First time poster, long time MT/ROS user. Last night, I remoted into a router I had misnamed and performed a reset to repurpose it. Due to my carelessness, I wiped the config on my primary router. Lost all my NAT, port forward, firewall rules, and so on. It shoved me into putting a new design into place so that I could have things isolated a little better.
I have NAT working. I have Port Forwarding working for DNS, but my POP & SMTP seem to refuse the connection and I can’t seem to understand why. A closer look seems to show that only DNS w/ UDP is forwarding, nothing on TCP. I do see the size and packet counters moving up, but I just seem to be missing something. I’ve included a drawing of what I have, and configs of my main router. Thoughts?
[admin@FAY-RTR01] /ip route> print
Flags: X - disabled, A - active, D - dynamic, C - connect, S - static, r - rip, b - bgp, o - ospf, m - mme,
B - blackhole, U - unreachable, P - prohibit
# DST-ADDRESS PREF-SRC GATEWAY DISTANCE
0 A S 0.0.0.0/0 A.B.C.177 1
1 ADC A.B.C.176/29 A.B.C.180 ether2 0
2 ADr 172.16.64.0/18 192.168.10.3 120
3 ADC 192.168.10.0/23 192.168.10.1 vlan_810 0
4 ADr 192.168.100.0/24 192.168.10.2 120
5 ADr 192.168.200.0/24 192.168.10.2 120
[admin@FAY-RTR01] /routing rip route> print
Flags: C - connect, S - static, R - rip, O - ospf, B - bgp
# DST-ADDRESS GATEWAY FROM METRIC TIMEOUT
0 R 172.16.64.0/18 192.168.10.3 2 2m48s
1 R 192.168.10.0/23 1
2 R 192.168.100.0/24 192.168.10.2 2 2m51s
3 R 192.168.200.0/24 192.168.10.2 2 2m51s
[admin@FAY-RTR01] /ip firewall filter> print
Flags: X - disabled, I - invalid, D - dynamic
0 chain=input action=accept
1 ;;; Disallow weird packets
chain=input action=drop connection-state=invalid
2 ;;; Disallow weird packets
chain=forward action=drop connection-state=invalid
3 chain=forward action=accept
[admin@FAY-RTR01] /ip firewall nat> print
Flags: X - disabled, I - invalid, D - dynamic
0 chain=srcnat action=masquerade out-interface=ether2
1 ;;; DNS TCP Forward Rule
chain=dstnat action=dst-nat to-addresses=192.168.100.14 to-ports=53
protocol=tcp dst-address=70.63.80.180 dst-port=53
2 ;;; DNS UDP Forward Rule
chain=dstnat action=dst-nat to-addresses=192.168.100.14 to-ports=53
protocol=udp dst-address=70.63.80.180 dst-port=53
3 ;;; SMTP Forward Rule
chain=dstnat action=dst-nat to-addresses=192.168.100.12 to-ports=25
protocol=tcp dst-address=70.63.80.180 dst-port=25
4 ;;; POP3 Forward Rule
chain=dstnat action=dst-nat to-addresses=192.168.100.12 to-ports=110
protocol=tcp dst-address=70.63.80.180 in-interface=ether2 dst-port=110
5 ;;; IMAP Forward Rule
chain=dstnat action=dst-nat to-addresses=192.168.100.12 to-ports=143
protocol=tcp dst-address=70.63.80.180 dst-port=143
6 ;;; Secure SMTP Forward Rule
chain=dstnat action=dst-nat to-addresses=192.168.100.12 to-ports=465
protocol=tcp dst-address=70.63.80.180 dst-port=465
7 ;;; Secure POP Forward Rule
chain=dstnat action=dst-nat to-addresses=192.168.100.12 to-ports=995
protocol=tcp dst-address=70.63.80.180 dst-port=995
Okay, weird to me how the results are so different from each other. Also, you can see I have logging rules set to email to 192.168.100.12 but it fails as well, “Error connecting to host”.
From FAY-RTR01, I can ping 192.168.100.12 and .14. I can ping from the VLAN_810 interface successfully, and I can do so with a source address of 192.168.10.1.
FAY-RTR02 does not have any firewall rules, just interface and RIP configs. I wonder if that accounts for anything? I can’t really imagine that it could though … here is the export for that. It also gives me an error in the log about the failed emails. The odd thing is that, in VLANs 76, 100, and 200, if I use 192.168.100.12 as my mail server in the email clients, they seem to be okay. I just can’t seem to use my DNS name which resolves to A.B.C.180, or that public IP address, from inside, outside, or anywhere in between.
/interface vlan
add interface=ether1 name=vlan_810 vlan-id=810
add interface=ether1 name=vlan_100 vlan-id=100
add interface=ether1 name=vlan_200 vlan-id=200
/ip hotspot user profile
set [ find default=yes ] idle-timeout=none keepalive-timeout=2m
/ip pool
add name=dhcp_pool1 ranges=192.168.200.100-192.168.200.254
/ip dhcp-server
add address-pool=dhcp_pool1 disabled=no interface=vlan_200 lease-time=12h name=dhcp1
/system logging action
add email-to=192.168.100.12 name=email target=email
/tool user-manager customer
add backup-allowed=yes disabled=no login=admin password="" paypal-accept-pending=no paypal-allowed=no paypal-secure-response=no permissions=owner signup-allowed=no time-zone=-00:00
/ip address
add address=192.168.10.2/23 interface=vlan_810
add address=192.168.100.254/24 interface=vlan_100
add address=192.168.200.1/24 interface=vlan_200
/ip dhcp-server network
add address=192.168.200.0/24 dns-server=192.168.100.2 gateway=192.168.200.1
/ip neighbor discovery
set vlan_810 disabled=yes
set vlan_100 disabled=yes
set vlan_200 disabled=yes
/ip route
add distance=1 gateway=192.168.10.1
/ip service
set telnet disabled=yes
set ftp disabled=yes
set www disabled=yes
set ssh disabled=yes
set winbox address=192.168.100.0/24,192.168.200.0/24,192.168.10.0/23
/routing rip network
add network=192.168.10.0/23
add network=192.168.100.0/24
add network=192.168.200.0/24
/system identity
set name=FAY-RTR02
/system logging
add action=email topics=info
I am not seeing anything that would be causing you problems.
Do you have a full route table on both routers? Why are you using RIP instead of OSPF? Try torching the traffic on your router to see where the traffic is actually making it to and stopping.
It’s good to know that a second set of eyes can’t see anything outstanding on the configs. OSPF wouldn’t propagate the routes for some reason. RIP actually won’t either unless I manually specify its neighbor, then all is well. Would you like a print of both routers’ route tables?
I think the OSPF problem may be related to everything being in VMware. Currently, I have everything in ESX5 w/ vCenter5; maybe there is a limitation in the stack preventing things from working as expected. I do have some plans on extracting things back to physical, but I’m hesitant to until I’m happy with how the setup is. Previously, FAY-RTR02 was handling NAT, Port Forwarding, inter-VLAN routing, and DHCP for VLAN 200. I had mislabeled it, and thought it was my hotspot box. The goal was to reset the hotspot to remove the layer of NAT there; I don’t really feel it has a benefit in this environment. I have rebooted the VM several times; I wonder if I should delete it and re-install, and import the config? If this was a production environment, I would be writing the checks for support already, but seeing that it’s still in testing, I’d rather work all the details out before getting support. Here are the route tables.
FAY-RTR01
Flags: X - disabled, A - active, D - dynamic, C - connect, S - static, r - rip, b - bgp, o - ospf, m - mme,
B - blackhole, U - unreachable, P - prohibit
0 A S dst-address=0.0.0.0/0 gateway=A.B.C.177 gateway-status=A.B.C.177 reachable via ether2 distance=1 scope=30 target-scope=10
1 ADC dst-address=A.B.C.176/29 pref-src=A.B.C.180 gateway=ether2 gateway-status=ether2 reachable distance=0 scope=10
2 ADr dst-address=172.16.64.0/18 gateway=192.168.10.3 gateway-status=192.168.10.3 reachable via vlan_810 distance=120 scope=20 target-scope=10 route-tag=0
3 ADC dst-address=192.168.10.0/23 pref-src=192.168.10.1 gateway=vlan_810 gateway-status=vlan_810 reachable distance=0 scope=10
4 ADr dst-address=192.168.100.0/24 gateway=192.168.10.2 gateway-status=192.168.10.2 reachable via vlan_810 distance=120 scope=20 target-scope=10 route-tag=0
5 ADr dst-address=192.168.200.0/24 gateway=192.168.10.2 gateway-status=192.168.10.2 reachable via vlan_810 distance=120 scope=20 target-scope=10 route-tag=0
FAY-RTR02
Flags: X - disabled, A - active, D - dynamic, C - connect, S - static, r - rip, b - bgp, o - ospf, m - mme, B - blackhole, U - unreachable, P - prohibit
0 A S dst-address=0.0.0.0/0 gateway=192.168.10.1 gateway-status=192.168.10.1 reachable via vlan_810 distance=1 scope=30 target-scope=10
1 ADr dst-address=172.16.64.0/18 gateway=192.168.10.3 gateway-status=192.168.10.3 reachable via vlan_810 distance=120 scope=20 target-scope=10 route-tag=0
2 ADC dst-address=192.168.10.0/23 pref-src=192.168.10.2 gateway=vlan_810 gateway-status=vlan_810 reachable distance=0 scope=10
3 ADC dst-address=192.168.100.0/24 pref-src=192.168.100.254 gateway=vlan_100 gateway-status=vlan_100 reachable distance=0 scope=10
4 ADC dst-address=192.168.200.0/24 pref-src=192.168.200.1 gateway=vlan_200 gateway-status=vlan_200 reachable distance=0 scope=10
What do ya know? I see success. That allows my VLAN200 sources to redirect at FAY-RTR02 to the directly connected VLAN100 that holds the servers vs going up a router, then back down - I guess that is where things were getting crazy.
After the fact I did, as it was my original intention. I was hoping to prove a concept for a tiered model and reduce resources by removing some layers of NAT. I had already set up FAY-RTR03 (.3) with hotspot functioning as expected, so I haven’t mentioned it here. I haven’t tested yet, but I feel it’s a safe assumption that POP/SMTP access also fails for hotspot users without that PF rule? The whole point of the tiered model was to reduce rules like these; I feel like this is more of a workaround than it is a fix? Am I wrong for that?
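The "PF rule" that made things work is the classic hairpin NAT case. A client in VLAN 200 that connects to A.B.C.180 sends its SYN to FAY-RTR02, which routes it up to FAY-RTR01; RTR01 dst-nats it to 192.168.100.12 and hands it back down to RTR02, which delivers it to the server. The server's SYN-ACK is addressed to a 192.168.200.x host, and since that network is directly connected to RTR02, the reply never passes through RTR01's NAT: it arrives at the client with source 192.168.100.12, the client has no socket for that 4-tuple and resets the connection. A single-datagram UDP lookup can survive that asymmetry where a TCP handshake cannot, which matches the "only DNS w/ UDP works" symptom. The configuration below is an added example, not the poster's actual rule and not taken from the thread: it is the shape of a hairpin NAT on FAY-RTR02 for the same ports RTR01 forwards. It assumes the interface and address layout in the FAY-RTR02 export, keeps the thread's own A.B.C.180 placeholder for the public address, and the address-list name `lan-nets` is mine. Hosts behind FAY-RTR03 (172.16.64.0/18) are deliberately left out, because whether their traffic transits RTR02 depends on RTR03's default route, which the thread does not show.

```routeros
# Added example for FAY-RTR02 (not from the thread): hairpin NAT so that LAN
# clients reaching the public address A.B.C.180 (thread placeholder) get a
# reply that returns through this router instead of straight from the server.

/ip firewall address-list
# Networks directly behind FAY-RTR02 that may hairpin (assumed list name).
add list=lan-nets address=192.168.100.0/24 comment="servers VLAN 100"
add list=lan-nets address=192.168.200.0/24 comment="clients VLAN 200"

/ip firewall nat
# Step 1: for LAN sources only, translate the public address to the internal
# server, mirroring the rules FAY-RTR01 applies to Internet sources. to-ports is
# omitted because the destination port is unchanged.
add chain=dstnat src-address-list=lan-nets dst-address=A.B.C.180 protocol=tcp \
    dst-port=25,110,143,465,995 action=dst-nat to-addresses=192.168.100.12 \
    comment="hairpin: mail -> 192.168.100.12"
add chain=dstnat src-address-list=lan-nets dst-address=A.B.C.180 protocol=tcp \
    dst-port=53 action=dst-nat to-addresses=192.168.100.14 \
    comment="hairpin: DNS tcp -> 192.168.100.14"
add chain=dstnat src-address-list=lan-nets dst-address=A.B.C.180 protocol=udp \
    dst-port=53 action=dst-nat to-addresses=192.168.100.14 \
    comment="hairpin: DNS udp -> 192.168.100.14"

# Step 2: srcnat is evaluated after dst-nat, so match on the translated
# destination. Masquerading the client makes the server answer the router's own
# VLAN 100 address, so the reply is un-NATed here and the client sees it come
# from A.B.C.180, the address it actually connected to.
add chain=srcnat src-address-list=lan-nets dst-address=192.168.100.12 protocol=tcp \
    dst-port=25,110,143,465,995 action=masquerade comment="hairpin return: mail"
add chain=srcnat src-address-list=lan-nets dst-address=192.168.100.14 protocol=tcp \
    dst-port=53 action=masquerade comment="hairpin return: DNS tcp"
add chain=srcnat src-address-list=lan-nets dst-address=192.168.100.14 protocol=udp \
    dst-port=53 action=masquerade comment="hairpin return: DNS udp"
```

Two things to keep in mind when deciding whether this is a fix or a workaround. First, the srcnat step hides the real client address from the mail and DNS servers (their logs will show 192.168.100.254 for every hairpinned connection), so the srcnat rules are scoped to exactly the ports that need it rather than applied to all LAN traffic. Second, the VLAN 100 case matters even though the server is on the same subnet: a server replying to a VLAN 100 client goes straight over the switch and bypasses the router entirely, which is why the return path has to be forced through RTR02 with masquerade. The alternative that removes these rules altogether is split-horizon DNS, where the internal resolver on 192.168.100.14 answers the mail host's name with 192.168.100.12 for inside clients; the thread already shows that connecting to the private address works from every VLAN.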