quasar66
just joined
Topic Author
Posts: 9
Joined: Fri Apr 22, 2022 6:22 pm

Need help with NAT or Firewall

Fri Apr 22, 2022 6:50 pm

Hi..
I am somewhat familiar with networking, just a notch above newbie.
My home setup uses RB3011 UiAS-RM and was running fine till yesterday. I was doing some code development at home that need one machine to talk to the other. That suddenly stopped working.
Steps taken since then :
1. Did ether boot reset (around 6 or 7 times) (couple of attempts were caused by my ignorance that ver 7.2 does not install on RB3011)
2. Have now successfully installed 6.49.6.
3. The configuration is simple - get DHCP client WAN from Verizon (local supplier), and configure a simple bridge.
4. The /export output is here :
# apr/22/2022 11:15:04 by RouterOS 6.49.6
# software id = AGEK-8YNP
#
# model = RB3011UiAS
# serial number = E7EA0E3205F9
/interface bridge
add name=home-bridge
/interface list
add name=WAN
add name=LAN
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip pool
add name=dhcp ranges=192.168.16.2-192.168.16.254
/ip dhcp-server
add address-pool=dhcp disabled=no interface=home-bridge lease-time=30m name=\
    dhcp1
/interface bridge port
add bridge=home-bridge interface=ether2
add bridge=home-bridge interface=ether3
add bridge=home-bridge interface=ether4
add bridge=home-bridge interface=ether5
add bridge=home-bridge interface=ether6
add bridge=home-bridge interface=ether7
add bridge=home-bridge interface=ether8
add bridge=home-bridge interface=ether9
add bridge=home-bridge interface=ether10
/interface list member
add interface=ether1 list=WAN
add interface=ether2 list=LAN
add interface=ether3 list=LAN
add interface=ether4 list=LAN
add interface=ether5 list=LAN
add interface=ether6 list=LAN
add interface=ether7 list=LAN
add interface=ether8 list=LAN
add interface=ether9 list=LAN
add interface=ether10 list=LAN
add interface=home-bridge list=LAN
add interface=sfp1 list=LAN
/ip address
add address=192.168.16.1/24 interface=home-bridge network=192.168.16.0
/ip dhcp-client
add disabled=no interface=ether1
/ip dhcp-server network
add address=192.168.16.0/24 dns-server=192.168.16.1 gateway=192.168.16.1
/ip dns
set servers=8.8.8.8,8.8.4.4
/ip dns static
add address=192.168.16.1 name=home-lan
add address=8.8.8.8 name=google
/ip firewall address-list
add address=192.168.16.2-192.168.16.254 list=within-home
add address=0.0.0.0/8 list=not-internet
add address=172.16.0.0/12 list=not-internet
add address=192.168.0.0/16 list=not-internet
add address=10.0.0.0/8 list=not-internet
add address=169.254.0.0/16 list=not-internet
add address=127.0.0.0/8 list=not-internet
add address=224.0.0.0/4 list=not-internet
/ip firewall filter
add action=accept chain=input connection-state=established,related,untracked
add action=accept chain=forward connection-state=established,related,untracked
add action=drop chain=input connection-state=invalid
add action=drop chain=forward connection-state=invalid
add action=accept chain=input protocol=icmp
add action=accept chain=input connection-state=new dst-port=53 \
    in-interface-list=LAN protocol=tcp
add action=accept chain=input connection-state=new dst-port=53 \
    in-interface-list=LAN protocol=udp
add action=drop chain=input in-interface-list=!LAN log=yes log-prefix=!LAN
add action=accept chain=forward ipsec-policy=in,ipsec
add action=accept chain=forward ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward connection-state=\
    established,related,untracked
add action=drop chain=forward connection-nat-state=!dstnat connection-state=new \
    in-interface-list=WAN
/ip firewall nat
add action=masquerade chain=srcnat out-interface=ether1
/ip service
set telnet disabled=yes
set ftp disabled=yes
set www disabled=yes
set ssh disabled=yes
set api disabled=yes
set api-ssl disabled=yes
/ip ssh
set forwarding-enabled=remote strong-crypto=yes
/lcd
set default-screen=stats-all
/system clock
set time-zone-name=America/New_York
[admin@MikroTik] > export hide-sensitive > /doc.txt
expected end of command (line 1 column 23)
[admin@MikroTik] > 
Am unable to ping any website or reach any website.
I have attached the firewall traffic data as an image to this request. It shows no failures about DNS. When I try ping www.google.com on a standard Windows PowerShell, the system complains of DNS failure.
The traffic on NAT interface shows 0 B.
Any guidance is welcome.
Thanks
 
anav
Forum Guru
Posts: 19363
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Need help with NAT or Firewall

Sat Apr 23, 2022 12:21 am

I see nothing terribly wrong.

(1) Interface List Members: Only need bridge-home list=LAN (don't need all the other ports) they are included!!

(2) Filter rules, it's best to put all the input chain rules together (normally first) and then all the forward chain rules together.
Suggesting you move the first forward chain rule BELOW the FASTTRACK forward chain rule and then the rest of the forward chain rules.

(2) Don't need connection-state=new ON ANY Rules...........

(3) THERE IS NOTHING BLOCKING INTERNET ACCESS in firewall rules!!

(4) DNS looks okay as well.

(5) I suspect IP DHCP client ???? Or SOURCE NAT or IP ROUTE issues.....

Do you get a public IP? Did you answer YES to the default route question?? Is it a pppoe connection or vlan on WAN side??
 
quasar66
just joined
Topic Author
Posts: 9
Joined: Fri Apr 22, 2022 6:22 pm

Re: Need help with NAT or Firewall

Sat Apr 23, 2022 4:08 am

Hi,
Thanks for the response.
To address your queries :
1. I changed the interface-list - must have done it mechanically worrying about bigger challenges.
2. Yes, indeed .. what you say makes sense. Have made the changes. That has pushed all heavy traffic rules upwards, and I think that would speed up the whole processing.
Also, connection_state = new is only for the two DNS traffic rules - my conjecture was that this is a DNS issue. Can change those if needed.

Now re the other points :
The WAN side is connected as a DHCP Client that also offers a local DNS (Verizon). So, I have configured a DHCP client. (Pls refer to the attached pic).
The route table - pic attached also seems to show an immediate next hop connection.

Am concerned about the NAT table (pic attached). The traffic says 0 Bytes - this possibly cannot be true (in my limited knowledge) - since the machines are trying to ping or reach some website.
The manual seems to say that a translation address should be specified - not sure how do I specify a DHCP allocated IP address to the NAT table. Any guidance on this would be deeply appreciated.

I have added the DNS (both the DHCP server entry (for local machines) and the DNS for the router (have used the Google public DNS addresses).

Thanks for your attention. Am seriously stumped ...
Last edited by quasar66 on Sat Apr 23, 2022 4:47 am, edited 1 time in total.
 
anav
Forum Guru
Posts: 19363
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Need help with NAT or Firewall

Sat Apr 23, 2022 4:21 am

Recommend using paint or some other program to rub out your actual WANIPs etc... or delete the photos as you should never publish your actual WANIP info or WANIP gateways...
I get the picture. See next post for ideas.
Last edited by anav on Sat Apr 23, 2022 4:30 am, edited 1 time in total.
 
anav
Forum Guru
Posts: 19363
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Need help with NAT or Firewall

Sat Apr 23, 2022 4:26 am

Okay, you need to check the box allowing remote requests, here!!!
(attached screenshot: dns2.jpg)
 
quasar66
just joined
Topic Author
Posts: 9
Joined: Fri Apr 22, 2022 6:22 pm

Re: Need help with NAT or Firewall

Sat Apr 23, 2022 4:51 am

Thanks So Much ... it worked !!!

Could you point me to some write up that explains why this needs to be kept on and then use firewall filters to block off external DNS requests? At your convenience of course...
 
anav
Forum Guru
Posts: 19363
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Need help with NAT or Firewall

Sat Apr 23, 2022 12:24 pm

This rule blocks all traffic to the router (including external DNS), but allows LAN traffic, so you are okay.
add action=drop chain=input in-interface-list=!LAN log=yes log-prefix=!LAN
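To see why the drop rule above is what keeps the router from becoming an open resolver once "allow remote requests" is on, here is an added Python example (not from the thread or from MikroTik) that replays the export's input-chain rules against constructed packets. It implements only the matchers that appear on this page, assumes the interface lists after the tip in the second post (bridge in LAN, ether1 in WAN), and treats an unmatched packet as accepted, as RouterOS does; `input_verdict` and `dns_query` are names chosen for the example.

```python
# Added example (not from the thread or from MikroTik): replays the input-chain
# rules of the export above against constructed packets, to show why enabling
# /ip dns allow-remote-requests does not expose the resolver to the WAN side.

# Interface-list membership after anav's tip: only the bridge in LAN, ether1 in WAN.
INTERFACE_LISTS = {"WAN": {"ether1"}, "LAN": {"home-bridge"}}

# Input-chain rules copied from the export, in on-device order.
INPUT_RULES = [
    "add action=accept chain=input connection-state=established,related,untracked",
    "add action=drop chain=input connection-state=invalid",
    "add action=accept chain=input protocol=icmp",
    "add action=accept chain=input connection-state=new dst-port=53 in-interface-list=LAN protocol=tcp",
    "add action=accept chain=input connection-state=new dst-port=53 in-interface-list=LAN protocol=udp",
    "add action=drop chain=input in-interface-list=!LAN log=yes log-prefix=!LAN",
]

def parse_rule(line):
    """Turn 'add key=value ...' into a dict of matcher -> value."""
    return dict(tok.split("=", 1) for tok in line.split()[1:])

def matches(rule, pkt):
    """True when every matcher in the rule applies to the packet dict."""
    for key, value in rule.items():
        if key in ("action", "chain", "log", "log-prefix"):
            continue
        negate = value.startswith("!")  # a leading '!' inverts the matcher
        value = value.lstrip("!")
        if key == "in-interface-list":
            hit = pkt["in-interface"] in INTERFACE_LISTS.get(value, set())
        elif key == "dst-port":
            hit = pkt["dst-port"] in {int(p) for p in value.split(",")}
        else:  # connection-state / protocol: comma-separated alternatives
            hit = pkt[key] in value.split(",")
        if hit == negate:
            return False
    return True

def input_verdict(pkt, rules=INPUT_RULES):
    """First matching input-chain rule wins; no match means accept."""
    for rule in map(parse_rule, rules):
        if rule["chain"] == "input" and matches(rule, pkt):
            return rule["action"]
    return "accept"

def dns_query(in_interface, proto="udp"):
    # Constructed packet: a fresh DNS query arriving on the given interface.
    return {"in-interface": in_interface, "protocol": proto,
            "dst-port": 53, "connection-state": "new"}

if __name__ == "__main__":
    print("LAN client -> router:53:", input_verdict(dns_query("home-bridge")))  # accept
    print("Internet   -> router:53:", input_verdict(dns_query("ether1")))       # drop
```

Dropping the last rule from the list (`INPUT_RULES[:5]`) makes the WAN-side query come back as accept, which is the open-resolver situation the rule prevents.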
