Hi all,
I have a very big problem with MikroTik as a firewall router. My real situation:
MikroTik RB2011UAS RouterOS 6.10.
The MikroTik must work as a router with all static real addresses. I have, for example, LAN: 80.200.10.160/27. In the MikroTik, one cable from the provider is connected to port eth1, with router address 80.200.10.161 as the default router. All other eth ports 2..10 are for real addresses from the LAN. In the MikroTik I made all ports a bridge; after this, internet on all ports started working. All clients with real IPs have parameters, for example:
IP: 80.200.10.163/27
Router: 80.200.10.161
Dns: xx.xx.xx.xx
Now my questions.
I have, on the incoming interface from my provider, eth1, the IP address (80.200.10.162)
Flags: D - dynamic, X - disabled, R - running, S - slave
# NAME TYPE MTU L2MTU MAX-L2MTU MAC-ADDRESS
0 RS eth1 ether 1500 1598 4074 D4:CA:
1 R eth2 ether 1500 1598 4074 D4:CA:
2 S eth3 ether 1500 1598 4074 D4:CA:6
3 S eth4i ether 1500 1598 4074 D4:CA:6D:
4 RS eth5 ether 1500 1598 4074 D4:C
5 S eth6 ether 1500 1598 2028 D4:CA:6D:6
6 S eth7 ether 1500 1598 2028 D4:CA:6D:61
7 RS eth8 ether 1500 1598 2028 D4:CA:6D:6F:
8 RS eth9 ether 1500 1598 2028 D4:CA:6D:6F
9 S eth10 ether 1500 1598 2028 D4:CA:6D:
10 sfp1-gateway ether 1500 1598 4074 D4:CA:6D:
11 R Internet bridge 1500 1598 D4:CA:6D
Flags: X - disabled, I - invalid, D - dynamic
# ADDRESS NETWORK INTERFACE
0 192.168.88.1/24 192.168.88.0 eth5
1 80.200.10.162/27 80.200.10.160 Internet
2 X 80.200.10.163/27 80.200.10.160 eth2
3 X 80.200.10.164/27 80.200.10.160 eth3
On eth2, 80.200.10.163. After that I made basic firewall rules for ICMP, to reject all incoming ICMP requests, and sent this rule to the MikroTik. My firewall rules result:
Flags: X - disabled, I - invalid, D - dynamic
0 ;;; Deny ICMP
chain=input action=drop protocol=icmp
1 ;;; Allow Established connections
chain=input action=accept connection-state=established
2 chain=forward action=accept
And now I send a ping to 80.200.10.162, result: request timeout for icmp_seq xxx. That's OK. Now I send to the other IP, 80.200.10.163, result:
64 bytes from xxxxxxx: icmp_seq=0 and ...
WHY!? The firewall applies the rules only for one interface or IP, not for all IPs.
Please help me! In a normal Linux system all these rules function, but not in MikroTik.