hypershadow243

Packet seems to be getting dropped but not sure what the cause is

Thu Nov 24, 2022 3:06 am

I'm running into a problem where WAN machines are unable to connect to my LAN machine via port forwarding rules. I've verified the connection within the LAN network, and I've confirmed that I can see the WAN traffic for port 16261 with protocol UDP within the torch tool. I'm unable to connect to the server, which is hosted on LAN 192.168.1.227:16261. I've also run nmap on my LAN to verify that the local firewall on the actual machine isn't an issue, and it isn't, as the port is shown as open|filtered after modifying the firewalld rules. When attempting to nmap the WAN IP I get "port closed" (used nmap -sU -p 16261 108.53.121.81).

I've attached my current config here. I would very much appreciate any help. I've looked over the rules and I'm unsure what the cause could be. Feel free to point out any other config issues that you notice, if any. Network-hardware-wise, I have the MikroTik router with an ethernet cable connected to an older router running OpenWrt (I think; I can't really connect to it to check), which is set up so that it acts as a switch. The hosted machine is plugged into the OpenWrt router. Typical internet traffic flow / regular use of the machine is working just fine with outbound traffic.
# nov/23/2022 17:23:26 by RouterOS 6.47
# software id = 4KKC-NCK5
#
# model = 2011UAS-2HnD
# serial number = 3F0702597881
#
# Review notes: every command below is the original export, unchanged.
# Only '#' comment lines were added. Rule order is significant in
# /ip firewall filter and /ip firewall nat, so each note sits directly
# above the entry it refers to. Anything marked "verify" is an inference
# from this export alone, not something the export itself proves.
/interface bridge
add admin-mac=D4:CA:6D:61:5C:A7 auto-mac=no comment=defconf name=bridge
# Second bridge carries the isolated-devices segment (ether8, ether9,
# wlan-guest are attached to it further down).
add name=bridgeIsolatedDevicesVLAN
/interface wireless
set [ find default-name=wlan1 ] antenna-gain=0 band=2ghz-b/g/n channel-width=\
    20/40mhz-XX country="united states" disabled=no distance=indoors \
    frequency=2437 frequency-mode=manual-txpower mode=ap-bridge ssid=\
    HyperShadow24 wds-default-bridge=bridge wds-mode=dynamic \
    wireless-protocol=802.11
/interface ethernet
set [ find default-name=ether1 ] comment="WAN port"
/interface vlan
add interface=bridgeIsolatedDevicesVLAN name="Isolated Devices" vlan-id=100
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface wireless security-profiles
set [ find default=yes ] authentication-types=wpa2-psk mode=dynamic-keys \
    supplicant-identity=MikroTik
add authentication-types=wpa2-psk eap-methods="" management-protection=\
    allowed mode=dynamic-keys name=Guest supplicant-identity=""
/interface wireless
add disabled=no keepalive-frames=disabled mac-address=D6:CA:6D:61:5C:B0 \
    master-interface=wlan1 multicast-buffering=disabled name=wlan-guest \
    security-profile=Guest ssid=HyperShadow24-Guest wds-cost-range=0 \
    wds-default-cost=0 wps-mode=disabled
/ip pool
add name=dhcp ranges=192.168.1.10-192.168.1.254
add name=dhcp_pool1 ranges=192.168.100.2-192.168.100.254
/ip dhcp-server
add address-pool=dhcp disabled=no interface=bridge name=defconf
add address-pool=dhcp_pool1 disabled=no interface=bridgeIsolatedDevicesVLAN \
    name=dhcp1
/user group
set full policy="local,telnet,ssh,ftp,reboot,read,write,policy,test,winbox,pas\
    sword,web,sniff,sensitive,api,romon,dude,tikapp"
/interface bridge port
add bridge=bridge comment=defconf interface=ether2
add bridge=bridge comment=defconf interface=ether3
add bridge=bridge comment=defconf interface=ether4
add bridge=bridge comment=defconf interface=ether5
add bridge=bridge comment=defconf interface=ether6
add bridge=bridge comment=defconf interface=ether7
# ether8 appears twice as a bridge port: the defconf entry on 'bridge' is
# disabled and a second entry below attaches it to the isolated bridge.
add bridge=bridge comment=defconf disabled=yes interface=ether8
add bridge=bridgeIsolatedDevicesVLAN comment=defconf interface=ether9
add bridge=bridge comment=defconf interface=ether10
add bridge=bridge comment=defconf interface=sfp1
add bridge=bridge comment=defconf interface=wlan1
add bridge=bridgeIsolatedDevicesVLAN interface=ether8
add bridge=bridgeIsolatedDevicesVLAN frame-types=\
    admit-only-untagged-and-priority-tagged interface=wlan-guest pvid=100
/ip neighbor discovery-settings
set discover-interface-list=LAN
/interface bridge vlan
# ether1 (the WAN port) is not a member of 'bridge' anywhere in this
# export, so this VLAN-table entry looks stale; verify whether it is
# still needed (no vlan-filtering setting is visible on the bridge).
add bridge=bridge tagged=ether1 untagged=wlan1 vlan-ids=100
/interface detect-internet
set detect-interface-list=all
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=ether1 list=WAN
/ip address
# The LAN address is bound to ether2, which is itself a port of 'bridge',
# while the DHCP server above is bound to 'bridge'. Verify this is
# intended; the defconf layout puts the address on the bridge interface.
add address=192.168.1.1/24 comment=defconf interface=ether2 network=\
    192.168.1.0
add address=192.168.100.1/24 interface=bridgeIsolatedDevicesVLAN network=\
    192.168.100.0
/ip dhcp-client
add comment=defconf disabled=no interface=ether1
/ip dhcp-server lease
add address=192.168.1.2 client-id=1:a0:63:91:d3:29:de comment=\
    "Netgear R6400 Router" mac-address=A0:63:91:D3:29:DE server=defconf
# MAC D8:CB:8A:34:8E:10 has two static leases: this disabled one for
# 192.168.1.7 and an active one for 192.168.1.227 at the end of this
# section. 192.168.1.7 is also leased to B4:2E:99:3A:EB:B0 below and is
# the target of several dst-nat rules; verify which host is meant to hold
# 192.168.1.7.
add address=192.168.1.7 client-id=1:d8:cb:8a:34:8e:10 comment="Old Gaming PC" \
    disabled=yes mac-address=D8:CB:8A:34:8E:10 server=defconf
add address=192.168.1.42 allow-dual-stack-queue=no mac-address=\
    B8:27:EB:29:24:AC server=defconf
add address=192.168.1.64 client-id=1:64:a2:f9:e3:75:97 mac-address=\
    64:A2:F9:E3:75:97 server=defconf
add address=192.168.1.7 allow-dual-stack-queue=no client-id=\
    1:b4:2e:99:3a:eb:b0 mac-address=B4:2E:99:3A:EB:B0 server=defconf
add address=192.168.1.41 allow-dual-stack-queue=no mac-address=\
    B8:27:EB:F6:42:D9 server=defconf
add address=192.168.1.20 comment="Netgear R6230" mac-address=\
    8C:3B:AD:D4:33:9E server=defconf
add address=192.168.1.25 comment=Alexa mac-address=20:A1:71:D0:D1:F8 server=\
    defconf
add address=192.168.1.40 comment="TV room TV" mac-address=D8:13:99:7D:5B:3A \
    server=defconf
add address=192.168.1.46 client-id=1:b8:27:eb:7c:71:f9 mac-address=\
    B8:27:EB:7C:71:F9 server=defconf
# Host that the Project Zomboid dst-nat rule forwards to (192.168.1.227).
add address=192.168.1.227 client-id=1:d8:cb:8a:34:8e:10 mac-address=\
    D8:CB:8A:34:8E:10 server=defconf
/ip dhcp-server network
add address=192.168.1.0/24 comment=defconf dns-server=192.168.1.1 gateway=\
    192.168.1.1
# Isolated segment is handed public resolvers, but the dstnat redirect
# rule further down matches udp/53 with no in-interface restriction, so
# those queries are presumably still redirected to the router; verify.
add address=192.168.100.0/24 dns-server=8.8.8.8,8.8.4.4 gateway=192.168.100.1
/ip dns
# Required for LAN clients to use the router as resolver. Exposure to the
# WAN side depends entirely on the input-chain rules below (the udp/53
# and tcp/53 drops and the WAN drop rule).
set allow-remote-requests=yes
/ip dns static
add address=192.168.1.1 name=router.lan type=A
add address=192.168.1.7 name=GAMINGPC type=A
add address=192.168.1.46 name=homeassistant type=A
add address=192.168.1.227 name=sonicserver type=A
/ip firewall address-list
# Every Bogon entry is disabled, and the only filter rule that references
# the list ("Drop Bogon Forward -> Ether1") is disabled too, so this list
# is currently inert.
add address=192.168.0.0/16 disabled=yes list=Bogon
add address=0.0.0.0/8 disabled=yes list=Bogon
add address=10.0.0.0/8 disabled=yes list=Bogon
add address=100.64.0.0/10 disabled=yes list=Bogon
add address=127.0.0.0/8 disabled=yes list=Bogon
add address=169.254.0.0/16 disabled=yes list=Bogon
add address=172.16.0.0/12 disabled=yes list=Bogon
add address=192.0.0.0/24 disabled=yes list=Bogon
add address=192.0.2.0/24 disabled=yes list=Bogon
add address=198.18.0.0/15 disabled=yes list=Bogon
add address=198.51.100.0/24 disabled=yes list=Bogon
add address=203.0.113.0/24 disabled=yes list=Bogon
add address=224.0.0.0/3 disabled=yes list=Bogon
# 'LAN' address list is defined but no rule in this export references it.
add address=192.168.1.0/24 list=LAN
/ip firewall filter
# Input chain, in evaluation order:
#   1. defconf established/related/untracked accept  - DISABLED
#   2. accept ICMP from anywhere
#   3. accept everything with in-interface=!ether1 (LAN, isolated bridge,
#      any future interface) - no per-service restriction
#   4. accept established/related (a later duplicate of rule 1, without
#      'untracked')
#   5. drop udp/53 and tcp/53 (only WAN traffic reaches these, since
#      rule 3 already accepted everything non-ether1)
#   6. drop everything from in-interface-list=WAN (see note on that rule)
# There is no final catch-all drop; anything not matched above is accepted
# by the chain's default. Restoring the defconf input chain (accept
# established/related/untracked, accept ICMP, accept from LAN, drop the
# rest) would make the intent explicit and independent of rule 6.
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked disabled=yes
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
# Accepts all router-bound traffic from every non-WAN interface, including
# bridgeIsolatedDevicesVLAN. The isolation rule below only covers the
# forward chain, so isolated devices can still reach router services on
# 192.168.100.1 (winbox is address-restricted separately in /ip service).
add action=accept chain=input comment="Allow LAN access to router" \
    in-interface=!ether1
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
    ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
    ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
    connection-state=established,related
add action=accept chain=forward comment=\
    "defconf: accept established,related, untracked" connection-state=\
    established,related,untracked
add action=accept chain=input comment=\
    " Accept  Established  /  Related  Input" connection-state=\
    established,related
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid log=yes
# This is the rule that decides the port-forward question: a new WAN
# connection is only forwarded if a dstnat rule matched it first.
add action=drop chain=forward comment=\
    "defconf:  drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
    connection-state=new in-interface-list=WAN
# Forward-only isolation (100.0/24 -> 1.0/24). The reverse direction is
# not explicitly blocked, but new LAN->isolated connections would still be
# accepted by the chain default; verify that is intended.
add action=drop chain=forward comment=\
    "Block isolated devices (ether 9) vlan from accessing home internal LAN" \
    dst-address=192.168.1.0/24 src-address=192.168.100.0/24
add action=accept chain=input comment=" Allow  Management  Input" disabled=\
    yes src-address=10.1.157.0/24
add action=drop chain=input comment=" Drop  Input" disabled=yes log=yes \
    log-prefix=" Input  Drop"
add action=fasttrack-connection chain=forward comment=\
    "Fast Track Established / Related Forward" connection-state=\
    established,related disabled=yes
add action=accept chain=forward comment=\
    "Accept Established / Related Forward" connection-state=\
    established,related disabled=yes
add action=drop chain=forward comment="Drop Bogon Forward -> Ether1" \
    disabled=yes in-interface=ether1 log=yes log-prefix="Bogon Forward Drop" \
    src-address-list=Bogon
add action=accept chain=forward comment="Allow client LAN traffic out WAN" \
    disabled=yes out-interface=ether1 src-address=192.168.0.0/24
# Disabled catch-all: with it off, forward traffic not matched above
# (notably LAN->WAN) relies on the chain's default accept.
add action=drop chain=forward comment="Drop All Forward" disabled=yes
# DNS drops: because the "Allow LAN access to router" rule already
# accepted all non-ether1 traffic, these only affect queries arriving on
# ether1 (WAN). They keep allow-remote-requests=yes from exposing the
# resolver to the internet.
add action=drop chain=input dst-port=53 protocol=udp
add action=drop chain=input dst-port=53 protocol=tcp
# Matches every connection-state from in-interface-list=WAN; the empty
# connection-type="" and src-address-list="" matchers look like leftovers
# from rule editing and presumably do not restrict the match. If it works
# as written, this is the de-facto "drop WAN input" rule. The log-prefix
# "drop_invalid" is misleading since the rule does not match on invalid
# state; a clearer prefix would be e.g. "drop_wan_input". Confirm with the
# rule's counters that it is actually catching WAN packets.
add action=drop chain=input connection-state=\
    established,related,new,untracked connection-type="" in-interface-list=\
    WAN log=yes log-prefix=drop_invalid src-address-list=""
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" \
    ipsec-policy=out,none out-interface-list=WAN
add action=dst-nat chain=dstnat comment="Minecraft port forwarding rule" \
    disabled=yes dst-port=25565 in-interface=ether1 protocol=tcp src-port="" \
    to-addresses=192.168.1.7 to-ports=25565
# No in-interface restriction on this (disabled) rule; if re-enabled it
# would match udp/25565 arriving on any interface, not only ether1.
add action=dst-nat chain=dstnat disabled=yes dst-port=25565 protocol=udp \
    to-addresses=192.168.1.7 to-ports=25565
add action=dst-nat chain=dstnat dst-port=9600 in-interface=ether1 protocol=\
    udp to-addresses=192.168.1.7 to-ports=9600
add action=dst-nat chain=dstnat dst-port=9600 in-interface=ether1 protocol=\
    tcp src-address-list="" to-addresses=192.168.1.7 to-ports=9600
add action=dst-nat chain=dstnat disabled=yes dst-port=8081 in-interface=\
    ether1 protocol=tcp to-addresses=192.168.1.7 to-ports=8081
add action=dst-nat chain=dstnat disabled=yes dst-port=7777 in-interface=\
    ether1 protocol=tcp to-addresses=192.168.1.7 to-ports=7777
# Second masquerade for the isolated segment has no out-interface, so it
# applies to 192.168.100.0/24 traffic leaving via any interface (including
# traffic toward the LAN that the filter rule above is meant to drop).
# Verify whether out-interface-list=WAN was intended here.
add action=masquerade chain=srcnat src-address=192.168.100.0/24
add action=dst-nat chain=dstnat dst-port=9876 in-interface=ether1 log=yes \
    log-prefix=vrising_server protocol=udp to-addresses=192.168.1.7 to-ports=\
    9876
# Redirect has no in-interface / src-address restriction: it matches
# udp/53 in the dstnat chain from every interface, WAN included. WAN
# queries redirected here then land in the input chain, where the udp/53
# drop above discards them; adding in-interface-list=LAN (or the isolated
# bridge) to this rule would make that scope explicit.
add action=redirect chain=dstnat comment=\
    "DIRECT ALL DNS REQUESTS TO MIKROTIK INTERNAL DNS SERVER." dst-port=53 \
    protocol=udp to-addresses=192.168.1.1 to-ports=53
# Port-forward for the server at 192.168.1.227 (the reported problem).
# to-ports is a pool of candidate ports, not a one-to-one mapping onto the
# matched dst-port range, so a packet to 16262 can be rewritten to 16261
# and vice versa. Omitting to-ports entirely keeps the original
# destination port unchanged, which is what a 1:1 forward of a range
# needs (see the reply in this thread). Logging with prefix "pz" is
# enabled, which is the right place to confirm the rule actually matches.
add action=dst-nat chain=dstnat comment="Project Zomboid Server" dst-port=\
    16261-16262 in-interface=ether1 log=yes log-prefix=pz protocol=udp \
    to-addresses=192.168.1.227 to-ports=16261-16262
/ip service
set telnet disabled=yes
set ftp disabled=yes
set www disabled=yes
set ssh disabled=yes
set api disabled=yes
# Winbox stays enabled but is limited to LAN addresses at the service
# level. This is an application-layer restriction; the input-chain
# firewall is still the first line of defence for the management plane.
set winbox address=192.168.1.0/24
set api-ssl disabled=yes
/ip ssh
# SSH is disabled above, but these settings apply the moment it is
# re-enabled: allow-none-crypto=yes permits unencrypted SSH sessions and
# forwarding-enabled=remote permits remote port forwarding through the
# router. Both are worth resetting to the defaults before ever enabling
# the service again.
set allow-none-crypto=yes forwarding-enabled=remote
/lcd interface pages
set 0 interfaces=wlan1
/system clock
set time-zone-name=America/New_York
/tool bandwidth-server
set enabled=no
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN
/tool sniffer
# Leftover debugging filter for the udp/9876 forward. streaming-server is
# set to 0.0.0.0:9876, which cannot be a useful destination; verify that
# streaming is not enabled and consider clearing this filter so a later
# sniffer run does not silently start with stale settings.
set filter-ip-protocol=udp filter-port=9876 streaming-server=0.0.0.0:9876
/tool traffic-monitor
add disabled=yes interface=ether1 name=tmon1 threshold=0

 
sindy

Re: Packet seems to be getting dropped but not sure what the cause is

Fri Nov 25, 2022 12:22 pm

You cannot map two ports using a single rule this way: to-ports is a pool of ports to pick from, with no relationship to the original destination port. But if you remove to-ports completely, the original dst-port stays unchanged, so this modification should resolve your issue.

Your current rules in the input chain of the filter could be safer; the default ones would be better. Currently you selectively drop DNS requests from the internet but nothing else, so your router can be managed from the internet by someone who knows a vulnerability in Winbox - the list of permitted addresses works at the application level, and the chances that a vulnerability exists at the application level are higher than those of a vulnerability in the firewall.
