omberli
Frequent Visitor
Topic Author
Joined: Tue Oct 22, 2013 7:53 pm
Location: Norway

Firewall config

Mon Mar 08, 2021 6:15 pm

Hi.
I have a Ubiquiti CloudKey running behind a Mikrotik firewall. Works well.
Firewall is set to forward TCP ports 8080, 8443 and 8880, as well as UDP 3478, to the CloudKey's local IP (192.168.1.49).

Need to move the CloudKey to my local LAN, where I also have a Mikrotik router. Have tried to set up the same port forwarding, but external requests to the IP fail. The CloudKey has the same local IP as in the previous setup. The router in my local LAN also handles traffic to my mail server (192.168.1.10).

I have not been able to figure out why the router in my local LAN seems to block the traffic. Hope someone will help. Thanks!
The configs for the working firewall (240) and the one that fails (195) are attached as txt files. Any ideas what I'm doing wrong?

Thanks!
Olaf
anav
Forum Guru
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Firewall config

Mon Mar 08, 2021 7:57 pm

Norway, wow luv watching Jakob run!!!

I'm confused by your network.
Do you mean that you used to have this:
MODEM---->Router MT1 ----->LAN(server)
and now have this:
MODEM ---->Router MT1 ---->Router MT2 -----> LAN(server)
Jotne
Forum Guru
Joined: Sat Dec 24, 2016 11:17 am
Location: Magrathean

Re: Firewall config

Mon Mar 08, 2021 10:26 pm

As anav says, it's not clear what you have and what you would like to set up. Try to avoid double NAT.
Make a drawing and post your complete configuration (/export hide-sensitive).

Then maybe we can help you :)
omberli
Frequent Visitor
Topic Author
Joined: Tue Oct 22, 2013 7:53 pm
Location: Norway

Re: Firewall config

Tue Mar 09, 2021 1:34 am

Thanks for comments!
Sorry about confusing description.

There are two completely different and separate networks.

Old network has the x.x.x.240 public IP address, an RB433 routerboard and the CloudKey on the LAN side of the 433 board (Ether2). This setup works well, but the network will be closed / dismounted soon.

The new network has a public IP of y.y.y.195 and an RB951 unit as a router. The CloudKey will be moved from the old network to the new network. The CloudKey works as expected when I try to connect to it from a PC in the local LAN, but not from the WAN side (the Internet). The new network also has a mail server and some PCs (they work well).

Have attached new config files and a simple drawing of the two (separate) networks.
anav
Forum Guru
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Firewall config

Tue Mar 09, 2021 2:10 am

(1) Don't see any point in these and would remove them!
/ip firewall address-list
add address=66.23.227.156 list=Attack-IPs
................................................................
add address=185.234.219.0/24 list=Attack-IPs


(2) Input chain firewall rules need work. Actually, not too bad now that I see some more lower down... keeping them together makes config reading so much easier!!!
Only comment is to ensure they are enabled, not disabled.

/ip firewall filter
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
disabled=yes in-interface-list=!LAN
add action=drop chain=forward comment="defconf: drop invalid" \
connection-state=invalid disabled=yes

(3) Not sure of the purpose of this route... it has nothing to do with going out the router.
/ip route
add distance=1 gateway=192.168.1.1

(4) MAC server should be set to none; MAC WinBox server is fine.

(5) I see nothing that should prevent traffic. The problem is that if users on the same LAN wish to get to the server from the LAN, you will need to set up hairpin NAT (loopback).
Much easier just to put the server on its own subnet for example and then the current rules would work.
mkx
Forum Guru
Joined: Thu Mar 03, 2016 10:23 pm

Re: Firewall config

Tue Mar 09, 2021 8:21 am

Does the change of public IP address involve a change of ISP? Since most of the forwarded ports are non-standard, it could well be that the new ISP blocks them.

The export shows pretty incomplete firewall rules compared to the default rules, e.g. it's missing the rule
add action=accept chain=forward comment="defconf: accept established,related, untracked" \
    connection-state=established,related,untracked
which should be right after the "fast-track" rule. The fast-track rule doesn't deal with 100% of packets; some are passed on to other rules to keep the connection-tracking state current. If you don't have a matching "non-fasttracking" rule, connections might get dropped.
I suggest you have a look at the default setup (execute /system default-configuration print from a really wide terminal window) and put back the missing rules ... while taking care of rule order. I also suggest you upgrade the ROS version to the latest "long-term", which is 6.47.9 at the time of writing this post ... and do it before updating the firewall configuration, to make sure you see the latest (and greatest) default configuration.

Other than that, you may want to adjust your NAT rules to reflect rules from firewall list ... e.g. use in-interface-list=WAN instead of in-interface=ether1.
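As an added example that is not part of the thread or any poster's exported config, here is how the fasttrack/accept pairing mkx describes, the in-interface-list=WAN dst-nat he suggests, and the hairpin NAT anav mentions in (5) fit together on one router. The port and address values come from the thread; ether1 as WAN, "bridge" as the LAN bridge, the 192.168.1.0/24 LAN and y.y.y.195 as a stand-in for the public IP are assumptions.

```routeros
# Added example (not from the thread): forward chain and NAT layout for the RB951 that keeps
# the fasttrack rule paired with its accept rule, as mkx describes, and adds the hairpin NAT
# anav mentions. Assumptions: ether1 is the WAN port, "bridge" is the LAN bridge, the LAN is
# 192.168.1.0/24, the CloudKey is 192.168.1.49, and y.y.y.195 stands in for the public IP.
/interface list member
add interface=ether1 list=WAN
add interface=bridge list=LAN

/ip firewall filter
# fasttrack only takes over part of each connection; the accept rule directly after it
# must catch the packets fasttrack hands back, or a later drop rule can kill the flow
add chain=forward action=fasttrack-connection connection-state=established,related \
    comment="defconf: fasttrack"
add chain=forward action=accept connection-state=established,related,untracked \
    comment="defconf: accept established,related, untracked"
add chain=forward action=drop connection-state=invalid comment="defconf: drop invalid"
# new connections from WAN are only allowed if a dstnat rule already rewrote them
add chain=forward action=drop connection-state=new connection-nat-state=!dstnat \
    in-interface-list=WAN comment="defconf: drop all from WAN not DSTNATed"

/ip firewall nat
add chain=srcnat action=masquerade out-interface-list=WAN comment="defconf: masquerade"
# port forwards from the Internet; match the WAN list instead of a fixed interface name
add chain=dstnat action=dst-nat in-interface-list=WAN protocol=tcp \
    dst-port=8080,8443,8880 to-addresses=192.168.1.49 comment="CloudKey tcp"
add chain=dstnat action=dst-nat in-interface-list=WAN protocol=udp \
    dst-port=3478 to-addresses=192.168.1.49 comment="CloudKey udp"
# hairpin part 1: LAN clients that use the public address get the same dst-nat ...
add chain=dstnat action=dst-nat src-address=192.168.1.0/24 dst-address=y.y.y.195 \
    protocol=tcp dst-port=8080,8443,8880 to-addresses=192.168.1.49 \
    comment="CloudKey hairpin dstnat"
# hairpin part 2: ... and a masqueraded source, so the CloudKey answers via the router
# instead of replying straight to the client, which would break the connection
add chain=srcnat action=masquerade src-address=192.168.1.0/24 dst-address=192.168.1.49 \
    out-interface-list=LAN comment="CloudKey hairpin srcnat"
```

Rule order matters in both chains: the hairpin dst-nat rule only needs to be evaluated for LAN-sourced traffic, and the fasttrack rule must stay directly above its accept rule.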
omberli
Frequent Visitor
Topic Author
Joined: Tue Oct 22, 2013 7:53 pm
Location: Norway

Re: Firewall config

Tue Mar 09, 2021 10:42 am

Thanks for your responses. I'll work my way through the comments and see if I'm able to get this thing working.... Just a few comments....

anav:
(1) The Attack-IPs address list was created in an attempt to block intruder attempts to my mail server. Happened quite often. It worked well on a previous router (ZyXel), but maybe not on Mikrotik...
Will remove it

(2) /ip firewall filter
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
disabled=yes in-interface-list=!LAN
add action=drop chain=forward comment="defconf: drop invalid" \
connection-state=invalid disabled=yes
These were set to disabled for testing purposes. Guess they should not be disabled....?

(3) Yes, seems strange. Don't know where it came from.

(4) Don't know where this setting came from (default setting?). Will set it to none

(5) Have seen the hairpin as a challenge. Tried to set it up (for my mail server) a couple of times without success.
If setting the controller on a separate subnet, should I just add another local IP range to the LAN/bridge interface, or do I need to have the different subnets on separate physical ports? (disclosing my limited TCP/IP knowledge now...)

mkx:
The change of IP does not mean a new ISP (I just moved to a different physical location and have just one public IP; previously I had a /25 network). The access should not be blocked, but I will check. I will also upgrade and take a close look at the default settings.

Thanks!
