MikroTik

Posted: **Fri Nov 23, 2018 4:09 pm**

I have RB1100AHx4 and made a new bridge for one ethernet port.
I gave new IP to eth5 adapter and disconnected from default bridge.

Made a forward drop rule between two IP range and still I can ping between the OS's.

2018-11-23_15-06-21.jpg

2018-11-23_15-05-59.jpg

2018-11-23_15-06-43.jpg

Posted: **Fri Nov 23, 2018 4:56 pm**

Your IP addresses should go to bridge1 and bridge99 rather than the physical interfaces.
You will also need a rule in the opposite direction. It is possible to set things up like you have so that access is only in one direction.

Posted: **Fri Nov 23, 2018 5:03 pm**

Hello!
Thank you for the answer.
I made the changes and ping still works:

2018-11-23_22-53-40.jpg

2018-11-23_22-53-20.jpg

2018-11-23_22-52-37.jpg

2018-11-23_22-52-17.jpg

2018-11-23_22-51-56.jpg

Posted: **Sat Nov 24, 2018 11:43 am**

because the forward chain accepts by default, you should end the chain in an explicit drop all:

/ip firewall filter add chain=forward action=drop

if you can still ping across subnets, you probably have another router which is doing the routing.

for testing purposes i suggest switching to instant-error reject

/ip firewall filter set [find action=drop] action=reject reject-with=icmp-admin-prohibited

when everything works you can go back to drop:

/ip firewall filter set [find action=reject] action=drop

Posted: **Sat Nov 24, 2018 3:05 pm**

Hi SunBlade0!
Thank you for your reply! The problem is that I need forward rules I can not block them because I have a few port/IPs forwarded.
If I add

/ip firewall filter add chain=forward action=drop

and move it to top my necessary forwards stops.

2018-11-24_14-03-06.jpg

There is no additional device because eth5 goes directly to an ESXi port where a virtual switch dedicated only to that adapter and VM too.

Posted: **Sat Nov 24, 2018 3:57 pm**

What is key here for firewall rules to work is to ensure your LANS that require control are NOT on the same bridge.
They can be on different bridges, or one on a bridge and one not on a bridge and so on.
Putting LANs on the same bridge connects them at layer two and thus firewall controls (layer3) have no affect.
If you have to have LANs on the same bridge, then use VLANS instead running on that LAN/ethport
and then apply fw rules to the vlans.
Post your complete config for better assistance.

Posted: **Sat Nov 24, 2018 5:56 pm**

Dear anav!
Please see config below:

# # nov/24/2018 16:48:10 by RouterOS 6.42.4
# software id = xxxxxxxxxxxxxxxxxxxx
#
# model = RouterBOARD 1100x4
# serial number = xxxxxxxxxxxxxxxxxxxx
/interface bridge
add name=bridge1
add fast-forward=no name=bridge99
/interface ethernet
set [ find default-name=ether1 ] comment=WAN
set [ find default-name=ether3 ] comment=iDRAC-DELL
set [ find default-name=ether4 ] comment=LAN
set [ find default-name=ether5 ] comment=vmnic3
set [ find default-name=ether8 ] comment=NAS
set [ find default-name=ether9 ] comment=NAS
/interface list
add name=WAN
add name=LAN
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip pool
add name=dhcp ranges=192.168.2.100-192.168.2.200
add name=vpn-pool ranges=192.168.2.201-192.168.2.210
add name=99_pool ranges=192.168.99.250-192.168.99.254
/ip dhcp-server
add address-pool=dhcp disabled=no interface=bridge1 name=dhcp1
add address-pool=99_pool disabled=no interface=bridge99 name=server1
/ppp profile
set *FFFFFFFE dns-server=8.8.8.8 local-address=192.168.2.5 remote-address=\
    vpn-pool
/interface bridge port
add bridge=bridge1 interface=ether2
add bridge=bridge1 interface=ether3
add bridge=bridge1 interface=ether4
add bridge=bridge1 interface=ether6
add bridge=bridge1 interface=ether7
add bridge=bridge1 interface=ether8
add bridge=bridge1 interface=ether9
add bridge=bridge1 interface=ether10
add bridge=bridge1 interface=ether11
add bridge=bridge1 interface=ether12
add bridge=bridge1 interface=ether13
add auto-isolate=yes bridge=bridge99 interface=ether5
/interface l2tp-server server
set enabled=yes ipsec-secret=SECRETPASSWORD use-ipsec=yes
/interface list member
add interface=ether1 list=WAN
add interface=bridge1 list=LAN
add list=LAN
/interface pptp-server server
set enabled=yes
/interface sstp-server server
set default-profile=default-encryption enabled=yes
/ip address
add address=XXX.XXX.XXX.XXX/24 comment=defconf interface=ether1 network=\
    XXX.XXX.XXX.XXX
add address=192.168.2.1/24 interface=ether2 network=192.168.2.0
add address=192.168.99.254/24 interface=bridge99 network=192.168.99.0
add address=192.168.2.254/24 interface=bridge1 network=192.168.2.0
/ip cloud
set ddns-enabled=yes
/ip dhcp-client
add dhcp-options=hostname,clientid interface=ether1
/ip dhcp-server lease
add address=192.168.2.199 client-id=1:0:c:29:c0:cd:9f mac-address=\
    00:0C:29:C0:CD:9F server=dhcp1
/ip dhcp-server network
add address=192.168.2.0/24 gateway=192.168.2.1 netmask=24
add address=192.168.99.0/24 gateway=192.168.99.254
/ip dns
set servers=8.8.8.8,8.8.4.4
/ip firewall filter
add action=drop chain=forward disabled=yes
add action=accept chain=forward
add action=accept chain=input dst-port=500 protocol=udp
add action=accept chain=input dst-port=50 protocol=tcp
add action=accept chain=input dst-port=51 protocol=tcp
add action=accept chain=input protocol=icmp
add action=accept chain=input dst-port=8291 protocol=tcp
add action=accept chain=input dst-port=1701 protocol=udp
add action=accept chain=input dst-port=500 protocol=udp
add action=accept chain=input dst-port=4500 protocol=udp
add action=accept chain=input
add action=accept chain=forward connection-state=established,related \
    dst-address=192.168.0.0/24 src-address=192.168.2.0/24
add action=drop chain=forward dst-address=192.168.2.0/24 src-address=\
    192.168.99.0/24
add action=drop chain=forward dst-address=192.168.99.0/24 src-address=\
    192.168.2.0/24
/ip firewall nat
add action=accept chain=srcnat dst-address=192.168.0.0/24 src-address=\
    192.168.2.0/24
add action=masquerade chain=srcnat out-interface-list=WAN
add action=dst-nat chain=dstnat disabled=yes dst-port=5000 in-interface=\
    ether1 protocol=tcp to-addresses=192.168.2.2 to-ports=5000
add action=dst-nat chain=dstnat disabled=yes dst-port=443 protocol=tcp \
    to-addresses=192.168.2.4 to-ports=443
add action=dst-nat chain=dstnat disabled=yes dst-port=902 protocol=tcp \
    to-addresses=192.168.2.4 to-ports=902
add action=dst-nat chain=dstnat dst-port=4203 protocol=tcp to-addresses=\
    192.168.2.199 to-ports=4203
/ip firewall raw
add action=notrack chain=prerouting dst-address=192.168.0.0/24 src-address=\
    192.168.2.0/24
/ip ipsec peer
add address=XXX.XXX.XXX.XXX/32 dh-group=modp1024 disabled=yes enc-algorithm=\
    aes-256,aes-192,aes-128 nat-traversal=no secret=PASSWORD \
    send-initial-contact=no
add address=XXX.XXX.XXX.XXX/32 dh-group=modp1024 enc-algorithm=\
    aes-256,aes-192,aes-128 nat-traversal=no secret=PASSWORD \
    send-initial-contact=no
/ip ipsec policy
add disabled=yes dst-address=192.168.0.0/24 sa-dst-address=XXX.XXX.XXX.XXX \
    sa-src-address=XXX.XXX.XXX.XXX src-address=192.168.2.0/24 tunnel=yes
add dst-address=192.168.1.0/24 sa-dst-address=XXX.XXX.XXX.XXX sa-src-address=\
    XXX.XXX.XXX.XXX src-address=192.168.2.0/24 tunnel=yes
/ip route
add distance=1 gateway=XXX.XXX.XXX.XXX
/ip service
set telnet disabled=yes
set ftp disabled=yes
set www disabled=yes
set ssh disabled=yes
set api disabled=yes
set winbox address="192.168.2.0/24,192.168.1.0/24,192.168.0.0/24,XXX.XXX.XXX.XXX\
    /32,XXX.XXX.XXX.XXX/32"
set api-ssl disabled=yes
/ppp secret
add disabled=yes name=admin password=THISISTHEPASSWORD profile=default-encryption \
    service=l2tp
/system clock
set time-zone-name=Europe/Budapest
/system identity
set name=THEPROVIDERNAME
/system logging
add topics=ipsec
/system routerboard settings
set silent-boot=no

Posted: **Sat Nov 24, 2018 10:09 pm**

you have
/ip firewall filter add chain=forward action=accept
at the top of your forward chain, which means you forward everything.

any forward rule after this is ignored. including your blocking attempts.

in order to see how often specific rules got hit enable the packet count column in WinBox:

PacketCounter.jpg

PacketCount.jpg

Posted: **Sat Nov 24, 2018 10:34 pm**

Hmmm,
Looking through your list

/interface list member
add interface=ether1 list=WAN
add interface=bridge1 list=LAN
99?????
add list=LAN

a. where is bridge99 on the - LAN list
/interface list member

b. I think the add list=LAN entry is in error and should be removed

/ip address
add address=192.168.2.1/24 interface=ether2 network=192.168.2.0
/interface bridge port
add bridge=bridge1 interface=ether2

c. Compare this address rule to the listing in bridge ports, the interface should be bridge1

/ip firewall filter
add action=drop chain=forward disabled=yes
add action=accept chain=forward

d. First two firewall rules are strange, removing them both for now, but considering taking the first one and making it your LAST RULE in the forward chain,
In other words clearly state what you need to allow, and then at the end drop everything else (don't forget to enable the rule).

In addition for reading sake, put the forward chain rules AFTER the input chain rules.
{edit: I note another poster has also commented on the second rule above, quite correct it needs to be punted to a land far far away}

e. Your rules to block 99 to the LAN and LAN to 99 should work because they are on separate bridges.

f. Your rule to block .200 and below from .201 and above on the same IP pool on the same bridge will NOT WORK.
They are both on the same bridge and thus connected at layer 2.

/ip firewall nat
add action=accept chain=srcnat dst-address=192.168.0.0/24 src-address=\
192.168.2.0/24

g. Call me cwazee but a NAT rule should have an action that is scr-nat or dst-nat or masquerade, NOT accept?????? I will note that I am not familiar with all the uses of NAT so you may be doing something perfectly legitimate here.

h. Only the first dstnat rule has the IN-INTERFACE, the rest are missing this necessary component. (also the first 3 rules are disabled)

/ip firewall raw
add action=notrack chain=prerouting dst-address=192.168.0.0/24 src-address=\
192.168.2.0/24
i. Dont have a sweet clue as to what this raw rule does???

Posted: **Mon Dec 03, 2018 5:09 pm**

Hi anav!
I made the changes , you can see below:

Hmmm,
Looking through your list

/interface list member
add interface=ether1 list=WAN
add interface=bridge1 list=LAN
99?????
add list=LAN

a. where is bridge99 on the - LAN list
/interface list member

*************done
2018-12-03_15-00-27.jpg
b. I think the add list=LAN entry is in error and should be removed

/ip address
add address=192.168.2.1/24 interface=ether2 network=192.168.2.0
/interface bridge port
add bridge=bridge1 interface=ether2

*************done
2018-12-03_15-15-41.jpg

c. Compare this address rule to the listing in bridge ports, the interface should be bridge1

/ip firewall filter
add action=drop chain=forward disabled=yes
add action=accept chain=forward

d. First two firewall rules are strange, removing them both for now, but considering taking the first one and making it your LAST RULE in the forward chain,
In other words clearly state what you need to allow, and then at the end drop everything else (don't forget to enable the rule).
In addition for reading sake, put the forward chain rules AFTER the input chain rules.
{edit: I note another poster has also commented on the second rule above, quite correct it needs to be punted to a land far far away}

e. Your rules to block 99 to the LAN and LAN to 99 should work because they are on separate bridges.

***************
2018-12-03_16-06-16.jpg
Thank you!
Now it seems works as I need!

Posted: **Tue Dec 04, 2018 7:51 pm**

Excellent, good news allround.
I would like a better view of your complete firewall rules, but if it works, no need!!
But how do you add images to your posts....... something I need to figure out LOL.

MikroTik

firewall forward drop rule not working between LAN IPs

firewall forward drop rule not working between LAN IPs

Re: firewall forward drop rule not working between LAN IPs

Re: firewall forward drop rule not working between LAN IPs

Re: firewall forward drop rule not working between LAN IPs

Re: firewall forward drop rule not working between LAN IPs

Re: firewall forward drop rule not working between LAN IPs

Re: firewall forward drop rule not working between LAN IPs

Re: firewall forward drop rule not working between LAN IPs

Re: firewall forward drop rule not working between LAN IPs [SOLVED]

Re: firewall forward drop rule not working between LAN IPs

Re: firewall forward drop rule not working between LAN IPs