josh80
just joined
Topic Author
Posts: 2
Joined: Wed Mar 25, 2015 8:56 pm

Trying routerOS from pfsense

Wed Mar 25, 2015 9:29 pm

So I've been a pfsense user for about 2 years. I'm in the process of moving so I bought a little Routerboard (RB951G-2HND) and it seems to work pretty well. Unfortunately I was thrown in the fire without my firesuit (ordered from Amazon). Now I'm trying to get this working good enough to use my SIP phone so I can at least get work done, then I'm going to go back and read up on this in more detail and try to become the pro I want to be. It's a fun router to use, but it's confusing if you don't know what you are jumping into.

So here's what I'm trying to do so I can at least use this enough that I won't lose my job while trying to figure this new toy out. ;)

I have a Cisco 7960 SIP phone. I connect to work via their external IP (w.o.r.k). I also have my external home IP (h.o.m.e). On pfsense I plug it in and "it just works". I didn't have to do any port forwarding or anything that I can remember, and a little Google searching seems to confirm this. I did add a rule to forward all ports from w.o.r.k to my phone's IP because I just don't trust the admin to not change a setting someday that might break things. I need my phone to work virtually 100% of the time. So here I am at my "second home" with this Routerboard and I can make outgoing calls, but incoming calls go straight to my voicemail. I figured this out when I missed several meetings because people didn't call me after I emailed them and told them to call me back. Whoops!

So what I was trying to do was forward all traffic that arrives from w.o.r.k to h.o.m.e and forward it to my internal phone's IP. I set it statically to 192.168.88.2. I went through the phone and all the settings seem to be set right. I even connected the phone directly to the internet and it works properly. So I'm 99% sure my problem is a firewall rule or NAT translation that I need to fix. I've done about 3 hours' worth of Googling and I see examples of how to forward specific ports and specific protocols, but I want to forward by incoming IP. I'm trying to do it this way because, based on what I've been told from my Asterisk server admin (they are learning this trial-by-fire too), the Asterisk server needs to be able to ping my phone and talk on various ports. Obviously port 5060 is the most important, but I figure if I forward all ports and all protocols from IP w.o.r.k then I should be covered.

So under firewall / NAT I added the following:

/ip export

<bunch of stuff>
add action=dst-nat chain=dstnat dst-address=w.o.r.k to-addresses=192.168.88.2

Now based on what I'm reading, the routerboard responds to pings normally via... some rule. I want to block all pings from all external IPs by default (for security reasons, no need to let people KNOW for certainty a device is attached at that IP), then I want ping from w.o.r.k to go through and be forwarded to the phone (I figure this should be included in the NAT forwarding rule, so no additional work should be necessary). Unfortunately, in my testing I've learned that even if I disable the default firewall filter rule 0, pings still get replied to. I tried to forward the pings to my phone's internal IP, but pings from the internet still get answered when the phone is unplugged (wth!?). Then I disabled the rule completely, and pings still kept responding (wth!?).

So am I just crazy or what am I doing wrong?

Right now I've somehow really fubared this stuff and my phone can't make any calls, outgoing or incoming. So I'm about to wipe out my added rules because I clearly am not making the situation any better. ;)

Thanks for any help or ideas you can provide.
 
lz1dsb
Member Candidate
Posts: 222
Joined: Wed Aug 07, 2013 11:48 am

Re: Trying routerOS from pfsense

Thu Mar 26, 2015 6:13 pm

It's a long post...
Anyway, the first thing I would do is to capture the traffic from the IP phone. Try to understand how the phone establishes the connection to the Softswitch. I also have a company IP phone at my home; it is behind a MikroTik router which does NAT and Firewall. I didn't have to do anything special to set it up, no additional rule was needed: the phone establishes a secure connection to the Softswitch by itself, and because it is initiated behind the NAT, then it all works. If the communication protocol between the phone and the Softswitch is designed with NAT in mind, traversing a NAT router shouldn't be a problem.


Boyan
 
ZeroByte
Forum Guru
Posts: 4051
Joined: Wed May 11, 2011 6:08 pm

Re: Trying routerOS from pfsense

Thu Mar 26, 2015 11:34 pm

Almost 100% guaranteed to be this:
Go into IP > Firewall > Services and disable SIP.

Mikrotik inspects SIP by default, and something about Linux's SIP helper has only ever done the opposite of help in my experience. :?

Don't worry about port forwarding yet.
When given a spoon,
you should not cling to your fork.
The soup will get cold.
 
ZeroByte
Forum Guru
Posts: 4051
Joined: Wed May 11, 2011 6:08 pm

Re: Trying routerOS from pfsense

Fri Mar 27, 2015 12:00 am

josh80 wrote:
> Now based on what I'm reading, the routerboard responds to pings normally via... some rule. I want to block all pings from all external IPs by default (for security reasons, no need to let people KNOW for certainty a device is attached at that IP), then I want ping from w.o.r.k to go through and be forwarded to the phone (I figure this should be included in the NAT forwarding rule, so no additional work should be necessary). Unfortunately, in my testing I've learned that even if I disable the default firewall filter rule 0, pings still get replied to. I tried to forward the pings to my phone's internal IP, but pings from the internet still get answered when the phone is unplugged (wth!?). Then I disabled the rule completely, and pings still kept responding (wth!?).
>
> So am I just crazy or what am I doing wrong?

This is long - but I hope it helps you get started with the firewall feature in Mikrotik.
(It's amazingly flexible)

The first habit to establish with MT firewall is not to do "blocking" type of behavior anywhere except filter table.
NAT's job is just to map addresses properly, not to do any filtering.
So don't make a nat rule that says map port udp:X to internal IP for w.o.r.k. While this does what you want, later on during troubleshooting, if you think you're being blocked for some type of traffic, you're probably going to look at the filter table.

So make the NAT rules without any regard for security policies.
The easiest way to make NAT pinhole rules is this:
chain = dstnat
in-interface = wan-interface (whatever it is - ether1, pppoe-client1, etc)
protocol = tcp (or udp, or one rule for each if both are needed)
dst. port = outside port to be forwarded
action = dst-nat
to addresses = internal.ip
to ports = internal port (optional if you're not changing the port)

Add one such rule for every pinhole that you want. If you want to map multiple ports to the same internal server on the same protocol, without changing the ports, you can list them all on one rule
e.g.: dst. port=80,443,8080-8088,60000

Unless you're going to need to hit these public ports from the LAN side of the router, I would just use the in-interface=WAN criteria to match pinholes. If your IP is dynamic, then this is pretty much all you can do anyway.

If you want to do something sneaky like make w.o.r.k. ICMP map to the phone, add a dst-nat rule which matches ICMP and src-address=w.o.r.k action=dst-nat , to-addresses=phone.ip - but REMEMBER that you've done this because later on, if you're trying to ping the phone from work, but their IP changed unbeknownst to you, then your pings from w1.o1.r1.k1 will be hitting the Mikrotik and not the phone as you're expecting them to.....

Now that you've made NAT pinholes, if you want to limit the access to them, then you use the filter table.

Any ports that are forwarded to internal hosts will be governed by the "forward" chain.
Any services on the Mikrotik itself will be governed by the "input" chain. - Note that this chain applies to ALL interfaces, so if you just block * on the input chain, you're going to lock yourself out, so make sure there's a rule that allows everything on the LAN interface.

Here is a good basic firewall configuration to get started with, and should handle most people's home needs:
/ip firewall address-list
add list=Whitelist address=w.o.r.k.
/ip firewall filter
add chain=input comment="Permit existing connections" connection-state=established,related
add chain=input comment="Allow all ICMP" protocol=icmp
add chain=input comment="Allow whitelisted sources" src-address-list=Whitelist
add action=drop chain=input comment="WAN - default deny" in-interface=WAN
/ip firewall nat
add action=masquerade chain=srcnat out-interface=WAN
Note that I explicitly ALLOW icmp! Hackers, worms, botnets, etc are NOT fooled by no reply from PING packets, so don't break strange things on your Internet by blocking all ICMP. IPv6 won't even work if you just drop ICMP like this.
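One way to carry ZeroByte's advice through for this thread's phone, as an added example that is neither ZeroByte's nor josh80's own configuration: the pinholes go in the NAT table with no policy attached, and the whitelist is enforced in the forward chain, which is the chain that governs forwarded ports. It assumes the WAN interface is named WAN and the phone sits at 192.168.88.2 (both taken from the posts above), and that the phone uses UDP 5060 for SIP and UDP 16384-32767 for RTP, which is an assumption to check against the phone's own media port setting.

```routeros
# Added example, not ZeroByte's or josh80's config.
# Assumptions: WAN interface is "WAN", phone is 192.168.88.2, PBX is w.o.r.k,
# SIP on UDP 5060, RTP on UDP 16384-32767 (verify on the phone).

/ip firewall address-list
add list=Whitelist address=w.o.r.k comment="Asterisk server at work"

# NAT only maps addresses; nothing here decides who is allowed in.
/ip firewall nat
add chain=dstnat in-interface=WAN protocol=udp dst-port=5060 \
    action=dst-nat to-addresses=192.168.88.2 comment="SIP signalling -> phone"
add chain=dstnat in-interface=WAN protocol=udp dst-port=16384-32767 \
    action=dst-nat to-addresses=192.168.88.2 comment="RTP media -> phone"
# Optional ICMP mapping ZeroByte calls "sneaky": pings from w.o.r.k land on
# the phone, so if w.o.r.k changes you will be pinging the router instead.
add chain=dstnat in-interface=WAN protocol=icmp src-address-list=Whitelist \
    action=dst-nat to-addresses=192.168.88.2 comment="PBX ping -> phone"
add chain=srcnat out-interface=WAN action=masquerade

# dstnat runs before forward, so the phone's LAN address is matched here.
/ip firewall filter
add chain=forward connection-state=established,related action=accept \
    comment="Replies to connections the phone or LAN started"
add chain=forward in-interface=WAN dst-address=192.168.88.2 protocol=udp \
    dst-port=5060,16384-32767 src-address-list=Whitelist action=accept \
    comment="Only the PBX may use the phone pinholes"
add chain=forward in-interface=WAN dst-address=192.168.88.2 protocol=icmp \
    src-address-list=Whitelist action=accept comment="Only the PBX may ping the phone"
add chain=forward in-interface=WAN connection-state=new action=drop \
    comment="WAN - default deny for new connections into the LAN"
```

When the PBX address changes, only the address-list entry needs editing; the NAT and filter rules stay the same, and a blocked caller shows up as a hit on the forward drop rule rather than as a silently missing NAT match.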
 
josh80
just joined
Topic Author
Posts: 2
Joined: Wed Mar 25, 2015 8:56 pm

Re: Trying routerOS from pfsense

Fri Apr 24, 2015 5:02 pm

I probably should have updated this sooner, but work got really busy suddenly so I haven't even had time to do my own stuff.

So I did eventually get the phone working. After another 4 hours or so of experimenting with filter rules and nat I decided to wipe out all the stuff I had done. I checked the SIP helper and it was disabled already. I called up a friend that doesn't work where I work and asked him about SIP. He came over and in 10 minutes we had the phone working. There was a setting that was misconfigured (information was provided incorrectly by my admin).

So for the last 3 or so weeks my phone has worked. For the record, I have no filter rules or NAT rules setup to make the phone work. As my friend said, "it should be plug and play from home", and it is. If I were running a phone server I'd need to add forwarded ports. I'd also need to add forwarded ports (along with changing settings for my account on our Asterisk server) if some ports were blocked by my ISP.

@Zerobyte

Thanks for the reply. I was totally unaware of ipv6 being broken by blocking icmp. Somehow I've managed to miss this info. I don't use ipv6 yet, so I'm guessing that's why. I've decided to not block icmp per your recommendation since I'd rather not break things I might forget I broke in a year or whenever my ISP comes out with ipv6 support.

So far my experience with this box at the 1 month mark has been fairly positive. The only "problem" I could claim to have is that the VPN performance is... less than stellar. I'm not able to hit even 15Mb/sec throughput with aes128. It's not the end of the world though, and I've since moved the VPN client back to my laptop so I could get my typical 50-80Mb/sec. Copying files from work at 15Mb/sec max can suck sometimes. :P

Thanks to everyone involved for the help and nudges in the right direction.
 
EDinATL
just joined
Posts: 10
Joined: Tue Jun 02, 2015 7:40 am

Re: Trying routerOS from pfsense

Tue Jul 12, 2016 8:47 pm

Came to this thread based on a fantasy I had and googled about running pfSense on MT hardware. As for that last observation about the VPN/crypto performance, yeah that sounds about right. When I set up an old WRT54G for VPN similarly, I was only able to get 2Mbps, and I've been meaning to get around to setting up some OpenVPN stuff on that same MT unit you mention. 15Mbps sounds about right for the processing power of those MT units (600MHz, vs 200 on the old linksys). Glad you found your way into Mikrotik! I used to run my own FreeBSD based firewall and I never wanted to live without it, but I broke down and bought an Asus and put tomato by shibby on it. That lasted about 6 months before I found Mikrotik and I've never been the same since! I do wish I could justify a whole x86 system so I can use pfSense but the low power consumption and flexibility of the MT unit has kept me very satisfied.
