NicholasYK
just joined
Topic Author
Posts: 5
Joined: Thu Sep 15, 2022 1:48 pm

No traffic on WAN interface after upgrade to 7.5

Fri Sep 16, 2022 10:10 am

Hello,

After upgrading a working configuration from the 6.x branch (I don't remember the exact version; it was last updated sometime in 2020) to 7.5 stable, I lost traffic on the WAN interface.

From the LAN I can ping the router and access it with SSH and WinBox. The L2TP/IPsec VPN from the Internet to the LAN also works; I can use it to access the router from the Internet.

DST-NAT, ping and SSH from the Internet don't work. SRC-NAT from the LAN doesn't work either.

From the MikroTik itself I can ping the LAN bridge interface but not the WAN interface.

The configuration is below:
# sep/15/2022 22:16:47 by RouterOS 7.5
# software id = 9KUN-MDHQ
#
# model = RouterBOARD 750G r3
# serial number = 
# NOTE(review): lines starting with "# NOTE(review)" were added while reviewing this export;
# every command line is reproduced unchanged.
/interface bridge
add admin-mac=6C:3B:6B:C9:53:84 auto-mac=no fast-forward=no name=bridge1
add name=ipsec-bridge
/interface ethernet
set [ find default-name=ether1 ] comment=WAN speed=100Mbps
set [ find default-name=ether2 ] name=ether2-master speed=100Mbps
set [ find default-name=ether3 ] speed=100Mbps
set [ find default-name=ether4 ] speed=100Mbps
set [ find default-name=ether5 ] speed=100Mbps
/interface wireguard
add disabled=yes listen-port=52939 mtu=1420 name=wireguard1
/interface list
add exclude=dynamic name=discover
add name=mactel
add name=mac-winbox
/interface lte apn
set [ find default=yes ] ip-type=ipv4 use-network-apn=no
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=abc.r-networks.ru
/ip ipsec policy group
add name=ikev2-policies
/ip ipsec profile
# NOTE(review): profile_1 offers dh-group=modp1024 and 3des, both legacy choices; presumably kept for older L2TP/IPsec clients — confirm they are still needed.
add dh-group=modp1024 enc-algorithm=aes-256,aes-192,aes-128,3des \
    hash-algorithm=sha256 name=profile_1
add enc-algorithm=aes-256,aes-192,aes-128 hash-algorithm=sha256 name=IKEv2
/ip ipsec peer
add address=0.0.0.0/32 comment="l2tp/ipsec ipv4" disabled=yes name=peer3 \
    passive=yes profile=profile_1 send-initial-contact=no
add exchange-mode=ike2 name=IKEv2-peer passive=yes profile=IKEv2 \
    send-initial-contact=no
/ip ipsec proposal
# NOTE(review): the default proposal still lists sha1 and 3des (legacy algorithms).
set [ find default=yes ] auth-algorithms=sha512,sha256,sha1 enc-algorithms=\
    aes-256-cbc,aes-192-cbc,aes-128-cbc,3des
add auth-algorithms=sha512,sha256 name=IKEv2 pfs-group=none
/ip pool
add name=default-dhcp ranges=192.168.88.10-192.168.88.254
add name=vpn-pool ranges=192.168.251.2-192.168.251.15
# NOTE(review): ranges here uses a comma, so the pool is the two addresses .18 and .31 rather than the range .18-.31 used by the other pools — confirm which was intended.
add name=ipsec-pool ranges=192.168.251.18,192.168.251.31
/ip dhcp-server
add address-pool=default-dhcp authoritative=after-2sec-delay disabled=yes \
    interface=bridge1 name=defconf
/ip ipsec mode-config
add address-pool=ipsec-pool address-prefix-length=32 name=IKEv2-cfg \
    split-include=192.168.251.16/28,192.168.128.0/24
/port
set 0 name=serial0
/ppp profile
add dns-server=192.168.128.2 local-address=192.168.251.1 name=l2tp-ipsec \
    remote-address=vpn-pool use-encryption=required wins-server=192.168.128.2
/routing ospf instance
add disabled=yes name=default-v2
/routing ospf area
add disabled=yes instance=default-v2 name=backbone-v2
/routing bgp template
set default disabled=yes output.network=bgp-networks routing-table=main
/snmp community
# NOTE(review): addresses=0.0.0.0/0 lets the default community be queried from any source address; whether udp/161 is reachable from ether1 then depends only on the input chain.
set [ find default=yes ] addresses=0.0.0.0/0
/user group
set full policy="local,telnet,ssh,ftp,reboot,read,write,policy,test,winbox,pas\
    sword,web,sniff,sensitive,api,romon,dude,rest-api"
/interface bridge port
add bridge=bridge1 ingress-filtering=no interface=ether2-master
add bridge=bridge1 ingress-filtering=no interface=ether3
add bridge=bridge1 ingress-filtering=no interface=ether4
add bridge=bridge1 ingress-filtering=no interface=ether5
/ip neighbor discovery-settings
set discover-interface-list=discover
/ipv6 settings
set disable-ipv6=yes max-neighbor-entries=8192
/interface l2tp-server server
set allow-fast-path=yes authentication=chap,mschap1,mschap2 default-profile=\
    l2tp-ipsec enabled=yes use-ipsec=yes
/interface list member
add interface=ether2-master list=mactel
add interface=ether2-master list=mac-winbox
/interface ovpn-server server
# NOTE(review): the OVPN server accepts blowfish128 and uses sha1 auth (legacy); the input rules for tcp/udp 1194 expose it on ether1, so review whether any remaining client still needs those algorithms.
set auth=sha1 certificate=*4 cipher=blowfish128,aes192,aes256
/interface wireguard peers
add allowed-address=192.168.0.0/24,192.168.249.1/32 comment="xxxx1" \
    disabled=yes endpoint-address=xxxx.ddns.net endpoint-port=52939 \
    interface=wireguard1 persistent-keepalive=25s public-key=\
    "xxxx"
add allowed-address=192.168.249.2/32 comment="xxxx2" disabled=\
    yes interface=wireguard1 public-key=\
    "xxxx"
/ip address
add address=192.168.128.254/24 comment=defconf interface=bridge1 network=\
    192.168.128.0
add address=93.186.57.86/30 interface=ether1 network=93.186.57.84
add address=192.168.251.17/28 interface=ipsec-bridge network=192.168.251.16
/ip dhcp-client
add comment=defconf disabled=yes interface=ether1
/ip dhcp-server network
add address=192.168.128.0/24 comment=defconf gateway=192.168.128.254 netmask=\
    24
/ip dns
set servers=192.168.128.2,8.8.8.8
/ip dns static
add address=192.168.128.254 name=router
/ip firewall address-list
add address=192.168.0.0/24 disabled=yes list=external
/ip firewall filter
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
    connection-mark=!ipsec connection-state=established,related hw-offload=\
    yes
add action=accept chain=forward comment="defconf: accept established,related" \
    connection-state=established,related
# NOTE(review): both rules below combine ipsec-policy with in-interface=ether1; traffic matching an out policy normally enters from the LAN side, so the "ipsec out" rule probably never matches — confirm before relying on it.
add action=accept chain=forward comment="ipsec in" in-interface=ether1 \
    ipsec-policy=in,ipsec
add action=accept chain=forward comment="ipsec out" in-interface=ether1 \
    ipsec-policy=out,ipsec
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
add action=drop chain=forward comment=\
    "defconf:  drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
    connection-state=new in-interface=ether1
# NOTE(review): the second ICMP rule has no in-interface match and already covers the first one.
add action=accept chain=input in-interface=ether1 protocol=icmp
add action=accept chain=input comment="Accept ICMP" protocol=icmp
# NOTE(review): "new" in this accept makes the input chain accept any new connection on every interface, including ether1, so the per-service rules and the final drop from ether1 below are never reached for new WAN connections. The defconf form is connection-state=established,related,untracked.
add action=accept chain=input comment="Accept Established" connection-state=\
    established,related,new,untracked
# NOTE(review): tcp/22 is accepted from ether1 and /ip ssh below keeps always-allow-password-login=yes, so password authentication to the router is reachable from the Internet (logged with prefix wan-ssh).
add action=accept chain=input comment=wan-ssh connection-state="" dst-port=22 \
    in-interface=ether1 log=yes log-prefix=wan-ssh protocol=tcp
add action=accept chain=input comment=l2tp/ipsec dst-port=500,1701,4500 \
    in-interface=ether1 protocol=udp
add action=accept chain=input comment=l2tp/ipsec in-interface=ether1 \
    protocol=ipsec-esp
add action=accept chain=input comment=openvpn dst-port=1194 in-interface=\
    ether1 protocol=tcp
add action=accept chain=input comment=openvpn dst-port=1194 in-interface=\
    ether1 protocol=udp
add action=accept chain=input comment=wireguard dst-port=52939 in-interface=\
    ether1 protocol=udp
# NOTE(review): final drop for everything else arriving on ether1; it only takes effect for new connections once the "new" accept above is removed.
add action=drop chain=input in-interface=ether1
/ip firewall mangle
add action=mark-connection chain=forward comment="Mark IPsec" ipsec-policy=\
    out,ipsec new-connection-mark=ipsec
add action=mark-connection chain=forward comment="Mark IPsec" ipsec-policy=\
    in,ipsec new-connection-mark=ipsec
/ip firewall nat
# NOTE(review): to-addresses is set on an action=masquerade rule; masquerade picks the out-interface address itself, so the value presumably has no effect — confirm, or use action=src-nat if a fixed address is intended.
add action=masquerade chain=srcnat comment="defconf: masquerade" log-prefix=\
    src-nat out-interface=ether1 src-address=192.168.128.0/24 to-addresses=\
    93.186.57.86
add action=dst-nat chain=dstnat comment=tinc disabled=yes dst-port=655 \
    in-interface=ether1 protocol=tcp to-addresses=192.168.128.2 to-ports=655
add action=dst-nat chain=dstnat comment=tinc disabled=yes dst-port=655 \
    in-interface=ether1 protocol=udp to-addresses=192.168.128.2 to-ports=655
# NOTE(review): forwards WAN tcp/8122 to SSH on 192.168.128.2 (logged); that host's SSH service is Internet-reachable through this rule.
add action=dst-nat chain=dstnat comment=ssh-dc1 dst-port=8122 in-interface=\
    ether1 log=yes log-prefix=abc-ssh-dc1 protocol=tcp to-addresses=\
    192.168.128.2 to-ports=22
add action=dst-nat chain=dstnat comment="wireguard on wg-gate" disabled=yes \
    dst-address-type="" dst-port=52939 in-interface=ether1 log-prefix=\
    wg-forward protocol=udp to-addresses=192.168.128.253 to-ports=51820
/ip ipsec identity
add generate-policy=port-strict peer=peer3 remote-id=ignore
add auth-method=digital-signature certificate=abc-ikev2 generate-policy=\
    port-strict mode-config=IKEv2-cfg peer=IKEv2-peer policy-template-group=\
    ikev2-policies
/ip ipsec policy
add action=discard comment="Drop any L2TP unencrypted incoming traffic" \
    dst-address=0.0.0.0/0 protocol=udp src-address=93.186.57.86/32 src-port=\
    1701
add comment="ipsec ikev2" dst-address=192.168.251.0/28 group=ikev2-policies \
    proposal=IKEv2 src-address=0.0.0.0/0 template=yes
# NOTE(review): this non-template tunnel policy covers ALL traffic between 93.186.57.86 and 0.0.0.0/0 (any address). Matching packets are held for IPsec rather than sent in the clear, and no SA exists for them, so in effect every plain WAN packet to or from the public address is dropped — this is the WAN outage reported in the thread (identified by Sob); disable or remove it.
add comment="ikev2 test" dst-address=0.0.0.0/0 peer=IKEv2-peer proposal=IKEv2 \
    src-address=93.186.57.86/32 tunnel=yes
/ip route
add disabled=no dst-address=0.0.0.0/0 gateway=93.186.57.85
/ip service
set telnet disabled=yes
set ftp disabled=yes
set www disabled=yes
set www-ssl certificate=abc-https disabled=no
set api disabled=yes
set api-ssl disabled=yes
/ip smb shares
set [ find default=yes ] directory=/pub
/ip ssh
# NOTE(review): password authentication stays available and remote forwarding is enabled; together with the wan-ssh input rule this is reachable from the Internet — key-only authentication would remove the password surface.
set always-allow-password-login=yes forwarding-enabled=remote strong-crypto=\
    yes
/ppp secret
add comment="xxxx3" name=user1 profile=l2tp-ipsec routes=\
    192.168.0.0/24 service=l2tp
add comment="xxxx4" name=user2 profile=l2tp-ipsec service=l2tp
add comment="xxxx4" name=user3 profile=l2tp-ipsec service=l2tp
add comment="xxxx5" name=user4 profile=l2tp-ipsec \
    service=l2tp
/system clock
set time-zone-name=Europe/Moscow
/system identity
set name=abc.r-networks.ru
/system logging
add disabled=yes prefix=l2tp topics=l2tp
add prefix=ipsec topics=ipsec
/system ntp client
set enabled=yes
/system ntp client servers
add address=192.168.128.2
/system resource irq rps
set ether1 disabled=no
set ether2-master disabled=no
set ether3 disabled=no
set ether4 disabled=no
set ether5 disabled=no
/tool bandwidth-server
set enabled=no
/tool mac-server
set allowed-interface-list=none
/tool mac-server mac-winbox
set allowed-interface-list=mac-winbox
/tool mac-server ping
set enabled=no
/tool sniffer
# NOTE(review): filter-interface is an unresolved internal id (*F00A79), presumably a leftover pointing at an interface that no longer exists.
set filter-interface=*F00A79 filter-ip-protocol=icmp
Please, help!

P.S. The WireGuard config was created for version 7.5 and is disabled now.
 
Sob
Forum Guru
Forum Guru
Posts: 9119
Joined: Mon Apr 20, 2009 9:11 pm

Re: No traffic on WAN interface after upgrade to 7.5

Tue Sep 20, 2022 1:42 am

Only problem I see is this rule:
/ip firewall filter
# NOTE(review): "new" in an input accept with no interface or port match admits any new connection from any interface, including the WAN; the defconf form is connection-state=established,related,untracked.
add action=accept chain=input comment="Accept Established" connection-state=established,related,new,untracked
where "new" makes the router wide open: any new connection to any service from anywhere would be allowed. I don't know if you kept the real public address, but if you did, then the problem should be elsewhere, because I can't even ping it.
 
anav
Forum Guru
Forum Guru
Posts: 19103
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: No traffic on WAN interface after upgrade to 7.5

Tue Sep 20, 2022 2:18 am

Not surprising one gets errors in such a disorganized mess of firewall rules; at least keep the chains contiguous!!!
 
NicholasYK
just joined
Topic Author
Posts: 5
Joined: Thu Sep 15, 2022 1:48 pm

Re: No traffic on WAN interface after upgrade to 7.5

Tue Sep 20, 2022 9:17 am

Only problem I see is this rule:
/ip firewall filter
# NOTE(review): "new" in an input accept with no interface or port match admits any new connection from any interface, including the WAN; the defconf form is connection-state=established,related,untracked.
add action=accept chain=input comment="Accept Established" connection-state=established,related,new,untracked
where "new" makes the router wide open, any connection to any service from anywhere should be allowed. I don't know if you kept real public address, but if you did, then the problem should be elsewhere, because I can't even ping it.
You are right, the "new" is a trace of desperate "experiments" to solve the problem :(
The public address is real and, yes, it can't be pinged. It can't be pinged from the router either. The only thing that works from the Internet is L2TP/IPsec :(

The router has a long history; some services died and the rules for them were not deleted, only disabled.
 
BartoszP
Forum Guru
Forum Guru
Posts: 2865
Joined: Mon Jun 16, 2014 1:13 pm
Location: Poland

Re: No traffic on WAN interface after upgrade to 7.5

Tue Sep 20, 2022 9:23 am

Does it work again when you restore it to the version used before the upgrade? Do you have a backup?
 
NicholasYK
just joined
Topic Author
Posts: 5
Joined: Thu Sep 15, 2022 1:48 pm

Re: No traffic on WAN interface after upgrade to 7.5

Tue Sep 20, 2022 12:11 pm

I did not restore to the previous version; for now I am looking for a way to fix it on 7.5.
 
Sob
Forum Guru
Forum Guru
Posts: 9119
Joined: Mon Apr 20, 2009 9:11 pm

Re: No traffic on WAN interface after upgrade to 7.5  [SOLVED]

Tue Sep 20, 2022 10:00 pm

One more thing I see: your last IPsec policy ("ikev2 test") matches traffic between your public address and 0.0.0.0/0 (= any address), so it will basically block all traffic to and from your public address, because matching packets are held for IPsec and there is no SA to carry them.
 
NicholasYK
just joined
Topic Author
Posts: 5
Joined: Thu Sep 15, 2022 1:48 pm

Re: No traffic on WAN interface after upgrade to 7.5

Wed Sep 21, 2022 9:11 am

Thanks, I'll test in the evening
 
johnson73
Member Candidate
Member Candidate
Posts: 174
Joined: Wed Feb 05, 2020 10:07 am

Re: No traffic on WAN interface after upgrade to 7.5

Wed Sep 21, 2022 4:12 pm

After fixing your firewall filter, this should be more correct:
For proper firewall operation, it is recommended to use the approach described here: viewtopic.php?t=180838
/ip firewall filter
# NOTE(review): input chain — generic accept/drop rules first, then the per-service accepts restricted to ether1, then a final drop for anything else arriving on ether1.
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
# NOTE(review): this still opens tcp/22 on ether1; with always-allow-password-login=yes in the original export's /ip ssh section, password logins to the router remain reachable from the Internet.
add action=accept chain=input comment=wan-ssh connection-state="" dst-port=22 \
    in-interface=ether1 log=yes log-prefix=wan-ssh protocol=tcp
add action=accept chain=input comment=l2tp/ipsec dst-port=500,1701,4500 \
    in-interface=ether1 protocol=udp
add action=accept chain=input comment=l2tp/ipsec in-interface=ether1 \
    protocol=ipsec-esp
add action=accept chain=input comment=openvpn dst-port=1194 in-interface=\
    ether1 protocol=tcp
add action=accept chain=input comment=openvpn dst-port=1194 in-interface=\
    ether1 protocol=udp
add action=accept chain=input comment=wireguard dst-port=52939 in-interface=\
    ether1 protocol=udp
add action=drop chain=input in-interface=ether1

# NOTE(review): forward chain — the IPsec policy accepts no longer carry in-interface=ether1 and are placed before fasttrack, so IPsec-bound traffic is accepted before it could be fasttracked (the fasttrack rule additionally excludes connection-mark=ipsec).
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
    ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
    ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
    connection-mark=!ipsec connection-state=established,related hw-offload=\
    yes
add action=accept chain=forward comment="defconf: accept established,related" \
    connection-state=established,related
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
# NOTE(review): last rule of the forward chain — only DST-NATed new connections from ether1 get through.
add action=drop chain=forward comment=\
    "defconf:  drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
    connection-state=new in-interface=ether1
 
NicholasYK
just joined
Topic Author
Posts: 5
Joined: Thu Sep 15, 2022 1:48 pm

Re: No traffic on WAN interface after upgrade to 7.5

Thu Sep 22, 2022 9:46 am

Sob, thank you, everything works now!

Johnson73, thanks for advice.
