No traffic on WAN interface after upgrade to 7.5

Hello,

After upgrading a working configuration from the 6.x branch (I don’t remember the exact version; it was last updated sometime in 2020) to version 7.5 stable, I lost traffic on the WAN interface.

From the LAN I can ping the router and access it with SSH and WinBox. The L2TP/IPsec VPN from the Internet to the LAN also works, and I can use it to access the router from the Internet.

DST-NAT, ping and SSH from the Internet don’t work. SRC-NAT from the LAN doesn’t work either.

From the MikroTik itself I can ping the LAN bridge interface but not the WAN interface.

The configuration is below:

# sep/15/2022 22:16:47 by RouterOS 7.5
# software id = 9KUN-MDHQ
#
# model = RouterBOARD 750G r3
# serial number = 
# NOTE(review): lines beginning "# NOTE(review)" are reviewer annotations only;
# no directive in this export was changed.
/interface bridge
add admin-mac=6C:3B:6B:C9:53:84 auto-mac=no fast-forward=no name=bridge1
# NOTE(review): ipsec-bridge has no ports (the bridge port section only fills
# bridge1); it just carries the 192.168.251.17/28 address for the IKEv2 pool.
add name=ipsec-bridge
/interface ethernet
set [ find default-name=ether1 ] comment=WAN speed=100Mbps
set [ find default-name=ether2 ] name=ether2-master speed=100Mbps
set [ find default-name=ether3 ] speed=100Mbps
set [ find default-name=ether4 ] speed=100Mbps
set [ find default-name=ether5 ] speed=100Mbps
/interface wireguard
# NOTE(review): disabled=yes, yet the input chain below still accepts udp/52939
# from ether1 for it.
add disabled=yes listen-port=52939 mtu=1420 name=wireguard1
/interface list
add exclude=dynamic name=discover
add name=mactel
add name=mac-winbox
/interface lte apn
set [ find default=yes ] ip-type=ipv4 use-network-apn=no
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=abc.r-networks.ru
/ip ipsec policy group
add name=ikev2-policies
/ip ipsec profile
# NOTE(review): modp1024 and 3des are legacy choices. profile_1 is referenced
# only by peer3 (disabled) in this export, so tightening it looks low-risk --
# confirm the L2TP server's use-ipsec=yes does not also depend on it.
add dh-group=modp1024 enc-algorithm=aes-256,aes-192,aes-128,3des \
    hash-algorithm=sha256 name=profile_1
add enc-algorithm=aes-256,aes-192,aes-128 hash-algorithm=sha256 name=IKEv2
/ip ipsec peer
add address=0.0.0.0/32 comment="l2tp/ipsec ipv4" disabled=yes name=peer3 \
    passive=yes profile=profile_1 send-initial-contact=no
add exchange-mode=ike2 name=IKEv2-peer passive=yes profile=IKEv2 \
    send-initial-contact=no
/ip ipsec proposal
# NOTE(review): the default proposal still offers 3des and sha1; keep them only
# if some L2TP/IPsec client actually needs them -- not visible from this export.
set [ find default=yes ] auth-algorithms=sha512,sha256,sha1 enc-algorithms=\
    aes-256-cbc,aes-192-cbc,aes-128-cbc,3des
add auth-algorithms=sha512,sha256 name=IKEv2 pfs-group=none
/ip pool
add name=default-dhcp ranges=192.168.88.10-192.168.88.254
add name=vpn-pool ranges=192.168.251.2-192.168.251.15
# NOTE(review): ranges= uses a comma, so this pool holds the two single
# addresses .18 and .31, not the .18-.31 range -- probably a typo; confirm.
add name=ipsec-pool ranges=192.168.251.18,192.168.251.31
/ip dhcp-server
add address-pool=default-dhcp authoritative=after-2sec-delay disabled=yes \
    interface=bridge1 name=defconf
/ip ipsec mode-config
add address-pool=ipsec-pool address-prefix-length=32 name=IKEv2-cfg \
    split-include=192.168.251.16/28,192.168.128.0/24
/port
set 0 name=serial0
/ppp profile
add dns-server=192.168.128.2 local-address=192.168.251.1 name=l2tp-ipsec \
    remote-address=vpn-pool use-encryption=required wins-server=192.168.128.2
/routing ospf instance
add disabled=yes name=default-v2
/routing ospf area
add disabled=yes instance=default-v2 name=backbone-v2
/routing bgp template
set default disabled=yes output.network=bgp-networks routing-table=main
/snmp community
# NOTE(review): the default community answers any source address. SNMP itself
# is not shown enabled here, but while the input chain accepts
# connection-state=new (see "Accept Established" below) it would be reachable
# from WAN; restrict addresses= to a management network or leave SNMP off.
set [ find default=yes ] addresses=0.0.0.0/0
/user group
set full policy="local,telnet,ssh,ftp,reboot,read,write,policy,test,winbox,pas\
    sword,web,sniff,sensitive,api,romon,dude,rest-api"
/interface bridge port
add bridge=bridge1 ingress-filtering=no interface=ether2-master
add bridge=bridge1 ingress-filtering=no interface=ether3
add bridge=bridge1 ingress-filtering=no interface=ether4
add bridge=bridge1 ingress-filtering=no interface=ether5
/ip neighbor discovery-settings
set discover-interface-list=discover
/ipv6 settings
set disable-ipv6=yes max-neighbor-entries=8192
/interface l2tp-server server
set allow-fast-path=yes authentication=chap,mschap1,mschap2 default-profile=\
    l2tp-ipsec enabled=yes use-ipsec=yes
/interface list member
add interface=ether2-master list=mactel
add interface=ether2-master list=mac-winbox
/interface ovpn-server server
# NOTE(review): sha1 and blowfish128 are legacy; enabled=yes is not shown, so
# the server appears off, while tcp/udp 1194 is still accepted from ether1 below.
set auth=sha1 certificate=*4 cipher=blowfish128,aes192,aes256
/interface wireguard peers
add allowed-address=192.168.0.0/24,192.168.249.1/32 comment="xxxx1" \
    disabled=yes endpoint-address=xxxx.ddns.net endpoint-port=52939 \
    interface=wireguard1 persistent-keepalive=25s public-key=\
    "xxxx"
add allowed-address=192.168.249.2/32 comment="xxxx2" disabled=\
    yes interface=wireguard1 public-key=\
    "xxxx"
/ip address
add address=192.168.128.254/24 comment=defconf interface=bridge1 network=\
    192.168.128.0
add address=93.186.57.86/30 interface=ether1 network=93.186.57.84
add address=192.168.251.17/28 interface=ipsec-bridge network=192.168.251.16
/ip dhcp-client
add comment=defconf disabled=yes interface=ether1
/ip dhcp-server network
add address=192.168.128.0/24 comment=defconf gateway=192.168.128.254 netmask=\
    24
/ip dns
set servers=192.168.128.2,8.8.8.8
/ip dns static
add address=192.168.128.254 name=router
/ip firewall address-list
add address=192.168.0.0/24 disabled=yes list=external
/ip firewall filter
# NOTE(review): forward chain. Connections marked "ipsec" by mangle are kept out
# of fasttrack. There is no explicit accept for new LAN-originated traffic, so
# LAN->WAN relies on the chain's implicit accept after the last rule.
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
    connection-mark=!ipsec connection-state=established,related hw-offload=\
    yes
add action=accept chain=forward comment="defconf: accept established,related" \
    connection-state=established,related
add action=accept chain=forward comment="ipsec in" in-interface=ether1 \
    ipsec-policy=in,ipsec
add action=accept chain=forward comment="ipsec out" in-interface=ether1 \
    ipsec-policy=out,ipsec
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
add action=drop chain=forward comment=\
    "defconf:  drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
    connection-state=new in-interface=ether1
# NOTE(review): input chain. The next rule is fully covered by the "Accept ICMP"
# rule after it, which has no in-interface restriction.
add action=accept chain=input in-interface=ether1 protocol=icmp
add action=accept chain=input comment="Accept ICMP" protocol=icmp
# NOTE(review): "new" here accepts every new connection to the router on every
# interface before the ether1 drop at the end of the chain, so all listening
# services are reachable from WAN. The thread traces this to troubleshooting
# and the accepted fix removes it.
add action=accept chain=input comment="Accept Established" connection-state=\
    established,related,new,untracked
# NOTE(review): tcp/22 open from WAN with logging; /ip ssh below has
# always-allow-password-login=yes, so consider key-only auth or a
# src-address-list on this rule. connection-state="" appears to be an
# explicitly emptied matcher -- confirm it is intentional.
add action=accept chain=input comment=wan-ssh connection-state="" dst-port=22 \
    in-interface=ether1 log=yes log-prefix=wan-ssh protocol=tcp
add action=accept chain=input comment=l2tp/ipsec dst-port=500,1701,4500 \
    in-interface=ether1 protocol=udp
add action=accept chain=input comment=l2tp/ipsec in-interface=ether1 \
    protocol=ipsec-esp
# NOTE(review): 1194 and 52939 stay open although the OpenVPN server is not
# shown enabled and wireguard1 is disabled; disabling these rules while the
# services are off shrinks the WAN-facing surface.
add action=accept chain=input comment=openvpn dst-port=1194 in-interface=\
    ether1 protocol=tcp
add action=accept chain=input comment=openvpn dst-port=1194 in-interface=\
    ether1 protocol=udp
add action=accept chain=input comment=wireguard dst-port=52939 in-interface=\
    ether1 protocol=udp
# NOTE(review): final drop applies to ether1 only; input arriving on bridge1 or
# VPN interfaces falls through to the chain's implicit accept.
add action=drop chain=input in-interface=ether1
/ip firewall mangle
# NOTE(review): these marks are what the fasttrack rule's connection-mark=!ipsec
# relies on to keep IPsec-policy traffic out of fasttrack.
add action=mark-connection chain=forward comment="Mark IPsec" ipsec-policy=\
    out,ipsec new-connection-mark=ipsec
add action=mark-connection chain=forward comment="Mark IPsec" ipsec-policy=\
    in,ipsec new-connection-mark=ipsec
/ip firewall nat
# NOTE(review): to-addresses= is normally an action=src-nat parameter; with
# action=masquerade it is presumably ignored -- confirm, or switch the action.
add action=masquerade chain=srcnat comment="defconf: masquerade" log-prefix=\
    src-nat out-interface=ether1 src-address=192.168.128.0/24 to-addresses=\
    93.186.57.86
add action=dst-nat chain=dstnat comment=tinc disabled=yes dst-port=655 \
    in-interface=ether1 protocol=tcp to-addresses=192.168.128.2 to-ports=655
add action=dst-nat chain=dstnat comment=tinc disabled=yes dst-port=655 \
    in-interface=ether1 protocol=udp to-addresses=192.168.128.2 to-ports=655
# NOTE(review): public tcp/8122 is forwarded to 192.168.128.2:22 (logged). The
# forward chain lets it through because the WAN drop rule only matches
# connection-nat-state=!dstnat.
add action=dst-nat chain=dstnat comment=ssh-dc1 dst-port=8122 in-interface=\
    ether1 log=yes log-prefix=abc-ssh-dc1 protocol=tcp to-addresses=\
    192.168.128.2 to-ports=22
add action=dst-nat chain=dstnat comment="wireguard on wg-gate" disabled=yes \
    dst-address-type="" dst-port=52939 in-interface=ether1 log-prefix=\
    wg-forward protocol=udp to-addresses=192.168.128.253 to-ports=51820
/ip ipsec identity
add generate-policy=port-strict peer=peer3 remote-id=ignore
add auth-method=digital-signature certificate=abc-ikev2 generate-policy=\
    port-strict mode-config=IKEv2-cfg peer=IKEv2-peer policy-template-group=\
    ikev2-policies
/ip ipsec policy
add action=discard comment="Drop any L2TP unencrypted incoming traffic" \
    dst-address=0.0.0.0/0 protocol=udp src-address=93.186.57.86/32 src-port=\
    1701
add comment="ipsec ikev2" dst-address=192.168.251.0/28 group=ikev2-policies \
    proposal=IKEv2 src-address=0.0.0.0/0 template=yes
# NOTE(review): the thread identifies this policy as the cause of the outage:
# src 93.186.57.86/32 -> dst 0.0.0.0/0 with tunnel=yes matches every packet
# sourced from the public address, so plain WAN traffic is handed to IPsec
# (which has no SA for it) instead of being routed.
add comment="ikev2 test" dst-address=0.0.0.0/0 peer=IKEv2-peer proposal=IKEv2 \
    src-address=93.186.57.86/32 tunnel=yes
/ip route
add disabled=no dst-address=0.0.0.0/0 gateway=93.186.57.85
/ip service
set telnet disabled=yes
set ftp disabled=yes
set www disabled=yes
set www-ssl certificate=abc-https disabled=no
set api disabled=yes
set api-ssl disabled=yes
/ip smb shares
set [ find default=yes ] directory=/pub
/ip ssh
# NOTE(review): password login and remote forwarding are both allowed on a
# service the filter exposes on tcp/22 from WAN; key-only auth and
# forwarding-enabled=no (if unused) would reduce that exposure.
set always-allow-password-login=yes forwarding-enabled=remote strong-crypto=\
    yes
/ppp secret
# NOTE(review): routes= installs 192.168.0.0/24 via user1's tunnel while it is
# connected -- the same prefix as the disabled "external" address-list and the
# disabled wireguard peer's allowed-address.
add comment="xxxx3" name=user1 profile=l2tp-ipsec routes=\
    192.168.0.0/24 service=l2tp
add comment="xxxx4" name=user2 profile=l2tp-ipsec service=l2tp
add comment="xxxx4" name=user3 profile=l2tp-ipsec service=l2tp
add comment="xxxx5" name=user4 profile=l2tp-ipsec \
    service=l2tp
/system clock
set time-zone-name=Europe/Moscow
/system identity
set name=abc.r-networks.ru
/system logging
add disabled=yes prefix=l2tp topics=l2tp
add prefix=ipsec topics=ipsec
/system ntp client
set enabled=yes
/system ntp client servers
add address=192.168.128.2
/system resource irq rps
set ether1 disabled=no
set ether2-master disabled=no
set ether3 disabled=no
set ether4 disabled=no
set ether5 disabled=no
/tool bandwidth-server
set enabled=no
/tool mac-server
set allowed-interface-list=none
/tool mac-server mac-winbox
set allowed-interface-list=mac-winbox
/tool mac-server ping
set enabled=no
/tool sniffer
# NOTE(review): *F00A79 is an internal id rather than an interface name, which
# usually means the referenced interface no longer exists -- confirm and clear.
set filter-interface=*F00A79 filter-ip-protocol=icmp

Please, help!

P.S. The WireGuard config was made for version 7.5 and is disabled now.

The only problem I see is this rule:

/ip firewall filter
add action=accept chain=input comment="Accept Established" connection-state=established,related,new,untracked

where “new” leaves the router wide open: any connection to any service from anywhere would be allowed. I don’t know whether you kept the real public address, but if you did, the problem must be elsewhere, because I can’t even ping it.

Not surprising that one gets errors in such a disorganized mess of firewall rules; at least keep the chains contiguous!!!

You are right, the “new” is a trace of desperate “experiments” to solve the problem :frowning:
The public address is real and, yes, it can’t be pinged. It can’t be pinged from the router either. The only thing that works from the Internet is L2TP/IPsec :frowning:

The router has a long history; some services died, and the rules for them were disabled rather than deleted.

Does it work again when you restore the version used before the upgrade? Do you have a backup?

I did not restore the previous version; for now I’m looking for a way to fix it on 7.5.

One more thing I see: your last IPsec policy (“ikev2 test”) covers traffic between your public address and 0.0.0.0/0 (= any address), so it will basically block all traffic to and from your public address.

Thanks, I’ll test in the evening

After fixing your firewall filter, this should be more correct.
For proper firewall operation, it is recommended to use the method described here: https://forum.mikrotik.com/viewtopic.php?t=180838

/ip firewall filter
# NOTE(review): "new" is no longer accepted wholesale, so new connections to
# the router are admitted only by the explicit per-service rules below and
# everything else arriving on ether1 reaches the final drop.
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
# NOTE(review): tcp/22 stays open from WAN, and the original export has
# always-allow-password-login=yes; key-only auth or a src-address-list on this
# rule would limit that exposure. connection-state="" looks like an explicitly
# emptied matcher -- confirm it is intentional.
add action=accept chain=input comment=wan-ssh connection-state="" dst-port=22 \
    in-interface=ether1 log=yes log-prefix=wan-ssh protocol=tcp
add action=accept chain=input comment=l2tp/ipsec dst-port=500,1701,4500 \
    in-interface=ether1 protocol=udp
add action=accept chain=input comment=l2tp/ipsec in-interface=ether1 \
    protocol=ipsec-esp
# NOTE(review): the openvpn and wireguard accepts are carried over although the
# export shows wireguard1 disabled and no enabled=yes for the OpenVPN server;
# disabling these rules while the services are off shrinks the WAN surface.
add action=accept chain=input comment=openvpn dst-port=1194 in-interface=\
    ether1 protocol=tcp
add action=accept chain=input comment=openvpn dst-port=1194 in-interface=\
    ether1 protocol=udp
add action=accept chain=input comment=wireguard dst-port=52939 in-interface=\
    ether1 protocol=udp
# NOTE(review): final drop applies to ether1 only; input from bridge1 and the
# VPN interfaces falls through to the chain's implicit accept.
add action=drop chain=input in-interface=ether1

# NOTE(review): forward chain. The IPsec-policy accepts come first, then
# fasttrack for everything not marked "ipsec" by mangle. No explicit accept for
# new LAN-originated traffic exists, so LAN->WAN relies on the implicit accept
# after the last rule.
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
    ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
    ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
    connection-mark=!ipsec connection-state=established,related hw-offload=\
    yes
add action=accept chain=forward comment="defconf: accept established,related" \
    connection-state=established,related
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
add action=drop chain=forward comment=\
    "defconf:  drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
    connection-state=new in-interface=ether1

Sob, thank you, everything works now!

Johnson73, thanks for advice.