ljwobker
just joined
Topic Author
Posts: 6
Joined: Fri Jul 30, 2021 9:33 pm

help chasing down a timing-related firewall issue?

Mon Aug 16, 2021 8:49 pm

I've got a setup with a small set of firewall rules to permit inbound connections on a set of TCP ports, which are bound/listened to by the routerOS HTTPS and SSH services.
I've changed the input ports from their defaults (to provide at least smoke-screen level security), and added INPUT chain firewall rules to permit connections from the WAN-side interface.

I've also built a single DST-NAT pinhole to allow outside hosts to connect via SSH to a Raspberry Pi on the inside (LAN) network.

All of these forwarding rules worked when I was done with the setup: I could connect from an outside host to the MikroTik via HTTP (WebFig) and SSH. I could also connect from an outside host to the Raspberry Pi via the pinhole/NAT rule. This worked for "at least a little while" - I won't bother lying and making up how long it was when I went back, it might have been an hour or it might have been a few hours -- but when I went back none of those connections were working. Thinking I'd screwed something up, I just rebooted the system, and after it booted back up the pinholes and external access worked again. I left later that afternoon, and by the time I got back home those forwarding rules had quit working again.

This smells to me like it's timing related, possibly where an initial connection is allowed but once that times out, future connections are blocked somehow? I'm sort of at a loss on what to look for here. I've got lots of experience with the networking side in general, but I'm new to the routerOS environment so I'm not totally sure what I should be looking for. The stuff that really matters at the moment is the "inside to outside" connectivity and it all works fine, but when I get back on site I'd like to have some idea of what specific things to try and/or look at.

Help? ;-)
 
anav
Forum Guru
Posts: 18958
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: help chasing down a timing-related firewall issue?

Mon Aug 16, 2021 8:52 pm

Sure, use VPN or port knocking to access the router on the Input chain. I don't recommend, condone or help on anything else.
As far as port forwarding goes, I would have to see the config for that:

/export hide-sensitive file=anynameyouwish
 
ljwobker
just joined
Topic Author
Posts: 6
Joined: Fri Jul 30, 2021 9:33 pm

Re: help chasing down a timing-related firewall issue?

Tue Aug 17, 2021 5:51 am

LOL. I wasn’t asking for your approval on my security policies, I was asking for help in what to look for/at. Perhaps someone else has a lower standard of paranoia and will provide some ideas on how to troubleshoot the actual problem? If someone can defeat SSH with a nonstandard username and a long password of randomized characters, I guess they can have access to the router that services nothing terribly important for as long as it takes me to hard-reset it and rebuild the config.

And even if we ignore the input chain stuff, surely you aren’t going to tell me that doing a destination NAT pinhole is somehow morally objectionable? Because that also quits working after a while and I’m deeply suspicious it’s for the same reason :)
 
k6ccc
Forum Guru
Posts: 1490
Joined: Fri May 13, 2016 12:01 am
Location: Glendora, CA, USA (near Los Angeles)

Re: help chasing down a timing-related firewall issue?

Tue Aug 17, 2021 6:38 am

Actually Anav did provide useful information. He asked you to export your config and post it. Otherwise we're only guessing.
 
jvanhambelgium
Forum Veteran
Posts: 985
Joined: Thu Jul 14, 2016 9:29 pm
Location: Belgium

Re: help chasing down a timing-related firewall issue?

Tue Aug 17, 2021 7:49 am

Logging?
Perhaps you can activate logging (persistent, so it's not cleared at reboot) on your policies, NAT etc.
Something might pop up that is indicative.

The very first thing in self-troubleshooting for me is: logging.
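
A worked illustration of the logging suggestion above, laid over the setup the original poster describes (non-default management ports accepted on the input chain from the WAN interface, plus one DST-NAT pinhole to the Pi). This is an added example, not the poster's actual config or anything from the thread; the interface name ether1, the ports 2222/8443/2200, the Pi address 192.168.88.50 and the log file names are all assumptions chosen for the example.

```routeros
# Added example (not the OP's exported config). Assumptions: ether1 is the
# WAN interface, SSH was moved to 2222, WebFig HTTPS to 8443, and the Pi
# at 192.168.88.50 is reached through outside port 2200.

# Non-default management ports, as the OP describes.
/ip service set ssh port=2222
/ip service set www-ssl port=8443

# Persistent logging: the default "memory" action is wiped by a reboot,
# which is exactly the moment the OP's symptom disappears. Write the
# firewall topic to rotated files on flash instead.
/system logging action add name=fwdisk target=disk disk-file-name=fwlog \
    disk-lines-per-file=2000 disk-file-count=5
/system logging add topics=firewall action=fwdisk
/system logging add topics=system,info action=fwdisk

# Input chain. Keep established/related first so a logged "mgmt-in" line
# always means a genuinely new connection, not a packet of an existing one.
/ip firewall filter add chain=input action=accept \
    connection-state=established,related comment="accept existing"
/ip firewall filter add chain=input action=accept protocol=tcp \
    dst-port=2222,8443 in-interface=ether1 \
    log=yes log-prefix="mgmt-in" comment="WAN management"

# DST-NAT pinhole to the Pi, logged so every translated SYN leaves a
# "pi-ssh" line, and the forward rule that lets the translated flow through.
/ip firewall nat add chain=dstnat action=dst-nat protocol=tcp dst-port=2200 \
    in-interface=ether1 to-addresses=192.168.88.50 to-ports=22 \
    log=yes log-prefix="pi-ssh"
/ip firewall filter add chain=forward action=accept \
    connection-nat-state=dstnat in-interface=ether1 \
    log=yes log-prefix="fwd-dstnat" comment="allow pinholed traffic"

# Checks to run from the console the next time access has stopped,
# before rebooting (a reboot destroys the evidence).
# 1. Are the accept counters on the three logged rules still moving?
/ip firewall filter print stats
# 2. Did the failed attempts leave log lines at all?
/log print where message~"mgmt-in|pi-ssh|fwd-dstnat"
# 3. Is connection tracking holding entries for the pinhole?
/ip firewall connection print where dst-address~":2200"
# 4. The rotated files are what survives a reboot.
/file print where name~"fwlog"
```

The reason for the per-rule prefixes is to split the failure into two cases without guessing: if a connection attempt from outside produces a "mgmt-in" or "pi-ssh" line but the client still gets no reply, the packet reached and matched the rule and the problem lies after it (the forward accept, connection tracking, the return route); if no line appears, the packet never matched, so the rule, its interface match or something earlier in the chain is the place to look. The disk action matters because the poster's symptom resets on reboot, and so does the memory log.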
