Lebzul
Member Candidate
Topic Author
Posts: 110
Joined: Wed Feb 21, 2018 12:54 am

Rejecting or Dropping [Help]

Sat Sep 07, 2019 12:18 am

Hi guys,

I've been wondering how to block the main webpage of the modem (usually 192.168.100.1) from within Mk so that no device can see it (except the ones I want). I've been reading a lot but haven't figured it out yet.
People suggest L7 or address lists, but none of them worked for me.

Any ideas?
 
chemy
just joined
Posts: 11
Joined: Mon Apr 30, 2018 11:16 pm
Location: Chile

Re: Rejecting or Dropping [Help]

Sat Sep 07, 2019 1:51 am

Do you want to restrict the access to the Mikrotik Web Administration? If so, you can create firewall rules for that purpose, without layer7 stuff.
 
Lebzul
Member Candidate
Topic Author
Posts: 110
Joined: Wed Feb 21, 2018 12:54 am

Re: Rejecting or Dropping [Help]

Sat Sep 07, 2019 3:01 am

Do you want to restrict the access to the Mikrotik Web Administration? If so, you can create firewall rules for that purpose, without layer7 stuff.
Not exactly. I want to restrict access to the webpage of the modem. The one from Arris devices.
 
Sob
Forum Guru
Posts: 9188
Joined: Mon Apr 20, 2009 9:11 pm

Re: Rejecting or Dropping [Help]

Sat Sep 07, 2019 3:07 am

What about simply blocking access from LAN subnet to 192.168.100.1?
 
Lebzul
Member Candidate
Topic Author
Posts: 110
Joined: Wed Feb 21, 2018 12:54 am

Re: Rejecting or Dropping [Help]

Sat Sep 07, 2019 3:17 am

What about simply blocking access from LAN subnet to 192.168.100.1?
That might be the one. The problem is that I am not an expert in this field. If you could provide me with an example, I'll try it right away.
 
Sob
Forum Guru
Posts: 9188
Joined: Mon Apr 20, 2009 9:11 pm

Re: Rejecting or Dropping [Help]

Sat Sep 07, 2019 4:25 am

You can choose if you identify source by interface or subnet. So either:
/ip firewall filter
add chain=forward action=reject dst-address=192.168.100.1 reject-with=icmp-admin-prohibited in-interface=<LAN>
or:
/ip firewall filter
add chain=forward action=reject dst-address=192.168.100.1 reject-with=icmp-admin-prohibited src-address=192.168.x.0/24
(replace <LAN> or 192.168.x.0/24 with yours)
 
Lebzul
Member Candidate
Topic Author
Posts: 110
Joined: Wed Feb 21, 2018 12:54 am

Re: Rejecting or Dropping [Help]

Sat Sep 07, 2019 4:38 am

You can choose if you identify source by interface or subnet. So either:
/ip firewall filter
add chain=forward action=reject dst-address=192.168.100.1 reject-with=icmp-admin-prohibited in-interface=<LAN>
or:
/ip firewall filter
add chain=forward action=reject dst-address=192.168.100.1 reject-with=icmp-admin-prohibited src-address=192.168.x.0/24
(replace <LAN> or 192.168.x.0/24 with yours)
None of them seem to work.

This "192.168.100.1" can be accessed without internet; it is the modem's status page.
 
Sob
Forum Guru
Posts: 9188
Joined: Mon Apr 20, 2009 9:11 pm

Re: Rejecting or Dropping [Help]

Sat Sep 07, 2019 4:56 am

Then you need to provide more info about your config. An exported configuration with some description (like what's connected where) is a good way.
 
Lebzul
Member Candidate
Topic Author
Posts: 110
Joined: Wed Feb 21, 2018 12:54 am

Re: Rejecting or Dropping [Help]

Sat Sep 07, 2019 5:11 am

# model = RB450Gx4
# serial number =
/interface pptp-server
add name="PPTP Server" user=PPTP
/interface ethernet
set [ find default-name=ether1 ] name=LAN
set [ find default-name=ether5 ] name="WAN1 PoE" poe-out=off
set [ find default-name=ether2 ] disabled=yes name=WAN2
set [ find default-name=ether3 ] disabled=yes name=WAN3
set [ find default-name=ether4 ] disabled=yes name=WAN4
/interface l2tp-server
add name="L2TP Server" user=***
/interface vrrp
add disabled=yes interface=LAN name=VRRP priority=255 vrid=16
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip dhcp-server
add disabled=no interface=LAN name=dhcp1
/ip firewall layer7-protocol
add name=Netflix regexp="^.+\\.(netflix|netflix.com|netflixvideo.com).*\\\$"
add name=YouTube regexp="^.+\\.(youtube.com|youtu.be|googlevideo.com|m.youtube.c\
    om|youtube.googleapis.com|youtubei.googleapis.com|youtube-nocookie.com|ytimg\
    .com|ytimg.l.google.com|video-stats.l.google.com|rewind.youtube|youtube.com.\
    br|youtube.co.nz|youtube.de|youtube.es|youtube.it|youtube.nl|youtube.ru).*\\\
    \$"
add name=Facebook regexp="^.+\\.(facebook.com).*\\\$"
/ip hotspot profile
set [ find default=yes ] html-directory=flash/hotspot
/ip ipsec profile
set [ find default=yes ] dh-group=modp4096,modp2048,modp1024,modp768 \
    enc-algorithm=aes-256,aes-192,aes-128,3des hash-algorithm=sha256
/ip ipsec proposal
set [ find default=yes ] auth-algorithms=sha256,sha1,md5 enc-algorithms=\
    aes-256-cbc,aes-192-cbc,aes-128-cbc,3des,des lifetime=0s
/ip pool
add name=DHCP_Pool ranges=10.50.10.10-10.50.10.254
add name=VPN_Pool ranges=10.50.15.50-10.50.15.60
/ipv6 dhcp-server
add address-pool="IPv6 Pool" disabled=yes interface=LAN name="DHCPv6 Server"
/ipv6 pool
add name="IPv6 Pool" prefix-length=63
/ppp profile
add change-tcp-mss=yes dns-server=1.1.1.1,9.9.9.9 local-address=10.50.10.1 \
    name=L2TP remote-address=VPN_Pool session-timeout=1d use-encryption=yes
add dns-server=1.1.1.1,9.9.9.9 local-address=10.50.10.1 name=PPTP \
    remote-address=VPN_Pool session-timeout=1d use-encryption=yes
/queue type
add kind=sfq name=Download_SFQ sfq-perturb=10
add kind=sfq name=Upload_SFQ sfq-perturb=10
/queue simple
add burst-limit=10M/0 burst-threshold=5M/0 burst-time=5m/0s max-limit=5M/450M \
    name="Linksys EA8500" queue=Upload_SFQ/Download_SFQ target="10.50.10.254/32,\
    10.50.10.253/32,10.50.10.252/32,10.50.10.251/32,10.50.10.250/32,10.50.10.237\
    /32,10.50.10.245/32,10.50.10.248/32,10.50.10.247/32,10.50.10.231/32"
add disabled=yes max-limit=5M/450M name="MacBook Pro LAN" queue=\
    Upload_SFQ/Download_SFQ target=10.50.10.254/32
add disabled=yes max-limit=5M/300M name="iPhone 8 Plus" queue=\
    Upload_SFQ/Download_SFQ target=10.50.10.252/32
add disabled=yes max-limit=5M/300M name="iPad Pro 10.5 Cellular" queue=\
    Upload_SFQ/Download_SFQ target=10.50.10.250/32
add disabled=yes max-limit=1M/3M name="New Nintendo 3DS" queue=\
    Upload_SFQ/Download_SFQ target=10.50.10.248/32
add disabled=yes max-limit=1M/50M name=PSVITA queue=Upload_SFQ/Download_SFQ \
    target=10.50.10.247/32
add burst-limit=2M/0 burst-threshold=1M/0 burst-time=5m/0s disabled=yes \
    max-limit=1M/110M name="PS3 Super Slim" queue=Upload_SFQ/Download_SFQ \
    target=10.50.10.245/32
add disabled=yes max-limit=5M/50M name="HP PC WIFI" queue=\
    Upload_SFQ/Download_SFQ target=10.50.10.237/32
add burst-limit=5M/0 burst-threshold=1500k/0 burst-time=5m/0s max-limit=\
    1500k/110M name="WDR3600 Casa" queue=Upload_SFQ/Download_SFQ target=\
    10.50.10.101/32,10.50.10.239/32
add disabled=yes max-limit=1M/20M name="Amazon Fire TV" queue=\
    Upload_SFQ/Download_SFQ target=10.50.10.239/32
add max-limit=1M/110M name="PS4 Sala" queue=Upload_SFQ/Download_SFQ target=\
    10.50.10.246/32
add burst-limit=5M/0 burst-threshold=1500k/0 burst-time=5m/0s max-limit=\
    1500k/80M name=Kasami_WDR3600 queue=Upload_SFQ/Download_SFQ target=\
    10.50.10.116/32,10.50.10.241/32
add burst-limit=2M/0 burst-threshold=512k/0 burst-time=5m/0s disabled=yes \
    max-limit=512k/20M name="Kasami_PC Ariel" queue=Upload_SFQ/Download_SFQ \
    target=10.50.10.241/32
add burst-limit=3M/0 burst-threshold=1M/0 burst-time=5m/0s max-limit=1M/20M \
    name=Herminia_Router queue=Upload_SFQ/Download_SFQ target=10.50.10.117/32
add burst-limit=3M/0 burst-threshold=1M/0 burst-time=5m/0s max-limit=1M/20M \
    name="Jaimito_Router Sala" queue=Upload_SFQ/Download_SFQ target=\
    10.50.10.118/32,10.50.10.232/32
add burst-limit=1M/0 burst-threshold=512k/0 burst-time=5m/0s max-limit=512k/15M \
    name="Panchi_Old Router Sala" queue=Upload_SFQ/Download_SFQ target=\
    10.50.10.119/32
add burst-limit=5M/0 burst-threshold=1500k/0 burst-time=5m/0s max-limit=\
    1500k/120M name="Soto_Router Sala" queue=Upload_SFQ/Download_SFQ target=\
    10.50.10.120/32,10.50.10.233/32
add max-limit=1M/50M name="Router Testing" queue=Upload_SFQ/Download_SFQ \
    target=10.50.10.243/32
/queue tree
add max-limit=605M name="- QOS Download -" parent=LAN priority=1 queue=\
    Download_SFQ
add name="Prio 1 (ICMP, DNS)" packet-mark="PRIO 1" parent="- QOS Download -" \
    priority=1 queue=Download_SFQ
add name="Prio 2 (Games, RTSP, VoIP)" packet-mark="PRIO 2" parent=\
    "- QOS Download -" priority=2 queue=Download_SFQ
add name="Prio 3 (Web)" packet-mark="PRIO 3" parent="- QOS Download -" \
    priority=3 queue=Download_SFQ
add name="Prio 4 (Working Ports)" packet-mark="PRIO 4" parent=\
    "- QOS Download -" priority=4 queue=Download_SFQ
add name="Prio 5 (Others)" packet-mark="PRIO 5" parent="- QOS Download -" \
    priority=5 queue=Download_SFQ
add name="Prio 7 (Http, Downloads >50mb)" packet-mark="PRIO 7" parent=\
    "- QOS Download -" priority=7 queue=Download_SFQ
add max-limit=15M name="- QOS Upload -" parent="WAN1 PoE" priority=1 queue=\
    Upload_SFQ
add name="Prio 1 (ICMP, DNS)_U" packet-mark="PRIO 1" parent="- QOS Upload -" \
    priority=1 queue=Upload_SFQ
add name="Prio 2 (Games, RTSP, VoIP)_U" packet-mark="PRIO 2" parent=\
    "- QOS Upload -" priority=2 queue=Upload_SFQ
add name="Prio 3 (Web)_U" packet-mark="PRIO 3" parent="- QOS Upload -" \
    priority=3 queue=Upload_SFQ
add name="Prio 4 (Working Ports)_U" packet-mark="PRIO 4" parent=\
    "- QOS Upload -" priority=4 queue=Upload_SFQ
add name="Prio 5 (Others)_U" packet-mark="PRIO 5" parent="- QOS Upload -" \
    priority=5 queue=Upload_SFQ
add name="Prio 7 (Http, Downloads >50mb)_U" packet-mark="PRIO 7" parent=\
    "- QOS Upload -" priority=7 queue=Upload_SFQ
add name="Web Cache" packet-mark=Web_Cache_Download parent="- QOS Download -" \
    priority=3 queue=Download_SFQ
add name=YouTube packet-mark=YouTube parent="- QOS Download -" priority=3 \
    queue=Download_SFQ
add max-limit=30M name="Shared Bandwidth - YouTube" packet-mark=YouTube parent=\
    YouTube priority=3 queue=Download_SFQ
add max-limit=25M name="iPhone 8 Plus" packet-mark="iPhone 8 Plus_Down" parent=\
    YouTube priority=3 queue=Download_SFQ
add max-limit=25M name="iPad Pro 10.5 Cellular" packet-mark=\
    "iPad Pro 10.5 Cellular_Down" parent=YouTube priority=3 queue=Download_SFQ
add max-limit=25M name="MacBook Pro WIFI" packet-mark=MBP_WIFI_Down parent=\
    YouTube priority=3 queue=Download_SFQ
add max-limit=25M name="MacBook Pro LAN" packet-mark=MBP_LAN_Down parent=\
    YouTube priority=3 queue=Download_SFQ
/dude
set data-directory=disk1/dude-data enabled=yes
/interface bridge settings
set allow-fast-path=no
/ip settings
set allow-fast-path=no
/interface detect-internet
set detect-interface-list=all
/interface l2tp-server server
set authentication=mschap1,mschap2 default-profile=L2TP enabled=yes \
    ipsec-secret=*** keepalive-timeout=60 max-mru=1460 max-mtu=1460 \
    use-ipsec=yes
/interface pptp-server server
set default-profile=PPTP enabled=yes
/ip address
add address=10.50.10.1/24 interface=LAN network=10.50.10.0
add address=10.50.10.3 interface=VRRP network=10.50.10.0
/ip cloud
set ddns-enabled=yes
/ip dhcp-client
add dhcp-options=hostname,clientid disabled=no interface="WAN1 PoE" \
    use-peer-dns=no use-peer-ntp=no
add add-default-route=no interface=WAN2 use-peer-dns=no use-peer-ntp=no
add add-default-route=no dhcp-options=hostname,clientid interface=WAN3 \
    use-peer-dns=no use-peer-ntp=no
add add-default-route=no dhcp-options=hostname,clientid interface=WAN4 \
    use-peer-dns=no use-peer-ntp=no
/ip dhcp-server lease
add address=***
    
/ip dhcp-server network
add address=10.50.10.0/24 dns-server=10.50.10.1 gateway=10.50.10.1
/ip dns
set allow-remote-requests=yes cache-size=100000KiB servers=\
    1.1.1.1,9.9.9.9,8.8.8.8
/ip firewall address-list
add address=10.50.10.1 list=DNS_Accept
add address=1.1.1.1 list=DNS_Accept
add address=8.8.8.8 list=DNS_Accept
add address=9.9.9.9 list=DNS_Accept
/ip firewall filter
add action=accept chain=input comment="Winbox from VPN" dst-port=8291 protocol=\
    tcp src-address=10.50.15.50-10.50.15.60
add action=accept chain=input comment="L2TP VPN" dst-port=500,1701,4500 \
    protocol=udp
add action=accept chain=input protocol=ipsec-esp
add action=accept chain=input protocol=ipsec-ah
add action=accept chain=input comment="PPTP VPN" dst-port=1723 protocol=udp
add action=accept chain=input protocol=gre
add action=accept chain=DNS_DDoS comment="Make exceptions for DNS" port=53 \
    protocol=udp src-address-list=DNS_Accept
add action=accept chain=DNS_DDoS comment="Make exceptions for DNS" \
    dst-address-list=DNS_Accept port=53 protocol=udp
add action=jump chain=input comment="Jump to DNS_DDoS Chain" jump-target=\
    DNS_DDoS
add action=drop chain=input comment="Block DNS Attacks" dst-port=53 \
    in-interface="WAN1 PoE" protocol=tcp
add action=drop chain=input dst-port=53 in-interface="WAN1 PoE" protocol=udp
add action=add-src-to-address-list address-list=DNS_DDoS address-list-timeout=\
    none-dynamic chain=DNS_DDoS comment="Add DNS_DDoS Offenders to Blacklist" \
    port=53 protocol=udp src-address-list=!DNS_Accept
add action=drop chain=DNS_DDoS comment="Drop DNS_DDoS Offenders" \
    src-address-list=DNS_DDoS
add action=return chain=DNS_DDoS comment="Return from DNS_DDoS Chain"
add action=drop chain=input comment="Block Web Cache Attacks" dst-port=8080 \
    in-interface="WAN1 PoE" protocol=tcp
add action=reject chain=forward comment="Adblock TCP-Reset" connection-state=\
    new dst-address=240.0.0.1 log=yes log-prefix=ADBLOCK protocol=tcp \
    reject-with=tcp-reset
add action=reject chain=forward comment="Adblock UDP Unreachable" \
    connection-state=new dst-address=240.0.0.1 log=yes log-prefix=ADBLOCK \
    protocol=udp reject-with=icmp-network-unreachable
add action=drop chain=forward comment="Adblock Drop" dst-address=240.0.0.1 log=\
    yes log-prefix=ADBLOCK
add action=drop chain=forward comment="Moroso - Herminia" disabled=yes \
    src-address=10.50.10.110
add action=drop chain=forward comment="Moroso - iPhone" disabled=yes \
    src-address=10.50.10.252
add action=reject chain=forward comment="Block Arris Modem Web" disabled=yes \
    dst-address=192.168.100.1 reject-with=icmp-admin-prohibited src-address=\
    !10.50.10.252
/ip firewall mangle
add action=mark-packet chain=output comment="Web Cache" dscp=4 new-packet-mark=\
    Web_Cache_Download passthrough=no
add action=mark-connection chain=prerouting comment=\
    ":: QoS - Prio 1 (ICMP, DNS)" new-connection-mark="PRIO 1" passthrough=yes \
    protocol=icmp
add action=mark-connection chain=prerouting dst-port=53 new-connection-mark=\
    "PRIO 1" passthrough=yes protocol=udp
add action=mark-connection chain=output dst-port=53 new-connection-mark=\
    "PRIO 1" passthrough=yes protocol=udp
add action=mark-packet chain=prerouting connection-mark="PRIO 1" \
    new-packet-mark="PRIO 1" passthrough=yes
add action=jump chain=prerouting jump-target="finish process" packet-mark=\
    "PRIO 1"
add action=mark-connection chain=prerouting comment=\
    ":: QoS - Prio 2 (Games, RTSP, VoIP)" dst-port=\
    25,110,465,554,587,777,993,1000,1024-1124,1863,1935,2099,2195-2196 \
    new-connection-mark="PRIO 2" passthrough=yes protocol=tcp
add action=mark-connection chain=prerouting dst-port=\
    2545-2565,3074,3216,3478-3480,4244,5090,5190,5222-5223,5228,5242,5795-5847 \
    new-connection-mark="PRIO 2" passthrough=yes protocol=tcp
add action=mark-connection chain=prerouting dst-port="6667,6695-6699,7070,8088,8\
    393-8400,9960-9969,9988,10000-10100,12313,12400,12975" new-connection-mark=\
    "PRIO 2" passthrough=yes protocol=tcp
add action=mark-connection chain=prerouting dst-port="17502,18000,18060,22990,27\
    014-27050,28910,29900-29901,29920,37777,42127,50000,50318,59234" \
    new-connection-mark="PRIO 2" passthrough=yes protocol=tcp
add action=mark-connection chain=prerouting dst-port=\
    88,500,554,1024-1124,1701,1723,2005,3000-3010,3074-3076,3098,3115,3117 \
    new-connection-mark="PRIO 2" passthrough=yes protocol=udp
add action=mark-connection chain=prerouting dst-port=\
    3123,3124,3136,3139,3153,3155,3161,3163,3182-3191,3195,3478-3481,3544 \
    new-connection-mark="PRIO 2" passthrough=yes protocol=udp
add action=mark-connection chain=prerouting dst-port=\
    3658-3659,4379-4380,4500,4950,4955,5000-5500,8088,9305-9308,14000-14016 \
    new-connection-mark="PRIO 2" passthrough=yes protocol=udp
add action=mark-connection chain=prerouting dst-port="16384-16387,16393-16402,18\
    000,19302-19309,27000-27100,29900,30000,37000,37778,45395,49598" \
    new-connection-mark="PRIO 2" passthrough=yes protocol=udp
add action=mark-connection chain=prerouting dst-port=\
    50000,55013,55296-55551,57888,60000,61455-61458 new-connection-mark=\
    "PRIO 2" passthrough=yes protocol=udp
add action=mark-packet chain=prerouting connection-mark="PRIO 2" \
    new-packet-mark="PRIO 2" passthrough=yes
add action=jump chain=prerouting jump-target="finish process" packet-mark=\
    "PRIO 2"
add action=mark-connection chain=prerouting comment=":: QoS - Prio 3 (Web)" \
    dst-port=80,443 new-connection-mark="PRIO 3" passthrough=yes protocol=tcp
add action=mark-packet chain=prerouting connection-mark="PRIO 3" \
    new-packet-mark="PRIO 3" passthrough=yes
add action=jump chain=prerouting jump-target="finish process" packet-mark=\
    "PRIO 3"
add action=mark-connection chain=prerouting comment=\
    ":: QoS - Prio 4 (Working Ports)" dst-port=21-23,25,110,143,1723,3389,5938 \
    new-connection-mark="PRIO 4" passthrough=yes protocol=tcp
add action=mark-connection chain=prerouting dst-port=5938,20561 \
    new-connection-mark="PRIO 4" passthrough=yes protocol=udp
add action=mark-packet chain=prerouting connection-mark="PRIO 4" \
    new-packet-mark="PRIO 4" passthrough=yes
add action=jump chain=prerouting jump-target="finish process" packet-mark=\
    "PRIO 4"
add action=mark-connection chain=prerouting comment=":: QoS - Prio 5 (Others)" \
    new-connection-mark="PRIO 5" passthrough=yes
add action=mark-packet chain=prerouting connection-mark="PRIO 5" \
    new-packet-mark="PRIO 5" passthrough=yes
add action=mark-connection chain=prerouting comment=\
    ":: QoS - Prio 7 (Http, Downloads >50mb)" connection-bytes=50000000-0 \
    new-connection-mark="PRIO 7" passthrough=yes protocol=tcp
add action=mark-packet chain=prerouting connection-mark="PRIO 7" \
    new-packet-mark="PRIO 7" passthrough=yes
add action=jump chain=prerouting jump-target="finish process" packet-mark=\
    "PRIO 7"
add action=mark-connection chain=prerouting comment=\
    ":: QoS - YouTube Bandwidth" layer7-protocol=YouTube new-connection-mark=\
    YouTube_Conn passthrough=yes
add action=mark-packet chain=prerouting connection-mark=YouTube_Conn \
    new-packet-mark=YouTube passthrough=yes
add action=mark-connection chain=forward comment=\
    "YouTube Limit - MacBook Pro LAN" connection-mark=YouTube_Conn dst-address=\
    10.50.10.254 new-connection-mark=MBP_LAN_DConn passthrough=yes
add action=mark-packet chain=forward connection-mark=MBP_LAN_DConn \
    new-packet-mark=MBP_LAN_Down passthrough=yes
add action=mark-connection chain=forward comment=\
    "YouTube Limit - MacBook Pro WIFI" connection-mark=YouTube_Conn \
    dst-address=10.50.10.253 new-connection-mark=MBP_WIFI_DConn passthrough=yes
add action=mark-packet chain=forward connection-mark=MBP_WIFI_DConn \
    new-packet-mark=MBP_WIFI_Down passthrough=yes
add action=mark-connection chain=forward comment=\
    "YouTube Limit - iPhone 8 Plus" connection-mark=YouTube_Conn dst-address=\
    10.50.10.252 new-connection-mark="iPhone 8 Plus_DConn" passthrough=yes
add action=mark-packet chain=forward connection-mark="iPhone 8 Plus_DConn" \
    new-packet-mark="iPhone 8 Plus_Down" passthrough=yes
add action=mark-connection chain=forward comment=\
    "YouTube Limit - iPad Pro 10.5 Cellular" connection-mark=YouTube_Conn \
    dst-address=10.50.10.250 new-connection-mark="iPad Pro 10.5 Cellular_DConn" \
    passthrough=yes
add action=mark-packet chain=forward connection-mark=\
    "iPad Pro 10.5 Cellular_DConn" new-packet-mark=\
    "iPad Pro 10.5 Cellular_Down" passthrough=yes
add action=accept chain="finish process"
/ip firewall nat
add action=masquerade chain=srcnat comment=Internet out-interface="WAN1 PoE"
add action=redirect chain=dstnat comment="DNS Redirection" dst-port=53 \
    protocol=tcp to-ports=53
add action=redirect chain=dstnat dst-port=53 protocol=udp to-ports=53
add action=redirect chain=dstnat comment="Web Cache Redirection" dst-port=80 \
    protocol=tcp to-ports=8080
add action=dst-nat chain=dstnat comment="Router TL-WDR3600_Casa" dst-address=\
    10.50.10.101 dst-port=9901 protocol=tcp to-addresses=192.168.1.1 to-ports=\
    9901
add action=dst-nat chain=dstnat comment="Router TL-WDR3600_Kasami" dst-address=\
    10.50.10.116 dst-port=9916 protocol=tcp to-addresses=192.168.1.1 to-ports=\
    9916
add action=dst-nat chain=dstnat comment="Router TL-WR841_Jaimito" dst-address=\
    10.50.10.118 dst-port=9918 protocol=tcp to-addresses=192.168.1.1 to-ports=\
    9918
add action=dst-nat chain=dstnat comment="Router TL-WR841_Panchi_Old" \
    dst-address=10.50.10.119 dst-port=9919 protocol=tcp to-addresses=\
    192.168.1.1 to-ports=9919
add action=dst-nat chain=dstnat comment="Router TL-WDR3600_Soto" dst-address=\
    10.50.10.120 dst-port=9920 protocol=tcp to-addresses=192.168.1.1 to-ports=\
    9920
/ip ipsec policy
set 0 dst-address=0.0.0.0/0 src-address=0.0.0.0/0
/ip proxy
set cache-on-disk=yes cache-path=disk1 enabled=yes max-cache-object-size=\
    131072KiB
/ip service
set telnet disabled=yes
set ftp disabled=yes
set www disabled=yes
set ssh disabled=yes
set api disabled=yes
set api-ssl disabled=yes
/ip ssh
set allow-none-crypto=yes forwarding-enabled=remote
/ip upnp
set enabled=yes
/ip upnp interfaces
add interface="WAN1 PoE" type=external
add interface=LAN type=internal
/ipv6 dhcp-client
add add-default-route=yes interface="WAN1 PoE" request=address
/ipv6 route
add distance=1 gateway="WAN1 PoE"
/ppp l2tp-secret
add address=10.50.10.1/32 secret=***
/ppp secret
add name=PPTP password=*** profile=PPTP service=pptp
add name=L2TP password=*** profile=L2TP service=l2tp
/system clock
set time-zone-name=America/Narnia
/system identity
set name=RB450Gx4
/system ntp client
set enabled=yes primary-ntp=216.239.35.0 secondary-ntp=216.239.35.0
/system routerboard settings
set auto-upgrade=yes cpu-frequency=827MHz
/tool e-mail
set from="" start-tls=yes
/tool netwatch
/tool romon
set enabled=yes
If you see anything weird that could be fixed, I'd appreciate any advice about it.
 
Sob
Forum Guru
Posts: 9188
Joined: Mon Apr 20, 2009 9:11 pm

Re: Rejecting or Dropping [Help]

Sat Sep 07, 2019 6:52 pm

I don't see it. If the traffic goes through this router, the rule must catch it (when you enable it, but I assume you did that; and when you don't make the mistake of testing it only from 10.50.10.252, which would not be blocked). You can add this before the reject rule as a test and see if it logs something:
/ip firewall filter
add action=log chain=forward dst-address=192.168.100.1 log-prefix="to modem"
But it's the same condition, so it shouldn't be any different.
 
Lebzul
Member Candidate
Topic Author
Posts: 110
Joined: Wed Feb 21, 2018 12:54 am

Re: Rejecting or Dropping [Help]

Sun Sep 08, 2019 3:08 am

It does not log anything at all. Not even the bytes counter.
 
Sob
Forum Guru
Posts: 9188
Joined: Mon Apr 20, 2009 9:11 pm

Re: Rejecting or Dropping [Help]

Sun Sep 08, 2019 3:33 am

So where exactly is 192.168.100.1? I assumed connected to WAN1 PoE, but it doesn't seem to be the case.
 
Lebzul
Member Candidate
Topic Author
Posts: 110
Joined: Wed Feb 21, 2018 12:54 am

Re: Rejecting or Dropping [Help]

Sun Sep 08, 2019 4:31 am

So where exactly is 192.168.100.1? I assumed connected to WAN1 PoE, but it doesn't seem to be the case.
That address is the local page of the modem. It is like 192.168.1.1 for configuring routers. This modem has 4 WANs.
 
Sob
Forum Guru
Posts: 9188
Joined: Mon Apr 20, 2009 9:11 pm

Re: Rejecting or Dropping [Help]

Sun Sep 08, 2019 4:52 am

It doesn't really tell me where the modem is. It's connected to this router, right? To which port? Does the router get some address (I'd assume some other 192.168.100.x) from it using dhcp? Try to describe everything in a way that even someone who doesn't see it can understand it.
 
Lebzul
Member Candidate
Topic Author
Posts: 110
Joined: Wed Feb 21, 2018 12:54 am

Re: Rejecting or Dropping [Help]

Sun Sep 08, 2019 5:42 am

It doesn't really tell me where the modem is. It's connected to this router, right? To which port? Does the router get some address (I'd assume some other 192.168.100.x) from it using dhcp? Try to describe everything in a way that even someone who doesn't see it can understand it.
ISP > Modem > Mk > Switch

Modem has 4 WANs. One WAN is used for Mk. Public IP is assigned dynamically.
 
Sob
Forum Guru
Posts: 9188
Joined: Mon Apr 20, 2009 9:11 pm

Re: Rejecting or Dropping [Help]

Sun Sep 08, 2019 6:57 am

Still not helpful. Let's try this:

1) What's the IP address of device you test it from? I mean some that should not be allowed to access the modem?

2) Can you show the output "/ip address print" from RB? You can censor public addresses if there are any, but keep the private ones untouched.

3) Can you run a traceroute from testing device (see point 1) to 192.168.100.1 and show the output? The command is "tracert -d 192.168.100.1" in Windows or "traceroute -n 192.168.100.1" in Linux.
 
Lebzul
Member Candidate
Topic Author
Posts: 110
Joined: Wed Feb 21, 2018 12:54 am

Re: Rejecting or Dropping [Help]

Sun Sep 08, 2019 2:32 pm

Still not helpful. Let's try this:

1) What's the IP address of device you test it from? I mean some that should not be allowed to access the modem?

2) Can you show the output "/ip address print" from RB? You can censor public addresses if there are any, but keep the private ones untouched.

3) Can you run a traceroute from testing device (see point 1) to 192.168.100.1 and show the output? The command is "tracert -d 192.168.100.1" in Windows or "traceroute -n 192.168.100.1" in Linux.
Alright,

1- LAN is 10.50.10.0/24. I would like none of them except 10.50.10.254 to access that webpage.

2- IP/Addresses
 #   ADDRESS            NETWORK         INTERFACE
 0   10.50.10.1/24      10.50.10.0      LAN
 1 I 10.50.10.3/32      10.50.10.0      VRRP
 2 D PUB. AD/22         P.ADD           WAN1 PoE
3- MacOS
Traceroute has started…

traceroute to 192.168.100.1 (192.168.100.1), 64 hops max, 72 byte packets
 1  10.50.10.1 (10.50.10.1)  0.878 ms  0.349 ms  0.260 ms
 2  * * *
 3  10.48.40.xx (10.48.40.xx)  13.505 ms  14.822 ms  21.434 ms
 4  10.48.43.xx (10.48.43.xx)  13.820 ms  28.238 ms  24.537 ms
 5  10.48.42.xx (10.48.42.xx)  20.496 ms  20.813 ms  34.018 ms
 6  * * *
 
Sob
Forum Guru
Posts: 9188
Joined: Mon Apr 20, 2009 9:11 pm

Re: Rejecting or Dropping [Help]

Sun Sep 08, 2019 6:51 pm

I missed one more:

4) Output of "/ip route print" from RB.

But it doesn't look like there can be anything more than routes to connected subnets and then default route (to 0.0.0.0/0) with gateway IP address on "WAN1 PoE" interface. Traceroute clearly shows that first hop is 10.50.10.1 (so this router) and it continues further, so it seems impossible that:
/ip firewall filter
add action=log chain=forward dst-address=192.168.100.1 log-prefix="to modem"
would not see anything. Is it definitely going through this router and not through some other one (wild guess based on the fact that you were trying something with the now disabled VRRP)?
 
Lebzul
Member Candidate
Topic Author
Posts: 110
Joined: Wed Feb 21, 2018 12:54 am

Re: Rejecting or Dropping [Help]

Mon Sep 09, 2019 5:28 am

/ip route> print
Flags: X - disabled, A - active, D - dynamic, 
C - connect, S - static, r - rip, b - bgp, o - ospf, m - mme, 
B - blackhole, U - unreachable, P - prohibit 
 #      DST-ADDRESS        PREF-SRC        GATEWAY            DISTANCE
 0 ADS  0.0.0.0/0                          PUBLICIP                  1
 1 ADC  10.50.10.0/24      10.50.10.1      LAN                       0
 2 ADC  PUBLICIP/22        PUBLICIP        WAN1 PoE                  0

(For the VRRP, I was trying to make it work with a hEX (there is another post around) but I hung up the gloves for now because I could not make it work. I was trying to make it work with static clients but some stayed in the Rb Master and some in the Backup.)
 
Sob
Forum Guru
Posts: 9188
Joined: Mon Apr 20, 2009 9:11 pm

Re: Rejecting or Dropping [Help]

Tue Sep 10, 2019 1:33 am

I think I see it. You're connecting to http://192.168.100.1, i.e. to default port 80, right? Then it's this rule, it redirects those connections to local web proxy and they are no longer going through forward chain:
/ip firewall nat
add action=redirect chain=dstnat comment="Web Cache Redirection" dst-port=80 protocol=tcp to-ports=8080
You can either configure filtering in the proxy's settings, or you can get rid of the whole thing. It's probably useless anyway. Most websites now use https, so it bypasses the proxy. And a 128MB cache wouldn't make any significant difference anyway. The only thing it will do is kill your router's flash.
 
Lebzul
Member Candidate
Topic Author
Posts: 110
Joined: Wed Feb 21, 2018 12:54 am

Re: Rejecting or Dropping [Help]

Tue Sep 10, 2019 5:36 am

I think I see it. You're connecting to http://192.168.100.1, i.e. to default port 80, right? Then it's this rule, it redirects those connections to local web proxy and they are no longer going through forward chain:
/ip firewall nat
add action=redirect chain=dstnat comment="Web Cache Redirection" dst-port=80 protocol=tcp to-ports=8080
You can either configure filtering in the proxy's settings, or you can get rid of the whole thing. It's probably useless anyway. Most websites now use https, so it bypasses the proxy. And a 128MB cache wouldn't make any significant difference anyway. The only thing it will do is kill your router's flash.

I see. So, is there a viable solution?
The address of the modem is http://192.168.100.1/cgi-bin/status_cgi
 
Sob
Forum Guru
Posts: 9188
Joined: Mon Apr 20, 2009 9:11 pm

Re: Rejecting or Dropping [Help]

Tue Sep 10, 2019 10:23 pm

You can take a hint and choose what you like better, either:

a) Try with proxy config. I don't use it much, but this should work:
/ip proxy access
add action=deny dst-address=192.168.100.1
b) Re-evaluate if the proxy really does anything useful for you. And in case you find it doesn't, remove it and do normal blocking in firewall forward chain.
 
Lebzul
Member Candidate
Topic Author
Posts: 110
Joined: Wed Feb 21, 2018 12:54 am

Re: Rejecting or Dropping [Help]

Thu Sep 12, 2019 3:57 am

You can take a hint and choose what you like better, either:

a) Try with proxy config. I don't use it much, but this should work:
/ip proxy access
add action=deny dst-address=192.168.100.1
b) Re-evaluate if the proxy really does anything useful for you. And in case you find it doesn't, remove it and do normal blocking in firewall forward chain.
This one did the trick. Unfortunately I have another hitch from this. If I deny a segment of my net, it works fine, but when I add another denying rule for a different subnet, it keeps blocking all ranges. I don't know if it is a bug or something. That means that if I use !10.50.10.120 as a src, to allow just that IP, I can't access the webpage if I am logging in from my IPsec because the VPN pool is different.

Any ideas about this behavior?
 
Sob
Forum Guru
Posts: 9188
Joined: Mon Apr 20, 2009 9:11 pm

Re: Rejecting or Dropping [Help]  [SOLVED]

Fri Sep 13, 2019 6:10 am

Sometimes you need to use multiple rules to achieve the desired result.

If you have something like:
add action=deny dst-address=192.168.100.1 src-address=!10.50.10.120
add action=deny dst-address=192.168.100.1 src-address=!10.50.10.121
and expect access to be allowed from both addresses, then of course it won't work, because access from 10.50.10.121 will be blocked by first rule and it will never reach the second. But you can do:
add action=allow dst-address=192.168.100.1 src-address=10.50.10.120
add action=allow dst-address=192.168.100.1 src-address=10.50.10.121
add action=deny dst-address=192.168.100.1
Last edited by krisjanisj on Fri Sep 13, 2019 8:43 am, edited 1 time in total.
Reason: Leave one line free above and below [code][/code] block for it to properly work
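The two mechanisms explained in this thread (the dstnat redirect that diverts port-80 traffic away from the forward chain, and first-match ordering in the proxy access list) can be checked with a small model of the RouterOS packet path. This is an added example, not MikroTik code or the thread's configuration; the addresses, rule lists, and the VPN-pool allow entry are constructed from the thread, and the model assumes a default accept when no rule matches.

```python
"""Model of the RouterOS packet path discussed in the thread (added example, not MikroTik code).
A packet passes prerouting dstnat, then the routing decision sends it through the
input chain (locally destined) or the forward chain; HTTP that dstnat redirected to
the web proxy is checked against the proxy access list instead. All lists are
first-match. Addresses and rules are constructed from the thread's configuration."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple

ROUTER_ADDRESSES = {"10.50.10.1", "10.50.10.3"}   # /ip address on the RB450Gx4
MODEM = "192.168.100.1"                            # Arris modem status page


@dataclass
class Packet:
    src: str
    dst: str
    dport: int = 80          # only TCP is modelled


@dataclass
class Rule:
    action: str                     # accept/reject/drop/log/redirect/allow/deny
    src: Optional[str] = None       # host, CIDR or "lo-hi" range, optional "!" prefix
    dst: Optional[str] = None
    dport: Optional[int] = None
    to_port: Optional[int] = None   # redirect target port


def addr_matches(spec: Optional[str], addr: str) -> bool:
    """RouterOS-style address matcher: no spec matches anything, '!' negates."""
    if spec is None:
        return True
    negate = spec.startswith("!")
    body = spec[1:] if negate else spec
    ip = ip_address(addr)
    if "-" in body:
        lo, hi = (ip_address(x) for x in body.split("-"))
        hit = lo <= ip <= hi
    else:
        hit = ip in ip_network(body, strict=False)
    return hit != negate


def rule_matches(rule: Rule, pkt: Packet) -> bool:
    return (addr_matches(rule.src, pkt.src) and addr_matches(rule.dst, pkt.dst)
            and (rule.dport is None or rule.dport == pkt.dport))


def first_match(rules: List[Rule], pkt: Packet) -> Optional[Rule]:
    """First terminating rule that matches; 'log' rules are passthrough."""
    for r in rules:
        if rule_matches(r, pkt) and r.action != "log":
            return r
    return None


def packet_path(pkt: Packet, dstnat: List[Rule], forward: List[Rule],
                inp: List[Rule], proxy_access: List[Rule]) -> Tuple[str, str]:
    """Return (where the verdict was made, verdict)."""
    nat = first_match(dstnat, pkt)
    if nat is not None and nat.action == "redirect":
        # redirect rewrites the destination to the router itself, so the connection
        # becomes locally destined: it traverses input, and forward never sees it
        local = Packet(pkt.src, "10.50.10.1", nat.to_port)
        r = first_match(inp, local)
        if r is not None and r.action in ("drop", "reject"):
            return ("input", r.action)
        # the proxy checks its access list against the original HTTP destination;
        # with no matching entry the proxy allows the request (assumed default)
        p = first_match(proxy_access, pkt)
        return ("proxy", p.action if p is not None else "allow")
    chain, rules = ("input", inp) if pkt.dst in ROUTER_ADDRESSES else ("forward", forward)
    r = first_match(rules, pkt)
    return (chain, r.action if r is not None else "accept")   # no match: default accept


# rules taken from the thread
REDIRECT = [Rule("redirect", dport=80, to_port=8080)]            # "Web Cache Redirection"
FORWARD_BLOCK = [Rule("reject", src="!10.50.10.252", dst=MODEM)]  # "Block Arris Modem Web"

# the two proxy access lists compared in the last exchange
NEGATED_DENIES = [Rule("deny", src="!10.50.10.120", dst=MODEM),
                  Rule("deny", src="!10.50.10.121", dst=MODEM)]
ALLOW_THEN_DENY = [Rule("allow", src="10.50.10.120", dst=MODEM),
                   Rule("allow", src="10.50.10.121", dst=MODEM),
                   Rule("deny", dst=MODEM)]
# same list with the VPN pool (10.50.15.50-10.50.15.60) allowed as well (constructed)
ALLOW_VPN_TOO = [Rule("allow", src="10.50.15.50-10.50.15.60", dst=MODEM)] + ALLOW_THEN_DENY


def modem_access(src: str, redirect: bool, proxy_access: List[Rule]) -> Tuple[str, str]:
    """Where does an HTTP request from `src` to the modem get decided, and how?"""
    return packet_path(Packet(src, MODEM), REDIRECT if redirect else [],
                       FORWARD_BLOCK, [], proxy_access)


if __name__ == "__main__":
    print(modem_access("10.50.10.100", True, []))     # ('proxy', 'allow'): forward rule bypassed
    print(modem_access("10.50.10.100", False, []))    # ('forward', 'reject'): no redirect
    for lst in (NEGATED_DENIES, ALLOW_THEN_DENY, ALLOW_VPN_TOO):
        print([modem_access(s, True, lst)[1]
               for s in ("10.50.10.120", "10.50.10.121", "10.50.10.200", "10.50.15.55")])
```

With the redirect in place, the forward reject never fires, which is what the empty log rule showed; the two negated deny entries deny every source, while allow/allow/deny admits exactly the listed hosts, and a VPN client is only admitted once its pool gets its own allow entry.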
 
Lebzul
Member Candidate
Topic Author
Posts: 110
Joined: Wed Feb 21, 2018 12:54 am

Re: Rejecting or Dropping [Help]

Sat Sep 14, 2019 3:05 am

Sometimes you need to use multiple rules to achieve the desired result.

If you have something like:
add action=deny dst-address=192.168.100.1 src-address=!10.50.10.120
add action=deny dst-address=192.168.100.1 src-address=!10.50.10.121
and expect access to be allowed from both addresses, then of course it won't work, because access from 10.50.10.121 will be blocked by first rule and it will never reach the second. But you can do:
add action=allow dst-address=192.168.100.1 src-address=10.50.10.120
add action=allow dst-address=192.168.100.1 src-address=10.50.10.121
add action=deny dst-address=192.168.100.1

Bingo! That was it for the champ. You nailed it. I wouldn't have thought about it. Thanks so much.
