Mikrotik
Valentin Net, 2016-12-19 16:54:27

Problem with port forwarding or how to properly configure the firewall in Mikrotik?

Good afternoon, gurus!
Practically all the guides on the internet advise closing incoming and transit traffic at the end of the firewall rules on a Mikrotik:
/ip firewall filter add chain=forward action=drop comment="drop everything else"
For example here - https://bozza.ru/art-189.html#script
But this is not the first time I have run into port forwarding into the local network not working when such a rule is present.
The screenshots show the filter and NAT configuration. If rule 14 is enabled, the port forwarding does not work.
What am I doing wrong?
And is there any point in this rule?
What could the consequences be with rule No. 14 disabled?


3 answer(s)
Cool Admin, 2016-12-19
@vdemon

Show the config with export. On the screenshot with NAT, the final NATed port is not visible (this is important for the forward blocking rules), and on the screenshot with the firewall rules it is not visible what is eventually blocked by the rules that are already there.

Wexter, 2016-12-19
@Wexter

If you add a drop of everything else at the end, then you need to add accept input of the necessary ports / protocols for forwarding before it.

voltage0, 2016-12-29
@voltage0

Good afternoon.
By default, the Mikrotik firewall allows all traffic. If there is no rule with DROP ANY, then there is no point in setting up a firewall. The logic is that at the end there is a rule that prohibits everything, and before it are the rules that allow what is necessary.
If you are configuring NAT, then there must be an allow rule in the forward chain for traffic that will fall under your NAT rules.
In general, you can use a rule like:
chain=forward action=accept connection-nat-state=dstnat log=no log-prefix=""
which says to allow all traffic that goes through dstnat.
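
A forward chain laid out the way the answers above describe, with the accept for port-forwarded traffic placed before the final drop. This is an added example, not a configuration posted by anyone in the thread; the interface name ether1, the subnet 192.168.88.0/24, the host 192.168.88.10 and the ports are constructed values.

```routeros
# Constructed example values: WAN = ether1, LAN = 192.168.88.0/24,
# internal web server = 192.168.88.10

/ip firewall nat
# Publish TCP 8080 on the WAN side to port 80 on the internal host.
add chain=dstnat in-interface=ether1 protocol=tcp dst-port=8080 \
    action=dst-nat to-addresses=192.168.88.10 to-ports=80 \
    comment="web server"

/ip firewall filter
# Rules are evaluated top to bottom and the first match decides,
# so every accept has to sit above the final drop.

# 1. Packets belonging to connections that were already accepted.
add chain=forward connection-state=established,related action=accept \
    comment="established, related"

# 2. Packets that connection tracking cannot assign to a connection.
add chain=forward connection-state=invalid action=drop comment="invalid"

# 3. Connections opened from the LAN towards the internet.
add chain=forward src-address=192.168.88.0/24 out-interface=ether1 \
    action=accept comment="LAN to WAN"

# 4. Connections that matched a dst-nat rule (the rule from the answer).
add chain=forward connection-nat-state=dstnat action=accept \
    comment="port forwards"

# Narrower alternative to rule 4: allow one forward explicitly.
# dst-nat is applied before the forward chain, so the filter sees the
# translated address and port (192.168.88.10:80), not the public 8080.
# add chain=forward in-interface=ether1 protocol=tcp \
#     dst-address=192.168.88.10 dst-port=80 connection-state=new \
#     action=accept comment="web server only"

# 5. Everything that was not explicitly allowed above.
add chain=forward action=drop comment="drop everything else"
```

On a router that already has the drop rule, `add` appends new rules below it, so they need `place-before` or a manual move; `/ip firewall filter print` shows the resulting order.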
