 
xcom
Frequent Visitor
Topic Author
Posts: 80
Joined: Sat Jul 05, 2014 8:59 pm

WAN IP leak

Sat Mar 31, 2018 4:35 am

My WAN IP on my Mikrotik is leaking inside my network. Is there a way to stop this?
My pfSense is reporting:

Interface: LAN
Source: Mikrotik WAN IP
Destination: voip.ms

Instead of the WAN IP, it should be my internal IP coming from the device up to my pfSense.
Ideas?

Thanks!
 
Sob
Forum Guru
Posts: 9188
Joined: Mon Apr 20, 2009 9:11 pm

Re: WAN IP leak

Sat Mar 31, 2018 6:03 am

You missed a step, first you need to find out why it happens. Stopping comes after that. If it was my problem, I'd check the config, or if I couldn't find it myself, I'd have someone else take a look.
 
xcom
Frequent Visitor
Topic Author
Posts: 80
Joined: Sat Jul 05, 2014 8:59 pm

Re: WAN IP leak

Sat Mar 31, 2018 6:22 am

Here is what my config looks like.
Nothing stands out to me as to why this is happening...
# mar/30/2018 22:07:06 by RouterOS 6.41
# software id = AXKP-SIF0
#
# model = CRS125-24G-1S
# serial number = 
/interface bridge
add admin-mac= arp=proxy-arp auto-mac=no fast-forward=no \
    mtu=1500 name=Bridge-pfSense protocol-mode=none
add disabled=yes fast-forward=no mtu=1500 name=bridge-trunk

/interface ethernet
set [ find default-name=ether1 ] mac-address= name=\
    Port1-Mikrotik-WAN
set [ find default-name=ether2 ] mac-address= name=\
    Port2-master-pfSense-Primary
set [ find default-name=ether3 ] mac-address= name=\
    Port3-slave-pfSense-Secondary
set [ find default-name=ether22 ] mac-address= name=\
    Port22-slave-UPLINK-Desk
set [ find default-name=ether4 ] mac-address= name=\
    ether4-slave-local
set [ find default-name=ether5 ] mac-address= name=\
    ether5-slave-local
set [ find default-name=ether6 ] mac-address= name=\
    ether6-slave-local
set [ find default-name=ether7 ] mac-address= name=\
    ether7-slave-local
set [ find default-name=ether8 ] mac-address= name=\
    ether8-slave-local
set [ find default-name=ether9 ] mac-address= name=\
    ether9-slave-local
set [ find default-name=ether10 ] mac-address= name=\
    ether10-slave-local
set [ find default-name=ether11 ] mac-address= name=\
    ether11-slave-local
set [ find default-name=ether12 ] mac-address= name=\
    ether12-slave-local
set [ find default-name=ether13 ] mac-address= name=\
    ether13-slave-local
set [ find default-name=ether14 ] mac-address= name=\
    ether14-slave-local
set [ find default-name=ether15 ] mac-address= name=\
    ether15-slave-local
set [ find default-name=ether16 ] mac-address= name=\
    ether16-slave-local
set [ find default-name=ether17 ] mac-address= name=\
    ether17-slave-local
set [ find default-name=ether18 ] mac-address= name=\
    ether18-slave-local
set [ find default-name=ether19 ] mac-address= name=\
    ether19-slave-local
set [ find default-name=ether20 ] mac-address= name=\
    ether20-slave-local
set [ find default-name=ether21 ] mac-address= name=\
    ether21-slave-local
set [ find default-name=ether23 ] mac-address= name=\
    ether23-slave-local
set [ find default-name=ether24 ] mac-address= name=\
    ether24-slave-local
set [ find default-name=sfp1 ] mac-address= name=\
    sfp1-gateway

/interface vlan
add interface=Bridge-pfSense name=vlan2 vlan-id=2
add interface=Bridge-pfSense name=vlan3 vlan-id=3

/interface list
add name=mactel
add name=mac-winbox

/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik

/ip ipsec proposal
set [ find default=yes ] enc-algorithms=aes-128-cbc

/ip pool
add name=default-dhcp ranges=192.168.88.10-192.168.88.254
add name=vlan2 ranges=10.30.10.100-10.30.10.200
add name=vlan3 ranges=10.30.20.100-10.30.20.200
add name=dhcp_pool1 ranges=10.30.2.1,10.30.2.100-10.30.2.254

/ip dhcp-server
add address-pool=vlan2 authoritative=after-2sec-delay disabled=no interface=\
    vlan2 lease-time=3d name=server1-wireless
add address-pool=vlan3 authoritative=after-2sec-delay disabled=no interface=\
    vlan3 lease-time=3d name=dmz_vlan3
add address-pool=dhcp_pool1 authoritative=after-2sec-delay interface=\
    Bridge-pfSense name=dhcp1

/queue simple
add name=VoIP packet-marks=VoIP priority=2/2 target=10.30.2.0/24
add max-limit=20M/100M name="Internal Network" priority=3/3 target=\
    Bridge-pfSense,Bridge-pfSense

/snmp community
set [ find default=yes ] addresses=10.30.2.13/32,10.30.2.34/32

/user group
add name=sniffer policy="ssh,read,!local,!telnet,!ftp,!reboot,!write,!policy,!\
    test,!winbox,!password,!web,!sniff,!sensitive,!api,!romon,!dude,!tikapp"

/interface bridge port
add bridge=Bridge-pfSense interface=Port2-master-pfSense-Primary
add bridge=Bridge-pfSense disabled=yes hw=no interface=Port1-Mikrotik-WAN
add bridge=Bridge-pfSense hw=no interface=sfp1-gateway
add bridge=Bridge-pfSense interface=Port3-slave-pfSense-Secondary
add bridge=Bridge-pfSense interface=ether4-slave-local
add bridge=Bridge-pfSense interface=ether5-slave-local
add bridge=Bridge-pfSense interface=ether6-slave-local
add bridge=Bridge-pfSense interface=ether7-slave-local
add bridge=Bridge-pfSense interface=ether8-slave-local
add bridge=Bridge-pfSense interface=ether9-slave-local
add bridge=Bridge-pfSense interface=ether10-slave-local
add bridge=Bridge-pfSense interface=ether11-slave-local
add bridge=Bridge-pfSense interface=ether12-slave-local
add bridge=Bridge-pfSense interface=ether13-slave-local
add bridge=Bridge-pfSense interface=ether14-slave-local
add bridge=Bridge-pfSense interface=ether15-slave-local
add bridge=Bridge-pfSense interface=ether16-slave-local
add bridge=Bridge-pfSense interface=ether17-slave-local
add bridge=Bridge-pfSense interface=ether18-slave-local
add bridge=Bridge-pfSense interface=ether19-slave-local
add bridge=Bridge-pfSense interface=ether20-slave-local
add bridge=Bridge-pfSense interface=ether21-slave-local
add bridge=Bridge-pfSense interface=Port22-slave-UPLINK-Desk
add bridge=Bridge-pfSense interface=ether23-slave-local
add bridge=Bridge-pfSense interface=ether24-slave-local

/ip neighbor discovery-settings
set discover-interface-list=!dynamic

/interface ethernet switch port
set 0 dscp-based-qos-dscp-to-dscp-mapping=no
set 1 dscp-based-qos-dscp-to-dscp-mapping=no
set 2 dscp-based-qos-dscp-to-dscp-mapping=no
set 3 dscp-based-qos-dscp-to-dscp-mapping=no
set 4 dscp-based-qos-dscp-to-dscp-mapping=no
set 5 dscp-based-qos-dscp-to-dscp-mapping=no
set 6 dscp-based-qos-dscp-to-dscp-mapping=no
set 7 dscp-based-qos-dscp-to-dscp-mapping=no
set 8 dscp-based-qos-dscp-to-dscp-mapping=no
set 9 dscp-based-qos-dscp-to-dscp-mapping=no
set 10 dscp-based-qos-dscp-to-dscp-mapping=no
set 11 dscp-based-qos-dscp-to-dscp-mapping=no
set 12 dscp-based-qos-dscp-to-dscp-mapping=no
set 13 dscp-based-qos-dscp-to-dscp-mapping=no
set 14 dscp-based-qos-dscp-to-dscp-mapping=no
set 15 dscp-based-qos-dscp-to-dscp-mapping=no
set 16 dscp-based-qos-dscp-to-dscp-mapping=no
set 17 dscp-based-qos-dscp-to-dscp-mapping=no
set 18 dscp-based-qos-dscp-to-dscp-mapping=no
set 19 dscp-based-qos-dscp-to-dscp-mapping=no
set 20 dscp-based-qos-dscp-to-dscp-mapping=no
set 21 dscp-based-qos-dscp-to-dscp-mapping=no
set 22 dscp-based-qos-dscp-to-dscp-mapping=no
set 23 dscp-based-qos-dscp-to-dscp-mapping=no
set 24 dscp-based-qos-dscp-to-dscp-mapping=no
set 25 dscp-based-qos-dscp-to-dscp-mapping=no

/interface list member
add interface=Port2-master-pfSense-Primary list=mactel
add interface=sfp1-gateway list=mactel
add interface=Port2-master-pfSense-Primary list=mac-winbox
add interface=sfp1-gateway list=mac-winbox

/ip accounting
set enabled=yes threshold=2560
/ip accounting web-access
set accessible-via-web=yes address=10.30.2.0/24

/ip address
add address=10.30.2.2/24 comment="default configuration" interface=\
    Port2-master-pfSense-Primary network=10.30.2.0
add address=WANGW interface=Port1-Mikrotik-WAN network= WANIP
add address=10.30.10.1/24 interface=vlan2 network=10.30.10.0
add address=10.30.20.1/24 interface=vlan3 network=10.30.20.0

/ip cloud
set ddns-enabled=yes

/ip dhcp-client
add comment="default configuration" dhcp-options=hostname,clientid interface=\
    Port1-Mikrotik-WAN

/ip dhcp-server network
add address=10.30.2.0/24 comment="default configuration" dns-server=10.30.2.1 \
    gateway=10.30.2.2 netmask=24 next-server=192.168.88.1
add address=10.30.10.0/24 dns-server=8.8.8.8 gateway=10.30.10.1
add address=10.30.20.0/24 dns-server=8.8.8.8 gateway=10.30.20.1

/ip dns
set allow-remote-requests=yes servers=10.30.2.1

/ip dns static
add address=10.30.2.2 name=router

/ip firewall address-list
add address=10.0.0.0/8 list=bogons
add address=172.16.0.0/12 list=bogons
add address=192.168.0.0/16 list=bogons

/ip firewall filter
add action=log chain=forward dst-address-list=bogons in-interface=vlan2
add action=accept chain=forward comment="default configuration" \
    connection-state=established
add action=accept chain=forward comment="default configuration" \
    connection-state=related
add action=drop chain=forward comment="default configuration" \
    connection-state=invalid
add action=accept chain=input protocol=icmp
add action=accept chain=input connection-state=established
add action=accept chain=input connection-state=related
add action=drop chain=input in-interface=Port1-Mikrotik-WAN

/ip firewall mangle
add action=mark-packet chain=forward disabled=yes new-packet-mark=VoIP \
    passthrough=yes src-address=10.30.2.53
add action=mark-packet chain=forward disabled=yes dst-address=10.30.2.53 \
    new-packet-mark=VoIP passthrough=yes
add action=mark-routing chain=prerouting dst-address=!10.30.10.0/24 \
    new-routing-mark=mikrotik passthrough=yes src-address=10.30.10.0/24
add action=mark-routing chain=prerouting dst-address=!10.30.0.0/16 \
    new-routing-mark=pfsense passthrough=no src-address=10.30.2.175

/ip firewall nat
add action=masquerade chain=srcnat comment="default configuration" \
    out-interface=Port1-Mikrotik-WAN

/ip ipsec policy
set 0 dst-address=0.0.0.0/0 src-address=0.0.0.0/0

/ip proxy
set cache-path=web-proxy1

/ip route
add distance=1 gateway=10.30.2.1 routing-mark=pfsense
add distance=1 gateway=WANGW routing-mark=mikrotik

/ip service
set telnet disabled=yes
set ftp disabled=yes

/lcd
set backlight-timeout=1h30m default-screen=stats

/lcd interface pages
set 0 interfaces="Port1-Mikrotik-WAN,Port2-master-pfSense-Primary,Port3-slave-\
    pfSense-Secondary,ether4-slave-local,ether5-slave-local,ether6-slave-local\
    ,ether7-slave-local,ether8-slave-local,ether9-slave-local"

/snmp
set enabled=yes

/system clock
set time-zone-autodetect=no time-zone-name=America/Chicago

/system leds
set 0 interface=Port1-Mikrotik-WAN leds=""

/system ntp client
set enabled=yes primary-ntp=162.210.196.6 secondary-ntp=50.7.0.66

/tool e-mail
set address=10.30.2.51 from=switch@darktcp.net

/tool graphing interface
add allow-address=10.30.2.0/24
add allow-address=172.30.10.0/24

/tool graphing resource
add allow-address=10.30.2.0/24
add allow-address=172.30.10.0/24

/tool mac-server
set allowed-interface-list=mactel

/tool mac-server mac-winbox
set allowed-interface-list=mac-winbox

/tool romon port
add
 
mkx
Forum Guru
Posts: 12985
Joined: Thu Mar 03, 2016 10:23 pm

Re: WAN IP leak

Sat Mar 31, 2018 12:16 pm

Are you sure it's the Mikrotik that leaks? Any client host which has the possibility of discovering the public IP address (perhaps through client-server communication on Layer 7) could potentially do it.
You'll have to trace it down using Wireshark or similar tools to discover the plaintiff. After you find the source, you can try to fix it.
 
Sob
Forum Guru
Posts: 9188
Joined: Mon Apr 20, 2009 9:11 pm

Re: WAN IP leak

Sat Mar 31, 2018 2:47 pm

Masquerade is only on Port1-Mikrotik-WAN, so that's not it. In theory, if it was coming from the router itself, it could decide to use WANIP as the source, but it shouldn't. Did you check what exactly it is (protocol, port)?
 
xcom
Frequent Visitor
Topic Author
Posts: 80
Joined: Sat Jul 05, 2014 8:59 pm

Re: WAN IP leak

Sat Mar 31, 2018 4:45 pm

It's the Mikrotik. The protocol is SIP/UDP port 5060.
The source is inet addr:10.30.2.175, so I know it is not grabbing the WAN IP.
 
CZFan
Forum Guru
Posts: 2098
Joined: Sun Oct 09, 2016 8:25 pm
Location: South Africa, Krugersdorp (Home town of Brad Binder)

Re: WAN IP leak

Sat Mar 31, 2018 8:48 pm

It's the Mikrotik. The protocol is SIP/UDP port 5060.
The source is inet addr:10.30.2.175, so I know it is not grabbing the WAN IP.

I suspect you have a NAT-aware PBX system. It is a way the PBX companies try to work around the NAT traversal problems; what it does (if I recall correctly) is check for the public IP and then insert this IP into the SIP packet as the src address.
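The original post and CZFan's reply describe two different things that both show up as "the WAN IP on the LAN side": the IP header itself carrying the WAN address, versus a NAT-aware SIP stack writing the WAN address into the SIP headers while the IP header still carries the private address. The check below, an added example and not code from the thread or from any poster, tells the two apart from a packet's IP source and its SIP payload. It assumes 203.0.113.10 as a stand-in for the redacted WAN IP, 10.30.0.0/16 as the internal range, and the two SIP messages are constructed for the example.

```python
"""Separate two things that both look like a "WAN IP leak" on the inside of a firewall.

  ip-layer-leak       the IP header source seen on the LAN interface IS the WAN address
  sip-header-rewrite  the IP header source is a private LAN address, but a NAT-aware
                      SIP stack has written the WAN address into Via/Contact/SDP lines

All sample data below is constructed for this example; 203.0.113.10 stands in for
the redacted WAN IP and 10.30.0.0/16 covers the internal ranges used in the thread.
"""
import ipaddress
import re

WAN_IP = ipaddress.ip_address("203.0.113.10")        # placeholder for the redacted WANIP
LAN_NETS = [ipaddress.ip_network("10.30.0.0/16")]    # internal ranges from the posted config

# Header lines whose values may carry a transport address: Via, Contact and the SDP c= line
_HDR_RE = re.compile(r"^(?:Via|Contact|c)\s*[:=]\s*(.*)$", re.IGNORECASE | re.MULTILINE)
_IPV4_RE = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b")


def sip_header_addresses(payload: str) -> set:
    """Return every valid IPv4 literal found in Via/Contact headers and SDP c= lines."""
    found = set()
    for m in _HDR_RE.finditer(payload):
        for literal in _IPV4_RE.findall(m.group(1)):
            try:
                ipaddress.ip_address(literal)   # drops things like 999.1.1.1
            except ValueError:
                continue
            found.add(literal)
    return found


def classify(ip_src: str, payload: str = "") -> str:
    """Classify one packet observed on an inside (LAN) interface.

    ip_src  - source address from the IP header
    payload - the UDP payload as text (empty for non-SIP traffic)
    """
    src = ipaddress.ip_address(ip_src)
    if src == WAN_IP:
        return "ip-layer-leak"            # NAT applied on the wrong side, or a misaddressed host
    if not any(src in net for net in LAN_NETS):
        return "external-source"          # not an inside host at all
    if str(WAN_IP) in sip_header_addresses(payload):
        return "sip-header-rewrite"       # the NAT-aware PBX behaviour CZFan describes
    return "normal"


# Constructed REGISTER as a NAT-aware PBX might send it: the IP header still says
# 10.30.2.175, but Via and Contact already carry the public address.
SAMPLE_REGISTER = "\r\n".join([
    "REGISTER sip:voip.example SIP/2.0",
    "Via: SIP/2.0/UDP 203.0.113.10:5060;branch=z9hG4bK776asdhds;rport",
    "From: <sip:100001@voip.example>;tag=1928301774",
    "To: <sip:100001@voip.example>",
    "Call-ID: a84b4c76e66710@pbx.example",
    "CSeq: 1 REGISTER",
    "Contact: <sip:100001@203.0.113.10:5060>",
    "Content-Length: 0",
    "", "",
])

# Constructed INVITE from a phone that is not NAT-aware: only private addresses inside.
SAMPLE_INVITE = "\r\n".join([
    "INVITE sip:200@voip.example SIP/2.0",
    "Via: SIP/2.0/UDP 10.30.2.53:5060;branch=z9hG4bKnashds8",
    "Contact: <sip:100@10.30.2.53:5060>",
    "Content-Type: application/sdp",
    "",
    "v=0",
    "c=IN IP4 10.30.2.53",
    "m=audio 49170 RTP/AVP 0",
    "",
])

if __name__ == "__main__":
    for src, payload in [("10.30.2.175", SAMPLE_REGISTER),
                         ("203.0.113.10", ""),
                         ("10.30.2.53", SAMPLE_INVITE)]:
        print(f"{src:>14}  {classify(src, payload)}")
```

The distinction matters for where to look: an ip-layer-leak verdict points at NAT or addressing on the router, while sip-header-rewrite points at the PBX's NAT settings, which is the case this thread ends up in.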
 
xcom
Frequent Visitor
Topic Author
Posts: 80
Joined: Sat Jul 05, 2014 8:59 pm

Re: WAN IP leak

Sun Apr 01, 2018 2:02 am

It's the Mikrotik. The protocol is SIP/UDP port 5060.
The source is inet addr:10.30.2.175, so I know it is not grabbing the WAN IP.

I suspect you have a NAT-aware PBX system. It is a way the PBX companies try to work around the NAT traversal problems; what it does (if I recall correctly) is check for the public IP and then insert this IP into the SIP packet as the src address.
I think you are right... Not much I can do about that... :(
 
xcom
Frequent Visitor
Topic Author
Posts: 80
Joined: Sat Jul 05, 2014 8:59 pm

Re: WAN IP leak

Sun Apr 01, 2018 6:51 am

It's the Mikrotik. The protocol is SIP/UDP port 5060.
The source is inet addr:10.30.2.175, so I know it is not grabbing the WAN IP.

I suspect you have a NAT-aware PBX system. It is a way the PBX companies try to work around the NAT traversal problems; what it does (if I recall correctly) is check for the public IP and then insert this IP into the SIP packet as the src address.
Doing some troubleshooting, I found that if I block all traffic:

src: mypbx
destination: mikrotik-gateway
action: drop

The box loses all connections and can only ping internally, not out to the internet...
This tells me that the box is going out to the internet via the Mikrotik GW and the mangle prerouting rule is not working properly, hence why I am seeing a delay.

Thoughts?
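The thread never settles whether the posted mangle rule does what xcom expects. As an added illustration, not RouterOS code and not from any poster, the model below replays the posted mark-routing rules and routing-mark routes in simplified form so the expected gateway for a given source and destination can be checked. Its assumptions are stated in the docstring: in-order rule evaluation with passthrough semantics, the RouterOS v6 fallback to the main table when a marked table has no matching route, and a default route via the redacted WANGW learned by the dhcp-client (which the export does not show).

```python
"""Simplified model of how mark-routing mangle rules and routing-mark routes pick a gateway.

Added illustration only; assumptions, not verified RouterOS internals:
  - prerouting mangle rules run in order; a matching mark-routing rule sets the
    routing mark, and passthrough=no stops further evaluation
  - a marked packet is looked up in the table named by its mark; if that table has
    no matching route, RouterOS v6 falls back to the main table
  - every packet is evaluated on its own (connection marks are not modelled)
  - the main table holds the connected routes from /ip address plus a default route
    learned by the dhcp-client on the WAN port; "WANGW" stands in for the redacted
    WAN gateway
Rules and routes below are copied from the posted config.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class MangleRule:
    src: Optional[str]        # src-address (None = any)
    dst: Optional[str]        # dst-address, leading "!" negates (None = any)
    mark: str                 # new-routing-mark
    passthrough: bool


@dataclass
class Route:
    dst: str                  # destination prefix
    gateway: str              # next hop, or interface name for a connected route
    table: str = "main"       # routing-mark, "main" when unset


def _match(prefix: Optional[str], addr: str) -> bool:
    """Match an address against a prefix, honouring RouterOS '!' negation."""
    if prefix is None:
        return True
    negate = prefix.startswith("!")
    net = ipaddress.ip_network(prefix.lstrip("!"), strict=False)
    hit = ipaddress.ip_address(addr) in net
    return not hit if negate else hit


def routing_mark(rules: List[MangleRule], src: str, dst: str) -> str:
    """Walk the prerouting mangle rules in order and return the resulting mark."""
    mark = "main"
    for r in rules:
        if _match(r.src, src) and _match(r.dst, dst):
            mark = r.mark
            if not r.passthrough:
                break
    return mark


def lookup(routes: List[Route], table: str, dst: str) -> Optional[Route]:
    """Longest-prefix match for dst within one routing table."""
    addr = ipaddress.ip_address(dst)
    best, best_len = None, -1
    for r in routes:
        if r.table != table:
            continue
        net = ipaddress.ip_network(r.dst)
        if addr in net and net.prefixlen > best_len:
            best, best_len = r, net.prefixlen
    return best


def choose_gateway(rules: List[MangleRule], routes: List[Route], src: str, dst: str) -> str:
    """Gateway the model predicts for a packet from src to dst."""
    mark = routing_mark(rules, src, dst)
    route = lookup(routes, mark, dst) or lookup(routes, "main", dst)   # v6 fallback
    return route.gateway if route else "no route"


# The two mark-routing rules from the posted /ip firewall mangle section
MANGLE = [
    MangleRule("10.30.10.0/24", "!10.30.10.0/24", "mikrotik", passthrough=True),
    MangleRule("10.30.2.175", "!10.30.0.0/16", "pfsense", passthrough=False),
]

ROUTES = [
    Route("10.30.2.0/24", "Port2-master-pfSense-Primary"),   # connected, from /ip address
    Route("10.30.10.0/24", "vlan2"),                         # connected
    Route("10.30.20.0/24", "vlan3"),                         # connected
    Route("0.0.0.0/0", "WANGW"),                             # assumed dhcp-client default
    Route("0.0.0.0/0", "10.30.2.1", table="pfsense"),        # posted: routing-mark=pfsense
    Route("0.0.0.0/0", "WANGW", table="mikrotik"),           # posted: routing-mark=mikrotik
]

if __name__ == "__main__":
    for src, dst in [("10.30.2.175", "8.8.8.8"), ("10.30.10.50", "8.8.8.8"),
                     ("10.30.2.53", "8.8.8.8"), ("10.30.2.175", "10.30.20.5")]:
        print(f"{src:>12} -> {dst:<12} mark={routing_mark(MANGLE, src, dst):<9}"
              f"gateway={choose_gateway(MANGLE, ROUTES, src, dst)}")
```

Under this model a packet from 10.30.2.175 to an outside address gets the pfsense mark and leaves via 10.30.2.1, which is what the posted config intends; if the real box behaves differently, the cause is something the model does not capture rather than the rule syntax itself.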
 
anav
Forum Guru
Posts: 21930
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: WAN IP leak

Sun Apr 01, 2018 5:52 pm

Well, make a more direct mangle rule....
All traffic from 10.30.2.5 going to the Ether1 gateway: mark.
Route traffic to pfSense.

See if that more direct angle works.........
 
CZFan
Forum Guru
Posts: 2098
Joined: Sun Oct 09, 2016 8:25 pm
Location: South Africa, Krugersdorp (Home town of Brad Binder)

Re: WAN IP leak

Sun Apr 01, 2018 7:45 pm

It's the Mikrotik. The protocol is SIP/UDP port 5060.
The source is inet addr:10.30.2.175, so I know it is not grabbing the WAN IP.

I suspect you have a NAT-aware PBX system. It is a way the PBX companies try to work around the NAT traversal problems; what it does (if I recall correctly) is check for the public IP and then insert this IP into the SIP packet as the src address.
I think you are right... Not much I can do about that... :(

It sounds like it is working as per design, so personally, I would not do this:

Look into your PBX config; some of them allow you to disable this functionality, but I suspect you might then have many VoIP problems.

Why is it bugging you? i.e. what do you think the risks are?
 
xcom
Frequent Visitor
Topic Author
Posts: 80
Joined: Sat Jul 05, 2014 8:59 pm

Re: WAN IP leak

Sun Apr 01, 2018 7:57 pm

It's the Mikrotik. The protocol is SIP/UDP port 5060.
The source is inet addr:10.30.2.175, so I know it is not grabbing the WAN IP.

I suspect you have a NAT-aware PBX system. It is a way the PBX companies try to work around the NAT traversal problems; what it does (if I recall correctly) is check for the public IP and then insert this IP into the SIP packet as the src address.
I think you are right... Not much I can do about that... :(

It sounds like it is working as per design, so personally, I would not do this:

Look into your PBX config; some of them allow you to disable this functionality, but I suspect you might then have many VoIP problems.

Why is it bugging you? i.e. what do you think the risks are?
How is it working? If I am telling the Mikrotik that 0.0.0.0 with a mark of pfsense should go out via 10.30.2.1, which is a totally different GW....
 
CZFan
Forum Guru
Posts: 2098
Joined: Sun Oct 09, 2016 8:25 pm
Location: South Africa, Krugersdorp (Home town of Brad Binder)

Re: WAN IP leak

Sun Apr 01, 2018 9:27 pm

How is it working? The same way a SIP ALG works on your router / firewall / NAT device, just done on the PBX itself instead of on the NAT device.

If I am telling the Mikrotik that 0.0.0.0 with a mark of pfsense should go out via 10.30.2.1, which is a totally different GW.... If I understand you correctly, this is what I do in my environments:

All servers have static IP configs; specify pfSense as the gateway on the PBX device statically instead of wasting resources with mangle, etc. on the router, i.e. KISS, "Keep It Simple, S..."
