hAP ac Killing connections from outside

I have my hAP ac set up to forward three ports to my home server remote access card (think IP-based KVM). The problem is, after a while it kills the connection that is used to send and receive data from it, so I have to log back in and start it up again. Below is all the relevant info I can think of. Ports 443, 444 & 2068 are the ports that are needed for it.

/ip firewall nat print
Flags: X - disabled, I - invalid, D - dynamic
 0    ;;; defconf: masquerade chain=srcnat action=masquerade out-interface=ether1 log=no log-prefix=""
 1    chain=dstnat action=dst-nat to-addresses=172.16.6.4 to-ports=80 protocol=tcp in-interface=ether1 src-port=8100 log=no log-prefix=""
 2    chain=dstnat action=dst-nat to-addresses=172.16.6.2 to-ports=9982 protocol=tcp in-interface=ether1 dst-port=9982
 3    chain=dstnat action=dst-nat to-addresses=172.16.6.2 to-ports=9981 protocol=tcp in-interface=ether1 dst-port=9981
 4    chain=dstnat action=dst-nat to-addresses=172.16.6.2 to-ports=22 protocol=tcp in-interface=ether1 dst-port=5631
 5    chain=dstnat action=dst-nat to-addresses=172.16.6.4 to-ports=80 protocol=tcp in-interface=ether1 dst-port=8100
 6    chain=dstnat action=dst-nat to-addresses=172.16.6.3 to-ports=443 protocol=tcp in-interface=ether1 dst-port=443
 7    chain=dstnat action=dst-nat to-addresses=172.16.6.3 to-ports=444 protocol=tcp in-interface=ether1 dst-port=444
 8    chain=dstnat action=dst-nat to-addresses=172.16.6.2 to-ports=45945 protocol=tcp in-interface=ether1 dst-port=45945
 9    chain=dstnat action=dst-nat to-addresses=172.16.6.2 to-ports=18081 protocol=tcp in-interface=ether1 dst-port=18081
10    chain=dstnat action=dst-nat to-addresses=172.16.6.2 to-ports=18080 protocol=tcp in-interface=ether1 dst-port=18080
11    chain=dstnat action=dst-nat to-addresses=172.16.6.3 to-ports=2068 protocol=tcp in-interface=ether1 dst-port=2068
12    chain=dstnat action=dst-nat to-addresses=172.16.6.2 to-ports=32400 protocol=tcp in-interface=ether1 dst-port=32400



/ip firewall filter print
Flags: X - disabled, I - invalid, D - dynamic
 0  D ;;; special dummy rule to show fasttrack counters chain=forward action=passthrough
 1    ;;; defconf: accept ICMP chain=input action=accept protocol=icmp log=no log-prefix=""
 2    ;;; defconf: accept established,related chain=input action=accept connection-state=established,related log=no log-prefix=""
 3    ;;; defconf: fasttrack chain=forward action=fasttrack-connection connection-state=established,related log=no log-prefix=""
 4    ;;; defconf: accept established,related chain=forward action=accept connection-state=established,related log=no log-prefix=""
 5    ;;; defconf: drop invalid chain=forward action=drop connection-state=invalid log=no log-prefix=""
 6    ;;; defconf:  drop all from WAN not DSTNATed chain=forward action=drop connection-state=new connection-nat-state=!dstnat in-interface=ether1 log=no log-prefix=""
 7    chain=input protocol=udp port=1701,500,4500
 8    chain=input protocol=ipsec-esp
 9    chain=input action=drop protocol=udp in-interface=ether1 dst-port=53
10    chain=input action=drop protocol=tcp in-interface=ether1 dst-port=53
11    ;;; drop all from WAN chain=input action=drop in-interface=ether1

Any other information needed and/or any ideas?

Study this example carefully. You’ll need to add fasttrack and ipsec support to it, if you really need that. Keep your input and forward chains separated to make sense of things. Order is important (for each chain), naturally.

/ip firewall filter
add chain=input action=accept connection-state=established,related comment="Accept established related"
add chain=input action=accept in-interface=bridge-LAN comment="Allow LAN access to router and Internet"
add chain=input action=drop comment="Drop all other input"

add chain=forward action=accept connection-state=established,related comment="Accept established related"
add chain=forward action=accept connection-state=new in-interface=bridge-LAN comment="Allow LAN access to router and Internet"
add chain=forward action=accept connection-nat-state=dstnat comment="Allow Port forwards"
add chain=forward action=drop comment="Drop all other forward"

/ip firewall nat
add chain=srcnat action=masquerade out-interface=ether-WAN comment="Default masq"
add chain=dstnat action=dst-nat in-interface=ether-WAN protocol=tcp to-addresses=1.2.3.4 dst-port=123 to-ports=123 comment="Sample Port Forward"
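
The ordering point in the reply above, as an added example that is not part of the original posts: a simplified first-match evaluator in Python, run over the reply's filter rules. The packet dictionaries and the three matchers modelled are assumptions for illustration, not a full RouterOS model.

```python
import shlex

# The reply's filter rules, copied from the post above.
RULES_TEXT = """
add chain=input action=accept connection-state=established,related comment="Accept established related"
add chain=input action=accept in-interface=bridge-LAN comment="Allow LAN access to router and Internet"
add chain=input action=drop comment="Drop all other input"
add chain=forward action=accept connection-state=established,related comment="Accept established related"
add chain=forward action=accept connection-state=new in-interface=bridge-LAN comment="Allow LAN access to router and Internet"
add chain=forward action=accept connection-nat-state=dstnat comment="Allow Port forwards"
add chain=forward action=drop comment="Drop all other forward"
"""
# Only these matchers are modelled (assumption: enough for the rules above).
MATCHERS = ("connection-state", "connection-nat-state", "in-interface")

# Constructed sample packets, described by the properties the rules test.
FORWARDED = {"in-interface": "ether-WAN", "connection-state": "new",
             "connection-nat-state": "dstnat"}
UNSOLICITED = {"in-interface": "ether-WAN", "connection-state": "new"}

def parse_rules(text):
    """Turn 'add key=value ...' lines into dicts, preserving their order."""
    rules = []
    for line in text.strip().splitlines():
        tokens = shlex.split(line)  # keeps quoted comments in one token
        if tokens and tokens[0] == "add":
            rules.append(dict(t.split("=", 1) for t in tokens[1:]))
    return rules

def matches(rule, pkt):
    """A rule matches only if every matcher it sets agrees with the packet."""
    for key in MATCHERS:
        if key in rule:
            negate = rule[key].startswith("!")
            hit = pkt.get(key) in rule[key].lstrip("!").split(",")
            if hit == negate:
                return False
    return True

def evaluate(rules, chain, pkt):
    """First matching rule in the chain decides; no match means accept."""
    for rule in rules:
        if rule["chain"] == chain and matches(rule, pkt):
            return rule.get("action", "accept"), rule.get("comment", "")
    return "accept", "no rule matched"

if __name__ == "__main__":
    rules = parse_rules(RULES_TEXT)
    swapped = [rules[-1]] + rules[:-1]  # same rules, forward drop moved first
    for name, rs in (("as posted", rules), ("drop first", swapped)):
        print(name, evaluate(rs, "forward", FORWARDED), evaluate(rs, "forward", UNSOLICITED))
```

With the rules in the posted order the port-forwarded connection is accepted and the unsolicited one is dropped; with the drop rule moved to the top, both are dropped.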

While I probably still need to fix up my rules, assigning my RAC a static IP instead of DHCP seems to have fixed it. No clue why, nor do I care a whole lot why right now either since I can’t modify the rules until I’m home.