Port is filtered, how to find out where

Hi!
Having win server 2019 with kaspersky server on it. The server is accessible with other services like rdp or smb inside 192.168.0.1/24 network, but not on the 13000 kaspersky port (ie. can’t even telnet to it), nmap shows port is filtered, and there’s nothing in windows firewall logs with enabled packet drop logging, so I decided this is mikrotik filtering. But how can I find which rule exactly filters? Only need kaspersky to be accessed inside internal network. Can provide any information needed.

"so I decided this is mikrotik filtering" I understand that if you don’t find it in one place, you start looking in another place (certainly if you see that other place as a black box).

I see no indication in your description for the Mikrotik to filter port 13000 if it is not in your firewall rules. Even more: “Only need kaspersky to be accessed inside internal network”: is that traffic passing over the Mikrotik? "nmap shows port is filtered" means unreachable, no?

RouterOS has the tools to investigate:
What is TORCH telling you about traffic over the interfaces involved? Do you see the session to port 13000?
Use sniffer and Wireshark to dig deeper.

There are already some rules in firewall added by another person and I’m not sure if any of these can filter the port.

I thought filtered means there’s a service that doesn’t want incoming connections. Netstat in Windows shows the port is listening and a local connection is also OK. The server is connected straight to this Mikrotik, so I assume packets definitely pass it. Torch shows no connection, if I’m trying right: just tried to set port 13000 and started it.

Upd
That’s what Wireshark says, when trying to connect to 13000 port of Kaspersky:
124 65.035174 192.168.0.101 192.168.0.100 TCP 66 50297 → 13000 [SYN] Seq=0 Win=64240 Len=0 MSS=1460 WS=256 SACK_PERM=1
125 66.042763 192.168.0.101 192.168.0.100 TCP 66 [TCP Retransmission] 50297 → 13000 [SYN] Seq=0 Win=64240 Len=0 MSS=1460 WS=256 SACK_PERM=1
And three more times retransmission, then connection is over.
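The capture above shows the client's SYNs going out and never being answered, which is what "filtered" means to nmap: neither a SYN-ACK (open) nor a RST (closed) comes back. As an added example, not code from the thread, here is a small classifier that reads Wireshark-style summary lines and sorts each target port into open, closed or filtered. The capture it runs on is constructed: the first two lines are the ones posted above, the remaining lines are made up to show an open port (3389) and a refused port (14000) next to the dropped one.

```python
"""Classify TCP connection attempts from Wireshark summary lines.

Added example, not code from the thread. The capture below is constructed:
the first two lines are the ones posted above, the rest are invented to show
what an open and a refused port look like beside a silently dropped one.
"""
import re

# Wireshark summary row for TCP, e.g.
# 124 65.035174 192.168.0.101 192.168.0.100 TCP 66 50297 → 13000 [SYN] Seq=0 ...
SUMMARY = re.compile(
    r"^\s*\d+\s+[\d.]+\s+(?P<src>[\d.]+)\s+(?P<dst>[\d.]+)\s+TCP\s+\d+\s+"
    r"(?:\[TCP Retransmission\]\s+)?(?P<sport>\d+)\s+(?:→|->)\s+(?P<dport>\d+)\s+"
    r"\[(?P<flags>[^\]]+)\]"
)

# Constructed capture, taken on the client 192.168.0.101 (server is .100).
CAPTURE = """
124 65.035174 192.168.0.101 192.168.0.100 TCP 66 50297 → 13000 [SYN] Seq=0 Win=64240 Len=0 MSS=1460 WS=256 SACK_PERM=1
125 66.042763 192.168.0.101 192.168.0.100 TCP 66 [TCP Retransmission] 50297 → 13000 [SYN] Seq=0 Win=64240 Len=0 MSS=1460 WS=256 SACK_PERM=1
126 68.051002 192.168.0.101 192.168.0.100 TCP 66 [TCP Retransmission] 50297 → 13000 [SYN] Seq=0 Win=64240 Len=0 MSS=1460 WS=256 SACK_PERM=1
130 70.100000 192.168.0.101 192.168.0.100 TCP 66 50298 → 3389 [SYN] Seq=0 Win=64240 Len=0 MSS=1460 WS=256 SACK_PERM=1
131 70.100400 192.168.0.100 192.168.0.101 TCP 66 3389 → 50298 [SYN, ACK] Seq=0 Ack=1 Win=65535 Len=0 MSS=1460 WS=256 SACK_PERM=1
132 70.100500 192.168.0.101 192.168.0.100 TCP 54 50298 → 3389 [ACK] Seq=1 Ack=1 Win=525568 Len=0
140 72.000000 192.168.0.101 192.168.0.100 TCP 66 50299 → 14000 [SYN] Seq=0 Win=64240 Len=0 MSS=1460 WS=256 SACK_PERM=1
141 72.000300 192.168.0.100 192.168.0.101 TCP 54 14000 → 50299 [RST, ACK] Seq=1 Ack=1 Win=0 Len=0
""".strip().splitlines()


def parse_line(line):
    """Return src/dst/ports/flags for one summary row, or None if it is not TCP."""
    m = SUMMARY.match(line)
    if not m:
        return None
    row = m.groupdict()
    row["flags"] = {f.strip() for f in row["flags"].split(",")}
    return row


def classify(lines):
    """Map (server address, server port) to open / closed / filtered / pending."""
    flows = {}  # (client, cport, server, sport) -> counters
    for line in lines:
        p = parse_line(line)
        if p is None:
            continue
        fwd = (p["src"], p["sport"], p["dst"], p["dport"])
        rev = (p["dst"], p["dport"], p["src"], p["sport"])
        if fwd in flows:
            key, from_client = fwd, True
        elif rev in flows:
            key, from_client = rev, False
        elif p["flags"] == {"SYN"}:  # a bare SYN opens a new flow; its sender is the client
            key, from_client = fwd, True
            flows[key] = {"syn": 0, "synack": False, "rst": False}
        else:
            continue  # reply to a flow whose start we did not capture
        f = flows[key]
        if from_client and p["flags"] == {"SYN"}:
            f["syn"] += 1  # second and later SYNs are retransmissions
        if not from_client and {"SYN", "ACK"} <= p["flags"]:
            f["synack"] = True
        if not from_client and "RST" in p["flags"]:
            f["rst"] = True

    result = {}
    for (_client, _cport, server, sport), f in flows.items():
        if f["synack"]:
            verdict = "open"
        elif f["rst"]:
            verdict = "closed"
        elif f["syn"] > 1:
            verdict = "filtered"  # SYN retransmitted, nothing ever came back
        else:
            verdict = "pending"
        result[(server, int(sport))] = verdict
    return result


if __name__ == "__main__":
    for (server, port), verdict in sorted(classify(CAPTURE).items()):
        print(f"{server}:{port:<6} {verdict}")
```

A "filtered" verdict from a client-side capture only says that no answer arrived; it does not say where the SYN was lost. Taking the same capture on the server tells the two cases apart: if the SYN shows up there but nothing is sent back, the drop is on the host (firewall, NIC bridge, the service itself); if it never shows up, something in the path discarded it.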

This points in the direction of the Kaspersky server and SSL port connection problems. Administrative servers usually have filters of their own, allowing local access only, and requiring special settings and certificates (SSL?) if they are to be used remotely.
Kaspersky Lab Forum might be the first place to look for an answer. I see similar cases: https://forum.kaspersky.com/index.php?/topic/337987-connection-problem-administration-server-error-code-0x502-solved/

Also another thing I found is that on the DHCP server page, the assigned IP address has "waiting" status (though the server has a static IP itself). Can this affect the problem somehow?
upd: Also, the server has 2 NICs bridged in Windows under the 192.168.0.100 IP, if that can also affect the problem somehow.

Without posting your config, not even looking seriously at the thread.

Can you please tell me what exactly I should post?

Ah okay, sorry.

Go to the terminal window choice in winbox and post in the command
/export hide-sensitive file=anyname

Then go to your FILES choice in winbox and find the exported file and then download it to your desktop.
Then open it with notepad and cut and paste the contents here, but use the code brackets (to the right of Bold, Italic etc., the black square with white square brackets).

Before you hit the submit button make sure that you have removed your WAN IP or anything else you don't want to share.

Here it is

# mar/18/2020 08:30:25 by RouterOS 6.43
# software id = 6TTH-KAVK
#
# model = 2011iL
# serial number = 5BEC04B45E97
/interface bridge
add admin-mac=4C:5E:0C:EC:67:2C auto-mac=no fast-forward=no name=bridge-local
/interface ethernet
set [ find default-name=ether1 ] name=ether1-gateway speed=100Mbps
set [ find default-name=ether2 ] speed=100Mbps
set [ find default-name=ether3 ] speed=100Mbps
set [ find default-name=ether4 ] speed=100Mbps
set [ find default-name=ether5 ] speed=100Mbps
set [ find default-name=ether6 ] advertise=\
    10M-half,10M-full,100M-half,100M-full,1000M-half,1000M-full arp=proxy-arp \
    name=ether6-master-local
set [ find default-name=ether7 ] advertise=\
    10M-half,10M-full,100M-half,100M-full,1000M-half,1000M-full name=\
    ether7-slave-local
set [ find default-name=ether8 ] advertise=\
    10M-half,10M-full,100M-half,100M-full,1000M-half,1000M-full name=\
    ether8-slave-local
set [ find default-name=ether9 ] advertise=\
    10M-half,10M-full,100M-half,100M-full,1000M-half,1000M-full name=\
    ether9-slave-local
set [ find default-name=ether10 ] advertise=\
    10M-half,10M-full,100M-half,100M-full,1000M-half,1000M-full name=\
    ether10-slave-local
/interface list
add exclude=dynamic name=discover
add name=mactel
add name=mac-winbox
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip ipsec proposal
set [ find default=yes ] enc-algorithms=aes-128-cbc
/ip pool
add name=dhcp ranges=192.168.0.10-192.168.0.122
add name=vpn ranges=192.168.0.130-192.168.0.199
/ip dhcp-server
add address-pool=dhcp authoritative=after-2sec-delay disabled=no interface=\
    bridge-local name=default
/ppp profile
add change-tcp-mss=yes local-address=192.168.188.1 name=L2tp use-encryption=\
    yes
/snmp community
set [ find default=yes ] addresses=0.0.0.0/0
/interface bridge port
add bridge=bridge-local hw=no interface=ether2
add bridge=bridge-local hw=no interface=ether3
add bridge=bridge-local hw=no interface=ether4
add bridge=bridge-local hw=no interface=ether5
add bridge=bridge-local interface=ether6-master-local
add bridge=bridge-local interface=ether7-slave-local
add bridge=bridge-local interface=ether8-slave-local
add bridge=bridge-local interface=ether9-slave-local
add bridge=bridge-local interface=ether10-slave-local
/ip neighbor discovery-settings
set discover-interface-list=discover
/interface l2tp-server server
set authentication=mschap2 default-profile=default use-ipsec=yes
/interface list member
add interface=ether2 list=discover
add interface=ether3 list=discover
add interface=ether4 list=discover
add interface=ether5 list=discover
add interface=ether6-master-local list=discover
add interface=ether7-slave-local list=discover
add interface=ether8-slave-local list=discover
add interface=ether9-slave-local list=discover
add interface=ether10-slave-local list=discover
add interface=bridge-local list=discover
add interface=ether2 list=mactel
add interface=ether3 list=mactel
add interface=ether2 list=mac-winbox
add interface=ether4 list=mactel
add interface=ether3 list=mac-winbox
add interface=ether5 list=mactel
add interface=ether4 list=mac-winbox
add interface=ether6-master-local list=mactel
add interface=ether5 list=mac-winbox
add interface=ether7-slave-local list=mactel
add interface=ether6-master-local list=mac-winbox
add interface=ether8-slave-local list=mactel
add interface=ether7-slave-local list=mac-winbox
add interface=ether9-slave-local list=mactel
add interface=ether8-slave-local list=mac-winbox
add interface=ether10-slave-local list=mactel
add interface=ether9-slave-local list=mac-winbox
add interface=bridge-local list=mactel
add interface=ether10-slave-local list=mac-winbox
add interface=bridge-local list=mac-winbox
/interface pptp-server server
set enabled=yes
/ip address
add address=192.168.0.1/24 comment="default configuration" interface=\
    bridge-local network=192.168.0.0
add address=... interface=ether1-gateway network=...
add address=192.168.188.1/24 interface=bridge-local network=192.168.188.0
/ip dhcp-client
add comment="default configuration" dhcp-options=hostname,clientid interface=\
    ether1-gateway
/ip dhcp-server lease
add address=192.168.0.250 always-broadcast=yes client-id=1:4:18:d6:a8:90:b4 \
    mac-address=04:18:D6:A8:90:B4 server=default
add address=192.168.0.249 client-id=1:4:18:d6:a8:95:61 mac-address=\
    04:18:D6:A8:95:61 server=default
add address=192.168.0.55 client-id=1:1c:af:f7:6f:20:9d mac-address=\
    1C:AF:F7:6F:20:9D server=default
add address=192.168.0.22 client-id=1:0:16:e6:87:56:e mac-address=\
    00:16:E6:87:56:0E server=default
add address=192.168.0.106 always-broadcast=yes client-id=1:ac:22:b:26:32:8a \
    mac-address=AC:22:0B:26:32:8A server=default
add address=192.168.0.124 client-id=1:c8:60:0:e0:36:15 mac-address=\
    C8:60:00:E0:36:15 server=default
add address=192.168.0.16 always-broadcast=yes client-id=1:0:1e:58:46:26:16 \
    mac-address=00:1E:58:46:26:16 server=default
add address=192.168.0.30 always-broadcast=yes client-id=1:0:17:9a:c3:24:a \
    mac-address=00:17:9A:C3:24:0A server=default
add address=192.168.0.127 always-broadcast=yes client-id=1:0:19:66:92:37:c4 \
    mac-address=00:19:66:92:37:C4 server=default
add address=192.168.0.10 always-broadcast=yes client-id=1:50:46:5d:b6:9a:7a \
    mac-address=50:46:5D:B6:9A:7A server=default
add address=192.168.0.28 always-broadcast=yes client-id=1:0:21:85:62:f0:b5 \
    mac-address=00:21:85:62:F0:B5 server=default
add address=192.168.0.12 always-broadcast=yes client-id=1:fc:aa:14:31:f9:fd \
    mac-address=FC:AA:14:31:F9:FD server=default
add address=192.168.0.17 always-broadcast=yes client-id=1:78:24:af:89:fb:f5 \
    mac-address=78:24:AF:89:FB:F5 server=default
add address=192.168.0.111 client-id=1:ac:1f:6b:d9:86:0 mac-address=\
    AC:1F:6B:D9:86:00 server=default
add address=192.168.0.100 client-id=1:ac:1f:6b:d9:87:8e mac-address=\
    AC:1F:6B:D9:87:8E server=default
add address=192.168.0.48 client-id=1:0:16:e6:66:1d:6 mac-address=\
    00:16:E6:66:1D:06 server=default
/ip dhcp-server network
add address=192.168.0.0/24 comment="default configuration" dns-server=\
    ...,8.8.8.8 gateway=192.168.0.1 netmask=24 next-server=\
    192.168.0.100
/ip dns
set servers=...,8.8.8.8
/ip dns static
add address=192.168.0.1 name=router
/ip firewall filter
add action=log chain=forward log=yes port=13000 protocol=tcp
add action=accept chain=input disabled=yes dst-port=80 protocol=tcp
add action=add-src-to-address-list address-list=WHITE_LIST \
    address-list-timeout=10m chain=input in-interface=ether1-gateway \
    packet-size=277 protocol=icmp
add action=reject chain=forward out-interface=ether1-gateway reject-with=\
    icmp-network-unreachable src-address=192.168.188.230
add action=accept chain=input dst-port=1723 in-interface=ether1-gateway \
    protocol=tcp src-address=...
add action=accept chain=input dst-port=1701,500,4500 in-interface=\
    ether1-gateway log=yes log-prefix=L2tp protocol=udp
add action=accept chain=input in-interface=ether1-gateway log=yes log-prefix=\
    ipsec protocol=ipsec-esp
add action=accept chain=input dst-port=8088 in-interface=ether1-gateway \
    protocol=tcp
add action=accept chain=input comment="default configuration" protocol=icmp
add action=accept chain=input comment="default configuration" \
    connection-state=established,related
add action=drop chain=input comment="default configuration" in-interface=\
    ether1-gateway
add action=accept chain=forward comment="default configuration" \
    connection-state=established,related
add action=drop chain=forward comment="default configuration" \
    connection-state=invalid
add action=drop chain=forward comment="default configuration" \
    connection-nat-state=!dstnat connection-state=new in-interface=\
    ether1-gateway
add action=accept chain=forward src-address-list="192.168.0.0\\24"
/ip firewall nat
add action=masquerade chain=srcnat comment="default configuration" \
    out-interface=ether1-gateway
add action=dst-nat chain=dstnat dst-address=... dst-port=3389 \
    in-interface=ether1-gateway protocol=tcp src-address=... \
    to-addresses=192.168.0.100 to-ports=3389
add action=netmap chain=dstnat dst-port=8088 in-interface=ether1-gateway \
    protocol=tcp to-addresses=192.168.0.254 to-ports=8088
add action=netmap chain=dstnat dst-port=3389 in-interface=ether1-gateway \
    protocol=tcp src-address-list=WHITE_LIST to-addresses=192.168.0.254 \
    to-ports=3389
add action=netmap chain=dstnat disabled=yes dst-port=5900 in-interface=\
    ether1-gateway protocol=tcp to-addresses=192.168.188.230 to-ports=5900
/ip route
add distance=1 gateway=...
add distance=1 dst-address=192.168.163.0/24 gateway=192.168.255.2
add disabled=yes distance=1 dst-address=192.168.163.0/24 gateway=\
    192.168.0.252
/ip service
set telnet disabled=yes
set ftp disabled=yes
set www disabled=yes
set api disabled=yes
set api-ssl disabled=yes
/ppp secret
add disabled=yes local-address=192.168.0.1 name=vpn_omskaya profile=\
    default-encryption remote-address=192.168.0.252 service=pptp
add local-address=192.168.255.1 name=vpn_omskaya2 profile=default-encryption \
    remote-address=192.168.255.2 service=pptp
add name=l2tp_sysadm profile=L2tp remote-address=192.168.188.10 service=l2tp
/system clock
set time-zone-autodetect=no time-zone-name=Etc/GMT-5
/system identity
set name="PKF MikroTik"
/system ntp client
set enabled=yes primary-ntp=128.138.141.172
/system routerboard settings
set silent-boot=no
/tool mac-server
set allowed-interface-list=mactel
/tool mac-server mac-winbox
set allowed-interface-list=mac-winbox
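The original question was which rule, if any, filters port 13000. As an added example (not code from the thread or from MikroTik), the script below parses a RouterOS export (continuation lines, quoted values) and walks the /ip firewall filter chain the way RouterOS does: top to bottom, first matching rule with a terminating action decides, while `log` and `add-src-to-address-list` are pass-through. Its embedded EXPORT is a constructed extract containing only the filter section of the export above, and it evaluates two constructed packets: the LAN client's SYN to 192.168.0.100:13000, and the same SYN arriving from a made-up WAN address 203.0.113.5 on ether1-gateway. Matchers it does not understand (address lists, packet-size and so on) are reported as "unknown" rather than silently skipped.

```python
"""Which /ip firewall filter rule would see a given packet?

Added example, not the thread's or MikroTik's code. EXPORT is a constructed
extract of the posted config (filter section only); the two packets are
constructed. Only the matchers in EVALUATED are evaluated; a rule that uses
anything else is reported as "unknown" so it gets checked by hand.
"""
import ipaddress
import re

EXPORT = r'''
/ip firewall filter
add action=log chain=forward log=yes port=13000 protocol=tcp
add action=accept chain=input disabled=yes dst-port=80 protocol=tcp
add action=reject chain=forward out-interface=ether1-gateway reject-with=\
    icmp-network-unreachable src-address=192.168.188.230
add action=accept chain=forward comment="default configuration" \
    connection-state=established,related
add action=drop chain=forward comment="default configuration" \
    connection-state=invalid
add action=drop chain=forward comment="default configuration" \
    connection-nat-state=!dstnat connection-state=new in-interface=\
    ether1-gateway
add action=accept chain=forward src-address-list="192.168.0.0\\24"
/ip firewall nat
add action=masquerade chain=srcnat out-interface=ether1-gateway
'''

# key=value pairs; a value is either "quoted, may contain spaces" or a bare token
KV = re.compile(r'([\w-]+)=("(?:[^"\\]|\\.)*"|\S+)')

EVALUATED = {"protocol", "src-address", "dst-address", "src-port", "dst-port", "port",
             "in-interface", "out-interface", "connection-state", "connection-nat-state"}
IGNORED = {"action", "chain", "comment", "disabled", "log", "log-prefix", "reject-with"}
NON_TERMINATING = {"log", "add-src-to-address-list", "add-dst-to-address-list", "passthrough"}


def join_continuations(text):
    """Glue lines that RouterOS wrapped with a trailing backslash back together."""
    out, buf = [], ""
    for raw in text.splitlines():
        piece = raw.lstrip() if buf else raw
        if piece.endswith("\\"):
            buf += piece[:-1]
            continue
        out.append(buf + piece)
        buf = ""
    return out


def parse_filter_rules(export_text):
    """Return the 'add' rules of /ip firewall filter as dicts, in chain order."""
    rules, section = [], None
    for line in join_continuations(export_text):
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("/"):
            section = line
            continue
        if section == "/ip firewall filter" and line.startswith("add "):
            rules.append({k: v.strip('"') for k, v in KV.findall(line[4:])})
    return rules


def _value_hits(key, wanted, actual):
    if key.endswith("-address"):
        if "-" in wanted:  # RouterOS address range a.b.c.d-w.x.y.z
            lo, hi = (ipaddress.ip_address(x) for x in wanted.split("-"))
            return lo <= ipaddress.ip_address(actual) <= hi
        return ipaddress.ip_address(actual) in ipaddress.ip_network(wanted, strict=False)
    if key.endswith("-port") or key == "port":
        lo, _, hi = wanted.partition("-")
        return int(lo) <= int(actual) <= int(hi or lo)
    return wanted == actual


def matcher_hits(key, spec, pkt):
    """Evaluate one matcher: comma lists, ranges and leading '!' negation."""
    negate = spec.startswith("!")
    spec = spec.lstrip("!")
    actuals = [pkt["src-port"], pkt["dst-port"]] if key == "port" else [pkt[key]]
    hit = any(_value_hits(key, w, a) for w in spec.split(",") for a in actuals)
    return hit != negate


def evaluate(rules, pkt):
    """Walk the packet's chain; return the deciding action and a per-rule trace."""
    trace, unknown = [], []
    for i, rule in enumerate(rules):
        if rule.get("chain") != pkt["chain"] or rule.get("disabled") == "yes":
            continue
        unevaluated = [k for k in rule if k not in EVALUATED and k not in IGNORED]
        if unevaluated:
            unknown.append((i, unevaluated))
            trace.append((i, rule["action"], "unknown: " + ",".join(unevaluated)))
            continue
        hits = all(matcher_hits(k, v, pkt) for k, v in rule.items() if k in EVALUATED)
        trace.append((i, rule["action"], "match" if hits else "no match"))
        if hits and rule["action"] not in NON_TERMINATING:
            return {"verdict": rule["action"], "decided_by": i, "trace": trace, "unknown": unknown}
    return {"verdict": "default-accept", "decided_by": None, "trace": trace, "unknown": unknown}


# Constructed packets: the LAN client's SYN, and the same SYN from a made-up WAN host.
LAN_PACKET = {
    "chain": "forward", "protocol": "tcp",
    "src-address": "192.168.0.101", "dst-address": "192.168.0.100",
    "src-port": 50297, "dst-port": 13000,
    "in-interface": "bridge-local", "out-interface": "bridge-local",
    "connection-state": "new", "connection-nat-state": "",
}
WAN_PACKET = dict(LAN_PACKET, **{"src-address": "203.0.113.5", "in-interface": "ether1-gateway"})

if __name__ == "__main__":
    rules = parse_filter_rules(EXPORT)
    for name, pkt in (("LAN", LAN_PACKET), ("WAN", WAN_PACKET)):
        res = evaluate(rules, pkt)
        print(name, "->", res["verdict"], "by rule", res["decided_by"])
        for entry in res["trace"]:
            print("   ", entry)
```

For the LAN packet the only rule that matches is the `action=log port=13000` rule, which does not terminate, and the chain ends without a drop; the last rule is reported as unknown because `src-address-list` refers to an address list the script cannot look up (and the value there looks like a CIDR pasted into a list-name field, which is worth a second look in its own right). The WAN packet stops at the default `drop` for new, non-dstnat connections from ether1-gateway. One caveat the script cannot express: two hosts on ports of the same bridge, in the same /24, exchange frames at the bridge level and only reach /ip firewall at all if `/interface bridge settings set use-ip-firewall=yes` is set, which the posted export does not do, so the forward chain is not where a LAN-to-LAN SYN would be lost.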

When you upgrade to the latest firmware and repost your config I will have a look.

That’s what I’ve discovered so far: if I break the bridge (which is switch independent), then the connection for any software is perfect on both interfaces. So now, if I return to the bridge again, what causes the problem? Should I set up LACP or whatever in Mikrotik to get it working, or is it some Windows failure?