Open port 80 from VPN to LAN

Hello
I have this situation:
The VPN client has IP 192.168.35.1
The web server has IP 192.168.10.10
I have this rule:
add action=accept chain=forward comment="open port 80 for User10" dst-address=192.168.10.10 dst-port=80 log=yes protocol=tcp src-address=192.168.35.1
I have another rule for the RDP port for all users from VPN PPTP connections,
and it works fine.
I cannot find the reason why one rule fails and the other does not. I do not have dnat.
This is my config:

/ip firewall filter
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment="VPN 1723" dst-port=1723 protocol=tcp
add action=accept chain=input comment="GRE VPN" dst-port=47 protocol=tcp
add action=accept chain=forward comment="open port 80 for User10" dst-address=192.168.10.10 dst-port=80 log=yes protocol=tcp src-address=192.168.35.1
add action=accept chain=forward comment="RDP VIA VPN" dst-port=3389 protocol=tcp src-address=192.168.35.0/24
add action=drop chain=forward comment="VPN A LOCAL BLOQUEADO" dst-address=192.168.10.0/24 log=yes src-address=192.168.35.0/24
add action=drop chain=forward comment="TRAFICO DE VPN A DMZ BLOQUEADO" dst-address=192.168.120.0/24 src-address=192.168.35.0/24
add action=drop chain=forward comment="TRAFICO DMZ A LAN BLOQUEADO" dst-address=192.168.10.0/24 src-address=192.168.120.0/24
add action=drop chain=forward comment="TRAFICO DE DMZ A VPN BLOQUEADO" dst-address=192.168.35.0/24 src-address=192.168.120.0/24
add action=drop chain=input comment="defconf: drop all not coming from LAN" in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related
add action=accept chain=forward comment="defconf: accept established,related, untracked" connection-state=established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
add action=drop chain=forward comment="defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat connection-state=new in-interface-list=WAN
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" ipsec-policy=out,none out-interface-list=WAN

Regards

I would put an action=log rule as the very first one in the chain=forward of /ip firewall filter with protocol=tcp dst-port=80 src-address=192.168.35.0/24, try to connect from the VPN client to the server, and see whether the SYN packet is logged or not. You may e.g. find that it actually comes from a different IP address.

Hello Sindy
I added the rule as you told me and made the request from my computer (I connect to the VPN with this user).
The IP that comes out in the log when I do the SYN is the IP that is assigned to this VPN connection, but I still get an error. I begin to suspect that the problem is in the web server: if it receives requests that are not the same, it rejects them (from the local network it works well). I changed the rule by putting /24 in source and destination, and that did not work either. I tried to do a NAT, and that did not work either.
The funny thing is that the rule for 3389 is IDENTICAL and works even with this connection.
I disabled the DROP rule from VPN to LAN and that did not work either. I am very confused: in the local network the IP PBX web server works, but not through the MikroTik.
I sent an email to the SAT of the IP PBX to check that there are no IP restrictions in the web manager, because nothing else occurs to me anymore.
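
Added example, not part of the thread and not any participant's code: a small Python model of first-match filter evaluation, run over the first four forward-chain rules copied from the config posted above, to check what the filter decides for a new TCP connection from the VPN client to the web server. The function names are assumptions, and the model covers only the src-address, dst-address, protocol and single-value dst-port matchers.

```python
import ipaddress
import shlex

# Forward-chain rules copied from the posted config (order preserved).
CONFIG = '''
add action=accept chain=forward comment="open port 80 for User10" dst-address=192.168.10.10 dst-port=80 log=yes protocol=tcp src-address=192.168.35.1
add action=accept chain=forward comment="RDP VIA VPN" dst-port=3389 protocol=tcp src-address=192.168.35.0/24
add action=drop chain=forward comment="VPN A LOCAL BLOQUEADO" dst-address=192.168.10.0/24 log=yes src-address=192.168.35.0/24
add action=drop chain=forward comment="TRAFICO DE VPN A DMZ BLOQUEADO" dst-address=192.168.120.0/24 src-address=192.168.35.0/24
'''

def parse_rules(text):
    """Turn each 'add key=value ...' line into a dict; shlex keeps quoted comments whole."""
    rules = []
    for line in text.strip().splitlines():
        tokens = shlex.split(line)[1:]  # drop the leading 'add'
        rules.append(dict(t.split("=", 1) for t in tokens))
    return rules

def in_net(addr, spec):
    # A bare address such as 192.168.35.1 is treated as a /32.
    return ipaddress.ip_address(addr) in ipaddress.ip_network(spec, strict=False)

def matches(rule, pkt):
    """A rule matches only if every matcher it carries matches the packet."""
    if "src-address" in rule and not in_net(pkt["src"], rule["src-address"]):
        return False
    if "dst-address" in rule and not in_net(pkt["dst"], rule["dst-address"]):
        return False
    if "protocol" in rule and rule["protocol"] != pkt["protocol"]:
        return False
    if "dst-port" in rule and int(rule["dst-port"]) != pkt["dst_port"]:
        return False
    return True

def verdict(rules, pkt, chain="forward"):
    """The first matching accept/drop rule in the chain decides the packet."""
    for rule in rules:
        if rule["chain"] == chain and rule["action"] in ("accept", "drop") and matches(rule, pkt):
            return rule["action"], rule["comment"]
    return "no-match", None

RULES = parse_rules(CONFIG)

if __name__ == "__main__":
    for port in (80, 3389, 443):  # 443 is a constructed control case
        pkt = {"src": "192.168.35.1", "dst": "192.168.10.10", "protocol": "tcp", "dst_port": port}
        print(port, verdict(RULES, pkt))
```

In this model the port 80 SYN from 192.168.35.1 is accepted by the first rule before the VPN-to-LAN drop is reached, the same way the 3389 SYN is accepted by the second.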