I am noticing a very weird thing with the firewall of a MikroTik CCR2004.
I set up a destination so I can access a private IP via a public
When I am on the Wi-Fi connected to the ISP, I can reach this public IP and access the private IP behind it fine; it is a webserver and I can see the default web page fine,
but I am unable to view this on another device on the internet.
For example, I jump into a VM from DigitalOcean and am unable to reach this web server by IP. Funny thing is I can ping the IP fine, but I can't telnet to port 80 or curl the endpoint,
which I was able to do from my home Wi-Fi network.
I have zero rules under firewall; I disabled all rules,
and this is what I am experiencing.
What is blocking this access from the internet? I have no rules in the firewall?
Aren’t you here long enough to understand that it helps to post some technical info? At least that dstnat rule, info about the public address, whether the router itself has it, or if it’s somewhere else and the router is behind NAT, … stuff like that.
The issue is I can ping the public IP from everywhere on the internet but cannot access the webserver from the internet, except from my home internet only.
What is blocking access from everywhere else?
Well, dstnat is fine, anything going to 101.x.x.1 will be redirected to 10.101.0.101.
But I’m not sure about the rest. Based on the masquerade rule, your WAN interface is “bridge”, but there’s no address on that. Is perhaps sfp-sfpplus12 part of this bridge? But if it is, and you have 101.x.x.29/27 there, then what is 101.x.x.1 from same subnet(?) doing on another interface “bridge1”. If it really is from that subnet, how would it be even reachable from internet? When you’re pinging 101.x.x.1 from internet, are you absolutely sure that it’s this address on this router?
Everything else works except the issue I am referring to, so yes, it is part of the bridge. 101.x.x.1 is of course in the same 101.x.x.0/27 block.
I only posted part of the config.
Rather than trying to think about the config, let's focus on the problem as mentioned here.
What is causing this weird thing?
Since dstnat rule is already correct, it must be something else. And unusual addressing would be suspicious even if it wasn’t the only other part of your config I can see.
Apparently my static IP block on the ISP gateway was on a private subnet. I called them to explain this weird issue and they changed it to a public subnet, and everything is working fine now.
One of the weirdest things for me to troubleshoot. I wasn’t aware a static IP can have a private subnet setting on the ISP gateway.
The issue was not the MikroTik config at all.
Happy it's all solved now.