Community discussions

MikroTik App
 
n5mbm
just joined
Topic Author
Posts: 5
Joined: Sat Aug 18, 2018 5:51 pm

Need help making a RB2011 pass outside IP address info to local LAN addresses

Sat Aug 18, 2018 6:11 pm

I have a RB2011UiAS-RM That has been configured for years and has been working well. However, I have a pesky little problem with some Linux based Asterisk servers on my local LAN needing to know what the outside IP address is of connections coming in...

I have a static outside IP address with a simple 192.168.1.x local LAN address scheme.

The Linux servers on my local LAN report something like “Remote connection from 192.168.1.1” (my gateway local LAN address) when I want it to report the actual real world outside IP address coming in so I know where it actually came from in my logs and proper operation...

I have googled until my eyes bled and I still have no clue how to “pass” the correct info to my LAN based Linux servers...

I am using mulitple Raspberry Pi Linux Asterisk boxes connected to ham radios that talk all over the globe. And those Asterisk boxes really want to hear where those outside IP addresses are coming from because that tells them what “nodes” are talking to it. For them to only hear my local 192.168.1.1 gateway address is unacceptable for them to know who they are really talking to...

I am hoping there is a simple configuration line in my filter rules I have inadvertently missed to make this work properly...

Any help would be appreciated!

Bill - N5MBM
www.n5mbm.net
 
mkx
Forum Guru
Forum Guru
Posts: 3943
Joined: Thu Mar 03, 2016 10:23 pm

Re: Need help making a RB2011 pass outside IP address info to local LAN addresses

Sat Aug 18, 2018 11:40 pm

My guess is that there's some error in NAT rules, proper DST-NAT rules pass remote IP unchanged to internal host. But we'll never know unless you post configuration export from RB2011 with sensitive data obfuscated.
BR,
Metod
 
n5mbm
just joined
Topic Author
Posts: 5
Joined: Sat Aug 18, 2018 5:51 pm

Re: Need help making a RB2011 pass outside IP address info to local LAN addresses

Sun Aug 19, 2018 12:13 am

I'm not sure how to do what you ask for... I am using Winbox to access my router and I don't see an option to output my config to something that is readabl and editable - (that doesn't mean it isn't there, I just don't know where it is...).

I wouldn't be surprised if it is something that is fat fingered or misconfigured.

Bill
 
mkx
Forum Guru
Forum Guru
Posts: 3943
Joined: Thu Mar 03, 2016 10:23 pm

Re: Need help making a RB2011 pass outside IP address info to local LAN addresses

Sun Aug 19, 2018 12:25 am

I'm not using Winbox, so I can't give you direct advice. Console comand
/ip firewall export hide-sensitive
will export only firewall configuration.
BR,
Metod
 
n5mbm
just joined
Topic Author
Posts: 5
Joined: Sat Aug 18, 2018 5:51 pm

Re: Need help making a RB2011 pass outside IP address info to local LAN addresses

Sun Aug 19, 2018 3:23 pm

Thanks, I ran the command and WOW, that's a lot of info!

But here ya go....

Bill - N5MBM
You do not have the required permissions to view the files attached to this post.
 
szt
just joined
Posts: 19
Joined: Mon Aug 06, 2018 9:43 pm
Location: Olomouc, Czech Republic
Contact:

Re: Need help making a RB2011 pass outside IP address info to local LAN addresses

Sun Aug 19, 2018 4:51 pm

Some bad news - your configuration deserves some fixes due to security reasons (and some simplifications to make it more readable, too.)

First of all,
add action=accept chain=forward comment="defconf:  drop all from WAN not DSTNATed" connection-nat-state=!dstnat connection-state=invalid in-interface=\
    all-ethernet
makes no sense (please note the line begins with "allow", but there is "drop" in comment - solely this fact indicates that this line is nonsense), it should be:
add action=drop chain=forward comment="defconf:  drop all from WAN not DSTNATed" connection-nat-state=!dstnat connection-state=new in-interface=ether1
This will block any incoming unwanted traffic on ether1, and it will make your configuration's "blacklist" and "attack" filters unnecessary. Now your current config is not effectively filtering incoming traffic and for example you winbox (tcp8291) port is fully accessible from the internet.

Using "blacklist" in your configuration is obscure, your router must be secured to be immune of attack from any IP, not only from a few blacklisted. (You have "china" blacklist, but not "DPKR" blacklist, do you really believe that there are no rogue hackers/bots in DPKR ? Obviously there are millions rogue IPs worldwide, it is not possible to blacklist them all.)

So, it is necessary to secure your firewall rules first.
Secondly, it will be possible to delete all the "blacklists", which are quite ineffective, and only makes you configuration unnecessarily complicated and hard to read.
Then it would be possible to repair your NAT problem.

And some good news - the line which causes the issue you are asking for solution is
add action=masquerade chain=srcnat comment="Masquerade inbound" to-addresses=192.168.1.61
(this line causes all traffic to 192.168.1.61 to be masqueraded, so it seems to be from 192.168.1.1 ), but this line is the smallest problem in your configuration. Let's fix the security and readability issues first.

Additional (randomly picked) errors and weird lines:
add action=dst-nat chain=dstnat comment="Email IMAP listener port" dst-address=209.112.233.252 dst-port=143 protocol=tcp to-addresses=192.168.1.67 \
allows port tcp/143 for unsecured/unencrypted IMAP. Are you sure you want to use unsecured IMAP on port 143 instead of secured 993 port ? (google "IMAP uses port 143, but SSL/TLS encrypted IMAP uses port 993")
 
n5mbm
just joined
Topic Author
Posts: 5
Joined: Sat Aug 18, 2018 5:51 pm

Re: Need help making a RB2011 pass outside IP address info to local LAN addresses

Sun Aug 19, 2018 10:52 pm

Thanks for your help szt!

I fixed the first line you mentioned with the first fix that you posted and everything is still up and running and nothing seems to be “broke” for the time being... So I am happy...

Honestly, I am not a MikroTik guy. I was trained on Cisco and Nortel gear – but that was a long time ago and my router skills aren't what they used to be – (I'm retired!).

All that stuff with black lists and stuff was my desperate attempt at shutting the door on a BUNCH of traffic from overseas into my mail server several years ago. I was literally getting hammered SO hard that it was totally taking up my 8mbps internet connection. Strangling it to the point that even simple web cruising from here was a real pain in the assets....

So I made an admittedly clumsy attempt at blocking traffic from entire regions of the world – especially those that filled up my logs with failed attempts to login.

I am ALWAYS up for a much more simpler solution! Thank you!

As to you second posting about “the solution”, I am not following you on this...
“add action=masquerade chain=srcnat comment="Masquerade inbound" to-addresses=192.168.1.61“

I have several VOIP servers that need to see the real world IP addresses coming in on my internet lan port... not just 192.168.1.61.

Also I had to leave port 143 open to be able to send email to gmail users after some issues we gave up and left that port open.

Thank you again for your help!

Bill – N5MBM
 
szt
just joined
Posts: 19
Joined: Mon Aug 06, 2018 9:43 pm
Location: Olomouc, Czech Republic
Contact:

Re: Need help making a RB2011 pass outside IP address info to local LAN addresses

Sun Aug 19, 2018 11:45 pm

Thanks for your explanation and report, so let's correct another bugs in your config.
add action=accept chain=input comment="defconf: drop all from WAN" in-interface=all-ethernet
is another buggy rule - first of all, like some rule mentioned in my previous post, this rule has also comment (drop) which does not corelate with the rule's action (accept).

This rule accepts all input traffic from all ethernets (included ether1, which is WAN for you). And it is the third line in your input chain, just before any drop rule. So, it allows literally all incoming traffic from the internet. So, rule
add action=drop chain=forward comment="defconf:  drop all from WAN not DSTNATed" connection-nat-state=!dstnat connection-state=new in-interface=ether1
should be moved upwards just before mentioned rule, to take a chance to have some effect. (Please note that when Mikrotik processes the rules, it stops processing on first matching rule. Generally, any such benevolent ("accept all" type) rule should not be at the top of firewall chain.

To make your config more readable:

I understand that some of the "blacklist" are now obsolete, could you please delete all the obsolete lines from your config (but safely-only those you are 100% sure that they are obsolete now) ?
Could you please correct all the firewall rules comments to corelate the comments to the firewall rules itself ? (or add "???" to the comment string when unsure about the rule meaning) ?

Then please export actual config and post it here again.

About the
add action=masquerade chain=srcnat comment="Masquerade inbound" to-addresses=192.168.1.61“"
rule:

You have this line in your exported config (line 111), what is the intended meaning of this line (how do you understand this rule)? Or, theoretically, what do you expect to happen if you delete this line?

About port 143-IMAP protocol is protocol for reading email, not for email delivery. Additionally, gmail does not nowadays support unsecured IMAP at port 143 (see https://support.google.com/mail/answer/7126229?hl=en, it supports only 993), there is no link between gmail and unencrypted IMAP. So, gmail can not be the reason to keep port 143 open. Unencrypted service (e.g.IMAP) is such security risk that it deserves further investigation why is it necessary.
 
n5mbm
just joined
Topic Author
Posts: 5
Joined: Sat Aug 18, 2018 5:51 pm

Re: Need help making a RB2011 pass outside IP address info to local LAN addresses

Mon Aug 20, 2018 1:34 am

I changed the masquerade - if I remove it completely my internal network can't resolve my own domains network addresses from the internet.

I also moved some of the disabled entries. They are now down at the bottom of things to make it more readable.

I hesitate to take out some of the country list blacklists as I am still seeing traffic hit the front end of the router from time to time... But not much lately.

Here's the updated config output - please tell me what you think...

Bill - N5MBM
You do not have the required permissions to view the files attached to this post.

Who is online

Users browsing this forum: No registered users and 142 guests