Hi.
I have a Ubiquiti CloudKey running behind a Mikrotik firewall. Works well.
Firewall is set to forward TCP ports 8080, 8443 and 8880, as well as UDP 3478, to the CloudKey's local IP (192.168.1.49).
Need to move the CloudKey to my local LAN, where I also have a Mikrotik router. Have tried to set up the same port forwarding, but external requests to the IP fail. The CloudKey has the same local IP as in the previous setup. The router in my local LAN also handles traffic to my mail server (192.168.1.10).
I have not been able to figure out why the router in my local LAN seems to block the traffic. Hope someone will help. Thanks!
The configs for the working firewall (240) and the one that fails (195) are attached as txt files. Any ideas what I’m doing wrong?
I'm confused by your network.
Do you mean you used to have this:
MODEM---->Router MT1 ----->LAN(server)
and now have this:
MODEM ---->Router MT1 ---->Router MT2 -----> LAN(server)
As anav says, it's not clear what you have and what you'd like to set up. Try to avoid double NAT.
Make a drawing and post your complete configuration (/export hide-sensitive).
Thanks for comments!
Sorry about confusing description.
There are two completely different and separate networks.
Old network has the x.x.x.240 public IP address, an RB433 routerboard and the CloudKey on the LAN side of the 433 board (ether2). This setup works well, but the network will be closed / dismounted soon.
The new network has a public IP of y.y.y.195 and an RB951 unit as a router. The CloudKey will be moved from the old network to the new network. The CloudKey works as expected when I try to connect to it from a PC in the local LAN, but not from the WAN side (the Internet). The new network also has a mail server and some PCs (they work well).
Have attached new config files and a simple drawing of the two (separate) networks: Networks.pdf (68.1 KB), new.txt (7.19 KB), old.txt (4.36 KB)
(1) Don't see any point in these and would remove them!
/ip firewall address-list
add address=66.23.227.156 list=Attack-IPs
…
add address=185.234.219.0/24 list=Attack-IPs
(2) Input chain firewall rules need work. Actually not too bad now that I see some more lower down; keeping them together makes config reading so much easier!!!
Only comment is to ensure they are enabled, not disabled...
/ip firewall filter
add action=drop chain=input comment="defconf: drop all not coming from LAN" disabled=yes in-interface-list=!LAN
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid disabled=yes
(3) Not sure of the purpose of this route... has nothing to do with going out the router...
/ip route
add distance=1 gateway=192.168.1.1
(4) MAC server should be set to none; MAC WinBox server is fine.
(5) I see nothing that should prevent traffic. The problem is that if users on the same LAN wish to get to the server from the LAN, you will need to set up hairpin NAT (loopback).
Much easier just to put the server on its own subnet for example and then the current rules would work.
which should be right after the “fast-track” rule. Fast-track rule doesn’t deal with 100% of packets, some are passed on to other rules to make connection-tracking state current. If you don’t have a matching “non-fasttracking” rule, connections might get dropped.
I suggest you have a look at the default setup (execute /system default-configuration print from a really wide terminal window) and put back the missing rules ... while taking care of rule order. I also suggest you upgrade the ROS version to the latest "long-term", which is 6.47.9 at the time of writing this post ... and do it before updating the firewall configuration to make sure you see the latest (and greatest) default configuration.
Other than that, you may want to adjust your NAT rules to reflect rules from firewall list … e.g. use in-interface-list=WAN instead of in-interface=ether1.
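As an added example (not configuration from the thread, from anav or from mkx), the fragment below shows how the two points above fit together in a RouterOS 6.x configuration: the fasttrack rule followed by the plain accept for established/related traffic that fasttrack hands back to the slow path, the default "drop all from WAN not DSTNATed" rule, the CloudKey port forwards matched on in-interface-list=WAN rather than ether1, and the hairpin NAT pair (anav's point 5) that lets hosts on the LAN reach the CloudKey through the public address. It assumes the default interface lists WAN and LAN exist and that the LAN is 192.168.1.0/24; the CloudKey address and ports are the ones from the first post. The hairpin rules match on dst-address-type=local so no public IP has to be typed in.

```routeros
# Added example, not the thread's own config. Assumes interface lists WAN/LAN
# exist (as in the default configuration) and the LAN is 192.168.1.0/24.
# CloudKey address and ports (192.168.1.49, TCP 8080/8443/8880, UDP 3478)
# are taken from the first post.

/ip firewall filter
# fasttrack first, then a plain accept: fasttrack does not take every packet,
# and the ones it passes on must not fall through to a drop rule
add chain=forward action=fasttrack-connection connection-state=established,related comment="defconf: fasttrack"
add chain=forward action=accept connection-state=established,related comment="defconf: accept established,related"
add chain=forward action=drop connection-state=invalid comment="defconf: drop invalid"
# new connections from the WAN are only allowed when a dstnat rule matched them
add chain=forward action=drop connection-state=new connection-nat-state=!dstnat in-interface-list=WAN comment="defconf: drop all from WAN not DSTNATed"

/ip firewall nat
add chain=srcnat action=masquerade out-interface-list=WAN comment="defconf: masquerade"
# port forwards for the CloudKey, matched on the WAN interface list, not on ether1
add chain=dstnat action=dst-nat to-addresses=192.168.1.49 protocol=tcp dst-port=8080,8443,8880 in-interface-list=WAN comment="CloudKey TCP from WAN"
add chain=dstnat action=dst-nat to-addresses=192.168.1.49 protocol=udp dst-port=3478 in-interface-list=WAN comment="CloudKey STUN from WAN"
# hairpin NAT, part 1: LAN clients that connect to the router's own (public)
# address on the CloudKey ports are dst-natted to the CloudKey as well
add chain=dstnat action=dst-nat to-addresses=192.168.1.49 protocol=tcp dst-port=8080,8443,8880 in-interface-list=LAN dst-address-type=local comment="CloudKey hairpin dstnat"
# hairpin NAT, part 2: rewrite the source so the CloudKey answers via the router;
# otherwise it replies straight to the client from 192.168.1.49 and the client
# discards a reply that does not come from the address it connected to
add chain=srcnat action=masquerade src-address=192.168.1.0/24 dst-address=192.168.1.49 protocol=tcp dst-port=8080,8443,8880 comment="CloudKey hairpin srcnat"
```

Rule order is what matters here: in the filter table the fasttrack and accept pair must sit above the drop rules, and in the NAT table the hairpin dstnat rule only needs to exist in addition to, not instead of, the WAN port forward. The hairpin pair covers TCP only; a LAN client normally does not need the UDP 3478 STUN path through the public address. Putting the CloudKey on its own subnet, as anav suggests, removes the need for the srcnat hairpin rule because the reply then has to pass through the router anyway.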
Thanks for your responses. I’ll work my way through the comments and see if I’m able to get this thing working… Just a few comments…
anav:
(1) The Attack-IPs address list was created in an attempt to block intruder attempts on my mail server. Happened quite often. It worked well on a previous router (ZyXEL), but maybe not on Mikrotik...
Will remove it
(2) /ip firewall filter
add action=drop chain=input comment="defconf: drop all not coming from LAN" disabled=yes in-interface-list=!LAN
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid disabled=yes
These were set to disabled for testing purposes. Guess they should not be disabled…?
(3) Yes, seems strange. Don’t know where it came from.
(4) Don’t know where this setting came from (default setting?). Will set it to none
(5) Have seen the hairpin as a challenge. Tried to set it up (for my mail server) a couple of times without success.
If setting the controller on a separate subnet, should I just add another local IP range to the LAN/bridge interface, or do I need to have the different subnets on separate physical ports? (disclosing my limited TCP/IP knowledge now...)
mkx:
The change of IP does not mean a new ISP (I just moved to a different physical location and have just one public IP; previously I had a /25 network). The access should have no blockings, but will check. Will also upgrade and take a close look at the default settings.