Port forwarding problems

Hi everyone,

I have an RB5009 with some VLANs configured and want to do some port forwarding. Unfortunately it is not working. I have a pretty standard config with some separation of the nsfw VLAN:

# jul/07/2022 15:21:38 by RouterOS 7.3
# software id = BRXK-M2RB
#
# model = RB5009UG+S+
# serial number = <CENSORED>
#
# Reviewer notes are added below as '#' comment lines; the exported
# configuration lines themselves are left exactly as posted.
#
# VLAN filtering is enabled on the bridge, so the '/interface bridge port'
# and '/interface bridge vlan' tables further down decide which tagged and
# untagged frames each port may carry.
/interface bridge
add admin-mac=DC:2C:6E:66:49:2F auto-mac=no comment=defconf name=bridge \
    vlan-filtering=yes
# WAN uplink is PPPoE over ether1; the default route lives on pppoe-out1,
# which is why both ether1 and pppoe-out1 are WAN list members below.
/interface pppoe-client
add add-default-route=yes disabled=no interface=ether1 name=pppoe-out1 user=\
    <CENSORED>
# Routed VLAN sub-interfaces of the bridge. vlan10-vm receives an address
# (192.168.10.1/24) further down but, unlike vlan15-home and vlan20-nsfw, has
# no DHCP server or DHCP network entry, so hosts in it (including the dst-nat
# target 192.168.10.100) must be addressed statically.
/interface vlan
add interface=bridge name=vlan10-vm vlan-id=10
add interface=bridge name=vlan15-home vlan-id=15
add interface=bridge name=vlan20-nsfw vlan-id=20
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip pool
add name=dhcp-ethernet ranges=192.168.1.150-192.168.1.254
add name=dhcp-home ranges=192.168.15.150-192.168.15.254
add name=dhcp-nsfw ranges=192.168.20.150-192.168.20.254
# The 'ethernet' server listens on the bridge itself, i.e. it serves the
# untagged 192.168.1.0/24 network. There is no server for vlan10-vm.
/ip dhcp-server
add add-arp=yes address-pool=dhcp-ethernet interface=bridge name=ethernet
add add-arp=yes address-pool=dhcp-home interface=vlan15-home name=home
add add-arp=yes address-pool=dhcp-nsfw interface=vlan20-nsfw name=nsfw
# ZeroTier overlay. zerotier1 is added to the LAN list below, so peers on the
# ZeroTier network are treated exactly like local hosts by the input chain
# ("drop all not coming from LAN"), by the DNS resolver and by the
# MAC-server/MAC-Winbox allowed-interface-list. Review whether remote peers
# should have that much reach into the router.
/zerotier
set zt1 comment="ZeroTier Central controller - https://my.zerotier.com/" \
    identity=<CENSORED> name=zt1 \
    port=9993
/zerotier interface
add allow-default=no allow-global=no allow-managed=yes disabled=no instance=\
    zt1 name=zerotier1 network=<CENSORED>
# Bridge ports. ether8 has pvid=20, making it an untagged access port for the
# nsfw VLAN. ether3-5 and sfp-sfpplus1 appear in no '/interface bridge vlan'
# entry, so they only carry the bridge's default untagged VLAN (the
# 192.168.1.0/24 network).
# The last three entries add the bridge's own VLAN sub-interfaces back into
# the bridge as ports; the reply in this thread ((1)b) says these are wrong
# and should go — VLAN interfaces are not ports.
/interface bridge port
add bridge=bridge comment=defconf interface=ether2
add bridge=bridge comment=defconf interface=ether3
add bridge=bridge comment=defconf interface=ether4
add bridge=bridge comment=defconf interface=ether5
add bridge=bridge comment=defconf interface=ether6
add bridge=bridge comment=defconf interface=ether7
add bridge=bridge comment=defconf interface=ether8 pvid=20
add bridge=bridge comment=defconf interface=sfp-sfpplus1
add bridge=bridge interface=vlan10-vm
add bridge=bridge interface=vlan15-home
add bridge=bridge interface=vlan20-nsfw
/ip neighbor discovery-settings
set discover-interface-list=LAN
/ip settings
set max-neighbor-entries=8192
/ipv6 settings
set max-neighbor-entries=8192
# VLAN table: bridge, ether2, ether6 and ether7 are tagged members of all
# three VLANs (the bridge itself must be tagged so the routed vlanXX
# interfaces see the traffic); only VLAN 20 has an untagged member (ether8).
/interface bridge vlan
add bridge=bridge tagged=bridge,ether6,ether7,ether2 untagged=ether8 \
    vlan-ids=20
add bridge=bridge tagged=bridge,ether6,ether7,ether2 vlan-ids=15
add bridge=bridge tagged=bridge,ether6,ether7,ether2 vlan-ids=10
# detect-internet probes every interface (detect-interface-list=all); the
# thread reply (2) suggests setting this to none unless it is really needed.
/interface detect-internet
set detect-interface-list=all internet-interface-list=WAN lan-interface-list=\
    LAN wan-interface-list=WAN
# LAN list membership is what the input chain, the DNS resolver and the
# MAC-server settings key on. Both 'bridge' (untagged network) and
# 'zerotier1' are LAN here. The thread reply (3) suggests removing the
# bridge entry; that only works once no address remains on the bridge
# itself, otherwise the 192.168.1.0/24 hosts lose router access.
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=ether1 list=WAN
add interface=zerotier1 list=LAN
add interface=vlan15-home list=LAN
add interface=vlan20-nsfw list=LAN
add interface=pppoe-out1 list=WAN
add interface=vlan10-vm list=LAN
# OVPN server HMAC list still permits md5. The export does not show the
# server enabled; if it is ever turned on, drop md5 from this list.
/interface ovpn-server server
set auth=sha1,md5
# 192.168.1.1/24 sits on the bridge itself (the untagged VLAN); the other
# three networks are on the VLAN sub-interfaces. The thread reply (4)
# proposes moving this address onto vlan10-vm; note vlan10-vm already carries
# 192.168.10.1/24, so decide which network the VM VLAN should actually use.
/ip address
add address=192.168.1.1/24 comment=defconf interface=bridge network=\
    192.168.1.0
add address=192.168.10.1/24 interface=vlan10-vm network=192.168.10.0
add address=192.168.15.1/24 interface=vlan15-home network=192.168.15.0
add address=192.168.20.1/24 interface=vlan20-nsfw network=192.168.20.0
/ip dhcp-client
add comment=defconf disabled=yes interface=ether1
# DHCP networks exist for the bridge, vlan15 and vlan20 subnets only; there
# is none for 192.168.10.0/24 (vlan10-vm).
/ip dhcp-server network
add address=192.168.1.0/24 comment=defconf dns-server=192.168.1.1 gateway=\
    192.168.1.1 netmask=24
add address=192.168.15.0/24 dns-server=192.168.15.1 gateway=192.168.15.1
add address=192.168.20.0/24 dns-server=192.168.20.1 gateway=192.168.20.1
# allow-remote-requests=yes makes the router answer DNS for any source; only
# the input-chain "drop all not coming from LAN" rule keeps it from being an
# open resolver towards pppoe-out1/ether1. Keep an equivalent rule if the
# input chain is reorganised as the thread reply (5) suggests.
/ip dns
set allow-remote-requests=yes servers=1.1.1.1,8.8.8.8,9.9.9.9
/ip dns static
add address=192.168.1.1 comment=defconf name=router.lan
/ip firewall filter
# Custom nsfw-isolation rules, placed ahead of the defconf rules. Both match
# protocol=tcp only, so UDP, ICMP and any other protocol from vlan20-nsfw
# still reaches the router (input chain) and the other LAN-list interfaces
# (forward chain: bridge network, vlan10-vm, vlan15-home, zerotier1). The
# input rule also precedes the established/related accept, so every TCP
# segment from vlan20 to the router is dropped, while UDP DNS to
# 192.168.20.1 (the resolver handed out by DHCP) keeps working.
add action=drop chain=input in-interface=vlan20-nsfw protocol=tcp
add action=drop chain=forward connection-state=!established,related \
    in-interface=vlan20-nsfw out-interface-list=LAN protocol=tcp
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
# Deviates from defconf by adding in-interface-list=LAN: ICMP arriving on the
# WAN side falls through to the "drop all not coming from LAN" rule below.
# The thread reply (6) questions this.
add action=accept chain=input comment="defconf: accept ICMP" \
    in-interface-list=LAN protocol=icmp
add action=accept chain=input comment=\
    "defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
# This is the only rule protecting router services (DNS, Winbox, etc.) from
# the WAN side; everything from a LAN-list interface (incl. zerotier1) is
# implicitly accepted because the input chain has no final drop.
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
    in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
    ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
    ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
    connection-state=established,related hw-offload=yes
add action=accept chain=forward comment=\
    "defconf: accept established,related, untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
# The forward chain has no final drop: anything not matched above is
# accepted, including new dst-nat'ed connections from WAN, because this last
# rule drops only WAN traffic that was NOT dst-nat'ed. The thread reply (7)
# proposes an explicit allow-dstnat rule followed by a drop-all-else rule.
add action=drop chain=forward comment=\
    "defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
    connection-state=new in-interface-list=WAN
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" \
    ipsec-policy=out,none out-interface-list=WAN
# The dst-nat rule matches on protocol and dst-port only — no
# in-interface-list=WAN and no dst-address — so it fires for TCP/48552
# arriving on ANY interface, including traffic from the LAN VLANs to any
# destination on that port. Add the WAN-side match (thread reply (8)).
# There is also no hairpin (srcnat) rule for LAN clients that reach the
# forwarded service via the public address.
add action=dst-nat chain=dstnat dst-port=48552 protocol=tcp to-addresses=\
    192.168.10.100 to-ports=48552
/ipv6 firewall address-list
add address=::/128 comment="defconf: unspecified address" list=bad_ipv6
add address=::1/128 comment="defconf: lo" list=bad_ipv6
add address=fec0::/10 comment="defconf: site-local" list=bad_ipv6
add address=::ffff:0.0.0.0/96 comment="defconf: ipv4-mapped" list=bad_ipv6
add address=::/96 comment="defconf: ipv4 compat" list=bad_ipv6
add address=100::/64 comment="defconf: discard only " list=bad_ipv6
add address=2001:db8::/32 comment="defconf: documentation" list=bad_ipv6
add address=2001:10::/28 comment="defconf: ORCHID" list=bad_ipv6
add address=3ffe::/16 comment="defconf: 6bone" list=bad_ipv6
# Stock defconf IPv6 firewall. This export shows no IPv6 addressing; if IPv6
# is later enabled on pppoe-out1, these rules together with the LAN list
# membership above are what gate it.
/ipv6 firewall filter
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=accept chain=input comment="defconf: accept ICMPv6" protocol=\
    icmpv6
add action=accept chain=input comment="defconf: accept UDP traceroute" port=\
    33434-33534 protocol=udp
add action=accept chain=input comment=\
    "defconf: accept DHCPv6-Client prefix delegation." dst-port=546 protocol=\
    udp src-address=fe80::/10
add action=accept chain=input comment="defconf: accept IKE" dst-port=500,4500 \
    protocol=udp
add action=accept chain=input comment="defconf: accept ipsec AH" protocol=\
    ipsec-ah
add action=accept chain=input comment="defconf: accept ipsec ESP" protocol=\
    ipsec-esp
add action=accept chain=input comment=\
    "defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=input comment=\
    "defconf: drop everything else not coming from LAN" in-interface-list=\
    !LAN
add action=accept chain=forward comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
add action=drop chain=forward comment=\
    "defconf: drop packets with bad src ipv6" src-address-list=bad_ipv6
add action=drop chain=forward comment=\
    "defconf: drop packets with bad dst ipv6" dst-address-list=bad_ipv6
add action=drop chain=forward comment="defconf: rfc4890 drop hop-limit=1" \
    hop-limit=equal:1 protocol=icmpv6
add action=accept chain=forward comment="defconf: accept ICMPv6" protocol=\
    icmpv6
add action=accept chain=forward comment="defconf: accept HIP" protocol=139
add action=accept chain=forward comment="defconf: accept IKE" dst-port=\
    500,4500 protocol=udp
add action=accept chain=forward comment="defconf: accept ipsec AH" protocol=\
    ipsec-ah
add action=accept chain=forward comment="defconf: accept ipsec ESP" protocol=\
    ipsec-esp
add action=accept chain=forward comment=\
    "defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=forward comment=\
    "defconf: drop everything else not coming from LAN" in-interface-list=\
    !LAN
/system clock
set time-zone-name=Europe/Bucharest
/system routerboard settings
set cpu-frequency=1400MHz
# MAC-telnet and MAC-Winbox are reachable from every LAN-list interface,
# which includes zerotier1 as configured above.
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN

Disabling the following rules does not make any difference:

add action=drop chain=input in-interface=vlan20-nsfw protocol=tcp
add action=drop chain=forward connection-state=!established,related \
    in-interface=vlan20-nsfw out-interface-list=LAN protocol=tcp

Any help is appreciated :slight_smile: !

(1) BRIDGE PORT SETTING ISSUES.

a. So ports 2-7 and sfp1 are all TRUNK PORTS (going to devices that can read VLAN tags — smart devices)?
b. WRONG: VLAN interfaces are not ports (ether ports and wlans qualify):
add bridge=bridge interface=vlan10-vm
add bridge=bridge interface=vlan15-home
add bridge=bridge interface=vlan20-nsfw

(2) Unless it is necessary for some reason, I suggest setting this to none; it has been known in the past to cause issues.
/interface detect-internet
set detect-interface-list=all internet-interface-list=WAN lan-interface-list=
LAN wan-interface-list=WAN

(3) For interface list members, remove the interface=bridge list=LAN entry; it is not required.
All the VLANs are identified, which is what you need.

(4) You are confused, mixing the pre-VLAN setup with the VLAN SETUP.
vlan10-vm has to be completed: remove the 192.168.1 addressing from the bridge and move it to vlan10-vm.
FROM
/ip address
add address=192.168.1.1/24 comment=defconf interface=bridge network=
192.168.1.0
TO
/ip address
add address=192.168.1.1/24 comment=defconf interface=vlan10-vm network=
192.168.1.0

(5) Firewall rules need work: get organized, with the input chain rules grouped together and then the forward chain rules together.

/ip firewall filter
add action=drop chain=input in-interface=vlan20-nsfw protocol=tcp ( WHY IS THIS RULE HERE??)
add action=drop chain=forward connection-state=!established,related \ (WHY IS THIS RULE HERE??)
in-interface=vlan20-nsfw out-interface-list=LAN protocol=tcp

In both cases, it is better to include a drop rule at the end of the input chain (and likewise the forward chain):
add chain=input action=drop
add chain=forward action=drop

BUT FIRST, and prior to the drop rule on the input chain, ensure you have an accept rule that keeps your admin access to the router, or you will lock yourself out:
add chain=input action=accept in-interface=vlan (as appropriate, or in-interface-list=LAN) src-address=IP-of-admin-pc (or src-address-list=Authorized, where Authorized is a firewall address list of approved IPs: admin desktop, laptop, iPad, smartphone, etc.)
THEN
You will need to add accept rules, prior to the drop rule, for the router services that LAN devices need, such as DNS:
add chain=input action=accept protocol=tcp dst-port=53 in-interface-list=LAN
add chain=input action=accept protocol=udp dst-port=53 in-interface-list=LAN

(6) Also, I am not sure why you added in-interface-list=LAN to the default ICMP rule:
add action=accept chain=input comment="defconf: accept ICMP" \ (WHY DO you not allow WAN side ICMP???)
in-interface-list=LAN protocol=icmp

(7) Similar to the input chain, just add a drop rule as the last rule of the forward chain.
To do this you can replace the existing last rule with the following three rules:

add action=accept chain=forward in-interface-list=LAN out-interface-list=WAN comment="allow internet traffic"
add action=accept chain=forward comment="allow port forwarding" connection-nat-state=dstnat
add action=drop chain=forward comment="drop all else"

(8) THE DST-NAT RULE IS MISSING information:
add action=dst-nat chain=dstnat dst-port=48552 protocol=tcp to-addresses=
192.168.10.100 to-ports=48552

Where is the source or destination match?
READ THIS SOURCE HERE:
https://forum.mikrotik.com/viewtopic.php?t=179343

@anav - thank you for your reply. I will take a look at all the improvements.

For the moment I was able to fix the issue with just a reboot. I was lazy and created the forwarding rule using the port-mapping feature in Quick Set from WinBox. I will use the rule from the MikroTik docs next time.

What I have is an RB5009 with two Nano HD access points and two Wi-Fi networks, both tagged to the APs. I want to block one of the Wi-Fi networks (nsfw.lan) from accessing all the other VLANs. I also have an Intel NUC with Proxmox and I want to put the VMs in a separate VLAN.

Yeah, a network diagram would help to understand what is being attempted.