MikroTik

Posted: **Sun May 27, 2018 5:00 pm**

My dilemma, is that I have RB3011 and on ether5 I want to put a network with is to be used for specific few IPs:

/ip firewall filter
add action=accept chain=forward comment="FORWARD Chain - Packets towards Mikrotik itself (Established,Related)" connection-state=established,related
add action=accept chain=forward comment="Permit DNS requests from clients over TCP" dst-port=53 in-interface=ether5 protocol=tcp
add action=accept chain=forward comment="Approved Demo_Farm" dst-address-list=Demo_Farm dst-port=15000-15100,50000-50200 in-interface=ether5 out-interface=Ovpn protocol=tcp src-address-list=permitted-local-sources
add action=accept chain=forward comment="Approved HTTP" dst-address-list=permitted-http-destinations-address dst-port=80 in-interface=ether5 out-interface=Ovpn protocol=tcp src-address-list=permitted-local-sources
add action=accept chain=forward comment="Approved HTTPS" dst-address-list=permitted-https-destinations-address dst-port=443 in-interface=ether5 out-interface=Ovpn protocol=tcp src-address-list=permitted-local-sources
add action=drop chain=forward comment="Drop anything attempting to pass through Demo_Farm LAN that doesn't match the rules above" in-interface=ether5 out-interface=Ovpn

/ip firewall address-list
add address=72.XXX.XXX.152 comment="Demo#1" list=permitted-http-destinations-address
add address=79.XXX.XXX.28 comment=Demo2 list=permitted-https-destinations-address
add address=192.XXX.XXX.15 comment="Local Permitted IP Address" list=permitted-local-sources
add address=XXX.XXX.156.1-XXX.XXX.156.255 list=Demo_Farm
add address=XXX.XXX.148.1-XXX.XXX.148.255 list=Demo_Farm

However, when testing, everything gets dropped. When I disable "Drop anything attempting to pass through Demo_Farm LAN that doesn't match the rules above" traffic passes, so the address-list IPs are not being processed which are before the drop rule, does anyone know why something like that would happen?

Posted: **Sun May 27, 2018 5:15 pm**

I don't believe that everything gets dropped.

Requests from ether5 to tcp/53 are allowed and must pass. Except you probably want udp, because that's what clients use for DNS.

Other rules are also clear and anything from 192.XXX.XXX.15 (current permitted-local-sources list) to defined combinations of destination addresses and ports must pass too.

Add logging to your drop rule and then check addresses and ports of logged dropped packets, something there won't match the previous accept rules.

Posted: **Sun May 27, 2018 5:27 pm**

Maybe you have just copy-pasted other rules and added in-interface=ether5 without removing src-address-list=permitted-local-sources and these conditions never match simultaneously? Why I think this is because the drop rule checks only in-interface and out-interface, and it still stops the traffic if enabled. So if the traffic was not actually coming from ether5 or be leaving via Ovpn, the drop rule would not match it, so the reason why it does not match to any of the previous rules must be in some other condition, and the src-address-list is the most likely one given the history.

Posted: **Sun May 27, 2018 5:39 pm**

So I just triple checked the permitted-local-sources and its IP, which is a match, also the same with other IPs. The odd thing is that if I 'disable' the 'drop' rule, i see packets processed in the other rules.

If I would have mistaken IPs and dst-list or src-list, those rules would have 0 packet transferred next to them.

Frankly, I'm lost as to where else to look for issue right now...

Posted: **Sun May 27, 2018 5:50 pm**

Found the issue. Had a Layer7 rule and within the set had a word, which was being matched with one of the platforms, thus was blocking connection way before the mentioned rule set.

Posted: **Sun May 27, 2018 5:54 pm**

Found the issue. Had a Layer7 rule and within the set had a word, which was being matched with one of the platforms, thus was blocking connection way before the mentioned rule set.

That was my question, whether you have posted all the rules in the /ip firewall filter chain=forward or only those you've considered relevant.

Posted: **Sun May 27, 2018 6:06 pm**

This RB3011 has 8 different networks where every single one is configured very differently... I decided not to confuse people, and then to obfuscate everything would take me hours. So yeah... thank you for point me out to other rules. I went through them so many times that it made me blind to the very small things

Also, Sob, thank you for pointing out DNS, that also had to be added.

MikroTik

Firewall Sequence - Rules not executed orderly

Firewall Sequence - Rules not executed orderly

Re: Firewall Sequence - Rules not executed orderly

Re: Firewall Sequence - Rules not executed orderly

Re: Firewall Sequence - Rules not executed orderly

Re: Firewall Sequence - Rules not executed orderly

Re: Firewall Sequence - Rules not executed orderly [SOLVED]

Re: Firewall Sequence - Rules not executed orderly