pamir199191
just joined
Topic Author
Posts: 13
Joined: Mon May 15, 2017 1:33 pm

Problem on 6.37.5 version

Thu Feb 21, 2019 8:13 am

Good day,
When I turned on the input and output rules on the firewall, the IPSec clients can't connect through the proxy on port 3128 to any sites. The proxy is on the LAN interface of the MikroTik. Ping is going through and port 3128 is responding too, but sites do not open. After disabling the input and output filters with the drop action, it works fine.

The proxy traffic depends on the forward rules, so why do the input and output rules block it? Is it a bug? Can you please suggest a stable version at the moment?

Also please see the input and output traffic from logs (Screenshot 1).
1.155.2.155 - MikroTik WAN-IP
192.168.43.252 - Branch user IP over IPSec
192.168.207.2 - Branch user IP over IPSec

See forward traffic from client to proxy and vice versa. (Screenshot 2)
1.1.1.1 Proxy Server IP
192.168.37.5 Branch user IP over IPSec
 
anav
Forum Guru
Posts: 19325
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Problem on 6.37.5 version

Thu Feb 21, 2019 6:09 pm

Please post config
/export hide-sensitive file=yourconfig

It's not even clear what the topology is or what device you are talking about.
Also, why are you so far behind in firmware updates?
 
pamir199191
just joined
Topic Author
Posts: 13
Joined: Mon May 15, 2017 1:33 pm

Re: Problem on 6.37.5 version

Fri Feb 22, 2019 5:51 am

I upgraded to 6.40.6 with 6.41 firmware. The problem is the same.
Topology on screenshot 2.

After activating the input and output drop rules, proxy sites do not open.

0 ;;; IPSec rule on WAN
chain=input action=accept src-address=1.1.1.2 dst-address=1.1.1.1 log=no log-prefix=""

1 chain=output action=accept src-address=1.1.1.1 dst-address=1.1.1.2 log=no log-prefix=""

2 ;;; Access to Proxy Server
chain=forward action=accept src-address=2.2.2.1 dst-address=5.5.5.2 log=no log-prefix=""

3 chain=forward action=accept src-address=5.5.5.2 dst-address=2.2.2.1 log=no log-prefix=""

4 chain=input action=drop log=no log-prefix=""

5 chain=output action=drop log=no log-prefix=""

6 chain=forward action=drop log=no log-prefix=""

Topology
Screenshot 3.png
 
BartoszP
Forum Guru
Posts: 2879
Joined: Mon Jun 16, 2014 1:13 pm
Location: Poland

Re: Problem on 6.37.5 version

Fri Feb 22, 2019 9:48 pm

Do you really use these public IPs in your configuration?
 
pamir199191
just joined
Topic Author
Posts: 13
Joined: Mon May 15, 2017 1:33 pm

Re: Problem on 6.37.5 version

Mon Feb 25, 2019 5:01 am

No, other IPs are used.
 
pamir199191
just joined
Topic Author
Posts: 13
Joined: Mon May 15, 2017 1:33 pm

Re: Problem on 6.37.5 version

Mon Feb 25, 2019 10:56 am

After creating an output filter rule from 2.2.2.2 to 2.2.2.1 on the MikroTik CCR1036, it is working.

From 5.5.5.2 to 2.2.2.1, after adding the above filter rule, it is now working.

As you know, the traffic depends on the forward filter rule from 5.5.5.2 to 2.2.2.1 on the MikroTik CCR1036, but without the output rule it is not working. Why? Is it a bug?
