Zoolander06
Frequent Visitor
Topic Author
Posts: 86
Joined: Thu Jan 03, 2019 5:26 pm

Overriding netmap

Fri Jul 16, 2021 5:29 pm

Hello,

I have an RB3011 that has been working well for months with a quite non-standard configuration (it's used as a failover device) with extensive use of the netmap function.
I used to use PPTP for maintenance purposes, but my ISP doesn't allow it anymore, so I wanted to switch to L2TP.
Problem: it doesn't work. It seems like the IPsec policy that is automatically created uses a LAN address as the src-address, so it doesn't match the L2TP connection.
If I disable the netmap rule, it works well.

I tried to add an "accept" rule for udp/500 and udp/4500 and to place it before the netmap rule, but it does not change anything.

Here is the configuration:
/interface bridge
add admin-mac=C4:AD:34:D9:16:67 auto-mac=no comment=defconf name=bridge
add arp=proxy-arp name=bridge-voip
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip ipsec proposal
set [ find default=yes ] lifetime=8h
/ip pool
add name=dhcp_pool1 ranges=172.16.1.101-172.16.1.130
add name=pptp-pool ranges=172.16.1.20-172.16.1.30
/ip dhcp-server
add address-pool=dhcp_pool1 disabled=no interface=bridge-voip name=dhcp-voip
/ppp profile
add local-address=172.16.1.253 name=PPTP only-one=no remote-address=pptp-pool
/user group
set full policy="local,telnet,ssh,ftp,reboot,read,write,policy,test,winbox,pas\
    sword,web,sniff,sensitive,api,romon,dude,tikapp"
/interface bridge port
add bridge=bridge comment=defconf interface=ether5
add bridge=bridge comment=defconf interface=ether6
add bridge=bridge-voip comment=defconf interface=ether7
add bridge=bridge-voip comment=defconf interface=ether8
add bridge=bridge-voip comment=defconf interface=ether9
add bridge=bridge comment=defconf interface=sfp1
add bridge=bridge-voip interface=ether10
/ip neighbor discovery-settings
set discover-interface-list=LAN
/interface ethernet switch rule
add new-vlan-priority=5 ports=switch1-cpu src-mac-address=\
    C4:AD:34:D9:16:69/FF:FF:FF:FF:FF:FF switch=switch1
/interface l2tp-server server
set authentication=mschap1,mschap2 enabled=yes use-ipsec=required
/interface list member
add interface=bridge list=LAN
add interface=ether1 list=WAN
add interface=ether2 list=WAN
add interface=ether3 list=WAN
add interface=bridge-voip list=LAN
add list=LAN
/interface pptp-server server
set default-profile=PPTP
/ip address
add address=XX.XX.XX.81/29 interface=ether1 network=XX.XX.XX.80
add address=XX.XX.XX.82/29 interface=ether1 network=XX.XX.XX.80
add address=XX.XX.XX.83/29 interface=ether1 network=XX.XX.XX.80
add address=XX.XX.XX.84/29 interface=ether1 network=XX.XX.XX.80
add address=XX.XX.XX.85/29 interface=ether1 network=XX.XX.XX.80
add address=YY.YY.YY.97/29 interface=ether2 network=YY.YY.YY.96
add address=YY.YY.YY.98/29 interface=ether2 network=YY.YY.YY.96
add address=YY.YY.YY.99/29 interface=ether2 network=YY.YY.YY.96
add address=YY.YY.YY.100/29 interface=ether2 network=YY.YY.YY.96
add address=YY.YY.YY.101/29 interface=ether2 network=YY.YY.YY.96
add address=192.168.254.1/24 interface=ether3 network=192.168.254.0
add address=10.0.0.5/29 interface=bridge network=10.0.0.0
add address=172.16.1.253/24 comment="LAN VOIP" interface=bridge-voip network=\
    172.16.1.0
/ip dhcp-server network
add address=172.16.1.0/24 dns-server=80.12.10.152,80.12.10.156 gateway=\
    172.16.1.254
/ip dns
set allow-remote-requests=yes servers=194.2.0.50,194.2.0.20
/ip dns static
add address=192.168.88.1 comment=defconf name=router.lan
/ip firewall filter
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=accept chain=input comment="Accept L2TP over IPSec" dst-port=\
    1701,500,4500 in-interface-list=WAN protocol=udp
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment=\
    "accept WebFig HTTPS connexions from WAN" dst-port=8443 \
    in-interface-list=WAN protocol=tcp
add action=accept chain=input comment=\
    "defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
    in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
    ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
    ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
    connection-state=established,related
add action=accept chain=forward comment=\
    "defconf: accept established,related, untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
add action=drop chain=forward comment=\
    "defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
    connection-state=new in-interface-list=WAN
/ip firewall mangle
add action=mark-connection chain=prerouting connection-mark=no-mark \
    dst-address=172.16.1.250 in-interface=bridge new-connection-mark=SSP \
    passthrough=yes src-address=10.0.0.2
add action=mark-connection chain=prerouting connection-mark=no-mark \
    in-interface=ether1 new-connection-mark=in-BIO passthrough=yes
add action=mark-connection chain=prerouting connection-mark=no-mark \
    in-interface=ether2 new-connection-mark=in-BIV passthrough=yes
add action=mark-connection chain=prerouting connection-mark=no-mark \
    in-interface=bridge new-connection-mark=out passthrough=yes
add action=mark-routing chain=prerouting connection-mark=SSP in-interface=\
    bridge new-routing-mark=SSP passthrough=yes
add action=mark-routing chain=prerouting connection-mark=in-BIO \
    dst-address-type=!local in-interface-list=LAN new-routing-mark=BIO \
    passthrough=yes
add action=mark-routing chain=prerouting connection-mark=in-BIV \
    dst-address-type=!local in-interface-list=LAN new-routing-mark=BIV \
    passthrough=yes
add action=mark-routing chain=output connection-mark=in-BIO new-routing-mark=\
    BIO passthrough=yes
add action=mark-routing chain=output connection-mark=in-BIV new-routing-mark=\
    BIV passthrough=yes
/ip firewall nat
add action=masquerade chain=srcnat ipsec-policy=out,none out-interface=ether3
add action=masquerade chain=srcnat out-interface=ether4
add action=src-nat chain=srcnat ipsec-policy=out,none out-interface=ether1 \
    src-address=10.0.0.1 to-addresses=XX.XX.XX.81
add action=src-nat chain=srcnat ipsec-policy=out,none out-interface=ether1 \
    src-address=10.0.0.2 to-addresses=XX.XX.XX.82
add action=src-nat chain=srcnat ipsec-policy=out,none out-interface=ether1 \
    src-address=10.0.0.3 to-addresses=XX.XX.XX.83
add action=src-nat chain=srcnat ipsec-policy=out,none out-interface=ether1 \
    src-address=10.0.0.4 to-addresses=XX.XX.XX.84
add action=src-nat chain=srcnat ipsec-policy=out,none out-interface=ether1 \
    src-address=10.0.0.5 to-addresses=XX.XX.XX.85
add action=src-nat chain=srcnat ipsec-policy=out,none out-interface=ether2 \
    src-address=10.0.0.1 to-addresses=YY.YY.YY.97
add action=src-nat chain=srcnat ipsec-policy=out,none out-interface=ether2 \
    src-address=10.0.0.2 to-addresses=YY.YY.YY.98
add action=src-nat chain=srcnat ipsec-policy=out,none out-interface=ether2 \
    src-address=10.0.0.3 to-addresses=YY.YY.YY.99
add action=src-nat chain=srcnat ipsec-policy=out,none out-interface=ether2 \
    src-address=10.0.0.4 to-addresses=YY.YY.YY.100
add action=src-nat chain=srcnat ipsec-policy=out,none out-interface=ether2 \
    src-address=10.0.0.5 to-addresses=YY.YY.YY.101
add action=netmap chain=dstnat dst-address=XX.XX.XX.80/29 in-interface=ether1 \
    to-addresses=10.0.0.0/29
add action=netmap chain=dstnat dst-address=YY.YY.YY.96/29 in-interface=ether2 \
    to-addresses=10.0.0.0/29
/ip firewall service-port
set tftp disabled=yes
set irc disabled=yes
set h323 disabled=yes
set sip disabled=yes
set udplite disabled=yes
set dccp disabled=yes
set sctp disabled=yes
/ip ipsec policy
set 0 dst-address=0.0.0.0/0 src-address=0.0.0.0/0
/ip route
add check-gateway=ping distance=1 dst-address=172.16.1.250/32 gateway=\
    YY.YY.YY.102 routing-mark=SSP
add check-gateway=ping distance=1 gateway=XX.XX.XX.86 routing-mark=BIO
add distance=2 routing-mark=BIO type=unreachable
add check-gateway=ping distance=1 gateway=YY.YY.YY.102 routing-mark=BIV
add distance=2 routing-mark=BIV type=unreachable
add check-gateway=ping distance=1 gateway=172.16.1.254 routing-mark=VOIP
add check-gateway=ping comment=BIO distance=1 gateway=XX.XX.XX.86
add check-gateway=ping comment=BIV distance=2 gateway=YY.YY.YY.102
add check-gateway=ping distance=3 gateway=192.168.254.254
add check-gateway=ping distance=1 dst-address=80.12.10.152/32 gateway=\
    172.16.1.254
add check-gateway=ping distance=1 dst-address=80.12.10.156/32 gateway=\
    172.16.1.254
add check-gateway=ping distance=1 dst-address=192.252.164.144/32 gateway=\
    172.16.1.254
add check-gateway=ping distance=1 dst-address=217.167.53.129/32 gateway=\
    172.16.1.254
add check-gateway=ping distance=1 dst-address=217.167.210.132/32 gateway=\
    172.16.1.254
/ip service
set www-ssl certificate=WebFig disabled=no port=443
/lcd
set time-interval=hour
/ppp secret
add local-address=172.16.1.253 name=l2tp_user remote-address=172.16.1.20 service=\
    l2tp

How can I do this?

Thanks,

Joris
 
Cablenut9
Long time Member
Posts: 542
Joined: Fri Jan 08, 2021 5:30 am

Re: Overriding netmap

Fri Jul 16, 2021 6:04 pm

NAT rules come before any "filter" rule, so to fix this, exclude the ports 500 and 4500 from the netmap rule.
 
Zoolander06
Frequent Visitor
Topic Author
Posts: 86
Joined: Thu Jan 03, 2019 5:26 pm

Re: Overriding netmap

Fri Jul 16, 2021 6:31 pm

It won't fit my needs: I want to exclude it just for one dst-address.
 
Cablenut9
Long time Member
Posts: 542
Joined: Fri Jan 08, 2021 5:30 am

Re: Overriding netmap

Fri Jul 16, 2021 6:35 pm

Then add Src. Address = !your-excluded-address to the netmap rule.
 
Zoolander06
Frequent Visitor
Topic Author
Posts: 86
Joined: Thu Jan 03, 2019 5:26 pm

Re: Overriding netmap

Fri Jul 16, 2021 6:59 pm

It's not a src-address that I want to exclude but a dst-address.
Here is the rule:
add action=netmap chain=dstnat dst-address=YY.YY.YY.96/29 in-interface=ether2 to-addresses=10.0.0.0/29

I want to exclude IPsec connections for the address YY.YY.YY.101, so I tried to add this rule before it:
add action=accept chain=dstnat dst-address=YY.YY.YY.101/32 protocol=udp dst-port=500,4500 in-interface=ether2 

So the IPsec connections should match this rule and not the "netmap" one, but it doesn't work; the counter for this new rule stays at 0.

What am I doing wrong?

Joris
 
Cablenut9
Long time Member
Posts: 542
Joined: Fri Jan 08, 2021 5:30 am

Re: Overriding netmap

Fri Jul 16, 2021 7:23 pm

All NAT rules try to match before anything in the filter section, so if any of your NAT rules match your traffic, then it gets "taken away" from any accept rules elsewhere. Try adding Dst. Address = !YY.YY.YY.101 to the NAT rule.
 
Zoolander06
Frequent Visitor
Topic Author
Posts: 86
Joined: Thu Jan 03, 2019 5:26 pm

Re: Overriding netmap

Mon Jul 19, 2021 11:45 am

Again, I can't do that because I already have something in the dst-address field:
add action=netmap chain=dstnat dst-address=YY.YY.YY.96/29 in-interface=ether2 to-addresses=10.0.0.0/29
My accept rule was a NAT rule:
/ip firewall nat add action=accept chain=dstnat dst-address=YY.YY.YY.101/32 protocol=udp dst-port=500,4500 in-interface=ether2 
And it was before the netmap rule, so I don't understand why it wasn't matching.
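The following is an added example, not a reply from the thread and not the original poster's configuration. It shows the approach discussed above (an accept rule in the dstnat chain ahead of the netmap rule, so IKE and NAT-T traffic to one public address is never translated) together with the checks a practitioner would run afterwards. The placeholder addresses YY.YY.YY.96/29, YY.YY.YY.101 and 10.0.0.0/29 and the rule comments are taken from or invented for this thread; the commands are standard RouterOS v6 commands. It does not claim to explain why the counter in the post above stayed at 0, but it does cover the most common reason a freshly added NAT rule never counts.

```routeros
# Added example (not from the thread): keep IKE (udp/500) and NAT-T (udp/4500)
# destined to YY.YY.YY.101 out of the 1:1 netmap, by matching them first.
/ip firewall nat
# action=accept in the dstnat chain ends chain processing for that packet
# without translating it, so the netmap rule below never sees it.
add chain=dstnat action=accept in-interface=ether2 dst-address=YY.YY.YY.101 \
    protocol=udp dst-port=500,4500 comment="no netmap for IKE/NAT-T to .101"
add chain=dstnat action=netmap in-interface=ether2 dst-address=YY.YY.YY.96/29 \
    to-addresses=10.0.0.0/29 comment="1:1 public to private"

# Order is what decides the match: the accept rule has to sit above the netmap
# rule. Move it there explicitly rather than trusting where "add" placed it.
/ip firewall nat move [find comment="no netmap for IKE/NAT-T to .101"] \
    [find comment="1:1 public to private"]
/ip firewall nat print stats where chain=dstnat

# NAT rules are evaluated only for the first packet of a connection. A udp/500
# or udp/4500 flow that was already in the connection table while netmap applied
# keeps its old translation and never increments the new rule's counter.
# Drop those tracked entries, then let the L2TP client reconnect.
/ip firewall connection remove [find protocol=udp dst-address~":500$"]
/ip firewall connection remove [find protocol=udp dst-address~":4500$"]

# After a fresh connection the dynamic policy created for the L2TP peer should
# show the public WAN address, not a 10.0.0.x address, as its src-address.
/ip ipsec policy print where dynamic=yes
/ip ipsec active-peers print
```

If the accept rule still shows zero packets after the connection table has been flushed and the client has reconnected, the traffic is not arriving with the in-interface, dst-address and ports the rule expects; `/tool sniffer quick interface=ether2 port=500,4500` is the quickest way to see what actually reaches the router.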
