When I NAT the VPN interfaces (ether1, pptp and ether2):
ether1 = wan
ppp0 = pptp
ether2 = lan
I masquerade the WAN and PPTP interfaces so that I can NAT to the Internet.
Everything works fine, but when I try to open any HTTPS connection, it times out.
Please help.
acim
April 6, 2012, 9:46pm
Send the output of “/ip firewall export” here.
Here is the output:
# RouterOS firewall export posted with the question: address lists, connection
# tracking, mangle, NAT and service-port helpers. The rules refer to interfaces
# named lan, wan and ppp; the question calls them ether2, ether1 and ppp0 —
# presumably display names, confirm they match what /interface shows.
/ip firewall address-list
# All three entries are disabled=yes and no rule below matches on an address
# list; the mangle rules match src-address=1.0.0.0/8 directly instead.
# NOTE(review): 1.0.0.0/8 is publicly routed address space, not an RFC 1918
# private range, so Internet hosts in that block become unreachable from this
# LAN — verify that this numbering is intentional.
add address=1.0.0.0/8 comment="" disabled=yes list=LAN
add address=10.186.0.0/22 comment="" disabled=yes list=WAN
add address=0.0.0.0 comment="" disabled=yes list=PPP
/ip firewall connection tracking
# Aggressive 10s close/FIN/time-wait timeouts with a 1d established timeout.
# The trailing backslashes are the export's own line continuation.
set enabled=yes generic-timeout=10m icmp-timeout=10s tcp-close-timeout=10s tcp-close-wait-timeout=10s \
tcp-established-timeout=1d tcp-fin-wait-timeout=10s tcp-last-ack-timeout=10s tcp-syn-received-timeout=5s \
tcp-syn-sent-timeout=5s tcp-syncookie=no tcp-time-wait-timeout=10s udp-stream-timeout=3m udp-timeout=10s
/ip firewall mangle
# The packet marks set in this section (proxy-hit, upload, http, https, p2p,
# other, ppp-down, wan-down, download) are not consumed by any rule in this
# export — presumably by queues, which are not shown. Marking alone does not
# change forwarding, so these rules are unlikely to be the direct cause of the
# HTTPS timeout; they do, however, all use passthrough=no on the packet-mark
# rules, so a packet that hits one is not seen by later mangle rules in that
# chain.
add action=mark-packet chain=output comment="Proxy HIT" disabled=no dscp=4 new-packet-mark=proxy-hit out-interface=lan \
passthrough=no
add action=mark-packet chain=prerouting comment="Up Traffic" disabled=no in-interface=lan new-packet-mark=upload \
passthrough=yes src-address=1.0.0.0/8
# A connection carries a single connection mark, so this forward-chain rule
# (src 1.0.0.0/8, i.e. LAN-originated flows) replaces whatever mark the same
# connection was given in prerouting below (http_conn, https_conn, p2p_conn,
# other_conn). The reply on the thread asks what the marks are used for —
# worth confirming that this overwrite is intended.
add action=mark-connection chain=forward comment=Conn-Mark disabled=no new-connection-mark=conn passthrough=yes \
src-address=1.0.0.0/8
# Per-service connection marks, each followed by a packet-mark rule with
# passthrough=no that terminates mangle processing for matching packets.
add action=mark-connection chain=prerouting comment="Connection Mark HTTP" disabled=no dst-port=80 new-connection-mark=\
http_conn passthrough=yes protocol=tcp
add action=mark-packet chain=prerouting comment="Packet Mark HTTP" connection-mark=http_conn disabled=no \
new-packet-mark=http passthrough=no
add action=mark-connection chain=prerouting comment="Connection Mark HTTPS" disabled=no dst-port=443 \
new-connection-mark=https_conn passthrough=yes protocol=tcp
add action=mark-packet chain=prerouting comment="Packet Mark HTTPS" connection-mark=https_conn disabled=no \
new-packet-mark=https passthrough=no
add action=mark-connection chain=prerouting comment="Connection Mark P2P" disabled=no new-connection-mark=p2p_conn p2p=\
all-p2p passthrough=yes
add action=mark-packet chain=prerouting comment="Packet Mark P2P" connection-mark=p2p_conn disabled=no new-packet-mark=\
p2p passthrough=no
# No match criteria: every packet that reached this point (i.e. was not stopped
# by the HTTP/HTTPS/P2P packet-mark rules above) has its connection re-marked
# as other_conn unconditionally.
add action=mark-connection chain=prerouting comment="Connection Mark Other" disabled=no new-connection-mark=other_conn \
passthrough=yes
add action=mark-packet chain=prerouting comment="Packet Mark Other" connection-mark=other_conn disabled=no \
new-packet-mark=other passthrough=no
# Download direction, split by which uplink the packet came in on.
add action=mark-packet chain=forward comment="Down-Direct Connection PPTP" connection-mark=conn disabled=no \
in-interface=ppp new-packet-mark=ppp-down passthrough=no
add action=mark-packet chain=forward comment="Down-Direct Connection Dodear" connection-mark=conn disabled=no \
in-interface=wan new-packet-mark=wan-down passthrough=no
add action=mark-packet chain=output comment="Down-Via Proxy" disabled=no dst-address=1.0.0.0/8 new-packet-mark=download \
out-interface=lan passthrough=no
/ip firewall nat
# Masquerade everything leaving either uplink.
add action=masquerade chain=srcnat comment="" disabled=no out-interface=wan
add action=masquerade chain=srcnat comment="" disabled=no out-interface=ppp
# Security: this redirect has no in-interface (or src-address) match, so TCP/80
# arriving on wan or ppp is also sent to the router's local proxy port 8080,
# which makes the proxy reachable from outside the LAN. Adding
# in-interface=lan, as the reply suggests, limits it to LAN clients. Only port
# 80 is redirected; 443 passes through NAT untouched, so the HTTPS timeout is
# unlikely to originate in this rule. NOTE(review): HTTPS failing while HTTP
# works over a PPTP tunnel is commonly a tunnel MTU/MSS problem, which cannot
# be verified from this export (routing and interface MTUs are not shown).
add action=redirect chain=dstnat comment="" disabled=no dst-port=80 protocol=tcp to-ports=8080
/ip firewall service-port
# Every connection-tracking helper (ALG) is enabled. Each helper inspects
# traffic on its port(s) and can create dynamic related-connection entries, so
# disabling the helpers that are not actually needed (which ones cannot be told
# from this export) reduces the attack surface.
set ftp disabled=no ports=21
set tftp disabled=no ports=69
set irc disabled=no ports=6667
set h323 disabled=no
set sip disabled=no ports=5060,5061
set pptp disabled=no
acim
April 7, 2012, 9:47am
What else do you do with marked HTTPS packets? Is there a reason you mark all these packets?
Your NAT is OK; maybe you should just qualify the third (redirect) rule with in-interface.
I have this exact same problem. With the VPN client disconnected, HTTP and HTTPS NAT fast and happily. When the VPN client comes up, HTTPS traffic has a 30/70 chance of success. I do have a rule forwarding inbound new connections on port 443 to my Exchange server, but this rule is active when the VPN is down and everything works fine, so I don’t think it’s related. In fact, this rule stops working when the VPN goes up, so I need to troubleshoot that as well…
-D
/ip firewall export
jan/07/1970 13:42:07 by RouterOS 5.20
# RouterOS 5.20 firewall export from the second poster: address lists,
# connection tracking, filter, mangle, NAT and service-port helpers.
# NOTE(review): the curly quotes (“ ”) and the connection-tracking 'set' line
# wrapped without a trailing backslash look like forum rendering artifacts; a
# real export uses ASCII double quotes and '\' for continuation. The 1970
# timestamp on the export suggests the router clock is not set, which also
# affects log timestamps and certificate validity checks.
/ip firewall address-list
# None of these lists is referenced by a filter, mangle or NAT rule below; the
# rules match literal addresses (e.g. 192.168.11.35) instead.
add address=192.168.11.35 disabled=no list=emailserver
add address=192.168.11.1 disabled=no list=router
add address=192.168.11.245 disabled=no list=MASTERBLASTER
add address=192.168.11.34 disabled=no list=VDC
add address=192.168.11.36 disabled=no list=NEWVDC
add address=192.168.11.50 disabled=no list=esxhost
add address=10.1.10.1 disabled=no list=“External Cable Modem”
/ip firewall connection tracking
# Same timeouts as the first export (10s close/FIN/time-wait, 1d established).
set enabled=yes generic-timeout=10m icmp-timeout=10s tcp-close-timeout=10s tcp-close-wait-timeout=10s tcp-established-timeout=1d tcp-fin-wait-timeout=10s tcp-last-ack-timeout=10s tcp-syn-received-timeout=5s tcp-syn-sent-timeout=5s tcp-syncookie=no
tcp-time-wait-timeout=10s udp-stream-timeout=3m udp-timeout=10s
/ip firewall filter
# Input chain only — there are no forward-chain rules in this export. Rules are
# evaluated top-down, first match wins, and there is no final catch-all drop, so
# traffic on an interface not named below (and not caught by the state rules)
# falls through to the default accept.
add action=accept chain=input comment=“default configuration - Allow ping from ALL” disabled=no protocol=icmp
# Log TCP/22 and TCP/23 from outside the bridge; the matching drops are further
# down (the “Remove-rendered useless??” rule and the one after it).
add action=log chain=input disabled=no dst-port=22 in-interface=!bridge-local log-prefix=“LOG a Block::” protocol=tcp
add action=log chain=input disabled=no dst-port=23 in-interface=!bridge-local log-prefix=“LOG a Block::” protocol=tcp
# Security: these accept TCP/25, /443 and /80 from sfp1-gateway into the
# router's own input chain, i.e. to whatever the router itself listens on
# (for example www/www-ssl under /ip service, if enabled). They are not needed
# for the dst-nat forwards to the Exchange host below: dst-nat rewrites the
# destination before the routing decision, so that traffic traverses forward,
# not input. Consider removing them unless router services must be reachable
# from the WAN.
add action=accept chain=input disabled=no dst-port=25 in-interface=sfp1-gateway protocol=tcp
add action=accept chain=input disabled=no dst-port=443 in-interface=sfp1-gateway protocol=tcp
add action=accept chain=input disabled=no dst-port=80 in-interface=sfp1-gateway protocol=tcp
add action=accept chain=input comment=“Allow torrents 25482” connection-state=new disabled=no dst-port=25482 in-interface=!bridge-local protocol=tcp
# Inbound new/invalid connections over the VPN tunnels are dropped in the input
# chain only. Because nothing filters the forward chain, a connection arriving
# over a tunnel that matches one of the dst-nat rules below (which have no
# in-interface restriction) is forwarded to the internal host rather than
# dropped here. us1 is the only tunnel that exempts TCP/25482.
add action=log chain=input comment=“Prevent inbound connections from vpn and wan-in” connection-state=new disabled=no dst-port=!25482 in-interface=us1.vpn.giganews.com log-prefix=VPN-IN-Block-US1-New:: protocol=tcp
add action=drop chain=input comment=“Prevent inbound connections from vpn and wan-in” connection-state=new disabled=no dst-port=!25482 in-interface=us1.vpn.giganews.com protocol=tcp
add action=drop chain=input connection-state=invalid disabled=no dst-port=!25482 in-interface=us1.vpn.giganews.com protocol=tcp
add action=drop chain=input connection-state=new disabled=no in-interface=hk1.vpn.giganews.com
add action=drop chain=input connection-state=invalid disabled=no in-interface=hk1.vpn.giganews.com
add action=drop chain=input connection-state=new disabled=no in-interface=uk1.vpn.giganews.com
add action=drop chain=input connection-state=invalid disabled=no in-interface=uk1.vpn.giganews.com
add action=drop chain=input connection-state=new disabled=no in-interface=de1.vpn.giganews.com
add action=drop chain=input connection-state=invalid disabled=no in-interface=de1.vpn.giganews.com
add action=drop chain=input connection-state=new disabled=no in-interface=eu1.vpn.giganews.com
add action=drop chain=input connection-state=invalid disabled=no in-interface=eu1.vpn.giganews.com
add action=drop chain=input connection-state=new disabled=no in-interface=fr1.vpn.giganews.com
add action=drop chain=input connection-state=invalid disabled=no in-interface=fr1.vpn.giganews.com
add action=drop chain=input connection-state=new disabled=no in-interface=us2.vpn.giganews.com
add action=drop chain=input connection-state=invalid disabled=no in-interface=us2.vpn.giganews.com
add action=drop chain=input connection-state=new disabled=no in-interface=us3.vpn.giganews.com
add action=drop chain=input connection-state=invalid disabled=no in-interface=us3.vpn.giganews.com
# Remaining new/invalid from the WAN interface (after the port-specific accepts
# above, which therefore take precedence).
add action=drop chain=input connection-state=new disabled=no in-interface=sfp1-gateway
add action=drop chain=input connection-state=invalid disabled=no in-interface=sfp1-gateway
# Largely redundant with the per-interface new/invalid drops above (hence the
# comment), but still the only rules that drop TCP/22 and /23 arriving on an
# interface that is not listed above and not in the bridge.
add action=drop chain=input comment=“Remove-rendered useless??” disabled=no dst-port=22 in-interface=!bridge-local protocol=tcp
add action=drop chain=input disabled=no dst-port=23 in-interface=!bridge-local protocol=tcp
# State rules come after the per-interface drops, so established/related flows
# on the tunnel and WAN interfaces are accepted here.
add action=accept chain=input comment=“default configuration - Allow established” connection-state=established disabled=no
add action=accept chain=input comment=“default configuration - Allow related” connection-state=related disabled=no
add action=drop chain=input comment=“default configuration - Drop remaining from web” disabled=no in-interface=sfp1-gateway
add action=drop chain=input comment=“default configuration” disabled=no in-interface=ether1-gateway
/ip firewall mangle
# All three rules set the same connection mark (smtp-inbound) for TCP/25, /80
# and /443 arriving on sfp1-gateway; the name is misleading for the HTTP and
# HTTPS rules, and nothing in this export consumes the mark (presumably queues,
# which are not shown).
add action=mark-connection chain=prerouting disabled=no dst-port=25 in-interface=sfp1-gateway new-connection-mark=smtp-inbound passthrough=yes protocol=tcp
add action=mark-connection chain=prerouting connection-state=new disabled=no dst-port=80 in-interface=sfp1-gateway new-connection-mark=smtp-inbound passthrough=yes protocol=tcp
add action=mark-connection chain=prerouting connection-state=new disabled=no dst-port=443 in-interface=sfp1-gateway new-connection-mark=smtp-inbound passthrough=yes protocol=tcp
/ip firewall nat
# 'port=25482' matches either the source or the destination port, so a
# connection whose *source* port happens to be 25482 is also dst-natted to
# .245; 'dst-port=25482' is the intended match. The remark about counters is
# consistent with dst-natted traffic traversing forward, where the input-chain
# accept above never sees it.
add action=dst-nat chain=dstnat comment=“forward utorrent port to 11.254 - Will stop counters on Filter Tab” disabled=no in-interface=!bridge-local port=25482 protocol=tcp src-address=!192.168.11.0/24 to-addresses=192.168.11.245 to-ports=25482
# SMTP forwards restricted to one source address per rule (the seven
# MXGuarddog relays named in the first comment).
add action=dst-nat chain=dstnat comment=“Inbound SMTP to Exchange From MXGuarddog (7 Addresses)” disabled=no dst-port=25 in-interface=sfp1-gateway protocol=tcp src-address=108.166.117.93 to-addresses=192.168.11.35 to-ports=25
add action=dst-nat chain=dstnat disabled=no dst-port=25 in-interface=sfp1-gateway protocol=tcp src-address=174.129.28.137 to-addresses=192.168.11.35 to-ports=25
add action=dst-nat chain=dstnat disabled=no dst-port=25 in-interface=sfp1-gateway protocol=tcp src-address=64.15.147.141 to-addresses=192.168.11.35 to-ports=25
add action=dst-nat chain=dstnat disabled=no dst-port=25 in-interface=sfp1-gateway protocol=tcp src-address=222.229.219.209 to-addresses=192.168.11.35 to-ports=25
add action=dst-nat chain=dstnat disabled=no dst-port=25 in-interface=sfp1-gateway protocol=tcp src-address=216.58.39.211 to-addresses=192.168.11.35 to-ports=25
add action=dst-nat chain=dstnat disabled=no dst-port=25 in-interface=sfp1-gateway protocol=tcp src-address=184.107.58.155 to-addresses=192.168.11.35 to-ports=25
add action=dst-nat chain=dstnat disabled=no dst-port=25 in-interface=sfp1-gateway protocol=tcp src-address=174.142.104.48 to-addresses=192.168.11.35 to-ports=25
# Security, and the HTTPS symptom described in the post: unlike the SMTP rules,
# these two have no in-interface match, so they apply to TCP/443 and /80
# arriving on *any* interface from a non-192.168.0.0/16 source — including the
# VPN tunnels and the 10.1.10.1 cable-modem side — and no forward-chain filter
# stops that traffic. Restricting both with in-interface=sfp1-gateway (as the
# earlier reply suggested for the first poster's redirect rule) narrows the
# exposure. A plausible but unconfirmed reason the forward stops working when
# a tunnel is up (routing is not in this export): replies from 192.168.11.35
# follow the default route over the tunnel instead of back out sfp1-gateway.
add action=dst-nat chain=dstnat comment=“Inbound SSL for Exchange” disabled=no dst-port=443 protocol=tcp src-address=!192.168.0.0/16 to-addresses=192.168.11.35 to-ports=443
add action=dst-nat chain=dstnat comment=“Inbound HTTP for Exchange” disabled=no dst-port=80 protocol=tcp src-address=!192.168.0.0/16 to-addresses=192.168.11.35 to-ports=80
# One masquerade per VPN tunnel interface.
add action=masquerade chain=srcnat comment=“VPN DEF NAT RULE” disabled=no out-interface=us1.vpn.giganews.com
add action=masquerade chain=srcnat comment=“VPN DEF NAT RULE” disabled=no out-interface=us2.vpn.giganews.com
add action=masquerade chain=srcnat comment=“VPN DEF NAT RULE” disabled=no out-interface=hk1.vpn.giganews.com
add action=masquerade chain=srcnat comment=“VPN DEF NAT RULE” disabled=no out-interface=uk1.vpn.giganews.com
add action=masquerade chain=srcnat comment=“VPN DEF NAT RULE” disabled=no out-interface=fr1.vpn.giganews.com
add action=masquerade chain=srcnat comment=“VPN DEF NAT RULE” disabled=no out-interface=eu1.vpn.giganews.com
add action=masquerade chain=srcnat comment=“VPN DEF NAT RULE” disabled=no out-interface=us3.vpn.giganews.com
add action=masquerade chain=srcnat comment=“VPN DEF NAT RULE” disabled=no out-interface=de1.vpn.giganews.com
# action=log in srcnat fires once per new connection leaving sfp1-gateway (NAT
# rules see only a connection's first packet); noisy but harmless, and useful
# while diagnosing which uplink a flow actually leaves on.
add action=log chain=srcnat comment=“default configuration” disabled=no log-prefix=“masq-sfp1?::” out-interface=sfp1-gateway
add action=masquerade chain=srcnat comment=“default configuration” disabled=no out-interface=sfp1-gateway
add action=masquerade chain=srcnat comment=“default configuration” disabled=no out-interface=ether1-gateway
/ip firewall service-port
# Every connection-tracking helper (ALG) is enabled, SIP with direct media. Each
# helper inspects traffic on its port(s) and can create dynamic
# related-connection entries, so disable the ones not in use (which ones are
# needed cannot be told from this export).
set ftp disabled=no ports=21
set tftp disabled=no ports=69
set irc disabled=no ports=6667
set h323 disabled=no
set sip disabled=no ports=5060,5061 sip-direct-media=yes
set pptp disabled=no