7.6 Address List Isn't Processing Accept Rule

Greetings Mikrotik Forum!

I have a really strange problem with what should be a simple set of firewall rules. I have a CCR1036-12G-4S running RouterOS 7.6. This is a brand new router that I’m installing into a new remote site. After initial config, I started to set up a GRE tunnel back to the main office, and during testing I discovered that this new router could not ping either of its own local IPv4 addresses, though pinging across the tunnel works. Further testing showed that if I disabled my last input firewall rule, which says to drop everything else, then pinging the local address started working. However, I have already allowed the local address ranges via an address list and an accept filter rule that calls the address list. For some reason the firewall rule that calls the safe list isn’t processing when I ping to the router’s own interfaces.

Here is my IP address configuration:

add address=10.12.0.200/16 interface=Bridge network=10.12.0.0
add address=172.17.12.2/30 interface="GRE Tunnel" network=172.17.12.0

The local IP address assigned to the router is 10.12.0.200. The local IP address assigned to the GRE tunnel is 172.17.12.2. Here is what happens when I ping with the last input rule enabled:

> ping 172.17.12.2
  SEQ HOST                                     SIZE TTL TIME       STATUS                                                                                                    
    0 172.17.12.2                                                  timeout                                                                                                   
    1 172.17.12.2                                                  timeout                                                                                                   
    2 172.17.12.2                                                  timeout                                                                                                   
    3 172.17.12.2                                                  timeout                                                                                                   
    4 172.17.12.2                                                  timeout                                                                                                   
    sent=5 received=0 packet-loss=100%
> ping 10.12.0.200
  SEQ HOST                                     SIZE TTL TIME       STATUS                                                                                                    
    0 10.12.0.200                                                  timeout                                                                                                   
    1 10.12.0.200                                                  timeout                                                                                                   
    2 10.12.0.200                                                  timeout                                                                                                   
    3 10.12.0.200                                                  timeout                                                                                                   
    4 10.12.0.200                                                  timeout                                                                                                   
    sent=5 received=0 packet-loss=100%

My firewall rules look like this, both the filter list and the address list:

/ip firewall address-list
add address=10.0.0.0/12 comment="Network safe" list=safe
add address=XXX.YYY.118.11 comment="IP for VPN Access" list=safe
add address=AAA.BBB.78.0/29 comment="Allow Access from Public IPs" list=safe
add address=192.168.18.0/24 comment="Network safe" list=safe
add address=159.148.147.204 comment="download.mikrotik.com for router updates" list=safe
add address=159.148.172.226 comment="download.mikrotik.com for router updates" list=safe
add address=192.168.20.0/24 comment="Network safe" list=safe
add address=192.168.22.0/24 comment="Network safe" list=safe
add address=192.168.23.0/24 comment="Network safe" list=safe
add address=172.16.0.0/12 comment="Network safe" list=safe
/ip firewall filter
add action=accept chain=forward comment="Allow Established and Related Connections" connection-state=established,related
add action=drop chain=forward comment="Drop invalid connections" connection-state=invalid
add action=accept chain=forward comment="Allow addresses in safe list to forward" src-address-list=safe
add action=accept chain=forward comment="Allow local devices to forward" in-interface=Bridge
add action=drop chain=forward comment="Block all remaining forwards (last forward rule)"
add action=accept chain=input comment="Allow Established and Related Connections" connection-state=established,related
add action=drop chain=input comment="Drop invalid connections" connection-state=invalid
add action=accept chain=input comment="Allow local devices access to this router" in-interface=Bridge
add action=accept chain=input comment="Allow safe list" src-address-list=safe
add action=drop chain=input comment="Block all remaining input (last input rule)"

Using the terminal I also confirmed both local IPs are included in the safe list:

/ip/firewall/address-list> print where 172.17.12.2 in address
Columns: LIST, ADDRESS, CREATION-TIME
# LIST  ADDRESS        CREATION-TIME       
;;; Network safe
0 safe  172.16.0.0/12  dec/22/2022 16:59:14
/ip/firewall/address-list> print where 10.12.0.200 in address
Columns: LIST, ADDRESS, CREATION-TIME
# LIST  ADDRESS      CREATION-TIME       
;;; Network safe
1 safe  10.0.0.0/12  dec/13/2022 16:57:17

I don’t understand why the rule add action=accept chain=input comment="Allow safe list" src-address-list=safe isn’t allowing the router to ping itself. If that particular address isn’t processing, are the rest of my safe list addresses not working? Have I found a bug, or am I missing some configuration?

Any help with this matter would be greatly appreciated.
Thank you

Add the log on the drop rule and read what is written on the log when you ping.

Here is the log of the last input firewall rule during the pings:

Dec/27/2022 11:39:45 firewall,info Drop input:  input: in:(unknown 1) out:(unknown 0), connection-state:new,snat proto ICMP (type 8, code 0), XXX.YYY.118.75->172.17.12.2, NAT (172.17.12.2->XXX.YYY.118.75)->172.17.12.2, len 56
Dec/27/2022 11:39:46 firewall,info Drop input:  input: in:(unknown 1) out:(unknown 0), connection-state:new,snat proto ICMP (type 8, code 0), XXX.YYY.118.75->172.17.12.2, NAT (172.17.12.2->XXX.YYY.118.75)->172.17.12.2, len 56
Dec/27/2022 11:39:47 firewall,info Drop input:  input: in:(unknown 1) out:(unknown 0), connection-state:new,snat proto ICMP (type 8, code 0), XXX.YYY.118.75->172.17.12.2, NAT (172.17.12.2->XXX.YYY.118.75)->172.17.12.2, len 56
Dec/27/2022 11:39:48 firewall,info Drop input:  input: in:(unknown 1) out:(unknown 0), connection-state:new,snat proto ICMP (type 8, code 0), XXX.YYY.118.75->172.17.12.2, NAT (172.17.12.2->XXX.YYY.118.75)->172.17.12.2, len 56
Dec/27/2022 11:39:49 firewall,info Drop input:  input: in:(unknown 1) out:(unknown 0), connection-state:new,snat proto ICMP (type 8, code 0), XXX.YYY.118.75->172.17.12.2, NAT (172.17.12.2->XXX.YYY.118.75)->172.17.12.2, len 56
Dec/27/2022 11:39:52 firewall,info Drop input:  input: in:(unknown 1) out:(unknown 0), connection-state:new,snat proto ICMP (type 8, code 0), XXX.YYY.118.75->10.12.0.200, NAT (10.12.0.200->XXX.YYY.118.75)->10.12.0.200, len 56
Dec/27/2022 11:39:53 firewall,info Drop input:  input: in:(unknown 1) out:(unknown 0), connection-state:new,snat proto ICMP (type 8, code 0), XXX.YYY.118.75->10.12.0.200, NAT (10.12.0.200->XXX.YYY.118.75)->10.12.0.200, len 56
Dec/27/2022 11:39:54 firewall,info Drop input:  input: in:(unknown 1) out:(unknown 0), connection-state:new,snat proto ICMP (type 8, code 0), XXX.YYY.118.75->10.12.0.200, NAT (10.12.0.200->XXX.YYY.118.75)->10.12.0.200, len 56
Dec/27/2022 11:39:55 firewall,info Drop input:  input: in:(unknown 1) out:(unknown 0), connection-state:new,snat proto ICMP (type 8, code 0), XXX.YYY.118.75->10.12.0.200, NAT (10.12.0.200->XXX.YYY.118.75)->10.12.0.200, len 56
Dec/27/2022 11:39:56 firewall,info Drop input:  input: in:(unknown 1) out:(unknown 0), connection-state:new,snat proto ICMP (type 8, code 0), XXX.YYY.118.75->10.12.0.200, NAT (10.12.0.200->XXX.YYY.118.75)->10.12.0.200, len 56

Thanks

Looking at the firewall log, it appears the traffic for internal and for the GRE tunnel is being natted. I don’t know why this might be the case, but I was able to fix it by adding two NAT accept rules:

add action=accept chain=srcnat comment="Don't NAT private IPs" dst-address=10.0.0.0/8 src-address=10.12.0.0/16
add action=accept chain=srcnat comment="Don't NAT GRE Tunnel Traffic" dst-address=172.17.12.0/30 src-address=172.17.12.2

I don’t understand why I need these rules, but these rules appear to have fixed the issue.

Aha, I figured out the weirdness. Our NAT masquerade rule did not specify any addresses or interfaces, so it was trying to NAT everything. The rule used to be:

add action=masquerade chain=srcnat

I fixed it by changing it to:

add action=masquerade chain=srcnat comment="NAT for public internet" out-interface="ether1"

Mystery solved.
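Added example, not part of the thread and not MikroTik code: a small Python model of the packet path the log lines above describe. A router-originated echo request to one of the router's own addresses goes through srcnat first, loops back, and is only then judged by the input chain. With the original "add action=masquerade chain=srcnat" (no matcher) the source has already been rewritten to the public address, which is not in the safe list, so the last input rule drops it; with out-interface=ether1 the loopback packet is untouched and "Allow safe list" matches. The public addresses the thread masks as XXX.YYY.* and AAA.BBB.* are replaced by constructed TEST-NET values, and the model assumes masquerade rewrites the source to the router's public address.

```python
"""Model of the thread's srcnat + input chain for a router self-ping."""
import ipaddress
from dataclasses import dataclass, replace
from typing import Optional, Tuple

# Constructed stand-ins (TEST-NET ranges) for the addresses masked in the thread.
PUBLIC_IP = "203.0.113.75"           # router's public address on ether1 (XXX.YYY.118.75)
VPN_PEER = "203.0.113.11"            # stands in for XXX.YYY.118.11
PUBLIC_MGMT_NET = "198.51.100.0/29"  # stands in for AAA.BBB.78.0/29

# The thread's "safe" address list with the masked entries substituted.
SAFE_LIST = [
    "10.0.0.0/12", VPN_PEER, PUBLIC_MGMT_NET, "192.168.18.0/24",
    "159.148.147.204", "159.148.172.226", "192.168.20.0/24",
    "192.168.22.0/24", "192.168.23.0/24", "172.16.0.0/12",
]


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    in_iface: Optional[str]   # None for packets the router generates itself
    out_iface: Optional[str]  # None for packets that terminate on the router
    snat: bool = False        # True once srcnat rewrote the source


def in_address_list(addr: str, entries) -> bool:
    """Same test as src-address-list: some entry (host or CIDR) contains addr."""
    ip = ipaddress.ip_address(addr)
    return any(ip in ipaddress.ip_network(e, strict=False) for e in entries)


def srcnat_chain(pkt: Packet, masq_out_iface: Optional[str]) -> Packet:
    """The single masquerade rule.

    masq_out_iface=None models the original 'add action=masquerade chain=srcnat':
    with no matcher it matches every packet the chain sees, including the
    router's own ping to itself. Assumption: masquerade rewrites the source to
    the router's public address (the log shows exactly that rewrite).
    """
    if masq_out_iface is None or pkt.out_iface == masq_out_iface:
        return replace(pkt, src=PUBLIC_IP, snat=True)
    return pkt


def input_chain(pkt: Packet) -> Tuple[str, str]:
    """The thread's input chain for a new connection, in rule order.

    The established/related and invalid rules cannot match a first echo
    request, so they are omitted from the model.
    """
    if pkt.in_iface == "Bridge":
        return "accept", "Allow local devices access to this router"
    if in_address_list(pkt.src, SAFE_LIST):
        return "accept", "Allow safe list"
    return "drop", "Block all remaining input (last input rule)"


def self_ping(local_addr: str, masq_out_iface: Optional[str]) -> Tuple[str, str, str]:
    """Router pings one of its own addresses.

    Returns (verdict, matching rule comment, source address the input chain saw).
    """
    # Locally generated, destined to the router itself: no real in/out interface,
    # which is the "in:(unknown 1) out:(unknown 0)" seen in the log.
    pkt = Packet(src=local_addr, dst=local_addr, in_iface=None, out_iface=None)
    pkt = srcnat_chain(pkt, masq_out_iface)
    verdict, rule = input_chain(pkt)
    return verdict, rule, pkt.src


def lan_to_internet(src: str, dst: str, masq_out_iface: Optional[str]) -> bool:
    """A LAN host's packet forwarded out ether1: masqueraded under both rules,
    which is why restricting masquerade to ether1 does not break Internet access."""
    pkt = Packet(src=src, dst=dst, in_iface="Bridge", out_iface="ether1")
    return srcnat_chain(pkt, masq_out_iface).snat


if __name__ == "__main__":
    for label, masq in (("masquerade without out-interface", None),
                        ("masquerade out-interface=ether1", "ether1")):
        print(f"== {label} ==")
        for addr in ("172.17.12.2", "10.12.0.200"):
            verdict, rule, seen_src = self_ping(addr, masq)
            print(f"ping {addr}: input saw src={seen_src} -> {verdict} ({rule})")
        print("LAN host to Internet natted:", lan_to_internet("10.12.0.50", "192.0.2.1", masq))
```

Run it as a script to see both configurations side by side; the dropped case shows the input chain evaluating the public address rather than 172.17.12.2 or 10.12.0.200, which is why "print where ... in address" on the address list looked correct while the rule still never matched.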

Lately I see more and more frequently the use of the src-nat rule without specifying interfaces. I don't know why this is so popular.

I don’t know if the masquerade rule was from the default config, or just a mistake when the router was originally configured. I also don’t understand why that is popular.