vossy74
just joined
Topic Author
Posts: 7
Joined: Fri Apr 21, 2023 3:08 pm

RB4011iGS+ can't reach port 993 from internal net to outside

Fri Apr 21, 2023 3:14 pm

Hi all,
I have the problem that I cannot reach port 993 on the internet.

The installation is as follows:
from the internet via a Fritzbox with exposed host to the MikroTik router, and from there into 2 internal networks. From net1, access to imap.google.de:993 works. It doesn't work from the 2nd network. Port 25 works, port 993 doesn't. It works from the outside in.

Rules for NAT:
0 chain=srcnat action=masquerade out-interface=ether1 log=yes log-prefix='srcnat'
chain=dstnat action=dst-nat to-addresses=192.168.3.2 to-ports=993 protocol=tcp in-interface=ether1 dst-port=993

There are no restrictions on this in the firewall.

Why does it work from network 1 but not from network 2? Can someone enlighten me?
 
mkx
Forum Guru
Posts: 11440
Joined: Thu Mar 03, 2016 10:23 pm

Re: RB4011iGS+ can't reach port 993 from internal net to outside

Fri Apr 21, 2023 3:24 pm

Not sure why it works from one network and not from the other, but the rule
chain=dstnat action=dst-nat to-addresses=192.168.3.2 to-ports=993 protocol=tcp in-interface=ether1 dst-port=993
will DST NAT any connection to port 993 which passes the router, regardless of in-interface and out-interface ... and it'll send that traffic towards the machine with IP address 192.168.3.2.
If you only want to DST NAT connections originating in the internet, then you should add something like "in-interface=ether1" to the rule so it will only act on connections coming in via ether1 (based on the SRC NAT rule I'm assuming that's your WAN port), but not when connections come in via any other interface.
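As an added example (not from this thread or from MikroTik), the check mkx describes can be made mechanical: a small parser for RouterOS export syntax plus a first-match evaluator that shows which dstnat rule a LAN-originated connection to port 993 would hit. The sample export is constructed to resemble the thread's NAT rules; the third rule, with no in-interface, is a hypothetical variant added only to show the hairpin case.

```python
import ipaddress
import shlex

# Constructed sample export in RouterOS style ('\' wraps long lines), modelled on
# the NAT rules posted in this thread. The third rule is the hypothetical variant
# mkx warns about: it has no in-interface, so it also catches LAN-originated
# connections to port 993 and sends them to the internal mail server.
SAMPLE_EXPORT = r"""
/ip firewall nat
add action=masquerade chain=srcnat log=yes log-prefix=srcnat out-interface=\
    ether1
add action=dst-nat chain=dstnat dst-port=993 in-interface=ether1 protocol=tcp \
    to-addresses=192.168.3.2 to-ports=993
add action=dst-nat chain=dstnat comment="hairpin 993" dst-port=993 \
    protocol=tcp to-addresses=192.168.3.2 to-ports=993
"""


def join_continuations(text):
    """Undo export line wrapping: a trailing '\\' joins the next (indented) line."""
    lines, buf = [], ""
    for raw in text.splitlines():
        part = raw.lstrip() if buf else raw
        if part.endswith("\\"):
            buf += part[:-1]
        else:
            lines.append(buf + part)
            buf = ""
    return lines


def parse_section(text, section):
    """Return the 'add ...' rules of one export section as key/value dicts."""
    rules, current = [], None
    for line in join_continuations(text):
        if line.startswith("/"):
            current = line.strip()
        elif current == section and line.startswith("add "):
            rule = {}
            for token in shlex.split(line[4:]):   # shlex handles comment="a b"
                key, _, value = token.partition("=")
                rule[key] = value
            rules.append(rule)
    return rules


def _cidr_match(spec, addr):
    """RouterOS address matcher; a leading '!' negates the network."""
    if spec is None:
        return True
    negate = spec.startswith("!")
    net = ipaddress.ip_network(spec.lstrip("!"), strict=False)
    return (ipaddress.ip_address(addr) in net) != negate


def _port_match(spec, port):
    """dst-port accepts comma lists and ranges, e.g. '25,587' or '993-995'."""
    if spec is None:
        return True
    for item in spec.split(","):
        low, _, high = item.partition("-")
        if int(low) <= port <= int(high or low):
            return True
    return False


def first_match(rules, chain, pkt):
    """First rule of `chain` matching the packet dict, or None (first match wins,
    as in RouterOS). Only the matchers used by the thread's NAT rules are
    implemented; connection-state and address lists are not."""
    for rule in rules:
        if rule.get("chain") != chain:
            continue
        if "in-interface" in rule and rule["in-interface"] != pkt.get("in-interface"):
            continue
        if "out-interface" in rule and rule["out-interface"] != pkt.get("out-interface"):
            continue
        if "protocol" in rule and rule["protocol"] != pkt["protocol"]:
            continue
        if not _cidr_match(rule.get("src-address"), pkt["src"]):
            continue
        if not _cidr_match(rule.get("dst-address"), pkt["dst"]):
            continue
        if not _port_match(rule.get("dst-port"), pkt["dst-port"]):
            continue
        return rule
    return None


def unrestricted_dstnat(rules):
    """dst-nat rules that apply regardless of ingress interface or destination
    address, i.e. the ones that also rewrite LAN-originated connections."""
    guards = ("in-interface", "in-interface-list", "dst-address", "dst-address-list")
    return [r for r in rules
            if r.get("chain") == "dstnat" and r.get("action") == "dst-nat"
            and not any(g in r for g in guards)]


if __name__ == "__main__":
    rules = parse_section(SAMPLE_EXPORT, "/ip firewall nat")
    # The mail server on ether2 opening IMAPS to a public address (constructed).
    lan_pkt = {"in-interface": "ether2", "protocol": "tcp", "src": "192.168.3.2",
               "dst": "74.125.133.108", "dst-port": 993}
    print("LAN->993 hits:", first_match(rules, "dstnat", lan_pkt))
    print("unguarded dst-nat rules:", unrestricted_dstnat(rules))
```

With only the thread's own rule (which carries in-interface=ether1) the LAN packet matches nothing and leaves untranslated; the unguarded variant is the one that would hairpin it back to 192.168.3.2.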
 
vossy74
just joined
Topic Author
Posts: 7
Joined: Fri Apr 21, 2023 3:08 pm

Re: RB4011iGS+ can't reach port 993 from internal net to outside

Fri Apr 21, 2023 4:04 pm

No, the DST NAT works as it should. There is a mail server and this works correctly, but from the mail server or any server in this network area I can't connect e.g. to imap.google.de:993 or to any other IMAP server on port 993. Port 25 works fine to everywhere.
 
normis
MikroTik Support
Posts: 26322
Joined: Fri May 28, 2004 11:04 am
Location: Riga, Latvia

Re: RB4011iGS+ can't reach port 993 from internal net to outside

Fri Apr 21, 2023 4:06 pm

Sorry, maybe it is Friday, but I don't understand what you are trying to do. Why are you using DST-NAT to redirect people to the Google mail server?
 
vossy74
just joined
Topic Author
Posts: 7
Joined: Fri Apr 21, 2023 3:08 pm

Re: RB4011iGS+ can't reach port 993 from internal net to outside

Fri Apr 21, 2023 4:26 pm

No, you don't understand correctly. I'm trying to fetch emails from the Google mail server.
The mail server works perfectly from the outside to the internal net. Sending mails also works perfectly, but fetching mails via IMAP doesn't work. It says network not reachable. All other things from this net to the outside work, but not port 993. This problem is only in this net segment. On the second net, port 993 to the outside works and I can use any IMAP server on the internet.
 
normis
MikroTik Support
Posts: 26322
Joined: Fri May 28, 2004 11:04 am
Location: Riga, Latvia

Re: RB4011iGS+ can't reach port 993 from internal net to outside

Fri Apr 21, 2023 4:42 pm

Fetching mails from IMAP for devices inside the LAN requires zero DST-NAT rules. All internet access should be working by default, including port 993 to any IMAP server.
 
anav
Forum Guru
Posts: 19107
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: RB4011iGS+ can't reach port 993 from internal net to outside

Fri Apr 21, 2023 5:00 pm

It's a confusing picture based on your 'loose' use of the word server.
Normis is bang on, in that if you are not hosting a server behind your router, there is no need to dstnat to reach an external server; it makes no sense.
Something else is the issue, but I would get rid of any rules not required.
 
vossy74
just joined
Topic Author
Posts: 7
Joined: Fri Apr 21, 2023 3:08 pm

Re: RB4011iGS+ can't reach port 993 from internal net to outside

Fri Apr 21, 2023 5:58 pm

OK, a 3rd try.
There is a server behind the router, a mail server. This is not my problem at all; everything works as it should. From this server I try to fetch mail, e.g. from Gmail, which does not work. So my problem is not the server behind the router but the access from this server to port 993 at Google.

Example: network in which the server is located:

openssl s_client -starttls imap -connect imap.gmail.com:993
eventually a timeout comes

PING imap.gmail.com (108.177.15.109) 56(84) bytes of data.
64 bytes from wr-in-f109.1e100.net (108.177.15.109): icmp_seq=1 ttl=103 time=28.3 ms
64 bytes from wr-in-f109.1e100.net (108.177.15.109): icmp_seq=2 ttl=103 time=31.5 ms

As you can see, ping works, and other ports, for example 25, also work.

Example from the other network area:
openssl s_client -starttls imap -connect imap.gmail.com:993
CONNECTED(00000003)

As you can see, it works there, from the network in which the server is not located.

ether1 is WAN
ether2 is the network where the server is located
ether3 is the internal network
 
k6ccc
Forum Guru
Posts: 1490
Joined: Fri May 13, 2016 12:01 am
Location: Glendora, CA, USA (near Los Angeles)

Re: RB4011iGS+ can't reach port 993 from internal net to outside

Sat Apr 22, 2023 11:12 pm

I'm still a bit confused. Are you running a mail SERVER or a client? You keep saying server, but E-Mail servers use port 25 to communicate with other servers. It sounds like you are running an E-Mail client device that is trying to use IMAP to get mail from a G-Mail server. In that case, you should not have to do anything special to reach the G-Mail server. Please post your configuration.
To export and paste your configuration (and I'm assuming you are using WebFig or Winbox), open a terminal window,
and type (without the quotes) "/export hide-sensitive file=any-filename-you-wish". Then open the files section
and right click on the filename you created and select download in order to download the file to your computer.
It will be a text file with whatever name you saved to with an extension of .rsc. Open that file in your favorite
text editor and redact any sensitive information if desired / needed. Then in your message here, click the code
display icon in the toolbar above the text entry (the code display icon is the 7th one from the left and looks
like a square with a blob in the middle). Then paste the text from the file in between the two code words in brackets.
 
anav
Forum Guru
Posts: 19107
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: RB4011iGS+ can't reach port 993 from internal net to outside

Sun Apr 23, 2023 1:55 am

Yeah, without a config not much help can be provided.
If you have a LAN to WAN firewall rule in place, there is nothing on the router that is going to stop outgoing traffic from the LAN to the Internet.
Nothing to do with the router and everything to do with what gong show setup is on the mail server........
 
vossy74
just joined
Topic Author
Posts: 7
Joined: Fri Apr 21, 2023 3:08 pm

Re: RB4011iGS+ can't reach port 993 from internal net to outside

Mon Apr 24, 2023 7:48 am

@k6ccc
Why are you confused? I said there is a mail server, not a client. This mail server should pick up mail from other mail servers. You can now see that using the attached config.

@anav
Yes, from the network 192.168.4.0/24 that also works, but not from the network 192.168.3.0/24, and the strange thing is only port 993. Port 25 works. My mail server works fine in normal operation.

# apr/24/2023 06:07:53 by RouterOS 7.9rc3
# software id = xxxx-xxxx
#
# model = RB4011iGS+
# serial number = xxxxxxxxxx
/interface ethernet
set [ find default-name=ether1 ] auto-negotiation=no comment=Internet \
    rx-flow-control=auto tx-flow-control=auto
set [ find default-name=ether2 ] auto-negotiation=no comment="3er Netz" \
    rx-flow-control=auto tx-flow-control=auto
set [ find default-name=ether3 ] auto-negotiation=no comment=\
    "4er Netz" rx-flow-control=auto tx-flow-control=auto
set [ find default-name=ether4 ] disabled=yes
set [ find default-name=ether5 ] disabled=yes
set [ find default-name=ether6 ] comment=Camera
set [ find default-name=ether7 ] disabled=yes
set [ find default-name=ether8 ] disabled=yes
set [ find default-name=ether9 ] disabled=yes
set [ find default-name=ether10 ] disabled=yes
set [ find default-name=sfp-sfpplus1 ] disabled=yes
/interface list
add name=WAN
add name=LAN
/interface lte apn
set [ find default=yes ] ip-type=ipv4 use-network-apn=no
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip dhcp-server option
add code=119 name=domain-search-first-second value=\
    0x0B646965636F72626163687304686F6D65000B646965636F72626163687302646500
/ip pool
add name=dhcp_pool0 ranges=192.168.4.140-192.168.4.200
add name=dhcp_pool1 ranges=192.168.5.100-192.168.5.110
/ip dhcp-server
add address-pool=dhcp_pool0 interface=ether3 lease-time=1d name=dhcp_Netz_4
add address-pool=dhcp_pool1 disabled=yes interface=ether6 lease-time=1d name=\
    dhcp_Netz_5
/port
set 0 name=serial0
set 1 name=serial1
/queue tree
add limit-at=1G max-limit=1G name=queue1 parent=ether1 queue=default
add limit-at=152M max-limit=152M name=prio5-streaming packet-mark=streaming \
    parent=queue1 priority=5 queue=default
add limit-at=1G max-limit=1G name=prio8-untagged packet-mark=no-mark parent=\
    queue1 queue=default
add limit-at=100k max-limit=9500k name=prio6-http packet-mark=http parent=\
    queue1 priority=6 queue=default
add limit-at=1G max-limit=1G name=prio2-misc-fast packet-mark=http parent=\
    queue1 priority=2 queue=default
/routing bgp template
set default disabled=no output.network=bgp-networks
/routing ospf instance
add disabled=no name=default-v2
/routing ospf area
add disabled=yes instance=default-v2 name=backbone-v2
/ip settings
set max-neighbor-entries=8192
/ipv6 settings
set disable-ipv6=yes max-neighbor-entries=8192
/interface list member
add interface=ether1 list=WAN
add interface=ether2 list=LAN
add interface=ether3 list=LAN
add interface=ether6 list=LAN
/interface ovpn-server server
set auth=sha1,md5
/ip address
add address=192.168.4.254/24 comment="4er Netz" interface=ether3 network=\
    192.168.4.0
add address=xx.xx.xx.xx/30 comment=Internet interface=ether1 network=\
    78.94.20.24
add address=192.168.3.254/24 comment="3er Netz" interface=ether2 network=\
    192.168.3.0
add address=192.168.5.254/24 comment="5er Netz" interface=ether6 network=\
    192.168.5.0
/ip dhcp-server lease
add address=192.168.4.138 always-broadcast=yes mac-address=04:6C:59:0C:40:D1 \
    server=dhcp_Netz_4
add address=192.168.4.238 client-id=1:0:4:20:fd:b0:c5 mac-address=\
    00:04:20:FD:B0:C5 server=dhcp_Netz_4
add address=192.168.4.200 client-id=1:ec:e5:12:11:7e:e5 mac-address=\
    EC:E5:12:11:7E:E5 server=dhcp_Netz_4
add address=192.168.4.187 mac-address=3C:71:BF:4B:34:8C server=dhcp_Netz_4
add address=192.168.4.177 client-id=1:b8:27:eb:b3:fe:61 mac-address=\
    B8:27:EB:B3:FE:61 server=dhcp_Netz_4
add address=192.168.4.10 client-id=1:0:9:34:2f:14:fa mac-address=\
    00:09:34:2F:14:FA server=dhcp_Netz_4
add address=192.168.4.36 client-id=1:0:1e:b8:bf:85:8e mac-address=\
    00:1E:B8:BF:85:8E server=dhcp_Netz_4
/ip dhcp-server network
add address=192.168.4.0/24 dhcp-option=domain-search-first-second dns-server=\
    192.168.4.254 domain=xxx,yyy gateway=\
    192.168.4.254 netmask=24
/ip dns
set allow-remote-requests=yes servers=\
    8.26.56.26,46.182.19.48,80.241.218.68,1.1.1.1,8.8.8.8
/ip dns static
add address=192.168.3.2 comment="Mailserver" name=xxx
add address=192.168.4.254 comment="Gateway xxx" name=\
    gateway.xxx
/ip firewall address-list
add address=192.168.3.0/24 list=3er-Netz
add address=192.168.4.0/24 list=4er-Netz
add address=127.0.0.0/8 comment=loopback list=bogons
add address=xxxxxxxxxx/30 list=Internet
add address=0.0.0.0/8 comment="Self-Identification [RFC 3330]" list=bogons
add address=10.0.0.0/8 comment="Private[RFC 1918] - CLASS A # Check if you nee\
    d this subnet before enable it" disabled=yes list=bogons
add address=169.254.0.0/16 comment="Link Local [RFC 3330]" list=bogons
add address=172.16.0.0/12 comment="Private[RFC 1918] - CLASS B # Check if you \
    need this subnet before enable it" disabled=yes list=bogons
add address=192.0.2.0/24 comment="Reserved - IANA - TestNet1" list=bogons
add address=192.88.99.0/24 comment="6to4 Relay Anycast [RFC 3068]" list=\
    bogons
add address=198.18.0.0/15 comment="NIDB Testing" list=bogons
add address=198.51.100.0/24 comment="Reserved - IANA - TestNet2" list=bogons
add address=203.0.113.0/24 comment="Reserved - IANA - TestNet3" list=bogons
add address=224.0.0.0/4 comment=\
    "MC, Class D, IANA # Check if you need this subnet before enable it" \
    disabled=yes list=bogons
add address=192.168.3.0/24 list=support
add address=192.168.4.0/24 list=support
add address=100.64.0.0/10 list=bogons
add address=192.168.5.0/24 list="5er Netz Kamera"
/ip firewall filter
add action=fasttrack-connection chain=forward connection-state=\
    established,related hw-offload=yes in-interface=ether1 out-interface=\
    ether3
add action=fasttrack-connection chain=forward connection-state=\
    established,related hw-offload=yes in-interface=ether3 out-interface=\
    ether1
add action=fasttrack-connection chain=forward connection-state=\
    established,related hw-offload=yes in-interface=ether1 out-interface=\
    ether2
add action=fasttrack-connection chain=forward connection-state=\
    established,related hw-offload=yes in-interface=ether2 out-interface=\
    ether1
add action=accept chain=input comment="accept established,related" \
    connection-state=established,related
add action=drop chain=input comment="Drop when connectionstate invalid" \
    connection-state=invalid log=yes log-prefix=input-invalid
add action=jump chain=input comment="Jump for icmp input flow" jump-target=\
    ICMP protocol=icmp
add action=accept chain=input comment="accept DNS UDP DMZ" dst-address=\
    192.168.0.0/16 dst-port=53 in-interface=ether2 protocol=udp src-address=\
    192.168.0.0/16
add action=accept chain=input comment="ACCEPT DNS UDP INTERNAL" dst-address=\
    192.168.0.0/16 dst-port=53 in-interface=ether3 protocol=udp src-address=\
    192.168.0.0/16
add action=accept chain=input comment="ACCEPT DNS UDP GARAGE" dst-address=\
    192.168.0.0/16 dst-port=53 in-interface=ether6 protocol=udp src-address=\
    192.168.0.0/16
add action=accept chain=input comment="ACCEPT DNS TCP 2'nd net" dst-address=\
    192.168.0.0/16 dst-port=53 in-interface=ether2 protocol=tcp src-address=\
    192.168.0.0/16
add action=accept chain=input comment="ACCEPT DNS TCP INTERNAL" dst-address=\
    192.168.0.0/16 dst-port=53 in-interface=ether3 protocol=tcp src-address=\
    192.168.0.0/16
add action=accept chain=input comment="ACCEPT DNS TCP GARAGE" dst-address=\
    192.168.0.0/16 dst-port=53 in-interface=ether6 protocol=tcp src-address=\
    192.168.0.0/16
add action=accept chain=input comment="ACCEPT SSH INTERNAL" dst-address=\
    192.168.0.0/16 dst-port=22 in-interface=ether3 protocol=tcp src-address=\
    192.168.0.0/16
add action=accept chain=input comment="ACCEPT SSH 2'nd net" dst-address=\
    192.168.0.0/16 dst-port=22 in-interface=ether2 protocol=tcp src-address=\
    192.168.0.0/16
add action=accept chain=input src-address=192.168.0.0/16
add action=drop chain=input comment="Block all access to the winbox - except t\
    o support list # DO NOT ENABLE THIS RULE BEFORE ADD YOUR SUBNET IN THE SUP\
    PORT ADDRESS LIST" dst-port=8291 protocol=tcp src-address-list=!support
add action=reject chain=input comment="reject https on router from outside" \
    dst-port=443 in-interface=ether1 log=yes protocol=tcp reject-with=\
    icmp-network-unreachable
add action=reject chain=input dst-port=80 in-interface=ether1 log=yes \
    protocol=tcp reject-with=icmp-network-unreachable
add action=add-src-to-address-list address-list=Syn_Flooder \
    address-list-timeout=30m chain=input comment=\
    "Add Syn Flood IP to the list" connection-limit=30,32 protocol=tcp \
    tcp-flags=syn
add action=add-src-to-address-list address-list=Port_Scanner \
    address-list-timeout=1w chain=input comment="Port Scanner Detect" \
    protocol=tcp psd=21,3s,3,1
add action=drop chain=input comment="Drop to syn flood list" \
    src-address-list=Syn_Flooder
add action=drop chain=input comment="Drop if not established,related" \
    connection-state=!established,related in-interface=ether1 log=yes \
    log-prefix=not_established-related
add action=drop chain=input comment="Drop to port scan list" \
    src-address-list=Port_Scanner
add action=accept chain=input comment="Full access to SUPPORT address list" \
    log=yes src-address-list=support
add action=drop chain=input comment="Drop anything else! # DO NOT ENABLE THIS \
    RULE BEFORE YOU MAKE SURE ABOUT ALL ACCEPT RULES YOU NEED" log=yes \
    log-prefix=drop_Rest_input
add action=fasttrack-connection chain=forward comment=\
    "Accept FASTTRACK established,related forward" connection-state=\
    established,related hw-offload=no
add action=accept chain=forward comment="accept established,related" \
    connection-state=established,related
add action=drop chain=forward comment="Drop when connectionstate invalid" \
    connection-state=invalid log=yes log-prefix=invalid
add action=drop chain=forward comment="Drop to bogon list" in-interface=\
    ether1 src-address-list=bogons
add action=add-src-to-address-list address-list=spammers \
    address-list-timeout=3h chain=forward comment=\
    "Add Spammers to the list for 3 hours" connection-limit=30,32 dst-port=\
    25,587 limit=30/1m,0 protocol=tcp
add action=drop chain=forward comment="Avoid spammers action" dst-port=25,587 \
    protocol=tcp src-address-list=spammers
add action=jump chain=forward comment="Jump for icmp forward flow" \
    jump-target=ICMP protocol=icmp
add action=drop chain=forward comment="drop --> WAN w/o DSTNAT" \
    connection-nat-state=!dstnat connection-state=new in-interface=ether1
add action=accept chain=forward comment=\
    "erlaube von ether1 (Wan) zu lan3 (ether 3)" connection-nat-state=dstnat \
    connection-state=established,related,new in-interface=ether1 log=yes \
    out-interface=ether3
add action=accept chain=forward comment=\
    "erlaube von ether1 (Wan) zu lan2 (ether2)" connection-nat-state=dstnat \
    connection-state=established,related,new in-interface=ether1 log=yes \
    out-interface=ether2
add action=accept chain=forward comment=\
    "erlaube von ether1 (Wan) zu lan6 (ether 6)" in-interface=ether1 \
    out-interface=ether6
add action=accept chain=forward comment="erlaube von 3.2 zu 4.248 Port 9000" \
    dst-address=192.168.4.248 dst-port=9000 in-interface=ether2 log=yes \
    out-interface=ether3 protocol=tcp src-address=192.168.3.2
add action=accept chain=forward comment="Accept from 3.2 to 4.248 SSH" \
    dst-address=192.168.4.248 dst-port=22 protocol=tcp src-address=\
    192.168.3.2
add action=accept chain=forward comment=\
    "erlaube LAN->Wan 3erNetz nur aus dem Adressbereich 192.168.0.0/16" \
    dst-address=!192.168.0.0/16 in-interface=ether2 out-interface=ether1 \
    src-address=192.168.0.0/16
add action=accept chain=forward comment=\
    "erlaube LAN->Wan 4er Netz nur aus dem Adressbereich 192.168.0.0/16" \
    dst-address=!192.168.0.0/16 in-interface=ether3 out-interface=ether1 \
    src-address=192.168.0.0/16
add action=accept chain=forward comment=\
    "erlaube Lan -> Wan 5er Netz nur aus dem Adressbereich 192.168.0.0/16" \
    dst-address=!192.168.0.0/16 in-interface=ether6 out-interface=ether1 \
    src-address=192.168.0.0/16
add action=accept chain=forward comment="Erlaube netz4 zu net3" \
    in-interface=ether3 log=yes out-interface=ether2
add action=accept chain=forward comment="erlaube Netz 4 zu Net 5" \
    in-interface=ether3 out-interface=ether6
add action=drop chain=forward comment="Verwerfe net3 to netz4" in-interface=\
    ether3 out-interface=ether2
add action=accept chain=forward
add action=drop chain=forward comment="drop anything else" log=yes \
    log-prefix=drop_Rest_forward
add action=accept chain=ICMP comment="Echo request - Avoiding Ping Flood" \
    icmp-options=8:0 limit=1,5 protocol=icmp
add action=accept chain=ICMP comment="Echo reply" icmp-options=0:0 protocol=\
    icmp
add action=accept chain=ICMP comment="Time Exceeded" icmp-options=11:0 \
    protocol=icmp
add action=accept chain=ICMP comment="Destination unreachable" icmp-options=\
    3:0-1 protocol=icmp
add action=accept chain=ICMP comment=PMTUD icmp-options=3:4 protocol=icmp
add action=drop chain=ICMP comment="Drop to the other ICMPs" protocol=icmp
add action=jump chain=output comment="Jump for icmp output" jump-target=ICMP \
    protocol=icmp
add action=drop chain=output comment="drop invalid" connection-state=invalid
/ip firewall mangle
add action=mark-packet chain=postrouting connection-mark=streaming \
    new-packet-mark=streaming passthrough=no
add action=mark-packet chain=postrouting new-packet-mark=misc-fast \
    packet-size=40 passthrough=no protocol=tcp tcp-flags=ack
add action=mark-packet chain=postrouting connection-mark=http \
    new-packet-mark=http passthrough=no
add action=mark-connection chain=postrouting comment=Streaming \
    connection-state=new dst-port=1935 new-connection-mark=streaming \
    out-interface=ether1 protocol=tcp
/ip firewall nat
add action=masquerade chain=srcnat log=yes log-prefix=srcnat out-interface=\
    ether1
add action=dst-nat chain=dstnat dst-port=22 in-interface=ether1 protocol=tcp \
    to-addresses=192.168.3.2 to-ports=22
add action=dst-nat chain=dstnat dst-port=25 in-interface=ether1 protocol=tcp \
    to-addresses=192.168.3.2 to-ports=25
add action=dst-nat chain=dstnat dst-port=443 in-interface=ether1 protocol=tcp \
    to-addresses=192.168.3.2 to-ports=443
add action=dst-nat chain=dstnat dst-port=993 in-interface=ether1 protocol=tcp \
    to-addresses=192.168.3.2 to-ports=993
add action=dst-nat chain=dstnat dst-port=9988 in-interface=ether1 protocol=\
    tcp to-addresses=192.168.5.5
/ip route
add disabled=no dst-address=0.0.0.0/0 gateway=xx.xx.xx.xx 
/ip service
set telnet disabled=yes
set ftp disabled=yes
set www address=192.168.4.0/24
set ssh address=192.168.0.0/16
set api disabled=yes
set winbox address=192.168.0.0/16
set api-ssl disabled=yes
/ip ssh
set allow-none-crypto=yes forwarding-enabled=remote
/ip traffic-flow
set interfaces=ether1
/system clock
set time-zone-name=Europe/Berlin
/system identity
set name=gateway.xxx
/system note
set show-at-login=no
/system ntp client
set enabled=yes
/system ntp client servers
add address=193.171.23.163
add address=85.114.26.194
/system package update
set channel=testing
/system resource irq rps
set sfp-sfpplus1 disabled=no
 
anav
Forum Guru
Posts: 19107
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: RB4011iGS+ can't reach port 993 from internal net to outside

Mon Apr 24, 2023 5:21 pm

(1) Perhaps missing the dhcp network for ether6 may have something to do with it??
/ip dhcp-server network
add address=192.168.4.0/24 dhcp-option=domain-search-first-second dns-server=\
192.168.4.254 domain=xxx,yyy gateway=\
192.168.4.254 netmask=24


(2) Perhaps it's because you have the ether6 pool disabled ????
add address-pool=dhcp_pool1 disabled=yes interface=ether6 lease-time=1d name=\
dhcp_Netz_5


(3) Oh I see the issue is with ether3....................... back to the drawing board..

(4) Strange dhcp-server network settings for ether3 but I suppose not an issue.

(5) What I don't get is your DNS strategy.............. very confusing.

/ip dns
set allow-remote-requests=yes servers=\
8.26.56.26,46.182.19.48,80.241.218.68,1.1.1.1,8.8.8.8
/ip dns static
add address=192.168.3.2 comment="Mailserver" name=xxx
add address=192.168.4.254 comment="Gateway xxx" name=\


(4) Your fasttrack settings are so bizarre I cannot even comprehend what you are doing....... nothing basic about that.
Can you explain??

(5) what the heck are you doing with DNS on the input chain, again so complex but for what purpose........

(6) Your firewall rules are bordering on insane and unsafe........ you would be best advised to reset from defaults and
focus on traffic you require, NOT focus on traffic you might think of blocking (wrong approach)

++++++++++++++++++++++++++++++
Not much can do with this mess in terms of sorting out fact from fiction and to spot issues..........
Why is the unsecure www service allowed on your router....................
 
k6ccc
Forum Guru
Posts: 1490
Joined: Fri May 13, 2016 12:01 am
Location: Glendora, CA, USA (near Los Angeles)

Re: RB4011iGS+ can't reach port 993 from internal net to outside

Mon Apr 24, 2023 5:48 pm

@k6ccc
why are you confused I said there is a mail server, not a client. this mail server should pick up mail from other mail servers. you can now see that using the attached config.
Because you keep saying server, but trying to use IMAP to get mail from another server is a CLIENT function. Servers use port 25 to communicate with each other.
 
vossy74
just joined
Topic Author
Posts: 7
Joined: Fri Apr 21, 2023 3:08 pm

Re: RB4011iGS+ can't reach port 993 from internal net to outside

Tue Apr 25, 2023 7:50 am

@anav
I have the problem with ether2, not ether3.
ether2 and 5 don't have DHCP; all fixed IP addresses.
The config has grown historically. It was always pulled along with the different routers. I copied the fasttrack config from somewhere at the very beginning. It may be that it is confused, but it seems to work and is also used; packets are running on it.

DNS servers are just specified for the purpose of failover. Yes, it could be fewer.

DNS in the input chain prohibits DNS on the router from the outside. At least that's what I thought, and packets from outside are also discarded here, so it seems to be working.
Please tell me where the firewall rules are insecure. I like to learn about it. Most of the rules in the firewall relate to connections within the internal network and have no effect on the internet side.

I agree with you the other way around, so forbidding everything and only allowing what is needed would be better, but then I would have to start all over again and I don't have much time for that at the moment.

Insecure www service is allowed? From the outside? Where? It should be disabled. I actually only activate it briefly for the letsencrypt cert refresh and then it is forwarded to the web server.

Please give me a brief explanation of where the config is insecure from the outside. From the internal network, that's not so important; it's just me.

@k6ccc
Yes, it is a mail server, but it still picks up mail from another mail server.
 
mkx
Forum Guru
Posts: 11440
Joined: Thu Mar 03, 2016 10:23 pm

Re: RB4011iGS+ can't reach port 993 from internal net to outside

Tue Apr 25, 2023 8:36 am

As @Normis already mentioned: the DST NAT rule which is about TCP port 993 should not be needed.

The firewall setup you have is too convoluted and it's hard to follow (IMO that's the reason you don't get any usable advice ... it's extremely hard to follow somebody else's twisted logic expressed in code).

So if I gather things correctly, ether1 is your WAN interface, and the machine which acts as the IMAPS client is behind ether2.

This rule allows the IMAPS client to break out to the internet:
add action=accept chain=forward comment=\
    "erlaube LAN->Wan 3erNetz nur aus dem Adressbereich 192.168.0.0/16" \
    dst-address=!192.168.0.0/16 in-interface=ether2 out-interface=ether1 \
    src-address=192.168.0.0/16

A check ... try a TCP traceroute (the Linux command is tcptraceroute; I don't know what it's called in other OSes) to see where the connection attempt actually breaks:
tcptraceroute imap.gmail.com 993

And a BTW: in the initial post you're saying you're trying to access imap.google.de (at port 993). Here and now, DNS doesn't know squat about the host name imap.google.de, so you should check the settings on your SMTP server (Google does change a thing or two occasionally). In subsequent posts you're actually mentioning imap.gmail.com (which seems to be correct). However, if I try to tcptraceroute to any of Google's mailbox servers (pop, imap, ...), I can't seem to connect to any of them. I suspect that Google implemented some kind of a very smart defence which also kicks in for such simple attempts as tcptraceroute. However, if the problem lies outside of your network, tcptraceroute should show at least some hops outside your network (your ISP and further).
 
vossy74
just joined
Topic Author
Posts: 7
Joined: Fri Apr 21, 2023 3:08 pm

Re: RB4011iGS+ can't reach port 993 from internal net to outside

Tue Apr 25, 2023 11:18 am

The dst-nat rule is required because there is a server behind it that must be accessible from the outside with a mail client. The server should pick up and deliver mails from a mailbox at Gmail (with fetchmail) too.

I wrote in the thread above that I don't have the problem in all networks.

ether1 is WAN, that's right. Behind ether2 are some servers, and ether3 is the internal network where the clients are. From the internal network, access works with a mail client to the Gmail server or the GMX server.

It doesn't work from the network where the servers are located, and that's my only problem. IMAP does not work only from this specific network. Port 25 for the mail server works fine and other services too.

The address google.de was wrong; correct is gmail.com.

As I said, it does not work only from this network area, not even from other servers that are still in there.

"However, if I try to tcptraceroute to any of Google's mailbox servers (pop, imap, ...), I can't seem to connect to any of them. I suspect that google implemented some kind of a very smart defense which also kicks in for such simple attempts as tcptraceroute. However, if the problem lies outside of your network, tcptraceroute should show at least some hops outside your network (your ISP and further)."

That is the reason why I took openssl for testing. From the network with the clients OK, from the network with the servers not OK.

tcptraceroute imap.gmail.com 993
Selected device end0, address 192.168.3.2, port 56681 for outgoing packets
Tracing the path to imap.gmail.com (74.125.133.108) on TCP port 993 (imaps), 30 hops max
1 wo-in-f108.1e100.net (74.125.133.108) 0.297 ms 0.157 ms 0.140 ms
2 * * *

traceroute to imap.gmail.com (74.125.133.109), 30 hops max, 60 byte packets
1 192.168.3.254 (192.168.3.254) 0.218 ms 0.139 ms 0.131 ms
2 ip-078-094-020-025.um19.pools.vodafone-ip.de (78.94.20.25) 0.743 ms 0.856 ms 2.386 ms
3 * * *
4 ip-080-069-106-000.um20.pools.vodafone-ip.de (80.69.106.0) 21.822 ms 20.303 ms 21.633 ms
5 de-bom01a-rd04-ae-0-0.aorta.net (84.116.196.90) 28.993 ms 28.942 ms 30.473 ms
6 * * *
7 de-bfe18a-rt01-lag-1.aorta.net (84.116.190.34) 27.983 ms 29.686 ms 29.522 ms
8 74.125.48.122 (74.125.48.122) 32.318 ms 28.922 ms 30.478 ms
9 * * *
10 142.251.64.184 (142.251.64.184) 26.372 ms 108.170.252.65 (108.170.252.65) 16.813 ms 172.253.66.136 (172.253.66.136) 21.085 ms
11 108.170.252.18 (108.170.252.18) 23.724 ms 108.170.252.83 (108.170.252.83) 27.637 ms 108.170.251.144 (108.170.251.144) 23.263 ms
12 72.14.239.167 (72.14.239.167) 24.414 ms 209.85.240.113 (209.85.240.113) 24.521 ms 209.85.242.79 (209.85.242.79) 20.398 ms
13 142.251.79.28 (142.251.79.28) 27.231 ms 37.625 ms 142.251.78.252 (142.251.78.252) 37.333 ms
14 142.251.71.167 (142.251.71.167) 31.118 ms 142.251.79.8 (142.251.79.8) 33.683 ms 66.249.94.140 (66.249.94.140) 33.348 ms
15 209.85.241.61 (209.85.241.61) 26.688 ms 209.85.241.237 (209.85.241.237) 28.371 ms 27.834 ms
16 * * *
 
mkx
Forum Guru
Posts: 11440
Joined: Thu Mar 03, 2016 10:23 pm

Re: RB4011iGS+ can't reach port 993 from internal net to outside

Tue Apr 25, 2023 3:56 pm

tcptraceroute imap.gmail.com 993
Selected device end0, address 192.168.3.2, port 56681 for outgoing packets
Tracing the path to imap.gmail.com (74.125.133.108) on TCP port 993 (imaps), 30 hops max
1 wo-in-f108.1e100.net (74.125.133.108) 0.297 ms 0.157 ms 0.140 ms
2 * * *

This is a highly suspicious outcome. It shows that the router indeed performs DST-NAT towards some LAN target (which either doesn't exist or drops incoming connections on TCP port 993). Otherwise you'd see a similar trace to what you see with the "normal" traceroute.

But frankly, I don't have the energy to go through your firewall settings (did I mention it's convoluted) to see where that traffic sinks.

You can (temporarily) disable the mentioned DST NAT rule and try the tcptraceroute again to see if anything changes.

And another thing: there have been (rare) cases where a device (mis)behaved in a way that the configuration did not explain. The cure was to perform a complete reset (preferably perform netinstall) and to re-apply the very same config.
I'm just mentioning it because it did happen to a few users so far ...
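An added example, not part of mkx's post or any MikroTik tooling: a small parser for tcptraceroute/traceroute output that flags the pattern described above, the final target answering as hop 1 with a sub-millisecond RTT, which points at the SYN being rewritten on the gateway instead of leaving the LAN. The sample output is copied from vossy74's post; the gateway address 192.168.3.254 is taken from the posted config.

```python
import re

# Sample output copied from the thread: the tcptraceroute to port 993 and the
# plain traceroute, both run from the mail server 192.168.3.2 behind ether2.
TCPTRACE_993 = """\
tcptraceroute imap.gmail.com 993
Selected device end0, address 192.168.3.2, port 56681 for outgoing packets
Tracing the path to imap.gmail.com (74.125.133.108) on TCP port 993 (imaps), 30 hops max
1 wo-in-f108.1e100.net (74.125.133.108) 0.297 ms 0.157 ms 0.140 ms
2 * * *
"""
ICMP_TRACE = """\
traceroute to imap.gmail.com (74.125.133.109), 30 hops max, 60 byte packets
1 192.168.3.254 (192.168.3.254) 0.218 ms 0.139 ms 0.131 ms
2 ip-078-094-020-025.um19.pools.vodafone-ip.de (78.94.20.25) 0.743 ms 0.856 ms 2.386 ms
3 * * *
"""

HEADER_RE = re.compile(r"^(?:Tracing the path to|traceroute to) \S+ \(([\d.]+)\)")
HOP_RE = re.compile(r"^\s*(\d+)\s+(.*)$")
ADDR_RE = re.compile(r"\(([\d.]+)\)")
RTT_RE = re.compile(r"([\d.]+) ms")


def parse_trace(text):
    """Return (target_ip, hops); each hop is (number, [responder IPs], [RTTs ms]).
    A '* * *' hop yields empty lists. Works for tcptraceroute and traceroute."""
    target, hops = None, []
    for line in text.splitlines():
        header = HEADER_RE.match(line)
        if header:
            target = header.group(1)
            continue
        hop = HOP_RE.match(line)
        if hop:
            rest = hop.group(2)
            hops.append((int(hop.group(1)), ADDR_RE.findall(rest),
                         [float(x) for x in RTT_RE.findall(rest)]))
    return target, hops


def diagnose(text, gateway_ip):
    """Classify where the SYN went. 'intercepted-locally' is the pattern mkx
    flags: the final target answers as hop 1 with sub-millisecond RTT, so the
    packet was rewritten (DST-NAT/redirect) before it could leave the LAN.
    'left-via-gateway' means hop 1 is the router, as in a normal trace."""
    target, hops = parse_trace(text)
    if target is None or not hops:
        return "no-data"
    _, ips, rtts = hops[0]
    if target in ips and rtts and max(rtts) < 1.0:
        return "intercepted-locally"
    if gateway_ip in ips:
        return "left-via-gateway"
    return "inconclusive"


if __name__ == "__main__":
    for name, trace in (("tcptraceroute 993", TCPTRACE_993), ("traceroute", ICMP_TRACE)):
        print(f"{name}: {diagnose(trace, '192.168.3.254')}")
```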
