HoracioDos
just joined
Topic Author
Posts: 20
Joined: Mon Jan 06, 2025 1:05 pm

Blocking admin services - Firewall rules

Tue Jan 28, 2025 8:46 pm

Hello.
I am experiencing a situation where my router is being continuously flooded with external attempts to connect to admin services. My logs are completely full of entries like this, occurring every second:
Block-Admin input: in:ether1-isp out:(unknown 0), connection-state:new src-mac 28:52:61:f0:d8:19, proto TCP (SYN), 186.233.113.120:11628->201.212.96.246:443, len 60
Currently, I have only 2 admin services available from my LAN segment and none from WAN. I would like to know whether it is a good practice or not to add this firewall rule
add action=drop chain=input comment="Block Admin from WAN" disabled=no dst-port=21,22,23,80,443,8291,8728,8729 in-interface-list=WAN log=yes log-prefix=Block-Admin \
protocol=tcp
Thanks in advance
 
anav
Forum Guru
Posts: 22426
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Blocking admin services - Firewall rules

Tue Jan 28, 2025 8:54 pm

/export file=anynameyouwish ( minus router serial number, any public WANIP information, keys etc. )
 
mkx
Forum Guru
Posts: 13302
Joined: Thu Mar 03, 2016 10:23 pm

Re: Blocking admin services - Firewall rules

Tue Jan 28, 2025 9:01 pm

While waiting for config: generally it's good practice (required actually) to drop everything except bare minimum of allowed services (e.g. wireguard/IPsec tunnels from whitelisted remote addresses). And it's normal not to log dropped attempts ... because those log entries don't give any information or value at all.
 
lurker888
Frequent Visitor
Posts: 83
Joined: Thu Mar 02, 2023 12:33 am

Re: Blocking admin services - Firewall rules

Tue Jan 28, 2025 9:30 pm

Concurring with mkx.

Routers/devices connected to the internet with a publicly routable IP often get hundreds or thousands of such scanning/probing traffic. There's really no way around this.

It's the correct thing to block these attempts. Usually these are not logged - they really don't add anything of value. (Turning on debugging temporarily for verifying that they work correctly is of course good practice.)

I also concur with mkx that generally firewalls should be configured to
1. allow some specific traffic (the bare minimum - so if you need some sort of VPN access, well there's really not much you can do about allowing connections to that specific port... whitelists can be used where applicable) This means to *not* single out specific things to block, but single out specifically what you want to allow. This should be a way shorter list and way easier to produce and maintain.
2. drop everything else

If you only want to apply these rules to external traffic, a qualifier such as in-interface-list=WAN can be used. (Based on default configuration.)
 
HoracioDos
just joined
Topic Author
Posts: 20
Joined: Mon Jan 06, 2025 1:05 pm

Re: Blocking admin services - Firewall rules

Tue Jan 28, 2025 10:04 pm

Thanks for the quick response.
I've trimmed the config file a bit and also changed the IP segments, but everything makes sense.
Thanks again
Last edited by HoracioDos on Fri Jan 31, 2025 8:26 pm, edited 1 time in total.
 
panisk0
Member Candidate
Posts: 109
Joined: Sun Mar 06, 2016 10:36 pm
Location: Cracow

Re: Blocking admin services - Firewall rules

Tue Jan 28, 2025 10:26 pm

Why are you logging this? This is normal traffic on the Internet.
/ip firewall filter
add action=drop chain=input comment="Block Admin from WAN" dst-port=\
    21,22,23,80,443,8291,8728,8729 in-interface-list=WAN log-prefix=\
    Block-Admin protocol=tcp

Add a jump for WAN to the top of the firewall and cut everything there:
add action=jump chain=input comment="Input_WAN" in-interface-list=WAN jump-target=Input_WAN
add action=accept chain=Input_WAN protocol=icmp
add action=accept chain=Input_WAN connection-state=established,related
add action=drop chain=Input_WAN
 
TheCat12
Long time Member
Posts: 520
Joined: Fri Dec 31, 2021 9:13 pm

Re: Blocking admin services - Firewall rules

Tue Jan 28, 2025 10:39 pm

Or better yet, just use the default firewall rule "Drop all not coming from LAN" as the last of the chain:
/ip firewall filter
add action=drop chain=input in-interface-list=!LAN
 
lurker888
Frequent Visitor
Posts: 83
Joined: Thu Mar 02, 2023 12:33 am

Re: Blocking admin services - Firewall rules

Tue Jan 28, 2025 11:02 pm

Not trying to be abrasive, but your firewall rules are kind of a mess. It's very typical of what newcomers produce on their first try, so if you're willing to learn, you'll get there. Just keep up trying/learning/reading. Just be careful: there are *lots* of "tutorials" on youtube and other places that are of *very* bad quality.

Group your chains! Only a specific chain is executed for a packet (at a time) so separating and intermixing rules doesn't hinder the router from doing its job, but it makes it much harder for us, anyone or even yourself to understand exactly what's going on.

A good start for an input firewall ruleset is the following:

1. drop connection state invalid
2. accept connection state established/related
3. accept all traffic with in-interface lo (loopback traffic)
4. accept all icmp
5. accept external connections that you want to enable - in your case udp 13231 for wireguard
*** This was the global part. From now on we do local traffic filtering.
6. accept udp 7 from LAN (this is echo service udp - you may not want or need this)
7. accept tcp 7 from LAN (this is the echo service tcp - you may not want or need this)
8. accept udp 53 from LAN (dns udp)
9. accept tcp 53 from LAN (dns tcp)
10. accept tcp 22 from LAN (ssh config)
11. accept tcp 80 from LAN (webfig config)
12. accept tcp 8291 from LAN (winbox config)
*** And now we drop *everything* that we didn't allow
13. drop (everything, unconditionally) - you might want to have this rule disabled when you set it, and then enable it using safe mode, so you don't get locked out of your router

Of course you might (should, probably) want to adjust these according to what exactly you want/need. For example it's generally a good idea to disable webfig, if you don't use it to configure your router. If you need additional things allowed, those have to be added as well.

Also, it's very good practice to add some short but descriptive comment for all your rules, so you can come in later and see at a glance what everything does.

A note about the echo service on port 7. Some programs and apps - especially on smartphones - like to use this to detect network access. It's mostly harmless to allow it and may help them provide a more consistent interface. All things that I have seen work without it too :-) So it's basically a preference.

EDIT: It seems Mikrotiks don't support the echo protocol at all. Wouldn't have thought.
Last edited by lurker888 on Wed Jan 29, 2025 1:48 am, edited 1 time in total.
 
HoracioDos
just joined
Topic Author
Posts: 20
Joined: Mon Jan 06, 2025 1:05 pm

Re: Blocking admin services - Firewall rules

Wed Jan 29, 2025 12:11 am

Not trying to be abrasive, but your firewall rules are kind of a mess. It's very typical of what newcomers produce on their first try, so if you're willing to learn, you'll get there. Just keep up trying/learning/reading. Just be careful: there are *lots* of "tutorials" on youtube and other places that are of *very* bad quality.
Not taken! I'm here to learn. All filter rules commented as 'defconf' (0 to 10) belong to the router's default config and I kept them in the exact same order. I only added rules 11 to 18. In the case of NAT rules, rule 0 belongs to the default config and I added the rest. I didn't change the order of them when I exported all the config, but in both pictures you can see the current order of them.
 
lurker888
Frequent Visitor
Posts: 83
Joined: Thu Mar 02, 2023 12:33 am

Re: Blocking admin services - Firewall rules

Wed Jan 29, 2025 1:08 am

First, regarding the ordering of rules. It's best to keep the rules grouped by chains. It makes things clearer. The order of rules *within* a chain matters, between different chains it doesn't.

The default firewall basically gives you what you would get in most consumer routers. The difference is that here you can customize them as much as you want.

While the default rules are written well, they are not the best in terms of being used as starting point for customization. I'm specifically not the biggest fan of the approach presented in them to do many things in one rule. I like separate/clear rules. Also they use a fall through approach to handling LAN traffic, which I'm also not a big fan of.

I think the rules I gave are a better point for further customization, but - as always - preferences may vary. As with many things in Linux, the firewall gives you a lot of options to do things as you like. But this also gives you a lot of rope to hang yourself with. It's the admin's job to ensure a consistent/correct set of rules, which is easiest done by maintaining a consistent approach to writing them.

All in all: My usual suggestion for someone who wants to customize their firewall is to just scrap the default and start from the beginning with whatever approach they most prefer, instead of patching the default around.
 
HoracioDos
just joined
Topic Author
Posts: 20
Joined: Mon Jan 06, 2025 1:05 pm

Re: Blocking admin services - Firewall rules

Wed Jan 29, 2025 1:29 am

Thank you for your detailed response. I have carefully read your recommendations and I think I understand your point of view. I will wait for other people's opinions to finally decide which path I will take.
I really appreciate the time you have dedicated to responding. Very grateful! I equally appreciate those who have responded previously!
 
anav
Forum Guru
Posts: 22426
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Blocking admin services - Firewall rules

Wed Jan 29, 2025 4:46 am

Nobody asked for just part of your config..........geez
So guess what, I have to make up shit ..........that's fun

Version1-vlans
.........
/interface bridge
# change vlan-filtering to yes as the last step
add name=bridge-lan protocol-mode=none vlan-filtering=no
/interface vlan
add interface=bridge-lan name=iot44  vlan-id=44
add interface=bridge-lan name=main33  vlan-id=33
/interface wireguard
add listen-port=13231 mtu=1420 name=wireguard1
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
add name=TRUSTED
/ip pool
add name=main_pool ranges=192.168.33.10-192.168.33.96
add  name=iot_pool ranges=192.168.44.2-192.168.44.32
/interface bridge port
add bridge=bridge-lan ingress-filtering=yes frame-types=admit-only-priority-and-untagged interface=ether2 pvid=33
add bridge=bridge-lan ingress-filtering=yes frame-types=admit-only-priority-and-untagged interface=ether3 pvid=33
add bridge=bridge-lan ingress-filtering=yes frame-types=admit-only-priority-and-untagged interface=ether4 pvid=44
add bridge=bridge-lan ingress-filtering=yes frame-types=admit-only-priority-and-untagged interface=ether5 pvid=44
/ip neighbor discovery-settings
set discover-interface-list=TRUSTED
/interface bridge vlan
add bridge=bridge-lan tagged=bridge-lan untagged=ether2,ether3  vlan-id=33
add bridge=bridge-lan tagged=bridge-lan untagged=ether4,ether5  vlan-id=44
/interface list member
add interface=ether1 list=WAN
add  interface=main33 list=LAN
add interface=iot44 list=LAN
add interface=wireguard1 list=LAN
add interface=main33 list=TRUSTED
add interface=wireguard1 list=TRUSTED
/interface wireguard peers
# one host (/32) per peer; a /24 on both peers would overlap
add allowed-address=192.168.55.2/32 interface=wireguard1 public-key="----" comment="admin laptop"
add allowed-address=192.168.55.3/32 interface=wireguard1 public-key="++++" comment="admin smartphone"
/ip dhcp-client
add comment=defconf interface=ether1 default-route=yes
/ip dhcp-server
add address-pool=main_pool always-broadcast=yes comment=dhcp-server-lan \
    interface=main33  lease-time=5m name=dhcp-server-main
add address-pool=iot_pool always-broadcast=yes comment=dhcp-server-lan \
    interface=iot44 lease-time=5m name=dhcp-server-iot
/ip dhcp-server network
add address=192.168.33.0/24 dns-server=192.168.33.1 gateway=192.168.33.1 
add address=192.168.44.0/24 dns-server=192.168.44.1 gateway=192.168.44.1 
/ip dns
# change it back to DoH once everything else is working; will use better dstnat rules too
set allow-remote-requests=yes servers=9.9.9.9
/ip address
add address=192.168.33.1/24 interface=main33 network=192.168.33.0
add address=192.168.44.1/24 interface=iot44 network=192.168.44.0
add address=192.168.55.1/24 interface=wireguard1 network=192.168.55.0
/ip firewall address-list
add address=192.168.33.XY  list=Authorized  comment="admin local device #1"
add address=192.168.33.AB  list=Authorized  comment="admin local device #2"
add address=192.168.33.GH  list=Authorized  comment="admin local device #3"
add address=192.168.55.2  list=Authorized  comment="remote admin laptop"
add address=192.168.55.3  list=Authorized  comment="remote admin smartphone"
/ip firewall filter
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment=\
    "defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=accept chain=input comment="admin access"  in-interface-list=TRUSTED src-address-list=Authorized
add action=accept chain=input comment="users to services"  in-interface-list=LAN dst-port=53 protocol=udp
add action=accept chain=input comment="users to services"  in-interface-list=LAN dst-port=53 protocol=tcp
# insert this rule last
add action=drop chain=input comment="Drop all else"
++++++++++
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
    ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
    ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
    connection-state=established,related hw-offload=yes
add action=accept chain=forward comment=\
    "defconf: accept established,related, untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
add action=accept chain=forward comment="internet traffic"  in-interface-list=LAN out-interface-list=WAN
add action=accept chain=forward comment="trusted to iot"  in-interface-list=TRUSTED dst-address=192.168.44.0/24
add action=accept chain=forward comment="wg to main"  in-interface=wireguard1 dst-address=192.168.33.0/24
add action=accept chain=forward comment="port forwarding"  connection-nat-state=dstnat
add action=drop chain=forward comment="Drop all else"
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" \
    ipsec-policy=out,none out-interface-list=WAN
/ip ipsec profile
set [ find default=yes ] dpd-interval=2m dpd-maximum-failures=5
/ip service
set telnet disabled=yes
set ftp disabled=yes
set www disabled=yes
set ssh address=192.168.33.0/24
set api disabled=yes
set winbox address=192.168.33.0/24,192.168.55.0/24
set api-ssl disabled=yes
/tool mac-server
set allowed-interface-list=none
/tool mac-server mac-winbox
set allowed-interface-list=TRUSTED
.....

Version2 - Bridge for main, port for iot
............
/interface bridge
add name=bridge-lan protocol-mode=none
/interface wireguard
add listen-port=13231 mtu=1420 name=wireguard1
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
add name=TRUSTED
/ip pool
add name=main_pool ranges=192.168.33.10-192.168.33.96
add  name=iot_pool ranges=192.168.44.2-192.168.44.32
/interface bridge port
add bridge=bridge-lan  interface=ether2 
add bridge=bridge-lan  interface=ether3 
add bridge=bridge-lan  interface=ether4 
/ip neighbor discovery-settings
set discover-interface-list=TRUSTED
/interface list member
add interface=ether1 list=WAN
add  interface=bridge-lan list=LAN
add interface=ether5 list=LAN
add interface=wireguard1 list=LAN
add interface=bridge-lan list=TRUSTED
add interface=wireguard1 list=TRUSTED
/interface wireguard peers
# one host (/32) per peer; a /24 on both peers would overlap
add allowed-address=192.168.55.2/32 interface=wireguard1 public-key="----" comment="admin laptop"
add allowed-address=192.168.55.3/32 interface=wireguard1 public-key="++++" comment="admin smartphone"
/ip dhcp-client
add comment=defconf interface=ether1 default-route=yes
/ip dhcp-server
add address-pool=main_pool always-broadcast=yes comment=dhcp-server-lan \
    interface=bridge-lan  lease-time=5m name=dhcp-server-main
add address-pool=iot_pool always-broadcast=yes comment=dhcp-server-lan \
    interface=ether5 lease-time=5m name=dhcp-server-iot
/ip dhcp-server network
add address=192.168.33.0/24 dns-server=192.168.33.1 gateway=192.168.33.1 
add address=192.168.44.0/24 dns-server=192.168.44.1 gateway=192.168.44.1 
/ip dns
# change it back to DoH once everything else is working; will use better dstnat rules too
set allow-remote-requests=yes servers=9.9.9.9
/ip address
add address=192.168.33.1/24 interface=bridge-lan network=192.168.33.0
add address=192.168.44.1/24 interface=ether5  network=192.168.44.0
add address=192.168.55.1/24 interface=wireguard1 network=192.168.55.0
/ip firewall address-list
add address=192.168.33.XY  list=Authorized  comment="admin local device #1"
add address=192.168.33.AB  list=Authorized  comment="admin local device #2"
add address=192.168.33.GH  list=Authorized  comment="admin local device #3"
add address=192.168.55.2  list=Authorized  comment="remote admin laptop"
add address=192.168.55.3  list=Authorized  comment="remote admin smartphone"
/ip firewall filter
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment=\
    "defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=accept chain=input comment="admin access"  in-interface-list=TRUSTED src-address-list=Authorized
add action=accept chain=input comment="users to services"  in-interface-list=LAN dst-port=53 protocol=udp
add action=accept chain=input comment="users to services"  in-interface-list=LAN dst-port=53 protocol=tcp
# insert this rule last
add action=drop chain=input comment="Drop all else"
++++++++++
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
    ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
    ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
    connection-state=established,related hw-offload=yes
add action=accept chain=forward comment=\
    "defconf: accept established,related, untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
add action=accept chain=forward comment="internet traffic"  in-interface-list=LAN out-interface-list=WAN
add action=accept chain=forward comment="trusted to iot"  in-interface-list=TRUSTED dst-address=192.168.44.0/24
add action=accept chain=forward comment="wg to main"  in-interface=wireguard1 dst-address=192.168.33.0/24
add action=accept chain=forward comment="port forwarding"  connection-nat-state=dstnat
add action=drop chain=forward comment="Drop all else"
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" \
    ipsec-policy=out,none out-interface-list=WAN
/ip ipsec profile
set [ find default=yes ] dpd-interval=2m dpd-maximum-failures=5
/ip service
set telnet disabled=yes
set ftp disabled=yes
set www disabled=yes
set ssh address=192.168.33.0/24
set api disabled=yes
set winbox address=192.168.33.0/24,192.168.55.0/24
set api-ssl disabled=yes
/tool mac-server
set allowed-interface-list=none
/tool mac-server mac-winbox
set allowed-interface-list=TRUSTED
 
HoracioDos
just joined
Topic Author
Posts: 20
Joined: Mon Jan 06, 2025 1:05 pm

Re: Blocking admin services - Firewall rules

Wed Jan 29, 2025 12:14 pm

Nobody asked for just part of your config..........geez
So guess what, I have to make up shit ..........that's fun
Hi Anav,
I truly appreciate the help, but put yourself in my position. I'm caught between accepting help from people offering their knowledge selflessly and exposing my entire router configuration in an internet forum. The choice isn't easy.
Frankly, I would have preferred to read, 'hey, give me the full config, there are well-intentioned people here.' If this bothers you, you're free to decide whether to help or not, and I'm free to accept help while limiting the information I share.
 
HoracioDos
just joined
Topic Author
Posts: 20
Joined: Mon Jan 06, 2025 1:05 pm

Re: Blocking admin services - Firewall rules

Wed Jan 29, 2025 12:33 pm

I'll try to upload the full config today but I will change all IP segments and individual IP addresses for each device
 
User avatar
mkx
Forum Guru
Forum Guru
Posts: 13302
Joined: Thu Mar 03, 2016 10:23 pm

Re: Blocking admin services - Firewall rules

Wed Jan 29, 2025 6:20 pm

It's perfectly fine to obfuscate sensitive parts of the config ... if that's done in a consistent manner .... e.g. replace the actual IP address with, say, X.Y.Z.W ... as long as all occurrences of the same IP address are replaced by the same string of characters. And if you have different IPs, obfuscate them with different strings of characters but keep some consistency (e.g. if the second IP address is from the same /24 IP subnet, then write it as X.Y.Z.a).

But don't get paranoid; unless you're running some kind of ISP, obfuscating private IP addresses won't add much to security. I'm fine telling everybody that my management IP subnet is 192.168.99.0/24 and the subnet for the PV inverter is 192.168.44.0/24 (so I have room for another 252 inverters :wink:).
 
HoracioDos
just joined
Topic Author
Posts: 20
Joined: Mon Jan 06, 2025 1:05 pm

Re: Blocking admin services - Firewall rules

Fri Jan 31, 2025 8:36 pm

Hello. I finally had time to upload the config file.
I'm still migrating some devices from my old LAN to the new main LAN segment, and this week I replaced a dumb switch with a managed one. Now I can start defining VLANs for the Guest WiFi network, the IoT LAN segment, and some other stuff.
Thanks!
 
Jotne
Forum Guru
Posts: 3357
Joined: Sat Dec 24, 2016 11:17 am
Location: Magrathean

Re: Blocking admin services - Firewall rules

Fri Feb 07, 2025 10:26 pm

You are only blocking some ports on the outside with this rule, not all:
add action=drop chain=input comment="Block Admin from WAN" dst-port=21,22,23,80,443,8291,8728,8729 in-interface-list=WAN
Where is 53, which should be blocked?

Better rule:
/ip firewall filter
add action=drop chain=input comment="Drop all other WAN traffic" in-interface-list=WAN
Then open what you need to open.


The rule add action=accept chain=input comment="Allow Wireguard port" dst-port=13231 protocol=udp allows anyone on the internet to connect.
I would use port knocking so WireGuard only works after a knock, but that may not be possible for all situations.

The masquerade rule src-address=192.168.55.0/29 for WireGuard does not specify an out-interface, meaning it could be applied in unintended situations.
 
anav
Forum Guru
Posts: 22426
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Blocking admin services - Firewall rules

Fri Feb 07, 2025 11:28 pm

First jotne took your config too seriously, and that is the I LOVE TO DRINK WINE bit........
Clearly sauced as this rule is completely legit, please ignore advice given:
add action=accept chain=input comment="Allow Wireguard port" dst-port=13231 \
protocol=udp


What can be said is your rules are all over the place. You have to realize that to troubleshoot and read rules it's important they be grouped in the same chain for starters.
Order within a chain is also important and logical.

Secondly, your config is hosed. You cannot have two DHCP servers on the same interface;
as you should have noted, you can use multiple bridges (not recommended) or multiple VLANs (recommended).
 
Jotne
Forum Guru
Posts: 3357
Joined: Sat Dec 24, 2016 11:17 am
Location: Magrathean

Re: Blocking admin services - Firewall rules

Fri Feb 07, 2025 11:53 pm

🍷🍷🍷🍷🍷 Its Friday :)
 
rextended
Forum Guru
Posts: 12693
Joined: Tue Feb 25, 2014 12:49 pm
Location: Italy

Re: Blocking admin services - Firewall rules

Sat Feb 08, 2025 10:07 am

Only the services that you would like to have open should be open, all others blocked. That you need to block 53 tells me that your fw is wrongly set up.
@Jotne Mikrotik default filters are active


I don't believe it.
And even if it did, you probably changed something else that made it not work.

The firewall and the NAT are full of useless rules, and the default drop-all-at-the-end is deleted...
<put wireguard rule here>
add chain=input action=drop in-interface-list=!LAN comment="defconf: drop all not coming from LAN"

All useless, if the previous rule is in place:
add action=drop chain=forward comment="Block traffic from WAN to LAN" in-interface-list=WAN out-interface-list=LAN
add action=drop chain=input comment="Block Admin from WAN" dst-port=21,22,23,80,443,8291,8728,8729 in-interface-list=WAN log-prefix=Block-Admin protocol=tcp
add action=accept chain=input comment="Allow Admin from LAN" dst-port=22,8291 in-interface-list=LAN log-prefix=admin-LAN protocol=tcp

must be put before the missing rule
add action=accept chain=input comment="Allow Wireguard port" dst-port=13231 protocol=udp

Useless, the router already allows traffic between CIDRs. 192.168.1.0/24 and 192.168.33.0/25 are NOT classes and NOT separate LANs.
add action=accept chain=forward comment="Allow traffic from main-network to old-network" dst-address=192.168.1.0/24 src-address=192.168.33.0/25
add action=accept chain=forward comment="Allow traffic from old-network to main-network" dst-address=192.168.33.0/25 src-address=192.168.1.0/24
add action=accept chain=forward comment="Allow traffic from main-network to iot-network" dst-address=192.168.44.0/27 src-address=192.168.33.0/25
add action=accept chain=forward comment="Allow traffic from iot-network to main-network" dst-address=192.168.33.0/25 log=yes log-prefix=iot-to-main src-address=192.168.44.0/27

If switches are present, the firewall cannot block any communication between different CIDRs if different VLANs for each CIDR are not present.


I UPDATE the post with default firewall rules:
viewtopic.php?p=856824#p856824
 
HoracioDos
just joined
Topic Author
Posts: 20
Joined: Mon Jan 06, 2025 1:05 pm

Re: Blocking admin services - Firewall rules

Sat Feb 08, 2025 1:57 pm

Secondly, your config is hosed. You cannot have two DHCP servers on the same interface;
as you should have noted, you can use multiple bridges (not recommended) or multiple VLANs (recommended).

Hello. I'm quite confused now. I don't understand why you say I have 2 DHCP servers, are you referring to this part of the configuration?
/ip dhcp-server network
add address=192.168.10.0/25 comment=main-network dns-server=192.168.10.1 domain=home.internal gateway=192.168.10.1 netmask=25
add address=192.168.20.0/27 comment=iot-network dns-server=192.168.20.1 domain=home.internal gateway=192.168.20.1 netmask=27
I didn't change filter default rules or the order of them. So default rules must be wrong.
I have almost the same rules that @rextended has pointed out in post viewtopic.php?p=856824
This one is missing
add chain=input action=drop in-interface-list=!LAN comment="defconf: drop all not coming from LAN"
Default rules
/ip firewall filter
add chain=input action=accept connection-state=established,related,untracked comment="defconf: accept established,related,untracked"
add chain=input action=drop connection-state=invalid comment="defconf: drop invalid"
add chain=input action=accept protocol=icmp comment="defconf: accept ICMP"
add chain=input action=accept dst-address=127.0.0.1 comment="defconf: accept to local loopback (for CAPsMAN)"
add chain=input action=drop in-interface-list=!LAN comment="defconf: drop all not coming from LAN"
add chain=forward action=accept ipsec-policy=in,ipsec comment="defconf: accept in ipsec policy"
add chain=forward action=accept ipsec-policy=out,ipsec comment="defconf: accept out ipsec policy"
add chain=forward action=fasttrack-connection connection-state=established,related comment="defconf: fasttrack"
add chain=forward action=accept connection-state=established,related,untracked comment="defconf: accept established,related, untracked"
add chain=forward action=drop connection-state=invalid comment="defconf: drop invalid"
add chain=forward action=drop connection-state=new connection-nat-state=!dstnat in-interface-list=WAN comment="defconf: drop all from WAN not DSTNATed"
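The properties the replies above keep coming back to (rules grouped by chain, a catch-all drop as the last rule of input and forward, nothing placed after it, and narrow WAN drops that such a catch-all makes redundant) can be checked mechanically. The script below is an added example, not code from the thread or from MikroTik; it assumes an export in the `add key=value` form quoted here, uses the default rule set above as its passing sample, and all function names are its own.

```python
"""Added example (not code from the thread): lint a RouterOS '/ip firewall filter' export
for what the replies ask for: rules grouped by chain, a catch-all drop as the last rule of
input/forward, nothing unreachable after it, no narrow WAN drops the catch-all already covers."""
import shlex
from collections import Counter

NON_MATCHERS = {"chain", "action", "comment", "log", "log-prefix", "disabled"}
CATCH_ALL_KEYS = {"in-interface-list", "connection-state", "connection-nat-state"}
WAN_SIDE = {"WAN", "!LAN"}   # with the default lists both select the WAN side

def parse_filter(text):
    """Turn 'add k=v ...' lines (with '\\' continuations) into dicts."""
    rules, buf = [], ""
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#/":       # blank, comment, or '/ip ...' path line
            continue
        if line.endswith("\\"):               # export-style continuation: join directly
            buf += line[:-1]
            continue
        toks, buf = shlex.split(buf + line), ""
        if toks and toks[0] == "add":
            rules.append(dict(t.partition("=")[::2] for t in toks[1:]))
    return rules

def matchers(rule):
    return {k: v for k, v in rule.items() if k not in NON_MATCHERS}

def is_catch_all_drop(rule):
    """'drop in-interface-list=!LAN' or defconf 'drop all from WAN not DSTNATed'."""
    m = matchers(rule)
    if rule.get("action") != "drop" or m.get("connection-state", "new") != "new":
        return False                          # 'drop invalid' is a state filter, not the catch-all
    return set(m) <= CATCH_ALL_KEYS

def interleaved_chains(rules):
    """Chains whose rules are split into several runs ('group your chains')."""
    runs = [r.get("chain") for i, r in enumerate(rules)
            if i == 0 or r.get("chain") != rules[i - 1].get("chain")]
    return sorted(c for c, n in Counter(runs).items() if n > 1)

def chain_findings(rules, chain):
    mine = [r for r in rules if r.get("chain") == chain]
    catch = [i for i, r in enumerate(mine) if is_catch_all_drop(r)]
    if not mine:
        return []
    if not catch:
        return [f"{chain}: no catch-all drop at the end of the chain"]
    out, end = [], catch[0]
    if end != len(mine) - 1:
        out.append(f"{chain}: {len(mine) - 1 - end} rule(s) after the catch-all drop are unreachable")
    for r in mine[:end]:                      # WAN-side drops placed before the catch-all
        if (r.get("action") == "drop" and r.get("in-interface-list") in WAN_SIDE
                and mine[end].get("in-interface-list") in WAN_SIDE):
            out.append(f"{chain}: drop '{r.get('comment', '')}' is already covered by the catch-all drop")
    return out

def lint(text):
    rules = parse_filter(text)
    findings = [f"rules for chain {c} are not grouped together" for c in interleaved_chains(rules)]
    for chain in ("input", "forward"):
        findings += chain_findings(rules, chain)
    return findings

# Constructed sample 1: the RouterOS default filter set as quoted in this thread.
DEFAULT_RULES = """\
/ip firewall filter
add chain=input action=accept connection-state=established,related,untracked comment="defconf: accept established,related,untracked"
add chain=input action=drop connection-state=invalid comment="defconf: drop invalid"
add chain=input action=accept protocol=icmp comment="defconf: accept ICMP"
add chain=input action=accept dst-address=127.0.0.1 comment="defconf: accept to local loopback (for CAPsMAN)"
add chain=input action=drop in-interface-list=!LAN comment="defconf: drop all not coming from LAN"
add chain=forward action=accept ipsec-policy=in,ipsec comment="defconf: accept in ipsec policy"
add chain=forward action=accept ipsec-policy=out,ipsec comment="defconf: accept out ipsec policy"
add chain=forward action=fasttrack-connection connection-state=established,related comment="defconf: fasttrack"
add chain=forward action=accept connection-state=established,related,untracked comment="defconf: accept established, related, untracked"
add chain=forward action=drop connection-state=invalid comment="defconf: drop invalid"
add chain=forward action=drop connection-state=new connection-nat-state=!dstnat in-interface-list=WAN comment="defconf: drop all from WAN not DSTNATed"
"""
# Constructed sample 2: the input catch-all removed, a narrow WAN->LAN drop placed before
# the forward catch-all, and the OP's input rules appended after the forward chain.
MESSY_RULES = DEFAULT_RULES.replace(
    'add chain=input action=drop in-interface-list=!LAN comment="defconf: drop all not coming from LAN"\n', ""
).replace(
    "add chain=forward action=drop connection-state=new",
    'add action=drop chain=forward comment="Block traffic from WAN to LAN" in-interface-list=WAN out-interface-list=LAN\n'
    "add chain=forward action=drop connection-state=new",
) + """\
add action=drop chain=input comment="Block Admin from WAN" dst-port=21,22,23,80,443,8291,8728,8729 in-interface-list=WAN log-prefix=Block-Admin protocol=tcp
add action=accept chain=input comment="Allow Admin from LAN" dst-port=22,8291 in-interface-list=LAN log-prefix=admin-LAN protocol=tcp
add action=accept chain=input comment="Allow Wireguard port" dst-port=13231 protocol=udp
"""

if __name__ == "__main__":
    print("default:", lint(DEFAULT_RULES) or "no findings")
    print("messy:", *lint(MESSY_RULES), sep="\n  ")
```

Feed it the output of `/ip firewall filter export` (sanitised as mkx describes) and fix the chain that reports findings first; the unreachable-rule check is the one that catches an accept placed after the final drop.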
 
HoracioDos
just joined
Topic Author
Posts: 20
Joined: Mon Jan 06, 2025 1:05 pm

Re: Blocking admin services - Firewall rules

Sat Feb 08, 2025 3:11 pm

Well. I've added the missing rule and reset all counters.
add chain=input action=drop in-interface-list=!LAN comment="defconf: drop all not coming from LAN"
I removed:
add action=drop chain=input comment="Block DNS from WAN UDP/53" dst-port=53 in-interface-list=WAN protocol=udp
add action=drop chain=input comment="Block DNS from WAN TCP/53" dst-port=53 in-interface-list=WAN protocol=tcp
add action=drop chain=input comment="Block Admin from WAN" dst-port=21,22,23,80,443,8291,8728,8729 in-interface-list=WAN log-prefix=Block-Admin protocol=tcp
add action=drop chain=forward comment="Block traffic from WAN to LAN" in-interface-list=WAN out-interface-list=LAN 
 
anav
Forum Guru
Posts: 22426
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Blocking admin services - Firewall rules

Sat Feb 08, 2025 3:15 pm

Please post your latest config so that we can apply fresh thinking to the issue.
 
HoracioDos
just joined
Topic Author
Posts: 20
Joined: Mon Jan 06, 2025 1:05 pm

Re: Blocking admin services - Firewall rules

Sat Feb 08, 2025 3:55 pm

Please post your latest config so that we can apply fresh thinking to the issue.
Full config
/interface bridge
add admin-mac=XX:XX:XX:XX:XX:XX auto-mac=no comment=defconf name=bridge-lan
/interface ethernet
set [ find default-name=ether1 ] comment=ether1-isp name=ether1-isp rx-flow-control=auto tx-flow-control=auto
set [ find default-name=ether2 ] rx-flow-control=auto tx-flow-control=auto
set [ find default-name=ether3 ] rx-flow-control=auto tx-flow-control=auto
set [ find default-name=ether4 ] rx-flow-control=auto tx-flow-control=auto
set [ find default-name=ether5 ] rx-flow-control=auto tx-flow-control=auto
set [ find default-name=ether6 ] rx-flow-control=auto tx-flow-control=auto
set [ find default-name=ether7 ] rx-flow-control=auto tx-flow-control=auto
set [ find default-name=ether8 ] rx-flow-control=auto tx-flow-control=auto
/interface wireguard
add comment=wireguard-interface listen-port=13231 mtu=1420 name=wireguard1
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
add comment="Detect Internet" name=INTERNET
/ip pool
add comment=main_pool name=main_pool ranges=192.168.33.10-192.168.33.96,192.168.44.2-192.168.44.32
/ip dhcp-server
add address-pool=main_pool always-broadcast=yes comment=dhcp-server-lan interface=bridge-lan lease-time=5m name=dhcp-server-lan
/certificate settings
set crl-download=yes
/disk settings
set auto-media-interface=bridge-lan auto-media-sharing=yes auto-smb-sharing=yes
/interface bridge port
add bridge=bridge-lan comment=defconf interface=ether2
add bridge=bridge-lan comment=defconf interface=ether3
add bridge=bridge-lan comment=defconf interface=ether4
add bridge=bridge-lan comment=defconf interface=ether5
add bridge=bridge-lan comment=defconf interface=ether6
add bridge=bridge-lan comment=defconf interface=ether7
add bridge=bridge-lan comment=defconf interface=ether8
add bridge=bridge-lan comment=defconf interface=sfp-sfpplus1
/ip neighbor discovery-settings
set discover-interface-list=LAN
/ip settings
set tcp-syncookies=yes
/ipv6 settings
set disable-ipv6=yes
/interface detect-internet
set detect-interface-list=INTERNET
/interface list member
add comment=defconf interface=bridge-lan list=LAN
add comment=defconf interface=ether1-isp list=WAN
add comment="Detect Internet" interface=ether1-isp list=INTERNET
/interface ovpn-server server
add mac-address=XX:XX:XX:XX:XX:XX name=ovpn-server1
/interface wireguard peers
add allowed-address=192.168.55.2/29 comment="Lenovo Horacio" interface=wireguard1 name=peer1 public-key="I love drinking wine" responder=yes
/ip address
add address=192.168.33.1/25 comment=main-lan interface=bridge-lan network=192.168.33.0
add address=192.168.44.1/27 comment=iot-lan interface=bridge-lan network=192.168.44.0
add address=192.168.55.1/29 comment=wireguard interface=wireguard1 network=192.168.55.0
add address=192.168.1.1/25 comment=Old-Lan disabled=yes interface=bridge-lan network=192.168.1.0
/ip arp
add address=192.168.33.6 comment="Unifi Controller" interface=bridge-lan mac-address=XX:XX:XX:XX:XX:XX
add address=192.168.33.9 comment="Unifi AP3" interface=bridge-lan mac-address=XX:XX:XX:XX:XX:XX
add address=192.168.33.2 comment=CRS310 interface=bridge-lan mac-address=XX:XX:XX:XX:XX:XX
add address=192.168.33.7 comment="Unifi AP1" interface=bridge-lan mac-address=XX:XX:XX:XX:XX:XX
add address=192.168.33.3 comment=CRS304-A interface=bridge-lan mac-address=XX:XX:XX:XX:XX:XX
add address=192.168.44.11 comment="EcoWitt GW2000" interface=bridge-lan mac-address=XX:XX:XX:XX:XX:XX
add address=192.168.44.12 comment="EcoWitt Console" interface=bridge-lan mac-address=XX:XX:XX:XX:XX:XX
add address=192.168.44.20 comment="HikVision NVR" interface=bridge-lan mac-address=XX:XX:XX:XX:XX:XX
add address=192.168.44.21 comment="HikVision Cam1" interface=bridge-lan mac-address=XX:XX:XX:XX:XX:XX
/ip dhcp-client
add comment=Fibertel interface=ether1-isp use-peer-dns=no use-peer-ntp=no
/ip dhcp-server config
set store-leases-disk=30m
/ip dhcp-server lease
add address=192.168.33.46 client-id=XX:XX:XX:XX:XX:XX:XX comment=Lenovo_Horacio_LAN mac-address=XX:XX:XX:XX:XX:XX server=dhcp-server-lan
add address=192.168.33.12 comment=SamsungTV_LAN mac-address=XX:XX:XX:XX:XX:XX server=dhcp-server-lan
add address=192.168.33.14 comment=FireTV_Living_LAN mac-address=XX:XX:XX:XX:XX:X server=dhcp-server-lan
add address=192.168.33.21 comment="\
    \nPS4_LAN" mac-address=XX:XX:XX:XX:XX:XX server=dhcp-server-lan
add address=192.168.33.42 comment="HP Horacio LAN" mac-address=XX:XX:XX:XX:XX:XX server=dhcp-server-lan
add address=192.168.33.47 comment=Lenovo_Horacio_WLAN mac-address=XX:XX:XX:XX:XX:XX server=dhcp-server-lan
add address=192.168.33.48 comment=PC_Fran_LAN mac-address=XX:XX:XX:XX:XX:XX server=dhcp-server-lan
add address=192.168.33.60 comment="\
    \nEasyWeather_WLAN" mac-address=XX:XX:XX:XX:XX:XX server=dhcp-server-lan
add address=192.168.33.72 client-id=XX:XX:XX:XX:XX:X:XX comment="S22 Soledad" mac-address=X:XX:XX:XX:XX:XX server=dhcp-server-lan
add address=192.168.33.71 client-id=XX:XX:XX:XX:XX:XX:XX comment="Luvi Redmi" mac-address=XX:XX:XX:XX:XX:XX server=dhcp-server-lan
add address=192.168.33.36 client-id=XX:XX:XX:XX:XX:XX:XX comment="Dell Soledad????" mac-address=XX:XX:XX:XX:XX:XX server=dhcp-server-lan
add address=192.168.33.43 client-id=XX:XX:XX:XX:XX:XX:XX comment="HP Horacio WLAN" mac-address=XX:XX:XX:XX:XX:XX server=dhcp-server-lan
add address=192.168.33.74 client-id=XX:XX:XX:XX:XX:XX:XX comment="Iphone Fran" mac-address=XX:XX:XX:XX:XX:XX server=dhcp-server-lan
add address=192.168.33.73 client-id=XX:XX:XX:XX:XX:XX:XX comment="S22 Soledad" mac-address=XX:XX:XX:XX:XX:XX server=dhcp-server-lan
add address=192.168.33.22 client-id=XX:XX:XX:XX:XX:XX:XX comment=PS4_WLAN mac-address=XX:XX:XX:XX:XX:XX server=dhcp-server-lan
add address=192.168.33.2 client-id=XX:XX:XX:XX:XX:XX:XX comment=CRS310 mac-address=XX:XX:XX:XX:XX:XX server=dhcp-server-lan
add address=192.168.33.76 client-id=XX:XX:XX:XX:XX:XX:XX comment="Moto Horacio" mac-address=XX:XX:XX:XX:XX:XX server=dhcp-server-lan
add address=192.168.33.70 client-id=XX:XX:XX:XX:XX:XX:XX comment="Luvi Redmi" mac-address=XX:XX:XX:XX:XX:XX server=dhcp-server-lan
add address=192.168.33.3 client-id=XX:XX:XX:XX:XX:XX:XX comment=CRS304-A mac-address=XX:XX:XX:XX:XX:XX server=dhcp-server-lan
add address=192.168.33.77 client-id=XX:XX:XX:XX:XX:XX:XX comment="Moto Horacio" mac-address=XX:XX:XX:XX:XX:XX server=dhcp-server-lan
add address=192.168.33.50 client-id=XX:XX:XX:XX:XX:XX:XX comment=Marconi mac-address=XX:XX:XX:XX:XX:XX server=dhcp-server-lan
/ip dhcp-server network
add address=192.168.33.0/25 comment=main-network dns-server=192.168.33.1 domain=home.internal gateway=192.168.33.1 netmask=25
add address=192.168.44.0/27 comment=iot-network dns-server=192.168.44.1 domain=home.internal gateway=192.168.44.1 netmask=27
/ip dns
set allow-remote-requests=yes doh-max-server-connections=10 max-udp-packet-size=512 mdns-repeat-ifaces=bridge-lan servers=1.1.1.3,1.0.0.3 use-doh-server=\
    https://family.cloudflare-dns.com/dns-query
/ip dns static
add address=192.168.33.1 comment=RB5009UG name=rb5009.home.internal type=A
add address=192.168.33.6 comment="Unifi Controller" name=unifi.home.internal type=A
add address=192.168.33.2 comment=CRS310 name=crs310.home.internal type=A
add address=192.168.44.3 comment=zabbix/cups/nut name=vesta.home.internal type=A
add address=192.168.44.6 comment="Nut UPS-APC" name=fulgora.home.internal type=A
add address=192.168.44.2 comment="Home Assistant" name=domus.home.internal type=A
add address=192.168.33.3 comment=CRS304-A name=crs304a.home.internal type=A
add address=192.168.33.7 comment="Unifi AP1" name=ap1.home.internal type=A
add address=192.168.33.9 comment="Unifi AP3" name=ap3.home.internal type=A
add address=192.168.44.11 comment="EcoWitt GW2000" name=ecogw.home.internal type=A
add address=192.168.44.12 comment="EcoWitt Console" name=ecoconsole.home.internal type=A
add address=192.168.44.20 comment="HikVision NVR" name=nvr.home.internal type=A
add address=192.168.44.21 comment="HikVision Cam1" name=cam1.home.internal type=A
/ip firewall filter
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment="defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=drop chain=input comment="defconf: drop all not coming from LAN" in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related hw-offload=yes
add action=accept chain=forward comment="defconf: accept established,related, untracked" connection-state=established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
add action=drop chain=forward comment="defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat connection-state=new in-interface-list=WAN
add action=accept chain=input comment="Allow Wireguard port" dst-port=13231 protocol=udp
add action=accept chain=forward comment="Allow traffic from iot-network to main-network" dst-address=192.168.33.0/25 log=yes log-prefix=iot-to-main src-address=\
    192.168.44.0/27
add action=accept chain=forward comment="Allow traffic from main-network to old-network" dst-address=192.168.1.0/24 src-address=192.168.33.0/25
add action=accept chain=forward comment="Allow traffic from old-network to main-network" dst-address=192.168.33.0/25 src-address=192.168.1.0/24
add action=accept chain=forward comment="Allow traffic from main-network to iot-network" dst-address=192.168.44.0/27 src-address=192.168.33.0/25
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" ipsec-policy=out,none out-interface-list=WAN
add action=masquerade chain=srcnat comment="Wireguard NAT to WAN" out-interface-list=WAN src-address=192.168.5.0/29
add action=src-nat chain=srcnat comment="Force traffic to IoT-Lan to appear from gateway - Don't delete!" dst-address=192.168.44.0/27 log-prefix=nat-iot src-address=\
    192.168.33.0/25 to-addresses=192.168.44.1
add action=src-nat chain=srcnat comment="Force traffic to Old-Lan to appear from gateway" dst-address=192.168.1.0/24 src-address=192.168.33.0/25 to-addresses=\
    192.168.1.1
add action=redirect chain=dstnat comment="Redirect DNS Requests UDP/53" dst-port=53 protocol=udp to-ports=53
add action=redirect chain=dstnat comment="Redirect DNS Requests  TCP/53" dst-port=53 protocol=tcp to-ports=53
/ip hotspot profile
set [ find default=yes ] html-directory=hotspot
/ip ipsec profile
set [ find default=yes ] dpd-interval=2m dpd-maximum-failures=5
/ip service
set telnet disabled=yes
set ftp disabled=yes
set www disabled=yes
set ssh address=192.168.33.0/25
set api disabled=yes
set winbox address=192.168.33.0/25
set api-ssl disabled=yes
/ip smb shares
set [ find default=yes ] directory=pub
/ipv6 firewall address-list
add address=::/128 comment="defconf: unspecified address" list=bad_ipv6
add address=::1/128 comment="defconf: lo" list=bad_ipv6
add address=fec0::/10 comment="defconf: site-local" list=bad_ipv6
add address=::ffff:0.0.0.0/96 comment="defconf: ipv4-mapped" list=bad_ipv6
add address=::/96 comment="defconf: ipv4 compat" list=bad_ipv6
add address=100::/64 comment="defconf: discard only " list=bad_ipv6
add address=2001:db8::/32 comment="defconf: documentation" list=bad_ipv6
add address=2001:10::/28 comment="defconf: ORCHID" list=bad_ipv6
add address=3ffe::/16 comment="defconf: 6bone" list=bad_ipv6
/ipv6 firewall filter
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=input comment="defconf: accept ICMPv6" protocol=icmpv6
add action=accept chain=input comment="defconf: accept UDP traceroute" dst-port=33434-33534 protocol=udp
add action=accept chain=input comment="defconf: accept DHCPv6-Client prefix delegation." dst-port=546 protocol=udp src-address=fe80::/10
add action=accept chain=input comment="defconf: accept IKE" dst-port=500,4500 protocol=udp
add action=accept chain=input comment="defconf: accept ipsec AH" protocol=ipsec-ah
add action=accept chain=input comment="defconf: accept ipsec ESP" protocol=ipsec-esp
add action=accept chain=input comment="defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=input comment="defconf: drop everything else not coming from LAN" in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
add action=drop chain=forward comment="defconf: drop packets with bad src ipv6" src-address-list=bad_ipv6
add action=drop chain=forward comment="defconf: drop packets with bad dst ipv6" dst-address-list=bad_ipv6
add action=drop chain=forward comment="defconf: rfc4890 drop hop-limit=1" hop-limit=equal:1 protocol=icmpv6
add action=accept chain=forward comment="defconf: accept ICMPv6" protocol=icmpv6
add action=accept chain=forward comment="defconf: accept HIP" protocol=139
add action=accept chain=forward comment="defconf: accept IKE" dst-port=500,4500 protocol=udp
add action=accept chain=forward comment="defconf: accept ipsec AH" protocol=ipsec-ah
add action=accept chain=forward comment="defconf: accept ipsec ESP" protocol=ipsec-esp
add action=accept chain=forward comment="defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=forward comment="defconf: drop everything else not coming from LAN" in-interface-list=!LAN
/system clock
set time-zone-name=America/Argentina/Buenos_Aires
/system identity
set name=RG5009
/system logging
add disabled=yes topics=dns
/system note
set show-at-login=no
/system ntp client
set enabled=yes
/system ntp client servers
add address=br.pool.ntp.org
add address=ar.pool.ntp.org
add address=cl.pool.ntp.org
/system scheduler
add interval=3m name=internet-check on-event=internet-check policy=read,write,policy,test start-date=2025-01-17 start-time=20:50:00
/system script
add dont-require-permissions=yes name=Internet_Down owner=admin policy=read,write,policy,test source=\
    "delay 30s; tool e-mail send to=mail@gmail.com subject=([/system identity get name].\" Internet DOWN\") body=(\"Desde: \$since \\r\\nHost: \$host\")"
add dont-require-permissions=yes name=Internet_Up owner=admin policy=read,write,policy,test source=\
    "delay 30s; tool e-mail send to=mail@gmail.com subject=([/system identity get name].\" Internet UP\") body=(\"Desde: \$since \\r\\nHost: \$host\")"
add dont-require-permissions=no name=internet-check owner=admin policy=read,write,policy,test source=":global previousState;\
    \n\
    \n:local id [/interface/detect-internet/state find];\
    \n:local ifaceName [/interface/detect-internet/state get \$id name];\
    \n:local ifaceState [/interface/detect-internet/state get \$id state];\
    \n:local ifaceTime [/interface/detect-internet/state get \$id state-change-time];\
    \n:local ifaceRTT [/interface/detect-internet/state get \$id cloud-rtt];\
    \n\
    \n:if (\$ifaceState != \$previousState) do={:set previousState \$ifaceState;\
    \n\
    \n:set ifaceRTT \"\$[([:tonsec \$ifaceRTT]/(1000*1000))] ms\"\
    \n\
    \n:local emailBody (\"Interface: \$ifaceName\\rState: \$ifaceState\\rLast change: \$ifaceTime\\rRTT: \$ifaceRTT\\rINTERNET state connectivity is checked every min\
    ute via cloud.mikrotik.com (UDP:30000). If unreachable for 3 consecutive minutes, state changes to WAN\");\
    \n\
    \n:if (\$ifaceState = \"internet\") do={/tool e-mail send to=\"mail@gmail.com\" subject=(\"Internet Available on \" . \$ifaceName) body=\$emailBody;};\
    \n\
    \n:if (\$ifaceState = \"wan\") do={/tool e-mail send to=\"mail@gmail.com\" subject=(\"Limited Internet Connection on \" . \$ifaceName) body=\$emailBody;};\
    \n} "
/tool e-mail
set from=mail@gmail.com port=587 server=smtp.gmail.com tls=starttls user=mail@gmail.com
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN
/tool netwatch
add comment="Internet Connection Check" disabled=yes down-script=Internet_Down host=1.1.1.1 http-codes="" interval=1m name=Cloudflare test-script="" timeout=2s type=\
    simple up-script=Internet_Up
 
MichalPospichal
newbie
Posts: 42
Joined: Sun Feb 04, 2018 11:27 pm
Location: Czech Republic

Re: Blocking admin services - Firewall rules

Sat Feb 08, 2025 5:32 pm

Useless, the router already allows traffic between CIDRs. 192.168.1.0/24 and 192.168.33.0/25 are NOT classes and NOT separate LANs.
If switches are present, the firewall cannot block any communication between different CIDRs if different VLANs for each CIDR are not present.
Sorry to hijack the thread but it is still kinda related to the OPs config, so relevant.
Regarding what you wrote above, I am a bit confused and I was actually wondering before if I need FW rules for this situation or not:

Let's assume I have 2 networks, 192.168.100.0/24 and 192.168.110.0/24, on their own VLANs.
If I do not want the devices to be able to communicate between these 2 networks, do I have to have blocking FW rules in place, or is it blocked by default being on different VLANs already?
 
mkx
Forum Guru
Posts: 13302
Joined: Thu Mar 03, 2016 10:23 pm

Re: Blocking admin services - Firewall rules

Sat Feb 08, 2025 6:13 pm

If I do not want the devices to be able to communicate between these 2 networks, do I have to have blocking FW rules in place, or is it blocked by default being on different VLANs already?

Yes and No. VLANs prevent devices from communicating directly (via switch alone). So you have a router ... and router will pass traffic between any pair of its interfaces unless configured not to (either routing rules or some kind of firewall).

So yes, you need FW rules blocking traffic. But it might be that some of your existing rules already block traffic between VLANs. You have to sift through your rules, consider what each rule would do with a packet ... and if none of rules trigger, packet will be allowed to pass. If that's not what you want, you need to add rule which will trigger and consequentially drop packet.
 
HoracioDos
just joined
Topic Author
Posts: 20
Joined: Mon Jan 06, 2025 1:05 pm

Re: Blocking admin services - Firewall rules

Sat Feb 08, 2025 7:00 pm

As these rules are not really needed right now, I've deleted them
add action=accept chain=forward comment="Allow traffic from iot-network to main-network" dst-address=192.168.33.0/25 log=yes log-prefix=iot-to-main src-address=\
    192.168.44.0/27
add action=accept chain=forward comment="Allow traffic from main-network to old-network" dst-address=192.168.1.0/24 src-address=192.168.33.0/25
add action=accept chain=forward comment="Allow traffic from old-network to main-network" dst-address=192.168.33.0/25 src-address=192.168.1.0/24
add action=accept chain=forward comment="Allow traffic from main-network to iot-network" dst-address=192.168.44.0/27 src-address=192.168.33.0/25
So my filter rules are the same as the default rules now.
I can't remember from where I took this NAT rule for WireGuard, but it never gets traffic, so it must be useless and wireguard client connects without any problem.
add action=masquerade chain=srcnat comment="Wireguard NAT to WAN" out-interface-list=WAN src-address=192.168.5.0/29
 
HoracioDos
just joined
Topic Author
Posts: 20
Joined: Mon Jan 06, 2025 1:05 pm

Re: Blocking admin services - Firewall rules

Sat Feb 08, 2025 8:11 pm


@Jotne Mikrotik default filters are active
I don't believe it.
And even if it did, you probably changed something else that made it not work.
The firewall and the nat are full of useless rules, and the default drop-all-at-the-end are deleted...
<put wireguard rule here>
add chain=input action=drop in-interface-list=!LAN comment="defconf: drop all not coming from LAN"

All useless, if the previous rule is on place:
add action=drop chain=forward comment="Block traffic from WAN to LAN" in-interface-list=WAN out-interface-list=LAN
add action=drop chain=input comment="Block Admin from WAN" dst-port=21,22,23,80,443,8291,8728,8729 in-interface-list=WAN log-prefix=Block-Admin protocol=tcp
add action=accept chain=input comment="Allow Admin from LAN" dst-port=22,8291 in-interface-list=LAN log-prefix=admin-LAN protocol=tcp

must be put before missing rule
add action=accept chain=input comment="Allow Wireguard port" dst-port=13231 protocol=udp

Useless, the router already allows traffic between CIDRs. 192.168.1.0/24 and 192.168.33.0/25 are NOT classes and NOT separate LANs.
add action=accept chain=forward comment="Allow traffic from main-network to old-network" dst-address=192.168.1.0/24 src-address=192.168.33.0/25
add action=accept chain=forward comment="Allow traffic from old-network to main-network" dst-address=192.168.33.0/25 src-address=192.168.1.0/24
add action=accept chain=forward comment="Allow traffic from main-network to iot-network" dst-address=192.168.44.0/27 src-address=192.168.33.0/25
add action=accept chain=forward comment="Allow traffic from iot-network to main-network" dst-address=192.168.33.0/25 log=yes log-prefix=iot-to-main src-address=192.168.44.0/27

If switches are present, the firewall cannot block any communication between different CIDRs if different VLANs for each CIDR are not present.

I UPDATE the post with default firewall rules:
viewtopic.php?p=856824#p856824

@rextended You were absolutely right. That drop rule was the only one missing. I've already deleted all the other rules that you mentioned. I fixed the order for the wireguard filter too. I guess I'm ok now and I will start learning about vlans.
 
anav
Forum Guru
Posts: 22426
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Blocking admin services - Firewall rules

Sat Feb 08, 2025 9:18 pm

Too funny, far from ready.
Not sure why the others are turning a blind (perhaps bloodshot) eye too.
The fact that you are attempting to have your cake and eat it too.
Mainly having one pool containing two subnets, one dhcp server on the bridge, and then two dhcp server networks and two ip addresses (both having interface as bridge).
Amazing anything works.

If you want two subnets then use vlans.
 
MichalPospichal
newbie
Posts: 42
Joined: Sun Feb 04, 2018 11:27 pm
Location: Czech Republic

Re: Blocking admin services - Firewall rules

Sun Feb 09, 2025 4:09 pm


Yes and No. VLANs prevent devices from communicating directly (via switch alone). So you have a router ... and router will pass traffic between any pair of its interfaces unless configured not to (either routing rules or some kind of firewall).

So yes, you need FW rules blocking traffic. But it might be that some of your existing rules already block traffic between VLANs. You have to sift through your rules, consider what each rule would do with a packet ... and if none of rules trigger, packet will be allowed to pass. If that's not what you want, you need to add rule which will trigger and consequentially drop packet.
Thanks a lot for the explanation, now it makes sense to me, I did not realize there are 2 points to look at this, switching and routing.
I made a test with 2 laptops trying to connect between these 2 networks, and it turns out that if you do not explicitly allow it in the chain and you also have "drop all else" rule at the end of the forward chain, the networks are separated by this last rule. Previously, just to be safe because I was not sure how it works, I also had specific rules to separate these networks from each other higher in the chain (before allowing creation of new connections), but now I removed them because they are redundant.
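The two behaviours discussed in this thread, that rule order decides the outcome (the WireGuard accept placed after "drop all not coming from LAN" can never fire for a WAN packet, as rextended pointed out) and that a forward chain without a terminal drop lets inter-subnet traffic through by the implicit accept (mkx's explanation and MichalPospichal's laptop test), can be checked in a small first-match simulator. The following is an added example written for this page, not code from the thread or from MikroTik; it condenses the chains posted above into Python rules, models only the matchers those rules use, and uses RFC 5737 documentation addresses and the thread's own subnets as constructed sample packets.

```python
"""Toy simulator of RouterOS-style first-match firewall evaluation.
Added example, not from the forum thread or MikroTik.  Rules are a
condensed copy of the chains posted in the thread; packet addresses
are constructed (RFC 5737 documentation ranges plus the thread's LANs)."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional


@dataclass
class Packet:
    chain: str                       # "input" (to the router) or "forward" (through it)
    in_list: str                     # interface list the packet arrived on: "WAN" or "LAN"
    out_list: Optional[str] = None   # forward chain only
    proto: Optional[str] = None
    dst_port: Optional[int] = None
    src: str = "0.0.0.0"
    dst: str = "0.0.0.0"
    state: str = "new"               # connection-state as conntrack would classify it
    dstnat: bool = False             # True when a dst-nat rule already rewrote the packet


@dataclass
class Rule:
    chain: str
    action: str                      # "accept" or "drop"
    comment: str = ""
    state: Optional[frozenset] = None
    in_list: Optional[str] = None    # "LAN", "WAN", or negated "!LAN" as in RouterOS
    out_list: Optional[str] = None
    proto: Optional[str] = None
    dst_port: Optional[frozenset] = None
    src_net: Optional[str] = None
    dst_net: Optional[str] = None
    dstnat: Optional[bool] = None    # models connection-nat-state=dstnat / !dstnat


def _list_ok(wanted: Optional[str], actual: Optional[str]) -> bool:
    """Interface-list matcher with RouterOS '!' negation."""
    if wanted is None:
        return True
    if wanted.startswith("!"):
        return actual != wanted[1:]
    return actual == wanted


def matches(r: Rule, p: Packet) -> bool:
    return (r.chain == p.chain
            and (r.state is None or p.state in r.state)
            and _list_ok(r.in_list, p.in_list)
            and _list_ok(r.out_list, p.out_list)
            and (r.proto is None or r.proto == p.proto)
            and (r.dst_port is None or p.dst_port in r.dst_port)
            and (r.src_net is None or ip_address(p.src) in ip_network(r.src_net))
            and (r.dst_net is None or ip_address(p.dst) in ip_network(r.dst_net))
            and (r.dstnat is None or r.dstnat == p.dstnat))


def verdict(rules, p: Packet):
    """First matching rule decides; when nothing matches RouterOS accepts."""
    for r in rules:
        if matches(r, p):
            return r.action, r.comment
    return "accept", "implicit accept: no rule matched"


ESTABLISHED = frozenset({"established", "related", "untracked"})

# Input chain in the order the thread's export listed it: the WireGuard accept sits
# AFTER "drop all not coming from LAN", so a handshake from the Internet is dropped.
INPUT_AS_EXPORTED = [
    Rule("input", "accept", "accept established,related,untracked", state=ESTABLISHED),
    Rule("input", "drop", "drop invalid", state=frozenset({"invalid"})),
    Rule("input", "accept", "accept ICMP", proto="icmp"),
    Rule("input", "drop", "drop all not coming from LAN", in_list="!LAN"),
    Rule("input", "accept", "Allow Wireguard port", proto="udp", dst_port=frozenset({13231})),
]
# Same rules with the WireGuard accept moved above the drop, as the thread advised.
INPUT_FIXED = INPUT_AS_EXPORTED[:3] + [INPUT_AS_EXPORTED[4], INPUT_AS_EXPORTED[3]]

# Forward chain as posted: no terminal drop, so LAN-to-LAN traffic between the two
# subnets falls through every rule and is accepted by default.
FORWARD_DEFCONF = [
    Rule("forward", "accept", "accept established,related,untracked", state=ESTABLISHED),
    Rule("forward", "drop", "drop invalid", state=frozenset({"invalid"})),
    Rule("forward", "drop", "drop all from WAN not DSTNATed",
         in_list="WAN", state=frozenset({"new"}), dstnat=False),
]
FORWARD_WITH_DROP_ALL = FORWARD_DEFCONF + [Rule("forward", "drop", "drop all else")]


def admin_from_wan(rules) -> str:
    """Constructed: Internet host probing Winbox, like the OP's log entries."""
    return verdict(rules, Packet("input", "WAN", proto="tcp", dst_port=8291,
                                 src="203.0.113.5", dst="198.51.100.7"))[0]


def wireguard_from_wan(rules) -> str:
    """Constructed: a roaming WireGuard peer's first handshake packet."""
    return verdict(rules, Packet("input", "WAN", proto="udp", dst_port=13231,
                                 src="203.0.113.5", dst="198.51.100.7"))[0]


def iot_to_main(rules) -> str:
    """Constructed: a device in iot-lan opening a new connection into main-lan."""
    return verdict(rules, Packet("forward", "LAN", out_list="LAN", proto="tcp", dst_port=445,
                                 src="192.168.44.21", dst="192.168.33.46"))[0]


if __name__ == "__main__":
    for name, rules in (("input as exported", INPUT_AS_EXPORTED), ("input fixed", INPUT_FIXED)):
        print(f"{name:18} admin probe={admin_from_wan(rules)} wireguard={wireguard_from_wan(rules)}")
    for name, rules in (("forward defconf", FORWARD_DEFCONF), ("forward + drop all", FORWARD_WITH_DROP_ALL)):
        print(f"{name:18} iot->main new connection={iot_to_main(rules)}")
```

Running it shows the admin probe dropped in both input orders (the OP's extra "Block Admin from WAN" rule adds nothing), the WireGuard handshake dropped until the accept is moved above the "!LAN" drop, and the iot-lan to main-lan connection accepted until a "drop all else" rule closes the forward chain. The simulator deliberately ignores fasttrack, the VLAN-versus-shared-bridge question and everything else a real RouterOS box does; it only illustrates the first-match, default-accept evaluation the replies describe.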
 
HoracioDos
just joined
Topic Author
Posts: 20
Joined: Mon Jan 06, 2025 1:05 pm

Re: Blocking admin services - Firewall rules

Sun Feb 09, 2025 4:25 pm


Yes and No. VLANs prevent devices from communicating directly (via switch alone). So you have a router ... and router will pass traffic between any pair of its interfaces unless configured not to (either routing rules or some kind of firewall).

So yes, you need FW rules blocking traffic. But it might be that some of your existing rules already block traffic between VLANs. You have to sift through your rules, consider what each rule would do with a packet ... and if none of rules trigger, packet will be allowed to pass. If that's not what you want, you need to add rule which will trigger and consequentially drop packet.
Thanks a lot for the explanation, now it makes sense to me, I did not realize there are 2 points to look at this, switching and routing.
I made a test with 2 laptops trying to connect between these 2 networks, and it turns out that if you do not explicitly allow it in the chain and you also have "drop all else" rule at the end of the forward chain, the networks are separated by this last rule. Previously, just to be safe because I was not sure how it works, I also had specific rules to separate these networks from each other higher in the chain (before allowing creation of new connections), but now I removed them because they are redundant.

Thank you @MichalPospichal for your test and explanation. I'm sure I was in the same situation but I wasn't able to troubleshoot and diagnose properly. Furthermore, after making change after change, you start losing track of the justification or reason why you defined a rule, whether it was correct or incorrect.