I have a problem with a device on my network.
They tell me that the problem is that TCP 1883 is dropped towards the internet, but I can't see it...
If I try it from outside my network it works perfectly.
This is my firewall:
/ip firewall address-list
# Address lists referenced by the filter rules below.
# NOTE(review): the ranges overlap at their edges - 10.0.0.101 is in both
# Src_Administradores and Src_Servidores_Usuarios, and 192.168.2.20 is in both
# Src_Red_LAN and Src_Administradores. Presumably intended; confirm.
add address=10.0.0.20-10.0.0.101 list=Src_Administradores
add address=10.0.0.101-10.0.0.200 list=Src_Servidores_Usuarios
add address=192.168.2.20-192.168.2.255 list=Src_Red_LAN
add address=192.168.2.201 list=Dst_Servidores_Usuarios
add address=192.168.2.204 list=Dst_Servidores_Usuarios
add address=192.168.2.205 list=Dst_Servidores_Usuarios
add address=192.168.2.10-192.168.2.20 list=Src_Administradores
add address=10.10.0.200 list=Src_AdministracionClientes
add address=10.10.0.0/20 list=Dst_Clientes
add address=10.10.1.12 list=Src_Administradores
add address=10.10.1.13 list=Src_Administradores
/ip firewall filter
# Rules are evaluated top to bottom within each chain; the first matching
# terminating action wins. No rule in this listing matches port 1883
# specifically, so MQTT traffic is decided purely by the source-list accepts
# and the final drops below.
# --- input: blacklist handling ---
# Tarpit TCP from hosts already in "BLACKLIST TARPIT"; the next rule copies
# hosts from BLACKLIST into that list for 1 minute. Nothing in this listing
# adds entries to BLACKLIST itself, and the drop rule for it is disabled.
add action=tarpit chain=input comment="##### Filtra IPs en Lista Negra #####" \
protocol=tcp src-address-list="BLACKLIST TARPIT"
add action=add-src-to-address-list address-list="BLACKLIST TARPIT" \
address-list-timeout=1m chain=input src-address-list=BLACKLIST
# Disabled: non-TCP traffic from BLACKLIST sources falls through to the later
# input rules instead of being dropped here.
add action=drop chain=input disabled=yes log=yes log-prefix="DROP BlackList" \
src-address-list=BLACKLIST
# --- forward: default-config IPsec accepts ---
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
ipsec-policy=out,ipsec
# Established/related connections are marked for fasttrack and then accepted
# in all three chains; invalid packets are dropped and logged.
add action=fasttrack-connection chain=forward connection-state=\
established,related
add action=accept chain=forward comment=\
"##### Permite el trafico establecido y relacionado #####" \
connection-state=established,related
add action=accept chain=output connection-state=established,related
add action=accept chain=input connection-state=established,related
add action=drop chain=forward comment="##### Filtra Paquetes Invalidos #####" \
connection-state=invalid log=yes log-prefix="DROP Invalid Packets"
add action=drop chain=input connection-state=invalid log=yes log-prefix=\
"DROP Invalid In Packets"
# --- forward: new connections, allowed by source list ---
# Src_Administradores, Src_Red_LAN and Src_AdministracionClientes are accepted
# to any destination. Src_Servidores_Usuarios is only accepted towards
# Dst_Servidores_Usuarios, so a host in 10.0.0.102-10.0.0.200 reaches no other
# destination (including the internet) through this chain. Any source outside
# these lists (e.g. 192.168.2.1-192.168.2.9 or 10.0.0.1-10.0.0.19) reaches
# the final forward drop at the end of this section.
add action=accept chain=forward comment="##### Prermite trafico Forward #####" \
src-address-list=Src_Administradores
# The Dst_Servidores_Usuarios restriction on this rule is redundant: the
# unrestricted Src_Red_LAN accept right after it matches the same sources.
add action=accept chain=forward dst-address-list=Dst_Servidores_Usuarios \
src-address-list=Src_Red_LAN
add action=accept chain=forward src-address-list=Src_Red_LAN
add action=accept chain=forward dst-address-list=Dst_Servidores_Usuarios \
src-address-list=Src_Servidores_Usuarios
# Same pattern: the Dst_Clientes-restricted rule is made redundant by the
# unrestricted Src_AdministracionClientes accept below it.
add action=accept chain=forward dst-address-list=Dst_Clientes src-address-list=\
Src_AdministracionClientes
add action=accept chain=forward src-address-list=Src_AdministracionClientes
# Both disabled. "*F00277" looks like an unresolved interface reference in the
# export (the interface may no longer exist) - verify before re-enabling.
add action=accept chain=forward disabled=yes dst-address=10.10.1.200 \
in-interface=*F00277 out-interface=WAN
add action=accept chain=forward disabled=yes dst-address=10.10.1.201 \
in-interface=*F00277 out-interface=WAN
# --- input: services reachable on the router ---
# PPTP control port (TCP 1723) is accepted with no source restriction.
add action=accept chain=input comment=\
"##### Prermite trafico Input ##### - Conexiones PPTP" dst-port=1723 \
protocol=tcp
# Port-knock sequence: a hit on TCP 5000 puts the source in Src_TocToc_Temporal
# for 1 minute; from there, TCP 7000 / 8000 put it in Src_TocToc_NAS /
# Src_TocToc_LM_NAS for a day. add-src-to-address-list is a passthrough
# action, so these packets continue down the chain and, unless a later rule
# matches, reach the final input drop. No rule in this listing accepts from
# the Src_TocToc_* lists; presumably they are consumed by /ip firewall nat,
# which is not shown - confirm.
add action=add-src-to-address-list address-list=Src_TocToc_Temporal \
address-list-timeout=1m chain=input comment=\
"##### Prermite trafico Input ##### - TocToc" dst-port=5000 protocol=tcp
add action=add-src-to-address-list address-list=Src_TocToc_NAS \
address-list-timeout=1d chain=input dst-port=7000 protocol=tcp \
src-address-list=Src_TocToc_Temporal
add action=add-src-to-address-list address-list=Src_TocToc_LM_NAS \
address-list-timeout=1d chain=input dst-port=8000 protocol=tcp \
src-address-list=Src_TocToc_Temporal
# L2TP/IPsec (UDP 1701, 500, 4500 plus ESP and AH) accepted from any source.
add action=accept chain=input comment=\
"##### Prermite trafico Input ##### - Conexiones L2TP" dst-port=\
1701,500,4500 protocol=udp
add action=accept chain=input protocol=ipsec-esp
add action=accept chain=input protocol=ipsec-ah
# Src_Administradores may reach any service on the router itself.
add action=accept chain=input comment="##### Prermite trafico Input ##### " \
src-address-list=Src_Administradores
# SNMP (UDP 161) only from 192.168.2.205.
add action=accept chain=input comment=\
"##### Prermite trafico Input ##### Para comunicacion SNMP" dst-port=161 \
protocol=udp src-address=192.168.2.205
# --- default drops ---
# NOTE(review): this input drop sets log-prefix but not log=yes, so the prefix
# has no effect; add log=yes if dropped input packets should be logged.
add action=drop chain=input comment="##### BLOQUEO POR DEFECTO #####" \
log-prefix="INPUT DROP"
# Final forward drop, logged with prefix "FORWARD DROP". Only connections that
# were NOT dst-natted are dropped here, so anything matched by a dst-nat rule
# is implicitly allowed through forward regardless of source. A new 1883
# connection dropped by the filter would appear in the log with this prefix;
# if it does not, the cause is presumably outside this filter (NAT or
# routing, neither of which is shown here).
add action=drop chain=forward connection-nat-state=!dstnat log=yes log-prefix=\
"FORWARD DROP"
If I remove the last forward drop, it doesn't work either.
Thanks