Problem on 6.37.5 version

pamir199191 · February 21, 2019, 6:13am

Good day,
When I turned on the input and output rules on firewall, the ipsec
clients cant connect with proxy on port 3128 to any sites. Proxy is on Lan interface of MikroTik. Ping is going, port 3128 is responding too, but sites are not opened. After disabling input and output filters with drop action, it is working fine.

The proxy traffic is depends to forward rules, why input output rules
are blocked him? Is it any bug? Can you suggest me please any stable
version at the moment?

Also please see the input and output traffic from logs (Screenshot 1).
1.155.2.155 - MikroTik WAN-IP
192.168.43.252 - Branch user IP over IPSec
192.168.207.2 - Branch user IP over IPSec

See forward traffic from client to proxy and vice versa. (Screenshot 2)
1.1.1.1 Proxy Server IP
192.168.37.5 Branch user IP over IPSec

anav · February 21, 2019, 4:09pm

Please post config
/export hide-sensitive file=yourconfig

not even clear what the topology is or what device you are talking about.
also why are you so far behind in firmware updates?

pamir199191 · February 22, 2019, 3:51am

I upgraded to 6.40.6 with 6.41 firmware. The problem is the same.
Topology on screenshot 2.

After activating the input and output drop rules rules, proxy sites are not opened.

0 ;;; IPSec rule on WAN
chain=input action=accept src-address=1.1.1.2 dst-address=1.1.1.1 log=no log-prefix=“”

1 chain=output action=accept src-address=1.1.1.1 dst-address=1.1.1.2 log=no log-prefix=“”

2 ;;; Access to Proxy Server
chain=forward action=accept src-address=2.2.2.1 dst-address=5.5.5.2 log=no log-prefix=“”

3 chain=forward action=accept src-address=5.5.5.2 dst-address=2.2.2.1 log=no log-prefix=“”

4 chain=input action=drop log=no log-prefix=“”

5 chain=output action=drop log=no log-prefix=“”

6 chain=forward action=drop log=no log-prefix=“”

Topology
Screenshot 3.png

BartoszP · February 22, 2019, 7:48pm

Do you really use these public IPs in your configuration?

pamir199191 · February 25, 2019, 3:01am

No, there are uses other ips.

pamir199191 · February 25, 2019, 8:56am

After creating output filter rule from 2.2.2.2 to 2.2.2.1 on MikroTik CCR1036 it is working.

From 5.5.5.2 to 2.2.2.1 after the above filter rule adding, it is now working.

As you know the traffic is depend on forward filter rule from 5.5.5.2 to 2.2.2.1 on MikroTik CCR1036, but without output rule it is not working. Why? Is it bug?