I'm trying to create a port forwarding set up, which currently is working when accessing from an IP in the 192.168.x.x range, but not working when trying to access from a public IP.
I'm issuing a curl command to fetch a website. This works from the local IP, but not when coming from a public IP.
The setup is:
Apple AirPort -> OldLAN (192.168.x.x) -> RB4011 (192.168.0.102) -> NewLan (10.2.x.x)
When I issue the curl command from a PC on the OldLAN, I can access the NewLAN and fetch data from the server.
When I issue the same curl command from outside, through the Apple AirPort, the connection comes through to the RB4011, however no data is returned from the NewLAN server.
To rule out the AirPort I have also tried connecting the RB4011 directly to the internet, which gives the same result - not possible to connect.
I see the following in the log file:
Access from Private IP in the 192.168.x.x range:
Access from a Public IP:13:22:40 firewall,info [httpnat] dstnat: in:outside out:(unknown 0), src-mac xx:xx:xx:xx:xx:xx, proto TCP (SYN), 192.168.0.20:57585->192.168.0.102:80, len 64
13:22:40 firewall,info [http] forward: in:outside out:dmzbridge, src-mac xx:xx:xx:xx:xx:xx, proto TCP (SYN), 192.168.0.20:57585->10.2.0.10:80, NAT 192.168.0.20:57585->(192.168.0.102:80->10.2.0.10:80), len 64
Only apparent difference is the "len 64" when it's working and "len 60" when it's not working (?).13:26:27 firewall,info [httpnat] dstnat: in:outside out:(unknown 0), src-mac 24:a0:74:73:a7:e8, proto TCP (SYN), 206.189.180.4:34026->192.168.0.102:80, len 60
13:26:27 firewall,info [http] forward: in:outside out:dmzbridge, src-mac 24:a0:74:73:a7:e8, proto TCP (SYN), 206.189.180.4:34026->10.2.0.10:80, NAT 206.189.180.4:34026->(192.168.0.102:80->10.2.0.10:80), len 60
Have tried to enable logging on the different rules, but not been able to get a hit on what the difference is between the two connections.
Below is my current config:
Code: Select all
# apr/13/2021 13:45:44 by RouterOS 6.48.1
# software id = IJJI-4YGG
#
# model = RB4011iGS+
# serial number = xxxxxx
/interface bridge
add comment="Admin bridge" name=admbridge
add comment=DMZ name=dmzbridge protocol-mode=none
add comment="IoT Bridge" name=iotbridge
add admin-mac=xx:xx:xx:xx:xx:xx auto-mac=no comment=defconf name=lanbridge
/interface ethernet
set [ find default-name=ether10 ] comment="Admin port" name=admin poe-out=off
set [ find default-name=ether2 ] comment=DMZ name=dmz1
set [ find default-name=ether3 ] comment=DMZ name=dmz2
set [ find default-name=ether4 ] comment="IoT Interface" name=iot1
set [ find default-name=ether1 ] comment="Wan Interface" name=outside
/interface ethernet switch port
set 0 default-vlan-id=0
set 1 default-vlan-id=0
set 2 default-vlan-id=0
set 3 default-vlan-id=0
set 4 default-vlan-id=0
set 5 default-vlan-id=0
set 6 default-vlan-id=0
set 7 default-vlan-id=0
set 8 default-vlan-id=0
set 9 default-vlan-id=0
set 10 default-vlan-id=0
set 11 default-vlan-id=0
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
add name=DMZ
add name=IOT
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip pool
add name=lan_dhcp_pool ranges=10.1.0.10-10.1.0.254
add name=dmz_dhcp_pool ranges=10.2.0.200-10.2.0.250
add name=iot_dhcp_pool ranges=10.3.0.200-10.3.0.250
/ip dhcp-server
add address-pool=lan_dhcp_pool disabled=no interface=lanbridge name=\
lan_dhcp_server
add address-pool=lan_dhcp_pool disabled=no interface=admbridge name=\
admin_dhcp_server
add address-pool=dmz_dhcp_pool disabled=no interface=dmzbridge name=\
dmz_dhcp_server
add address-pool=iot_dhcp_pool disabled=no interface=iotbridge name=\
iot_dhcp_server
/interface bridge port
add bridge=dmzbridge comment=dmz interface=dmz1
add bridge=dmzbridge comment=dmz interface=dmz2
add bridge=iotbridge comment=defconf interface=iot1
add bridge=lanbridge comment=defconf interface=ether5
add bridge=lanbridge comment=defconf interface=ether6
add bridge=lanbridge comment=defconf interface=ether7
add bridge=lanbridge comment=defconf interface=ether8
add bridge=lanbridge comment=defconf interface=ether9
add bridge=admbridge comment=defconf interface=admin
add bridge=lanbridge comment=defconf interface=sfp-sfpplus1
/ip neighbor discovery-settings
set discover-interface-list=none
/ip settings
set tcp-syncookies=yes
/interface list member
add comment=defconf interface=lanbridge list=LAN
add comment=defconf interface=outside list=WAN
add interface=dmzbridge list=LAN
/ip address
add address=10.1.0.1/24 comment="LAN Bridge" interface=lanbridge network=\
10.1.0.0
add address=10.2.0.1/24 comment="DMZ Bridge" interface=dmzbridge network=\
10.2.0.0
add address=10.3.0.1/24 comment="IOT bridge" interface=iotbridge network=\
10.3.0.0
/ip cloud
set update-time=no
/ip dhcp-client
add comment=defconf disabled=no interface=outside
/ip dhcp-server network
add address=10.1.0.0/24 comment="LAN DHCP" dns-server=\
192.168.0.y,192.168.0.x domain=example.com gateway=10.1.0.1 netmask=24
add address=10.2.0.0/24 comment="DMZ DHCP" domain=example.com gateway=10.2.0.1 \
netmask=24
add address=10.3.0.0/24 comment="IOT DHCP" dns-server=\
192.168.0.x,192.168.0.y domain=example.com gateway=10.3.0.1 netmask=24
/ip dns static
add address=10.4.0.1 comment=defconf name=router.lan
/ip firewall address-list
add address=10.1.0.10-10.1.0.254 list=allowed_to_router
add address=10.4.0.10-10.4.0.254 list=allowed_to_router
add address=0.0.0.0/8 comment=RFC6890 list=not_in_internet
add address=172.16.0.0/12 comment=RFC6890 list=not_in_internet
add address=192.168.0.0/16 comment=RFC6890 disabled=yes list=not_in_internet
add address=10.0.0.0/8 comment=RFC6890 list=not_in_internet
add address=169.254.0.0/16 comment=RFC6890 list=not_in_internet
add address=127.0.0.0/8 comment=RFC6890 list=not_in_internet
add address=224.0.0.0/4 comment=Multicast list=not_in_internet
add address=198.18.0.0/15 comment=RFC6890 list=not_in_internet
add address=192.0.0.0/24 comment=RFC6890 list=not_in_internet
add address=192.0.2.0/24 comment=RFC6890 list=not_in_internet
add address=198.51.100.0/24 comment=RFC6890 list=not_in_internet
add address=203.0.113.0/24 comment=RFC6890 list=not_in_internet
add address=100.64.0.0/10 comment=RFC6890 list=not_in_internet
add address=240.0.0.0/4 comment=RFC6890 list=not_in_internet
add address=192.88.99.0/24 comment="6to4 relay Anycast [RFC 3068]" list=\
not_in_internet
add list=ddos-attackers
add list=ddos-target
/ip firewall filter
add action=accept chain=input comment="Accept Established, Related" \
connection-state=established,related
add action=drop chain=input comment="Drop all invalid packets from WAN" \
connection-state=invalid log=yes log-prefix="[drop invalid] "
add action=jump chain=forward comment="DDOS protection" connection-state=new \
jump-target=detect-ddos log-prefix="[ddos jump] "
add action=fasttrack-connection chain=forward comment=FastTrack \
connection-state=established,related log-prefix="[fasttrack] "
add action=accept chain=forward comment="Allow Estab & Related" \
connection-state=established,related
add action=accept chain=forward comment=HTTP dst-port=80 in-interface=outside \
log=yes log-prefix="[http] " protocol=tcp
add action=accept chain=forward comment=HTTPS dst-port=443 in-interface=\
outside protocol=tcp
add action=accept chain=input comment="Allow ICMP" protocol=icmp
add action=accept chain=input comment="allow admin access" src-address-list=\
allowed_to_router
add action=drop chain=input comment="drop all not coming from admbridge"
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
ipsec-policy=out,ipsec
add action=drop chain=forward comment="Drop Invalid Forward" \
connection-state=invalid log=yes log-prefix="[invalid fwd]"
add action=accept chain=forward comment="Screen sharing from LAN to DMZ" \
dst-port=5900 in-interface=lanbridge log-prefix=screen_sharing protocol=\
tcp
add action=accept chain=forward in-interface=dmzbridge out-interface=\
lanbridge protocol=tcp src-port=5900
add action=accept chain=forward comment="MariaDB Lan to DMZ" \
connection-state=established,related,new,untracked dst-port=3306 \
protocol=tcp
add action=drop chain=forward comment=\
"defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
connection-state=new in-interface-list=WAN log=yes log-prefix=\
"[drop inv wan]"
add action=drop chain=forward comment=\
"Drop tries to reach not public addresses from LAN" disabled=yes \
dst-address-list=not_in_internet in-interface=lanbridge log=yes \
log-prefix="[!public_from_LAN]" out-interface=!lanbridge
add action=drop chain=forward comment=\
"Drop tries to reach not public addresses from IOT" dst-address-list=\
not_in_internet in-interface=iotbridge log=yes log-prefix=\
"[!public_from_IOT] " out-interface=!iotbridge
add action=drop chain=forward comment=\
"Drop tries to reach not public addresses from DMZ" disabled=yes \
dst-address-list=not_in_internet in-interface=dmzbridge log=yes \
log-prefix=!public_from_DMZ out-interface=!dmzbridge
add action=drop chain=forward comment=\
"Drop tries to reach not public addresses from ADM" disabled=yes \
dst-address-list=not_in_internet in-interface=admbridge log=yes \
log-prefix=!public_from_ADM out-interface=!admbridge
add action=drop chain=forward comment=\
"Drop incoming packets that are not NATed" connection-nat-state=!dstnat \
connection-state=new in-interface=outside log=yes log-prefix="[!NAT] "
add action=drop chain=forward comment=\
"Drop incoming from internet which is not public IP" in-interface=outside \
log=yes log-prefix="[!public]" src-address-list=not_in_internet
add action=drop chain=forward comment=\
"Drop packets from LAN that do not have LAN IP" in-interface=lanbridge \
log=yes log-prefix="[LAN_!LAN]" src-address=!10.1.0.0/24
add action=drop chain=forward comment=\
"Drop packets from DMZ which does not have DMZ IP" in-interface=dmzbridge \
log=yes log-prefix="[DMZ_!DMZ]" src-address=!10.2.0.0/24
add action=drop chain=forward comment=\
"Drop packets from IOT which does not have IOT IP" in-interface=iotbridge \
log=yes log-prefix="[IOT_!IOT]" src-address=!10.3.0.0/24
add action=return chain=detect-ddos dst-limit=32,32,src-and-dst-addresses/10s
add action=add-dst-to-address-list address-list=ddos-target \
address-list-timeout=10m chain=detect-ddos
add action=add-src-to-address-list address-list=ddos-attackers \
address-list-timeout=10m chain=detect-ddos
add action=return chain=detect-ddos dst-limit=32,32,src-and-dst-addresses/10s \
protocol=tcp tcp-flags=syn,ack
/ip firewall mangle
add action=log chain=prerouting connection-state=new disabled=yes dst-port=80 \
log=yes log-prefix="[port80] " protocol=tcp
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" \
ipsec-policy=out,none log-prefix="[masq]" out-interface-list=WAN
add action=masquerade chain=srcnat disabled=yes dst-address=10.2.0.10 \
out-interface=lanbridge protocol=tcp src-address=10.1.0.0/24
add action=dst-nat chain=dstnat dst-port=80 in-interface-list=WAN log=yes \
log-prefix="[httpnat] " protocol=tcp to-addresses=10.2.0.10
add action=dst-nat chain=dstnat dst-port=443 in-interface=outside protocol=\
tcp to-addresses=10.2.0.10 to-ports=443
add action=src-nat chain=srcnat out-interface=outside src-address=10.1.0.0/24 \
to-addresses=84.x.y.z
add action=src-nat chain=srcnat log=yes log-prefix="[srcnat]" out-interface=\
outside src-address=10.2.0.0/24 to-addresses=84.x.y.z
add action=src-nat chain=srcnat out-interface=outside src-address=10.3.0.0/24 \
to-addresses=84.x.y.z
/ip firewall raw
add action=drop chain=prerouting dst-address-list=ddos-target log=yes \
log-prefix="[ddos attacker] " src-address-list=ddos-attackers
/ip service
set telnet disabled=yes
set ftp disabled=yes
set www address=10.1.0.0/24 port=8080
set ssh port=22
set api disabled=yes
set winbox disabled=yes
set api-ssl disabled=yes
/system clock
set time-zone-name=Europe/Copenhagen
/system identity
set name=RB4011
/system ntp client
set enabled=yes server-dns-names=0.dk.pool.ntp.org
/tool bandwidth-server
set enabled=no
/tool mac-server
set allowed-interface-list=none
/tool mac-server mac-winbox
set allowed-interface-list=none
/tool mac-server ping
set enabled=no