tabate47
Long time Member
Topic Author
Posts: 510
Joined: Wed Mar 13, 2013 5:23 am
Location: Los Angeles

Need Help With Firewall

Wed Nov 20, 2013 6:18 pm

Issues:

1. Firewall is blocking getting online
2. Hairpin nat not working
3. Firewall is probably not correct

Would like the firewall to:

- block everything that is not allowed
- use the brute force stuff
- separate vlans from router
- forward port 8090, 6767 & 6868 to 192.168.1.26
- allow for pptp vpn
- get hairpin nat working

I have tried to do this but I think some of my logic is off and some of my placement of code is off. If anyone has any input or can point me in the right direction I would really appreciate it. Thank you.

ros code

/interface bridge
add comment="Local Bridge" l2mtu=1598 name=bridge-local
add comment="Vlan1 Bridge" l2mtu=1594 name=bridge-vlan1
add comment="Vlan2 Bridge" l2mtu=1594 name=bridge-vlan2
/interface ethernet
set 0 name=ether1-gateway
set 1 name=ether2-local
set 2 name=ether3-vlan1
set 3 name=ether4-vlan2
set 4 name=ether5-trunk
/interface vlan
add interface=bridge-local l2mtu=1594 name=vlan-vlan1-ether5 vlan-id=101
add interface=bridge-local l2mtu=1594 name=vlan-vlan2-ether5 vlan-id=102
/ip pool
add name=pool-local ranges=192.168.1.100-192.168.1.254
add name=pool-vlan1 ranges=192.168.2.2-192.168.2.254
add name=pool-vlan2 ranges=192.168.3.2-192.168.3.254
add name=pool-vpn ranges=192.168.10.1-192.168.10.10
/ip dhcp-server
add address-pool=pool-local disabled=no interface=bridge-local name=local
add address-pool=pool-vlan1 disabled=no interface=bridge-vlan1 name=vlan1
add address-pool=pool-vlan2 disabled=no interface=bridge-vlan2 name=vlan2
/ppp profile
set 1 local-address=192.168.1.1 remote-address=pool-vpn
/interface bridge port
add bridge=bridge-local interface=ether2-local
add bridge=bridge-local interface=ether5-trunk
add bridge=bridge-vlan1 interface=ether3-vlan1
add bridge=bridge-vlan1 interface=vlan-vlan1-ether5
add bridge=bridge-vlan2 interface=ether4-vlan2
add bridge=bridge-vlan2 interface=vlan-vlan2-ether5
/interface pptp-server server
set enabled=yes
/ip address
add address=192.168.1.1/24 interface=bridge-local
add address=192.168.2.1/24 interface=bridge-vlan1
add address=192.168.3.1/24 interface=bridge-vlan2
/ip dhcp-client
add comment="default configuration" disabled=no interface=ether1-gateway
/ip dhcp-server network
add address=192.168.1.0/24 dns-server=192.168.1.1 gateway=192.168.1.1
add address=192.168.2.0/24 dns-server=192.168.2.1 gateway=192.168.2.1
add address=192.168.3.0/24 dns-server=192.168.3.1 gateway=192.168.3.1
/ip dns
set allow-remote-requests=yes
/ip firewall filter
add chain=input comment="default configuration" protocol=icmp
add chain=input comment="default configuration" connection-state=established
add chain=input comment="default configuration" connection-state=related
add chain=input comment=vpn dst-port=1723 protocol=tcp
add chain=input comment=vpn protocol=gre
add action=drop chain=input comment="default configuration" connection-state=\
    invalid disabled=yes in-interface=ether1-gateway
add action=jump chain=input disabled=yes in-interface=bridge-vlan1 \
    jump-target=input-vlan2
add action=jump chain=input disabled=yes in-interface=bridge-vlan2 \
    jump-target=input-vlan2
add chain=input disabled=yes in-interface=bridge-local
add action=drop chain=input disabled=yes
add chain=forward disabled=yes out-interface=ether1-gateway
add action=drop chain=forward disabled=yes
add chain=input-vlan2 disabled=yes dst-port=53 protocol=tcp
add chain=input-vlan2 disabled=yes dst-port=53 protocol=udp
add chain=input-vlan2 disabled=yes dst-port=67 protocol=udp
add chain=input-vlan2 disabled=yes dst-port=68 protocol=udp
add action=drop chain=input comment="drop ssh brute forcers" disabled=yes \
    dst-port=22 protocol=tcp src-address-list=ssh_blacklist
add action=add-src-to-address-list address-list=ssh_blacklist \
    address-list-timeout=1w3d chain=input connection-state=new disabled=yes \
    dst-port=22 protocol=tcp src-address-list=ssh_stage3
add action=add-src-to-address-list address-list=ssh_stage3 \
    address-list-timeout=1m chain=input connection-state=new disabled=yes \
    dst-port=22 protocol=tcp src-address-list=ssh_stage2
add action=add-src-to-address-list address-list=ssh_stage2 \
    address-list-timeout=1m chain=input connection-state=new disabled=yes \
    dst-port=22 protocol=tcp src-address-list=ssh_stage1
add action=add-src-to-address-list address-list=ssh_stage1 \
    address-list-timeout=1m chain=input connection-state=new disabled=yes \
    dst-port=22 protocol=tcp
/ip firewall nat
add action=dst-nat chain=dstnat dst-port=53 protocol=tcp src-address=\
    192.168.3.0/24 to-addresses=208.67.222.222
add action=dst-nat chain=dstnat dst-port=53 protocol=udp src-address=\
    192.168.3.0/24 to-addresses=208.67.222.222
add action=dst-nat chain=dstnat comment="CCTV Port Forward" dst-port=8090 \
    in-interface=ether1-gateway protocol=tcp src-port="" to-addresses=\
    192.168.1.26 to-ports=8090
add action=dst-nat chain=dstnat dst-port=6767 in-interface=ether1-gateway \
    protocol=tcp to-addresses=192.168.1.26 to-ports=6767
add action=dst-nat chain=dstnat dst-port=6868 in-interface=ether1-gateway \
    protocol=tcp to-addresses=192.168.1.26 to-ports=6868
add action=dst-nat chain=dstnat dst-port=6767 in-interface=ether1-gateway \
    protocol=udp to-addresses=192.168.1.26 to-ports=6767
add action=dst-nat chain=dstnat dst-port=6868 in-interface=ether1-gateway \
    protocol=udp to-addresses=192.168.1.26 to-ports=6868
add action=masquerade chain=srcnat comment="Hairpin Nat" dst-address=\
    192.168.1.26 dst-port=8090 out-interface=ether2-local protocol=tcp \
    src-address=192.168.1.0/24
add action=dst-nat chain=dstnat comment="Hairpin Nat" dst-address-type=local \
    dst-port=8090 protocol=tcp to-addresses=192.168.1.26
add action=masquerade chain=srcnat comment="default configuration" \
    out-interface=ether1-gateway to-addresses=0.0.0.0
/ip neighbor discovery
set ether1-gateway disabled=yes
set ether3-vlan1 disabled=yes
set ether4-vlan2 disabled=yes
set bridge-vlan1 disabled=yes
set bridge-vlan2 disabled=yes
set vlan-vlan1-ether5 disabled=yes
set vlan-vlan2-ether5 disabled=yes
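Two details in the NAT section above explain why the hairpin never fires. ether2-local is a member port of bridge-local, so routing and NAT see bridge-local as the egress interface; a srcnat rule matching out-interface=ether2-local can never match. The camera's reply then goes straight back to the LAN client with the camera's own source address, and the client drops it because it was talking to the WAN address. Second, the "CCTV Port Forward" dstnat rule matches only in-interface=ether1-gateway, so a LAN client hitting the public address depends entirely on the separate dst-address-type=local rule. The following is an added example, not configuration from the post; it keeps the post's addresses and interface names and assumes the WAN address is dynamic (the DHCP client on ether1-gateway), which is why it matches dst-address-type=local instead of a literal address:

```routeros
/ip firewall nat
# Hairpin dst-nat: any packet addressed to one of the router's own addresses
# (the dynamic WAN address included) on tcp/8090 goes to the camera. There is
# deliberately no in-interface match, so it fires for WAN and LAN clients alike.
# Side effect: a LAN host connecting to 192.168.1.1:8090 is also redirected.
add chain=dstnat action=dst-nat comment="CCTV 8090 (WAN + hairpin)" \
    dst-address-type=local protocol=tcp dst-port=8090 \
    to-addresses=192.168.1.26 to-ports=8090

# Hairpin src-nat: the ROUTED interface is bridge-local, not the member port.
# Only traffic that the router actually routed toward the camera reaches this
# chain; bridged LAN-to-LAN traffic never passes /ip firewall nat (unless
# /interface bridge settings use-ip-firewall=yes), so no port match is needed.
add chain=srcnat action=masquerade comment="CCTV hairpin" \
    src-address=192.168.1.0/24 dst-address=192.168.1.26 out-interface=bridge-local

# Ordinary WAN masquerade stays last. (A v5 export shows the default rule with
# to-addresses=0.0.0.0; that is just how the default is exported.)
add chain=srcnat action=masquerade comment="WAN masquerade" out-interface=ether1-gateway

# Checks: connect from a LAN host to <WAN address>:8090, then confirm both
# hairpin rules count packets and the tracked connection shows the rewrite.
/ip firewall nat print stats
/ip firewall connection print where dst-address~"192.168.1.26"
```

If the srcnat hairpin counter stays at zero after a test connection, the out-interface is still wrong for this router; if the dstnat counter stays at zero, the client is not reaching an address the router considers local.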
 
armandfumal
Member Candidate
Posts: 160
Joined: Wed Apr 25, 2012 5:50 pm
Location: Weiswampach,LUX

Re: Need Help With Firewall

Wed Nov 20, 2013 7:14 pm

Which version are you running?

check:

What's new in 6.7rc1 (2013-Nov-19 11:17):

*) ipsec - fix policy bypass on IPv6 gre, ipip, eoip tunnels;
*) userman - fix crash on tilera;
*) fixed hairpin nat on bridge with use-ip-firewall=yes;
*) fixed vlan on bridge after reboot having 00:00:00:00:00:00 mac address;
*) address-list - allow manually adding timeoutable entries;
*) address-list - show dynamic entry timeout;


What's new in 6.6 (2013-Nov-07 13:04):

*) winbox - fixed problem where all previous session opened windows were read only;
*) certificate - no more 'reset-certificate-cache' and 'decrypt' commands,
private keys can be decrypted only on 'import', use 'decrypt' before upgrade if needed;
*) fixed arp-reply only with more than one ip address on interface;
*) fixed RB400 not to reboot by watchdog during micro-sd format;
*) web proxy - fix SPDY server push handling;
*) certificate - merged '/certificate ca issued', '/certificate scep client' and
'/certificate templates' into '/certificate';
*) console - :foreach command can iterate over keys and values in an array,
by specifying two counter variables, e.g.:
:foreach k,v in=[/system clock get] do={:put "$k is $v"};
*) added support for new Intel 10Gb ethernet cards (82599);
*) certificates - fixed certificate import;
*) wireless - fixed crash when dfs was enabled on pre-n wireless cards;
*) fixed port flapping on CCR;


What's new in 6.5 (2013-Oct-16 15:32):

*) tftp - added data packet pipelining for read requests;
*) console - exported physical interface configuration uses 'default-name'
instead of item number to match relevant interface;
*) console - report all constituent errors for parameters with multiple
alternative value types;
*) certificates - merge '/certificate ca' into '/certificate', use set-ca-passphrase to maintain CA functionality;
*) lcd - backlight option is replaced with "/lcd backlight" command
*) dhcp server - added option to disable conflict-detection;
*) console - ':return' does not trigger 'on-error=' action of ':do' command;
*) route - fixed crash that could be triggered by change in nexthop
address resolution;
*) route - some imported VPNv4 routes were not using MPLS labels;
*) route - imported VPNv4 routes were not always updated or removed when
the original route changed;
*) winbox - fixed problem where all settings were read only on first open;
*) ovpn server - use only ciphers that are allowed not that client requested;
*) ssh client - fixed public key authentication;
*) ipsec - fix peer matching with non byte aligned masks;
*) fix routerboot upgrading if RouterOS is partitioned;
*) add support for second serial port on CCR boards;
*) fix serial port baudrate selection on CCR boards;
*) ethernet interface stats that are behind switch chip
show real hw stats instead of just the traffic that goes through cpu;


What's new in 6.4 (2013-Sep-12 13:52):

*) wireless - improved 802.11n wireless retransmission (doesn't affect nstreme/nv2)
*) ovpn - allow to specify server via dns name;
*) winbox - fixed problem where ipv6 routes with non local link address gateway
could not be added;
*) fixed watchdog on mipsle boards;
*) traceroute - added count & max-hops parameters;
*) traceroute - added back use-dns parameter;
*) fixed usb Yota LTE modem hangup;
*) console - make newly added item names always immediately available;
*) graphing - make sure that interface graphs gets preserved across reboots;

What's new in 6.3 (2013-Sep-03 12:25):

*) ssh - fixed denial of service;
*) traceroute - show mpls labels as well;
*) bug fix - sometimes some new interfaces could not be created properly any more (f.e. some pppoe clients could not connect);
*) console - added '/console clear-history' command that clears command-line
history for all users, requires 'policy' policy;
*) sstp - limit packet queue for each device;
*) RB2011L - fixed occasional gigabit switch-chip lockup;
*) user manager - will warn on 1MB and stop before reaching minimum of 500KB disk space;
*) hotspot - do not account traffic to local hotspot pages;
*) ppp, hotspot - added ability to specify where to insert rate limiting queue,
it's parent and type;
*) pptp, l2tp, sstp - allow to specify server via dns name;
*) dhcp - added ability to specify where to insert rate limiting queue;
*) www proxy - support ipv6 parent proxy;
*) webfig - fixed problem when opening quickset page country
was automatically changed to etsi;
*) traceroute - added mtr like pinging;
*) fix queues - correct queue was not installed when last child removed;
*) fix simple queues - sometimes some simple queues would stop
working after configuration changes;
*) console - fixed issue with local variables having non-empty value
before first assignment;
*) console - fixed command ":global name" without second argument to not
create or change global variable "name", only effect is to make "name"
refer to global variable.
*) console - fixed passing local variables as argument to function;
*) RB1200 - fixed crash when receiving over l2mtu size packets
on some ethernet interfaces;

What's new in 6.2 (2013-Aug-02 10:37):

*) console - added "on-error" argument to ':do' command that is executed
if command raises error;
*) hotspot - fixed chap error after failed http-chap login (broken in v6.1);
*) console - added new ':return' command that interrupts execution of script
and passes argument as return value if script was called as function;
*) routerboot - fixed upgrade from RouterOS (could fail on some units);
*) userman - fixed payment gateway response notify processing;
*) console - resolved issue with 'from-pool' property in '/ipv6 address';
*) console - array value syntax in expressions '{1;2;3;4}' now can
specify values with word keys as '{a=1;b=2}';
*) console - added 'verbose' argument to '/import' command that enables
line-by-line script import. By default import whole script at once
and don't print it, as it was in version 6.0;
*) console - ':global', ':local' and ':set' commands have new parameter 'do'
that allows assigning block of commands to the variable;
*) console - global variables now are common to all users and are
available to all users with at least "read,write,test,policy" policy;
*) console - fixed parameter passing to scripts. Script parameters can
be accessed without declaring them with ':local' and ':global' commands.
For backwards compatibility global variables are first looked up in
script parameters;
*) console - '$var 1 2 a="a" b="b"' syntax for passing parameters to commands
stored in a variable. Parameters are accessed as '$1' '$2' '$a' '$b';
*) ipsec - fixed peer address matching;
*) ups - query smart ups capabilities before issuing any commands;
*) improved CCR responsiveness on other interfaces when one interface is under attack;
*) sms tool - added sim-pin setting;
*) dhcp server - framed routes are now also added to the server routing table;
*) dhcpv6 server - added binding-script option;
*) proxy - allow multiple src-address for ipv4 and ipv6;
*) eoip,gre tunnels could occasionally crash multicore router;
*) fixed bug - sometimes some types of interfaces would stop working;
*) ipsec sometimes could crash kernel on CCR;
*) connection tracking sometimes could crash kernel on CCR;
*) ppp,pptp,l2tp,sstp - added default-route-distance parameter;
*) scep - "/cert scep ra" merged into "/cert scep client" without saving ra config;
*) ipsec - fix phase1 autonegotiation on little endian platforms;
*) pppoe server - allow service with empty service-name to accept all pppoe clients;
*) lcd - current-screen option is replaced with "/lcd show" command
*) lcd - current-interface option is replaced with "/lcd interface display" command
*) graphing - make graphs stable on ppp & ovpn interfaces;
*) www, hotspot - fixed problem when www service stopped responding on high load;
*) winbox, webfig: allow to enter space in the text fields;
*) webfig - fixed configuration of VPLS & routing filters;
*) lcd - added option for enabling or disabling the touch screen;
*) lcd - added options for screen switching;
*) lcd - up to 10 non-physical interfaces can now be added to the lcd;
*) lcd - all interface graph screen can now be customized from /lcd interface page;
*) backup - changed default backup file name to <id>-<YY><MM><DD>-<HHMM>.backup
for file browsers to sort them properly;
*) webfig - it did not work in Opera;
*) webfig - made terminal work again;
*) winbox - added ability to fully set up traffic generator in winbox;
*) trafficgen - allow ranges for ip addrs and udp ports;
*) trafficgen - add tcp header support;
*) queue simple - fixed bug - actual queue order sometimes was wrong;
*) queue simple - queue is not invalid when at least one of target interfaces is up;
*) fixed crash when setting master-port on AR8327 switch chips;
*) fixed addresslist - dynamic entries sometimes would still
show up even after being timed out;
*) added /ip settings allow-hw-fast-path setting to control AR8327N hardware ipv4 fast path;
*) vrrp - allow more than one vrrp on interface;

What's new in 6.1 (2013-Jun-12 11:50):

*) pptp, l2tp - fixed crash when tunnel mru was too big and fragmented ip packet
was received;
*) hotspot - fixed problem when after upgrade hotspot html directory was empty;
*) ipv6 nd - dns dynamic-servers were not included in router advertisements;
*) winbox - fixed problem Switch menu disappeared on RB2011;
*) fixed memory amount issue on RB1100AHx2;
*) console - '/import' prints each command that is executed;
*) console - 'import' has new argument 'from-line' that starts executing
commands after specified line;
*) secure api - fixed problem when wrong client ip address was reported;
*) hotspot - fixed universal client;
*) api - added support for API over TLS (SSL);
*) api - api service is now enabled by default;
*) ppp - do not show R flag for locally authenticated users;
*) vrrp - fixed ah authentication;
*) webfig - added support for RADIUS authentication (via MS-CHAPv2);
*) ipsec - for peers with full IP address specified system will
autostart ISAKMP SA negotiation;
*) trafficgen - added inject-pcap command for replaying pcap files into network;
*) dns - retry queries with tcp if truncated results received;
*) improved queue statistics updating;
*) fix 1G linking with some Cisco devices (affects RB7xx, RB9xx, RB1100, RB2011, CCR);

What's new in 6.0 (2013-May-17 14:04):

*) ipsec - added /peer passive option which will prevent starting ISAKMP negotiation
and signifies xauth responder/initiator side;
*) RouterBOARD - default wireless config now includes password - serial number;
*) lte - support YOTA WLTUBA-107;
*) console - fixed crash when variable name was not specified for
':global', ':local', ':set', ':for' and ':foreach' commands;
*) hotspot - added mac-cookie login method;
http://wiki.mikrotik.com/wiki/Manual:Ho ... MAC_Cookie
*) lcd - show a message when system shutdown is complete;
*) lcd - added Log screen which is accessible through the Main Menu
and shows log messages where action=echo;
*) ipsec - added pre-shared-key-xauth and rsa-signature-hybrid
authentication methods;
*) increased max l2mtu on CCR to 10226 bytes;
*) fixed crash on RB1200;
*) fixed bonding - did not work after remove, undo;
*) fixed queues - router could become unresponsive when configuring queues;
 
tabate47
Long time Member
Topic Author
Posts: 510
Joined: Wed Mar 13, 2013 5:23 am
Location: Los Angeles

Re: Need Help With Firewall

Wed Nov 20, 2013 7:30 pm

I am on version 5.26.

What version is most stable right now?

Do I have to upgrade to 6.7 in order for this to work?

Thanks.
 
pcunite
Forum Guru
Posts: 1345
Joined: Sat May 25, 2013 5:13 am
Location: USA

Re: Need Help With Firewall

Wed Nov 20, 2013 9:18 pm

I am on version 5.26. What version is most stable right now? Do I have to upgrade to 6.7 in order for this to work?
What hardware are you on?
 
efaden
Forum Guru
Posts: 1708
Joined: Sat Mar 30, 2013 1:55 am
Location: New York, USA

Re: Need Help With Firewall

Wed Nov 20, 2013 9:37 pm

I am on version 5.26. What version is most stable right now? Do I have to upgrade to 6.7 in order for this to work?
What hardware are you on?
Why is this disabled?

ros code

add chain=input disabled=yes in-interface=bridge-local
 
efaden
Forum Guru
Posts: 1708
Joined: Sat Mar 30, 2013 1:55 am
Location: New York, USA

Re: Need Help With Firewall

Wed Nov 20, 2013 9:39 pm

I am on version 5.26. What version is most stable right now? Do I have to upgrade to 6.7 in order for this to work?
What hardware are you on?
Why is this disabled?

ros code

add chain=input disabled=yes in-interface=bridge-local
Also this looks odd...

ros code

add action=masquerade chain=srcnat comment="default configuration" \
    out-interface=ether1-gateway to-addresses=0.0.0.0
 
tabate47
Long time Member
Topic Author
Posts: 510
Joined: Wed Mar 13, 2013 5:23 am
Location: Los Angeles

Re: Need Help With Firewall

Thu Nov 21, 2013 1:15 am

Eric, the whole firewall looks odd! It was disabled because it was not working enabled, and then I just disabled the whole thing.

Your other thing that you said looks odd... isn't that the default masquerade rule?

Maybe we can take this one thing at a time and I can learn something and it might help someone else out.
 
efaden
Forum Guru
Posts: 1708
Joined: Sat Mar 30, 2013 1:55 am
Location: New York, USA

Re: Need Help With Firewall

Thu Nov 21, 2013 1:18 am

I'll look through the whole thing in a bit from my laptop. Can you post the export of just the firewall inside of the code tags...

Sent from my SCH-I545 using Tapatalk
 
efaden
Forum Guru
Posts: 1708
Joined: Sat Mar 30, 2013 1:55 am
Location: New York, USA

Re: Need Help With Firewall

Thu Nov 21, 2013 1:22 am

Also, what was it doing wrong? I'm pretty sure I remember what you want, but could you post the basic parameters you need? E.g. what you want it to do?

Sent from my SCH-I545 using Tapatalk
 
tabate47
Long time Member
Topic Author
Posts: 510
Joined: Wed Mar 13, 2013 5:23 am
Location: Los Angeles

Re: Need Help With Firewall

Thu Nov 21, 2013 1:56 am

I could not get the hairpin nat to work, and something in the firewall was preventing me from getting internet access, so I had to totally disable it.

Here is what I am trying to accomplish, and have working so far, except for the firewall:

- wan on port 1
- lan on port 2
- vlan1 on port 3 (guest)
- vlan2 on port 4 (kids)
- trunk of lan, vlan1 & vlan2 on port 5
- camera system on port 8090 with address 192.168.1.26
- hairpin nat for camera system (this is NOT working)

I would like the firewall to:

- provide good overall protection, with default drop rule, etc
- provide protection against floods (like I have now, unless you know a better way, but I think it’s in the wrong place)
- separate the lan, vlan1, & vlan2 so they are secure from one another
- force vlan2 to only use opendns dns servers 208.67.222.222 (like we talked about)
- allow hairpin nat

Here is the current firewall:

ros code

/ip firewall filter
add chain=input comment="default configuration" protocol=icmp
add chain=input comment="default configuration" connection-state=established
add chain=input comment="default configuration" connection-state=related
add chain=input comment=vpn dst-port=1723 protocol=tcp
add chain=input comment=vpn protocol=gre
add action=drop chain=input comment="default configuration" connection-state=\
    invalid disabled=yes in-interface=ether1-gateway
add action=jump chain=input disabled=yes in-interface=bridge-vlan1 \
    jump-target=input-vlan2
add action=jump chain=input disabled=yes in-interface=bridge-vlan2 \
    jump-target=input-vlan2
add chain=input disabled=yes in-interface=bridge-local
add action=drop chain=input disabled=yes
add chain=forward disabled=yes out-interface=ether1-gateway
add action=drop chain=forward disabled=yes
add chain=input-vlan2 disabled=yes dst-port=53 protocol=tcp
add chain=input-vlan2 disabled=yes dst-port=53 protocol=udp
add chain=input-vlan2 disabled=yes dst-port=67 protocol=udp
add chain=input-vlan2 disabled=yes dst-port=68 protocol=udp
add action=drop chain=input comment="drop ssh brute forcers" disabled=yes \
    dst-port=22 protocol=tcp src-address-list=ssh_blacklist
add action=add-src-to-address-list address-list=ssh_blacklist \
    address-list-timeout=1w3d chain=input connection-state=new disabled=yes \
    dst-port=22 protocol=tcp src-address-list=ssh_stage3
add action=add-src-to-address-list address-list=ssh_stage3 \
    address-list-timeout=1m chain=input connection-state=new disabled=yes \
    dst-port=22 protocol=tcp src-address-list=ssh_stage2
add action=add-src-to-address-list address-list=ssh_stage2 \
    address-list-timeout=1m chain=input connection-state=new disabled=yes \
    dst-port=22 protocol=tcp src-address-list=ssh_stage1
add action=add-src-to-address-list address-list=ssh_stage1 \
    address-list-timeout=1m chain=input connection-state=new disabled=yes \
    dst-port=22 protocol=tcp
/ip firewall nat
add action=dst-nat chain=dstnat dst-port=53 protocol=tcp src-address=\
    192.168.3.0/24 to-addresses=208.67.222.222
add action=dst-nat chain=dstnat dst-port=53 protocol=udp src-address=\
    192.168.3.0/24 to-addresses=208.67.222.222
add action=dst-nat chain=dstnat comment="CCTV Port Forward" dst-port=8090 \
    in-interface=ether1-gateway protocol=tcp src-port="" to-addresses=\
    192.168.1.26 to-ports=8090
add action=dst-nat chain=dstnat dst-port=6767 in-interface=ether1-gateway \
    protocol=tcp to-addresses=192.168.1.26 to-ports=6767
add action=dst-nat chain=dstnat dst-port=6868 in-interface=ether1-gateway \
    protocol=tcp to-addresses=192.168.1.26 to-ports=6868
add action=dst-nat chain=dstnat dst-port=6767 in-interface=ether1-gateway \
    protocol=udp to-addresses=192.168.1.26 to-ports=6767
add action=dst-nat chain=dstnat dst-port=6868 in-interface=ether1-gateway \
    protocol=udp to-addresses=192.168.1.26 to-ports=6868
add action=masquerade chain=srcnat comment="Hairpin Nat" dst-address=\
    192.168.1.26 dst-port=8090 out-interface=ether2-local protocol=tcp \
    src-address=192.168.1.0/24
add action=dst-nat chain=dstnat comment="Hairpin Nat" dst-address-type=local \
    dst-port=8090 protocol=tcp to-addresses=192.168.1.26
add action=masquerade chain=srcnat comment="default configuration" \
    out-interface=ether1-gateway to-addresses=0.0.0.0
Thanks Eric.
 
efaden
Forum Guru
Posts: 1708
Joined: Sat Mar 30, 2013 1:55 am
Location: New York, USA

Re: Need Help With Firewall

Thu Nov 21, 2013 2:44 am

Alright... here it is... There were some random errors in it. Try this out and we'll see how it works. You may want to add it a piece at a time.

ros code

/ip firewall filter
# INPUT CHAIN
add chain=input comment="Connection State - Established" connection-state=established
add chain=input comment="Connection State - Related" connection-state=related
add action=drop chain=input comment="Connection State - Invalid" connection-state=invalid

add action=jump chain=input comment="ICMP - From Internet - Jump" in-interface=ether1-gateway jump-target=ICMP protocol=icmp
add chain=input comment="ICMP - From Local" protocol=icmp in-interface=!ether1-gateway

add action=drop chain=input comment="TCP - Syn Flood Suppression - Drop SynFlood" src-address-list=SynFlood
add action=add-src-to-address-list address-list=SynFlood address-list-timeout=30m chain=input comment="TCP - Syn Flood Detection - Add To SynFlood (30 Connections Per IP Address)" connection-limit=30,32 protocol=tcp tcp-flags=syn
add action=drop chain=input comment="TCP - Port Scan Detection - Drop Port Scans (21,3s,3,1)" protocol=tcp psd=21,3s,3,1
add action=tarpit chain=input comment="TCP - DoS Attack Suppression - Tarpit BlackList (3 Connections Per IP Address)" connection-limit=3,32 protocol=tcp src-address-list=BlackList
add action=add-src-to-address-list address-list=BlackList address-list-timeout=1d chain=input comment="TCP - DoS Attack Detection - Add to BlackList for 1d (10 Connections per IP Address)" connection-limit=10,32 protocol=tcp

add chain=input comment="SSH Brute Force" in-interface=ether1-gateway dst-port=22 protocol=tcp action=jump jump-target=sshBruteforce

add chain=input comment="Allow Local" in-interface=bridge-local
add action=jump chain=input comment="VLAN1 Traffic Jump" in-interface=bridge-vlan1 jump-target=vlan1
add action=jump chain=input comment="VLAN2 Traffic Jump" in-interface=bridge-vlan2 jump-target=vlan2

add action=jump chain=input comment="VPN Traffic" in-interface=ether1-gateway jump-target=vpn

add action=drop chain=input comment="Default Drop"

# FORWARD
add chain=forward comment="Connection State - Established" connection-state=established
add chain=forward comment="Connection State - Related" connection-state=related
add action=drop chain=forward comment="Connection State - Invalid" connection-state=invalid
add chain=forward comment="Forward to Ether1-Gateway" out-interface=ether1-gateway
add chain=forward comment="DST NAT - Port 8090" dst-port=8090 dst-address=192.168.1.26
add chain=forward comment="DST NAT - Port 6767" dst-port=6767 dst-address=192.168.1.26
add chain=forward comment="DST NAT - Port 6868" dst-port=6868 dst-address=192.168.1.26
add action=drop comment="Default Drop" chain=forward


# OUTPUT

# VLAN1
add chain=vlan1 comment="VLAN1 DNS TCP" dst-port=53 protocol=tcp
add chain=vlan1 comment="VLAN1 DNS UDP" dst-port=53 protocol=udp
add chain=vlan1 comment="DHCP Port 67" dst-port=67 protocol=udp
add chain=vlan1 comment="DHCP Port 68" dst-port=68 protocol=udp

# VLAN2
add chain=vlan2 comment="DHCP Port 67" dst-port=67 protocol=udp
add chain=vlan2 comment="DHCP Port 68" dst-port=68 protocol=udp

# VPN
add chain=vpn comment="VPN Traffic" dst-port=1723 protocol=tcp
add chain=vpn comment="VPN Traffic" protocol=gre

# ICMP
add chain=ICMP comment="ICMP - Allow Echo Reply (0:0-255), Limit 5pps" icmp-options=0 limit=5,5 protocol=icmp
add chain=ICMP comment="ICMP - Allow Destination Unreachable (3:0-255), Limit 5pps" icmp-options=3 limit=5,5 protocol=icmp
add chain=ICMP comment="ICMP - Allow Source Quench (4:0), Limit 5pps" icmp-options=4 limit=5,5 protocol=icmp
add chain=ICMP comment="ICMP - Allow Echo Request (8:0), Limit 5pps" icmp-options=8 limit=5,5 protocol=icmp
add chain=ICMP comment="ICMP - Allow Time Exceeded (11:0), Limit 5pps" icmp-options=11 limit=5,5 protocol=icmp
add chain=ICMP comment="ICMP - Allow Parameter Problem (12:0), Limit 5pps" icmp-options=12 limit=5,5 protocol=icmp
add action=drop chain=ICMP comment="ICMP - Drop All Others" protocol=icmp

# SSH
add action=drop chain=sshBruteforce src-address-list=ssh_blacklist
add action=add-src-to-address-list address-list=ssh_blacklist address-list-timeout=1w3d chain=sshBruteforce src-address-list=ssh_stage3
add action=add-src-to-address-list address-list=ssh_stage3 address-list-timeout=1m chain=sshBruteforce src-address-list=ssh_stage2
add action=add-src-to-address-list address-list=ssh_stage2 address-list-timeout=1m chain=sshBruteforce src-address-list=ssh_stage1
add action=add-src-to-address-list address-list=ssh_stage1 address-list-timeout=1m chain=sshBruteforce protocol=tcp
/ip firewall nat

# DST-NAT
add action=dst-nat comment="DNS TCP for VLAN2" chain=dstnat dst-port=53 protocol=tcp in-interface=bridge-vlan2 to-addresses=208.67.222.222
add action=dst-nat comment="DNS UDP for VLAN2" chain=dstnat dst-port=53 protocol=udp in-interface=bridge-vlan2 to-addresses=208.67.222.222

add action=dst-nat chain=dstnat comment="Port 8090 Forward" dst-port=8090 dst-address-type=local protocol=tcp to-addresses=192.168.1.26
add action=dst-nat chain=dstnat comment="Port 6767 Forward" dst-port=6767 dst-address-type=local protocol=tcp to-addresses=192.168.1.26
add action=dst-nat chain=dstnat comment="Port 6868 Forward" dst-port=6868 dst-address-type=local protocol=tcp to-addresses=192.168.1.26

# SRC-NAT
add chain=srcnat comment="Hairpin Port 8090" src-address=192.168.1.0/24 dst-address=192.168.1.26 protocol=tcp dst-port=8090 out-interface=bridge-local action=masquerade
add chain=srcnat comment="Hairpin Port 6767" src-address=192.168.1.0/24 dst-address=192.168.1.26 protocol=tcp dst-port=6767 out-interface=bridge-local action=masquerade
add chain=srcnat comment="Hairpin Port 6868" src-address=192.168.1.0/24 dst-address=192.168.1.26 protocol=tcp dst-port=6868 out-interface=bridge-local action=masquerade

add action=masquerade chain=srcnat comment="Masquerade" out-interface=ether1-gateway
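Three things in the ruleset above are worth tightening before it goes live, and they are shown here as an added example rather than as anyone's final configuration from this thread. First, the three "DST NAT - Port ..." forward rules use dst-port without protocol, which RouterOS refuses ("failure: ports can be specified if proto is tcp or udp", the error reported further down). Second, add-src-to-address-list is a passthrough action, so a packet that enters sshBruteforce comes back to the input chain, misses every accept and dies at "Default Drop": SSH from the WAN is always dropped and the stage lists protect nothing. If SSH from the WAN is wanted, the chain needs an accept after the bookkeeping; if it is not, a plain drop of tcp/22 on ether1-gateway is simpler and safer (PPTP with MS-CHAPv2 is a weak VPN, but it still beats an exposed SSH port). Third, the connection-limit, psd and tarpit rules carry no in-interface, so a busy LAN host can land in BlackList for a day; adding in-interface=ether1-gateway to them keeps that logic on the WAN side. The example also keeps a log rule ahead of each default drop and scopes the camera forwards so VLAN1/VLAN2 guests cannot reach the camera, which the post's port-only rules would have allowed. Names and addresses are the thread's own; the log prefixes are the example's.

```routeros
/ip firewall filter
# ---- input: SSH from the WAN -------------------------------------------------
# Only NEW connections visit the brute-force chain; established/related SSH
# packets are already accepted by the connection-state rules at the top.
add chain=input comment="SSH from WAN -> brute-force chain" in-interface=ether1-gateway \
    protocol=tcp dst-port=22 connection-state=new action=jump jump-target=sshBruteforce
# ... "Allow Local", the VLAN jumps and the VPN jump stay in place here ...
# Log, then drop: the log line carries src/dst/port, so the next "internet
# stopped working" is read from /log instead of by disabling the firewall.
add chain=input comment="Default Drop (log)" action=log log-prefix="INPUT-DROP"
add chain=input comment="Default Drop" action=drop

# ---- sshBruteforce: 4 new connections inside a minute => 10-day (1w3d) ban ----
add chain=sshBruteforce src-address-list=ssh_blacklist action=drop
add chain=sshBruteforce src-address-list=ssh_stage3 action=add-src-to-address-list \
    address-list=ssh_blacklist address-list-timeout=1w3d
add chain=sshBruteforce src-address-list=ssh_stage2 action=add-src-to-address-list \
    address-list=ssh_stage3 address-list-timeout=1m
add chain=sshBruteforce src-address-list=ssh_stage1 action=add-src-to-address-list \
    address-list=ssh_stage2 address-list-timeout=1m
add chain=sshBruteforce action=add-src-to-address-list address-list=ssh_stage1 \
    address-list-timeout=1m
# Without this accept the packet returns to input and is dropped by Default
# Drop, so the lists above would never have anything to protect.
add chain=sshBruteforce comment="SSH admitted after list bookkeeping" action=accept

# ---- forward -----------------------------------------------------------------
add chain=forward comment="Established" connection-state=established
add chain=forward comment="Related" connection-state=related
add chain=forward comment="Invalid" connection-state=invalid action=drop
add chain=forward comment="Anything out to the Internet" out-interface=ether1-gateway
# dst-port requires protocol. Scoped to the WAN so VLAN1/VLAN2 cannot reach
# the camera; LAN clients reach it directly over the bridge anyway.
add chain=forward comment="WAN -> CCTV 8090" in-interface=ether1-gateway protocol=tcp \
    dst-address=192.168.1.26 dst-port=8090
add chain=forward comment="WAN -> CCTV 6767" in-interface=ether1-gateway protocol=tcp \
    dst-address=192.168.1.26 dst-port=6767
add chain=forward comment="WAN -> CCTV 6868" in-interface=ether1-gateway protocol=tcp \
    dst-address=192.168.1.26 dst-port=6868
# Hairpin: a LAN client that connected to the public address is routed back
# into bridge-local; plain LAN-to-LAN traffic is bridged and never gets here.
add chain=forward comment="LAN hairpin" in-interface=bridge-local out-interface=bridge-local
add chain=forward comment="Default Drop (log)" action=log log-prefix="FWD-DROP"
add chain=forward comment="Default Drop" action=drop

# Checks after a test from a LAN host and from outside:
/ip firewall filter print stats where chain=forward
/log print where message~"FWD-DROP"
/log print where message~"INPUT-DROP"
```

Apply it chain by chain with the log rules in place; if the LAN loses Internet again, the FWD-DROP or INPUT-DROP line names the exact packet (typically DNS to the router on udp/53, which is why "Allow Local" mattered) instead of leaving you to disable everything.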
 
tabate47
Long time Member
Topic Author
Posts: 510
Joined: Wed Mar 13, 2013 5:23 am
Location: Los Angeles

Re: Need Help With Firewall

Thu Nov 21, 2013 3:16 am

Eric, thank you. I am going to go over this in detail and respond to each thing you did. I want to see if I understand it to the point of doing it myself. It looks great. You took the time to label things and make them readable.

I will give it a try tomorrow and let you know, and also write back with my comments and maybe you can let me know if I got it right.
 
efaden
Forum Guru
Posts: 1708
Joined: Sat Mar 30, 2013 1:55 am
Location: New York, USA

Re: Need Help With Firewall

Thu Nov 21, 2013 3:20 am

Sounds good...

Sent from my SCH-I545 using Tapatalk
 
tabate47
Long time Member
Topic Author
Posts: 510
Joined: Wed Mar 13, 2013 5:23 am
Location: Los Angeles

Re: Need Help With Firewall

Thu Nov 21, 2013 6:00 am

I forgot about the routeros version... which is the MOST stable? Right now I am still on 5.26. I am looking for rock solid with no bugs, so if I need to stay on 5.26 I will.
 
tabate47

Re: Need Help With Firewall

Thu Nov 21, 2013 7:19 am

Eric,

I went through your firewall. I fixed a few typos that were causing install errors and I'll post the final working firewall with the changes tomorrow.

The only error I am having a problem with now is:

[admin@MikroTik] /ip firewall filter> add chain=forward comment="DST NAT - Port 8090" dst-port=8090 dst-address=192.168.1.26
failure: ports can be specified if proto is tcp or udp
[admin@MikroTik] /ip firewall filter> add chain=forward comment="DST NAT - Port 6767" dst-port=6767 dst-address=192.168.1.26
failure: ports can be specified if proto is tcp or udp
[admin@MikroTik] /ip firewall filter> add chain=forward comment="DST NAT - Port 6868" dst-port=6868 dst-address=192.168.1.26
failure: ports can be specified if proto is tcp or udp

Do you know what this means?
 
efaden

Re: Need Help With Firewall

Thu Nov 21, 2013 2:54 pm

Eric,

I went through your firewall. I fixed a few typos that were causing install errors and I'll post the final working firewall with the changes tomorrow.

The only error I am having a problem with now is:

[admin@MikroTik] /ip firewall filter> add chain=forward comment="DST NAT - Port 8090" dst-port=8090 dst-address=192.168.1.26
failure: ports can be specified if proto is tcp or udp
[admin@MikroTik] /ip firewall filter> add chain=forward comment="DST NAT - Port 6767" dst-port=6767 dst-address=192.168.1.26
failure: ports can be specified if proto is tcp or udp
[admin@MikroTik] /ip firewall filter> add chain=forward comment="DST NAT - Port 6868" dst-port=6868 dst-address=192.168.1.26
failure: ports can be specified if proto is tcp or udp

Do you know what this means?
Yeah... add protocol=tcp... totally forgot it.
 
tabate47

Re: Need Help With Firewall

Thu Nov 21, 2013 11:59 pm

I added the protocol and it loaded successfully.

It seems that the port forwarding is NOT working. When I do a port check to see if port 8181 is open, it is closed. What do you think is the issue?
 
efaden

Re: Need Help With Firewall

Fri Nov 22, 2013 12:02 am

I added the protocol and it loaded successfully.

It seems that the port forwarding is NOT working. When I do a port check to see if port 8181 is open, it is closed. What do you think is the issue?
8181? What port is that?.. I didn't have a forward for that one....
 
tabate47

Re: Need Help With Firewall

Fri Nov 22, 2013 12:06 am

I'm losing my mind! I mean 8090
 
efaden

Re: Need Help With Firewall

Fri Nov 22, 2013 12:08 am

I'm losing my mind! I mean 8090

Post your most recent export. So it isn't working? Just that part?

 
tabate47

Re: Need Help With Firewall

Fri Nov 22, 2013 12:15 am

So far that is the only thing I have found is not working. Once that is working I can check the hairpin nat.

here is my current firewall export:

ros code

/ip firewall filter
add chain=input comment="Connection State - Established" connection-state=\
    established
add chain=input comment="Connection State - Related" connection-state=related
add action=drop chain=input comment="Connection State - Invalid" \
    connection-state=invalid
add action=jump chain=input comment="ICMP - From Internet - Jump" \
    in-interface=ether1-gateway jump-target=ICMP protocol=icmp
add chain=input comment="ICMP - From Local" in-interface=!ether1-gateway \
    protocol=icmp
add action=drop chain=input comment=\
    "TCP - Syn Flood Suppression - Drop SynFlood" src-address-list=SynFlood
add action=add-src-to-address-list address-list=SynFlood \
    address-list-timeout=30m chain=input comment="TCP - Syn Flood Detection - \
    Add To SynFlood (30 Connections Per IP Address)" connection-limit=30,32 \
    protocol=tcp tcp-flags=syn
add action=drop chain=input comment=\
    "TCP - Port Scan Detection - Drop Port Scans (21,3s,3,1)" protocol=tcp \
    psd=21,3s,3,1
add action=tarpit chain=input comment="TCP - DoS Attack Suppression - Tarpit Bl\
    ackList (3 Connections Per IP Address)" connection-limit=3,32 protocol=\
    tcp src-address-list=BlackList
add action=add-src-to-address-list address-list=BlackList \
    address-list-timeout=1d chain=input comment="TCP - DoS Attack Detection - \
    Add to BlackList for 1d (10 Connections per IP Address)" \
    connection-limit=10,32 protocol=tcp
add action=jump chain=input comment="SSH Brute Force" dst-port=22 \
    in-interface=ether1-gateway jump-target=sshBruteforce protocol=tcp
add chain=input comment="Allow Local" in-interface=bridge-local
add action=jump chain=input comment="VLAN1 Traffic Jump" in-interface=\
    bridge-vlan1 jump-target=vlan1
add action=jump chain=input comment="VLAN2 Traffic Jump" in-interface=\
    bridge-vlan2 jump-target=vlan2
add action=jump chain=input comment="VPN Traffic" in-interface=ether1-gateway \
    jump-target=vpn
add action=drop chain=input comment="Default Drop"
add chain=forward comment="Connection State - Established" connection-state=\
    established
add chain=forward comment="Connection State - Related" connection-state=\
    related
add action=drop chain=forward comment="Connection State - Invalid" \
    connection-state=invalid
add chain=forward comment="Forward to Ether1-Gateway" out-interface=\
    ether1-gateway
add chain=forward comment="DST NAT - Port 8090" dst-address=192.168.1.26 \
    dst-port=8181 protocol=tcp
add chain=forward comment="DST NAT - Port 6767" dst-address=192.168.1.26 \
    dst-port=6767 protocol=tcp
add chain=forward comment="DST NAT - Port 6868" dst-address=192.168.1.26 \
    dst-port=6868 protocol=tcp
add action=drop chain=forward comment="Default Drop"
add chain=vlan1 comment="VLAN1 DNS TCP" dst-port=53 protocol=tcp
add chain=vlan1 comment="VLAN1 DNS UDP" dst-port=53 protocol=udp
add chain=vlan1 comment="DHCP Port 67" dst-port=67 protocol=udp
add chain=vlan1 comment="DHCP Port 68" dst-port=68 protocol=udp
add chain=vlan2 comment="DHCP Port 67" dst-port=67 protocol=udp
add chain=vlan2 comment="DHCP Port 68" dst-port=68 protocol=udp
add chain=vpn comment="VPN Traffic" dst-port=1723 protocol=tcp
add chain=vpn comment="VPN Traffic" protocol=gre
add chain=ICMP comment="ICMP - Allow Echo Reply (0:0-255), Limit 5pps" \
    icmp-options=0 limit=5,5 protocol=icmp
add chain=ICMP comment=\
    "ICMP - Allow Destination Unreachable (3:0-255), Limit 5pps" \
    icmp-options=3 limit=5,5 protocol=icmp
add chain=ICMP comment="ICMP - Allow Source Quench (4:0), Limit 5pps" \
    icmp-options=4 limit=5,5 protocol=icmp
add chain=ICMP comment="ICMP - Allow Echo Request (8:0), Limit 5pps" \
    icmp-options=8 limit=5,5 protocol=icmp
add chain=ICMP comment="ICMP - Allow Time Exceeded (11:0), Limit 5pps" \
    icmp-options=11 limit=5,5 protocol=icmp
add chain=ICMP comment="ICMP - Allow Parameter Problem (12:0), Limit 5pps" \
    icmp-options=12 limit=5,5 protocol=icmp
add action=drop chain=ICMP comment="ICMP - Drop All Others" protocol=icmp
add action=drop chain=sshBruteforce src-address-list=ssh_blacklist
add action=add-src-to-address-list address-list=ssh_blacklist \
    address-list-timeout=1w3d chain=sshBruteforce src-address-list=ssh_stage3
add action=add-src-to-address-list address-list=ssh_stage3 \
    address-list-timeout=1m chain=sshBruteforce src-address-list=ssh_stage2
add action=add-src-to-address-list address-list=ssh_stage2 \
    address-list-timeout=1m chain=sshBruteforce src-address-list=ssh_stage1
add action=add-src-to-address-list address-list=ssh_stage1 \
    address-list-timeout=1m chain=sshBruteforce protocol=tcp
/ip firewall nat
add action=dst-nat chain=dstnat comment="DNS TCP for VLAN2" dst-port=53 \
    in-interface=bridge-vlan2 protocol=tcp to-addresses=208.67.222.222
add action=dst-nat chain=dstnat comment="DNS UDP for VLAN2" dst-port=53 \
    in-interface=bridge-vlan2 protocol=udp to-addresses=208.67.222.222
add action=dst-nat chain=dstnat comment="Port 8090 Forward" dst-address-type=\
    local dst-port=8181 protocol=tcp to-addresses=192.168.1.245
add action=dst-nat chain=dstnat comment="Port 6767 Forward" disabled=yes \
    dst-address-type=local dst-port=6767 protocol=tcp to-addresses=\
    192.168.1.26
add action=dst-nat chain=dstnat comment="Port 6868 Forward" disabled=yes \
    dst-address-type=local dst-port=6868 protocol=tcp to-addresses=\
    192.168.1.26
add action=masquerade chain=srcnat comment="Hairpin Port 8090" dst-address=\
    192.168.1.245 dst-port=8181 out-interface=bridge-local protocol=tcp \
    src-address=192.168.1.0/24
add action=masquerade chain=srcnat comment="Hairpin Port 6767" disabled=yes \
    dst-address=192.168.1.26 dst-port=6767 out-interface=bridge-local \
    protocol=tcp src-address=192.168.1.0/24
add action=masquerade chain=srcnat comment="Hairpin Port 6868" disabled=yes \
    dst-address=192.168.1.26 dst-port=6868 out-interface=bridge-local \
    protocol=tcp src-address=192.168.1.0/24
add action=masquerade chain=srcnat comment=Masquerade out-interface=\
    ether1-gateway to-addresses=0.0.0.0
 
tabate47

Re: Need Help With Firewall

Fri Nov 22, 2013 12:18 am

Eric,

I made the mistake. I changed the port to 8181 and I did not update the ip address in the forward area. It now works!

Thank you.

I will test everything and post the final export.
 
efaden

Re: Need Help With Firewall

Fri Nov 22, 2013 12:21 am

Nice... Anything not working?

 
tabate47

Re: Need Help With Firewall

Fri Nov 22, 2013 12:27 am

Everything seems to be working that I have tested so far. I am going to go over the firewall line by line to learn it and understand what is going on. Thanks for all the help.
 
efaden

Re: Need Help With Firewall

Fri Nov 22, 2013 12:32 am

Everything seems to be working that I have tested so far. I am going to go over the firewall line by line to learn it and understand what is going on. Thanks for all the help.
No problem.

 
tabate47

Re: Need Help With Firewall

Fri Nov 22, 2013 12:34 am

Eric should I be on 5.26, or something else?
 
efaden

Re: Need Help With Firewall

Fri Nov 22, 2013 12:38 am

Eric should I be on 5.26, or something else?
Up to you. I run 6.5.

 
tabate47

Re: Need Help With Firewall

Fri Nov 22, 2013 3:31 am

I am getting "Safari can't find the server" a lot. Many web pages are not showing up all the way, for example images are being left out.

Do you think this has anything to do with the firewall, or just my internet provider having issues today?

It's a coincidence, but could there be anything in the firewall that would make that stuff happen?
 
efaden

Re: Need Help With Firewall

Fri Nov 22, 2013 3:48 am

I am getting "Safari can't find the server" a lot. Many web pages are not showing up all the way, for example images are being left out.

Do you think this has anything to do with the firewall, or just my internet provider having issues today?

It's a coincidence, but could there be anything in the firewall that would make that stuff happen?
Seems odd to me. Sounds like an ISP issue.
 
tabate47

Re: Need Help With Firewall

Fri Nov 22, 2013 3:59 am

Seems like it is mostly affecting Safari.

I changed my dns to 8.8.8.8 and it seems to have fixed it.

Are you of the camp to use Google's servers, or do you like to stick with those from your ISP?

I have heard both ways.
 
efaden

Re: Need Help With Firewall

Fri Nov 22, 2013 2:28 pm

Seems like it is mostly affecting Safari.

I changed my dns to 8.8.8.8 and it seems to have fixed it.

Are you of the camp to use Google's servers, or do you like to stick with those from your ISP?

I have heard both ways.
I use Google's.

 
tabate47

Re: Need Help With Firewall

Fri Dec 06, 2013 9:09 am

Eric,

I discovered something tonight. I tried to vpn into my router from outside my network at someone else's house. I was able to connect via vpn fine. However, I could not navigate to any local ip addresses on my home network except those that had forwarded ports. I disabled the firewall, and then I was able to navigate to the ip addresses such as my printer, etc. Also, I could not access winbox unless I disabled the firewall as well.

Do you know why this happens, and can it be fixed so that I don't have to disable the firewall?

I want to be able to log into my network from outside with my vpn, and then navigate to ip addresses on my local network as if I was there.

Thanks.
 
tabate47

Re: Need Help With Firewall

Fri Dec 06, 2013 5:33 pm

Here is my current firewall:

ros code

/ip firewall filter
add chain=input comment="Connection State - Established" connection-state=\
    established disabled=yes
add chain=input comment="Connection State - Related" connection-state=related \
    disabled=yes
add action=drop chain=input comment="Connection State - Invalid" \
    connection-state=invalid disabled=yes
add action=jump chain=input comment="ICMP - From Internet - Jump" disabled=\
    yes in-interface=ether1-gateway jump-target=ICMP protocol=icmp
add chain=input comment="ICMP - From Local" disabled=yes in-interface=\
    !ether1-gateway protocol=icmp
add action=drop chain=input comment=\
    "TCP - Syn Flood Suppression - Drop SynFlood" disabled=yes \
    src-address-list=SynFlood
add action=add-src-to-address-list address-list=SynFlood \
    address-list-timeout=30m chain=input comment="TCP - Syn Flood Detection - \
    Add To SynFlood (30 Connections Per IP Address)" connection-limit=30,32 \
    disabled=yes protocol=tcp tcp-flags=syn
add action=drop chain=input comment=\
    "TCP - Port Scan Detection - Drop Port Scans (21,3s,3,1)" disabled=yes \
    protocol=tcp psd=21,3s,3,1
add action=tarpit chain=input comment="TCP - DoS Attack Suppression - Tarpit Bl\
    ackList (3 Connections Per IP Address)" connection-limit=3,32 disabled=\
    yes protocol=tcp src-address-list=BlackList
add action=add-src-to-address-list address-list=BlackList \
    address-list-timeout=1d chain=input comment="TCP - DoS Attack Detection - \
    Add to BlackList for 1d (10 Connections per IP Address)" \
    connection-limit=10,32 disabled=yes protocol=tcp
add action=jump chain=input comment="SSH Brute Force" disabled=yes dst-port=\
    22 in-interface=ether1-gateway jump-target=sshBruteforce protocol=tcp
add chain=input comment="Allow Local" disabled=yes in-interface=bridge-local
add action=jump chain=input comment="VLAN1 Traffic Jump" disabled=yes \
    in-interface=bridge-vlan1 jump-target=vlan1
add action=jump chain=input comment="VLAN2 Traffic Jump" disabled=yes \
    in-interface=bridge-vlan2 jump-target=vlan2
add action=jump chain=input comment="VPN Traffic" disabled=yes in-interface=\
    ether1-gateway jump-target=vpn
add action=drop chain=input comment="Default Drop" disabled=yes
add chain=forward comment="Connection State - Established" connection-state=\
    established disabled=yes
add chain=forward comment="Connection State - Related" connection-state=\
    related disabled=yes
add action=drop chain=forward comment="Connection State - Invalid" \
    connection-state=invalid disabled=yes
add chain=forward comment="Forward to Ether1-Gateway" disabled=yes \
    out-interface=ether1-gateway
add chain=forward comment="DST NAT - Port 8090" disabled=yes dst-address=\
    192.168.1.26 dst-port=8090 protocol=tcp
add chain=forward comment="DST NAT - Port 6767" disabled=yes dst-address=\
    192.168.1.26 dst-port=6767 protocol=tcp
add chain=forward comment="DST NAT - Port 6868" disabled=yes dst-address=\
    192.168.1.26 dst-port=6868 protocol=tcp
add action=drop chain=forward comment="Default Drop" disabled=yes
add chain=vlan1 comment="VLAN1 DNS TCP" disabled=yes dst-port=53 protocol=tcp
add chain=vlan1 comment="VLAN1 DNS UDP" disabled=yes dst-port=53 protocol=udp
add chain=vlan1 comment="DHCP Port 67" disabled=yes dst-port=67 protocol=udp
add chain=vlan1 comment="DHCP Port 68" disabled=yes dst-port=68 protocol=udp
add chain=vlan2 comment="DHCP Port 67" disabled=yes dst-port=67 protocol=udp
add chain=vlan2 comment="DHCP Port 68" disabled=yes dst-port=68 protocol=udp
add chain=vpn comment="VPN Traffic" disabled=yes dst-port=1723 protocol=tcp
add chain=vpn comment="VPN Traffic" disabled=yes protocol=gre
add chain=ICMP comment="ICMP - Allow Echo Reply (0:0-255), Limit 5pps" \
    disabled=yes icmp-options=0 limit=5,5 protocol=icmp
add chain=ICMP comment=\
    "ICMP - Allow Destination Unreachable (3:0-255), Limit 5pps" disabled=yes \
    icmp-options=3 limit=5,5 protocol=icmp
add chain=ICMP comment="ICMP - Allow Source Quench (4:0), Limit 5pps" \
    disabled=yes icmp-options=4 limit=5,5 protocol=icmp
add chain=ICMP comment="ICMP - Allow Echo Request (8:0), Limit 5pps" \
    disabled=yes icmp-options=8 limit=5,5 protocol=icmp
add chain=ICMP comment="ICMP - Allow Time Exceeded (11:0), Limit 5pps" \
    disabled=yes icmp-options=11 limit=5,5 protocol=icmp
add chain=ICMP comment="ICMP - Allow Parameter Problem (12:0), Limit 5pps" \
    disabled=yes icmp-options=12 limit=5,5 protocol=icmp
add action=drop chain=ICMP comment="ICMP - Drop All Others" disabled=yes \
    protocol=icmp
add action=drop chain=sshBruteforce disabled=yes src-address-list=\
    ssh_blacklist
add action=add-src-to-address-list address-list=ssh_blacklist \
    address-list-timeout=1w3d chain=sshBruteforce disabled=yes \
    src-address-list=ssh_stage3
add action=add-src-to-address-list address-list=ssh_stage3 \
    address-list-timeout=1m chain=sshBruteforce disabled=yes \
    src-address-list=ssh_stage2
add action=add-src-to-address-list address-list=ssh_stage2 \
    address-list-timeout=1m chain=sshBruteforce disabled=yes \
    src-address-list=ssh_stage1
add action=add-src-to-address-list address-list=ssh_stage1 \
    address-list-timeout=1m chain=sshBruteforce disabled=yes protocol=tcp
/ip firewall nat
add action=dst-nat chain=dstnat comment="DNS TCP for VLAN2" dst-port=53 \
    in-interface=bridge-vlan2 protocol=tcp to-addresses=208.67.222.222
add action=dst-nat chain=dstnat comment="DNS UDP for VLAN2" dst-port=53 \
    in-interface=bridge-vlan2 protocol=udp to-addresses=208.67.222.222
add action=dst-nat chain=dstnat comment="Port 8090 Forward" dst-address-type=\
    local dst-port=8181 protocol=tcp to-addresses=192.168.1.26
add action=dst-nat chain=dstnat comment="Port 6767 Forward" dst-address-type=\
    local dst-port=6767 protocol=tcp to-addresses=192.168.1.26
add action=dst-nat chain=dstnat comment="Port 6868 Forward" dst-address-type=\
    local dst-port=6868 protocol=tcp to-addresses=192.168.1.26
add action=masquerade chain=srcnat comment="Hairpin Port 8090" dst-address=\
    192.168.1.26 dst-port=8090 out-interface=bridge-local protocol=tcp \
    src-address=192.168.1.0/24
add action=masquerade chain=srcnat comment="Hairpin Port 6767" dst-address=\
    192.168.1.26 dst-port=6767 out-interface=bridge-local protocol=tcp \
    src-address=192.168.1.0/24
add action=masquerade chain=srcnat comment="Hairpin Port 6868" dst-address=\
    192.168.1.26 dst-port=6868 out-interface=bridge-local protocol=tcp \
    src-address=192.168.1.0/24
add action=masquerade chain=srcnat comment=Masquerade out-interface=\
    ether1-gateway to-addresses=0.0.0.0

The firewall is blocking me from accessing local IP addresses when I am logged into the VPN from outside the network. If I disable the firewall everything is fine and I can access local IP addresses.

If anyone can take a look and point me in the right direction I would appreciate it. Thanks.
 
efaden

Re: Need Help With Firewall

Fri Dec 06, 2013 8:01 pm

I'm out of town, but I assume you are using IPsec? If so you need to allow your VPN IP on your WAN interface as input and forward.

 
tabate47

Re: Need Help With Firewall

Sat Dec 07, 2013 9:15 am

Eric,

Thanks for checking in.

I am running a pptp vpn. Does that make a difference? Do I still need to do what you said?

No rush on this. When you get back if you have time take a look and let me know.

Have a great time. Thanks again.
 
efaden

Re: Need Help With Firewall

Sun Dec 08, 2013 8:56 pm

I just got home and am a little brain dead, but simple test... disable your default drop in the input and forward chains and see if it works... if it does then we know where the issue is. I have to research a bit and see based on the packet flow diagram how PPTP packets show up...

-Eric
 
efaden

Re: Need Help With Firewall

Sun Dec 08, 2013 8:56 pm

I just got home and am a little brain dead, but simple test... disable your default drop in the input and forward chains and see if it works... if it does then we know where the issue is. I have to research a bit and see based on the packet flow diagram how PPTP packets show up...

-Eric
Also... what addresses are your PPTP clients getting? And can you post your PPTP config etc?... just easier if I can read it.
 
tabate47

Re: Need Help With Firewall

Sun Dec 08, 2013 9:45 pm

Sure thing. As soon as I get home I'll do it. I'm pretty sure the VPN IPs are in the 192.168.10.x range.
 
efaden

Re: Need Help With Firewall

Sun Dec 08, 2013 9:48 pm

Sure thing. As soon as I get home I'll do it. I'm pretty sure the VPN IPs are in the 192.168.10.x range.
I'm pretty sure it's something in forward...... I think what you want to do is configure the PPTP profile to add all of the connections to a bridge you create (call it bridge-VPN).... then you need to allow forward traffic between bridge-vpn and bridge-local.. "I think"... I'll have to see the results of your forward test... (test input and forward separately so we know which is causing the issue).
 
tabate47

Re: Need Help With Firewall

Mon Dec 09, 2013 2:31 am

Ok, here is what I discovered:

The default drop for the input chain prevents me from accessing winbox when logged in via vpn.

The default drop for the forward chain prevents me from accessing local ip addresses when logged in via vpn. For example, I can't log into my printer from outside the network connected via vpn.

So two things are going on.

Here is my vpn setup:

ros code

/ppp profile
set 0 change-tcp-mss=yes name=default only-one=default use-compression=\
    default use-encryption=default use-mpls=default use-vj-compression=\
    default
set 1 change-tcp-mss=yes local-address=192.168.1.1 \
    name=default-encryption only-one=default remote-address=pool-vpn \
    use-compression=default use-encryption=yes use-mpls=default \
    use-vj-compression=default

/interface pptp-server server
set authentication=mschap1,mschap2 default-profile=default-encryption \
    enabled=yes keepalive-timeout=30 max-mru=1460 max-mtu=1460 mrru=disabled
 
efaden

Re: Need Help With Firewall

Mon Dec 09, 2013 2:37 am

Ok, here is what I discovered:

The default drop for the input chain prevents me from accessing winbox when logged in via vpn.

The default drop for the forward chain prevents me from accessing local ip addresses when logged in via vpn. For example, I can't log into my printer from outside the network connected via vpn.

So two things are going on.

Here is my vpn setup:

ros code

/ppp profile
set 0 change-tcp-mss=yes name=default only-one=default use-compression=\
    default use-encryption=default use-mpls=default use-vj-compression=\
    default
set 1 change-tcp-mss=yes local-address=192.168.1.1 \
    name=default-encryption only-one=default remote-address=pool-vpn \
    use-compression=default use-encryption=yes use-mpls=default \
    use-vj-compression=default

/interface pptp-server server
set authentication=mschap1,mschap2 default-profile=default-encryption \
    enabled=yes keepalive-timeout=30 max-mru=1460 max-mtu=1460 mrru=disabled

Do this

ros code

/interface bridge
  add name=bridge-vpn

/ppp profile 
  set 1 bridge=bridge-vpn

Then add rules (above your default drops)

ros code

add chain=input in-interface=bridge-vpn 

add chain=forward in-interface=bridge-vpn out-interface=bridge-local
add chain=forward in-interface=bridge-local out-interface=bridge-vpn

Also do you use Google Hangouts?... may be faster to just chat on there... my email is my forum username @gmail.com
 
efaden

Re: Need Help With Firewall

Mon Dec 09, 2013 2:44 am

Ok, here is what I discovered:

The default drop for the input chain prevents me from accessing winbox when logged in via vpn.

The default drop for the forward chain prevents me from accessing local ip addresses when logged in via vpn. For example, I can't log into my printer from outside the network connected via vpn.

So two things are going on.

Here is my vpn setup:

ros code

/ppp profile
set 0 change-tcp-mss=yes name=default only-one=default use-compression=\
    default use-encryption=default use-mpls=default use-vj-compression=\
    default
set 1 change-tcp-mss=yes local-address=192.168.1.1 \
    name=default-encryption only-one=default remote-address=pool-vpn \
    use-compression=default use-encryption=yes use-mpls=default \
    use-vj-compression=default

/interface pptp-server server
set authentication=mschap1,mschap2 default-profile=default-encryption \
    enabled=yes keepalive-timeout=30 max-mru=1460 max-mtu=1460 mrru=disabled

Do this

ros code

/interface bridge
  add name=bridge-vpn

/ppp profile 
  set 1 bridge=bridge-vpn

Then add rules (above your default drops)

ros code

add chain=input in-interface=bridge-vpn 

add chain=forward in-interface=bridge-vpn out-interface=bridge-local
add chain=forward in-interface=bridge-local out-interface=bridge-vpn

Also do you use Google Hangouts?... may be faster to just chat on there... my email is my forum username @gmail.com

I think you can also do something like this using the Firewall rules for PPTP

ros code

/ip firewall filter
add action=jump chain=forward disabled=no jump-target=ppp

/ip firewall filter
add action=accept chain=ppp-in disabled=no
add action=accept chain=ppp-out disabled=no

/ppp profile
set 1 incoming-filter=ppp-in outgoing-filter=ppp-out

I haven't tested this though...
 
tabate47

Re: Need Help With Firewall

Mon Dec 09, 2013 2:49 am

I never tried google hangouts. I will check it out.

Should I try both of your suggestions, or is one better than the other. I know you said you never tried the second suggestion.
 
efaden

Re: Need Help With Firewall

Mon Dec 09, 2013 2:56 am

I never tried google hangouts. I will check it out.

Should I try both of your suggestions, or is one better than the other. I know you said you never tried the second suggestion.
Not sure entirely how the second one functions.... since I know you have multiple networks and such... I'm just not sure which networks it would allow access to etc... I would try the first and see how/if it works....
 
tabate47

Re: Need Help With Firewall

Mon Dec 09, 2013 3:01 am

I will give them both a try and let you know. Thanks as always for the help.
 
tabate47

Re: Need Help With Firewall

Mon Dec 09, 2013 7:21 am

I tried the first one and it did not work.

I attempted to try the second one but I just did not understand it.

I have not had time to sit down and grasp what you are doing with the firewall, but it seems like you are making a list of things to "jump" to, and if things are not on that list they get dropped.

Then, if they are on the list, it "jumps" to the area you specified.

I am assuming you did it this way because I have several networks that need to be separated, otherwise you would not need jumps, you could just do drops.

Is that right?

There is obviously something in the rules that is blocking access to winbox and local ip addresses, because when I disable the drop rules everything works.
 
efaden

Re: Need Help With Firewall

Mon Dec 09, 2013 4:04 pm

I tried the first one and it did not work.

I attempted to try the second one but I just did not understand it.

I have not had time to sit down and grasp what you are doing with the firewall, but it seems like you are making a list of things to "jump" to, and if things are not on that list they get dropped.

Then, if they are on the list, it "jumps" to the area you specified.

I am assuming you did it this way because I have several networks that need to be separated, otherwise you would not need jumps, you could just do drops.

Is that right?

There is obviously something in the rules that is blocking access to winbox and local ip addresses, because when I disable the drop rules everything works.
Yeah... Not really sure. I'd have to poke at the config for a bit and see if I can figure it out... I don't know about the ppp chains and how they work.
 
tabate47

Re: Need Help With Firewall

Mon Dec 09, 2013 5:19 pm

Thanks Eric. I read a lot last night, and saw things like proxy-arp, and some others, but I don't think any of them apply to my situation. It seems like the proxy is for when you are on the same subnet as the local, which I am not.

What would be blocking winbox access? When I look at it it's almost treating me like I am on a different subnet instead of a vpn. I am on a different subnet when using vpn, but it is supposed to treat me like I am not. I think the problem lies somewhere there.
 
webpagetech
newbie
Posts: 42
Joined: Fri Mar 01, 2013 8:42 pm
Location: TX, United States

Re: Need Help With Firewall

Wed Dec 11, 2013 8:38 pm

It looks like you're using a pptp tunnel, right?... To get the vpn to work the following setup should do it.
input, established, accept
input, related, accept
input, new, tcp, dst-port=1723, accept. 
input, drop

forward, established, accept
forward, related, accept
forward, new, src=<lan-subnet>, accept
forward, new, src=<vpn-subnet>, accept
forward, drop
input tcp 1723 will accept the initial connection and the gre tunnel will be accepted through the related rule.

Then you need to make sure that your forward chain accepts your vpn and lan subnets before the drop rule.
I am on a different subnet when using vpn, but it is supposed to treat me like I am not. I think the problem lies somewhere there.
You could have your ppp profile remote-address set to a pool that is on your lan. That is the easiest way to get it to work. Otherwise you need to make sure that the client that is using the vpn has routes to your lan network via pptp tunnel. If they have default gw set to vpn it should work fine but having your vpn and lan subnets separated does create complexities.

Also make sure that all your service ports are enabled in /ip firewall service ports.

I'll check out the config soon to see if I can figure out what is up with remote winbox access as well as vpn access to lan.
Last edited by webpagetech on Thu Dec 12, 2013 1:52 am, edited 1 time in total.
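The input/forward skeleton in the post above, written out as RouterOS filter rules. This is an added example, not webpagetech's or the thread author's own config. It assumes the WAN interface is ether1-gateway and the LAN is 192.168.1.0/24 (both from the export earlier in the thread) and uses 192.168.10.0/24 as a stand-in for the VPN pool. One rule not in the post is added: an accept for everything arriving on non-WAN interfaces, so that a router admin is not locked out of the LAN side by the final drop.

```routeros
# Added example (not from the thread). Assumptions: ether1-gateway is the WAN,
# 192.168.1.0/24 is the LAN, 192.168.10.0/24 stands in for the VPN pool.
/ip firewall filter
add chain=input connection-state=established action=accept comment="in: established"
add chain=input connection-state=related action=accept comment="in: related"
add chain=input connection-state=invalid action=drop comment="in: invalid"
# PPTP control channel from the internet
add chain=input connection-state=new protocol=tcp dst-port=1723 \
    in-interface=ether1-gateway action=accept comment="in: PPTP control"
# Not in the post: keep management reachable from the LAN/VLAN side
add chain=input in-interface=!ether1-gateway action=accept comment="in: local mgmt"
add chain=input action=drop comment="in: default drop"

add chain=forward connection-state=established action=accept comment="fw: established"
add chain=forward connection-state=related action=accept comment="fw: related"
add chain=forward connection-state=invalid action=drop comment="fw: invalid"
# Accept by source subnet, so the dynamic <pptp-...> interface never needs naming
add chain=forward connection-state=new src-address=192.168.1.0/24 action=accept \
    comment="fw: LAN"
add chain=forward connection-state=new src-address=192.168.10.0/24 action=accept \
    comment="fw: VPN clients"
add chain=forward action=drop comment="fw: default drop"

# The GRE packets (protocol 47) carrying the tunnel are classified as 'related'
# to the TCP 1723 session only while the PPTP connection-tracking helper is on;
# this is the "service ports" check the post refers to.
/ip firewall service-port
set pptp disabled=no
```

With the helper disabled, GRE arrives as `connection-state=new` and is dropped by the last input rule even though TCP 1723 was accepted, which shows up as a VPN that authenticates but never passes traffic. Checking `/ip firewall service-port print` is the first thing to verify when that symptom appears.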
 
webpagetech
newbie
Posts: 42
Joined: Fri Mar 01, 2013 8:42 pm
Location: TX, United States

Re: Need Help With Firewall

Thu Dec 12, 2013 1:51 am

VPN not working

The rule in your forward chain to accept all traffic going out interface ether1-gateway does not accept traffic going out your dynamically created vpn interface.
Since your vpn connection gets created dynamically when the connection is established it would be hard to accept via outgoing interface.

You could add an accept rule in your forward chain. Something along the lines of.
forward, new, src-address=<vpn-subnet>, accept

#####
winbox from outside

You don't have any rules accepting tcp 8291 from the outside.

You could change your ssh brute force to include tcp port 8291.
add action=jump chain=input comment="SSH Brute Force" dst-port=22,8291 \
    in-interface=ether1-gateway jump-target=sshBruteforce protocol=tcp
########
on a side you might want to... mostly personal preference, just some thoughts...

icmp OK... some updates like echo reply and dst unreachable would never be seen on input chain because they would be on output chain.

port scanners... you might want to add the src to a block list instead of just dropping the port scan occurrence. Just like how you have syn flood set up.

input chain bridge lan... you might want to accept services then drop all rather than just accepting all
input vlan 1... you might want to accept services drop all else
input vlan2... drop all... The dhcp accept rules for vlan2 belong on a bridge filter. You can just remove them.

For your forward chain you might want to...
forward, established, accept
forward, related, accept
forward, new, src=vlan1, not out ether1, drop.
forward, new, src=vlan2, jump vlan2-forward.
forward, new, src=vlan1, accept.
forward, new, src=bridge-lan, accept.
forward, new, src=bridge-vpn, accept.
forward, new, accept your port forwards...
forward, drop
vlan2-forward, proto=udp, dst-port=53, dst-address=!<kids-acceptable-content-dns-server>, drop
vlan2-forward, out-interface=!wan, drop
vlan2-forward, accept
This would take care of the vpn issue because it does not work using out interface but still does not allow vlan1 or vlan2 to access lan resources and still makes vlan2 use a specific dns server.
Last edited by webpagetech on Thu Dec 12, 2013 7:51 am, edited 2 times in total.
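The forward-chain layout proposed in the post above, turned into RouterOS rules. This is an added example, not the poster's own config. Interface names (ether1-gateway, bridge-local, bridge-vlan1, bridge-vlan2) and the server 192.168.1.26 come from the export in the thread; 192.168.10.0/24 is an assumed VPN pool, and the VLAN2 resolver is 208.67.222.222, the address already used in the poster's VLAN2 dst-nat rules. It also matches the port forwards by `connection-nat-state=dstnat` rather than listing each port a second time, so the forward chain stays in step with the NAT table.

```routeros
# Added example (not from the thread). Assumptions: 192.168.10.0/24 is the VPN
# pool; 208.67.222.222 is the only resolver VLAN2 may use.
/ip firewall filter
add chain=forward connection-state=established action=accept
add chain=forward connection-state=related action=accept
add chain=forward connection-state=invalid action=drop
# VLAN1 is internet-only: anything not leaving via the WAN is dropped first
add chain=forward connection-state=new in-interface=bridge-vlan1 \
    out-interface=!ether1-gateway action=drop comment="vlan1: no LAN access"
# VLAN2 gets its own policy chain
add chain=forward connection-state=new in-interface=bridge-vlan2 \
    action=jump jump-target=vlan2-forward comment="vlan2: policy chain"
# Accept by source rather than out-interface, so the dynamically created
# PPTP interface never has to be named in a rule
add chain=forward connection-state=new in-interface=bridge-vlan1 action=accept
add chain=forward connection-state=new in-interface=bridge-local action=accept
add chain=forward connection-state=new src-address=192.168.10.0/24 action=accept \
    comment="vpn clients"
# Published services: accept only connections the dstnat table rewrote
add chain=forward connection-state=new connection-nat-state=dstnat \
    dst-address=192.168.1.26 action=accept comment="port forwards"
add chain=forward action=drop comment="default drop"

# vlan2-forward: pin DNS to one resolver, then internet-only, then accept
add chain=vlan2-forward protocol=udp dst-port=53 dst-address=!208.67.222.222 \
    action=drop comment="vlan2: DNS must go to filtered resolver"
add chain=vlan2-forward protocol=tcp dst-port=53 dst-address=!208.67.222.222 \
    action=drop
add chain=vlan2-forward out-interface=!ether1-gateway action=drop \
    comment="vlan2: no LAN access"
add chain=vlan2-forward action=accept
```

Because a jump chain that reaches its end without a verdict returns to the parent chain, the trailing `accept` in `vlan2-forward` matters: without it VLAN2 traffic falls back into the forward chain and is caught by the default drop. The TCP/53 rule is added alongside the UDP one from the post, since resolvers fall back to TCP for large answers.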
 
tabate47
Long time Member
Long time Member
Topic Author
Posts: 510
Joined: Wed Mar 13, 2013 5:23 am
Location: Los Angeles

Re: Need Help With Firewall

Thu Dec 12, 2013 5:40 am

Thanks for the reply and the help. I will give it a try in the next couple of days when I have time and let you know what happens. I appreciate it.
 
tabate47
Long time Member
Long time Member
Topic Author
Posts: 510
Joined: Wed Mar 13, 2013 5:23 am
Location: Los Angeles

Re: Need Help With Firewall

Fri Dec 13, 2013 8:21 am

I tried to add your suggestions to my firewall, but it did not work.

I changed my vpn ip to my lan ip. I thought this might help, but it didn't.

I still cannot access the devices on my lan from the vpn, and I cannot access winbox from the vpn.

What am I missing? I have been reading so much my eyes are going to fall out.
 
efaden
Forum Guru
Forum Guru
Posts: 1708
Joined: Sat Mar 30, 2013 1:55 am
Location: New York, USA

Re: Need Help With Firewall

Sat Dec 14, 2013 2:00 am

I tried to add your suggestions to my firewall, but it did not work.

I changed my vpn ip to my lan ip. I thought this might help, but it didn't.

I still cannot access the devices on my lan from the vpn, and I cannot access winbox from the vpn.

What am I missing? I have been reading so much my eyes are going to fall out.
Now that I'm back home again I'll take a look at the configuration. Can you post your latest and what you have tried?

Sent from my SCH-I545 using Tapatalk
 
tabate47
Long time Member
Long time Member
Topic Author
Posts: 510
Joined: Wed Mar 13, 2013 5:23 am
Location: Los Angeles

Re: Need Help With Firewall

Sat Dec 14, 2013 3:30 am

I have tried so many things I can't even remember. Nothing has worked.

One change I made is putting my vpn addresses in the same subnet as my lan addresses. I don't think that's necessary though.

Here is my compact export:

ros code

/interface bridge
add comment="Local Bridge" l2mtu=1598 name=bridge-local
add comment="Vlan1 Bridge" l2mtu=1594 name=bridge-vlan1
add comment="Vlan2 Bridge" l2mtu=1594 name=bridge-vlan2
/interface ethernet
set 0 name=ether1-gateway
set 1 name=ether2-local
set 2 name=ether3-vlan1
set 3 name=ether4-vlan2
set 4 name=ether5-trunk
/interface vlan
add interface=bridge-local l2mtu=1594 name=vlan-vlan1-ether5 vlan-id=101
add interface=bridge-local l2mtu=1594 name=vlan-vlan2-ether5 vlan-id=102
/ip hotspot user profile
set [ find default=yes ] idle-timeout=none keepalive-timeout=2m
/ip pool
add name=pool-local ranges=192.168.1.100-192.168.1.254
add name=pool-vlan1 ranges=192.168.2.2-192.168.2.254
add name=pool-vlan2 ranges=192.168.3.2-192.168.3.254
add name=pool-vpn ranges=192.168.1.90-192.168.1.95
/ip dhcp-server
add address-pool=pool-local disabled=no interface=bridge-local name=local
add address-pool=pool-vlan1 disabled=no interface=bridge-vlan1 name=vlan1
add address-pool=pool-vlan2 disabled=no interface=bridge-vlan2 name=vlan2
/ppp profile
set 1 local-address=192.168.1.1 remote-address=pool-vpn
/interface bridge port
add bridge=bridge-local interface=ether2-local
add bridge=bridge-local interface=ether5-trunk
add bridge=bridge-vlan1 interface=ether3-vlan1
add bridge=bridge-vlan1 interface=vlan-vlan1-ether5
add bridge=bridge-vlan2 interface=ether4-vlan2
add bridge=bridge-vlan2 interface=vlan-vlan2-ether5
/interface pptp-server server
set enabled=yes
/ip address
add address=192.168.1.1/24 interface=bridge-local
add address=192.168.2.1/24 interface=bridge-vlan1
add address=192.168.3.1/24 interface=bridge-vlan2
/ip dhcp-client
add comment="default configuration" disabled=no interface=ether1-gateway \
    use-peer-dns=no
/ip dhcp-server network
add address=192.168.1.0/24 dns-server=192.168.1.1 gateway=192.168.1.1
add address=192.168.2.0/24 dns-server=192.168.2.1 gateway=192.168.2.1
add address=192.168.3.0/24 dns-server=192.168.3.1 gateway=192.168.3.1
/ip dns
set allow-remote-requests=yes servers=8.8.8.8,8.8.4.4
/ip firewall filter
add chain=input comment="Connection State - Established" connection-state=\
    established
add chain=input comment="Connection State - Related" connection-state=related
add action=drop chain=input comment="Connection State - Invalid" \
    connection-state=invalid
add action=jump chain=input comment="ICMP - From Internet - Jump" \
    in-interface=ether1-gateway jump-target=ICMP protocol=icmp
add chain=input comment="ICMP - From Local" in-interface=!ether1-gateway \
    protocol=icmp
add action=drop chain=input comment=\
    "TCP - Syn Flood Suppression - Drop SynFlood" src-address-list=SynFlood
add action=add-src-to-address-list address-list=SynFlood \
    address-list-timeout=30m chain=input comment="TCP - Syn Flood Detection - \
    Add To SynFlood (30 Connections Per IP Address)" connection-limit=30,32 \
    protocol=tcp tcp-flags=syn
add action=drop chain=input comment=\
    "TCP - Port Scan Detection - Drop Port Scans (21,3s,3,1)" protocol=tcp \
    psd=21,3s,3,1
add action=tarpit chain=input comment="TCP - DoS Attack Suppression - Tarpit Bl\
    ackList (3 Connections Per IP Address)" connection-limit=3,32 protocol=\
    tcp src-address-list=BlackList
add action=add-src-to-address-list address-list=BlackList \
    address-list-timeout=1d chain=input comment="TCP - DoS Attack Detection - \
    Add to BlackList for 1d (10 Connections per IP Address)" \
    connection-limit=10,32 protocol=tcp
add action=jump chain=input comment="SSH Brute Force" dst-port=22 \
    in-interface=ether1-gateway jump-target=sshBruteforce protocol=tcp
add chain=input comment="Allow Local" in-interface=bridge-local
add action=jump chain=input comment="VLAN1 Traffic Jump" in-interface=\
    bridge-vlan1 jump-target=vlan1
add action=jump chain=input comment="VLAN2 Traffic Jump" in-interface=\
    bridge-vlan2 jump-target=vlan2
add action=jump chain=input comment="VPN Traffic" in-interface=ether1-gateway \
    jump-target=vpn
add action=drop chain=input comment="Default Drop"
add chain=forward comment="Connection State - Established" connection-state=\
    established
add chain=forward comment="Connection State - Related" connection-state=\
    related
add action=drop chain=forward comment="Connection State - Invalid" \
    connection-state=invalid
add chain=forward comment="Forward to Ether1-Gateway" out-interface=\
    ether1-gateway
add chain=forward comment="DST NAT - Port 8090" dst-address=192.168.1.26 \
    dst-port=8181 protocol=tcp
add chain=forward comment="DST NAT - Port 6767" dst-address=192.168.1.26 \
    dst-port=6767 protocol=tcp
add chain=forward comment="DST NAT - Port 6868" dst-address=192.168.1.26 \
    dst-port=6868 protocol=tcp
add action=drop chain=forward comment="Default Drop"
add chain=vlan1 comment="VLAN1 DNS TCP" dst-port=53 protocol=tcp
add chain=vlan1 comment="VLAN1 DNS UDP" dst-port=53 protocol=udp
add chain=vlan1 comment="DHCP Port 67" dst-port=67 protocol=udp
add chain=vlan1 comment="DHCP Port 68" dst-port=68 protocol=udp
add chain=vlan2 comment="DHCP Port 67" dst-port=67 protocol=udp
add chain=vlan2 comment="DHCP Port 68" dst-port=68 protocol=udp
add chain=vpn comment="VPN Traffic" dst-port=1723 protocol=tcp
add chain=vpn comment="VPN Traffic" protocol=gre
add chain=ICMP comment="ICMP - Allow Echo Reply (0:0-255), Limit 5pps" \
    icmp-options=0 limit=5,5 protocol=icmp
add chain=ICMP comment=\
    "ICMP - Allow Destination Unreachable (3:0-255), Limit 5pps" \
    icmp-options=3 limit=5,5 protocol=icmp
add chain=ICMP comment="ICMP - Allow Source Quench (4:0), Limit 5pps" \
    icmp-options=4 limit=5,5 protocol=icmp
add chain=ICMP comment="ICMP - Allow Echo Request (8:0), Limit 5pps" \
    icmp-options=8 limit=5,5 protocol=icmp
add chain=ICMP comment="ICMP - Allow Time Exceeded (11:0), Limit 5pps" \
    icmp-options=11 limit=5,5 protocol=icmp
add chain=ICMP comment="ICMP - Allow Parameter Problem (12:0), Limit 5pps" \
    icmp-options=12 limit=5,5 protocol=icmp
add action=drop chain=ICMP comment="ICMP - Drop All Others" protocol=icmp
add action=drop chain=sshBruteforce src-address-list=ssh_blacklist
add action=add-src-to-address-list address-list=ssh_blacklist \
    address-list-timeout=1w3d chain=sshBruteforce src-address-list=ssh_stage3
add action=add-src-to-address-list address-list=ssh_stage3 \
    address-list-timeout=1m chain=sshBruteforce src-address-list=ssh_stage2
add action=add-src-to-address-list address-list=ssh_stage2 \
    address-list-timeout=1m chain=sshBruteforce src-address-list=ssh_stage1
add action=add-src-to-address-list address-list=ssh_stage1 \
    address-list-timeout=1m chain=sshBruteforce protocol=tcp
/ip firewall nat
add action=dst-nat chain=dstnat comment="DNS TCP for VLAN2" dst-port=53 \
    in-interface=bridge-vlan2 protocol=tcp to-addresses=208.67.222.222
add action=dst-nat chain=dstnat comment="DNS UDP for VLAN2" dst-port=53 \
    in-interface=bridge-vlan2 protocol=udp to-addresses=208.67.222.222
add action=dst-nat chain=dstnat comment="Port 8090 Forward" dst-address-type=\
    local dst-port=8181 protocol=tcp to-addresses=192.168.1.26
add action=dst-nat chain=dstnat comment="Port 6767 Forward" dst-address-type=\
    local dst-port=6767 protocol=tcp to-addresses=192.168.1.26
add action=dst-nat chain=dstnat comment="Port 6868 Forward" dst-address-type=\
    local dst-port=6868 protocol=tcp to-addresses=192.168.1.26
add action=masquerade chain=srcnat comment="Hairpin Port 8090" dst-address=\
    192.168.1.26 dst-port=8181 out-interface=bridge-local protocol=tcp \
    src-address=192.168.1.0/24
add action=masquerade chain=srcnat comment="Hairpin Port 6767" dst-address=\
    192.168.1.26 dst-port=6767 out-interface=bridge-local protocol=tcp \
    src-address=192.168.1.0/24
add action=masquerade chain=srcnat comment="Hairpin Port 6868" dst-address=\
    192.168.1.26 dst-port=6868 out-interface=bridge-local protocol=tcp \
    src-address=192.168.1.0/24
add action=masquerade chain=srcnat comment=Masquerade out-interface=\
    ether1-gateway to-addresses=0.0.0.0
/ip neighbor discovery
set ether1-gateway disabled=yes
set ether3-vlan1 disabled=yes
set ether4-vlan2 disabled=yes
set bridge-vlan1 disabled=yes
set bridge-vlan2 disabled=yes
set vlan-vlan1-ether5 disabled=yes
set vlan-vlan2-ether5 disabled=yes
/ip service
set telnet disabled=yes
set ftp disabled=yes
 
efaden
Forum Guru
Forum Guru
Posts: 1708
Joined: Sat Mar 30, 2013 1:55 am
Location: New York, USA

Re: Need Help With Firewall

Sat Dec 14, 2013 3:33 am

And you're using straight pptp? I'll set one up on my test rig and try it out.

Sent from my SCH-I545 using Tapatalk
 
tabate47
Long time Member
Long time Member
Topic Author
Posts: 510
Joined: Wed Mar 13, 2013 5:23 am
Location: Los Angeles

Re: Need Help With Firewall

Sat Dec 14, 2013 3:36 am

As far as I know, yes. Very basic.

Do you suggest something else? I want to be able to vpn in from the iPhone and iPad.
 
efaden
Forum Guru
Forum Guru
Posts: 1708
Joined: Sat Mar 30, 2013 1:55 am
Location: New York, USA

Re: Need Help With Firewall

Sat Dec 14, 2013 3:39 am

Do they support l2tp over ipsec? I'll investigate that tomorrow.

Sent from my SCH-I545 using Tapatalk
 
tabate47
Long time Member
Long time Member
Topic Author
Posts: 510
Joined: Wed Mar 13, 2013 5:23 am
Location: Los Angeles

Re: Need Help With Firewall

Sat Dec 14, 2013 3:48 am

Yes, it is possible. Is that a more secure vpn? If so, I am open to use it. Is it more difficult to set up?
 
efaden
Forum Guru
Forum Guru
Posts: 1708
Joined: Sat Mar 30, 2013 1:55 am
Location: New York, USA

Re: Need Help With Firewall

Sat Dec 14, 2013 4:13 am

We could try it. I use it personally. Never tried with the ipad but I have with osx. Not sure if it's more secure.

Sent from my SCH-I545 using Tapatalk
Last edited by efaden on Sat Dec 14, 2013 4:42 am, edited 2 times in total.
 
tabate47
Long time Member
Long time Member
Topic Author
Posts: 510
Joined: Wed Mar 13, 2013 5:23 am
Location: Los Angeles

Re: Need Help With Firewall

Sat Dec 14, 2013 4:39 am

Ok let's try it
 
efaden
Forum Guru
Forum Guru
Posts: 1708
Joined: Sat Mar 30, 2013 1:55 am
Location: New York, USA

Re: Need Help With Firewall

Sat Dec 14, 2013 4:42 am

Ok let's try it
When I get a chance I'll send you the config for the L2TP/IPSec... also if you want to give me remote I can poke at it myself and get it to work.
 
efaden
Forum Guru
Forum Guru
Posts: 1708
Joined: Sat Mar 30, 2013 1:55 am
Location: New York, USA

Re: Need Help With Firewall

Sat Dec 14, 2013 4:50 am

For L2TP over IPSec... Pretty sure I got it all.... It does work with the IPad in theory... I haven't tested it yet though. It works with the OSX builtin client.

ros code

/interface bridge
add name=bridge-vpn

/ip address
add interface=bridge-vpn address=192.168.4.1/24

/ip pool
add name=vpn-pool ranges=192.168.4.2-192.168.4.254

/ppp profile
add change-tcp-mss=yes dns-server=192.168.4.1 local-address=192.168.4.1 name=L2TP-Roadwarrior remote-address=vpn-pool use-encryption=yes

/ppp secret
add name=username password=SOME_KEY profile=L2TP-Roadwarrior service=l2tp

/interface l2tp-server server
set default-profile=L2TP-Roadwarrior enabled=yes

/ip ipsec policy group
add name=l2tp-roadwarrior

/ip ipsec proposal
add enc-algorithms=3des,aes-256-cbc name=l2tp-roadwarrior pfs-group=none

/ip ipsec peer
add comment="L2TP Roadwarrior" disabled=yes enc-algorithm=3des exchange-mode=main-l2tp \
    generate-policy=port-override nat-traversal=yes policy-group=l2tp-roadwarrior secret=\
    SOME_OTHER_KEY

/ip ipsec policy
add comment="L2TP Roadwarrior" group=l2tp-roadwarrior proposal=l2tp-roadwarrior template=yes
 
tabate47
Long time Member
Long time Member
Topic Author
Posts: 510
Joined: Wed Mar 13, 2013 5:23 am
Location: Los Angeles

Re: Need Help With Firewall

Sat Dec 14, 2013 5:12 am

Will this fix the firewall issues I'm having?
 
tabate47
Long time Member
Long time Member
Topic Author
Posts: 510
Joined: Wed Mar 13, 2013 5:23 am
Location: Los Angeles

Re: Need Help With Firewall

Sat Dec 14, 2013 5:55 am

Maybe it's a good idea to stick to the pptp and get my original firewall going.

Then, we can attempt the l2tp.

Ok?

Thanks Eric.
 
efaden
Forum Guru
Forum Guru
Posts: 1708
Joined: Sat Mar 30, 2013 1:55 am
Location: New York, USA

Re: Need Help With Firewall

Sat Dec 14, 2013 6:18 pm

Maybe it's a good idea to stick to the pptp and get my original firewall going.

Then, we can attempt the l2tp.

Ok?

Thanks Eric.

Try

ros code

/ip firewall filter
add place-before=0 chain=input src-address=192.168.4.0/24
add place-before=0 chain=forward src-address=192.168.4.0/24
add place-before=0 chain=input dst-address=192.168.4.0/24
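A tighter variant of the three rules above, added here as an example rather than efaden's own suggestion. `place-before=0` puts the accepts ahead of the connection-state rules, so invalid-state packets from the VPN subnet are accepted before the "Connection State - Invalid" drop ever sees them. Placing them just behind the state rules instead keeps that ordering; the rules below assume the filter comments from the poster's export ("ICMP - From Internet - Jump", "Forward to Ether1-Gateway") are still present, and that 192.168.4.0/24 is the VPN pool. The input rule matching on `dst-address` is left out, since packets from VPN clients to the router's 192.168.4.1 are already covered by the `src-address` rule.

```routeros
# Added example (not from the thread). Assumes the commented rules named in
# place-before still exist and that the VPN pool is 192.168.4.0/24.
/ip firewall filter
# Input: accept new VPN-client connections to the router itself, placed right
# after the established/related/invalid rules (i.e. before the ICMP jump)
add chain=input connection-state=new src-address=192.168.4.0/24 action=accept \
    comment="VPN clients -> router" \
    place-before=[find chain=input comment="ICMP - From Internet - Jump"]
# Forward: accept new VPN-client connections to the LAN, again after the
# state rules and before the per-interface accepts
add chain=forward connection-state=new src-address=192.168.4.0/24 action=accept \
    comment="VPN clients -> LAN" \
    place-before=[find chain=forward comment="Forward to Ether1-Gateway"]
```

`/ip firewall filter print where chain=input` afterwards should show the new rule directly below "Connection State - Invalid"; if `find` matches nothing because a comment was changed, the `add` fails rather than silently landing at the end of the chain behind the default drop.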
 
tabate47
Long time Member
Long time Member
Topic Author
Posts: 510
Joined: Wed Mar 13, 2013 5:23 am
Location: Los Angeles

Re: Need Help With Firewall

Sat Dec 14, 2013 6:31 pm

I would need to add this too, correct?

ros code

/interface bridge
add name=bridge-vpn
 
/ip address
add interface=bridge-vpn address=192.168.4.1/24
 
/ip pool
add name=vpn-pool ranges=192.168.4.2-192.168.4.254
 
efaden
Forum Guru
Forum Guru
Posts: 1708
Joined: Sat Mar 30, 2013 1:55 am
Location: New York, USA

Re: Need Help With Firewall

Sat Dec 14, 2013 6:49 pm

I would need to add this too, correct?

ros code

/interface bridge
add name=bridge-vpn
 
/ip address
add interface=bridge-vpn address=192.168.4.1/24
 
/ip pool
add name=vpn-pool ranges=192.168.4.2-192.168.4.254
Uh... not 100% necessary, but 192.168.4.1 should be assigned to some interface. Personally I find it easiest to make it on a bridge-vpn so it makes sense to me.
 
tabate47
Long time Member
Long time Member
Topic Author
Posts: 510
Joined: Wed Mar 13, 2013 5:23 am
Location: Los Angeles

Re: Need Help With Firewall

Sat Dec 14, 2013 6:53 pm

Eric,

You did it again!

All I did was change my vpn ip range into the .4's and add your code:

ros code

/ip firewall filter
add place-before=0 chain=input src-address=192.168.4.0/24
add place-before=0 chain=forward src-address=192.168.4.0/24
add place-before=0 chain=input dst-address=192.168.4.0/24
and, it works!

Thanks man. The great part about it is I actually understand what you did. The firewall is so good that you have to allow things otherwise they will not work.
 
efaden
Forum Guru
Forum Guru
Posts: 1708
Joined: Sat Mar 30, 2013 1:55 am
Location: New York, USA

Re: Need Help With Firewall

Sat Dec 14, 2013 6:56 pm

Eric,

You did it again!

All I did was change my vpn ip range into the .4's and add your code:

ros code

/ip firewall filter
add place-before=0 chain=input src-address=192.168.4.0/24
add place-before=0 chain=forward src-address=192.168.4.0/24
add place-before=0 chain=input dst-address=192.168.4.0/24
and, it works!

Thanks man. The great part about it is I actually understand what you did. The firewall is so good that you have to allow things otherwise they will not work.

Nice... glad it works.
 
efaden
Forum Guru
Forum Guru
Posts: 1708
Joined: Sat Mar 30, 2013 1:55 am
Location: New York, USA

Re: Need Help With Firewall

Sat Dec 14, 2013 7:00 pm

Also if you run into other problems and I don't answer on here feel free to drop me an email... my email is my username @gmail.com ... I try to stay on here a lot, but sometimes I miss messages.
 
tabate47
Long time Member
Long time Member
Topic Author
Posts: 510
Joined: Wed Mar 13, 2013 5:23 am
Location: Los Angeles

Re: Need Help With Firewall

Sat Dec 14, 2013 7:02 pm

Thanks Eric.
