Mikrotik
CrunchHru, 2014-01-07 00:41:05

I have a few questions about the firewall in MikroTik and need to be pointed in the right direction.

The situation is this: a MikroTik router (RB493G, RouterOS v6.7). Simplifying, three ports are in use: wan1, eth1, eth2. Other clients sit on the remaining ports, but they can be left out here.
wan1 - local LAN behind NAT (no Internet access)
eth1 - server with Internet access
eth2 - client (i.e. a computer), IP 192.168.10.100
Filter rules:
0 chain=forward action=drop dst-address=94.100.181.218
1 chain=forward action=drop src-address=!192.168.10.100 out-interface=eth1
There are no other filter rules.
Question 1: rule 0 should block all packets to IP 94.100.181.218. It seemed to work correctly during the initial setup; then I rebooted the MikroTik and it turned out it had stopped blocking, packets ran freely, then it blocked them again. Then, considering it necessary, in the interfaces I changed ARP from enabled to arp-proxy on the master port interfaces. After that there were no problems following a reboot.
The question is, is this how it should be? I.e. the traffic went at another level, where it did not fall under the rule because there was no match. I have read about arp-proxy, but with some gaps in knowledge it is hard to grasp certain points.
Question 2: I figured it out, moved the rule into mangle, turned on logging and understood the essence of the passing traffic. Again, due to lack of knowledge and experience: with filter rule #2, if you do not explicitly specify the eth1 interface through which the traffic will pass, then access to wan1 is blocked altogether for the client on eth2 with IP 192.168.10.100. (I tested a little more and realized that I was mistaken and this rule as such does not work.)
Why is it needed? I would like a rule that, on command (when the rule is applied), blocks access to the Internet (eth1) for all other clients except .100, while access to wan1 remains.
Here at first I thought I had made a blunder, but it turns out, at first glance, that I had. I wanted to get by with little effort, because in my opinion everything went smoothly:
If the IP is not 192.168.10.100 and the outgoing interface is eth1, then block it.
Logically everything works out correctly here, but in reality it does not. I tried another option, adding a second negation: if the interface is not wan1 then block, but that did not help either.
Maybe I started catching it in the wrong place, or there is some nuance; in general, I just got confused and hit a dead end.
upd1: the reason the interface match does not work in some cases is this.
Traffic between the client and the server with Internet access is seen as coming from the interface bridge1:
20:10:10 firewall,info forward: in:bridge1 out:bridge1, src-mac c8:60:00:de:f0:45,
proto TCP (ACK,PSH), 192.168.10.100:51553->95.108.194.209:5222, len 88
Question 3: this is the "open connections" information:
ip firewall connection print
# PR.. SRC-ADDRESS           DST-ADDRESS    TCP-STATE   TIMEOUT
1 tcp  192.168.10.100:44304  12.54.9.8:80   established 23h59m40s
For example, it puts me in a situation where some connections in the established state hang on until the very end, even if the client was disconnected a couple of hours ago; if it was a torrent client, there may be a couple of thousand such connections. From my point of view this is wrong, a waste of resources. Although this is a home training ground for gaining experience and knowledge, and at home this piece of iron is more than enough, I want there to be "order".

2 answer(s)
Dmitry Tallmange, 2014-01-07
@CruncHru

With such a chaotic, crumpled and inconsistent narrative you will, unfortunately, have to wait a long time for answers.
Mikrotik packet flow - I recommend reading it until you are blue in the face.
If any interfaces are in bridges, then the behaviour of the MikroTik is not always "obvious". Read the link.
On question 3: read about what TCP/IP is in general. Then everything will fall into place.

Dmitry Tallmange, 2014-01-07
@p00h

This rule will deny all local clients sitting behind the wan1 interface access to the Internet.

chain=forward in-interface=wan1 out-interface=eth1 action=drop
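An added example, not part of the original post or of either answer: a RouterOS v6 CLI fragment that does what the question asks (Internet via eth1 only for 192.168.10.100, wan1 still reachable by everyone) and addresses the bridge nuance the first answer points at and the timeout from question 3. It assumes, from the log line in upd1 (in:bridge1 out:bridge1), that eth1 and eth2 are ports of bridge1 and that wan1 is a separate routed interface; the interface names and the client address are taken from the question, the rule comments are made up here. The same nuance applies to the rule in the second answer: when eth1 is a bridge port, the firewall sees out-interface=bridge1, so out-interface=eth1 never matches and the drop silently does nothing. The settings used (use-ip-firewall, out-bridge-port, tcp-established-timeout) exist in RouterOS v6, but whether they fit the real topology has to be checked on the router.

```routeros
# Added example, not from the original post. Assumes: eth1 and eth2 are ports
# of bridge1, wan1 is a routed interface, 192.168.10.100 is the allowed client.

# 1. Bridged (port-to-port) traffic only reaches /ip firewall when this is on;
#    otherwise frames switched inside bridge1 never see the filter rules at all,
#    which is one way a "forward drop" can appear to work and then stop.
/interface bridge settings set use-ip-firewall=yes

/ip firewall filter
# Block the one destination regardless of which path the packet takes.
add chain=forward action=drop dst-address=94.100.181.218 \
    comment="drop all traffic to 94.100.181.218"

# Decide on the bridge PORT, not on the interface: for bridged traffic
# out-interface is bridge1, so out-interface=eth1 would never match.
add chain=forward action=accept src-address=192.168.10.100 out-bridge-port=eth1 \
    comment="allow only .100 to the Internet server on eth1"
add chain=forward action=drop out-bridge-port=eth1 \
    comment="everyone else: no Internet; traffic to wan1 is not matched here"

# 2. Question 3: 23h59m40s is the default tcp-established-timeout (1d) counting
#    down. Idle established flows from a client that is already gone live on
#    until it expires; shorten it so they are cleaned up sooner.
/ip firewall connection tracking set tcp-established-timeout=1h

# 3. Verification: the rule counters must move when another client tries eth1,
#    and the connection table should show only the remaining client flows.
/ip firewall filter print stats
/ip firewall connection print where src-address~"192.168.10.100"
```

If the counters of the two out-bridge-port rules stay at zero while other clients can still reach the server, the traffic is not passing through the IP firewall at all (still switched in hardware between master and slave ports, or use-ip-firewall not in effect), and the rule text is not the problem. Lowering tcp-established-timeout also expires legitimately idle sessions that send no keepalives, so pick a value the applications on the eth1 server tolerate rather than the smallest one that makes the table look tidy.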
