Community discussions

MikroTik App
 
szczyglik
just joined
Topic Author
Posts: 2
Joined: Mon Oct 31, 2022 9:45 am

[hAP ac2] Two devices are not accessible from LAN

Mon Oct 31, 2022 10:07 am

Hello,
First of all I am very sorry I only speak a little English.
To the point:
I have connection issues to some of the LAN devices (cameras). I think I read almost whole forum and didn't find problem like mine.
I configured some firewall rules to access my cameras from WAN and connection works fine.
I'm able to reach cameras from outside of my network, but I'm not able to reach them from LAN. But the problem is that I'm not able to reach them even I use local IP addresses.
After cameras restart I'm able to get them locally for some time (up to 4 hours). Then I can reach them only from outside of my network (like LTE connection on my phone).
That's why I'm thinking about the routing issues, not the firewall.
For info: other forwarded ports are working fine (son can reach his Minecraft server using external IP, I'm able to use SMB externally and more), so I'm not pasting their config. It looks identical.
Here is my firewall config (I replaced my external IP by 111.111.111.111):
/ip firewall filter
add action=accept chain=forward comment="defconf: drop winserv" disabled=yes dst-address=!192.168.1.1 src-address=192.168.1.0/24
add action=accept chain=forward comment="defconf: accept in ipsec policy" ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related hw-offload=yes
add action=accept chain=forward comment="defconf: accept established,related, untracked" connection-state=established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
add action=drop chain=forward comment="defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat connection-state=new in-interface-list=WAN
add action=accept chain=input protocol=icmp
add action=accept chain=input connection-state=established
add action=accept chain=input connection-state=related
add action=drop chain=input in-interface-list=!LAN
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" disabled=yes ipsec-policy=out,none out-interface-list=WAN
add action=dst-nat chain=dstnat comment="Camera external" dst-address=111.111.111.111 dst-port=8100 in-interface=pppoe-out1 protocol=tcp to-addresses=192.168.1.100 to-ports=8100
add action=dst-nat chain=dstnat comment="Camera external" dst-address=111.111.111.111 dst-port=8102 in-interface=pppoe-out1 protocol=tcp to-addresses=192.168.1.102 to-ports=8102
add action=dst-nat chain=dstnat comment="Camera internal" dst-address=!192.168.1.1 dst-address-type=local dst-port=8100 protocol=tcp to-addresses=192.168.1.100 to-ports=8100
add action=dst-nat chain=dstnat comment="Camera internal" dst-address=!192.168.1.1 dst-address-type=local dst-port=8102 protocol=tcp to-addresses=192.168.1.102 to-ports=8102
add action=masquerade chain=srcnat dst-address=!192.168.1.1 src-address=192.168.1.0/24
 
Sob
Forum Guru
Forum Guru
Posts: 9049
Joined: Mon Apr 20, 2009 9:11 pm

Re: [hAP ac2] Two devices are not accessible from LAN

Mon Oct 31, 2022 6:50 pm

So you think it's not caused by firewall, but only thing you posted is firewall. I see a small flaw in your plan. :)

Btw, you don't need separate dstnat rules for access from inside and outside. If you remove in-interface=pppoe-out1 from outside ones, they will work for both.
 
User avatar
anav
Forum Guru
Forum Guru
Posts: 14354
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada
Contact:

Re: [hAP ac2] Two devices are not accessible from LAN

Mon Oct 31, 2022 7:08 pm

Please post network diagram and as sob indicated
full config

/export file=anynameyouwish ( minus serial number and any public wan IP information )
 
szczyglik
just joined
Topic Author
Posts: 2
Joined: Mon Oct 31, 2022 9:45 am

Re: [hAP ac2] Two devices are not accessible from LAN

Mon Oct 31, 2022 8:22 pm

Please post network diagram and as sob indicated
full config

/export file=anynameyouwish ( minus serial number and any public wan IP information )
/interface bridge
add name=bridge1
/interface wireless
set [ find default-name=wlan2 ] band=5ghz-a/n/ac channel-width=\
    20/40/80mhz-Ceee country=poland default-authentication=no frequency=auto \
    mode=ap-bridge ssid=XXXXXX wireless-protocol=802.11
/interface pppoe-client
add add-default-route=yes disabled=no interface=ether1 name=pppoe-out1 \
    service-name=XXXXXX use-peer-dns=yes user=\
    XXX
/interface list
add name=WAN
add name=LAN
/interface lte apn
set [ find default=yes ] ip-type=ipv4 use-network-apn=no
/interface wireless security-profiles
set [ find default=yes ] authentication-types=wpa-psk,wpa2-psk eap-methods="" \
    group-ciphers=tkip,aes-ccm mode=dynamic-keys supplicant-identity=MikroTik \
    unicast-ciphers=tkip,aes-ccm
/ip pool
add name=dhcp ranges=192.168.1.10-192.168.1.200
add name=vpn ranges=192.168.89.2-192.168.89.255
/ip dhcp-server
add address-pool=dhcp interface=bridge1 name=dhcp1
/ppp profile
set *FFFFFFFE local-address=192.168.1.1 remote-address=vpn
/routing bgp template
set default disabled=no output.network=bgp-networks
/routing ospf instance
add disabled=no name=default-v2
/routing ospf area
add disabled=yes instance=default-v2 name=backbone-v2
/interface wireless
set [ find default-name=wlan1 ] band=2ghz-g/n channel-width=20/40mhz-XX \
    country=poland frequency=auto mode=ap-bridge ssid=XXXXXXX \
    wds-default-bridge=*A wds-mode=dynamic-mesh wireless-protocol=802.11
/interface bridge port
add bridge=bridge1 ingress-filtering=no interface=ether2
add bridge=bridge1 ingress-filtering=no interface=ether3
add bridge=bridge1 ingress-filtering=no interface=ether4
add bridge=bridge1 ingress-filtering=no interface=ether5
add bridge=bridge1 ingress-filtering=no interface=wlan2
add bridge=bridge1 ingress-filtering=no interface=wlan1
add bridge=bridge1 disabled=yes interface=ether1
/ip neighbor discovery-settings
set discover-interface-list=LAN
/ip settings
set max-neighbor-entries=8192
/ipv6 settings
set disable-ipv6=yes max-neighbor-entries=8192
/interface l2tp-server server
set use-ipsec=yes
/interface list member
add interface=pppoe-out1 list=WAN
add list=LAN
add interface=ether2 list=LAN
add interface=ether3 list=LAN
add interface=ether4 list=LAN
add interface=ether5 list=LAN
add interface=wlan2 list=LAN
add interface=wlan1 list=LAN
add interface=ether1 list=WAN
add interface=bridge1 list=LAN
/interface ovpn-server server
set auth=sha1,md5
/interface sstp-server server
set default-profile=default-encryption
/ip address
add address=192.168.1.1/24 interface=bridge1 network=192.168.1.0
/ip cloud
set update-time=no
/ip dhcp-client
add disabled=yes interface=ether1
/ip dhcp-server lease
add address=192.168.1.111 client-id=1:XXXXXX comment=FileServer \
    mac-address=XXXXXX server=dhcp1
add address=192.168.1.201 client-id=1:XXXXXX comment=\
    "Nova Slave Mesh3 Bedroom" mac-address=XXXXXX server=dhcp1
add address=192.168.1.105 client-id=1:XXXXXX comment=CameraDzieci \
    mac-address=XXXXXX server=dhcp1
add address=192.168.1.100 client-id=1:XXXXXX comment=\
    "Camera Garage" mac-address=XXXXXX server=dhcp1
add address=192.168.1.200 client-id=1:XXXXXX comment=\
    "Nova Master M6 Office" mac-address=XXXXXX server=dhcp1
add address=192.168.1.112 client-id=1:XXXXXX comment=Canon \
    mac-address=XXXXXX server=dhcp1
add address=192.168.1.113 client-id=1:XXXXXX comment=Acer \
    mac-address=XXXXXX server=dhcp1
add address=192.168.1.202 client-id=1:XXXXXX comment=\
    "Nova Slave Mesh3 Upstairs" mac-address=XXXXXX server=dhcp1
add address=192.168.1.114 client-id=1:XXXXXX mac-address=\
    XXXXXX server=dhcp1
add address=192.168.1.102 client-id=1:XXXXXX comment=\
    "Camera Entrance" mac-address=XXXXXX server=dhcp1
/ip dhcp-server network
add address=192.168.1.0/24 gateway=192.168.1.1 netmask=24
/ip firewall address-list
add address=192.168.1.10-192.168.1.200 list=allowed_to_router
/ip firewall filter
add action=accept chain=forward comment="defconf: drop winserv" disabled=yes \
    dst-address=!192.168.1.1 src-address=192.168.1.0/24
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
    ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
    ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
    connection-state=established,related hw-offload=yes
add action=accept chain=forward comment=\
    "defconf: accept established,related, untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
add action=drop chain=forward comment=\
    "defconf:  drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
    connection-state=new in-interface-list=WAN
add action=accept chain=input protocol=icmp
add action=accept chain=input connection-state=established
add action=accept chain=input connection-state=related
add action=drop chain=input in-interface-list=!LAN
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" \
    ipsec-policy=out,none out-interface-list=WAN
add action=dst-nat chain=dstnat comment="Camera external" dst-address=\
    XXX.XXX.XXX.XXX dst-port=8100 protocol=tcp to-addresses=192.168.1.100 \
    to-ports=8100
add action=dst-nat chain=dstnat comment="Camera external" dst-address=\
    XXX.XXX.XXX.XXX dst-port=8102 log=yes log-prefix=nat protocol=tcp \
    to-addresses=192.168.1.102 to-ports=8102
add action=dst-nat chain=dstnat comment="SMB External" dst-address=\
    XXX.XXX.XXX.XXX dst-port=445 protocol=tcp to-addresses=192.168.1.111 \
    to-ports=445
add action=dst-nat chain=dstnat comment=Minecraft dst-address=XXX.XXX.XXX.XXX \
    dst-port=25565 protocol=tcp to-addresses=192.168.1.111 to-ports=25565
add action=dst-nat chain=dstnat comment=STRONKA dst-address=XXX.XXX.XXX.XXX \
    dst-port=80 protocol=tcp to-addresses=192.168.1.111 to-ports=80
add action=dst-nat chain=dstnat comment="STRONKA SSL" dst-address=\
    XXX.XXX.XXX.XXX dst-port=8443 protocol=tcp to-addresses=192.168.1.111 \
    to-ports=8443
add action=dst-nat chain=dstnat comment="STRONKA SSL" dst-address=\
    XXX.XXX.XXX.XXX dst-port=443 protocol=tcp to-addresses=192.168.1.111 \
    to-ports=443
add action=masquerade chain=srcnat dst-address=!192.168.1.1 src-address=\
    192.168.1.0/24
/ip firewall service-port
set ftp disabled=yes
set tftp disabled=yes
set sip disabled=yes
/ip service
set ftp disabled=yes
/ip smb
set allow-guests=no domain=XXXXXXXX
/ip smb shares
add directory=disk11 name=dane
/ip smb users
add name=smbuser read-only=no
/ppp secret
add name=vpn profile=default-encryption
/radius incoming
set accept=yes
/system clock
set time-zone-name=Europe/Warsaw
/system ntp client
set enabled=yes
/system ntp server
set broadcast=yes enabled=yes manycast=yes
/system ntp client servers
add address=0.pool.ntp.org
add address=1.pool.ntp.org
add address=2.pool.ntp.org
add address=3.pool.ntp.org
/system routerboard settings
set auto-upgrade=yes
/system scheduler
add interval=1d name=Reboot on-event="/system reboot" policy=reboot \
    start-date=oct/30/2022 start-time=03:30:00
add interval=1d name="WoL ServerPC" on-event=\
    "tool wol interface=bridge1 mac=XXXXXXXX" policy=\
    ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon \
    start-date=jan/13/2022 start-time=11:00:00
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN
 
User avatar
anav
Forum Guru
Forum Guru
Posts: 14354
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada
Contact:

Re: [hAP ac2] Two devices are not accessible from LAN

Mon Oct 31, 2022 8:53 pm

Looks good so far.......

(1) This could be stated a bit shorter...... and you have an entry in red, that does nothing for you.
/interface list member
add interface=pppoe-out1 list=WAN
add list=LAN
add interface=ether2 list=LAN
add interface=ether3 list=LAN
add interface=ether4 list=LAN
add interface=ether5 list=LAN
add interface=wlan2 list=LAN
add interface=wlan1 list=LAN
add interface=ether1 list=WAN
add interface=bridge1 list=LAN


/interface list member
add interface=pppoe-out1 list=WAN
add interface=ether1 list=WAN
add interface=bridge1 list=LAN


(2) I would clean up the firewall rules a bit and ensure correct order.
{forward chain}
FROM:
add action=drop chain=forward comment=\
"defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
connection-state=new in-interface-list=WAN

TO:
add action=accept chain=forward comment="allow port forwarding" connection-nat-state=dstnat ( this line may help you out significantly )
add action=accept chain=forward comment="allow internet} in-interface-list=LAN out-interface-list=WAN
add action=drop chain=forward comment="drop all else"


{input chain}
From:
add action=accept chain=input protocol=icmp
add action=accept chain=input connection-state=established
add action=accept chain=input connection-state=related
add action=drop chain=input in-interface-list=!LAN

TO:
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input in-interface-list=LAN
add action=drop chain=input comment="drop all else"


(3) What is the purpose of this rule ????
add action=masquerade chain=srcnat dst-address=!192.168.1.1 src-address=\
192.168.1.0/24

Who is online

Users browsing this forum: SaS and 15 guests