plainlogic
just joined
Topic Author
Posts: 21
Joined: Thu Oct 07, 2010 8:06 pm

Issue with Unreplied SSL Connections

Wed Nov 17, 2010 12:04 am

I have a server behind a RouterOS firewall with a Src-Nat, Dest-Nat and Hairpin set up. From inside the firewall, I have no problem accessing all services from my server. However, from outside the firewall, I run into a problem when trying to access SSL web pages on my server. Looking at the Connections, I can see the request coming in, but it stops there.

It has a U-Unreplied status, with a "syn sent" TCP state. Again, this works fine from inside the firewall. I've disabled the entire firewall as a test, but that didn't solve the issue.
 
fewi
Forum Guru
Posts: 7717
Joined: Tue Aug 11, 2009 3:19 am

Re: Issue with Unreplied SSL Connections

Wed Nov 17, 2010 12:21 am

Please post a network diagram, and the output of "/ip address print detail", "/ip route print detail", "/ip service print detail", and "/ip firewall export".
 
plainlogic
just joined
Topic Author
Posts: 21
Joined: Thu Oct 07, 2010 8:06 pm

Re: Issue with Unreplied SSL Connections

Wed Nov 17, 2010 12:41 am

Here you go!
Diagram.jpg
IP Address Print Detail:
 1   address=10.10.2.254/24 network=10.10.2.0 broadcast=10.10.2.255 
     interface=ether4-P2P actual-interface=ether4-P2P 

 2   ;;; Fixed IP Address - THIS Router
     address=1.1.1.66/24 network=1.1.1.0 broadcast=1.1.1.255 
     interface=ether1-Gateway actual-interface=ether1-Gateway 

 4 X ;;; Fixed IP Address - Not Used
     address=1.1.1.69/24 network=1.1.1.0 broadcast=1.1.1.255 
     interface=ether1-Gateway actual-interface=ether1-Gateway 
IP Route Print Detail:
 0 A S  ;;; Default Gateway
        dst-address=0.0.0.0/0 gateway=1.1.1.1 
        gateway-status=1.1.1.1 reachable ether1-Gateway distance=1 
        scope=30 target-scope=10 
 1 A S  ;;; Route to Main Router
        dst-address=10.0.0.0/8 gateway=10.10.2.253 
        gateway-status=10.10.2.253 reachable ether4-P2P distance=1 scope=30 
        target-scope=10 
 2 ADC  dst-address=10.10.2.0/24 pref-src=10.10.2.254 gateway=ether4-P2P 
        gateway-status=ether4-P2P reachable distance=0 scope=10 
 3 ADC  dst-address=1.1.1.0/24 pref-src=1.1.1.66 
        gateway=ether1-Gateway gateway-status=ether1-Gateway reachable 
        distance=0 scope=10 
IP Service Print Detail:
 0   name="telnet" port=23 address=0.0.0.0/0 

 1   name="ftp" port=21 address=0.0.0.0/0 
 2   name="www" port=80 address=0.0.0.0/0 
 3   name="ssh" port=22 address=0.0.0.0/0 
 4 X name="www-ssl" port=443 address=0.0.0.0/0 certificate=none 
 5 X name="api" port=8728 address=0.0.0.0/0 
 6   name="winbox" port=8291 address=0.0.0.0/0 
IP Firewall Export:
/ip firewall connection tracking
set enabled=yes generic-timeout=10m icmp-timeout=10s tcp-close-timeout=10s \
    tcp-close-wait-timeout=10s tcp-established-timeout=1d \
    tcp-fin-wait-timeout=10s tcp-last-ack-timeout=10s \
    tcp-syn-received-timeout=5s tcp-syn-sent-timeout=5s tcp-syncookie=no \
    tcp-time-wait-timeout=10s udp-stream-timeout=3m udp-timeout=10s
/ip firewall filter
add action=accept chain=forward comment="General Outgoing Access to Gateway" \
    disabled=no out-interface=ether1-Gateway
add action=accept chain=forward comment="Grant Access to Web Server" \
    disabled=no dst-address=10.20.0.253
add action=drop chain=forward comment=\
    "Block General Routing From Gateway to Internal IP Addresses" \
    connection-state=new disabled=no in-interface=ether1-Gateway
add action=drop chain=input comment="Block Outside Web Access" \
    connection-state=new disabled=no dst-port=80 in-interface=ether1-Gateway \
    protocol=tcp
/ip firewall nat
add action=dst-nat chain=dstnat comment="Dest NAT for Web Server" disabled=\
    no dst-address=1.1.1.67 to-addresses=10.20.0.253
add action=src-nat chain=srcnat comment="Src NAT for Web Server" disabled=no \
    src-address=10.20.0.253 to-addresses=1.1.1.67
add action=masquerade chain=srcnat comment=\
    "Hairpin NAT for Web Server  http://wiki.mikrotik.com/wiki/Hairpin_NAT" \
    disabled=no dst-address=10.20.0.253 out-interface=ether4-P2P src-address=\
    10.0.0.0/8
add action=masquerade chain=srcnat comment="Main Outgoing NAT" disabled=no \
    out-interface=ether1-Gateway
/ip firewall service-port
set ftp disabled=no ports=21
set tftp disabled=no ports=69
set irc disabled=no ports=6667
set h323 disabled=no
set sip disabled=no ports=5060,5061
set pptp disabled=no
Last edited by plainlogic on Wed Nov 17, 2010 6:49 am, edited 1 time in total.
 
fewi
Forum Guru
Posts: 7717
Joined: Tue Aug 11, 2009 3:19 am

Re: Issue with Unreplied SSL Connections

Wed Nov 17, 2010 12:48 am

Thanks!

You need to add 1.1.1.67 to the WAN interface on the ISP facing router. Otherwise it will send out the packets NAT'd to that address, but when the ISP router tries to find the ARP mapping for 1.1.1.67 and sends out an ARP request for that address, your router won't respond to it as it doesn't have that address on any of its interfaces, and isn't configured for proxy ARP (which is good, as you don't appear to own that entire /24 - you'd break things pretty badly by turning proxy ARP on). Once you have implemented the IP address - it must be enabled! - the router will respond to ARP requests and the ISP will be able to send traffic for 1.1.1.67 to your router.

It works from the inside because all the NAT rewrites everything to addresses that the router does implement, but those rules don't apply to WAN initiated traffic.

On a sidenote, you tried to hide your real public IPs by editing them down but neglected to edit the network addresses, so the IP can be reconstructed from that. You may want to edit your post to reflect that.
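As an added example (not from this thread, and not MikroTik's own tooling), the script below parses the kind of "/ip address print detail" and "/ip firewall export" output posted above and applies the check described in the reply: every public address that a dst-nat or src-nat rule relies on must exist as an enabled /ip address entry on the WAN interface, otherwise the router never answers the upstream router's ARP request for it and inbound connections sit in "syn sent"/Unreplied. It also flags a forward-chain filter rule that matches on the pre-translation public address of a dst-nat rule, since forward filtering runs after dstnat and such a rule only ever sees the private address. The sample inputs are the redacted outputs from this thread plus one constructed, deliberately wrong filter rule; the parsers are minimal and only handle the output shapes shown here.

```python
import re

# Constructed sample input: the redacted outputs posted in this thread
# (1.1.1.x is the poster's masked public range).
ADDRESS_PRINT_AS_POSTED = """\
 1   address=10.10.2.254/24 network=10.10.2.0 broadcast=10.10.2.255
     interface=ether4-P2P actual-interface=ether4-P2P
 2   ;;; Fixed IP Address - THIS Router
     address=1.1.1.66/24 network=1.1.1.0 broadcast=1.1.1.255
     interface=ether1-Gateway actual-interface=ether1-Gateway
 4 X ;;; Fixed IP Address - Not Used
     address=1.1.1.69/24 network=1.1.1.0 broadcast=1.1.1.255
     interface=ether1-Gateway actual-interface=ether1-Gateway
"""
# The corrected list from the follow-up post adds the web server's public IP.
ADDRESS_PRINT_CORRECTED = ADDRESS_PRINT_AS_POSTED + """\
 6   ;;; Fixed IP Address - Web Server
     address=1.1.1.67/24 network=1.1.1.0 broadcast=1.1.1.255
     interface=ether1-Gateway actual-interface=ether1-Gateway
"""
NAT_EXPORT = """\
/ip firewall nat
add action=dst-nat chain=dstnat comment="Dest NAT for Web Server" disabled=\\
    no dst-address=1.1.1.67 to-addresses=10.20.0.253
add action=src-nat chain=srcnat comment="Src NAT for Web Server" disabled=no \\
    src-address=10.20.0.253 to-addresses=1.1.1.67
add action=masquerade chain=srcnat comment="Main Outgoing NAT" disabled=no \\
    out-interface=ether1-Gateway
"""
# The thread's real forward rule plus a CONSTRUCTED mistaken one for contrast.
FILTER_EXPORT = """\
/ip firewall filter
add action=accept chain=forward comment="Grant Access to Web Server" \\
    disabled=no dst-address=10.20.0.253
add action=accept chain=forward comment="CONSTRUCTED: wrong address" \\
    disabled=no dst-address=1.1.1.67 dst-port=443 protocol=tcp
"""

KV = re.compile(r'([\w-]+)=("[^"]*"|\S+)')


def parse_address_print(text):
    """Parse 'print detail' output: a numbered line (with optional flags such
    as X = disabled) starts an entry; indented lines continue it."""
    entries, cur = [], None
    for line in text.splitlines():
        m = re.match(r"^\s*(\d+)\s+([A-Z]*)\s*(.*)$", line)
        if m:
            cur = {"id": int(m.group(1)), "disabled": "X" in m.group(2)}
            entries.append(cur)
            rest = m.group(3)
        elif cur is not None:
            rest = line
        else:
            continue
        cur.update((k, v.strip('"')) for k, v in KV.findall(rest))
    return entries


def parse_export(text):
    """Parse an export: join '\\'-continued lines, then read each 'add' rule
    into a dict of its key=value parameters."""
    joined, buf = [], ""
    for line in text.splitlines():
        part = line.lstrip() if buf else line
        if part.endswith("\\"):
            buf += part[:-1]
            continue
        joined.append(buf + part)
        buf = ""
    return [dict((k, v.strip('"')) for k, v in KV.findall(l))
            for l in joined if l.startswith("add ")]


def check_nat_addresses(addresses, nat_rules, wan_interface="ether1-Gateway"):
    """Each public IP used by an enabled dst-nat/src-nat rule must be an
    enabled /ip address entry on the WAN interface, or ARP for it fails."""
    local = {a["address"].split("/")[0]: a for a in addresses if "address" in a}
    findings = []
    for r in nat_rules:
        if r.get("disabled") == "yes":
            continue
        public = {"dst-nat": r.get("dst-address"),
                  "src-nat": r.get("to-addresses")}.get(r.get("action"))
        if not public or "/" in public or "-" in public:
            continue  # not a single host address; out of scope here
        entry = local.get(public)
        if entry is None:
            findings.append(f"{r['action']}: {public} is not configured on any "
                            "interface, router will not answer ARP for it")
        elif entry["disabled"]:
            findings.append(f"{r['action']}: /ip address entry for {public} is disabled")
        elif entry.get("interface") != wan_interface:
            findings.append(f"{r['action']}: {public} is on {entry.get('interface')}, "
                            f"not {wan_interface}")
    return findings


def check_filter_sees_translated(filter_rules, nat_rules):
    """Forward filtering happens after dstnat, so a forward rule matching the
    public address of a dst-nat rule can never match the translated packet."""
    public_to_private = {r["dst-address"]: r["to-addresses"] for r in nat_rules
                         if r.get("action") == "dst-nat" and r.get("disabled") != "yes"
                         and "dst-address" in r and "to-addresses" in r}
    return [f"forward rule '{r.get('comment', '')}' matches {r['dst-address']}, "
            f"already rewritten to {public_to_private[r['dst-address']]}"
            for r in filter_rules
            if r.get("chain") == "forward" and r.get("dst-address") in public_to_private]


if __name__ == "__main__":
    nat = parse_export(NAT_EXPORT)
    for label, text in (("as posted", ADDRESS_PRINT_AS_POSTED),
                        ("corrected", ADDRESS_PRINT_CORRECTED)):
        print(label, check_nat_addresses(parse_address_print(text), nat) or "ok")
    print(check_filter_sees_translated(parse_export(FILTER_EXPORT), nat))
```

Run against the list as first posted, the script reports both the dst-nat and the src-nat rule as using an address the router does not hold; against the corrected list (entry 6 present, enabled, on ether1-Gateway) it reports nothing, which is why the reply's diagnosis no longer applied once the omission was found. Only the constructed rule trips the forward-chain check; the thread's own rule correctly matches the private address.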
 
plainlogic
just joined
Topic Author
Posts: 21
Joined: Thu Oct 07, 2010 8:06 pm

Re: Issue with Unreplied SSL Connections

Wed Nov 17, 2010 7:24 am

Thank you! Ya, failed to mask those.

I did make a mistake in one of my printouts. For the IP Address Print Detail readout, I deleted the wrong IP address that was listed (I deleted inapplicable IP addresses). Here is my corrected applicable list:
 1   address=10.10.2.254/24 network=10.10.2.0 broadcast=10.10.2.255 interface=ether4-P2P actual-interface=ether4-P2P 

 2   ;;; Fixed IP Address - THIS Router
     address=1.1.1.66/24 network=1.1.1.0 broadcast=1.1.1.255 interface=ether1-Gateway actual-interface=ether1-Gateway 

 6   ;;; Fixed IP Address - Web Server
     address=1.1.1.67/24 network=1.1.1.0 broadcast=1.1.1.255 interface=ether1-Gateway actual-interface=ether1-Gateway 
Unfortunately, while I can see how that would have created the problem had #6 indeed been missing, it actually is there, so your solution doesn't apply. Sorry for making you look through that with it being incorrect. Any other ideas?

You are also correct in that I have only been assigned 5 public IP addresses on the entire 1.1.1.0/24 subnet. I wish I did have an actual subnet assigned to me, so I could avoid using Dest-NAT altogether.
 
fewi
Forum Guru
Posts: 7717
Joined: Tue Aug 11, 2009 3:19 am

Re: Issue with Unreplied SSL Connections

Wed Nov 17, 2010 3:57 pm

The rest of the router configuration looks good to me. Is it possible that the web server doesn't have a correct default route?
 
plainlogic
just joined
Topic Author
Posts: 21
Joined: Thu Oct 07, 2010 8:06 pm

Re: Issue with Unreplied SSL Connections

Thu Nov 18, 2010 4:55 pm

I think I found the problem. On my central router, the firewall allowed the external IP address through when it should have been allowing the private IP address instead. Looks like I was barking up the wrong tree.

Thanks for the help though!
