I’m going to try to clearly explain the situation, then you can tell me if I’m crazy or not.
PC -------> Site 1 <--[link 1]---> Site 2 <--[link 2]-----> Site 3 <------- Device
I don’t want any subnets on site 3 reaching anything on site 2 or site 1. I do want site 1 and 2 to reach all devices at site 3. So, some simple firewall rules at the site 2 router (on the interface facing link 2):

```
1 ;;; Allow inbound established in
chain=forward action=accept connection-state=established,related
fragment=no src-address-list=src_drop_traffic in-interface=hcn-bridge
log=no log-prefix="keeper"
```
So I want established or related connections coming from site 1 and site 2 to reach site 3. This works if I am at site 2: all PCs at site 2 can reach site 3, and connection tracking info is added to the tracking table appropriately on the router at site 2. None of the site 3 stuff can reach site 1 or 2 stuff. So far so good!
HOWEVER, when a PC at site 1 tries to reach site 3, all traffic coming from site 3 in response to the site 1 request gets DROPPED. I finally figured out that this is BECAUSE an established or related tracking entry is NOT added on site 2’s router for stuff coming from site 1.
I know I must be missing something. I hope it’s a clear example. Possible bug?
Try this:
In IP > Firewall > Connections, click the Tracking button and change enabled to yes. Default is auto. Connection tracking is only required for NAT; it seems MikroTiks track connections anyway, but perhaps not for some scenarios such as your site-through-site connection.
Connection Tracking also only gets applied to packets that go through the pre-routing or output chains. If you’re using an IPSec VPN between sites, then it does go through pre-routing.
For other VPNs, maybe not if the VPN interfaces are bridged and the site-to-site MikroTik does bridge routing. Bridges don’t go through the pre-routing chain unless you’ve enabled use-ip-firewall. Go to Bridge, then click the Settings button and enable use-ip-firewall.
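As an added illustration (not the poster’s config and not MikroTik’s own documentation), this is the stateful forward policy the first post describes combined with the tracking setting suggested in the reply, written for R2’s interface toward link 2; the interface name vpls-link2 and the rule comments are assumed, and the two print commands at the end are the checks that show whether a site 1 flow ever gets a tracking entry on R2.

```routeros
# Connection tracking must be on, or the established/related rule can never
# match. "auto" may switch tracking off when no rule appears to need it.
/ip firewall connection tracking set enabled=yes

/ip firewall filter
# Stateful core: replies belonging to a flow R2 has already tracked are allowed
# back, regardless of which interface they arrive on.
add chain=forward action=accept connection-state=established,related \
    comment="allow replies of tracked flows"
add chain=forward action=drop connection-state=invalid \
    comment="drop packets that belong to no tracked flow"
# Policy on the interface facing link 2 (site 3 side): nothing new may come in.
# vpls-link2 is an assumed interface name.
add chain=forward action=log log-prefix="site3-new" in-interface=vpls-link2 \
    connection-state=new comment="log new flows from site 3 before dropping"
add chain=forward action=drop in-interface=vpls-link2 \
    comment="site 3 may not initiate anything"
# Forward traffic from site 1 and site 2 toward site 3 is left to the default
# accept at the end of the chain.

# Checks for the symptom in the thread: start a ping from a site 1 host to
# 10.0.3.2, then look for the tracking entry on R2. If the entry is missing,
# the site 1 packets are not traversing R2's prerouting chain, so the
# established/related rule above has nothing to match the replies against.
/ip firewall connection print where dst-address~"10.0.3.2"
# The per-rule counters show which rule the returning packets actually hit;
# a rising counter on the drop rule while the established/related counter
# stays flat is the behaviour the first post describes.
/ip firewall filter print stats
```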
Well, this brings in an interesting dynamic because LINK 1 is an MPLS/VPLS connection, but a routed one. I’m not so sure that connection tracking is only for NAT. The nature of the tracking is, I believe, also useful for a stateful firewall, which is what I’m trying to accomplish: by tracking the state of a connection I should be able to block all incoming from a subnet EXCEPT on connections that originate from inside the LAN. And how can we know what connections come from inside the LAN unless they are tracked? I could be wrong, but this is my understanding.
So ultimately the question is: why are packets coming through routed VPLS not getting connection tracked on R2?
Here’s a better overall picture of what we’re looking at. I wonder if because it is a VPLS that is the cause of it not going and getting the connection tracked.
See attached image
[darn phpBB keeps rotating the image to make it difficult to read, hopefully you can see it clearly, and won’t let me resize it]
So anything in LAN2 can reach the device at 10.0.3.2.
Nothing in the 10.0.3.X range can reach LAN 1 or LAN 2. Fantastic! That works.
Nothing in LAN 1 can communicate with anything in 10.0.3.X. NOT because packets don’t reach the 10.0.3.XX devices, but when the 10.0.3.XXX devices respond back, their responses get dropped by the R2 firewall rules. The established/related rule is not working for devices ONLY in LAN1, BUT works great for devices in LAN2.
So the question is: how can we get LAN1 traffic to work to devices in 10.0.3.XXX?
Turned connection tracking on R2 from AUTO to YES. No change.
Tried mangling packets on R2 from in-interface vpls to try to push them into connection tracking (via the prerouting chain). No change.
Mesh just seems like an inelegant solution when routing should work just fine.
None of the interfaces are bridged. Purely trying to do a routed solution here.