Yes, dst-nat is processed in the prerouting phase, so the dst-nat has occurred prior to the forward rules being processed; see
http://wiki.mikrotik.com/wiki/Manual:Packet_Flow
On 12/17/2013 12:02 PM, Rory McCann wrote:
Okay, so I spoke too soon. The rule still wasn't catching ANYTHING.
Apparently, the rule was expecting to see the internal SQL server
(private) IP and not the public one. Once I changed the rule back to a
forward chain and set the IP to my internal public IP of the SQL
server, it started working as expected.
Is this normal behavior?
Rory McCann
MKAP Technology Solutions
Web: www.mkap.net
On 12/17/2013 10:46 AM, Rory McCann wrote:
I'm betting that's it. I didn't even think of it like that.
Thanks!
Rory McCann
MKAP Technology Solutions
Web: www.mkap.net
On 12/17/2013 10:43 AM, Josh Luthman wrote:
Uh is the dst-address on the MT? That would be input, not forward.
Josh Luthman
Office: 937-552-2340
Direct: 937-552-2343
1100 Wayne St
Suite 1337
Troy, OH 45373
On Dec 17, 2013 11:42 AM, "Rory McCann" <[email protected]> wrote:
No, it wasn't matching any traffic.
Rory McCann
MKAP Technology Solutions
Web: www.mkap.net
On 12/17/2013 10:40 AM, Josh Luthman wrote:
Is the firewall rule counting packets?
Josh Luthman
Office: 937-552-2340
Direct: 937-552-2343
1100 Wayne St
Suite 1337
Troy, OH 45373
On Dec 17, 2013 11:39 AM, "Rory McCann" <[email protected]> wrote:
Shouldn't be. I created the firewall rule before the NAT rule, and there weren't any pre-existing connections to SQL.
Rory McCann
MKAP Technology Solutions
Web: www.mkap.net
On 12/17/2013 10:33 AM, Josh Luthman wrote:
Maybe using an already established connection?
Josh Luthman
Office: 937-552-2340
Direct: 937-552-2343
1100 Wayne St
Suite 1337
Troy, OH 45373
On Dec 17, 2013 11:29 AM, "Rory McCann" <[email protected]> wrote:
There are allow rules, but nothing that would have matched anything in this particular rule.
Rory McCann
MKAP Technology Solutions
Web: www.mkap.net
On 12/17/2013 10:23 AM, Louis Arsenault wrote:
Do you have an allow established rule before this rule?
Having the allow established rule will continue to allow those bad connections until you move the drop rule above it or restart the router.
-Louis
On Tue, Dec 17, 2013 at 11:19 AM, Rory McCann <[email protected]> wrote:
Can someone explain to me why the following firewall rule isn't working:

add action=drop chain=forward comment="SQL Access" dst-address=1.2.3.4 dst-port=1433 protocol=tcp src-address-list=!SQL
From what I understand, this rule should drop SQL traffic from any address not in the SQL address list, correct?
My corresponding NAT rule is this:
add action=dst-nat chain=dstnat comment="My Farm Records - SQL Access" dst-address=1.2.3.4 dst-port=1433 protocol=tcp to-addresses=10.2.7.7 to-ports=1433
It seems as though the NAT rule was taking precedence over the firewall rule. My SQL server was getting hammered with invalid logins until I added a src-address-list entry to the NAT rule as well.
This is on ROS v6.7
--
Rory McCann
MKAP Technology Solutions
Web: www.mkap.net
_______________________________________________
Mikrotik mailing list
[email protected]
http://mail.butchevans.com/mailman/listinfo/mikrotik
Visit http://blog.butchevans.com/ for tutorials related to Mikrotik RouterOS
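The explanation at the top of the thread (dst-nat runs in prerouting, before the forward chain) can be checked with a small model of that packet path. The following is an added example, not code from the thread or from MikroTik: it models only the two chains the thread discusses, the address list contents and the sample client addresses are constructed, and the rule fields mirror the two rules Rory posted. It shows the forward rule written against the public address 1.2.3.4 counting zero packets, while the same rule written against the post-NAT address 10.2.7.7 drops the untrusted client and leaves the listed one alone.

```python
# Added example (not from the mailing-list thread): a model of the RouterOS
# packet path relevant to the thread. It shows why a forward-chain drop rule
# written against the public address 1.2.3.4 never counts a packet once a
# dst-nat rule rewrites that address in prerouting. The Packet/Rule classes,
# the address list contents and the sample packets are constructed for this
# example; RouterOS itself is not involved.
from dataclasses import dataclass, replace
from typing import Dict, List, Optional, Set


@dataclass
class Packet:
    src: str
    dst: str
    dport: int
    proto: str = "tcp"


@dataclass
class Rule:
    chain: str                                # "dstnat" (nat) or "forward" (filter)
    action: str                               # "dst-nat", "drop" or "accept"
    dst_address: Optional[str] = None
    dst_port: Optional[int] = None
    protocol: Optional[str] = None
    src_address_list: Optional[str] = None    # "SQL" or negated "!SQL"
    to_address: Optional[str] = None          # only used by action="dst-nat"
    comment: str = ""
    hits: int = 0                             # per-rule packet counter, as in RouterOS


def matches(rule: Rule, pkt: Packet, lists: Dict[str, Set[str]]) -> bool:
    """Every matcher set on the rule must agree with the packet."""
    if rule.dst_address is not None and pkt.dst != rule.dst_address:
        return False
    if rule.dst_port is not None and pkt.dport != rule.dst_port:
        return False
    if rule.protocol is not None and pkt.proto != rule.protocol:
        return False
    if rule.src_address_list is not None:
        negate = rule.src_address_list.startswith("!")
        name = rule.src_address_list.lstrip("!")
        in_list = pkt.src in lists.get(name, set())
        if in_list == negate:      # "!SQL" matches only sources NOT in the list
            return False
    return True


def run_chain(rules: List[Rule], chain: str, pkt: Packet,
              lists: Dict[str, Set[str]]) -> Optional[Rule]:
    """First matching rule in the chain wins and its counter is incremented."""
    for rule in rules:
        if rule.chain == chain and matches(rule, pkt, lists):
            rule.hits += 1
            return rule
    return None


def route_packet(pkt: Packet, nat_rules: List[Rule], filter_rules: List[Rule],
                 lists: Dict[str, Set[str]]) -> str:
    """Order from the packet-flow diagram: prerouting (dstnat) runs before the
    forward filter chain, so forward only ever sees the rewritten destination."""
    nat = run_chain(nat_rules, "dstnat", pkt, lists)
    if nat is not None and nat.action == "dst-nat":
        pkt = replace(pkt, dst=nat.to_address)
    verdict = run_chain(filter_rules, "forward", pkt, lists)
    return verdict.action if verdict is not None else "accept"


def simulate() -> dict:
    """Run one untrusted and one listed client through the thread's rules."""
    lists = {"SQL": {"203.0.113.10"}}            # constructed trusted client
    nat_rules = [Rule(chain="dstnat", action="dst-nat", dst_address="1.2.3.4",
                      dst_port=1433, protocol="tcp", to_address="10.2.7.7",
                      comment="My Farm Records - SQL Access")]
    public_drop = Rule(chain="forward", action="drop", dst_address="1.2.3.4",
                       dst_port=1433, protocol="tcp", src_address_list="!SQL",
                       comment="SQL Access, public address: never matches")
    internal_drop = Rule(chain="forward", action="drop", dst_address="10.2.7.7",
                         dst_port=1433, protocol="tcp", src_address_list="!SQL",
                         comment="SQL Access, post-NAT address: works")
    filter_rules = [public_drop, internal_drop]
    attacker = Packet(src="198.51.100.77", dst="1.2.3.4", dport=1433)  # constructed
    trusted = Packet(src="203.0.113.10", dst="1.2.3.4", dport=1433)    # constructed
    return {
        "attacker": route_packet(attacker, nat_rules, filter_rules, lists),
        "trusted": route_packet(trusted, nat_rules, filter_rules, lists),
        "public_rule_hits": public_drop.hits,
        "internal_rule_hits": internal_drop.hits,
    }


if __name__ == "__main__":
    print(simulate())
```

The zero counter on the public-address rule is exactly the "not counting packets" symptom Josh asked about, and it is the quickest check on a real router: a forward rule whose counters never move while the dst-nat rule's counters do is matching on the wrong side of the translation. The thread's other workaround, restricting the dst-nat rule itself with a src-address-list, works because the untrusted client then never gets translated to the server at all.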