DavidGB
newbie
Topic Author
Posts: 45
Joined: Fri Sep 14, 2018 9:22 pm

Firewall Problem

Tue May 26, 2020 11:07 am

Hi,

I have a problem with a device in my network.

They tell me that the problem is that TCP 1883 is dropped to the internet, but I can't see it...
If I try it outside my network it works perfectly.

This is my firewall:
/ip firewall address-list
add address=10.0.0.20-10.0.0.101 list=Src_Administradores
add address=10.0.0.101-10.0.0.200 list=Src_Servidores_Usuarios
add address=192.168.2.20-192.168.2.255 list=Src_Red_LAN
add address=192.168.2.201 list=Dst_Servidores_Usuarios
add address=192.168.2.204 list=Dst_Servidores_Usuarios
add address=192.168.2.205 list=Dst_Servidores_Usuarios
add address=192.168.2.10-192.168.2.20 list=Src_Administradores
add address=10.10.0.200 list=Src_AdministracionClientes
add address=10.10.0.0/20 list=Dst_Clientes
add address=10.10.1.12 list=Src_Administradores
add address=10.10.1.13 list=Src_Administradores
/ip firewall filter
add action=tarpit chain=input comment="##### Filtra IPs en Lista Negra #####" \
    protocol=tcp src-address-list="BLACKLIST TARPIT"
add action=add-src-to-address-list address-list="BLACKLIST TARPIT" \
    address-list-timeout=1m chain=input src-address-list=BLACKLIST
add action=drop chain=input disabled=yes log=yes log-prefix="DROP BlackList" \
    src-address-list=BLACKLIST
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
    ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
    ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward connection-state=\
    established,related
add action=accept chain=forward comment=\
    "##### Permite el trafico establecido y relacionado #####" \
    connection-state=established,related
add action=accept chain=output connection-state=established,related
add action=accept chain=input connection-state=established,related
add action=drop chain=forward comment="##### Filtra Paquetes Invalidos #####" \
    connection-state=invalid log=yes log-prefix="DROP Invalid Packets"
add action=drop chain=input connection-state=invalid log=yes log-prefix=\
    "DROP Invalid In Packets"
add action=accept chain=forward comment="##### Prermite trafico Forward #####" \
    src-address-list=Src_Administradores
add action=accept chain=forward dst-address-list=Dst_Servidores_Usuarios \
    src-address-list=Src_Red_LAN
add action=accept chain=forward src-address-list=Src_Red_LAN
add action=accept chain=forward dst-address-list=Dst_Servidores_Usuarios \
    src-address-list=Src_Servidores_Usuarios
add action=accept chain=forward dst-address-list=Dst_Clientes src-address-list=\
    Src_AdministracionClientes
add action=accept chain=forward src-address-list=Src_AdministracionClientes
add action=accept chain=forward disabled=yes dst-address=10.10.1.200 \
    in-interface=*F00277 out-interface=WAN
add action=accept chain=forward disabled=yes dst-address=10.10.1.201 \
    in-interface=*F00277 out-interface=WAN
add action=accept chain=input comment=\
    "##### Prermite trafico Input ##### - Conexiones PPTP" dst-port=1723 \
    protocol=tcp
add action=add-src-to-address-list address-list=Src_TocToc_Temporal \
    address-list-timeout=1m chain=input comment=\
    "##### Prermite trafico Input ##### - TocToc" dst-port=5000 protocol=tcp
add action=add-src-to-address-list address-list=Src_TocToc_NAS \
    address-list-timeout=1d chain=input dst-port=7000 protocol=tcp \
    src-address-list=Src_TocToc_Temporal
add action=add-src-to-address-list address-list=Src_TocToc_LM_NAS \
    address-list-timeout=1d chain=input dst-port=8000 protocol=tcp \
    src-address-list=Src_TocToc_Temporal
add action=accept chain=input comment=\
    "##### Prermite trafico Input ##### - Conexiones L2TP" dst-port=\
    1701,500,4500 protocol=udp
add action=accept chain=input protocol=ipsec-esp
add action=accept chain=input protocol=ipsec-ah
add action=accept chain=input comment="##### Prermite trafico Input ##### " \
    src-address-list=Src_Administradores
add action=accept chain=input comment=\
    "##### Prermite trafico Input #####  Para comunicacion SNMP" dst-port=161 \
    protocol=udp src-address=192.168.2.205
add action=drop chain=input comment="##### BLOQUEO POR DEFECTO #####" \
    log-prefix="INPUT DROP"
add action=drop chain=forward connection-nat-state=!dstnat log=yes log-prefix=\
    "FORWARD DROP"
Something wrong??
If I remove the last forward drop it doesn't work either.

Thanks
 
karlisi
Member
Posts: 437
Joined: Mon May 31, 2004 8:09 am
Location: Latvia

Re: Firewall Problem

Tue May 26, 2020 11:31 am

If this is all your firewall and if you disable last drop rule, your forward chain is fully open. BTW, last drop rule seems wrong, it drops all not-dstnatted connections coming from any interface, typically you want to drop this only from WAN.
 
DavidGB
newbie
Topic Author
Posts: 45
Joined: Fri Sep 14, 2018 9:22 pm

Re: Firewall Problem

Fri May 29, 2020 5:52 pm

> If this is all your firewall and if you disable last drop rule, your forward chain is fully open. BTW, last drop rule seems wrong, it drops all not-dstnatted connections coming from any interface, typically you want to drop this only from WAN.
Hi,

This is all my firewall, but if I disable the last drop rule it doesn't work either.
If I deactivate the rule, should it work immediately?

I've tried putting my server outside my network and it works perfectly.

The support for this server tells me "the problem is that outgoing port 1883 is blocked", but I can't see it...

Any idea?

Thanks
 
DavidGB
newbie
Topic Author
Posts: 45
Joined: Fri Sep 14, 2018 9:22 pm

Re: Firewall Problem

Fri May 29, 2020 6:13 pm

> If this is all your firewall and if you disable last drop rule, your forward chain is fully open. BTW, last drop rule seems wrong, it drops all not-dstnatted connections coming from any interface, typically you want to drop this only from WAN.
> Hi,
>
> This is all my firewall, but if I disable the last drop rule it doesn't work either.
> If I deactivate the rule, should it work immediately?
>
> I've tried putting my server outside my network and it works perfectly.
>
> The support for this server tells me "the problem is that outgoing port 1883 is blocked", but I can't see it...
>
> Any idea?
>
> Thanks
It works!!
I have a NAT rule that masquerades (dstnat) port 1883 to an internal IP, but not only from WAN. Now I've set in-interface=WAN. Could that have been the problem?

Thanks!!
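The two fixes discussed in this thread (karlisi's point that the final forward drop should apply only to WAN, and DavidGB's fix of adding in-interface=WAN to the port 1883 dstnat rule), written out as RouterOS rules. This is an added example, not any poster's own export. It assumes the WAN interface is named WAN, as in the rules above, and uses 192.168.2.201 as a hypothetical address for the internal 1883 server; the thread never shows the original NAT rule, so the "too broad" rule below is a reconstruction of a dst-nat rule that matches port 1883 arriving on any interface.

```routeros
# Added example, not the thread's own export. Assumes the WAN interface is
# named "WAN" (as in DavidGB's filter rules) and that the 1883 service lives
# on 192.168.2.201 (hypothetical; the thread never names the server address).

# --- Too broad: the dstnat chain sees every packet the router routes, so this
# rule also matches a LAN host's OUTBOUND connection to an external broker on
# TCP/1883 and rewrites its destination to the internal server. Inside the
# network the service then looks "blocked"; from outside it works.
/ip firewall nat
add chain=dstnat action=dst-nat protocol=tcp dst-port=1883 \
    to-addresses=192.168.2.201 to-ports=1883 comment="1883 (too broad)"

# --- Corrected: only packets that arrive on WAN for a router-owned address
# are port-forwarded; LAN-originated traffic to port 1883 is left untouched.
/ip firewall nat
add chain=dstnat action=dst-nat protocol=tcp dst-port=1883 \
    in-interface=WAN dst-address-type=local \
    to-addresses=192.168.2.201 to-ports=1883 comment="1883 from WAN only"

# --- Final forward drop scoped to WAN, as karlisi suggests: new connections
# from the internet that were not port-forwarded are dropped, but LAN hosts
# that no earlier accept rule covers are no longer silently discarded.
/ip firewall filter
add chain=forward action=drop in-interface=WAN connection-state=new \
    connection-nat-state=!dstnat log=yes log-prefix="FORWARD DROP"

# --- Check: while the broad rule is active, a LAN client's connection to an
# external broker on 1883 appears in the connection table with its reply
# addresses rewritten to the internal server instead of the external host.
/ip firewall connection print detail where dst-address~":1883"
```

Scoping the drop to in-interface=WAN also means that LAN-to-internet traffic no longer hits a default deny in the forward chain, which is exactly what karlisi describes as "fully open"; if a default deny for LAN hosts is wanted, it has to be a separate rule placed after the LAN accept rules, rather than the non-dstnat drop above.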
 
anav
Forum Guru
Posts: 19107
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Firewall Problem

Fri May 29, 2020 6:42 pm

Post the complete config and I can have a look:
/export hide-sensitive file=anynameyouwish
