Long time since I did Mikrotik configuration, and setting up a router/firewall is now a bit challenging.
I have a 951 unit set up as a router between a fiber WAN and a LAN with PCs, printers and 3 "servers" that should be reached from the WAN side by using MSTSC (Microsoft Terminal Service Client, normally using port 3389).
All servers have IP-addresses that are reserved in the DHCP server in the Mikrotik unit.
To reach the different servers, I want to access them from the outside by using the public IP:port (where port is 3387, 3388 or 3389). The firewall is configured to forward port 3387 to local-ip1:3389, port 3388 to local-ip2:3389 and port 3389 to local-ip3:3389.
For some reason I’m not able to reach any of these servers from the outside.
I also tried to configure winbox access to the router from the WAN side, but this doesn't work either. Seems like I've set up the firewall incorrectly.
Have attached an edited configuration that shows the firewall settings + some more. Hope someone can help find the problem (and a solution).
Thanks!
-Olaf
Attachment: router.txt (3.28 KB)
Any reason why you are still on 6.42.6? Ever considered upgrading to the latest 6.49.7?
Are you SURE your device is directly accessible from outside? No other ISP device in between which might filter things?
From what I can see, it should work (to be safer you could add in-interface-list=WAN to those dst-nat rules and the rule for allowing Winbox)
So I’d double check on that external accessibility.
PS remove serial number from export when posting.
Not that it will directly hurt but it’s better to avoid bad guys trying to bombard your device from the outside if you ever activate IP cloud since then they will find you.
Thanks for your response!
Had to set up the router in a hurry, and found an old unit on the shelf… Will upgrade the OS as soon as I get physical access to the router.
The fiber company say that their unit is in bridge mode (double checked), and I got a fixed, public IP, a gateway IP, a netmask and DNS-server IPs from them.
Access to external services from the PCs in the LAN (browsing and email) works well.
What puzzles me is that not even Winbox works. I also kept the http access enabled, but no response from the 951G when trying this access.
Need to double check with the fiber company if there are any "hidden features" that they didn't tell me about...
-Olaf
I highly recommend changing your firewall concept. You’re kinda mixing accept and drop rules. Remember that any packet that makes it to the end of a chain is accepted. Suggest accept what specifically is desired and drop everything else with these two rules (at the end of the appropriate chain):
add action=drop chain=input comment=\
"Drop any other input packets that get this far"
--and--
add action=drop chain=forward comment=\
"Drop any forward packets that get this far"
You are not able to get to the router from the WAN because there is no way to establish a NEW connection from the WAN on port 8291. See these two rules:
add action=accept chain=input comment="Accept Winbox" connection-state=\
established,related,untracked dst-port=8291 log=yes protocol=tcp
--and--
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
in-interface-list=!LAN
The accept does not include NEW, and the drop rule will drop the NEW packet before the Input chain ends.
These are completely unneeded. The MSTSC is going to things other than the router, so it will be in the Forward chain.
Thanks for your response!!
Seems like I need to update my router config skills quite a bit…
Have tried to implement your suggestions. Does this seem better? (Will not be able to test before doing the changes at the customer's site next week...)
-Olaf
/ip firewall filter
add action=accept chain=input comment=\
"defconf: accept established,related,untracked" connection-state=\
new,established,related,untracked log=yes
add action=accept chain=input comment="Accept Winbox" connection-state=\
new,established,related,untracked dst-port=8291 log=yes protocol=tcp
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
invalid
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
in-interface-list=!LAN
A short update.
I changed the firewall rules according to the previous post, and accessing the winbox from external sites now works.
Access via mstsc to 3 different internal addresses also works OK.
When looking at a default firewall setup, I notice that there is no "new" state in the Input chain. Will it be wrong to have the "new" state in addition to the factory default "established", "related" and "untracked"? Is the "new" state needed in any way?
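The earlier reply explains that a NEW Winbox packet from the WAN is dropped by the "drop all not coming from LAN" rule before the input chain ends, and that anything falling off the end of a chain is accepted; the post above asks whether "new" belongs in the general accept rule at all. The following is an added illustration, not a reply from the thread and not MikroTik code: a small Python simulation of first-match chain evaluation (with RouterOS's implicit accept at end of chain) run over three rule sets: the two rules quoted in the reply, the revised chain posted above, and a constructed chain that follows the reply's advice (accept only what is wanted, "new" only on the Winbox rule, explicit catch-all drop). The interface names `ether1`/`bridge`, the interface-list membership, the `Packet`/`Rule` classes and the sample packets are all assumptions made for the example.

```python
"""First-match simulation of a RouterOS-style input filter chain (added example).

Rules are checked top to bottom; the first match decides. A packet that reaches
the end of a chain without matching is accepted, which is RouterOS behaviour.
Interface names, list membership and packets below are constructed for the
illustration, not taken from the thread's export.
"""
from dataclasses import dataclass, field
from typing import List, Optional, Set, Tuple

# Assumed interface-list membership: the fiber uplink is ether1, the LAN is the bridge.
INTERFACE_LISTS = {"LAN": {"bridge"}, "WAN": {"ether1"}}


@dataclass
class Packet:
    in_iface: str            # interface the packet arrived on
    protocol: str            # "tcp", "udp" or "icmp"
    dst_port: Optional[int]  # None for ICMP
    conn_state: str          # new, established, related, untracked or invalid


@dataclass
class Rule:
    action: str                                              # "accept" or "drop"
    comment: str = ""
    connection_state: Set[str] = field(default_factory=set)  # empty set = any state
    protocol: Optional[str] = None
    dst_port: Optional[int] = None
    in_interface_list: Optional[str] = None                  # "LAN", "WAN" or negated "!LAN"


def rule_matches(rule: Rule, pkt: Packet) -> bool:
    """Every matcher present on the rule must agree with the packet."""
    if rule.connection_state and pkt.conn_state not in rule.connection_state:
        return False
    if rule.protocol is not None and rule.protocol != pkt.protocol:
        return False
    if rule.dst_port is not None and rule.dst_port != pkt.dst_port:
        return False
    if rule.in_interface_list is not None:
        negated = rule.in_interface_list.startswith("!")
        members = INTERFACE_LISTS[rule.in_interface_list.lstrip("!")]
        if (pkt.in_iface in members) == negated:   # "!LAN" matches non-members only
            return False
    return True


def evaluate(chain: List[Rule], pkt: Packet) -> Tuple[str, str]:
    """Return (action, rule comment) of the first matching rule, or the implicit accept."""
    for rule in chain:
        if rule_matches(rule, pkt):
            return rule.action, rule.comment
    return "accept", "end of chain: RouterOS implicit accept"


ESTABLISHED = {"established", "related", "untracked"}

CHAINS = {
    # The two rules quoted in the reply: Winbox accept without "new", then drop !LAN.
    "original": [
        Rule("accept", "Accept Winbox", ESTABLISHED, "tcp", 8291),
        Rule("drop", "defconf: drop all not coming from LAN", in_interface_list="!LAN"),
    ],
    # The revised chain posted in the thread: "new" added to the general accept too.
    "revised": [
        Rule("accept", "defconf: accept established,related,untracked", ESTABLISHED | {"new"}),
        Rule("accept", "Accept Winbox", ESTABLISHED | {"new"}, "tcp", 8291),
        Rule("accept", "defconf: accept ICMP", protocol="icmp"),
        Rule("drop", "defconf: drop invalid", {"invalid"}),
        Rule("drop", "defconf: drop all not coming from LAN", in_interface_list="!LAN"),
    ],
    # Constructed chain following the reply's advice: accept only what is wanted
    # ("new" only on the Winbox rule), then an explicit catch-all drop.
    "explicit": [
        Rule("accept", "accept established,related,untracked", ESTABLISHED),
        Rule("accept", "Accept Winbox", ESTABLISHED | {"new"}, "tcp", 8291),
        Rule("accept", "accept ICMP", protocol="icmp"),
        Rule("drop", "drop invalid", {"invalid"}),
        Rule("accept", "accept management from LAN", in_interface_list="LAN"),
        Rule("drop", "Drop any other input packets that get this far"),
    ],
}

# Constructed test packets: a fresh Winbox connection from the fiber side, a fresh
# connection from the fiber side to some other router service, and a LAN client.
WAN_WINBOX_NEW = Packet("ether1", "tcp", 8291, "new")
WAN_OTHER_NEW = Packet("ether1", "tcp", 22, "new")
LAN_NEW = Packet("bridge", "tcp", 22, "new")


def decide(chain_name: str, pkt: Packet) -> str:
    """Verdict ("accept"/"drop") of the named chain for one packet."""
    return evaluate(CHAINS[chain_name], pkt)[0]


if __name__ == "__main__":
    for name in CHAINS:
        for label, pkt in (("WAN->8291 new", WAN_WINBOX_NEW),
                           ("WAN->22 new", WAN_OTHER_NEW),
                           ("LAN->22 new", LAN_NEW)):
            action, why = evaluate(CHAINS[name], pkt)
            print(f"{name:9} {label:14} {action:6} ({why})")
```

Running it shows the two effects the thread turns on: in the "original" chain the WAN Winbox packet is dropped by the !LAN rule, while in the "revised" chain every NEW packet from the WAN, to port 8291 or to any other port, is accepted by the first rule before the drop rule is ever consulted. The "explicit" chain keeps "new" on the Winbox rule only, so the Winbox packet is accepted and the other WAN packet reaches the catch-all drop. The same evaluator can be pointed at a forward chain by adding a dst-address matcher to `Rule`.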