Firewall filter after update blocks my L2TP

Hey everyone,
I've updated my router and a new default firewall filter was added:

13    chain=input action=drop in-interface-list=!LAN log=yes log-prefix=""

This rule blocks my L2TP connection when I'm trying to dial in; messages are blocked even when I put it at the bottom of the filter list.
Whenever I disable it the tunnel works fine, but I immediately get SSH attacks.

Update: the log of this rule looks like this.

06:25:36 firewall,info input: in:Port 1 - Wan out:(unknown 0), src-mac 00:00:00:02:02:01, proto UDP, 2.55.28.71:21815->141.226.254.92:500, len 472 
06:25:39 firewall,info input: in:Port 1 - Wan out:(unknown 0), src-mac 00:00:00:02:02:01, proto UDP, 2.55.28.71:21815->141.226.254.92:500, len 472 
06:25:42 firewall,info input: in:Port 1 - Wan out:(unknown 0), src-mac 00:00:00:02:02:01, proto UDP, 2.55.28.71:21815->141.226.254.92:500, len 472 
06:25:45 firewall,info input: in:Port 1 - Wan out:(unknown 0), src-mac 00:00:00:02:02:01, proto UDP, 2.55.28.71:21815->141.226.254.92:500, len 472 
06:25:48 firewall,info input: in:Port 1 - Wan out:(unknown 0), src-mac 00:00:00:02:02:01, proto UDP, 2.55.28.71:21815->141.226.254.92:500, len 472 
06:25:51 firewall,info input: in:Port 1 - Wan out:(unknown 0), src-mac 00:00:00:02:02:01, proto UDP, 2.55.28.71:21815->141.226.254.92:500, len 472 
06:25:53 firewall,info input: in:Port 1 - Wan out:(unknown 0), src-mac 00:00:00:02:02:01, proto TCP (SYN), 216.98.153.227:139->141.226.254.92:139, len 40 
06:25:54 firewall,info input: in:Port 1 - Wan out:(unknown 0), src-mac 00:00:00:02:02:01, proto UDP, 2.55.28.71:21815->141.226.254.92:500, len 472 
06:25:57 firewall,info input: in:Port 1 - Wan out:(unknown 0), src-mac 00:00:00:02:02:01, proto UDP, 2.55.28.71:21850->141.226.254.92:1701, len 97 
06:25:57 firewall,info input: in:Port 1 - Wan out:(unknown 0), src-mac 00:00:00:02:02:01, proto UDP, 2.55.28.71:21850->141.226.254.92:1701, len 64 
06:26:07 firewall,info input: in:Port 1 - Wan out:(unknown 0), src-mac 00:00:00:02:02:01, proto TCP (SYN), 119.10.28.193:52319->141.226.254.92:1433, len 40 
06:26:10 firewall,info input: in:Port 1 - Wan out:(unknown 0), src-mac 00:00:00:02:02:01, proto UDP, 178.78.88.130:23712->141.226.254.92:25516, len 126 
06:26:27 firewall,info input: in:Port 1 - Wan out:(unknown 0), src-mac 00:00:00:02:02:01, proto TCP (SYN), 141.226.154.129:34310->141.226.254.92:23, len 44 
06:26:29 firewall,info input: in:Port 1 - Wan out:(unknown 0), src-mac 00:00:00:02:02:01, proto TCP (SYN), 207.154.214.77:49468->141.226.254.92:10048, len 40 
06:26:42 firewall,info input: in:Port 1 - Wan out:(unknown 0), src-mac 00:00:00:02:02:01, proto 2, 30.0.0.1->224.0.0.1, len 36 
06:26:49 firewall,info input: in:Port 1 - Wan out:(unknown 0), src-mac 00:00:00:02:02:01, proto TCP (SYN), 207.154.214.77:49468->141.226.254.92:10022, len 40 
06:27:27 firewall,info input: in:Port 1 - Wan out:(unknown 0), src-mac 00:00:00:02:02:01, proto TCP (SYN), 207.154.214.77:49468->141.226.254.92:10388, len 40 
06:27:39 firewall,info input: in:Port 1 - Wan out:(unknown 0), src-mac 00:00:00:02:02:01, proto TCP (SYN), 207.154.214.77:49468->141.226.254.92:10326, len 40 
06:27:56 firewall,info input: in:Port 1 - Wan out:(unknown 0), src-mac 00:00:00:02:02:01, proto TCP (SYN), 217.23.7.119:6000->141.226.254.92:139, len 40 
06:27:58 firewall,info input: in:Port 1 - Wan out:(unknown 0), src-mac 00:00:00:02:02:01, proto TCP (SYN), 163.131.47.220:26423->141.226.254.92:23, len 40 
06:28:02 firewall,info input: in:Port 1 - Wan out:(unknown 0), src-mac 00:00:00:02:02:01, proto TCP (SYN), 181.139.184.99:37234->141.226.254.92:23, len 40 
06:28:04 firewall,info input: in:Port 1 - Wan out:(unknown 0), src-mac 00:00:00:02:02:01, proto UDP, 2.55.28.71:21868->141.226.254.92:500, len 472 
06:28:07 firewall,info input: in:Port 1 - Wan out:(unknown 0), src-mac 00:00:00:02:02:01, proto UDP, 2.55.28.71:21868->141.226.254.92:500, len 472 
06:28:10 firewall,info input: in:Port 1 - Wan out:(unknown 0), src-mac 00:00:00:02:02:01, proto UDP, 2.55.28.71:21868->141.226.254.92:500, len 472 
06:28:10 firewall,info input: in:Port 1 - Wan out:(unknown 0), src-mac 00:00:00:02:02:01, proto TCP (SYN), 84.111.139.99:47978->141.226.254.92:22000, len 60 
06:28:13 firewall,info input: in:Port 1 - Wan out:(unknown 0), src-mac 00:00:00:02:02:01, proto UDP, 2.55.28.71:21868->141.226.254.92:500, len 472 
06:28:13 firewall,info input: in:Port 1 - Wan out:(unknown 0), src-mac 00:00:00:02:02:01, proto TCP (SYN), 84.111.139.99:47978->141.226.254.92:22000, len 60 
06:28:16 firewall,info input: in:Port 1 - Wan out:(unknown 0), src-mac 00:00:00:02:02:01, proto UDP, 2.55.28.71:21868->141.226.254.92:500, len 472 
06:28:16 firewall,info input: in:Port 1 - Wan out:(unknown 0), src-mac 00:00:00:02:02:01, proto TCP (SYN), 84.111.139.99:47978->141.226.254.92:22000, len 60 
06:28:19 firewall,info input: in:Port 1 - Wan out:(unknown 0), src-mac 00:00:00:02:02:01, proto UDP, 2.55.28.71:21868->141.226.254.92:500, len 472 
06:28:22 firewall,info input: in:Port 1 - Wan out:(unknown 0), src-mac 00:00:00:02:02:01, proto UDP, 2.55.28.71:21868->141.226.254.92:500, len 472 
06:28:23 firewall,info input: in:Port 1 - Wan out:(unknown 0), src-mac 00:00:00:02:02:01, proto TCP (SYN), 84.111.139.99:47978->141.226.254.92:22000, len 60 
06:28:24 firewall,info input: in:Port 1 - Wan out:(unknown 0), src-mac 00:00:00:02:02:01, proto TCP (SYN), 181.214.87.50:43459->141.226.254.92:3389, len 40 
06:28:25 firewall,info input: in:Port 1 - Wan out:(unknown 0), src-mac 00:00:00:02:02:01, proto UDP, 2.55.28.71:21868->141.226.254.92:500, len 472 
06:28:28 firewall,info input: in:Port 1 - Wan out:(unknown 0), src-mac 00:00:00:02:02:01, proto UDP, 2.55.28.71:21868->141.226.254.92:500, len 472 
06:28:29 firewall,info input: in:Port 1 - Wan out:(unknown 0), src-mac 00:00:00:02:02:01, proto TCP (SYN), 85.93.20.34:52242->141.226.254.92:43387, len 40 
06:28:31 firewall,info input: in:Port 1 - Wan out:(unknown 0), src-mac 00:00:00:02:02:01, proto UDP, 2.55.28.71:21868->141.226.254.92:500, len 472 
06:28:34 firewall,info input: in:Port 1 - Wan out:(unknown 0), src-mac 00:00:00:02:02:01, proto UDP, 2.55.28.71:21909->141.226.254.92:1701, len 64 
06:28:34 firewall,info input: in:Port 1 - Wan out:(unknown 0), src-mac 00:00:00:02:02:01, proto UDP, 2.55.28.71:21909->141.226.254.92:1701, len 97 
06:28:47 firewall,info input: in:Port 1 - Wan out:(unknown 0), src-mac 00:00:00:02:02:01, proto 2, 30.0.0.1->224.0.0.1, len 36 
06:29:01 firewall,info input: in:Port 1 - Wan out:(unknown 0), src-mac 00:00:00:02:02:01, proto TCP (SYN), 77.72.82.98:48597->141.226.254.92:8080, len 40 
06:29:41 firewall,info input: in:Port 1 - Wan out:(unknown 0), src-mac 00:00:00:02:02:01, proto TCP (ACK,PSH), 172.217.16.206:443->141.226.254.92:51656, len 107 
06:29:44 firewall,info input: in:Port 1 - Wan out:(unknown 0), src-mac 00:00:00:02:02:01, proto TCP (ACK,PSH), 216.58.214.65:443->141.226.254.92:46462, len 107 
06:29:44 firewall,info input: in:Port 1 - Wan out:(unknown 0), src-mac 00:00:00:02:02:01, proto TCP (ACK,PSH), 172.217.22.1:443->141.226.254.92:51407, len 107

Can someone better explain this rule to me or give me an idea for a workaround?

Complete view of my firewall rules:

Flags: X - disabled, I - invalid, D - dynamic 
 0    ;;; defconf: drop invalid
      chain=input action=drop connection-state=invalid 

 1    ;;; defconf: drop invalid
      chain=forward action=drop connection-state=invalid 

 2    ;;; defconf:  drop all from WAN not DSTNATed
      chain=forward action=drop connection-state=new connection-nat-state=!dstnat in-interface-list=WAN log=no log-prefix="" 

 3    ;;; defconf: accept in ipsec policy
      chain=forward action=accept log=no log-prefix="" ipsec-policy=in,ipsec 

 4    ;;; defconf: accept out ipsec policy
      chain=forward action=accept log=no log-prefix="" ipsec-policy=out,ipsec 

 5 X  ;;; defconf: fasttrack
      chain=forward action=fasttrack-connection connection-state=established,related log=no log-prefix="" 

 6    ;;; defconf: accept established,related, untracked
      chain=forward action=accept connection-state=established,related,untracked log=no log-prefix="" 

 7    chain=input action=accept protocol=ipsec-ah log=no log-prefix="" 

 8    chain=input action=accept protocol=ipsec-esp log=no log-prefix="" 

 9    chain=input action=accept protocol=tcp dst-port=500 log=no log-prefix="" 

10    chain=input action=accept protocol=tcp dst-port=1701 log=no log-prefix="" 

11    ;;; L2TP\IPsec
      chain=input action=accept protocol=tcp dst-port=4500 log=no log-prefix="" 

12    ;;; defconf: accept established,related,untracked
      chain=input action=accept connection-state=established,related,untracked 

13    chain=input action=drop in-interface-list=!LAN log=yes log-prefix="" 

14    ;;; defconf: accept ICMP
      chain=input action=accept protocol=icmp

Don’t know about this rule; probably it’s a bug, depends on the ROS version. About the SSH attacks: assign defined IP addresses in IP - Services and System - Users. Or use a non-standard port.

I don’t have any SSH service open; I want to know why this rule also blocks SSH attacks.

Another thing: whenever I disable this rule and connect with the tunnel, then enable this rule again while I’m connected to the tunnel, the rule doesn’t block the connection.

It blocks the connection only when I’m trying to connect.

The same rule appeared in my router when I reset it to the default configuration (6.41).
Add your internet connection and L2TP to /interface list for easiest management of your WAN connections.

https://wiki.mikrotik.com/wiki/Manual:Interface/List

It still doesn’t work.
I added the tunnel interface to the LAN list.

The rule’s log looks the same as the one posted above.

Pacmen,

The rule as you’ve quoted it at the beginning of the topic drops any packet that has been received on any interface other than those listed in an interface list named “LAN”. Such a rule should normally be the last one in the chain, whereas the rules which precede it in the chain constitute exceptions to it.

So I’d rather assume that there was an exception rule for the L2TP sessions which has disappeared. So the remedy is to recreate it; for plain L2TP, if I’m not mistaken, you need to set

/ip firewall filter add chain=input protocol=udp dst-port=1701 connection-state=new action=accept

anywhere before the “action=drop” rule above.

For L2TP/IPsec, you need to set

/ip firewall filter add chain=input protocol=udp dst-port=500,1701,4500 connection-state=new action=accept

So if you are still in the command line, use

/ip firewall filter print

to see the number of your “drop” rule in the leftmost column, and when adding one of the rules above, add “place-before=N” to the list of parameters, where N is the number of that “drop” rule. Or merely put “place-before=0” there to put the new rule right at the top of the list; it will work, but if you do that regularly, your rules will be arranged in a messy and thus hard-to-read way.

Now there is probably already some rule like

chain=input connection-state=related,established action=accept

before the “drop” rule, because as you wrote, once the session gets established while the “drop” rule is disabled, re-enabling it does not break the session. This is because the session gets connection-tracked and the accept rule above lets in all packets belonging to already established connections.
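To make the reply’s point concrete, here is an added Python model (not from the thread and not RouterOS code) that parses three lines of the log posted above and runs them through a first-match copy of the OP’s input chain, once as listed and once with the udp exception inserted ahead of the drop rule. The interface-list membership and the “new” connection state are assumptions, since the log carries neither.

```python
import re
from dataclasses import dataclass

# Constructed sample: three lines copied from the log posted in this thread. The
# log carries no conntrack state, so every parsed packet is treated as "new".
LOG = """\
06:25:36 firewall,info input: in:Port 1 - Wan out:(unknown 0), src-mac 00:00:00:02:02:01, proto UDP, 2.55.28.71:21815->141.226.254.92:500, len 472
06:25:57 firewall,info input: in:Port 1 - Wan out:(unknown 0), src-mac 00:00:00:02:02:01, proto UDP, 2.55.28.71:21850->141.226.254.92:1701, len 97
06:26:27 firewall,info input: in:Port 1 - Wan out:(unknown 0), src-mac 00:00:00:02:02:01, proto TCP (SYN), 141.226.154.129:34310->141.226.254.92:23, len 44
"""
LINE_RE = re.compile(r"in:(?P<iface>.+?) out:.*?proto (?P<proto>\w+).*?->[\d.]+:(?P<dport>\d+)")

def parse_log(text):
    pkts = []
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if m:
            pkts.append({"iface": m["iface"], "proto": m["proto"].lower(),
                         "dport": int(m["dport"]), "state": "new"})
    return pkts

@dataclass(frozen=True)
class Rule:
    action: str
    protocol: str = ""                  # "" = any protocol
    dst_ports: frozenset = frozenset()  # empty = any destination port
    states: frozenset = frozenset()     # empty = any connection-state
    in_list: str = ""                   # "!LAN" = interface NOT in list LAN (rule 13)

    def matches(self, pkt, lists):
        ok = ((not self.protocol or pkt["proto"] == self.protocol)
              and (not self.dst_ports or pkt["dport"] in self.dst_ports)
              and (not self.states or pkt["state"] in self.states))
        if ok and self.in_list:
            negate = self.in_list.startswith("!")
            ok = (pkt["iface"] in lists[self.in_list.lstrip("!")]) != negate
        return ok

def verdict(chain, pkt, lists):
    # First matching rule wins; RouterOS accepts when nothing in the chain matches.
    for n, rule in enumerate(chain):
        if rule.matches(pkt, lists):
            return rule.action, n
    return "accept", None

# Input-chain rules 9-13 as the OP listed them: the L2TP/IPsec exceptions say tcp, so UDP 500 and 1701 fall through to the "!LAN" drop.
OP_CHAIN = [
    Rule("accept", protocol="tcp", dst_ports=frozenset({500})),
    Rule("accept", protocol="tcp", dst_ports=frozenset({1701})),
    Rule("accept", protocol="tcp", dst_ports=frozenset({4500})),
    Rule("accept", states=frozenset({"established", "related", "untracked"})),
    Rule("drop", in_list="!LAN"),
]
# The udp exception from the reply, inserted with place-before=N ahead of the drop.
L2TP_FIX = Rule("accept", protocol="udp", dst_ports=frozenset({500, 1701, 4500}), states=frozenset({"new"}))
FIXED_CHAIN = OP_CHAIN[:4] + [L2TP_FIX] + OP_CHAIN[4:]
# Assumed list membership. Adding the tunnel interface to LAN (what the OP tried) cannot help: dial-in packets arrive on "Port 1 - Wan", which stays outside the list.
LISTS = {"LAN": {"bridge", "l2tp-in1"}}

def verdicts(chain, text=LOG, lists=LISTS):
    # Map (proto, dst-port) of each logged packet to the chain's verdict.
    return {(p["proto"], p["dport"]): verdict(chain, p, lists)[0] for p in parse_log(text)}
```

Running `verdicts(OP_CHAIN)` drops all three packets, while `verdicts(FIXED_CHAIN)` accepts UDP 500 and 1701 and still drops the TCP/23 scan.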

I truly, truly have no idea how to start to thank you; I’m breaking my mind for so much time to make this work.

The main issue here is that your establishment rule includes connection-state=new.

My rules:

 9    chain=input action=accept protocol=tcp dst-port=500 log=no log-prefix="" 

10    chain=input action=accept protocol=tcp dst-port=1701 log=no log-prefix="" 

11    ;;; L2TP\IPsec
      chain=input action=accept protocol=tcp dst-port=4500 log=no log-prefix=""

and your beautiful one:

/ip firewall filter add chain=input protocol=udp dst-port=500,1701,4500 connection-state=new action=accept

Thank you so much!

The connection-state=new was not the key here, the protocol=udp instead of your protocol=tcp was.

You may remove those three rules with protocol=tcp you’ve listed (just disable them first to check that you really can) to get back some 0.001% of CPU load wasted on them.

You’re right!
I removed them right away.
Many thanks again!