idlebyte
just joined
Topic Author
Posts: 12
Joined: Fri Oct 19, 2012 9:31 am

Couple Questions

Thu Nov 01, 2012 12:34 pm

I've searched until 50-60 tabs were open and tried everything on each. I'm lost on this.
In the attached picture everything is working except for the inbound traffic on three ports from the local WAN connection. All outbound traffic is being NAT'd out the VPN just fine and is going very fast. I've even got a few routes set up to route NNTP and WoW (game) out the local interface instead of the VPN. All very nice. But since installing MikroTik/RouterOS I've been unable to get any packets to route inbound as desired. I've previously configured Buffalo, Linksys, and ISA servers all with relative ease, so I know I'm not crazy...

I'm not including current NAT/firewall rules on purpose as it's a mess of rules (mostly disabled) from attempts to route the ports. With the exception of the VPN default routes, the disabled rules mean the router is mostly default. I've tried just about every method to NAT traffic from sfp1-gateway not from 192.168.11.0/24 on port 25 to 192.168.11.35 (Exchange server). I've even set up rules to output a log before accepting and dst-nating the traffic. The packet counts go up and the log shows data entering the router. But the server never sees it. My only conclusion at this point is that the PPTP VPN connection may be adding extra bolts needing turning to make this work, but I'm unsure.

Question 1: Can the VPN connection cause odd interactions with NAT rules using dst-nat to forward inbound port 25 to a local machine and allowing the returning traffic to be ACK'd?
2: On a clean RouterOS install, what filter/nat/mangle rules are needed to route (and allow return of) traffic on port 25 to an internal IP?
3: (unrelated) What rules should be in place to continue to allow outbound masquerading of traffic over the VPN without allowing un-established inbound connections from the VPN? This is just to ensure vypervpn services aren't attempting connections without permission.
4: Without using routes (by IP), can traffic be routed out specific interfaces based on port/protocol? (Considering the VPN connection, etc.)

I know this is a lot but I'm almost burnt out from reading and trying and reading and trying and reading and trying...

Many thanks in advance.
 
jeremyh
Frequent Visitor
Posts: 66
Joined: Tue Jul 10, 2012 1:21 pm

Re: Couple Questions

Tue Nov 13, 2012 5:58 pm

I'm not including current NAT/firewall rules on purpose as it's a mess of rules (mostly disabled) from attempts to route the ports.
I suspect that to get any kind of reasonable answer, you will need to post the output of /ip firewall, /ip route, /ip address etc. Can you not just edit out your disabled rules?
Question 1: Can the VPN connection cause odd interactions with NAT rules using dst-nat to forward inbound port 25 to a local machine and allowing the returning traffic to be ACK'd?
2: On a clean RouterOS install, what filter/nat/mangle rules are needed to route (and allow return of) traffic on port 25 to an internal IP?
3: (unrelated) What rules should be in place to continue to allow outbound masquerading of traffic over the VPN without allowing un-established inbound connections from the VPN? This is just to ensure vypervpn services aren't attempting connections without permission.
4: Without using routes (by IP), can traffic be routed out specific interfaces based on port/protocol? (Considering the VPN connection, etc.)
I'm pretty unqualified to be answering but I'll give it a crack - I know what it's like to post and get no replies ;-)

1. I run a router with two WAN IP addresses, working as both a VPN client (PPTP and IPSec) and server (PPTP) - and I also have a local exchange server. No issues, and pretty straightforward setup.

2. Technically I don't think you need filter or mangle rules in place at all, just the following:

/ip firewall nat
add action=masquerade chain=srcnat comment="Default NAT masquerade rule" disabled=no out-interface=WAN-pppoe
add action=dst-nat chain=dstnat comment="Forward port 25 (SMTP) to exch server" disabled=no dst-address={WAN-IP} dst-port=25 protocol=tcp to-addresses=192.168.11.35 to-ports=25

AFAIK the 'return' path is all just sorted out/handled inherently by the masquerade NAT function. Do you have connection tracking turned on? I believe you need to enable it for NAT to work:

/ip firewall connection tracking set enabled=yes

3. Some rule that just drops inbound packets on that interface with no connection state, or something like the default:

/ip firewall filter add action=drop chain=forward comment="drop invalid connections" connection-state=invalid disabled=no protocol=tcp

4. Good question. I think maybe you can identify the connection/packet with mangle and then apply a routing mark - then in /ip route rule, you can probably apply a routing rule based on the mark. Just speculation though. There will be some way to do it.
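As an added example (not jeremyh's or MikroTik's own configuration), here is a minimal RouterOS v6-style rule set that covers questions 2 to 4 above and the symptom in the original post (inbound SMTP logged on the router but never reaching the server): with a VPN default route in place, the server's replies leave via the VPN instead of going back out the ISP link, so they are marked and routed back the way they came. The interface name sfp1-gateway is from the post; pptp-out1, the gateway address 203.0.113.1 and the mark names are assumptions.

```routeros
# Added example, not from the thread. Assumptions: RouterOS v6 syntax,
# ISP-facing interface sfp1-gateway with gateway 203.0.113.1 (placeholder),
# PPTP client interface pptp-out1 (assumed name), LAN 192.168.11.0/24,
# Exchange server 192.168.11.35.

# --- Q2: forward inbound SMTP, matched on the arriving interface so the
# rule keeps working if the WAN address changes.
/ip firewall nat
add chain=dstnat in-interface=sfp1-gateway protocol=tcp dst-port=25 \
    action=dst-nat to-addresses=192.168.11.35 to-ports=25 \
    comment="SMTP in from ISP -> Exchange"
add chain=srcnat out-interface=pptp-out1 action=masquerade \
    comment="LAN out via VPN"
add chain=srcnat out-interface=sfp1-gateway action=masquerade \
    comment="LAN out via ISP (policy-routed traffic)"

# --- Replies to dst-nat'd connections must leave via the ISP link, not the
# VPN default route: mark the connection on ingress, route replies by mark.
/ip firewall mangle
add chain=prerouting in-interface=sfp1-gateway connection-state=new \
    action=mark-connection new-connection-mark=from-isp passthrough=yes
add chain=prerouting in-interface=!sfp1-gateway connection-mark=from-isp \
    action=mark-routing new-routing-mark=via-isp passthrough=no
# --- Q4: steer a protocol out a chosen interface by port instead of by IP.
add chain=prerouting src-address=192.168.11.0/24 protocol=tcp dst-port=119 \
    action=mark-routing new-routing-mark=via-isp passthrough=no \
    comment="NNTP bypasses the VPN"
/ip route
add dst-address=0.0.0.0/0 gateway=203.0.113.1 routing-mark=via-isp

# --- Q3: only traffic the LAN started (or that was explicitly dst-nat'd)
# is allowed in; anything unsolicited over the VPN is dropped.
/ip firewall filter
add chain=forward connection-state=established,related action=accept
add chain=forward connection-state=invalid action=drop
add chain=forward in-interface=sfp1-gateway connection-nat-state=dstnat \
    connection-state=new action=accept comment="dst-nat'd SMTP"
add chain=forward in-interface=pptp-out1 connection-state=new action=drop \
    comment="no unsolicited inbound from the VPN provider"
add chain=forward in-interface=sfp1-gateway connection-state=new action=drop
```

Rule order matters in the forward chain: the dst-nat accept must sit above the interface drops, and the per-connection counters on the mangle rules are the quickest way to confirm the replies are actually being marked.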
