Nat working from some addresses, but not others.

I am running RouterOS 6.21 with a basic 1 external interface configuration. Right now I have the firewall configured to allow the following protocols in to my mail server:

Imaps:993
Submission:587
SMTP:25

Imaps and Submission are allowed from anywhere, but SMTP is only allowed from my mail filter provider. The problem I am having is that I can connect to Imaps and Submission from some IP addresses, but not from others.

Here is my firewall config.

/ip firewall filter
add action=drop chain=input comment="default configuration" connection-state=invalid
add chain=input comment="default configuration" connection-state=established
add chain=input comment="default configuration" connection-state=related
add action=drop chain=forward comment="default configuration" connection-state=invalid
add chain=forward comment="default configuration" connection-state=established
add chain=forward comment="default configuration" connection-state=related
add chain=forward comment="Allow inside traffic to go out" in-interface=bridge-local
add chain=forward comment="Accept submission" in-interface=ether-10-outside port=587 protocol=tcp
add chain=forward comment="Accept imaps" in-interface=ether-10-outside port=993 protocol=tcp
add chain=forward comment="Accept ssh to gort" in-interface=ether-10-outside port=9922 protocol=tcp
add chain=forward comment="Accept dns" in-interface=ether-10-outside port=53 protocol=tcp
add chain=forward comment="Accept dns" in-interface=ether-10-outside port=53 protocol=udp
add chain=forward comment="Accept mail from Red Condor" in-interface=ether-10-outside port=25 protocol=tcp src-address-list=RedCondor
add chain=input comment="Full access to SUPPORT address list" in-interface=bridge-local src-address-list=support
add action=add-src-to-address-list address-list=Port_Scanner address-list-timeout=1w chain=input comment="Port Scanner Detect" protocol=tcp psd=21,3s,3,1
add action=drop chain=input comment="Drop to port scan list" src-address-list=Port_Scanner
add action=add-src-to-address-list address-list=Syn_Flooder address-list-timeout=30m chain=input comment="Add Syn Flood IP to the list" connection-limit=30,32 protocol=tcp tcp-flags=syn
add action=drop chain=input comment="Drop to syn flood list" src-address-list=Syn_Flooder
add action=jump chain=input comment="Jump for icmp input flow" jump-target=ICMP protocol=icmp
add action=jump chain=forward comment="Jump for icmp forward flow" jump-target=ICMP protocol=icmp
add action=jump chain=output comment="Jump for icmp output" jump-target=ICMP protocol=icmp
add chain=ICMP comment="Echo request - Avoiding Ping Flood" icmp-options=8:0 limit=1,5 protocol=icmp
add chain=ICMP comment="Echo reply" icmp-options=0:0 protocol=icmp
add chain=ICMP comment="Time Exceeded" icmp-options=11:0 protocol=icmp
add chain=ICMP comment="Destination unreachable" icmp-options=3:0-1 protocol=icmp
add chain=ICMP comment=PMTUD icmp-options=3:4 protocol=icmp
add action=drop chain=ICMP comment="Drop to the other ICMPs" protocol=icmp
add action=drop chain=input comment="default configuration" in-interface=ether-10-outside
/ip firewall nat
add action=masquerade chain=srcnat comment="default configuration" out-interface=ether-10-outside
add action=dst-nat chain=dstnat comment="Nat dns outside to dns inside " dst-address=XX.YY.40.123 dst-port=53 protocol=udp to-addresses=192.168.2.45 to-ports=53
add action=dst-nat chain=dstnat comment="Nat dns outside to dns inside " dst-address=XX.YY.40.123 dst-port=53 protocol=tcp to-addresses=192.168.2.45 to-ports=53
add action=dst-nat chain=dstnat comment="Nat imaps outside to mail inside" dst-address=XX.YY.40.123 dst-port=993 protocol=tcp to-addresses=192.168.2.26 to-ports=993
add action=dst-nat chain=dstnat comment="Nat submission outside to mail inside" dst-address=XX.YY.40.123 dst-port=587 protocol=tcp to-addresses=192.168.2.26 to-ports=587
add action=dst-nat chain=dstnat comment="Nat 9922 outside to 22 on gort inside" dst-address=XX.YY.40.123 dst-port=ZZ22 protocol=tcp to-addresses=192.168.2.42 to-ports=22
add action=dst-nat chain=dstnat comment="SMTP in from Red Condor" dst-address=XX.YY.40.123 dst-port=25 protocol=tcp src-address=AA,BB.200.0/21 to-addresses=192.168.2.26 to-ports=25

From my ISP I can connect to Imaps with openssl:

$ openssl s_client -connect XX.YY.40.123:993
CONNECTED(00000003)
depth=0 /C=TW/ST=Taiwan/L=Taipei/O=Synology Inc./OU=FTP Team/CN=synology.com/Email=product@synology.com
verify error:num=20:unable to get local issuer certificate
verify return:1
depth=0 /C=TW/ST=Taiwan/L=Taipei/O=Synology Inc./OU=FTP Team/CN=synology.com/Email=product@synology.com
verify error:num=27:certificate not trusted
verify return:1
depth=0 /C=TW/ST=Taiwan/L=Taipei/O=Synology Inc./OU=FTP Team/CN=synology.com/Email=product@synology.com
verify error:num=21:unable to verify the first certificate
verify return:1
---
Certificate chain
 0 s:/C=TW/ST=Taiwan/L=Taipei/O=Synology Inc./OU=FTP Team/CN=synology.com/Email=product@synology.com
   i:/C=TW/ST=Taiwan/L=Taipei/O=Synology Inc./OU=Certificate Authority/CN=Synology Inc. CA/Email=product@synology.com
---
Server certificate
-----BEGIN CERTIFICATE-----
MIIDLTCCApagAwIBAgIHFEKAWHKg0DANBgkqhkiG9w0BAQsFADCBpzELMAkGA1UE
BhMCVFcxDzhueIUhiuhIBlRhaXdhbjEPMA0GA1UEBwwGVGFpcGVpMRYwFAYDVQQK
DA1TeW5vbG9neSBJbmMuMR4wHAYDUUGIUGIuyjJ0aWZpY2F0ZSBBdXRob3JpdHkx
...

So it can connect and talk to my Synology mail server, but only from my ISP at present.

From anywhere else I have tried, I get a timeout with an error=60 from openssl.

My Synology mail server is configured to accept any connection to Imaps and Submission, and from inside my firewall the mail server works fine. SMTP seems to be working perfectly; it's just Imaps and Submission that are giving me fits. The DNS and SSH are also working just fine. FWIW, I have had this working on my previous firewall for a few years, but I recently upgraded my Synology box and moved to an RB2011UiAS-IN MikroTik firewall.

I’ll happily post more info if needed. I’m just stumped on this issue at present.

Thanks,
James “Zeke” Dehnert

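Added example, not part of the original post: a small Python model of how RouterOS walks a filter chain top to bottom (first match wins, a jump chain returns when nothing in it matches, add-src-to-address-list falls through, and a built-in chain accepts when no rule matches), run over an abridged copy of the filter rules posted above. The rule excerpt and the packet dicts are constructed for this example, and the stateful matchers psd, limit and connection-limit are assumed to be within threshold since the model keeps no state.

```python
import shlex
# Abridged copy of the posted /ip firewall filter export, rule order preserved (constructed here).
FILTER_EXPORT = """
add action=drop chain=input connection-state=invalid
add chain=forward connection-state=established
add chain=forward comment="Accept imaps" in-interface=ether-10-outside port=993 protocol=tcp
add chain=forward comment="Accept mail from Red Condor" in-interface=ether-10-outside port=25 protocol=tcp src-address-list=RedCondor
add action=add-src-to-address-list address-list=Port_Scanner address-list-timeout=1w chain=input comment="Port Scanner Detect" protocol=tcp psd=21,3s,3,1
add action=drop chain=input comment="Drop to port scan list" src-address-list=Port_Scanner
add action=jump chain=forward comment="Jump for icmp forward flow" jump-target=ICMP protocol=icmp
add chain=ICMP comment="Echo request" icmp-options=8:0 limit=1,5 protocol=icmp
add action=drop chain=ICMP comment="Drop to the other ICMPs" protocol=icmp
add action=drop chain=input comment="default configuration" in-interface=ether-10-outside
"""
# Bookkeeping keys, plus stateful matchers (psd, limit, connection-limit) that this
# stateless model assumes are within threshold, i.e. treated as matching.
SKIP = {"action", "chain", "comment", "jump-target", "address-list",
        "address-list-timeout", "psd", "limit", "connection-limit"}
PASSTHROUGH = {"add-src-to-address-list", "add-dst-to-address-list", "log"}  # non-terminating
BUILTIN = {"input", "forward", "output"}  # built-in chains accept when no rule matches

def parse_rules(export):
    return [dict(p.split("=", 1) for p in shlex.split(line)[1:])  # shlex keeps quoted comments
            for line in export.strip().splitlines() if line.startswith("add ")]

def rule_matches(rule, pkt):
    for key, want in rule.items():
        if key in SKIP:
            continue
        have = pkt.get(key)  # a set means "any of these" (e.g. several address lists)
        if key == "port":    # RouterOS 'port' matches either src-port or dst-port
            have = {pkt.get("src-port"), pkt.get("dst-port")}
        if not (want in have if isinstance(have, set) else want == have):
            return False
    return True

def first_match(rules, chain, pkt):
    """Walk a chain top to bottom as RouterOS does; return (action, comment)."""
    for rule in (r for r in rules if r["chain"] == chain and rule_matches(r, pkt)):
        action = rule.get("action", "accept")
        if action == "jump":
            action, comment = first_match(rules, rule["jump-target"], pkt)
            if action == "return":  # nothing matched in the target chain: carry on here
                continue
            return action, comment
        if action not in PASSTHROUGH:  # add-*-to-address-list and log fall through
            return action, rule.get("comment", "")
    return ("accept", "(built-in chain default)") if chain in BUILTIN else ("return", "")

RULES = parse_rules(FILTER_EXPORT)
```

Feed it the chain a packet enters (dst-nat'd traffic to the inside hosts goes through forward, traffic to the router itself through input) and it reports which rule decides the packet's fate.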