omberli
Frequent Visitor
Topic Author
Posts: 86
Joined: Tue Oct 22, 2013 7:53 pm
Location: Norway

Reaching services behind firewall

Fri Oct 21, 2022 6:28 pm

Long time since I did Mikrotik configuration, and setting up a router/firewall is now a bit challenging.
I have a 951 unit set up as a router between a fiber WAN and a LAN with PCs, printers and 3 "servers" that should be reached from the WAN side by using MSTSC (Microsoft Terminal Service Client - normally using port 3389).

All servers have IP-addresses that are reserved in the DHCP server in the Mikrotik unit.
To reach the different servers, I want to access them from the outside by using the public IP:port (where port is 3387, 3388 or 3389). The firewall is configured to forward port 3387 to local-ip1:3389, port 3388 to local-ip2:3389 and port 3389 to local-ip3:3389.
For some reason I'm not able to reach any of these servers from the outside.

I also tried to configure Winbox access to the router from the WAN side, but this doesn't work either. Seems like I've set up the firewall incorrectly.
Have attached an edited configuration that shows the firewall settings + some more. Hope someone can help find the problem (and a solution).
Thanks!
-Olaf
 
holvoetn
Forum Guru
Posts: 1831
Joined: Tue Apr 13, 2021 2:14 am
Location: Belgium

Re: Reaching services behind firewall

Fri Oct 21, 2022 6:51 pm

Any reason why you are still on 6.42.6? Ever considered upgrading to the latest 6.49.7?

Are you SURE your device is directly accessible from outside? No other ISP device in between which might filter things?

From what I can see, it should work (to be safer you could add in-interface-list=WAN to those dst-nat rules and to the rule for allowing Winbox).
So I'd double check on that external accessibility.

PS: remove the serial number from the export when posting.
Not that it will directly hurt, but it's better to avoid bad guys trying to bombard your device from the outside if you ever activate IP Cloud, since then they will find you.

PS2: that's a pretty clean config!! :lol:
 
omberli
Frequent Visitor
Topic Author
Posts: 86
Joined: Tue Oct 22, 2013 7:53 pm
Location: Norway

Re: Reaching services behind firewall

Fri Oct 21, 2022 7:25 pm

Thanks for your response!
Had to set up the router in a hurry, and found an old unit on the shelf... Will upgrade the OS as soon as I get physical access to the router.

The fiber company says that their unit is in bridge mode (double checked), and I got a fixed, public IP, a gateway IP, a netmask and DNS server IPs from them.
Access to external services from the PCs in the LAN (browsing and email) works well.
What puzzles me is that not even Winbox works. I also kept the HTTP access enabled, but no response from the 951G when trying this access.
Need to double check with the fiber company if there are any "hidden features" that they didn't tell me about....
-Olaf
 
k6ccc
Forum Guru
Posts: 1096
Joined: Fri May 13, 2016 12:01 am
Location: Glendora, CA, USA (near Los Angeles)

Re: Reaching services behind firewall

Sat Oct 22, 2022 1:07 am

I highly recommend changing your firewall concept. You're kinda mixing accept and drop rules. Remember that any packet that makes it to the end of a chain is accepted. I suggest accepting what is specifically desired and dropping everything else with these two rules (at the end of the appropriate chain):
add action=drop chain=input comment=\
    "Drop any other input packets that get this far" 
--and--
add action=drop chain=forward comment=\
    "Drop any forward packets that get this far"

You are not able to get to the router from the WAN because there is no way to establish a NEW connection from the WAN on port 8291. See these two rules:
add action=accept chain=input comment="Accept Winbox" connection-state=\
    established,related,untracked dst-port=8291 log=yes protocol=tcp
--and--
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
    in-interface-list=!LAN
The accept does not include NEW, and the drop rule will drop the NEW packet before the Input chain ends.

These are completely unneeded. The MSTSC traffic is going to things other than the router, so it will be in the forward chain.
add action=accept chain=input comment=" Accept MSTSC" connection-state=\
    established,related dst-port=3387 protocol=tcp
add action=accept chain=input connection-state=established,related dst-port=\
    3388 protocol=tcp
add action=accept chain=input connection-state=established,related dst-port=\
    3389 protocol=tcp
 
omberli
Frequent Visitor
Topic Author
Posts: 86
Joined: Tue Oct 22, 2013 7:53 pm
Location: Norway

Re: Reaching services behind firewall

Sun Oct 23, 2022 4:11 pm

Thanks for your response!!
Seems like I need to update my router config skills quite a bit... ;-)
Have tried to implement your suggestions. Does this seem better? (Will not be able to test before doing the changes at the customer's site next week...)
-Olaf

/ip firewall filter
add action=accept chain=input comment=\
"defconf: accept established,related,untracked" connection-state=\
new,established,related,untracked log=yes
add action=accept chain=input comment="Accept Winbox" connection-state=\
new,established,related,untracked dst-port=8291 log=yes protocol=tcp
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
invalid
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
in-interface-list=!LAN

add action=accept chain=forward comment="defconf: accept in ipsec policy" \
ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
ipsec-policy=out,ipsec
add action=accept chain=forward comment=" Accept MSTSC" connection-state=\
established,related dst-port=3387 protocol=tcp
add action=accept chain=forward connection-state=established,related dst-port=\
3388 protocol=tcp
add action=accept chain=forward connection-state=established,related dst-port=\
3389 protocol=tcp

add action=drop chain=forward comment=\
"defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
connection-state=new in-interface-list=WAN
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
connection-state=established,related
add action=accept chain=forward comment=\
"defconf: accept established,related, untracked" connection-state=\
established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
connection-state=invalid

/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" \
ipsec-policy=out,none out-interface-list=WAN
add action=dst-nat chain=dstnat dst-port=3387 protocol=tcp to-addresses=\
192.168.1.129 to-ports=3389
add action=dst-nat chain=dstnat dst-port=3389 protocol=tcp to-addresses=\
192.168.1.128 to-ports=3389
add action=dst-nat chain=dstnat dst-port=3388 protocol=tcp to-addresses=\
192.168.1.32 to-ports=3389
 
omberli
Frequent Visitor
Topic Author
Posts: 86
Joined: Tue Oct 22, 2013 7:53 pm
Location: Norway

Re: Reaching services behind firewall

Tue Oct 25, 2022 9:09 pm

A short update.
I changed the firewall rules according to the previous post, and accessing Winbox from external sites now works.
MSTSC access to 3 different internal addresses also works OK.

When looking at a default firewall setup, I notice that there is no "new" state in the input chain. Would it be wrong to have the "new" state in addition to the factory default "established", "related" and "untracked"? Is the "new" state needed in any way?

-Olaf
 
anav
Forum Guru
Posts: 14471
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Reaching services behind firewall

Tue Oct 25, 2022 11:40 pm

Hi Olaf,
The quick answer is no, new is redundant.

Have a read here. Para 6 applies, all good reading.

viewtopic.php?t=180838
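Two points in this thread are easy to get wrong when reading a firewall export by eye: k6ccc's observation that the original Winbox rule never matched a NEW connection (and that a packet reaching the end of a chain is accepted), and Olaf's follow-up question about adding "new" to the input chain. The script below is an added example, written for this page and not RouterOS code or anyone's posted configuration verbatim: it parses RouterOS-style `add ...` lines (with the backslash continuations of an export), walks a constructed packet through the input chain with first-match semantics, and flags accept rules that admit `connection-state=new` without restricting the source. The `ORIGINAL_INPUT` and `REVISED_INPUT` samples are reconstructed from the rules quoted in the thread; `HARDENED_INPUT` is my own suggested chain (an assumption, not from the thread) and the packets are constructed test inputs. Only the matchers used here (protocol, dst-port, connection-state, in-interface-list) are modelled; port ranges and other matchers are not.

```python
"""Walk a packet through RouterOS-style /ip firewall filter rules (added example)."""
import shlex

# Constructed sample: the two input rules k6ccc quoted from the original export.
ORIGINAL_INPUT = """
add action=accept chain=input comment="Accept Winbox" connection-state=\\
    established,related,untracked dst-port=8291 log=yes protocol=tcp
add action=drop chain=input comment="defconf: drop all not coming from LAN" \\
    in-interface-list=!LAN
"""

# Constructed sample: the revised input chain from the Oct 23 post.
REVISED_INPUT = """
add action=accept chain=input comment=\\
    "defconf: accept established,related,untracked" connection-state=\\
    new,established,related,untracked log=yes
add action=accept chain=input comment="Accept Winbox" connection-state=\\
    new,established,related,untracked dst-port=8291 log=yes protocol=tcp
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=drop chain=input comment="defconf: drop invalid" connection-state=\\
    invalid
add action=drop chain=input comment="defconf: drop all not coming from LAN" \\
    in-interface-list=!LAN
"""

# Assumed hardened chain (my suggestion, not from the thread): accept only what is
# wanted, tie new connections to an interface list, end with an explicit drop.
HARDENED_INPUT = """
add action=accept chain=input comment="accept established,related,untracked" \\
    connection-state=established,related,untracked
add action=drop chain=input comment="drop invalid" connection-state=invalid
add action=accept chain=input comment="accept ICMP" protocol=icmp
add action=accept chain=input comment="Winbox from WAN" connection-state=new \\
    dst-port=8291 in-interface-list=WAN protocol=tcp
add action=accept chain=input comment="anything from LAN" in-interface-list=LAN
add action=drop chain=input comment="drop any other input packets that get this far"
"""

# Keys that do not take part in matching.
NON_MATCHERS = {"action", "chain", "comment", "log", "log-prefix"}


def parse_rules(export_text):
    """Parse 'add key=value ...' lines; a trailing backslash continues the line."""
    lines, buf = [], ""
    for raw in export_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.endswith("\\"):
            buf += line[:-1]          # export continuation: glue without a space
            continue
        lines.append(buf + line)
        buf = ""
    rules = []
    for line in lines:
        if not line.startswith("add "):
            continue
        rule = {}
        for token in shlex.split(line[4:]):   # shlex keeps quoted comments whole
            key, _, value = token.partition("=")
            rule[key] = value
        rules.append(rule)
    return rules


def rule_matches(rule, packet):
    """Every matcher must hold; '!' negates; comma lists are alternatives.
    A matcher the packet has no value for (dst-port on ICMP) cannot match."""
    for key, value in rule.items():
        if key in NON_MATCHERS:
            continue
        if key not in packet:
            return False
        negate = value.startswith("!")
        hit = packet[key] in value.lstrip("!").split(",")
        if hit == negate:
            return False
    return True


def evaluate(rules, chain, packet):
    """First matching rule decides; falling off the end of a chain accepts."""
    for rule in rules:
        if rule.get("chain") == chain and rule_matches(rule, packet):
            return rule["action"], rule.get("comment", "")
    return "accept", "<end of chain>"


def unrestricted_new_accepts(rules, chain="input"):
    """Comments of accept rules matching 'new' with no source restriction:
    such rules admit fresh connections from every side of the router."""
    restricting = ("in-interface", "in-interface-list", "src-address", "src-address-list")
    found = []
    for rule in rules:
        if rule.get("chain") != chain or rule.get("action") != "accept":
            continue
        if "new" not in rule.get("connection-state", "").split(","):
            continue
        if any(k in rule for k in restricting):
            continue
        found.append(rule.get("comment", "<no comment>"))
    return found


# Constructed packets: a Winbox SYN from the WAN, the same on port 22, a reply packet
# of an established Winbox session, and a SYN on port 22 arriving from the LAN.
WINBOX_SYN_FROM_WAN = {"protocol": "tcp", "dst-port": "8291",
                       "connection-state": "new", "in-interface-list": "WAN"}
SSH_SYN_FROM_WAN = {**WINBOX_SYN_FROM_WAN, "dst-port": "22"}
WINBOX_REPLY_FROM_WAN = {**WINBOX_SYN_FROM_WAN, "connection-state": "established"}
SSH_SYN_FROM_LAN = {**SSH_SYN_FROM_WAN, "in-interface-list": "LAN"}

if __name__ == "__main__":
    for name, text in (("original", ORIGINAL_INPUT), ("revised", REVISED_INPUT),
                       ("hardened", HARDENED_INPUT)):
        rules = parse_rules(text)
        print(f"[{name}] Winbox SYN from WAN: {evaluate(rules, 'input', WINBOX_SYN_FROM_WAN)}")
        print(f"[{name}] port-22 SYN from WAN: {evaluate(rules, 'input', SSH_SYN_FROM_WAN)}")
        print(f"[{name}] unrestricted 'new' accepts: {unrestricted_new_accepts(rules)}")
```

Running it shows the three states of the thread side by side: the original chain drops the Winbox SYN because the accept rule lists only established/related/untracked, so the `!LAN` drop catches it; the revised chain accepts the Winbox SYN, but its first rule also accepts a new connection to port 22 (or any other router service) from the WAN, which is why "new" on an unrestricted input accept is a problem rather than a harmless extra; the hardened chain accepts Winbox from WAN only on that port, still accepts the established reply via the first rule, and drops the port-22 SYN at the explicit terminal drop instead of falling off the end of the chain.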
