I have an SVN server in my local network, listening on ip:port 192.168.5.244:3690
I am connected to the internet with a static IP and reachable through a DNS record, so I can access it from my svn client with svn://mysvn.mynetwork.sample (this is obviously not the real name, just to demonstrate the issue).
To give this access I have configured a dst-nat rule, forwarding port 3690 to the appropriate IP.
This works fine, but only if I connect from the OUTSIDE network, not from the LAN.
From the LAN, if I use svn://192.168.5.244 it works,
but if I use svn://mysvn.mynetwork.sample it does not (the server never answers).
Trying to sniff the traffic, this is what I get when I try to access the repo from inside (not working):
[admin@MikroTik] > /tool sniffer quick ip-protocol=tcp ip-address=192.168.5.244 port=3690
INTERFACE TIME NUM DIR SRC-MAC DST-MAC VLAN SRC-ADDRESS DST-ADDRESS PROTOCOL SIZE CPU FP
bridge 6.247 1 -> B8:69:F4:E8:23:1E 00:11:32:B0:EE:58 192.168.5.250:51717 192.168.5.244:3690 ip:tcp 66 1 no
bridge 7.247 2 -> B8:69:F4:E8:23:1E 00:11:32:B0:EE:58 192.168.5.250:51717 192.168.5.244:3690 ip:tcp 66 1 no
bridge 9.246 3 -> B8:69:F4:E8:23:1E 00:11:32:B0:EE:58 192.168.5.250:51717 192.168.5.244:3690 ip:tcp 66 1 no
bridge 13.247 4 -> B8:69:F4:E8:23:1E 00:11:32:B0:EE:58 192.168.5.250:51717 192.168.5.244:3690 ip:tcp 66 1 no
bridge 21.247 5 -> B8:69:F4:E8:23:1E 00:11:32:B0:EE:58 192.168.5.250:51717 192.168.5.244:3690 ip:tcp 66 1 no
bridge 27.249 6 -> B8:69:F4:E8:23:1E 00:11:32:B0:EE:58 192.168.5.250:51719 192.168.5.244:3690 ip:tcp 66 1 no
bridge 28.249 7 -> B8:69:F4:E8:23:1E 00:11:32:B0:EE:58 192.168.5.250:51719 192.168.5.244:3690 ip:tcp 66 1 no
bridge 30.248 8 -> B8:69:F4:E8:23:1E 00:11:32:B0:EE:58 192.168.5.250:51719 192.168.5.244:3690 ip:tcp 66 1 no
bridge 34.249 9 -> B8:69:F4:E8:23:1E 00:11:32:B0:EE:58 192.168.5.250:51719 192.168.5.244:3690 ip:tcp 66 1 no
eth5_LAN 11.221 667 <- 00:11:32:B0:EE:58 B8:69:F4:E8:23:1E 192.168.5.244:3690 37.165.87.244:59653 ip:tcp 97 0 n
bridge 11.221 668 <- 00:11:32:B0:EE:58 B8:69:F4:E8:23:1E 192.168.5.244:3690 37.165.87.244:59653 ip:tcp 97 0 n
bridge 11.235 669 -> B8:69:F4:E8:23:1E 00:11:32:B0:EE:58 37.165.87.244:59644 192.168.5.244:3690 ip:tcp 108 1 n
eth5_LAN 11.236 670 <- 00:11:32:B0:EE:58 B8:69:F4:E8:23:1E 192.168.5.244:3690 37.165.87.244:59644 ip:tcp 523 0 n
bridge 11.236 671 <- 00:11:32:B0:EE:58 B8:69:F4:E8:23:1E 192.168.5.244:3690 37.165.87.244:59644 ip:tcp 523 0 n
bridge 11.318 672 -> B8:69:F4:E8:23:1E 00:11:32:B0:EE:58 37.165.87.244:59644 192.168.5.244:3690 ip:tcp 54 1 n
eth5_LAN 11.319 673 <- 00:11:32:B0:EE:58 B8:69:F4:E8:23:1E 192.168.5.244:3690 37.165.87.244:59644 ip:tcp 60 0 n
bridge 11.319 674 <- 00:11:32:B0:EE:58 B8:69:F4:E8:23:1E 192.168.5.244:3690 37.165.87.244:59644 ip:tcp 60 0 n
bridge 11.319 675 -> B8:69:F4:E8:23:1E 00:11:32:B0:EE:58 37.165.87.244:59653 192.168.5.244:3690 ip:tcp 143 1 n
eth5_LAN 11.322 676 <- 00:11:32:B0:EE:58 B8:69:F4:E8:23:1E 192.168.5.244:3690 37.165.87.244:59653 ip:tcp 1434 0 n
bridge 11.322 677 <- 00:11:32:B0:EE:58 B8:69:F4:E8:23:1E 192.168.5.244:3690 37.165.87.244:59653 ip:tcp 1434 0 n
eth5_LAN 11.322 678 <- 00:11:32:B0:EE:58 B8:69:F4:E8:23:1E 192.168.5.244:3690 37.165.87.244:59653 ip:tcp 214 0 n
Here is the current config:
# jan/12/2022 17:05:40 by RouterOS 6.49.2
# software id = UMPL-TUUI
#
# model = RouterBOARD 3011UiAS
# serial number = 8EED09AA07E0
# NOTE(review): the export header above prints the device serial number and
# software id verbatim; they are not needed to diagnose the NAT problem and
# are usually redacted before posting a configuration publicly.
# The "# NOTE(review)" lines below are review annotations only; the
# configuration statements themselves are unchanged.
/interface bridge
add admin-mac=B8:69:F4:E8:23:1E auto-mac=no comment=defconf name=bridge
/interface ethernet
set [ find default-name=ether1 ] name=eth1OVH speed=100Mbps
set [ find default-name=ether2 ] name=eth2BTF speed=100Mbps
set [ find default-name=ether3 ] name=eth3 speed=100Mbps
set [ find default-name=ether5 ] name=eth5_LAN speed=100Mbps
set [ find default-name=ether4 ] speed=100Mbps
set [ find default-name=ether6 ] speed=100Mbps
set [ find default-name=ether7 ] speed=100Mbps
set [ find default-name=ether8 ] speed=100Mbps
set [ find default-name=ether9 ] speed=100Mbps
set [ find default-name=ether10 ] speed=100Mbps
set [ find default-name=sfp1 ] advertise=\
10M-half,10M-full,100M-half,100M-full,1000M-half,1000M-full
# Primary uplink: PPPoE over eth1OVH, installs the default route itself.
/interface pppoe-client
add add-default-route=yes disabled=no interface=eth1OVH name=pppoe-OVH \
use-peer-dns=yes user=xxxxxxxxxxxxxx
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip pool
add name=dhcp ranges=192.168.5.100-192.168.5.250
/ip dhcp-server
add address-pool=dhcp disabled=no interface=bridge name=defconf
/user group
set full policy="local,telnet,ssh,ftp,reboot,read,write,policy,test,winbox,pas\
sword,web,sniff,sensitive,api,romon,dude,tikapp"
# All LAN ports (ether4, eth5_LAN, ether6-10, sfp1) are members of the single
# bridge; the LAN client (192.168.5.250) and the SVN server (192.168.5.244)
# therefore sit on the same L2 segment and same /24.
/interface bridge port
add bridge=bridge comment=defconf interface=ether4
add bridge=bridge comment=defconf interface=eth5_LAN
add bridge=bridge comment=defconf interface=ether6
add bridge=bridge comment=defconf interface=ether7
add bridge=bridge comment=defconf interface=ether8
add bridge=bridge comment=defconf interface=ether9
add bridge=bridge comment=defconf interface=ether10
add bridge=bridge comment=defconf interface=sfp1
/ip neighbor discovery-settings
set discover-interface-list=LAN
# WAN list = eth1OVH, pppoe-OVH, eth2BTF, eth3; LAN list = bridge only.
# NOTE(review): eth3 is in the WAN list but has no address or dhcp-client in
# this export -- confirm it is meant to be there.
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=eth1OVH list=WAN
add interface=pppoe-OVH list=WAN
add interface=eth2BTF list=WAN
add interface=eth3 list=WAN
# The router carries both the LAN address and a public /29 address
# (yyy.yyy.yyy.182) on the same bridge interface.
/ip address
add address=192.168.5.1/24 interface=bridge network=192.168.5.0
add address=yyy.yyy.yyy.182/29 interface=bridge network=yyy.yyy.yyy.176
/ip dhcp-client
add comment=defconf interface=eth1OVH
add disabled=no interface=eth2BTF
# Static leases; 192.168.5.244 (00:11:32:B0:EE:58) is the SVN server seen in
# the sniffer output, 192.168.5.250 (68:05:CA:24:61:94) the LAN client.
/ip dhcp-server lease
add address=192.168.5.248 mac-address=F4:6D:04:05:BD:A0 server=defconf
add address=192.168.5.250 client-id=1:68:5:ca:24:61:94 mac-address=\
68:05:CA:24:61:94 server=defconf
add address=192.168.5.244 client-id=1:0:11:32:b0:ee:58 mac-address=\
00:11:32:B0:EE:58 server=defconf
add address=192.168.5.242 client-id=\
ff:54:a5:99:af:0:1:0:1:29:5b:6f:bb:0:23:54:a5:99:af mac-address=\
00:23:54:A5:99:AF server=defconf
add address=192.168.5.241 client-id=\
ff:85:9b:79:28:0:1:0:1:25:13:db:9a:0:21:85:9b:79:28 mac-address=\
00:21:85:9B:79:28 server=defconf
/ip dhcp-server network
add address=192.168.5.0/24 gateway=192.168.5.1 netmask=24
# NOTE(review): allow-remote-requests=yes makes the router answer DNS queries
# from any source the input chain lets through. Whether WAN sources reach it
# depends on the input rules below -- see the note on "accept Bloc /29".
/ip dns
set allow-remote-requests=yes
# "Connected" = local subnets plus one public address, used by the first
# mangle rule to exempt local-to-local traffic from load-balancing marks;
# "LAN" = 192.168.5.0/24, used as src-address-list in the mangle rules.
/ip firewall address-list
add address=192.168.1.0/24 list=Connected
add address=192.168.5.0/24 list=Connected
add address=xxx.xxx.xxx.246 list=Connected
add address=192.168.5.0/24 list=LAN
add address=yyy.yyy.yyy.176/29 list=Connected
# Rule order matters in both chains: the first match wins.
/ip firewall filter
add action=accept chain=input comment=\
"defconf: accept established,related,untracked" connection-state=\
established,related,untracked
add action=accept chain=input comment="Allow Firewall access from LAN subnet" \
src-address=192.168.5.0/24
# Only these five tcp ports are dropped before the "accept Bloc /29" rule.
add action=drop chain=input comment=\
"Drop all attempt to FTP,SSH,Winbox from outside" dst-port=\
8291,8728,21,22,161 protocol=tcp
# NOTE(review): the dst-nat rule for 31500-31600 (nat section) rewrites the
# destination in prerouting, so those forwarded connections do not traverse
# the input chain; this input accept only matters for packets addressed to the
# router itself on these ports. Presumably redundant -- confirm against the
# RDP_ACC log entries.
add action=accept chain=input dst-port=31500-31600 log=yes log-prefix=RDP_ACC \
protocol=tcp
# NOTE(review): this accepts every protocol and port from WAN to the router's
# own /29 address (yyy.yyy.yyy.182 on the bridge) and sits before the
# "drop invalid" and the final "drop all not coming from LAN" rules. Anything
# the router listens on at that address -- DNS (allow-remote-requests=yes
# above), and www/api/winbox if they are still enabled (the export only shows
# telnet and ssh disabled) -- is reachable from the internet. Traffic to hosts
# behind the /29 is handled by the forward rule below, not here, so consider
# restricting this rule to the protocol/dst-port actually needed.
add action=accept chain=input comment="accept Bloc /29" dst-address=\
yyy.yyy.yyy.176/29 in-interface-list=WAN
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
invalid log-prefix=DROP1
add action=accept chain=input comment="defconf: accept ICMP" log-prefix=icmp \
protocol=icmp
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
in-interface-list=!LAN log-prefix=DROPWAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
connection-state=established,related
add action=accept chain=forward comment=\
"defconf: accept established,related, untracked" connection-state=\
established,related,untracked
add action=accept chain=forward comment="Forward packets to PUBLIC IP Range" \
dst-address=yyy.yyy.yyy.176/29 in-interface=all-ppp
# NOTE(review): "port=3690" matches source OR destination port; "dst-port=3690"
# is the precise match for inbound connections to the server. Also, the
# forward chain only drops new WAN connections that are NOT dst-natted (last
# rule), so dst-natted SVN connections would pass even without this rule --
# it appears redundant, confirm before removing.
add action=accept chain=forward comment="Forward SVN port to TIGROU" \
connection-state=new dst-address=192.168.5.244 in-interface=all-ppp port=\
3690 protocol=tcp
add action=accept chain=forward connection-state=new disabled=yes \
in-interface=bridge out-interface=pppoe-OVH
add action=drop chain=forward comment="defconf: drop invalid" \
connection-state=invalid log-prefix=DROP_FWD_INVALID
add action=drop chain=forward comment=\
"defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
connection-state=new in-interface-list=WAN log=yes log-prefix=DROP4
# Dual-WAN policy routing: connections entering via pppoe-OVH or eth2BTF are
# marked so replies leave the same uplink; new LAN->WAN connections get the
# routing mark chosen by the "Load Balancing here" rule (rewritten at runtime
# by the traffic-monitor scripts at the bottom) and are then made sticky.
/ip firewall mangle
add action=accept chain=prerouting dst-address-list=Connected \
src-address-list=Connected
add action=mark-connection chain=input connection-mark=no-mark in-interface=\
pppoe-OVH new-connection-mark=OVH->ROS passthrough=no
add action=mark-connection chain=input connection-mark=no-mark in-interface=\
eth2BTF new-connection-mark=BOUY->ROS passthrough=no
add action=mark-routing chain=output connection-mark=OVH->ROS \
new-routing-mark=OVH_Route passthrough=no
add action=mark-routing chain=output connection-mark=BOUY->ROS \
new-routing-mark=BOUY_Route passthrough=no
add action=mark-connection chain=forward connection-mark=no-mark \
in-interface=pppoe-OVH new-connection-mark=OVH->LANs
add action=mark-connection chain=forward connection-mark=no-mark \
in-interface=eth2BTF new-connection-mark=BOUY->LANs
add action=mark-routing chain=prerouting connection-mark=OVH->LANs \
new-routing-mark=OVH_Route src-address-list=LAN
add action=mark-routing chain=prerouting connection-mark=BOUY->LANs \
new-routing-mark=BOUY_Route src-address-list=LAN
add action=mark-connection chain=prerouting connection-mark=no-mark \
dst-address-list=!Connected dst-address-type=!local new-connection-mark=\
LAN->WAN src-address-list=LAN
add action=mark-routing chain=prerouting comment="Load Balancing here" \
connection-mark=LAN->WAN new-routing-mark=OVH_Route passthrough=yes \
src-address-list=LAN
add action=mark-connection chain=prerouting connection-mark=LAN->WAN \
new-connection-mark=Sticky_OVH routing-mark=OVH_Route
add action=mark-connection chain=prerouting connection-mark=LAN->WAN \
new-connection-mark=Sticky_BOUY routing-mark=BOUY_Route
add action=mark-routing chain=prerouting connection-mark=Sticky_OVH \
new-routing-mark=OVH_Route src-address-list=LAN
add action=mark-routing chain=prerouting connection-mark=Sticky_BOUY \
new-routing-mark=BOUY_Route src-address-list=LAN
# The two per-interface masquerade rules are already covered by the
# out-interface-list=WAN rule (both interfaces are WAN list members).
/ip firewall nat
add action=masquerade chain=srcnat out-interface=eth2BTF
add action=masquerade chain=srcnat out-interface=pppoe-OVH
add action=masquerade chain=srcnat comment="defconf: masquerade" \
ipsec-policy=out,none out-interface-list=WAN
add action=accept chain=srcnat dst-address=yyy.yyy.yyy.176/29
# NOTE(review): this dst-nat rule has no dst-address / in-interface-list match,
# so it also fires for LAN clients that connect to the public name. The
# destination is rewritten to 192.168.5.244 but the source stays
# 192.168.5.250; both hosts are on the same /24 and bridge, so the server
# replies straight to the client, bypassing the router and its NAT state. The
# client expects the reply from the public address and discards it, then
# retransmits -- consistent with the first sniffer capture, which shows only
# 66-byte packets from 192.168.5.250 toward :3690 and nothing back. The usual
# remedy (hairpin NAT) is an additional srcnat rule such as
#   chain=srcnat src-address=192.168.5.0/24 dst-address=192.168.5.244 \
#   protocol=tcp dst-port=3690 action=masquerade
# so the server's replies go back through the router; confirm it coexists
# with the "Connected" mangle accept rule above.
add action=dst-nat chain=dstnat dst-port=3690 protocol=tcp to-addresses=\
192.168.5.244 to-ports=3690
add action=dst-nat chain=dstnat disabled=yes dst-port=9765 protocol=tcp \
to-addresses=192.168.5.244 to-ports=8432
add action=dst-nat chain=dstnat dst-port=31500-31600 protocol=tcp \
to-addresses=192.168.5.249 to-ports=31500-31600
# Default via zzz.zzz.zzz.19 (distance 1) with 192.168.1.254 as distance-2
# fallback, plus one route per routing mark for the policy routing above.
/ip route
add distance=1 gateway=zzz.zzz.zzz.19 routing-mark=OVH_Route
add distance=1 gateway=192.168.1.254 routing-mark=BOUY_Route
add distance=1 gateway=zzz.zzz.zzz.19
add distance=2 gateway=192.168.1.254
add disabled=yes distance=1 dst-address=yyy.yyy.yyy.176/29 gateway=pppoe-OVH
# NOTE(review): only telnet and ssh are shown disabled; www, api and winbox are
# not in the export, so presumably still at their defaults -- see the
# "accept Bloc /29" input note for why that matters here.
/ip service
set telnet disabled=yes
set ssh disabled=yes
# NOTE(review): UPnP lets any LAN host open inbound port mappings on
# pppoe-OVH without a firewall change, bypassing the explicit dst-nat rules
# above, and allow-disable-external-interface=yes additionally lets a UPnP
# client disable the external interface. Review whether both are intended.
# The internal interface is the physical port eth5_LAN rather than the bridge
# that carries the LAN address -- confirm that is what was meant.
/ip upnp
set allow-disable-external-interface=yes enabled=yes
/ip upnp interfaces
add interface=eth5_LAN type=internal
add interface=pppoe-OVH type=external
/system clock
set time-zone-name=Europe/Paris
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN
# Load-balancing failover: LB1 flips the "Load Balancing here" mangle rule to
# BOUY_Route when received traffic on pppoe-OVH exceeds 350288000, LB2 flips
# it back to OVH_Route when it falls below 100288000. Both scripts locate the
# rule by its comment, so renaming that comment silently disables them.
/tool traffic-monitor
add interface=pppoe-OVH name=LB1 on-event=":log warning \"LB Debug: OVH Overlo\
aded, switching to BOUYGUES\";\r\
\n/ip firewall mangle set [find comment=\"Load Balancing here\"] new-routi\
ng-mark=BOUY_Route" threshold=350288000 traffic=received
add interface=pppoe-OVH name=LB2 on-event=":log warning \"LB Debug: switching \
back to OVH as it is less emcumbered now\";\r\
\n/ip firewall mangle set [find comment=\"Load Balancing here\"] new-routi\
ng-mark=OVH_Route" threshold=100288000 traffic=received trigger=below