Do I have a firewall or DNS problem?

Hey everyone,
I don’t know if I’m in the right place here, because I don’t know whether it’s a problem with my MikroTik setup, my ISP or just the software I’m using, but let’s start. (And sorry for the wall of text.)
So, to keep it short, here is my network, simplified:
ISP → (DSL) Fritzbox 7490 → (PPPoE) Mikrotik Hex S → Everything else.
Mikrotik Config:

# 2023-10-03 12:10:45 by RouterOS 7.11
# software id = Z7PZ-Z184
#
# model = RB760iGS
# serial number = F94B0F431B04
# Single bridge with VLAN filtering enabled; the "/interface bridge vlan" table
# below decides which port carries which VLAN (tagged or untagged).
/interface bridge
add admin-mac=DC:2C:6E:80:35:99 auto-mac=no igmp-snooping=yes \
    ingress-filtering=no multicast-querier=yes name=bridge vlan-filtering=yes
/interface ethernet
set [ find default-name=sfp1 ] disabled=yes
/interface wireguard
add listen-port=13231 mtu=1420 name=Wireguard
# VBase (VLAN 1) is the untagged/default network; the other four are the
# segmented networks referenced by the DHCP, address and firewall sections.
/interface vlan
add interface=bridge name=VBase vlan-id=1
add interface=bridge name=VDevices vlan-id=20
add interface=bridge name=VGuest vlan-id=99
add interface=bridge name=VIoT vlan-id=30
add interface=bridge name=VMain vlan-id=10
# Interface lists: LAN = TRUST + VLAN. TRUST members get full router access
# (input chain) and full inter-VLAN routing (forward chain); plain VLAN members
# only get the explicit forward accepts further down.
/interface list
add name=WAN
add name=VLAN
add name=TRUST
add comment="TRUST + VLAN" include=TRUST,VLAN name=LAN
/interface lte apn
set [ find default=yes ] ip-type=ipv4
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip pool
add name=base ranges=10.0.0.200-10.0.0.250
add name=guest ranges=10.0.99.2-10.0.99.250
add name=devices ranges=10.0.20.200-10.0.20.250
add name=iot ranges=10.0.30.200-10.0.30.250
add name=main ranges=10.0.10.200-10.0.10.250
/ip dhcp-server
add address-pool=base comment=0 interface=VBase lease-time=12h name=Base
add address-pool=devices comment=20 interface=VDevices lease-time=12h name=\
    Devices
add address-pool=iot comment=30 interface=VIoT lease-time=10m name=IOT
add address-pool=guest comment=99 interface=VGuest lease-time=10m name=Guests
add address-pool=main comment=10 interface=VMain lease-time=12h name=Main
/port
set 0 name=serial0
# PPPoE session to the ISP runs over ether1 (the Fritzbox side) and installs
# the default route; the PPPoE login is redacted.
/interface pppoe-client
add add-default-route=yes allow=pap,chap,mschap2 comment=TelekomDSL disabled=\
    no interface=ether1 name=pppoe-out1 profile=default-encryption user=<pppoe-login>
# Home Assistant API account. The policy grants write, policy and reboot; if
# the integration only needs to read router state, "read,api" would be the
# least privilege. "policy" in particular lets this account edit user groups,
# so a leaked HA token would be a full admin path - TODO confirm what HA needs.
/user group
add name=homeassistant policy="reboot,read,write,policy,test,api,!local,!telne\
    t,!ssh,!ftp,!winbox,!password,!web,!sniff,!sensitive,!romon,!rest-api"
# Port roles (see the bridge vlan table): ether2/3/5 carry VLANs 10/20/30/99
# tagged and VLAN 1 untagged, so an untagged device plugged into them lands on
# VBase, which is a TRUST member. ether4 is an access port on VIoT (pvid 30)
# that only admits untagged frames. ingress-filtering=no on every port means
# RouterOS does not check that the ingress port is a member of the frame's VID.
/interface bridge port
add bridge=bridge ingress-filtering=no interface=ether2
add bridge=bridge ingress-filtering=no interface=ether3
add bridge=bridge frame-types=admit-only-untagged-and-priority-tagged \
    ingress-filtering=no interface=ether4 pvid=30
add bridge=bridge ingress-filtering=no interface=ether5
add bridge=bridge disabled=yes ingress-filtering=no interface=sfp1
# Neighbor discovery is announced on every LAN interface, guest and IoT
# VLANs included.
/ip neighbor discovery-settings
set discover-interface-list=LAN
# IPv6 is disabled globally, so the IPv4 filter below is the only firewall.
/ipv6 settings
set disable-ipv6=yes max-neighbor-entries=8192
/interface bridge vlan
add bridge=bridge tagged=bridge untagged=ether2,ether3,ether5 vlan-ids=1
add bridge=bridge tagged=ether2,bridge,ether5,ether3 vlan-ids=20
add bridge=bridge tagged=ether2,bridge,ether3,ether5 vlan-ids=30
add bridge=bridge tagged=ether2,bridge,ether3,ether5 vlan-ids=99
add bridge=bridge tagged=bridge,ether2,ether3,ether5 vlan-ids=10
# Wireguard is a TRUST member: every peer (redacted below) gets the same
# router and inter-VLAN access as VBase/VMain clients. Both ether1 and the
# PPPoE session are WAN, so the modem-side subnet is treated as outside.
/interface list member
add interface=pppoe-out1 list=WAN
add interface=VDevices list=VLAN
add interface=VGuest list=VLAN
add interface=VIoT list=VLAN
add interface=VBase list=TRUST
add interface=VMain list=TRUST
add interface=Wireguard list=TRUST
add disabled=yes interface=bridge list=TRUST
add interface=VBase list=VLAN
add interface=ether1 list=WAN
# Digest list for the OVPN server still includes md5 (a RouterOS default).
# Nothing in this export enables the OVPN server, so it only matters if it is
# turned on later; sha1 alone would be the tighter setting.
/interface ovpn-server server
set auth=sha1,md5
/interface wireguard peers
<<<All Wireguard Peers>>>
# 192.168.0.2/24 on ether1 is presumably the management address toward the
# Fritzbox; since ether1 is in WAN, LAN->modem traffic is masqueraded by the
# srcnat rule below.
/ip address
add address=10.0.11.1/24 interface=Wireguard network=10.0.11.0
add address=10.0.20.1/24 interface=VDevices network=10.0.20.0
add address=10.0.30.1/24 interface=VIoT network=10.0.30.0
add address=10.0.99.1/24 interface=VGuest network=10.0.99.0
add address=10.0.0.1/24 interface=VBase network=10.0.0.0
add address=10.0.10.1/24 interface=VMain network=10.0.10.0
add address=192.168.0.2/24 interface=ether1 network=192.168.0.0
/ip dhcp-server lease
<<<All devices in my network>>>
# DNS handed out by DHCP: every non-guest network gets 10.0.0.3 (AdGuard, per
# the filter comment) first and the local gateway second, so clients may fall
# back to the router's own resolver when 10.0.0.3 does not answer. Guests get
# 1.1.1.1 directly and never touch AdGuard for DNS.
/ip dhcp-server network
add address=10.0.0.0/24 dns-server=10.0.0.3,10.0.0.1 gateway=10.0.0.1 \
    netmask=24
add address=10.0.10.0/24 dns-server=10.0.0.3,10.0.10.1 gateway=10.0.10.1
add address=10.0.20.0/24 dns-server=10.0.0.3,10.0.20.1 gateway=10.0.20.1
add address=10.0.30.0/24 dns-server=10.0.0.3,10.0.30.1 gateway=10.0.30.1
add address=10.0.99.0/24 dns-server=1.1.1.1 gateway=10.0.99.1
# The router's own resolver forwards to AdGuard; the DNS_active scheduler at
# the end of this export rewrites this value on failure.
/ip dns
set servers=10.0.0.3
# Address lists used by src-address-list matches below. Note: the MQTT forward
# rule matches src-address-list=ESP, which is not defined here (unless it sits
# in a redacted part), so as exported that rule matches nothing.
/ip firewall address-list
add address=10.0.0.0/24 list=BASE
add address=10.0.10.0/24 list=MAIN
add address=10.0.20.0/24 list=DEVICES
add address=10.0.30.0/24 list=IOT
# Input chain order: established/related/untracked -> drop invalid -> ICMP ->
# anything from TRUST -> WireGuard udp/13231 -> drop everything else (logged
# with prefix drop_input). Router services are therefore reachable only from
# TRUST interfaces and the WireGuard port from anywhere.
/ip firewall filter
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid log-prefix=drop_inval
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment="defconf: accept all from LAN" \
    in-interface-list=TRUST
add action=accept chain=input comment=Wireguard dst-port=13231 protocol=udp
add action=drop chain=input comment="drop all else" log-prefix=drop_input
# Forward chain: established flows are fasttracked first, so later rules only
# ever see new connections.
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
    connection-state=established,related hw-offload=yes
add action=accept chain=forward comment=\
    "defconf: accept established,related, untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid log-prefix=drop_f_inval
# TRUST -> LAN: VBase, VMain and WireGuard may reach every VLAN unrestricted.
add action=accept chain=forward in-interface-list=TRUST out-interface-list=\
    LAN
# Any source, guests included, may reach 10.0.0.3 on every protocol and port,
# not only DNS; restricting this to protocol=udp/tcp dst-port=53 would match
# the rule's intent.
add action=accept chain=forward comment="DNS Adguard" dst-address=10.0.0.3
# port="" appears to be an empty match, i.e. DEVICES may reach 10.0.0.2 on any
# TCP port rather than just the media-control service - TODO confirm intent.
add action=accept chain=forward comment="MediaControl for VDevices" \
    dst-address=10.0.0.2 port="" protocol=tcp src-address-list=DEVICES
# Relies on address-list ESP, which is not defined in this export.
add action=accept chain=forward comment=MQTT dst-address=10.0.0.2 port=1883 \
    protocol=tcp src-address-list=ESP
# Every LAN interface, guest and IoT VLANs included, gets internet access.
add action=accept chain=forward in-interface-list=LAN out-interface-list=WAN
# Lets the dst-nat forwards (80/443 -> 10.0.0.2) below through the filter.
add action=accept chain=forward comment="defconf: accept port-forwarding" \
    connection-nat-state=dstnat connection-state=new
add action=drop chain=forward comment="drop everything else" log-prefix=\
    drop_f
# NAT: masquerade toward WAN; 80/443 from WAN are forwarded to the Unraid
# reverse proxy, the Minecraft forward is disabled.
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" \
    ipsec-policy=out,none out-interface-list=WAN
add action=dst-nat chain=dstnat comment="Reverse Proxy for Unraid" dst-port=\
    80,443 in-interface-list=WAN protocol=tcp to-addresses=10.0.0.2
add action=dst-nat chain=dstnat comment=Minecraft disabled=yes dst-port=25565 \
    in-interface-list=WAN protocol=tcp to-addresses=10.0.0.2
/ip firewall service-port
set ftp disabled=yes
# Only ftp and api-ssl are explicitly disabled; the other management services
# keep their defaults and rely on the input chain above to stay TRUST-only.
/ip service
set ftp disabled=yes
set api-ssl disabled=yes
# SNMP is enabled; community settings are not part of this export, so the
# default community applies unless configured elsewhere. Reachable from TRUST
# interfaces only because of the input chain.
/snmp
set enabled=yes
/system clock
set time-zone-name=Europe/Berlin
/system console
set [ find ] disabled=yes
/system leds
set 0 disabled=yes
/system leds settings
set all-leds-off=immediate
/system note
set show-at-login=no
# DNS failover script, every 10 min: if the router resolver points at 10.0.0.3
# and a test lookup through it fails, switch the resolver to 1.1.1.1;
# otherwise probe 10.0.0.3 and switch back once it answers. Only
# router-originated lookups change - DHCP clients keep 10.0.0.3.
# The granted policy (ftp, password, sniff, sensitive, romon, ...) is far wider
# than "/ip dns set" needs; read,write,test would be enough.
# "piholeDNS" is a leftover name: 10.0.0.3 is AdGuard elsewhere in this config.
/system scheduler
add comment="Change DNS Server between Adguard/Cloudflare depending on Adguard\
    \_status" interval=10m name=DNS_active on-event=":local currentDNS [/ip dn\
    s get server]\
    \n:local piholeDNS \"10.0.0.3\"\
    \n:local backupDNS \"1.1.1.1\"\
    \n:local testDomain \"www.google.com\"\
    \n\
    \n:if (\$currentDNS = \$piholeDNS) do={\
    \n    :do {\
    \n        :resolve \$testDomain server=\$piholeDNS\
    \n    } on-error={\
    \n        /ip dns set servers=\$backupDNS\
    \n    }\
    \n} else={\
    \n    :do {\
    \n        :resolve \$testDomain server=\$piholeDNS\
    \n        /ip dns set servers=\$piholeDNS\
    \n    } on-error={}\
    \n}" policy=\
    ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon \
    start-date=2022-02-25 start-time=00:00:00
/system watchdog
set watchdog-timer=no
# MAC-telnet is allowed from every LAN interface, guest and IoT VLANs
# included, while MAC-winbox is limited to TRUST; aligning mac-server on TRUST
# as well removes a management path from the untrusted segments.
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=TRUST
# Uptime probe toward 1.1.1.1 (no on-up/on-down actions configured).
/tool netwatch
add disabled=no host=1.1.1.1 interval=1m timeout=1s type=simple

In my config above you can see I have some VLANs set up, and usually everything works as intended.
But there is one thing I can’t get to work:
My home server is an UnRaid machine (10.0.0.2); on it I run some Docker containers serving various software. One container is Traefik, my reverse proxy. With Traefik I try to get a certificate for my domain example.com (changed for privacy), obtained through a DNS challenge for wildcard certificates.
But for a few weeks now my certificates haven’t been renewed, and I can’t, for the life of me, figure out why (maybe after some updates?).

What i have so far:
Checking the error that Traefik is giving me:

time="2023-10-03T12:26:32+02:00" level=error msg="Unable to obtain ACME certificate for domains \"example.com\": unable to generate a certificate for the domains [example.com]: error: one or more domains had a problem:\n[example.com] [example.com] acme: error presenting token: godaddy: could not find zone for domain \"example.com\" (_acme-challenge.example.com.): could not find the start of authority for _acme-challenge.example.com.: read udp 10.0.0.2:44473->8.8.8.8:53: i/o timeout\n" rule="Host(`example.com`)" providerName=godaddy_acme.acme ACME CA="https://acme-staging-v02.api.letsencrypt.org/directory" routerName=web-secure-plex@file

OK, so this error tells me that it can’t find the zone for my domain (note that the tail of the error, `read udp 10.0.0.2:44473->8.8.8.8:53: i/o timeout`, says the SOA lookup timed out rather than that the zone is missing), so I checked the DNS settings at my registrar’s site and everything there seems fine. Checking my domain on sites like https://www.nslookup.io/ does not give me any errors or hints about where to look.

So let’s do some digging, running this on my main PC (10.0.10.10):

dig example.com @1.1.1.1

; <<>> DiG 9.18.12-0ubuntu0.22.04.1-Ubuntu <<>> example.com @1.1.1.1
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 13785
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
;; QUESTION SECTION:
;example.com.                        IN      A

;; ANSWER SECTION:
example.com.         3600    IN      A       <MY CORRECT IP ADDRESS>

;; Query time: 22 msec
;; SERVER: 1.1.1.1#53(1.1.1.1) (UDP)
;; WHEN: Tue Oct 03 12:36:30 CEST 2023
;; MSG SIZE  rcvd: 59

OK, this seems good so far. Next:

dig soa example.com @1.1.1.1
;; communications error to 1.1.1.1#53: timed out
;; communications error to 1.1.1.1#53: timed out

Aha! Why is this now giving me a timeout? It seems like I have some UDP ports blocked in my firewall? Unfortunately I don’t know.
Here is the same command, going through my phone’s hotspot:

dig soa example.com @1.1.1.1

; <<>> DiG 9.18.12-0ubuntu0.22.04.1-Ubuntu <<>> soa example.com @1.1.1.1
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 29437
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
;; QUESTION SECTION:
;example.com .                        IN      SOA

;; ANSWER SECTION:
example.com .         3600    IN      SOA     ns71.domaincontrol.com. dns.jomax.net. 2023100202 28800 7200 604800 600

;; Query time: 61 msec
;; SERVER: 1.1.1.1#53(1.1.1.1) (UDP)
;; WHEN: Tue Oct 03 12:39:43 CEST 2023
;; MSG SIZE  rcvd: 114

This seems to work fine. So what is causing the issue in my network?
Usually I have AdGuard running on my UnRaid server, but I also tried giving the whole network different DNS servers (1.1.1.1, 8.8.8.8), but no change in the problem.
As I said, everything else works just fine.
Can anybody help me here?

Why do you try to force us to use Pastebin to read something that you could also put here, without using 3rd-party spam?

My bad… I just didn’t want to overload the post with too much code. I edited the original post and put the code directly into the post.

Consider altering your firewall to REJECT (with appropriate ICMP codes), rather than DROP, packets that originate from your LAN. That should ease further debugging.

Rejecting unwanted packets instead of dropping them made no difference. And even when I log all dropped/rejected packets, I can’t find anything useful for my problem.

So I tried taking my MikroTik out of the network entirely, which means my network looked like this:
ISP > (DSL) Fritzbox 7490 > Everything else (for the time being Unraid and my PC).
Et voilà, I could get certificates for my domains, and I got an SOA answer with the dig command.
So it definitely has something to do with my MikroTik setup. But again, what causes the problem?
There is nothing blocked, at least I can’t find anything that is blocked.

I do not see anything obviously wrong in your config, with respect to this issue.

Have you considered that the Fritzbox is doing something shady? I have never handled this device, but some googling turned up this:

I would sniff the traffic leaving the MikroTik’s WAN port to see whether the DNS queries leave it properly. If so, then look into the Fritzbox.

Just for anyone who might have the same problem as me, I found the solution.
It had nothing to do with my Mikrotik setup, nor with my DNS settings or my Domain provider.
The issue was caused by my Fritzbox.
Ironically, everything works fine if it is used as a full modem+router. But if it is used just as a modem with PPPoE passthrough, then it internally blocks some DNS queries. Don’t ask me how or why, but I found someone with the exact same problem (it’s in German):
https://community.ui.com/questions/DNS-SOA-lookups-fail-need-help-to-find-the-cause/466d54ab-e41a-494a-8172-2992ad33b89c

So I just replaced my Fritzbox with a draytek modem and everything works as I want it to work.