Upgrade broke rules?

2011UiAS
Firmware 6.49.15

I upgraded this box a couple of days ago.

Straight away it seemed like we hit DNS/connection issues.

Looking in the logs I could see that it seemed like we were getting blocked by the default rule:

“Drop all from WAN not DSTNATed”

If I disable it then everything worked OK. Disable and it fails.

I saw this post and tried changing the rules bit:

http://forum.mikrotik.com/t/drop-all-from-wan-not-dstnated/159152/1

I added the filter rules above the old rule and that seemed to work OK but my server now gets hit by a lot of queries that appear to originate from the router IP address - 192.168.10.250, not the attacker's remote IP address.

Received disconnect from 192.168.10.250 port 56090:11: Bye Bye [preauth]

I have a geoipblock on the server which now won’t work because the source address is incorrect!

Filter rules - I have removed disabled ones and a couple of extra IPsec Tunnel forwards that just clutter it.

/ip firewall filter
add action=accept chain=input comment="Input Router Admin Access - Remote" dst-address=my.wan.ip.address dst-port=8291 protocol=tcp
add action=drop chain=input comment="Input drop 2224" dst-address=my.wan.ip.address dst-port=2224 protocol=tcp
add action=accept chain=input comment="Input Router Admin Access - Local" dst-address=192.168.10.250 dst-port=2224,8291,80 protocol=tcp src-address-list=Admin
add action=accept chain=input comment="Input Allow IPsec NAT" dst-port=4500 in-interface-list=WAN protocol=udp
add action=accept chain=input comment="Input Allow IKE" dst-port=500 in-interface-list=WAN protocol=udp
add action=accept chain=input comment="Input Allow ESP" in-interface-list=WAN log-prefix="Firewall filter ESP" protocol=ipsec-esp
add action=accept chain=input comment="Input defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=accept chain=forward comment="Allow for Ipsec Tunnel" connection-state=established,related,untracked dst-address=192.168.97.0/24 src-address=192.168.10.0/24
add action=accept chain=forward comment="Allow for Ipsec tunnel" connection-state=established,related,untracked dst-address=192.168.10.0/24 src-address=192.168.97.0/24
add action=fasttrack-connection chain=forward comment="Forward defconf: fasttrack" connection-state=established,related
add action=accept chain=forward comment="Forward defconf: accept established,related, untracked" connection-state=established,related,untracked
add action=accept chain=input comment="Input Allow LAN access to router and internet" in-interface=bridge
add action=accept chain=input comment="Input defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment="Input defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=accept chain=input comment="Input Allow LAN DNS queries - TCP" dst-port=53 in-interface-list=LAN protocol=tcp
add action=accept chain=input comment="Input Allow LAN DNS queries - UDP" dst-port=53 in-interface-list=LAN protocol=udp
add action=drop chain=input comment="Input defconf: drop invalid" connection-state=invalid log-prefix="Input - Invalid"
add action=drop chain=input comment="Input defconf: drop all not coming from LAN" in-interface-list=!LAN log-prefix=NotLAN
add action=accept chain=forward comment="Forward Allow LAN access to router and Internet" connection-state=established,related in-interface=bridge
add action=drop chain=forward comment="Forward defconf: drop invalid" connection-state=invalid log-prefix="Forward - Invalid"

# Added these two as per the post
add action=accept chain=forward comment="Forward drop all from WAN not DSTNATed - See this  https://forum.mikrotik.com/viewtopic.php\?t=187296#p943179" in-interface-list=LAN log=yes log-prefix="Forward drop LAN to WAN not DSTNATed " out-interface-list=WAN
add action=accept chain=forward connection-nat-state=dstnat in-interface-list=WAN out-interface-list=LAN

# This used to be all that was required? 
add action=drop chain=forward comment="Forward defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat connection-state=new in-interface-list=WAN log=yes log-prefix=WAN-Not-DSTNATed 

add action=drop chain=forward comment="Forward drop all else" log=yes log-prefix="Drop forward all else"

I think these rules are a bit of a mess to be honest but it did work fairly happily, and then didn’t! All that happened was an upgrade and reboot.

I can see in my server logs when it suddenly started getting hit with ssh from the router which was after the upgrade.

I have a pretty simple setup - ISP modem in Bridge mode with Mikrotik doing pppoe, a small LAN, and a few port forwards to a server.

Any advice on a tidy up and where to look would be gratefully received!

Upgraded from which version to 6.49.15 or from 6.49.15 to which version?

From 6.49.14 to 6.49.15

(I also have a HEXs behind the RB that runs openvpn to a vps and that also now fails with DNS lookup errors I can see in the RB logs which is possibly related)

No rules were touched on the upgrade (it worked, why would I!)

Hmmm.

I find this place odd. You ask a sensible question and get almost zero help. Some questions seem to get a lot, and then others don’t and it doesn’t make sense. I do a lot of open source help in other places and none of it makes sense here.

The documentation looks great on the surface but is clearly sketchy.

I’ve tried to pay ‘consultants’ to set up the routers and ended up frustrated as they seem qualified to teach Mikrotik courses, but not actually able to fix stuff. Presumably teaching brings more money than fixing stuff.

There was a clear issue with this firmware - I upgraded, touched nothing, and it broke stuff that has been quite happy for some long while. Do I open a bug with support?

A knock on effect somewhere is it has also played havoc with my otherwise stable VPNs.

My hacks around it are not right, but I do not know what the answers are and either no one here knows or is bothered to help. My setup is not complex by any means but it seems to elude many.

I think I am going to have to give up the fight with these routers and find something else that doesn’t break every 5 minutes.

Grrrrrrrrrrrrrrrr. So frustrating.

How about posting full config … and explaining what exactly started to fail? You have some minor mess with FW rules and it’s hard to understand where are they supposed to fit. And you (obviously?) have some NAT rules which I don’t find in the posted config. FW rules for different chains are interleaved making it much harder to read the setup. You may try to sort them (already on your device) before posting any further …

Your issue is not trivial to analyze so I’d say this is the reason for you not getting any help so far. Generally there are two types of issues we’re seeing on this forum: 1) how can I …? and 2) why doesn’t this work? The first category of issues is pretty easy because the person trying to help only has to think about how he would solve the task (with minor consideration about the rest of the device config). The second category of issues is much harder to help with as it’s very useful (if not required) to thoroughly understand the poster’s environment and wishes to give any useful contribution. And your issue is from category #2.

I read the original post twice and I understand why there have been no replies: I don’t understand your problem. Very vague and confusingly hopping around theories (DNS issue? connection what issue?), then talking about the “drop all from wan not dstnated” rule, which, why the heck does disabling it resolve what/which unknown issue you did not describe yet? You just say: all broken, but then everything worked. OK, “all” and “everything”. Then you paste some/all of your firewall filter rules, which you already altered/cleaned after the issue first arose (so you already compromised the crime scene and spoiled all traces), sprinkle one line of your log, not even posting the configuration to get an overview for strangers.

to finally complain: weird place here. nobody helps me.

As others mentioned, would be helpful to see your full config and a detailed description of exactly what network topology you have and what specific things have stopped working. Regardless of what was working previously, the FW rules need to be cleaned up and ordered, input chain followed by forward chain, etc. It is very possible you are allowing/disallowing traffic unintentionally given the misordered rules.

Given you are seeing unusual traffic apparently originating from the router and have the router’s admin port open from WAN I wouldn’t rule out the possibility your router has been compromised.
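The reply above flags that management is reachable from the WAN: in the posted export the www, www-ssl and winbox services listen on 0.0.0.0/0, and the first input rule accepts TCP/8291 on the WAN address from any source. The following is an added example of the tighter form, not configuration from the thread or from MikroTik; it reuses the networks the export's own "Admin" address list names (192.168.10.0/24, 10.0.0.0/24 and the office.ip.addr placeholder, which stands for a real address in the export) and assumes those are the only places management should come from.

```routeros
# Added example (not from the thread): limit where router management is reachable from.
# Weak settings as posted in the export:
#   /ip service set www address=0.0.0.0/0
#   /ip service set www-ssl address=0.0.0.0/0
#   /ip service set winbox address=0.0.0.0/0
#   input rule "Input Router Admin Access - Remote": dst-port=8291 with no source restriction

# 1. Restrict the listeners themselves. The address list mirrors the export's
#    "Admin" address list (assumption: those are the only management sources;
#    office.ip.addr is the export's placeholder for a real WAN address).
/ip service
set winbox address=192.168.10.0/24,10.0.0.0/24,office.ip.addr
set www address=192.168.10.0/24
set www-ssl address=192.168.10.0/24,10.0.0.0/24,office.ip.addr
set ssh address=192.168.10.0/24,10.0.0.0/24,office.ip.addr

# 2. Make the existing remote-admin input rule require the Admin list as
#    source instead of accepting TCP/8291 from anywhere.
/ip firewall filter
set [ find comment="Input Router Admin Access - Remote" ] src-address-list=Admin

# 3. Check: every enabled service should now show an address restriction,
#    and the remote-admin rule should carry src-address-list=Admin.
/ip service print where disabled=no
/ip firewall filter print where comment="Input Router Admin Access - Remote"
```

Apply step 1 from a session that originates inside one of the listed networks, since the change takes effect immediately; the two print commands in step 3 are the quickest way to confirm nothing still listens to the world.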

Thanks for the attention and responses.

Strange that no one simply put “we need more information” at the start. I was just asked for the firmware versions…

I have a pretty simple setup.

The router connects to the ISP with PPPoE through an ISP router that is in bridge mode. 1Gb symmetrical fibre connection.

Ethernet 1 connects to the ISP router.
PPPoE dialup gives an interface pppoe-out1 across Ethernet 1
Sfp1 with fibre connects to a switch for the LAN
Ethernet 5 is a backup connection to the router in case of emergencies

‘bridge’ is for the general LAN
‘DHCPbridge’ is for Ethernet 5

Several linux desktops, phone etc and a Linux server behind the router.

The Linux server handles local DHCP and DNS. A few ports are forwarded to the server, and there is a media server with a few forwards.

I have 4 ipsec tunnels to some other sites.

IPv6 via Hurricane Electric as a test for local devices as we have no IPv6 via our ISP.

I have upgraded a number of times without issue.

However, this time my linux server suddenly could not see the remote IP of a ssh connection. They all appeared to come from the router 192.168.10.250. That meant the geoipblocking of attackers failed and I suddenly got a mountain of warnings of connections in my logs. I also found we could not ping outside the local network and had no DNS either.

The filter rules were left this way after an extremely expensive consultant tried to fix another issue I had, and failed. I fixed it myself eventually (guesswork + trial & error). However, I didn’t touch the rules that he left as he said they were OK… and it all worked bar the ipsec issues he was meant to fix.

I only posted the filter rules because no rules had changed between upgrades, but I suddenly could not access sites online. I applied some logging as it looked like a DNS lookup issue, and the filter rule “drop all from WAN not DSTNATed” seemed to be the culprit dropping lots of packets on UDP 53. I had to add the new filter forwarding rules to get it working as you can see - I touched no other rules at all.

I had asked if someone could advise a tidy up as I know they are not very neat :frowning: But if it wasn’t broken don’t fix it. Which it wasn’t until this upgrade.

Note one point I really don’t understand is the interfaces and wonder whether this has any influence. Which interfaces should be in WAN and which is LAN? Are some of the interfaces in WAN that should be in LAN - eg
sfp1 which connects to the internal switch and therefore LAN?
bridge should be LAN as per DHCPBridge?
sit1 is IPv6 and internet?

Should I have the lists eg LAN, WAN, Internet and manually add the interfaces in the correct lists for use in the rules? And how would that affect say the IPsec rules (where we had issues with one particular connection that connects to an almost identical router in my remote office)?

 /interface detect-internet state> print
  # NAME                   STATE    STATE-CHANGE-TIME    CLOUD-RTT           
 0 sfp1-ToSwitch          wan      jun/15/2024 13:39:48
 1 ether1-ToRouter        wan      jun/15/2024 13:39:48
 2 ether2                 no-link  jun/15/2024 13:39:42
 3 ether3                 no-link  jun/15/2024 13:39:42
 4 ether4                 no-link  jun/15/2024 13:39:42
 5 ether5                 no-link  jun/15/2024 13:39:42
 6 ether6                 no-link  jun/15/2024 13:39:42
 7 ether7                 no-link  jun/15/2024 13:39:42
 8 ether8                 no-link  jun/15/2024 13:39:42
 9 ether9                 no-link  jun/15/2024 13:39:42
10 ether10                no-link  jun/15/2024 13:39:42
11 bridge                 wan      jun/15/2024 13:39:48
12 pppoe-out1             internet jun/15/2024 13:39:48 76ms                
13 sit1                   wan      jun/15/2024 13:39:48
14 DHCPBridge             lan      jun/15/2024 13:39:42

Either way, herewith the rules in place - I have tried to tidy up and group input & forward. I just changed a few public IP addresses


# jun/15/2024 13:25:52 by RouterOS 6.49.15
# software id = FSDE-XXW1
#
# model = 2011UiAS
# serial number = 75B90689C77B
/interface bridge
add name=DHCPBridge
add admin-mac=6C:3B:6B:84:2A:CE auto-mac=no comment=defconf name=bridge
/interface ethernet
set [ find default-name=ether1 ] name=ether1-ToRouter
set [ find default-name=ether2 ] disabled=yes
set [ find default-name=ether3 ] disabled=yes
set [ find default-name=ether4 ] disabled=yes
set [ find default-name=ether6 ] disabled=yes
set [ find default-name=ether7 ] disabled=yes
set [ find default-name=ether8 ] disabled=yes
set [ find default-name=ether9 ] disabled=yes
set [ find default-name=ether10 ] disabled=yes
set [ find default-name=sfp1 ] name=sfp1-ToSwitch
/interface pppoe-client
add add-default-route=yes disabled=no interface=ether1-ToRouter max-mru=1492 \
    max-mtu=1492 name=pppoe-out1 password=adslppp service-name=ISP user=\
    user
/interface 6to4
add comment="Hurricane Electric IPv6 Tunnel Broker" !keepalive local-address=\
    my.wan.ip.addr mtu=1280 name=sit1 remote-address=1.2.3.4
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip ipsec profile
set [ find default=yes ] dh-group=modp4096 enc-algorithm=aes-256 \
    hash-algorithm=sha512
add dh-group=modp4096 enc-algorithm=aes-256 hash-algorithm=sha256 name=\
    ike2-256-4096 prf-algorithm=sha256
/ip ipsec peer
add address=x.x.164.73/32 exchange-mode=ike2 name=ike2-Test profile=\
    ike2-256-4096
add address=x.x.143.44/32 exchange-mode=ike2 name=ike2-Cloud profile=\
    ike2-256-4096
add address=x.x.138.58/32 exchange-mode=ike2 name=ike2-Asterisk profile=\
    ike2-256-4096
add address=office.ip.addr/32 exchange-mode=ike2 name=ike2-WorkNew profile=\
    ike2-256-4096
/ip ipsec proposal
set [ find default=yes ] auth-algorithms=sha512,sha256 enc-algorithms=\
    aes-256-cbc,aes-256-gcm pfs-group=modp4096
add auth-algorithms=sha256 enc-algorithms=aes-256-cbc name=ike2-sha256 \
    pfs-group=modp4096
add auth-algorithms=sha512,sha256 enc-algorithms=aes-256-cbc name=\
    ike2-256-4096 pfs-group=modp4096
/ip pool
add name=default-dhcp ranges=192.168.88.10-192.168.88.254
/ip dhcp-server
add address-pool=default-dhcp disabled=no interface=DHCPBridge name=defconf
/interface bridge port
add bridge=DHCPBridge comment=defconf interface=ether5
add bridge=bridge comment=defconf interface=sfp1-ToSwitch
/ip firewall connection tracking
set udp-timeout=3m10s
/ip neighbor discovery-settings
set discover-interface-list=*2000012
/ipv6 settings
set accept-router-advertisements=yes
/interface detect-internet
set detect-interface-list=all internet-interface-list=all lan-interface-list=\
    LAN wan-interface-list=WAN
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=ether1-ToRouter list=WAN
add interface=pppoe-out1 list=WAN
add interface=DHCPBridge list=LAN
/ip accounting
set account-local-traffic=yes enabled=yes
/ip accounting web-access
set accessible-via-web=yes address=my.wan.ip.addr/32
/ip address
add address=192.168.10.250/24 comment=defconf interface=bridge network=\
    192.168.10.0
add address=192.168.88.1/24 comment=ETH5 interface=DHCPBridge network=\
    192.168.88.0
/ip cloud
set update-time=no
/ip dhcp-client
add comment=defconf interface=ether1-ToRouter
add disabled=no interface=ether1-ToRouter
/ip dhcp-server network
add address=192.168.88.0/24 comment=defconf gateway=192.168.88.1
/ip dns
set allow-remote-requests=yes servers="208.67.222.222,208.67.220.220,2001:470:\
    20::2,2620:119:35::35,2620:119:53::53"
/ip dns static
add address=192.168.88.1 comment=defconf name=router.lan
/ip firewall address-list
add address=192.168.10.0/24 comment="ES local" list=Admin
add address=185.212.149.203 comment=Blacklists list=Blacklist
add address=office.ip.addr comment="remote" list=Admin
add address=10.0.0.0/24 comment="local" list=Admin
/ip firewall filter
add action=accept chain=input comment="Input Router Admin Access - Remote" \
    dst-address=my.wan.ip.addr dst-port=8291 protocol=tcp
add action=drop chain=input comment="Input drop 2224" dst-address=my.wan.ip.addr \
    dst-port=2224 protocol=tcp
add action=accept chain=input comment="Input Router Admin Access - Local" \
    dst-address=192.168.10.250 dst-port=2224,8291,80 protocol=tcp \
    src-address-list=Admin
add action=accept chain=input comment="Input Allow IPsec NAT" dst-port=4500 \
    in-interface-list=WAN protocol=udp
add action=accept chain=input comment="Input Allow IKE" dst-port=500 \
    in-interface-list=WAN protocol=udp
add action=accept chain=input comment="Input Allow ESP" in-interface-list=WAN \
    log-prefix="Firewall filter ESP" protocol=ipsec-esp
add action=accept chain=input comment=\
    "Input defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=accept chain=input comment=\
    "Input Allow LAN access to router and internet" in-interface=bridge
add action=accept chain=input comment=\
    "Input Allow DHCP Bridge Access to router & internet" in-interface=\
    DHCPBridge
add action=accept chain=input comment="Input defconf: accept ICMP" protocol=\
    icmp
add action=accept chain=input comment=\
    "Input defconf: accept to local loopback (for CAPsMAN)" dst-address=\
    127.0.0.1
add action=accept chain=input comment="Input Allow LAN DNS queries - TCP" \
    dst-port=53 in-interface-list=LAN protocol=tcp
add action=accept chain=input comment="Input Allow LAN DNS queries - UDP" \
    dst-port=53 in-interface-list=LAN protocol=udp
add action=drop chain=input comment="Input defconf: drop invalid" \
    connection-state=invalid log-prefix="Input - Invalid"
add action=drop chain=input comment=\
    "Input defconf: drop all not coming from LAN" in-interface-list=!LAN \
    log-prefix=NotLAN
add action=accept chain=forward comment=\
    "Forward defconf: accept in ipsec policy - use RAW instead" \
    connection-state=established,related disabled=yes ipsec-policy=in,ipsec \
    log-prefix=Ipsec-In
add action=accept chain=forward comment=\
    "Forward defconf: accept out ipsec policy - use RAW instead" \
    connection-state=established,related disabled=yes ipsec-policy=out,ipsec \
    log-prefix=Ipsec-Out
add action=accept chain=forward comment=\
    "Ron - Allow all traffic from Spain via IPSec tunnel to UK" \
    connection-state=established,related,untracked dst-address=10.0.0.0/24 \
    src-address=192.168.10.0/24
add action=accept chain=forward comment=\
    "Ron - Allow all traffic from via IPSec tunnel to Spain" \
    connection-state=established,related,untracked dst-address=\
    192.168.10.0/24 src-address=10.0.0.0/24
add action=accept chain=forward comment=\
    "Ron - Allow all traffic from Spain via IPSec tunnel to FreePBX" \
    connection-state=established,related,untracked dst-address=\
    192.168.98.0/24 src-address=192.168.10.0/24
add action=accept chain=forward comment=\
    "Ron - Allow all traffic from FreePBX via IPSec tunnel to Spain" \
    connection-state=established,related,untracked dst-address=\
    192.168.10.0/24 src-address=192.168.98.0/24
add action=accept chain=forward comment=\
    "Ron - Allow all traffic from Spain via IPSec tunnel to Cloud" \
    connection-state=established,related,untracked dst-address=\
    192.168.99.0/24 src-address=192.168.10.0/24
add action=accept chain=forward comment=\
    "Ron - Allow all traffic from Cloud via IPSec tunnel to Spain" \
    connection-state=established,related,untracked dst-address=\
    192.168.10.0/24 src-address=192.168.99.0/24
add action=accept chain=forward comment="Allow for Test" connection-state=\
    established,related,untracked dst-address=192.168.97.0/24 src-address=\
    192.168.10.0/24
add action=accept chain=forward comment="Allow for Test" connection-state=\
    established,related,untracked dst-address=192.168.10.0/24 src-address=\
    192.168.97.0/24
add action=fasttrack-connection chain=forward comment=\
    "Forward defconf: fasttrack" connection-state=established,related
add action=accept chain=forward comment=\
    "Forward defconf: accept established,related, untracked" \
    connection-state=established,related,untracked
add action=accept chain=forward comment="Forward Allow Port forwards" \
    connection-nat-state=srcnat disabled=yes
add action=accept chain=forward comment=\
    "Forward Allow LAN access to router and Internet" connection-state=\
    established,related in-interface=bridge
add action=accept chain=forward comment=\
    "Forward Allow LAN access to router and Internet" connection-state=\
    established,related in-interface=DHCPBridge
add action=drop chain=forward comment="Forward defconf: drop invalid" \
    connection-state=invalid log-prefix="Forward - Invalid"
    
# I had to add these to permit traffic - If I disable them then
# the original rule below seems to block traffic
add action=accept chain=forward comment="Forward drop all from WAN not DSTNATe\
    d - See this  https://forum.mikrotik.com/viewtopic.php\?t=187296#p943179" \
    in-interface-list=LAN log=yes log-prefix=\
    "Forward drop LAN to WAN not DSTNATed " out-interface-list=WAN
add action=accept chain=forward connection-nat-state=dstnat \
    in-interface-list=WAN out-interface-list=LAN
    
# Original rule
add action=drop chain=forward comment="Forward defconf: drop all from WAN not \
     DSTNATed - original rule" connection-nat-state=!dstnat connection-state=\
     new in-interface-list=WAN log=yes log-prefix="Forward drop WAN Not \
     DSTNATed"

# Added as per above post
add action=drop chain=forward comment="Forward drop all else" log=yes \
    log-prefix="Drop forward all else"
    
add action=log chain=input connection-state=\
    invalid,established,related,new,untracked disabled=yes log=yes \
    log-prefix=EverythingElseInput
add action=log chain=forward connection-state=\
    invalid,established,related,new,untracked disabled=yes log=yes \
    log-prefix=EverythingElseForward
/ip firewall mangle
add action=change-mss chain=forward comment="Clamp MSS to PMTU" log-prefix=\
    "Clamp to PMTU forward" new-mss=clamp-to-pmtu out-interface=pppoe-out1 \
    passthrough=yes protocol=tcp tcp-flags=syn
add action=change-mss chain=forward comment=\
    "Ron - Set MSS Clamp to 1366 for MTU 1406 for IPSec to UK" dst-address=\
    10.0.0.0/24 new-mss=1366 passthrough=yes protocol=tcp tcp-flags=syn \
    tcp-mss=1367-65535
add action=change-mss chain=forward comment=\
    "Ron - Set MSS Clamp to 1382 for MTU 1411 for IPSec to FreePBX" \
    dst-address=192.168.98.0/24 new-mss=1382 passthrough=yes protocol=tcp \
    tcp-flags=syn tcp-mss=1383-65535
/ip firewall nat
add action=accept chain=srcnat comment=\
    "defconf: accept all that matches IPSec policy OUT" ipsec-policy=\
    out,ipsec
add action=masquerade chain=srcnat comment="defconf: masquerade" \
    ipsec-policy=out,none log-prefix=Masquerade out-interface-list=WAN
add action=dst-nat chain=dstnat comment="SERVER SMTP" dst-address=my.wan.ip.addr \
    dst-port=25 protocol=tcp to-addresses=192.168.10.1 to-ports=25
add action=dst-nat chain=dstnat comment="SERVER SMTPS" dst-address=\
    my.wan.ip.addr dst-port=465 protocol=tcp to-addresses=192.168.10.1 to-ports=\
    465
add action=dst-nat chain=dstnat comment="SERVER HTTP" dst-address=my.wan.ip.addr \
    dst-port=80 protocol=tcp to-addresses=192.168.10.1 to-ports=80
add action=dst-nat chain=dstnat comment="SERVER HTTPS" dst-address=\
    my.wan.ip.addr dst-port=443 protocol=tcp to-addresses=192.168.10.1 to-ports=\
    443
add action=dst-nat chain=dstnat comment="SERVER IMAPS" dst-address=\
    my.wan.ip.addr dst-port=993 protocol=tcp to-addresses=192.168.10.1 to-ports=\
    993
add action=dst-nat chain=dstnat comment="SERVER SSH" dst-address=my.wan.ip.addr \
    dst-port=2222 log-prefix=ssh protocol=tcp to-addresses=192.168.10.1 \
    to-ports=2222
add action=dst-nat chain=dstnat comment="SERVER Proxmox" dst-address=\
    my.wan.ip.addr dst-port=56001 protocol=tcp to-addresses=192.168.10.12 \
    to-ports=8006
add action=dst-nat chain=dstnat comment="SERVER media https" dst-address=\
    my.wan.ip.addr dst-port=8920 protocol=tcp to-addresses=192.168.10.191 \
    to-ports=8920
add action=dst-nat chain=dstnat comment=Jitsi dst-address=my.wan.ip.addr \
    dst-port=8448 protocol=tcp to-addresses=192.168.10.191 to-ports=8448
add action=dst-nat chain=dstnat dst-address=my.wan.ip.addr dst-port=10000-10002 \
    protocol=udp to-addresses=192.168.10.191 to-ports=10000-10002
add action=dst-nat chain=dstnat dst-address=my.wan.ip.addr dst-port=5349 \
    protocol=tcp to-addresses=192.168.10.191 to-ports=5349
add action=dst-nat chain=dstnat dst-address=my.wan.ip.addr dst-port=4443 \
    protocol=tcp src-port="" to-addresses=192.168.10.191 to-ports=4443
add action=log chain=srcnat comment="Logging SRC NAT" disabled=yes log=yes \
    log-prefix=SRC-NAT
add action=log chain=dstnat comment="Logging DST NAT" disabled=yes log=yes \
    log-prefix=DST-NAT
/ip firewall raw
add action=drop chain=prerouting in-interface-list=WAN log=yes log-prefix=\
    "Blacklist Raw" src-address-list=Blacklist
add action=notrack chain=prerouting comment="Office" dst-address=\
    10.0.0.0/24 src-address=192.168.10.0/24
add action=notrack chain=prerouting comment="Office" dst-address=\
    192.168.10.0/24 src-address=10.0.0.0/24
add action=notrack chain=prerouting comment="Working for Asterisk" \
    dst-address=192.168.98.0/24 src-address=192.168.10.0/24
add action=notrack chain=prerouting comment="Working for Asterisk" \
    dst-address=192.168.10.0/24 src-address=192.168.98.0/24
add action=notrack chain=prerouting comment="Working for Cloud" dst-address=\
    192.168.99.0/24 src-address=192.168.10.0/24
add action=notrack chain=prerouting comment="Working for Cloud" dst-address=\
    192.168.10.0/24 src-address=192.168.99.0/24
add action=notrack chain=prerouting comment="Working for Test" dst-address=\
    192.168.97.0/24 src-address=192.168.10.0/24
add action=notrack chain=prerouting comment="Working for Test" dst-address=\
    192.168.10.0/24 src-address=192.168.97.0/24
add action=log chain=prerouting disabled=yes log=yes log-prefix=RawPrerouting
/ip firewall service-port
set ftp disabled=yes
set tftp disabled=yes
set irc disabled=yes
set sip disabled=yes
set pptp disabled=yes
set udplite disabled=yes
/ip ipsec identity
add auth-method=digital-signature certificate="Mikrotik ES" match-by=\
    certificate peer=ike2-Asterisk remote-certificate="Asterisk Server"
add auth-method=digital-signature certificate="Mikrotik ES" peer=ike2-WorkNew \
    remote-certificate="Mikrotik UK"
add auth-method=digital-signature certificate="Mikrotik ES" peer=ike2-Cloud \
    remote-certificate="Cloud Server"
add auth-method=digital-signature certificate="Mikrotik ES" match-by=\
    certificate peer=ike2-Test remote-certificate="Test Server"
/ip ipsec policy
add dst-address=192.168.98.0/24 peer=ike2-Asterisk proposal=ike2-256-4096 \
    src-address=192.168.10.0/24 tunnel=yes
add dst-address=10.0.0.0/24 peer=ike2-WorkNew proposal=ike2-256-4096 \
    src-address=192.168.10.0/24 tunnel=yes
add dst-address=192.168.99.0/24 peer=ike2-Cloud proposal=ike2-256-4096 \
    src-address=192.168.10.0/24 tunnel=yes
add dst-address=192.168.97.0/24 peer=ike2-Test proposal=ike2-256-4096 \
    src-address=192.168.10.0/24 tunnel=yes
/ip service
set telnet disabled=yes
set ftp disabled=yes
set www address=0.0.0.0/0
set ssh port=2224
set www-ssl address=0.0.0.0/0
set api disabled=yes
set winbox address=0.0.0.0/0
set api-ssl disabled=yes
/ip ssh
set strong-crypto=yes
/ipv6 address
add address=2001:470:1f12:3ef::2 advertise=no comment="Client IPv6 address" \
    interface=sit1
add address=2001:470:1f13:3ee::1 comment="Router /64" interface=bridge
/ipv6 firewall address-list
add address=::/128 comment="defconf: unspecified address" list=bad_ipv6
add address=::1/128 comment="defconf: lo" list=bad_ipv6
add address=fec0::/10 comment="defconf: site-local" list=bad_ipv6
add address=::ffff:0.0.0.0/96 comment="defconf: ipv4-mapped" list=bad_ipv6
add address=::/96 comment="defconf: ipv4 compat" list=bad_ipv6
add address=100::/64 comment="defconf: discard only " list=bad_ipv6
add address=2001:db8::/32 comment="defconf: documentation" list=bad_ipv6
add address=2001:10::/28 comment="defconf: ORCHID" list=bad_ipv6
add address=3ffe::/16 comment="defconf: 6bone" list=bad_ipv6
add address=::224.0.0.0/100 comment="defconf: other" list=bad_ipv6
add address=::127.0.0.0/104 comment="defconf: other" list=bad_ipv6
add address=::/104 comment="defconf: other" list=bad_ipv6
add address=::255.0.0.0/104 comment="defconf: other" list=bad_ipv6
/ipv6 firewall filter
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=accept chain=input comment="defconf: accept ICMPv6" protocol=\
    icmpv6
add action=accept chain=input comment="defconf: accept UDP traceroute" port=\
    33434-33534 protocol=udp
add action=accept chain=input comment=\
    "defconf: accept DHCPv6-Client prefix delegation." dst-port=546 protocol=\
    udp src-address=fe80::/10
add action=accept chain=input comment="defconf: accept IKE" dst-port=500,4500 \
    protocol=udp
add action=accept chain=input comment="defconf: accept ipsec AH" protocol=\
    ipsec-ah
add action=accept chain=input comment="defconf: accept ipsec ESP" protocol=\
    ipsec-esp
add action=accept chain=input comment=\
    "defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=input comment=\
    "defconf: drop everything else not coming from LAN" in-interface-list=\
    !LAN
add action=accept chain=forward comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
add action=drop chain=forward comment=\
    "defconf: drop packets with bad src ipv6" src-address-list=bad_ipv6
add action=drop chain=forward comment=\
    "defconf: drop packets with bad dst ipv6" dst-address-list=bad_ipv6
add action=drop chain=forward comment="defconf: rfc4890 drop hop-limit=1" \
    hop-limit=equal:1 protocol=icmpv6
add action=accept chain=forward comment="defconf: accept ICMPv6" protocol=\
    icmpv6
add action=accept chain=forward comment="defconf: accept HIP" protocol=139
add action=accept chain=forward comment="defconf: accept IKE" dst-port=\
    500,4500 protocol=udp
add action=accept chain=forward comment="defconf: accept ipsec AH" protocol=\
    ipsec-ah
add action=accept chain=forward comment="defconf: accept ipsec ESP" protocol=\
    ipsec-esp
add action=accept chain=forward comment=\
    "defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=forward comment=\
    "defconf: drop everything else not coming from LAN" in-interface-list=\
    !LAN
/ipv6 firewall mangle
add action=change-mss chain=forward new-mss=clamp-to-pmtu out-interface=\
    pppoe-out1 passthrough=yes protocol=tcp tcp-flags=syn
/ipv6 nd
set [ find default=yes ] interface=bridge ra-interval=5s-30s
/ipv6 route
add comment="Hurricane Routes" distance=1 dst-address=2000::/3 gateway=\
    2001:470:1f12:3ef::1
/lcd
set default-screen=stat-slideshow
/lcd pin
set hide-pin-number=yes pin-number=3713
/lcd interface
set ether2 disabled=yes
set ether3 disabled=yes
set ether4 disabled=yes
set ether5 disabled=yes
set ether6 disabled=yes
set ether7 disabled=yes
set ether8 disabled=yes
set ether9 disabled=yes
set ether10 disabled=yes
/system clock
set time-zone-autodetect=no time-zone-name=Europe/Madrid
/system clock manual
set time-zone=+01:00
/system identity
set name=RouterOS
/system logging
set 3 action=memory
add disabled=yes topics=firewall
add disabled=yes prefix=!packet topics=ipsec
/system ntp client
set enabled=yes primary-ntp=192.168.10.1
/tool bandwidth-server
set enabled=no
/tool graphing interface
add allow-address=192.168.10.0/24 interface=pppoe-out1
add allow-address=192.168.10.0/24 interface=bridge
add allow-address=192.168.10.0/24 interface=sit1
add allow-address=192.168.10.0/24 interface=sfp1-ToSwitch
/tool graphing resource
add allow-address=192.168.10.0/24
/tool mac-server ping
set enabled=no
/tool sniffer
set filter-direction=rx filter-interface=all filter-ip-address=\
    192.168.98.1/32

Please let me know if more information is required. Any advice appreciated.

I’d happily pay someone if I thought they could fix it… :slight_smile:

Only some generic advice, possibly not connected to the issue at hand, but (IMHO) useful to tidy up the configuration a bit.

  1. detect internet: it is possible that it will interfere with something else, the general advice is to disable it and use “static” port categorization, see:
    http://forum.mikrotik.com/t/does-detect-internet-actually-do-anything/143971/1
    What it seems “suspect” to me is that you have (in /interface detect-internet state) the pppoe-out1 categorized as “internet”, while you have it as “WAN” in /interface list member, see below point #2, it is possible that this creates issues in firewall rules using the interface list.
  2. Then you have:

/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=ether1-ToRouter list=WAN
add interface=pppoe-out1 list=WAN
add interface=DHCPBridge list=LAN

but you have:

/interface bridge
add name=DHCPBridge
add admin-mac=6C:3B:6B:84:2A:CE auto-mac=no comment=defconf name=bridge
/interface ethernet
set [ find default-name=ether1 ] name=ether1-ToRouter
set [ find default-name=ether2 ] disabled=yes
set [ find default-name=ether3 ] disabled=yes
set [ find default-name=ether4 ] disabled=yes
set [ find default-name=ether6 ] disabled=yes
set [ find default-name=ether7 ] disabled=yes
set [ find default-name=ether8 ] disabled=yes
set [ find default-name=ether9 ] disabled=yes
set [ find default-name=ether10 ] disabled=yes
set [ find default-name=sfp1 ] name=sfp1-ToSwitch

and:

/interface bridge port
add bridge=DHCPBridge comment=defconf interface=ether5
add bridge=bridge comment=defconf interface=sfp1-ToSwitch

What is the rationale behind having two bridges, each one with only one ethernet port? (what they are supposed to bridge?)
Essentially you are using only two interfaces (let’s for the moment set aside ether5, which by the way is strangely not listed in /interface ethernet, and interface sit1, which is related to some kind of tunnel):
sfp1=sfp1-ToSwitch which is definitely LAN
ether1=ether1-ToRouter which is definitely WAN
Personally I would get rid of both bridges and use the underlying ethernet interfaces directly.
3) about ether5:

  • it should be listed in /interface ethernet
  • why - if ether5 is a backup connection to the router - does it have a DHCP server running on it (the “main” connection to the router is through ether1, which has a DHCP client running on it)?
  • if it is connected to the router/modem (by itself or through the DHCP bridge) it is essentially “WAN”, but on the other hand it has a typical LAN IP address?
4) you have something wrong here:

/ip neighbor discovery-settings
set discover-interface-list=*2000012

whenever there is an “*” (asterisk) in a configuration it means that it is a reference to something that existed but that now doesn’t exist anymore or that however RoS cannot find
5) this seems to me like a duplication:

/ip dhcp-client
add comment=defconf interface=ether1-ToRouter
add disabled=no interface=ether1-ToRouter

Now, the “main issue” (I am making a separate post so that it can be corrected more easily in case of mistakes when/if anav or some other more expert member happens to see it)
6) the original rule (without comments, reordered, dissected) the chain is the forward one:
action=drop ← “negative” applies to packets that match the following rules:
in-interface-list=WAN ← ONLY those coming from WAN (let’s call this “inbound traffic”)
connection-nat-state=!dstnat ← NOT dst-natted
connection-state=new ← as stated by anav redundant, but actually restricting the width of the rule

Compared to the three rules by anav in the referenced post:
http://forum.mikrotik.com/t/drop-all-from-wan-not-dstnated/159152/1
action=accept ← “positive”, applies to all packets that match the single rule below:
connection-nat-state=dstnat

action=accept ← “positive” applies to all packets that match the following rules
in-interface-list=LAN ← whatever (no matter if dstnatted or not) that comes from LAN
out-interface-list=WAN ← AND that goes to WAN (let’s call this “outbound traffic”)

action=drop ← “negative”, whatever remains at this last rule is dropped, NO EXCEPTIONS

So we can try to rewrite in plain(er) English:
Original:
Do NOT allow inbound traffic that is NOT dstnatted. (this could mean “allow dstnatted inbound traffic”)

Anav’s set (implying the final drop all else):
Allow all dstnatted traffic (inbound and outbound) and all outbound traffic (dstnatted or not).

It seems to me that the two are perfectly equivalent, but evidently in your current setup there is some traffic that matches the original “negative” rule but that goes through the “positive” set.
From https://wiki.mikrotik.com/wiki/Manual:IP/Firewall/Filter
connection-nat-state (srcnat | dstnat; Default: )
Can match connections that are srcnatted, dstnatted or both. Note that for connection-state=related connections the connection-nat-state is determined by the direction of the first packet, and if connection tracking needs to use dst-nat to deliver this connection to the same hosts as the main connection it will be in connection-nat-state=dstnat even if there are no dst-nat rules at all.

So, while it is more likely that a connection is marked as dstnat (which would “widen” the original rule), the issue is then (IMHO) more likely to be connected to a possible (mis-)classification of the interfaces (as LAN, WAN or something else) or of “inbound” vs. “outbound”. :confused:

In any case, cleaning/fixing the /interface list member and disabling the /interface detect-internet wouldn’t (shouldn’t) do any harm.
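The post above dissects the default “drop all from WAN not DSTNATed” rule and the three-rule replacement and argues that they should be equivalent unless interfaces are misclassified. The following Python model is an added example, not code from the thread or from MikroTik: it evaluates both rule sets over every (in-interface, out-interface, dstnat) combination and lists where they disagree, going beyond the post by enumerating all cases rather than one. The LAN/WAN membership is taken from the /interface list member output quoted above; treating sit1 as belonging to no list is an assumption (the quoted export does not list it). Only new connections are modelled, because both rule sets sit after the defconf “accept established,related,untracked” rule, and a RouterOS chain that matches nothing ends in an implicit accept.

```python
"""Compare the two RouterOS forward-chain rule sets discussed in the thread.

Interface lists are constructed from the /interface list member output
quoted in the thread. 'sit1' being in no list is an assumption.
"""
from dataclasses import dataclass
from itertools import product

LAN = frozenset({"bridge", "DHCPBridge"})
WAN = frozenset({"ether1-ToRouter", "pppoe-out1"})
UNLISTED = frozenset({"sit1"})  # assumption: tunnel interface in neither list


@dataclass(frozen=True)
class Packet:
    in_if: str
    out_if: str
    dstnat: bool  # connection-nat-state=dstnat on the connection


def original_rule(p: Packet, wan=WAN) -> str:
    """Default rule, as dissected in the post:
    drop in-interface-list=WAN connection-nat-state=!dstnat connection-state=new.
    A packet it does not match falls through to the chain's implicit accept."""
    if p.in_if in wan and not p.dstnat:
        return "drop"
    return "accept"


def anav_rules(p: Packet, lan=LAN, wan=WAN) -> str:
    """The three-rule replacement from the referenced post:
    accept dstnat; accept LAN->WAN; drop everything else."""
    if p.dstnat:
        return "accept"
    if p.in_if in lan and p.out_if in wan:
        return "accept"
    return "drop"


def compare(lan=LAN, wan=WAN, extra=UNLISTED):
    """Enumerate every (in, out, dstnat) combination over the given interface
    lists and return the packets on which the two rule sets disagree, as
    (packet, original verdict, replacement verdict) tuples."""
    ifaces = sorted(lan | wan | extra)
    diffs = []
    for in_if, out_if, dstnat in product(ifaces, ifaces, (False, True)):
        p = Packet(in_if, out_if, dstnat)
        orig, repl = original_rule(p, wan), anav_rules(p, lan, wan)
        if orig != repl:
            diffs.append((p, orig, repl))
    return diffs


if __name__ == "__main__":
    for p, orig, repl in compare():
        print(f"{p.in_if:>15} -> {p.out_if:<15} dstnat={str(p.dstnat):<5} "
              f"original={orig} replacement={repl}")
    # Same comparison after moving sit1 into the WAN list
    remaining = compare(wan=WAN | {"sit1"}, extra=frozenset())
    print(len(remaining), "differences remain with sit1 in WAN (all LAN->LAN)")
```

Every disagreement is one the original rule lets through and the replacement drops: traffic entering on an interface that is in neither list (sit1 in this model), and traffic forwarded between two LAN-listed interfaces (bridge and DHCPBridge). Putting sit1 into the WAN list removes the first group and leaves only the LAN-to-LAN cases, which is the kind of interface-classification gap the post points to.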

Thanks for the long and interesting response!

I can clarify a few things for you. Starting with the easy bits :slight_smile:

  4) you have something wrong here:
    /ip neighbor discovery-settings
    set discover-interface-list=*2000012

I went back to some old configs from last year and it was like that. I have set it to ‘all’ for now?


  5) this seems to me like a duplication:
    /ip dhcp-client
    add comment=defconf interface=ether1-ToRouter
    add disabled=no interface=ether1-ToRouter

That is disabled and I think it’s there by default as eth1 would ‘normally’ expect to be a DHCP client to some upstream WAN. It is replaced by the pppoe client. I can remove it?


1+2) Yes I did wonder about that myself. Just had a quick play and broke all their net access :laughing:

OK - first bridges. I kind of did it this way as it defaulted this way.


What is the rationale behind having two bridges, each one with only one ethernet port? (what they are supposed to bridge?)

So it originally has eth1 (as per the above disabled setting) going to an upstream router and then eth 2-5 (?) as a bridge for the LAN IIRC?

I just setup pppoe via eth1 and disabled unused ports
eth1 → pppoe → ISP bridge modem → to world

Then added this to the bridge and disabled ports 2-5
sfp1-ToSwitch → switch → rest of LAN network

I then realised I probably should have one port for emergency access to the router so added DHCPBridge on eth5 with its own IP addressing. I think that is effectively how ports 2-5 are setup originally.

So I can safely remove DHCPBridge from the equation if necessary.

The question then is adding interfaces to lists manually which I am sure has something to do with it as you mentioned.

eth1 WAN
bridge LAN or WAN ?
sfp1 LAN?
sit1 is WAN - on my router here it is actually detected as WAN with internet, but this router which is the worst one does not detect it!

If I use detect Internet can I set

Detect Interface list: Static
LAN List: LAN
WAN List: WAN
Internet interface: Dynamic

That should pick up pppoe as internet?

One other odd difference I have also seen that I do not understand:

Bridge Port

In UK:

Interface | Bridge | Role Root | Path Cost
sfp1 | bridge | root port | 220010

In ES

Interface | Bridge | Role Root | Path Cost
sfp1 | bridge | designated port |


As to 6) I am sure that has a bearing but I need to sort out the interfaces first for sure.

Thanks again for your assistance.

As I see it (not necessarily right, mind you) in a router there is an “out” or “farther” or “north” and a “in” or “nearer” or “south” side which correspond to “WAN” and “LAN” respectively.
So a default configuration has (usually) a port which is WAN and goes to “next hop” (not necessarily internet) and a single bridge with all the other ports in it to which you connect the devices, which is LAN.
To this you may want to add a single port, taken out of the bridge, i.e. self-standing, that you may use, in case of need, to access the router if - for whatever reasons - normal access through one of the bridge ports doesn’t work, let’s call it “management port”, it is easier if you assign to this port a static IP address, let’s say
Only to give some “logic”, usually the WAN port is the lowest numbered one (ether1), the management port (which is LAN) is the last one (it would normally be ether10 on a 2011) and all other ports are put together in a bridge (which is as well LAN); this way it is (IMHO) easier to visualize the path towards “outside”.
In your case you have:
ether1 - WAN
bridge - LAN
sfp1 - now set as member of bridge “bridge” - LAN
pppoe-out1 - on ether1 - WAN
ether 5 - now set as member of DHCPBridge - LAN
DHCPBridge - IMHO not needed - LAN
So, your current settings:

/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=ether1-ToRouter list=WAN
add interface=pppoe-out1 list=WAN
add interface=DHCPBridge list=LAN

Should be fine, BUT I would DISABLE internet detect:
/interface detect-internet
set detect-interface-list=none

Then:
/ip neighbor discovery-settings
set discover-interface-list=LAN

And see what happens.

Then, from the way you have the system configured, the router is not a (useful) DHCP server on the LAN, as it gives addresses only to DHCPBridge that only contains ether5.
I would:
disable the DHCP server
remove the DHCPBridge
assign the IP 192.168.88.1/24 to ether5 directly ← when/if you will need to connect to the router using ether5 you will need to remember to manually set the PC/laptop you use to (say) 192.168.88.100/24, of course

BEFORE fiddling with the DHCPBridge and ether5 make sure that Winbox can connect normally through your LAN/bridge/sfp1 both by IP and by MAC.

The “root” issue could be that for whatever reasons your (allow me) “confused” setup worked on 6.49.14 by “sheer luck” or coincidence and 6.49.15 is a little more “strict” or some “side ways” have been removed from it. But it is strange, as at least the official thread:
http://forum.mikrotik.com/t/v6-49-15-stable-is-released/175500/1
doesn’t report any particular change in 6.49.15, only small fixes.

Thanks for the response. Very much appreciated and it makes sense.

I will have a play.


The “root” issue could be that for whatever reasons your (allow me) “confused” setup worked on 6.49.14 by “sheer luck” or coincidence and 6.49.15 is a little more “strict” or some “side ways” have been removed from it. But it is strange, as at least the official thread:

Yes quite possibly - and ironically that is what a highly paid ‘expert’ was meant to fix originally, and failed miserably. He looked through all the basics and said ‘yup all looks good you haven’t done anything really wrong’ at £175 per hour, for something like 6 hours. Go figure. :frowning:

Note the upgrade also broke some of the dstnat stuff on my router here. I changed the rules as per 6) above but have all sorts of associated DNS issues I won’t bore you with. That happened with the upgrade as well. It was NOT an isolated instance.

So it wasn’t JUST the UK office router, but that is far worse than the one here - at least our ipsec/voip is rock solid, ironically.

The upshot of this completely miserable experience is we have decided to move away from Mikrotik.

We have been unable to get anyone sensible to contract to fix the issue - lots of ifs and buts and maybes and high hourly rates, and little else.

The final insult is the little HexS I bought to replace an ancient Pi 2 with openwrt that I used as an openvpn router. It was slow due to the USB network interface, but it was rock solid reliable and uptime measured in years. The HexS is setup REALLY simple. It works. But reliable? Nope - vpn goes belly up regularly and needs a kick in the butt to get it running again.

So we are going to go back to some routers that I know work, and did so for 15 years.

Yup, more expensive - though waaaaaaaaay cheaper taking into account the many hours I have wasted here, but solid and reliable.

The setup we have is not complicated. It should work pretty easily - it’s not like I am completely stupid if I can get my ipsec VPNs up and running with certs et al. in minutes.

Perhaps the docs are just inaccurate. I don’t know. But this has been a VERY poor experience, particularly bearing in mind I would happily pay for someone to take the pain away.

Hey ho. Sometimes you have to know when to give up and move on.

Thanks to those who attempted to assist.

B. Rgds
John

I am repeatedly surprised that some people find it necessary to explain themselves so thoroughly. It’s enough to say: “I don’t recognize the problem or can’t solve it. I lack the expertise or time for it. It’s more cost-effective to replace the setup. Thanks.” Instead, they go on at length about how incompetent a consultant was/is, how miserable the software or the manufacturer is, even though the task at hand is as trivial as painting a kindergarten picture book.

:waving_hand::waving_hand:

I think that it is understandable that, after having spent some time vainly attempting to solve a problem and having some £ 1,050 less in his pockets, the OP might feel inclined to rant a little bit.