domodial
Frequent Visitor
Topic Author
Posts: 52
Joined: Mon Aug 24, 2020 7:27 pm

Reject the connection to a local machine from outside.

Thu Sep 09, 2021 6:21 pm

Hello,

I cannot prevent access from outside to a machine that is on the network.
From my smartphone I always have access (4G).
Is there something I don't understand here?

Then I just wanted to give access to this machine but from a specific range ip.
* ether1 are WAN

add action=drop chain=input comment="NO SERVER ACCESS" dst-address=\
192.168.2.113 in-interface=ether1 log=yes log-prefix=NAS-DROP port=\
53200,22 protocol=tcp

Thanks to those who can help me.
 
ConnyMercier
Forum Veteran
Posts: 723
Joined: Tue Dec 17, 2019 1:08 pm

Re: Reject the connection to a local machine from outside.

Thu Sep 09, 2021 7:00 pm

If I am not mistaken, "chain=input" is wrong!
If you set it to "chain=forward" it will work.
 
domodial
Frequent Visitor
Topic Author
Posts: 52
Joined: Mon Aug 24, 2020 7:27 pm

Re: Reject the connection to a local machine from outside.

Thu Sep 09, 2021 7:03 pm

I also tried that, and I am trying it again at the moment. But the router does not intercept it and allows the connection to pass to the server.
 
ConnyMercier
Forum Veteran
Posts: 723
Joined: Tue Dec 17, 2019 1:08 pm

Re: Reject the connection to a local machine from outside.

Thu Sep 09, 2021 7:11 pm

Usually it isn't possible to access clients behind a router over the Internet...
except if you NAT and open your firewall!

Do you have a Synology or QNAP with an online account?!
 
domodial
Frequent Visitor
Topic Author
Posts: 52
Joined: Mon Aug 24, 2020 7:27 pm

Re: Reject the connection to a local machine from outside.

Thu Sep 09, 2021 7:20 pm

I have a Synology with the security rules and the blacklist mode. But I can no longer put up with the 15,000 messages per day which indicate that the NAS is blocking people. So I want to block at the router any attempt to access the NAS, to silence the notifications and especially so that they forget me.
 
domodial
Frequent Visitor
Topic Author
Posts: 52
Joined: Mon Aug 24, 2020 7:27 pm

Re: Reject the connection to a local machine from outside.

Thu Sep 09, 2021 7:22 pm

I have the impression that my firewall does not stop anything at all; if I do the test on a home automation server, it also lets it pass.
 
ConnyMercier
Forum Veteran
Posts: 723
Joined: Tue Dec 17, 2019 1:08 pm

Re: Reject the connection to a local machine from outside.

Thu Sep 09, 2021 7:26 pm

I think we need a diagram of your network
and the config / export of the MikroTik device.
 
ConnyMercier
Forum Veteran
Posts: 723
Joined: Tue Dec 17, 2019 1:08 pm

Re: Reject the connection to a local machine from outside.

Thu Sep 09, 2021 7:33 pm

Quickly delete the EMAIL part of your export!!!
or the whole thing... you have a lot of sensitive info in your export.
 
domodial
Frequent Visitor
Topic Author
Posts: 52
Joined: Mon Aug 24, 2020 7:27 pm

Re: Reject the connection to a local machine from outside.

Thu Sep 09, 2021 7:34 pm

Done
 
domodial
Frequent Visitor
Topic Author
Posts: 52
Joined: Mon Aug 24, 2020 7:27 pm

Re: Reject the connection to a local machine from outside.

Thu Sep 09, 2021 7:53 pm

OK, I just tested with the highest rule on the home automation server and it is blocked. But not the Synology. It answers whatever happens.
Hmm, the home automation server is indeed intercepted for the smartphone applications, but via the web (Chrome) it always passes. I'm going crazy.
 
domodial
Frequent Visitor
Topic Author
Posts: 52
Joined: Mon Aug 24, 2020 7:27 pm

Re: Reject the connection to a local machine from outside.

Thu Sep 09, 2021 8:12 pm

OK, all the tests show that the firewall rule is working. But only for the applications (smartphone) that request the connection.
If I use Chrome to access its services, the router lets it through without any problem. It's still clear progress ;)
Last edited by domodial on Thu Sep 09, 2021 8:13 pm, edited 1 time in total.
 
ConnyMercier
Forum Veteran
Posts: 723
Joined: Tue Dec 17, 2019 1:08 pm

Re: Reject the connection to a local machine from outside.

Thu Sep 09, 2021 8:13 pm

So...

Are you sure your NAS is .113 and not .133?
 
domodial
Frequent Visitor
Topic Author
Posts: 52
Joined: Mon Aug 24, 2020 7:27 pm

Re: Reject the connection to a local machine from outside.

Thu Sep 09, 2021 8:15 pm

Yes, the NAS is .113.
.133 is the UniFi Controller (no gateway on).
 
ConnyMercier
Forum Veteran
Posts: 723
Joined: Tue Dec 17, 2019 1:08 pm

Re: Reject the connection to a local machine from outside.

Thu Sep 09, 2021 8:16 pm

I found this in your export:
add action=dst-nat chain=dstnat comment=NAS dst-port=53200 in-interface=ether1 protocol=tcp to-addresses=192.168.2.133 to-ports=53200
 
domodial
Frequent Visitor
Topic Author
Posts: 52
Joined: Mon Aug 24, 2020 7:27 pm

Re: Reject the connection to a local machine from outside.

Thu Sep 09, 2021 8:22 pm

I just blocked it but I still have access. It is indeed something that was useless. But it still goes through :(
 
domodial
Frequent Visitor
Topic Author
Posts: 52
Joined: Mon Aug 24, 2020 7:27 pm

Re: Reject the connection to a local machine from outside.

Thu Sep 09, 2021 8:26 pm

But overall I realize that the smartphone applications that request access are blocked! And Chrome always passes; isn't that a protocol problem? I find nothing.
 
ConnyMercier
Forum Veteran
Posts: 723
Joined: Tue Dec 17, 2019 1:08 pm

Re: Reject the connection to a local machine from outside.

Thu Sep 09, 2021 8:30 pm

I checked your config and couldn't find anything accepting and/or forwarding WAN to LAN on port 22 and 53200.

You will have to track traffic to identify the problem.
If you don't want to use Wireshark and co...

Go in Winbox under /ip firewall connections
Start a connection to your NAS via LTE and look what happens!
 
ConnyMercier
Forum Veteran
Posts: 723
Joined: Tue Dec 17, 2019 1:08 pm

Re: Reject the connection to a local machine from outside.

Thu Sep 09, 2021 8:31 pm

but, overall I realize that the smartphone applications that request access, are blocked! and chrome always passes, isn't that a protocol problem? I find nothing
Do you have a VPN active?
 
domodial
Frequent Visitor
Topic Author
Posts: 52
Joined: Mon Aug 24, 2020 7:27 pm

Re: Reject the connection to a local machine from outside.

Thu Sep 09, 2021 8:52 pm

No, the VPN on my smartphone is on demand.
I am using OpenVPN connect.
As well as the VPN directly with the router, but it is not activated on the smartphone.
All this is why I ask for help because it is incomprehensible to me.
Everything works fine with me, but when I wanted to restrict a machine, it indicates that something is not working.
 
domodial
Frequent Visitor
Topic Author
Posts: 52
Joined: Mon Aug 24, 2020 7:27 pm

Re: Reject the connection to a local machine from outside.

Thu Sep 09, 2021 8:54 pm

I will resume this madness tomorrow, I am exhausted from this day on a simple Block.
Thank you for the help, and if you can help me I won't refuse tomorrow ;)
 
domodial
Frequent Visitor
Topic Author
Posts: 52
Joined: Mon Aug 24, 2020 7:27 pm

Re: Reject the connection to a local machine from outside.

Fri Sep 10, 2021 8:49 am

Hello,

I think I can see the situation a little better.
For a test, I explicitly entered the public IP address and the port in the Synology app (result: blocked) and I did the same in Chrome (result: blocked).

If I try with a domain name for which port 53200 is configured (reverse proxy),
MikroTik does not block the request.
The reverse proxy is not on the NAS. It works fine on another machine, and the configuration at my registrar is OK as everything is working fine.

The Nginx machine is on 192.168.2.109 so I think we need to block the request here as well.
An opinion ?

Now my tests to stop resolving 53200 on the domain are not working :(
 
anav
Forum Guru
Posts: 18958
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Reject the connection to a local machine from outside.

Fri Sep 10, 2021 5:51 pm

Post your latest config please, a fresh pair of eyes may help.

/export hide-sensitive file=anynameyouwish
 
BartoszP
Forum Guru
Posts: 2855
Joined: Mon Jun 16, 2014 1:13 pm
Location: Poland

Re: Reject the connection to a local machine from outside.

Fri Sep 10, 2021 9:40 pm

Domodial.

I edited your last post as you used <<quote>> instead of <<code>> tag and therefore your config was 1 meter long on my screen.
 
anav
Forum Guru
Posts: 18958
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Reject the connection to a local machine from outside.

Fri Sep 10, 2021 11:14 pm

It's still 1 m long on my screen??
 
anav
Forum Guru
Posts: 18958
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Reject the connection to a local machine from outside.

Fri Sep 10, 2021 11:29 pm

(1) These look like port forwarding rules that should be in the IP NAT settings, not forward chain filter rules.
/ip firewall filter
add action=accept chain=forward comment="NAS MOBILE ACCESS" dst-address=\
192.168.2.113 dst-port=53200,21 in-interface=ether1 in-interface-list=all \
log=yes log-prefix=NAS-MOBILE protocol=tcp src-address-list=SFR-MOBILE2
add action=drop chain=forward comment="NO NAS ACCESS" dst-address=\
192.168.2.113 dst-port=53200,22,21 in-interface=ether1 in-interface-list=\
all log=yes log-prefix=NAS-DROP protocol=tcp

(2) One only requires a general forward chain filter rule to allow any port forwarded (dstnat) traffic.
You already have that covered by this rule:
add action=drop chain=forward comment=\
"defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
connection-state=new in-interface-list=WAN


(3) This rule as stated is a big security infraction.
You're allowing anybody on the WAN or LAN access to the router via winbox.
You need to limit this at least to LAN users and preferably by firewall address list to statically set admin devices.
add action=accept chain=input comment="allow WINBOX remote" dst-port=8291 \
protocol=tcp in-interface-list=MGMT src-address-list=adminaccess

where MGMT interface list members include all interfaces the admin may be coming from,
where the firewall address list consists of admin desktop, laptop, iPad, smartphone etc. statically set by DHCP lease or VPN configuration.

(4) RULE ORDER: part of your problem is the disorganized mess in the filter firewall chain.
Please take the time to put all input chain rules together in the proper order and the same with the forward chain;
then issues will be more easily seen! But only after cleaning up as outlined below... so you don't get a headache.

In summary, my recommendation is to
a. keep needed VPN rules
b. jump rules for hotspot
c. rationalize access to the router for admin/config purposes
d. keep all default rules
e. keep NAT rules in dst-nat etc.
f. GET RID OF ALL THE NOISE AND GARBAGE POLLUTING YOUR CONFIG (meaning all the YouTube crap you have ingested, everything else).


PS. Change the winbox port to non-default and don't post it in your config anywhere either.
Last edited by anav on Fri Sep 10, 2021 11:33 pm, edited 1 time in total.
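As an added illustration of the points above (example configuration written for this thread, not anav's or domodial's own export): one ordered layout with winbox limited to an admin address list on a MGMT interface list, the port forward in the NAT table, and the NAS restricted to a source range in the forward chain. It assumes the default-config interface lists WAN and LAN exist, ether1 is in WAN, the LAN bridge is named "bridge", the NAS is 192.168.2.113, and the address-list entries are constructed sample values.

```routeros
# Added example, not from the thread. Names MGMT, adminaccess and SFR-MOBILE2
# come from the discussion; the addresses in the lists below are samples.

/ip firewall address-list
add list=adminaccess address=192.168.2.50 comment="admin desktop (static lease)"
add list=SFR-MOBILE2 address=203.0.113.0/24 comment="mobile range (sample value)"

/interface list
add name=MGMT comment="interfaces an admin may arrive on"
/interface list member
add list=MGMT interface=bridge

/ip firewall filter
# input chain: traffic addressed to the router itself, kept together and ordered
add chain=input action=accept connection-state=established,related,untracked
add chain=input action=drop connection-state=invalid
add chain=input action=accept protocol=icmp
add chain=input action=accept protocol=tcp dst-port=8291 in-interface-list=MGMT \
    src-address-list=adminaccess comment="winbox only from admin hosts on MGMT"
add chain=input action=drop in-interface-list=!LAN \
    comment="defconf: drop all not coming from LAN"

# forward chain: traffic passing through the router
add chain=forward action=accept connection-state=established,related,untracked
add chain=forward action=drop connection-state=invalid
# The per-service restriction sits ABOVE the generic "not DSTNATed" drop.
# dst-nat has already rewritten the destination, so matching on the LAN
# address of the NAS works here (it never matched in the input chain, which
# only sees packets addressed to the router itself).
add chain=forward action=drop in-interface-list=WAN dst-address=192.168.2.113 \
    protocol=tcp dst-port=53200,22,21 src-address-list=!SFR-MOBILE2 \
    log=yes log-prefix=NAS-DROP comment="NAS reachable only from the mobile range"
add chain=forward action=drop connection-nat-state=!dstnat connection-state=new \
    in-interface-list=WAN comment="defconf: drop all from WAN not DSTNATed"

/ip firewall nat
# Port forwards belong here, not in the filter table.
add chain=dstnat action=dst-nat in-interface-list=WAN protocol=tcp dst-port=53200 \
    to-addresses=192.168.2.113 to-ports=53200 comment="NAS"
add chain=srcnat action=masquerade out-interface-list=WAN comment="defconf: masquerade"
```

Connections that reach the NAS through the Nginx reverse proxy on 192.168.2.109 (the case domodial describes later in the thread) enter from the LAN side, so a rule matching in-interface=ether1 with dst-address=192.168.2.113 never sees them. Hosts on the same bridge also talk to each other at layer 2 without passing /ip firewall filter unless the bridge has use-ip-firewall=yes, so that path has to be restricted at the proxy's own port forward or on the proxy itself.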
 
rextended
Forum Guru
Posts: 11968
Joined: Tue Feb 25, 2014 12:49 pm
Location: Italy

Re: Reject the connection to a local machine from outside.

Fri Sep 10, 2021 11:32 pm

Domodial.

I edited your last post as you used <<quote>> instead of <<code>> tag and therefore your config was 1 meter long on my screen.
Because of a forum bug, the [ code ] sections must be placed at least 3 new lines apart.

I use "board style: Canvas"

example no new line between (or 1 or 2 lines):
code 1
code 2


example 3 new line between:
code 1

code 2

The same problem happens when "search" highlights some keyword near the start of the code block.
 
rextended
Forum Guru
Posts: 11968
Joined: Tue Feb 25, 2014 12:49 pm
Location: Italy

Re: Reject the connection to a local machine from outside.

Fri Sep 10, 2021 11:41 pm

Domodial...

Paste this in the terminal (using 1.1.1.1 is faster, 8.8.8.8 for failover; 1.1.1.1 is not valid for NTP; your logging section has everything disabled):
/ip dns
set servers=1.1.1.1,8.8.8.8
/system logging
set [find] disabled=no
/system ntp client
set primary-ntp=51.68.44.27 secondary-ntp=162.159.200.1


In the email I sent you before, I wrote to check before posting... your mail is visible again...
Modify your previous topic if the moderator has not already done that.
/system logging action
add email-to=xxxxxxxxxxxx@xxxxxxxxxxx.xxxxxxxxx name=email target=email
/tool e-mail
set address=x.x.x.x from=xxxxxxxxxxxx@xxxxxxxxxxx.xxxxxxxxx port=587 start-tls=yes user=xxxxxxxxxxxx@xxxxxxxxxxx.xxxxxxxxx
 
domodial
Frequent Visitor
Topic Author
Posts: 52
Joined: Mon Aug 24, 2020 7:27 pm

Re: Reject the connection to a local machine from outside.

Sat Sep 11, 2021 8:30 am

Thank you for your help at critical times of late.
So I cleaned up here.

  • Remove any rules I don't understand
  • Rationalize access to the router for admin / config purposes in local MGT (all ethers.)
  • Change of passwords
  • Adjustment of ntp and DNS server.

When I change the winbox port in services and I transfer the port to the firewall rule, I can no longer enter the router from the IP address by winbox but only from the MAC address.
I just realized that the call to winbox is now IP.address:port

Thank you for your opinion.

Now I can no longer connect with the Mikrotik application remotely with the smartphone because the IP address changes with each connection here...
The restrictive rule "allow WINBOX remote" (in-interface-list=MGMT src-address-list=adminaccess) prevents anything anyway.

Thank you for your opinion.

I finally told the Android application to connect over VPN. And there is really good security now.
 
anav
Forum Guru
Posts: 18958
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Reject the connection to a local machine from outside.

Sun Sep 12, 2021 12:09 am

I will concur that using the MikroTik application on the smartphone with VPN (in my case IKEv2) was very challenging.
I then decided to use WireGuard and I put another MT router (RB450G) behind my main router (using normal firmware), so that I could play with WireGuard (beta on RB450G).
I connected my smartphone to WireGuard very easily and that is what I recommend once RoS 7.1 is released.

In the meantime there is a relatively easy way that is just as good as port knocking or perhaps better, but most importantly MUCH easier, and that is to get a free account
at Winbox Remote. One basically implements one input chain rule and one SSTP client rule and you are done. Ignore the USER they provide to access router stats on the dashboard; it's not required and does not give a third party any access to the router config.

As for any issues you encountered when changing the configuration:
Cannot help if the requirements are not known.
Typically this would entail either adding an ipsec interface as an interface list member of the interface list MGMT, or perhaps another rule altogether; I would have to look at the config and understand the issue to fix it. For example, on IKEv2 one assigns the connection an IP address, so that can be added to the firewall address list.
