RouterOS - No Firewall - Pure Router

Hello,

I am new to this community, so please excuse if this is an easy question.

I want to use the Mikrotik RouterOS platform as a pure routing platform, with no firewall capabilities. I am looking to route all IP traffic between two different subnets.

  • I have a virtual machine with two interfaces that have been correctly identified by the OS - ether1/ether2
  • I have properly assigned an IP address to each interface:
      ether1 - 192.168.210.101
      ether2 - 192.168.21.1
  • I have set up a default gateway under IP → Routes.

I am able to ping from machines to machines in the opposite subnet successfully in both directions (ether1 ↔ ether2)

I am able to pass traffic from ether1 to ether2.

My problem is that I cannot pass traffic back from ether2 to ether1. Whenever I try to do a connection, it times out, and when I do a port scan, my result is always “Filtered”.

As far as I can tell, the Firewall is disabled.

Can someone please provide me some instructions on how I can make this platform run as a pure router?

Thank you,
Mark.

Reading through the forums, I had seen someone ask for this output to help troubleshoot. I hope this helps.

[admin@MikroTik] > /export compact
# feb/15/2013 14:11:54 by RouterOS 6.0rc9
# software id = 1RJH-9XPL
#
/interface ethernet
set 0 speed=1Gbps
set 1 speed=1Gbps
/tool user-manager customer
add backup-allowed=yes disabled=no login=admin password="" paypal-accept-pending=
    paypal-secure-response=no permissions=owner signup-allowed=no time-zone=-00:0
/ip accounting
set account-local-traffic=yes enabled=yes
/ip address
add address=192.168.210.101/24 interface=ether1 network=192.168.210.0
add address=192.168.21.1/24 interface=ether2 network=192.168.21.0
/ip dns
set servers=192.168.210.110,192.168.210.111,192.168.21.118
/ip settings
set accept-redirects=yes tcp-syncookies=yes
/ip route
add check-gateway=ping distance=1 gateway=192.168.210.1
#error exporting /routing rip
/snmp
set enabled=yes trap-community=public
/system clock
set time-zone-name=America/New_York
/system ntp client
set enabled=yes primary-ntp=192.168.210.1
/tool graphing interface
add
/tool graphing queue
add
/tool graphing resource
add

Can you confirm that the devices in each subnet are using the Mikrotik as their default gateway?

You also almost certainly do not want accept-redirects on, so run:

/ip settings set accept-redirects=no

You actually don’t have a route at your router. Just your subnets.
(or is the 6.x config fooling me? It doesn't give the 0.0.0.0/0)

Thanks for taking the time to reply to my thread.

I have disabled redirects as per your advice. I was just trying it out to see if that was my issue when I did the configuration dump.

The default routes for the subnets seem to be created dynamically by RouterOS. I am seeing routes with the following syntax.

192.168.210.0/24 | ether1 reachable | 192.168.210.101
192.168.21.0/24 | ether2 reachable | 192.168.21.1

I seem to be routing packets just fine, because I can ping boxes from 192.168.21.0 and 192.168.210.0 subnets respectively and vice versa. Upon further testing, it looks like the RouterOS is treating ether2 as a WAN port still, as if it was a firewall.

As far as I can tell, the firewall is disabled, but the RouterOS is still “filtering” requests from the 192.168.21.0/24 subnet to the 192.168.210.0/24 subnet.

Is this expected behavior?

Look in the filters section of IP Firewall for entries in the forward chain. With no entries RouterOS will route anything to anywhere. I suspect that you have entries which are restricting the routing function. Also remember that the target must also know a route back to the ping originator. If there is not a default route to provide that return path then it needs to be an explicit route.

I went in through the terminal and did a dump of the filter section. I don’t see any rules listed.

[admin@MikroTik] /ip firewall filter> print 
Flags: X - disabled, I - invalid, D - dynamic 
[admin@MikroTik] /ip firewall filter>

And this is my routing table:

[admin@MikroTik] /ip route> print 
Flags: X - disabled, A - active, D - dynamic, C - connect, S - static, r - rip, b - bgp, o - ospf, m - mme, 
B - blackhole, U - unreachable, P - prohibit 
 #      DST-ADDRESS        PREF-SRC        GATEWAY            DISTANCE
 0 A S  0.0.0.0/0                          192.168.210.1             1
 1 ADC  192.168.21.0/24    192.168.21.1    ether2                    0
 2 ADC  192.168.210.0/24   192.168.210.101 ether1                    0
[admin@MikroTik] /ip route>

I can also ping from 21.0 subnet:

C:\Users\Administrator.TEST3\Desktop\PortQryV2>ping 192.168.210.121

Pinging 192.168.210.121 with 32 bytes of data:
Reply from 192.168.210.121: bytes=32 time<1ms TTL=126
Reply from 192.168.210.121: bytes=32 time<1ms TTL=127
Reply from 192.168.210.121: bytes=32 time<1ms TTL=126
Reply from 192.168.210.121: bytes=32 time<1ms TTL=127

Ping statistics for 192.168.210.121:
    Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
    Minimum = 0ms, Maximum = 0ms, Average = 0ms

but a port query fails to the same IP address

C:\Users\Administrator.TEST3\Desktop\PortQryV2>PortQry.exe -n scom02.test.domain -e 5723

Querying target system called:
 scom02.test.domain

Attempting to resolve name to IP address...
Name resolved to 192.168.210.121

querying...

TCP port 5723 (unknown service): FILTERED

C:\Users\Administrator.TEST3\Desktop\PortQryV2>

This is a mystery to me. :)

Does 192.168.210.121 have a firewall which could be blocking the traffic?

No… 192.168.210.121 is not running any kind of firewall software. Windows Firewall has been disabled by Group Policy.

Latest update, I have not tinkered with it much since the weekend, but I have noticed that communication is intermittent to the 210.0 subnet. On my continuous port scans, I am getting mostly filtered results, however I did get one “LISTENING” result. Weird thing is I had not made any configuration changes to the router, and was just doing one port scan after another, and eventually one got through.

I will have to continue to try and figure this one out.

This smells like a System Center issue…

Try using Torch in Winbox and look at ether1 (i.e. the interface on which the router reaches the host with port 5723). Click on all the option boxes including port and set the timeout to longer than the default 3 seconds - say 30 seconds.

Now try your ping test - you should see the ICMP traffic both tx and rx on Ether1. Now try your port test. If you see tx destined for port 5723 on the target and little/no rx then the problem is on the System Center side of things - the router is forwarding as expected.

Thank you again for your reply.

I think I figured out the source of my anguish, and it has nothing to do with RouterOS. It has to do with my firewall, which is a pfSense firewall.

I have all my hosts on the 192.168.210.x network pointed to pfSense as their default gateway. Instead of creating routes to the 192.168.21.x subnet on every host on the network, I created one default route back from the firewall. Once I took the firewall out of the picture by creating a route directly from the host, everything worked smoothly, and no ports were getting filtered.

On 192.168.210.121

route add 192.168.21.0 mask 255.255.255.0 192.168.210.101

THANK YOU to everyone on this forum for your support, I will now go and try and figure out what is going on with my firewall.
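The resolution above (replies leaving 192.168.210.121 via pfSense instead of via the MikroTik) and the earlier reminder that the target must know a route back to the originator can be made concrete with a small model. This is an added example, not code from the thread, MikroTik or pfSense. It reuses the addresses from the posts; the client address 192.168.21.50, the TCP source port, and a static route on pfSense for 192.168.21.0/24 via 192.168.210.101 are assumptions. The pfSense stand-in is simplified to a stateful filter that drops any TCP packet belonging to a flow whose SYN it never saw, while ICMP is left stateless; that simplification is chosen so the model reproduces what the thread reports (ping answers, TCP reported FILTERED), not because it is an exact description of pfSense.

```python
import ipaddress
from dataclasses import dataclass, replace

# Constructed model of the thread's topology (added example, not from the posts).
# Addresses are the thread's; the client IP, source port and pfSense route are assumed.

@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str       # "tcp" or "icmp"
    kind: str        # tcp: SYN / SYN-ACK / ACK ; icmp: echo / echo-reply
    sport: int = 0
    dport: int = 0
    ttl: int = 128   # Windows default initial TTL, as in the thread's ping output

class Node:
    """A host or router: local addresses plus a static routing table."""
    def __init__(self, name, addrs, routes, forwards=False):
        self.name, self.addrs, self.forwards = name, set(addrs), forwards
        # routes: (prefix, gateway or None); None means directly connected
        self.routes = [(ipaddress.ip_network(p), gw) for p, gw in routes]

    def next_hop(self, dst):
        """Longest-prefix match; returns the IP the packet is handed to next."""
        ip = ipaddress.ip_address(dst)
        matches = [(n, gw) for n, gw in self.routes if ip in n]
        if not matches:
            return None
        net, gw = max(matches, key=lambda m: m[0].prefixlen)
        return dst if gw is None else gw

    def filter(self, pkt):
        """Firewall hook for transit traffic: True = forward, False = drop."""
        return True

class StatefulFirewall(Node):
    """pfSense stand-in: TCP passes only if this box saw the flow's SYN.
    ICMP is stateless here (model assumption, see lead-in)."""
    def __init__(self, *a, **kw):
        super().__init__(*a, forwards=True, **kw)
        self.state = set()

    def filter(self, pkt):
        if pkt.proto != "tcp":
            return True
        fwd = (pkt.src, pkt.sport, pkt.dst, pkt.dport)
        rev = (pkt.dst, pkt.dport, pkt.src, pkt.sport)
        if pkt.kind == "SYN":
            self.state.add(fwd)
            return True
        return fwd in self.state or rev in self.state  # SYN-ACK with no state is dropped

class Network:
    def __init__(self, nodes):
        self.by_ip = {ip: n for n in nodes for ip in n.addrs}

    def deliver(self, pkt):
        """Walk the packet hop by hop. Returns (outcome, path, ttl on arrival)."""
        node, path = self.by_ip[pkt.src], [self.by_ip[pkt.src].name]
        for _ in range(16):                      # loop guard
            if pkt.dst in node.addrs:
                return "delivered", path, pkt.ttl
            if path[1:]:                         # transit hop, not the originator
                if not node.forwards:
                    return "dropped:not-a-router", path, pkt.ttl
                if not node.filter(pkt):
                    return "dropped:firewall", path, pkt.ttl
                pkt = replace(pkt, ttl=pkt.ttl - 1)
            nh = node.next_hop(pkt.dst)
            if nh is None or nh not in self.by_ip:
                return "dropped:no-route", path, pkt.ttl
            node = self.by_ip[nh]
            path.append(node.name)
        return "dropped:loop", path, pkt.ttl

def build(server_has_host_route):
    client = Node("client", ["192.168.21.50"],
                  [("192.168.21.0/24", None), ("0.0.0.0/0", "192.168.21.1")])
    mikrotik = Node("mikrotik", ["192.168.21.1", "192.168.210.101"],
                    [("192.168.21.0/24", None), ("192.168.210.0/24", None),
                     ("0.0.0.0/0", "192.168.210.1")], forwards=True)
    pfsense = StatefulFirewall("pfsense", ["192.168.210.1"],
                               [("192.168.210.0/24", None),
                                ("192.168.21.0/24", "192.168.210.101")])  # assumed static route
    server_routes = [("192.168.210.0/24", None), ("0.0.0.0/0", "192.168.210.1")]
    if server_has_host_route:   # the thread's fix: route add 192.168.21.0 mask 255.255.255.0 192.168.210.101
        server_routes.append(("192.168.21.0/24", "192.168.210.101"))
    server = Node("server", ["192.168.210.121"], server_routes)
    return Network([client, mikrotik, pfsense, server])

def tcp_connect(net, client="192.168.21.50", server="192.168.210.121", port=5723):
    """Three-way handshake. Returns ('LISTENING'|'FILTERED', list of per-packet paths)."""
    syn = Packet(client, server, "tcp", "SYN", sport=50000, dport=port)
    out, path, _ = net.deliver(syn)
    if out != "delivered":
        return "FILTERED", [path]
    out2, path2, _ = net.deliver(Packet(server, client, "tcp", "SYN-ACK", sport=port, dport=50000))
    if out2 != "delivered":
        return "FILTERED", [path, path2]
    out3, path3, _ = net.deliver(Packet(client, server, "tcp", "ACK", sport=50000, dport=port))
    return ("LISTENING" if out3 == "delivered" else "FILTERED"), [path, path2, path3]

def ping(net, client="192.168.21.50", server="192.168.210.121"):
    """Echo request/reply. Returns (reply delivered?, TTL the client sees on the reply)."""
    out, _, _ = net.deliver(Packet(client, server, "icmp", "echo"))
    if out != "delivered":
        return False, None
    out, _, ttl = net.deliver(Packet(server, client, "icmp", "echo-reply"))
    return (True, ttl) if out == "delivered" else (False, None)

if __name__ == "__main__":
    for fixed in (False, True):
        net = build(fixed)
        print("host route on server:", fixed, "| ping:", ping(net), "| tcp 5723:", tcp_connect(net))
```

Without the host route the SYN travels client -> mikrotik -> server and the SYN-ACK travels server -> pfsense, where it is dropped because pfSense never saw the SYN; the echo reply takes the same two-router return path and arrives with TTL 126. With the host route both directions go through the MikroTik only, the handshake completes, and the reply TTL is 127; those are the two TTL values in the thread's ping output. The MikroTik itself, having no filter rules, forwards everything either way, which is what the "pure router" request amounts to.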