TS Server and Game server set in dmz

Neo · May 31, 2017, 11:02am

Hi
I am new to the hole mikrotik thing, but i love my new CRS125-24G-1S-RM.

I have to networks on it. the normal 192.168.0.1 for the home network and wifi and 11.11.0.1 for the dmz network where my hp server 2016 are on.
I have a mail server and web sites running on the server without any problems.

But when i run teamspeak server i cant connect from my exsternal ip, neither can i connect to my game server.
I think its a port issue and that my DMZ is not a real dmz. Any suggestion to how to fix it?

Neo

Sob · May 31, 2017, 1:06pm

Not enough info. Tell us what exactly you did (sharing config usually works well), where are you connecting from (internet/LAN), etc…

Neo · May 31, 2017, 1:24pm

I am sorry. i posted some screen shoots, i can get to the game server and TS by using the local ip on the my HP server thats runs the apps. But i cant connect from outside my lan using the wan adress.
Skjermbilde 2017-05-31 kl. 15.20.40.png

Sob · May 31, 2017, 2:37pm

It’s better to post text export (“/export” command in terminal), it’s more readable.

For start, your firewall doesn’t do anything useful, your rules:

#0 - Allows any input from list OurLocalLan.
#1 - Drops any input from list OurLocalLan. So it does nothing, because everything it could possibly drop will always be accepted by #0.
#2 - Allows any tcp input from anywhere to destination in list DMZ. Most likely does nothing, because if DMZ list contains DMZ addresses (11.x.x.x), none of it will end up in input chain. And it’s useless, because default action is accept, so if there are no futher rules, everything will be allowed anyway.

Since you forward all tcp to server, you’re safe here, no one can connect to e.g. WinBox from outside. But if you have remote DNS requests enabled, you are open resolver. And forwarding is unrestricted in any direction.

Next your dstnat rules:

#1 - Forwards any tcp traffic from public address to server.
#2 - Forwards udp port 28015 from public address to server. Works only from WAN.
#3 - Forwards udp port 9987 from public address to server. Works only from WAN.
#4 - Forwards tcp port 10011 from public address to server. Works only from WAN. Useless, because #1 will catch it first.

Start by removing to-ports=0-65535 from rules. I’m not sure if it can have any unexpected effects, but if you just want to keep port number, you don’t need this option at all (it’s useless also in rule #2, because it’s the same as dst-port). Rules #2-#4 have in-interface=ether1, so they will only work from outside, not if you’d connect to public address from LAN (that might not be a problem).

According to nmap test from outside, rule #1 works. Rule #4 have no chance to do anything. But both udp ports in rules #2 and #3 show as closed. If they work directly on 11.11.0.253, then check firewall there, if it allows access from anywhere. And btw, 11.x.x.x is public range, it’s wrong to use it for internal network.

Neo · May 31, 2017, 3:43pm

Thanks for your imput, i am new to this setup and mikrotik so i just reading from the net and try my best to figur it out.
i will do a hole lot of changes know and hope for the best.
i get can connect to TS and the game server from both lan so its not the server firewall

Neo · May 31, 2017, 6:07pm

Thanks for all your help.

I configured it from scratch with a hole new set up that i read from a mikrotik teacher.
I learned a lot from it and now everything is good
Neo

idlemind · May 31, 2017, 8:20pm

Good to hear. Side-note, don’t use 11.0.0.0/8 internally. That network is assigned to the DoD. It likely won’t ever cause a conflict resulting in a client not being able to connect but it could. It’s best to stick with RFC1918 space, there is plenty to pick from!

Neo · June 1, 2017, 11:08pm

Hi
Yes i changed it to 192.168.100.1 for and 192.168.200.1 for server.

Still got problems for reach my rust server from outside on port 28017
This is my new setupMy config

jun/01/2017 12:35:21 by RouterOS 6.37.5

software id = F1NT-425C

/ip firewall address-list
add address=192.168.100.0/24 list=lan1
add address=192.168.200.0/24 list=Servernet/dmz
/ip firewall filter
add action=accept chain=input dst-address-list=lan1
add action=accept chain=input dst-address-list=Servernet/dmz
add action=drop chain=input
add action=accept chain=forward connection-nat-state="" connection-state=new
in-interface=bridge1
add action=accept chain=forward connection-nat-state="" connection-state=new
in-interface=bridge2
add action=accept chain=forward connection-nat-state="" connection-state=
established
add action=accept chain=forward connection-nat-state="" connection-state=
related
/ip firewall nat
add action=masquerade chain=srcnat out-interface=ether1
add action=accept chain=dstnat comment="Keep tcp/22 for ssh on the router"
dst-port=22 in-interface=ether1 protocol=tcp
add action=dst-nat chain=dstnat comment="And the rest goes to the DMZ host"
in-interface=ether1 to-addresses=192.168.200.250

null31 · June 2, 2017, 12:09am

Hi, you have some problems with your firewall rules.
To work the SSH in the router from external access, you need to allow and place before of drop all rule.
Accept input rules with Dst-address for to connect in both networks should be a chain=forward. If is to allow them to connect into router then will be Src-address and not Dst-address.

Do you can’t specify a range to do DMZ?
I guess is better a range than the all ports.

This should works fine.

/ip firewall filter
	add action=accept chain=input protocol=tcp connection-state=established
	add action=accept chain=input protocol=icmp in-interface=ether1 //this is optional, only if you want to allow pings from internet
	add action=accept chain=input protocol=tcp dst-port=22 in-interface=ether1
	add action=accept chain=input src-address-list=lan1
	add action=accept chain=input src-address-list=Servernet/dmz
	add action=drop chain=input
	add action=accept chain=forward connection-state=established,related
/ip firewall nat
	add action=masquerade chain=srcnat out-interface=ether1
	add action=dst-nat chain=dstnat protocol=tcp dst-port=1024-65535 \
	comment="And the rest goes to the DMZ host" in-interface=ether1 to-addresses=192.168.200.250 to-ports=1024-65535
	add action=dst-nat chain=dstnat protocol=udp dst-port=1024-65535 \
	comment="And the rest goes to the DMZ host" in-interface=ether1 to-addresses=192.168.200.250 to-ports=1024-65535

Sob · June 2, 2017, 12:19am

Check the server. You forward everything except tcp/22 to server and firewall filter does not block it, because even though you fixed(*) input chain (traffic to router itself), forward chain (traffic to other devices passing through router) still doesn’t do anything useful. You do have four rules that accept something, but then default action - which is also accept - kicks in and allows everything else, so you might as well have empty forward chain to get same result.

(*) It no longer allows too much, but now it allows too little. You want “accept established & related” as first rule in input chain, to make connections from router to outside work (DNS requests, upgrade checks, …).

Neo · June 2, 2017, 1:21am

Hi
Thanks for helping out, i was going to add more rules but i had not get so far since my server did not respond. The firewall on the server let the game port thrue. i can play the game on the local lan also. I made some more changes hoping maybe you can help me edit them.

My new config

jun/02/2017 03:10:08 by RouterOS 6.37.5

software id = F1NT-425C

/ip firewall address-list
add address=192.168.100.0/24 list=lan1
add address=192.168.200.0/24 list=Servernet
/ip firewall filter
add action=accept chain=input connection-nat-state="" connection-state=
established,related
add action=accept chain=input dst-address-list=lan1
add action=accept chain=input dst-address-list=Servernet
add action=drop chain=input
add action=accept chain=forward connection-nat-state="" connection-state=new
in-interface=bridge1
add action=accept chain=forward connection-nat-state="" connection-state=new
in-interface=bridge2
add action=accept chain=forward connection-nat-state="" connection-state=
established
add action=accept chain=forward connection-nat-state="" connection-state=
related
add action=accept chain=forward
/ip firewall nat
add action=accept chain=dstnat comment="Keep tcp/22 for ssh on the router"
dst-port=22 in-interface=ether1 protocol=tcp
add action=dst-nat chain=dstnat comment="And the rest goes to the DMZ host"
in-interface=ether1 to-addresses=192.168.200.250
add action=masquerade chain=srcnat out-interface=ether1
add action=dst-nat chain=dstnat comment="And the rest goes to the DMZ host"
dst-port=80-65535 in-interface=ether1 protocol=tcp to-addresses=
192.168.200.250 to-ports=80-65535
add action=dst-nat chain=dstnat comment="And the rest goes to the DMZ host"
dst-port=80-65535 in-interface=ether1 protocol=udp to-addresses=
192.168.200.250 to-ports=80-65535

Neo · June 2, 2017, 4:53pm

Hi
After going at it all day i solve the problem with a nat edit. I am going to configure my firewall better but i am happy people can play on my server again
Thanks for all you help solving the problem
Best regards
The mikrotik newbee

Sob · June 2, 2017, 5:40pm

I’m curious, what exactly you did?