jabbc
just joined
Topic Author
Posts: 4
Joined: Tue May 19, 2020 10:19 pm

CAN'T CONNECT TO SOPHOS FIREWALL THROUGH MY MIKROTIK

Wed May 20, 2020 5:50 pm

Hello,

I'm new to Mikrotik and I'm using a CCR1036-12G-4S v6.45.6 to provide internet services to a few home users.

2 users have difficulty establishing VPN connections from their Sophos client (on PC) at home to their Sophos firewall server at the office.

I'm using pppoe to connect multiple users on my Mikrotik NAS which connects to my core router where my ISP connects to. Users can browse fine just these 2 users can't connect to their Sophos VPN servers. They can however, connect to their servers using other mobile networks as hotspot.

I thought since I was providing a transparent internet service to the clients I'm basically a pipe through the internet for them and shouldn't interrupt their protocols just as I don't interrupt their browsing.

I read online about opening ports 50, 51, 1701, 1723, 500, 4500 which I have done but the complaint still persists.

Please what can I do to resolve this?

I'll appreciate your help. Thanks.
 
anav
Forum Guru
Posts: 4159
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: CAN'T CONNECT TO SOPHOS FIREWALL THROUGH MY MIKROTIK

Wed May 20, 2020 7:21 pm

Very strange, I would have thought no changes were needed to even default firewall rules on a hex, in terms of PC clients going out what is internet traffic to a server.
Suggest maybe you have a firewall rule blocking it??
I'd rather manage rats than software. Follow my advice at your own risk! (Sob & mkx forced me to write that!)
 
jabbc
just joined
Topic Author
Posts: 4
Joined: Tue May 19, 2020 10:19 pm

Re: CAN'T CONNECT TO SOPHOS FIREWALL THROUGH MY MIKROTIK

Wed May 20, 2020 7:29 pm

Also found it strange when the first complaint came in. Dismissed it until the second request came in from another user in another location trying to connect to a sophos server.

The only firewall rules I had were for NAT and blocking port 25. Client claims they are trying to connect over port 500 for IKE connections, hence my reason for deliberately opening the earlier said ports.

Still no luck
 
ingdaka
Member
Posts: 332
Joined: Thu Aug 30, 2012 3:06 pm
Location: Albania
Contact:

Re: CAN'T CONNECT TO SOPHOS FIREWALL THROUGH MY MIKROTIK

Wed May 20, 2020 8:39 pm

Please check PPPoE server profile for TCP MSS which option is checked
Ilir Daka
Electronic & Network Engineer
E-mail: ilirdaka@live.com
Mob: +355692982151
WhatsApp: +355692982151
Mikrotik Official Consultant
CCNA | Fortinet NSE3 | MTCRE | MTCSE | MTCWE | RIPE NCC Certified Professional
 
jabbc
just joined
Topic Author
Posts: 4
Joined: Tue May 19, 2020 10:19 pm

Re: CAN'T CONNECT TO SOPHOS FIREWALL THROUGH MY MIKROTIK

Fri May 22, 2020 11:52 pm

TCP MSS is on default option.
 
jabbc
just joined
Topic Author
Posts: 4
Joined: Tue May 19, 2020 10:19 pm

Re: CAN'T CONNECT TO SOPHOS FIREWALL THROUGH MY MIKROTIK

Sun May 24, 2020 10:16 pm

Tested with the client and discovered that connections to the sophos server complete on another IP address going through my core router directly, i.e, bypassing the Mikrotik router.

Changed the IP address on the Mikrotik but it is still the same situation.

So something is blocking the pppoe clients coming through the Mikrotik router (before going out through the core router) from connecting using the NAT IP address on the Mikrotik router

What could possibly be wrong (knowing everything else seems to be fine apart from this sophos vpn connection)?

Could it be an IP blacklist?
 
sindy
Forum Guru
Posts: 5007
Joined: Mon Dec 04, 2017 9:19 pm

Re: CAN'T CONNECT TO SOPHOS FIREWALL THROUGH MY MIKROTIK

Sun May 24, 2020 10:43 pm

First of all, could it be that those two clients are using L2TP or PPTP, both connect to the same VPN server, and you NAT both of them to the same public IP address? If so, it cannot work due to the NAT, as in both cases, the server to which they connect is unable to distinguish the connections from one another. The thing is that
  • GRE used by PPTP has no notion of ports, so the only differentiator of one connection from the other is the IP addresses, and since both the IP of the server and the public IP you assign the clients' connections are identical for both connections, not only can the server not distinguish the two GRE connections from one another, but also the NAT handling on your machine cannot allow more than one such GRE tunnel through, as it would be unable to forward the packets from the server to the client for the same reason.
  • L2TP/IPsec uses UDP so your NAT serves each connection with a different port at your public IP, but if both clients are the Microsoft Windows' embedded ones, both use the same port at their side in the L2TP payload encrypted inside the IPsec transport packet, and L2TP uses transport, rather than tunnel, mode of encapsulation, so the original IP headers of the payload packets are not transported. So although the transport packets arrive to the server from different ports on your public IP, after unpacking, they still bear your public IP as source but the original client-side port which is the same for both.
So for both cases, there is no other solution at your level but to use several public IPs to serve these types of VPN (one per each client of any given server). To make things worse, even if you do have multiple public IPs available, there is no embedded functionality which would automatically choose a different public address to these connections - if you restrict the to-ports to a single value and you do have a range in to-addresses, the second connection is not let through rather than getting another address from the range. So you need a script which tracks this type of connections and modifies the rule.
If you only have a single IP address, the clients have to change the VPN type to some other one supported by Sophos. Bare IPsec in tunnel mode and OpenVPN have no problem with multiple clients behind the same NAT.
Instead of writing novels, post /export hide-sensitive. Use find&replace in your favourite text editor to systematically replace all occurrences of each public IP address potentially identifying you by a distinctive pattern such as my.public.ip.1.
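The following is an added illustration of the NAT argument in the post above; it is not part of sindy's reply nor MikroTik code. It models the tuple a src-nat router and a VPN server each use to tell sessions apart, for the three cases described: PPTP over GRE (no ports), L2TP with IPsec in transport mode (the inner L2TP port is hidden from the NAT), and IPsec tunnel mode / OpenVPN over UDP. All addresses and ports are constructed sample values. The per-flow choice of a different public IP for GRE is what the tracking script mentioned in the post would have to implement; a plain src-nat rule with an address range does not do that by itself.

```python
"""Why two VPN clients behind one src-nat address can collide (added example)."""
from dataclasses import dataclass, replace
from typing import Optional

@dataclass(frozen=True)
class Flow:
    """One client->server flow as the NAT router sees it (outer headers)."""
    proto: str                          # "gre" or "udp"
    src: str                            # private address of the PPPoE client
    dst: str                            # VPN server address
    sport: Optional[int] = None         # None: protocol has no ports (GRE)
    dport: Optional[int] = None
    inner_sport: Optional[int] = None   # L2TP UDP port inside IPsec transport; NAT cannot see it

def srcnat(flows, public_ips, next_port=1024):
    """Apply src-nat in order. Returns (translated flows, verdicts).

    Ported protocols: a busy (ip, port, dst, dport) tuple gets a fresh source port,
    as a real NAT does. Portless protocols (GRE): the only tuple is (proto, ip, dst);
    a second flow to the same server takes another pool address if one is free,
    otherwise it is dropped, since the router could not map return packets.
    """
    used, translated, verdicts = set(), [], []
    for f in flows:
        result = None
        for pub in public_ips:
            if f.sport is None:
                key = (f.proto, pub, f.dst)
                if key not in used:
                    used.add(key)
                    result = replace(f, src=pub)
                    break
            else:
                sport = f.sport
                key = (f.proto, pub, sport, f.dst, f.dport)
                while key in used:          # allocate a new public port
                    sport, next_port = next_port, next_port + 1
                    key = (f.proto, pub, sport, f.dst, f.dport)
                used.add(key)
                result = replace(f, src=pub, sport=sport)
                break
        translated.append(result)
        verdicts.append("nat_ok" if result else "nat_dropped")
    return translated, verdicts

def server_session_key(f):
    """Identifier the VPN server has for a session after decapsulation."""
    if f.proto == "gre":
        return ("gre", f.src, f.dst)
    if f.inner_sport is not None:
        # Transport mode keeps the outer IP header (now the public IP) and the
        # inner L2TP header is untouched by NAT, so the server sees the same
        # public IP + original client port for both clients.
        return ("l2tp", f.src, f.inner_sport)
    return (f.proto, f.src, f.sport)    # distinct outer ports keep these apart

def simulate(flows, public_ips):
    """Verdict per flow: ok, nat_dropped, or server_cannot_distinguish."""
    translated, verdicts = srcnat(flows, public_ips)
    seen, out = set(), []
    for f, v in zip(translated, verdicts):
        if f is None:
            out.append(v)
            continue
        key = server_session_key(f)
        out.append("server_cannot_distinguish" if key in seen else "ok")
        seen.add(key)
    return out

# Constructed sample flows: two home clients, one office VPN server.
SERVER = "198.51.100.5"
PPTP = [Flow("gre", "10.0.0.2", SERVER), Flow("gre", "10.0.0.3", SERVER)]
L2TP = [Flow("udp", "10.0.0.2", SERVER, 4500, 4500, inner_sport=1701),
        Flow("udp", "10.0.0.3", SERVER, 4500, 4500, inner_sport=1701)]
OPENVPN = [Flow("udp", "10.0.0.2", SERVER, 51000, 1194),
           Flow("udp", "10.0.0.3", SERVER, 52000, 1194)]

if __name__ == "__main__":
    one_ip, two_ips = ["203.0.113.10"], ["203.0.113.10", "203.0.113.11"]
    print("PPTP, one public IP:   ", simulate(PPTP, one_ip))
    print("PPTP, two public IPs:  ", simulate(PPTP, two_ips))
    print("L2TP/IPsec, one IP:    ", simulate(L2TP, one_ip))
    print("L2TP/IPsec, two IPs:   ", simulate(L2TP, two_ips))
    print("OpenVPN/IKE tunnel:    ", simulate(OPENVPN, one_ip))
```

Running it shows the PPTP pair losing the second tunnel at the NAT with one address, the L2TP pair passing the NAT but becoming indistinguishable at the server, and the OpenVPN-style UDP pair working on a single address because the NAT-rewritten outer ports are what the server keys on.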
