Community discussions

 
LevelAdmin
just joined
Topic Author
Posts: 8
Joined: Wed Jan 18, 2017 10:46 pm
Location: Pittsburgh
Contact:

Request help! RouterOS Configuration screwed up.

Mon May 14, 2018 10:28 pm

Hello forum, first things first. I'm new to Mikrotik and the world of corporate / enterprise level networking. I have inherited my position, since the manager left the company, management informed me they will not replace him any time soon. I have been task to make sure the list below is in order and working properly asap. I have read a lot of forum posts and attempted a few things myself, but no success. I need some help understanding what is the proper / best practices to be followed in configuring, because something or multiple things are wrong since a simple task like port forwarding isn't working. I thank in advance anyone here who helps me understand how to properly configure my mess.

I'm willing to wipe everything and start over if that is what it takes to make the Mikrotik Router work flawlessly.

Here is what I am trying to do.
1. Configure WAN with inbound ISP
2. Configure Multiple LAN ports with both inbound / outbound traffic
3. Setup Router security (Firewall Hardening)
3. Setup VLAN (Guest, Employee, HR, Management, VPN, VoIP)
4. Several Internal Servers, need to enable proper internal redirection without having send/receive packet loss or NAT confusion
5. Configure Port Forwarding
6. Enable ability to monitor traffic (websites, protocols, IPs, MAC, etc)
7. Configure VPN remote access
8. Allows Active Directory to be the authentication for VPN users
9. Proper White listing of inbound server traffic to our network

Network Equipment
Router: CCR1036-8G-2s+
- Firmware: tilegx, 3.41
- RouterOS: 6.40.4 (Update to 6.42.1 is scheduled during maintenance this month.)
Network Switches HPE Pro Curve v1920
Aruba IAP-105


Network Topology
ISP (Fiber to RJ45) > Mikrotik (Port 1 = WAN) > Mikrotik (Port 2 = LAN) > HPE Pro Curve > Aruba IAP
- HPE Pro Curve are daisy chained to each floor
- Aruba IAP's are connected directly to the HPE Pro Curves on each floor

Export of current configuration

Code: Select all

# may/14/2018 15:04:15 by RouterOS 6.40.4
# software id = 0SK2-94LN
#
# model = CCR1036-8G-2S+
# serial number = xxxxxxxxxxxxxx
/interface ethernet
set [ find default-name=ether1 ] l2mtu=1590
set [ find default-name=ether2 ] l2mtu=1590 name=ether2-master-local
set [ find default-name=ether3 ] comment="Slave to 2" l2mtu=1590 name=ether3-slave
set [ find default-name=ether4 ] l2mtu=1590
set [ find default-name=ether5 ] l2mtu=1590 name=ether5-callcenter
set [ find default-name=ether6 ] l2mtu=1590
set [ find default-name=ether7 ] l2mtu=1590
set [ find default-name=ether8 ] l2mtu=1590
set [ find default-name=sfp-sfpplus1 ] l2mtu=1590 name=sfp-plus1
set [ find default-name=sfp-sfpplus2 ] l2mtu=1590 name=sfp-plus2
/interface vlan
add interface=ether2-master-local name=vlan300-VoIP vlan-id=300
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=RouterOS
/ip ipsec proposal
set [ find default=yes ] enc-algorithms=3des
/ip pool
add name=dhcp_pool1 ranges=10.10.10.50-10.10.11.254
/ip dhcp-server
add address-pool=dhcp_pool1 authoritative=after-2sec-delay disabled=no interface=ether2-master-local lease-time=1d name=dhcp1
/system logging action
set 0 memory-lines=100
set 1 disk-lines-per-file=100
/ip address
add address=10.10.10.1/23 interface=ether2-master-local network=10.10.10.0
add address=X.X.X.243/29 interface=ether1 network=X.X.X.240
/ip arp
add address=10.10.10.13 interface=ether3-slave mac-address=00:80:A3:93:3B:8A
add address=10.10.10.10 interface=ether2-master-local mac-address=00:25:90:9A:06:70
add address=10.10.10.18 interface=ether2-master-local mac-address=00:80:92:7B:03:D6
/ip dhcp-client
add dhcp-options=hostname,clientid disabled=no interface=ether1
/ip dhcp-server network
add address=10.10.10.0/23 dns-server=64.58.254.2,64.58.255.2,8.8.8.8,4.2.2.2,8.8.4.4 gateway=10.10.10.1 netmask=23
/ip dns
set servers=8.8.8.8,8.8.4.4,4.2.2.2,64.58.254.2,64.58.255.2
/ip dns static
add address=10.10.10.3 name=files.level.agency
/ip firewall address-list
add address=199.7.172.123 list=OnSIP
add address=199.7.172.128 list="Boot Onsip.com"
add address=199.7.173.102 list=SIP.OnSIP.com
add address=199.7.175.92 list="OnSIP - Inbound"
add address=107.21.211.20 list="Velocify IP1"
add address=107.21.231.147 list="Velocify IP"
add address=54.236.81.101 list="Velocify IP2"
add address=54.236.96.128 list="Velocify IP3"
add address=54.236.97.29 list="Velocify IP4"
add address=54.236.97.135 list="Velocify IP5"
add address=54.172.60.0 list="Velocify IP6"
add address=54.172.60.1 list="Velocify IP7"
add address=54.172.60.2 list="Velocify IP8"
add address=54.172.60.3 list="Velocify IP9"
add address=54.244.51.0 list="Velocify IP10"
add address=54.244.51.1 list="Velocify IP11"
add address=54.244.51.2 list="Velocify IP12"
add address=54.244.51.3 list="Velocify IP13"
add address=69.95.58.227 list=KennyRoss
add address=54.208.27.23 list="CAKE IP1"
add address=52.203.126.205 list="CAKE IP2"
add address=52.203.126.249 list="CAKE IP3"
add address=52.71.71.132 list="CAKE IP4"
add address=54.218.28.138 list="CAKE IP5"
add address=52.39.178.150 list="CAKE IP6"
add address=52.38.248.157 list="CAKE IP7"
add address=52.11.253.146 list="CAKE IP8"
add address=54.229.59.241 list="CAKE IP9"
add address=52.16.198.7 list="CAKE IP10"
add address=54.194.229.129 list="CAKE IP11"
add address=52.50.194.143 list="CAKE IP12"
add address=54.93.189.97 list="CAKE IP13"
add address=52.29.89.77 list="CAKE IP14"
add address=52.29.230.146 list="CAKE IP15"
add address=54.255.163.189 list="CAKE IP16"
add address=52.74.19.248 list="CAKE IP17"
add address=52.77.151.31 list="CAKE IP18"
add address=52.68.11.84 list="CAKE IP19"
add address=52.192.124.43 list="CAKE IP20"
add address=52.196.119.37 list="CAKE IP21"
add address=54.232.198.22 list="CAKE IP22"
add address=52.67.3.239 list="CAKE IP23"
add address=52.67.18.10 list="CAKE IP24"
add address=52.67.18.32 list="CAKE IP25"
add address=52.67.47.102 list="CAKE IP26"
add address=52.67.149.245 list="CAKE IP27"
add address=52.67.77.69 list="CAKE IP28"
add address=50.57.10.52 list="CAKE IP29"
add address=50.57.10.53 list="CAKE IP30"
add address=72.3.174.17 list="CAKE IP31"
add address=72.3.174.16 list="CAKE IP32"
add address=66.133.109.36 comment="Free SSL Certificate Service" list=Lets-Encrypt
add address=0.0.0.0/8 comment=RFC6890 disabled=yes list=NotPublic
add address=10.0.0.0/8 comment=RFC6890 disabled=yes list=NotPublic
add address=100.64.0.0/10 comment=RFC6890 disabled=yes list=NotPublic
add address=127.0.0.0/8 comment=RFC6890 disabled=yes list=NotPublic
add address=169.254.0.0/16 comment=RFC6890 disabled=yes list=NotPublic
add address=172.16.0.0/12 comment=RFC6890 disabled=yes list=NotPublic
add address=192.0.0.0/24 comment=RFC6890 disabled=yes list=NotPublic
add address=192.0.2.0/24 comment=RFC6890 disabled=yes list=NotPublic
add address=192.168.0.0/16 comment=RFC6890 disabled=yes list=NotPublic
add address=192.88.99.0/24 comment=RFC3068 disabled=yes list=NotPublic
add address=198.18.0.0/15 comment=RFC6890 disabled=yes list=NotPublic
add address=198.51.100.0/24 comment=RFC6890 disabled=yes list=NotPublic
add address=203.0.113.0/24 comment=RFC6890 disabled=yes list=NotPublic
add address=224.0.0.0/4 comment=RFC4601 disabled=yes list=NotPublic
add address=240.0.0.0/4 comment=RFC6890 disabled=yes list=NotPublic
add address=173.75.63.52 list=SDS-Home
add address=174.231.143.141 list=VZW-hotspot
/ip firewall filter
add action=accept chain=input comment=winbox dst-port=8291 protocol=tcp
add action=accept chain=input comment="Accept established and related packets" connection-state=established,related disabled=yes
add action=accept chain=input comment="Accept all connections from local network" disabled=yes in-interface=ether2-master-local
add action=accept chain=forward comment="Accept established and related packets" connection-state=established,related disabled=yes
add action=drop chain=forward comment="Drop all packets in local network which does not have local network address" disabled=yes in-interface=ether2-master-local src-address=!10.10.10.0/23
add action=accept chain=forward connection-nat-state=dstnat connection-state=established,related disabled=yes in-interface=ether1
add action=drop chain=input comment="Drop invalid packets" connection-state=invalid disabled=yes
add action=drop chain=input comment="Drop all packets which are not destined to routes IP address" disabled=yes dst-address-type=!local
add action=drop chain=input comment="Drop all packets which does not have unicast source IP address" disabled=yes src-address-type=!unicast
add action=drop chain=input comment="Drop all packets from public internet which should not exist in public network" disabled=yes in-interface=ether1 src-address-list=NotPublic
add action=drop chain=forward comment="Drop invalid packets" connection-state=invalid disabled=yes
add action=drop chain=forward comment="Drop new connections from internet which are not dst-natted" connection-nat-state=!dstnat connection-state=new disabled=yes in-interface=ether1
add action=drop chain=forward comment="Drop all packets from public internet which should not exist in public network" disabled=yes in-interface=ether1 src-address-list=NotPublic
add action=drop chain=forward comment="Drop new connections from internet which are not dst-natted" connection-nat-state=!dstnat connection-state=new disabled=yes in-interface=ether1
/ip firewall nat
add action=dst-nat chain=dstnat comment="SKYNET - OSTicket" dst-port=80 in-interface=ether1 protocol=tcp to-addresses=10.10.10.10 to-ports=80
add action=masquerade chain=srcnat out-interface=ether1
add action=dst-nat chain=dstnat dst-port=8088 in-interface=all-ethernet protocol=tcp to-addresses=10.10.10.3 to-ports=8088
add action=accept chain=dstnat comment="The Wilson Group SNMP Monitor" dst-port=161 in-interface=ether1 protocol=udp
add action=src-nat chain=srcnat comment="The Wilson Group SNMP send" out-interface=ether2-master-local protocol=udp src-port=161 to-ports=161
add action=masquerade chain=srcnat comment="Outbound traffic" out-interface=ether2-master-local src-address=10.10.10.0/23
add action=masquerade chain=srcnat comment=Loopback out-interface=ether2-master-local to-addresses=X.X.X.243
add action=masquerade chain=srcnat comment=Loopback disabled=yes out-interface=ether1
add action=dst-nat chain=dstnat comment=Loopback dst-address=X.X.X.243 to-addresses=10.10.10.3
add action=dst-nat chain=dstnat comment="Authentication Packets for Apps, Software, Websites, etc." dst-port=443 in-interface=ether1 protocol=tcp to-ports=443
add action=dst-nat chain=dstnat comment="RDP - SkyNet" dst-port=3389 in-interface=ether1 protocol=tcp to-addresses=10.10.10.10 to-ports=3389
add action=dst-nat chain=dstnat comment="SQL Broker Port" dst-port=1433 in-interface=ether1 protocol=tcp to-addresses=10.10.10.10 to-ports=1433
add action=dst-nat chain=dstnat comment="SQL Authentication SSL" dst-port=443 in-interface=ether1 protocol=tcp to-addresses=10.10.10.10 to-ports=443
add action=dst-nat chain=dstnat comment="SQL Interface" dst-port=1434 in-interface=all-ethernet protocol=tcp to-addresses=10.10.10.10 to-ports=1434
add action=dst-nat chain=dstnat dst-address=X.X.X.243 dst-port=25 in-interface=all-ethernet protocol=tcp to-addresses=10.10.10.5 to-ports=25
add action=dst-nat chain=dstnat dst-address=X.X.X.243 dst-port=587 in-interface=all-ethernet protocol=tcp to-addresses=10.10.10.5 to-ports=587
add action=dst-nat chain=dstnat dst-address=X.X.X.243 dst-port=25 in-interface=all-ethernet protocol=tcp to-addresses=10.10.10.5 to-ports=25
add action=dst-nat chain=dstnat dst-address=X.X.X.243 dst-port=587 in-interface=all-ethernet protocol=tcp to-addresses=10.10.10.15 to-ports=587
add action=dst-nat chain=dstnat comment="OnSIP Communication Port" dst-address=X.X.X.243 dst-port=5060 in-interface=all-ethernet protocol=udp to-ports=5060
add action=dst-nat chain=dstnat comment="OnSIP RTP Audio Media Packets" dst-address=X.X.X.243 port=10000-20000 protocol=udp to-ports=10000-20000
add action=dst-nat chain=dstnat dst-address=X.X.X.243 dst-port=1433 in-interface=all-ethernet protocol=tcp to-addresses=10.10.10.6 to-ports=1433
add action=redirect chain=dstnat comment="RDP into LVL-Base Server" dst-address=X.X.X.243 dst-port=4050 in-interface=all-ethernet protocol=tcp to-ports=3389
add action=dst-nat chain=dstnat in-interface=all-ethernet port=500 protocol=udp to-ports=500
add action=dst-nat chain=dstnat in-interface=all-ethernet port=50-51 protocol=udp to-ports=50-51
add action=dst-nat chain=dstnat in-interface=all-ethernet port=4500 protocol=udp to-ports=4500
add action=dst-nat chain=dstnat comment="IT RDP In" dst-port=4052 in-interface=ether1 protocol=tcp to-addresses=10.10.10.254 to-ports=3389
/ip firewall service-port
set sip disabled=yes
/ip proxy
set cache-path=disk1/web/proxy max-cache-object-size=4096KiB parent-proxy=0.0.0.0
/ip route
add check-gateway=ping distance=1 gateway=X.X.X.241
/ip service
set telnet address=10.10.10.0/24 disabled=yes
set ftp address=10.10.10.0/24 disabled=yes
set www address=10.10.10.0/23,71.182.231.41/32,54.204.152.194/32 port=51506
set ssh disabled=yes
set api disabled=yes
/ip upnp
set allow-disable-external-interface=yes
/ip upnp interfaces
add interface=ether1 type=external
add interface=ether2-master-local type=internal
/system clock
set time-zone-autodetect=no time-zone-name=EST5EDT
/system clock manual
set dst-end="nov/06/2016 02:00:00" dst-start="mar/13/2016 02:00:00" time-zone=+05:00
/system identity
set name=RouterOS
/system leds
set 0 interface=sfp-plus1
set 1 interface=sfp-plus1
set 2 interface=sfp-plus2
set 3 interface=sfp-plus2
/system ntp client
set enabled=yes primary-ntp=97.107.128.58 secondary-ntp=66.228.42.59
/system scheduler
add interval=1w name="auto backup" on-event="/system backup save name=October7 backup" policy=ftp,reboot,read,write,policy,test,password,sniff,sensitive start-date=oct/09/2017 start-time=10:00:00
add comment="Auto backup send to IT@level.agency. This is also to have an off device backup." interval=1w name="autoback up send to email" on-event=\
"/tool email sent to=\"it@level.agency\" subject=(/system identity get name]\" backup\") file=today backup" policy=ftp,reboot,read,write,policy,test,password,sniff,sensitive start-date=oct/09/2017 \
start-time=10:00:00
add disabled=yes interval=1d name=backup_MT1 on-event="/export file=configuration_MT1 hide-sensitive ;\r\
\n/system backup save name=backup_MT1 ;" policy=ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon start-date=oct/10/2017 start-time=11:16:00
/tool graphing interface
add interface=ether1
/tool graphing queue
add
/tool sniffer
set filter-interface=ether1 filter-port=587 filter-stream=yes only-headers=yes
Level Agency Admin
Router: Mikrotik CC1036-8G-2S+
 
jarda
Forum Guru
Forum Guru
Posts: 7324
Joined: Mon Oct 22, 2012 4:46 pm

Re: Request help! RouterOS Configuration screwed up.

Tue May 15, 2018 8:42 am

Very challenging. First things first. Make good test of the newer version with your configuration to be sure it works as you need before you decide to upgrade productive device. You know why...
 
LevelAdmin
just joined
Topic Author
Posts: 8
Joined: Wed Jan 18, 2017 10:46 pm
Location: Pittsburgh
Contact:

Re: Request help! RouterOS Configuration screwed up.

Tue May 15, 2018 10:16 pm

Very challenging. First things first. Make good test of the newer version with your configuration to be sure it works as you need before you decide to upgrade productive device. You know why...
Jarda,
Thank you for your post, but please pardon my ignorance here, but how would I test the updated firmware 6.42.1? Is there a sandbox environment or a virtual way of testing the update / settings?
Level Agency Admin
Router: Mikrotik CC1036-8G-2S+
 
jarda
Forum Guru
Forum Guru
Posts: 7324
Joined: Mon Oct 22, 2012 4:46 pm

Re: Request help! RouterOS Configuration screwed up.

Tue May 15, 2018 10:30 pm

Virtually you can run CHR. Because running ros on particular device might bring different unwanted effects, you should test on the same device model if you would like to be sure. You can also make the tests on productive device using the partitions for different versions of ros.
 
LevelAdmin
just joined
Topic Author
Posts: 8
Joined: Wed Jan 18, 2017 10:46 pm
Location: Pittsburgh
Contact:

Re: Request help! RouterOS Configuration screwed up.

Wed May 16, 2018 1:20 am

Virtually you can run CHR. Because running ros on particular device might bring different unwanted effects, you should test on the same device model if you would like to be sure. You can also make the tests on productive device using the partitions for different versions of ros.
Thank you Jarda,
I looked up the wiki article https://wiki.mikrotik.com/wiki/Manual:CHR on CHR and will see if I can spin up a Hyper-V tonight for testing the new firmware upgrade.

Are there any suggestions you might have towards cleaning up the configuration or fine tuning it to work properly? If you provide forum links, or wiki links, I'll read through them. Though I'm looking for experienced members to help guide me through cleaning up my configuration. It just doesn't make sense to me why our Port forwarding isn't working and as a byproduct, I cannot implement other features and trust the configuration to work properly.
Level Agency Admin
Router: Mikrotik CC1036-8G-2S+
 
Paternot
Member
Member
Posts: 341
Joined: Thu Jun 02, 2016 4:01 am
Location: Niterói / Brazil

Re: Request help! RouterOS Configuration screwed up.

Wed May 16, 2018 4:17 am

It just doesn't make sense to me why our Port forwarding isn't working and as a byproduct, I cannot implement other features and trust the configuration to work properly.
When You say it is not working, what exactly is (isn't) happening?

1) People on the Internet cannot access the internal server?
2) People inside the network cannot access one of the internal servers, using its public IP?

If the problem is 2), then You need to look at hairpin NAT. The official documentation has an example. Look at the NAT section.
 
LevelAdmin
just joined
Topic Author
Posts: 8
Joined: Wed Jan 18, 2017 10:46 pm
Location: Pittsburgh
Contact:

Re: Request help! RouterOS Configuration screwed up.

Wed May 16, 2018 6:19 pm

It just doesn't make sense to me why our Port forwarding isn't working and as a byproduct, I cannot implement other features and trust the configuration to work properly.
When You say it is not working, what exactly is (isn't) happening?

1) People on the Internet cannot access the internal server?
2) People inside the network cannot access one of the internal servers, using its public IP?

If the problem is 2), then You need to look at hairpin NAT. The official documentation has an example. Look at the NAT section.
Paternot,
It is number two. I read through the Mikrotik Hairpin NAT article https://wiki.mikrotik.com/wiki/Hairpin_NAT and I attempted to follow the hairpin NAT setup from the example. I lost the ability to do port forwarding from that moment on. Before the hairpin NAT I had successfully setup the Port Forwarding for RDP, SSH, and FTP to a server inside the network. But once the hairpin NAT was setup for faster local resource access, it broke those connections. I'm not sure how to test to provide proof. But if I remove the hairpin NAT, it breaks whatever connect is made to resolve a FQDN sub-domain name pointed to our Public IP to access an internal resource NAS.
I will say it doesn't make sense to me because in my head it would make sense to do the following and have it work.
  • Setup Sub Domain at Authority
  • Point Sub Domain to Public IP Address
  • Configure Port forwarding to say, when port XXXX is accessed send to IP XXX.XXX.XXX.XXX and Port XXXX
It should just work.

Because it doesn't work, it means to me I've probably set it up wrong and therefore have these issues.
I believe these are the lines I used to setup the main outbound NAT rule and the hairpin NAT.
add action=masquerade chain=srcnat comment="Outbound traffic" out-interface=ether2-master-local src-address=10.10.10.0/23
add action=masquerade chain=srcnat comment=Loopback out-interface=ether2-master-local to-addresses=X.X.X.243
add action=masquerade chain=srcnat comment=Loopback disabled=yes out-interface=ether1
add action=dst-nat chain=dstnat comment=Loopback dst-address=X.X.X.243 to-addresses=10.10.10.3
At this point I have my company accustom to using the easy to remember FQDM instead of the internal IP. While I can update each computers host file, it would be a pain and I'd rather have it at one location like the Router since it is central and easier to manage.

I am open to suggestions or additional reading material to better understand why the hairpin NAT is effecting the port forwarding.
Level Agency Admin
Router: Mikrotik CC1036-8G-2S+
 
LevelAdmin
just joined
Topic Author
Posts: 8
Joined: Wed Jan 18, 2017 10:46 pm
Location: Pittsburgh
Contact:

Re: Request help! RouterOS Configuration screwed up.

Wed May 16, 2018 6:24 pm

Virtually you can run CHR. Because running ros on particular device might bring different unwanted effects, you should test on the same device model if you would like to be sure. You can also make the tests on productive device using the partitions for different versions of ros.
Thank you Jarda,
I looked up the wiki article https://wiki.mikrotik.com/wiki/Manual:CHR on CHR and will see if I can spin up a Hyper-V tonight for testing the new firmware upgrade.

Are there any suggestions you might have towards cleaning up the configuration or fine tuning it to work properly? If you provide forum links, or wiki links, I'll read through them. Though I'm looking for experienced members to help guide me through cleaning up my configuration. It just doesn't make sense to me why our Port forwarding isn't working and as a byproduct, I cannot implement other features and trust the configuration to work properly.
I downloaded a CHR for Hyper-V, set it up and am testing the configuration with it this afternoon. Thank you Jarda for the suggestion, I didn't realize this was possible until you pointed it out. Hopefully everything works and I can run the updates soon.
Level Agency Admin
Router: Mikrotik CC1036-8G-2S+
 
User avatar
nickshore
Member
Member
Posts: 436
Joined: Thu Mar 03, 2005 4:14 pm
Location: Suffolk, UK.
Contact:

Re: Request help! RouterOS Configuration screwed up.

Wed May 16, 2018 6:32 pm

Please remember that you should stick with bugfix channel for production routers.
Nick Shore MTCNA MTCWE MTCRE MTCINE MTCTCE
LinITX.com - MultiThread Consultants
Get your MikroTik RBs and Training: http://linitx.com/brand/mikrotik
Official UK MikroTik Distributor
IRC chan: #routerboard on irc.z.je (IPv4 and IPv6)
 
Paternot
Member
Member
Posts: 341
Joined: Thu Jun 02, 2016 4:01 am
Location: Niterói / Brazil

Re: Request help! RouterOS Configuration screwed up.

Wed May 16, 2018 7:05 pm

The problem with NAT, from internal address, is that the answer comes from the wrong IP - all due to the NAT shenanigans. This is my hairpin relevant section:
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" out-interface-list=WAN
add action=dst-nat chain=dstnat comment=L4D2 dst-address-list=IP_externo dst-port=27000-27300 log-prefix=l4d2 protocol=udp to-addresses=10.10.2.247
add action=masquerade chain=srcnat comment="l4d2 - hairpin NAT (acerta a resposta do servidor)" dst-address=10.10.2.247 dst-port=27000-27300 log-prefix="hairpin masq l4d2" out-interface-list=Intranet protocol=udp src-address=10.10.2.0/24
add action=dst-nat chain=dstnat comment="TF2 port forward" dst-address-list=IP_externo dst-port=29000-29100 log-prefix=tf2 protocol=udp to-addresses=10.10.2.102
add action=masquerade chain=srcnat comment="tf2 - hairpin NAT (acerta a resposta do servidor)" dst-address=10.10.2.102 dst-port=29000-29100 log-prefix="hairpin masq tf2" out-interface-list=Intranet protocol=udp src-address=10.10.2.0/24
There are 3 NATs here:

1) UDP ports, from 27000 to 27300. Used to Left 4 Dead servers (an FPS game).
2) UDP ports, from 29000 to 29100. Used to Team Fortress servers (another FPS game).
3) A default src NAT, to default access to the Internet.

How they work:
The first dst-nat forwards Internet traffic, from UDP ports 27000 to 27300, to the internal IP 10.10.2.247

Then we get the hairpin rule. It will do a src-nat, when the destination is the INTERNAL IP of the server (10.10.2.247). The server will see a packet arriving from the router, not from the client who started the connection.
Why? Because it would, then, answer to the client - but this answer would have the internal IP, not the external one. So the client would discard it as invalid.
This way the packet transverses the firewall two times: from client to server, and from server to client.

Take a look ate the second server.
The packets with UDP ports 29000 to 29100 destination are forwarded to the internal server (10.10.2.102). If they are from Internet, that's it. If they are from the intranet, they are src-nated, to look like they come from the router.

Exactly like the first one.

The reference page is quite good:
https://wiki.mikrotik.com/wiki/Hairpin_NAT
 
jarda
Forum Guru
Forum Guru
Posts: 7324
Joined: Mon Oct 22, 2012 4:46 pm

Re: Request help! RouterOS Configuration screwed up.

Wed May 16, 2018 7:33 pm

Even the chr is amazing and you can do anything with it, don't forget to use partitions and keep previous version to be able to switch immediately back to untouched system with its original working config if whatever happens.
 
LevelAdmin
just joined
Topic Author
Posts: 8
Joined: Wed Jan 18, 2017 10:46 pm
Location: Pittsburgh
Contact:

Re: Request help! RouterOS Configuration screwed up.

Thu May 17, 2018 10:51 pm

The problem with NAT, from internal address, is that the answer comes from the wrong IP - all due to the NAT shenanigans. This is my hairpin relevant section:
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" out-interface-list=WAN
add action=dst-nat chain=dstnat comment=L4D2 dst-address-list=IP_externo dst-port=27000-27300 log-prefix=l4d2 protocol=udp to-addresses=10.10.2.247
add action=masquerade chain=srcnat comment="l4d2 - hairpin NAT (acerta a resposta do servidor)" dst-address=10.10.2.247 dst-port=27000-27300 log-prefix="hairpin masq l4d2" out-interface-list=Intranet protocol=udp src-address=10.10.2.0/24
add action=dst-nat chain=dstnat comment="TF2 port forward" dst-address-list=IP_externo dst-port=29000-29100 log-prefix=tf2 protocol=udp to-addresses=10.10.2.102
add action=masquerade chain=srcnat comment="tf2 - hairpin NAT (acerta a resposta do servidor)" dst-address=10.10.2.102 dst-port=29000-29100 log-prefix="hairpin masq tf2" out-interface-list=Intranet protocol=udp src-address=10.10.2.0/24
There are 3 NATs here:

1) UDP ports, from 27000 to 27300. Used to Left 4 Dead servers (an FPS game).
2) UDP ports, from 29000 to 29100. Used to Team Fortress servers (another FPS game).
3) A default src NAT, to default access to the Internet.

How they work:
The first dst-nat forwards Internet traffic, from UDP ports 27000 to 27300, to the internal IP 10.10.2.247

Then we get the hairpin rule. It will do a src-nat, when the destination is the INTERNAL IP of the server (10.10.2.247). The server will see a packet arriving from the router, not from the client who started the connection.
Why? Because it would, then, answer to the client - but this answer would have the internal IP, not the external one. So the client would discard it as invalid.
This way the packet transverses the firewall two times: from client to server, and from server to client.

Take a look ate the second server.
The packets with UDP ports 29000 to 29100 destination are forwarded to the internal server (10.10.2.102). If they are from Internet, that's it. If they are from the intranet, they are src-nated, to look like they come from the router.

Exactly like the first one.

The reference page is quite good:
https://wiki.mikrotik.com/wiki/Hairpin_NAT
Paternot, Thank you for that information. I'll take a look at my hairpin NAT tonight to see if it matches your suggestions.
Level Agency Admin
Router: Mikrotik CC1036-8G-2S+
 
LevelAdmin
just joined
Topic Author
Posts: 8
Joined: Wed Jan 18, 2017 10:46 pm
Location: Pittsburgh
Contact:

Re: Request help! RouterOS Configuration screwed up.

Sat Jun 09, 2018 12:16 am

I have updated to the latest Firmware 6.43rc21. Everything is stable and running fine. I think I am going to rebuild my NAT rules from the ground up. See if I can isolate why the hairpin NAT is causing so many issues with my port forwarding.

Any advice on hardening the firewall from outside threats? I don't want our system to be hacked. Would like to keep the Public IP locked down, but allow for my IP and VPN connections to be allowed.
Level Agency Admin
Router: Mikrotik CC1036-8G-2S+
 
anav
Long time Member
Long time Member
Posts: 647
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Request help! RouterOS Configuration screwed up.

Sat Jun 09, 2018 2:43 am

Good plan to start with latest OS.
Typically I accept the default setup which is secure and then start modifying slowly USING THE SAFE MODE ( i use winbox ).
That way if you do something destructive you dont have to start from scratch.

Right off the bat what I noticed was this
add action=accept chain=input comment=winbox dst-port=8291 protocol=tcp

WRONG!!! it appears to me that this allows anybody anwhere to connect to your router.
Typically the way to do this is...
add action=accept chain=input in-interface={the LAN interface the admin is typically using} source-address-list=adminaccess
or source-address=192.168.1.0/24 (whatever subnet the admin uses)

In the /ip firewall address-lists (enter in the PCs that will be used by the admin to access the router or perhaps the subnet up to you)
pc1 IP name=adminaccess
pc2 IP name=adminaccess

IN WINBOX turn off all items in
/ip service list except winbox and SSH but change SSH to a different port and set ssh crypto to strong.
/ip ssh set strong-crypto=yes

ON that page you can list the only IPs from the subnet above if not using admin access list or use both for both winbox and ssh entry permission.
Go into packages and disable all the ones not being used.

I tend to prefer DROP all at the end of input chain and forward chain.
In other words 99.9% of rules are only for those things I want to allow.
 
LevelAdmin
just joined
Topic Author
Posts: 8
Joined: Wed Jan 18, 2017 10:46 pm
Location: Pittsburgh
Contact:

Re: Request help! RouterOS Configuration screwed up.

Mon Jun 11, 2018 8:54 pm

...Typically I accept the default setup which is secure and then start modifying slowly USING THE SAFE MODE ( i use winbox ).
That way if you do something destructive you dont have to start from scratch.
I am also using WinBox (ver 3.14rc1). What is "Safe Mode" and how do I utilize it? Sounds like a good step towards not breaking the internet while I'm working/making changes.
Right off the bat what I noticed was this
add action=accept chain=input comment=winbox dst-port=8291 protocol=tcp

WRONG!!! it appears to me that this allows anybody anwhere to connect to your router.
Typically the way to do this is...
add action=accept chain=input in-interface={the LAN interface the admin is typically using} source-address-list=adminaccess
or source-address=192.168.1.0/24 (whatever subnet the admin uses)
This was setup before I got here. I'll accept your recommendation and issue those changes ASAP.
In the /ip firewall address-lists (enter in the PCs that will be used by the admin to access the router or perhaps the subnet up to you)
pc1 IP name=adminaccess
pc2 IP name=adminaccess
Is this just under the IP > FIREWALL > ADDRESS LIST? or is this another section of the Mikrotik I could/should be utilizing to make my life easier?
IN WINBOX turn off all items in
/ip service list except winbox and SSH but change SSH to a different port and set ssh crypto to strong.
/ip ssh set strong-crypto=yes
I didn't think about this, but now that I am seeing it. It is an enlightening moment and I completely agree! Implementing ASAP.
ON that page you can list the only IPs from the subnet above if not using admin access list or use both for both winbox and ssh entry permission.
Go into packages and disable all the ones not being used.

I tend to prefer DROP all at the end of input chain and forward chain.
In other words 99.9% of rules are only for those things I want to allow.
How will this effect NAT port forwarding rules? Or will this only effect the WinBox and SSH inbound traffic?

Thank you again, this is exactly the type of information I was hoping to receive from more experience people. I am so grateful for your help.
Level Agency Admin
Router: Mikrotik CC1036-8G-2S+
 
anav
Long time Member
Long time Member
Posts: 647
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Request help! RouterOS Configuration screwed up.

Thu Jun 14, 2018 9:22 pm

Properly configured firewall rules should not interfere with NAT rules.
Remember NAT rules at least destination NAT rules are actually FIREWALL RULES For inbound unsolicited traffic being forwarded across the router.
( a destination NAT rule is in my small mind equivalent to saying ALLOW WAN to LAN traffic on port XX to LANIP 192.168.x.yy )

This is the point where I point out that IF POSSIBLE, limit the external access to that PC or server by source address list. If you access or other access it not from fixed IPs then that is not possible. For example I have dst rules for access to my solar panel and septic panel from fixed vendor IPs..........
 
Sob
Forum Guru
Forum Guru
Posts: 3068
Joined: Mon Apr 20, 2009 9:11 pm

Re: Request help! RouterOS Configuration screwed up.

Thu Jun 14, 2018 9:35 pm

( a destination NAT rule is in my small mind equivalent to saying ALLOW WAN to LAN traffic on port XX to LANIP 192.168.x.yy )
Not by itself. Destination NAT only changes destination address and/or port, nothing else. You still need to allow packets through firewall filter. But yeah, combined with popular "allow everything dstnatted" rule, it can have described effect.
 
anav
Long time Member
Long time Member
Posts: 647
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Request help! RouterOS Configuration screwed up.

Thu Jun 14, 2018 9:43 pm

To illustrate Sobs point so that it becomes practical,
I have a drop everything Firewall Chain concept, where one has to explicitly allow TYPES of traffic, otherwise they are dropped'

examples
input chain
-allow valid traffic (established, etc
-allow admin to access router
-allow lan to access dns on the router
drop everything else

forward chain
-allow valid traffic (established,etc)
-allow lan to wan traffic
-allow ipsec traffic
- allow dsnatted traffic****************
drop everything else

Which does beg a question I do have separate drop invalid traffic rules and am wondering if i still need those????????????
 
User avatar
CZFan
Forum Veteran
Forum Veteran
Posts: 738
Joined: Sun Oct 09, 2016 8:25 pm
Location: South Africa
Contact:

Re: Request help! RouterOS Configuration screwed up.

Fri Jun 15, 2018 4:27 pm

...
Which does beg a question I do have separate drop invalid traffic rules and am wondering if i still need those????????????

It is your choice, if you want invalid to be dropped before any other rules, then yes, if you ok with it being dropped last with the default drop rule, then no
MTCNA, MTCTCE & MTCRE
 
anav
Long time Member
Long time Member
Posts: 647
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Request help! RouterOS Configuration screwed up.

Fri Jun 15, 2018 4:46 pm

CZFAN, I have lots of wishes and desires but they are emotional entities LOL, in terms of dropping invalid packets,
are you of the camp that says

a. drop invalid first even before established, connected, untracked accept rule ---> but why???
b. drop invalid RIGHT AFTER established, connection, untracked ---> but why????
c. don't include invalid drop rule if you have drop everything at the end.


The question really becomes two fold.
1. LOAD on CPU, is there any difference where in the food chain invalid connections are dropped??? (efficiency to be gained and is it significant)
2. SECURITY, is there an increasing level of risk the longer one waits to drop invalid connections???

So lets focus on facts, and not emotions. :-)
 
Sob
Forum Guru
Forum Guru
Posts: 3068
Joined: Mon Apr 20, 2009 9:11 pm

Re: Request help! RouterOS Configuration screwed up.

Fri Jun 15, 2018 7:19 pm

@anav: Connection state of each packet is established OR related OR untracked OR invalid OR new. So your option b) takes care of 4 of 5 at the beginning and any rule after that applies only to "new". Option c) leaves you with "new" and "invalid", so unless you add connection-state=new to following rules, they will apply to both.
 
User avatar
CZFan
Forum Veteran
Forum Veteran
Posts: 738
Joined: Sun Oct 09, 2016 8:25 pm
Location: South Africa
Contact:

Re: Request help! RouterOS Configuration screwed up.

Fri Jun 15, 2018 9:15 pm

@anav, for me personally, it really depends on the direction the wind blows.... :-)

At home, where I have a combined number of maybe 10 - 15 rules for both input and forward, I don't really care where I drop it, so drop it in default drop rule. On clients network, which has many, many rules, is a very busy network, etc, I drop it as soon as possible to save on resources
MTCNA, MTCTCE & MTCRE
 
mkx
Member Candidate
Member Candidate
Posts: 280
Joined: Thu Mar 03, 2016 10:23 pm

Re: Request help! RouterOS Configuration screwed up.

Sat Jun 16, 2018 2:31 pm

As @CZFan wrote it all ends with router's CPU load. Which is proportional to sum of number of packets times number of FW rules passed (by each packet). To lower CPU load, most frequently matched rules should be at top of list. With one notable exception: drop all at the end. If that last one is executed too frequently, some deep analysis of dropped packets is in place to check if some specific drop rule higher in the chain would be benefitial.

A side note: as the evilness of internet evolves, alert FW administrator would regularly re-evaluate FW rules and their ordering. N.B. I'm not one of alert FW administrators :wink:
BR,
Metod
 
anav
Long time Member
Long time Member
Posts: 647
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Request help! RouterOS Configuration screwed up.

Sat Jun 16, 2018 6:24 pm

Thanks CZ, Ive dropped the FAN part because obviously there is too much wind blowing in your area (could be hot gasses?)
Good points and exactly what i was looking for, same same MKX.

Who is online

Users browsing this forum: No registered users and 13 guests