jamthejame
Frequent Visitor
Topic Author
Posts: 65
Joined: Mon Jan 15, 2018 12:12 pm

Firewall Sequence - Rules not executed orderly

Sun May 27, 2018 5:00 pm

My dilemma is that I have an RB3011 and on ether5 I want to put a network which is to be used for a specific few IPs:
/ip firewall filter
add action=accept chain=forward comment="FORWARD Chain - Packets towards Mikrotik itself (Established,Related)" connection-state=established,related
add action=accept chain=forward comment="Permit DNS requests from clients over TCP" dst-port=53 in-interface=ether5 protocol=tcp
add action=accept chain=forward comment="Approved Demo_Farm" dst-address-list=Demo_Farm dst-port=15000-15100,50000-50200 in-interface=ether5 out-interface=Ovpn protocol=tcp src-address-list=permitted-local-sources
add action=accept chain=forward comment="Approved HTTP" dst-address-list=permitted-http-destinations-address dst-port=80 in-interface=ether5 out-interface=Ovpn protocol=tcp src-address-list=permitted-local-sources
add action=accept chain=forward comment="Approved HTTPS" dst-address-list=permitted-https-destinations-address dst-port=443 in-interface=ether5 out-interface=Ovpn protocol=tcp src-address-list=permitted-local-sources
add action=drop chain=forward comment="Drop anything attempting to pass through Demo_Farm LAN that doesn't match the rules above" in-interface=ether5 out-interface=Ovpn

/ip firewall address-list
add address=72.XXX.XXX.152 comment="Demo#1" list=permitted-http-destinations-address
add address=79.XXX.XXX.28 comment=Demo2 list=permitted-https-destinations-address
add address=192.XXX.XXX.15 comment="Local Permitted IP Address" list=permitted-local-sources
add address=XXX.XXX.156.1-XXX.XXX.156.255 list=Demo_Farm
add address=XXX.XXX.148.1-XXX.XXX.148.255 list=Demo_Farm

However, when testing, everything gets dropped. When I disable "Drop anything attempting to pass through Demo_Farm LAN that doesn't match the rules above", traffic passes, so the address-list IPs, which are before the drop rule, are not being processed. Does anyone know why something like that would happen?
 
Sob
Forum Guru
Posts: 9188
Joined: Mon Apr 20, 2009 9:11 pm

Re: Firewall Sequence - Rules not executed orderly

Sun May 27, 2018 5:15 pm

I don't believe that everything gets dropped.

Requests from ether5 to tcp/53 are allowed and must pass. Except you probably want udp, because that's what clients use for DNS.

Other rules are also clear and anything from 192.XXX.XXX.15 (current permitted-local-sources list) to defined combinations of destination addresses and ports must pass too.

Add logging to your drop rule and then check addresses and ports of logged dropped packets, something there won't match the previous accept rules.
 
sindy
Forum Guru
Posts: 11362
Joined: Mon Dec 04, 2017 9:19 pm

Re: Firewall Sequence - Rules not executed orderly

Sun May 27, 2018 5:27 pm

Maybe you have just copy-pasted other rules and added in-interface=ether5 without removing src-address-list=permitted-local-sources, and these conditions never match simultaneously? The reason I think this is that the drop rule checks only in-interface and out-interface, and it still stops the traffic if enabled. So if the traffic were not actually coming from ether5 or leaving via Ovpn, the drop rule would not match it; so the reason why it does not match any of the previous rules must be in some other condition, and the src-address-list is the most likely one given the history.
 
jamthejame
Frequent Visitor
Topic Author
Posts: 65
Joined: Mon Jan 15, 2018 12:12 pm

Re: Firewall Sequence - Rules not executed orderly

Sun May 27, 2018 5:39 pm

So I just triple-checked the permitted-local-sources and its IP, which is a match, and also the same with the other IPs. The odd thing is that if I disable the drop rule, I see packets processed in the other rules.

If I had mistaken the IPs and the dst-list or src-list, those rules would show 0 packets transferred next to them.

Frankly, I'm lost as to where else to look for the issue right now...
 
jamthejame
Frequent Visitor
Topic Author
Posts: 65
Joined: Mon Jan 15, 2018 12:12 pm

Re: Firewall Sequence - Rules not executed orderly

Sun May 27, 2018 5:50 pm

Found the issue. I had a Layer7 rule, and within the set there was a word which was being matched against one of the platforms, thus blocking the connection way before the mentioned rule set.
 
sindy
Forum Guru
Posts: 11362
Joined: Mon Dec 04, 2017 9:19 pm

Re: Firewall Sequence - Rules not executed orderly  [SOLVED]

Sun May 27, 2018 5:54 pm

> Found the issue. I had a Layer7 rule, and within the set there was a word which was being matched against one of the platforms, thus blocking the connection way before the mentioned rule set.

That was my question, whether you had posted all the rules in /ip firewall filter chain=forward or only those you considered relevant.
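The whole thread turns on one property of a RouterOS filter chain: rules are evaluated top to bottom and the first matching rule decides, so a rule that is not in the excerpt you are staring at (here, a Layer7 drop placed earlier in the chain) can shadow every accept below it. The script below is an added example, not code from the thread or from MikroTik: it parses export-style `add ...` lines into rules, evaluates a packet against them in order exactly as the router would, and reports which condition of each rule fails, which is what Sob's "log on the drop rule" and sindy's "what does the drop rule match that the accepts don't" reasoning do by hand. Everything in it is constructed: the addresses are documentation ranges standing in for the poster's masked ones, the Layer7 regex `demo` and the list name `blocked-sites` are invented, and Layer7 matching is simplified to a regex over a single packet's payload (the real matcher inspects the first packets of a connection in both directions).

```python
"""First-match simulation of a RouterOS /ip firewall filter forward chain (added example)."""
import ipaddress
import re
import shlex

# Constructed address lists (RFC 5737 documentation ranges in place of the masked ones).
ADDRESS_LISTS = {
    "permitted-http-destinations-address": ["203.0.113.152"],
    "permitted-https-destinations-address": ["203.0.113.28"],
    "permitted-local-sources": ["192.0.2.15"],
    "Demo_Farm": ["198.51.100.1-198.51.100.255", "198.51.101.1-198.51.101.255"],
}

# Constructed Layer7 definition; the poster's real regex is not on the page.
LAYER7 = {"blocked-sites": re.compile(r"demo", re.I)}

# Constructed chain: the posted rules, with a Layer7 drop placed ahead of them
# as the thread's resolution describes (comments shortened).
RULES_TEXT = """
add action=drop chain=forward comment="Block listed sites" layer7-protocol=blocked-sites
add action=accept chain=forward comment="Established,Related" connection-state=established,related
add action=accept chain=forward comment="Permit DNS over TCP" dst-port=53 in-interface=ether5 protocol=tcp
add action=accept chain=forward comment="Approved Demo_Farm" dst-address-list=Demo_Farm dst-port=15000-15100,50000-50200 in-interface=ether5 out-interface=Ovpn protocol=tcp src-address-list=permitted-local-sources
add action=accept chain=forward comment="Approved HTTP" dst-address-list=permitted-http-destinations-address dst-port=80 in-interface=ether5 out-interface=Ovpn protocol=tcp src-address-list=permitted-local-sources
add action=accept chain=forward comment="Approved HTTPS" dst-address-list=permitted-https-destinations-address dst-port=443 in-interface=ether5 out-interface=Ovpn protocol=tcp src-address-list=permitted-local-sources
add action=drop chain=forward comment="Drop the rest" in-interface=ether5 out-interface=Ovpn
"""


def parse_rules(text):
    """Turn export-style 'add key=value ...' lines into {property: value} dicts, in order."""
    rules = []
    for line in text.strip().splitlines():
        tokens = shlex.split(line)          # shlex keeps quoted comments as one token
        if tokens[0] != "add":
            continue
        rules.append(dict(tok.split("=", 1) for tok in tokens[1:]))
    return rules


def in_address_list(ip, name):
    """Address-list entries may be a single address, a CIDR, or a 'lo-hi' range."""
    ip = ipaddress.ip_address(ip)
    for entry in ADDRESS_LISTS.get(name, []):
        if "-" in entry:
            lo, hi = (ipaddress.ip_address(p) for p in entry.split("-"))
            if lo <= ip <= hi:
                return True
        elif ip in ipaddress.ip_network(entry, strict=False):
            return True
    return False


def port_matches(port, spec):
    """dst-port accepts comma-separated ports and 'lo-hi' ranges."""
    for part in spec.split(","):
        lo, _, hi = part.partition("-")
        if int(lo) <= port <= int(hi or lo):
            return True
    return False


# One matcher per rule property; properties without a matcher (action, comment) are ignored.
MATCHERS = {
    "chain": lambda p, v: p["chain"] == v,
    "in-interface": lambda p, v: p.get("in") == v,
    "out-interface": lambda p, v: p.get("out") == v,
    "protocol": lambda p, v: p["proto"] == v,
    "dst-port": lambda p, v: port_matches(p["dport"], v),
    "src-address-list": lambda p, v: in_address_list(p["src"], v),
    "dst-address-list": lambda p, v: in_address_list(p["dst"], v),
    "connection-state": lambda p, v: p.get("state", "new") in v.split(","),
    # Simplification: regex over this packet's payload only.
    "layer7-protocol": lambda p, v: bool(LAYER7[v].search(p.get("payload", ""))),
}


def failed_conditions(rule, pkt):
    """Return the rule properties this packet does not satisfy (empty list = rule matches)."""
    return [k for k, v in rule.items() if k in MATCHERS and not MATCHERS[k](pkt, v)]


def first_match(rules, pkt):
    """RouterOS semantics: the first matching rule decides; no match means implicit accept."""
    for i, rule in enumerate(rules):
        if not failed_conditions(rule, pkt):
            return i, rule["action"], rule.get("comment", "")
    return None, "accept", "(end of chain)"


if __name__ == "__main__":
    rules = parse_rules(RULES_TEXT)
    http = {"chain": "forward", "in": "ether5", "out": "Ovpn", "proto": "tcp",
            "src": "192.0.2.15", "dst": "203.0.113.152", "dport": 80,
            "payload": "GET / HTTP/1.1\r\nHost: demo.example\r\n"}
    print("full chain:      ", first_match(rules, http))       # hits the Layer7 drop first
    print("without L7 rule: ", first_match(rules[1:], http))   # reaches "Approved HTTP"
    for i, r in enumerate(rules):
        print(i, r["action"], r.get("comment"), "fails:", failed_conditions(r, http))
```

On the router itself the equivalent checks are `/ip firewall filter print` to see every rule in the chain in order rather than the ones you remember adding, `/ip firewall filter print stats` to see which rule's counters move, `/ip firewall layer7-protocol print` to review the regexes, and `log=yes log-prefix=...` on the drop rule so the logged packet's addresses and ports can be compared against each accept rule's conditions, as suggested earlier in the thread.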
 
jamthejame
Frequent Visitor
Topic Author
Posts: 65
Joined: Mon Jan 15, 2018 12:12 pm

Re: Firewall Sequence - Rules not executed orderly

Sun May 27, 2018 6:06 pm

This RB3011 has 8 different networks where every single one is configured very differently... I decided not to confuse people, and to obfuscate everything would have taken me hours. So yeah... thank you for pointing me to the other rules. I went through them so many times that it made me blind to the very small things.

Also, Sob, thank you for pointing out DNS, that also had to be added.