Trying to get a basic configuration going

I spent three hours last night fiddling with my new RB750GL, trying to get it fully configured to replace my previous pfSense installation (an ALIX 2C3).
So far I’m very happy with the hardware (already ordered a RB250 switch), and am gradually getting used to the software and CLI interface.

My WAN IP (ether1) is a static, 173.11.229.165/29. Default gateway is .166.
My LAN IP (ether2) is 192.168.2.1/24, and I have clients on the “local” LAN. .100 through .150 is set up as a DHCP pool, and others are various static IPs.

Basic NAT is working fine so far. What I’m having trouble with is port forwarding. I spent three hours working on this last night and have googled until my fingers are blue, and figure it’s time to just ask.

I need to forward:
(external) 173.11.229.165 port 2222 to (internal) 192.168.2.15 port 22
(external) 173.11.229.165 port 9091 to (internal) 192.168.2.15 port 9091 (there’s no line for this in the config right now)

All clients on the “inside” should have unrestricted access through the NAT to the outside. Ping, DNS, IPsec, etc., should all work.

“/ip route print”:

 #      DST-ADDRESS        PREF-SRC        GATEWAY            DISTANCE
 0 A S  0.0.0.0/0                          173.11.229.166            1
 1 ADC  173.11.229.160/29  173.11.229.165  ether1                    0
 2 ADC  192.168.2.0/24     192.168.2.1     ether2                    0

“/ip firewall filter print”:

 0   ;;; accept established connection packets
     chain=input action=accept connection-state=established 
 1   ;;; accept related connection packets
     chain=input action=accept connection-state=related 
 2   ;;; drop invalid packets
     chain=input action=drop connection-state=invalid 
 3   ;;; Allow Broadcast Traffic
     chain=input action=accept dst-address-type=broadcast 
 4   ;;; jump to chain ICMP
     chain=input action=jump jump-target=ICMP protocol=icmp 
 5   ;;; jump to chain services
     chain=input action=jump jump-target=services 
 6   ;;; 0:0 and limit for 5pac/s
     chain=ICMP action=accept protocol=icmp icmp-options=0:0-255 limit=5,5 
 7   ;;; 3:3 and limit for 5pac/s
     chain=ICMP action=accept protocol=icmp icmp-options=3:3 limit=5,5 
 8   ;;; 3:4 and limit for 5pac/s
     chain=ICMP action=accept protocol=icmp icmp-options=3:4 limit=5,5 
 9   ;;; 8:0 and limit for 5pac/s
     chain=ICMP action=accept protocol=icmp icmp-options=8:0-255 limit=5,5 
10   ;;; 11:0 and limit for 5pac/s
     chain=ICMP action=accept protocol=icmp icmp-options=11:0-255 limit=5,5 
11   ;;; Drop everything else
     chain=ICMP action=drop protocol=icmp 
12   ;;; accept localhost
     chain=services action=accept dst-address=127.0.0.1 
     src-address-list=127.0.0.1 
13   ;;; allow DNS request
     chain=services action=accept protocol=tcp dst-port=53 
14   ;;; Allow DNS request
     chain=services action=accept protocol=udp dst-port=53 
15   ;;; UPnP
     chain=services action=accept protocol=udp dst-port=1900 
16   ;;; UPnP
     chain=services action=accept protocol=tcp dst-port=2828 
17   ;;; allow DHCP
     chain=services action=accept protocol=udp dst-port=67-68

“/ip firewall nat print”:

 0   chain=dstnat action=dst-nat to-addresses=192.168.2.15 to-ports=22 
     protocol=tcp dst-address-type=local dst-port=2222 
 1   chain=srcnat action=masquerade

I’ve figured out that I need to allow incoming TCP port 2222 in the “firewall filter” section before I can redirect it in the “firewall nat” section, but nothing seems to be working. Any general suggestions for improvements would be appreciated.

Thanks in advance.

Do you have any rules in your forward chain? I’m only seeing them for the input chain in the rules you posted.

Also I believe your NAT rule is wrong.

 0   chain=dstnat action=dst-nat to-addresses=192.168.2.15 to-ports=22 
     protocol=tcp dst-address-type=local dst-port=2222 

By the time dstnat happens, the address really is no longer a “local” one. Remove the dst-address-type and either use an in-interface or the public IP of the router as the dst-address. That should hopefully get the rule working.

Here is the packet flow for the relevant sections and chains:

  • packet comes into router WAN interface and is put into the prerouting mangle and filter chains. If you don’t drop the packet here it’ll move on further down this list. You’re not dropping the packet.
  • destination NAT happens and the packet is rewritten for a destination of 192.168.1.5.
  • the router checks whether the destination IP is an IP address on a router interface. Before destination NAT it would have been and the packet would have been put into the ‘input’ chain, but after destination NAT the destination is another host and not the router, so the packet is put into the ‘forward’ chain.

You don’t have any filters in the ‘forward’ or later chains, so the packet would be permitted. The router is NOT firewalling that traffic. If traffic isn’t making it to the host either your testing is wrong, or there’s something else wrong (host doesn’t know to talk back to the router, bad default routing, that kind of thing).

Thanks for the suggestions. It looks like I’ve got it working - at least my SSH forwarding from port 222x to 22 on whatever machine is functioning. The rest will have to wait until I can get home and test.

Here’s my current “/ip firewall export” - I’d appreciate any tuning, tips, or suggestions for putting things in a more efficient order. Thank you.

[admin@RB750GL] > /ip firewall export
# jul/20/2011 14:36:30 by RouterOS 5.5
# software id = P8II-RHY1
#
/ip firewall connection tracking
set enabled=yes generic-timeout=10m icmp-timeout=10s tcp-close-timeout=10s \
    tcp-close-wait-timeout=10s tcp-established-timeout=1d \
    tcp-fin-wait-timeout=10s tcp-last-ack-timeout=10s \
    tcp-syn-received-timeout=5s tcp-syn-sent-timeout=5s tcp-syncookie=no \
    tcp-time-wait-timeout=10s udp-stream-timeout=3m udp-timeout=10s
/ip firewall filter
add action=accept chain=input disabled=no dst-port=2223 in-interface=ether1 \
    protocol=tcp
add action=accept chain=input disabled=no dst-port=2222 in-interface=ether1 \
    protocol=tcp
add action=accept chain=input disabled=no dst-port=9091 in-interface=ether1 \
    protocol=tcp
add action=accept chain=input disabled=no dst-port=31337 in-interface=ether1 \
    protocol=tcp
add action=accept chain=input disabled=no dst-port=22 protocol=tcp
add action=accept chain=input comment="accept established connection packets" \
    connection-state=established disabled=no
add action=accept chain=input comment="accept related connection packets" \
    connection-state=related disabled=no
add action=drop chain=input comment="drop invalid packets" connection-state=\
    invalid disabled=no
add action=accept chain=input comment="Allow Broadcast Traffic" disabled=no \
    dst-address-type=broadcast
add action=jump chain=input comment="jump to chain ICMP" disabled=no \
    jump-target=ICMP protocol=icmp
add action=jump chain=input comment="jump to chain services" disabled=no \
    jump-target=services
add action=accept chain=ICMP comment="0:0 and limit for 5pac/s" disabled=no \
    icmp-options=0:0-255 limit=5,5 protocol=icmp
add action=accept chain=ICMP comment="3:3 and limit for 5pac/s" disabled=no \
    icmp-options=3:3 limit=5,5 protocol=icmp
add action=accept chain=ICMP comment="3:4 and limit for 5pac/s" disabled=no \
    icmp-options=3:4 limit=5,5 protocol=icmp
add action=accept chain=ICMP comment="8:0 and limit for 5pac/s" disabled=no \
    icmp-options=8:0-255 limit=5,5 protocol=icmp
add action=accept chain=ICMP comment="11:0 and limit for 5pac/s" disabled=no \
    icmp-options=11:0-255 limit=5,5 protocol=icmp
add action=drop chain=ICMP comment="Drop everything else" disabled=no \
    protocol=icmp
add action=accept chain=services comment="accept localhost" disabled=no \
    dst-address=127.0.0.1 src-address-list=127.0.0.1
add action=accept chain=services comment="allow DNS request" disabled=no \
    dst-port=53 protocol=tcp
add action=accept chain=services comment="Allow DNS request" disabled=no \
    dst-port=53 protocol=udp
add action=accept chain=services comment=UPnP disabled=no dst-port=1900 \
    protocol=udp
add action=accept chain=services comment=UPnP disabled=no dst-port=2828 \
    protocol=tcp
add action=accept chain=services comment="allow DHCP" disabled=no dst-port=\
    67-68 protocol=udp
/ip firewall nat
add action=dst-nat chain=dstnat disabled=no dst-address=173.11.229.165 \
    dst-port=2222 protocol=tcp to-addresses=192.168.2.15 to-ports=22
add action=dst-nat chain=dstnat disabled=no dst-address=173.11.229.165 \
    dst-port=2223 protocol=tcp to-addresses=192.168.2.25 to-ports=22
add action=dst-nat chain=dstnat disabled=no dst-address=173.11.229.165 \
    dst-port=9091 protocol=tcp to-addresses=192.168.2.15 to-ports=9091
add action=dst-nat chain=dstnat disabled=no dst-address=173.11.229.165 \
    dst-port=31337 protocol=tcp to-addresses=192.168.2.15 to-ports=31337
add action=masquerade chain=srcnat disabled=no
/ip firewall service-port
set ftp disabled=no ports=21
set tftp disabled=no ports=69
set irc disabled=no ports=6667
set h323 disabled=no
set sip disabled=no ports=5060,5061
set pptp disabled=no

Simple question: are you trusting all machines on the LAN, and do you provide any services on the router directly to WAN clients (can Internet machines SSH to your router, use it for DNS, that kind of thing)? Basically: is this a SOHO router?

If yes, the below is shorter, simpler, and more secure:

/ip firewall filter
add action=accept chain=input comment="allow established" connection-state=established disabled=no
add action=accept chain=input comment="allow related" connection-state=related disabled=no
add action=drop chain=input comment="drop invalid traffic" connection-state=invalid disabled=no
add action=accept chain=input comment="allow everything from LAN" disabled=no in-interface=ether2
add action=drop chain=input comment="drop everything else" disabled=no

add action=accept chain=forward comment="forward established traffic" connection-state=established disabled=no
add action=accept chain=forward comment="forward related traffic" connection-state=related disabled=no
add action=drop chain=forward comment="drop invalid traffic" connection-state=invalid disabled=no
add action=accept chain=forward comment="forward traffic from LAN to WAN" disabled=no out-interface=ether1
add action=accept chain=forward comment="allow public services to 192.168.2.15" dst-address=192.168.2.15 protocol=tcp dst-port=22,9091
add action=accept chain=forward comment="allow public services to 192.168.2.25" dst-address=192.168.2.25 protocol=tcp dst-port=22
add action=drop chain=forward comment="drop everything else" disabled=no

Right now you’re only protecting the input chain, which is traffic TO the router. You’re not protecting the hosts behind the router, on your LAN, connected to ether2: that traffic goes THROUGH the router (not TO the router), and is in the forward chain.

You could get more fine-grained on the input chain and allow some services like DNS for all LAN users, and allow unfiltered access to just one management host. One idiosyncrasy is that you can’t filter DHCP either way - that service grabs raw sockets and takes the traffic before it ever hits the firewall. So you can’t block/permit DHCP.
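To make the input-versus-forward distinction concrete, here is an added Python model (not from this thread, and not MikroTik code) of the packet path described above: dst-nat runs first, the chain is chosen by whether the rewritten destination is a router address, and rules match top-down with RouterOS's accept-if-nothing-matches default. The addresses and rule sets are the ones posted in the thread; the `Packet` fields and the `out_iface` routing shortcut are simplifications for the two-subnet setup.

```python
from dataclasses import dataclass, replace

ROUTER_ADDRS = {"173.11.229.165", "192.168.2.1"}  # ether1 and ether2 addresses
# dst-nat rules posted in the thread: (dst-address, dst-port) -> (to-addresses, to-ports)
DSTNAT = {("173.11.229.165", 2222): ("192.168.2.15", 22),
          ("173.11.229.165", 2223): ("192.168.2.25", 22),
          ("173.11.229.165", 9091): ("192.168.2.15", 9091),
          ("173.11.229.165", 31337): ("192.168.2.15", 31337)}

@dataclass(frozen=True)
class Packet:
    in_iface: str
    dst: str
    dport: int
    proto: str = "tcp"
    state: str = "new"  # connection-tracking state: new/established/related/invalid

def out_iface(dst):
    # Routing shortcut (simplification): the LAN /24 sits behind ether2, everything else exits ether1.
    return "ether2" if dst.startswith("192.168.2.") else "ether1"

def matches(rule, pkt):
    fields = {"connection-state": pkt.state, "in-interface": pkt.in_iface,
              "out-interface": out_iface(pkt.dst), "dst-address": pkt.dst,
              "protocol": pkt.proto, "dst-port": pkt.dport}
    return all(fields[k] in v if k == "dst-port" else fields[k] == v
               for k, v in rule.items() if k not in ("chain", "action"))

def evaluate(pkt, ruleset):
    # dst-nat is applied before the input/forward decision, as the reply above explains.
    if nat := DSTNAT.get((pkt.dst, pkt.dport)):
        pkt = replace(pkt, dst=nat[0], dport=nat[1])
    chain = "input" if pkt.dst in ROUTER_ADDRS else "forward"
    for rule in ruleset:  # first matching rule in the chain decides
        if rule["chain"] == chain and matches(rule, pkt):
            return chain, rule["action"]
    return chain, "accept"  # RouterOS default: an unmatched packet passes
NO_FORWARD_RULES = []  # the first export: nothing at all filters the forward chain
PROPOSED = [  # the suggested rule set above, in order; dst-port sets stand for comma lists
    {"chain": "input", "action": "accept", "connection-state": "established"},
    {"chain": "input", "action": "accept", "connection-state": "related"},
    {"chain": "input", "action": "drop", "connection-state": "invalid"},
    {"chain": "input", "action": "accept", "in-interface": "ether2"},
    {"chain": "input", "action": "drop"},
    {"chain": "forward", "action": "accept", "connection-state": "established"},
    {"chain": "forward", "action": "accept", "connection-state": "related"},
    {"chain": "forward", "action": "drop", "connection-state": "invalid"},
    {"chain": "forward", "action": "accept", "out-interface": "ether1"},
    {"chain": "forward", "action": "accept", "dst-address": "192.168.2.15", "protocol": "tcp", "dst-port": {22, 9091}},
    {"chain": "forward", "action": "accept", "dst-address": "192.168.2.25", "protocol": "tcp", "dst-port": {22}},
    {"chain": "forward", "action": "drop"},
]
```

Running `evaluate(Packet("ether1", "192.168.2.15", 80), NO_FORWARD_RULES)` shows the forward-chain gap the reply describes (the packet passes), while the same packet against `PROPOSED` is dropped and the forwarded SSH port still reaches 192.168.2.15.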

Yes. What I’ve got is a block of 5 static IPs from Comcast (173.11.229.16x).
On one of those static IPs (173.11.229.161) sits my “colo box” (moved from a datacenter to hosting-at-home) that offers all my public services (SMTP, HTTP, DNS, etc).
Another of those static IPs (173.11.229.165) is the external interface (ether1) of my RB750GL, behind which sit all of my “personal” (trusted) machines, WiFi AP, etc.
The desktops and everything else behind the RB750 (using 192.168.2.x off ether2) need to be able to get out for whatever they want to do, but nothing needs to get back in, other than a very small set of ports (SSH and a couple of forwarded ports for things like BitTorrent and Transmission’s web GUI).

I think I’ve got everything I need so far - and I’ve gotten a lot more familiar with the way RouterOS does stuff and wrangling things via the CLI. It’s not IOS, but it’s pretty nice.

Edit: and here’s my current config, for reference:

[admin@RB750GL] /ip firewall filter> /ip firewall export
# jul/20/2011 15:36:54 by RouterOS 5.5
# software id = P8II-RHY1
#
/ip firewall connection tracking
set enabled=yes generic-timeout=10m icmp-timeout=10s tcp-close-timeout=10s \
    tcp-close-wait-timeout=10s tcp-established-timeout=1d \
    tcp-fin-wait-timeout=10s tcp-last-ack-timeout=10s \
    tcp-syn-received-timeout=5s tcp-syn-sent-timeout=5s tcp-syncookie=no \
    tcp-time-wait-timeout=10s udp-stream-timeout=3m udp-timeout=10s
/ip firewall filter
add action=accept chain=input comment="Allow ICMP" disabled=no protocol=icmp
add action=accept chain=input comment="allow established" connection-state=\
    established disabled=no
add action=accept chain=input comment="allow related" connection-state=\
    related disabled=no
add action=drop chain=input comment="drop invalid traffic" connection-state=\
    invalid disabled=no
add action=accept chain=input comment="allow everything from LAN" disabled=no \
    in-interface=ether2
add action=accept chain=input comment="SSH to router itself" disabled=no \
    dst-port=22 protocol=tcp
add action=drop chain=input comment="drop everything else" disabled=no
add action=accept chain=forward comment="forward established traffic" \
    connection-state=established disabled=no
add action=accept chain=forward comment="forward related traffic" \
    connection-state=related disabled=no
add action=drop chain=forward comment="drop invalid traffic" \
    connection-state=invalid disabled=no
add action=accept chain=forward comment="forward traffic from LAN to WAN" \
    disabled=no out-interface=ether1
add action=accept chain=forward comment=\
    "allow public services to 192.168.2.15" disabled=no dst-address=\
    192.168.2.15 dst-port=22,9091,31337 protocol=tcp
add action=accept chain=forward comment=\
    "allow public services to 192.168.2.25" disabled=no dst-address=\
    192.168.2.25 dst-port=22 protocol=tcp
add action=drop chain=forward comment="drop everything else" disabled=no
/ip firewall nat
add action=masquerade chain=srcnat disabled=no
add action=dst-nat chain=dstnat disabled=no dst-address=173.11.229.165 \
    dst-port=2222 protocol=tcp to-addresses=192.168.2.15 to-ports=22
add action=dst-nat chain=dstnat disabled=no dst-address=173.11.229.165 \
    dst-port=2223 protocol=tcp to-addresses=192.168.2.25 to-ports=22
add action=dst-nat chain=dstnat disabled=no dst-address=173.11.229.165 \
    dst-port=9091 protocol=tcp to-addresses=192.168.2.15 to-ports=9091
add action=dst-nat chain=dstnat disabled=no dst-address=173.11.229.165 \
    dst-port=31337 protocol=tcp to-addresses=192.168.2.15 to-ports=31337
/ip firewall service-port
set ftp disabled=yes ports=21
set tftp disabled=yes ports=69
set irc disabled=yes ports=6667
set h323 disabled=yes
set sip disabled=yes ports=5060,5061
set pptp disabled=yes

Thank you very much for your help.

That looks good.

And while it’s not IOS (I’m a Cisco guy by day) it has some very nifty tricks up its sleeve you cannot do on IOS. For example, we disallow customers’ routers on some network segments where we provide services for people. Used to be all Cisco 7ks and 6ks. Now it’s RouterOS on those segments because unlike IOS it can rewrite TTL values in IP headers. So we can rewrite to 1 on all packets sent into the network. Normal hosts just work, but routers would decrease the TTL to 0 and discard the packet. Can’t do that on Cisco.

Right tool for the right job and all, and RouterOS is a fantastic tool for many, many jobs.