S1RIUS
just joined
Topic Author
Posts: 7
Joined: Wed Oct 26, 2022 3:57 pm

Firewall seems inactive

Wed Oct 26, 2022 4:05 pm

Hi,
I'm quite new to MikroTik but I've used a lot of other brands before.
As of today I'm using a CR2004-16G-2S+ running RouterOS 7.6, no bridge interfaces created, only my WAN on SFP2 (interface list: WAN) and my network on SFP1 (interface list: LAN), masquerade on WAN.
Everything works well (6-7 Gbit/s to WAN), but the firewall seems to be inactive for some reason.

I have just created two or three simple rules to try it out, but it seems that it is not kicking in.

/ip firewall address-list print
Columns: LIST, ADDRESS, CREATION-TIME
# LIST ADDRESS CREATION-TIME
0 MYLAN 172.16.0.0/16 oct/26/2022 14:24:21

/ip firewall filter print
Flags: X - disabled, I - invalid; D - dynamic
0 chain=input action=drop connection-state="" connection-nat-state="" protocol=icmp src-address=172.16.0.0/16 dst-address=1.1.1.1 in-interface-list=LAN log=no log-prefix=""
1 chain=input action=drop connection-state=invalid,established,related,new,untracked protocol=tcp src-address-list=MYLAN in-interface-list=LAN src-port=53 dst-port=53 log=yes log-prefix=""
2 chain=input action=drop connection-state=invalid,established,related,new,untracked protocol=udp src-address-list=MYLAN in-interface-list=LAN src-port=53 dst-port=53 log=yes log-prefix=""

I can still ping 1.1.1.1 and dig @8.8.8.8 whateverdomain.tld

I tried with a full IP address, with CIDR, address and source list, etc... I don't get it :?

Thanks for helping,
 
smyers119
Member Candidate
Posts: 232
Joined: Sat Feb 27, 2021 8:16 pm
Location: USA

Re: Firewall seems inactive

Thu Oct 27, 2022 3:05 am

Your source port is never going to be 53 when you're doing a DNS lookup, therefore it makes sense those two bottom rules did not work. And for the first rule, the input chain would not be consulted for traffic going through the router.
 
smyers119
Member Candidate
Posts: 232
Joined: Sat Feb 27, 2021 8:16 pm
Location: USA

Re: Firewall seems inactive

Thu Oct 27, 2022 3:06 am

See this thread for helpful firewall learning links from me and @anav.
 
S1RIUS
just joined
Topic Author
Posts: 7
Joined: Wed Oct 26, 2022 3:57 pm

Re: Firewall seems inactive

Thu Oct 27, 2022 7:35 pm

Your source port is never going to be 53 when you're doing a DNS lookup, therefore it makes sense those two bottom rules did not work. And for the first rule, the input chain would not be consulted for traffic going through the router.
Hi,

Thanks for your answer. I'll read those links, but for the DNS rules I'm pretty sure I tested without src-port at first, and then since it was not working I added it just to try it out.

For the first one, how is it not going through the router? It's outside the network, so it goes through the gateway (172.16.1.254, which is my SFP+1 interface on the MikroTik router).
My WAN is on SFP+2 with my public IP (routes are working).
Edit: Oh OK, I should use "forward". MikroTik's INPUT looks like "Local" on other brands.

Also, I don't know why, but I don't have any default rules like it is stated in the MikroTik help/docs (https://help.mikrotik.com/docs/display/ ... t+Firewall) or videos on YT (like this one https://youtu.be/hMj80ZIVBQs?t=406). It's just empty (from the CLI and WebFig). I run Debian and I'm not using WinBox.
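The two mistakes discussed in this thread, the wrong chain and the src-port=53 match, shown as an added RouterOS example with the posted rules rewritten so they actually match. This is not code from the original posts; it reuses the LAN/WAN interface lists and the MYLAN address list from the first post, and the comments, log prefixes and the extra input-chain rule are assumptions for illustration.

```routeros
# Added example, not from the thread. Assumes interface lists LAN/WAN and the
# address list MYLAN (172.16.0.0/16) exactly as in the original post.

# Why the posted rules never matched:
#  - chain=input only sees packets addressed to the router's own IP addresses.
#    A LAN host pinging 1.1.1.1 is routed THROUGH the router, so that packet
#    traverses chain=forward and input is never consulted.
#  - src-port=53 requires the client's source port to be 53. A resolver sends
#    queries from an ephemeral source port; only dst-port=53 identifies a
#    DNS query.

/ip firewall filter
# Block LAN hosts from pinging 1.1.1.1 (transit traffic -> forward chain)
add chain=forward action=drop protocol=icmp src-address-list=MYLAN \
    dst-address=1.1.1.1 in-interface-list=LAN \
    comment="drop ICMP from LAN to 1.1.1.1"

# Block LAN hosts from reaching any external DNS server (forward chain, dst-port only)
add chain=forward action=drop protocol=udp src-address-list=MYLAN \
    dst-port=53 in-interface-list=LAN log=yes log-prefix="dns-drop" \
    comment="drop outbound DNS (UDP) from LAN"
add chain=forward action=drop protocol=tcp src-address-list=MYLAN \
    dst-port=53 in-interface-list=LAN log=yes log-prefix="dns-drop" \
    comment="drop outbound DNS (TCP) from LAN"

# Only traffic aimed at the router itself belongs in chain=input, e.g. a query
# to the router's own resolver on 172.16.1.254 (assumed rule, for contrast):
add chain=input action=drop protocol=udp src-address-list=MYLAN \
    dst-port=53 in-interface-list=LAN \
    comment="drop DNS queries to the router's own resolver"
```

To confirm that a rule is actually being hit, watch its packet counters with `/ip firewall filter print stats` while repeating the ping or dig from the LAN; a rule whose counters stay at zero is not matching, regardless of what the client observes. Keep in mind that if a `fasttrack-connection` rule (part of the default configuration the last post says is missing) sits above these drops, established flows bypass the filter after their first packets, so place drop rules before it.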
