
Inbound Rule for internal webserver

Posted: Tue Jan 26, 2016 10:42 pm
by monkeybike
Hi Experts,

I have a unit that has 3 External internet connections (long story), each with static IP ranges.

I want to create an inbound rule to pass traffic from one of my external public IPs on Eth4 to the server inside the LAN on an internal IP.

I have a range of public IPs to use that are assigned to the ISP connection on Eth4, so I'm not sure how you specify which IP the inbound rule works with.

I did look up how to do it, and most answers look identical, but it didn't work for me. But I used Winbox.

As used:

/ip firewall nat
add chain=dstnat in-interface=eth4 protocol=tcp dst-port=80 \
action=dst-nat to-addresses=192.168.1.10 to-ports=80 comment=" inbound to webserver" \
disabled=no

Then, because I have public IPs assigned to Eth4, I assumed that if I tried any of them it would work from the outside world. But it doesn't.

Regards

Richy

Re: Inbound Rule for internal webserver

Posted: Tue Jan 26, 2016 11:01 pm
by ZeroByte
If you have multiple Internet links, then you're going to need to use route-marking to force the replies to return out the same interface they arrived on.
/ip firewall mangle
add chain=prerouting connection-mark=no-mark action=jump jump-target=classify
add chain=classify in-interface=ether1 action=mark-connection new-connection-mark=isp1
add chain=classify in-interface=ether2 action=mark-connection new-connection-mark=isp2
add chain=classify in-interface=ether3 action=mark-connection new-connection-mark=isp3
add chain=classify in-interface=ether4 action=mark-connection new-connection-mark=isp4
add chain=classify connection-mark=no-mark action=mark-connection new-connection-mark=default
add chain=classify action=return

add chain=prerouting connection-mark=isp1 action=mark-routing new-routing-mark=isp1
add chain=prerouting connection-mark=isp2 action=mark-routing new-routing-mark=isp2
add chain=prerouting connection-mark=isp3 action=mark-routing new-routing-mark=isp3
add chain=prerouting connection-mark=isp4 action=mark-routing new-routing-mark=isp4

add chain=output connection-mark=isp1 action=mark-routing new-routing-mark=isp1
add chain=output connection-mark=isp2 action=mark-routing new-routing-mark=isp2
add chain=output connection-mark=isp3 action=mark-routing new-routing-mark=isp3
add chain=output connection-mark=isp4 action=mark-routing new-routing-mark=isp4

/ip route
add dst=0.0.0.0/0 gateway=a.a.a.a routing-mark=isp1
add dst=0.0.0.0/0 gateway=b.b.b.b routing-mark=isp2
add dst=0.0.0.0/0 gateway=c.c.c.c routing-mark=isp3
add dst=0.0.0.0/0 gateway=d.d.d.d routing-mark=isp4
The nice thing about this, though, is that you can map the webserver on multiple WAN links and be able to access it on any of them.

Re: Inbound Rule for internal webserver

Posted: Tue Jan 26, 2016 11:38 pm
by monkeybike
Thank you for the reply. So, if I set up the mangle as you described,

how would I write my inbound rule to allow port 80 in on the public IP assigned to ISP4 (eth4)?

Regards

Richard

Re: Inbound Rule for internal webserver

Posted: Tue Jan 26, 2016 11:47 pm
by ZeroByte
/ip firewall nat add chain=dstnat dst-address=ip.of.isp.eth4 action=dst-nat to-addresses=internal.ip.of.server

The filter can also be clever -
/ip firewall filter add chain=forward connection-nat-state=dstnat action=accept

This one rule will allow any dst-nat pinhole through the filter.

Re: Inbound Rule for internal webserver

Posted: Thu May 19, 2016 6:59 pm
by monkeybike
Hi ZeroByte,

I posted this question and your answer helped, but because I used PPPoE it became confusing. So I have got it working.

However, I can't PPTP in myself for VPN dial-in, nor can I create an inbound rule to an internal webserver. Yet my rules on other Mikrotiks for inbound (that are not mangle WAN) work fine. So, as you said, it must be to do with the marking of WAN.

This is my config. Is there anything you can see that is a problem?

# may/19/2016 15:18:00 by RouterOS 6.34.3
# software id = 4XTJ-IJDM
#
/interface ethernet
set [ find default-name=ether1 ] comment=WAN1
set [ find default-name=ether2 ] comment=WAN2
set [ find default-name=ether5 ] comment="LAN" speed=\
1Gbps
/interface pppoe-client
add comment="FTCC WAN1 " disabled=no interface=ether1 name=\
pppoe-out1 password=xxxxxxx user=username1@isp.com
add comment="FTCC WAN2 " disabled=no interface=ether2 \
max-mru=1480 max-mtu=1480 mrru=1600 name=pppoe-out2 password=xxxxxx \
user=username2@isp.com
/ip neighbor discovery
set ether1 comment=WAN1
set ether2 comment=WAN2
set ether5 comment="LAN"
set pppoe-out1 comment="WAN1 "
set pppoe-out2 comment="WAN2"
/ip dhcp-server option
add code=15 name="Domain Name" value="'mylan.local'"
/ip pool
add name=dhcp_pool1 ranges=192.168.88.2-192.168.88.252
add name=pptp-pool ranges=192.168.10.10-192.168.10.20
/ip dhcp-server
add address-pool=dhcp_pool1 disabled=no interface=ether5 lease-time=1m name=\
dhcp1
/ppp profile
add local-address=pptp-pool name=pptp-profile remote-address=pptp-pool
/ip address
add address=192.168.88.1/24 interface=ether5 network=192.168.88.0
/ip dhcp-server network
add address=192.168.88.0/24 dns-server=208.67.222.222,208.67.220.220 gateway=\
192.168.88.1
/ip dns
set allow-remote-requests=yes servers=8.8.8.8,8.8.4.4
/ip dns static
add address=192.168.88.254 name=controller.local
/ip firewall filter
add chain=input comment="Dial In PPTP" dst-port=1723 protocol=tcp
add chain=input protocol=gre
add chain=input comment="WinBox In" dst-port=8291 protocol=tcp
add chain=input comment="Accept established connections" connection-state=\
established
add chain=input comment="Accept related connections" connection-state=related
add chain=input comment=UDP protocol=udp
add chain=input comment="From our LAN" in-interface=ether5 src-address=\
192.168.88.0/24
add action=log chain=input comment="Log everything else" log-prefix=\
"DROP INPUT"
add action=add-src-to-address-list address-list=ssh_blacklist \
address-list-timeout=1w3d chain=input connection-state=new dst-port=22 \
protocol=tcp src-address-list=ssh_stage3
add action=drop chain=input comment="drop ssh brute forcers" dst-port=22 \
protocol=tcp src-address-list=ssh_blacklist
add action=add-src-to-address-list address-list=ssh_stage3 \
address-list-timeout=1m chain=input connection-state=new dst-port=22 \
protocol=tcp src-address-list=ssh_stage2
add action=add-src-to-address-list address-list=ssh_stage2 \
address-list-timeout=1m chain=input connection-state=new dst-port=22 \
protocol=tcp src-address-list=ssh_stage1
add action=add-src-to-address-list address-list=ssh_stage1 \
address-list-timeout=1m chain=input connection-state=new dst-port=22 \
protocol=tcp
add action=add-src-to-address-list address-list="port scanners" \
address-list-timeout=2w chain=input comment="Port scanners to list " \
protocol=tcp psd=21,3s,3,1
add action=add-src-to-address-list address-list="port scanners" \
address-list-timeout=2w chain=input comment="NMAP FIN Stealth scan" \
protocol=tcp tcp-flags=fin,!syn,!rst,!psh,!ack,!urg
add action=add-src-to-address-list address-list="port scanners" \
address-list-timeout=2w chain=input comment="SYN/FIN scan" protocol=tcp \
tcp-flags=fin,syn
add action=add-src-to-address-list address-list="port scanners" \
address-list-timeout=2w chain=input comment="SYN/RST scan" protocol=tcp \
tcp-flags=syn,rst
add action=add-src-to-address-list address-list="port scanners" \
address-list-timeout=2w chain=input comment="FIN/PSH/URG scan" protocol=\
tcp tcp-flags=fin,psh,urg,!syn,!rst,!ack
add action=add-src-to-address-list address-list="port scanners" \
address-list-timeout=2w chain=input comment="ALL/ALL scan" protocol=tcp \
tcp-flags=fin,syn,rst,psh,ack,urg
add action=add-src-to-address-list address-list="port scanners" \
address-list-timeout=2w chain=input comment="NMAP NULL scan" protocol=tcp \
tcp-flags=!fin,!syn,!rst,!psh,!ack,!urg
add action=drop chain=input comment="dropping port scanners" \
src-address-list="port scanners"
add action=drop chain=input comment="Drop invalid connections" \
connection-state=invalid
add action=drop chain=input comment="Drop excess pings" protocol=icmp
add chain=forward comment="Allow Only Certain Ports Out on Public WIfi LAN " \
dst-address=208.67.222.222 dst-port=53 protocol=tcp src-address=\
192.168.88.0/24
add chain=forward dst-address=208.67.222.222 dst-port=53 protocol=udp \
src-address=192.168.88.0/24
add chain=forward dst-address=208.67.220.220 dst-port=53 protocol=tcp \
src-address=192.168.88.0/24
add chain=forward dst-address=208.67.220.220 dst-port=53 protocol=udp \
src-address=192.168.88.0/24
add chain=forward dst-address=0.0.0.0/0 dst-port=80 protocol=tcp src-address=\
192.168.88.0/24
add chain=forward dst-address=0.0.0.0/0 dst-port=8041 protocol=tcp \
src-address=192.168.88.0/24
add chain=forward dst-address=0.0.0.0/0 dst-port=8040 protocol=tcp \
src-address=192.168.88.0/24
add chain=forward dst-address=0.0.0.0/0 dst-port=443 protocol=tcp \
src-address=192.168.88.0/24
add chain=forward dst-address=0.0.0.0/0 dst-port=8090 protocol=tcp \
src-address=192.168.88.0/24
add chain=forward dst-address=0.0.0.0/0 dst-port=8291 protocol=tcp \
src-address=192.168.88.0/24
add chain=forward dst-address=0.0.0.0/0 protocol=icmp src-address=\
192.168.88.0/24
add action=drop chain=forward dst-address=0.0.0.0/0 src-address=\
192.168.88.0/24
add action=drop chain=input comment="Drop everything else"
/ip firewall mangle
add chain=prerouting dst-address=192.168.88.0/24 in-interface=ether5
add action=mark-connection chain=input connection-mark=no-mark in-interface=\
pppoe-out1 new-connection-mark=WAN1 passthrough=no
add action=mark-connection chain=input connection-mark=no-mark in-interface=\
pppoe-out2 new-connection-mark=WAN2 passthrough=no
add action=mark-routing chain=output connection-mark=WAN1 new-routing-mark=\
WAN1 out-interface=pppoe-out1 passthrough=no
add action=mark-routing chain=output connection-mark=WAN2 new-routing-mark=\
WAN2 out-interface=pppoe-out2 passthrough=no
add action=mark-connection chain=prerouting connection-mark=no-mark \
dst-address-type=!local in-interface=ether5 new-connection-mark=WAN1 \
per-connection-classifier=both-addresses:2/0
add action=mark-connection chain=prerouting connection-mark=no-mark \
dst-address-type=!local in-interface=ether5 new-connection-mark=WAN2 \
per-connection-classifier=both-addresses:2/1
add action=mark-routing chain=prerouting connection-mark=WAN1 in-interface=\
ether5 new-routing-mark=WAN1 passthrough=no
add action=mark-routing chain=prerouting connection-mark=WAN2 in-interface=\
ether5 new-routing-mark=WAN2 passthrough=no
/ip firewall nat
add action=masquerade chain=srcnat src-address=192.168.88.0/24
add action=masquerade chain=src-nat out-interface=pppoe-out1
add action=masquerade chain=src-nat out-interface=pppoe-out2
add action=dst-nat chain=dstnat dst-address=12.12.12.100 dst-port=8443 \
protocol=tcp src-port=8443 to-addresses=192.168.88.254
/ip route
add distance=1 gateway=pppoe-out1 routing-mark=WAN1
add distance=1 gateway=pppoe-out2 routing-mark=WAN2
add distance=1 gateway=pppoe-out1
add distance=2 gateway=pppoe-out2
/ppp secret
add name=mickeymouse password=minniemouse profile=pptp-profile
/system clock
set time-zone-name=Europe/London
/system routerboard settings
set protected-routerboot=disabled

Thanks for your help

Richard

Re: Inbound Rule for internal webserver

Posted: Thu May 19, 2016 7:26 pm
by ZeroByte
I think your mark connection "input" chain rules should be in the prerouting chain because you want to stick connections to the WAN they arrived on, no matter whether they're for the Mikrotik itself OR for any devices behind dstnat pinholes....

(packets only go to the input chain if they're for the Mikrotik itself.)

Then there are the mark-routing actions in the output chain - I would suggest that you remove the "out-interface=xxxxx" criteria from those two rules.

You could also replace mangle rule 0 (the accept rule in the prerouting chain) by using a route rule instead:
/ip route rule add dst-address=192.168.88.0/24 action=lookup-only-in-table table=main

As for the ether4 addresses - any address you want to be able to use for NAT must be configured in /ip addresses

so if your ether4 range was 192.0.2.130-134 (192.0.2.128/29) then you would need to assign each one to your ether4 interface:
/ip address
add address=192.0.2.130/29 interface=ether4
add address=192.0.2.131/29 interface=ether4
... etc

(or you could set ether4 arp=proxy-arp and then blackhole route the remaining IP addresses from the range so that the router knows to answer for those addresses)

Re: Inbound Rule for internal webserver

Posted: Fri May 20, 2016 12:38 am
by monkeybike
Hi,

Thanks for taking the time to reply. I tried a few bits you suggested but couldn't get it to work.

When I was looking at multi-WAN and mangling, everyone's examples assumed a router was being used on the public side. But in the UK, PPPoE with a modem is popular with FTCC ISPs; they assign you a public IP on dial-up.

So the only example I found to make it work was to follow this article, but I don't use a bridge so chose ether5 instead.

https://blog.linitx.com/load-balancing- ... nnections/

This does seem to work, but I'm unable to get an inbound connection to my webserver on the LAN. I changed the arp to proxy-arp.

I would assume though that if I assign my web server's internal IP address to ether5 then I would get an IP conflict on the LAN.

Richard

Re: Inbound Rule for internal webserver

Posted: Fri May 20, 2016 1:41 am
by ZeroByte
> I changed the arp to proxy-arp.
>
> I would assume though that if I assign my web server's internal IP address to ether5 then I would get an IP conflict on the LAN.
>
> Richard

Perhaps I misunderstood your situation - I thought you meant that in addition to the two PPPoE connections, you had another connection available on ether4, which has a public IP range on it as a static network (e.g. a public IP /29 or something like that) - If this is not the case, then the proxy-arp / blackhole route / multi-IP address information I gave doesn't apply to you.

> When I was looking at multi-WAN and mangling, everyone's examples assumed a router was being used on the public side. But in the UK, PPPoE with a modem is popular with FTCC ISPs; they assign you a public IP on dial-up.

The bridge mentioned in the example of the web article you linked is actually the LAN side (I don't know why he recommended using IP firewall = yes for bridge and for pppoe - it's totally unnecessary to activate those features for a basic LAN bridge or for PPPoE WAN connections.)

There's nothing wrong with what you've done per se (except of course for whatever annoying little button that hasn't been pushed to make things work the way you want), but if the mangle rules are the way you specified in your earlier post, and you made the changes I mentioned, then policy routing should not be the source of the problem. Double check the filter rules in your firewall - and unfortunately, you've followed one of those complicated packet-munching-machine firewall guides. Those are way too involved for those with little Mikrotik experience IMO.

I'd recommend this as a firewall rule set to begin with:
/ip firewall filter
add chain=input connection-state=established,related action=accept
add chain=input protocol=icmp action=accept
add chain=input in-interface=ether5 action=accept
add chain=input action=drop
add chain=forward connection-state=established,related action=fasttrack-connection
add chain=forward connection-state=established,related action=accept
add chain=forward in-interface=ether5 action=accept
add chain=forward connection-nat-state=dstnat action=accept
add chain=forward action=drop
Worry later about tracking max connection attempts/second on tcp where the SYN flag is set but the connection state is not new, etc....
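Pulling ZeroByte's suggestions from this thread together (connection marks in prerouting, no out-interface= on the output mark-routing rules, a route rule instead of mangle rule 0, a dst-nat pinhole on the WAN address, the simpler filter set), here is an added example of Richard's dual-PPPoE config reworked accordingly; it is not code from the thread. It assumes the web server is 192.168.88.254 (taken from the export's existing dst-nat rule) and uses 203.0.113.10 as a placeholder for the public address the ISP assigns to pppoe-out2.

```routeros
# Added example, not from the thread. Assumed: 192.168.88.254 is the web
# server (from the export's dst-nat rule); 203.0.113.10 = placeholder WAN2 IP.
/ip route rule
# replaces mangle rule 0: LAN-to-LAN traffic is always looked up in the main table
add dst-address=192.168.88.0/24 action=lookup-only-in-table table=main
/ip firewall mangle
# Mark NEW inbound connections in prerouting (not input), so traffic for the
# router AND traffic to dst-nat pinholes both stick to the WAN they arrived on
add chain=prerouting connection-mark=no-mark in-interface=pppoe-out1 \
    action=mark-connection new-connection-mark=WAN1 passthrough=no
add chain=prerouting connection-mark=no-mark in-interface=pppoe-out2 \
    action=mark-connection new-connection-mark=WAN2 passthrough=no
# Outbound LAN connections: PCC split between the two WANs (as in the export)
add chain=prerouting connection-mark=no-mark in-interface=ether5 \
    dst-address-type=!local per-connection-classifier=both-addresses:2/0 \
    action=mark-connection new-connection-mark=WAN1
add chain=prerouting connection-mark=no-mark in-interface=ether5 \
    dst-address-type=!local per-connection-classifier=both-addresses:2/1 \
    action=mark-connection new-connection-mark=WAN2
# Routing marks for LAN-originated packets (incl. the web server's replies) and
# for the router's own replies; no out-interface= match, the packet isn't routed yet
add chain=prerouting in-interface=ether5 connection-mark=WAN1 \
    action=mark-routing new-routing-mark=WAN1 passthrough=no
add chain=prerouting in-interface=ether5 connection-mark=WAN2 \
    action=mark-routing new-routing-mark=WAN2 passthrough=no
add chain=output connection-mark=WAN1 action=mark-routing new-routing-mark=WAN1
add chain=output connection-mark=WAN2 action=mark-routing new-routing-mark=WAN2
/ip route
add gateway=pppoe-out1 routing-mark=WAN1 distance=1
add gateway=pppoe-out2 routing-mark=WAN2 distance=1
add gateway=pppoe-out1 distance=1
add gateway=pppoe-out2 distance=2
/ip firewall nat
add chain=srcnat out-interface=pppoe-out1 action=masquerade
add chain=srcnat out-interface=pppoe-out2 action=masquerade
# Pinhole on the WAN2 address: match the destination only (a client's source
# port is ephemeral, so a src-port= match would reject nearly every request)
add chain=dstnat in-interface=pppoe-out2 dst-address=203.0.113.10 protocol=tcp \
    dst-port=80 action=dst-nat to-addresses=192.168.88.254 to-ports=80
/ip firewall filter
add chain=input connection-state=established,related action=accept
add chain=input protocol=icmp action=accept
add chain=input in-interface=ether5 action=accept
add chain=input action=drop
# no fasttrack rule: fasttracked packets skip mangle, so the routing marks would not apply
add chain=forward connection-state=established,related action=accept
add chain=forward in-interface=ether5 action=accept
add chain=forward connection-nat-state=dstnat action=accept
add chain=forward action=drop
```

To check that the pinhole is sticking to WAN2, watch /ip firewall connection for the port-80 entry carrying connection-mark WAN2 while a client on the Internet connects to the placeholder address.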