ryn22
just joined
Topic Author
Posts: 3
Joined: Thu Sep 02, 2021 1:06 pm

CCR1016-12G Network issues

Thu Sep 02, 2021 1:36 pm

Hello everyone!

I'm fairly new to MikroTik (basic administration and debugging) and I've inherited this CCR1016-12G with a weird configuration.

There are 2 important bridges set up:
br-wan - goes to the internet
br-lan-srv - goes to LAN
I'm facing strange network issues:
- some machines cannot go out to the internet without having the public IP installed on the machine (configuring the public IP in the network settings); this completely bypasses the MikroTik firewall, and there are no logs for the NAT rule (which is correctly set up)
- all network devices go out to the internet with the IP of the MikroTik. When changing the bridge out-interfaces from br-wan to br-lan-srv, all network devices go out with the NAT'ed external IPs but lose DNS.
# sep/02/2021 12:08:06 by RouterOS 6.47.7
# software id = VZ99-XQJJ
#
# model = CCR1016-12G
# serial number = 742E0603F0CC
# NOTE(review): the software id and serial number identify this specific unit
# and are normally redacted before an export is shared.
# NOTE(review): this is a forum paste rather than a clean export - a few section
# headers below lost their leading "/" or picked up indentation, and one run of
# NAT rules is summarised in prose. Read it as a snapshot; do not /import it.
/interface bridge
# br-wan holds the public /24 (see /ip address) and, per the bridge-port section,
# eleven of the twelve ethernet ports. Frames between member ports of the same
# bridge are switched and never traverse /ip firewall.
# arp=local-proxy-arp on br-wan makes the router answer ARP on that bridge on
# behalf of other hosts (RouterOS proxy-ARP); confirm that is intended on the
# ISP-facing segment.
add fast-forward=no name=br-lan-srv
add name=br-lan-usr
add name=br-man
add arp=local-proxy-arp name=br-wan
add name=br-wlan-container
add name=br-wlan-guest
add name=br-wlan-usr
/interface ethernet
# Every port is pinned to 100Mbps.
set [ find default-name=ether1 ] speed=100Mbps
set [ find default-name=ether2 ] speed=100Mbps
set [ find default-name=ether3 ] speed=100Mbps
set [ find default-name=ether4 ] speed=100Mbps
set [ find default-name=ether5 ] speed=100Mbps
set [ find default-name=ether6 ] speed=100Mbps
set [ find default-name=ether7 ] speed=100Mbps
set [ find default-name=ether8 ] speed=100Mbps
set [ find default-name=ether9 ] speed=100Mbps
set [ find default-name=ether10 ] speed=100Mbps
set [ find default-name=ether11 ] speed=100Mbps
set [ find default-name=ether12 ] speed=100Mbps

/interface vlan
# Tagged sub-interfaces. The two wlan VLANs are bridged into br-wlan-container
# further down; vlan 1008 sits on br-lan-usr, which has no member port anywhere
# in this export.
add interface=br-wlan-guest name=vlan-wlan-guest-91 vlan-id=91
add interface=br-wlan-usr name=vlan-wlan-usr-90 vlan-id=90
add interface=br-lan-usr name=wlan-guest-vlan1008 vlan-id=1008
/ip pool
# One pool per DHCP subnet. The "vpn" pool is not referenced by anything in
# this export (whatever uses it is outside the paste).
add name=pool-ipv4-usr ranges=192.168.6.100-192.168.6.250
add name=pool-ipv4-man ranges=192.168.4.200-192.168.4.250
add name=pool-ipv4-wlan-guest ranges=10.10.7.10-10.10.7.250
add name=pool-ipv4-wlan-usr ranges=192.168.7.10-192.168.7.250
add name=vpn ranges=192.168.89.2-192.168.89.255

/ip dhcp-server
# Servers live on br-lan-usr, br-man, br-wlan-guest and br-wlan-usr. None of
# these bridges has a member port in the bridge-port section below (only
# br-wan, br-lan-srv and br-wlan-container do).
add address-pool=pool-ipv4-usr disabled=no interface=br-lan-usr lease-time=8h \
    name=dhcp-ipv4-usr
add address-pool=pool-ipv4-man disabled=no interface=br-man lease-time=8h \
    name=dhcp-ipv4-man
add address-pool=pool-ipv4-wlan-guest disabled=no interface=br-wlan-guest \
    lease-time=15m name=dhcp-ipv4-wlan-guest
add address-pool=pool-ipv4-wlan-usr disabled=no interface=br-wlan-usr \
    lease-time=8h name=dhcp-ipv4-wlan-usr
# NOTE(review): the next line should read "/interface bridge port"; the leading
# "/" was lost in the paste.
    interface bridge port
# br-wan members: ether1, ether2 and ether4-ether12 (hw=no on most of them).
# ether3 is the only member of br-lan-srv. A device plugged into any br-wan
# port sits directly on the ISP segment: with a public IP configured it reaches
# the ISP gateway by switching, bypassing NAT, the filter chains and the DNS
# mangle marks - which is the first symptom described in the post.
add bridge=br-wan hw=no interface=ether2
add bridge=br-lan-srv hw=no interface=ether3
add bridge=br-wan hw=no interface=ether4
add bridge=br-wan hw=no interface=ether5
add bridge=br-wan hw=no interface=ether6
add bridge=br-wan hw=no interface=ether7
add bridge=br-wan hw=no interface=ether8
add bridge=br-wan hw=no interface=ether9
add bridge=br-wan hw=no interface=ether12
add bridge=br-wan hw=no interface=ether11
# The two wlan VLAN interfaces are the only members of br-wlan-container.
add bridge=br-wlan-container interface=vlan-wlan-guest-91
add bridge=br-wlan-container interface=vlan-wlan-usr-90
add bridge=br-wan interface=ether1
add bridge=br-wan interface=ether10

/ip address
# public_ip.254/24 on br-wan is the static WAN address; /ip dhcp-client below
# is also enabled on br-wan, so a second, DHCP-assigned address may coexist.
add address=public_ip.254/24 comment="br-wan - ISP" interface=br-wan network=\
    public_ip.0
add address=192.168.6.254/24 comment="br-usr - USER SUBNET" interface=\
    br-lan-usr network=192.168.6.0
# The comment says br-man but the interface is br-lan-srv: the management
# subnet is bound to the server bridge. The forward rule that gates management
# access matches out-interface=br-man, so as configured it does not cover
# 192.168.4.0/24.
add address=192.168.4.254/24 comment="br-man - MANAGEMENT SUBNET" interface=\
    br-lan-srv network=192.168.4.0
add address=192.168.5.254/24 comment="br-lan-srv - SERVER SUBNET" interface=\
    br-lan-srv network=192.168.5.0
add address=10.10.7.254/24 comment="Guest subnet gateway" interface=\
    br-wlan-guest network=10.10.7.0
# Disabled, and bound to ether10, which is itself a br-wan member port.
add address=public_ip.253/24 comment="USED FOR VPN TUNNELS" disabled=yes \
    interface=ether10 network=public_ip.0
# Second router address in 192.168.5.0/24; the static route at the end selects
# it as pref-src.
add address=192.168.5.5/24 interface=br-lan-srv network=192.168.5.0
/ip arp
# Static ARP entry for public_ip.35 on br-wan with no MAC address given; looks
# like a leftover - verify before keeping it.
add address=public_ip.35 interface=br-wan

/ip cloud
# Publishes the WAN address to MikroTik's cloud DDNS service.
set ddns-enabled=yes
/ip dhcp-client
# DHCP on the WAN bridge in addition to the static public_ip.254 above.
add interface=br-wan
/ip dhcp-server config
set store-leases-disk=8h
/ip dhcp-server network
# Every subnet hands out the router as DNS and NTP server. 192.168.7.254
# (gateway/DNS for the wlan-usr subnet) is not configured in /ip address in
# this export.
add address=10.10.7.0/24 dns-server=10.10.7.254 domain=guest.company.com \
    gateway=10.10.7.254 netmask=24 ntp-server=10.10.7.254
add address=192.168.4.0/24 dns-server=192.168.4.254 domain=honeybeez.mgt \
    gateway=192.168.4.254 netmask=24 ntp-server=192.168.4.254
add address=192.168.6.0/24 dns-server=192.168.6.254 domain=company.local \
    gateway=192.168.6.254 netmask=24 ntp-server=192.168.6.254
add address=192.168.7.0/24 dns-server=192.168.7.254 domain=company.local \
    gateway=192.168.7.254 netmask=24 ntp-server=192.168.7.254
/ip dns
# The router resolves for clients (allow-remote-requests=yes) via 8.8.8.8 and
# 1.1.1.1. Who may query it is decided solely by the input chain: the "allow
# input from non-wan interfaces" rule admits every LAN-side interface, and the
# final drop shields the WAN as long as if-list-wan (not in this export)
# contains br-wan. The explicit "DNS allow" rules are disabled and are not what
# makes LAN DNS work.
set allow-remote-requests=yes cache-max-ttl=5m cache-size=10240KiB \
    max-concurrent-queries=500 max-concurrent-tcp-sessions=100 servers=\
    8.8.8.8,1.1.1.1
    
# NOTE(review): the section header below is indented in the paste; it is the
# /ip firewall filter section. Rules are evaluated in listed order per chain
# and the first terminating match wins.
    /ip firewall filter
add action=passthrough chain=unused-hs-chain comment=\
    "place hotspot rules here" disabled=yes
# Unconditional accept (all states, all interfaces) for sources on fw-list-dc,
# ahead of the invalid-state drop. The list contents are not in this export;
# every router service is open to whatever is on it.
add action=accept chain=input connection-state=established,related,new \
    src-address-list=fw-list-dc
# No rules for chain wan_open appear in this export, so this jump returns
# without effect.
add action=jump chain=input comment="Jump for wan input flow" \
    in-interface-list=if-list-wan jump-target=wan_open
add action=drop chain=input comment="Drop Invalid INPUT" connection-state=\
    invalid
# Drops WAN-side packets whose source is on fw-list-lan (anti-spoofing; the
# list itself is not in this export).
add action=drop chain=input comment="Drop WAN private ip's" \
    in-interface-list=if-list-wan src-address-list=fw-list-lan
# SYN-flood and port-scan heuristics: offending sources go onto timed address
# lists (logged) and are tarpitted/dropped by the rule following each detector.
add action=add-src-to-address-list address-list=fw-list-tcp-syn-flooder \
    address-list-timeout=30m chain=input comment=\
    "Add Syn Flood IP to the list" connection-limit=30,32 in-interface-list=\
    if-list-wan log=yes log-prefix="[TCP_SYN_FLOOD]" protocol=tcp tcp-flags=\
    syn
add action=tarpit chain=input comment="Drop to syn flood list" \
    connection-limit=3,32 protocol=tcp src-address-list=\
    fw-list-tcp-syn-flooder
add action=add-src-to-address-list address-list=fw-list-port-scanner \
    address-list-timeout=10m chain=input comment="Port Scanner Detect" log=\
    yes log-prefix="[PORT_SCANNER]" protocol=tcp psd=21,3s,3,1
add action=drop chain=input comment="Drop to port scan list" \
    src-address-list=fw-list-port-scanner
add action=jump chain=input comment="Jump for icmp input flow" \
    in-interface-list=if-list-wan jump-target=icmp protocol=icmp
# Both "DNS allow" rules are disabled; see the /ip dns note above.
add action=accept chain=input comment="DNS allow" disabled=yes dst-port=53 \
    protocol=tcp src-address-list=fw-list-lan
add action=accept chain=input comment="DNS allow" disabled=yes dst-port=53 \
    protocol=udp src-address-list=fw-list-lan
# udp/4500 accepted from any source to any router address; the logged rule a
# few lines down covers udp/500,4500 to public_ip.254 again. The 62.8.223.144
# variants are disabled leftovers.
add action=accept chain=input comment="allow IPsec NAT" dst-port=4500 \
    protocol=udp
add action=accept chain=input comment="allow input DNS for IPSec " \
    connection-state=new dst-port=53 ipsec-policy=in,ipsec protocol=udp \
    src-address-list=fw-list-lan
add action=accept chain=input dst-address=public_ip.254 dst-port=500,4500 \
    log=yes protocol=udp
add action=accept chain=input disabled=yes dst-address=62.8.223.144 dst-port=\
    500,4500 protocol=udp
add action=accept chain=input comment="Allow IPSec ESP inbound" dst-address=\
    public_ip.254 protocol=ipsec-esp
add action=accept chain=input comment="Allow IPSec ESP inbound" disabled=yes \
    dst-address=62.8.223.144 protocol=ipsec-esp
# Any new connection to the router from every non-WAN interface is accepted;
# this one rule exposes every router service (DNS included) to all LAN
# segments.
add action=accept chain=input comment="allow input from non-wan interfaces" \
    connection-state=new in-interface-list=!if-list-wan
add action=accept chain=input comment="allow input established / related " \
    connection-state=established,related
# Input catch-all. log-prefix is set but log=yes is not, so nothing is logged.
add action=drop chain=input comment="DROP ANYTHING ELSE" log-prefix=input
# Management gating: only sources on fw-list-allow-man may be forwarded to
# br-man. br-man has no member ports and the 192.168.4.0/24 address sits on
# br-lan-srv, so this rule does not protect that subnet as configured.
add action=drop chain=forward comment="Allow forward connections to management\
    \_network only from fw-list-allow-man" in-interface-list=!if-list-wan \
    log=yes log-prefix="[MAN]" out-interface=br-man src-address-list=\
    !fw-list-allow-man
# TCP towards fw-list-forbidden-wan (list not in this export) is reset;
# log-prefix without log=yes again logs nothing.
add action=reject chain=forward comment="WAN block forbidden destinations" \
    dst-address-list=fw-list-forbidden-wan log-prefix="[FORBIDDEN]" protocol=\
    tcp reject-with=tcp-reset
# New inbound WAN connections not from fw-list-dc go through detect-ddos, which
# returns while under the dst-limit rate and otherwise lists both ends for
# 10m; the two rules right after the jump then tarpit/drop listed pairs.
add action=jump chain=forward connection-state=new in-interface-list=\
    if-list-wan jump-target=detect-ddos log-prefix="FWD DD" src-address-list=\
    !fw-list-dc
add action=tarpit chain=forward connection-limit=3,32 dst-address-list=\
    fw-list-ddosed log=yes log-prefix="[DDoS TCP]" protocol=tcp \
    src-address-list=fw-list-ddoser
add action=drop chain=forward connection-limit=0,32 dst-address-list=\
    fw-list-ddosed log=yes log-prefix="[DDoS]" src-address-list=\
    fw-list-ddoser
# Anything towards the WAN list is forwarded, from any interface and any
# source, with no state check.
add action=accept chain=forward comment="allow outbound traffic to internet" \
    out-interface-list=if-list-wan
add action=accept chain=forward comment=\
    "allow forward established / related " connection-state=\
    established,related
# detect-ddos chain body.
add action=return chain=detect-ddos dst-limit=50,75,src-and-dst-addresses/10s
add action=add-dst-to-address-list address-list=fw-list-ddosed \
    address-list-timeout=10m chain=detect-ddos
add action=add-src-to-address-list address-list=fw-list-ddoser \
    address-list-timeout=10m chain=detect-ddos
# Forwarded traffic that matched a NAT rule is accepted.
add action=accept chain=forward comment="allow forward srcnat / dstnat" \
    connection-nat-state=srcnat,dstnat
# Forward catch-all, logged.
add action=drop chain=forward comment="DROP ANYTHING ELSE" log=yes \
    log-prefix="[forward]"
# Unreachable: placed after the forward chain's catch-all drop.
add action=jump chain=forward in-interface-list=if-list-wan jump-target=icmp \
    protocol=icmp
# icmp chain: rate-limited echo requests plus the replies and errors needed
# for traceroute and PMTUD; everything else is dropped.
add action=accept chain=icmp comment="Echo request - Avoiding Ping Flood" \
    icmp-options=8:0 limit=30,50:packet protocol=icmp
add action=accept chain=icmp comment="Echo reply" icmp-options=0:0 protocol=\
    icmp
add action=accept chain=icmp comment="Time Exceeded" icmp-options=11:0 \
    protocol=icmp
add action=accept chain=icmp comment="Destination unreachable" icmp-options=\
    3:0-1 protocol=icmp
add action=accept chain=icmp comment=PMTUD icmp-options=3:4 protocol=icmp
add action=drop chain=icmp comment="Drop to the other ICMPs" protocol=icmp
add action=jump chain=output comment="Jump for icmp output" jump-target=icmp \
    protocol=icmp
# chain vpn-in has no other rules and nothing in this export jumps to it.
add action=jump chain=vpn-in comment="Jump for icmp output" jump-target=icmp \
    protocol=icmp
# Unreachable: placed after the input chain's "DROP ANYTHING ELSE". Only the
# DNS-specific ipsec-policy rule above is effective for IPsec peers.
add action=accept chain=input ipsec-policy=in,ipsec
add action=accept chain=forward connection-state=new disabled=yes \
    out-interface=br-lan-srv
/ip firewall mangle
# Marks udp/53 packets matched by two layer7 patterns. Neither the layer7
# definitions (ad_domains, st.company.lan) nor any rule consuming the packet
# marks is in this export; as pasted the marks are set but unused.
add action=mark-packet chain=prerouting comment=\
    "mark dns packets in order to redirect them to active directory server" \
    dst-port=53 layer7-protocol=ad_domains new-packet-mark=srvdc3 \
    passthrough=yes protocol=udp
add action=mark-packet chain=prerouting comment=\
    "mark dns packets in order to redirect them to active directory server" \
    dst-port=53 layer7-protocol=st.company.lan new-packet-mark=\
    st.company.lan passthrough=yes protocol=udp
# Clamps TCP MSS to the path MTU on SYN packets.
add action=change-mss chain=forward comment="PMTU/MSS " new-mss=clamp-to-pmtu \
    passthrough=yes protocol=tcp tcp-flags=syn
    
# NOTE(review): the section header below is indented in the paste; it is the
# /ip firewall nat section. srcnat is also first-match.
    /ip firewall nat
add action=passthrough chain=unused-hs-chain comment=\
    "place hotspot rules here" disabled=yes
# Listed first in srcnat: every 192.168.5.0/24 host leaving via br-wan is
# masqueraded to public_ip.254 here, before the per-host src-nat rules
# summarised below are consulted - consistent with the second symptom in the
# post. Per-host rules have to sit above this one to take effect. No srcnat
# rule for the other subnets (192.168.4/6/7.0, 10.10.7.0) is visible in this
# paste.
add action=masquerade chain=srcnat comment=\
    "Allow internet connection for srv inside network" out-interface=br-wan \
    src-address=192.168.5.0/24
    ** list of src nat and dst nat for machines to have a public ip NAT**
# Hairpin/U-turn pattern (as the rule comment says): traffic from
# 192.168.5.0/24 routed back into 192.168.5.0/24 is masqueraded. log-prefix
# without log=yes logs nothing.
    add action=masquerade chain=srcnat comment=\
    "HAIRPIN NAT / NAT REFLECTION / U-TURN" dst-address=192.168.5.0/24 \
    log-prefix=test1 src-address=192.168.5.0/24
    
# NOTE(review): indented section header below; this is the /ip route section.
    /ip route
# Default route via the ISP gateway.
add distance=1 gateway=public_ip.1
# Disabled leftovers for the 62.8.223.0/24 provider also seen in the filter
# rules.
add disabled=yes distance=1 dst-address=62.8.223.0/24 gateway=62.8.223.1
add disabled=yes distance=1 dst-address=public_ip.0/24 gateway=ether2
# Traffic to public_ip.223 is discarded.
add distance=1 dst-address=public_ip.223/32 type=blackhole
# Same destination as the connected route for 192.168.5.0/24, but pref-src
# makes the router source its own traffic to that subnet from 192.168.5.5
# instead of .254.
add distance=1 dst-address=192.168.5.0/24 gateway=br-lan-srv pref-src=\
    192.168.5.5
    
I have been trying to debug this for months now, and I finally came here, because there's clearly something in the configuration that I'm not seeing (or don't know about).
I am sincerely out of ideas.

Thank you for your time!
Kind regards,
Ryn22
 
ryn22
just joined
Topic Author
Posts: 3
Joined: Thu Sep 02, 2021 1:06 pm

Re: CCR1016-12G Network issues

Mon Sep 20, 2021 10:32 am

Up!
 
mkx
Forum Guru
Posts: 11381
Joined: Thu Mar 03, 2016 10:23 pm

Re: CCR1016-12G Network issues

Mon Sep 20, 2021 11:13 am

- some machines cannot go out to the internet without having the public IP installed on the machine (configuring the public IP in the network settings); this completely bypasses the MikroTik firewall, and there are no logs for the NAT rule (which is correctly set up)
Ports ether1, 3, 4, 5, 6, 7, 8, 9, 10, 11 and 12 are all bridged together (in br-wan). A bridge is something like a switch. The MikroTik's WAN address is bound to the bridge interface (more about bridge personalities), which means all of these ports have to be used for connecting devices with public IP addresses directly to the WAN.

Since those ports are bridged/switched, none of the /ip firewall settings apply. Hence no NAT, no firewall protection, no mangling (e.g. directing DNS queries towards internal servers).

- all network devices go out to the internet with the IP of the MikroTik. When changing the bridge out-interfaces from br-wan to br-lan-srv, all network devices go out with the NAT'ed external IPs but lose DNS.
I'm not sure I follow the problem description above. Perhaps the answer to the first question sheds some light on why the router behaves the way it does. If not, rephrase the question (perhaps giving a bit more context would help).
 
ryn22
just joined
Topic Author
Posts: 3
Joined: Thu Sep 02, 2021 1:06 pm

Re: CCR1016-12G Network issues

Mon Sep 20, 2021 2:16 pm

- all network devices go out to the internet with the IP of the MikroTik. When changing the bridge out-interfaces from br-wan to br-lan-srv, all network devices go out with the NAT'ed external IPs but lose DNS.
I'm not sure I follow the problem description above. Perhaps the answer to the first question sheds some light on why the router behaves the way it does. If not, rephrase the question (perhaps giving a bit more context would help).
Hello mkx,

Thank you for answering. I don't know what I will do about this since I don't have a network map and the MikroTik is in another country.

To clarify about the second issue:
in /ip firewall nat the rule:
add action=masquerade chain=srcnat comment=\
"Allow internet connection for srv inside network" out-interface=br-wan \
src-address=192.168.5.0/24
Here, when changing this out-interface from br-wan to br-lan-srv, the MikroTik and all the rules in /ip firewall seem to be applied. Instead of a Windows machine going out with the external IP of the MikroTik, x.x.x.254, it goes out with the specified external IP x.x.x.60, but it cannot resolve any DNS; the DNS server is configured to be the MikroTik, which has 1.1.1.1 and 8.8.8.8 configured as its DNS servers.
If I didn't manage to explain this properly, please tell me.
Thank you very much for your time!

Kind regards,
Ryn
