Multiple DMZ servers

Bit of a RouterBoard newbie, just taken over management of this network, so didn’t do original install.

I have 5 specific hosts on my LAN (10.1.0.0) that are all NAT 1:1 routed to a range of 5 public IP addresses on a full class C (XXX.XXX.196.0) WAN. Four of them work perfectly: I can access them on ports 22, 80 and 443 from the outside world. However, the first one is behaving a little oddly. Only port 22 (SSH) is available from the outside world. It ‘feels’ like things are being blocked by the firewall, but I can’t figure out why it would only affect one host.

As far as I can tell they are all configured EXACTLY the same. What is confusing me is why I would be able to access it through port 22 but be blocked on port 80 / 443 (or any other port I try to open).
I should have added: I can access them ALL perfectly, on all ports, using either their internal private IP addresses or their external public IP addresses. It is only from the ‘real’ outside world that I am having issues with ONE specific host.

Best Regards

Keith

Type: /ip firewall export
and paste the result in a reply

Ok I think I am starting to get an idea of what is going on.

This router has access to a public /28 subnet, (XXX.XXX.196.96 to XXX.XXX.196.111) and the next gateway is on XXX.XXX.196.1

All the outbound traffic seems to present itself on XXX.XXX.196.96 - which is the ‘Network’ address of the /28.

The addresses have been set up as:-
XXX.XXX.196.96/24
XXX.XXX.196.97/24
XXX.XXX.196.98/24
XXX.XXX.196.99/24
XXX.XXX.196.100/24

I am thinking that maybe these should have been set up as /32s or /28s, and should there even be an address entry for .96?

Getting my head round this RouterOS architecture is a bit daunting, but we are getting there.

/ip firewall filter
add action=jump chain=input comment="Jump common_firewall" jump-target=common_firewall
add action=drop chain=input comment="Drop internal IPs coming from external interface" in-interface=ether1 src-address=10.0.0.0/8
add action=accept chain=input comment="Accept from internal IPs" src-address=10.0.0.0/8
add action=accept chain=input comment="Accept PPTP" dst-port=1723 protocol=tcp
add action=drop chain=common_firewall comment="Drop new sessions without SYN" connection-state=new protocol=tcp tcp-flags=!syn
add action=accept chain=common_firewall comment="Accept established sessions" connection-state=established
add action=accept chain=common_firewall comment="Accept related sessions" connection-state=related
add action=drop chain=common_firewall comment="Drop invalid sessions" connection-state=invalid
add action=accept chain=common_firewall comment="Accept ICMP echo reply" icmp-options=0:0-255 protocol=icmp
add action=accept chain=common_firewall comment="Accept ICMP destination unreachable" icmp-options=3:0-255 protocol=icmp
add action=accept chain=common_firewall comment="Accept ICMP source quench" icmp-options=4:0-255 protocol=icmp
add action=accept chain=common_firewall comment="Accept ICMP echo request" icmp-options=8:0-255 protocol=icmp
add action=accept chain=common_firewall comment="Accept ICMP time exceeded" icmp-options=11:0-255 protocol=icmp
add action=accept chain=common_firewall comment="Accept ICMP parameter problem" icmp-options=12:0-255 protocol=icmp
add action=accept chain=input comment="Accept IPsec ESP" protocol=ipsec-esp
add action=accept chain=input comment="Accept IPsec AH" protocol=ipsec-ah
add action=accept chain=input comment="Accept IPsec IKE" dst-port=500 protocol=udp
add action=accept chain=input comment="Accept GRE" protocol=gre
add action=accept chain=input comment="Accept SSH" dst-port=22 protocol=tcp
add action=accept chain=input comment="Accept HTTPS" dst-port=443 protocol=tcp
add action=accept chain=input comment="Accept Winbox" dst-port=8291 protocol=tcp
add action=accept chain=input comment="Accept NTP" dst-port=123 protocol=udp
add action=accept chain=input comment="Accept DNS answers" protocol=udp src-port=53
add action=drop chain=input
add action=accept chain=forward comment="Accept outbound to external interface" out-interface=ether1
add action=accept chain=forward comment="Accept from internal IPs" src-address=10.0.0.0/8
add action=accept chain=forward comment="Accept to internal IPs" dst-address=10.0.0.0/8
add action=accept chain=forward comment="Accept to public IPs" dst-address=XXX.XXX.196.96/28
add action=jump chain=forward comment="Jump common_firewall" jump-target=common_firewall
add action=drop chain=forward

/ip firewall nat
add action=accept chain=srcnat comment="Bypass NAT for all internal traffic including VPN" dst-address=10.0.0.0/8 src-address=10.1.0.0/16
add action=netmap chain=srcnat comment="Server1" src-address=10.1.2.81 to-addresses=XXX.XXX.196.97
add action=netmap chain=dstnat dst-address=XXX.XXX.196.97 to-addresses=10.1.2.81
add action=netmap chain=srcnat comment="Server2" src-address=10.1.2.152 to-addresses=XXX.XXX.196.98
add action=netmap chain=dstnat dst-address=XXX.XXX.196.98 to-addresses=10.1.2.152
add action=netmap chain=srcnat comment="Server3" src-address=10.1.2.222 to-addresses=XXX.XXX.196.99
add action=netmap chain=dstnat dst-address=XXX.XXX.196.99 to-addresses=10.1.2.222
add action=netmap chain=srcnat comment="Server4" src-address=10.1.2.222 to-addresses=XXX.XXX.196.100
add action=netmap chain=dstnat dst-address=XXX.XXX.196.100 to-addresses=10.1.2.222
add action=masquerade chain=srcnat comment="Masquerade all other outgoing connections" out-interface=ether1 src-address=10.1.0.0/16
add action=dst-nat chain=dstnat dst-port=4202 in-interface=ether1 protocol=tcp to-addresses=10.1.2.146 to-ports=4200
add action=dst-nat chain=dstnat dst-port=4201 in-interface=ether1 protocol=tcp to-addresses=10.1.2.147 to-ports=4200

Thanks

Keith

Well, that firewall does not look very sound. I don’t know if this is how you got it handed over or if it has been modified already…
You should know that “input” refers to input to the router itself; it is not used for traffic forwarded to systems on the internal
network. For that, “forward” is used. Note that this is different from other manufacturers’ firewalls, and it is the same as
for the “iptables” firewall in Linux (which is what it really is).
So in “input”, only allow what you want to accept to the router, and in “forward” accept what you want to send to internal systems.
Also note there is a “default allow all” at the end of each table, so you need to explicitly put a “default deny all” there when that
is what you want (and usually you do).
Of course, start out with an explicit “allow” with the log option and check that you see what you expect and are not locking yourself out.
(You can use “safe mode” to prevent that.)

Of course, when you get XXX.XXX.196.96/28 from your ISP, the address XXX.XXX.196.96 is invalid. You cannot forward it. However,
this can sometimes be worked around by specifying a larger network (/24 in this case); maybe that has been attempted here.
However, that only works when the other side’s equipment forwards this traffic without noticing it is a network address.

It is not clear why these addresses have been set up at all; that is not required, unless the other side does not have some address
as the default gateway for your network and just sends everything L2 to the router (so it sends ARP for all your addresses).
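Two mechanical checks on the address and 1:1 NAT plan discussed above, written as an added Python example (not code from the thread or from RouterOS): it parses `/ip address` and `/ip firewall nat` export lines, flags any host address that sits on the network or broadcast address of the ISP /28 or carries a prefix length other than the allocation's, and flags netmap rules that lack the matching srcnat/dstnat half or map one internal host to two public addresses. The sample export is constructed; 203.0.113.0/24 (TEST-NET-3) stands in for the redacted XXX.XXX.196.0 block.

```python
import ipaddress
import shlex

# Constructed stand-in for the thread's export: 203.0.113.0/24 (TEST-NET-3)
# replaces the redacted XXX.XXX.196.0 block; the ISP allocation is a /28.
ISP_BLOCK = ipaddress.ip_network("203.0.113.96/28")
IP_ADDRESS_EXPORT = """
add address=203.0.113.96/24 interface=ether1
add address=203.0.113.97/24 interface=ether1
add address=203.0.113.98/28 interface=ether1
"""
NAT_EXPORT = """
add action=netmap chain=srcnat comment="Server1" src-address=10.1.2.81 to-addresses=203.0.113.97
add action=netmap chain=dstnat dst-address=203.0.113.97 to-addresses=10.1.2.81
add action=netmap chain=srcnat comment="Server3" src-address=10.1.2.222 to-addresses=203.0.113.99
add action=netmap chain=dstnat dst-address=203.0.113.99 to-addresses=10.1.2.222
add action=netmap chain=srcnat comment="Server4" src-address=10.1.2.222 to-addresses=203.0.113.100
"""

def parse_add_lines(export):
    """Turn each 'add k=v k=v ...' line of a RouterOS export into a dict."""
    return [dict(tok.partition("=")[::2] for tok in shlex.split(line[4:]))
            for line in export.strip().splitlines() if line.startswith("add ")]

def address_problems(export, isp_block):
    """Flag /ip address entries sitting on the network or broadcast address
    of the ISP block, or whose prefix length differs from the allocation."""
    problems = []
    for r in parse_add_lines(export):
        iface = ipaddress.ip_interface(r["address"])
        if iface.ip in (isp_block.network_address, isp_block.broadcast_address):
            problems.append(f"{r['address']}: network/broadcast address of {isp_block}")
        elif iface.network.prefixlen != isp_block.prefixlen:
            problems.append(f"{r['address']}: prefix should be /{isp_block.prefixlen}")
    return problems

def netmap_problems(export):
    """A 1:1 netmap needs both halves (srcnat out, dstnat in), and one internal
    host must not be mapped to two public addresses."""
    rules = [r for r in parse_add_lines(export) if r.get("action") == "netmap"]
    dst = {r["dst-address"]: r["to-addresses"] for r in rules if r["chain"] == "dstnat"}
    src = {}
    for r in rules:
        if r["chain"] == "srcnat":
            src.setdefault(r["src-address"], []).append(r["to-addresses"])
    problems = [f"{host} is srcnat-mapped to several public addresses: {', '.join(pubs)}"
                for host, pubs in src.items() if len(pubs) > 1]
    problems += [f"no dstnat back from {pub} to {host}"
                 for host, pubs in src.items() for pub in pubs if dst.get(pub) != host]
    return problems
```

Run it against a real `/ip address export` and `/ip firewall nat export` after replacing the sample strings; an empty list from both functions means the address plan matches the /28 and every netmap pair is complete.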