sjafka
Member Candidate, Topic Author

connection state question

Tue Jul 16, 2019 11:21 am

Dear MikroTik Community,

there is one thing I cannot really understand. I think it has to do with my network knowledge, but maybe you people could help me.

When I do firewall rules, I basically do this: input drop invalid, input accept related,established, and then the same with forward, and at the end: drop input in-interface:WAN.

This way I think I'm fine, but I read a comment somewhere where they do the same kind of firewall and asked: why do the connections work from the laptop? Aren't those connections new? Why can I pass the firewall without a rule like this: forward accept con-state:new in-interface:LAN, or something like this?

Your answer would be greatly appreciated, because I think I'm missing something!
Thank you in advance!
 
2frogs
Forum Veteran

Re: connection state question

Tue Jul 16, 2019 2:42 pm

The default for the firewall filter is to accept. If you remove all rules, everything would be accepted.

If you only add chain=forward action=drop, then everything being forwarded would be dropped.

Now change that rule to include in-interface=ether1 and now only forwards coming from ether1 are being dropped.

This allows the LAN (laptop) to connect to the Internet, but the replies can not come back. This is why you need to accept Established, Related. Now the returns are accepted.

Hope this helps!
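As an added illustration of 2frogs' point (these commands are not from the thread), here is the two-rule forward chain he describes written out as RouterOS commands, with the path a laptop's web request takes through it and the commands to check which rule actually counted the packets. It assumes ether1 is the WAN port.

```routeros
# Added example, not from the thread. Assumption: ether1 is the WAN port.
/ip firewall filter
add chain=forward action=accept connection-state=established,related comment="packets of connections conntrack already knows"
add chain=forward action=drop in-interface=ether1 comment="anything else that enters on the WAN port"

# Walk-through for a laptop on the LAN opening a web page:
#  1. The SYN from the laptop enters on the LAN port. Its connection-state is new:
#     rule 0 does not match (not established/related), rule 1 does not match (wrong
#     interface), the chain ends, and the chain's default action is accept.
#  2. conntrack now knows the connection. The SYN-ACK enters on ether1 with
#     connection-state=established, so rule 0 accepts it before rule 1 can drop it.
#  3. A SYN arriving on ether1 from outside is new: rule 0 skips it, rule 1 drops it.
# No rule ever has to say "new"; new traffic from the LAN simply reaches the default.

# Verify instead of guessing: zero the counters, browse from the laptop, then see
# which rule counted the packets.
/ip firewall filter reset-counters-all
/ip firewall filter print stats
# The tracking table shows the state conntrack assigned to each flow.
/ip firewall connection print
```

Run the three check commands in the terminal rather than trusting the reasoning: on this chain the established/related rule's packet counter climbs while you browse, the drop rule's counter only moves for traffic that really started on ether1.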
 
sjafka
Member Candidate, Topic Author

Re: connection state question

Tue Jul 16, 2019 3:00 pm

I just wanted to write down why I still don't understand, but now I get it: because there is NO rule that talks about "conn-state:new", the rule is already enabled, right?
 
2frogs
Forum Veteran

Re: connection state question  [SOLVED]

Tue Jul 16, 2019 3:23 pm

Correct! It is already accepted!
 
sjafka
Member Candidate, Topic Author

Re: connection state question

Tue Jul 16, 2019 3:44 pm

> Correct! It is already accepted!

Thank you, now I'm in a state where I understand, and a few seconds later the whole thing is just crazy again.
If I have 4 forward rules (which affect, for example, browsing the web on my laptop):


accept forward established/related

drop forward invalid

accept forward destination-address list: 192.168.1.0/24 in-interface:WAN Source-AddressList: !BOGONS (I know, bogons don't have anything to do with it, but I wanted to copy the whole command I use now in my firewall) (my LAN is now 192.168.1.0/24)

accept forward source-address list: 192.168.1.0/24 out-interface:WAN Source-AddressList: !BOGONS

drop forward (drop all forward, no more rules)


This is now my config for the forward part. My question is: if I drop all FORWARD at the end, does this not include "forward, conn-state:new"? Because it seems so: I can just browse the web and stuff, and now it's not logical for me again :D I did not say anything about conn-state:new, but I did say all other forwarded traffic should be dropped!

Could you please help me?
 
sjafka
Member Candidate, Topic Author

Re: connection state question

Tue Jul 16, 2019 3:48 pm

Ahh, I think I found out: it's because of the THIRD firewall rule. That rule is responsible for me getting out to the web, and it does not mention new connections, right?
 
stoser
Member Candidate

Re: connection state question

Tue Jul 16, 2019 3:58 pm

All rules in MikroTik are processed sequentially. Look in Winbox, on the left side of the IP/Firewall rules. You will see a column labeled "#". This is the number of the firewall rule. Click the "#" to order the list. The firewall rules will be processed in that order, starting from 0 (zero). Once a rule is matched, the other rules are not processed, except if action=passthrough. action=passthrough is used primarily to gather statistics.

In your case, the rule
accept forward source-address list: 192.168.1.0/24 out-interface:WAN


matches before the rule
drop forward
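To make stoser's first-match ordering visible on the box, an added example (not from the thread) that uses the five forward rules from sjafka's post as positions 0 to 4, with the final "drop forward" at position 4 and the LAN-to-WAN accept at position 3. It swaps two rules to show the effect of order, then adds a passthrough counter that records only the new connections the earlier accepts did not claim.

```routeros
# Added example, not from the thread. Positions are the "#" numbers that print shows
# for sjafka's five forward rules: 0 accept est/rel, 1 drop invalid, 2 accept WAN->LAN,
# 3 accept LAN->WAN, 4 drop everything.
/ip firewall filter print

# Order is everything. "move <rule> <destination>" puts <rule> in front of <destination>.
# Moving the final drop (4) in front of the LAN->WAN accept (3) makes the drop win for
# every new connection from the laptop: browsing stops, while replies to connections
# that were already open still pass through rule 0.
/ip firewall filter move 4 3
# The same command undoes it, because the accept is now item 4 and the drop item 3.
/ip firewall filter move 4 3

# A passthrough rule counts what matches it and then lets evaluation continue, so it
# changes nothing about what is accepted or dropped. Placed directly in front of the
# final drop it counts only connection-state=new packets that no accept above it
# claimed, i.e. exactly what the drop is about to discard.
/ip firewall filter add chain=forward action=passthrough connection-state=new place-before=4 comment="new conns that reach the final drop"

# Zero the counters, browse from the laptop, then print. If the LAN->WAN accept (3)
# increments while the passthrough counter stays at 0, rule 3 claimed the laptop's new
# connections before the drop ever saw them. That is why no rule needs to say "new".
/ip firewall filter reset-counters-all
/ip firewall filter print stats
```

Check the positions with print again after every move or place-before, since each one renumbers everything below it; reading the number off an old print is the usual way to move the wrong rule.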
 
sjafka
Member Candidate, Topic Author

Re: connection state question

Tue Jul 16, 2019 4:25 pm

Dear 2frogs and stoser,

thank you for your time, now I got it and it helped me a lot :)

I marked 2frogs' reply as the answer, because that was the answer to the original question, but your answer helped me too to fully understand what I'm doing :)

Thank you and have a nice day!
 
Sob
Forum Guru

Re: connection state question

Tue Jul 16, 2019 4:47 pm

This doesn't look like something you want to have:
accept forward destination-address list: 192.168.1.0/24 in-interface:WAN Source-AddressList: !BOGONS
It's basically that everything from WAN (including new connections) is allowed to access your LAN (except what's in BOGONS address list). You shouldn't need this. You want to keep the rule allowing access from LAN to WAN, and replies will be allowed by "accept forward established/related". If you have any forwarded ports, add another accept rule with connection-nat-state=dstnat.
 
sjafka
Member Candidate, Topic Author

Re: connection state question

Tue Jul 16, 2019 5:04 pm

> This doesn't look like something you want to have:
> accept forward destination-address list: 192.168.1.0/24 in-interface:WAN Source-AddressList: !BOGONS
> It's basically that everything from WAN (including new connections) is allowed to access your LAN (except what's in BOGONS address list). You shouldn't need this. You want to keep the rule allowing access from LAN to WAN, and replies will be allowed by "accept forward established/related". If you have any forwarded ports, add another accept rule with connection-nat-state=dstnat.

Hello Sob,

thank you for your time and for your tip!

In this case my question would be: if there are rules like this ->

1.) accept forward established/related

2.) drop forward invalid

3.) accept forward destination-address list: 192.168.1.0/24 in-interface:WAN Source-AddressList: !BOGONS

4.) accept forward source-address list: 192.168.1.0/24 out-interface:WAN Source-AddressList: !BOGONS

5.) drop forward (drop all forward, no more rules)

then for me this means: from the WAN side everything can come in that is not on the bogon list, and most importantly, only the established/related. So only what internal users initiated, and not from/to bogons! Am I right? How would you build your public firewall rules? I'm really curious, but sadly everyone is protecting their public firewall config from the public :D Thank you in advance for your reply and time :)
 
sjafka
Member Candidate, Topic Author

Re: connection state question

Tue Jul 16, 2019 5:28 pm

Edit: I see the error now, this way I DMZ'd my LAN, right? (without the bogons, but that's not interesting now)
 
Sob
Forum Guru

Re: connection state question

Tue Jul 16, 2019 6:19 pm

And what do you expect from a DMZ (*)? Because what your rule does is open unlimited access to all devices in the 192.168.1.0/24 subnet to anyone (except BOGONS). Well, theoretically, a random person from the internet won't be able to connect to your private addresses, but any device connected to your router's WAN port would be able to access anything.

Look at it like this: the first two rules take care of established/related/invalid, so what's left is new/untracked. We can forget untracked for now, because it doesn't happen by itself; you have to skip tracking for some packets in the raw table. So you can imagine all following rules as having connection-state=new. Do you really want to accept all new connections from WAN? Probably not.

(*) The problem with the term DMZ is that home routers completely screwed up its meaning. It's supposed to be a network isolated from the rest of the LAN, but they use it as a "better looking" (I guess) term for a simple dstnat to a device in the LAN.
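Putting Sob's two replies together, an added example (not from the thread): sjafka's forward chain with the WAN-to-LAN accept removed, the remaining accepts carrying the connection-state=new that Sob says is implicit after the first two rules, and a dstnat-only accept for published ports. The interface list WAN containing ether1, the web server on 192.168.1.10 and port 443 are assumptions made for the example.

```routeros
# Added example, not from the thread. Assumptions: ether1 is the uplink, 192.168.1.0/24
# is the LAN, and a web server on 192.168.1.10 is the only thing published.
/interface list add name=WAN
/interface list member add list=WAN interface=ether1

/ip firewall filter
add chain=forward action=accept connection-state=established,related comment="tracked, keep"
add chain=forward action=drop connection-state=invalid comment="tracked but broken, drop"
# Everything below only ever sees connection-state=new (plus untracked, which does not
# occur unless a raw-table rule skips tracking), so say "new" explicitly.
#
# REMOVED: this is the rule that exposed the whole LAN. It accepted new connections
# entering on the WAN port to any LAN host, so whatever sits on the WAN side could
# open connections to every device behind the router:
#   add chain=forward action=accept in-interface-list=WAN dst-address=192.168.1.0/24 src-address-list=!BOGONS
#
# Published services only: a new connection from WAN is accepted when a dst-nat rule has
# already rewritten its destination. Nothing else from WAN may start a connection.
add chain=forward action=accept connection-state=new in-interface-list=WAN connection-nat-state=dstnat comment="port forwards"
add chain=forward action=accept connection-state=new src-address=192.168.1.0/24 out-interface-list=WAN comment="LAN to internet"
add chain=forward action=drop comment="everything else, including new from WAN"

# The dst-nat rule the dstnat accept pairs with (assumption: web server on 192.168.1.10).
# dst-nat runs before the forward chain, so by the time the filter sees the packet its
# destination is already 192.168.1.10 and connection-nat-state=dstnat is set.
/ip firewall nat
add chain=dstnat in-interface-list=WAN protocol=tcp dst-port=443 action=dst-nat to-addresses=192.168.1.10
```

Paste this into a terminal with Safe Mode enabled (Ctrl+X) so that a rule that locks you out is rolled back when the session drops, and compare the packet counters of the dstnat accept and the final drop while opening a connection from the WAN side: only traffic to the published port should move the first counter.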
 
sjafka
Member Candidate, Topic Author

Re: connection state question

Wed Jul 17, 2019 9:58 am

> So you can imagine all following rules as having connection-state=new. Do you really want to accept all new connections from WAN? Probably not.

No, sure I don't want to do this, thank you for pointing out the mistake!

"So you can imagine all following rules as having connection-state=new." -> you mean all following connections have conn-state:new, right?
 
sjafka
Member Candidate, Topic Author

Re: connection state question

Wed Jul 17, 2019 10:49 am

Sob, I totally understand now how this works and what the problem was. Thank you for pointing out my mistake, this really helped me a lot to understand the MikroTik way of thinking!
