marakas
just joined
Topic Author
Posts: 3
Joined: Wed Sep 12, 2018 10:07 am

Mikrotik gateway DMZ settings

Wed Sep 12, 2018 11:00 am

Good day Mikrotik Forum,

I am not a mikrotik user per se, but have been supplied one by my ISP as a gateway to their network. The problem is the ISP maintains admin control over the Mikrotik router and the user has no control over the Mikrotik router, firewall or any other settings except the wifi password and network name, for which the client has a user with privileges limited to adjusting those settings.

The ISP has been unable to set up the router so that all traffic, except for the ports they require, is diverted to a DMZ where my router resides. I suppose my setup differs from the standard setup they are familiar with.

So I asked that they set it up and channel all traffic via DMZ to my router. They, however, claim they require the use of ports that nmap identifies as follows:

2828/tcp open http Web-Based Enterprise Management CIM serverOpenPegasus WBEM httpd
8291/tcp open unknown
8728/tcp open routeros-api MikroTik RouterOS API

However, the following ports are also open (although they did not request control over these ports):
21/tcp open ftp MikroTik router ftpd 6.42
53/tcp open domain (generic dns response: NOTIMP)
2000/tcp open bandwidth-test MikroTik bandwidth-test server
4415/tcp open http-proxy MikroTik http proxy

I am not sure what they do, whether the ISP actually does need them and the people speaking to me simply don't realise it, or whether they are activated by default.

My network can be shown as follows:
  Internet
   |
   |
 |--------------|             Mobile Phone 1
 | Router 1     |-------------192.168.88.160
 | Mikrotik     |
 | RB951Ui-2HnD |
 | 192.168.88.1 |-------------Mobile Phone 2
 |--------------|             192.168.88.161
   |
   |
 |-----------------------|    NAS/ftp server
 | 192.168.88.150        |----192.168.1.51
 | Router 2              |
 | Firewall/Local Router |
 | 192.168.1.1           |----laptop
 |-----------------------|    192.168.1.52
   |    |    |
   |    |    |
   |    |    |----------------M2M.server
   |    |                     192.168.1.53
   |    |
   |    |---------------------Desktop
   |                          192.168.1.54
   |
   |--------------------------Device
                              192.168.1.56
I kept the phones connected to the Mikrotik router, as it is supplied and set up with a wifi network, and it keeps all the devices connected to Router.2 limited to devices related to the purpose of that local network.

So far it has really been a pain; after many attempts the ISP can't get it right - although they still remain friendly and helpful, but clearly clueless. I have a server that manages the backend for some of my machine-to-machine (M2M) devices, and an app on the phone that can also control these devices. I point these devices to the public IP address/web address. After the latest effort by the ISP, some problems have been resolved, only for new problems to appear. Initially, the devices worked perfectly until they got into wifi range (either wifi on router.1 or Router.2), then the device failed to communicate with the server. Then if they fix that, another problem arises. On and on, a never-ending story. After the last efforts by the ISP to configure the router, all M2M device communication received by my M2M server shows up as coming from the IP address 192.168.88.1, and any return messages or ACK from the server to the device get lost, as the M2M server sends the return messages to 192.168.88.1.

Can anybody please assist me with the correct NAT rules and filter rules in order to get this setup to function correctly? I searched this forum and the wiki, but it is a bit daunting for a newcomer to RouterOS to understand and execute these settings correctly. If there are clear guides for this purpose, it can be sufficient if you just direct me to the right port of call, so to speak. But it would be really helpful if, next time I speak to the friendly folk at my ISP, I can tell them what should be done so that I can get my system functioning again. I have Winbox read-only access (no telnet/ssh access) to the router, should additional information be required.

Kind regards and thanks in advance.

Marakas
 
marakas
just joined
Topic Author
Posts: 3
Joined: Wed Sep 12, 2018 10:07 am

Re: Mikrotik gateway DMZ settings

Fri Sep 14, 2018 9:14 am

So I added the rules as per this page and added the two rules (lines 4 & 5) to allow my local network and the ISP to have access to the ports to control the router:
/ip firewall filter
add action=fasttrack-connection chain=forward comment=FastTrack connection-state=established,related
add action=accept chain=forward comment="Established, Related"  connection-state=established,related
add action=drop chain=forward comment="Drop invalid" connection-state=invalid log=yes log-prefix=invalid
add action=accept chain=input comment="Accept ISP router control" protocol=tcp src-address-list=ISP-addresses dst-port=8291,2000,8728 log=no
add action=accept chain=input src-address=192.168.88.0/24 log=no
add action=drop chain=forward comment="Drop tries to reach not public addresses from LAN" dst-address-list=not_in_internet in-interface=bridge1 log=yes log-prefix=!public_from_LAN out-interface=!bridge1
add action=drop chain=forward comment="Drop incoming packets that are not NATted" connection-nat-state=!dstnat connection-state=new in-interface=ether1 log=yes log-prefix=!NAT
add action=drop chain=forward comment="Drop incoming from internet which is not public IP" in-interface=ether1 log=yes log-prefix=!public src-address-list=not_in_internet
add action=drop chain=forward comment="Drop packets from LAN that do not have LAN IP" in-interface=bridge1 log=yes log-prefix=LAN_!LAN src-address=!192.168.88.0/24

/ip firewall address-list
add address=0.0.0.0/8 comment=RFC6890 list=not_in_internet
add address=172.16.0.0/12 comment=RFC6890 list=not_in_internet
add address=192.168.0.0/16 comment=RFC6890 list=not_in_internet
add address=10.0.0.0/8 comment=RFC6890 list=not_in_internet
add address=169.254.0.0/16 comment=RFC6890 list=not_in_internet
add address=127.0.0.0/8 comment=RFC6890 list=not_in_internet
add address=224.0.0.0/4 comment=Multicast list=not_in_internet
add address=198.18.0.0/15 comment=RFC6890 list=not_in_internet
add address=192.0.0.0/24 comment=RFC6890 list=not_in_internet
add address=192.0.2.0/24 comment=RFC6890 list=not_in_internet
add address=198.51.100.0/24 comment=RFC6890 list=not_in_internet
add address=203.0.113.0/24 comment=RFC6890 list=not_in_internet
add address=100.64.0.0/10 comment=RFC6890 list=not_in_internet
add address=240.0.0.0/4 comment=RFC6890 list=not_in_internet
add address=192.88.99.0/24 comment="6to4 relay Anycast [RFC 3068]" list=not_in_internet
Then I have the following two NAT rules, to masquerade as the public IP address and to have the traffic diverted to my downstream router, similar to what DMZ functionality does on other routers:

/ip firewall nat
add chain=srcnat action=masquerade out-interface=ether1 log=no log-prefix=""
add chain=dstnat to-addresses=192.168.88.150 action=dst-nat in-interface=ether1 log=no log-prefix=""
However, now it seems the firewall filter rules are in conflict with the NAT rules; which one takes preference?

Any help will be appreciated.
 
mkx
Forum Guru
Posts: 11433
Joined: Thu Mar 03, 2016 10:23 pm

Re: Mikrotik gateway DMZ settings

Fri Sep 14, 2018 5:46 pm

NAT has precedence as it actually defines which chain of FW rules apply - either forward (if dst-nat matches) or input.
 
Sob
Forum Guru
Posts: 9119
Joined: Mon Apr 20, 2009 9:11 pm

Re: Mikrotik gateway DMZ settings

Fri Sep 14, 2018 8:08 pm

Rules are processed in order, so you need to exclude ISP's ports from dstnat. You can add this before your existing dstnat rule:
/ip firewall nat
add chain=dstnat protocol=tcp src-address-list=ISP-addresses dst-port=8291,2000,8728 action=accept
Action "accept" means that processing in the given chain will stop and the following dstnat rule won't apply. And if you do it like this (with src-address-list), you'll have all ports coming to you, including 8291,2000,8728, except when the ISP connects to them.
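A small first-match simulation of the dstnat chain Sob describes, added here as an example and not part of the thread. It assumes the ISP-addresses list contains 203.0.113.0/24 and uses constructed documentation addresses for the ISP and an outside client; the router and DMZ addresses are the ones from the thread. It also shows mkx's point that the NAT result decides whether the packet then goes to the input or the forward filter chain, and what happens if the two rules are swapped.

```python
import ipaddress

# Addresses from the thread: the MikroTik gateway and the downstream router.
ROUTER_IP = "192.168.88.1"
DMZ_HOST = "192.168.88.150"
# Assumed content of the ISP-addresses list (constructed documentation prefix).
ADDRESS_LISTS = {"ISP-addresses": [ipaddress.ip_network("203.0.113.0/24")]}

# Rule order as Sob suggests: the accept rule sits before the catch-all dst-nat.
DSTNAT_CHAIN = [
    {"protocol": "tcp", "src-address-list": "ISP-addresses",
     "dst-port": {8291, 2000, 8728}, "action": "accept"},
    {"in-interface": "ether1", "action": "dst-nat", "to-addresses": DMZ_HOST},
]


def _matches(rule, pkt):
    """True when every matcher present in the rule agrees with the packet."""
    if "protocol" in rule and rule["protocol"] != pkt["protocol"]:
        return False
    if "in-interface" in rule and rule["in-interface"] != pkt["in-interface"]:
        return False
    if "dst-port" in rule and pkt["dst-port"] not in rule["dst-port"]:
        return False
    if "src-address-list" in rule:
        src = ipaddress.ip_address(pkt["src"])
        if not any(src in net for net in ADDRESS_LISTS[rule["src-address-list"]]):
            return False
    return True


def run_dstnat(pkt, chain=DSTNAT_CHAIN):
    """Walk the chain top-down; return (final destination, filter chain hit)."""
    dst = pkt["dst"]
    for rule in chain:
        if not _matches(rule, pkt):
            continue
        if rule["action"] == "dst-nat":
            dst = rule["to-addresses"]     # destination rewritten to the DMZ host
        break                              # accept and dst-nat both end the chain
    # A packet still addressed to the router itself goes to input, otherwise forward.
    return dst, ("input" if dst == ROUTER_IP else "forward")


def packet(src, dst_port, iface="ether1", proto="tcp"):
    """Constructed inbound packet aimed at the gateway's own address."""
    return {"src": src, "dst": ROUTER_IP, "dst-port": dst_port,
            "in-interface": iface, "protocol": proto}
```

Swapping the two rules (passing `list(reversed(DSTNAT_CHAIN))`) sends even the ISP's Winbox connection to the DMZ host, which is exactly the ordering problem the reply warns about.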
 
marakas
just joined
Topic Author
Posts: 3
Joined: Wed Sep 12, 2018 10:07 am

Re: Mikrotik gateway DMZ settings

Tue Sep 18, 2018 7:56 am

Rules are processed in order, so you need to exclude ISP's ports from dstnat. You can add this before your existing dstnat rule:
/ip firewall nat
add chain=dstnat protocol=tcp src-address-list=ISP-addresses dst-port=8291,2000,8728 action=accept
Action "accept" means that processing in the given chain will stop and the following dstnat rule won't apply. And if you do it like this (with src-address-list), you'll have all ports coming to you, including 8291,2000,8728, except when the ISP connects to them.
Thank you Sob,
I never would have thought of that one and it is more eloquent and efficient than what has been the setup.

Thank you mkx - a short explanation that makes sense for the layman!

I will test the settings today.

Any reason why one would have neighbour discovery enabled, if there is only one RouterOS device on the network? (I receive the signal from the WISP via some Ubiquiti antennae, then an ethernet cable to the Mikrotik router.) I could read in the wiki what neighbour discovery does, but I cannot picture that it makes sense if there is only one RouterOS device on the local network.

Kind regards
 
Sob
Forum Guru
Posts: 9119
Joined: Mon Apr 20, 2009 9:11 pm

Re: Mikrotik gateway DMZ settings

Tue Sep 18, 2018 8:13 pm

If there's nothing to discover, there's no need to keep it on.
