Commodore
just joined
Topic Author
Posts: 12
Joined: Sun Jan 13, 2008 11:06 am

Help with 2 ISPs

Thu Aug 14, 2008 3:11 pm

Hello,
please help me with a configuration with two Internet providers.
I want to restrict access from both providers.
While I was with only one supplier, it was easier with "chain=input action=accept in-interface=!ether1",
but now, even when I added the same rule for the other provider, there's no effect.
I tried "chain=input action=accept in-interface=ether2" for all the networks that I want to have access, but the SSH rules began to go crazy.

These are my filters:
Flags: X - disabled, I - invalid, D - dynamic
 0   ;;; Drop invalid connections
     chain=input action=drop connection-state=invalid

 1   ;;; Allow established connections
     chain=input action=accept connection-state=established

 2   ;;; Allow related connections
     chain=input action=accept connection-state=related

 3 X ;;; Allow UDP
     chain=input action=accept protocol=udp

 4   ;;; Allow ICMP
     chain=input action=accept protocol=icmp

 5 X ;;; Allow connection to router from local network
     chain=input action=accept in-interface=ether2

 6 X ;;; Allow connection to router from local network
     chain=input action=accept in-interface=pptp-in_name

 7 X ;;; Allow connection to router from local network
     chain=input action=accept in-interface=!ether1

 8   ;;; Allow connection to router from local network
     chain=input action=accept in-interface=!pppoe-out_isp

 9   ;;; dropping port scanners
     chain=input action=drop src-address-list=port_scanners

10   ;;; Port scanners to list
     chain=input action=add-src-to-address-list psd=21,3s,3,1 address-list=port_scanners address-list-timeout=2w protocol=tcp

11   ;;; NMAP FIN Stealth scan
     chain=input action=add-src-to-address-list tcp-flags=fin,!syn,!rst,!psh,!ack,!urg address-list=port_scanners address-list-timeout=2w protocol=tcp

12   ;;; SYN/FIN scan
     chain=input action=add-src-to-address-list tcp-flags=fin,syn address-list=port_scanners address-list-timeout=2w protocol=tcp

13   ;;; SYN/RST scan
     chain=input action=add-src-to-address-list tcp-flags=syn,rst address-list=port_scanners address-list-timeout=2w protocol=tcp

14   ;;; FIN/PSH/URG scan
     chain=input action=add-src-to-address-list tcp-flags=fin,psh,urg,!syn,!rst,!ack address-list=port_scanners address-list-timeout=2w protocol=tcp

15   ;;; ALL/ALL scan
     chain=input action=add-src-to-address-list tcp-flags=fin,syn,rst,psh,ack,urg address-list=port_scanners address-list-timeout=2w protocol=tcp

16   ;;; NMAP NULL scan
     chain=input action=add-src-to-address-list tcp-flags=!fin,!syn,!rst,!psh,!ack,!urg address-list=port_scanners address-list-timeout=2w protocol=tcp

17   ;;; Drop SSH brute forcers
     chain=input action=drop src-address-list=ssh_blacklist dst-port=22 protocol=tcp

18   chain=input action=add-src-to-address-list connection-state=new src-address-list=ssh_stage3 address-list=ssh_blacklist address-list-timeout=4w2d
     dst-port=22 protocol=tcp

19   chain=input action=add-src-to-address-list connection-state=new src-address-list=ssh_stage2 address-list=ssh_stage3 address-list-timeout=1m dst-port=2>
     protocol=tcp

20   chain=input action=add-src-to-address-list connection-state=new src-address-list=ssh_stage1 address-list=ssh_stage2 address-list-timeout=1m dst-port=2>
     protocol=tcp

21   chain=input action=add-src-to-address-list connection-state=new address-list=ssh_stage1 address-list-timeout=1m dst-port=22 protocol=tcp

22   ;;; Drop FTP brute forcers
     chain=input action=drop src-address-list=ssh_blacklist dst-port=21 protocol=tcp

23   chain=input action=add-src-to-address-list connection-state=new src-address-list=ssh_stage3 address-list=ssh_blacklist address-list-timeout=4w2d
     dst-port=21 protocol=tcp

24   chain=input action=add-src-to-address-list connection-state=new src-address-list=ssh_stage2 address-list=ssh_stage3 address-list-timeout=1m dst-port=2>
     protocol=tcp

25   chain=input action=add-src-to-address-list connection-state=new src-address-list=ssh_stage1 address-list=ssh_stage2 address-list-timeout=1m dst-port=2>
     protocol=tcp

26   chain=input action=add-src-to-address-list connection-state=new address-list=ssh_stage1 address-list-timeout=1m dst-port=21 protocol=tcp

27   ;;; Worm Protection
     chain=input action=drop dst-port=135,137,138,139,445 protocol=tcp

28   chain=input action=drop dst-port=135,137,138,139,445 protocol=udp

29   chain=forward action=drop dst-port=135,137,138,139,445 protocol=tcp

30   chain=forward action=drop dst-port=135,137,138,139,445 protocol=udp

31   ;;; Drop Blacklist
     chain=input action=drop src-address-list=ssh_blacklist

32   ;;; Allow SSH to router
     chain=input action=accept dst-port=22 protocol=tcp

33 I ;;; Allow HTTPS to router
     chain=input action=accept in-interface=ether1 dst-port=443 protocol=tcp

34 X ;;; Allow HTTP to router
     chain=input action=accept in-interface=ether1 dst-port=80 protocol=tcp

35 X ;;; Allow FTP to router
     chain=input action=accept in-interface=ether1 dst-port=21 protocol=tcp

36   ;;; Allow TCP 81 to router
     chain=input action=accept dst-port=81 protocol=tcp

37 X ;;; Allow OpenVPN
     chain=input action=accept in-interface=ether1 dst-port=1194 protocol=tcp

38 X chain=input action=accept in-interface=ether1 dst-port=1194 protocol=udp

39 I ;;; Allow PPTP
     chain=input action=accept in-interface=ether1 dst-port=1723 protocol=tcp

40 X chain=input action=accept in-interface=ether1 dst-port=1723 protocol=udp

41 X ;;; Allow Dude to router
     chain=input action=accept in-interface=ether1 dst-port=2211 protocol=tcp

42 I ;;; Allow DNS request
     chain=input action=accept in-interface=ether1 dst-port=53 protocol=udp

43   ;;; Drop everything else
     chain=input action=drop

44 I chain=forward action=jump jump-target=customer in-interface=ether1

45   ;;; Drop unwanted sites
     chain=forward action=drop src-address-list=blocked dst-address-list=block dst-port=80 protocol=tcp

46 X ;;; limit access for some users
     chain=forward action=drop src-address=192.168.0.1-192.168.0.10 dst-port=!80 protocol=tcp

47   ;;; Drop invalid connection packets
     chain=customer action=drop connection-state=invalid

48   ;;; Allow established connections
     chain=customer action=accept connection-state=established

49   ;;; Allow related connections
     chain=customer action=accept connection-state=related

50   ;;; Log dropped connections
     chain=customer action=log log-prefix="customer_drop"

51 I ;;; Allow TCP 80 for forward
     chain=customer action=accept in-interface=ether1 dst-port=80 protocol=tcp

52 I ;;; Allow TCP 21 for forward
     chain=customer action=accept in-interface=ether1 dst-port=21 protocol=tcp

53 I ;;; Allow TCP 901 for forward
     chain=customer action=accept in-interface=ether1 dst-port=901 protocol=tcp

54 I ;;; Allow UDP 27015 for forward
     chain=customer action=accept in-interface=ether1 dst-port=27015 protocol=udp

55 X ;;; Allow TCP 25 for forward
     chain=customer action=accept dst-port=995 protocol=tcp

56   ;;; Drop and log everything else
     chain=customer action=drop
Thanks.
Last edited by Commodore on Thu Aug 14, 2008 4:44 pm, edited 1 time in total.
 
tgrand
Long time Member
Posts: 671
Joined: Mon Aug 21, 2006 2:57 am
Location: Winnipeg, Manitoba, Canada

Re: Help with 2 ISPs

Thu Aug 14, 2008 3:19 pm

Try using a drop rule instead of an accept.
Drop connections to the router coming in from ether1, and add another rule for the interface connecting to the other provider.

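The reason the negated accepts stop working with two uplinks is visible in the listing above: rule 8, `in-interface=!pppoe-out_isp`, accepts every input packet that did not arrive on the PPPoE interface, which includes everything arriving from ether1; a second accept with `in-interface=!ether1` would in turn accept everything from the PPPoE side. With two WAN interfaces, a "not this interface" match always fits traffic from the other one, so the pair accepts the whole Internet. A drop per WAN interface, placed after the established/related accepts and after any service you deliberately expose, avoids that. The fragment below is an added example illustrating the drop-based layout suggested in the reply; it is not from the original thread. It assumes the interface names from the poster's rules (ether1 and pppoe-out_isp as the two uplinks, ether2 as the LAN), and PPTP is used only as a stand-in for whichever service is meant to stay reachable from outside.

```routeros
# Added example (not from the original post). Assumed names: ether1 = ISP 1,
# pppoe-out_isp = ISP 2, ether2 = LAN, taken from the poster's own rule listing.
/ip firewall filter
add chain=input action=drop connection-state=invalid comment="Drop invalid connections"
add chain=input action=accept connection-state=established comment="Allow established connections"
add chain=input action=accept connection-state=related comment="Allow related connections"
# Services that must stay reachable from the Internet go here, before the WAN drops.
# Match the concrete uplink interface rather than a negation.
add chain=input action=accept in-interface=ether1 dst-port=1723 protocol=tcp comment="Allow PPTP via ISP 1"
add chain=input action=accept in-interface=pppoe-out_isp dst-port=1723 protocol=tcp comment="Allow PPTP via ISP 2"
# One drop per WAN interface. A packet cannot be "not ISP 1" and "not ISP 2" at the
# same time, so two negated accepts would have let everything through.
add chain=input action=drop in-interface=ether1 comment="Drop other input from ISP 1"
add chain=input action=drop in-interface=pppoe-out_isp comment="Drop other input from ISP 2"
# Anything still in the chain arrived from the LAN (or a tunnel you add here).
add chain=input action=accept in-interface=ether2 comment="Allow LAN to router"
add chain=input action=drop comment="Drop everything else"
```

Two checks before relying on this. First, the listing header defines the `I` flag as "invalid": rules 33, 39, 42, 44 and 51 to 54 all carry it and all reference `in-interface=ether1`, and an invalid rule matches nothing, so confirm the uplink names with `/interface print` and use the names RouterOS actually reports. Second, the interface-specific drops must come after the `established`/`related` accepts, otherwise reply traffic for connections the router itself opened (DNS, PPPoE keepalives, updates) is dropped too.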