Docop

rb4011 voip box problem

Mon May 27, 2019 6:56 pm

I have tried many approaches: NAT only, then adding firewall filters afterwards, then removing the drop rules. I have read the wiki and think I understand it:
https://wiki.mikrotik.com/wiki/Manual:IP/Firewall/NAT . But so far I can only get one port forward working, to an internal web login page. I can't get the VoIP phone to work, nor get an IP camera device to send mail over port 25.
Running:
/tool sniffer quick interface=ether2-Wan ip-protocol=tcp port=5060 doesn't report anything. But in Firewall > Connections I do see Orig. packets going out, with 0 in Repl. Bytes.

Again: the router was left on overnight; I woke up, plugged the VoIP box back in, and after about 3 minutes it came online and I made a call. But as soon as I hung up, the box disconnected and could not reconnect. I don't get it. Let's say the VoIP phone box is the main issue; yes, the email over port 25 doesn't work either, and I also have problems with a soft-VPN service (about $5 per month) that works everywhere, but not when connected to any Ethernet port of the MikroTik. I tried putting everything in forward, everything in input, nothing in the filter, only masquerade in NAT... I can't get it.
Here is the full export. Many rules are disabled from my trial and error:
# model = RB4011iGS+5HacQ2HnD
# Export as posted. Topology this export establishes: ether1 is the WAN uplink (WAN list
# member, DHCP client, default route via 192.168.1.1); ether2-ether10, sfp-sfpplus1, wlan1
# and wlan2 are bridge1 members, and 192.168.0.1/24 on bridge1 is the LAN.
/interface bridge
add name=bridge1
/interface wireless
set [ find default-name=wlan1 ] band=5ghz-n/ac channel-width=20/40/80mhz-Ceee \
    country=canada disabled=no frequency=auto mode=ap-bridge ssid=rrrr \
    wireless-protocol=802.11
set [ find default-name=wlan2 ] country=canada disabled=no mode=ap-bridge ssid=zzz \
    wireless-protocol=802.11
/interface ethernet switch port
set 0 default-vlan-id=0
set 1 default-vlan-id=0
set 2 default-vlan-id=0
set 3 default-vlan-id=0
set 4 default-vlan-id=0
set 5 default-vlan-id=0
set 6 default-vlan-id=0
set 7 default-vlan-id=0
set 8 default-vlan-id=0
set 9 default-vlan-id=0
set 10 default-vlan-id=0
set 11 default-vlan-id=0
/interface list
add name=WAN
add name=LAN
/interface wireless security-profiles
set [ find default=yes ] authentication-types=wpa2-psk mode=dynamic-keys \
    supplicant-identity=RouterOS
/ip pool
add name=dhcp ranges=192.168.0.60-192.168.0.80
add name=vpn ranges=192.168.89.2-192.168.89.255
add name=vpn-pool ranges=192.168.5.10-192.168.5.99
/ip dhcp-server
add address-pool=dhcp disabled=no interface=bridge1 name=dhcp1
/ppp profile
add dns-server=192.168.5.250 local-address=192.168.5.250 name=vpn-profile \
    remote-address=vpn-pool use-encryption=yes
set *FFFFFFFE local-address=192.168.89.1 remote-address=vpn
/interface bridge port
# ether1 is kept out of the bridge (entry disabled); it is the WAN uplink, so this is right.
add bridge=bridge1 disabled=yes interface=ether1
# ether2 is an ordinary LAN bridge port in this export. The sniffer quoted in the post was
# run on "ether2-Wan"; inbound Internet traffic arrives on ether1, so a capture on ether2
# cannot show whether SIP on port 5060 ever reaches this router.
add bridge=bridge1 interface=ether2
add bridge=bridge1 interface=ether3
add bridge=bridge1 interface=ether4
add bridge=bridge1 interface=ether5
add bridge=bridge1 interface=ether6
add bridge=bridge1 interface=ether7
add bridge=bridge1 interface=ether8
add bridge=bridge1 interface=ether9
add bridge=bridge1 interface=ether10
add bridge=bridge1 interface=sfp-sfpplus1
add bridge=bridge1 interface=wlan1
add bridge=bridge1 interface=wlan2
/interface l2tp-server server
# use-ipsec=yes makes IPsec preferred, not mandatory: an L2TP client may still connect in
# the clear. The strict setting is use-ipsec=required.
set use-ipsec=yes
/interface list member
# Member entry with no interface; harmless, probably a leftover of an earlier edit.
add list=LAN
add interface=ether2 list=LAN
add interface=ether3 list=LAN
add interface=ether4 list=LAN
add interface=ether5 list=LAN
add interface=ether6 list=LAN
add interface=ether7 list=LAN
add interface=ether8 list=LAN
add interface=ether9 list=LAN
add interface=ether10 list=LAN
add interface=sfp-sfpplus1 list=LAN
add interface=wlan2 list=LAN
# ether1 is the only WAN list member; every in-interface-list=WAN match refers to it.
add interface=ether1 list=WAN
add interface=wlan1 list=LAN
add interface=bridge1 list=LAN
/interface ovpn-server server
set auth=sha1 certificate=server-certificate cipher=aes256 default-profile=\
    vpn-profile enabled=yes require-client-certificate=yes
/interface sstp-server server
set default-profile=default-encryption
/ip address
add address=192.168.88.1/24 disabled=yes interface=ether1 network=192.168.88.0
add address=192.168.88.1/24 disabled=yes interface=ether2 network=192.168.88.0
# The WAN side is itself a private network (192.168.1.0/24, gateway 192.168.1.1): this
# router sits behind another NAT device. An inbound port forward configured here only
# works if the upstream device also forwards that port to 192.168.1.120.
add address=192.168.1.120/24 interface=ether1 network=192.168.1.0
# ether2 is a bridge1 member, so an address bound to the port itself is not expected to
# be usable; the LAN address is the one on bridge1 below.
add address=192.168.88.2/24 interface=ether2 network=192.168.88.0
add address=192.168.0.2/24 disabled=yes interface=ether3 network=192.168.0.0
add address=192.168.0.1/24 disabled=yes interface=ether2 network=192.168.0.0
add address=192.168.0.1/24 interface=bridge1 network=192.168.0.0
/ip cloud
# DDNS publishes this router's public address under a cloud hostname. Not a problem in
# itself, but it means the router is findable by name, so the input chain has to be tight.
set ddns-enabled=yes
/ip dhcp-client
# DHCP client on ether1 next to the static 192.168.1.120: if the upstream hands out a
# lease, ether1 carries two addresses and the dst-nat rules that match
# dst-address=192.168.1.120 do not see traffic sent to the leased one.
# dst-address-type=local (used in some rules further down) avoids hard-coding the address.
add dhcp-options=hostname,clientid interface=ether1
/ip dhcp-server network
add address=192.168.0.0/24 gateway=192.168.0.1 netmask=24
/ip dns
set servers=192.168.1.1
/ip firewall filter
# input chain = traffic addressed to the router itself; forward chain = traffic passing
# through it, which is where dst-nat port forwards are filtered. An input accept for 5060
# or 25 therefore does nothing for a port forward and only exposes whatever the router
# itself listens on.
add action=accept chain=input comment=\
    "r-defconf: accept input established,related,untracked" connection-state=\
    established,related,untracked
add action=accept chain=input comment=Voip disabled=yes dst-port=5060-5061 \
    in-interface-list=WAN protocol=udp
add action=drop chain=input comment="r-defconf: drop invalid" connection-state=\
    invalid disabled=yes
# DEFECT: ether1 is the WAN member, not a LAN port. This accepts every new connection
# from the Internet side to the router itself, before any of the drops below; the final
# "drop all from WAN not DSTNATed" rule can then never match ether1 traffic. LAN access
# to the router would be in-interface-list=LAN.
add action=accept chain=input comment="Allow LAN access to the router itself" \
    connection-state=new in-interface=ether1
# No in-interface restriction on the VPN accepts, i.e. open from WAN as well as LAN.
# Expected for the router's own OpenVPN port; 1196-1197 are however dst-nat'd to
# 192.168.0.146 in the nat section, and input accepts do not serve that forward.
add action=accept chain=input comment=OpenVPN dst-port=1194 protocol=tcp
add action=accept chain=input comment=softVPN dst-port=1195 protocol=tcp
add action=accept chain=input comment=softVPN dst-port=1196,1197 protocol=tcp
add action=accept chain=input comment=L2TP/IPSEC disabled=yes protocol=ipsec-esp
add action=drop chain=input comment="ipCam mail" disabled=yes dst-port=25 protocol=\
    tcp
add action=accept chain=input comment="L2TP VPN /udp)" disabled=yes dst-port=500,4500 \
    protocol=udp
# Opens the router's own 25/443/465/587 from any interface. These ports belong to the
# mail forward (forward chain), not to the router.
add action=accept chain=input dst-port=25,443,465,587 protocol=tcp
# This is the rule that lets port-forwarded connections in; it is the relevant one for the
# VoIP box and the camera, provided the dst-nat rule itself matches the traffic.
add action=accept chain=forward comment="allow dst-nat connections from WAN" \
    connection-nat-state=dstnat connection-state=new in-interface-list=WAN
# Comment says DNS, port is 465 (DNS would be 53): comment/port mismatch in both rules.
add action=accept chain=input comment="Allow LAN DNS queries - UDP" dst-port=465 \
    in-interface-list=LAN protocol=udp
add action=accept chain=input comment="Allow LAN DNS queries - TCP" dst-port=465 \
    in-interface-list=LAN protocol=tcp
# Despite the comment this accepts plain L2TP (udp/1701) from any interface; with
# use-ipsec=yes on the L2TP server an unencrypted session is then possible. To really
# keep it off the Internet side, match ipsec-policy=in,ipsec or restrict it to
# in-interface-list=LAN.
add action=accept chain=input comment="Keep Off uncrypted: L2TP" dst-port=1701 \
    protocol=udp
add action=accept chain=forward comment=\
    "defconf: accept forward estab,related, untracked" connection-state=\
    established,related,untracked
# Port 1195 is not among the ports dst-nat'd to 192.168.0.146 (1196-1201 in the nat
# section), so these two accepts do not match that forward.
add action=accept chain=forward comment="softVPN fw" dst-port=1195 protocol=tcp
add action=accept chain=forward comment="softVPN fw" dst-port=1195 protocol=udp
add action=drop chain=forward comment="defconf: drop invalid" connection-state=\
    invalid
# Final WAN drop for the router itself. Only traffic not accepted above reaches it, and
# the ether1 accept earlier in the chain means it is never reached for WAN traffic.
add action=drop chain=input comment="drop all from WAN not DSTNATed" \
    connection-nat-state=!dstnat connection-state=new in-interface-list=WAN

00000
# Second filter rule set pasted into the middle of the export (the same list as the
# "best script" further down in the post). Not part of the exported state above.
add action=accept chain=input comment="Top:" connection-state=established,related,untracked
add action=drop chain=input connection-state=invalid comment="c: drop invalid"
add action=accept chain=input protocol=icmp comment="c: accept ICMP" connection-state=new
# ORDER DEFECT: this drops every remaining new connection from WAN before the OpenVPN,
# softVPN, VoIP, mail and L2TP accepts below get a look, so from the Internet side those
# accepts are unreachable (the router's OpenVPN on 1194 included). Accepts meant for WAN
# belong above this rule.
add action=drop chain=input in-interface-list=WAN comment="c: drop all not coming from LAN"
# ether1 is the WAN member. After the WAN drop above this rule is dead for WAN traffic,
# but any reordering would open the router completely; use in-interface-list=LAN.
add action=accept chain=input comment="Allow LAN access to the router itself" connection-state=new in-interface=ether1
add action=accept chain=input comment="S: OpenVPN" protocol=tcp dst-port=1194
# 1197-2100 is roughly 900 router ports accepted from any interface. The softVPN host is
# 192.168.0.146 (a dst-nat / forward-chain matter), not the router, so these input accepts
# are not needed for it.
add action=accept chain=input comment="ss: softVPN" protocol=tcp dst-port=1197-2100
add action=accept chain=input comment="softVPN ud" protocol=udp dst-port=1197-2100
# Input accepts for ports that are dst-nat'd to LAN hosts (5060-5061, 25, 465) only open
# the router's own ports; the forwarded connections are filtered in the forward chain.
add action=accept chain=input protocol=tcp dst-port=5060-5061 comment="Voip"

add action=accept chain=input protocol=tcp dst-port=25 comment="ipCam mail"
add action=accept chain=input protocol=tcp dst-port=465 comment="UPS box notification mail Not working either"
add action=accept chain=input dst-port=500,4500 in-interface=ether1 protocol=udp comment="allow L2TP VPN /udp"
add action=accept chain=input in-interface=ether1 protocol=ipsec-esp comment="v: L2TP/IPSEC"
# Accepts plain L2TP from any interface; see the L2TP server's use-ipsec setting.
add action=accept chain=input dst-port=1701 protocol=udp comment="Keep Off uncrypted: L2TP"
# Drops all remaining input, including from the LAN. Nothing above accepts LAN traffic
# other than ICMP and the listed ports, so LAN access to any other router service is
# blocked as well; an in-interface-list=LAN accept belongs before this rule.
add action=drop chain=input comment="Drop all input"
add action=accept chain=forward comment="c3: accept established,related, untracked" connection-state=established,related,untracked

# The next rule is split across two lines inside a parameter name ("connection-" /
# "state=") and will not import as pasted. It is also redundant: established/related is
# already accepted just above, and a freshly port-forwarded packet is
# connection-state=new, which this rule does not match.
add action=accept chain=forward in-interface-list=WAN connection-nat-state=dstnat connection-
state=established,related comment="packet fowarded accept from nat rule"
add action=accept chain=forward ipsec-policy=in,ipsec comment="FuturVp in ipsec policy"
add action=accept chain=forward ipsec-policy=out,ipsec comment="FuturVp out ipsec policy"
# Disabled. If enabled, fasttracked connections bypass the filter rules after it, so it
# has to stay below the ipsec-policy accepts (as it does here).
add action=fasttrack-connection chain=forward comment="df: fasttrack" connection-state=established,related disabled=yes
add action=accept chain=forward comment="Plex- TCP or32400" dst-port=3005,8324,32469 protocol=tcp disabled=yes
add action=accept chain=forward comment="Plex Ports - udP" dst-port=1900,5353,32412-32414 protocol=udp disabled=yes

add action=drop chain=forward comment="c3: drop invalid" connection-state=invalid
# Also split across two lines. The forward chain's default is accept, so this one drop is
# what keeps the Internet side out of the LAN; dst-nat'd new connections are exempt and
# fall through to the default accept.
add action=drop chain=forward comment="c3: drop all from inet WAN if not in DSTNATed list" 
connection-nat-state=!dstnat connection-state=new in-interface-list=WAN


/ip firewall nat
# dstnat rules are evaluated for every connection passing through the router, from the LAN
# as well as from the WAN, unless an in-interface / dst-address(-type) match limits them.
# Rules below that match only on dst-port would also redirect LAN-originated traffic.
add action=masquerade chain=srcnat comment="Main1: masquerade" out-interface-list=WAN
# Masquerades every connection towards the VoIP box, so the box sees the router as the
# source of all LAN traffic; worth remembering when reading the box's logs.
add action=masquerade chain=srcnat comment=\
    "Solua tester masquerade connections towards misconfigured device" dst-address=\
    192.168.0.30
# The one forward reported as working. Its shape (dst-address=192.168.1.120,
# in-interface=ether1, protocol, to-addresses, to-ports) is the template to copy.
add action=dst-nat chain=dstnat comment=\
    "ouvre port inet9130 vers port 80interne lan - syntax ok" dst-address=\
    192.168.1.120 dst-port=9130 in-interface=ether1 protocol=tcp to-addresses=\
    192.168.0.128 to-ports=80
# Same shape, UDP 5060-5061 to the VoIP box. Whether the box registers over UDP or TCP is
# the thing to establish (sniffer on ether1, port 5060): the filter sections accept TCP,
# this rule forwards UDP. Only the transport actually in use needs a rule.
add action=dst-nat chain=dstnat comment="voip-redirect test" dst-address=\
    192.168.1.120 dst-port=5060-5061 in-interface=ether1 protocol=udp to-addresses=\
    192.168.0.30 to-ports=5060-5061
add action=dst-nat chain=dstnat comment=softv dst-address=192.168.1.120 dst-port=\
    1196-1201 in-interface=ether1 protocol=tcp to-addresses=192.168.0.146 to-ports=\
    1196-1201
add action=dst-nat chain=dstnat comment="access tel" disabled=yes dst-address=\
    192.168.1.120 dst-port=5060-5061 in-interface=ether1 protocol=tcp to-addresses=\
    192.168.0.30 to-ports=5060-5061
add action=masquerade chain=srcnat disabled=yes dst-address=192.168.0.30 dst-port=\
    5060-5061 out-interface-list=WAN protocol=tcp src-address=192.168.0.0/24
# dst-address=externalInternetip is a placeholder, not an address. The rule is disabled,
# but the line would be rejected on import.
add action=dst-nat chain=dstnat comment=\
    "ouvre port inetdirect9130 vers port 80interne lan - syntax ok" disabled=yes dst-address=externalInternetip dst-port=9130 protocol=tcp to-addresses=192.168.0.128 to-ports=80
# Disabled. No interface or address match: if enabled it would also redirect every LAN
# client's outbound SMTP (any destination, port 25) to 192.168.0.52. Note the target here
# is 192.168.0.52 while the later port-25 rules use 192.168.0.128: two hosts for one port.
add action=dst-nat chain=dstnat comment="Create an incoming port map rule-syntaxok" \
    disabled=yes dst-port=25 protocol=tcp to-addresses=192.168.0.52 to-ports=25
add action=dst-nat chain=dstnat comment=out disabled=yes dst-port=25 in-interface-list=WAN protocol=tcp to-addresses=192.168.0.52 to-ports=25
add action=dst-nat chain=dstnat comment="avec interface" disabled=yes dst-port=25 in-interface=ether1 protocol=tcp to-addresses=192.168.0.52 to-ports=25
# Masquerades VPN client traffic regardless of out-interface, i.e. towards the LAN too.
add action=masquerade chain=srcnat comment="masq. rbMaison vpn traffic" src-address=192.168.89.0/24
# Disabled. in-interface=bridge1 means LAN-originated: if enabled, all UDP from LAN hosts
# to ports 12700-65500 anywhere would be sent to the VoIP box.
add action=dst-nat chain=dstnat disabled=yes dst-port=12700-65500 in-interface=bridge1 protocol=udp to-addresses=192.168.0.30
# dst-address-type=local matches any address the router holds itself, which copes with a
# DHCP-vs-static WAN address without hard-coding 192.168.1.120.
add action=dst-nat chain=dstnat comment="62 softVpn" disabled=yes dst-address-type=local dst-port=1197-1200 protocol=tcp to-addresses=192.168.0.146 to-ports=1197-1200
add action=dst-nat chain=dstnat comment=softVpn11 dst-address-type=local dst-port=1196 protocol=tcp to-addresses=192.168.0.146 to-ports=1196
add action=masquerade chain=srcnat comment="Pc Softvpn" disabled=yes src-address=192.168.0.146
add action=dst-nat chain=dstnat comment="61to softVpn" disabled=yes dst-address=192.168.1.120 dst-port=1197-1200 protocol=udp to-addresses=192.168.0.146 to-ports=1197-1200
add action=dst-nat chain=dstnat comment="6to softVpn" disabled=yes dst-port=1197-1200 in-interface=ether1 protocol=udp to-addresses=192.168.0.146 to-ports=1197-1200
add action=netmap chain=dstnat comment="netmap softVpn" disabled=yes dst-port=1197-1200 in-interface=ether1 protocol=tcp to-addresses=192.168.0.146 to-ports=1197-1200
add action=dst-nat chain=dstnat comment="dst-nat voip" disabled=yes dst-address=192.168.1.120 dst-port=5060-5061 protocol=tcp to-addresses=192.168.0.30 to-ports=5060-5061
# Disabled. dst-address-type=!local is the opposite of a port forward: it would rewrite
# transit traffic (not addressed to the router) on these ports.
add action=dst-nat chain=dstnat comment="62 softVpn" disabled=yes dst-address-type=!local dst-port=1197-1200 protocol=tcp to-addresses=192.168.0.146 to-ports=1197-1200
# Disabled. Sends UDP 12700-65500 from the Internet to the VoIP box but rewrites every
# port onto 5060-5061, which is unlikely to be intended if the goal is to let media
# through; it also exposes the box on ~52k ports, far more than a box's own RTP range.
add action=dst-nat chain=dstnat comment="voip box" disabled=yes dst-port=12700-65500 in-interface=ether1 protocol=udp to-addresses=192.168.0.30 to-ports=5060-5061
add action=dst-nat chain=dstnat comment="ipcam email" disabled=yes dst-port=25 in-interface-list=WAN protocol=tcp to-addresses=192.168.0.128 to-ports=25
add action=dst-nat chain=dstnat comment="Create an incoming port map rule-syntaxok wiki" disabled=yes dst-port=25 protocol=tcp to-addresses=192.168.0.128 to-ports=25
# Two enabled port-25 forwards to the same host; first match wins, so the one without
# in-interface is the one in effect. It matches on dst-address only, so LAN clients that
# address 192.168.1.120:25 are redirected as well (hairpin), which is harmless.
add action=dst-nat chain=dstnat comment="Email server port forwarding" dst-address=192.168.1.120 dst-port=25 protocol=tcp to-addresses=192.168.0.128 to-ports=25
add action=dst-nat chain=dstnat comment="Email server port forwarding -interface" dst-address=192.168.1.120 dst-port=25 in-interface=ether1 protocol=tcp to-addresses=192.168.0.128 to-ports=25
# TCP SIP forwards, enabled alongside the UDP "voip-redirect test" above. Both transports
# reach the box; fine for testing, but only one is normally needed.
add action=dst-nat chain=dstnat comment="x config voip" dst-port=5060 in-interface=ether1 protocol=tcp to-addresses=192.168.0.30
add action=dst-nat chain=dstnat comment="x config voip1" dst-port=5061 in-interface=ether1 protocol=tcp to-addresses=192.168.0.30
/ip firewall service-port
set ftp disabled=yes
# SIP helper (ALG) off: the router does not rewrite addresses inside SIP/SDP. Usually the
# better choice when the VoIP box handles NAT traversal itself, but it is a variable to
# keep in mind while the registration problem is open - the box then has to be set up for
# NAT, or its media ports forwarded explicitly.
set sip disabled=yes
set dccp disabled=yes
/ip route
# Default route via 192.168.1.1, a private address: the Internet side of this router is
# another NAT device, which also has to forward any port that should reach 192.168.1.120.
add distance=1 gateway=192.168.1.1
/ip service
# telnet/ftp/ssh/api/api-ssl off is good. Services not listed here (winbox, www, www-ssl)
# keep their defaults; with an input rule that accepts new connections from ether1,
# whatever is still enabled is reachable from the WAN side.
set telnet disabled=yes
set ftp disabled=yes
set ssh disabled=yes
set api disabled=yes
set api-ssl disabled=yes
/ip upnp
# UPnP with ether1 as external lets any LAN host create its own inbound port maps; those
# do not appear in this export, so the effective dst-nat table is larger than what is
# shown. Turning it off while debugging removes that unknown; leave it off unless a
# device actually needs it.
set enabled=yes
/ip upnp interfaces
add interface=bridge1 type=internal
add interface=ether1 type=external
/ppp secret
add disabled=yes name=vpn service=ovpn
# Generic account name on the OpenVPN server. The export does not show the password and
# client certificates are required, so this is acceptable.
add name=user profile=vpn-profile service=ovpn
Is leaving the filter rules in place, but disabled, causing a problem?
And here is what I found on the forum; it should be very basic, but it doesn't work either.
/ip firewall filter
# Forum baseline rule set. The forward chain's default is accept, so the per-port forward
# accepts (Plex, 5060/5061, 1194, 1196-1200) change nothing here: the single forward drop
# at the end already exempts dst-nat'd connections.
add action=drop chain=input comment="Block invalid input connections" \
    connection-state=invalid
add action=drop chain=forward comment="Block invalid forward connections" \
    connection-state=invalid
add chain=forward comment="Plex- TCP" dst-port=3005,8324,32469 protocol=tcp
add chain=forward comment="Plex- udP" dst-port=1900,5353,32412-32414 protocol=udp
add chain=forward dst-port=32400 protocol=tcp comment="x pr opening port" disabled=yes
add chain=forward dst-port=5060 protocol=tcp
add chain=forward dst-port=5061 protocol=tcp
# OpenVPN runs on this router (input chain), so a forward accept for 1194 does not open it.
add chain=forward dst-port=1194 protocol=tcp
add chain=forward dst-port=1196-1200 protocol=tcp
add chain=input comment="default configuration" protocol=icmp
add chain=input comment="Allow Established and Related Input Connections" connection-state=established,related
add chain=forward comment="Allow Established and Related Forward Connections" connection-state=established,related
# Drops all remaining input from ether1 (WAN). With no input accept for 1194/500/4500/1701
# above it, no VPN to the router itself is reachable from the Internet under this set.
add action=drop chain=input comment="default confg drp no src-list" in-interface=ether1
add action=drop chain=forward comment="x Disallow Forward Connections from Outside unless listed as an DST Nat." connection-nat-state=!dstnat connection-state=new in-interface=ether1

/ip firewall nat
add action=masquerade chain=srcnat comment="x default configuration" out-interface=ether1
add action=masquerade chain=srcnat dst-address=192.168.0.30 comment="Solua tester masquerade connections towards misconfigured device" disabled=yes
# Disabled. 192.168.88.169 is outside this router's LAN (192.168.0.0/24); a leftover of
# the factory 192.168.88.x addressing.
add action=dst-nat chain=dstnat dst-port=32400 in-interface=ether1 protocol=tcp to-addresses=192.168.88.169 comment="x configuration" disabled=yes
# TCP-only SIP forwards. Elsewhere in the post the same ports are forwarded as UDP; only
# the transport the box actually uses matters, and a capture on ether1 settles which.
add action=dst-nat chain=dstnat dst-port=5060 in-interface=ether1 protocol=tcp to-addresses=192.168.0.30 comment="x config voip"
add action=dst-nat chain=dstnat dst-port=5061 in-interface=ether1 protocol=tcp to-addresses=192.168.0.30 comment="x config voip1"
The best script I ended up making, from my understanding of the wiki and forum, is this one, but it isn't right either:
/ip firewall filter
add action=accept chain=input comment="Top:" connection-state=established,related,untracked
add action=drop chain=input connection-state=invalid comment="c: drop invalid"
add action=accept chain=input protocol=icmp comment="c: accept ICMP" connection-state=new
# ORDER DEFECT: every remaining new connection from WAN is dropped here, before the
# OpenVPN, softVPN, VoIP, mail and L2TP accepts below. From the Internet side those
# accepts are unreachable, so the router's own OpenVPN (1194) and L2TP/IPsec cannot be
# reached. The accepts meant for WAN belong above this rule, restricted to the ports
# the router really serves.
add action=drop chain=input in-interface-list=WAN comment="c: drop all not coming from LAN"
# ether1 is the WAN member, not a LAN port. Dead after the WAN drop above, but it would
# open the router completely if the order changed; use in-interface-list=LAN instead.
add action=accept chain=input comment="Allow LAN access to the router itself" connection-state=new in-interface=ether1
add action=accept chain=input comment="S: OpenVPN" protocol=tcp dst-port=1194
# Roughly 900 router ports accepted from any interface. The softVPN endpoint is the LAN
# host 192.168.0.146 (dst-nat, forward chain), so input accepts do not help it.
add action=accept chain=input comment="ss: softVPN" protocol=tcp dst-port=1197-2100
add action=accept chain=input comment="softVPN ud" protocol=udp dst-port=1197-2100
# Input accepts for ports that are dst-nat'd to LAN hosts (5060-5061, 25, 465) only open
# the router's own ports; the forwarded connections are filtered in the forward chain.
add action=accept chain=input protocol=tcp dst-port=5060-5061 comment="Voip"
add action=accept chain=input protocol=tcp dst-port=25 comment="ipCam mail"
add action=accept chain=input protocol=tcp dst-port=465 comment="UPS box notification mail Not working either"
add action=accept chain=input dst-port=500,4500 in-interface=ether1 protocol=udp comment="allow L2TP VPN /udp"
add action=accept chain=input in-interface=ether1 protocol=ipsec-esp comment="v: L2TP/IPSEC"
# Accepts plain L2TP (udp/1701) from any interface despite the comment; with use-ipsec=yes
# on the L2TP server an unencrypted session is possible. Match ipsec-policy=in,ipsec or
# restrict to in-interface-list=LAN if the intent is to keep it off.
add action=accept chain=input dst-port=1701 protocol=udp comment="Keep Off uncrypted: L2TP"
# Drops all remaining input, from the LAN too. Nothing above accepts LAN traffic beyond
# ICMP and the listed ports, so LAN access to any other router service is blocked as
# well; an in-interface-list=LAN accept belongs before this rule.
add action=drop chain=input comment="Drop all input"
add action=accept chain=forward comment="c3: accept established,related, untracked" connection-state=established,related,untracked

# Split across two lines inside a parameter name ("connection-" / "state=") - will not
# import as pasted. Also redundant: established/related is accepted just above, and a new
# port-forwarded connection is connection-state=new, which this rule does not match.
add action=accept chain=forward in-interface-list=WAN connection-nat-state=dstnat connection-
state=established,related comment="packet fowarded accept from nat rule"
add action=accept chain=forward ipsec-policy=in,ipsec comment="FuturVp in ipsec policy"
add action=accept chain=forward ipsec-policy=out,ipsec comment="FuturVp out ipsec policy"
# Disabled. Fasttracked connections bypass the filter rules after this one, so it must
# stay below the ipsec-policy accepts (as it does here).
add action=fasttrack-connection chain=forward comment="df: fasttrack" connection-state=established,related disabled=yes
add action=accept chain=forward comment="Plex- TCP or32400" dst-port=3005,8324,32469 protocol=tcp disabled=yes
add action=accept chain=forward comment="Plex Ports - udP" dst-port=1900,5353,32412-32414 protocol=udp disabled=yes
add action=drop chain=forward comment="c3: drop invalid" connection-state=invalid
# The forward chain's default is accept, so this single drop is what keeps the Internet
# side out of the LAN; dst-nat'd new connections are exempt and fall through to the
# default accept, which is why port forwards need no explicit forward accept here.
add action=drop chain=forward comment="c3: drop all from inet WAN if not in DSTNATed list" connection-nat-state=!dstnat connection-state=new in-interface-list=WAN
/ip firewall nat
add action=masquerade chain=srcnat comment="x default configuration Outinterface LIST same as out interface only need to check" out-interface=ether1 disabled=yes
add action=masquerade chain=srcnat comment="Main1: masquerade" out-interface-list=WAN
add action=masquerade chain=srcnat comment="masq. rbMaison vpn traffic" src-address=192.168.89.0/24
# Two points: "to-port" is a shortened form of the parameter written "to-ports" everywhere
# else in these exports - the console may accept the abbreviation, but spell it out. More
# importantly there is no in-interface or dst-address-type match, so LAN-originated SIP
# on 5060-5061 to any destination is redirected to the VoIP box as well. Add
# in-interface-list=WAN (or dst-address-type=local).
add chain=dstnat dst-port=5060-5061 action=dst-nat protocol=tcp to-addresses=192.168.0.30 to-port=5060-5061
# Sends UDP 12700-65500 from the Internet to the VoIP box but rewrites every port onto
# 5060-5061, which is unlikely to be what the box expects for media. It also exposes the
# box on ~52k ports; keep the range to what the box's own RTP setting needs, without
# to-ports.
add action=dst-nat chain=dstnat dst-port=12700-65500 in-interface=ether1 protocol=udp to-addresses=192.168.0.30 to-ports=5060-5061 comment="Try to open all for voip box"

# Correct shape for the camera's mail forward (interface-limited, explicit ports). Whether
# it is reachable also depends on the upstream 192.168.1.1 device forwarding port 25 here.
add chain=dstnat in-interface-list=WAN dst-port=25 action=dst-nat protocol=tcp to-addresses=192.168.0.128 to-ports=25 comment="ipcam email"
# Disabled. No interface match: if enabled, LAN clients' outbound SMTP to any server would
# be redirected to 192.168.0.128.
add action=dst-nat chain=dstnat comment="Create an incoming port map rule-syntaxok wiki" dst-port=25 protocol=tcp to-addresses=192.168.0.128 to-ports=25 disabled=yes
# dst-address-type=local matches any router-held address, so it works whether ether1 has
# the static 192.168.1.120 or a DHCP lease. It also matches LAN hosts that connect to the
# router's own addresses on these ports, which is harmless.
add chain=dstnat dst-address-type=local protocol=tcp dst-port=1197-1200 action=dst-nat to-addresses=192.168.0.146 to-ports=1197-1200 comment="softVpn"
So I don't know whether the RB4011 is working fine or not. At least one port forward was working yesterday, and I can ping all devices. Is there any working configuration I can use to test?
