Mikrotik Bridging but Mikrotik can't access the internet

Hi,

I have a Mikrotik that is acting as a bridge between a modem and firewall. The network diagram looks like this:-

https://www.dropbox.com/s/tm8lfd0e7g0kxi2/Firewall%20Setup.png?dl=0

The clients behind the Sophos UTM all have internet access OK, but if I log on to the Mikrotik and try to ping 8.8.8.8 it fails; the router itself has no connection. Any ideas?

# aug/23/2016 15:04:36 by RouterOS 6.35
# software id = CPFN-FBMX
#
/interface ethernet
set [ find default-name=ether1 ] name=ether1-wan
set [ find default-name=ether2 ] name=ether2-lan
set [ find default-name=ether3 ] disabled=yes
set [ find default-name=ether4 ] disabled=yes
set [ find default-name=ether5 ] disabled=yes
/interface pppoe-client
add add-default-route=yes disabled=no interface=ether1-wan name=pppoe-out1 \
    password=xxxx use-peer-dns=yes user=xxx
/ip address
add address=81.x.x.14/29 interface=ether2-lan network=81.x.x.8
/ip dhcp-client
add dhcp-options=hostname,clientid disabled=no interface=ether1-wan
/ip firewall filter
add chain=output disabled=yes
add chain=input dst-port=80 in-interface=pppoe-out1 protocol=tcp src-address=\
    84.x.x.160
add chain=input dst-port=22 in-interface=pppoe-out1 protocol=tcp src-address=\
    84.x.x.160
add chain=input dst-port=8291 in-interface=pppoe-out1 protocol=tcp \
    src-address=84.x.x.160
add action=drop chain=input in-interface=pppoe-out1
/ip firewall nat
add action=masquerade chain=srcnat disabled=yes out-interface=ether1-wan
/ip service
set telnet disabled=yes
set ftp disabled=yes
set api disabled=yes
set api-ssl disabled=yes
/system clock
set time-zone-name=Europe/London
/system identity
set name=xx-router

Addresses:-

/ip address print  
Flags: X - disabled, I - invalid, D - dynamic 
 #   ADDRESS            NETWORK         INTERFACE                              
 0   81.x.x.14/29   81.x.x.8    ether2-lan                             
 1 D 81.x.x.251/32   81.x.x.1      pppoe-out1

Routes:-

/ip route print  
Flags: X - disabled, A - active, D - dynamic, 
C - connect, S - static, r - rip, b - bgp, o - ospf, m - mme, 
B - blackhole, U - unreachable, P - prohibit 
 #      DST-ADDRESS        PREF-SRC        GATEWAY            DISTANCE
 0 ADS  0.0.0.0/0                          81.139.0.1                0
 2 ADC  81.x.x.1/32      81.x.x.251   pppoe-out1                0
 3 ADC  81.x.x.8/29    81.x.x.14   ether2-lan                0

I have not used Mikrotik in this way before, only used it acting as a standard router. Currently I can’t get it to check for package updates so have to manually copy it up and reboot etc.

Thanks for any help.

If you have a spare ethernet interface, then remove it from any bridges/switch groups and put an IP address on that interface (from your LAN’s range)
Then plug that interface into the LAN switch and set the default gateway in the IP > routes menu (dst=0.0.0.0/0 gateway=x.x.x.x)

So there is no way for it to directly access the internet considering it is directly connected to the internet gateway? Can you explain why just so I understand.

Many thanks.

I assume that the Internet gateway has public IP addressing, and that the firewall has your only public IP.
If you have more public IP addresses, then you can simply assign an available one to your existing bridge interface and set the default GW to be the Internet gateway IP.

Be sure to construct the firewall rules of your Mikrotik such that the input chain protects the bridge interface from direct access from the Internet.

ether1-wan gets a single dynamic public IP from the ISP. Overlaid on that we are provided with a /29 of public IPs. One of these /29 IPs is placed on ether2-lan and another is placed on the WAN side of the Sophos UTM. The UTM uses ether2-lan's address as its default gateway.

In that /29 there are spare public IPs. The current setup doesn't use any bridging. Are you able to provide some examples please?

Many thanks.

Okay - you started this thread by saying that your Mikrotik is bridging between your modem and your firewall (which I found a bit strange, but didn’t ask questions)
This term is what threw me off on the wrong track. Your Mikrotik is routing and not bridging.

Anyway, I’ve looked back over your firewall rules, and there’s the problem.
In the filter table, your input chain has no rules to accept packets with connection-state=established,related

Basically, your firewall ONLY allows the one IP address to access the router on http and ssh.
The firewall is ALSO discarding any reply packets from any host the Mikrotik is trying to communicate with.
Adding an input rule to accept connection-state=established,related should fix your problem

In fact, for performance reasons you should probably make that the first input chain rule and you should not require any other conditions (such as in-interface, etc.)
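An example of the input chain as that advice describes it, written as an added illustration for this thread rather than taken from any post in it; it assumes the interface name, admin source address and management ports from the exported config above, and that the existing input rules are replaced by these:

```routeros
/ip firewall filter
# Stateful rule first and without any interface or address condition: replies to
# sessions the router itself opened (ping 8.8.8.8, package update checks, DNS)
# are accepted here instead of falling through to the final drop.
add chain=input action=accept connection-state=established,related \
    comment="accept replies to router-initiated traffic"
# Packets that belong to no tracked connection are dropped before any accept.
add chain=input action=drop connection-state=invalid \
    comment="drop invalid/untracked packets"
# Management of the router only from the one trusted address (values from the thread).
add chain=input action=accept in-interface=pppoe-out1 protocol=tcp \
    src-address=84.x.x.160 dst-port=22,80,8291 \
    comment="ssh/webfig/winbox from admin host only"
# Anything else arriving from the Internet for the router itself is discarded.
add chain=input action=drop in-interface=pppoe-out1 \
    comment="drop all other Internet traffic to the router"
```

After applying it, `/ping 8.8.8.8 count=3` from the router should succeed and `/ip firewall filter print stats` should show the packet counter on the first rule increasing as the replies come back.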

Really sorry for the incorrect use of terminology adding to the confusion.

You were absolutely right about the missing input rule, that sorted it. Firewall rules aren’t my strongest point on Mikrotik.

Thanks again!