UPnP ext and int interfaces not working? Is UPnP bad?

My setup is that I have two PPPoE connections, one each from two modems. They connect to ether1 and ether3, and my LAN is connected to ether2.

I have one IPV4 address only which my ISP routes all my traffic to down the two lines.

On my LAN I have a NAS which has web services on ports 80, 8080 and 8081 etc., but I cannot access these from outside the LAN. I am using dynamic UPnP rules which take traffic to 0.0.0.0 on port 80 and forward it to port 80 on my NAS. It doesn't work, however.

I have PPPoE 1 and PPPoE 2 as well as ether1 and ether3 set as external interfaces - is that OK? Can I just have one external interface? Should I ditch UPnP altogether?

Thanks


Hello eightace,

I would set up the MikroTik router as follows:

  • netfilter as SPI
  • one rule so that netfilter is used before all other rules
  • a NAT rule as NAT
  • create a DMZ on the MikroTik router that is accessible from the outside (over the internet) and from the LAN side
  • then connect the NAS to the MikroTik router and give it a fixed (static) IP address inside the DMZ

And then you should use a VPN connection from outside to the MikroTik router to access the NAS inside your
network, easily and securely; opening ports and using UPnP are very risky in my eyes and nothing for home usage!

Please take care: for this setup you will need the following:

  • a static public IP address, or an IP address via DynDNS or No-IP, as you prefer

So now you can choose one internet connection for the VPN and the other for mailing and surfing.
Alternatively, you can also use another routing method like a failover setup or policy-based routing
to get the most out of both internet connections, but that is up to you.

Thanks for taking the time to reply, Kreacher.
I am a long way behind most of the folk on here and am using a MikroTik out of necessity rather than choice, but I am thoroughly enjoying learning about networking from the problems I come up against.

Can you explain a bit more about netfilter as SPI - I can't find much about it with a search.

My firewall rules are just copied and pasted from a suggested config I found on this forum:

[admin@SikroTik] > /ip firewall export
jan/09/1970 04:42:18 by RouterOS 6.4
software id = HX24-0DAA
/ip firewall address-list
add address=192.168.1.0/24 list=support
add address=0.0.0.0/8 comment="Self-Identification [RFC 3330]" list=bogons
add address=10.0.0.0/8 comment="Private[RFC 1918] - CLASS A # Check if you need this subnet before enable it" disabled=yes list=bogons
add address=127.0.0.0/16 comment="Loopback [RFC 3330]" list=bogons
add address=169.254.0.0/16 comment="Link Local [RFC 3330]" list=bogons
add address=172.16.0.0/12 comment="Private[RFC 1918] - CLASS B # Check if you need this subnet before enable it" disabled=yes list=bogons
add address=192.168.0.0/16 comment="Private[RFC 1918] - CLASS C # Check if you need this subnet before enable it" disabled=yes list=bogons
add address=192.0.2.0/24 comment="Reserved - IANA - TestNet1" list=bogons
add address=192.88.99.0/24 comment="6to4 Relay Anycast [RFC 3068]" list=bogons
add address=198.18.0.0/15 comment="NIDB Testing" list=bogons
add address=198.51.100.0/24 comment="Reserved - IANA - TestNet2" list=bogons
add address=203.0.113.0/24 comment="Reserved - IANA - TestNet3" list=bogons
add address=224.0.0.0/4 comment="MC, Class D, IANA # Check if you need this subnet before enable it" disabled=yes list=bogons
/ip firewall filter
add chain=input protocol=icmp
add chain=input connection-state=established
add chain=input connection-state=related
add action=drop chain=input in-interface=ether1
add action=drop chain=input in-interface=ether3
add chain=input protocol=icmp
add chain=input connection-state=established
add chain=input connection-state=related
add action=add-src-to-address-list address-list=Syn_Flooder address-list-timeout=30m chain=input comment="Add Syn Flood IP to the list" connection-limit=30,32 protocol=tcp tcp-flags=syn
add action=drop chain=input comment="Drop to syn flood list" src-address-list=Syn_Flooder
add action=add-src-to-address-list address-list=Port_Scanner address-list-timeout=1w chain=input comment="Port Scanner Detect" protocol=tcp psd=21,3s,3,1
add action=drop chain=input comment="Drop to port scan list" src-address-list=Port_Scanner
add action=jump chain=input comment="Jump for icmp input flow" jump-target=ICMP protocol=icmp
add action=drop chain=input comment="Block all access to the winbox - except to support list # DO NOT ENABLE THIS RULE BEFORE ADD YOUR SUBNET IN THE SUPPORT ADDRESS LIST" disabled=yes dst-port=8291 protocol=tcp src-address-list=!support
add action=jump chain=forward comment="Jump for icmp forward flow" jump-target=ICMP protocol=icmp
add action=drop chain=forward comment="Drop to bogon list" dst-address-list=bogons
add action=add-src-to-address-list address-list=spammers address-list-timeout=3h chain=forward comment="Add Spammers to the list for 3 hours" connection-limit=30,32 dst-port=25,587 limit=30/1m,0 protocol=tcp
add action=drop chain=forward comment="Avoid spammers action" dst-port=25,587 protocol=tcp src-address-list=spammers
add chain=input comment="Accept DNS - UDP" disabled=yes port=53 protocol=udp
add chain=input comment="Accept DNS - TCP" disabled=yes port=53 protocol=tcp
add chain=input comment="Accept to established connections" connection-state=established protocol=tcp
add chain=input comment="Accept to related connections" connection-state=related protocol=tcp
add chain=input comment="Full access to SUPPORT address list" src-address-list=support
add action=drop chain=input comment="Drop anything else! # DO NOT ENABLE THIS RULE BEFORE YOU MAKE SURE ABOUT ALL ACCEPT RULES YOU NEED" disabled=yes
add chain=ICMP comment="Echo request - Avoiding Ping Flood" icmp-options=8:0 limit=1,5 protocol=icmp
add chain=ICMP comment="Echo reply" icmp-options=0:0 protocol=icmp
add chain=ICMP comment="Time Exceeded" icmp-options=11:0 protocol=icmp
add chain=ICMP comment="Destination unreachable" icmp-options=3:0-1 protocol=icmp
add chain=ICMP comment=PMTUD icmp-options=3:4 protocol=icmp
add action=drop chain=ICMP comment="Drop to the other ICMPs" protocol=icmp
add action=jump chain=output comment="Jump for icmp output" jump-target=ICMP protocol=icmp
add action=drop chain=input comment="drop ftp brute forcers" dst-port=21 protocol=tcp src-address-list=ftp_blacklist
add chain=output content="530 Login incorrect" dst-limit=1/1m,9,dst-address/1m protocol=tcp
add action=add-dst-to-address-list address-list=ftp_blacklist address-list-timeout=3h chain=output content="530 Login incorrect" protocol=tcp
add action=drop chain=input comment="drop ssh brute forcers" dst-port=22 protocol=tcp src-address-list=ssh_blacklist
add action=add-src-to-address-list address-list=ssh_blacklist address-list-timeout=1w3d chain=input connection-state=new dst-port=22 protocol=tcp src-address-list=ssh_stage3
add action=add-src-to-address-list address-list=ssh_stage3 address-list-timeout=1m chain=input connection-state=new dst-port=22 protocol=tcp src-address-list=ssh_stage2
add action=add-src-to-address-list address-list=ssh_stage2 address-list-timeout=1m chain=input connection-state=new dst-port=22 protocol=tcp src-address-list=ssh_stage1
add action=add-src-to-address-list address-list=ssh_stage1 address-list-timeout=1m chain=input connection-state=new dst-port=22 protocol=tcp
add action=drop chain=input disabled=yes dst-port=53 in-interface=A&A1 protocol=udp
add action=drop chain=input dst-port=53 in-interface=all-ppp protocol=udp
add action=drop chain=input dst-port=53 in-interface=all-ppp protocol=tcp
add action=drop chain=input disabled=yes dst-port=53 in-interface=A&A1 protocol=tcp
add action=drop chain=input disabled=yes dst-port=53 in-interface=A&A2 protocol=udp
add action=drop chain=input disabled=yes dst-port=53 in-interface=A&A2 protocol=tcp
/ip firewall mangle
add action=mark-packet chain=prerouting new-packet-mark=ONE nth=2,1 src-address=192.168.1.0/24
add action=mark-packet chain=prerouting new-packet-mark=TWO nth=2,2 src-address=192.168.1.0/24
add action=mark-routing chain=prerouting new-routing-mark=ONE packet-mark=ONE passthrough=no
add action=mark-routing chain=prerouting new-routing-mark=TWO packet-mark=TWO passthrough=no
/ip firewall nat
add action=masquerade chain=srcnat out-interface=A&A1 to-addresses=0.0.0.0
add action=masquerade chain=srcnat out-interface=A&A2 to-addresses=0.0.0.0
add action=masquerade chain=srcnat out-interface=all-ppp to-addresses=0.0.0.0
add action=dst-nat chain=dstnat dst-address=81.187.xx.xx dst-port=9091 protocol=tcp to-addresses=192.168.1.89 to-ports=9091
add action=dst-nat chain=dstnat dst-address=81.187.xx.xx dst-port=15000 in-interface=all-ppp protocol=tcp to-addresses=192.168.1.89 to-ports=15000
add action=dst-nat chain=dstnat dst-address=81.187.xx.xx dst-port=1412 in-interface=all-ppp protocol=tcp to-addresses=192.168.1.89 to-ports=1412
add action=dst-nat chain=dstnat dst-address=81.187.xx.xx dst-port=15004 in-interface=all-ppp protocol=udp to-addresses=192.168.1.89 to-ports=15004
add action=dst-nat chain=dstnat dst-address=81.187.xx.xx dst-port=1412 in-interface=all-ppp protocol=udp to-addresses=192.168.1.89 to-ports=1412
add action=dst-nat chain=dstnat dst-address=81.187.xx.xx dst-port=51413 protocol=tcp to-addresses=192.168.1.89 to-ports=51413
[admin@SikroTik] >
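As an added illustration (not code from this thread or from MikroTik), the Python below parses a console paste of `/ip firewall export`, re-joining the lines the console wraps at 80 columns, and lists the dst-nat rules that carry no in-interface match; in the export above the 9091 and 51413 forwards are the two without one, so they apply regardless of which interface a packet arrived on. The sample export inside the script is a constructed excerpt of that NAT section.

```python
"""Audit a pasted RouterOS '/ip firewall export' for dst-nat rules that do not
restrict the ingress interface. Added illustration, not MikroTik tooling; it
first re-joins lines the console wrapped at 80 columns before reading rules."""
import re

# Constructed excerpt modelled on the thread's NAT section, wrapping included.
SAMPLE_EXPORT = """\
[admin@SikroTik] > /ip firewall export
/ip firewall nat
add action=masquerade chain=srcnat out-interface=all-ppp to-addresses=0.0.0.0
add action=dst-nat chain=dstnat dst-address=81.187.xx.xx dst-port=9091
protocol=tcp to-addresses=192.168.1.89 to-ports=9091
add action=dst-nat chain=dstnat dst-address=81.187.xx.xx dst-port=15000
in-interface=all-ppp protocol=tcp to-addresses=192.168.1.89 to-ports=
15000
add action=dst-nat chain=dstnat dst-address=81.187.xx.xx dst-port=51413
protocol=tcp to-addresses=192.168.1.89 to-ports=51413
"""

TOKEN = re.compile(r'(\S+?)=("[^"]*"|\S*)')  # key=value or key="quoted value"

def parse_export(text):
    """Return [(section, {key: value}), ...] for every 'add' line."""
    rules, section, current = [], None, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("["):      # blank line or console prompt
            continue
        if line.startswith("/"):                  # section header
            section, current = line, None
        elif line.startswith("add "):
            current = [section, line[4:]]
            rules.append(current)
        elif current is not None:
            # Wrapped continuation: the paste lost the trailing space, so add
            # one back unless the fragment ended mid-value ("to-ports=").
            current[1] += ("" if current[1].endswith("=") else " ") + line
    return [(s, {k: v.strip('"') for k, v in TOKEN.findall(body)})
            for s, body in rules]

def unrestricted_forwards(rules):
    """dst-ports of dst-nat rules without in-interface: such a rule matches on
    every ingress interface, the LAN included, not only the PPPoE uplinks."""
    return [r["dst-port"] for s, r in rules
            if s == "/ip firewall nat" and r.get("action") == "dst-nat"
            and "in-interface" not in r]

if __name__ == "__main__":
    print(unrestricted_forwards(parse_export(SAMPLE_EXPORT)))  # ['9091', '51413']
```

Paste the full export from the post into SAMPLE_EXPORT (or read it from a file) to check every section the same way.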