arjones85
just joined
Topic Author
Posts: 3
Joined: Mon Mar 07, 2022 3:59 am

Why did I have to add this firewall rule?

Fri Mar 25, 2022 6:10 pm

Hi all,

I am working on creating a guest wifi on my hap ac2 setup as a "dumb" access point, while my hex router handles all the DHCP traffic.

I have the guest SSID working correctly and pulling from my defined guest DHCP range; however, DNS traffic was not working (the DNS server for this network is defined as the VLAN interface's IP address). I had to add the following to my firewall rules, above the "block all not coming from LAN":
add action=accept chain=input in-interface=all-vlan
add action=drop chain=input comment="defconf: drop all not coming from LAN" in-interface-list=!LAN log=yes log-prefix="DROP INPUT not from LAN - "
My question is - why?? I have the vlan interface already in the default bridge, which is in the LAN address list. This traffic should not have been getting dropped:
[admin@MikroTik] > interface list export
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=ether1 list=WAN

[admin@MikroTik] > interface bridge export

/interface bridge
add admin-mac=2C:C8:1B:77:D5:B3 auto-mac=no comment=defconf name=bridge
/interface bridge port
add bridge=bridge comment=defconf interface=ether2
add bridge=bridge comment=defconf interface=ether3
add bridge=bridge comment=defconf interface=ether4
add bridge=bridge comment=defconf interface=ether5
add bridge=bridge interface=vlan-guestwifi

Here's my full firewall export. Thank you in advance for your help!


[admin@MikroTik] > ip firewall export

/ip firewall filter
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid log=yes log-prefix="DROP INPUT invalid - "
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment="defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=accept chain=input in-interface=all-vlan
add action=drop chain=input comment="defconf: drop all not coming from LAN" in-interface-list=!LAN log=yes log-prefix="DROP INPUT not from LAN - "
add action=accept chain=forward in-interface=vlan-guestwifi
add action=accept chain=forward comment="defconf: accept in ipsec policy" ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related
add action=accept chain=forward comment="defconf: accept established,related, untracked" connection-state=established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid log=yes log-prefix="DROP drop invalid - "
add action=drop chain=forward comment="defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat connection-state=new in-interface-list=WAN log=yes log-prefix="DROP not DSTNATed - "
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" ipsec-policy=out,none out-interface-list=WAN
add action=masquerade chain=srcnat dst-address=<removed> out-interface=bridge protocol=tcp src-address=192.168.1.0/24
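The following is an added example, not RouterOS code and not part of the original post: a small Python model of first-match evaluation in the input chain, fed with the defconf rules from the export above. It assumes that a guest client's DNS query to the VLAN interface's address arrives with in-interface set to vlan-guestwifi (consistent with the in-interface=all-vlan accept rule fixing the problem), models in-interface=all-vlan as "any interface in a set of VLAN interface names", and uses an invented address (192.168.50.1) for the VLAN interface. It evaluates the same constructed packet three ways: with the lists exactly as exported, with the poster's all-vlan accept rule inserted, and with vlan-guestwifi added as a member of the LAN interface list instead.

```python
"""Constructed model of RouterOS input-chain evaluation (first matching rule wins).

Added example only; it models just the matchers used by the rules in the
export above and nothing else about RouterOS.
"""
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Packet:
    in_interface: str           # interface the packet was received on
    protocol: str               # "udp", "tcp", "icmp"
    dst_address: str
    connection_state: str = "new"


@dataclass(frozen=True)
class Rule:
    action: str
    comment: str = ""
    connection_state: Optional[frozenset] = None   # e.g. {"established", "related"}
    protocol: Optional[str] = None
    dst_address: Optional[str] = None
    in_interface: Optional[str] = None             # an interface name, or "all-vlan"
    in_interface_list: Optional[str] = None        # "LAN", or the negated form "!LAN"


def rule_matches(rule: Rule, pkt: Packet, lists: dict, vlan_ifaces: set) -> bool:
    """Every matcher set on the rule must hold; unset matchers are wildcards."""
    if rule.connection_state is not None and pkt.connection_state not in rule.connection_state:
        return False
    if rule.protocol is not None and pkt.protocol != rule.protocol:
        return False
    if rule.dst_address is not None and pkt.dst_address != rule.dst_address:
        return False
    if rule.in_interface is not None:
        if rule.in_interface == "all-vlan":
            # Modelled as membership in the set of VLAN interface names (assumption).
            if pkt.in_interface not in vlan_ifaces:
                return False
        elif pkt.in_interface != rule.in_interface:
            return False
    if rule.in_interface_list is not None:
        negated = rule.in_interface_list.startswith("!")
        name = rule.in_interface_list.lstrip("!")
        in_list = pkt.in_interface in lists.get(name, set())
        # "!LAN" matches only non-members; "LAN" matches only members.
        if in_list == negated:
            return False
    return True


def evaluate_input(rules: list, pkt: Packet, lists: dict, vlan_ifaces: set) -> tuple:
    """Return (action, comment) of the first matching rule; an empty tail accepts."""
    for rule in rules:
        if rule_matches(rule, pkt, lists, vlan_ifaces):
            return rule.action, rule.comment
    return "accept", "end of chain (no rule matched)"


ESTABLISHED = frozenset({"established", "related", "untracked"})

# The defconf input rules from the export, without the poster's added all-vlan rule.
DEFCONF_INPUT = [
    Rule("accept", "defconf: accept established,related,untracked", connection_state=ESTABLISHED),
    Rule("drop", "defconf: drop invalid", connection_state=frozenset({"invalid"})),
    Rule("accept", "defconf: accept ICMP", protocol="icmp"),
    Rule("accept", "defconf: accept to local loopback (for CAPsMAN)", dst_address="127.0.0.1"),
    Rule("drop", "defconf: drop all not coming from LAN", in_interface_list="!LAN"),
]
ADDED_ALL_VLAN_RULE = Rule("accept", "accept from any VLAN interface", in_interface="all-vlan")
VLAN_IFACES = {"vlan-guestwifi"}
EXPORTED_LISTS = {"LAN": {"bridge"}, "WAN": {"ether1"}}   # exactly as in the export above

# Constructed packet: a guest client's DNS query to the VLAN interface's IP.
# Assumption: in-interface is the VLAN interface, not the bridge; the address is invented.
GUEST_DNS_QUERY = Packet(in_interface="vlan-guestwifi", protocol="udp", dst_address="192.168.50.1")


def with_exported_lists() -> tuple:
    """Lists as exported: LAN holds only the bridge, so the VLAN interface is 'not LAN'."""
    return evaluate_input(DEFCONF_INPUT, GUEST_DNS_QUERY, EXPORTED_LISTS, VLAN_IFACES)


def with_all_vlan_rule() -> tuple:
    """The poster's fix: an all-vlan accept rule placed above the drop rule."""
    rules = DEFCONF_INPUT[:4] + [ADDED_ALL_VLAN_RULE] + DEFCONF_INPUT[4:]
    return evaluate_input(rules, GUEST_DNS_QUERY, EXPORTED_LISTS, VLAN_IFACES)


def with_vlan_in_lan_list() -> tuple:
    """Alternative: make vlan-guestwifi a member of the LAN list, leaving the rules unchanged."""
    lists = {"LAN": {"bridge", "vlan-guestwifi"}, "WAN": {"ether1"}}
    return evaluate_input(DEFCONF_INPUT, GUEST_DNS_QUERY, lists, VLAN_IFACES)


if __name__ == "__main__":
    for label, fn in [("exported lists", with_exported_lists),
                      ("all-vlan rule added", with_all_vlan_rule),
                      ("vlan in LAN list", with_vlan_in_lan_list)]:
        print(f"{label:22s} -> {fn()}")
```

Interface-list membership is per interface name: the bridge being in LAN says nothing about a separate VLAN interface, so a packet whose in-interface is vlan-guestwifi fails the !LAN test and is dropped. Because that drop rule logs with the prefix "DROP INPUT not from LAN - ", the logged in: field of those entries is the quickest way to confirm which interface name the firewall actually saw before deciding whether to add it to the list or to add a separate accept rule.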
