Akuras
just joined
Topic Author
Posts: 12
Joined: Fri Mar 24, 2017 1:47 pm

no access out of firewall

Mon Apr 12, 2021 4:29 pm

Board RB3011UiAS
version 6.48.1 (stable)
CPU load 23 - 34%
DHCP - about 120 hosts
and about 90 SSTP clients
usual NAT rules:
add action=masquerade chain=srcnat comment="defconf: masquerade" ipsec-policy=out,none out-interface-list=WAN
add action=masquerade chain=srcnat comment="masq. vpn traffic" src-address=192.168.89.0/24
add action=masquerade chain=srcnat src-address=192.168.0.0/24
nothing special
The problem is that for some local hosts NAT doesn't work (LAN works fine and the host can ping the router); those hosts can't get out until I ping them from the router. After the ping the host gets internet access o_0
No errors or warnings in log.
Your ideas? Why does this happen? What should I check?
 
mkx
Forum Guru
Posts: 11381
Joined: Thu Mar 03, 2016 10:23 pm

Re: no access out of firewall

Mon Apr 12, 2021 4:34 pm

Smells like an ARP problem, but it's hard to tell without seeing the full router config (text export) and some chart explaining the network topology (it seems it's not entirely trivial).
 
Akuras
just joined
Topic Author
Posts: 12
Joined: Fri Mar 24, 2017 1:47 pm

Re: no access out of firewall

Mon Apr 12, 2021 4:52 pm

config
Last edited by Akuras on Tue Apr 13, 2021 9:37 am, edited 1 time in total.
 
mkx
Forum Guru
Posts: 11381
Joined: Thu Mar 03, 2016 10:23 pm

Re: no access out of firewall

Mon Apr 12, 2021 5:02 pm

One thing I'd change is this:

/interface detect-internet
set detect-interface-list=all

I'm yet to hear anything useful about this setting being enabled, but there are reports it can break random things.

Other than that, your firewall is messy and I certainly hope all of those PCs with exposed RDP services have good firewalls (which they probably don't).
 
Akuras
just joined
Topic Author
Posts: 12
Joined: Fri Mar 24, 2017 1:47 pm

Re: no access out of firewall

Mon Apr 12, 2021 5:08 pm

ok, I'll change it
 
Akuras
just joined
Topic Author
Posts: 12
Joined: Fri Mar 24, 2017 1:47 pm

Re: no access out of firewall

Tue Apr 13, 2021 10:45 am

Any other ideas and thoughts?
 
anav
Forum Guru
Posts: 18958
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: no access out of firewall

Tue Apr 13, 2021 5:09 pm

Without a config, who can say??
 
Akuras
just joined
Topic Author
Posts: 12
Joined: Fri Mar 24, 2017 1:47 pm

Re: no access out of firewall

Wed Apr 14, 2021 12:16 pm

Without a config, who can say??
What part of the config?
 
erlinden
Forum Guru
Posts: 1900
Joined: Wed Jun 12, 2013 1:59 pm
Location: Netherlands

Re: no access out of firewall

Wed Apr 14, 2021 12:19 pm

What part of the config?
To be sure it covers it all... everything:
/export hide-sensitive file=anynameyoulike

You can remove MAC addresses manually
 
Akuras
just joined
Topic Author
Posts: 12
Joined: Fri Mar 24, 2017 1:47 pm

Re: no access out of firewall

Wed Apr 14, 2021 1:39 pm

What part of the config?
To be sure it covers it all... everything:
/export hide-sensitive file=anynameyoulike

You can remove MAC addresses manually
Sorry for the wait.


# apr/14/2021 13:12:19 by RouterOS 6.48.1
# software id = 1K8I-BBUF
#
# model = RouterBOARD 3011UiAS
/interface bridge
add admin-mac=6C:3B:6B:37:E1:9D auto-mac=no comment=defconf name=bridge
/interface ethernet
set [ find default-name=ether1 ] name=1.SINET speed=100Mbps
set [ find default-name=ether2 ] name=2.CORBINA speed=100Mbps
set [ find default-name=ether3 ] loop-protect=on speed=100Mbps
set [ find default-name=ether4 ] loop-protect=on speed=100Mbps
set [ find default-name=ether5 ] loop-protect=on speed=100Mbps
set [ find default-name=ether6 ] loop-protect=on speed=100Mbps
set [ find default-name=ether7 ] loop-protect=on speed=100Mbps
set [ find default-name=ether8 ] loop-protect=on speed=100Mbps
set [ find default-name=ether9 ] loop-protect=on speed=100Mbps
set [ find default-name=ether10 ] loop-protect=on speed=100Mbps
set [ find default-name=sfp1 ] advertise=10M-half,10M-full,100M-half,100M-full,1000M-half,1000M-full
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip pool
add name=dhcp ranges=192.168.88.10-192.168.88.254
add name=vpn ranges=192.168.89.2-192.168.89.254
/ip dhcp-server
add address-pool=dhcp disabled=no interface=bridge name=server1
/ppp profile
set *FFFFFFFE local-address=192.168.89.1 remote-address=vpn
/queue tree
add max-limit=200M name=QoS_global parent=global priority=1
add comment="Priority 1 traffic [DNS, ICMP]" name=prio_1 packet-mark=prio_1 parent=QoS_global priority=1 queue=ethernet-default
add comment="Priority 2 traffic [VoIP]" name=prio_2 packet-mark=prio_2 parent=QoS_global priority=2 queue=ethernet-default
add comment="Priority 5 traffic" name=prio_5 packet-mark=no-mark parent=QoS_global priority=5 queue=ethernet-default
/user group
set full policy=local,telnet,ssh,ftp,reboot,read,write,policy,test,winbox,password,web,sniff,sensitive,api,romon,dude,tikapp
/interface bridge port
add bridge=bridge interface=ether3
add bridge=bridge interface=ether4
add bridge=bridge interface=ether5
add bridge=bridge interface=ether6
add bridge=bridge interface=ether7
add bridge=bridge interface=ether8
add bridge=bridge interface=ether9
add bridge=bridge interface=ether10
add bridge=bridge interface=sfp1
/ip neighbor discovery-settings
set discover-interface-list=LAN
/interface detect-internet
set detect-interface-list=all
/interface l2tp-server server
set enabled=yes use-ipsec=yes
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=1.SINET list=WAN
add interface=2.CORBINA list=WAN
/interface ovpn-server server
set auth=sha1 cipher=aes256 require-client-certificate=yes
/interface pptp-server server
set enabled=yes
/interface sstp-server server
set authentication=mschap2 certificate=SERV default-profile=default-encryption enabled=yes force-aes=yes pfs=yes
/ip address
add address=192.168.88.1/24 comment=defconf interface=bridge network=192.168.88.0
/ip cloud
set ddns-enabled=yes
/ip dhcp-client
add comment=defconf disabled=no interface=1.SINET
add comment=defconf disabled=no interface=2.CORBINA
/ip dhcp-server lease
add address=192.168.88.102 client-id=1:a0:48:1c:89:1:75 mac-address=A0:48:1C:89:01:75 server=server1
add address=192.168.88.60 client-id=1:c8:1f:66:14:e8:fc mac-address=C8:1F:66:14:E8:FC server=server1
add address=192.168.88.88 client-id=1:c8:1f:66:14:22:c0 mac-address=C8:1F:66:14:22:C0 server=server1
add address=192.168.88.9 client-id=1:0:11:32:ac:14:cc mac-address=00:11:32:AC:14:CC server=server1
add address=192.168.88.125 client-id=1:18:3:73:22:cc:13 mac-address=18:03:73:22:CC:13 server=server1
add address=192.168.88.63 client-id=1:18:3:73:cb:f5:b1 mac-address=18:03:73:CB:F5:B1 server=server1
add address=192.168.88.71 client-id=1:90:b1:1c:74:37:74 mac-address=90:B1:1C:74:37:74 server=server1
add address=192.168.88.219 client-id=1:78:45:c4:41:30:24 mac-address=78:45:C4:41:30:24 server=server1
add address=192.168.88.155 client-id=1:c8:1f:66:e:32:62 mac-address=C8:1F:66:0E:32:62 server=server1
add address=192.168.88.117 client-id=1:10:60:4b:8a:48:9a mac-address=10:60:4B:8A:48:9A server=server1
add address=192.168.88.197 client-id=1:d4:85:64:b4:88:46 mac-address=D4:85:64:B4:88:46 server=server1
add address=192.168.88.209 client-id=1:d4:be:d9:8f:15:32 mac-address=D4:BE:D9:8F:15:32 server=server1
add address=192.168.88.188 client-id=1:10:60:4b:87:97:c4 mac-address=10:60:4B:87:97:C4 server=server1
add address=192.168.88.205 client-id=1:2c:44:fd:39:5b:47 mac-address=2C:44:FD:39:5B:47 server=server1
add address=192.168.88.243 client-id=1:b4:b5:2f:c3:17:ea mac-address=B4:B5:2F:C3:17:EA server=server1
add address=192.168.88.220 client-id=1:18:3:73:cc:35:7d mac-address=18:03:73:CC:35:7D server=server1
add address=192.168.88.135 client-id=1:6c:3b:e5:24:9f:4d mac-address=6C:3B:E5:24:9F:4D server=server1
add address=192.168.88.167 client-id=1:f8:b1:56:d4:a0:8e mac-address=F8:B1:56:D4:A0:8E server=server1
add address=192.168.88.166 client-id=1:34:17:eb:c0:6d:c9 mac-address=34:17:EB:C0:6D:C9 server=server1
add address=192.168.88.108 client-id=1:78:ac:c0:bf:9b:30 mac-address=78:AC:C0:BF:9B:30 server=server1
add address=192.168.88.73 client-id=1:18:3:73:cd:c9:41 mac-address=18:03:73:CD:C9:41 server=server1
add address=192.168.88.177 client-id=1:10:60:4b:8d:78:f8 mac-address=10:60:4B:8D:78:F8 server=server1
add address=192.168.88.48 client-id=1:9c:8e:99:e3:a0:e0 mac-address=9C:8E:99:E3:A0:E0 server=server1
add address=192.168.88.198 client-id=1:18:3:73:18:c3:ab mac-address=18:03:73:18:C3:AB server=server1
add address=192.168.88.93 client-id=1:d0:67:e5:1a:1f:c9 mac-address=D0:67:E5:1A:1F:C9 server=server1
add address=192.168.88.58 client-id=1:2c:41:38:96:f0:f1 mac-address=2C:41:38:96:F0:F1 server=server1
add address=192.168.88.28 client-id=1:f0:79:59:94:ba:6c mac-address=F0:79:59:94:BA:6C server=server1
add address=192.168.88.199 client-id=1:44:8a:5b:24:5e:74 mac-address=44:8A:5B:24:5E:74 server=server1
add address=192.168.88.64 client-id=1:30:85:a9:9c:a6:83 mac-address=30:85:A9:9C:A6:83 server=server1
add address=192.168.88.140 client-id=1:30:5a:3a:6:c1:eb mac-address=30:5A:3A:06:C1:EB server=server1
add address=192.168.88.144 client-id=1:2c:41:38:8a:e9:cf mac-address=2C:41:38:8A:E9:CF server=server1
add address=192.168.88.69 client-id=1:9c:5c:8e:76:67:ed mac-address=9C:5C:8E:76:67:ED server=server1
add address=192.168.88.23 client-id=1:d0:67:e5:1a:da:5f mac-address=D0:67:E5:1A:DA:5F server=server1
add address=192.168.88.86 client-id=1:8:2e:5f:1d:b3:38 mac-address=08:2E:5F:1D:B3:38 server=server1
add address=192.168.88.103 client-id=1:d4:be:d9:8e:62:d1 mac-address=D4:BE:D9:8E:62:D1 server=server1
add address=192.168.88.16 client-id=1:9c:93:4e:42:17:7a mac-address=9C:93:4E:42:17:7A server=server1
add address=192.168.88.211 client-id=1:10:60:4b:77:1d:a mac-address=10:60:4B:77:1D:0A server=server1
add address=192.168.88.92 client-id=1:d4:be:d9:da:3f:eb mac-address=D4:BE:D9:DA:3F:EB server=server1
add address=192.168.88.222 client-id=1:6c:3b:e5:24:d2:b9 mac-address=6C:3B:E5:24:D2:B9 server=server1
add address=192.168.88.196 client-id=1:64:31:50:21:6e:db mac-address=64:31:50:21:6E:DB server=server1
add address=192.168.88.189 client-id=1:6c:3b:e5:25:e8:3 mac-address=6C:3B:E5:25:E8:03 server=server1
/ip dhcp-server network
add address=192.168.88.0/24 comment=defconf gateway=192.168.88.1
/ip dns
set allow-remote-requests=yes
/ip dns static
add address=192.168.88.1 name=router.lan
/ip firewall filter
add action=accept chain=input dst-port=***** in-interface-list=WAN protocol=tcp src-address-list=secip
add action=accept chain=input protocol=icmp
add action=accept chain=input comment="allow IPsec NAT" disabled=yes dst-port=4500 protocol=udp
add action=accept chain=input comment="allow IKE" disabled=yes dst-port=500 protocol=udp
add action=accept chain=input comment="allow l2tp" dst-port=1701 protocol=udp
add action=accept chain=input dst-port=1723 protocol=tcp
add action=accept chain=forward disabled=yes dst-port=47 protocol=tcp
add action=accept chain=input comment="defconf: accept ICMP" in-interface-list=WAN protocol=icmp
add action=accept chain=input dst-port=37777 in-interface-list=WAN protocol=tcp
add action=accept chain=input dst-port=443 in-interface=1.SINET protocol=tcp
add action=accept chain=input dst-port=443 in-interface=2.CORBINA protocol=tcp
add action=accept chain=input dst-port=10000-20000 protocol=tcp
add action=accept chain=input dst-port=5060-5090 protocol=udp
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
add action=drop chain=input comment="defconf: drop all not coming from LAN" in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related
add action=accept chain=forward comment="defconf: accept established,related, untracked" connection-state=established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
add action=drop chain=forward comment="defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat connection-state=new in-interface-list=WAN
/ip firewall mangle
add action=mark-packet chain=prerouting comment="[ priority 1 ]" new-packet-mark=prio_1 passthrough=yes protocol=icmp
add action=mark-packet chain=prerouting new-packet-mark=prio_1 passthrough=yes port=53 protocol=tcp
add action=mark-packet chain=prerouting new-packet-mark=prio_1 passthrough=yes port=53 protocol=udp
add action=mark-packet chain=prerouting new-packet-mark=prio_1 packet-size=0-123 passthrough=yes protocol=tcp tcp-flags=ack
add action=mark-packet chain=prerouting comment="-=[ priority-2-VoIP ]=-" dscp=40 new-packet-mark=prio_2 passthrough=yes
add action=mark-packet chain=prerouting dscp=46 new-packet-mark=prio_2 passthrough=yes
add action=mark-packet chain=prerouting new-packet-mark=prio_2 passthrough=yes port=5060,5061,10000-20000 protocol=udp src-address=194.88.218.117
add action=mark-packet chain=prerouting dst-address=194.88.218.117 new-packet-mark=prio_2 passthrough=yes port=5060,5061,10000-20000 protocol=udp
add action=set-priority chain=prerouting comment="[ WMM-priority-1 ]" new-priority=7 passthrough=yes protocol=icmp
add action=set-priority chain=prerouting new-priority=7 passthrough=yes port=53 protocol=tcp
add action=set-priority chain=prerouting new-priority=7 passthrough=yes port=53 protocol=udp
add action=set-priority chain=prerouting new-priority=7 packet-size=0-123 passthrough=yes protocol=tcp tcp-flags=ack
add action=set-priority chain=prerouting comment="-=[ WMM-priority-2-VoIP ]=-" dscp=40 new-priority=6 passthrough=yes
add action=set-priority chain=prerouting dscp=46 new-priority=6 passthrough=yes
add action=set-priority chain=prerouting new-priority=6 passthrough=yes port=5060,5061,10000-20000 protocol=udp src-address=194.88.218.117
add action=set-priority chain=prerouting dst-address=194.88.218.117 new-priority=6 passthrough=yes port=5060,5061,10000-20000 protocol=udp
add action=mark-routing chain=prerouting comment="COBINA OUT traffic" disabled=yes new-routing-mark=corbout passthrough=yes src-address=192.168.88.8
add action=mark-routing chain=prerouting comment="SINET OUT traffic" disabled=yes new-routing-mark=SINOUT passthrough=yes src-address=192.168.88.102
add action=mark-routing chain=prerouting disabled=yes new-routing-mark=SINOUT passthrough=yes src-address=192.168.88.247
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" ipsec-policy=out,none out-interface-list=WAN
add action=masquerade chain=srcnat comment="defconf: masquerade" disabled=yes ipsec-policy=out,none out-interface="1. vpn.sysadm.ws"
add action=masquerade chain=srcnat comment="masq. vpn traffic" src-address=192.168.89.0/24
add action=masquerade chain=srcnat src-address=192.168.0.0/24
add action=dst-nat chain=dstnat dst-port=5000 in-interface-list=WAN protocol=tcp src-address-list=secip to-addresses=192.168.88.9
add action=dst-nat chain=dstnat dst-port=4021 in-interface-list=WAN protocol=tcp src-address-list=secip to-addresses=192.168.88.9
add action=dst-nat chain=dstnat dst-port=55536-55635 in-interface-list=WAN protocol=tcp src-address-list=secip to-addresses=192.168.88.9
add action=accept chain=srcnat disabled=yes out-interface=*F01D3B
add action=netmap chain=dstnat dst-port=4488 in-interface=1.SINET protocol=tcp to-addresses=192.168.88.102 to-ports=3389
add action=netmap chain=dstnat dst-port=4488 in-interface=2.CORBINA protocol=tcp to-addresses=192.168.88.102 to-ports=3389
add action=dst-nat chain=dstnat dst-port=4003 protocol=tcp to-addresses=192.168.88.3 to-ports=8291
add action=dst-nat chain=dstnat dst-port=18291 protocol=tcp to-addresses=192.168.88.4 to-ports=8291
add action=dst-nat chain=dstnat dst-port=37777 in-interface-list=WAN protocol=tcp to-addresses=192.168.88.50 to-ports=37777
/ip firewall service-port
set sip disabled=yes
/ip route
add distance=2 gateway=91.210.249.1 routing-mark=corbout
add distance=1 gateway=91.210.249.1
add distance=2 gateway=213.139.212.1
add check-gateway=ping disabled=yes distance=1 gateway=8.8.4.4
add check-gateway=ping disabled=yes distance=3 gateway=8.8.8.8
add disabled=yes distance=2 dst-address=1.1.1.1/32 gateway=91.210.249.1 scope=10
add disabled=yes distance=1 dst-address=8.8.8.8/32 gateway=91.211.122.1 scope=10
add disabled=yes distance=1 dst-address=10.0.10.0/24 gateway="1. vpn.sysadm.ws"
add distance=1 dst-address=192.168.8.0/24 gateway=192.168.0.2
/ip service
set telnet disabled=yes
set ftp disabled=yes
set www disabled=yes port=461
set ssh disabled=yes
set winbox port=*****
/ip ssh
set allow-none-crypto=yes forwarding-enabled=remote
/system clock
set time-zone-name=Europe
/system logging
set 0 topics=info,!dhcp
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN
 
anav
Forum Guru
Posts: 18958
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: no access out of firewall

Wed Apr 14, 2021 3:46 pm

(1) Change this to NONE. No one knows what exactly this setting does, and it is known to cause issues.
/interface detect-internet
set detect-interface-list=all

(2) Input chain - What is the purpose of this rule?? I don't see the firewall address list in your config?? (Nothing should be allowed into your router from the internet except vlan stuff!!)
/ip firewall filter
add action=accept chain=input dst-port=***** in-interface-list=WAN protocol=tcp src-address-list=secip ?????????

(3) Input chain. SAME ISSUE!!! What is the purpose of these rules??????????? They need to be removed.
add action=accept chain=input dst-port=1723 protocol=tcp
add action=accept chain=forward disabled=yes dst-port=47 protocol=tcp
add action=accept chain=input dst-port=37777 in-interface-list=WAN protocol=tcp
add action=accept chain=input dst-port=443 in-interface=1.SINET protocol=tcp
add action=accept chain=input dst-port=443 in-interface=2.CORBINA protocol=tcp
add action=accept chain=input dst-port=10000-20000 protocol=tcp
add action=accept chain=input dst-port=5060-5090 protocol=udp

(3) What is the purpose of your mangle rules, in plain English? I'm no expert, but I rarely see people mangling DNS traffic, for example......

(4) NAT rules. There are two basic approaches to NAT for dual WANs....... (Not talking about the legitimate separate VPN rule you have, but the plain standard rules.)
a. ONE RULE
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" ipsec-policy=out,none out-interface-list=WAN
or
b. TWO RULES
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" ipsec-policy=out,none out-interface=ether1
add action=masquerade chain=srcnat comment="defconf: masquerade" ipsec-policy=out,none out-interface=ether2

c. Finally, it's important to know if the WAN IPs are dynamic or static. For example, let's say ether2 had a fixed static WAN IP, as technically there is a more correct way to assign source NAT for fixed WAN IPs.
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" ipsec-policy=out,none out-interface=ether1
add action=src-nat chain=srcnat to-addresses=fixedWANIP out-interface=ether2

(5) Destination NAT rules. I like the fact you use a source address in most of the rules, as that narrows down access and makes the ports INVISIBLE to scans from the internet.
etherport the traffic came in on and should send it out the same port. (Haven't cross-checked routing and mangling though.)

I am not sure this is the purpose of NETMAP??? Why not just use DST NAT???
add action=netmap chain=dstnat dst-port=4488 in-interface=1.SINET protocol=tcp to-addresses=192.168.88.102 to-ports=3389
add action=netmap chain=dstnat dst-port=4488 in-interface=2.CORBINA protocol=tcp to-addresses=192.168.88.102 to-ports=3389

These are missing the in-interface??????
add action=dst-nat chain=dstnat dst-port=4003 protocol=tcp to-addresses=192.168.88.3 to-ports=8291
add action=dst-nat chain=dstnat dst-port=18291 protocol=tcp to-addresses=192.168.88.4 to-ports=8291
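An added example, not posted by anyone in this thread, that turns anav's review points into a repeatable check: it parses a RouterOS text export and flags detect-internet not set to none, input-chain accepts with a dst-port that are not restricted to the LAN list, a src-address-list referenced but never defined in the export, and dstnat rules with no in-interface. The sample export is a constructed subset of the config posted above; the use of shlex and the four check names are my own assumptions.

```python
import shlex

# Constructed sample: a subset of the export posted earlier in this thread.
SAMPLE_EXPORT = """\
/interface detect-internet
set detect-interface-list=all
/ip firewall filter
add action=accept chain=input dst-port=***** in-interface-list=WAN protocol=tcp src-address-list=secip
add action=accept chain=input protocol=icmp
add action=accept chain=input dst-port=1723 protocol=tcp
add action=accept chain=input dst-port=443 in-interface=1.SINET protocol=tcp
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=input comment="defconf: drop all not coming from LAN" in-interface-list=!LAN
/ip firewall nat
add action=dst-nat chain=dstnat dst-port=5000 in-interface-list=WAN protocol=tcp src-address-list=secip to-addresses=192.168.88.9
add action=dst-nat chain=dstnat dst-port=4003 protocol=tcp to-addresses=192.168.88.3 to-ports=8291
add action=dst-nat chain=dstnat dst-port=18291 protocol=tcp to-addresses=192.168.88.4 to-ports=8291
"""


def parse_export(text):
    """Turn a RouterOS export into (section, {key: value}) pairs, one per add/set line."""
    section, rules = None, []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("/"):            # section header such as /ip firewall filter
            section = line
            continue
        tokens = shlex.split(line)          # keeps comment="..." together as one token
        if tokens and tokens[0] in ("add", "set"):
            kv = dict(t.split("=", 1) for t in tokens[1:] if "=" in t)
            rules.append((section, kv))
    return rules


def audit(text):
    """Apply the review points from the thread; returns {check: [port or value, ...]}."""
    rules = parse_export(text)
    defined_lists = {r.get("list") for s, r in rules if s == "/ip firewall address-list"}
    out = {"detect_internet": [], "wan_input": [], "undefined_list": [], "dstnat_no_iface": []}
    for section, r in rules:
        if section == "/interface detect-internet" and r.get("detect-interface-list", "none") != "none":
            out["detect_internet"].append(r["detect-interface-list"])
        if "src-address-list" in r and r["src-address-list"] not in defined_lists:
            out["undefined_list"].append(r["src-address-list"])  # list used but never defined
        if section not in ("/ip firewall filter", "/ip firewall nat"):
            continue
        port = r.get("dst-port")
        if (r.get("chain") == "input" and r.get("action") == "accept" and port
                and r.get("in-interface-list") != "LAN"):
            out["wan_input"].append(port)        # router service reachable from a WAN side
        if r.get("chain") == "dstnat" and "in-interface" not in r and "in-interface-list" not in r:
            out["dstnat_no_iface"].append(port)  # forward matches on any interface, LAN included
    return out


if __name__ == "__main__":
    for check, hits in audit(SAMPLE_EXPORT).items():
        print(f"{check}: {hits}")
```

Run it against a full `/export hide-sensitive` file instead of the sample to get the same four lists for a real router.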
 
Akuras
just joined
Topic Author
Posts: 12
Joined: Fri Mar 24, 2017 1:47 pm

Re: no access out of firewall

Thu Jul 22, 2021 5:30 pm

The reason is that the IP scan tool shows 2 MACs instead of 1 (the PC has 1 ethernet port).
Have no idea what the hell the 2nd MAC is :/
This problem affects about 5-7 local hosts.

Lookup says it's a Cisco MAC. But we don't have Cisco devices in our office ))

update: trying to set up DHCP blocking with a bridge firewall

update2: it was a hardware port issue. In an RB3011UiAS, not some hAP lite, omg! ((
