Mangle Echo Replay From WAN Fail

RouterOS General
1

Recently I had an outage on one of my WAN interfaces, the WAN interface. I have another WAN called PPPoE. I will post half of my RouterOS configuration. There is tones and tones of NAT and firewall rules. But I just left most important and relevant configurations. Is possible that some interfaces names or configurations can have some mistype, because I obfuscated the names. Because are to descriptiveness, same for Public IP dresses.

When I ping from “Internet” to PPPoE public interface I did not receive response. I check Logs and I configure stupid rule to count ICMP packets on PPPoE interface. I’m receiving ECHO but I miss-configured something that can’t reply the packets. Same for OVPN. It works on WAN interface but not working on PPPoE interface. I’m not receiving packets from OVPN Clients trought PPPoE interface. I think there is problem on Mangle configuration.


If someone can give me a clue, thank you very much.



# model = CCR1016-12G

/interface bridge
add arp=proxy-arp fast-forward=no mtu=1500 name=bridge-datos
/interface ethernet
set [ find default-name=ether1 ] name=OVPN-Server speed=100Mbps
set [ find default-name=ether2 ] name=WAN speed=100Mbps
/interface pppoe-client
add add-default-route=yes disabled=no interface=OVPN-Server keepalive-timeout=\
    60 name=ovpn-server password=***** user=*****

/interface ovpn-server
add name=OVPN-Server user=ovpn-server


add name=dhcp next-pool=dhcp_pool2 ranges=192.168.2.10-192.168.2.235
add name=OVPN ranges=192.168.24.2-192.168.24.9
/ip dhcp-server
add address-pool=dhcp disabled=no interface=bridge-datos lease-time=1d name=\
    dhcp1

/interface bridge port
add bridge=bridge-datos hw=no interface=ether2
add bridge=bridge-datos hw=no interface=ether4
add bridge=bridge-datos hw=no interface=ether6

/ip address
add address=XXX.***.***.***/** comment=Servihosting interface=WAN network=\
    78.136.95.152
add address=192.168.2.1/23 comment="Red Datos" interface=bridge-datos \
    network=192.168.2.0
add address=192.168.24.1/21 comment="NUEVO CAMPING" interface=bridge-datos \
    network=192.168.24.0
/ip dhcp-server network

add address=192.168.2.0/23 dns-server=192.168.10.100,8.8.8.8,8.8.4.4 gateway=\
    192.168.2.1 netmask=22 wins-server=192.168.10.100
add address=192.168.24.0/21 dns-server=8.8.8.8 gateway=192.168.24.1 netmask=\
    21
/ip dns
set servers=8.8.8.8,8.8.4.4
/ip dns static
add address=192.168.88.1 name=router
/ip firewall filter
add action=accept chain=forward in-interface=pppoe-out1
add action=accept chain=input in-interface=pppoe-out1
add action=accept chain=input src-address=192.168.24.0/21
add action=drop chain=input comment="Acceso Winbox 180831" connection-state=\
    new dst-port=8291 in-interface=WAN protocol=tcp src-address-list=\
    !Permitidas
add action=accept chain=input comment="Open VPN" dst-port=28888 \
    in-interface=WAN protocol=tcp
add action=accept chain=input comment="Open VPN" dst-port=28888 \
    in-interface=pppoe-out1 protocol=tcp
add action=accept chain=forward dst-port="8043,8085,3587,3588,3589,31001,8081,\
    554,37778,37777,7002,3390,3306,4168-4192" in-interface=WAN protocol=tcp
add action=accept chain=forward dst-port="8043,8085,3587,3588,3589,31001,8081,\
    554,37778,37777,7002,3390,3306,4168-4192" in-interface=pppoe-out1 \
    protocol=tcp
add action=accept chain=forward dst-port=81 in-interface=WAN protocol=tcp
add action=accept chain=forward dst-port=8510 in-interface=WAN protocol=tcp
add action=accept chain=forward dst-port=3589 in-interface=pppoe-out1 protocol=tcp
add action=accept chain=forward dst-port=3399 in-interface=WAN protocol=tcp
add action=accept chain=input   connection-state=related in-interface=WAN
add action=drop   chain=input   src-address=10.10.229.0/24
add action=accept chain=forward dst-address=10.10.253.10 dst-port=8500 \
    protocol=tcp
add action=accept chain=input dst-port=500,4500,1701,1723,47 in-interface=WAN protocol=tcp
add action=accept chain=input comment=L2TP/IPSec protocol=ipsec-esp
add action=accept chain=input dst-port=1723 in-interface=WAN log=yes log-prefix=VPN-MAGIC protocol=tcp
add action=accept chain=forward dst-port=80 in-interface=WAN protocol=tcp
add action=accept chain=forward dst-port=8080 in-interface=WAN protocol=tcp
add action=accept chain=forward dst-port=8081 in-interface=WAN protocol=tcp
add action=accept chain=forward dst-port=8100 in-interface=WAN protocol=tcp
add action=drop chain=forward connection-state=invalid,new in-interface=WAN \
    src-address-list=Projects-Public

add action=drop chain=input comment="DROP INVALID" connection-state=invalid
add action=accept chain=forward comment="ACCEPT FROM ESTABLISHED/RELATED" \
    connection-state=established,related in-interface=WAN
add action=jump chain=input comment="JUMP TO CHAIN SERVICE_PROTECT" dst-port=\
    22 jump-target=service_protect protocol=tcp
add action=add-src-to-address-list address-list=ssh_blacklist \
    address-list-timeout=1w3d chain=service_protect comment=\
    "BLOCK SSH BRUTALFORCE ATTACK STAGE_3" connection-state=new dst-port=22 \
    protocol=tcp src-address-list=ssh_stage3
add action=add-src-to-address-list address-list=ssh_stage3 \
    address-list-timeout=1m chain=service_protect comment=\
    "BLOCK SSH BRUTALFORCE ATTACK STAGE_2" connection-state=new dst-port=22 \
    protocol=tcp src-address-list=ssh_stage2
add action=add-src-to-address-list address-list=ssh_stage2 \
    address-list-timeout=1m chain=service_protect comment=\
    "BLOCK SSH BRUTALFORCE ATTACK STAGE_1" connection-state=new dst-port=22 \
    protocol=tcp src-address-list=ssh_stage1
add action=add-src-to-address-list address-list=ssh_stage1 \
    address-list-timeout=1m chain=service_protect comment=\
    "BLOCK SSH BRUTALFORCE ATTACK STAGE_0" dst-port=22 protocol=tcp
add action=drop chain=service_protect comment="BLOCK SSH BRUTALFORCE ATTACK" \
    dst-port=22 protocol=tcp src-address-list=ssh_backlist
add action=drop chain=forward comment="Basic configuration" connection-state=\
    established,related,new in-interface=WAN
/ip firewall mangle
add action=mark-routing chain=prerouting new-routing-mark=gopppoe \
    passthrough=no src-address=192.168.24.0/21
add action=mark-routing chain=prerouting new-routing-mark=gopppoe \
    passthrough=no src-address=192.168.2.0/23

/ip firewall nat
add action=masquerade chain=srcnat out-interface=pppoe-out1 src-address=\
    192.168.24.0/21
add action=masquerade chain=srcnat out-interface=pppoe-out1 src-address=\
    192.168.2.0/23
add action=accept chain=srcnat disabled=yes dst-address=192.168.2.0/23 \
    src-address=192.168.24.0/21
add action=accept chain=srcnat disabled=yes dst-address=192.168.24.0/21 \
    src-address=192.168.2.0/23
add action=masquerade chain=srcnat out-interface=WAN src-address=192.168.10.0/24
add action=masquerade chain=srcnat out-interface=WAN src-address=192.168.11.0/24
add action=masquerade chain=srcnat out-interface=WAN src-address=192.168.12.0/24
add action=masquerade chain=srcnat out-interface=WAN src-address=192.168.13.0/24
add action=masquerade chain=srcnat out-interface=WAN src-address=10.10.253.0/24
add action=masquerade chain=srcnat out-interface=WAN src-address=10.10.250.0/24
add action=masquerade chain=srcnat out-interface=WAN src-address=10.10.230.0/24
add action=masquerade chain=srcnat out-interface=WAN src-address=10.10.231.0/24

/ip route
add distance=1 gateway=pppoe-out1 routing-mark=gopppoe
add distance=1 dst-address=192.168.2.0/23 gateway=bridge-datos routing-mark=gopppoe
add comment= distance=1 dst-address=192.168.10.0/24 gateway=bridge-datos routing-mark=gopppoe
add comment= distance=1 dst-address=192.168.24.0/21 gateway=bridge-datos routing-mark=gopppoe
add distance=1 gateway=***.***.***.***
2

Tis why a clean and simple set of firewall rules is better in most cases. Much easier to prevent config errors and much easier to find them if they exist.
Consider, the WHY you have so many rules?
Most dont need them.
Use drop all at end of input chain and forward chain DONE for all blocking purposes…!!
Now all you need to do is add ALLOWED TRAFFIC.

https://forum.mikrotik.com/viewtopic.php?t=180838

3

There is no absolutely way to delete one of the firewall or NAT chains. Absolutely I need all of them. All NAT redirections are necessary and my firewall allow then block all. In both WAN, so no it’s not about Firewall. In the firewall table I recently paste on the previous message I just left OPEN all from PPPoE to be sure I’m not blocking echos or OVPN. but it’s not the case, still not working. Thats why I’m here.

Complexity is not synonymous with error.
In fact I have so many because my server-side network is so complex and needs all those rules.

Thank you very much anav for ur fast response.

4

Hi marcus,
No worries, you have legit reasons for many rules great!
I was talking about the usual junk rules people fill up their firewall with based on jumping from you tube video to you tube video.

So I will assume you dont have any icmp blocking or JUMP Rules, DDOS crap, SSH block etc etc.
Strictly basic default rules plus what ever you need for srcnat, dstnat, static routes etc…
not sure what you mean by redirect though.

5

ooops I made the mistake at looking at the gong show in your firewall rules.
Sorry cannot help… The rules below seem to be a complete joke from my vantage point and thus
since you think all is good, I have nothing further to add. Good luck.

The only thing unique in your setup is the the fact you have two WAN inputs and you need some source addresses on your network to use specific WANs or so it seems, with the mangling required.
That has nothing to do withe complete horror show of your firewall rules.
The rest is simple port forwarding which however you seem to have majorily screwed…

/ip firewall filter
add action=accept chain=forward in-interface=pppoe-out1
add action=accept chain=input in-interface=pppoe-out1
add action=accept chain=input src-address=192.168.24.0/21
add action=drop chain=input comment=“Acceso Winbox 180831” connection-state=
new dst-port=8291 in-interface=WAN protocol=tcp src-address-list=
!Permitidas

no better are these…
add action=accept chain=forward dst-port=“8043,8085,3587,3588,3589,31001,8081,
554,37778,37777,7002,3390,3306,4168-4192” in-interface=WAN protocol=tcp
add action=accept chain=forward dst-port=“8043,8085,3587,3588,3589,31001,8081,
554,37778,37777,7002,3390,3306,4168-4192” in-interface=pppoe-out1
protocol=tcp
add action=accept chain=forward dst-port=81 in-interface=WAN protocol=tcp
add action=accept chain=forward dst-port=8510 in-interface=WAN protocol=tcp
add action=accept chain=forward dst-port=3589 in-interface=pppoe-out1 protocol=tcp
add action=accept chain=forward dst-port=3399 in-interface=WAN protocol=tcp

and this is just complex absurdity with no real purpose.
add action=jump chain=input comment=“JUMP TO CHAIN SERVICE_PROTECT” dst-port=
22 jump-target=service_protect protocol=tcp
add action=add-src-to-address-list address-list=ssh_blacklist
address-list-timeout=1w3d chain=service_protect comment=
“BLOCK SSH BRUTALFORCE ATTACK STAGE_3” connection-state=new dst-port=22
protocol=tcp src-address-list=ssh_stage3
add action=add-src-to-address-list address-list=ssh_stage3
address-list-timeout=1m chain=service_protect comment=
“BLOCK SSH BRUTALFORCE ATTACK STAGE_2” connection-state=new dst-port=22
protocol=tcp src-address-list=ssh_stage2
add action=add-src-to-address-list address-list=ssh_stage2
address-list-timeout=1m chain=service_protect comment=
“BLOCK SSH BRUTALFORCE ATTACK STAGE_1” connection-state=new dst-port=22
protocol=tcp src-address-list=ssh_stage1
add action=add-src-to-address-list address-list=ssh_stage1
address-list-timeout=1m chain=service_protect comment=
“BLOCK SSH BRUTALFORCE ATTACK STAGE_0” dst-port=22 protocol=tcp
add action=drop chain=service_protect comment=“BLOCK SSH BRUTALFORCE ATTACK”
dst-port=22 protocol=tcp src-address-list=ssh_backlist
add action=drop chain=forward comment=“Basic configuration” connection-state=
established,related,new in-interface=WAN

6

I’m not wading through all of that, a couple of obvious issues are using gateway=INTERFACE is only valid for point-to-point links; the mangle rules only apply to outbound packets typically you mark a connection then apply a routing mark based on the connection mark.

7

Do yourself a big favour and delete the whole firewall forward chain and input chain and:

Step1: Put the rules in below.
Step2: Add to the input chain rules, just after the accept ICMP rules, for any VPN type services being provided by the router.
Step3: Add any other LAN traffic required not already covered on the forward chain, after the invalid rule,
Step4: If you need external access to config the router, do it via VPN, such as wireguard.
Step5: Most likely your current source nat rules are good but that is just a guess.
Step6: You need to add all the DESTINATION NAT rules (port forwarding required, NONE of them belong in the forward chain)
Step7. As far as mangle goes, as noted, your config based on the rest is probably wrong or incomplete as well.


/ip firewall filter
{Input Chain}
add action=accept chain=input comment=“defconf: accept established,related,untracked” connection-state=established,related,untracked
add action=drop chain=input comment=“defconf: drop invalid” connection-state=invalid
add action=accept chain=input comment=“defconf: accept ICMP” protocol=icmp
add action=accept chain=input in-interface-list=Authorized src-address-list=Admin dst-port=xxxxxx protocol=tcp {winbox}
add action=accept chain=input comment=“Allow LAN DNS queries-UDP” \ {and NTP services if required etc}
dst-port=53 in-interface-list=LAN protocol=udp
add action=accept chain=input comment=“Allow LAN DNS queries - TCP”
dst-port=53 in-interface-list=LAN protocol=tcp
add action=reject chain=input in-interface-list=LAN reject-with=icmp-admin-prohibited {useful for tracking LAN issues}
add action=drop chain=input comment=“drop all else”
{forward chain}
add action=accept chain=forward comment=“defconf: accept in ipsec policy” ipsec-policy=in,ipsec
add action=accept chain=forward comment=“defconf: accept out ipsec policy” ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment=“defconf: fasttrack” connection-state=established,related {DISABLE IF MANGLING}
add action=accept chain=forward comment=“defconf: accept established,related, untracked” connection-state=established,related,untracked
add action=drop chain=forward comment=“defconf: drop invalid” connection-state=invalid
add action=accept chain=forward comment=“allow internet traffic” in-interface-list=LAN out-interface-list=WAN
add action=accept chain=forward comment=“allow dst-nat from both WAN and LAN (including port forwarding)” connection-nat-state=dstnat
add action=reject chain=forward in-interface-list=LAN reject-with=icmp-admin-prohibited {useful for tracking LAN issues}
add action=drop chain=forward comment=“drop all else”