e2:8 mac-address=\
    C4:57:6E:D2:E2:08 server=defconf
add address=192.168.0.46 mac-address=00:F6:20:C8:55:D9 server=defconf
add address=192.168.0.72 client-id=1:d8:a3:5c:7d:5d:c2 mac-address=\
    D8:A3:5C:7D:5D:C2 server=defconf
/ip dhcp-server network
add address=192.168.0.0/24 comment=defconf gateway=192.168.0.1 netmask=24
# vlan20 clients are given the router (192.168.20.1) plus two public
# resolvers as DNS servers.
add address=192.168.20.0/24 dns-server=192.168.20.1,8.8.8.8,1.1.1.1 gateway=\
    192.168.20.1
/ip dns
# The router resolves for clients; only the input-chain rule
# "drop all not coming from LAN" keeps this from being reachable from WAN.
set allow-remote-requests=yes
/ip dns static
add address=192.168.0.1 comment=defconf name=router.lan
/ip firewall address-list
add address=sn.mynetname.net list=WAN-IP
/ip firewall filter
# Input chain: after the default accepts, everything not arriving from an
# interface in the LAN list (bridge, vlan20) is dropped.
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment=\
    "defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
    in-interface-list=!LAN
# Forward chain: default rules only. There is currently no rule restricting
# vlan20 -> 192.168.0.0/24, so the two networks can reach each other freely.
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
    ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
    ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
    connection-state=established,related
add action=accept chain=forward comment=\
    "defconf: accept established,related, untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
add action=drop chain=forward comment=\
    "defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
    connection-state=new in-interface-list=WAN
/ip firewall nat
# Hairpin NAT: lets LAN hosts reach the port-forwarded server via the WAN IP.
add action=masquerade chain=srcnat comment="Hairpin NAT" dst-address=\
    192.168.0.0/24 src-address=192.168.0.0/24
add action=masquerade chain=srcnat comment="defconf: masquerade" \
    ipsec-policy=out,none out-interface-list=WAN
# WAN tcp/80 is forwarded to tcp/22 on 192.168.0.10: that host's port 22
# (conventionally SSH) is exposed to the internet on port 80 with no source
# restriction. Verify this is intended and that the host enforces strong
# authentication; consider a src-address restriction or a VPN instead.
add action=dst-nat chain=dstnat dst-address-list=WAN-IP dst-port=80 protocol=\
    tcp to-addresses=192.168.0.10 to-ports=22
# WAN tcp/443 is forwarded to 192.168.0.10 unchanged, also unrestricted.
add action=dst-nat chain=dstnat dst-address-list=WAN-IP dst-port=443 \
    protocol=tcp to-addresses=192.168.0.10
/system clock
set time-zone-name=Europe/Stockholm
/tool mac-server
# MAC-telnet and MAC-WinBox are only answered on LAN-list interfaces.
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN
 
anav

Re: Firewall drop rule not working

Wed Dec 15, 2021 8:50 pm

The config looks okay, what is the issue now?
 
ressof

Re: Firewall drop rule not working

Wed Dec 15, 2021 9:29 pm

With that config I cannot get the firewall rule to work.

I tried to implement your config like this:
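# The bridge-VLAN layout from the earlier reply, as applied here. Review
# fixes: the menu paths are /interface bridge vlan and /ip firewall filter,
# and the 1883 exception is written as accept + drop because dst-port cannot
# be used without protocol= and a TCP-only "!1883" drop would leave non-TCP
# traffic through.
/interface vlan
add interface=bridge name=vlan10 vlan-id=10
add interface=bridge name=vlan20 vlan-id=20
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface list member
# vlan20 takes the place of 'bridge' in the LAN list; the existing
# interface=bridge member should be replaced, not kept alongside.
add comment=defconf interface=vlan20 list=LAN
add comment=defconf interface=ether1 list=WAN
add interface=vlan10 list=LAN

/ip dhcp-server
# Replaces the server currently bound to 'bridge'.
add address-pool=dhcp interface=vlan20 name=main_dhcp
add address-pool=dhcp_pool_vlan10 interface=vlan10 name=dhcp_vlan10

/interface bridge port
# These ports are already bridge members, so on a live router they are 'set'
# (modify) rather than 'add' operations. pvid is the VLAN given to untagged
# ingress; frame-types=only-untagged-and-priority rejects tagged frames.
# NOTE(review): an AP sending SSID 2 tagged as VLAN 10 and SSID 1 untagged
# on ether4 would not work on an untagged-only pvid=10 port; that needs a
# trunk-style ether4 (tagged for VLAN 10, pvid=20 for the untagged SSID).
add bridge=bridge comment=defconf interface=ether2 pvid=20 ingress-filtering=yes frame-types=only-untagged-and-priority
add bridge=bridge comment=defconf interface=ether3 pvid=20 ingress-filtering=yes frame-types=only-untagged-and-priority
add bridge=bridge comment=defconf interface=ether4 pvid=10 ingress-filtering=yes frame-types=only-untagged-and-priority
add bridge=bridge comment=defconf interface=ether5 pvid=20 ingress-filtering=yes frame-types=only-untagged-and-priority
add bridge=bridge comment=defconf interface=wlan1 pvid=20 ingress-filtering=yes frame-types=only-untagged-and-priority
add bridge=bridge comment=defconf interface=wlan2 pvid=20 ingress-filtering=yes frame-types=only-untagged-and-priority

/interface bridge vlan
# tagged=bridge is what lets the router's own vlan10/vlan20 interfaces
# (defined on the bridge above) see the traffic.
add bridge=bridge tagged=bridge untagged=ether2,ether3,ether5,wlan1,wlan2 vlan-ids=20
add bridge=bridge tagged=bridge untagged=ether4 vlan-ids=10

/ip address
# Moves the router's 192.168.0.1 from 'bridge' to vlan20; management over
# this address only works once the VLAN table and vlan-filtering are in
# place. Applying the whole set from Safe Mode avoids a hard lockout.
add address=192.168.0.1/24 interface=vlan20 network=192.168.0.0
add address=192.168.10.1/24 interface=vlan10 network=192.168.10.0

/ip firewall filter
# Allow tcp/1883 from vlan10 to vlan20, then drop everything else
# vlan10 -> vlan20; both land after the default accept established/related
# rules, so only new connections are evaluated here.
add chain=forward action=accept in-interface=vlan10 out-interface=vlan20 protocol=tcp dst-port=1883 comment="Smarthome: allow 1883 to LAN"
add chain=forward action=drop in-interface=vlan10 out-interface=vlan20 comment="Smarthome: drop all other traffic to LAN"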

Last change: go to the BRIDGE settings and change VLAN filtering from NO to YES.
But then I can't access the router or the internet, and I had to factory reset the router.
 
anav

Re: Firewall drop rule not working

Wed Dec 15, 2021 9:47 pm

Okay, on the config without VLANs try these two things.
I am going to assume that you want VLAN20 on ether4 (and only vlan20, no other subnets; this assumes a smart device is not attached to ether4!!)

(1) remove ether4 from the bridge.

(2) We are going to remove this rule...
add action=drop chain=forward comment=\
"defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
connection-state=new in-interface-list=WAN

and replace it with 4 rules.

# dec/15/2021 19:31:22 by RouterOS 6.48.5
/interface bridge
add admin-mac=48:8F:5A:61:B1:D5 auto-mac=no comment=defconf name=bridge
/interface wireless
set [ find default-name=wlan1 ] band=2ghz-b/g/n channel-width=20/40mhz-XX \
distance=indoors frequency=auto installation=indoor mode=ap-bridge ssid=\
MikroTik-61B1D9 wireless-protocol=802.11
set [ find default-name=wlan2 ] band=5ghz-a/n/ac channel-width=\
20/40/80mhz-XXXX distance=indoors frequency=auto installation=indoor \
mode=ap-bridge ssid=MikroTik-61B1DA wireless-protocol=802.11
/interface vlan
add interface=ether4 name=vlan20 vlan-id=20
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip pool
add name=dhcp_main ranges=192.168.0.100-192.168.0.254
add name=dhcp_pool_vlan20 ranges=192.168.20.100-192.168.20.254
/ip dhcp-server
add address-pool=dhcp_main disabled=no interface=bridge name=defconf
add address-pool=dhcp_pool_vlan20 disabled=no interface=vlan20 name=\
dhcp_vlan20
/interface bridge port
add bridge=bridge comment=defconf interface=ether2
add bridge=bridge comment=defconf interface=ether3

add bridge=bridge comment=defconf interface=ether4 REMOVE FROM BRIDGE
add bridge=bridge comment=defconf interface=ether5
add bridge=bridge comment=defconf interface=wlan1
add bridge=bridge comment=defconf interface=wlan2
/ip neighbor discovery-settings
set discover-interface-list=LAN
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=ether1 list=WAN
add interface=vlan20 list=LAN
/ip address
add address=192.168.0.1/24 comment=defconf interface=bridge network=\
192.168.0.0
add address=192.168.20.1/24 interface=vlan20 network=192.168.20.0
/ip cloud
set ddns-enabled=yes
/ip dhcp-client
add comment=defconf disabled=no interface=ether1
/ip dhcp-server network
add address=192.168.0.0/24 comment=defconf gateway=192.168.0.1 netmask=24
add address=192.168.20.0/24 dns-server=192.168.20.1,8.8.8.8,1.1.1.1 gateway=\
192.168.20.1
/ip dns
set allow-remote-requests=yes
/ip dns static
add address=192.168.0.1 comment=defconf name=router.lan
/ip firewall address-list
add address=sn.mynetname.net list=WAN-IP
/ip firewall filter
add action=accept chain=input comment=\
"defconf: accept established,related,untracked" connection-state=\
established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment=\
"defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
connection-state=established,related
add action=accept chain=forward comment=\
"defconf: accept established,related, untracked" connection-state=\
established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
connection-state=invalid

add action=drop chain=forward comment=\ REMOVE THIS RULE
"defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
connection-state=new in-interface-list=WAN

add chain=forward action=accept in-interface-list=LAN out-interface-list=WAN comment="allow internet access"
add chain=forward action=accept add action=drop chain=forward comment="allow port forwarding" \
connection-nat-state=dstnat connection-state=new in-interface-list=WAN
add chain=forward action=accept in-interface=vlan20 dst-address=192.168.0.0/24 dst-port=1883

add chain=forward action=drop comment="drop all else"

/ip firewall nat
add action=masquerade chain=srcnat comment="Hairpin NAT" dst-address=\
192.168.0.0/24 src-address=192.168.0.0/24
add action=masquerade chain=srcnat comment="defconf: masquerade" \
ipsec-policy=out,none out-interface-list=WAN
add action=dst-nat chain=dstnat dst-address-list=WAN-IP dst-port=80 protocol=\
tcp to-addresses=192.168.0.10 to-ports=22
add action=dst-nat chain=dstnat dst-address-list=WAN-IP dst-port=443 \
protocol=tcp to-addresses=192.168.0.10
/system clock
set time-zone-name=Europe/Stockholm
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN
 
ressof

Re: Firewall drop rule not working

Wed Dec 15, 2021 11:11 pm

On ether4 there is one AP connected that has two SSIDs. One is the main SSID with no VLAN ID (or VLAN ID 1) with normal Wi-Fi access, and the other SSID is for smart-home devices with VLAN ID 20.
 
anav

Re: Firewall drop rule not working

Thu Dec 16, 2021 1:23 am

Which AP is this........... ? ( manufacturer and model #)
 
ressof

Re: Firewall drop rule not working

Thu Dec 16, 2021 9:48 am

It is an AP from Grandstream called the GWN7630. I have disabled the internal Wi-Fi on my router and only use the GWN7630 for Wi-Fi.
 
anav

Re: Firewall drop rule not working

Thu Dec 16, 2021 2:23 pm

Well here is what I would do to get it working.......
Go back to using both VLANs; ether4 will be a trunk port to the Grandstream.
The important point is that the Grandstream itself needs an IP address on the vlan10 subnet, 192.168.0.0/24.
vlan10 is the home VLAN; vlan20-guest is for the Wi-Fi guests on the AP.

But here is how we go about it.
First, change ether5 to an emergency access port; we will do the change back to VLANs through that port (configuring via a laptop or desktop connected to it).

So enter the router as you are doing now (presumably not from ether5):
1. Remove ether5 from the bridge.
2. Rename it ether5-emerg.
3. Give it an IP address of 192.168.5.2, network 192.168.5.0.
4. Add ether5 to the LAN interface list members.
5. Then exit the router and plug the laptop/desktop into ether5 after setting its IPv4 address to 192.168.5.5, gateway 192.168.5.1, netmask 255.255.255.0.
6. Confirm you can enter WinBox and the router for configuration from ether5.
+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Now add back in vlans as indicated before........

/interface vlan
add interface=bridge name=vlan20-guests vlan-id=20
add interface=bridge name=vlan10 vlan-id=10
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface list member
add comment=defconf interface=vlan20-guests list=LAN
add interface=vlan10 list=LAN
add interface=ether5-emerg list=LAN
add comment=defconf interface=ether1 list=WAN

/ip dhcp-server
add address-pool=dhcp interface=vlan10 name=main_dhcp
add address-pool=dhcp_pool_vlan20 interface=vlan20-guests name=dhcp_vlan20

/interface bridge port
add bridge=bridge comment=defconf interface=ether2 pvid=10 ingress-filtering=yes frame-types=only-untagged-and-priority
add bridge=bridge comment=defconf interface=ether3 pvid=10 ingress-filtering=yes frame-types=only-untagged-and-priority
add bridge=bridge comment=defconf interface=ether4 ingress-filtering=yes frame-types=only-tagged
add bridge=bridge comment=defconf interface=wlan1 pvid=10 ingress-filtering=yes frame-types=only-untagged-and-priority disabled=yes
add bridge=bridge comment=defconf interface=wlan2 pvid=10 ingress-filtering=yes frame-types=only-untagged-and-priority disabled=yes

/interface bridge vlans
add bridge=bridge tagged=bridge,ether4 untagged=ether2,ether3,wlan1,wlan2 vlan-ids=10
add bridge=bridge tagged=bridge,ether4 vlan-ids=20

/ip address
add address=192.168.0.1/24 interface=vlan10 network=192.168.0.0
add address=192.168.20.1/24 interface=vlan20-guests network=192.168.20.0

/ip firewall filter
add action=accept chain=input comment=\
"defconf: accept established,related,untracked" connection-state=\
established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment=\
"defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
connection-state=established,related
add action=accept chain=forward comment=\
"defconf: accept established,related, untracked" connection-state=\
established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
connection-state=invalid

add chain=forward action=accept in-interface-list=LAN out-interface-list=WAN comment="allow internet access"
add chain=forward action=accept comment="allow port forwarding" \
connection-nat-state=dstnat connection-state=new in-interface-list=WAN
add chain=forward action=accept in-interface=vlan20 out-interface=vlan10 dst-port=1883
add chain=forward action=drop comment="drop all else"

Ensure bridge VLAN filtering is set to yes.
When it is up and running you can add ether5 back to the bridge or keep it as a separate entry point..........
If you add it back:
/interface bridge port
add bridge=bridge comment=defconf interface=ether5 pvid=10 ingress-filtering=yes frame-types=only-untagged-and-priority
/interface bridge vlans
add bridge=bridge tagged=bridge,ether4 untagged=ether2,ether3,ether5,wlan1,wlan2 vlan-ids=10
Last edited by anav on Fri Dec 17, 2021 2:27 pm, edited 1 time in total.
 
ressof

Re: Firewall drop rule not working

Fri Dec 17, 2021 10:36 am

I now have this config
# dec/17/2021 09:24:12 by RouterOS 6.48.5
/interface bridge
add admin-mac=48:8F:5A:61:B1:D5 auto-mac=no comment=defconf name=bridge \
    vlan-filtering=yes
/interface ethernet
set [ find default-name=ether5 ] name=ether5-emerg
/interface wireless
set [ find default-name=wlan1 ] band=2ghz-b/g/n channel-width=20/40mhz-XX \
    distance=indoors frequency=auto installation=indoor mode=ap-bridge ssid=\
    MikroTik-61B1D9 wireless-protocol=802.11
set [ find default-name=wlan2 ] band=5ghz-a/n/ac channel-width=\
    20/40/80mhz-XXXX distance=indoors frequency=auto installation=indoor \
    mode=ap-bridge ssid=MikroTik-61B1DA wireless-protocol=802.11
/interface vlan
add interface=bridge name=vlan10 vlan-id=10
add interface=ether4 name=vlan20 vlan-id=20
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip pool
add name=dhcp_main ranges=192.168.0.100-192.168.0.254
add name=dhcp_pool_vlan20 ranges=192.168.20.100-192.168.20.254
/ip dhcp-server
add address-pool=dhcp_main disabled=no interface=vlan10 name=dhcp_vlan10
add address-pool=dhcp_pool_vlan20 disabled=no interface=vlan20 name=\
    dhcp_vlan20
/interface bridge port
add bridge=bridge comment=defconf frame-types=\
    admit-only-untagged-and-priority-tagged ingress-filtering=yes interface=\
    ether2 pvid=10
add bridge=bridge comment=defconf frame-types=\
    admit-only-untagged-and-priority-tagged ingress-filtering=yes interface=\
    ether3 pvid=10
add bridge=bridge comment=defconf frame-types=\
    admit-only-untagged-and-priority-tagged ingress-filtering=yes interface=\
    wlan1 pvid=10
add bridge=bridge comment=defconf frame-types=\
    admit-only-untagged-and-priority-tagged ingress-filtering=yes interface=\
    wlan2 pvid=10
add bridge=bridge comment=defconf frame-types=admit-only-vlan-tagged \
    ingress-filtering=yes interface=ether4
/ip neighbor discovery-settings
set discover-interface-list=LAN
/interface bridge vlan
add bridge=bridge tagged=bridge,ether4 untagged=ether2,ether3,wlan1,wlan2 \
    vlan-ids=10
add bridge=bridge tagged=bridge,ether4 vlan-ids=20
/interface list member
add comment=defconf interface=ether1 list=WAN
add interface=vlan20 list=LAN
add interface=ether5-emerg list=LAN
add interface=vlan10 list=LAN
/ip address
add address=192.168.0.1/24 comment=defconf interface=vlan10 network=\
    192.168.0.0
add address=192.168.20.1/24 interface=vlan20 network=192.168.20.0
add address=192.168.5.2/24 interface=ether5-emerg network=192.168.5.0
/ip cloud
set ddns-enabled=yes
/ip dhcp-client
add comment=defconf disabled=no interface=ether1
/ip dhcp-server lease
add address=192.168.0.45 client-id=ff:90:1e:c1:ce:0:3:0:1:30:58:90:1e:c1:ce \
    mac-address=30:58:90:1E:C1:CE server=dhcp_vlan10
add address=192.168.0.42 mac-address=38:8B:59:89:95:23 server=dhcp_vlan10
add address=192.168.0.41 mac-address=48:D6:D5:D4:6D:EE server=dhcp_vlan10
add address=192.168.0.44 client-id=1:cc:d2:81:5e:e4:3b mac-address=\
    CC:D2:81:5E:E4:3B server=dhcp_vlan10
add address=192.168.0.9 client-id=1:b8:ae:ed:ea:e8:96 mac-address=\
    B8:AE:ED:EA:E8:96 server=dhcp_vlan10
add address=192.168.0.15 client-id=1:0:11:32:83:c0:1b mac-address=\
    00:11:32:83:C0:1B server=dhcp_vlan10
add address=192.168.0.10 client-id=\
    ff:9f:6e:85:24:0:2:0:0:ab:11:7:fa:89:ae:f0:ef:23:2b mac-address=\
    00:0C:29:85:E8:C8 server=dhcp_vlan10
add address=192.168.0.14 mac-address=9C:93:4E:6C:CF:C2 server=dhcp_vlan10
add address=192.168.0.30 client-id=1:a4:2b:b0:13:21:13 mac-address=\
    A4:2B:B0:13:21:13 server=dhcp_vlan10
add address=192.168.0.43 mac-address=20:DF:B9:07:F7:A9 server=dhcp_vlan10
add address=192.168.0.40 mac-address=54:60:09:FC:3B:E8 server=dhcp_vlan10
add address=192.168.0.3 mac-address=C0:74:AD:23:CD:90 server=dhcp_vlan10
add address=192.168.0.2 mac-address=C0:74:AD:1B:5E:C4 server=dhcp_vlan10
add address=192.168.0.73 client-id=1:94:9a:a9:dc:b:e4 mac-address=\
    94:9A:A9:DC:0B:E4 server=dhcp_vlan10
add address=192.168.0.11 client-id=1:0:c:29:4f:ed:80 mac-address=\
    00:0C:29:4F:ED:80 server=dhcp_vlan10
add address=192.168.20.10 mac-address=3C:61:05:E3:56:4B server=dhcp_vlan20
add address=192.168.20.11 mac-address=40:F5:20:01:8F:75 server=dhcp_vlan20
add address=192.168.0.80 client-id=1:ea:f3:91:85:9e:2a mac-address=\
    EA:F3:91:85:9E:2A server=dhcp_vlan10
add address=192.168.20.12 mac-address=40:F5:20:01:64:4F server=dhcp_vlan20
add address=192.168.20.13 mac-address=84:F3:EB:32:D0:F6 server=dhcp_vlan20
add address=192.168.20.14 mac-address=80:7D:3A:5B:A5:D7 server=dhcp_vlan20
add address=192.168.20.15 mac-address=84:F3:EB:9F:5B:81 server=dhcp_vlan20
add address=192.168.20.16 mac-address=5C:CF:7F:36:FE:4B server=dhcp_vlan20
add address=192.168.20.17 mac-address=80:7D:3A:5B:25:45 server=dhcp_vlan20
add address=192.168.20.18 mac-address=60:01:94:07:12:BD server=dhcp_vlan20
add address=192.168.20.19 mac-address=B4:E6:2D:21:AA:71 server=dhcp_vlan20
add address=192.168.20.20 mac-address=EC:FA:BC:C4:E7:60 server=dhcp_vlan20
add address=192.168.0.12 client-id=1:0:c:29:b3:3e:a8 mac-address=\
    00:0C:29:B3:3E:A8 server=dhcp_vlan10
add address=192.168.20.21 mac-address=A0:20:A6:19:55:4B server=dhcp_vlan20
add address=192.168.20.22 mac-address=5C:CF:7F:AB:B8:A9 server=dhcp_vlan20
add address=192.168.0.13 mac-address=00:09:DC:80:05:EB server=dhcp_vlan10
add address=192.168.0.71 client-id=1:c4:57:6e:d2:e2:8 mac-address=\
    C4:57:6E:D2:E2:08 server=dhcp_vlan10
add address=192.168.0.46 mac-address=00:F6:20:C8:55:D9 server=dhcp_vlan10
add address=192.168.0.72 client-id=1:d8:a3:5c:7d:5d:c2 mac-address=\
    D8:A3:5C:7D:5D:C2 server=dhcp_vlan10
/ip dhcp-server network
add address=192.168.0.0/24 comment=defconf gateway=192.168.0.1 netmask=24
add address=192.168.20.0/24 dns-server=192.168.20.1,8.8.8.8,1.1.1.1 gateway=\
    192.168.20.1
/ip dns
set allow-remote-requests=yes
/ip dns static
add address=192.168.0.1 comment=defconf name=router.lan
/ip firewall address-list
add address=sn.mynetname.net list=WAN-IP
/ip firewall filter
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment=\
    "defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
    in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
    ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
    ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
    connection-state=established,related
add action=accept chain=forward comment=\
    "defconf: accept established,related, untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
add action=accept chain=forward comment="allow internet access" \
    in-interface-list=LAN out-interface-list=WAN
add action=accept chain=forward
add action=drop chain=forward comment="allow port forwarding" \
    connection-nat-state=dstnat connection-state=new in-interface-list=WAN
add action=drop chain=forward comment="drop all else"
/ip firewall nat
add action=masquerade chain=srcnat comment="Hairpin NAT" dst-address=\
    192.168.0.0/24 src-address=192.168.0.0/24
add action=masquerade chain=srcnat comment="defconf: masquerade" \
    ipsec-policy=out,none out-interface-list=WAN
add action=dst-nat chain=dstnat dst-address-list=WAN-IP dst-port=80 protocol=\
    tcp to-addresses=192.168.0.10 to-ports=22
add action=dst-nat chain=dstnat dst-address-list=WAN-IP dst-port=443 \
    protocol=tcp to-addresses=192.168.0.10
/system clock
set time-zone-name=Europe/Stockholm
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN
I had to choose "frame-types=admit-only-vlan-tagged" because "frame-types=only-tagged" was not in the list.
I don't know if I got the firewall rules correct — I think you missed a newline in your previous post?

I still have some issues:
I can't access my Grandstream AP. Was I supposed to set a fixed IP on it before? Can I change something temporarily to access it and set a fixed IP?
The firewall still doesn't block traffic from the 192.168.20.0 network to the 192.168.0.0 network.
 
anav

Re: Firewall drop rule not working

Fri Dec 17, 2021 2:24 pm

Three steps from success :-)

(1) FROM
/interface vlan
add interface=bridge name=vlan10 vlan-id=10
add interface=ether4 name=vlan20 vlan-id=20

TO
/interface vlan
add interface=bridge name=vlan10 vlan-id=10
add interface=bridge name=vlan20 vlan-id=20

(2) a. OF COURSE YOU CAN REACH SUBNETS. The rule in red (the bare `add action=accept chain=forward` with no matchers) allows all traffic LOL! Thus every packet flow will be matched there and never move on to the next rules for inspection. Just need to remove it!

b. The action for "allow port forwarding" should be ACCEPT: change drop to accept. I screwed that up before, so that one is on me; I fixed it above as well.

add action=accept chain=forward comment="allow internet access" \
in-interface-list=LAN out-interface-list=WAN
add action=accept chain=forward
add action=drop chain=forward comment="allow port forwarding" \
connection-nat-state=dstnat connection-state=new in-interface-list=WAN
add action=drop chain=forward comment="drop all else"

NOTE: I see you removed the rule allowing access from vlan20 to vlan10 for port 1883, was that on purpose?
 
ressof

Re: Firewall drop rule not working

Fri Dec 17, 2021 3:15 pm

Now I have this
# dec/17/2021 14:10:17 by RouterOS 6.48.5
/interface bridge
add admin-mac=48:8F:5A:61:B1:D5 auto-mac=no comment=defconf name=bridge \
    vlan-filtering=yes
/interface ethernet
set [ find default-name=ether5 ] name=ether5-emerg
/interface wireless
set [ find default-name=wlan1 ] band=2ghz-b/g/n channel-width=20/40mhz-XX \
    distance=indoors frequency=auto installation=indoor mode=ap-bridge ssid=\
    MikroTik-61B1D9 wireless-protocol=802.11
set [ find default-name=wlan2 ] band=5ghz-a/n/ac channel-width=\
    20/40/80mhz-XXXX distance=indoors frequency=auto installation=indoor \
    mode=ap-bridge ssid=MikroTik-61B1DA wireless-protocol=802.11
/interface vlan
add interface=bridge name=vlan10 vlan-id=10
add interface=bridge name=vlan20 vlan-id=20
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip pool
add name=dhcp_main ranges=192.168.0.100-192.168.0.254
add name=dhcp_pool_vlan20 ranges=192.168.20.100-192.168.20.254
/ip dhcp-server
add address-pool=dhcp_main disabled=no interface=vlan10 name=dhcp_vlan10
add address-pool=dhcp_pool_vlan20 disabled=no interface=vlan20 name=\
    dhcp_vlan20
/interface bridge port
add bridge=bridge comment=defconf frame-types=\
    admit-only-untagged-and-priority-tagged ingress-filtering=yes interface=\
    ether2 pvid=10
add bridge=bridge comment=defconf frame-types=\
    admit-only-untagged-and-priority-tagged ingress-filtering=yes interface=\
    ether3 pvid=10
add bridge=bridge comment=defconf frame-types=\
    admit-only-untagged-and-priority-tagged ingress-filtering=yes interface=\
    wlan1 pvid=10
add bridge=bridge comment=defconf frame-types=\
    admit-only-untagged-and-priority-tagged ingress-filtering=yes interface=\
    wlan2 pvid=10
add bridge=bridge comment=defconf frame-types=admit-only-vlan-tagged \
    ingress-filtering=yes interface=ether4
/ip neighbor discovery-settings
set discover-interface-list=LAN
/interface bridge vlan
add bridge=bridge tagged=bridge,ether4 untagged=ether2,ether3,wlan1,wlan2 \
    vlan-ids=10
add bridge=bridge tagged=bridge,ether4 vlan-ids=20
/interface list member
add comment=defconf interface=ether1 list=WAN
add interface=vlan20 list=LAN
add interface=ether5-emerg list=LAN
add interface=vlan10 list=LAN
/ip address
add address=192.168.0.1/24 comment=defconf interface=vlan10 network=\
    192.168.0.0
add address=192.168.20.1/24 interface=vlan20 network=192.168.20.0
add address=192.168.5.2/24 interface=ether5-emerg network=192.168.5.0
/ip cloud
set ddns-enabled=yes
/ip dhcp-client
add comment=defconf disabled=no interface=ether1
/ip dhcp-server lease
add address=192.168.0.45 client-id=ff:90:1e:c1:ce:0:3:0:1:30:58:90:1e:c1:ce \
    mac-address=30:58:90:1E:C1:CE server=dhcp_vlan10
add address=192.168.0.42 mac-address=38:8B:59:89:95:23 server=dhcp_vlan10
add address=192.168.0.41 mac-address=48:D6:D5:D4:6D:EE server=dhcp_vlan10
add address=192.168.0.44 client-id=1:cc:d2:81:5e:e4:3b mac-address=\
    CC:D2:81:5E:E4:3B server=dhcp_vlan10
add address=192.168.0.9 client-id=1:b8:ae:ed:ea:e8:96 mac-address=\
    B8:AE:ED:EA:E8:96 server=dhcp_vlan10
add address=192.168.0.15 client-id=1:0:11:32:83:c0:1b mac-address=\
    00:11:32:83:C0:1B server=dhcp_vlan10
add address=192.168.0.10 client-id=\
    ff:9f:6e:85:24:0:2:0:0:ab:11:7:fa:89:ae:f0:ef:23:2b mac-address=\
    00:0C:29:85:E8:C8 server=dhcp_vlan10
add address=192.168.0.14 mac-address=9C:93:4E:6C:CF:C2 server=dhcp_vlan10
add address=192.168.0.30 client-id=1:a4:2b:b0:13:21:13 mac-address=\
    A4:2B:B0:13:21:13 server=dhcp_vlan10
add address=192.168.0.43 mac-address=20:DF:B9:07:F7:A9 server=dhcp_vlan10
add address=192.168.0.40 mac-address=54:60:09:FC:3B:E8 server=dhcp_vlan10
add address=192.168.0.3 mac-address=C0:74:AD:23:CD:90 server=dhcp_vlan10
add address=192.168.0.2 mac-address=C0:74:AD:1B:5E:C4 server=dhcp_vlan10
add address=192.168.0.73 client-id=1:94:9a:a9:dc:b:e4 mac-address=\
    94:9A:A9:DC:0B:E4 server=dhcp_vlan10
add address=192.168.0.11 client-id=1:0:c:29:4f:ed:80 mac-address=\
    00:0C:29:4F:ED:80 server=dhcp_vlan10
add address=192.168.20.10 mac-address=3C:61:05:E3:56:4B server=dhcp_vlan20
add address=192.168.20.11 mac-address=40:F5:20:01:8F:75 server=dhcp_vlan20
add address=192.168.0.80 client-id=1:ea:f3:91:85:9e:2a mac-address=\
    EA:F3:91:85:9E:2A server=dhcp_vlan10
add address=192.168.20.12 mac-address=40:F5:20:01:64:4F server=dhcp_vlan20
add address=192.168.20.13 mac-address=84:F3:EB:32:D0:F6 server=dhcp_vlan20
add address=192.168.20.14 mac-address=80:7D:3A:5B:A5:D7 server=dhcp_vlan20
add address=192.168.20.15 mac-address=84:F3:EB:9F:5B:81 server=dhcp_vlan20
add address=192.168.20.16 mac-address=5C:CF:7F:36:FE:4B server=dhcp_vlan20
add address=192.168.20.17 mac-address=80:7D:3A:5B:25:45 server=dhcp_vlan20
add address=192.168.20.18 mac-address=60:01:94:07:12:BD server=dhcp_vlan20
add address=192.168.20.19 mac-address=B4:E6:2D:21:AA:71 server=dhcp_vlan20
add address=192.168.20.20 mac-address=EC:FA:BC:C4:E7:60 server=dhcp_vlan20
add address=192.168.0.12 client-id=1:0:c:29:b3:3e:a8 mac-address=\
    00:0C:29:B3:3E:A8 server=dhcp_vlan10
add address=192.168.20.21 mac-address=A0:20:A6:19:55:4B server=dhcp_vlan20
add address=192.168.20.22 mac-address=5C:CF:7F:AB:B8:A9 server=dhcp_vlan20
add address=192.168.0.13 mac-address=00:09:DC:80:05:EB server=dhcp_vlan10
add address=192.168.0.71 client-id=1:c4:57:6e:d2:e2:8 mac-address=\
    C4:57:6E:D2:E2:08 server=dhcp_vlan10
add address=192.168.0.46 mac-address=00:F6:20:C8:55:D9 server=dhcp_vlan10
add address=192.168.0.72 client-id=1:d8:a3:5c:7d:5d:c2 mac-address=\
    D8:A3:5C:7D:5D:C2 server=dhcp_vlan10
/ip dhcp-server network
add address=192.168.0.0/24 comment=defconf gateway=192.168.0.1 netmask=24
add address=192.168.20.0/24 dns-server=192.168.20.1,8.8.8.8,1.1.1.1 gateway=\
    192.168.20.1
/ip dns
set allow-remote-requests=yes
/ip dns static
add address=192.168.0.1 comment=defconf name=router.lan
/ip firewall address-list
add address=sn.mynetname.net list=WAN-IP
/ip firewall filter
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment=\
    "defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
    in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
    ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
    ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
    connection-state=established,related
add action=accept chain=forward comment=\
    "defconf: accept established,related, untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
add action=accept chain=forward comment="allow internet access" \
    in-interface-list=LAN out-interface-list=WAN
add action=accept chain=forward comment="allow port forwarding" \
    connection-nat-state=dstnat connection-state=new in-interface-list=WAN
add action=drop chain=forward comment="drop all else"
/ip firewall nat
add action=masquerade chain=srcnat comment="Hairpin NAT" dst-address=\
    192.168.0.0/24 src-address=192.168.0.0/24
add action=masquerade chain=srcnat comment="defconf: masquerade" \
    ipsec-policy=out,none out-interface-list=WAN
add action=dst-nat chain=dstnat dst-address-list=WAN-IP dst-port=80 protocol=\
    tcp to-addresses=192.168.0.10 to-ports=22
add action=dst-nat chain=dstnat dst-address-list=WAN-IP dst-port=443 \
    protocol=tcp to-addresses=192.168.0.10
/system clock
set time-zone-name=Europe/Stockholm
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN
The reason I removed the port 1883 rule is that I want to see whether all traffic from the 192.168.20.0 network to the 192.168.0.0 network is blocked.
That is not the case now; it seems that all traffic is allowed.

And I still can't access my Grandstream AP.
 
anav

Re: Firewall drop rule not working

Fri Dec 17, 2021 3:59 pm

What is the IP address of the Grandstream?
 
ressof

Re: Firewall drop rule not working

Fri Dec 17, 2021 5:23 pm

It got its IP from DHCP. If I change the VLAN ID on the ether4 port to 10, I can see that it gets an IP, but I cannot access it.
 
anav

Re: Firewall drop rule not working

Fri Dec 17, 2021 6:36 pm

What I am saying is that it absolutely has to have an IP from VLAN10.
Try it both ways, statically or dynamically assigned.
You can set the IP in the Grandstream and then add it to the DHCP server leases (via MAC and IP address) on the MikroTik and make it static.

Then you should be able to access the Grandstream via its IP address or MAC address when your PC is in the SAME VLAN (vlan10).

I suspect it's some setting on the Grandstream getting in the way......
NET Port Type: You can configure Trunk port or Access port. If you
chose Access, you also need to specify its VLAN ID. This feature is
not supported in GWN7600/7600LR/GWN7610.

In this case it would be a TRUNK port.............
 
ressof

Re: Firewall drop rule not working

Tue Dec 21, 2021 1:56 pm

I have now fixed access to my AP with this config:
# dec/21/2021 12:51:04 by RouterOS 6.48.5
# Working export: three VLANs on the filtered bridge (vlan10 = 192.168.0.0/24,
# vlan20 = 192.168.20.0/24, vlan1 = 192.168.30.0/24). ether4 carries VLAN 10
# and 20 tagged and VLAN 1 untagged; ether2/3 and both wlans are untagged
# access ports in VLAN 10. The forward chain ends in an explicit drop-all.
/interface bridge
add admin-mac=48:8F:5A:61:B1:D5 auto-mac=no comment=defconf name=bridge \
    vlan-filtering=yes
/interface ethernet
set [ find default-name=ether5 ] name=ether5-emerg
/interface wireless
set [ find default-name=wlan1 ] band=2ghz-b/g/n channel-width=20/40mhz-XX \
    distance=indoors frequency=auto installation=indoor mode=ap-bridge ssid=\
    MikroTik-61B1D9 wireless-protocol=802.11
set [ find default-name=wlan2 ] band=5ghz-a/n/ac channel-width=\
    20/40/80mhz-XXXX distance=indoors frequency=auto installation=indoor \
    mode=ap-bridge ssid=MikroTik-61B1DA wireless-protocol=802.11
# Layer-3 interfaces for each VLAN live on the bridge itself.
/interface vlan
add interface=bridge name=vlan1 vlan-id=1
add interface=bridge name=vlan10 vlan-id=10
add interface=bridge name=vlan20 vlan-id=20
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
# Pool names follow the VLAN; note the vlan1 pool hands out 192.168.30.x.
/ip pool
add name=dhcp_pool_vlan10 ranges=192.168.0.100-192.168.0.254
add name=dhcp_pool_vlan20 ranges=192.168.20.100-192.168.20.254
add name=dhcp_pool_vlan1 ranges=192.168.30.100-192.168.30.254
/ip dhcp-server
add address-pool=dhcp_pool_vlan10 disabled=no interface=vlan10 name=\
    dhcp_vlan10
add address-pool=dhcp_pool_vlan20 disabled=no interface=vlan20 name=\
    dhcp_vlan20
add address-pool=dhcp_pool_vlan1 disabled=no interface=vlan1 name=dhcp_vlan1
# Access ports: only untagged/priority-tagged frames admitted, placed in VLAN 10.
# ether4 keeps the default frame-types (tagged and untagged admitted) with
# ingress filtering on, i.e. it is the trunk (presumably to the Grandstream AP).
/interface bridge port
add bridge=bridge comment=defconf frame-types=\
    admit-only-untagged-and-priority-tagged ingress-filtering=yes interface=\
    ether2 pvid=10
add bridge=bridge comment=defconf frame-types=\
    admit-only-untagged-and-priority-tagged ingress-filtering=yes interface=\
    ether3 pvid=10
add bridge=bridge comment=defconf frame-types=\
    admit-only-untagged-and-priority-tagged ingress-filtering=yes interface=\
    wlan1 pvid=10
add bridge=bridge comment=defconf frame-types=\
    admit-only-untagged-and-priority-tagged ingress-filtering=yes interface=\
    wlan2 pvid=10
add bridge=bridge comment=defconf ingress-filtering=yes interface=ether4
/ip neighbor discovery-settings
set discover-interface-list=LAN
# VLAN table: "bridge" is listed as tagged so the router's own vlan
# interfaces can send/receive on each VLAN; VLAN 1 is untagged on ether4.
/interface bridge vlan
add bridge=bridge tagged=ether4,bridge untagged=ether2,ether3,wlan1,wlan2 \
    vlan-ids=10
add bridge=bridge tagged=bridge,ether4 vlan-ids=20
add bridge=bridge tagged=bridge untagged=ether4 vlan-ids=1
# NOTE(review): all three VLAN interfaces (and ether5-emerg) are members of LAN.
# The input chain's only drop for new connections is in-interface-list=!LAN,
# and neighbor discovery and the MAC server are bound to LAN as well, so hosts
# on vlan20 and vlan1 get the same reach to the router's own services as
# vlan10 hosts. Restrict LAN membership, or add input rules per VLAN, if
# vlan20 is meant to be an isolated network.
/interface list member
add comment=defconf interface=ether1 list=WAN
add interface=vlan20 list=LAN
add interface=ether5-emerg list=LAN
add interface=vlan10 list=LAN
add interface=vlan1 list=LAN
/ip address
add address=192.168.0.1/24 comment=defconf interface=vlan10 network=\
    192.168.0.0
add address=192.168.20.1/24 interface=vlan20 network=192.168.20.0
add address=192.168.5.2/24 interface=ether5-emerg network=192.168.5.0
add address=192.168.30.1/24 interface=vlan1 network=192.168.30.0
# Cloud DDNS is what populates the WAN-IP address list used by the dst-nat rules.
/ip cloud
set ddns-enabled=yes
/ip dhcp-client
add comment=defconf disabled=no interface=ether1
# Static leases, keyed by MAC (and client-id where the client sends one),
# for the vlan10, vlan20 and vlan1 DHCP servers.
/ip dhcp-server lease
add address=192.168.0.45 client-id=ff:90:1e:c1:ce:0:3:0:1:30:58:90:1e:c1:ce \
    mac-address=30:58:90:1E:C1:CE server=dhcp_vlan10
add address=192.168.0.42 mac-address=38:8B:59:89:95:23 server=dhcp_vlan10
add address=192.168.0.41 mac-address=48:D6:D5:D4:6D:EE server=dhcp_vlan10
add address=192.168.0.44 client-id=1:cc:d2:81:5e:e4:3b mac-address=\
    CC:D2:81:5E:E4:3B server=dhcp_vlan10
add address=192.168.0.9 client-id=1:b8:ae:ed:ea:e8:96 mac-address=\
    B8:AE:ED:EA:E8:96 server=dhcp_vlan10
add address=192.168.0.15 client-id=1:0:11:32:83:c0:1b mac-address=\
    00:11:32:83:C0:1B server=dhcp_vlan10
add address=192.168.0.10 client-id=\
    ff:9f:6e:85:24:0:2:0:0:ab:11:7:fa:89:ae:f0:ef:23:2b mac-address=\
    00:0C:29:85:E8:C8 server=dhcp_vlan10
add address=192.168.0.14 mac-address=9C:93:4E:6C:CF:C2 server=dhcp_vlan10
add address=192.168.0.30 client-id=1:a4:2b:b0:13:21:13 mac-address=\
    A4:2B:B0:13:21:13 server=dhcp_vlan10
add address=192.168.0.43 mac-address=20:DF:B9:07:F7:A9 server=dhcp_vlan10
add address=192.168.0.40 mac-address=54:60:09:FC:3B:E8 server=dhcp_vlan10
add address=192.168.0.73 client-id=1:94:9a:a9:dc:b:e4 mac-address=\
    94:9A:A9:DC:0B:E4 server=dhcp_vlan10
add address=192.168.0.11 client-id=1:0:c:29:4f:ed:80 mac-address=\
    00:0C:29:4F:ED:80 server=dhcp_vlan10
add address=192.168.20.10 mac-address=3C:61:05:E3:56:4B server=dhcp_vlan20
add address=192.168.20.11 mac-address=40:F5:20:01:8F:75 server=dhcp_vlan20
add address=192.168.0.80 client-id=1:ea:f3:91:85:9e:2a mac-address=\
    EA:F3:91:85:9E:2A server=dhcp_vlan10
add address=192.168.20.12 mac-address=40:F5:20:01:64:4F server=dhcp_vlan20
add address=192.168.20.13 mac-address=84:F3:EB:32:D0:F6 server=dhcp_vlan20
add address=192.168.20.14 mac-address=80:7D:3A:5B:A5:D7 server=dhcp_vlan20
add address=192.168.20.15 mac-address=84:F3:EB:9F:5B:81 server=dhcp_vlan20
add address=192.168.20.16 mac-address=5C:CF:7F:36:FE:4B server=dhcp_vlan20
add address=192.168.20.17 mac-address=80:7D:3A:5B:25:45 server=dhcp_vlan20
add address=192.168.20.18 mac-address=60:01:94:07:12:BD server=dhcp_vlan20
add address=192.168.20.19 mac-address=B4:E6:2D:21:AA:71 server=dhcp_vlan20
add address=192.168.20.20 mac-address=EC:FA:BC:C4:E7:60 server=dhcp_vlan20
add address=192.168.0.12 client-id=1:0:c:29:b3:3e:a8 mac-address=\
    00:0C:29:B3:3E:A8 server=dhcp_vlan10
add address=192.168.20.21 mac-address=A0:20:A6:19:55:4B server=dhcp_vlan20
add address=192.168.20.22 mac-address=5C:CF:7F:AB:B8:A9 server=dhcp_vlan20
add address=192.168.0.13 mac-address=00:09:DC:80:05:EB server=dhcp_vlan10
add address=192.168.0.71 client-id=1:c4:57:6e:d2:e2:8 mac-address=\
    C4:57:6E:D2:E2:08 server=dhcp_vlan10
add address=192.168.0.46 mac-address=00:F6:20:C8:55:D9 server=dhcp_vlan10
add address=192.168.0.72 client-id=1:d8:a3:5c:7d:5d:c2 mac-address=\
    D8:A3:5C:7D:5D:C2 server=dhcp_vlan10
add address=192.168.30.2 mac-address=C0:74:AD:1B:5E:C4 server=dhcp_vlan1
add address=192.168.30.3 mac-address=C0:74:AD:23:CD:90 server=dhcp_vlan1
/ip dhcp-server network
add address=192.168.0.0/24 comment=defconf gateway=192.168.0.1 netmask=24
add address=192.168.20.0/24 gateway=192.168.20.1
add address=192.168.30.0/24 gateway=192.168.30.1
/ip dns
set allow-remote-requests=yes
/ip dns static
add address=192.168.0.1 comment=defconf name=router.lan
# WAN-IP is kept current from the router's cloud DDNS name; the dstnat rules
# match on this list instead of on in-interface.
/ip firewall address-list
add address=sn.mynetname.net list=WAN-IP
# Rule order matters: the forward chain is default-deny ("drop all else" at
# the end), so every inter-VLAN flow that should work needs an accept above it.
# As written: any LAN VLAN -> WAN; vlan10 -> vlan10 (hairpin), vlan20 and
# vlan1; vlan20 -> vlan10 only on TCP/1883; nothing else crosses VLANs.
/ip firewall filter
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment=\
    "defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
    in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
    ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
    ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
    connection-state=established,related
add action=accept chain=forward comment=\
    "defconf: accept established,related, untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
add action=accept chain=forward comment="allow internet access" \
    in-interface-list=LAN out-interface-list=WAN
add action=accept chain=forward comment="allow port forwarding" \
    connection-nat-state=dstnat connection-state=new in-interface-list=WAN
# Hairpin: a vlan10 client reaching the forwarded service via the WAN-IP is
# forwarded vlan10 -> vlan10 after dst-nat and would otherwise hit the drop.
add action=accept chain=forward in-interface=vlan10 out-interface=vlan10
# The only connection vlan20 may initiate into vlan10 (MQTT, TCP/1883).
add action=accept chain=forward dst-port=1883 in-interface=vlan20 \
    out-interface=vlan10 protocol=tcp
add action=accept chain=forward in-interface=vlan10 out-interface=vlan20
add action=accept chain=forward in-interface=vlan10 out-interface=vlan1
add action=drop chain=forward comment="drop all else"
/ip firewall nat
add action=masquerade chain=srcnat comment="Hairpin NAT" dst-address=\
    192.168.0.0/24 src-address=192.168.0.0/24
add action=masquerade chain=srcnat comment="defconf: masquerade" \
    ipsec-policy=out,none out-interface-list=WAN
# NOTE(review): this rule maps WAN TCP/80 to port 22 on 192.168.0.10, so that
# host's SSH service is reachable from the internet (on port 80). The
# "allow port forwarding" forward rule admits it. Confirm this exposure is
# intended; if so, consider restricting src-address and rate-limiting.
add action=dst-nat chain=dstnat dst-address-list=WAN-IP dst-port=80 protocol=\
    tcp to-addresses=192.168.0.10 to-ports=22
add action=dst-nat chain=dstnat dst-address-list=WAN-IP dst-port=443 \
    protocol=tcp to-addresses=192.168.0.10
/system clock
set time-zone-name=Europe/Stockholm
# MAC-level access (MAC telnet / MAC Winbox) is allowed from every LAN member,
# which includes vlan20 and vlan1.
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN
I added this rule to make my hairpin NAT work:
add action=accept chain=forward in-interface=vlan10 out-interface=vlan10
I just wonder if you have anything to comment on my config?