How to create a rule for the Mikrotik firewall?
Tell me, what is the correct way to write a firewall rule for the following case:
Mikrotik:
95.x.x.x/32 - WAN
192.168.1.1/24 - LAN
10.0.0.1/8 - L2TP
Over L2TP I get access to all resources of the local network 192.168.1.0/24, since such a route is registered on the Mikrotik.
I want all established and related connections (initiated from our office) from the 192.168.1.0/24 network to the 10.0.0.0/8 network to be allowed,
and all connections initiated from the 10.0.0.0/8 network to the 192.168.1.0/24 network to be rejected.
By adding the rule
add action=reject chain=forward comment="from vpn" connection-state="" dst-address=192.168.1.0/24 log=yes reject-with=icmp-network-unreachable src-address=10.0.0.0/24
Below is a list of your firewall rules (which you submitted in a comment).
Let's talk about an ICMP request from 192.168.1.0/24 to 10.0.0.0/8.
For example: running the command ping 10.0.0.15 on the host 192.168.1.44.
We are only interested in the forward rules (assuming there are no tricky prerouting and postrouting rules).
Simplified, we have two packets:
one from 192.168.1.44 to 10.0.0.15 (the request),
and a reply packet from 10.0.0.15 to 192.168.1.44 (the response).
The request does not match any rule from your list (below), and therefore passes successfully and "establishes" the connection (the connection appears in connection tracking).
The response to the request falls under the rule:
/ip firewall filter
add action=reject chain=forward comment="from vpn" connection-state="" disabled=yes dst-address=192.168.1.0/24 log=yes reject-with=icmp-network-unreachable \
src-address=10.0.0.0/8
and is discarded with an icmp-network-unreachable reply (why you do this I don't understand; it's not the first time I've seen it, drop was always recommended before, maybe something has changed).
It never gets as far as the rule:
add action=accept chain=forward comment="defconf: accept established,related, untracked" connection-state=established,related,untracked
So you get no response to the ping, i.e. the ping reached the host, but the reply did not come back.
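The rule set below is an added example, not the configuration from the question or the answer. It assumes the subnets named in the question (LAN 192.168.1.0/24, remote L2TP network 10.0.0.0/8), that the L2TP and LAN traffic crosses the router in the forward chain, and that connection tracking is enabled (with it disabled, connection-state never matches). The point is ordering: the established/related accept must sit above the block rule so that replies to office-initiated connections are accepted before the block rule ever sees them, and the block rule itself only has to match new connections.

```routeros
# Added example (not the rules from the question). Rules in the forward chain are
# evaluated top to bottom; the first matching rule with a terminating action wins.
/ip firewall filter

# 1. Accept anything conntrack already knows about. The reply from 10.0.0.15 to
#    192.168.1.44 in the answer above matches here and never reaches rule 3.
add chain=forward action=accept connection-state=established,related,untracked \
    comment="accept established,related,untracked"

# 2. Drop invalid packets (no matching conntrack entry and not a valid new connection).
add chain=forward action=drop connection-state=invalid comment="drop invalid"

# 3. Let the office open new connections toward the VPN network.
add chain=forward action=accept connection-state=new \
    src-address=192.168.1.0/24 dst-address=10.0.0.0/8 comment="office -> vpn new"

# 4. Anything the VPN side tries to initiate toward the office is dropped and logged.
#    Only connection-state=new is matched here, so established replies are untouched
#    even if this rule were ever moved above rule 1.
add chain=forward action=drop connection-state=new \
    src-address=10.0.0.0/8 dst-address=192.168.1.0/24 \
    log=yes log-prefix="vpn->lan" comment="from vpn"
```

To check the order after adding rules on a router that already has a "from vpn" rule, print the chain with `/ip firewall filter print where chain=forward` and, if the block rule has landed above the established/related accept, reorder with `/ip firewall filter move numbers=<block-rule-number> destination=<accept-rule-number>` (the existing positions shown by print, not values assumed here). To confirm the ping now works for the right reason, `/ip firewall connection print where src-address~"192.168.1.44"` should show the ICMP entry that rule 1 is accepting on.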