Looking for help routing connection A to connection B

Hello…

I’m having a problem I’m hoping you can help me sort out. Things were working fine, up until I replaced a server on a client network, then things went wonky.

This is for a CCR1016-12G, Factory Firmware 3.09. Current Firmware 7.18.

Port 1 is the interface to WAN
Port 3 is my office network (172.16.0.x)
Port 4 is a client network (192.168.1.x)

Previously, I had configured and been able to communicate from my network to the client network to pull nightly backups and manage computers/resources on their network remotely. After changing out one of the servers, that changed - although the server was put at the same IP as the replaced unit. Machines on the inside of the client office are able to connect to the internet, and to the new fileserver.

When I returned to the office I was no longer able to ping the fileserver - or other machines on their network. Hmmm… I looked at updates/upgrades and performed them on the router - no change in behavior. However, I noted an interesting quirk: The fileserver and other machines (although not all) had 00:00:00:00:00:00:00:00 MAC addresses now, even after a second reboot of the Mikrotik.

Any thoughts on (a) what may have changed; (b) the oddity of the missing MAC addresses (is this related to being unable to talk to the devices on their network?)

I’ve provided the output from /ip firewall filter for your consideration… Entry 19 is the affected network on the client end.

Thank you in advance for your help. Sadly, I suffered a couple of strokes in the last couple of years and while I still (partially) work in the industry, frankly my brain’s a little scrambled.

0 D ;;; special dummy rule to show fasttrack counters
chain=forward action=passthrough

1 chain=input action=accept protocol=icmp log-prefix=“”

2 chain=input action=accept connection-state=established log-prefix=“”

3 chain=input action=accept connection-state=related log-prefix=“”

4 chain=input action=drop in-interface=ether1-gateway log-prefix=“”

5 chain=forward action=accept connection-state=established log-prefix=“”

6 chain=forward action=accept connection-state=related log-prefix=“”

7 chain=forward action=drop connection-state=invalid log-prefix=“”

8 chain=forward action=accept connection-state=established in-interface=ether1-gateway log-prefix=“”

9 ;;; Accept Established / Related Input
chain=input connection-state=established,related

10 ;;; Allow Management Input
chain=input action=accept src-address=172.16.0.0/16 log=no log-prefix=“”

11 ;;; Drop Input
chain=input action=drop log=yes log-prefix=“Input Drop”

12 ;;; Fast Track Established / Related Forward
chain=forward action=fasttrack-connection hw-offload=yes connection-state=established,related

13 ;;; Accept Established / Related Forward
chain=forward connection-state=established,related

14 ;;; Allow client LAN traffic out WAN
chain=forward action=accept src-address=192.168.1.0/24 out-interface=ether1-gateway log=no log-prefix=“”

15 ;;; Allow client LAN traffic out WAN
chain=forward src-address=192.168.10.0/24 out-interface=ether1-gateway

16 ;;; Allow client LAN traffic out WAN
chain=forward src-address=192.168.0.0/24 out-interface=ether1-gateway

17 ;;; Allow client LAN traffic out WAN
chain=forward src-address=172.16.0.0/16 out-interface=ether1-gateway

18 ;;; Drop Bogon Forward → Ether1
chain=forward action=drop src-address-list=Bogon in-interface=ether1-gateway log=yes log-prefix=“Bogon Forward Drop”

19 ;;; Berglund ↔ TechLab
chain=forward action=accept src-address=172.16.0.0/16 dst-address=192.168.1.0/24 log=no log-prefix=“”

20 ;;; Allow client LAN traffic out WAN
chain=forward action=accept src-address=192.168.2.0/24 out-interface=ether1-gateway log=no log-prefix=“”

As always, I would need to see a full config:
/export file=anynameyouwish ( minus router serial number, any public WANIP info, keys)

When first reading it sounded like there was a firewall on the server… or something on it that accepts only same subnet and nothing else.

Thank you for your kind reply. Much appreciated. The endpoint I’m trying to reach is a TrueNAS Core 13.0 u6.7. It has no firewall and is just a NAS.

Here’s the information you requested from the Mikrotik, appropriately named “anynameyouwish” LOL
anynameyouwish.rsc (8.35 KB)

Not used to such archaic settings, almost stone age LOL.
Looks like you have 4 IP addresses for LAN ports, should I assume they all have ip pools, dhcp server and dhcp server networks ??

One error off the bat is the fact that your WAN port is ether1
This is the conflict:
add address=192.168.0.2/24 comment="Port 1" interface=ether1-gateway network=192.168.0.0

AND
/ip dhcp-client
add interface=ether1-gateway

It's one or the other, not both!! I suspect you should DISABLE the /ip dhcp-client.

  1. I would simplify firewall rules with order within chains and keep chains together as depicted below.

  2. You have a nomenclature issue in the firewall forward chain referencing 192.168.0.0/24 to go out to the internet. No such subnet exists on your router. I can only assume you meant 192.168.88.0/24 (ether 12), as all the other four LAN subnets are given access to WAN. If not, then it's an old entry that should simply be removed. I will include ether12 on the LAN interface list on the assumption it should get internet. If not, remove it from the interface list members.

  3. I find it very strange that you call ether12 "ether-12-MANAGE" and yet the subnet you give access to the router, presumably for configuration purposes, is ETHER4 (172.16.0.0/16)???

  4. Okay, I noticed that ether12 was disabled so I will ignore ether 12. You should really clean up a config and get rid of noise.


    /interface list
    add name=WAN
    add name=LAN
    add name=TRUSTED
    /interface list member
    add interface=ether1-gateway list=WAN
    add interface=ether2-TechLab list=LAN
    add interface=ether3-Berglund list=LAN
    add interface=ether4-TechLabNew list=LAN
    add interface=ether5-Drake list=LAN
    add interface=ether4-TechLabNew list=TRUSTED
    /ip firewall filter
    { default rules to keep }
    add action=accept chain=input connection-state=established,related,untracked
    add action=drop chain=input connection-state=invalid
    add action=accept chain=input protocol=icmp
    (admin rules)
    add action=accept chain=input comment="Allow Management Input" in-interface-list=TRUSTED src-address=172.16.0.0/16
    add action=accept chain=input in-interface-list=LAN dst-port=53 protocol=udp
    add action=accept chain=input in-interface-list=LAN dst-port=53 protocol=tcp
    add action=drop chain=input comment="Drop all else" { insert this rule last so as to not lock yourself out }
    +++++++++++++++++++++++++++++++++++++++++++++
    { default rules to keep }
    add action=fasttrack-connection chain=forward connection-state=established,related
    add action=accept chain=forward connection-state=established,related,untracked
    add action=drop chain=forward connection-state=invalid
    (admin rules)
    add action=accept chain=forward comment="internet traffic" in-interface-list=LAN out-interface-list=WAN
    add action=accept chain=forward comment="admin to LANS" in-interface-list=TRUSTED out-interface-list=LAN
    add action=accept chain=forward comment="port forwarding" connection-nat-state=dstnat
    add action=drop chain=forward comment="drop all else"

    Note1: You could limit the forward rule to just the tech lab and not all the LANs (but admin usually wants full access), like so:
    add action=accept chain=forward comment="admin to techlab" in-interface-list=TRUSTED dst-address=192.168.1.0/24

As for bogons one must be careful if they overlap with your subnets. In this case there is much overlap.
However, it is relatively safe if you insist on doing this, but it is better done in the raw chain.
Note your WANIP is in the realm of the bogon so you would have effectively blocked traffic headed for your router…

Adjusted to avoid WAN IP of 192.168.0.2 !!! or the 192.168.0.0/24 subnet for that matter
/ip firewall address-list
add address=192.168.1.0/24 list=external-Bogon
add address=192.168.2.0/23 list=external-Bogon
add address=192.168.4.0/22 list=external-Bogon
add address=192.168.8.0/21 list=external-Bogon
add address=192.168.16.0/20 list=external-Bogon
add address=192.168.32.0/19 list=external-Bogon
add address=192.168.64.0/18 list=external-Bogon
add address=192.168.128.0/17 list=external-Bogon
add address=10.0.0.0/8 list=external-Bogon
add address=172.16.0.0/12 list=external-Bogon
add address=127.0.0.0/8 list=external-Bogon
add address=0.0.0.0/8 list=external-Bogon
add address=169.254.0.0/16 list=external-Bogon
add address=192.168.1.0/24 list=MyLAN
add address=192.168.2.0/24 list=MyLAN
add address=192.168.10.0/24 list=MyLAN
add address=172.16.0.0/16 list=MyLAN
++++++++++++++++++++++++++++++++
add address=192.168.0.2 list=MyWAN

/ip firewall raw
add action=drop chain=prerouting in-interface-list=WAN src-address-list=external-Bogon comment="drop non-legit src-addresses hitting WAN side"
add action=drop chain=prerouting in-interface-list=LAN src-address-list=!MyLAN comment="drop non-legit traffic coming from LAN"
add action=drop chain=prerouting in-interface-list=WAN dst-address-list=!MyWAN

Wow! Impressive response!

I wasn’t expecting such help, I must say.

I went through the first few items and completed those, now I’m on to the big chunk that you created. Frankly, I’m more than a little concerned that I’m going to screw things up. I’m further concerned that any changes in that list likely means that I’m going to need to remove some old rules in order to clean things up from when this was created - back in 2019 when I first bought the router and started learning about Mikrotik and programming up a router. Needless to say, I really didn’t know what I was doing then, and am only a little better today. Except for the broken brain. LOL

It seems that the best time for me to take this project on will be Friday night through Sunday night, so I’m not disrupting the client and, if I really mess things up, I’d have a window of a couple of days to solve the problem.

Usually, I use the web interface to manage this router - which I haven’t had to do in 5 years. Forgive me if I ask a couple of seemingly stupid questions after I try to research the answers on my own first (RTFM is very important to me). I’ll keep you informed on how things go and probably post another config file when I feel like things have moved forward - assuming I still have a path to the internet. Hahaha.

Again, thank you VERY much for your time, knowledge, patience and guidance.

Hello, Anav -

Per your documentation I performed the changes you suggested. After doing so, I lost all communications with the outside world on the 172.16 network, and could not communicate with things on the other client networks (192.168.1.x network, for example). I’m glad I made a backup before taking on this mission… LOL

Here’s the anynameyouwish2.rsc file after making the changes.

Please advise any problems/changes.

Thank you in advance.
anynameyouwish2.rsc (9.31 KB)

  1. I see four subnets vice two. One each on etherports 2,3, 4,5 ( just talking to myself LOL )

  2. Change this to TRUSTED
    /ip neighbor discovery-settings
    set discover-interface-list=TRUSTED

  3. Set this to loose.
    /ip settings
    set max-neighbor-entries=8192 rp-filter=loose

  4. I only see three pools and three dhcp servers so one of the subnets above is a bit different from the others???
    Ether2 is the strange duck okay.

  5. Okay, confusing, but I see 3 pools, 3 dhcp servers and 3 dhcp-server networks for the three ports 3, 4, 5.
    WHY am I seeing a dhcp server for ether2?? ( but no pool and no dhcp-server network) ERROR

/ip dhcp-server
add add-arp=yes address-pool=*4 always-broadcast=yes interface=ether2-TechLab lease-time=10m name=TEST

I suggest removing this line completely.

  6. This network is not used and thus remove this old default static DNS entry.
    /ip dns static
    add address=192.168.88.1 name=router type=A

  7. Modify firewall rules. Keep order within chains…
    - confirm all three ports Berglund, Drake and newtech need internet access!!

/ip firewall filter
add action=accept chain=input connection-state=established,related,untracked
add action=drop chain=input connection-state=invalid
add action=accept chain=input protocol=icmp
add action=accept chain=input comment="Allow Management Input" in-interface-list=TRUSTED src-address=172.16.0.0/16
add action=accept chain=input dst-port=53 in-interface-list=LAN protocol=udp
add action=accept chain=input dst-port=53 in-interface-list=LAN protocol=tcp
add action=drop chain=input comment="Drop all else"

++++++++++++++++++++++++++++++++++++++++++++++
add action=fasttrack-connection chain=forward connection-state=established,related
add action=accept chain=forward connection-state=established,related,untracked
add action=drop chain=forward connection-state=invalid
add chain=forward comment="internet traffic" in-interface-list=LAN out-interface-list=WAN
add action=accept chain=forward comment="admin to LANs" in-interface-list=TRUSTED out-interface-list=LAN
add action=accept chain=forward comment="port forwarding" connection-nat-state=dstnat
add action=drop chain=forward comment="drop all else"

From this set of rules all three subnets will have internet access.
From this set of rules only the newtechlab subnet will be able to configure the router and see the other LAN devices/users.

If there is any blocking then I have configured the raw rules incorrectly.
Easily tested by disabling the raw rules one by one to see if, and which one(s), affect expected connectivity.

  1. This rule references an address list item that is missing
    add action=drop chain=prerouting dst-address-list=!MyWAN in-interface-list=WAN
    since it's a fixed single IP, we can modify it to
    add action=drop chain=prerouting dst-address=!192.168.0.2 in-interface-list=WAN

Reboot the router after many changes as well.
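An added check, not from the thread and not a RouterOS tool: this Python script parses a constructed export snippet (addresses, lists and interface names are made up to mirror the ones discussed) and flags bogon entries that overlap the router's own WAN subnet, the overlap warned about earlier, plus address lists that raw rules reference but that no address-list entry defines, the MyWAN case.

```python
import ipaddress
import re
# Constructed sample export (not the thread's .rsc file): the router's
# WAN-side address, an unsplit bogon entry that covers it, and a raw rule
# that references a list never defined, mirroring both problems above.
SAMPLE_EXPORT = """\
/ip address
add address=192.168.0.2/24 interface=ether1-gateway
add address=172.16.0.1/16 interface=ether4-TechLabNew
/ip firewall address-list
add address=192.168.0.0/16 list=external-Bogon
add address=172.16.0.0/12 list=external-Bogon
add address=172.16.0.0/16 list=MyLAN
/ip firewall raw
add action=drop chain=prerouting in-interface-list=WAN src-address-list=external-Bogon
add action=drop chain=prerouting in-interface-list=WAN dst-address-list=!MyWAN
"""
KV = re.compile(r'(\S+?)=(\S+)')  # key=value pairs of an "add" line (no quoted values here)

def parse_export(text):
    """Group the 'add ...' lines under their '/path' section as key/value dicts."""
    sections, current = {}, None
    for line in text.splitlines():
        if line.startswith('/'):
            current = sections.setdefault(line.strip(), [])
        elif line.startswith('add ') and current is not None:
            current.append(dict(KV.findall(line[4:])))
    return sections

def bogon_overlaps(sections, wan_iface):
    """Bogon entries overlapping the router's own WAN subnet; a drop on such
    sources also drops packets arriving from the router's own WAN segment."""
    wan_nets = [ipaddress.ip_interface(a['address']).network
                for a in sections.get('/ip address', []) if a['interface'] == wan_iface]
    return [e['address'] for e in sections.get('/ip firewall address-list', [])
            if e['list'] == 'external-Bogon'
            and any(ipaddress.ip_network(e['address'], strict=False).overlaps(w) for w in wan_nets)]

def missing_lists(sections):
    """Lists referenced by raw rules but defined nowhere ('!' negation stripped)."""
    defined = {e['list'] for e in sections.get('/ip firewall address-list', [])}
    referenced = {r[k].lstrip('!') for r in sections.get('/ip firewall raw', [])
                  for k in ('src-address-list', 'dst-address-list') if k in r}
    return sorted(referenced - defined)

if __name__ == '__main__':
    cfg = parse_export(SAMPLE_EXPORT)
    print('bogon entries overlapping WAN:', bogon_overlaps(cfg, 'ether1-gateway'))
    print('raw rules referencing undefined lists:', missing_lists(cfg))
```

Run it against a real `/export` only after stripping quoted comment values, which the simple key=value regex does not handle.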

Ugh. Not going well.

Attached is revision 3 of the config. I “think” I’ve followed your instructions to the letter, but still not happening.

With these settings, from the 172.16 side I am unable to get to the internet after reboot. Sorry, I forgot to try hitting one of the machines on the Berglund network. Reloaded the original configuration so I could get back on the internet and post this message. To answer one of your questions, ether2-TechLab was a /24 network for testing before moving to a /16 (TechLabNew) .

I’m going to try sending you a private message to discuss an option and see what you think…
anynameyouwish3.rsc (9.91 KB)

Sure, you can contact me on Discord: anav_ds

Hello Anav -
Sorry I didn’t get hold of you on Discord - been a bad weekend. I did, however, spend a bunch of time reading MikroTik documentation and decided to go back to the drawing board. Problem is, I have a client I MUST get operational for backups ASAP, so I re-loaded the original configuration since it gives me internet access and some access to the network at their location.

Interesting thing, I was looking at /ip / ARP list and I noted the router saw machines on their network – which I was able to ping from my workstation, through the router! Yeah! Tells me that there’s a problem with the fileserver, not (necessarily) a router issue. Since I’m not seeing the static address put on the fileserver in that list, I’m going over tomorrow to check the situation out and see what’s going on. Odd, since the fileserver is accessible from their local network, unless something bad has happened along the way.

I did some reconfiguration of the original file to experiment with a firewall entry to accept input from 172.16.0.0/16 to 192.168.1.0/24 but that didn’t seem to help. I’m putting the most current version I’ve edited here (for further discussion maybe), will physically check things out tomorrow and if I find a problem on their end then I can test the ANAVersion we were working on afterwards. Let you know how it works out.

BTW: Nova Scotia. You have no idea how jealous I am. Wish I was there!
anynameyouwishv2.rsc (8.5 KB)

Yes, good idea to check out that fileserver and after that we can sort out the router. The grass is always greener; I'm sure there are redeeming qualities of where you live…

Trying to connect with you via Discord to continue this conversation - does this link work for you? It didn’t seem to find anav_ds, so I’m trying it this way.