Mikrotik Firewall/Routing Issues with a somewhat complex setup

Hi,

I am a very happy Mikrotik RB2011UiAS-2HnD-IN owner, but I think I have reached my limit trying to troubleshoot what seems to be a firewall misconfiguration.

I was hoping someone on this forum could spot the “obvious” stupid mistake I made :confused:

  1. The symptoms:
    Everything works, but I sometimes get weird behaviour when trying to go on the internet: I have to refresh my web page a few times for it to load… it would hang there… I would refresh and it would then work instantly. I also have a lot of DROPPED firewall rules and I do not really understand why they occur. I suspect that there is an issue between my Mikrotik router and my ASUS Wifi router and that I may not have configured my firewall correctly, or my routes.

  2. My Setup Overview:
    Internet
    |
    @86.144.X.X
    Mikrotik Router (192.168.0.0/24)
    @192.168.0.254
    |
    @192.168.0.1
    ASUS WIFI Router (192.168.1.0/24)
    @192.168.1.1
    |
    Wifi Clients

  3. My setup in more detail:
    If I google “what is my ip”, I get @86.144.X.X.
    I have also noticed there is another IP automatically defined in my Mikrotik router routes (172.16.14.X) which is obviously completely different from @86.144.X.X. I am not sure what it is… maybe the gateway for my ISP?

INTERNET
|
|
MIKROTIK ROUTER:
@192.168.0.254, WIFI disabled, DHCP server Disabled
Routes Defined:
a) (Dynamic/Automatic rule) 0.0.0.0/0: Gateway @172.16.X.X reachable pppoe-out1, Type Unicast, Distance 1, Scope 30, Target Scope 10
b) (Dynamic/Automatic rule) @172.16.X.X/32, Gateway pppoe-out1 reachable, type Unicast, Scope 10, Target Scope 10, pref. source @86.144.X.X
c) (Dynamic/Automatic rule) @192.168.0.0/24, Gateway bridge-local reachable, type Unicast, Scope 10, Target Scope 10, Pref. Source @192.168.0.254
d) (Rule I created manually) @192.168.1.0/24, Gateway 192.168.0.1, Type Unicast, Distance 1, Scope 30, Target Scope 10
|
|
ASUS WIFI ROUTER
@192.168.0.1
Gateway: @192.168.0.254
NAT Disabled
(I disabled NAT and explicitly defined a route on my Mikrotik router because I am running a TAP in between those 2 routers and I need to know which IP from the ASUS WIFI router the traffic belongs to)
I have enabled the Firewall on this router, with DOS protection and log any packet drops.
I cannot see any dropped packets on the ASUS and therefore believe the issues I am getting are with my Mikrotik firewall rules.

  4. Mikrotik firewall rules:
    Below are the rules I have enabled
    a) Chain: Input, Connection State: Established, Action: Accept
    b) Chain: Input, Connection State: Related, Action: Accept
    c) Chain: input, In. Interface: bridge-local, Action: Accept (Note: I added this rule because I was getting a lot of dropped packets and, if I remember well, I was having issues connecting to my Mikrotik router from my ASUS WIFI network)
    d) Chain: input, Connection State: Invalid, Action: Drop, Log enabled (Note: Only getting a few hits)

[I also have 3 rules to stop port scans and stop DOS that I found on this forum. I am not listing them here because they do not have any hits, so I don't believe they can be the source of the problem. I am not sure if that means they are in the wrong place and I should maybe move those rules to the top]

e) Chain: input, Action: Drop, Log Enabled (Note: I am getting a lot of hits! I suspect this is maybe where the problem is)
f) Chain: forward, Connection State: Established, Action: Accept (Note: Most of the traffic goes through this rule it seems… gigabytes!)
g) Chain: forward, Connection State: Related, Action: Accept
h) Chain: forward, In. Interface: Bridge-Local, Action: Accept
i) Chain: forward, Connection State: Invalid, Action: Drop, Log enabled (No Hit at all)
j) Chain: forward, Action: Drop (No hit at all)

When looking at my Mikrotik logs I am getting a lot of DROP from rule e) such as:
(dozens of those every minute or so; I think this is traffic from Gmail! Why does it get dropped…)
DROP_IN_Last. input: in:pppoe-out1 out:(none), proto TCP (ACK,PSH), 64.233.167.108:993->86.144.X.X:53353, len 177

(every minute or so)
DROP_IN_Last. input: in:pppoe-out1 out:(none), proto 2, 0.0.0.0->224.0.0.1, len 36

(every minute or so)
DROP_IN_Last. input: in:ether1-gateway out:(none), src-mac 84:26:XX:XX:XX:XX, proto 2, 0.0.0.0->224.0.0.1, len 36

(every minute or so)
DROP_IN_Invalid. input: in:pppoe-out1 out:(none), proto TCP (RST), 108.160.173.65:443->86.144.X.X:50552, len 40

I have the feeling I haven’t configured my Firewall correctly… but I don’t really know what I have done wrong! :confused:

If anyone could help that would be great.
Thanks.
B.
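As an added example (not from the original post, and not MikroTik's own tooling), here is a small Python parser for the firewall log lines quoted above. It pulls out the log prefix, chain, interfaces, protocol, TCP flags, addresses and ports from each line and tags every drop with a category, so a noisy "DROP_IN_Last" log can be summarized by type instead of read line by line. The four sample lines are the ones quoted in the post with the poster's masking (86.144.X.X, 84:26:XX:...) kept as-is; the category names and the line format assumed by the regular expression are mine.

```python
import re
from collections import Counter

# Constructed sample: the four lines quoted in the post, poster's masking kept.
SAMPLE_LOG = """\
DROP_IN_Last. input: in:pppoe-out1 out:(none), proto TCP (ACK,PSH), 64.233.167.108:993->86.144.X.X:53353, len 177
DROP_IN_Last. input: in:pppoe-out1 out:(none), proto 2, 0.0.0.0->224.0.0.1, len 36
DROP_IN_Last. input: in:ether1-gateway out:(none), src-mac 84:26:XX:XX:XX:XX, proto 2, 0.0.0.0->224.0.0.1, len 36
DROP_IN_Invalid. input: in:pppoe-out1 out:(none), proto TCP (RST), 108.160.173.65:443->86.144.X.X:50552, len 40
"""

# Assumed line layout (matches the quoted lines):
#   <prefix>[.] <chain>: in:<if> out:<if>, [src-mac <mac>, ] proto <p> [(<flags>)], <src>[:port]-><dst>[:port], len <n>
LINE_RE = re.compile(
    r"^(?P<prefix>\S+?)\.?\s+(?P<chain>\w+):\s+"
    r"in:(?P<in_if>[^\s,]+)\s+out:(?P<out_if>[^\s,]+),\s+"
    r"(?:src-mac\s+(?P<src_mac>[\w:]+),\s+)?"
    r"proto\s+(?P<proto>\w+)(?:\s+\((?P<flags>[^)]*)\))?,\s+"
    r"(?P<src>[\w.]+)(?::(?P<sport>\d+))?->(?P<dst>[\w.]+)(?::(?P<dport>\d+))?,\s+"
    r"len\s+(?P<length>\d+)$"
)

# RouterOS prints numbers for protocols it has no name for; map the common ones.
PROTO_NAMES = {"1": "ICMP", "2": "IGMP", "6": "TCP", "17": "UDP"}


def parse_line(line):
    """Return a dict for one firewall log line, or None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["proto"] = PROTO_NAMES.get(rec["proto"], rec["proto"]).upper()
    rec["sport"] = int(rec["sport"]) if rec["sport"] else None
    rec["dport"] = int(rec["dport"]) if rec["dport"] else None
    rec["length"] = int(rec["length"])
    return rec


def parse_log(text):
    """Parse every non-empty line; unparsable lines are skipped, not guessed at."""
    return [r for r in (parse_line(l) for l in text.splitlines() if l.strip()) if r]


def classify(rec):
    """Tag a dropped packet with a coarse reason (category names are my own)."""
    flags = set(rec["flags"].split(",")) if rec["flags"] else set()
    # 224.0.0.1 is the all-hosts link-local multicast group; proto 2 is IGMP
    # (membership queries from the upstream side). No conntrack state exists
    # for it, so a final "drop everything" input rule is where it lands.
    if rec["proto"] == "IGMP" and rec["dst"].startswith("224.0.0."):
        return "igmp-multicast"
    # A lone RST for a flow the connection tracker no longer knows about.
    if rec["proto"] == "TCP" and flags == {"RST"}:
        return "stray-rst"
    # Data segment (ACK set, no SYN) that matched neither established nor
    # related: the tracker had no entry for this flow when it arrived.
    if rec["proto"] == "TCP" and "ACK" in flags and "SYN" not in flags:
        return "untracked-mid-stream"
    return "other"


def summarize(text):
    """Count drops per (log prefix, category) so the noisy rule can be read at a glance."""
    return Counter((r["prefix"], classify(r)) for r in parse_log(text))


if __name__ == "__main__":
    for (prefix, category), n in sorted(summarize(SAMPLE_LOG).items()):
        print(f"{prefix:16} {category:22} {n}")
```

Run against a real export of `/log print` filtered on the firewall prefixes, the summary separates the link-local multicast noise (which can simply be matched and dropped without logging) from the untracked TCP segments that actually merit a closer look at connection-tracking state.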

The more complex a configuration, and the longer one has had that configuration with periodic upgrades, the more chance that a mishap can lead to having to reformat the router. I am dealing with that right now, and with the amount of hours at minimum wage I have put into diagnosis I could have bought another router… if it wasn’t for the sake of learning. Have you considered reformatting?

If you don’t mind, could you share these: (I have also 3 rules to stop port scan and stop DOS).

Hi,
Sure, here are the 3 rules I omitted above; they are in between rules d) and e).
I got those rules from this Forum.

  1. Chain: Input, Protocol: TCP, Weight Threshold: 21, Delay Threshold: 00:00:03, Low Port Weight: 3, High Port Weight: 1, Action: Drop, Log enabled (This is to stop Port Scans)

  2. Chain: input, Protocol: TCP, SRC. Address List: Blacklist, Connection Limit: 100, Netmask: 0, Rate: 3, Burst 32, Action: Tarpit, Log Enabled (This is to Stop DOS)

  3. Chain: input, Protocol: TCP, Connection Limit: 100, Netmask: 0, Rate: 10, Burst 32, Action: Add SRC to Address List, Log Enabled, Address List: Blacklist, Timeout: 24h (This is part of the DOS protection)

Because I am not getting any hit on those rules I don’t think they are part of the problem.

I could indeed reformat everything…

The only other thing I have changed on this router is that I have disabled all the Discovery Interfaces in “Neighbors”, this was generating a lot of noise on my network and I read somewhere it was not needed.

What did you think about my other firewall rules? They all looked OK? No obvious mistakes/misconfiguration?

Thanks.
B.
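Added example, not part of the thread and not RouterOS code: a simplified Python model of how a weighted port-scan detector like the one in rule 1 scores a source (low ports, below 1024, weigh 3; high ports weigh 1; a source is matched when its score reaches 21 within a 3 second window). The assumption that only distinct destination ports are counted, the window handling, and the client/scanner addresses and timings are constructed for illustration, so the numbers show why a quick walk of 7 low ports trips the rule while a browser reopening 80 and 443, or a slow one-port-every-4-seconds probe, does not.

```python
from collections import defaultdict, deque


class PortScanDetector:
    """Simplified model of a weighted port-scan matcher (assumption: distinct
    destination ports per source, scored inside a sliding time window).
    Defaults mirror the thread's rule 1: threshold 21, delay 3 s, weights 3/1."""

    def __init__(self, weight_threshold=21, delay_threshold=3.0,
                 low_port_weight=3, high_port_weight=1):
        self.weight_threshold = weight_threshold
        self.delay_threshold = delay_threshold
        self.low_port_weight = low_port_weight
        self.high_port_weight = high_port_weight
        self._windows = defaultdict(deque)  # src -> deque of (ts, dport)

    def _weight(self, port):
        # Ports below 1024 are the "low" (privileged) ports.
        return self.low_port_weight if port < 1024 else self.high_port_weight

    def observe(self, src, dport, ts):
        """Record one TCP connection attempt from src to dport at time ts.
        Returns True when the source's score in the window reaches the
        threshold, i.e. when the rule would match and drop/log the packet."""
        window = self._windows[src]
        # Forget attempts older than the delay threshold.
        while window and ts - window[0][0] > self.delay_threshold:
            window.popleft()
        # Only a new destination port adds weight (modelling assumption).
        if all(p != dport for _, p in window):
            window.append((ts, dport))
        score = sum(self._weight(p) for _, p in window)
        return score >= self.weight_threshold


def first_trigger(events, **params):
    """Feed (ts, src, dport) events in time order; return, per source, the
    (ts, dport) at which the detector first matched. Sources never matched
    are absent from the result."""
    det = PortScanDetector(**params)
    hits = {}
    for ts, src, dport in sorted(events):
        if src not in hits and det.observe(src, dport, ts):
            hits[src] = (ts, dport)
    return hits


def build_sample_events():
    """Constructed traffic: documentation-range addresses, not real hosts."""
    events = []
    # Legitimate client reopening 443 and 80 once a second for 10 s.
    for i in range(10):
        events.append((float(i), "192.168.1.20", 443))
        events.append((float(i) + 0.2, "192.168.1.20", 80))
    # Fast scanner: low ports 20..40, one every 50 ms (weight 3 each).
    for i, port in enumerate(range(20, 41)):
        events.append((100.0 + 0.05 * i, "203.0.113.9", port))
    # Slow scanner: one low port every 4 s, always outside the 3 s window.
    for i, port in enumerate(range(20, 41)):
        events.append((200.0 + 4.0 * i, "198.51.100.77", port))
    # High-port sweep: 8000..8030, one every 50 ms (weight 1 each).
    for i, port in enumerate(range(8000, 8031)):
        events.append((300.0 + 0.05 * i, "203.0.113.50", port))
    return events


if __name__ == "__main__":
    for src, (ts, port) in sorted(first_trigger(build_sample_events()).items()):
        print(f"{src:15} matched at t={ts:.2f}s on port {port}")
```

The model makes the trade-off in such a rule visible: with weight 3 per low port, seven distinct low ports inside three seconds is enough to match, so a burst of legitimate connections to several services on the router (say SSH, HTTP, HTTPS, IMAP and a few more within a short time) can hit the same rule; keeping the matcher logged, as the thread's rule 1 does, is what lets you see that happen.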

Thanks for sharing those firewall rules…not sure I understand them though. I made note of them.

Firewall rule (e) chain: input > action: drop…that’s normal…you should get lots of “hits.”

Do you have the Asus in bridge mode?

I had a setup where a Mikrotik RB450G is my master router to which I connect an Apple Extreme for my personal private network 10.0.x.x (Ether2) and a Cisco/Linksys wireless access point for my private guest network 172.18.x.x (Ether5). Each of these private network routers is set to bridge mode. The RB450G does DNS resolution.

Your setup seems somewhat similar; however, it seems you have three private networks on your Mikrotik… 192.168.0.0/24, 192.168.0.1/24, 172.16.14.xx… Check IP > Addresses… remove the 172.16.14.xx if not needed. Be sure the Ether port with the 192.168.1.1 resolves DNS via cache. In IP > DNS, set Google as DNS server [8.8.8.8] and check the box (Allow Remote Request).

Rule 1 is supposed to protect against port scans by blocking those attempts.
Rules 2 and 3 work together to slow DOS attacks; from what I understand it doesn’t block them but slows them down, the idea being that all those connections will not have as much impact.

I can’t remember where I got them from exactly, but it was after searching for Mikrotik Firewall HowTo

Regarding my Wireless Router, it isn’t in a bridge mode. It is in Router mode (Default).
The reason is because on most Wireless routers (I tried the latest Linksys, Asus, Netgear) they use NAT in bridge mode, and because I am running a TAP I must not have NAT. In “router” mode you can disable NAT (I think you can’t on the latest Linksys I tried on, sent it back and replaced it with the ASUS), but you also need to be on different network subnets.

I used to have an Apple Extreme and had no problems! Reading through many forums I think Apple is not using Standard NAT so it was possible to disable NAT in Bridge mode or at least still see individual IP source somehow. Don’t quote me on this, it has been months since I read about it and after hours of scouring the net I can’t remember everything exactly :slight_smile:.
What I remember is that it used to work fine with Apple, but that was because of a non-standard Apple design (what a surprise). And I wanted to change my wireless router for different reasons (traffic control and shaping plus many other things) so I had to adapt and search for a new solution.

I think I will follow your advice as soon as I can face reconfiguring everything and restarting from scratch :slight_smile:
As nobody else shouted about the firewall rules I listed here, I am assuming they are probably not the source of the problem.