I am using RouterOS 7.11.2
I need to perform multiple actions AFTER an ACCEPT rule is matched.
For example:
/ip firewall filter add chain=input protocol=tcp dst-port=1234 src-address=10.0.90.10 action=accept
/ip firewall filter add chain=input protocol=tcp dst-port=1234 src-address=10.0.90.10 action=add-src-to-address-list address-list=test_list
The problem in the above example is that if the first rule is matched and the packet is accepted, the following rule not evaluated.
I remember in RouterOS 6, there use to be a passthrough=yes parameter that allows the following rule to be evaluated.
I tried jumping to a user defined chain, but the same issue still there.
Can someone help please?
Thanks
Re: How to run a second action after ACCEPT in RouterOS 7
Passthrough is in mangle rules. In filter rules, first match wins.
If you reversed the order (e.g. accept last), your problem be solved.
If you have more complex rules, you can create a new chain, and then use a "jump" to that chain. Or redesign your rules so that assume accept and have "drop" with filter on the unwanted traffic.
If you reversed the order (e.g. accept last), your problem be solved.
If you have more complex rules, you can create a new chain, and then use a "jump" to that chain. Or redesign your rules so that assume accept and have "drop" with filter on the unwanted traffic.
Re: How to run a second action after ACCEPT in RouterOS 7
Hi,
Traffic is falling into the first rule it founds.
You may even have an "established, related" - rule on top of this all for Fasttrack-Connection.
After the initial "accept" it might fall into "established" and got bypassed / fasttracked.
If not, the first statement still fits and it only will fall into the first of the rules.
I would try to fill Address-lists with "mangle-rules" -> https://wiki.mikrotik.com/wiki/Manual:I ... all/Mangle
This should be the recommended way.
Best,
Martin
*edit*: Amm0 was faster with the answer
Traffic is falling into the first rule it founds.
You may even have an "established, related" - rule on top of this all for Fasttrack-Connection.
After the initial "accept" it might fall into "established" and got bypassed / fasttracked.
If not, the first statement still fits and it only will fall into the first of the rules.
I would try to fill Address-lists with "mangle-rules" -> https://wiki.mikrotik.com/wiki/Manual:I ... all/Mangle
This should be the recommended way.
Best,
Martin
*edit*: Amm0 was faster with the answer
Last edited by Filo on Tue Oct 10, 2023 5:44 pm, edited 1 time in total.
Re: How to run a second action after ACCEPT in RouterOS 7
That's a good point: if it's already established, an accept may not help.Traffic is falling into the first rule it founds.
You may even have an "established, related" - rule on top of this all for Fasstrack-Connection.
[...]
*edit*: Amm0 was faster with the answer
Re: How to run a second action after ACCEPT in RouterOS 7
Thanks all for your replies,
You all are correct, the first matching ACCEPT or DROP rule preempts the chain.
Your hint of using the mangle rules helped, this is how I solved the problem:
The idea is to limit a telnet client to connect to the router not faster than one connection per minute.
So, The mangle prerouting rule marks the incoming connection like this:
/ip firewall mangle add action=mark-connection chain=prerouting connection-state=new dst-port=23 log=yes new-connection-mark=\
port23 passthrough=yes protocol=tcp src-address=10.0.90.10
Then the packet will go through an INPUT filter rule that will DROP all packets coming from nodes in the list, but since this connection is not yet added to the list , it will not drop it:
/ip firewall filter add action=drop chain=input connection-state=new dst-port=23 log=yes log-prefix="Drop telnet:" protocol=tcp \
src-address-list=test
Then as the telnet server of the router reply to the client, an OUTPUT filter rule will be triggered to add the destination address to the list and set timeout for one minute:
/ip firewall filter add action=add-dst-to-address-list address-list=test address-list-timeout=1m chain=output connection-mark=\
port23 connection-state=""
I am sure there is a better way to achieve such functionality, since the routerOS is so amazing, so your suggestions are highly appreciated.
Thanks
You all are correct, the first matching ACCEPT or DROP rule preempts the chain.
Your hint of using the mangle rules helped, this is how I solved the problem:
The idea is to limit a telnet client to connect to the router not faster than one connection per minute.
So, The mangle prerouting rule marks the incoming connection like this:
/ip firewall mangle add action=mark-connection chain=prerouting connection-state=new dst-port=23 log=yes new-connection-mark=\
port23 passthrough=yes protocol=tcp src-address=10.0.90.10
Then the packet will go through an INPUT filter rule that will DROP all packets coming from nodes in the list, but since this connection is not yet added to the list , it will not drop it:
/ip firewall filter add action=drop chain=input connection-state=new dst-port=23 log=yes log-prefix="Drop telnet:" protocol=tcp \
src-address-list=test
Then as the telnet server of the router reply to the client, an OUTPUT filter rule will be triggered to add the destination address to the list and set timeout for one minute:
/ip firewall filter add action=add-dst-to-address-list address-list=test address-list-timeout=1m chain=output connection-mark=\
port23 connection-state=""
I am sure there is a better way to achieve such functionality, since the routerOS is so amazing, so your suggestions are highly appreciated.
Thanks
Re: How to run a second action after ACCEPT in RouterOS 7
Awesome.
It's cool to see what other people are struggeling with and how they find a solution using MikroTik-Devices
Thanks for sharing.
Regards
It's cool to see what other people are struggeling with and how they find a solution using MikroTik-Devices
Thanks for sharing.
Regards
Who is online
Users browsing this forum: g0didit and 35 guests