Dear forum members!
I am a bit lost and I'd like to ask for your help.
So I've been using Mikrotik for years now - happily.
I have a few deployed remote devices (wAP LTE and wAP R LTE kits, some with mANT LTE). They work great.
A few days ago I remembered to update my IPs in the firewall Address List.
My basic rules looked like this:
- IF the IP is in address list, protocol is TCP, ACCEPT.
- IF the IP is NOT in address list AND it's a TCP connection AND the port is between 1-9999 then DROP.
The port range is because I have services that people use above that range. I just wanted to safeguard the Mikrotik services, basically.
And it worked well!
But oh boy, was I trying to be smart.
So I changed the rules...
I added a new rule as #2, right after the default fast track one.
#2 IF the SRC IP is mine, ACCEPT (protocol not specified)
#3 IF the SRC IP is in Address List, ACCEPT (protocol not specified)
#4 IF the SRC IP is not in Address List, DROP (protocol not specified) -> this was not even correct because it breaks the remote too
To me, this looks super safe. Because if my IP is coming in, I am good.
And the rules are accepted in sequential order.
However!
At first, the firewall screen showed an increase of packets on this new #2 rule. Hallelujah, I said.
I even started doing my other stuff, just to MAKE SURE it works perfectly.
But oh boy, the Mikrotik devil doesn't sleep.
After doing this to a bunch of devices to better safeguard them, they started kicking me out. Oh no.
And this is where I am. I managed to restore a few because I have computers on them and the remote desktop allowed me to access the router from LAN.
But the rest? They are inaccessible. I can't SSH into them, I can't Winbox them, nothing.
Question A:
Could you explain why my firewall rule is wrong?
Because I plan on putting back the TCP and also limiting the port range.
But I'd like to know where I went wrong with my rule.
Question B:
Do you have any ideas how I could somehow bypass this situation? Any crazy, wild idea?
(I tried to access + nmap from both my static IP and my address list IP machines.)
Maybe there is some UDP service? Maybe... maybe something? I don't know.
Thank you.
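An added example from the editor, not part of the post above and not the poster's configuration: an input-chain rule set in RouterOS script that keeps the poster's original idea (admin hosts accepted, TCP ports 1-9999 dropped for everyone else) while accepting established sessions and the LAN side before any drop rule. The list name `admins`, the two addresses, the `LAN` interface list (present in the default configuration) and the management ports are assumptions.

```routeros
# Added example, not the poster's rules. Addresses, list name and ports
# are assumptions chosen to mirror the post.
/ip firewall address-list
add list=admins address=203.0.113.10 comment="static admin IP (assumed)"
add list=admins address=198.51.100.25 comment="second admin host (assumed)"

/ip firewall filter
# Replies to connections the router itself started, and packets of sessions
# already accepted, are allowed first. A plain "drop everything not in the
# list" placed before this also cuts the router's own sessions.
add chain=input connection-state=established,related action=accept \
    comment="keep existing sessions"
add chain=input connection-state=invalid action=drop comment="drop invalid"
# Hosts on the remote site's own LAN (DNS, DHCP, Winbox from a local PC)
# must be accepted before any drop rule, or the remote site loses them too.
add chain=input in-interface-list=LAN action=accept comment="trust LAN side"
# Admin hosts from the Internet: only the management services they need.
add chain=input src-address-list=admins protocol=tcp dst-port=22,8291 \
    action=accept comment="admin SSH/Winbox"
# The poster's original safeguard: drop the low TCP range for everyone else,
# leaving the public services above 9999 untouched. This rule is last, so
# every accept above it wins.
add chain=input protocol=tcp dst-port=1-9999 action=drop \
    comment="block low ports from non-admins"
```

Two checks before applying anything like this on a remote device: enter Safe Mode first (the Safe Mode button in Winbox, Ctrl+X in the terminal), because RouterOS reverts the uncommitted changes if the session drops; and confirm the chain of each rule, since the fasttrack rule of the default configuration sits in the forward chain, which only affects traffic passing through the router, while rules that protect Winbox and SSH on the router itself belong in the input chain. For a device that is already locked out, a host plugged into its LAN port can still reach it with Winbox by MAC address (MAC Winbox works at Layer 2 and is not subject to /ip firewall filter, provided the MAC server is allowed on that interface); failing that, the reset button and Netinstall remain.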