Mikrotik Firewall Help

ZSam

Active Member
Joined
Jan 19, 2015
Messages
48
Hi all

I currently have a Mikrotik 750UP set up with PPPoE for client connections.

I was having some unaccounted bandwidth being used on the main gateway, and the following rule: add action=drop chain=input comment="Drop anything else!" seems to work to keep it out and the network running smoothly.

Everything works well, except I have to disable add action=drop chain=input comment="Drop anything else!" when a client router disconnects due to power failure or reboot etc., because they are then unable to reconnect to the MT via PPPoE. This is frustrating, especially if I am not home to access the router and do this manually.

Any help on how I can get around this maybe with an accept rule or something?

Help would be appreciated!

Thanks.

Full firewall:

/ip firewall filter
add action=add-src-to-address-list address-list=Syn_Flooder \
address-list-timeout=30m chain=input comment=\
"Add Syn Flood IP to the list" connection-limit=30,32 protocol=tcp \
tcp-flags=syn
add action=drop chain=input comment="Drop to syn flood list" \
src-address-list=Syn_Flooder
add action=add-src-to-address-list address-list=Port_Scanner \
address-list-timeout=1w chain=input comment="Port Scanner Detect" \
protocol=tcp psd=21,3s,3,1
add action=drop chain=input comment="Drop to port scan list" \
src-address-list=Port_Scanner
add action=jump chain=input comment="Jump for icmp input flow" jump-target=\
ICMP protocol=icmp
add action=drop chain=input comment="Block all access to the winbox - except t\
o support list # DO NOT ENABLE THIS RULE BEFORE ADD YOUR SUBNET IN THE SUP\
PORT ADDRESS LIST" disabled=yes dst-port=8291 protocol=tcp \
src-address-list=!support
add action=jump chain=forward comment="Jump for icmp forward flow" \
jump-target=ICMP protocol=icmp
add action=drop chain=forward comment="Drop to bogon list" dst-address-list=\
bogons
add action=drop chain=forward comment="Avoid spammers action" dst-port=25,587 \
protocol=tcp src-address-list=spammers
add action=accept chain=input comment="Accept DNS - UDP" port=53 protocol=udp
add action=accept chain=input comment="Accept DNS - TCP" port=53 protocol=tcp
add action=accept chain=input comment="Accept to established connections" \
connection-state=established
add action=accept chain=input comment="Accept to related connections" \
connection-state=related
add action=accept chain=input comment="Full access to SUPPORT address list" \
disabled=yes src-address-list=support
add action=accept chain=input comment=\
"Accept all connections from local network" disabled=yes in-interface=\
ether2-master-local
add action=accept chain=input comment="Accept WinBox Access from Local" \
disabled=yes dst-port=81 protocol=tcp src-address=192.168.88.0/24
add action=accept chain=input comment="Accept WebFig Access from Local" \
disabled=yes dst-port=80 in-interface=ether2-master-local protocol=tcp \
src-address=192.168.88.0/24
add action=accept chain=ICMP comment="Echo reply" icmp-options=0:0 protocol=\
icmp
add action=accept chain=ICMP comment="Time Exceeded" icmp-options=11:0 \
protocol=icmp
add action=accept chain=ICMP comment="Destination unreachable" icmp-options=\
3:0-1 protocol=icmp
add action=accept chain=ICMP comment=PMTUD icmp-options=3:4 protocol=icmp
add action=drop chain=ICMP comment="Drop to the other ICMPs" protocol=icmp
add action=jump chain=output comment="Jump for icmp output" jump-target=ICMP \
protocol=icmp
add action=accept chain=input connection-state=new in-interface=\
ether2-master-local src-address=192.168.88.110
add action=drop chain=input comment="Drop anything else! # DO NOT ENABLE THIS \
RULE BEFORE YOU MAKE SURE ABOUT ALL ACCEPT RULES YOU NEED" disabled=yes

Sarel0092

Active Member
Joined
Aug 24, 2015
Messages
89
Have you tried to use the sniffer tool on MikroTik to see why the PPPoE connection is being blocked/rejected?

I think the PPPoE connection uses port 443. If you add a rule to allow the incoming connection the connection should establish.

/ip firewall filter
add chain=input action=accept protocol=tcp dst-port=443 comment="Allow PPPoE" in-interface="your wan port"

The allow rule will have to be above the drop rule for all input traffic.
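The ordering point in the reply (an accept has to sit above the catch-all input drop, or it never matches) can be checked mechanically against an export like the one in the first post. The following is an added example, not code from either poster: it joins the backslash-continued lines of a RouterOS export, splits each rule into key=value fields, and reports every enabled accept rule that appears below an enabled catch-all drop in the same chain. The export fragment is constructed for the example and the "Late accept rule" in it is hypothetical.

```python
import shlex

# Keys that do not select packets; any other key on a rule is a match condition,
# so a drop rule carrying only these keys is a catch-all for its chain.
NON_MATCH_KEYS = {"action", "chain", "comment", "disabled", "log", "log-prefix",
                  "jump-target", "address-list", "address-list-timeout"}

# Constructed export fragment: one accept placed below an enabled catch-all
# drop (shadowed), one disabled accept (ignored), one in another chain (fine).
SAMPLE_EXPORT = r'''/ip firewall filter
add action=accept chain=input comment="Accept DNS - UDP" port=53 protocol=udp
add action=accept chain=input comment="Accept to established connections" \
    connection-state=established
add action=drop chain=input comment="Drop anything else! # DO NOT ENABLE THIS \
    RULE BEFORE YOU MAKE SURE ABOUT ALL ACCEPT RULES YOU NEED"
add action=accept chain=input comment="Late accept rule" dst-port=8291 \
    protocol=tcp src-address=192.168.88.0/24
add action=accept chain=input comment="Disabled late rule" disabled=yes \
    protocol=icmp
add action=accept chain=forward comment="Forward rule" connection-state=established
'''

def parse_export(text):
    """Join backslash-continued lines, then return one dict per 'add' rule."""
    joined, buf = [], ""
    for raw in text.splitlines():
        line = raw.strip() if buf else raw.rstrip()   # continuation lines are indented
        if line.endswith("\\"):
            buf += line[:-1]                           # keep the space before the backslash
            continue
        joined.append(buf + line)
        buf = ""
    rules = []
    for line in joined:
        parts = shlex.split(line)                      # quoted comments may contain spaces and '#'
        if parts and parts[0] == "add":
            rules.append(dict(p.split("=", 1) for p in parts[1:] if "=" in p))
    return rules

def is_catch_all_drop(rule):
    return (rule.get("action") == "drop" and rule.get("disabled") != "yes"
            and not (set(rule) - NON_MATCH_KEYS))

def shadowed_accepts(text):
    """Comments of enabled accept rules that sit below an enabled catch-all drop in their chain."""
    blocked_chains, shadowed = set(), []
    for rule in parse_export(text):
        chain = rule.get("chain")
        if chain in blocked_chains and rule.get("action") == "accept" and rule.get("disabled") != "yes":
            shadowed.append(rule.get("comment", "<no comment>"))
        if is_catch_all_drop(rule):
            blocked_chains.add(chain)
    return shadowed

if __name__ == "__main__":
    print(shadowed_accepts(SAMPLE_EXPORT))   # ['Late accept rule']
```

Run it against `/ip firewall filter export` output to confirm a newly added accept actually lands above the drop before enabling the catch-all.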