
I'm using a RouterOS device as a router on a stick.

I'd like to isolate a certain VLAN from the outside world so that the VLAN cannot instantiate any connections to other VLANs or to the Internet (WAN).

I've set up the following firewall rule:

```routeros
/ip firewall filter
add chain=forward \
    action=reject reject-with=icmp-admin-prohibited \
    connection-state=!established,related,untracked \
    in-interface=vlan120
```

It works for ping:

```
ping www.google.com
PING www.google.com (172.217.20.4) 56(84) bytes of data.
From _gateway (192.168.120.1) icmp_seq=1 Packet filtered
```

It works for tcp:

```
telnet www.google.com 80
Trying 172.217.20.4...
Trying 2a00:1450:400d:805::2004...
telnet: Unable to connect to remote host: Cannot assign requested address
```

But it does not work for udp:

```
nc -z -v -u time1.google.com 123
Connection to time1.google.com 123 port [udp/ntp] succeeded!
```

Any help appreciated!

adamsfamily
  • It's a false success message. See [Why do netcat scans for UDP ports always succeed?](https://serverfault.com/questions/797763/why-do-netcat-scans-for-udp-ports-always-succeed) – Michael Hampton Aug 03 '20 at 17:42
  • UDP is not connection-oriented, so it has no feature like "established." Every packet is independent. – Ron Trunk Aug 03 '20 at 18:55
  • Ok, I learned from the link in Michael's comment that a UDP packet is considered to be successfully delivered unless there is an ICMP reject. There is no way to know that a packet has been delivered unless there is a response sent back from the remote host. My question is: can I set up the Mikrotik router to send an ICMP reject for UDP packets? – adamsfamily Aug 04 '20 at 18:26
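The comments above explain why `nc -z -u` reports success: it never waits for the ICMP destination-unreachable message that a reject rule sends back. The following Python script is an added example, not code from the question or the comments, that checks a UDP port the way the comments describe: it sends one datagram on a *connected* UDP socket and then waits for either a reply or the ICMP error. On Linux (assumed here), the kernel delivers an ICMP error that matches a connected UDP socket as an errno on the next `send()`/`recv()`: ICMP port unreachable becomes `ECONNREFUSED`, and ICMP "administratively prohibited" (what `reject-with=icmp-admin-prohibited` emits, the "Packet filtered" seen in the ping output) becomes `EHOSTUNREACH`. The loopback echo server and the free-port helper are constructed only for a self-contained demonstration; the `time1.google.com` probe in the `__main__` block is the real check to run from a host on vlan120, where a working reject rule yields `rejected`, an `action=drop` rule yields `no-response`, and no rule yields `open`.

```python
import errno
import socket
import threading

# errno values Linux raises on a connected UDP socket once the matching ICMP
# destination-unreachable message arrives (assumption: Linux errno mapping;
# ICMP port unreachable -> ECONNREFUSED, ICMP admin prohibited -> EHOSTUNREACH).
REJECT_ERRNOS = {errno.ECONNREFUSED, errno.EHOSTUNREACH, errno.ENETUNREACH}

# Minimal NTP client request (LI=0, VN=4, mode=3, 48 bytes). ntpd ignores short
# or malformed datagrams, so probing port 123 with a bare zero byte would look
# filtered even when the service is reachable.
NTP_REQUEST = b"\x23" + b"\x00" * 47


def udp_probe(host, port, timeout=2.0, payload=b"\x00"):
    """Send one datagram and classify the target port.

    Returns 'open' (a reply came back), 'rejected' (an ICMP unreachable
    message was delivered to the socket as an error) or 'no-response'
    (nothing within the timeout: dropped by a firewall, or a silent service).
    """
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        # connect() matters: the kernel only queues ICMP errors on a connected
        # UDP socket, and they surface on the next send()/recv().
        s.connect((host, port))
        try:
            s.send(payload)
            s.recv(1024)
            return "open"
        except socket.timeout:          # subclass of OSError: must come first
            return "no-response"
        except OSError as e:
            if e.errno in REJECT_ERRNOS:
                return "rejected"
            raise


def start_echo_server():
    """Throwaway UDP echo server on 127.0.0.1 (constructed for the demo).

    Returns the port it listens on; it answers exactly one datagram.
    """
    srv = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    srv.bind(("127.0.0.1", 0))
    port = srv.getsockname()[1]

    def serve():
        data, peer = srv.recvfrom(1024)
        srv.sendto(data, peer)
        srv.close()

    threading.Thread(target=serve, daemon=True).start()
    return port


def free_udp_port():
    """Pick a loopback UDP port nobody listens on (constructed for the demo).

    Probing it makes the local kernel answer with ICMP port unreachable, the
    same mechanism a reject rule on the router relies on.
    """
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.bind(("127.0.0.1", 0))
        return s.getsockname()[1]


if __name__ == "__main__":
    echo_port = start_echo_server()
    print("loopback echo server :", udp_probe("127.0.0.1", echo_port, payload=b"ping"))
    print("loopback closed port :", udp_probe("127.0.0.1", free_udp_port()))
    # The probe from the question, done properly: waits for the NTP reply or
    # for the router's ICMP admin-prohibited message instead of assuming success.
    print("time1.google.com/123 :", udp_probe("time1.google.com", 123, payload=NTP_REQUEST))
```

A `no-response` result is ambiguous on its own (a `drop` rule and a silent service look the same), which is exactly why a `reject` rule with an ICMP payload, as in the question, makes UDP filtering testable from the client side; the probe only needs to wait for the error instead of reporting success immediately.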

0 Answers