teo9789
Joined: Fri Mar 08, 2024 3:04 am

Not possible to set up SSL with NAT and port forwarding inside VLAN

Fri Mar 08, 2024 3:58 am

Hi everyone,

For over a week now, I've been trying to change my home lab network setup using a MikroTik router, transitioning from a single LAN for all services to several VLANs for different services, with the MikroTik router as the "head."

Setup
Here's a simplified overview of my setup for better understanding:
Internet <--------> ISP router (192.168.0.0/24, LAN 1) <--------> (192.168.0.10/24) MikroTik (10.0.0.0/24, LAN 2) <---------> Server (10.0.0.11)

- Between the internet and the ISP router, there's ISP NAT. The DMZ points to the MikroTik router IP with port forwarding on ports 433 and 80.
- In the MikroTik router, there's a bridge connecting all interfaces, and a VLAN on the bridge interface with the network 10.0.0.0/24. The MikroTik is connected to the ISP router via eth1, and the server is connected to the VLAN via eth5 with tag 20.
- On the server, I'm using Apache2 to host websites with a Cloudflare certificate, which works fine (I'll explain more below).

The MikroTik acts as a secondary NAT, where all traffic is directed and then forwarded to the desired machine.

Problem
The issue arises when attempting to connect via HTTPS to the MikroTik (192.168.0.10) with port forwarding to the server inside the VLAN. It raises an "ERR_SSL_VERSION_OR_CIPHER_MISMATCH" error only when HTTPS is used (the certificate and server work perfectly, tested outside the VLAN). It's peculiar because connecting via port 80 without SSL works. Additionally, I can confirm that accessing from outside with a DNS domain works only on port 80.

I've tried different methods to resolve this, such as HairpinNAT, using two bridges instead of one, forwarding all traffic, etc., but none have been successful with HTTPS and SSL.
I also installed my Cloudflare certificate on the router for testing purposes, but with no success.

When analyzing the results with Wireshark, when the ACK is made the server sends the SYN,ACK, but when the client sends the "Client Hello", the handshake does not succeed and raises a fatal error:
TLSv1.2 Record Layer: Alert (Level: Fatal, Description: Handshake Failure)
    Content Type: Alert (21)
    Version: TLS 1.2 (0x0303)
    Length: 2
    Alert Message
        Level: Fatal (2)
        Description: Handshake Failure (40)

As mentioned, this does not happen if I access directly via IP: https://10.0.0.11, or when moving the server outside the VLAN: https://192.168.0.63. The problem only occurs when port forwarding the port from the MikroTik: https://192.168.0.10 [does not work, 433], but http://192.168.0.10 [works, 80]

In the logs, I receive messages like this multiple times with different socket ports [192.168.0.11 is the PC]:
---> dstnat: in:bridge1 out:(unknown 0), connection-state:new src-mac 08:bf:b8:2a:ad:a7, proto TCP (SYN), 192.168.0.11:52042->192.168.0.10:433, len 52


When I make a CURL call, I get this:
C:\Users\teo2d>curl -v https://192.168.0.10
*   Trying 192.168.0.10:443
* Connected to 192.168.0.10 (192.168.0.10) port 443
* schannel: disabled automatic use of client certificate
* schannel: using IP address, SNI is not supported by OS.
* ALPN: curl offers http/1.1
* schannel: next InitializeSecurityContext failed: SEC_E_ILLEGAL_MESSAGE (0x80090326) - This error usually occurs when a fatal SSL/TLS alert is received (e.g. handshake failed). More detail may be available in the Windows System event log.
* Closing connection
* schannel: shutting down SSL/TLS connection with 192.168.0.10 port 443
curl: (35) schannel: next InitializeSecurityContext failed: SEC_E_ILLEGAL_MESSAGE (0x80090326) - This error usually occurs when a fatal SSL/TLS alert is received (e.g. handshake failed). More detail may be available in the Windows System event log.

But if I curl on the VLAN IP, I get this and it works:
C:\Users\teo2d>curl -v --insecure https://10.0.0.11
*   Trying 10.0.0.11:443...
* Connected to 10.0.0.11 (10.0.0.11) port 443
* schannel: disabled automatic use of client certificate
* schannel: using IP address, SNI is not supported by OS.
* ALPN: curl offers http/1.1
* ALPN: server accepted http/1.1
* using HTTP/1.1
> GET / HTTP/1.1
> Host: 10.0.0.11
> User-Agent: curl/8.4.0
> Accept: */*
>
* schannel: remote party requests renegotiation
* schannel: renegotiating SSL/TLS connection
* schannel: SSL/TLS connection renegotiated
* schannel: remote party requests renegotiation
* schannel: renegotiating SSL/TLS connection
* schannel: SSL/TLS connection renegotiated
* schannel: failed to decrypt data, need more data
< HTTP/1.1 200 OK
< Date: Fri, 08 Mar 2024 01:44:18 GMT
< Server: Apache/2.4.56 (Debian)

And if I access via HTTP (port 80) on the MikroTik, the forwarding works fine:

C:\Users\teo2d>curl -v 192.168.0.10
*   Trying 192.168.0.10:80...
* Connected to 192.168.0.10 (192.168.0.10) port 80
> GET / HTTP/1.1
> Host: 192.168.0.10
> User-Agent: curl/8.4.0
> Accept: */*
>
< HTTP/1.1 200 OK


At this point, I'm very desperate to find a solution that seems to not exist.


What does work
- Port forwarding
- DHCP binding
- Ping inside and outside the machine
- Connect via SSH and HTTP (port 80), Telnet, etc., into the VLAN
- Everything works on every port except 433 (which is already forwarded)
- Connecting the server outside the VLAN (in LAN 1 with the IP 192.168.0.63) and connecting with HTTP and HTTPS with SSL and TLSv1.2

What does not work
- Making a secure connection via HTTPS to the router forwarding the connection to the server (433)
- Trying to connect via SFTP or anything that requires SSL or TLS

Any help would be greatly appreciated.
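As an added example (not code from the original post or from MikroTik), here is a small Python tool that decodes the two artifacts the post quotes: the RouterOS firewall log line with the "dstnat:" prefix, and the raw TLS alert record that the Wireshark dissection describes (content type 21, TLS 1.2, length 2, level fatal, description 40). Parsing both into one summary lets a troubleshooter read the destination port the dstnat rule matched side by side with the outcome of the TLS handshake, instead of eyeballing the log and the capture separately. The sample log line is the one from the post; the alert bytes are constructed to match the dissection shown above; the alert code table is the subset of RFC 5246 values most often seen in this kind of failure.

```python
"""Parsers for the two diagnostics quoted in the post: a RouterOS firewall
log line and a raw TLS alert record. Added example, not the poster's code."""
import re
from dataclasses import dataclass
from typing import Optional

# TLS record content types and alert codes from RFC 5246 (TLS 1.2).
CONTENT_TYPE_ALERT = 21
TLS_VERSIONS = {0x0301: "TLS 1.0", 0x0302: "TLS 1.1", 0x0303: "TLS 1.2", 0x0304: "TLS 1.3"}
ALERT_LEVELS = {1: "warning", 2: "fatal"}
ALERT_DESCRIPTIONS = {
    0: "close_notify", 10: "unexpected_message", 20: "bad_record_mac",
    40: "handshake_failure", 42: "bad_certificate", 46: "certificate_unknown",
    70: "protocol_version", 80: "internal_error", 112: "unrecognized_name",
}


@dataclass
class TlsAlert:
    version: str
    level: str
    description: str

    @property
    def fatal(self) -> bool:
        return self.level == "fatal"


def parse_tls_alert(record: bytes) -> TlsAlert:
    """Decode one TLS record (5-byte header + body) and require it to be an alert."""
    if len(record) < 5:
        raise ValueError("truncated TLS record header")
    content_type = record[0]
    version = int.from_bytes(record[1:3], "big")
    length = int.from_bytes(record[3:5], "big")
    body = record[5:5 + length]
    if content_type != CONTENT_TYPE_ALERT:
        raise ValueError(f"content type {content_type} is not an alert")
    if length != 2 or len(body) != 2:
        raise ValueError("alert body must be exactly 2 bytes (level, description)")
    level, description = body[0], body[1]
    return TlsAlert(
        version=TLS_VERSIONS.get(version, f"unknown(0x{version:04x})"),
        level=ALERT_LEVELS.get(level, f"unknown({level})"),
        description=ALERT_DESCRIPTIONS.get(description, f"unknown({description})"),
    )


# Shape of a RouterOS firewall log line with a log-prefix ("dstnat:" in the post).
LOG_RE = re.compile(
    r"(?P<prefix>[\w-]+): in:(?P<in_if>\S+) out:\((?P<out_if>[^)]*)\), "
    r"connection-state:(?P<state>\S+) src-mac (?P<src_mac>[0-9a-f:]{17}), "
    r"proto (?P<proto>\w+)(?: \((?P<flags>[^)]*)\))?, "
    r"(?P<src_ip>[\d.]+):(?P<src_port>\d+)->(?P<dst_ip>[\d.]+):(?P<dst_port>\d+), "
    r"len (?P<length>\d+)"
)


def parse_firewall_log(line: str) -> dict:
    """Split one RouterOS firewall log line into named fields; ports and length as ints."""
    m = LOG_RE.search(line)
    if not m:
        raise ValueError("not a RouterOS firewall log line")
    fields = m.groupdict()
    for key in ("src_port", "dst_port", "length"):
        fields[key] = int(fields[key])
    return fields


def diagnose(log_line: str, alert_record: Optional[bytes]) -> dict:
    """Combine both artifacts into one summary of how far the forwarded connection got."""
    log = parse_firewall_log(log_line)
    summary = {
        "forwarded_to_port": log["dst_port"],
        "client": f"{log['src_ip']}:{log['src_port']}",
        "tcp_syn_seen": "SYN" in (log.get("flags") or ""),
        "tls_alert": None,
        "stage": "tcp_only",
    }
    if alert_record is not None:
        alert = parse_tls_alert(alert_record)
        summary["tls_alert"] = f"{alert.level} {alert.description} ({alert.version})"
        summary["stage"] = "tls_handshake_rejected" if alert.fatal else "tls_warning"
    return summary


# Constructed inputs: the log line quoted in the post, and alert bytes built to match
# the Wireshark dissection in the post (type 21, version 0x0303, len 2, level 2, desc 40).
SAMPLE_LOG = ("dstnat: in:bridge1 out:(unknown 0), connection-state:new src-mac 08:bf:b8:2a:ad:a7, "
              "proto TCP (SYN), 192.168.0.11:52042->192.168.0.10:433, len 52")
SAMPLE_ALERT = bytes([0x15, 0x03, 0x03, 0x00, 0x02, 0x02, 0x28])

if __name__ == "__main__":
    for key, value in diagnose(SAMPLE_LOG, SAMPLE_ALERT).items():
        print(f"{key:>18}: {value}")
```

Run it as a script to print the summary; when feeding it your own capture, take the 7 bytes of the alert record from the TCP payload (Wireshark's "Copy as Hex Stream" on the TLS layer) and the log line from /log print.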
