#UPDATED OP with Final export, "case closed" ! /20180122/

Hey there everyone!

The firewall rules were thrown out the window in the end.
Management IPs will be handled on a service bases.

I am closing the post, thank you for everyone who tried to help !

Kind regards,
IBR



# software id = 5IAZ-WMI5
#
# model = 2011UiAS
# serial number = 724F066F9C98
/interface ethernet
set [ find default-name=ether1 ] comment=WAN mac-address=*********************
set [ find default-name=ether2 ] disabled=yes
set [ find default-name=ether3 ] disabled=yes
set [ find default-name=ether4 ] disabled=yes
set [ find default-name=ether5 ] comment=LAN
set [ find default-name=ether6 ] disabled=yes
set [ find default-name=ether7 ] disabled=yes
set [ find default-name=ether8 ] disabled=yes
set [ find default-name=ether9 ] disabled=yes
set [ find default-name=ether10 ] disabled=yes
set [ find default-name=sfp1 ] disabled=yes
/interface ethernet switch port
set 6 !egress-rate !ingress-rate
set 7 !egress-rate !ingress-rate
set 8 !egress-rate !ingress-rate
set 9 !egress-rate !ingress-rate
set 10 !egress-rate !ingress-rate
set 12 !egress-rate !ingress-rate
/ip pool
add name=dhcp_pool_1 ranges=192.168.249.1-192.168.251.254
/ip dhcp-server
add address-pool=dhcp_pool_1 disabled=no interface=ether5 lease-time=2d10m \
name=dhcp1
/ip neighbor discovery-settings
set discover-interface-list=!dynamic
/ip address
add address=192.168.248.1/22 interface=ether5 network=192.168.248.0
/ip dhcp-client
add dhcp-options=hostname,clientid disabled=no interface=ether1
/ip dhcp-server network
add address=192.168.248.0/22 dns-server=193.110.57.4,8.8.8.8 gateway=\
192.168.248.1
/ip firewall nat
add action=masquerade chain=srcnat out-interface=ether1 src-address=\
192.168.248.0/22
/ip service
set telnet disabled=yes
set www disabled=yes
set api disabled=yes
set winbox address=192.168.248.0/22
set api-ssl disabled=yes
/system clock
set time-zone-name=Europe/Budapest
/system identity
set name=MF-M-GW
/system ntp client
set enabled=yes server-dns-names=pool.ntp.org,3.hu.pool.ntp.org

Hello,
Your configuration isn't a million miles away from a router out of the box, for testing you could try resetting the router to factory default and connecting and seeing if it works? If it does then customise what you need which will negate any easily missed mistakes.

I have noted a few things that can be adjusted though;
DHCP to give out the dynamic DNS servers, simply do not give DNS out via the router's DHCP. If left blank it will hand out the ISP's dynamic ones. If this is above the drop rule you are allowing DNS requests from the WAN, you probably need to specify the in-interface as eth5 to make it tighter.

There is no reason why DHCP should not work to your client devices though. A daft question but what are you connecting into port 5? A switch or just a laptop for testing?

Hey there Steveocee, thanks for the reply!

I've checked what you've suggested, but no luck.
The device is connected directly into a cisco distribution switch; network works fine with our previous gateway.

I've discovered some wierd symptoms though :
DHCP clients get proper IP now, however DNS resolving doesn't work for a time, the MikroTik device doesn't reply to ping requests either.
After a random period of time DNS becomes available and ping works perfectly.
I've checked the filter rules by disabling each element, and discovered that disabling the Drop * input rule seems to solve the issue, however I have no idea, what protocoll should I add to the allowed filter rules..

I'll update the OP (swapping the current config) with the exact config so you might spot the mistake!

Thanks for the aid!

Regards,
Imre

To simplify the client DNS, just use the Mikrotik as the DNS server that is used by clients. Obviously you can replace the IP addresses with whatever name servers you want, and you can use something like namebench to find the fastest options once you get your system working.
Then add your gateway as the DNS server in the DHCP assignment. May also want to add add-arp to your DHCP configuration: Disable the extra/non-default firewall rules while troubleshooting and then add them back.

Troubleshooting should follow the OSI model, start with the basics and work your way up. Do devices get IPs, can they ping each ohter, can they ping the gateway, can they ping your own router's public IP address, can your router itself ping the google DNS servers, then can your client devices do DNS lookups using your router as the DNS server, etc.

Hey there effndc, thanks for your reply too!

I've removed the DNS from the DHCP server settings because Steveocee suggested that it will dynamically hand out the DNS settings of my ISP ( if remote-requests are enabled I guess).

May also want to add add-arp to your DHCP configuration:

Code: Select all

/ip dhcp-server add-arp=yes add address-pool=dhcp_pool1 always-broadcast=yes disabled=no interface=Eth5_LAN lease-time=1w3d name=DHCP_server1

I will definitely try this setting later, might explain some of the issues as explained in my previous reply to

Steveocee

Disable the extra/non-default firewall rules while troubleshooting and then add them back.
Troubleshooting should follow the OSI model, start with the basics and work your way up. Do devices get IPs, can they ping each ohter, can they ping the gateway, can they ping your own router's public IP address, can your router itself ping the google DNS servers, then can your client devices do DNS lookups using your router as the DNS server, etc.

When I disable the filter rule that is used to "block * input ", everything seems to work fine, which indicates to me, that I should add some additional permissive rules, or that my existing rules are faulty somewhere, but I am kinda stuck on that issue, as I do not seem to find the erroneous parts.


*Edit:
Still no luck here fellas, can you spot anything else I could try? Maybe the device has factory defects?
Thanks in advance!

Hey, good evening!
Have you figured out what was the problem or still no luck? Can you upload a recent export of the config to check it, too?

George

Hey, good evening!
Have you figured out what was the problem or still no luck? Can you upload a recent export of the config to check it, too?

George

Hey there George!

It is essentially still the same config, and no, I had no luck .

Have you tried using different rules per port on your firewall, something like
add action=accept chain=input comment=" Allow DHCP and DNS UDP" dst-port=53 in-interface=Eth5_LAN protocol=udp
add action=accept chain=input comment=" Allow DHCP and DNS UDP" dst-port=67 in-interface=Eth5_LAN protocol=udp
add action=accept chain=input comment=" Allow DHCP and DNS UDP" dst-port=68 in-interface=Eth5_LAN protocol=udp
add action=accept chain=input comment="Allow DHCP and DNS TCP" dst-port=53 in-interface=Eth5_LAN protocol=tcp
add action=accept chain=input comment="Allow DHCP and DNS TCP" dst-port=67 in-interface=Eth5_LAN protocol=tcp
add action=accept chain=input comment="Allow DHCP and DNS TCP" dst-port=68 in-interface=Eth5_LAN protocol=tcp

instead of using then in 2 rules?

Have you tried using different rules per port on your firewall, something like
add action=accept chain=input comment=" Allow DHCP and DNS UDP" dst-port=53 in-interface=Eth5_LAN protocol=udp
add action=accept chain=input comment=" Allow DHCP and DNS UDP" dst-port=67 in-interface=Eth5_LAN protocol=udp
add action=accept chain=input comment=" Allow DHCP and DNS UDP" dst-port=68 in-interface=Eth5_LAN protocol=udp
add action=accept chain=input comment="Allow DHCP and DNS TCP" dst-port=53 in-interface=Eth5_LAN protocol=tcp
add action=accept chain=input comment="Allow DHCP and DNS TCP" dst-port=67 in-interface=Eth5_LAN protocol=tcp
add action=accept chain=input comment="Allow DHCP and DNS TCP" dst-port=68 in-interface=Eth5_LAN protocol=tcp


instead of using then in 2 rules?

Thanks brav, I'll take a look at it when I go to work next week!
Could this be a bug in routerOS?

I dont think so, i just had a idea, in a different menu or ROS if you specify 2 "states" with a comma it waits for both the states to appear (like in connection state, if you have "related,established" it waits for a connection which is related AND established. If you want to filter them separately, you have 2 make 2 different rules). I dont think a packet could handle 2 dest ports at once so rule shouldn't check for 2 ports too, but, maybe it could really be a bug or something.Give it a try and let us know!

I dont think so, i just had a idea, in a different menu or ROS if you specify 2 "states" with a comma it waits for both the states to appear (like in connection state, if you have "related,established" it waits for a connection which is related AND established. If you want to filter them separately, you have 2 make 2 different rules). I dont think a packet could handle 2 dest ports at once so rule shouldn't check for 2 ports too, but, maybe it could really be a bug or something.Give it a try and let us know!

Ooky-dooky, doing it tomorrow afternoon, but your logic seems to be pretty impeccable.

I've tested the things you guys have been advising to me, but no luck still.

I am posting the freshly exported config here:


# oct/24/2017 18:46:40 by RouterOS 6.39.2
# software id = 5IAZ-WMI5
#
/interface ethernet
set [ find default-name=ether2 ] mac-address=F0:79:59:EB:9B:98 name=\
Eth2_WAN1_DIGI
set [ find default-name=ether5 ] name=Eth5_LAN
/ip pool
add name=dhcp_pool1 ranges=192.168.100.2-192.168.255.254
/ip dhcp-server
add add-arp=yes address-pool=dhcp_pool1 always-broadcast=yes disabled=no \
interface=Eth5_LAN lease-time=1w3d name=DHCP_server1
/ip address
add address=192.168.0.1/16 comment=LAN interface=Eth5_LAN network=192.168.0.0
/ip dhcp-client
add dhcp-options=hostname,clientid disabled=no interface=Eth2_WAN1_DIGI
/ip dhcp-server network
add address=192.168.0.0/16 gateway=192.168.0.1 netmask=16
/ip dns
set allow-remote-requests=yes
/ip firewall address-list
add address=192.168.1.24 list=AdminHosts
add address=192.168.3.3 list=AdminHosts
add address=192.168.3.2 list=AdminHosts
add address=192.168.3.1 list=AdminHosts
add address=192.168.3.4 list=AdminHosts
add address=192.168.3.5 list=AdminHosts
add address=192.168.3.6 list=AdminHosts
/ip firewall filter
add action=accept chain=input comment=\
"Allow established connections and related packets" connection-state=\
established,related in-interface=Eth5_LAN
add action=accept chain=input comment="Allow ICMP from LAN to router" \
in-interface=Eth5_LAN protocol=icmp
add action=accept chain=input comment="Allow port 53 UDP" dst-port=53 \
in-interface=Eth5_LAN protocol=udp
add action=accept chain=input comment="Allow port 53 TCP" dst-port=53 \
in-interface=Eth5_LAN protocol=tcp
add action=accept chain=input comment="Allow port 67 UDP" dst-port=67 \
in-interface=Eth5_LAN protocol=udp
add action=accept chain=input comment="Allow port 67 TCP" dst-port=67 \
in-interface=Eth5_LAN protocol=tcp
add action=accept chain=input comment="Allow port 68 UDP" dst-port=68 \
in-interface=Eth5_LAN protocol=udp
add action=accept chain=input comment="Allow port 68 TCP" dst-port=68 \
in-interface=Eth5_LAN protocol=tcp
add action=accept chain=input comment=\
"Allow AdminHosts addresses to access router" in-interface=Eth5_LAN \
src-address-list=AdminHosts
add action=drop chain=input comment=" Drop all else input requests !"
add action=fasttrack-connection chain=forward comment="fasttrack related" \
connection-state=established,related
add action=accept chain=forward comment=" fasttrack related" \
connection-state=established,related
add action=accept chain=forward comment=" Forward packets coming from LAN" \
out-interface=Eth2_WAN1_DIGI
add action=drop chain=forward comment=" Drop all else forward requests!"
add action=accept chain=input comment=" Allow DHCP and DNS UDP" disabled=\
yes dst-port=53,67,68 in-interface=Eth5_LAN protocol=udp
add action=accept chain=input comment="Allow DHCP and DNS TCP" disabled=yes \
dst-port=53,67,68 in-interface=Eth5_LAN protocol=tcp
/ip firewall nat
add action=masquerade chain=srcnat out-interface=Eth2_WAN1_DIGI
/ip service
set telnet disabled=yes
set ftp disabled=yes
set www disabled=yes
set ssh port=2200
set api disabled=yes
set api-ssl disabled=yes
/system clock
set time-zone-name=Europe/Budapest
/system identity
set name=MF-M-GW
/system logging
add disabled=yes topics=dns
add disabled=yes topics=dhcp
/system ntp client
set enabled=yes server-dns-names=pool.ntp.org,3.hu.pool.ntp.org
/tool sniffer
set file-name=packetsni9ffere filter-interface=Eth5_LAN filter-mac-address=\
DC:0E:A1:DF:F5:3E/FF:FF:FF:FF:FF:FF


Also, here is an imgur post about me failing as a static and as a DHCP client, failed DNS can also be observed:
https://imgur.com/a/Rzoj5

Thanks for your help in advance!

Regards,
IBR

I do not want to bump the topic, but does anyone have any idea why this basic config fails on me?
I am thinking its filter rules, but everything seem to be fine. Maybe its faulty HW ?

i would suggest you to disable the rules and enable them one by one, so as to see what is going on. maybe there is a problem with a param but i am currently away from my lab to reproduce your setup and check what is going on :-/
i will be back on the weekend and will search it more

i would suggest you to disable the rules and enable them one by one, so as to see what is going on. maybe there is a problem with a param but i am currently away from my lab to reproduce your setup and check what is going on :-/
i will be back on the weekend and will search it more

You are awesome mate, thanks!

The thing is, I've done this a few weeks back, and nothing seems to work up until I disable the "add action=drop chain=input comment=" Drop all else input requests !"" filter rule.

Sby told me that I should move the "add action=drop chain=input" filter rule behind the forward allowing rules, anyone has a take on this?

Order of firewall rules makes sense only when you are looking in ruleset of specific chain. If you are mixing chain order with global order its bit hard for us to help you. Your default deny rule should be last observing ruleset for INPUT chain. Easiest way to filter rules is via winbox. In right corner you have dropdown menu, select chain you are editing and rearrange rules by drag and drop.

i dont know if the commands in export and winbox are in the same order so i cant tell something about the current config, yet you should know that when a packet arrives in Firewall, ALL rules are checked in order so its good to see what's going on at your firewall...for example, if you have a drop for .0.0/24 and after that you accept a 0.1, dont expect that to work. If you put the 2nd one before the 1st one, then you will allow only .0.1 and the rest will go bye-bye.So maybe one of your rules was in a bad "location", yet as said i dont know in which order are the rules exported. Checking the rules order is VERY important

so i suppose you made it work. Good to know i helped little bit ( you can still rate my posts in reputation system )

Hey fellas!

i dont know if the commands in export and winbox are in the same order so i cant tell something about the current config, yet you should know that when a packet arrives in Firewall, ALL rules are checked in order so its good to see what's going on at your firewall...for example, if you have a drop for .0.0/24 and after that you accept a 0.1, dont expect that to work. If you put the 2nd one before the 1st one, then you will allow only .0.1 and the rest will go bye-bye.So maybe one of your rules was in a bad "location", yet as said i dont know in which order are the rules exported. Checking the rules order is VERY important

so i suppose you made it work. Good to know i helped little bit ( you can still rate my posts in reputation system )

Sorry, this is still in the limbo here, as I could not test the config yet, gona get a screenshot of the filters later today, maybe that'll help.

Order of firewall rules makes sense only when you are looking in ruleset of specific chain. If you are mixing chain order with global order its bit hard for us to help you. Your default deny rule should be last observing ruleset for INPUT chain. Easiest way to filter rules is via winbox. In right corner you have dropdown menu, select chain you are editing and rearrange rules by drag and drop.

All "drop * packets" rules are at the end of each chain, but I'll get a screenshot later today!

*Edit:
Here is the promised screenshot of my filter rules: https://imgur.com/a/nirs5


*Edit 17/11/22: cfg still doesn't work, I am starting to think that this is faulty hardware..

*Bump

I just saw, you need to accept ISP's DNS servers in input. You are currently allowing DNS requests only for LAN.

I just saw, you need to accept ISP's DNS servers in input. You are currently allowing DNS requests only for LAN.

Thanks mate! Is there a way to do this dynamically, or shall I always strive to add static DNS servers?

I think only with some scripting.

I think only with some scripting.

One more thing: do you have any idea, what could cause the ping failures on LAN?

It's this rule

add action=drop chain=forward comment=" Drop all else forward requests!"

Allow icmp in forward chain without more matchers. Just rule
add action=accept chain=forward protocol=icmp

It's this rule

add action=drop chain=forward comment=" Drop all else forward requests!"

Allow icmp in forward chain without more matchers. Just rule
add action=accept chain=forward protocol=icmp

Thanks!
This sure explains why I couldn't ping outside clients, but why couldn't I ping the LAN interface (that should be input chain)?

It's this rule

add action=drop chain=forward comment=" Drop all else forward requests!"

Allow icmp in forward chain without more matchers. Just rule
add action=accept chain=forward protocol=icmp

Dude, I think I got this; could you please check out my new filter rules? (
The filter rules: https://imgur.com/a/pyrbC
A forwad rule for ICMP was added, also two WAN rules for DNS input with a source address list that are my telco's DNS servers).

I'll test this live in two days, but if there is a security hole, I wanna know!
Thanks in advance mate!

Tried the config yesterday, failed miserably.
Still unable to ping LAN address, still not forwarding DNS queries.
I wonder if its really not a faulty device now...

Hey there again!

I've made some changes based on this wiki article: https://wiki.mikrotik.com/wiki/Basic_un ... all_script
I'll be able to test this tomorrow, but if you guys spot anything wrong here, let me know please!

Here is a screenshot of my filter rules: https://imgur.com/a/U6jNd

And here is the cfg export:

# nov/30/2017 18:09:30 by RouterOS 6.39.2
# software id = 5IAZ-WMI5
#
/interface ethernet
set [ find default-name=ether2 ] mac-address=F0:79:59:EB:9B:98 name=\
Eth2_WAN1_DIGI
set [ find default-name=ether5 ] name=Eth5_LAN
/ip pool
add name=dhcp_pool1 ranges=192.168.100.2-192.168.255.254
/ip dhcp-server
add add-arp=yes address-pool=dhcp_pool1 always-broadcast=yes disabled=no \
interface=Eth5_LAN lease-time=1w3d name=DHCP_server1
/ip address
add address=192.168.0.1/16 comment=LAN interface=Eth5_LAN network=192.168.0.0
/ip dhcp-client
add dhcp-options=hostname,clientid disabled=no interface=Eth2_WAN1_DIGI
/ip dhcp-server network
add address=192.168.0.0/16 gateway=192.168.0.1 netmask=16
/ip dns
set allow-remote-requests=yes
/ip firewall address-list
add address=192.168.1.24 list=AdminHosts
add address=192.168.3.3 list=AdminHosts
add address=192.168.3.2 list=AdminHosts
add address=192.168.3.1 list=AdminHosts
add address=192.168.3.4 list=AdminHosts
add address=192.168.3.5 list=AdminHosts
add address=192.168.3.6 list=AdminHosts
add address=193.110.57.4 list=DIGI_DNS_SRVRS
add address=193.110.56.8 list=DIGI_DNS_SRVRS
/ip firewall filter
add action=accept chain=input comment="Accept DNS - UDP" port=53 protocol=udp \
src-address-list=DIGI_DNS_SRVRS
add action=accept chain=input comment="Accept DNS - TCP" port=53 protocol=tcp \
src-address-list=DIGI_DNS_SRVRS
add action=accept chain=input comment="Accept established" connection-state=\
established
add action=accept chain=input comment="Accept to related connections" \
connection-state=related
add action=accept chain=input comment="Allow port 67 UDP (DHCP)" dst-port=67 \
protocol=udp
add action=accept chain=input comment="Allow port 67 TCP (DHCP)" dst-port=67 \
protocol=tcp
add action=accept chain=input comment="Allow port 68 UDP (DHCP)" dst-port=68 \
protocol=udp
add action=accept chain=input comment="Allow port 68 TCP (DHCP)" dst-port=68 \
protocol=tcp
add action=accept chain=input comment="Allow ICMP from LAN to router" \
in-interface=Eth5_LAN protocol=icmp
add action=accept chain=input comment=\
"Allow AdminHosts addresses to access router" in-interface=Eth5_LAN \
protocol=tcp src-address-list=AdminHosts
add action=drop chain=input comment=" Drop all else input requests !"
add action=accept chain=forward comment=" Forward packets coming from LAN" \
out-interface=Eth2_WAN1_DIGI
add action=fasttrack-connection chain=forward comment="fasttrack related" \
connection-state=established,related
add action=accept chain=forward comment=" fasttrack related" \
connection-state=established,related
add action=accept chain=forward comment="Allow Ping (ICMP) through router)" \
in-interface=Eth5_LAN protocol=icmp
add action=drop chain=forward comment=" Drop all else forward requests!"
add action=accept chain=input comment=\
"Allow established connections and related packets" connection-state=\
established,related disabled=yes in-interface=Eth5_LAN
add action=accept chain=input comment="Allow port 53 (DNS) UDP from LAN" \
disabled=yes dst-port=53 in-interface=Eth5_LAN protocol=udp
add action=accept chain=input comment="Allow port 53 (DNS) UDP from WAN" \
disabled=yes in-interface=Eth2_WAN1_DIGI protocol=udp src-address-list=\
DIGI_DNS_SRVRS src-port=53
add action=accept chain=input comment="Allow port 53 (DNS) TCP LAN" disabled=\
yes dst-port=53 in-interface=Eth5_LAN protocol=tcp
add action=accept chain=input comment="Allow port 53 (DNS) TCP from WAN" \
disabled=yes in-interface=Eth2_WAN1_DIGI protocol=tcp src-address-list=\
DIGI_DNS_SRVRS src-port=53
/ip firewall nat
add action=masquerade chain=srcnat out-interface=Eth2_WAN1_DIGI
/ip service
set telnet disabled=yes
set ftp disabled=yes
set www disabled=yes
set ssh port=2200
set api disabled=yes
set api-ssl disabled=yes
/system clock
set time-zone-name=Europe/Budapest
/system identity
set name=MF-M-GW
/system logging
add disabled=yes topics=dns
add disabled=yes topics=dhcp
/system ntp client
set enabled=yes server-dns-names=pool.ntp.org,3.hu.pool.ntp.org

*bump

Could it be that this config should work, or that I am missing something very trivial?
Its sortof suspicious that I didn't get a reply since quite some time now!

ok, i am back again tell me, what is the current status? as before, no DHCP or DNS?
what happened when you disabled the rules and activated them 1-1, anything changed?

ok, i am back again tell me, what is the current status? as before, no DHCP or DNS?
what happened when you disabled the rules and activated them 1-1, anything changed?

Hey there!

The current status can be seen in the OP, I've refreshed it with screenshots and a fresh export as well as an updated description.
Again, I'll be able to test changes next thursday, so if you spot something, I'll be able to try the changes than.