
filtering pptp srv/client bridge

Posted: Wed Jul 26, 2017 7:11 pm
by TimGuyUK
I have a customer for whom I've set up a PPTP server on a MK x86 software router. All works fine: the MK has a DHCP pool for the LAN-side network and traffic flows between the internal LAN and the PPTP client.

However, the customer has two devices on the internal LAN that are nothing to do with the MK router or the IP range it's on. Let's say the MK is on 192.168.10.1/24 and these two devices are on 10.0.0.1/24 and 10.0.0.2/24.

When the bridge is enabled (PPTP client connected or not), the devices on the 10.0.0.0 range get IP address conflicts. When I disable the bridge, the conflicts go away. The customer traced the MAC address of the conflict back to the MK LAN NIC.

I am not seeing this myself, merely going on what the customer says; however, it's black and white that when the bridge is up it breaks the 10.0.0.0/24 devices, and when it's disabled they work.

**Update** - The MAC address the customer gave me is the MAC address of the bridge, so it is the bridge causing the issue.

How can I block traffic going through the bridge? No amount of 10.0.0.0/24 filtering in the firewall section appears to block the traffic. If I do a torch on the bridge I can see the 10.0.0.0/24 traffic going through it. I see there are bridge filters, but the IP options are greyed out?

Any suggestions?

Re: filtering pptp srv/client bridge

Posted: Wed Jul 26, 2017 7:34 pm
by pukkita
post an export.

Re: filtering pptp srv/client bridge

Posted: Wed Jul 26, 2017 7:42 pm
by TimGuyUK
> post an export.

Cheers. How much do you want? This is the PPP and bridge stuff:

/interface bridge
add arp=proxy-arp disabled=yes name=pptp
/interface ethernet
set [ find default-name=ether1 ] name=ether1-Wan
set [ find default-name=ether2 ] name=ether2-Lan
/ip pool
add name=VPN ranges=192.168.10.250-192.168.10.252
/ppp profile
add bridge=pptp change-tcp-mss=yes dns-server=192.168.10.20 local-address=192.168.10.1 name=pptp remote-address=VPN use-encryption=yes
/interface bridge port
add bridge=pptp disabled=yes interface=ether2-Lan
/interface pptp-server server
set default-profile=pptp enabled=yes
/ip address
add address=192.168.10.1 interface=ether2-Lan network=192.168.10.0

Re: filtering pptp srv/client bridge

Posted: Thu Jul 27, 2017 12:31 pm
by pukkita
Wanted the full export...

Is ROS installed on bare metal, or are we speaking about a VM?

Did you restore a .backup file on this server at any prior stage?

Can you provide a diagram of the customer network addressing? (hand drawn is fine)

Re: filtering pptp srv/client bridge

Posted: Thu Jul 27, 2017 1:05 pm
by TimGuyUK
> Wanted the full export...
>
> Is ROS installed on bare metal, or are we speaking about a VM?
>
> Did you restore a .backup file on this server at any prior stage?
>
> Can you provide a diagram of the customer network addressing? (hand drawn is fine)

Thanks. I have kept the original internal IP range in this export as it might explain things, so in my previous post I suggested the internal range was 192.168.10.0/24, but it really is 11.200.0.0/8. The non-routed IP traffic that I am having clashes with is 10.0.0.0/24. There is no routing between these two networks; the 10.0.0.0/24 range is purely for two internal devices to talk to each other, which they can't unless the bridge is up.

The server is bare metal, running on an Intel server board with 2 onboard Intel NICs.

The server is mainly there for port forwarding / publishing. The customer uses another firewall for the clients' internet exit.

And yes, 11.0.0.0 isn't a private range. It was the customer's choice from 15 years ago. I don't have control over that.

You can see the entry `add action=drop chain=forward comment="Drop 10.0.0.0 range from the MK Interface" src-address=10.0.0.0/8`, which I tried to use to block 10.0.0.0/8 traffic going to the bridge.
[admin@MikroTik] > export
# jul/26/2017 15:35:56 by RouterOS 6.33.3
#
/interface bridge
add arp=proxy-arp disabled=yes name=pptp
/interface ethernet
set [ find default-name=ether1 ] name=ether1-Wan
set [ find default-name=ether2 ] name=ether2-Lan
/ip pool
add name=VPN ranges=11.200.254.240-11.200.254.245
/ppp profile
add bridge=pptp change-tcp-mss=yes dns-server=11.200.0.20 local-address=11.200.0.14 name=pptp remote-address=VPN use-encryption=yes
/system logging action
set 1 disk-file-count=7
/tool user-manager customer
set admin access=own-routers,own-users,own-profiles,own-limits,config-payment-gw
#error exporting /dude
/interface bridge port
add bridge=pptp disabled=yes interface=ether2-Lan
/interface pptp-server server
set default-profile=pptp enabled=yes
/ip address
add address=11.200.0.14/8 interface=ether2-Lan network=11.0.0.0
add address=x.x.x.229/24 interface=ether1-Wan network=x.x.x.0
add address=x.x.x.230/24 interface=ether1-Wan network=x.x.x.0
add address=x.x.x.231/24 interface=ether1-Wan network=x.x.x.0
add address=x.x.x.232/24 interface=ether1-Wan network=x.x.x.0
add address=x.x.x.235/24 interface=ether1-Wan network=x.x.x.0
add address=x.x.x.233/24 interface=ether1-Wan network=x.x.x.0
add address=x.x.x.234/24 interface=ether1-Wan network=x.x.x.0
add address=x.x.x.236/24 interface=ether1-Wan network=x.x.x.0
add address=x.x.x.237/24 interface=ether1-Wan network=x.x.x.0
/ip dns
set servers=11.200.0.20
/ip firewall address-list
add address=11.200.0.20 list=DNSServers
add address=x.x.x.195 list=VPNAllowed
add address=x.x.x.2 list=VPNAllowed
add address=11.200.0.11 list="Port Forward Servers"
add address=11.200.0.109 list="Port Forward Servers"
add address=11.200.0.19 list="Port Forward Servers"
add address=11.200.0.28 list="Port Forward Servers"
add address=11.200.0.27 list="Port Forward Servers"
/ip firewall filter
add action=add-src-to-address-list address-list=Syn_Flooder address-list-timeout=30m chain=input comment="Add Syn Flood IP to the list" \
connection-limit=30,32 protocol=tcp tcp-flags=syn
add action=drop chain=forward comment="Drop 10.0.0.0 range from the MK Interface" src-address=10.0.0.0/8
add action=drop chain=input comment="Drop to syn flood list" src-address-list=Syn_Flooder
add action=add-src-to-address-list address-list=Port_Scanner address-list-timeout=1w chain=input comment="Port Scanner Detect" protocol=tcp psd=\
21,3s,3,1
add action=drop chain=input comment="Drop to port scan list" src-address-list=Port_Scanner
add action=jump chain=input comment="Jump for icmp input flow" jump-target=ICMP protocol=icmp
add chain=input dst-port=8291 protocol=tcp src-address=x.x.x.195
add chain=input dst-port=8291 protocol=tcp src-address=11.0.0.0/8
add action=drop chain=input comment=\
"Block all access to the winbox - except to support list # DO NOT ENABLE THIS RULE BEFORE ADD YOUR SUBNET IN THE SUPPORT ADDRESS LIST" \
dst-port=8291 in-interface=ether1-Wan protocol=tcp src-address-list=!support
add action=jump chain=forward comment="Jump for icmp forward flow" jump-target=ICMP protocol=icmp
add action=drop chain=forward comment="Drop to bogon list" dst-address-list=bogons
add action=add-src-to-address-list address-list=spammers address-list-timeout=3h chain=forward comment="Add Spammers to the list for 3 hours" \
connection-limit=30,32 dst-port=25,587 limit=30/1m,0 protocol=tcp
add action=drop chain=forward comment="Avoid spammers action" dst-port=25,587 protocol=tcp src-address-list=spammers
add chain=input comment="Accept to established connections" connection-state=established
add chain=input comment="Accept to related connections" connection-state=related
add chain=input comment="Full access to SUPPORT address list" src-address-list=support
add chain=ICMP comment="Echo request - Avoiding Ping Flood" icmp-options=8:0 limit=1,5 protocol=icmp
add chain=ICMP comment="Echo reply" icmp-options=0:0 protocol=icmp
add chain=ICMP comment="Time Exceeded" icmp-options=11:0 protocol=icmp
add chain=ICMP comment="Destination unreachable" icmp-options=3:0-1 protocol=icmp
add chain=input comment="Allow - VPN PPTP from selected IP" dst-port=1723 protocol=tcp src-address-list=VPNAllowed
add chain=input comment="Allow - VPN GRE from selected IP" protocol=gre src-address-list=VPNAllowed
add chain=forward comment="Allow - DNS Servers" dst-port=53 protocol=udp src-address-list=DNSServers
add chain=ICMP comment=PMTUD icmp-options=3:4 protocol=icmp
add action=jump chain=output comment="Jump for icmp output" jump-target=ICMP protocol=icmp
add chain=forward port=3389 protocol=tcp src-address=11.200.0.50
add chain=forward comment="Allow - Port Forward Servers 80/443" port=80,443 protocol=tcp src-address-list="Port Forward Servers"
add chain=forward comment="Allow VPN to Site Traffic" dst-address=11.0.0.0/8 src-address=11.0.0.0/8
add chain=forward comment="Allow - Default http/https" disabled=yes dst-port=80,443 protocol=tcp src-address=11.0.0.0/8
add action=drop chain=ICMP comment="Drop to the other ICMPs" protocol=icmp
add action=drop chain=forward src-address=11.0.0.0/8
add action=drop chain=input in-interface=ether1-Wan log=yes
add chain=forward port=3389 protocol=tcp src-address=11.200.0.11
/ip firewall nat
add action=dst-nat chain=dstnat comment="Incomming - AIMSRV - 80" dst-address=x.x.x.233 dst-port=80 in-interface=ether1-Wan protocol=tcp \
to-addresses=11.200.0.11 to-ports=80
add action=dst-nat chain=dstnat comment="Incomming - AIMSRV - 443" dst-address=x.x.x.233 dst-port=443 in-interface=ether1-Wan protocol=tcp \
to-addresses=11.200.0.11 to-ports=443
add action=dst-nat chain=dstnat comment="Incomming - ADFS - 80" dst-address=x.x.x.229 dst-port=80 in-interface=ether1-Wan protocol=tcp \
to-addresses=11.200.0.109 to-ports=80
add action=dst-nat chain=dstnat comment="Incomming - ADFS - 443" dst-address=x.x.x.229 dst-port=443 in-interface=ether1-Wan log=yes \
protocol=tcp to-addresses=11.200.0.109 to-ports=443
add action=dst-nat chain=dstnat comment="Incomming - FIREFLY - 80" dst-address=x.x.x.237 dst-port=80 in-interface=ether1-Wan protocol=tcp \
to-addresses=11.200.0.19 to-ports=80
add action=dst-nat chain=dstnat comment="Incomming - FIREFLY - 443" dst-address=x.x.x.237 dst-port=443 in-interface=ether1-Wan protocol=tcp \
to-addresses=11.200.0.19 to-ports=443
add action=dst-nat chain=dstnat comment="Incomming - LIBRARY - 80" dst-address=x.x.x.231 dst-port=80 in-interface=ether1-Wan protocol=tcp \
to-addresses=11.200.0.28 to-ports=80
add action=dst-nat chain=dstnat comment="Incomming - LIBRARY - 443" dst-address=x.x.x.231 dst-port=443 in-interface=ether1-Wan protocol=tcp \
to-addresses=11.200.0.28 to-ports=443
add action=dst-nat chain=dstnat comment="Incomming - RDS1 - 443" dst-address=x.x.x.232 dst-port=443 in-interface=ether1-Wan protocol=tcp \
to-addresses=11.200.0.27 to-ports=443
add action=dst-nat chain=dstnat comment="Incomming - RDS1 - 80" dst-address=x.x.x.232 dst-port=80 in-interface=ether1-Wan protocol=tcp \
to-addresses=11.200.0.27 to-ports=80
add action=dst-nat chain=dstnat comment="Incomming - Win2k12dpm 3389 from Supplier" dst-address=x.x.x.232 dst-port=3389 in-interface=ether1-Wan \
protocol=tcp src-address=x.x.x.195 to-addresses=11.200.0.50 to-ports=3389
add action=masquerade chain=srcnat out-interface=ether1-Wan
/ip route
add distance=1 gateway=x.x.x.238
/ppp secret
add name=vpnusers1 password="password1" profile=pptp service=pptp
add name=vpnuser2 password=password2 profile=pptp service=pptp
/system clock
set time-zone-autodetect=no
/system logging
add action=disk topics=firewall
/tool user-manager database
set db-path=user-manager
[admin@MikroTik] >

Re: filtering pptp srv/client bridge

Posted: Thu Jul 27, 2017 1:28 pm
by pukkita
I cannot guess how this setup could end up with duplicated IPs, but after seeing 11.200... I understand the scenario and your wish to simply filter it out and be done with it.

You can filter directly in the bridge; make sure you select MAC protocol 800 (IP), which will enable using IP addresses as criteria for the bridge filter.

Re: filtering pptp srv/client bridge

Posted: Thu Jul 27, 2017 2:32 pm
by TimGuyUK
> I cannot guess how this setup could end up with duplicated IPs, but after seeing 11.200... I understand the scenario and your wish to simply filter it out and be done with it.
>
> You can filter directly in the bridge; make sure you select MAC protocol 800 (IP), which will enable using IP addresses as criteria for the bridge filter.

It's driving me bananas.

Can you suggest a bridge filter? I'm trying lots of things, but I can still see the 10.0.0.0 addresses appearing in the bridge when I torch.

I've also tried input instead of forward, and I've tried various in-bridge / out-bridge and in-interface / out-interface combinations.

/interface bridge filter
# bad packet mark
add action=drop chain=forward in-bridge=pptpbridge ingress-priority=0 mac-protocol=ip packet-mark="" src-address=10.0.0.250/32
# bad packet mark
add action=drop chain=forward ingress-priority=0 mac-protocol=ip packet-mark="" src-address=10.0.0.250/32
# bad packet mark
add action=drop chain=forward ingress-priority=0 mac-protocol=ip packet-mark="" src-address=10.0.0.110/32
# bad packet mark
add action=drop chain=forward ingress-priority=0 mac-protocol=ip packet-mark="" src-address=10.0.0.124/32

Re: filtering pptp srv/client bridge

Posted: Thu Jul 27, 2017 3:58 pm
by pukkita
/interface bridge filter
add action=drop chain=input in-bridge=pptp mac-protocol=ip src-address=10.0.0.0/8
add action=drop chain=output dst-address=10.0.0.0/8 mac-protocol=ip out-bridge=pptp
add action=drop chain=forward in-bridge=pptp mac-protocol=ip src-address=10.0.0.0/8
add action=drop chain=forward dst-address=10.0.0.0/8 mac-protocol=ip out-bridge=pptp
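As an added worked example (not from the thread or from either poster), here is a fuller version of the bridge filter set above, with logging so the drops can be seen, and the verification commands a practitioner would run afterwards. It assumes the bridge is named `pptp` and the LAN port is `ether2-Lan`, as in the export earlier in the thread; the `log-prefix` strings, the ARP rules and the proxy-ARP check are my own additions. Note that the rules in the earlier attempt carried `packet-mark=""`, which is what produced the `# bad packet mark` comments on export; the rules below set no packet mark.

```routeros
# Added example, not configuration from the thread.
# Assumptions: bridge name "pptp", LAN port "ether2-Lan", addresses as in the export.

# Bridge filters only see the IP header once mac-protocol=ip (EtherType 0x0800) is
# selected; without it the src-address/dst-address fields are greyed out in Winbox.
# Logging each drop gives the customer a record of which host is still emitting 10.x traffic.
/interface bridge filter
add chain=input   in-bridge=pptp  mac-protocol=ip src-address=10.0.0.0/8 action=drop log=yes log-prefix="bridge-drop-in"
add chain=output  out-bridge=pptp mac-protocol=ip dst-address=10.0.0.0/8 action=drop log=yes log-prefix="bridge-drop-out"
add chain=forward in-bridge=pptp  mac-protocol=ip src-address=10.0.0.0/8 action=drop log=yes log-prefix="bridge-drop-fwd"
add chain=forward out-bridge=pptp mac-protocol=ip dst-address=10.0.0.0/8 action=drop log=yes log-prefix="bridge-drop-fwd"

# ARP is a different EtherType (0x0806) and is NOT matched by the four IP rules above.
# If the conflict is an ARP reply carrying the bridge MAC, these are the frames to stop.
add chain=input   in-bridge=pptp  mac-protocol=arp arp-dst-address=10.0.0.0/8 action=drop log=yes log-prefix="bridge-drop-arp"
add chain=forward in-bridge=pptp  mac-protocol=arp arp-dst-address=10.0.0.0/8 action=drop log=yes log-prefix="bridge-drop-arp"

# Check (my inference, not stated in the thread): the export has arp=proxy-arp on the
# bridge. A proxy-ARP interface answers ARP requests with its own MAC for any address
# the router has a route to, and a default route covers 10.0.0.0/8. Turning proxy-ARP
# off is the safer default unless it is needed for the PPTP clients.
/interface bridge set [find name=pptp] arp=enabled

# Why the earlier /ip firewall filter rule never matched: frames forwarded by a bridge
# bypass the IP firewall entirely unless this is enabled. Leave it off when the bridge
# filter does the job; it is listed here only to explain the symptom.
# /interface bridge settings set use-ip-firewall=yes

# Verification: per-rule hit counters, the logged drops, and a live view of anything
# in 10.0.0.0/8 still crossing the bridge.
/interface bridge filter print stats
/log print where message~"bridge-drop"
/tool torch interface=pptp src-address=10.0.0.0/8 dst-address=0.0.0.0/0
```

The `print stats` counters are the quickest confirmation: a rule whose counter stays at zero is either not matching the frames (wrong chain or missing `mac-protocol`) or the traffic is not actually traversing the bridge. If the IP rules count but the ARP rules do not, the conflict is not coming from ARP through this bridge and the loop suspicion raised later in the thread is worth pursuing.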

Re: filtering pptp srv/client bridge

Posted: Fri Jul 28, 2017 12:44 pm
by TimGuyUK
> /interface bridge filter
> add action=drop chain=input in-bridge=pptp mac-protocol=ip src-address=10.0.0.0/8
> add action=drop chain=output dst-address=10.0.0.0/8 mac-protocol=ip out-bridge=pptp
> add action=drop chain=forward in-bridge=pptp mac-protocol=ip src-address=10.0.0.0/8
> add action=drop chain=forward dst-address=10.0.0.0/8 mac-protocol=ip out-bridge=pptp

The first rule is catching stuff straight away. I'm sure I had something similar, but obviously similar was not good enough!

Still not solved the issue. It's weird: bridge on, no 10.0.0.0 traffic; bridge off, 10.0.0.0 traffic flowing. I've had to go back to a routed VPN and disable the bridge; it's the only way I can get these devices to stay up. I'll have to visit the site and see what else is going on outside of the MK.

Thanks for your help, the bridge rules certainly did the job of blocking traffic.

Cheers

Tim

Re: filtering pptp srv/client bridge

Posted: Fri Jul 28, 2017 12:50 pm
by pukkita
Wouldn't they have another bridged tunnel elsewhere that may be causing a loop?

Re: filtering pptp srv/client bridge

Posted: Fri Jul 28, 2017 12:55 pm
by TimGuyUK
> Wouldn't they have another bridged tunnel elsewhere that may be causing a loop?

Possibly. They have a Ruckus wireless network that could have some kind of bridge in it. The workstations go out via a SonicWALL appliance that I don't have access to. That is purely for web traffic and filtering, but it might have other options enabled.

We've done as much as we can with the MK. Thanks for all your great advice and for helping me out.

Tim