socier
just joined
Topic Author
Posts: 3
Joined: Fri Aug 26, 2022 3:17 am

Firewall filter blocking all other subnets

Fri Aug 26, 2022 3:50 am

Hi, there.

I'm trying to configure my hAP ac2 (v.7.4.1) to allow a specific local address and to block all other networks.

I made the following rule and got the expected result.
It seems to block ping to the desired address (10.12.11.210) and allow all others.

Chain: forward
Dst. Address: 10.12.11.210
Action: reject


$ ping 10.12.11.210
Pinging 10.12.11.210 with 32 bytes of data:
Reply from 10.1.1.1: Destination net unreachable.

$ ping 10.12.12.31
Pinging 10.12.12.31 with 32 bytes of data:
Reply from 10.12.12.31: bytes=32 time<1ms TTL=126


$ ping 8.8.8.8
Pinging 8.8.8.8 with 32 bytes of data:
Reply from 8.8.8.8: bytes=32 time=39ms TTL=116




Then I used an exclamation mark ( ! ) to invert the match.

Chain: forward
Dst. Address: !10.12.11.210
Action: reject


I expected that I could ping 10.12.11.210 and that all other addresses would be rejected.
But I could not ping any address, including 10.12.11.210.

$ ping 10.12.11.210
Pinging 10.12.11.210 with 32 bytes of data:
Request timed out.

$ ping 10.12.12.31
Pinging 10.12.11.2 with 32 bytes of data:
Reply from 10.1.1.1: Destination net unreachable.

$ ping 8.8.8.8
Pinging 8.8.8.8 with 32 bytes of data:
Reply from 10.1.1.1: Destination net unreachable.

What did I misunderstand?
Could anyone help me configure the correct filter?

I want to:
1. Allow a specific address (10.12.11.210 or 10.12.11.0/24)
2. Block all other addresses.

Thank you.
Last edited by socier on Sat Aug 27, 2022 6:17 am, edited 2 times in total.
 
k6ccc
Forum Guru
Posts: 1490
Joined: Fri May 13, 2016 12:01 am
Location: Glendora, CA, USA (near Los Angeles)

Re: Firewall filter blocking all other subnets

Fri Aug 26, 2022 5:40 pm

Without seeing what your configuration is, we are guessing. Please post a sanitized version of your configuration. To export and paste your configuration (and I'm assuming you are using WebFig or Winbox), open a terminal window, and type (without the quotes) "/export hide-sensitive file=any-filename-you-wish". Then open the files section and right click on the filename you created and select download in order to download the file to your computer. It will be a text file with whatever name you saved to with an extension of .rsc. Suggest you then open the .rsc file in your favorite text editor and redact any sensitive information. Then in your message here, click the code display icon in the toolbar above the text entry (the code display icon is the 7th one from the left and looks like a square with a blob in the middle). Then paste the text from the file in between the two code words in brackets.
 
anav
Forum Guru
Posts: 19107
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Firewall filter blocking all other subnets

Fri Aug 26, 2022 6:56 pm

Besides the config, a network diagram showing all the connected devices and subnets involved is also very helpful in troubleshooting.
 
socier
just joined
Topic Author
Posts: 3
Joined: Fri Aug 26, 2022 3:17 am

Re: Firewall filter blocking all other subnets

Sat Aug 27, 2022 5:23 am

Without seeing what your configuration is, we are guessing. Please post a sanitized version of your configuration. To export and paste your configuration (and I'm assuming you are using WebFig or Winbox), open a terminal window, and type (without the quotes) "/export hide-sensitive file=any-filename-you-wish". Then open the files section and right click on the filename you created and select download in order to download the file to your computer. It will be a text file with whatever name you saved to with an extension of .rsc. Suggest you then open the .rsc file in your favorite text editor and redact any sensitive information. Then in your message here, click the code display icon in the toolbar above the text entry (the code display icon is the 7th one from the left and looks like a square with a blob in the middle). Then paste the text from the file in between the two code words in brackets.


Thank you for your reply.
I have attached my configuration below.

# aug/27/2022 09:16:06 by RouterOS 7.4.1
# software id = S77I-JIVN
#
# model = RBD52G-5HacD2HnD
# serial number = 
/interface bridge
add admin-mac=C4:AD:34:87:DC:30 arp=reply-only auto-mac=no comment=defconf \
    name=bridge
/interface wireless
set [ find default-name=wlan1 ] disabled=no hide-ssid=yes mode=ap-bridge \
    ssid=Jay wireless-protocol=802.11
set [ find default-name=wlan2 ] disabled=no hide-ssid=yes mode=ap-bridge \
    ssid=Jay wireless-protocol=802.11
/interface list
add name=WAN
add name=LAN
/interface lte apn
set [ find default=yes ] ip-type=ipv4 use-network-apn=no
/interface wireless security-profiles
set [ find default=yes ] authentication-types=wpa-psk,wpa2-psk eap-methods="" \
    mode=dynamic-keys supplicant-identity=MikroTik
/ip pool
add name=dhcp2 ranges=10.1.2.101-10.1.2.150
add name=dhcp next-pool=dhcp2 ranges=10.1.1.101-10.1.1.150
/ip dhcp-server
add add-arp=yes address-pool=dhcp interface=bridge lease-time=10h name=dhcp1
/routing bgp template
set default disabled=no output.network=bgp-networks
/routing ospf instance
add disabled=no name=default-v2
/routing ospf area
add disabled=yes instance=default-v2 name=backbone-v2
/user group
set full policy="local,telnet,ssh,ftp,reboot,read,write,policy,test,winbox,pas\
    sword,web,sniff,sensitive,api,romon,dude,rest-api"
/interface bridge port
add bridge=bridge comment=defconf disabled=yes ingress-filtering=no \
    interface=ether1
add bridge=bridge comment=defconf ingress-filtering=no interface=ether2
add bridge=bridge comment=defconf ingress-filtering=no interface=ether3
add bridge=bridge comment=defconf ingress-filtering=no interface=ether4
add bridge=bridge comment=defconf ingress-filtering=no interface=ether5
add bridge=bridge ingress-filtering=no interface=wlan2
add bridge=bridge ingress-filtering=no interface=wlan1
/ip settings
set max-neighbor-entries=8192
/ipv6 settings
set disable-ipv6=yes max-neighbor-entries=8192
/interface detect-internet
set detect-interface-list=all
/interface list member
add interface=ether1 list=WAN
add interface=bridge list=LAN
/interface ovpn-server server
set auth=sha1,md5
/interface pptp-server server
# PPTP connections are considered unsafe, it is suggested to use a more modern VPN protocol instead
set enabled=yes
/interface wireless cap
set bridge=bridge caps-man-addresses=10.1.1.1 discovery-interfaces=bridge \
    interfaces=wlan1,wlan2
/ip address
add address=10.1.1.1/24 interface=bridge network=10.1.1.0
add address=10.12.13.33/24 interface=ether1 network=10.12.13.0
add address=10.1.2.1/24 interface=bridge network=10.1.2.0
/ip dhcp-client
add comment=defconf interface=ether1
/ip dhcp-server network
add address=10.1.1.0/24 gateway=10.1.1.1 netmask=24
/ip dns
set servers=10.12.11.222,8.8.8.8
/ip firewall filter
add action=reject chain=forward dst-address=10.12.11.210 reject-with=\
    icmp-network-unreachable
/ip firewall nat
add action=masquerade chain=srcnat out-interface-list=WAN
add action=dst-nat chain=dstnat dst-address=10.12.13.33 dst-port=3389 \
    protocol=tcp to-addresses=10.1.1.11 to-ports=3389
/ip firewall service-port
set udplite disabled=yes
set dccp disabled=yes
set sctp disabled=yes
/ip route
add disabled=no distance=1 dst-address=0.0.0.0/0 gateway=10.12.13.2 pref-src=\
    0.0.0.0 routing-table=main scope=30 suppress-hw-offload=no target-scope=\
    10
/ppp secret
add name=jay
/system clock
set time-zone-name=Asia/Bangkok
 
socier
just joined
Topic Author
Posts: 3
Joined: Fri Aug 26, 2022 3:17 am

Re: Firewall filter blocking all other subnets

Sat Aug 27, 2022 6:22 am

Besides the config, a network diagram showing all the connected devices and subnets involved is also very helpful in troubleshooting.


Thank you for your reply.
I have attached my draft diagram here.

I just want to allow packets from the TEST PC (and Laptop) to Server 1 & 2 (10.12.11.0/24)
and to block all others (Server 3, Server 4, Internet, etc.).
mtfw.png
 
Sob
Forum Guru
Posts: 9119
Joined: Mon Apr 20, 2009 9:11 pm

Re: Firewall filter blocking all other subnets  [SOLVED]

Sat Aug 27, 2022 7:15 am

You need to remember that all packets are checked against the same rules. So if you block packets to "not 10.12.11.0/24", it will work. But it will also reliably block all response packets from the allowed servers, because those will be to 10.1.1.x, so the "not 10.12.11.0/24" condition will match.

You want a stateful firewall that can recognize the connection state for each packet and work with it. See at least the first point in viewtopic.php?t=180838.
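As an added illustration of Sob's point (not part of the thread, and not RouterOS code), the small Python model below runs both directions of the ping from the thread through the inverted rule alone and then through a stateful variant that accepts established traffic first. The "flows" set is a simplified stand-in for RouterOS connection tracking, the allowed range is the OP's /24 alternative, and the RouterOS rules in the comments are the ones each rule list represents.

```python
from ipaddress import ip_address, ip_network

ALLOWED_NET = ip_network("10.12.11.0/24")

def dst_matches(rule, pkt):
    """Mirror a RouterOS dst-address=[!]NET match for one packet."""
    hit = ip_address(pkt["dst"]) in rule["dst"]
    return hit != rule.get("invert", False)

def run_chain(rules, packets):
    """Check every packet against the same rule list, in order, and return the
    verdicts; a packet whose flow was already accepted counts as 'established'."""
    flows, verdicts = set(), []
    for pkt in packets:
        key = frozenset((pkt["src"], pkt["dst"]))
        state = "established" if key in flows else "new"
        verdict = "accept"  # no rule matched: packet passes (no default drop)
        for rule in rules:
            if "state" in rule and state != rule["state"]:
                continue
            if "dst" in rule and not dst_matches(rule, pkt):
                continue
            verdict = rule["action"]
            break
        if verdict == "accept":
            flows.add(key)
        verdicts.append(verdict)
    return verdicts

# OP's second attempt (one rule, no state check):
#   /ip firewall filter add chain=forward action=reject dst-address=!10.12.11.0/24
STATELESS = [
    {"dst": ALLOWED_NET, "invert": True, "action": "reject"},
]
# Stateful variant Sob points at: let reply traffic through first.
#   /ip firewall filter add chain=forward action=accept connection-state=established,related
#   /ip firewall filter add chain=forward action=reject dst-address=!10.12.11.0/24
STATEFUL = [
    {"state": "established", "action": "accept"},
    {"dst": ALLOWED_NET, "invert": True, "action": "reject"},
]

# Constructed traffic: echo request to an allowed server, its reply, and a
# probe to the Internet. Note the reply's destination is the 10.1.1.x client.
PING = [
    {"src": "10.1.1.11", "dst": "10.12.11.210"},
    {"src": "10.12.11.210", "dst": "10.1.1.11"},
    {"src": "10.1.1.11", "dst": "8.8.8.8"},
]
```

With the stateless list the reply is rejected (the timeout the OP saw), while the stateful list accepts the request and its reply and still rejects 8.8.8.8.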
