Mikrotik Blocking Remote Access Randomly

GreaterTX · October 14, 2020, 9:34pm

So for some reason the Mikrotik Router seems to randomly be blocking remote access to some port forwarded devices. It’ll work just fine for days on end sometimes then abruptly drop any incoming connections.

This happens both with;

Camera system with remote web / remote app ability
Unifi Access Points stop communicating with the off-site controller and show as offline (But there is no firewall configuration that needs to be done on the remote site where the Mikrotik is, so not sure how this relates but this also happens while the camera system goes offline)

The network works completely normally on the LAN side, when I go on site I can get on the internet with everything just fine, use wireless access etc…

I’m running 6.47.4

How I have it setup;

Firewall > NAT I have a DST_NAT action with donate for the chain, the destination address is the WAN IP, protocol TCP Destination Port is the port to be forwarded

I’ve checked both

https://www.balticnetworkstraining.com/mikrotik-port-forwarding/

and

Port mapping/forwarding
If you would like to direct requests for a certain port to an internal machine (sometimes called opening a port, port mapping), you can do it like this:

/ip firewall nat add chain=dstnat dst-port=1234 action=dst-nat protocol=tcp to-address=192.168.1.1 to-port=1234

https://wiki.mikrotik.com/wiki/Manual:IP/Firewall/NAT#Port_mapping.2Fforwarding

Neither variant seems to resolve it, rebooting the router doesn’t change anything.

Abruptly all of the sudden it’ll eventually start working again…

What gives? What else can I provide to help you guys diagnose it

I can remotely access the router with zero issue with the configuration I have so I know that works.
Filter Rules.png
NAT Rules.png

GreaterTX · October 15, 2020, 5:33pm

So once again out of nowhere at around the same time after no matter how many modifications I made with no success… it randomly started allowing traffic again at night, then this morning at roughly the same time it started blocking it again

This is freaking infuriating

anav · October 15, 2020, 6:54pm

Post your entire config
/export hide-sensitive file=anynameyouwish

GreaterTX · October 15, 2020, 8:42pm

# oct/15/2020 13:39:09 by RouterOS 6.47.4
# software id = WY2W-HYQH
#
# model = RouterBOARD 941-2nD
# serial number = 8B1008860D52
/interface bridge
add admin-mac=CC:2D:E0:79:D5:02 auto-mac=no comment=defconf name=bridge
/interface wireless
set [ find default-name=wlan1 ] antenna-gain=0 band=2ghz-b/g/n channel-width=\
    20/40mhz-XX country="united states" disabled=no distance=indoors \
    frequency=auto frequency-mode=manual-txpower mode=ap-bridge ssid=\
    SFP-Mikrotik station-roaming=enabled wireless-protocol=802.11
/interface l2tp-server
add name=l2tp-in1 user=""
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface wireless security-profiles
set [ find default=yes ] authentication-types=wpa-psk,wpa2-psk mode=\
    dynamic-keys supplicant-identity=MikroTik
/ip pool
add name=dhcp ranges=10.192.0.200-10.192.0.230
add name=vpn-pool ranges=10.192.100.100-10.192.100.110
/ip dhcp-server
add address-pool=dhcp disabled=no interface=bridge name=defconf
/ppp profile
add local-address=10.192.100.1 name="VPN IPSec" remote-address=vpn-pool
/user group
set full policy="local,telnet,ssh,ftp,reboot,read,write,policy,test,winbox,pas\
    sword,web,sniff,sensitive,api,romon,dude,tikapp"
/interface bridge port
add bridge=bridge comment=defconf interface=ether2
add bridge=bridge comment=defconf interface=ether3
add bridge=bridge comment=defconf interface=ether4
add bridge=bridge comment=defconf interface=wlan1
/ip neighbor discovery-settings
set discover-interface-list=LAN
/interface l2tp-server server
set default-profile="VPN IPSec" enabled=yes use-ipsec=yes
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=ether1 list=WAN
/ip address
add address=10.192.0.1/24 comment=defconf interface=ether2 network=10.192.0.0
add address=WANIP97/29 interface=ether1 network=WANIP96
/ip dhcp-client
add comment=defconf interface=ether1
/ip dhcp-server network
add address=10.192.0.0/24 comment=defconf gateway=10.192.0.1 netmask=24
/ip dns
set allow-remote-requests=yes servers=1.1.1.1,1.0.0.1
/ip dns static
add address=10.192.0.1 name=router.lan
/ip firewall filter
add action=accept chain=input disabled=yes dst-port=8291 protocol=tcp
add action=accept chain=input dst-port=80,443,8291 protocol=tcp
add action=accept chain=input in-interface-list=WAN protocol=ipsec-esp
add action=accept chain=input dst-port=500,1701,4500 in-interface=ether1 \
    protocol=udp src-address-list=""
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
    ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
    ipsec-policy=out,ipsec
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
    in-interface-list=!LAN
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
    connection-state=established,related
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
add action=drop chain=forward comment=\
    "defconf:  drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
    connection-state=new in-interface-list=WAN
add action=accept chain=forward connection-state=established,related
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" \
    ipsec-policy=out,none out-interface-list=WAN
add action=dst-nat chain=dstnat dst-port=36700 in-interface=ether1 protocol=\
    tcp to-addresses=10.192.0.8 to-ports=36700
add action=dst-nat chain=dstnat dst-port=5201 in-interface=ether1 protocol=\
    tcp to-addresses=10.192.0.216 to-ports=5201
add action=dst-nat chain=dstnat comment="Hikvision Client" dst-address=\
    WANIP97 dst-port=8000 protocol=tcp to-addresses=10.192.0.8 \
    to-ports=8000
/ip route
add distance=1 gateway=WANIP102
/ip ssh
set allow-none-crypto=yes forwarding-enabled=remote
/ppp secret
add name=edrick profile="VPN IPSec" service=l2tp
/system clock
set time-zone-name=America/Los_Angeles
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN

anav · October 15, 2020, 11:24pm

(1) I find it confusing you have the bridge handing out DHCP and you have ethernet 2 part of the bridge, but look at your ip address!!!,
/interface bridge port
add bridge=bridge comment=defconf interface=ether2
/ip address
add address=10.192.0.1/24 comment=defconf interface=ether2 network=10.192.0.0

I would guess that that should be bridge not ether2
/ip address
add address=10.192.0.1/24 comment=defconf interface=bridge network=10.192.0.0

(2) As far as firewall rules go you have some weird ones in the input chain…
However I am not an expert on VPN so I will assume they are fine.
For clarity sake I would put all the input chain rules first and then display the forward chain rules.

GreaterTX · October 16, 2020, 7:03am

I’ll check out what you say

Just an update with no changes on my part the camera system and access points are back online in unifi controller

I suspect once again tomorrow around the same time they’ll be off again, but not at the exact time just roughy and with no interruption to LAN traffic (cameras still record and WiFi clients can still connect to the internet)

But remote connectivity blocked, other than winbox / direct access to the router via web those work

GreaterTX · October 19, 2020, 6:18am

As you can see it continues to go offline at roughly the same time every day

Any additional suggestions

GreaterTX · October 20, 2020, 12:24am

I’ve also made the modification you suggeted about bridge vs ether2, in either case it shouldn’t have mattered as the other 3 ports on the mikrotik are un-used,

Ether1 is the WAN and ether2 goes to the switch.

I would assume the problem lay somewhere in the firewall configuration so perhaps someone who has an idea firewall wise what could be kluding it up. But the weird thing like I said is it’ll work all by its self hours later, then crap out at roughly the same time every day pretty much. But device access and LAN traffic isnt affected the local network continues to run fine

TahirKhan · October 27, 2020, 4:00pm

Hi,
I’m experiencing the same issue in about 10 sites.
I have RB 2011 and 4011 in these sites.
When I change the port number then remote services for CcTV works for a while. It blocks and unblocks randomly. In the last weeks my devices that are blocked did not unblock.
I checked with the ISP. Vox is the ISP in these sites.
They don’t see a problem On their side as they are forwarding all traffic to my MikroTik.
Please advise as soon as you find a fix.

Thank you.

TahirKhan · October 27, 2020, 4:01pm

Hi,
I’m experiencing the same issue in about 10 sites.
I have RB 2011 and 4011 in these sites.
When I change the port number then remote services for CcTV works for a while. It blocks and unblocks randomly. In the last weeks my devices that are blocked did not unblock.
I checked with the ISP. Vox is the ISP in these sites.
They don’t see a problem On their side as they are forwarding all traffic to my MikroTik.
Please advise as soon as you find a fix.

Thank you.