Rookie Error - Lost management access while attempting to set up blackhole routing

jdub88 · October 17, 2020, 1:36pm

Hi All!

So, I seem to have broken something here on my hAP Lite My router is still passing traffic (via vpn) but I can’t access the management anymore. I initially followed the published nordvpn tutorial and my last goal is to ensure no traffic can pass when the VPN is down

I’d been following the guidance here: http://forum.mikrotik.com/t/blackhole-unreachable-with-ipsec-policies/131549/33 - I believe my config is using the source NAT method

The relevant bits of config:

/ip dns static
add address=192.168.100.1 name=router.lan

/ip firewall address-list
add address=192.168.100.0/24 list=local

/ip ipsec mode-config
add name=NordVPN responder=no src-address-list=local

/interface bridge
add name=blackhole

/ip route
add distance=1 gateway=blackhole routing-mark=via-vpn

And what broke things:

[admin@MikroTik] > /ip firewall mangle add action=mark-routing src-address-list=local new-routing-mark=via-vpn
chain: output

So, clearly I have misunderstood something. I guess I applied this to the wrong chain, and because my management IP is in the address list I want to NAT, I’ve screwed it up?

Regular traffic is passing through just fine.

What did I do wrong here?

Is there a way I can recover this, or do I need to factory reset? Thankfully, I ran export before applying!

Thanks!!

StubArea51 · October 17, 2020, 1:39pm

If you can plug into it locally, use mac-telnet with winbox which will bypass all L3 and login to the router

jdub88 · October 17, 2020, 3:58pm

Thanks for the fast response! I’ve not set up Winbox and figured it would probably be quicker to just wipe it and restore the config (which I also seemed to make a mess of, with duplicate configs etc when I was pasting my prior export..any best practice there appreciated!)

So, I am back to where I was, but I am still not sure why the blackhole config I added, stopped me getting access

PS - I have since learned about safe mode!!

jdub88 · October 17, 2020, 4:39pm

In case it helps, here is my sanitised export. My goals with the config here are pretty simple:

Route all traffic via VPN (working, all good)
Drop all traffic if the VPN fails/hangs/otherwise not available

Thanks

[admin@MikroTik] > export hide-sensitive  
# oct/17/2020 17:27:55 by RouterOS 6.47.4
# software id = MJL8-P3C1
#
# model = RB941-2nD
/interface bridge
add name=blackhole
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/ip ipsec mode-config
add name=NordVPN responder=no src-address-list=local
/ip ipsec policy group
add name=NordVPN
/ip ipsec profile
add enc-algorithm=aes-128 hash-algorithm=sha256 name=NordVPN
/ip ipsec peer
add address=xxxxx.nordvpn.com exchange-mode=ike2 name=NordVPN profile=NordVPN
/ip ipsec proposal
set [ find default=yes ] disabled=yes
add auth-algorithms=sha256 name=NordVPN
/ip pool
add name=dhcp ranges=192.168.100.10-192.168.100.254
/ip dhcp-server
add address-pool=dhcp disabled=no interface=bridge name=defconf
/interface bridge port
add bridge=bridge comment=defconf interface=ether2
add bridge=bridge comment=defconf interface=ether3
add bridge=bridge comment=defconf interface=ether4
add bridge=bridge comment=defconf interface=pwr-line1
add bridge=bridge comment=defconf interface=wlan1
/ip neighbor discovery-settings
set discover-interface-list=LAN
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=ether1 list=WAN
/ip address
add address=192.168.100.1/24 comment=defconf interface=ether2 network=192.168.100.0
/ip dhcp-client
add comment=defconf disabled=no interface=ether1
/ip dhcp-server network
add address=192.168.100.0/24 comment=defconf gateway=192.168.100.1
/ip dns
set allow-remote-requests=yes servers=8.8.8.8
/ip dns static
add address=192.168.100.1 comment=defconf name=router.lan
/ip firewall address-list
add address=192.168.100.0/24 list=local
/ip firewall filter
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment="defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=drop chain=input comment="defconf: drop all not coming from LAN" in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related disabled=yes
add action=accept chain=forward comment="defconf: accept established,related, untracked" connection-state=established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
add action=drop chain=forward comment="defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat connection-state=new in-interface-list=WAN
/ip firewall mangle
add action=mark-connection chain=forward ipsec-policy=out,ipsec new-connection-mark=ipsec
add action=mark-connection chain=forward ipsec-policy=in,ipsec new-connection-mark=ipsec
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" ipsec-policy=out,none out-interface-list=WAN
/ip ipsec identity
add auth-method=eap certificate="" eap-methods=eap-mschapv2 generate-policy=port-strict mode-config=NordVPN peer=NordVPN policy-template-group=NordVPN username=xxxxxxx
/ip ipsec policy
set 0 disabled=yes
add dst-address=0.0.0.0/0 group=NordVPN proposal=NordVPN src-address=0.0.0.0/0 template=yes
/ip route
add distance=1 gateway=blackhole routing-mark=via-vpn
[admin@MikroTik] >

sindy · October 17, 2020, 4:43pm

You’ve answered yourself already: because you’ve put the rule to mangle chain output, which handles packets sent by the router itself. As the router’s own IP address is also covered by the subnet you’ve set as address in the address-list, whatever the router wants to send anywhere, including your management laptop, also gets the routing-mark and gets sent nowhere via the blackhole interface. Place the rule to mangle chain prerouting where it belongs and you should be OK. Packets for the router (which also pass through chain prerouting) are not affected by any routing-mark, and packets from the router are not handled by prerouting.

jdub88 · October 17, 2020, 5:26pm

Fantastic, thankyou! I was tinkering with safe mode and it seemed to be OK with prerouting, but now I’ve committed the change and it works well. Plus now when the VPN drops and I try a new ping/new website it will fail and I see the traffic hitting the blackhole. I seem to recall in another thread, you suggested setting the blackhole route distance to 20. Any merit of doing that in this usecase?

Well, hopefully this will help someone else in the future. The best way to learn, is to break it first and then do it properly! (except in production, of course )

sindy · October 17, 2020, 5:42pm

Well, there’s a type=blackhole route, and there’s a route with gateway=bridge-interface-named-blackhole, and each of these is used with a different VPN type. The type=blackhole one with some high value of distance makes sense when the traffic is routed through a VPN using some other route, i.e. if the VPN provides a virtual interface (L2TP, SSTP, …); the one with gateway=bridge-interface-named-blackhole is necessary for bare IPsec which needs the traffic to be routed via some interface (no matter which one) so that the IPsec policy’s traffic selector could match it.

jdub88 · October 17, 2020, 7:02pm

Ah, got it! Thanks (once again) for the great help and info