error0024
just joined
Topic Author
Posts: 9
Joined: Tue Jan 03, 2017 11:42 am

Issues with my setup

Mon Jun 10, 2019 4:48 pm

Hi guys,
I am currently running MikroTik RB4011, with 3 different ISPs.
The setup is as follows: they're all connected via PPPoE, with 1 static and 2 dynamic IPs.

I'm having an issue with the NAT somehow, since my static IP will be outside the NAT and only used to run the servers, while the dynamic ones will be used for internet browsing etc.
So the setup is like this:

Public IP WAN (xx.xx.xx.xx) -> Direct to the server via Ether3
Dynamic IP WAN (xx.xx.xx.xx) -> NAT to all local networks via Ether1-LAN.
Therefore, when I am using the PC within the NAT to connect directly to the Public IP, it's not loading at all.
[Attachment: SCS.jpg]
Thanks!
 
sindy
Forum Guru
Posts: 3811
Joined: Mon Dec 04, 2017 9:19 pm

Re: Issues with my setup

Mon Jun 10, 2019 7:43 pm

I'm not sure what you mean by having the public IP outside NAT, but google this site for "hairpin NAT": client access to a public IP whose dst-nat points to a server in the same internal subnet from which the client connects is a frequently encountered scenario.
Instead of writing novels, post /export hide-sensitive. Use find&replace in your favourite text editor to systematically replace all occurrences of each public IP address potentially identifying you by a distinctive pattern such as my.public.ip.1.
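An added example (not from the post above) of the hairpin NAT pattern sindy is pointing at, written as RouterOS v6 firewall rules. The public address my.public.ip.1, the LAN 192.168.1.0/24, the WAN interface pppoe-wan, the LAN bridge bridge-lan and the server 192.168.1.10:443 are placeholders assumed for illustration, not values from this thread.

```routeros
# Hairpin NAT on RouterOS v6 (added example; every address and interface name is assumed)
#
# 1. The port forward. Match on the public address, NOT on in-interface=<WAN>:
#    a LAN client that connects to my.public.ip.1 arrives on the LAN interface,
#    so a rule keyed on in-interface=WAN would never translate its packets.
/ip firewall nat
add chain=dstnat action=dst-nat comment="web server, reachable from WAN and LAN" \
    dst-address=my.public.ip.1 protocol=tcp dst-port=443 \
    to-addresses=192.168.1.10 to-ports=443

# 2. Ordinary outbound NAT for the LAN.
add chain=srcnat action=masquerade out-interface=pppoe-wan src-address=192.168.1.0/24

# 3. The hairpin itself. After dst-nat, a LAN->LAN connection would reach the
#    server with the client's LAN source address; the server would then reply
#    straight to the client, which sent its SYN to my.public.ip.1 and drops a
#    SYN/ACK from 192.168.1.10. Rewriting the source to the router's LAN address
#    forces the reply back through the router, where conntrack undoes both NATs.
add chain=srcnat action=masquerade comment=hairpin \
    src-address=192.168.1.0/24 dst-address=192.168.1.10 \
    protocol=tcp dst-port=443 out-interface=bridge-lan
```

Two caveats a practitioner should keep in mind. First, with a dynamic PPPoE address, dst-address=my.public.ip.1 cannot be hard-coded; the usual substitute, dst-address-type=local, also matches the router's own LAN address, so clients hitting 192.168.1.1:443 would be forwarded to the server as well, and the rule should then be narrowed with in-interface or dst-port. Second, the hairpin masquerade hides the real client addresses from the server: every LAN client appears in the server's logs as the router's LAN IP, which matters for audit trails and per-client rate limiting.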
 
error0024
just joined
Topic Author
Posts: 9
Joined: Tue Jan 03, 2017 11:42 am

Re: Issues with my setup

Tue Jun 11, 2019 11:13 am

sindy wrote:
> I'm not sure what you mean by having the public IP outside NAT, but google this site for "hairpin NAT": client access to a public IP whose dst-nat points to a server in the same internal subnet from which the client connects is a frequently encountered scenario.
Hi Sindy,

Thanks for your help on this matter. I've tried applying the hairpin NAT, however it doesn't seem to apply to my current situation. The reason is that hairpin NAT only works when the server is hosted behind the router and NATted directly. For my problem, my local network is all NATted, while the static IP server is not NATted (i.e. directly on the internet).
 
sindy
Forum Guru
Posts: 3811
Joined: Mon Dec 04, 2017 9:19 pm

Re: Issues with my setup

Tue Jun 11, 2019 11:26 am

Post your configuration, following the anonymisation hint in my automatic signature below, and a description or drawing of the setup - to which port of the Mikrotik the uplink, the server, and the client PC from which you try to access the server are connected. To me, "direct to internet" means that you've used the Mikrotik to bridge the uplink with the interface of a single server, but you've mentioned a single public address and multiple servers.
 
error0024
just joined
Topic Author
Posts: 9
Joined: Tue Jan 03, 2017 11:42 am

Re: Issues with my setup

Tue Jun 11, 2019 3:15 pm

sindy wrote:
> Post your configuration, following the anonymisation hint in my automatic signature below, and a description or drawing of the setup - to which port of the Mikrotik the uplink, the server, and the client PC from which you try to access the server are connected. To me, "direct to internet" means that you've used the Mikrotik to bridge the uplink with the interface of a single server, but you've mentioned a single public address and multiple servers.
Hi Sindy, below is the output of the export hide-sensitive command I issued.

P.S. please ignore my ...mistake in the drawing; it should be ether6 instead of ether5 for the fixed IP. Thanks!
# jun/11/2019 20:08:30 by RouterOS 6.43.10
# software id = PSI7-EAMH
#
# model = RB4011iGS+
# serial number = AAB00A13E45C
/interface bridge
add name=bridge1
/interface ethernet
set [ find default-name=ether6 ] name=Ether6-FixedMaxis100
set [ find default-name=ether8 ] name=Ether8-WAN3-Maxis4G
set [ find default-name=ether9 ] name=Ether9-WAN2-Maxis
set [ find default-name=ether10 ] name=Ether10-WAN1-UniFi
set [ find default-name=ether1 ] name=ether1-LAN
set [ find default-name=ether2 ] name=ether2-LAN2
set [ find default-name=ether3 ] name=ether3-DMZ
set [ find default-name=ether4 ] name=ether4-HPiLo
/interface vlan
add interface=Ether10-WAN1-UniFi name=vlan500 vlan-id=500
add interface=Ether9-WAN2-Maxis name=vlan621 vlan-id=621
add interface=Ether6-FixedMaxis100 name=vlan621-2 vlan-id=621
add name=vlan800 vlan-id=800
/interface pppoe-client
add disabled=no interface=vlan621 name=Maxis service-name=Maxis user=\
    
add add-default-route=yes disabled=no interface=vlan621-2 name=Maxis-Fixed \
    use-peer-dns=yes user=
add disabled=no interface=vlan500 name=UniFi service-name=UniFi use-peer-dns=\
    yes user=
/ip pool
add name=dhcp_pool4 ranges=192.168.1.100-192.168.1.230
add name=ipsec_vpn_pool ranges=192.168.102.2-192.168.102.100
/ip dhcp-server
add address-pool=dhcp_pool4 disabled=no interface=ether1-LAN name=dhcp1
/interface bridge port
add bridge=bridge1 interface=ether3-DMZ
/ip address
add address=192.168.1.1/24 interface=ether1-LAN network=192.168.1.0
add address=58.71.188.77/30 interface=ether3-DMZ network=58.71.188.76
/ip arp
add address=192.168.1.230 interface=ether1-LAN mac-address=00:0C:29:6A:C7:C6
add address=192.168.1.253 interface=ether1-LAN mac-address=00:0C:29:FA:8F:4C
add address=192.168.1.254 interface=ether1-LAN mac-address=00:01:2E:6C:B8:6B
add address=192.168.1.227 interface=ether1-LAN mac-address=00:0C:29:CD:95:10
/ip dhcp-server lease
add address=192.168.1.230 client-id=1:0:c:29:6a:c7:c6 mac-address=\
    00:0C:29:6A:C7:C6 server=dhcp1
/ip dhcp-server network
add address=192.168.1.0/24 dns-server=8.8.8.8,8.8.4.4,1.1.1.1,1.0.0.1 \
    gateway=192.168.1.1 netmask=24
/ip dns
set allow-remote-requests=yes servers="58.71.132.10,58.71.136.10,1.1.1.1,1.0.0\
    .1,208.188.18.188,1.9.1.9,8.8.8.8,8.8.4.4"
/ip firewall address-list
add address=192.168.1.1-192.168.1.254 list=allowed_to_router
add address=1.1.1.1 list=Allow_DNS
add address=1.0.0.1 list=Allow_DNS
add address=8.8.8.8 list=Allow_DNS
add address=8.8.4.4 list=Allow_DNS
/ip firewall filter
add action=accept chain=forward comment="WHM ---- START" dst-address=\
    58.71.188.78 dst-port=20,25,53,80,110,143,443,465,587,993,995,2087 \
    protocol=tcp
add action=accept chain=forward dst-address=58.71.188.78 dst-port=53 \
    protocol=udp
add action=accept chain=forward protocol=tcp src-address=58.71.188.78
add action=accept chain=forward comment="WHM ----- STOP" protocol=udp \
    src-address=58.71.188.78
add action=accept chain=input dst-port=500,1701,4500 in-interface=Maxis-Fixed \
    protocol=udp
add action=drop chain=input comment="dropping ping" icmp-options=8:0 \
    protocol=icmp
add action=drop chain=forward comment=dropping-ping-through icmp-options=8:0 \
    protocol=icmp
add action=accept chain=forward comment="SIP Connection" dst-address=\
    192.168.1.254 dst-port=5060 in-interface=Maxis-Fixed protocol=udp
add action=accept chain=forward dst-address=192.168.1.254 dst-port=\
    10000-40000 in-interface=Maxis-Fixed protocol=udp
add action=accept chain=forward dst-address=192.168.1.254 dst-port=5060-5061 \
    in-interface=Maxis-Fixed protocol=tcp
add action=accept chain=forward dst-address=192.168.1.254 dst-port=9999 \
    in-interface=Maxis-Fixed protocol=tcp
add action=accept chain=forward dst-address=192.168.1.254 dst-port=5000-5001 \
    in-interface=Maxis-Fixed protocol=tcp
add action=jump chain=forward comment=block-ddos connection-state=new \
    jump-target=detect-ddos
add action=return chain=detect-ddos dst-limit=32,32,src-and-dst-addresses/10s
add action=return chain=detect-ddos src-address=192.168.1.254
add action=return chain=detect-ddos src-address=192.168.1.253
add action=add-dst-to-address-list address-list=ddosed address-list-timeout=\
    10m chain=detect-ddos
add action=add-src-to-address-list address-list=ddoser address-list-timeout=\
    10m chain=detect-ddos
add action=drop chain=forward connection-state=new dst-address-list=ddosed \
    src-address-list=ddoser
add action=drop chain=forward comment="forward -> through the router" \
    dst-port=443 protocol=udp
add action=drop chain=input comment=\
    "Drop new connections from blacklisted IP's to this router" \
    connection-state=new src-address-list=blacklist
add action=drop chain=forward comment=\
    "Drop new connections from blacklisted IP's through router" \
    connection-state=new src-address-list=blacklist
add action=jump chain=forward comment="SYN Flood protect - through" \
    connection-state=new jump-target=SYN-Protect protocol=tcp tcp-flags=syn
add action=jump chain=input comment="SYN Flood protect - input" \
    connection-state=new jump-target=SYN-Protect protocol=tcp tcp-flags=syn
add action=accept chain=SYN-Protect connection-state=new limit=400,5:packet \
    protocol=tcp tcp-flags=syn
add action=drop chain=SYN-Protect connection-state=new protocol=tcp \
    tcp-flags=syn
add action=drop chain=forward comment="Drop invalid" connection-state=invalid
add action=accept chain=input comment="default configuration" \
    connection-state=established,related
add action=accept chain=forward comment="Established, Related" \
    connection-state=established,related
add action=accept chain=forward comment="Allow client LAN traffic out WAN" \
    out-interface=UniFi src-address=192.168.1.254
add action=accept chain=forward comment="Allow client LAN traffic out WAN" \
    out-interface=Maxis src-address=192.168.1.253
add action=accept chain=forward comment="Allow client LAN traffic out WAN" \
    out-interface=Maxis-Fixed src-address=192.168.102.0/24
add action=drop chain=forward comment=\
    "Drop incoming packets that are not NATted" connection-nat-state=!dstnat \
    connection-state=new in-interface=Maxis-Fixed log-prefix=!NAT
add action=drop chain=forward comment=\
    "Drop incoming packets that are not NATted" connection-nat-state=!dstnat \
    connection-state=new in-interface=Maxis log-prefix=!NAT
add action=drop chain=forward comment=\
    "Drop incoming packets that are not NATted" connection-nat-state=!dstnat \
    connection-state=new in-interface=UniFi log-prefix=!NAT
add action=drop chain=forward comment=\
    "Drop incoming from internet which is not public IP" in-interface=\
    Maxis-Fixed log-prefix=!public src-address-list=not_in_internet
add action=drop chain=forward comment=\
    "Drop incoming from internet which is not public IP" in-interface=UniFi \
    log-prefix=!public src-address-list=not_in_internet
add action=drop chain=forward comment=\
    "Drop incoming from internet which is not public IP" in-interface=Maxis \
    log-prefix=!public src-address-list=not_in_internet
add action=drop chain=forward comment=\
    "Drop packets from LAN that do not have LAN IP" in-interface=Maxis-Fixed \
    log-prefix=LAN_!LAN src-address=!192.168.1.0/24
add action=drop chain=forward comment=\
    "Drop packets from LAN that do not have LAN IP" in-interface=UniFi \
    log-prefix=LAN_!LAN src-address=!192.168.1.0/24
add action=drop chain=forward comment=\
    "Drop packets from LAN that do not have LAN IP" in-interface=Maxis \
    log-prefix=LAN_!LAN src-address=!192.168.1.0/24
add action=drop chain=udp comment="deny TFTP - ALL UDP PORTS" dst-port=69 \
    protocol=udp
add action=drop chain=udp comment="deny RPC portmapper" dst-port=111 \
    protocol=udp
add action=drop chain=udp comment="deny RPC portmapper" dst-port=135 \
    protocol=udp
add action=drop chain=udp comment="deny NBT" dst-port=137-139 protocol=udp
add action=drop chain=udp comment="deny NFS" dst-port=2049 protocol=udp
add action=drop chain=udp comment="deny BackOrifice" dst-port=3133 protocol=\
    udp
add action=add-src-to-address-list address-list=Syn_Flooder \
    address-list-timeout=30m chain=input comment=\
    "Add Syn Flood IP to the list NEW" connection-limit=30,32 protocol=tcp \
    tcp-flags=syn
add action=drop chain=input comment="Drop to syn flood list" \
    src-address-list=Syn_Flooder
add action=add-src-to-address-list address-list=Port_Scanner \
    address-list-timeout=1w chain=input comment="Port Scanner Detect" \
    protocol=tcp psd=21,3s,3,1
add action=drop chain=input comment="Drop to port scan list" \
    src-address-list=Port_Scanner
add action=jump chain=input comment="Jump for icmp input flow" jump-target=\
    ICMP protocol=icmp
add action=jump chain=forward comment="Jump for icmp forward flow" \
    jump-target=ICMP protocol=icmp
add action=drop chain=forward comment="Drop to bogon list" dst-address-list=\
    bogons
add action=add-src-to-address-list address-list=spammers \
    address-list-timeout=3h chain=forward comment=\
    "Add Spammers to the list for 3 hours" connection-limit=30,32 dst-port=\
    25,587 limit=30/1m,0:packet protocol=tcp
add action=drop chain=forward comment="Avoid spammers action" dst-port=25,587 \
    protocol=tcp src-address-list=spammers
add action=accept chain=input comment="Accept DNS - UDP" port=53 protocol=udp
add action=accept chain=input comment="Accept DNS - TCP" port=53 protocol=tcp
add action=accept chain=input comment="Accept to established connections" \
    connection-state=established
add action=accept chain=input comment="Accept to related connections" \
    connection-state=related
add action=accept chain=input comment="Full access to SUPPORT address list" \
    src-address-list=support
add action=accept chain=ICMP comment="Echo request - Avoiding Ping Flood" \
    icmp-options=8:0 limit=1,5:packet protocol=icmp
add action=accept chain=ICMP comment="Echo reply" icmp-options=0:0 protocol=\
    icmp
add action=accept chain=ICMP comment="Time Exceeded" icmp-options=11:0 \
    protocol=icmp
add action=accept chain=ICMP comment="Destination unreachable" icmp-options=\
    3:0-1 protocol=icmp
add action=accept chain=ICMP comment=PMTUD icmp-options=3:4 protocol=icmp
add action=drop chain=ICMP comment="Drop to the other ICMPs" protocol=icmp
add action=jump chain=output comment="Jump for icmp output" jump-target=ICMP \
    protocol=icmp
add action=drop chain=forward comment="Drop everything else - Through Router" \
    connection-state="" log-prefix=through_log
add action=drop chain=input comment="Drop everything else - To Router" \
    log-prefix=inbound_log
/ip firewall mangle
add action=mark-routing chain=prerouting new-routing-mark=TW01 \
    passthrough=yes src-address=192.168.1.254
add action=mark-routing chain=prerouting new-routing-mark=TW02 passthrough=\
    yes src-address=192.168.1.253
/ip firewall nat
add action=masquerade chain=srcnat out-interface=UniFi src-address=\
    192.168.1.254
add action=masquerade chain=srcnat out-interface=Maxis-Fixed src-address=\
    192.168.102.0/24
add action=masquerade chain=srcnat out-interface=Maxis src-address=\
    192.168.1.253
add action=dst-nat chain=dstnat comment="IP Phone Freepbx" dst-port=5000-5001 \
    in-interface=Maxis-Fixed protocol=tcp to-addresses=192.168.1.254 \
    to-ports=5000-5001
add action=dst-nat chain=dstnat dst-port=5060-5061 in-interface=Maxis-Fixed \
    protocol=tcp to-addresses=192.168.1.254 to-ports=5060-5061
add action=dst-nat chain=dstnat dst-port=9999 in-interface=Maxis-Fixed \
    protocol=tcp to-addresses=192.168.1.254 to-ports=9999
add action=dst-nat chain=dstnat dst-port=5060 in-interface=Maxis-Fixed \
    protocol=udp to-addresses=192.168.1.254 to-ports=5060
add action=dst-nat chain=dstnat dst-port=10000-40000 in-interface=Maxis-Fixed \
    protocol=udp to-addresses=192.168.1.254 to-ports=10000-40000
add action=dst-nat chain=dstnat comment=RDP-2 dst-port=44199 in-interface=\
    UniFi protocol=tcp to-addresses=192.168.1.254 to-ports=44199
add action=dst-nat chain=dstnat dst-port=7777-7790 in-interface=Maxis-Fixed \
    protocol=udp to-addresses=192.168.1.254 to-ports=7777-7780
add action=dst-nat chain=dstnat dst-port=7777-7790 in-interface=Maxis-Fixed \
    protocol=tcp to-addresses=192.168.1.254 to-ports=7777-7780
/ip firewall service-port
set sip disabled=yes
/ip hotspot service-port
set ftp disabled=yes
/ip ipsec peer
add address=0.0.0.0/0 exchange-mode=main-l2tp generate-policy=port-override \
    passive=yes send-initial-contact=no
/ip ipsec policy
set 0 dst-address=0.0.0.0/0 src-address=0.0.0.0/0
/ip route
add distance=1 gateway=UniFi routing-mark=TW01
add check-gateway=ping distance=1 gateway=Maxis routing-mark=TW02
add disabled=yes distance=1 dst-address=58.71.188.78/32 gateway=192.168.1.254
add comment="To access to internal firewall only." distance=1 dst-address=\
    192.168.0.0/24 gateway=192.168.1.254
/ip service
set telnet disabled=yes
set ftp disabled=yes
set www address=192.168.1.0/24,192.168.102.0/24
set ssh address=192.168.1.0/24,192.168.102.0/24 port=2200
set www-ssl address=192.168.1.0/24,192.168.102.0/24 certificate=Webfig
set api disabled=yes
set winbox address=192.168.1.0/24,192.168.102.0/24
set api-ssl disabled=yes
/ip ssh
set strong-crypto=yes
/ppp secret
add name=error0024 profile=ipsec_vpn service=l2tp
/system clock
set time-zone-name=Asia/Kuala_Lumpur
/system clock manual
set time-zone=+08:00
/system identity
set name=ros01.home
/system logging
set 0 disabled=yes
set 1 disabled=yes
set 2 disabled=yes
set 3 disabled=yes
add action=disk topics=critical
add action=disk topics=error
add action=disk topics=info
add action=disk topics=warning
/system ntp client
set enabled=yes server-dns-names="0.asia.pool.ntp.org,1.asia.pool.ntp.org,2.as\
    ia.pool.ntp.org,3.asia.pool.ntp.org"
/tool bandwidth-server
set enabled=no
/tool mac-server
set allowed-interface-list=none
/tool mac-server mac-winbox
set allowed-interface-list=none
/tool mac-server ping
set enabled=no
So, based on my diagram, the local computers etc. are behind the pfSense firewall, with 192.168.0.0/24 as the network. Whenever I try using the computers to access 58.71.188.78, I can't get through; I tried monitoring the firewall rules and that comes back to the first picture I attached in the post.

Hope there's something I can do, since ISP2 will be the main internet connection for all the computers behind pfSense, while ISP1 (Fixed) will be used solely for servers.
 
anav
Forum Guru
Posts: 2967
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Issues with my setup

Tue Jun 11, 2019 6:21 pm

I don't see your VLANs identified by any DHCP settings?
You seem to use ether ports on the router not identified on the drawing as well (nor indicate which ether port goes to the pfSense).
I'd rather manage rats than software. Follow my advice at your own risk! (Sob & mkx forced me to write that!)
 
error0024
just joined
Topic Author
Posts: 9
Joined: Tue Jan 03, 2017 11:42 am

Re: Issues with my setup

Tue Jun 11, 2019 7:19 pm

anav wrote:
> I don't see your VLANs identified by any DHCP settings?
> You seem to use ether ports on the router not identified on the drawing as well (nor indicate which ether port goes to the pfSense).
Hi anav,

As per the drawing, it mentions that ether1-LAN is connected to the pfSense; my apologies if the drawing is not enough. When I mentioned VLANs, it is only for the PPPoE connections, as my country's ISP requires these particular VLANs to make the connections. Therefore, I only use the ether ports to separate them.

Thanks,
 
sindy
Forum Guru
Posts: 3811
Joined: Mon Dec 04, 2017 9:19 pm

Re: Issues with my setup

Tue Jun 11, 2019 7:25 pm

There definitely is something you can do, we just have to find what it is :)

So the fixed ISP1 is a pppoe client via vlan621-2 via ether6, so it is a tunnel interface which gets added as a default route, and the ISP routes to you packets for the ...78 via that interface.

The picture says ...76 is a host address of ether6, but your configuration says it is actually a network address at ether3 (...76 - network, ..77 - Mikrotik itself, ..78 - server, ..79 - broadcast as it is a /30 network - address=xx.xx.xx.77/30 interface=ether3-DMZ network=xx.xx.xx.76). So there should be no problem to access the server listening at ...78 from machines behind the PFsense (except the firewall rules which I haven't studied yet) as there is no dst-nat for the ...78.

Have you got the whole /30 (..76 to ..79) assigned by the ISP or just the single ...78/32?
 
sindy
Forum Guru
Posts: 3811
Joined: Mon Dec 04, 2017 9:19 pm

Re: Issues with my setup

Wed Jun 12, 2019 12:27 am

Your firewall rules are a nightmare to read but it seems to me that Mikrotik doesn't block access from clients behind the pfsense to the server. Routing seems fine too. So I can only speculate that the pfsense is doing src-nat on connections initiated by hosts in pfsense's LAN (192.168.0.0/24). If it is true, then all these connections are seen at Mikrotik as coming from 192.168.1.254, which means that the mangle rule assigns them a routing-mark TW01, and for that routing mark, there is only a single route, via Unifi. But even in this case, if Unifi is a normal internet connection, the packets should get to the ...78 via internet. The responses may take a shortcut if the address assigned by the Unifi uplink to Mikrotik is a public one, but that should still be fine and the response should get back to the pfsense.

So first, can you access the server from outside your network and only the pfsense's LAN is the problem?
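An added example (not part of the thread) that makes the routing-mark half of sindy's speculation concrete and checkable. The TW01 table contains only a default route, and a default route matches every destination, including the directly connected 58.71.188.76/30, so a connection that the MikroTik sees as coming from 192.168.1.254 leaves via UniFi instead of straight out ether3-DMZ. The rules below use the OP's own identifiers (TW01/TW02, ether3-DMZ, the /30) and exempt DMZ-bound traffic from the marks; that this is the actual cause is an assumption, and the pfSense outbound-NAT question is a separate check.

```routeros
# Added example for the OP's RB4011 config; assumes the mangle rules from the
# posted export (TW01 for 192.168.1.254, TW02 for 192.168.1.253) are still present.

# 1. Ahead of every mark-routing rule, stop mangle processing for traffic whose
#    destination is directly connected. action=accept in mangle ends the chain
#    for that packet, so it carries no routing-mark and is looked up in the main
#    table, where 58.71.188.76/30 is a connected route via ether3-DMZ.
/ip firewall mangle
add chain=prerouting action=accept place-before=0 \
    dst-address=58.71.188.76/30 \
    comment="DMZ /30 is directly connected: never policy-route it out a WAN"
# dst-address-type=local would cover only the router's own addresses (.77),
# not the server at .78, so the explicit /30 is used instead.

# 2. Verify the rule order and which routes each mark can select.
/ip firewall mangle print
/ip route print detail where routing-mark=TW01
/ip route print detail where routing-mark=TW02

# 3. See how the pfSense traffic really appears to the MikroTik. If pfSense
#    source-NATs its 192.168.0.0/24 LAN, every connection lists src 192.168.1.254
#    and the TW01 mark applies to all of them.
/ip firewall connection print where dst-address~"58.71.188.78"
```

The accept rule is deliberately narrow: it names one connected prefix rather than using a blanket "anything not routed over a WAN" match, so it cannot quietly unmark traffic for networks added later. On the pfSense side, the src-nat question is answered by its outbound NAT rules for the LAN; if they translate to 192.168.1.254, the MikroTik will never see the 192.168.0.0/24 clients individually, which also means the OP's per-host marks and the detect-ddos exceptions for .254 apply to the whole office at once.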
 
error0024
just joined
Topic Author
Posts: 9
Joined: Tue Jan 03, 2017 11:42 am

Re: Issues with my setup

Wed Jun 12, 2019 4:15 am

sindy wrote:
> There definitely is something you can do, we just have to find what it is :)
>
> So the fixed ISP1 is a pppoe client via vlan621-2 via ether6, so it is a tunnel interface which gets added as a default route, and the ISP routes to you packets for the ...78 via that interface.
>
> The picture says ...76 is a host address of ether6, but your configuration says it is actually a network address at ether3 (...76 - network, ..77 - Mikrotik itself, ..78 - server, ..79 - broadcast as it is a /30 network - address=xx.xx.xx.77/30 interface=ether3-DMZ network=xx.xx.xx.76). So there should be no problem to access the server listening at ...78 from machines behind the PFsense (except the firewall rules which I haven't studied yet) as there is no dst-nat for the ...78.
>
> Have you got the whole /30 (..76 to ..79) assigned by the ISP or just the single ...78/32?
Hi Sindy, yes I've got the whole /30 assigned by the ISP, therefore I was able to use the range. It's weird though: yes, for the current part it should go out to the internet and come back as an internet connection, however I couldn't actually access the IP address at all.

I've tried using my mobile phone's 4G and other ways to access it and it's working. Do you think it's due to a pfSense firewall issue? ...hmm
 
error0024
just joined
Topic Author
Posts: 9
Joined: Tue Jan 03, 2017 11:42 am

Re: Issues with my setup

Wed Jun 12, 2019 4:16 am

sindy wrote:
> Your firewall rules are a nightmare to read but it seems to me that Mikrotik doesn't block access from clients behind the pfsense to the server. Routing seems fine too. So I can only speculate that the pfsense is doing src-nat on connections initiated by hosts in pfsense's LAN (192.168.0.0/24). If it is true, then all these connections are seen at Mikrotik as coming from 192.168.1.254, which means that the mangle rule assigns them a routing-mark TW01, and for that routing mark, there is only a single route, via Unifi. But even in this case, if Unifi is a normal internet connection, the packets should get to the ...78 via internet. The responses may take a shortcut if the address assigned by the Unifi uplink to Mikrotik is a public one, but that should still be fine and the response should get back to the pfsense.
>
> So first, can you access the server from outside your network and only the pfsense's LAN is the problem?
I've got to agree about the firewall rules... as I've added that anti-DDoS and TCP SYN protection inside... my apologies :D. Which is why I'm wondering... what is actually going on.
 
sindy
Forum Guru
Posts: 3811
Joined: Mon Dec 04, 2017 9:19 pm

Re: Issues with my setup

Wed Jun 12, 2019 8:23 am

If you cannot access the server even from outside, pfsense has nothing to do with it. The first thing I'd do in such case would be to make a command line window as wide as your screen allows, run /tool sniffer quick ip-address=the.public.ip.78 in it and try to access the server from outside. You should see the incoming packets at least on the PPPoE interface, maybe also on ether6 and vlan621-2, and also on ether3 if everything is alright at the ISP's and in the Mikrotik. If you cannot see them at all, the ISP is not routing the network to you; if you see them on the PPPoE but not on ether3, it is a Mikrotik setting issue. If you can see the incoming packets on ether3, look at the responses - if they are not there at all, check the network settings of the server, if you see them coming through ether3 but not leaving through PPPoE, it's a Mikrotik setting issue.

I have seen cases where the ISP needed the customer to advertise the public addresses on the PPPoE using RIP.

And if they gave you the whole /30, it is a waste of natural resources to use the other 3 IPs as network address, gateway and broadcast. Once we get through the inability to connect to the server, we can modify the network settings to point-to-point mode without PPPoE so that you could use the other 3 public addresses for other purposes.
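sindy's interface-by-interface check, written out as an added example of the RouterOS commands involved (not text from the post). The interface names are the OP's; the log prefix DBG78, the rule placement and the interpretation comments are assumptions made for this example.

```routeros
# Added example: trace a connection to 58.71.188.78 through the RB4011, hop by hop.
# Run from a terminal as wide as the screen allows; 'quick' prints live, Q stops it.

# 1. Sniff every interface the packet should cross. For an inbound request the
#    expected sequence is Maxis-Fixed (and the underlying vlan621-2 and
#    Ether6-FixedMaxis100), then ether3-DMZ; the reply should appear in reverse.
#    Nothing on Maxis-Fixed at all: the ISP is not routing the /30 to this PPPoE.
#    Seen on Maxis-Fixed, never on ether3-DMZ: the MikroTik is dropping it.
#    Seen on ether3-DMZ with no reply: the server's own network settings.
/tool sniffer quick ip-address=58.71.188.78 \
    interface=Maxis-Fixed,vlan621-2,Ether6-FixedMaxis100,ether3-DMZ

# 2. When the router is the one dropping it, find the rule. Two temporary log rules
#    at the very top of the forward chain, one per direction, tagged for removal.
#    action=log records the packet and then passes it on to the next rule.
/ip firewall filter
add chain=forward action=log log-prefix=DBG78 place-before=0 dst-address=58.71.188.78
add chain=forward action=log log-prefix=DBG78 place-before=1 src-address=58.71.188.78
# reproduce the connection, then read what was logged:
/log print where message~"DBG78"
# A logged request that never reaches ether3-DMZ was dropped further down the chain;
# zero the counters, reproduce once more, and the rule whose counter moved is the one.
/ip firewall filter reset-counters-all
/ip firewall filter print stats where chain=forward

# 3. Clean up. Logging every packet to the server is noise and writes client
#    addresses into the router log, so remove the debug rules as soon as done.
/ip firewall filter remove [find log-prefix=DBG78]
```

The reason for logging before counting is that the posted forward chain has several drop rules with identical comments (the "not NATted" and "not public IP" triplets), so a comment alone does not identify which interface's copy fired; a counter that increments during a single reproduced connection does.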
