uberwebguru
Member Candidate
Topic Author
Posts: 172
Joined: Sat Feb 26, 2022 12:05 pm

What is performing firewall on mikrotik with zero firewall rules?

Sun May 01, 2022 12:35 pm

I am noticing a very weird thing with the firewall of the MikroTik CCR2004.
I set up a destination so I can access a private IP via a public one.

When I am on the wifi connected to the ISP, I can reach this public IP and access the private IP behind it fine; it is a webserver and I can see the default web page fine,
but I am unable to view this on another device on the internet.
For example, I jump into a VM from DigitalOcean and am unable to reach this web server by IP. Funny thing is I can ping the IP fine, but I can't telnet to port 80 or curl the endpoint,
which I was able to do from my home wifi network.

I have zero rules under firewall, I disabled all rules,
and this is what I am experiencing.

What is blocking this access from the internet? I have no rules in firewall?
 
uberwebguru
Member Candidate
Topic Author
Posts: 172
Joined: Sat Feb 26, 2022 12:05 pm

Re: What is performing firewall on mikrotik with zero firewall rules?

Sun May 01, 2022 12:40 pm

Or is it the NAT rule used for the destination NAT the one doing this?
 
Sob
Forum Guru
Posts: 9119
Joined: Mon Apr 20, 2009 9:11 pm

Re: What is performing firewall on mikrotik with zero firewall rules?

Sun May 01, 2022 1:30 pm

Aren't you here long enough to understand that it helps to post some technical info? At least that dstnat rule, info about the public address, whether the router itself has it, or if it's somewhere else and the router is behind NAT, ... stuff like that.
 
uberwebguru
Member Candidate
Topic Author
Posts: 172
Joined: Sat Feb 26, 2022 12:05 pm

Re: What is performing firewall on mikrotik with zero firewall rules?

Sun May 01, 2022 6:01 pm

Here is what I have for NAT rules.
All firewall rules disabled.

The private IP of the webserver is 10.101.0.101 and the public IP to do destination NAT is 101.x.x.1.
Here is a copy of a piece of the config:

/ip address
add address=101.x.x.29/27 comment="ccr2004 ip" \
    interface=sfp-sfpplus12 network=101.x.x.0
add address=101.x.x.1 comment="webserver" \
    interface=bridge1 network=101.x.x.1

/ip firewall nat
add action=masquerade chain=srcnat comment="nat vlans to Internet" \
    out-interface=bridge
add action=dst-nat chain=dstnat comment=\
    "webserver 101.x.x.1" dst-address=\
    101.x.x.1 to-addresses=10.101.0.101

The issue is I can ping the public IP from everywhere on the internet but cannot access the webserver from the internet, except from my home internet only.
What is blocking access from everywhere else?
 
Sob
Forum Guru
Posts: 9119
Joined: Mon Apr 20, 2009 9:11 pm

Re: What is performing firewall on mikrotik with zero firewall rules?

Sun May 01, 2022 6:48 pm

Well, dstnat is fine, anything going to 101.x.x.1 will be redirected to 10.101.0.101.

But I'm not sure about the rest. Based on the masquerade rule, your WAN interface is "bridge", but there's no address on that. Is perhaps sfp-sfpplus12 part of this bridge? But if it is, and you have 101.x.x.29/27 there, then what is 101.x.x.1 from same subnet(?) doing on another interface "bridge1". If it really is from that subnet, how would it be even reachable from internet? When you're pinging 101.x.x.1 from internet, are you absolutely sure that it's this address on this router?
Last edited by Sob on Sun May 01, 2022 10:56 pm, edited 1 time in total.
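
As an added example (not from Sob's post or the poster's configuration): the dst-nat rule matches on destination address only, so every protocol and port sent to 101.x.x.1 is forwarded to 10.101.0.101, and with no filter rules nothing narrows that. The sketch below limits the exposure to the web port. The WAN interface name sfp-sfpplus12 and TCP port 80 are assumptions; 101.x.x.1 is the thread's redacted address.

```routeros
# Added example. Assumptions: WAN is sfp-sfpplus12 and the server only
# needs TCP/80. 101.x.x.1 is the redacted address from the thread and
# must be replaced with the real one before use.

# As posted in the thread (matches every protocol and port):
#   add action=dst-nat chain=dstnat dst-address=101.x.x.1 \
#       to-addresses=10.101.0.101

# Narrowed: only TCP/80 is translated to the web server.
/ip firewall nat
add action=dst-nat chain=dstnat comment="webserver 101.x.x.1 http only" \
    dst-address=101.x.x.1 protocol=tcp dst-port=80 \
    to-addresses=10.101.0.101 to-ports=80

# Forward chain: with zero filter rules RouterOS forwards everything,
# so the translated server is otherwise reachable on whatever dst-nat passes.
/ip firewall filter
add chain=forward action=accept connection-state=established,related \
    comment="allow replies"
add chain=forward action=drop connection-state=invalid \
    comment="drop invalid"
add chain=forward action=accept connection-nat-state=dstnat \
    in-interface=sfp-sfpplus12 comment="allow only dst-natted WAN traffic"
add chain=forward action=drop in-interface=sfp-sfpplus12 \
    comment="drop everything else arriving from WAN"

# With the narrowed rule, ICMP to 101.x.x.1 no longer matches dst-nat and
# is handled by the router itself (it owns the address), so a successful
# ping says nothing about whether the web server is reachable.
```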
 
uberwebguru
Member Candidate
Topic Author
Posts: 172
Joined: Sat Feb 26, 2022 12:05 pm

Re: What is performing firewall on mikrotik with zero firewall rules?

Sun May 01, 2022 10:04 pm

> Well, dstnat is fine, anything going to 101.x.x.1 will be redirected to 10.101.0.101.
>
> But I'm not sure about the rest. Based on the masquerade rule, your WAN interface is "bridge", but there's no address on that. Is perhaps sfp-sfpplus12 part of this bridge? But if it is, and you have 101.x.x.29/27 there, then what is 101.x.x.1 from same subnet(?) doing on another interface "bridge1". If it really is from that subnet, how would it be even reachable from internet? When you're pinging 10.101.0.101 from internet, are you absolutely sure that it's this address on this router?

Everything else works except the issue I am referring to, so yes, it is part of the bridge. 101.x.x.1 is of course in the same 101.x.x.0/27 block.
I only posted part of the config.
Rather than trying to think about the config, let's focus on the problem as mentioned here.
What is causing this weird thing?
 
Sob
Forum Guru
Posts: 9119
Joined: Mon Apr 20, 2009 9:11 pm

Re: What is performing firewall on mikrotik with zero firewall rules?

Sun May 01, 2022 10:58 pm

Since dstnat rule is already correct, it must be something else. And unusual addressing would be suspicious even if it wasn't the only other part of your config I can see.
 
uberwebguru
Member Candidate
Topic Author
Posts: 172
Joined: Sat Feb 26, 2022 12:05 pm

Re: What is performing firewall on mikrotik with zero firewall rules?

Mon May 02, 2022 2:31 am

Issue solved

Apparently my static IP block on the ISP gateway was on a private subnet. I called them to explain this weird issue and they changed it to a public subnet, and everything is working fine now.
One of the weirdest things for me to troubleshoot. I wasn't aware a static IP can have a private subnet setting on the ISP gateway.
The issue was not the MikroTik config at all.
Happy it's all solved now.

Thanks for the help at least.
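
The cause in this thread was upstream of the router. The following added example (not posted by anyone in the thread) shows one way to establish that from the router itself, by checking whether the failing connection attempts ever arrive. 101.x.x.1 is the thread's redacted address and TCP port 80 is taken from the poster's telnet/curl test; the log prefix and rule comment are made up for the example.

```routeros
# Added example. Replace 101.x.x.1 with the real public address.
# Run the steps while an outside host retries "curl http://<public-ip>/".

# 1. Zero the NAT counters, then check whether the dst-nat rule is hit.
#    The counters only move for the first packet of each new connection.
/ip firewall nat reset-counters-all
/ip firewall nat print stats where chain=dstnat

# 2. Log the attempts in the raw table, which is evaluated before
#    connection tracking, NAT and the filter chains, so nothing on the
#    router can have dropped the packet yet.
/ip firewall raw
add chain=prerouting action=log log-prefix="web-in" \
    dst-address=101.x.x.1 protocol=tcp dst-port=80 \
    comment="temporary: trace inbound http"

# 3. Read the result. Each entry shows in-interface and source address.
/log print where message~"web-in"

# Interpretation:
#  - No log lines and dst-nat counters stay at 0 during the outside test:
#    the packets never reached this router, so the block is upstream
#    (as it turned out to be here) and no local rule can fix it.
#  - Log lines appear but the client still times out: the router is
#    receiving the traffic, so look at the forward path, the server's
#    own firewall, or the return route.

# 4. Remove the temporary rule when done.
/ip firewall raw remove [find comment="temporary: trace inbound http"]
```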
