lordwhiskey
newbie
Topic Author
Posts: 27
Joined: Wed Jun 26, 2013 8:33 am

Firewall rules not working after 6.42.6 upgrade

Fri Aug 03, 2018 8:51 pm

Dear all,

after I've upgraded my RB750UP, I'm not anymore able to have my logging firewall rules and LAN queuing rules working.

In particular, it seems that it is impossible to log or apply any kind of rule over packets travelling inside the LAN. Even torch fails to find connections between devices over the same LAN.

Am I missing something?

Thanks
 
Jotne
Forum Guru
Posts: 3348
Joined: Sat Dec 24, 2016 11:17 am
Location: Magrathean

Re: Firewall rules not working after 6.42.6 upgrade

Fri Aug 03, 2018 9:35 pm

Upgrading from what?

I guess you now have some fasttrack rules.
If so, you need to disable them.
https://www.youtube.com/watch?v=6LaqhDm6PHI
 
lordwhiskey
newbie
Topic Author
Posts: 27
Joined: Wed Jun 26, 2013 8:33 am

Re: Firewall rules not working after 6.42.6 upgrade

Fri Aug 03, 2018 9:46 pm

Hi,
thanks for the reply.
I upgraded from a 6.40.x version, but to be honest I do not remember the "x" value.
I did not have any fasttrack rule enabled.

My problem is that if I put a rule in the IP->Firewall->Filter rules for instance to log traffic from 192.168.1.x to 192.168.1.y, no packets are captured and displayed. Even rules that were there since before the RB upgrade and were working. Of course I checked and modified also the order of the entries.

The interesting/curious/worrying part is that I can't log or intercept any LAN to LAN traffic.

I noticed that after the upgrade, the concept of master port has been removed and the bridge was placed instead. I do not know whether this might be the (or part of the) cause of what I'm experiencing.

Thanks
 
msatter
Forum Guru
Posts: 2942
Joined: Tue Feb 18, 2014 12:56 am
Location: Netherlands / Nīderlande

Re: Firewall rules not working after 6.42.6 upgrade

Fri Aug 03, 2018 10:16 pm

That conversion is mandatory from 6.41 and Master port is replaced by bridge.

viewtopic.php?f=21&t=128915
 
xvo
Forum Guru
Posts: 1237
Joined: Sat Mar 03, 2018 1:12 am
Location: Moscow, Russia

Re: Firewall rules not working after 6.42.6 upgrade

Fri Aug 03, 2018 11:10 pm

If you want to filter traffic on the bridge you need either configure bridge filter rules or set use-ip-firewall=on in bridge settings.
 
lordwhiskey
newbie
Topic Author
Posts: 27
Joined: Wed Jun 26, 2013 8:33 am

Re: Firewall rules not working after 6.42.6 upgrade

Sat Aug 04, 2018 12:28 am

Hi,
> That conversion is mandatory from 6.41 and Master port is replaced by bridge.
I understand this point, but does it mean that former configurations are broken?
> If you want to filter traffic on the bridge you need either configure bridge filter rules or set use-ip-firewall=on in bridge settings.
Does it mean that all the firewall rules will not be in place? I have also a lot of filtering rules for security reason etc. Are those gone? What about queues? Are also them affected by this new situation?

Many thanks
 
xvo
Forum Guru
Posts: 1237
Joined: Sat Mar 03, 2018 1:12 am
Location: Moscow, Russia

Re: Firewall rules not working after 6.42.6 upgrade

Sat Aug 04, 2018 12:35 am

> Hi,
> > That conversion is mandatory from 6.41 and Master port is replaced by bridge.
> I understand this point, but does it mean that former configurations are broken?
> > If you want to filter traffic on the bridge you need either configure bridge filter rules or set use-ip-firewall=on in bridge settings.
> Does it mean that all the firewall rules will not be in place? I have also a lot of filtering rules for security reason etc. Are those gone? What about queues? Are also them affected by this new situation?
>
> Many thanks
Have you already tried to set "use-ip-firewall" checkbox?
 
lordwhiskey
newbie
Topic Author
Posts: 27
Joined: Wed Jun 26, 2013 8:33 am

Re: Firewall rules not working after 6.42.6 upgrade

Sat Aug 04, 2018 11:20 am

Hi,
> Have you already tried to set "use-ip-firewall" checkbox?
Yes, I checked the box in the Bridge->Settings window. Nothing changed. It seems that packets are not "captured" by the firewall rules. This fact is quite annoying. I also tried to create a filter rule directly in the bridge section (with use ip firewall flag disabled) to check if traffic is captured there. Zero.

Is there any underlying assumption that makes bridge so complex and require a specific modification of the existing (legacy) rules?

I had in place an automatic mechanism for creating monthly backup of the devices I manage. As such, I still have a backup of the former installation. Would it be possible to rollback?

Thanks
 
xvo
Forum Guru
Posts: 1237
Joined: Sat Mar 03, 2018 1:12 am
Location: Moscow, Russia

Re: Firewall rules not working after 6.42.6 upgrade

Sat Aug 04, 2018 12:11 pm

> Hi,
> > Have you already tried to set "use-ip-firewall" checkbox?
> Yes, I checked the box in the Bridge->Settings window. Nothing changed. It seems that packets are not "captured" by the firewall rules. This fact is quite annoying. I also tried to create a filter rule directly in the bridge section (with use ip firewall flag disabled) to check if traffic is captured there. Zero.
>
> Is there any underlying assumption that makes bridge so complex and require a specific modification of the existing (legacy) rules?
>
> I had in place an automatic mechanism for creating monthly backup of the devices I manage. As such, I still have a backup of the former installation. Would it be possible to rollback?
>
> Thanks
To get the idea, what is wrong with your config, anyone on this forum will need to see it. Together with your network topology scheme.
Otherwise it would be just further guessing :)

So, please, make an export, remove all sensitive data from it, and let us have a look :)

...or you can downgrade to the version, where everything worked, by uploading needed packages to the router and using "downgrade" option in /system/packages menu.
But I don't recommend using 6.40.x versions unless it was 6.40.8 from "bugfix only" tree: all versions prior to v6.42.1 in the "current" tree are vulnerable to winbox exploit.
 
lordwhiskey
newbie
Topic Author
Posts: 27
Joined: Wed Jun 26, 2013 8:33 am

Re: Firewall rules not working after 6.42.6 upgrade

Sat Aug 04, 2018 12:29 pm

Hi,
> To get the idea, what is wrong with your config, anyone on this forum will need to see it. Together with your network topology scheme.
> Otherwise it would be just further guessing :)
yes you are completely right :)

What is the most efficient and forum friendly way to post a router configuration?

Which part could be of interest?
> But I don't recommend using 6.40.x versions unless it was 6.40.8
I have a spare device. In parallel I will try to recover my old backup on that one and compare the functionalities and performance.
 
xvo
Forum Guru
Posts: 1237
Joined: Sat Mar 03, 2018 1:12 am
Location: Moscow, Russia

Re: Firewall rules not working after 6.42.6 upgrade

Sat Aug 04, 2018 1:22 pm

> Hi,
> > To get the idea, what is wrong with your config, anyone on this forum will need to see it. Together with your network topology scheme.
> > Otherwise it would be just further guessing :)
> yes you are completely right :)
>
> What is the most efficient and forum friendly way to post a router configuration?
>
> Which part could be of interest?
Make an /export in terminal, remove parts that are not related to the issue, substitute all public addresses, custom ports etc. by something like "public.ip.1", so it is still readable, and post it like
The sections to start with: /interface, /ip firewall, /ip address, /queue
 
lordwhiskey
newbie
Topic Author
Posts: 27
Joined: Wed Jun 26, 2013 8:33 am

Re: Firewall rules not working after 6.42.6 upgrade

Sat Aug 04, 2018 10:16 pm

Thanks for the reply. I will make a configuration jump and post it. In the meanwhile I tested the 6.40.8 firmware and things seem to be the same O.O

Now I'm wondering whether I'm going mad or what.

I have a simple filter rule in the firewall like this

Chain:forward
src address: 192.168.0.0/24
dst address: 192.168.0.2/32
protocol: icmp
action: log
position: 0

Now, if I ping from any device in the network the 192.168.0.2 IP, the filter rule will not capture any single packet.

Am I missing some fundamental aspect here (e.g. filter rules do not apply over LAN-LAN network ?!?) or is it weird?

Will post the configuration soon

Thanks
 
whatever
Member
Posts: 368
Joined: Thu Jun 21, 2018 9:29 pm

Re: Firewall rules not working after 6.42.6 upgrade

Sat Aug 04, 2018 10:25 pm

Try to disable hw-offload on your bridge ports. If the packets can be forwarded in hardware by the switch chip, they will never reach the cpu for filtering.
 
xvo
Forum Guru
Posts: 1237
Joined: Sat Mar 03, 2018 1:12 am
Location: Moscow, Russia

Re: Firewall rules not working after 6.42.6 upgrade

Sat Aug 04, 2018 11:11 pm

> Thanks for the reply. I will make a configuration jump and post it. In the meanwhile I tested the 6.40.8 firmware and things seem to be the same O.O
>
> Now I'm wondering whether I'm going mad or what.
>
> I have a simple filter rule in the firewall like this
>
> Chain:forward
> src address: 192.168.0.0/24
> dst address: 192.168.0.2/32
> protocol: icmp
> action: log
> position: 0
>
> Now, if I ping from any device in the network the 192.168.0.2 IP, the filter rule will not capture any single packet.
>
> Am I missing some fundamental aspect here (e.g. filter rules do not apply over LAN-LAN network ?!?) or is it weird?
>
> Will post the configuration soon
>
> Thanks
What is the layout of your network?
What is 192.168.0.2? Is it connected to the router directly?
How are the other devices connected to your router: eth port on the router? switch? wireless AP?
 
sindy
Forum Guru
Posts: 11289
Joined: Mon Dec 04, 2017 9:19 pm

Re: Firewall rules not working after 6.42.6 upgrade

Sat Aug 04, 2018 11:23 pm

> Am I missing some fundamental aspect here (e.g. filter rules do not apply over LAN-LAN network ?!?) or is it weird?
Normally packets from 192.168.0.0/x to 192.168.0.0/x are not actually routed, they are delivered directly between the devices at L2, so the firewall rules which act at L3 won't ever see these packets. You can switch on use of ip firewall rules also for frames forwarded between ports of a bridge (/interface bridge settings set use-ip-firewall=yes), but if you have hardware accelerated bridging (which means that frames between switch chip ports are forwarded by the switch chip itself, not ever getting to the software bridge), these packets will not be seen by the firewall either.

And if 192.168.0.2 is one of Mikrotik's own addresses, rule in chain=forward of /ip firewall filter won't match it either, as packets to local addresses are handled by chain=input. See this drawing for details.
 
lordwhiskey
newbie
Topic Author
Posts: 27
Joined: Wed Jun 26, 2013 8:33 am

Re: Firewall rules not working after 6.42.6 upgrade

Sun Aug 05, 2018 1:28 pm

Hi,
> Normally packets from 192.168.0.0/x to 192.168.0.0/x are not actually routed, they are delivered directly between the devices at L2, so the firewall rules which act at L3 won't ever see these packets. You can switch on use of ip firewall rules also for frames forwarded between ports of a bridge (/interface bridge settings set use-ip-firewall=yes), but if you have hardware accelerated bridging (which means that frames between switch chip ports are forwarded by the switch chip itself, not ever getting to the software bridge), these packets will not be seen by the firewall either.
The destination IP is not the router address, but is a device external to the router. In particular it is a NAS, and what I wanted to do was to create some kind of QoS over the LAN connection such to avoid saturation when PCs perform backup over the NAS. This is mainly driven by the fact that I have also a VoIP ATA behind the Mikrotik and I had the feeling that (even though QoS is in place for the WAN side for the VoIP device) the quality and lags over the call were accentuated when the backups were running.
> What is the layout of your network?
> What is 192.168.0.2? Is it connected to the router directly?
> How are the other devices connected to your router: eth port on the router? switch? wireless AP?
The network has Mikrotik as central router (192.168.0.1) and the internet connection is provided through bridged ADSL modem. Mikrotik hosts the PPPoE client to authenticate through the ADSL modem.

Behind the router I have several devices that are connected either through cable or AP. I have also a NAS and a VoIP ATA. The former is locally used for backups and it is not exposed at all to the WAN side, whereas the latter is used to manage calls. For the ATA I have in place either NAT/firewall rules, as well as QoS through simple queues.

On top of this I had configured back in time few firewall rules to handle different security situations and filterings in general. So far, however, I always managed to work with LAN->WAN or WAN->LAN rules. Actually I never had the chance to try working over LAN->LAN configurations (something that I was able to handle with Sonicwall devices without particular problems btw).

As I said above, I would have liked to put in place some local (LAN-LAN) QoS mechanism to limit file transfer rates when backups are executed.
> Normally packets from 192.168.0.0/x to 192.168.0.0/x are not actually routed, they are delivered directly between the devices at L2
This makes sense, and could be the reason why the Mikrotik does not even consider those packets. I tried to work at the switch level, but it seems that I cannot neither copy nor redirect packets to the CPU as my switch chip is not supported for these tasks :( .

I will dump my config export in a while in a separate post

Thanks
 
lordwhiskey
newbie
Topic Author
Posts: 27
Joined: Wed Jun 26, 2013 8:33 am

Re: Firewall rules not working after 6.42.6 upgrade

Sun Aug 05, 2018 2:52 pm

Here the export of my config
# aug/05/2018 RouterOS 6.42.6
# model = 750UP

/interface bridge
add admin-mac=aa:bb:cc:dd:ee:ff auto-mac=no comment="created from master port" name=bridge1 protocol-mode=none
/interface ethernet
set [ find default-name=ether1 ] name=LAN1
set [ find default-name=ether2 ] name=LAN2-Master poe-out=off
set [ find default-name=ether3 ] name=LAN3 poe-out=off
set [ find default-name=ether4 ] name=LAN4 poe-out=off
set [ find default-name=ether5 ] name=LAN5 poe-out=off
/interface pppoe-client
add disabled=no interface=bridge1 keepalive-timeout=disabled name=PPPoE_conn password=password user=user
/ip pool
add name=default-dhcp ranges=192.168.0.10-192.168.0.254
/ip dhcp-server
add address-pool=default-dhcp authoritative=after-2sec-delay disabled=no interface=bridge1 name=default
/queue simple
add dst=PPPoE_conn max-limit=1M/10M name="Local Network" target=192.168.0.0/24
add max-limit=128k/128k name=VoipTraffic parent="Local Network" priority=1/1 target=192.168.0.165/32
add max-limit=384k/3M name=Youtube packet-marks=youtube_packets parent="Local Network" target=192.168.0.0/24
add dst=PPPoE_conn max-limit=512k/7M name="Data" packet-marks=no-mark parent="Local Network" target=192.168.0.0/24
add dst=PPPoE_conn max-limit=256k/5M name=Netflix packet-marks=netflix_packet parent="Local Network" queue=default-small/pcq-download-default target=192.168.0.0/24
add max-limit=128k/3M name=Dropbox_upload packet-marks=Upload-dropbox parent="Local Network" queue=pcq-upload-default/default-small target=192.168.0.0/24

/interface bridge port
add bridge=bridge1 interface=LAN3
add bridge=bridge1 interface=LAN4
add bridge=bridge1 interface=LAN5
add bridge=bridge1 interface=LAN2-Master
/interface bridge settings
set use-ip-firewall=yes
/interface list member
add interface=PPPoE_conn list=WAN
add interface=bridge1 list=discover
add interface=LAN3 list=discover
add interface=LAN4 list=discover
add interface=LAN5 list=discover
add interface=PPPoE_conn list=discover
add interface=bridge1 list=mactel
add interface=LAN3 list=mactel
add interface=bridge1 list=mac-winbox
add interface=LAN4 list=mactel
add interface=LAN3 list=mac-winbox
add interface=LAN5 list=mactel
add interface=LAN4 list=mac-winbox
add interface=LAN5 list=mac-winbox

/ip address
add address=192.168.0.1/24 comment="default configuration" interface=bridge1 network=192.168.0.0

/ip dns
set allow-remote-requests=yes servers=8.8.8.8,8.8.4.4

/ip firewall address-list
add address=192.168.0.165 list=ATA

/ip firewall filter

add action=add-src-to-address-list address-list=Blacklist address-list-timeout=none-dynamic chain=input comment="Blacklist all tentatives of connection from WAN" dst-port=\
    8291,1723,3389,80,8080,8888,21,22,23,139 in-interface=PPPoE_conn protocol=tcp
add action=add-dst-to-address-list address-list=youtube_list address-list-timeout=30m chain=forward comment="Add IP youtube" content=youtube.com dst-address=!192.168.0.0/24 src-address=192.168.0.0/24
add action=add-dst-to-address-list address-list=youtube_list address-list-timeout=30m chain=forward comment="Add IP googlevideo" content=googlevideo.com dst-address=!192.168.0.0/24 src-address=192.168.0.0/24
add action=add-dst-to-address-list address-list=netflix_list address-list-timeout=30m chain=forward comment="Add IP Netflix - nflxvideo.net" content=nflxvideo.net dst-address=!192.168.0.0/24 src-address=192.168.0.0/24
add action=add-dst-to-address-list address-list=netflix_list address-list-timeout=30m chain=forward comment="Add IP Netflix - netflix.com" content=netflix.com dst-address=!192.168.0.0/24 src-address=192.168.0.0/24
add action=add-dst-to-address-list address-list=netflix_list address-list-timeout=30m chain=forward comment="Add IP Netflix - nflxext.com" content=nflxext.com dst-address=!192.168.0.0/24 src-address=192.168.0.0/24
add action=add-dst-to-address-list address-list=netflix_list address-list-timeout=30m chain=forward comment="Add IP Netflix - nflximg.net" content=nflximg.net dst-address=!192.168.0.0/24 src-address=192.168.0.0/24
add action=add-dst-to-address-list address-list=dropbox_list address-list-timeout=30m chain=forward comment="Add IP Dropbox" content=dropbox.com dst-address=!192.168.0.0/24 src-address=192.168.0.0/24
add action=reject chain=input comment="Reject blacklisted addresses" log-prefix=BLACKLIST- reject-with=icmp-network-unreachable src-address-list=Blacklist
add action=accept chain=input comment="Allow Broadcast Traffic" dst-address-type=broadcast in-interface-list=!WAN
add action=tarpit chain=input comment="Suppress DoS attack" connection-limit=3,32 in-interface=PPPoE_conn protocol=tcp src-address-list=Blacklist
add action=add-src-to-address-list address-list=Blacklist address-list-timeout=none-static chain=input comment="Detect DoS attack" connection-limit=10,32 dst-port="" in-interface=PPPoE_conn protocol=tcp
add action=accept chain=input comment="Allow limited pings from WAN" in-interface=PPPoE_conn limit=50/5s,2:packet protocol=icmp
add action=add-src-to-address-list address-list=Blacklist address-list-timeout=1d chain=input comment="Blacklist excess pings for one day" in-interface=PPPoE_conn protocol=icmp
add action=drop chain=input comment="Drop excess pings" in-interface=PPPoE_conn protocol=icmp
add action=add-src-to-address-list address-list=Blacklist address-list-timeout=none-static chain=input comment="Detect and add blacklist portscan" in-interface=PPPoE_conn protocol=tcp psd=\
    21,3s,3,1
add action=drop chain=input comment="Detect and drop port scan connections" protocol=tcp psd=21,3s,3,1
add action=drop chain=input comment="Block all the incoming traffic from addresses that do not belong to the VoIP list - UDP" dst-port=5060-5080 in-interface=PPPoE_conn protocol=udp src-address-list=!Safe_voip_list
add action=drop chain=input comment="Block all the incoming traffic from addresses that do not belong to the VoIP list - TCP" dst-port=5060-5080 in-interface=PPPoE_conn protocol=tcp src-address-list=!Safe_voip_list
add action=drop chain=forward comment="Avoid all the devices that are not the ATA to be able to register a voip session - UDP" dst-address-list=Safe_voip_list dst-port=5060-5080 protocol=udp src-address=!192.168.0.165
add action=drop chain=forward comment="Avoid all the devices that are not the ATA to be able to register a voip session - TCP" dst-port=5060-5080 protocol=tcp src-address=!192.168.0.165

add action=drop chain=input comment="Drop PPTP connections" dst-port=1723 log-prefix=PPTP protocol=tcp
add action=drop chain=input comment="Drop GRE packets" protocol=gre
add action=drop chain=input comment="Block DNS requests TCP" dst-port=53 in-interface-list=WAN protocol=tcp src-address-list="!LAN"
add action=drop chain=input comment="Block DNS requests UDP" dst-port=53 in-interface-list=WAN log-prefix=DNS protocol=udp src-address-list="!LAN"
add action=accept chain=input comment="Accept established connection packets" connection-state=established
add action=accept chain=input comment="Accept related connection packets" connection-state=related
add action=drop chain=input comment="Drop invalid packets" connection-state=invalid in-interface-list=WAN log-prefix=DROP
add action=drop chain=input comment="Drop all the traffic that do not match the previous rules" in-interface=PPPoE_conn log-prefix=DALL protocol=tcp
/ip firewall mangle
add action=mark-connection chain=prerouting comment="Mark youtube connection" connection-mark=!youtube_conn dst-address-list=youtube_list new-connection-mark=youtube_conn passthrough=yes
add action=mark-packet chain=prerouting comment="Mark Youtube packets" connection-mark=youtube_conn new-packet-mark=youtube_packets passthrough=no
add action=mark-connection chain=prerouting comment="Mark dropbox connection" connection-mark=!Dropbox_conn dst-address-list=dropbox_list new-connection-mark=Dropbox_conn passthrough=yes
add action=mark-packet chain=prerouting comment="Mark Dropbox packets" connection-mark=Dropbox_conn new-packet-mark=Upload-dropbox passthrough=no
add action=mark-connection chain=prerouting comment="Mark Netflix connections" connection-mark=!netflix_conn dst-address-list=netflix_list new-connection-mark=netflix_conn passthrough=yes
add action=mark-packet chain=prerouting comment="Mark Netflix packets" connection-mark=netflix_conn new-packet-mark=netflix_packet passthrough=no
add action=change-dscp chain=postrouting comment="Mark DSCP for VOIP" new-dscp=46 passthrough=yes src-address=192.168.0.165
/ip firewall nat
add action=dst-nat chain=dstnat comment="All the connections incoming from known Voip service providers are routed to the ATA" log=yes protocol=udp src-address-list=Safe_voip_list src-port=5060-5080 \
    to-addresses=192.168.0.165 to-ports=5060
add action=masquerade chain=srcnat comment="Masquerade packets for internet connection"

/ip firewall service-port
set ftp disabled=yes
set tftp disabled=yes
set irc disabled=yes
set h323 disabled=yes
set sip disabled=yes
set pptp disabled=yes
set udplite disabled=yes
set dccp disabled=yes
set sctp disabled=yes
 
sindy
Forum Guru
Posts: 11289
Joined: Mon Dec 04, 2017 9:19 pm

Re: Firewall rules not working after 6.42.6 upgrade

Sun Aug 05, 2018 3:11 pm

> I tried to work at the switch level, but it seems that I cannot neither copy nor redirect packets to the CPU as my switch chip is not supported for these tasks :( .
The above has several sub-variants.
  • if two devices in the same subnet are not connected directly to Mikrotik's Ethernet ports but to some external switch, there is no way to force the frames between them to take the long path through Mikrotik's CPU if they can take the short one between ports of the switch
  • if the two devices in the same subnet are connected directly to Mikrotik's Ethernet ports but hardware acceleration is activated (by them being members of the same group of one master and several slave ports in pre-6.41 versions, or being members of the same bridge with hardware acceleration activated in 6.41 and above), the frames between them will again take the short path within the switch chip
  • if the two devices in the same subnet are connected directly to Mikrotik's Ethernet ports but hardware acceleration is off (by direct membership of each interface in the bridge in pre-6.41 or by setting hw=no in /interface bridge port in 6.41 and above), the L2 frames are forwarded between the Ethernets by the CPU. But to let the ip firewall act on them, you must use the setting mentioned earlier, /interface bridge settings set use-ip-firewall=yes.
So if the rules did work for you in the pre-6.41 version, it is probably the hw=yes in /interface bridge port which is there by default and thus not shown in the export.
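
The cases listed in the post above can be checked mechanically against an `/export`. The following Python is an added example, not part of the original thread and not MikroTik tooling; the function names `parse_export` and `audit`, the finding labels and the sample export are constructed for illustration, and the `hw=yes` default is taken from the post above.

```python
import ipaddress
import re
import shlex

# Constructed sample, modelled on the export posted in this thread.
SAMPLE_EXPORT = r'''
/interface bridge port
add bridge=bridge1 interface=LAN3
add bridge=bridge1 interface=LAN4 hw=no
/interface bridge settings
set use-ip-firewall=yes
/ip address
add address=192.168.0.1/24 interface=bridge1 network=192.168.0.0
/ip firewall filter
add action=log chain=forward dst-address=192.168.0.2 protocol=icmp \
    src-address=192.168.0.0/24
add action=log chain=forward dst-address=192.168.0.1 protocol=icmp
'''


def parse_export(text):
    """Return {menu path: [ {key: value}, ... ]} for the add/set lines of an export."""
    sections, path = {}, None
    # RouterOS wraps long lines with a trailing backslash plus indentation.
    for line in re.sub(r'\\\n\s*', '', text).splitlines():
        line = line.strip()
        if not line or line.startswith('#'):
            continue
        if line.startswith('/'):
            path = line
            sections.setdefault(path, [])
        elif path and line.split()[0] in ('add', 'set'):
            tokens = shlex.split(line)[1:]
            sections[path].append(dict(t.split('=', 1) for t in tokens if '=' in t))
    return sections


def _net(value):
    """Parse a plain address or prefix; negated matches, ranges and blanks give None."""
    try:
        return ipaddress.ip_network(value, strict=False)
    except (ValueError, TypeError):
        return None


def audit(text):
    """List reasons (hypothetical labels) why LAN-to-LAN filter rules may see no packets."""
    cfg, findings = parse_export(text), []
    for port in cfg.get('/interface bridge port', []):
        # hw=yes is the default and is omitted from the export, as noted in the thread.
        if port.get('hw', 'yes') != 'no':
            findings.append('hw-offload:' + port.get('interface', '?'))
    settings = cfg.get('/interface bridge settings', [])
    if not any(s.get('use-ip-firewall') == 'yes' for s in settings):
        findings.append('use-ip-firewall-off')
    own = [ipaddress.ip_interface(a['address']) for a in cfg.get('/ip address', [])]
    for n, rule in enumerate(cfg.get('/ip firewall filter', [])):
        if rule.get('chain') != 'forward':
            continue
        src, dst = _net(rule.get('src-address')), _net(rule.get('dst-address'))
        if dst is None:
            continue
        for iface in own:
            if dst.num_addresses == 1 and dst.network_address == iface.ip:
                # Packets to the router's own address traverse chain=input.
                findings.append(f'rule{n}:dst-is-router-address')
            elif (src is not None and src.subnet_of(iface.network)
                  and dst.subnet_of(iface.network)):
                # Both ends in one subnet: traffic is bridged at L2, not routed.
                findings.append(f'rule{n}:intra-subnet-bridged')
    return findings


if __name__ == '__main__':
    for finding in audit(SAMPLE_EXPORT):
        print(finding)
```

The first case in the list above, two hosts behind an external switch, cannot be detected from an export, because those frames never enter the router at all.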
 
msatter
Forum Guru
Posts: 2942
Joined: Tue Feb 18, 2014 12:56 am
Location: Netherlands / Nīderlande

Re: Firewall rules not working after 6.42.6 upgrade

Sun Aug 05, 2018 3:26 pm

A RB750Gr3 and RB760iGS you can activate HW acceleration but still get local to local traffic going through the processor. To partly avoid this, I notrack them in RAW.

Despite I enable switch in the config it won't stick and only HW acceleration is steering is doing it the background but does not mirrors that in the status displayed of the switch setting.
 
lordwhiskey
newbie
Topic Author
Posts: 27
Joined: Wed Jun 26, 2013 8:33 am

Re: Firewall rules not working after 6.42.6 upgrade

Sun Aug 05, 2018 7:23 pm

Hi everyone,

thanks for your replies. This was the mother of all the observations:
> if two devices in the same subnet are not connected directly to Mikrotik's Ethernet ports but to some external switch, there is no way to force the frames between them to take the long path through Mikrotik's CPU if they can take the short one between ports of the switch
Actually, by directly connecting the device to one of the ETH ports, it started to work properly. Many thanks for the hint!! :)