alphalt
Frequent Visitor
Topic Author
Posts: 94
Joined: Sat Aug 01, 2009 1:53 pm
Location: Denmark

Metarouter not passing firewall on ROS 5.12

Sun Jan 29, 2012 4:17 pm

Hello,

I'm making some experiments with Metarouter and trying to find a solution that suits my needs. What I noticed is that zero packets are going through any of Metarouter's firewall chains (filter, NAT or prerouting). That surprised me very much. So here is my host router config (ether1 is a public interface):
[admin@MikroTik] > ip address print
Flags: X - disabled, I - invalid, D - dynamic 
 #   ADDRESS            NETWORK         INTERFACE                                
 0   192.168.1.254/24   192.168.1.0     ether2                                   
 1   192.168.3.7/24     192.168.3.0     ether1                                   
 2   110.32.0.1/24      110.32.0.0      vif1                                     

[admin@MikroTik] > ip route print
Flags: X - disabled, A - active, D - dynamic, 
C - connect, S - static, r - rip, b - bgp, o - ospf, m - mme, 
B - blackhole, U - unreachable, P - prohibit 
 #      DST-ADDRESS        PREF-SRC        GATEWAY            DISTANCE
 0 A S  0.0.0.0/0                          192.168.3.254             1
 1 ADC  110.32.0.0/24      110.32.0.1      vif1                      0
 2 ADC  192.168.1.0/24     192.168.1.254   clients                   0
 3 ADC  192.168.3.0/24     192.168.3.7     ether1                    0

[admin@MikroTik] > ip firewall nat print 
Flags: X - disabled, I - invalid, D - dynamic 
 0   chain=srcnat action=masquerade 

 1   chain=dstnat action=dst-nat to-addresses=192.168.1.253 to-ports=8291 
     protocol=tcp dst-address=192.168.1.254 dst-port=8111 

[admin@MikroTik] > interface bridge print
Flags: X - disabled, R - running 
 0  R name="clients" mtu=1500 l2mtu=1522 arp=enabled 
      mac-address=00:0C:42:07:D5:E1 protocol-mode=none 
      auto-mac=yes admin-mac=00:00:00:00:00:00 max-mess
      forward-delay=15s transmit-hold-count=6 ageing-ti

[admin@MikroTik] > interface bridge port print
Flags: X - disabled, I - inactive, D - dynamic 
 #    INTERFACE                          BRIDGE                          PRIORITY  PATH-COST    HORIZON
 0    ether2                             clients                             0x80         10       none
 1  D vif2                               clients                             0x80         10       none

[admin@MikroTik] > metarouter interface print
Flags: X - disabled, A - active 
 #   VIRTUAL-MACHINE                     TYPE    STATIC-INTERFACE                     VM-MAC-ADDRESS   
 0 A mr1                                 dynamic                                      02:82:94:5A:3F:DA
 1 A mr1                                 dynamic                                      02:62:8C:BC:81:9A
Next is Metarouter's config (ether1 is a public interface):
[admin@RouterOS] > ip address print
Flags: X - disabled, I - invalid, D - dynamic 
 #   ADDRESS            NETWORK         INTERFACE                                                                                    
 0   110.32.0.2/24      110.32.0.0      ether1                                                                                       
 1   192.168.1.253/24   192.168.1.0     ether2                                                                                       

[admin@RouterOS] > ip route print
Flags: X - disabled, A - active, D - dynamic, C - connect, S - static, r - rip, b - bgp, o - ospf, m - mme, 
B - blackhole, U - unreachable, P - prohibit 
 #      DST-ADDRESS        PREF-SRC        GATEWAY            DISTANCE
 0 A S  0.0.0.0/0                          110.32.0.1                1
 1 ADC  110.32.0.0/24      110.32.0.2      ether1                    0
 2 ADC  192.168.1.0/24     192.168.1.253   ether2                    0

[admin@RouterOS] > ip firewall filter print
Flags: X - disabled, I - invalid, D - dynamic 
 0   chain=forward action=reject reject-with=icmp-admin-prohibited protocol=icmp 

 1   chain=input action=reject reject-with=icmp-network-unreachable protocol=icmp 

 2   chain=output action=reject reject-with=icmp-network-unreachable protocol=icmp 

[admin@RouterOS] > ip firewall nat print 
Flags: X - disabled, I - invalid, D - dynamic 
 0   chain=srcnat action=masquerade 
So, masquerade and filtering rules are not working on Metarouter and the packet count is 0. Do you have any idea what can be wrong?
Regards,
alpha
 
janisk
MikroTik Support
Posts: 6283
Joined: Tue Feb 14, 2006 9:46 am
Location: Riga, Latvia

Re: Metarouter not passing firewall on ROS 5.12

Mon Jan 30, 2012 9:19 am

are packets sent to the guest at all?

i see you have 2 interfaces for metarouter guest, what are these interfaces (one of them is a vif, what is the other one)?
 
alphalt
Frequent Visitor
Topic Author
Posts: 94
Joined: Sat Aug 01, 2009 1:53 pm
Location: Denmark

Re: Metarouter not passing firewall on ROS 5.12

Mon Jan 30, 2012 9:27 am

Hi,

Thanks for replying. First of all, packets are going to Metarouter, because I can see that with torch on Metarouter; furthermore, it's a real config for internet, so I have internet connection if Metarouter is on and no internet if I turn off Metarouter. On my PC I use Metarouter's ether2 IP address as gateway.
About virtual interfaces. With vif1 everything is clear; then please check the bridge ports on the host router and you will see vif2. It is bridged with the host's ether2, where the client PC is physically connected.
I'm running it on RB433, so maybe I could send you a backup of the system, so you could reproduce this behaviour if needed?
Regards,
alpha
 
alphalt
Frequent Visitor
Topic Author
Posts: 94
Joined: Sat Aug 01, 2009 1:53 pm
Location: Denmark

Re: Metarouter not passing firewall on ROS 5.12

Tue Jan 31, 2012 1:24 pm

It would be very nice if someone could reproduce this behaviour and help me on this. I'm really stuck. I can provide more info if needed.
Regards,
alpha
 
janisk
MikroTik Support
Posts: 6283
Joined: Tue Feb 14, 2006 9:46 am
Location: Riga, Latvia

Re: Metarouter not passing firewall on ROS 5.12

Tue Jan 31, 2012 2:53 pm

well, i have tried metarouter and everything worked as expected. If you are running bridges, check if you have set for bridge to use ip-firewall (if that is the case)
 
alphalt
Frequent Visitor
Topic Author
Posts: 94
Joined: Sat Aug 01, 2009 1:53 pm
Location: Denmark

Re: Metarouter not passing firewall on ROS 5.12

Tue Jan 31, 2012 3:02 pm

There are no bridges on the Metarouter side, only on the host side, but I have no problems with packet flow on the host. Well, what can you suggest for me to check? I'm running out of ideas what can be wrong. The funniest thing is that packets are passing through Metarouter and Metarouter uses the ip route table, but the packets just are not going to the firewall... You saw my config and at least I think that it is correct...
Regards,
alpha
 
janisk
MikroTik Support
Posts: 6283
Joined: Tue Feb 14, 2006 9:46 am
Location: Riga, Latvia

Re: Metarouter not passing firewall on ROS 5.12

Tue Jan 31, 2012 3:25 pm

and what is guest router configuration?
 
alphalt
Frequent Visitor
Topic Author
Posts: 94
Joined: Sat Aug 01, 2009 1:53 pm
Location: Denmark

Re: Metarouter not passing firewall on ROS 5.12

Tue Jan 31, 2012 3:45 pm

Guest router, you mean Metarouter running on the host? If so, then I already gave the config here in the first post.
Regards,
alpha
 
janisk
MikroTik Support
Posts: 6283
Joined: Tue Feb 14, 2006 9:46 am
Location: Riga, Latvia

Re: Metarouter not passing firewall on ROS 5.12

Wed Feb 01, 2012 9:44 am

maybe do /export compact (or that is already that) and check if you have some dynamic stuff going on there.

edit:
ok, did not expect that, but please fix this and never do something like that again:
[admin@RouterOS] > ip firewall nat print 
Flags: X - disabled, I - invalid, D - dynamic 
0   chain=srcnat action=masquerade
read here:
http://wiki.mikrotik.com/wiki/Manual:IP/Firewall/NAT
 
alphalt
Frequent Visitor
Topic Author
Posts: 94
Joined: Sat Aug 01, 2009 1:53 pm
Location: Denmark

Re: Metarouter not passing firewall on ROS 5.12

Wed Feb 01, 2012 10:36 am

Hi,

I agree, yes, but it's not the case here, because 0 packets are going through this NAT rule. Anyway, the problem is somewhere else. I will try today of course and let you know. I hope that you will help somehow to solve this issue.
Regards,
alpha
 
janisk
MikroTik Support
Posts: 6283
Joined: Tue Feb 14, 2006 9:46 am
Location: Riga, Latvia

Re: Metarouter not passing firewall on ROS 5.12

Wed Feb 01, 2012 10:58 am

if packets are reaching guest router then they definitely have to go through firewall, there is no other path possible, but bridge.

check wiki for packet flow diagram
http://wiki.mikrotik.com/wiki/Manual:Packet_Flow

as you can see there are 2 general paths available, and if, for example, you do not see packets in /ip firewall mangle chain=prerouting then most probably packets are going somewhere else (bridge or not through the router)
 
alphalt
Frequent Visitor
Topic Author
Posts: 94
Joined: Sat Aug 01, 2009 1:53 pm
Location: Denmark

Re: Metarouter not passing firewall on ROS 5.12

Wed Feb 01, 2012 11:05 am

Yes, I understand that, and I could believe that packets are not reaching the router at all, but I can see them with the torch tool in the Metarouter itself. That's why I'm confused. If I see them with torch, that means (I hope) that packets should be processed further and at least they should reach the mangle prerouting chain. But they aren't. Well, if you have an RB433 I could send a full backup and you can see for yourself...
Regards,
alpha
 
alphalt
Frequent Visitor
Topic Author
Posts: 94
Joined: Sat Aug 01, 2009 1:53 pm
Location: Denmark

Re: Metarouter not passing firewall on ROS 5.12

Wed Feb 01, 2012 12:09 pm

Ok, I've made a few tests. Now it looks like it's working just perfectly except for one thing, which is really strange. Packet counters on Metarouter are increasing on DST-NAT and SRC-NAT with action passthrough, but counters for mangle PREROUTING and POSTROUTING with action passthrough are not increasing. This is really, really strange. According to the flow diagram, if a packet enters the prerouting chain then it should pass mangle and dst-nat in any case. So either just the counters are not increasing, or I do not understand something... :(
Regards,
alpha
 
janisk
MikroTik Support
Posts: 6283
Joined: Tue Feb 14, 2006 9:46 am
Location: Riga, Latvia

Re: Metarouter not passing firewall on ROS 5.12

Wed Feb 01, 2012 12:16 pm

well, you can add rule like this (that is if you do not have any rules in prerouting chain)

/ip firewall mangle add chain=prerouting action=accept

that should catch (and accept) all packets that go through layer3 of the router and do what that chain would do anyway - accept them, just you can see packets now.

Also, you can check if you see created connections in /ip firewall connection

i have very simple configuration with bridge with ip-firewall=yes and mangle sees all the packets that go through.
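Putting janisk's two points together, the unrestricted masquerade rule he points to in the NAT manual and the mangle rule used only as a packet counter, here is an added example (not configuration from this thread). It assumes the guest's ether1 is its public interface, as in the first post; the comments and rule names are mine.

```routeros
# Added example, not from this thread. Assumes ether1 is the guest's
# public (upstream) interface, as shown in the first post.

# --- weak: no out-interface, so every connection the router forwards
# --- is source-NATed, including LAN-to-LAN and LAN-to-router traffic
/ip firewall nat
add chain=srcnat action=masquerade comment="weak: no out-interface"

# --- corrected: only rewrite the source of traffic that really leaves
# --- via the public interface; everything else keeps its real address
/ip firewall nat
remove [find comment="weak: no out-interface"]
add chain=srcnat out-interface=ether1 action=masquerade \
    comment="masquerade only what exits via ether1"

# --- visibility: passthrough rules change nothing, they only count.
# --- A counter that stays at 0 here means the packet never took the
# --- layer-3 path at all (bridged, or not through this router).
/ip firewall mangle
add chain=prerouting action=passthrough comment="count: prerouting"
add chain=forward action=passthrough comment="count: forward"
add chain=postrouting action=passthrough comment="count: postrouting"

# --- check after generating some traffic from the client PC
/ip firewall mangle reset-counters-all
/ip firewall mangle print stats
/ip firewall connection print
```

If the mangle counters stay at 0 while torch on the same interface shows traffic, compare with /ip firewall connection: a forwarded flow that never creates a tracked connection did not go through the layer-3 path the packet-flow diagram describes.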
 
alphalt
Frequent Visitor
Topic Author
Posts: 94
Joined: Sat Aug 01, 2009 1:53 pm
Location: Denmark

Re: Metarouter not passing firewall on ROS 5.12

Wed Feb 01, 2012 1:37 pm

/ip firewall mangle add chain=prerouting action=accept
The same situation. Packet count 0. But I don't believe that they are not passing. Now I can't do that, but later I'll try to deny all traffic on prerouting and see if I still have a connection through the Metarouter. By the way, I'm not using a bridge on the Metarouter side.
What's most important is that in the first post I described the problem, and I did absolutely nothing to the configuration, just restarted Metarouter together with the main router, and the packet counts on the firewall started to work. Even with that faulty masquerade rule.
Regards,
alpha