Mikrotik DNS problem (with internal mail and BIND server)

I want to replace our previous firewall/gateway appliance (Endian UTM Appliance) with an RB1100AHx2.
I have an internal mail server (Zimbra Collaboration Server) and an internal BIND server
which holds the forward and reverse zones for a private domain (e.g. firmname.local).
Outbound email flow goes through our ISP’s mail proxy with TLS authentication.
The RB1100AHx2 is configured (hopefully) in the same manner as the Endian UTM was.

The problem is this: when I attach the network cables (LAN and WAN cables) to the RB1100AHx2, everything else works except the outgoing email flow (incoming email flow is OK).
The mail.log indicates it’s a DNS problem: “..status=deferred (Host or domain name not found. Name service error for name=mailproxy.ourisp.com type=MX: Host not found, try again)”.

The Endian UTM Appliance and the RB1100AHx2 are standing next to each other. When I plug the network cables (LAN and WAN cable) into the RB1100AHx2, the outgoing email flow is interrupted (all emails are being deferred).
As soon as I plug the network cables back into the Endian UTM, all deferred emails are sent and the outgoing email flow starts to work as it should.

I presume I need some rules related to DNS traffic on my RB1100AHx2. Any ideas what I should do here? Thanks.

It may sound stereotypical, but post your firewall configuration…

[Deleted] - Double post

This is my firewall configuration:

# jun/10/2014 19:26:34 by RouterOS 5.26
# software id = XXXX-YYYY
#
# Layer-7 pattern referenced by the "Facebook BLOCK" filter rule.
# NOTE(review): the dot in "facebook.com" is unescaped, so it matches any
# character, and the leading "^.+" requires at least one character before the
# name. Escape the dot if only the literal host name is meant.
/ip firewall layer7-protocol

add name=facebook regexp="^.+(facebook.com).*\$"


# Address lists used as src-address-list matchers by the forward-chain rules.
#   local-subnet : the LAN network, accepted as a forward source.
#   rfc-s        : private, loopback, "this network" and multicast/reserved
#                  ranges, dropped as forward sources.
/ip firewall address-list

add address=172.23.24.0/24 disabled=no list=local-subnet

add address=192.168.0.0/16 disabled=no list=rfc-s

# NOTE(review): 172.16.0.0/12 contains the LAN 172.23.24.0/24, so LAN traffic is
# forwarded only because the local-subnet accept rule is evaluated before the
# rfc-s drop rule. Keep that order when editing the filter.
add address=172.16.0.0/12 disabled=no list=rfc-s

add address=10.0.0.0/8 disabled=no list=rfc-s

add address=0.0.0.0/8 disabled=no list=rfc-s

# 224.0.0.0/3 spans 224.0.0.0-255.255.255.255: multicast plus the reserved
# range above it, including the limited broadcast address.
add address=224.0.0.0/3 disabled=no list=rfc-s

add address=127.0.0.0/8 disabled=no list=rfc-s


# Connection-tracking settings. Tracking has to stay enabled here: the NAT
# rules and the connection-state matches in this export depend on it.
# udp-timeout=10s applies to UDP flows seen in one direction only (for example
# a DNS query that has not been answered yet); udp-stream-timeout=3m applies
# once packets have been seen in both directions.
# tcp-syncookie=no leaves SYN cookies switched off.
/ip firewall connection tracking

set enabled=yes generic-timeout=10m icmp-timeout=10s tcp-close-timeout=10s \
    tcp-close-wait-timeout=10s tcp-established-timeout=1d \
    tcp-fin-wait-timeout=10s tcp-last-ack-timeout=10s \
    tcp-syn-received-timeout=5s tcp-syn-sent-timeout=5s tcp-syncookie=no \
    tcp-time-wait-timeout=10s udp-stream-timeout=3m udp-timeout=10s
	

# Packet filter. Rules of a chain are evaluated top to bottom and the first
# matching rule decides, so rule order is part of the policy.
# NOTE(review): this export contains no catch-all drop for chain=forward.
# Forwarded packets that match none of the rules are accepted by default, so
# the forward "accept" rules for SMTP/FTP below do not restrict anything by
# themselves. A tighter forward chain would accept established/related, accept
# the published ports, and then drop everything else arriving on
# pppoe-out1-adsl.
/ip firewall filter

# Everything sourced from the LAN is forwarded, to any destination and port.
add action=accept chain=forward comment="ACCEPT ALL from LOCAL SUBNET" \
    disabled=no src-address-list=local-subnet

# Anti-spoofing: forwarded packets claiming a private/reserved source are
# dropped (the LAN itself was already accepted by the rule above).
add action=drop chain=forward comment="DROP ALL from RFC-S" disabled=no \
    src-address-list=rfc-s

# Inbound mail arriving on the PPPoE uplink (published by the SMTP dst-nat rule).
add action=accept chain=forward comment=SMTP disabled=no dst-port=25 \
    in-interface=pppoe-out1-adsl protocol=tcp

# PPTP VPN to the router itself: control channel (tcp/1723) and GRE tunnel.
# NOTE(review): PPTP authentication and encryption (MS-CHAPv2/MPPE) are
# considered weak; L2TP/IPsec or SSTP are stronger options for remote access.
add action=accept chain=input comment="PPTP TCP" disabled=no dst-port=1723 \
    in-interface=pppoe-out1-adsl protocol=tcp

add action=accept chain=input comment="PPTP GRE" disabled=no in-interface=\
    pppoe-out1-adsl protocol=gre

# NOTE(review): WinBox (tcp/8291) and SSH (tcp/22) are accepted from the
# internet-facing interface without any src-address restriction. Limit both
# rules to a src-address-list of admin addresses, or reach the router's
# management services only through the VPN.
add action=accept chain=input comment=WinBox disabled=no dst-port=8291 \
    in-interface=pppoe-out1-adsl protocol=tcp

add action=accept chain=input comment="SSH Mikrotik" disabled=no dst-port=\
    22 in-interface=pppoe-out1-adsl protocol=tcp

# FTP control/data ports and a high port range published to the internet
# (see the matching dst-nat rules); the high range is presumably the FTP
# server's passive-mode range -- confirm against the server configuration.
add action=accept chain=forward comment="DATASRV FTP 1" disabled=no dst-port=\
    20-21 in-interface=pppoe-out1-adsl protocol=tcp

add action=accept chain=forward comment="DATASRV FTP 2" disabled=no dst-port=\
    51423-61524 in-interface=pppoe-out1-adsl protocol=tcp

# NOTE(review): this rule sits after "ACCEPT ALL from LOCAL SUBNET", so packets
# sourced from the LAN are accepted before they ever reach it; only packets
# from other sources can match here. Verify that the block behaves as intended,
# or move it above the LAN accept rule.
add action=drop chain=forward comment="Facebook BLOCK" disabled=no \
    layer7-protocol=facebook protocol=tcp

# No in-interface is given, so ICMP addressed to the router is accepted on
# every interface, including pppoe-out1-adsl.
add action=accept chain=input comment="allow PING" disabled=no \
    protocol=icmp
	
# Return traffic for connections that are already tracked (for example replies
# to the router's own DNS queries to its upstream resolvers) is accepted on the
# uplink by the next two rules.
add action=accept chain=input comment="allow ESTABLISHED" \
    connection-state=established disabled=no in-interface=pppoe-out1-adsl

add action=accept chain=input comment="allow RELATED" \
    connection-state=related disabled=no in-interface=pppoe-out1-adsl

# Default deny for traffic addressed to the router, but only for packets
# arriving on pppoe-out1-adsl; input on every other interface is not filtered
# by this rule set. This is also the rule that keeps the router's DNS service
# (allow-remote-requests=yes) from answering queries from the internet.
add action=drop chain=input comment="DROP ALL" disabled=no \
    in-interface=pppoe-out1-adsl
	

	

# NAT: source NAT for outbound traffic plus port forwards (dst-nat) from the
# PPPoE uplink to internal hosts.
/ip firewall nat

# Everything leaving through the uplink is rewritten to the uplink's address.
add action=masquerade chain=srcnat comment="nr0 - MASQUERADING" \
    disabled=no out-interface=pppoe-out1-adsl

# Inbound SMTP on the uplink is forwarded to 172.23.24.4 (presumably the
# internal mail server -- confirm).
add action=dst-nat chain=dstnat comment=SMTP disabled=no dst-port=25 \
    in-interface=pppoe-out1-adsl protocol=tcp to-addresses=172.23.24.4 \
    to-ports=25

# FTP control/data ports forwarded to 172.23.24.5.
# NOTE(review): FTP sends credentials and data unencrypted, and these rules
# have no src-address restriction, so the service is reachable from the whole
# internet.
add action=dst-nat chain=dstnat comment="DATASRV FTP 1" disabled=no dst-port=\
    20-21 in-interface=pppoe-out1-adsl protocol=tcp to-addresses=\
    172.23.24.5 to-ports=20-21

# NOTE(review): this publishes roughly 10,000 TCP ports (51423-61524) of
# 172.23.24.5. If it is the FTP passive range, narrowing the range on the
# server and here reduces the exposed surface.
add action=dst-nat chain=dstnat comment="DATASRV FTP 2" disabled=no dst-port=\
    51423-61524 in-interface=pppoe-out1-adsl protocol=tcp to-addresses=\
    172.23.24.5 to-ports=51423-61524




# Connection-tracking/NAT helpers for protocols that carry addresses in their
# payload or open secondary connections. All six are enabled here.
# NOTE(review): only FTP and PPTP are used by rules in this export. Helpers
# that nothing depends on (tftp, irc, h323, sip) can be disabled so the router
# parses less untrusted traffic -- confirm no LAN client needs them first.
/ip firewall service-port

set ftp disabled=no ports=21

set tftp disabled=no ports=69

set irc disabled=no ports=6667

set h323 disabled=no

set sip disabled=no ports=5060,5061 sip-direct-media=yes

set pptp disabled=no



# DHCP server for the LAN on bridge1to12, handing out 3-day leases from
# dhcp_pool1 (the pool definition is not part of this export). add-arp=yes
# makes the router add an ARP entry for each lease.
/ip dhcp-server

add add-arp=yes address-pool=dhcp_pool1 authoritative=after-2sec-delay \
    bootp-support=static disabled=no interface=bridge1to12 lease-time=3d \
    name=dhcp1

# Lease database is written to disk every 5 minutes.
/ip dhcp-server config

set store-leases-disk=5m

# Options given to clients: gateway 172.23.24.1 and resolver 172.23.24.3
# (presumably the internal BIND server -- confirm). Hosts that use the
# DHCP-supplied resolver query 172.23.24.3, not the router's own DNS service.
# NOTE(review): wins-server=172.22.22.3 lies outside 172.23.24.0/24 and is
# subject to the same routing and filtering as any other off-subnet host;
# confirm the address is intended and not a typo.
/ip dhcp-server network

add address=172.23.24.0/24 dhcp-option="" dns-server=172.23.24.3 domain=\
    mydomain.local gateway=172.23.24.1 netmask=24 ntp-server="" wins-server=\
    172.22.22.3


# The router's own resolver/cache, forwarding to the public resolvers
# 208.67.222.222 and 208.67.220.220.
# allow-remote-requests=yes makes the router answer DNS queries sent to it by
# other hosts. In this export the only thing stopping it from acting as an open
# resolver towards the internet is the input "DROP ALL" rule on
# pppoe-out1-adsl; any additional internet-facing interface would need an
# equivalent input rule for udp/tcp 53.
/ip dns
set allow-remote-requests=yes cache-max-ttl=1w cache-size=2048KiB \
    max-udp-packet-size=4096 servers=208.67.222.222,208.67.220.220

Let me know if you need other information in order to understand the problem…