GreaterTX
just joined
Topic Author
Posts: 17
Joined: Mon Feb 25, 2019 6:47 am

Mikrotik Blocking Remote Access Randomly

Thu Oct 15, 2020 12:34 am

So for some reason the Mikrotik Router seems to randomly be blocking remote access to some port forwarded devices. It'll work just fine for days on end sometimes then abruptly drop any incoming connections.

This happens both with:

1) Camera system with remote web / remote app ability
2) Unifi Access Points stop communicating with the off-site controller and show as offline (But there is no firewall configuration that needs to be done on the remote site where the Mikrotik is, so not sure how this relates but this also happens while the camera system goes offline)


The network works completely normally on the LAN side, when I go on site I can get on the internet with everything just fine, use wireless access etc...

I'm running 6.47.4

How I have it set up:

Firewall > NAT: I have a dst-nat action with dstnat for the chain, the destination address is the WAN IP, protocol TCP, Destination Port is the port to be forwarded

I've checked both

https://www.balticnetworkstraining.com/ ... orwarding/

and

Port mapping/forwarding
If you would like to direct requests for a certain port to an internal machine (sometimes called opening a port, port mapping), you can do it like this:

/ip firewall nat add chain=dstnat dst-port=1234 action=dst-nat protocol=tcp to-address=192.168.1.1 to-port=1234

https://wiki.mikrotik.com/wiki/Manual:I ... forwarding

Neither variant seems to resolve it, rebooting the router doesn't change anything.

Abruptly, all of a sudden, it'll eventually start working again....

What gives? What else can I provide to help you guys diagnose it?

I can remotely access the router with zero issue with the configuration I have so I know that works.
 
GreaterTX
just joined
Topic Author
Posts: 17
Joined: Mon Feb 25, 2019 6:47 am

Re: Mikrotik Blocking Remote Access Randomly

Thu Oct 15, 2020 8:33 pm

So once again, out of nowhere, at around the same time, no matter how many modifications I made with no success.... it randomly started allowing traffic again at night, then this morning at roughly the same time it started blocking it again.

This is freaking infuriating
 
anav
Forum Guru
Posts: 5298
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Mikrotik Blocking Remote Access Randomly

Thu Oct 15, 2020 9:54 pm

Post your entire config
/export hide-sensitive file=anynameyouwish
I'd rather manage rats than software. Follow my advice at your own risk! (Sob & mkx forced me to write that!)
MTUNA Certified, by the Ascerbic Llama!
 
GreaterTX
just joined
Topic Author
Posts: 17
Joined: Mon Feb 25, 2019 6:47 am

Re: Mikrotik Blocking Remote Access Randomly

Thu Oct 15, 2020 11:42 pm

Post your entire config
/export hide-sensitive file=anynameyouwish
# oct/15/2020 13:39:09 by RouterOS 6.47.4
# software id = WY2W-HYQH
#
# model = RouterBOARD 941-2nD
# serial number = 8B1008860D52
/interface bridge
add admin-mac=CC:2D:E0:79:D5:02 auto-mac=no comment=defconf name=bridge
/interface wireless
set [ find default-name=wlan1 ] antenna-gain=0 band=2ghz-b/g/n channel-width=\
    20/40mhz-XX country="united states" disabled=no distance=indoors \
    frequency=auto frequency-mode=manual-txpower mode=ap-bridge ssid=\
    SFP-Mikrotik station-roaming=enabled wireless-protocol=802.11
/interface l2tp-server
add name=l2tp-in1 user=""
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface wireless security-profiles
set [ find default=yes ] authentication-types=wpa-psk,wpa2-psk mode=\
    dynamic-keys supplicant-identity=MikroTik
/ip pool
add name=dhcp ranges=10.192.0.200-10.192.0.230
add name=vpn-pool ranges=10.192.100.100-10.192.100.110
/ip dhcp-server
add address-pool=dhcp disabled=no interface=bridge name=defconf
/ppp profile
add local-address=10.192.100.1 name="VPN IPSec" remote-address=vpn-pool
/user group
set full policy="local,telnet,ssh,ftp,reboot,read,write,policy,test,winbox,pas\
    sword,web,sniff,sensitive,api,romon,dude,tikapp"
/interface bridge port
add bridge=bridge comment=defconf interface=ether2
add bridge=bridge comment=defconf interface=ether3
add bridge=bridge comment=defconf interface=ether4
add bridge=bridge comment=defconf interface=wlan1
/ip neighbor discovery-settings
set discover-interface-list=LAN
/interface l2tp-server server
set default-profile="VPN IPSec" enabled=yes use-ipsec=yes
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=ether1 list=WAN
/ip address
add address=10.192.0.1/24 comment=defconf interface=ether2 network=10.192.0.0
add address=WANIP97/29 interface=ether1 network=WANIP96
/ip dhcp-client
add comment=defconf interface=ether1
/ip dhcp-server network
add address=10.192.0.0/24 comment=defconf gateway=10.192.0.1 netmask=24
/ip dns
set allow-remote-requests=yes servers=1.1.1.1,1.0.0.1
/ip dns static
add address=10.192.0.1 name=router.lan
/ip firewall filter
add action=accept chain=input disabled=yes dst-port=8291 protocol=tcp
add action=accept chain=input dst-port=80,443,8291 protocol=tcp
add action=accept chain=input in-interface-list=WAN protocol=ipsec-esp
add action=accept chain=input dst-port=500,1701,4500 in-interface=ether1 \
    protocol=udp src-address-list=""
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
    ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
    ipsec-policy=out,ipsec
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
    in-interface-list=!LAN
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
    connection-state=established,related
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
add action=drop chain=forward comment=\
    "defconf:  drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
    connection-state=new in-interface-list=WAN
add action=accept chain=forward connection-state=established,related
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" \
    ipsec-policy=out,none out-interface-list=WAN
add action=dst-nat chain=dstnat dst-port=36700 in-interface=ether1 protocol=\
    tcp to-addresses=10.192.0.8 to-ports=36700
add action=dst-nat chain=dstnat dst-port=5201 in-interface=ether1 protocol=\
    tcp to-addresses=10.192.0.216 to-ports=5201
add action=dst-nat chain=dstnat comment="Hikvision Client" dst-address=\
    WANIP97 dst-port=8000 protocol=tcp to-addresses=10.192.0.8 \
    to-ports=8000
/ip route
add distance=1 gateway=WANIP102
/ip ssh
set allow-none-crypto=yes forwarding-enabled=remote
/ppp secret
add name=edrick profile="VPN IPSec" service=l2tp
/system clock
set time-zone-name=America/Los_Angeles
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN
 
anav
Forum Guru
Posts: 5298
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Mikrotik Blocking Remote Access Randomly

Fri Oct 16, 2020 2:24 am

(1) I find it confusing you have the bridge handing out DHCP and you have ethernet 2 part of the bridge, but look at your ip address!!!
/interface bridge port
add bridge=bridge comment=defconf interface=ether2
/ip address
add address=10.192.0.1/24 comment=defconf interface=ether2 network=10.192.0.0

I would guess that that should be bridge not ether2
/ip address
add address=10.192.0.1/24 comment=defconf interface=bridge network=10.192.0.0


(2) As far as firewall rules go, you have some weird ones in the input chain.
However I am not an expert on VPN so I will assume they are fine.
For clarity's sake I would put all the input chain rules first and then display the forward chain rules.
I'd rather manage rats than software. Follow my advice at your own risk! (Sob & mkx forced me to write that!)
MTUNA Certified, by the Ascerbic Llama!
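An added example, not from the thread, MikroTik, or anav: a small Python linter for the /export layout quoted above. It joins the backslash-continued lines, then flags the two things worth checking here: a LAN address assigned to an interface that is a bridge port (anav's point about ether2 versus the bridge), and a dst-nat rule whose to-addresses lies in no configured subnet (what you get by pasting the wiki's 192.168.1.1 example into a 10.192.0.0/24 network). The export excerpt and the 203.0.113.x WAN addresses are constructed.

```python
import ipaddress
import re

# Constructed excerpt in RouterOS "/export" layout: "/" opens a section, "\" continues.
SAMPLE_EXPORT = r"""
/interface bridge port
add bridge=bridge comment=defconf interface=ether2
/ip address
add address=10.192.0.1/24 comment=defconf interface=ether2 network=10.192.0.0
add address=203.0.113.97/29 interface=ether1 network=203.0.113.96
/ip firewall nat
add action=dst-nat chain=dstnat dst-port=36700 in-interface=ether1 protocol=\
    tcp to-addresses=10.192.0.8 to-ports=36700
add action=dst-nat chain=dstnat comment="Hikvision Client" dst-address=\
    203.0.113.97 dst-port=8000 protocol=tcp to-addresses=10.192.0.8 \
    to-ports=8000
add action=dst-nat chain=dstnat dst-port=1234 protocol=tcp to-addresses=192.168.1.1 to-ports=1234
"""

def parse_export(text):
    """Map each section to its 'add' rules as key/value dicts, joining continued lines."""
    sections, section, buf = {}, None, ""
    for raw in text.splitlines():
        line = buf + raw.strip()
        if line.endswith("\\"):          # continuation: glue the next line on
            buf = line[:-1]
            continue
        buf = ""
        if line.startswith("/"):
            section = line
            sections.setdefault(section, [])
        elif line.startswith("add ") and section is not None:
            pairs = re.findall(r'(\S+?)=("[^"]*"|\S+)', line[4:])  # values may be quoted
            sections[section].append({k: v.strip('"') for k, v in pairs})
    return sections

def lint(sections):
    """Flag a LAN address placed on a bridge port and dst-nat targets outside every subnet."""
    findings = []
    ports = {p["interface"] for p in sections.get("/interface bridge port", [])}
    nets = [ipaddress.ip_interface(a["address"]).network for a in sections.get("/ip address", [])]
    for a in sections.get("/ip address", []):
        if a["interface"] in ports:
            findings.append(f"{a['address']} is on bridge port {a['interface']}; move it to the bridge")
    for r in sections.get("/ip firewall nat", []):
        if r.get("action") == "dst-nat":
            target = ipaddress.ip_address(r["to-addresses"])
            if not any(target in n for n in nets):
                findings.append(f"dst-nat to {target} (dst-port {r.get('dst-port')}) matches no configured subnet")
    return findings
```

Run it against a real `/export hide-sensitive` file by passing the file contents to `parse_export` instead of the constructed excerpt.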
 
GreaterTX
just joined
Topic Author
Posts: 17
Joined: Mon Feb 25, 2019 6:47 am

Re: Mikrotik Blocking Remote Access Randomly

Fri Oct 16, 2020 10:03 am

I’ll check out what you say

Just an update with no changes on my part the camera system and access points are back online in unifi controller

I suspect once again tomorrow around the same time they’ll be off again, but not at the exact time, just roughly, and with no interruption to LAN traffic (cameras still record and WiFi clients can still connect to the internet)

But remote connectivity blocked, other than winbox / direct access to the router via web those work
 
GreaterTX
just joined
Topic Author
Posts: 17
Joined: Mon Feb 25, 2019 6:47 am

Re: Mikrotik Blocking Remote Access Randomly

Mon Oct 19, 2020 9:18 am

As you can see it continues to go offline at roughly the same time every day

Any additional suggestions?