Johnster001
newbie
Topic Author
Posts: 48
Joined: Fri Jan 11, 2019 5:02 pm

Very high traffic on Firewall "Drop all traffic not from Lan" rule

Tue Mar 21, 2023 1:26 am

I recently had issues with a firmware upgrade to my home router, a hAP ac^2 (R1). After the second attempt I discovered my DHCP reservations were almost gone, and the next day I discovered the firewall list was empty, not even the "dummy" counter remained. This has prompted me to get my secondary router up and running, an RBG750r3 (R2). Because I had to re-create the firewall on the hAP, I was a little more focused on creating the new one, and to that end I followed the Mikrotik doc on creating an advanced firewall https://help.mikrotik.com/docs/display/ ... d+Firewall. I have followed that guide to the letter, only changing the entries and lists to match my particular environment (LAN IP addresses etc.). I finally got that up and running today and had it running side-by-side with R1, which has only a basic firewall. I was monitoring the firewalls to see what the differences in traffic look like and right off the bat, one thing stood out: the new router has what I would consider a ton of traffic (20-30 p/s) that was being caught and dropped by the 3rd rule of:
/ip firewall filter
add action=accept chain=input comment="defconf: accept ICMP after RAW" protocol=icmp
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=input comment="defconf: drop all not coming from LAN" in-interface-list=!LAN
Whereas R1 only had the occasional hit (0-3 p/s intermittently).
My R1 firewall config up to that rule is:
/ip firewall filter
add action=accept chain=input comment="defconf: accept established,related" \
connection-state=established,related
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment="PPTP VPN Incoming" disabled=yes \
dst-port=1723 log=yes log-prefix=PPTP-VPN protocol=tcp
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
in-interface-list=!LAN

On both routers my LAN interface list contains only the ethernet port that is connected to my LAN and the bridge interface.

Can anyone see why R2 would see so much more traffic on that rule than R1? Both are connected directly to my modem and both have an IP directly from my ISP.

Sorry for the long-windedness of the post, but I'm trying to include all pertinent information. At this point I'm pretty sure my R2 firewall is sound, but I'm wondering if there's something in my R1 config that's missing these packets. I'm happy to post the entire firewall config of both routers if that helps.

Thanks for any insight anyone can provide.
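An added illustration, not code from this thread, from MikroTik or from RouterOS itself: a small first-match simulator over the two input-chain rule sets quoted above, run on constructed packets, showing that rule order alone decides which rule's counter a packet lands on (R1 drops invalid-state packets before its !LAN rule, the quoted R2 filter chain does not). It assumes connection state and LAN-list membership are already known per packet and does not model anything handled before the filter table, such as the RAW rules that the "accept ICMP after RAW" comment implies, so it illustrates counting, not the cause of the difference on the real routers.

```python
from collections import Counter

# Input-chain rule sets as quoted in the thread (filter table only; the RAW
# rules implied by the "accept ICMP after RAW" comment are not modelled here).
R2_INPUT = [
    {"comment": "defconf: accept ICMP after RAW", "action": "accept", "protocol": "icmp"},
    {"comment": "defconf: accept established,related,untracked", "action": "accept",
     "connection-state": {"established", "related", "untracked"}},
    {"comment": "defconf: drop all not coming from LAN", "action": "drop",
     "in-interface-list": "!LAN"},
]
R1_INPUT = [
    {"comment": "defconf: accept established,related", "action": "accept",
     "connection-state": {"established", "related"}},
    {"comment": "defconf: drop invalid", "action": "drop", "connection-state": {"invalid"}},
    {"comment": "defconf: accept ICMP", "action": "accept", "protocol": "icmp"},
    {"comment": "defconf: drop all not coming from LAN", "action": "drop",
     "in-interface-list": "!LAN"},
]

def matches(rule, pkt):
    """True when every matcher present on the rule applies to the packet."""
    if "protocol" in rule and pkt["protocol"] != rule["protocol"]:
        return False
    if "connection-state" in rule and pkt["state"] not in rule["connection-state"]:
        return False
    if "in-interface-list" in rule:
        negated = rule["in-interface-list"].startswith("!")
        if pkt["in_lan"] == negated:  # LAN packet vs "!LAN", or WAN packet vs "LAN"
            return False
    return True

def run_chain(rules, packets):
    """First-match evaluation: each packet increments exactly one rule's
    counter, or none if it falls off the end of the chain."""
    hits = Counter()
    for pkt in packets:
        for rule in rules:
            if matches(rule, pkt):
                hits[rule["comment"]] += 1
                break
    return hits

# Constructed sample (not a real capture): unsolicited WAN packets in several
# tracked states, one packet of an existing connection, and some LAN traffic.
SAMPLE_PACKETS = (
    [{"protocol": "tcp", "state": "new", "in_lan": False}] * 5
    + [{"protocol": "tcp", "state": "invalid", "in_lan": False}] * 3
    + [{"protocol": "icmp", "state": "new", "in_lan": False}] * 2
    + [{"protocol": "tcp", "state": "established", "in_lan": False}]
    + [{"protocol": "udp", "state": "new", "in_lan": True}] * 2
)

if __name__ == "__main__":
    for name, rules in (("R2", R2_INPUT), ("R1", R1_INPUT)):
        print(name, dict(run_chain(rules, SAMPLE_PACKETS)))
```

On the same constructed traffic the "drop all not coming from LAN" counter reads 8 on the R2 ordering but 5 on the R1 ordering, with the other 3 packets showing up under R1's "drop invalid" instead.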
 
anav
Forum Guru
Posts: 18958
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Very high traffic on Firewall "Drop all traffic not from Lan" rule

Tue Mar 21, 2023 1:56 am

Because there is tons of traffic on the WWW always hitting routers, nothing unusual.
You are simply in effect logging it now by showing what is dropped.

For a starting firewall this is ideal...........
/ip firewall filter
{Input Chain}
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input in-interface-list=LAN
add action=drop chain=input comment="drop all else" *****
{forward chain}
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related
add action=accept chain=forward comment="defconf: accept established,related, untracked" connection-state=established,related,untracked
add action=accept chain=forward comment="allow internet traffic" in-interface-list=LAN out-interface-list=WAN
add action=accept chain=forward comment="allow port forwarding" connection-nat-state=dstnat
add action=drop chain=forward comment="drop all else"
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" out-interface-list=WAN



Don't add any more noise to the firewall other than to ensure allowed traffic is permitted, like to a shared printer between vlans for example.
 
Johnster001
newbie
Topic Author
Posts: 48
Joined: Fri Jan 11, 2019 5:02 pm

Re: Very high traffic on Firewall "Drop all traffic not from Lan" rule

Tue Mar 21, 2023 7:00 pm

Thanks for the response. I did enable logging on the R1 rule, then sat there and watched the log file scroll. There was definitely 10-20x more traffic on that rule on the R2 box. I've unplugged it for now, but I plan on revisiting this later in the week, if I see any different behaviour I'll post here.

I can say that there is definitely much more to the new firewall on R2, so now I'm wondering if just the basic firewall in the Mikrotik docs or what you have posted would be enough. I'm not doing anything special with these boxes, it's just for a home setup, but I admit I'm having fun playing with this stuff. Thanks for the advice.
 
anav
Forum Guru
Posts: 18958
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Very high traffic on Firewall "Drop all traffic not from Lan" rule

Wed Mar 22, 2023 3:28 am

I have 3 layers of firewalls in the user article, viewtopic.php?t=180838

NOVICE --> raw beginner newbie
NOVICE + MODIFIED --> Beginner with some experience
APPRENTICE --> Beginner with confidence/knowledge/understanding

Nothing else is really required.............
PS Don't forget to read paras 3-9.
 
Johnster001
newbie
Topic Author
Posts: 48
Joined: Fri Jan 11, 2019 5:02 pm

Re: Very high traffic on Firewall "Drop all traffic not from Lan" rule

Tue Mar 28, 2023 3:05 pm

I have 3 layers of firewalls in the user article, viewtopic.php?t=180838

NOVICE --> raw beginner newbie
NOVICE + MODIFIED --> Beginner with some experience
APPRENTICE --> Beginner with confidence/knowledge/understanding

Nothing else is really required.............
PS Don't forget to read paras 3-9.

Read this through from start to finish, very helpful. Thanks!
 
anav
Forum Guru
Posts: 18958
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Very high traffic on Firewall "Drop all traffic not from Lan" rule

Tue Mar 28, 2023 4:11 pm

Updated it last night, so some changes.
