Can't reach internet

Posted: Fri Oct 27, 2017 3:11 am
by dragonauta
I have some issues trying to get my 951G working.

ether1 gets dynamic IP from my ISP.
I can access all local hosts (some server in my lan); I can ping internet domains (i.e. can ping 8.8.8.8 or google.com) but can't surf.
I feel I'm missing something but can't figure what.

These are my firewall rules:
/ip firewall export 
# oct/26/2017 19:52:26 by RouterOS 6.40.4
# software id = ZSC0-VWPN
#
# model = 951G-2HnD
# serial number = 64XXXXXXXXB9
/ip firewall filter
add action=accept chain=input comment="defconf: accept ICMP" in-interface=ether1-gw protocol=icmp
add action=accept chain=input comment="defconf: accept established,related" connection-state=established,related in-interface=ether1-gw
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related in-interface=ether1-gw
add action=accept chain=forward comment="defconf: accept established,related" connection-state=established,related in-interface=ether1-gw
add action=drop chain=input comment="defconf: drop all from WAN" in-interface=ether1-gw
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid in-interface=ether1-gw
add action=drop chain=forward comment="defconf:  drop all from WAN not DSTNATed" connection-nat-state=!dstnat connection-state=new in-interface=ether1-gw
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade"
add action=masquerade chain=srcnat comment="hairpin nat" dst-address=!192.168.0.1 src-address=192.168.0.0/24
add action=dst-nat chain=dstnat dst-port=10022 protocol=tcp to-addresses=192.168.0.10 to-ports=22
add action=dst-nat chain=dstnat dst-port=10006 protocol=tcp to-addresses=192.168.0.10 to-ports=8006
add action=dst-nat chain=dstnat dst-port=12080 protocol=tcp to-addresses=192.168.0.14 to-ports=80
add action=dst-nat chain=dstnat dst-port=1194 protocol=udp to-addresses=192.168.0.14 to-ports=1194
add action=dst-nat chain=dstnat dst-port=18389 protocol=tcp to-addresses=192.168.0.18 to-ports=3389
add action=dst-nat chain=dstnat dst-port=443 protocol=tcp to-addresses=192.168.0.19 to-ports=443
add action=dst-nat chain=dstnat dst-port=80 protocol=tcp to-addresses=192.168.0.19 to-ports=80

Re: Can't reach internet

Posted: Fri Oct 27, 2017 3:19 am
by sid5632
Why have you got "to-addresses=0.0.0.0" on that first masquerade rule?

Re: Can't reach internet

Posted: Fri Oct 27, 2017 4:20 am
by dragonauta
Sorry, wrong document!
I always export and save as txt.
Fixed my first post.

Re: Can't reach internet

Posted: Fri Oct 27, 2017 11:53 am
by lazarosk
have you done:

ip-firewall-nat-
add-src nat-out interface eth1(or the pppoe if you are doing it from the mikrotik)-action masquerade

?

Re: Can't reach internet

Posted: Fri Oct 27, 2017 5:39 pm
by dragonauta
Thanks lazarosk,
Nope, I haven't done that.

But I found where my mistake was.
These 2 rules prevent me from surfing the web:
add action=dst-nat chain=dstnat dst-port=443 protocol=tcp to-addresses=192.168.0.19 to-ports=443
add action=dst-nat chain=dstnat dst-port=80 protocol=tcp to-addresses=192.168.0.19 to-ports=80
I disabled them and everything works now.

BUT:
I have a local server (192.168.0.19) which is an nginx reverse proxy: it provides me several services from a proxmox server with some containers.

When using an awful TP-LINK I was able to access those services through a NOIP domain from inside my LAN, just by forwarding ports.
I've tried enabling hairpin but it's not working.

Should I add these to my rules??
/ip firewall nat 
add chain=srcnat src-address=192.168.0.0/24 dst-address=192.168.0.19 protocol=tcp dst-port=80 out-interface=LAN action=masquerade comment="hairpin for http"
add chain=srcnat src-address=192.168.0.0/24 dst-address=192.168.0.19 protocol=tcp dst-port=443 out-interface=LAN action=masquerade comment="hairpin for https"
add chain=srcnat src-address=192.168.0.0/24 dst-address=192.168.0.18 protocol=tcp dst-port=18389 out-interface=LAN action=masquerade comment="hairpin for RDP"

Re: Can't reach internet  [SOLVED]

Posted: Fri Oct 27, 2017 8:33 pm
by dragonauta
ok, got it working now.

Found this on the forum: Hairpin & DDNS
Thanks to docmarius for giving the answer I was looking for.

So after several tries I got these rules working:
/ip firewall filter
add action=accept chain=input comment="defconf: accept ICMP" in-interface=ether1-gw protocol=icmp
add action=accept chain=input comment="defconf: accept established,related" connection-state=established,related in-interface=ether1-gw
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related in-interface=ether1-gw
add action=accept chain=forward comment="defconf: accept established,related" connection-state=established,related in-interface=ether1-gw
add action=drop chain=input comment="defconf: drop all from WAN" in-interface=ether1-gw
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid in-interface=ether1-gw
add action=drop chain=forward comment="defconf: drop allfrom WAN not DSTNATed" connection-nat-state=!dstnat connection-state=new in-interface=ether1-gw
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade"
add action=dst-nat chain=dstnat dst-port=10022 in-interface=ether1-gw protocol=tcp to-addresses=192.168.0.10 to-ports=22
add action=dst-nat chain=dstnat dst-port=12080 in-interface=ether1-gw log=yes protocol=tcp to-addresses=192.168.0.14 to-ports=80
add action=dst-nat chain=dstnat dst-port=1194 in-interface=ether1-gw protocol=udp to-addresses=192.168.0.14 to-ports=1194
add action=dst-nat chain=dstnat dst-port=18389 in-interface=ether1-gw protocol=tcp to-addresses=192.168.0.18 to-ports=3389
add action=dst-nat chain=dstnat dst-port=80 in-interface=ether1-gw protocol=tcp to-addresses=192.168.0.19 to-ports=80
add action=dst-nat chain=dstnat dst-port=443 in-interface=ether1-gw protocol=tcp to-addresses=192.168.0.19 to-ports=443
add action=dst-nat chain=dstnat dst-address-list=Hairpin in-interface=bridge to-addresses=192.168.0.19
/ip firewall address-list 
add address=AAA.BBB.CCC.DDD comment="updated by hairpin_public_ip script" list=Hairpin
/system scheduler add interval=5m name=hairpin_public_ip on-event=hairpin_public_ip policy=read,write,test start-date=oct/27/2017 start-time=17:00:00
And finally, the hairpin_public_ip script that updates Hairpin list with actual public IP.
# this is the global variable holding the last known public IP
:global HairpinPreviousIP ;

# get the current WAN IP
:local currentIP ;

:do {
    :set currentIP [/ip address get [find interface=ether1-gw] address] ;
} on-error={
    # you could add a failover static IP here, just have something so the script won't fail
    :set currentIP 192.168.0.19 ;
}

# Strip the net mask off the IP address
:for i from=( [:len $currentIP] - 1) to=0 do={
   :if ( [:pick $currentIP $i] = "/") do={
       :set currentIP [:pick $currentIP 0 $i] ;
   }
}

# Public IP has changed
:if ($currentIP != $HairpinPreviousIP) do={

    # clear the address list
    :foreach entry in=[/ip firewall address-list find list="Hairpin"] do={
        /ip firewall address-list remove $entry
    }

    # add new address to the address list
    /ip firewall address-list add list="Hairpin" address=$currentIP

    # here you could also add other static router IPs to the Hairpin list
    # /ip firewall address-list add list="Hairpin" address=192.168.1.2

    # store the new IP
    :set HairpinPreviousIP $currentIP ;
}
Now I have internet and can reach my servers from the internet using my dynamic DNS.
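The following is an added example, not code from the thread: a minimal first-match simulator of the dstnat chain that shows why the original port-80/443 rules (no in-interface) hijacked every LAN web connection, and why the solved version (in-interface=ether1-gw plus the Hairpin address-list rule) leaves outbound browsing alone while still hairpinning LAN clients that hit the public IP. Interface names and server addresses are the thread's; the public IP, the test packets and the Hairpin list contents are constructed for the demo.

```python
# Added example: simulate RouterOS dstnat chain evaluation (first matching rule wins).
WAN_IF, LAN_IF = "ether1-gw", "bridge"
PUBLIC_IP = "203.0.113.5"                  # constructed stand-in for AAA.BBB.CCC.DDD
ADDRESS_LISTS = {"Hairpin": {PUBLIC_IP}}   # what the hairpin_public_ip script maintains

def rule(dst_port=None, proto=None, in_if=None, dst_list=None, to=None, to_port=None):
    """A dst-nat rule; None means the matcher is not set (matches anything)."""
    return dict(dst_port=dst_port, proto=proto, in_if=in_if,
                dst_list=dst_list, to=to, to_port=to_port)

# First post: no in-interface, so these match traffic arriving on the bridge too.
ORIGINAL = [
    rule(443, "tcp", to="192.168.0.19", to_port=443),
    rule(80, "tcp", to="192.168.0.19", to_port=80),
]
# Solved post: WAN-only port forwards, plus the hairpin rule keyed on the Hairpin list.
FIXED = [
    rule(80, "tcp", in_if=WAN_IF, to="192.168.0.19", to_port=80),
    rule(443, "tcp", in_if=WAN_IF, to="192.168.0.19", to_port=443),
    rule(in_if=LAN_IF, dst_list="Hairpin", to="192.168.0.19"),
]

def matches(r, pkt):
    if r["dst_port"] is not None and r["dst_port"] != pkt["dst_port"]:
        return False
    if r["proto"] is not None and r["proto"] != pkt["proto"]:
        return False
    if r["in_if"] is not None and r["in_if"] != pkt["in_if"]:
        return False
    if r["dst_list"] is not None and pkt["dst"] not in ADDRESS_LISTS[r["dst_list"]]:
        return False
    return True

def dstnat(rules, pkt):
    """Return (dst, dst_port) after the first matching dst-nat rule, or unchanged."""
    for r in rules:
        if matches(r, pkt):
            new_port = r["to_port"] if r["to_port"] is not None else pkt["dst_port"]
            return (r["to"], new_port)
    return (pkt["dst"], pkt["dst_port"])

# Constructed packets (198.51.100.20 stands in for any web server on the internet).
LAN_TO_INTERNET = dict(in_if=LAN_IF, proto="tcp", dst="198.51.100.20", dst_port=80)
WAN_TO_PUBLIC = dict(in_if=WAN_IF, proto="tcp", dst=PUBLIC_IP, dst_port=443)
LAN_TO_PUBLIC = dict(in_if=LAN_IF, proto="tcp", dst=PUBLIC_IP, dst_port=443)

if __name__ == "__main__":
    print("original, LAN -> internet:80 ", dstnat(ORIGINAL, LAN_TO_INTERNET))  # hijacked
    print("fixed,    LAN -> internet:80 ", dstnat(FIXED, LAN_TO_INTERNET))     # untouched
    print("fixed,    WAN -> public:443  ", dstnat(FIXED, WAN_TO_PUBLIC))       # forwarded
    print("fixed,    LAN -> public:443  ", dstnat(FIXED, LAN_TO_PUBLIC))       # hairpinned
```

The hairpinned connection still needs srcnat so the server's reply returns via the router rather than straight to the LAN client; in the solved config the "defconf: masquerade" rule has no out-interface restriction, so it covers that path too.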