VPN Netwatch Problem

Dear All,

I have 2 MKT working perfectly in test mode, with a VPN already established, sharing files, VoIP and everything.

The problem is that I'm trying to ping from one MKT to the other through the VPN, and the ping gets no response.

Example:

LAN1 — MKT1 —WAN1—>>><<<—WAN2 —MKT2 —LAN2

LAN1: 10.1.1.0/24
LAN2: 10.3.1.0/24

Ping from LAN1 to LAN2 PERFECTLY

**C:\Documents and Settings\Dirhel Argentina>ipconfig

Windows IP Configuration

Ethernet adapter Conexiones de red inalámbrica:

Connection-specific DNS Suffix . :
IP Address. . . . . . . . . . . . : 10.1.1.14
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Default Gateway . . . . . . . . . : 10.1.1.1

C:\Documents and Settings\Dirhel Argentina>ping 10.3.1.4
Haciendo ping a 10.3.1.4 con 32 bytes de datos:

Respuesta desde 10.3.1.4: bytes=32 tiempo=273ms TTL=62
Respuesta desde 10.3.1.4: bytes=32 tiempo=268ms TTL=62
Respuesta desde 10.3.1.4: bytes=32 tiempo=270ms TTL=62
Respuesta desde 10.3.1.4: bytes=32 tiempo=268ms TTL=62

Estadísticas de ping para 10.3.1.4:
Paquetes: enviados = 4, recibidos = 4, perdidos = 0
(0% perdidos),
Tiempos aproximados de ida y vuelta en milisegundos:
Mínimo = 268ms, Máximo = 273ms, Media = 269ms**

As you can see, it works OK.

BUT if I try to ping from one MKT to any machine on the other side of the VPN, it DOES NOT WORK.

Any Idea?

REGARDS,

Fernando

So, if ping from LAN1 to LAN2 (from 10.1.1.1 to 10.3.1.4) is working,
it means that routing is working over the VPN tunnel.

Make sure there is no firewall on the MikroTik router and the local network computers.

BUT if I try to ping from one MKT to any machine on the other side of the VPN, it DOES NOT WORK.
Is it possible to ping the same host, but from the second MikroTik router?

Hi serjejs, thx for your time.

I reviewed all the firewall rules, and I was not able to find a problematic rule.

It is strange: the netwatch is not working, because for the MKT the VPN is always out of service.

All the systems are working perfectly, but from one MKT to the other through the VPN they are unreachable.

Let me show you the Filter table:

Flags: X - disabled, I - invalid, D - dynamic
0 ;;; Knock Security Port
chain=input protocol=tcp dst-port=1337 action=add-src-to-address-list address-list=Knock address-list-timeout=15s

1 chain=input protocol=tcp dst-port=7331 src-address-list=Knock action=add-src-to-address-list address-list=Safe address-list-timeout=15m

2 ;;; Port scanners to list
chain=input protocol=tcp psd=20,3s,3,1 action=add-src-to-address-list address-list=Port Scanners address-list-timeout=2w

3 ;;; SYN/FIN scan
chain=input protocol=tcp tcp-flags=fin,syn action=add-src-to-address-list address-list=Port Scanners address-list-timeout=2w

4 ;;; SYN/RST scan
chain=input protocol=tcp tcp-flags=syn,rst action=add-src-to-address-list address-list=Port Scanners address-list-timeout=2w

5 ;;; FIN/PSH/URG scan
chain=input protocol=tcp tcp-flags=fin,psh,urg,!syn,!rst,!ack action=add-src-to-address-list address-list=Port Scanners address-list-timeout=2w

6 ;;; NMAP FIN Stealth scan
chain=input protocol=tcp tcp-flags=fin,!syn,!rst,!psh,!ack,!urg action=add-src-to-address-list address-list=Port Scanners address-list-timeout=2w

7 ;;; NMAP NULL scan
chain=input protocol=tcp tcp-flags=!fin,!syn,!rst,!psh,!ack,!urg action=add-src-to-address-list address-list=Port Scanners address-list-timeout=2w

8 ;;; ALL/ALL scan
chain=input protocol=tcp tcp-flags=fin,syn,rst,psh,ack,urg action=add-src-to-address-list address-list=Port Scanners address-list-timeout=2w

9 ;;; Dropping Port Scanners
chain=input src-address-list=Port Scanners action=drop

10 ;;; Dropping DoS Scanners
chain=input protocol=tcp connection-limit=2,32 src-address-list=DoS Scanners action=drop

11 ;;; Denial of Service Hackers to list
chain=input protocol=tcp connection-limit=10,32 src-address-list=!local-addr action=add-src-to-address-list address-list=DoS Scanners address-list-timeout=1d

12 ;;; MS Virus
chain=forward protocol=tcp dst-port=445 action=drop

13 chain=forward protocol=udp dst-port=445 action=drop

14 ;;; Accept established connections
chain=input connection-state=established action=accept

15 ;;; Drop invalid connections
chain=input connection-state=invalid action=drop

16 ;;; UDP
chain=input protocol=udp action=accept

17 ;;; Allow limited pings
chain=input protocol=icmp limit=5/5s,2 action=accept

18 ;;; Drop excess pings
chain=input protocol=icmp action=drop

19 ;;; Dropping packets not destined to the router itself, including all broadcast traffic
chain=input dst-address-type=!local action=drop

20 ;;; Servicio de DHCP Aceptado
chain=input src-address=0.0.0.0 dst-address=255.255.255.255 protocol=udp dst-port=67-68 action=accept

21 chain=input src-address=0.0.0.0 protocol=udp dst-port=67-68 dst-address-type=local action=accept

22 ;;; Tráfico Local dirigido al Router
chain=input dst-address-type=local src-address-list=local-addr action=accept

23 ;;; FTP (20/21 TCP) - Desde Afuera
chain=input protocol=tcp src-port=1024-65535 dst-port=20-21 action=drop

24 ;;; SSH for management purposes - Desde Afuera
chain=input protocol=tcp dst-port=22 src-address-list=Safe action=accept

25 X ;;; Telnet for management purposes - Desde Afuera
chain=input protocol=tcp dst-port=23 src-address-list=Safe action=accept

26 ;;; Webox for management purposes - Desde Afuera
chain=input protocol=tcp dst-port=80 src-address-list=Safe action=drop

27 ;;; Winbox for management purposes - Desde Afuera
chain=input protocol=tcp dst-port=8291 src-address-list=Safe action=accept

28 ;;; Acceso Via PPTP
chain=input protocol=gre action=accept

29 chain=input protocol=tcp dst-port=1723 action=accept

30 ;;; Acceso Via VPN
chain=input protocol=ipsec-esp action=accept

31 ;;; VPN
chain=input src-address=65.167.92.190 protocol=udp dst-port=500 action=accept

32 X ;;; Log and Drop All other External Services
chain=input action=log log-prefix="Drop Externo:"

33 ;;; Log and Drop All other External Services
chain=input action=drop

34 ;;; Accept established connections
chain=forward connection-state=established action=accept

35 ;;; Accept related connections
chain=forward connection-state=related action=accept

36 ;;; Drop all traffic that goes to multicast or broadcast addresses
chain=forward dst-address-type=broadcast,multicast action=drop

37 ;;; Auth Services Rejected
chain=forward protocol=tcp dst-port=113 action=reject reject-with=icmp-network-unreachable

38 X ;;; Bloqueamos NET BIOS
chain=forward protocol=udp dst-port=137-138 src-address-list=local-addr action=drop

39 ;;; DHCP Habilitado
chain=forward connection-mark=DHCP_CON action=accept

40 ;;; DNS
chain=forward connection-mark=DNS_CON action=accept

41 ;;; Servicio de VoIp
chain=forward connection-mark=VOIP_CON action=accept

42 chain=forward protocol=udp dst-port=5000-50000 action=accept

43 ;;; FTP (20/21 TCP)
chain=forward connection-mark=FTP_CON src-address-list=local-addr action=accept

44 ;;; Winbox (8291/TCP)
chain=forward connection-mark=WBOX_CON action=accept

45 ;;; ICMP - Interno
chain=forward protocol=icmp src-address-list=local-addr action=accept

46 ;;; Trafico Web
chain=forward connection-mark=HTTP_CON action=accept

47 ;;; MSN (1763/TCP)
chain=forward connection-mark=MSN_CON action=drop

48 ;;; POP3 (110/TCP)
chain=forward protocol=tcp dst-port=110 action=accept

49 ;;; SNMP (161/UDP)
chain=forward protocol=udp dst-port=161 action=accept

50 ;;; NBT (137-139 / TCP)
chain=forward connection-mark=NBT_CON action=accept

51 ;;; NTP (123/UDP)
chain=forward connection-mark=NTP_CON action=accept

52 ;;; KNOCK (1337 - 7331 / TCP)
chain=forward connection-mark=KNOCK_CON action=accept

53 ;;; CASHCODE SERVER (31155 / TCP)
chain=forward protocol=tcp connection-mark=CASHCODE_CON action=accept

54 ;;; Tráfico a otras redes por PPTP
chain=forward connection-mark=PPTP_CON action=accept

55 ;;; Trafico P2P
chain=forward connection-mark=P2P_CON action=reject reject-with=icmp-network-unreachable

56 ;;; anti-spam policy
chain=forward protocol=tcp src-port=1024-65535 dst-port=25 action=jump jump-target=smtp-first-drop

57 chain=smtp-first-drop src-address-list=first-smtp action=add-src-to-address-list address-list=approved-smtp address-list-timeout=8h

58 chain=smtp-first-drop src-address-list=approved-smtp action=return

59 chain=smtp-first-drop action=add-src-to-address-list address-list=first-smtp address-list-timeout=8h

60 chain=smtp-first-drop action=reject reject-with=icmp-network-unreachable

61 ;;; Tráfico entre Redes Confiables - OK
chain=forward src-address-list=safe-addr dst-address-list=safe-addr action=accept

62 ;;; MAIL (25 - 110 / TCP)
chain=forward connection-mark=MAIL_CON action=accept

63 ;;; Log and Drop All other Local Services
chain=forward action=log log-prefix="WEB:"

64 chain=forward action=drop


Thanks a lot for your help.

Regards,
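Added example, not part of the thread and not RouterOS code: a small first-match walker over the filter listing posted above, to check which rule a given packet would hit in the `input` and `forward` chains. It embeds an excerpt of the rules as posted (numbers preserved), assumes address-list contents (the thread never prints `local-addr` or `safe-addr`), and models only the matchers those rules use; anything it cannot evaluate (`psd`, `tcp-flags`, ports, connection marks) is treated as not matching. It says nothing about the routers' own pings, because the listing contains no `output` chain rules.

```python
import re
import ipaddress

# Excerpt of the `/ip firewall filter print` listing posted in the thread (original rule
# numbers kept; rules that concern only TCP ports or connection marks are omitted).
LISTING = """\
Flags: X - disabled, I - invalid, D - dynamic
 9 ;;; Dropping Port Scanners
     chain=input src-address-list=Port Scanners action=drop
14 ;;; Accept established connections
     chain=input connection-state=established action=accept
17 ;;; Allow limited pings
     chain=input protocol=icmp limit=5/5s,2 action=accept
18 ;;; Drop excess pings
     chain=input protocol=icmp action=drop
45 ;;; ICMP - Interno
     chain=forward protocol=icmp src-address-list=local-addr action=accept
61 ;;; Tráfico entre Redes Confiables - OK
     chain=forward src-address-list=safe-addr dst-address-list=safe-addr action=accept
63 ;;; Log and Drop All other Local Services
     chain=forward action=log log-prefix="WEB:"
64 chain=forward action=drop
"""

HEADER = re.compile(r"^\s*(\d+)\s+(?:([XID]+)\s+)?(.*)$")  # "N [flags] ;;; comment" or "N key=value ..."
NON_MATCHERS = {"chain", "action", "address-list", "address-list-timeout", "log-prefix", "reject-with"}


def parse_props(body):
    # key=value tokens; a token without '=' continues the previous value ("address-list=Port Scanners")
    props, key = {}, None
    for tok in body.split():
        if re.match(r"^[a-z][a-z0-9-]*=", tok):
            key, val = tok.split("=", 1)
            props[key] = val.strip('"')
        elif key is not None:
            props[key] += " " + tok.strip('"')
    return props


def parse_rules(text):
    # A rule starts with its number and optional flags; its body may wrap onto the following lines.
    rules = []
    for line in text.splitlines():
        m = HEADER.match(line)
        if m:
            num, flags, rest = m.groups()
            body = "" if rest.startswith(";;;") else rest
            rules.append({"num": int(num), "disabled": "X" in (flags or ""), "body": body,
                          "comment": "" if body else rest[3:].strip()})
        elif rules:
            rules[-1]["body"] += " " + line.strip()
    for rule in rules:
        rule["props"] = parse_props(rule["body"])
    return rules


def matches(rule, pkt, lists):
    # Every matcher must hold; a leading '!' negates it. Matchers not modelled here
    # (psd, tcp-flags, ports, connection-mark) count as not matching, the conservative choice.
    p = rule["props"]
    if p.get("chain") != pkt["chain"]:
        return False
    for key, val in p.items():
        if key in NON_MATCHERS:
            continue
        neg, want = val.startswith("!"), val.lstrip("!")
        if key == "protocol":
            ok = pkt["protocol"] == want
        elif key in ("src-address-list", "dst-address-list"):
            ip = ipaddress.ip_address(pkt[key[:3]])
            ok = any(ip in ipaddress.ip_network(n, strict=False) for n in lists.get(want, ()))
        elif key in ("connection-state", "dst-address-type"):
            ok = pkt.get(key.replace("-", "_")) in want.split(",")
        elif key == "limit":
            ok = not pkt.get("over_limit", False)  # limit=5/5s,2: assume the bucket still has tokens
        else:
            return False
        if ok == neg:
            return False
    return True


def first_match(rules, pkt, lists):
    # Walk the packet's chain in order; log and add-src-to-address-list are passthrough actions.
    for rule in rules:
        if not rule["disabled"] and matches(rule, pkt, lists):
            action = rule["props"].get("action")
            if action in ("accept", "drop", "reject"):
                return rule["num"], action
    return None, "no-match"  # chain exhausted; RouterOS then accepts by default


RULES = parse_rules(LISTING)
LISTS = {"local-addr": ["10.1.1.0/24"]}  # assumed; the thread never prints its address lists


def verdicts(lists=LISTS):
    # Constructed packets as seen by MKT1 (LAN1 10.1.1.0/24, gateway 10.1.1.1), not captured traffic.
    to_router = {"chain": "input", "protocol": "icmp", "src": "10.3.1.4", "dst": "10.1.1.1",
                 "connection_state": "new", "dst_address_type": "local"}
    through = {"chain": "forward", "protocol": "icmp", "src": "10.1.1.14", "dst": "10.3.1.4",
               "connection_state": "new", "dst_address_type": "unicast"}
    cases = {"echo_reply_to_router": dict(to_router, connection_state="established"),
             "lan2_host_pings_router": to_router,
             "lan2_host_floods_router": dict(to_router, over_limit=True),
             "lan1_to_lan2": through,
             "lan2_to_lan1": dict(through, src="10.3.1.4", dst="10.1.1.14")}
    return {name: first_match(RULES, pkt, lists) for name, pkt in cases.items()}
```

With the assumed lists, `verdicts()` shows an echo reply returning to the router accepted by rule 14, an echo request from LAN2 to the router accepted by rule 17 (and dropped by rule 18 once the limit is exceeded), and LAN1 to LAN2 accepted by rule 45. The reverse direction, LAN2 to LAN1, is accepted by rule 61 only when both subnets are in `safe-addr`; otherwise it passes the `log` rule 63 and is dropped by rule 64, so `/ip firewall address-list print` and log entries with the `WEB:` prefix are a cheap place to look.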