 
Techsystem
Member, Topic Author
Posts: 337
Joined: Tue Dec 21, 2021 5:12 am

open the output traffic for a specific port

Wed Dec 21, 2022 6:40 pm

Hello my friends!
Sorry if this sounds like a silly question.
If I want to open port 8070 for outgoing traffic through my firewall rules, what is the best rule for that, and where do I have to insert it?
These are my firewall rules:
/ip firewall filter
add action=accept chain=input comment="allow WireGuard" dst-port=13231,47112 protocol=udp
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=accept chain=input comment=Wireguard dst-port=47111 protocol=udp
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment="defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=drop chain=input comment="defconf: drop all not coming from LAN" in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related disabled=yes hw-offload=yes
add action=accept chain=forward comment="defconf: accept established,related, untracked" connection-state=established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
add action=drop chain=forward comment="defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat connection-state=new in-interface-list=WAN
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" out-interface-list=WAN
add action=dst-nat chain=dstnat dst-address=192.168.2.2 dst-port=34567 protocol=tcp to-addresses=192.168.1.10 to-ports=34567
add action=dst-nat chain=dstnat dst-address=192.168.2.2 dst-port=554 protocol=tcp to-addresses=192.168.1.244 to-ports=554
 
rextended
Forum Guru
Posts: 12001
Joined: Tue Feb 25, 2014 12:49 pm
Location: Italy

Re: open the output traffic for a specific port

Wed Dec 21, 2022 8:13 pm

Probably you have written the wrong question.
It's like asking how to open 443 HTTPS on output...
On output, "all" is already open...
 
anav
Forum Guru
Posts: 19318
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: open the output traffic for a specific port

Wed Dec 21, 2022 8:39 pm

You're asking us, basically, "is my solution of allowing only port 8070 for outbound traffic the answer?", but we don't know the real question.

It's not clear whether you want all traffic heading to the internet to be able to use port 8070, OR
whether you really want to block any incoming traffic that is using port 8070, OR
whether you want to block users' LAN-to-LAN traffic on port 8070, OR
etc.

Thus the requirement is not clear, there is no use case analysis, and one must understand how the firewall rules work prior to implementing any schema.

Do you really need three WireGuard tunnels???
Last edited by anav on Thu Dec 22, 2022 4:17 am, edited 1 time in total.
 
Techsystem
Member, Topic Author
Posts: 337
Joined: Tue Dec 21, 2021 5:12 am

Re: open the output traffic for a specific port

Thu Dec 22, 2022 4:15 am

> You're asking us, basically, "is my solution of allowing only port 8070 for outbound traffic the answer?", but we don't know the real question.
>
> It's not clear whether you want all traffic heading to the internet to be able to use port 8070, OR
> whether you really want to block any incoming traffic that is using port 8070, OR
> whether you want to block users' LAN-to-LAN traffic on port 8070, OR
> etc.
>
> Thus the requirement is not clear, there is no use case analysis, and one must understand how the firewall rules work prior to implementing any schema.
>
> Do you really need three WireGuard tunnels???
So, why am I asking this question?
I have an intrusion alarm system in my office (Satel) connected to the internet through an Ethernet module, to push alarm notifications to me through a mobile app.
This Ethernet module already has an IP address from my MT router and uses port 8070 to connect to the intrusion company's server to keep the connection up, but I always have a problem
with this connection: I always receive a "disconnected from server" message, so I want to create a firewall rule to accept the incoming and outgoing traffic to it.
 
anav
Forum Guru
Posts: 19318
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: open the output traffic for a specific port

Thu Dec 22, 2022 4:21 am

Well, there is nothing we can help with in terms of outbound traffic.
Unless you have a rule blocking LAN to WAN, the module will be allowed out to the internet, so no problem there.

In addition, any return traffic for a connection that originated behind the router and went out to the internet would be allowed back through the router to the originator, in this case the module.
Thus the responses thus far basically say that the router already allows that traffic, and therefore we do not understand the issue.

In both cases the only problem I see is that maybe the ISP is blocking ports.

+++++++++++++++++++++++++++++++++++++++++++++++++++

If, however, there is traffic that originates on the internet and has to reach the module, then you need port forwarding for that traffic to reach the module.
 
Techsystem
Member, Topic Author
Posts: 337
Joined: Tue Dec 21, 2021 5:12 am

Re: open the output traffic for a specific port

Thu Dec 22, 2022 11:52 am

> Well, there is nothing we can help with in terms of outbound traffic.
> Unless you have a rule blocking LAN to WAN, the module will be allowed out to the internet, so no problem there.
>
> In addition, any return traffic for a connection that originated behind the router and went out to the internet would be allowed back through the router to the originator, in this case the module.
> Thus the responses thus far basically say that the router already allows that traffic, and therefore we do not understand the issue.
>
> In both cases the only problem I see is that maybe the ISP is blocking ports.
>
> +++++++++++++++++++++++++++++++++++++++++++++++++++
>
> If, however, there is traffic that originates on the internet and has to reach the module, then you need port forwarding for that traffic to reach the module.
So if I want to make a rule to open a connection to a specific DNS name like "cntctbx.satel.pl", what do I have to add in this case?
 
rextended
Forum Guru
Posts: 12001
Joined: Tue Feb 25, 2014 12:49 pm
Location: Italy

Re: open the output traffic for a specific port

Thu Dec 22, 2022 12:14 pm

You can leave the door open, but if the connection goes on timeout because there's no packet exchange between the alarm and the cloud, the connection is closed.
The alarm must implement keepalive for the connection.
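A worked RouterOS example, added here and not posted by anyone in the thread, covering both Techsystem's question about a rule for the DNS name "cntctbx.satel.pl" and rextended's timeout point. On the default configuration shown above the LAN-to-WAN traffic is already permitted (anav's point), so the accept rule below does not change what is allowed; its value is the log line it produces for every new connection attempt, plus the connection-tracking view that shows whether the session is still tracked and how much idle time it has left. The LAN address 192.168.1.50 is a placeholder for the Satel Ethernet module; the server name and port 8070 come from the thread. The domain-name address-list entry relies on the router's own DNS client being able to resolve it.

```routeros
# Added example, not from the thread or from MikroTik documentation.
# Placeholders: 192.168.1.50 = LAN address of the Satel Ethernet module.

# RouterOS resolves a domain name placed in an address-list entry and keeps
# the resulting addresses refreshed according to the DNS TTL, so the firewall
# rule can match the host name instead of a fixed IP.
/ip firewall address-list
add list=satel-cloud address=cntctbx.satel.pl comment="Satel cloud (resolved by DNS)"

# Accept and log NEW outbound sessions from the module to the cloud on TCP/8070.
# Placed before "defconf: drop all from WAN not DSTNATed" so it sits with the
# other forward-chain rules; on the default config it only adds visibility.
/ip firewall filter
add chain=forward action=accept connection-state=new \
    src-address=192.168.1.50 dst-address-list=satel-cloud \
    protocol=tcp dst-port=8070 out-interface-list=WAN \
    log=yes log-prefix="satel-out" \
    comment="allow+log alarm module to Satel cloud" \
    place-before=[find comment="defconf: drop all from WAN not DSTNATed"]

# Check that the name actually resolved (the dynamic entries appear here).
/ip firewall address-list print where list=satel-cloud

# Each new connection attempt that reaches the router shows up as a log line;
# no lines at all means the module is not even trying, or a LAN-side problem.
/log print where message~"satel-out"

# Router-side view of rextended's timeout point: the tracked session and the
# "timeout" column, i.e. the idle time left before the router forgets the flow.
# If the session disappears while the module still believes it is connected,
# something is dropping idle traffic and the module needs a keepalive.
/ip firewall connection print where src-address~"192.168.1.50:" dst-address~":8070"

# The idle timers the router applies to tracked sessions (tcp-established-timeout
# defaults to 1 day); raising them only helps if the router is the component
# expiring the flow, not if the cloud side or the ISP is.
/ip firewall connection tracking print
```

If the log rule shows attempts but the session still drops, the problem is not the filter rules of this router, which matches what anav and rextended say above. A destination-NAT rule of the kind already present in the thread's `/ip firewall nat` section is only needed if the cloud service must initiate connections toward the module, which Techsystem's description does not suggest.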
 
anav
Forum Guru
Posts: 19318
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: open the output traffic for a specific port

Thu Dec 22, 2022 2:51 pm

> So if I want to make a rule to open a connection to a specific DNS name like "cntctbx.satel.pl", what do I have to add in this case?

Why are you making us chase different things... if you don't explain the context or requirements clearly, this becomes a fruitless exercise...
We are not dentists pulling teeth to see which one is rotten LOL
