If you want to look your TV out of home, you need setup a simple rule wich will allow only your IP or IPs as a source. Others will just drop.

If you want to look your TV out of home, you need setup a simple rule wich will allow only your IP or IPs as a source. Others will just drop.

My IP is always different when I am outside. Still I should be able to block specific IP addresses.
I am sure I am doing something wrong.

I believe firewall rule is blocking blacklist, but then port forwarding is letting him in. Something like that.
But how to fix it?!

Just create anz VPN to zour router and do not expose STB to the public network at all.

Guys I can put password authentication to my streaming port and its done, but I want to block specific IP address to access my network no matter what. And still have port forwarding.
add action=drop chain=input in-interface=ether1 log=yes log-prefix=blacklist src-address-list=blacklist
I thought this rule block address no matter what. I guess I am doing something wrong.

Yes, of course but only he could connect to this VPN. Noone else. And it is the point for setting VPN server.

There are two ways:

A. Easier: setup VPN server and connect to it before watching TV. Only "registerd" users will be able to watch TV .... there could be more than one allowed user !!! Simple, clean, easy configuration.

B. Longer version:
Set up blocking rules for all connections trying to reach streaming and somehow inform router what is his current "valid" IP to have "accept" rule to be updated according to this information.
It is quite easy task if you install Dynamic DNS client and register your computer for such service.
In the firewall rule he needs to set address list of choosen Dynamic DNS names .... yes, yes .... instead of direct IP you can just use myname.dynamicdnsservice.com .... Then the firewall rule should specify "address-list=my_allowed_ips_list" as source of allowed IPs.
Mikrotik itself periodically refreshes current IPs in this aaddress list from global DNS so this list should be valid all the time.
The problem is when the user disconnects and reconnects with different IP then DynamicDNS change is not propagated immediatelly and router is droping connection till next DNS refresh.

So .... use option A.

A. Easier: setup VPN server and connect to it before watching TV. Only "registerd" users will be able to watch TV .... there could be more than one allowed user !!! Simple, clean, easy configuration.
.......
So .... use option A.

If his IP is'nt static, problem the same. Time to time IP will switch to another, and he have to know what IP he got.

A. Easier: setup VPN server and connect to it before watching TV. Only "registerd" users will be able to watch TV .... there could be more than one allowed user !!! Simple, clean, easy configuration.
.......
So .... use option A.

If his IP is'nt static, problem the same. Time to time IP will switch to another, and he have to know what IP he got.

No.
IPs assigned to users's computers are controlled with VPN settings so all users willing to watch TV are from static, predefined and known pool of LOCAL addresses assigned to VPN users. There is no need to make any rules blocking STB streaming, no need to make DST/SRC NAT. Users allowed to watch TV streaming HAVE TO connect to local network with VPN so they are verified/controlled/accepted/allowed with VPN authorization process and seen by STB device as local users = local addresses.

In my opinion VPN solves problem permanently. Period.

P.S.
What if current users' ISP (eg. hotel, cellular or any other) prohibits VPN connections?
Yes, it could be a problem but then users need to suffer TV detoxication

But it is common problem for VPN settings, sharing nothing with problem of exposing TV stream to the public for particular users "somewhere in the world".

Guys I can put password authentication to my streaming port and its done, but I want to block specific IP address to access my network no matter what. And still have port forwarding.
add action=drop chain=input in-interface=ether1 log=yes log-prefix=blacklist src-address-list=blacklist
I thought this rule block address no matter what. I guess I am doing something wrong.

Right, but this chain have to be higher than accept chain, in order the router check incoming traffic first by drop chain and then by accept chain.

First of all your rule to drop traffic to your STB is wrong. The input chain is traffic going to the router itself, ie Webfig, Winbox, FTP, DNS... Your drop rule should be for the forward chain. The forward chain is any traffic that is forwarded from one interface of the router to another. The term, port forward, gives some clue.

You have several options to block forwards from your blacklist:

Code: Select all

/ip firewall filter add action=drop chain=forward comment="Drop Forwards from Blacklist" src-address-list=Blacklist

This will drop traffic in the Firewall Filter.

Code: Select all

/ip firewall nat add action=dst-nat chain=dstnat comment="Enigma Stream" dst-address=MY_REAL_IP dst-port=8001 in-interface=ether1 src-address-list=!Blacklist protocol=tcp to-addresses=192.168.0.30 to-ports=8001

This modify's your DST-NAT rule to only forward traffic not (!=not, in winbox/webfig it is a small checkbox) from Blacklist.

/ip firewall nat add action=dst-nat chain=dstnat comment="Enigma Stream" dst-address=MY_REAL_IP dst-port=8001 in-interface=ether1 src-address-list=!Blacklist protocol=tcp to-addresses=192.168.0.30 to-ports=8001

/ip firewall nat add action=dst-nat chain=dstnat comment="Enigma Stream" dst-address=MY_REAL_IP dst-port=8001 in-interface=ether1 src-address-list=!Blacklist_one protocol=tcp to-addresses=192.168.0.30 to-ports=8001
/ip firewall nat add action=dst-nat chain=dstnat comment="Enigma Stream" dst-address=MY_REAL_IP dst-port=8001 in-interface=ether1 src-address-list=!Blacklist_two protocol=tcp to-addresses=192.168.0.30 to-ports=8001

Going back to the topic author's original question: 2frogs is correct. You are dropping requests on the INPUT chain. You need to drop on the forward chain. Also, I recommend dropping ICMP input requests.

And I would also like to suggest a double or tripple port knocking as another alternative. If the topic author does not want to set up a VPN, he can
1) first DROP ICMP requests,
2) set up pork knocking, and
3) if by some chance the bad guy gets through, he can drop the blacklist correctly in the forward chain.

It's a bit cumbersome compared to a VPN, but at least he'll learn a little more about setting up firewalls.

Guys I can put password authentication to my streaming port and its done, but I want to block specific IP address to access my network no matter what. And still have port forwarding.
add action=drop chain=input in-interface=ether1 log=yes log-prefix=blacklist src-address-list=blacklist
I thought this rule block address no matter what. I guess I am doing something wrong.

Right, but this chain have to be higher than accept chain, in order the router check incoming traffic first by drop chain and then by accept chain.

Sorry for delayed answer. I was out of town.

You mean rule or chain?
Do you mean that drop rules have to be before(higher) accept?

So If I want to block connection for example to webfig or telnet port on router itself I block it in input chain and

If I want to block connection passing router and going to my devices behind NAT - I block connections in input and forward chains or only forward chain is enough?

Last question.
My drop rules should be on top of the filter list or they should be last rules (bottom of list)?

Thanks a lot for you help.

You mean I should drop ICMP requests to router itself. Like PING? If that's what you mean. I prefer to leave it ON so I can ping my host from outside to diagnose connection problems and availability.

So If I want to block connection for example to webfig or telnet port on router itself I block it in input chain

If I want to block connection passing router and going to my devices behind NAT - I block connections in input and forward chains or only forward chain is enough?

Can I have multiple lines for other blacklists, like this:

Code: Select all

/ip firewall nat add action=dst-nat chain=dstnat comment="Enigma Stream" dst-address=MY_REAL_IP dst-port=8001 in-interface=ether1 src-address-list=!Blacklist_one protocol=tcp to-addresses=192.168.0.30 to-ports=8001
/ip firewall nat add action=dst-nat chain=dstnat comment="Enigma Stream" dst-address=MY_REAL_IP dst-port=8001 in-interface=ether1 src-address-list=!Blacklist_two protocol=tcp to-addresses=192.168.0.30 to-ports=8001

/ip firewall filter 
add action=accept chain=forward connection-state=established,related
add action=drop chain=forward src-address-list=Blacklist_one
add action=drop chain=forward src-address-list=Blacklist_two
add action=drop chain=forward connection-nat-state=!dst-nat in-interface=ether1
/ip firewall nat 
add action=dst-nat chain=dstnat comment="Enigma Stream" dst-address=MY_REAL_IP dst-port=8001 in-interface=ether1 protocol=tcp to-addresses=192.168.0.30 to-ports=8001l

Last question. My drop rules should be on top of the filter list or they should be last rules (bottom of list)?

I recommend turning it off, or using port knocking for all necessary administrative ports, or simply use a VPN as the other members recommended.