Firewall Rules PPPoE vs ethernet-port

RouterOS General
1

Hey,

we run multiple sites which are all set-up coherent (mikrotik as gateway, internet dialed up over pppoe on the mikrotik). All sites are connectec site-to-site via IPSec/L2TP. For this i need mainly two firewall rules:

/ip firewall filter
add action=accept chain=input comment="IPSec & L2TP" dst-port=500,1701 in-interface=pppoe-out1 protocol=udp

/ip firewall nat
add action=accept chain=srcnat comment=IPSec dst-address=192.168.101.0/24 src-address=192.168.15.0/24

However, we do have a new site I want to connect to. In this setup, the internet dial up is happening on a router I don’t have any access to - so I don’t have any PPPoE-Connection on the Mikrotik. Everything is working fine except the site-to-site connection. In this setup the first rule is slightly different and not working:

/ip firewall filter
add action=accept chain=forward comment="IPSec & L2TP" dst-port=500,1701 in-interface=ether5-gateway protocol=udp

As in-interface I configured an ethernet-port and not an PPPoE-connection. The rule isn’t working and I figured already out that it might be related to the ethernet-port. I would have some basic questions to it:

  1. Why are firewall rules on ethernet-ports not working (I considered the difference between chain=forward and chain=input)?
  2. How do I get the connection working? Can i wrap the ethernet-port in some kind of surrogate-pppoe?

Thank you very much in advance :slight_smile:

2

Are you absolutely positive that the “black box router” is transparent regarding udp ports 500 and 1701?

Generally firewall rules don’t care about different ports other than using them as additional match criterion.

3

I thought already about it and tested it out. For that I use a firewall-rule on the Mikrotik:

/ip firewall filter
add action=drop chain=input comment="Drop everything else"

This is the last Firewall-Rule. If the previous posted rule does not work the connection isn’t working. If i disable the rule the:

  • L2TP/IPSec connection is working


  • udp-port scan on the ports 500 & 1701 indicate that the ports are opened.

EDIT: here is the complete firewall configuration:

/ip firewall filter
add action=drop chain=input comment="Drop Invalid connections" connection-state=invalid
add action=accept chain=input comment="Allow Established connections" connection-state=established
add action=accept chain=input comment="ALWAYS ACTIVE!" src-address=10.14.0.0/24
add action=accept chain=input src-address=192.168.14.0/24
add action=accept chain=forward comment="IPSec & L2TP" dst-port=500,1701 in-interface=ether5-gateway protocol=udp
add action=drop chain=input comment="Drop everything else"
/ip firewall nat
add action=accept chain=srcnat comment=IPSec dst-address=192.168.101.0/24 src-address=192.168.14.0/24
add action=masquerade chain=srcnat comment="NAT PPPOE" out-interface=ether5-gateway
4

Just noticed: on the “non-standard” router the accept filter rule is in chain=forward … should be in chain=input if IPsec is terminated on router itself.

5

Thank you for your input. Tried also with chain=input - doesn’t work either. I’m under the impression I didn’t explain the setup good enough:
MT <------------------> Internet <------------------> Blackbox Router (enabled routing) <------------> MT
<L2TP/IPSec -------------------------------------------------------------------------------------------L2TP/IPSec>

6

By router I meant the RB, so the firewall rules should be for chain=input.

Another minor detail: firewall rule

add action=accept chain=input comment="Allow Established connections" connection-state=established

is most often set with connection-state=established**,related**

7

Just a technical one, for L2TP over IPsec, access to UDP port 1701 need not be permitted on intermediate routers because the L2TP transport packets towards port 1701 are transported encrypted, i.e. either inside plain ESP packets or inside ESP payload encapsulated into UDP packets to port 4500.

So on the intermediate routers, the client must be allowed to establish UDP connection to port 500 on server address. If both the client and the server run directly on public adresses and there is no NAT between them, ESP must be permitted between them as well; if at least one of them is running behind a NAT, the client must be allowed to access port 4500 on server address in addition to port 500.

On the server, the situation is different - access to port 1701 has to be permitted in the input chain, but although a common permissive rule is often used for all three ports (500,1701,4500), the 1701 should actually have a dedicated rule with an additional match condition, ipsec-policy=in,ipsec. The reason is that some VPN clients are configured to fall back to plain L2TP with no IPsec encapsulation, and if access to UDP port 1701 is permitted without checking that the packet comes through the tunnel, you can end up with a plaintext L2TP connection.

8

Thank you very much for your detailed reply. I adjusted the configuration of the firewall according to your input and the wiki. I tried to cover all possible IPSec setups with this configartion. Therefore, esp, port 500, port 4500 and port 1701 are configured. The setup described is between MT’s without nat-traversal (directly establish internet connection):

/ip firewall filter
add action=accept chain=input comment="IPSec & L2TP | esp protocol" in-interface=pppoe-out1 protocol=ipsec-esp
add action=accept chain=input comment="IPSec & L2TP | 500 (IPSec Port)" dst-port=500 in-interface=pppoe-out1 protocol=udp
add action=accept chain=input comment="IPSec & L2TP | 4500 (NAT Traversal Port)" dst-port=4500 in-interface=pppoe-out1 protocol=udp
add action=accept chain=input comment="IPSec & L2TP | 1701 (L2TP Port)" dst-port=1701 in-interface=pppoe-out1 ipsec-policy=in,ipsec protocol=udp

/ip firewall nat
add action=accept chain=srcnat comment="IPSec & L2TP" dst-address=192.168.100.0/24 src-address=192.168.101.0/24

Unfortunately, the setup isn’t working. With this configuration, the L2TP-Connetion isn’t established. This is the error log:
initiate new phase (Identity Protection): 172.0.0.1[500]<=>172.0.0.2[500]
phase1 negotation failed due to send error. 172.0.0.1[500]<=>172.0.0.2[500] xxxxxxxxxx
As soon as I remove IPSec policy matcher (in-interface=pppoe-out1) the connection is up and running. Example:

/ip firewall filter
add action=accept chain=input comment="IPSec & L2TP | 1701 (L2TP Port)" dst-port=1701 in-interface=pppoe-out1 protocol=udp

Thank you very much in advance!

9

The log shows that IPsec negotiation has failed. I’m not sure why, as your log is too brief. However, the client falls back to L2TP without an IPsec SA to encrypt it, which is why the tunnel gets up if you remove the restriction to IPsec-encrypted connections from the rule.

So the next step is to find out why IPsec fails.

10

Thank you for your help!
I looked into detail and didn’t find any solution due to the lack of sufficient log infos. However, I eliminated the L2TP and everything is set up as pure IPSec now. Also the NAT-Traversal is working fine and stable with the IPSec connection.
The reason for L2TP/IPSec was that some sites only have a dynamic wan address. This is now settled with IPSec Policy templates. Just in case someone runs into the same problem here is the configuration:

Client with dynamic IP:

/ip ipsec profile
add dh-group=modp1024 enc-algorithm=aes-256 name=profile_nat-traversal
/ip ipsec peer
add address=94.198.xxx.xx/32 comment="local dummy address due to dynamic ISP-IP" local-address=172.16.0.1 name=peer_fh profile=profile_nat-traversal
/ip ipsec proposal
set [ find default=yes ] auth-algorithms=md5 enc-algorithms=aes-128-cbc lifetime=8h
add auth-algorithms=sha256 enc-algorithms=aes-256-cbc lifetime=8h name=proposal_custom
/ip ipsec identity
add auth-method=pre-shared-key-xauth peer=peer_fh xauth-login=fh_chalet
/ip ipsec policy
add comment="with DummyIP" dst-address=192.168.101.0/24 proposal=proposal_custom sa-dst-address=94.198.xxx.xx sa-src-address=172.16.0.1 src-address=192.168.15.0/24 tunnel=yes

/ip address
add address=172.16.0.1 comment="IPSec DummyIP - not pppoe-out Interface" interface=sfp1-gateway network=172.16.0.1

/ip firewall nat
add action=accept chain=srcnat comment=IPSec dst-address=192.168.101.0/24 src-address=192.168.15.0/24

Server with static ip:

/ip ipsec profile
add dh-group=modp1024 enc-algorithm=aes-256 name=profile_nat-traversal
/ip ipsec peer
add comment="dynamic" local-address=94.198.xxx.xx name=peer_dynamic-ip passive=yes profile=profile_nat-traversal send-initial-contact=no
/ip ipsec proposal
set [ find default=yes ] auth-algorithms=md5 enc-algorithms=aes-128-cbc lifetime=8h
add auth-algorithms=sha256 enc-algorithms=aes-256-cbc lifetime=8h name=proposal_custom
/ip ipsec identity
add auth-method=pre-shared-key-xauth generate-policy=port-override peer=peer_dynamic-ip xauth-login=fh_chalet
/ip ipsec policy
add comment="Template" dst-address=192.168.15.0/24 proposal=proposal_custom src-address=192.168.101.0/24 template=yes

/ip firewall filter
add action=accept chain=input comment="IPSec & L2TP | 500 (IPSec Port)" dst-port=500 in-interface=pppoe-out1 protocol=udp
add action=accept chain=input comment="IPSec & L2TP | 4500 (NAT Traversal Port)" dst-port=4500 in-interface=pppoe-out1 protocol=udp

/ip firewall nat
add action=accept chain=srcnat dst-address=192.168.15.0/24 src-address=192.168.101.0/24