iegg
just joined
Topic Author
Posts: 18
Joined: Thu May 27, 2021 10:13 pm

Double NAT + Firewall forward block => no internet access

Wed Jun 16, 2021 3:54 pm

Hi all,

I've got a MikroTik CRS326-24G-2S+RM behind my ISP router. The ISP router cannot be set to bridge mode, only DMZ mode, where all incoming traffic to the WAN interface of the ISP router is forwarded to the MikroTik router's WAN interface. So far so good, everything works. However, as soon as I activate the MikroTik firewall, which I configured to block all incoming forwards, I do not have internet access anymore. If I remove the block-forward rule, everything works. Is there anything special I need to configure when using double NAT? I really do not like the idea of leaving my firewall open for incoming forwards.

Thanks for your help guys.
Cheers!
 
anav
Forum Guru
Posts: 18968
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Double NAT + Firewall forward block => no internet access

Thu Jun 17, 2021 1:57 pm

/export hide-sensitive file=anynameyouwish
 
diego73
newbie
Posts: 26
Joined: Tue Feb 12, 2019 8:22 pm
Location: ciudad de buenos aires, argentina

Re: Double NAT + Firewall forward block => no internet access

Thu Jun 17, 2021 2:35 pm

from your pc or final device:

tracert 1.1.1.1

and please paste result
 
2frogs
Forum Veteran
Posts: 713
Joined: Fri Dec 03, 2010 1:38 am

Re: Double NAT + Firewall forward block => no internet access  [SOLVED]

Thu Jun 17, 2021 4:10 pm

"block all incoming forwards"
You have to allow for returning connections; if you block all incoming connections, you are also blocking your wanted connections. Below are the default firewall rules and the other settings necessary for them to work. You will see the section for Forward that allows Established & Related. This is what you are missing. You should modify your settings and/or the firewall rules to fit your needs. All MikroTik routers have this or similar as default, and the reason yours does not is that it is a switch (the "S" in CRS denotes this). If your Internet speeds are much more than DSL speeds, you may have problems reaching those speeds.
/interface list add name=WAN comment="defconf"
/interface list add name=LAN comment="defconf"

/interface list member add list=LAN interface=bridge comment="defconf"
/interface list member add list=WAN interface=ether1 comment="defconf"

/ip firewall nat add chain=srcnat out-interface-list=WAN ipsec-policy=out,none action=masquerade comment="defconf: masquerade"

/ip firewall {
	filter add chain=input action=accept connection-state=established,related,untracked comment="defconf: accept established,related,untracked"
	filter add chain=input action=drop connection-state=invalid comment="defconf: drop invalid"
	filter add chain=input action=accept protocol=icmp comment="defconf: accept ICMP"
	filter add chain=input action=accept dst-address=127.0.0.1 comment="defconf: accept to local loopback (for CAPsMAN)"
	filter add chain=input action=drop in-interface-list=!LAN comment="defconf: drop all not coming from LAN"
	filter add chain=forward action=accept ipsec-policy=in,ipsec comment="defconf: accept in ipsec policy"
	filter add chain=forward action=accept ipsec-policy=out,ipsec comment="defconf: accept out ipsec policy"
	filter add chain=forward action=fasttrack-connection connection-state=established,related comment="defconf: fasttrack"
	filter add chain=forward action=accept connection-state=established,related,untracked comment="defconf: accept established,related, untracked"
	filter add chain=forward action=drop connection-state=invalid comment="defconf: drop invalid"
	filter add chain=forward action=drop connection-state=new connection-nat-state=!dstnat in-interface-list=WAN comment="defconf: drop all from WAN not DSTNATed"
}
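An added example, not code from this thread or from RouterOS: a small Python model of a stateful forward chain that shows why a bare "drop everything arriving on WAN" rule also drops the replies to the LAN's own outbound connections, and why the defconf "accept established,related" rule placed before the drop fixes it. Addresses and the reduced rule sets are constructed for the illustration; the real defconf drop rule also checks connection-nat-state, which is left out here.

```python
# Added example (not from the thread): toy model of a RouterOS-style
# forward chain with first-match semantics and a minimal connection tracker.
from dataclasses import dataclass, field

@dataclass(frozen=True)
class Packet:
    in_list: str   # interface list the packet arrived on: "LAN" or "WAN"
    src: str
    dst: str

@dataclass
class ForwardChain:
    # Each rule: (connection states it matches or None, in-interface list or None, action)
    rules: list
    conntrack: set = field(default_factory=set)  # (src, dst) of accepted new connections

    def connection_state(self, pkt):
        # A packet in either direction of a tracked flow counts as "established".
        if (pkt.src, pkt.dst) in self.conntrack or (pkt.dst, pkt.src) in self.conntrack:
            return "established"
        return "new"

    def filter(self, pkt):
        state = self.connection_state(pkt)
        verdict = "accept"  # RouterOS: a packet matching no rule is accepted
        for states, in_list, action in self.rules:
            if states is not None and state not in states:
                continue
            if in_list is not None and pkt.in_list != in_list:
                continue
            verdict = action
            break  # the first matching terminating rule decides
        if verdict == "accept" and state == "new":
            self.conntrack.add((pkt.src, pkt.dst))
        return verdict

# The OP's approach: block every forward arriving from WAN, regardless of state.
BLOCK_ALL_WAN = [(None, "WAN", "drop")]
# The defconf rules 2frogs quotes, reduced to the two that matter here.
DEFCONF = [({"established", "related"}, None, "accept"),
           ({"new"}, "WAN", "drop")]

def run_scenario(rules):
    fw = ForwardChain(list(rules))
    lan_host, internet = "192.168.88.10", "1.1.1.1"   # constructed addresses
    return {
        "lan_to_internet": fw.filter(Packet("LAN", lan_host, internet)),
        "reply_from_internet": fw.filter(Packet("WAN", internet, lan_host)),
        "unsolicited_from_wan": fw.filter(Packet("WAN", "203.0.113.7", lan_host)),
    }
```

With BLOCK_ALL_WAN the outbound packet leaves but the reply is dropped, which is exactly the "no internet" symptom; with DEFCONF the reply is accepted while an unsolicited inbound connection is still dropped.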
 
iegg
just joined
Topic Author
Posts: 18
Joined: Thu May 27, 2021 10:13 pm

Re: Double NAT + Firewall forward block => no internet access

Tue Jul 27, 2021 10:13 pm

Hi all,

Sorry for the late reply.
I have now tested 2frogs' solution. Indeed, the problem was that my fw filter rules did not include an accept rule for 'related,established' forward connections. After including it, everything works as expected.
Thanks 2frogs and everybody else for your help, much appreciated!

Just out of curiosity: what does connection-state 'untracked' mean? I did not enable it for the forward accept rule, but everything still works fine.

Cheers!
