Connection Tracking

Hi Folks,

I am facing a problem which I don't understand.

I have a RouterBOARD 750.

The problem is that whenever I enable connection tracking, my users are not able to open files such as Excel and Word documents on my file server, but when I disable it, my users are not able to connect to the internet.

Any Advice?

Clients will not be able to access the internet because NAT does not work when connection tracking is disabled: masquerade relies on the connection tracking table to map return packets back to the originating client.
http://wiki.mikrotik.com/wiki/Connection_tracking

Most likely there are other rules that prevent clients from opening files on the file server.

Post your firewall and NAT rules.

How to export those rules to a file?

I don't know how to export; will a screenshot do?
NAT.JPG
Mikrotik.JPG

Somewhat of a wild guess, since that screenshot doesn't show much detail — if this doesn't work, post the output of "/ip address print detail", "/ip route print detail", and "/ip firewall export" together with a network diagram.

Your firewall is throwing away return traffic: with connection tracking enabled, reply packets belong to an already established connection, and nothing in your chains accepts them before the drop rules.

Add the rules below and move them (drag and drop in WinBox) to the top of their respective chains:

/ip firewall filter
add chain=forward connection-state=established action=accept
add chain=forward connection-state=related action=accept
add chain=forward connection-state=invalid action=drop
add chain=input connection-state=established action=accept
add chain=input connection-state=related action=accept
add chain=input connection-state=invalid action=drop

This is result for /ip address print detail

Flags: X - disabled, I - invalid, D - dynamic 
 0   ;;; 192.168.2.1
     address=192.168.2.1/24 network=192.168.2.0 broadcast=192.168.2.255 interface=Unsecure actual-interface=Unsecure 

 1   ;;; 10.10.10.1
     address=10.10.10.1/24 network=10.10.10.0 broadcast=10.10.10.255 interface=Outsider actual-interface=Outsider 

 2   ;;; 192.1168.4.1
     address=192.168.4.1/24 network=192.168.4.0 broadcast=192.168.4.255 interface=Super actual-interface=Super 

 3   ;;; 192.168.1.1
     address=192.168.1.1/24 network=192.168.1.0 broadcast=192.168.1.255 interface=Secure actual-interface=Secure 

 4   ;;; Internet
     address=192.168.103.1/24 network=192.168.103.0 broadcast=192.168.103.255 interface=103 actual-interface=103

This is output for /ip route print detail

Flags: X - disabled, A - active, D - dynamic, C - connect, S - static, r - rip, b - bgp, o - ospf, m - mme, B - blackhole, U - unreachable, P - prohibit 
 0 A S  dst-address=0.0.0.0/0 gateway=192.168.103.254 interface=103 gateway-state=reachable distance=1 scope=30 target-scope=10 

 1 ADC  dst-address=10.10.10.0/24 pref-src=10.10.10.1 interface=Outsider distance=0 scope=200 

 2 ADC  dst-address=192.168.1.0/24 pref-src=192.168.1.1 interface=Secure distance=0 scope=10 

 3 ADC  dst-address=192.168.2.0/24 pref-src=192.168.2.1 interface=Unsecure distance=0 scope=10 

 4 ADC  dst-address=192.168.4.0/24 pref-src=192.168.4.1 interface=Super distance=0 scope=10 

 5 ADC  dst-address=192.168.103.0/24 pref-src=192.168.103.1 interface=103 distance=0 scope=10

This is output for /ip firewall export

# jan/02/1970 11:40:18 by RouterOS 3.29
# software id = YD11-G8V0
#
/ip firewall layer7-protocol
add comment="" name=yahoo-messenger regexp="^(ymsg|ypns|yhoo).\?.\?.\?.\?.\?.\?.\?[lwt].*\C0\80"
/ip firewall address-list
add address=192.168.0.0/16 comment="" disabled=no list=All
add address=10.10.10.0/24 comment="" disabled=no list=Outsiders
add address=192.168.1.0/24 comment="" disabled=no list=Secure
add address=192.168.2.0/24 comment="" disabled=no list=Unsecure
add address=192.168.4.0/24 comment="" disabled=no list=Super
add address=192.168.103.0/24 comment="" disabled=no list=Sever
add address=69.63.0.0/16 comment="" disabled=no list=Facebook
add address=192.168.4.7 comment="Fendi Laptop" disabled=no list="Boleh Ym"
add address=192.168.103.252 comment=joseph disabled=no list="Boleh Ym"
add address=66.220.147.22 comment="" disabled=no list=Facebook
add address=192.168.4.6 comment=Joseph disabled=no list="Boleh Internet"
add address=192.168.1.42 comment=Suwendi disabled=no list="Boleh Internet"
add address=192.168.4.7 comment=Fendi disabled=no list="Boleh Internet"
add address=192.168.4.252 comment="Joseph Laptop" disabled=no list="Boleh Internet"
add address=192.168.4.252 comment="" disabled=no list="Boleh Ym"
add address=192.168.1.42 comment=Suwendi disabled=no list="Boleh Internet"
add address=192.168.4.137 comment=Risnawati disabled=no list="Boleh Internet"
add address=192.168.2.12 comment=Yuniana disabled=no list="Boleh Internet"
add address=192.168.2.11 comment="Jony Yeo" disabled=no list="Boleh Internet"
add address=192.168.2.66 comment="Wong - QA" disabled=no list="Boleh Internet"
add address=192.168.2.116 comment="KKLim - QA" disabled=no list="Boleh Internet"
add address=192.168.2.236 comment="CLWei - WC" disabled=no list="Boleh Internet"
add address=192.168.2.61 comment="GBChan - PPMC" disabled=no list="Boleh Internet"
add address=192.168.2.106 comment="TS Loh" disabled=no list="Boleh Internet"
add address=192.168.2.25 comment=Mardanus disabled=no list="Boleh Internet"
/ip firewall connection tracking
set enabled=yes generic-timeout=10m icmp-timeout=30s tcp-close-timeout=10s tcp-close-wait-timeout=1m tcp-established-timeout=5d tcp-fin-wait-timeout=2m \
    tcp-last-ack-timeout=30s tcp-syn-received-timeout=1m tcp-syn-sent-timeout=2m tcp-syncookie=no tcp-time-wait-timeout=2m udp-stream-timeout=3m udp-timeout=30s
/ip firewall filter
add action=accept chain=forward comment="" connection-state=established disabled=no
add action=accept chain=forward comment="" connection-state=related disabled=no
add action=drop chain=forward comment="" connection-state=invalid disabled=no
add action=accept chain=input comment="" connection-state=established disabled=no
add action=accept chain=input comment="" connection-state=related disabled=no
add action=drop chain=input comment="" connection-state=invalid disabled=no
add action=accept chain=forward comment="Yahoo Messenger - Accept" disabled=no layer7-protocol=yahoo-messenger src-address-list="Boleh Ym"
add action=drop chain=forward comment="All To Yahoo Messenger - Block" disabled=no layer7-protocol=yahoo-messenger src-address-list=All
add action=drop chain=forward comment="HTTPS Facebook - Block" connection-state=new disabled=no dst-address-list=Facebook
add action=accept chain=input comment="Super (192.168.4.0) to Router - Telnet -  Accept" disabled=no dst-port=23 protocol=tcp src-address=192.168.4.0/24
add action=accept chain=input comment="Super (192.168.4.0) to Router - PING -  Accept" disabled=no protocol=icmp src-address=192.168.4.0/24
add action=drop chain=input comment="All to Router - Telnet - Block" disabled=no dst-port=23 protocol=tcp
add action=accept chain=forward comment="Super to All - Accept" connection-state=new disabled=no dst-address-list=All src-address-list=Super
add action=accept chain=forward comment="Server to All - Accept" connection-state=new disabled=no dst-address-list=All src-address-list=Sever
add action=accept chain=forward comment="Allow FTP All" disabled=no dst-address=192.168.103.3
add action=accept chain=forward comment="All to webserver - Accept" connection-state=new disabled=no dst-address=192.168.103.2 src-address-list=All
add action=accept chain=forward comment="All to Erp - Accept" connection-state=new disabled=no dst-address=192.168.103.138 src-address-list=All
add action=accept chain=forward comment="All to email - Accept" connection-state=new disabled=no dst-address=192.168.103.5 src-address-list=All
add action=accept chain=forward comment="Secure to Finance Server - Accept" connection-state=new disabled=no dst-address=192.168.103.144 src-address-list=Secure
add action=accept chain=forward comment="All To Artwork - Accept" connection-state=new disabled=no dst-address=192.168.4.143 src-address-list=All
add action=accept chain=forward comment="Secure to Fileserver - Accept" connection-state=new disabled=no dst-address=192.168.103.4 src-address-list=Secure
add action=accept chain=forward comment="fendi to laptop" connection-state=new disabled=yes dst-address=192.168.4.7 src-address=192.168.103.145
add action=drop chain=forward comment="All to Local - Block" connection-state=new disabled=no dst-address-list=All
add action=drop chain=forward comment="All to Outsiders - Block" connection-state=new disabled=no dst-address-list=Outsiders
add action=accept chain=input comment="Fendi to Internet - Accept" disabled=no dst-port=8080 protocol=tcp src-address-list="Boleh Internet"
add action=drop chain=forward comment="All to FTP - Block" disabled=yes dst-port=21 protocol=tcp src-address-list=All
add action=drop chain=input comment="All to Router - PING - Block" disabled=no protocol=icmp
add action=drop chain=input comment="All to Internet - Block" disabled=no dst-port=8080 protocol=tcp src-address=0.0.0.0/0
/ip firewall nat
add action=dst-nat chain=dstnat comment="" disabled=yes dst-port=80 protocol=tcp to-addresses=192.168.103.254 to-ports=80
add action=masquerade chain=srcnat comment="" disabled=no out-interface=103
add action=redirect chain=dstnat comment="" disabled=no dst-port=80 protocol=tcp to-ports=8080
/ip firewall service-port
set ftp disabled=no ports=21
set tftp disabled=no ports=69
set irc disabled=no ports=6667
set h323 disabled=no
set sip disabled=no ports=5060,5061
set pptp disabled=no

And is it working now that you’ve added those rules?

It seems to be working; I will try it and let you know, fewi.

Thanks for your assist.

Update:

It is not working; my users are still facing a timeout problem.

Thanks

Any advice, guys? I'm still stuck here…

Who is trying to reach what, and using which protocol? Post the source and destination IPs.

Make forward rules that accept that traffic explicitly and put them at the top of the chain. Does it work at that point?