Kentzo
Long time Member
Topic Author
Posts: 516
Joined: Mon Jan 27, 2014 3:35 pm
Location: California

Jump outside of firewall's raw filter

Wed Jan 12, 2022 7:58 am

I have a raw rule to drop non-global IPs (specified via an address list) from WAN. But I need to let a regular firewall filter work on a single non-global IP (cable modem) from WAN. One option is to modify the non-global IPs address list to exclude that single IP, but it seems cleaner to me to put a raw rule for that single IP just before the drop rule.
 
mkx
Forum Guru
Posts: 11447
Joined: Thu Mar 03, 2016 10:23 pm

Re: Jump outside of firewall's raw filter

Wed Jan 12, 2022 3:46 pm

Yes, allowing specifics before dropping in general is the way it should be done.
 
Kentzo
Long time Member
Topic Author
Posts: 516
Joined: Mon Jan 27, 2014 3:35 pm
Location: California

Re: Jump outside of firewall's raw filter

Wed Jan 12, 2022 9:47 pm

The issue is that my general dropping rule is RAW, but for that single IP (that is included in the range of IP addresses used by the general RAW rule) I want usual filtering with connection tracking.

Something like this:

/ip firewall raw
add action=??? chain=prerouting src-address=192.168.100.1 in-interface-list=WAN comment="bypass the next rule and let the usual filter work on this IP"
add action=drop chain=prerouting src-address=192.168.0.0/16 in-interface-list=WAN

/ip firewall filter
add chain=forward action=accept connection-state=established,related,untracked comment="allow 192.168.100.1 <-> WAN <-> LAN when the connection is initiated from the LAN"
add chain=forward action=drop src-address=192.168.100.1 in-interface-list=WAN
add chain=input action=accept connection-state=established,related,untracked comment="allow 192.168.100.1 <-> WAN <-> Self when the connection is initiated from Self"
add chain=input action=drop src-address=192.168.100.1 in-interface-list=WAN

Is it possible to achieve this without splitting the 192.168.0.0/16 into multiple networks just to exclude 192.168.100.1?
 
mkx
Forum Guru
Posts: 11447
Joined: Thu Mar 03, 2016 10:23 pm

Re: Jump outside of firewall's raw filter  [SOLVED]

Wed Jan 12, 2022 10:37 pm

Sure. Rules are evaluated from top to bottom and the first matching one executes. So your first rule should have action=accept.

Accept in raw firewall does not mean that packets will skip firewall filter rules, those are still evaluated and executed.

Have a look at packet flow, after some thinking it becomes clear ...

Do you mind explaining what you are trying to achieve? The rules you showed in the previous post don't make much sense to me.
 
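As an added illustration (not code from this thread, from MikroTik or from RouterOS itself), a small Python model of the rule sets posted above with the first raw rule set to action=accept as answered: it walks each chain with first-match semantics and shows that a raw accept ends raw processing only, so the packet is still decided by the filter chain. The rule tables and sample packets are constructed for the example.

```python
import ipaddress

# Constructed model of the thread's rules, with the "???" rule given
# action=accept as mkx answered. Each chain is walked top to bottom and the
# first matching rule decides; "accept" in raw/prerouting only ends raw
# processing, the packet is still evaluated by the filter chain afterwards.
RAW_PREROUTING = [
    {"src": "192.168.100.1", "in_list": "WAN", "action": "accept"},
    {"src": "192.168.0.0/16", "in_list": "WAN", "action": "drop"},
]
FILTER_FORWARD = [
    {"conn_state": {"established", "related", "untracked"}, "action": "accept"},
    {"src": "192.168.100.1", "in_list": "WAN", "action": "drop"},
]

def pkt(src, in_list, conn_state="new"):
    """Minimal packet: source address, interface list it arrived on, conntrack state."""
    return {"src": ipaddress.ip_address(src), "in_list": in_list, "conn_state": conn_state}

def matches(rule, p):
    """True when every matcher present in the rule agrees with the packet."""
    if "src" in rule and p["src"] not in ipaddress.ip_network(rule["src"]):
        return False
    if "in_list" in rule and p["in_list"] != rule["in_list"]:
        return False
    if "conn_state" in rule and p["conn_state"] not in rule["conn_state"]:
        return False
    return True

def first_match(rules, p):
    """First-match semantics; built-in chains accept when no rule matches."""
    for rule in rules:
        if matches(rule, p):
            return rule["action"]
    return "accept"

def disposition(p):
    """Return (raw verdict, filter verdict); filter is skipped only on a raw drop."""
    raw = first_match(RAW_PREROUTING, p)
    if raw == "drop":
        return raw, None
    return raw, first_match(FILTER_FORWARD, p)

if __name__ == "__main__":
    # New connection from the modem: raw accepts, the filter still drops it.
    print(disposition(pkt("192.168.100.1", "WAN")))                 # ('accept', 'drop')
    # Reply of a LAN-initiated connection passes both.
    print(disposition(pkt("192.168.100.1", "WAN", "established")))  # ('accept', 'accept')
    # Any other private source on WAN never reaches the filter.
    print(disposition(pkt("192.168.5.5", "WAN")))                   # ('drop', None)
```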
Kentzo
Long time Member
Topic Author
Posts: 516
Joined: Mon Jan 27, 2014 3:35 pm
Location: California

Re: Jump outside of firewall's raw filter

Wed Jan 12, 2022 11:58 pm

> Accept in raw firewall does not mean that packets will skip firewall filter rules, those are still evaluated and executed.

Ah, you're right. I hadn't noticed it because my other, much more general, firewall rule for established,related was accepting it. I wish it was mentioned very early in the help page :)

> The rules you showed in the previous post don't make much sense to me.

I'll gladly answer the questions in the corresponding thread.
