[HECnet] UDP filter chain for bridge

Mark Wickens mark at wickensonline.co.uk
Mon Sep 16 18:36:31 PDT 2013


Hi guys,

I'm having some problems configuring my new Mikrotik RouterBoard RB2011UAS-2HnD-IN, which is a great multiport router with wireless. However, it runs RouterOS, which is fantastic, highly configurable and mostly beyond me!

I have managed to hook up a Netgear DM111PSP ADSL modem in bridge mode so that the MikroTik box is the ADSL end point. I have configured the router to allow HTTP and SSH traffic through the router but am struggling to get the rules right for the UDP routing and firewall configuration. I wondered whether there were folks out there who could shed some light. In my naive little brain I can see how configuration using IP chains is similar to how Linux can be configured to provide the same functionality.

The router is on 192.168.1.2 and the HP microserver running Johnny's bridge is 192.168.1.126.

Here are the forwarding rules I have:

/ip firewall filter

# forward chain: traffic passing through the router. dst-nat runs before the
# filter chains, so these rules see the already-translated destination address.
add chain=forward comment="default configuration" connection-state=established
add chain=forward comment="default configuration" connection-state=related
add chain=forward comment="Allow UDP connection to hpm from internet" dst-address=192.168.1.126 dst-port=4711 in-interface=pppoe-wan protocol=\
      udp
add action=log chain=forward comment="Log everything else" log-prefix="IPv4 Drop forward:"
add action=drop chain=forward comment="default configuration" connection-state=invalid

# input chain: traffic addressed to the router itself (its own addresses).
add chain=input comment="default configuration" protocol=icmp
add chain=input comment="default configuration" connection-state=established in-interface=pppoe-wan
add chain=input comment="default configuration" connection-state=related in-interface=pppoe-wan
# Forward UDP bridge requests to HPM running the bridge
# (dst-address is the HPM host, not the router; traffic dst-natted to a LAN host takes the forward chain)
add chain=input comment="bridge traffic on 4711" dst-address=192.168.1.126 dst-port=4711 in-interface=pppoe-wan protocol=udp
add action=log chain=input comment="Log everything else" disabled=yes log-prefix="IPv4 Drop input:"
add action=drop chain=input comment="default configuration" in-interface=pppoe-wan

/ip firewall nat
add action=masquerade chain=srcnat comment="default configuration" out-interface=pppoe-wan
# Forward webserver requests to SLAVE
add action=dst-nat chain=dstnat comment="Forward tcp:80 to slave" dst-address=92.27.220.250 dst-port=80 protocol=tcp to-addresses=192.168.1.229 \
      to-ports=80
# Connect SSH/SFTP requests through to SLAVE
add action=dst-nat chain=dstnat comment="Forward ssh to slave" dst-address=92.27.220.250 dst-port=22 protocol=tcp to-addresses=192.168.1.229 \
      to-ports=22
# Connect UDP requests on port 4711 to HPM running bridge
add action=dst-nat chain=dstnat comment="Forward bridge udp to hpm" dst-address=92.27.220.250 dst-port=4711 protocol=udp to-addresses=\
      192.168.1.126 to-ports=4711


When I turn on logging before the drop rule I get the following:
IPv4 Drop input: input: in:bridge-local out:(none), src-mac b4:99:ba:bf:46:e3, proto UDP, 192.168.1.126:41301->192.168.1.2:53, len 57

Any ideas folks?

Thanks in advance,

Mark.
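As an added illustration of the packet flow the posted rules depend on (this is a toy model written for this page, not the author's code and not RouterOS itself), the script below transcribes the quoted filter and NAT rules into Python and walks three constructed packets through a simplified RouterOS order of operations: the dstnat chain first, then the routing decision (a packet addressed to one of the router's own addresses takes the input chain, everything else takes forward), then first-match evaluation of the chosen filter chain, where `log` does not terminate and a chain with no matching rule accepts. The router's own addresses, the sample source address, the "new" connection state and the port 23 probe are assumptions; the input-chain log rule is enabled here because the quoted log line was produced with logging turned on.

```python
"""Toy model of RouterOS firewall packet flow for the rules quoted above.

Added example for this page: not RouterOS code and not the poster's own.
Modelled order: dstnat -> routing decision -> filter (input or forward);
first match wins, 'log' is non-terminating, an unmatched chain accepts.
"""
from dataclasses import dataclass, replace
from typing import Optional

# Assumed: the router's own addresses (LAN side and the pppoe-wan side).
ROUTER_ADDRS = {"192.168.1.2", "92.27.220.250"}


@dataclass(frozen=True)
class Packet:
    proto: str
    src: str
    sport: int
    dst: str
    dport: int
    in_iface: str
    conn_state: str = "new"   # assumed: first packet of a flow


@dataclass
class Rule:
    chain: str
    action: str = "accept"    # a RouterOS rule with no action accepts
    comment: str = ""
    protocol: Optional[str] = None
    dst_address: Optional[str] = None
    dst_port: Optional[int] = None
    in_interface: Optional[str] = None
    connection_state: Optional[str] = None
    to_addresses: Optional[str] = None
    to_ports: Optional[int] = None

    def matches(self, pkt: Packet) -> bool:
        """Every matcher that is set on the rule must agree with the packet."""
        wanted = [(self.protocol, pkt.proto), (self.dst_address, pkt.dst),
                  (self.dst_port, pkt.dport), (self.in_interface, pkt.in_iface),
                  (self.connection_state, pkt.conn_state)]
        return all(w is None or w == have for w, have in wanted)


def run_chain(rules, chain, pkt, trace):
    """Walk one chain top to bottom; return (verdict, possibly rewritten packet)."""
    for r in rules:
        if r.chain != chain or not r.matches(pkt):
            continue
        trace.append(f"{chain}: '{r.comment}' -> {r.action}")
        if r.action == "log":         # non-terminating: keep evaluating
            continue
        if r.action == "dst-nat":     # rewrite destination, stop this chain
            return "accept", replace(pkt, dst=r.to_addresses, dport=r.to_ports)
        return r.action, pkt
    trace.append(f"{chain}: no match -> default accept")
    return "accept", pkt


def process(pkt, nat_rules, filter_rules):
    """dstnat runs before routing, so the filter rules see the translated address."""
    trace = []
    _, pkt = run_chain(nat_rules, "dstnat", pkt, trace)
    chain = "input" if pkt.dst in ROUTER_ADDRS else "forward"
    verdict, pkt = run_chain(filter_rules, chain, pkt, trace)
    return verdict, chain, pkt, trace


# The posted rules, transcribed. srcnat/masquerade is omitted (outbound path only).
NAT_RULES = [
    Rule("dstnat", "dst-nat", "Forward tcp:80 to slave", protocol="tcp",
         dst_address="92.27.220.250", dst_port=80, to_addresses="192.168.1.229", to_ports=80),
    Rule("dstnat", "dst-nat", "Forward ssh to slave", protocol="tcp",
         dst_address="92.27.220.250", dst_port=22, to_addresses="192.168.1.229", to_ports=22),
    Rule("dstnat", "dst-nat", "Forward bridge udp to hpm", protocol="udp",
         dst_address="92.27.220.250", dst_port=4711, to_addresses="192.168.1.126", to_ports=4711),
]
FILTER_RULES = [
    Rule("forward", comment="default configuration", connection_state="established"),
    Rule("forward", comment="default configuration", connection_state="related"),
    Rule("forward", comment="Allow UDP connection to hpm from internet", protocol="udp",
         dst_address="192.168.1.126", dst_port=4711, in_interface="pppoe-wan"),
    Rule("forward", "log", "Log everything else"),
    Rule("forward", "drop", "default configuration", connection_state="invalid"),
    Rule("input", comment="default configuration", protocol="icmp"),
    Rule("input", comment="default configuration", connection_state="established", in_interface="pppoe-wan"),
    Rule("input", comment="default configuration", connection_state="related", in_interface="pppoe-wan"),
    Rule("input", comment="bridge traffic on 4711", protocol="udp",
         dst_address="192.168.1.126", dst_port=4711, in_interface="pppoe-wan"),
    Rule("input", "log", "Log everything else"),   # enabled, as when the log line was captured
    Rule("input", "drop", "default configuration", in_interface="pppoe-wan"),
]

# Constructed sample packets (not captured traffic); 203.0.113.7 is a documentation address.
WAN_BRIDGE = Packet("udp", "203.0.113.7", 4711, "92.27.220.250", 4711, "pppoe-wan")
LAN_DNS = Packet("udp", "192.168.1.126", 41301, "192.168.1.2", 53, "bridge-local")
WAN_PROBE = Packet("tcp", "203.0.113.7", 50000, "92.27.220.250", 23, "pppoe-wan")

if __name__ == "__main__":
    for name, pkt in [("WAN bridge UDP", WAN_BRIDGE), ("LAN DNS", LAN_DNS), ("WAN probe", WAN_PROBE)]:
        verdict, chain, out, trace = process(pkt, NAT_RULES, FILTER_RULES)
        print(f"{name}: chain={chain} verdict={verdict} dst={out.dst}:{out.dport}")
        for line in trace:
            print("   ", line)
```

In this model the bridge packet from the WAN is rewritten by the dstnat rule and then accepted by the forward-chain UDP rule; the input-chain "bridge traffic on 4711" rule is never consulted for it, because after translation the packet is not addressed to the router. The LAN DNS packet in the quoted log line reaches the input chain from bridge-local, is recorded by the (enabled) log rule, and is then accepted by default, since the final drop rule only matches in-interface=pppoe-wan. A probe from the WAN to a port with no dst-nat rule is the one that actually hits that drop.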
