Port/Filter rules help. No packets making it back to the Internet clients. MTU issue?

Hello everyone,

I am having some issues forwarding/opening ports with a RB5009UG+S+ on RouterOS 7.16.2.

In summary, I swapped out a Ubnt ER-X, with the MikroTik configured as below.
I had a SoftEther server running on the local LAN, and had configured NAT rules to forward the relevant ports to the local server, but was never able to connect with SoftEther clients from the Internet.

So I abandoned that, and tried to set up a RoadWarrior WireGuard configuration (on the non-standard port 13269), as you can see in my config dump below. With this configuration the WireGuard server on the MikroTik receives the packets (I can see the packet counts increment with the connection attempt from the Internet-side client), and the MikroTik server receives the Internet client's public IP address and port number and lists it in the client list information, but no packets are received back at the Internet client.

For troubleshooting I tried to set up remote administration of the MikroTik, as it seemed to be the most basic way to verify connectivity from the Internet, but even that was not successful. Again, I would see the packets hit the filter rules and increment, but nothing is received by the Internet-side client.

I have done quite a few hours of troubleshooting trying to resolve this on my own, but I am stuck. Any help would be appreciated.

The MTik is connected to the ISP modem, which is in bridged mode, so the MTik grabs a public IP on IF1 as expected.

After my research, I am wondering if this is a possible MTU issue, as the packets seem to be received, but no packets seem to make it back to the clients on the Internet side. But I am just speculating, as I am beyond my level of expertise at this point.

I have masked anything sensitive with [~]REDACTED[~]

# 2025-01-13 12:08:44 by RouterOS 7.16.2
# software id = L6BJ-GMP9
#
# model = RB5009UG+S+
# serial number = [~]REDACTED[~]
/interface bridge
add admin-mac=[~]REDACTED[~] auto-mac=no comment=defconf name=bridge port-cost-mode=short
/interface ethernet
set [ find default-name=ether1 ] mac-address=[~]REDACTED[~]
/interface wireguard
add listen-port=13269 mtu=1420 name=wireguard1
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/ip pool
add name=default-dhcp ranges=192.168.1.100-192.168.1.149
/ip dhcp-server
add address-pool=default-dhcp interface=bridge lease-time=10m name=defconf
/interface bridge port
add bridge=bridge comment=defconf interface=ether2 internal-path-cost=10 path-cost=10
add bridge=bridge comment=defconf interface=ether3 internal-path-cost=10 path-cost=10
add bridge=bridge comment=defconf interface=ether4 internal-path-cost=10 path-cost=10
add bridge=bridge comment=defconf interface=ether5 internal-path-cost=10 path-cost=10
add bridge=bridge comment=defconf interface=ether6 internal-path-cost=10 path-cost=10
add bridge=bridge comment=defconf interface=ether7 internal-path-cost=10 path-cost=10
add bridge=bridge comment=defconf interface=ether8 internal-path-cost=10 path-cost=10
add bridge=bridge comment=defconf interface=sfp-sfpplus1 internal-path-cost=10 path-cost=10
/ip firewall connection tracking
set udp-timeout=10s
/ip neighbor discovery-settings
set discover-interface-list=LAN
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=ether1 list=WAN
add interface=wireguard1 list=LAN
/interface wireguard peers
add allowed-address=10.0.0.2/32 interface=wireguard1 name=peer3 preshared-key="[~]REDACTED[~]" public-key=\
    "[~]REDACTED[~]"
/ip address
add address=192.168.1.1/24 comment=defconf interface=bridge network=192.168.1.0
add address=10.0.0.1/24 interface=wireguard1 network=10.0.0.0
/ip dhcp-client
add comment=defconf interface=ether1
/ip dhcp-server lease
add address=192.168.1.69 comment=[~]REDACTED[~] mac-address=[~]REDACTED[~]
add address=192.168.1.105 comment=[~]REDACTED[~] mac-address=[~]REDACTED[~]
add address=192.168.1.129 comment=[~]REDACTED[~] mac-address=[~]REDACTED[~]
/ip dhcp-server network
add address=192.168.1.0/24 comment=defconf dns-server=192.168.1.1 gateway=192.168.1.1
/ip dns
set allow-remote-requests=yes
/ip dns static
add address=192.168.1.1 comment=defconf name=router.lan type=A
/ip firewall address-list
add address=[~]REDACTED[~] list=RemoteAccessList
/ip firewall filter
add action=accept chain=input comment="allow WireGuard traffic" src-address=10.0.0.0/24
add action=accept chain=input comment="allow WireGuard" dst-port=13269 protocol=udp
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=accept chain=input dst-port=8291 in-interface=ether1 protocol=tcp src-address-list=RemoteAccessList
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment="defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=drop chain=input comment="defconf: drop all not coming from LAN" in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related hw-offload=yes
add action=accept chain=forward comment="defconf: accept established,related, untracked" connection-state=established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
add action=drop chain=forward comment="defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat connection-state=new in-interface-list=WAN
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" ipsec-policy=out,none out-interface-list=WAN
add action=dst-nat chain=dstnat comment="forward SoftEther 5569" dst-port=5569 in-interface-list=WAN protocol=tcp to-addresses=192.168.1.105 to-ports=5569
/ip ipsec profile
set [ find default=yes ] dpd-interval=2m dpd-maximum-failures=5
/ipv6 firewall address-list
add address=::/128 comment="defconf: unspecified address" list=bad_ipv6
add address=::1/128 comment="defconf: lo" list=bad_ipv6
add address=fec0::/10 comment="defconf: site-local" list=bad_ipv6
add address=::ffff:0.0.0.0/96 comment="defconf: ipv4-mapped" list=bad_ipv6
add address=::/96 comment="defconf: ipv4 compat" list=bad_ipv6
add address=100::/64 comment="defconf: discard only " list=bad_ipv6
add address=2001:db8::/32 comment="defconf: documentation" list=bad_ipv6
add address=2001:10::/28 comment="defconf: ORCHID" list=bad_ipv6
add address=3ffe::/16 comment="defconf: 6bone" list=bad_ipv6
/ipv6 firewall filter
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=input comment="defconf: accept ICMPv6" protocol=icmpv6
add action=accept chain=input comment="defconf: accept UDP traceroute" port=33434-33534 protocol=udp
add action=accept chain=input comment="defconf: accept DHCPv6-Client prefix delegation." dst-port=546 protocol=udp src-address=fe80::/10
add action=accept chain=input comment="defconf: accept IKE" dst-port=500,4500 protocol=udp
add action=accept chain=input comment="defconf: accept ipsec AH" protocol=ipsec-ah
add action=accept chain=input comment="defconf: accept ipsec ESP" protocol=ipsec-esp
add action=accept chain=input comment="defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=input comment="defconf: drop everything else not coming from LAN" in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
add action=drop chain=forward comment="defconf: drop packets with bad src ipv6" src-address-list=bad_ipv6
add action=drop chain=forward comment="defconf: drop packets with bad dst ipv6" dst-address-list=bad_ipv6
add action=drop chain=forward comment="defconf: rfc4890 drop hop-limit=1" hop-limit=equal:1 protocol=icmpv6
add action=accept chain=forward comment="defconf: accept ICMPv6" protocol=icmpv6
add action=accept chain=forward comment="defconf: accept HIP" protocol=139
add action=accept chain=forward comment="defconf: accept IKE" dst-port=500,4500 protocol=udp
add action=accept chain=forward comment="defconf: accept ipsec AH" protocol=ipsec-ah
add action=accept chain=forward comment="defconf: accept ipsec ESP" protocol=ipsec-esp
add action=accept chain=forward comment="defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=forward comment="defconf: drop everything else not coming from LAN" in-interface-list=!LAN
/system clock
set time-zone-name=America/Edmonton
/system identity
set name=[~]REDACTED[~]
/system note
set show-at-login=no
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN

Looks good so far…

  1. ADDITION
    /interface list
    add name=TRUSTED
    /interface list member
    add interface=LAN list=TRUSTED
    add interface=wireguard list=TRUSTED

  2. firewall rules: Think about these three rules, the first two are rendered useless by the last rule.
    add action=accept chain=input dst-port=8291 in-interface=ether1 protocol=tcp src-address-list=RemoteAccessList
    add action=accept chain=input comment="allow WireGuard traffic" src-address=10.0.0.0/24
    add action=drop chain=input comment="defconf: drop all not coming from LAN" in-interface-list=!LAN

More effective is to combine WireGuard and an access list, so that only ADMIN IPs get full access to the router.
The LAN only needs access to DNS services and maybe NTP services…
You have given all LAN members access to the router for all services; we will fix that!!
We will use your remote access list idea (why hidden, not sure??), and if any of those are public IPs I will smack you upside the head for the security faux pas.

/ip firewall address-list
add address=10.0.0.2 list=AdminAccess comment="remote admin laptop wg"
add address=10.0.0.3 list=AdminAccess comment="remote admin smartphone wg" { yet to be created :wink: }
add address=192.168.1.X list=AdminAccess comment="local admin desktop - static dhcp lease"
add address=192.168.1.AB list=AdminAccess comment="local admin smartphone-wifi - static dhcp lease"

etc. as required

/ip firewall filter
{ default rules to keep }
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment="defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
{ admin rules }
add action=accept chain=input comment="WG handshake" dst-port=13269 protocol=udp
add action=accept chain=input comment="allow admin access" in-interface-list=TRUSTED src-address-list=AdminAccess
add action=accept chain=input comment="users to services" in-interface-list=LAN dst-port=53 protocol=udp
add action=accept chain=input comment="users to services" in-interface-list=LAN dst-port=53 protocol=tcp
add action=drop chain=input comment="Drop all else" { put this rule in last, after all the others are in place }
++++++++++++++++++++++++++++++++++
{ default rules to keep }
add action=accept chain=forward comment="defconf: accept in ipsec policy" ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related hw-offload=yes
add action=accept chain=forward comment="defconf: accept established,related, untracked" connection-state=established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
{ admin rules }
add action=accept chain=forward comment="internet traffic" in-interface-list=LAN out-interface-list=WAN
add action=accept chain=forward comment="port forwarding" connection-nat-state=dstnat
add action=accept chain=forward comment="wireguard to LAN" in-interface=wireguard1 dst-address=192.168.1.0/24
add action=drop chain=forward comment="drop all else"

  3. change:
    /tool mac-server
    set allowed-interface-list=none
    /tool mac-server mac-winbox
    set allowed-interface-list=TRUSTED

  4. Change or add:
    /ip neighbor discovery-settings
    set discover-interface-list=TRUSTED

Thank you so much for your insight! :sunglasses:
I will implement your changes, do some testing, and report back with a new config dump.

Only implement what you understand, feel free to ask questions…

Only implement what you understand, feel free to ask questions…

Thank you for your patience and willingness to help/explain, I do have a few questions/comments, that you can hopefully help me wrap my head around…


  1. ADDITION
    /interface list
    add name=TRUSTED
    /interface list member
    add interface=LAN list=TRUSTED
    add interface=wireguard list=TRUSTED

It looks like the above creates an interface list named TRUSTED, and then adds the interfaces LAN and wireguard (or wireguard1) as I have it defined in my config?

When I try to add LAN to the TRUSTED list, I get the error ‘input does not match any value of interface’. Would I just use bridge instead of LAN, as it has all the LAN interfaces included? Or am I misunderstanding?


  1. firewall rules: Think about these three rules, the first two are rendered useless by the last rule.
    add action=accept chain=input dst-port=8291 in-interface=ether1 protocol=tcp src-address-list=RemoteAccessList
    add action=accept chain=input comment="allow WireGuard traffic" src-address=10.0.0.0/24
    add action=drop chain=input comment="defconf: drop all not coming from LAN" in-interface-list=!LAN

I must not understand how these filter rules are applied. I thought that because they precede the drop rule, they would allow the traffic to pass.

Also how does !LAN (not LAN) work in this case, if I can’t add LAN to the TRUSTED list?


…and if any of those are public IPs will smack you upside the head for the security faux pas.

Yes, I understand the security concern here; the rule was just for testing, and was not going to be part of the production config. I was just trying to establish some kind of baseline by having at least a simple WinBox connection made from an Internet client. Since I couldn't get either of my other VPN options functional (which is how I would typically administer an edge device), I thought it would help me narrow down the problem. But, if you want, you can still smack me upside the head. I probably deserve it for other reasons. :stuck_out_tongue:


add action=accept chain=input comment="allow admin access" in-interface-list=TRUSTED src-address-list=AdminAccess
add action=accept chain=input comment="users to services" in-interface-list=LAN dst-port=53 protocol=udp
add action=accept chain=input comment="users to services" in-interface-list=LAN dst-port=53 protocol=tcp

Here, it looks like we are allowing the predefined IP addresses in the AdminAccess list to reach all services running on the MTik, and then allowing the users to access only DNS services. This might be a dumb question, but because the MTik is also providing DHCP, would we not need to allow UDP port 67 in the input chain as well? Or will DHCP work under the connection-state=established,related,untracked filter?

And again LAN is referenced for the in-interface-list would I just use bridge instead?

Thank you again for your enlightenment.
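The rule-ordering question above (do the accept rules that sit above "drop all not coming from LAN" ever fire?) is easiest to settle by walking the chain the way RouterOS does: top to bottom, first matching rule decides, and a packet that reaches the end of a chain unmatched is accepted. The script below is an added example written for this thread, not code from the forum or from MikroTik. It models only the matchers used in the poster's input chain (the CAPsMAN loopback rule is left out because it needs a dst-address matcher that nothing else here uses), and the interface lists, the single RemoteAccessList entry and all test packets are constructed; 198.51.100.0/24 and 203.0.113.0/24 are documentation ranges standing in for the redacted public addresses.

```python
"""First-match simulator for a RouterOS /ip firewall filter chain (added example)."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

# Constructed: mirrors the poster's /interface list member entries and a
# hypothetical RemoteAccessList member standing in for the redacted address.
INTERFACE_LISTS = {"LAN": {"bridge", "wireguard1"}, "WAN": {"ether1"}}
ADDRESS_LISTS = {"RemoteAccessList": {"198.51.100.7"}}


@dataclass
class Packet:
    in_iface: str
    protocol: str             # "tcp", "udp" or "icmp"
    src: str
    dst_port: Optional[int] = None
    conn_state: str = "new"   # new / established / related / untracked / invalid


@dataclass
class Rule:
    action: str               # "accept" or "drop"
    comment: str = ""
    protocol: Optional[str] = None
    dst_port: Optional[int] = None
    src_address: Optional[str] = None
    src_address_list: Optional[str] = None
    in_interface: Optional[str] = None
    in_interface_list: Optional[str] = None   # a leading "!" negates, as in RouterOS
    connection_state: tuple = ()


def _iface_in_list(iface: str, spec: str) -> bool:
    negate = spec.startswith("!")
    members = INTERFACE_LISTS.get(spec.lstrip("!"), set())
    return (iface in members) != negate


def matches(rule: Rule, pkt: Packet) -> bool:
    """Every matcher set on the rule must match; unset matchers are wildcards."""
    if rule.protocol and rule.protocol != pkt.protocol:
        return False
    if rule.dst_port is not None and rule.dst_port != pkt.dst_port:
        return False
    if rule.src_address and ip_address(pkt.src) not in ip_network(rule.src_address):
        return False
    if rule.src_address_list and pkt.src not in ADDRESS_LISTS.get(rule.src_address_list, set()):
        return False
    if rule.in_interface and rule.in_interface != pkt.in_iface:
        return False
    if rule.in_interface_list and not _iface_in_list(pkt.in_iface, rule.in_interface_list):
        return False
    if rule.connection_state and pkt.conn_state not in rule.connection_state:
        return False
    return True


def evaluate(chain: list, pkt: Packet) -> tuple:
    """Walk the chain top-down; return (action, index of the deciding rule).
    RouterOS accepts a packet that falls off the end of a chain, hence (accept, None)."""
    for idx, rule in enumerate(chain):
        if matches(rule, pkt):
            return rule.action, idx
    return "accept", None


# The poster's input chain, in export order (loopback/CAPsMAN rule omitted).
INPUT_CHAIN = [
    Rule("accept", "allow WireGuard traffic", src_address="10.0.0.0/24"),
    Rule("accept", "allow WireGuard", protocol="udp", dst_port=13269),
    Rule("accept", "defconf: accept established,related,untracked",
         connection_state=("established", "related", "untracked")),
    Rule("accept", "winbox from RemoteAccessList", protocol="tcp", dst_port=8291,
         in_interface="ether1", src_address_list="RemoteAccessList"),
    Rule("drop", "defconf: drop invalid", connection_state=("invalid",)),
    Rule("accept", "defconf: accept ICMP", protocol="icmp"),
    Rule("drop", "defconf: drop all not coming from LAN", in_interface_list="!LAN"),
]

# Same rules with the "drop all not coming from LAN" rule moved to the top,
# to show that position alone decides whether the earlier accepts ever fire.
DROP_FIRST_CHAIN = [INPUT_CHAIN[-1]] + INPUT_CHAIN[:-1]

# Constructed test packets.
WG_HANDSHAKE = Packet("ether1", "udp", "203.0.113.5", 13269)      # WG client on the Internet
WINBOX_ALLOWED = Packet("ether1", "tcp", "198.51.100.7", 8291)    # address in RemoteAccessList
WINBOX_STRANGER = Packet("ether1", "tcp", "203.0.113.9", 8291)    # any other public address
LAN_DNS = Packet("bridge", "udp", "192.168.1.105", 53)            # LAN host querying the router
TUNNEL_DNS = Packet("wireguard1", "udp", "10.0.0.2", 53)          # peer inside the tunnel

if __name__ == "__main__":
    for name, pkt in [("wg handshake", WG_HANDSHAKE), ("winbox allowed", WINBOX_ALLOWED),
                      ("winbox stranger", WINBOX_STRANGER), ("lan dns", LAN_DNS),
                      ("tunnel dns", TUNNEL_DNS)]:
        print(f"{name:16} export order: {evaluate(INPUT_CHAIN, pkt)}  "
              f"drop-first: {evaluate(DROP_FIRST_CHAIN, pkt)}")
```

Run as-is, the export-order chain accepts the WireGuard handshake at rule index 1 and the listed WinBox address at index 3, drops an unlisted public address at index 6, and lets LAN and tunnel DNS through (the LAN query falls off the end of the chain, which is why every LAN host currently reaches every router service). Moving the "!LAN" drop to the top turns both Internet-side accepts into drops at index 0, which is the only ordering under which those two rules would be "useless". Note that this only tells you whether the input chain lets the handshake in; it says nothing about the return path, so a packet accepted here can still fail to come back for reasons outside the filter rules.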