We have a small network with one server, three clients, an Internet router (separate), no domain and no DNS. All devices are connected by a bridge on the firewall. As soon as the IP firewall for the bridge is enabled (set use-ip-firewall=yes), it’s no longer possible to ping the hosts by name. It doesn’t matter which rules are set on the firewall; I’ve tried with allow all, with no rules, with no drops, and the result is still the same: ping by hostname doesn’t work if the IP firewall is enabled.
One of the clients responds with IPv6 packets; that works no matter which rules are enabled (also for IPv6, it works).
I’ve been trying for many hours, but I can’t find a solution. At the moment I use the local hosts file, but it should work without it.
Does anybody know how to configure the firewall to allow the Windows short name resolution?
Here’s the configuration of the firewall. It looks like it has something to do with LLMNR packets to the multicast IP 224.0.0.252. The packet sniffer logs the hostname request, but there’s no answer. As soon as I disable the IP firewall for the bridge, it works. I don’t understand why it doesn’t work with the firewall enabled and “allow anything” rules.
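For reference, here is an added example (not the poster’s export, which is not reproduced above) of what the name-resolution traffic on such a bridge looks like to /ip firewall once use-ip-firewall=yes is set, and of explicit accept rules for it. The bridge name bridge1 is an assumption; adjust it to your own export. Windows short-name resolution without DNS relies on LLMNR (UDP 5355 to 224.0.0.252, or ff02::1:3 for IPv6), NetBIOS name service (UDP 137 to the subnet broadcast) and, on newer builds, mDNS (UDP 5353 to 224.0.0.251).

```routeros
# Added example, not from the thread. Assumes the LAN bridge is called bridge1.

# Force bridged (layer-2 forwarded) IPv4 traffic through the IP firewall.
/interface bridge settings
set use-ip-firewall=yes

# With use-ip-firewall=yes, host-to-host traffic on the bridge traverses the
# forward chain with in-interface=bridge1 (the member port is visible via
# the in-bridge-port matcher). Accept the name-resolution protocols before
# any drop rule in the forward chain.
/ip firewall filter
add chain=forward action=accept protocol=udp in-interface=bridge1 \
    dst-address=224.0.0.252 dst-port=5355 comment="LLMNR query (link-local multicast)"
add chain=forward action=accept protocol=udp in-interface=bridge1 \
    src-port=5355 comment="LLMNR reply (unicast from responder port 5355 to the querier)"
add chain=forward action=accept protocol=udp in-interface=bridge1 \
    dst-port=137 comment="NetBIOS name service (query and reply both use port 137)"
add chain=forward action=accept protocol=udp in-interface=bridge1 \
    dst-address=224.0.0.251 dst-port=5353 comment="mDNS"

# Verify: watch the query and the reply on the wire, then check that the
# rule counters above increase.
/tool sniffer quick interface=bridge1 ip-protocol=udp port=5355
/ip firewall filter print stats chain=forward
```

The reply rule is stateless on purpose: an LLMNR query goes to the multicast address, but the answer comes back as unicast from the responder’s own address, so the two packets never form one tracked UDP connection and a generic accept for connection-state=established,related does not cover the answer. If the sniffer shows the query arriving but no reply, also check the responding host itself (Windows firewall profile for the network), since the bridge can only forward an answer that is actually sent.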
What’s the hardware topology? Your export is of a CCR1009; is it the last hop? No, you say it is connected to a router. So, what is providing DNS for your workstations? Let me see the configuration of whatever is providing DNS too.
We need to know, and you need to know, the packet flow. When you ping from the command line on a workstation, what is the packet flow from that workstation to the other workstation? That will help.
Is there some reason you want to force bridge traffic to be processed by the firewall rules? Based on your description of the network, I doubt you want to do that.
I expect you probably just want to apply the firewall rules to traffic that will be crossing trust levels, such as private to public interfaces–in other words, routed traffic. If that’s the case, then you should not configure the bridge to use the firewall.
The goal is to allow only traffic to specific destinations on the Internet. I have no possibility of changing the architecture or the Internet router. So I thought I could use the firewall as a bridge to control the traffic at this point.
At first there was a different network architecture with two LANs, 192.168.111.0/24 and 192.168.112.0/24. So I configured the firewall as described by tippenring, with the two LANs and public and private interfaces. When that was finished, the architecture changed to only one LAN, 192.168.112.0/24. So I changed the configuration, but I haven’t yet cleaned up the config from the two LANs. I thought, you never know… Next, I’ll clean up the config to only one LAN.
To control the traffic inside one LAN, is it the right approach to set up one common bridge for all devices and enable the IP firewall, or is there a better way?
The problem with controlling traffic within a single subnet is that all traffic has to be forced to pass some filtering device (i.e. the router’s bridge, where you can apply filtering rules). This, in principle, goes against the basic idea of a subnet, where devices are supposed to connect to each other directly. If there is third-party L2 equipment (Ethernet switches) in play, then forcing all traffic through a central point is next to impossible.
If traffic between certain types of devices has to be controlled, it is common to create subnets (either physically separate networks or, more commonly, VLANs using managed switches), which ensures that traffic between those types of devices passes a “control point”.
This single control point can control all kinds of passing traffic, and the Internet (WAN) is just one of the possible “subnets”.
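As an added illustration of the design described above (example configuration, not from the thread or from the poster’s export): the router carries two VLANs on one bridge, routes between them, and so becomes the single control point for server-to-client traffic as well as for the Internet uplink. Interface names (ether1 as uplink, ether2 for the server, ether3 to ether5 for clients), VLAN IDs, addresses and the example destination address are all assumptions for the sake of the example.

```routeros
# Added example, not from the thread. Assumes RouterOS with bridge VLAN
# filtering (6.41 or later), ether1 = uplink to the existing Internet router,
# ether2 = server, ether3..ether5 = clients. Addresses are placeholders.

/interface bridge
add name=bridge1 vlan-filtering=no   # turn on only after ports and VLANs exist

/interface bridge port
add bridge=bridge1 interface=ether2 pvid=10   # server port  -> VLAN 10
add bridge=bridge1 interface=ether3 pvid=20   # client ports -> VLAN 20
add bridge=bridge1 interface=ether4 pvid=20
add bridge=bridge1 interface=ether5 pvid=20

/interface bridge vlan
add bridge=bridge1 vlan-ids=10 tagged=bridge1 untagged=ether2
add bridge=bridge1 vlan-ids=20 tagged=bridge1 untagged=ether3,ether4,ether5

# Router-side (L3) interfaces: every inter-VLAN packet is routed here and
# therefore passes the forward chain without use-ip-firewall.
/interface vlan
add name=vlan10-servers interface=bridge1 vlan-id=10
add name=vlan20-clients interface=bridge1 vlan-id=20

/ip address
add address=192.168.10.1/24 interface=vlan10-servers
add address=192.168.20.1/24 interface=vlan20-clients
add address=192.168.112.2/24 interface=ether1   # towards the Internet router

/ip route
add dst-address=0.0.0.0/0 gateway=192.168.112.1

/interface list
add name=LAN
/interface list member
add list=LAN interface=vlan10-servers
add list=LAN interface=vlan20-clients

# Internet destinations that are allowed (203.0.113.10 is a documentation
# address used here as a placeholder).
/ip firewall address-list
add list=allowed-internet address=203.0.113.10 comment="permitted destination"

/ip firewall filter
add chain=forward action=accept connection-state=established,related
add chain=forward action=drop connection-state=invalid
# clients -> server: only the service the server offers (SMB as an example)
add chain=forward action=accept in-interface=vlan20-clients \
    out-interface=vlan10-servers protocol=tcp dst-port=445
# any LAN VLAN -> Internet: only the listed destinations
add chain=forward action=accept in-interface-list=LAN out-interface=ether1 \
    dst-address-list=allowed-internet
add chain=forward action=drop

# Enable VLAN filtering last, so the configuration above is already in place.
/interface bridge
set bridge1 vlan-filtering=yes
```

One consequence of this design for the original question: LLMNR and NetBIOS name queries are link-scope multicast and broadcast, so they do not cross from one VLAN to another. Once the server and the clients are in different subnets, short-name resolution between them needs a DNS entry (the router’s own /ip dns static list, for instance) or the hosts file; within one VLAN it keeps working as before, since that traffic never touches the router.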
Thank you for your quick answers and support; it’s solved. As mentioned, at first we had an environment with two subnets. When the firewall configuration was done, the environment changed to only one subnet and I had to adapt the config to a bridge with the firewall enabled. Everything was working except the Windows short name resolution.
Today I cleaned up the config. As soon as I disabled the IP addresses of the second subnet on ether 7 (the earlier uplink port), the name resolution was working… Also after I re-enabled the IP addresses on ether 7, the Windows short name resolution is still working.
It looks as if there was an issue on the firewall in my case which could only be solved by disabling and re-enabling the IP address; this also recalculated the routes.
My note: be careful with changes at the IP address / route level, and do a proper clean-up.