Oreska - Užice

WWW.UZICE.NET - Užičani, let's hang out => Mikrotik => Topic started by: ludus 11.06.2014. 20:48:27



Title: Mikrotik DNS problem (network with an internal SAMBA DC and BIND server)
Post by: ludus 11.06.2014. 20:48:27
I have the following problem with a Mikrotik RB1100AHx2 - RouterOS 5.26. Please help if anyone has an idea what is wrong here.

I want to replace the existing Endian UTM Appliance with the RB1100AHx2.
I have an internal mail server (Zimbra Collaboration Server) and an internal BIND server that holds the forward and reverse zones of the local domain (imefirme.local).
Outgoing email traffic goes through Eunet's mail proxy ehrelay.eunet.rs using TLS authentication.
The RB1100AHx2 should be configured the same way as the Endian UTM (but obviously there is some problem that I don't see).

When I plug the network cables (LAN and WAN) into the Mikrotik, everything works as it should, except outgoing mail.
Judging by the messages in mail.log it is a DNS problem: "...status=deferred (Host or domain name not found. Name service error for name=mailproxy.ourisp.com type=MX: Host not found, try again)".

The Endian UTM and the RB1100AHx2 are both powered on and sit next to each other. When I plug the network cables (LAN and WAN) into the Mikrotik, mail stops going out and ends up in the deferred queue.
As soon as I move the cables back to the Endian UTM, everything in the deferred queue goes out and outgoing mail traffic returns to normal.

I'm not sure whether some additional firewall rules for DNS traffic are needed on the Mikrotik. In any case, here is my Mikrotik firewall configuration:


Code:
# jun/10/2014 19:26:34 by RouterOS 5.26
# software id = XXXX-YYYY
#
/ip firewall layer7-protocol
add name=facebook regexp="^.+(facebook.com).*\$"

/ip firewall address-list
add address=172.23.24.0/24 disabled=no list=local-subnet
add address=192.168.0.0/16 disabled=no list=rfc-s
add address=172.16.0.0/12 disabled=no list=rfc-s
add address=10.0.0.0/8 disabled=no list=rfc-s
add address=0.0.0.0/8 disabled=no list=rfc-s
add address=224.0.0.0/3 disabled=no list=rfc-s
add address=127.0.0.0/8 disabled=no list=rfc-s

/ip firewall connection tracking
set enabled=yes generic-timeout=10m icmp-timeout=10s tcp-close-timeout=10s \
    tcp-close-wait-timeout=10s tcp-established-timeout=1d \
    tcp-fin-wait-timeout=10s tcp-last-ack-timeout=10s \
    tcp-syn-received-timeout=5s tcp-syn-sent-timeout=5s tcp-syncookie=no \
    tcp-time-wait-timeout=10s udp-stream-timeout=3m udp-timeout=10s

/ip firewall filter
add action=accept chain=forward comment="ACCEPT ALL from LOCAL SUBNET" \
    disabled=no src-address-list=local-subnet
add action=drop chain=forward comment="DROP ALL from RFC-S" disabled=no \
    src-address-list=rfc-s
add action=accept chain=forward comment=SMTP disabled=no dst-port=25 \
    in-interface=pppoe-out1-adsl protocol=tcp
add action=accept chain=input comment="PPTP TCP" disabled=no dst-port=1723 \
    in-interface=pppoe-out1-adsl protocol=tcp
add action=accept chain=input comment="PPTP GRE" disabled=no in-interface=\
    pppoe-out1-adsl protocol=gre
add action=accept chain=input comment=WinBox disabled=no dst-port=8291 \
    in-interface=pppoe-out1-adsl protocol=tcp
add action=accept chain=input comment="SSH Mikrotik" disabled=no dst-port=\
    22 in-interface=pppoe-out1-adsl protocol=tcp
add action=accept chain=forward comment="DATASRV FTP 1" disabled=no dst-port=\
    20-21 in-interface=pppoe-out1-adsl protocol=tcp
add action=accept chain=forward comment="DATASRV FTP 2" disabled=no dst-port=\
    51423-61524 in-interface=pppoe-out1-adsl protocol=tcp
add action=drop chain=forward comment="Facebook BLOCK" disabled=no \
    layer7-protocol=facebook protocol=tcp
add action=accept chain=input comment="allow PING" disabled=no \
    protocol=icmp
add action=accept chain=input comment="allow ESTABLISHED" \
    connection-state=established disabled=no in-interface=pppoe-out1-adsl
add action=accept chain=input comment="allow RELATED" \
    connection-state=related disabled=no in-interface=pppoe-out1-adsl
add action=drop chain=input comment="DROP ALL" disabled=no \
    in-interface=pppoe-out1-adsl

/ip firewall nat
add action=masquerade chain=srcnat comment="nr0 - MASQUERADING" \
    disabled=no out-interface=pppoe-out1-adsl
add action=dst-nat chain=dstnat comment=SMTP disabled=no dst-port=25 \
    in-interface=pppoe-out1-adsl protocol=tcp to-addresses=172.23.24.4 \
    to-ports=25
add action=dst-nat chain=dstnat comment="DATASRV FTP 1" disabled=no dst-port=\
    20-21 in-interface=pppoe-out1-adsl protocol=tcp to-addresses=\
    172.23.24.5 to-ports=20-21
add action=dst-nat chain=dstnat comment="DATASRV FTP 2" disabled=no dst-port=\
    51423-61524 in-interface=pppoe-out1-adsl protocol=tcp to-addresses=\
    172.23.24.5 to-ports=51423-61524

/ip firewall service-port
set ftp disabled=no ports=21
set tftp disabled=no ports=69
set irc disabled=no ports=6667
set h323 disabled=no
set sip disabled=no ports=5060,5061 sip-direct-media=yes
set pptp disabled=no

/ip dhcp-server
add add-arp=yes address-pool=dhcp_pool1 authoritative=after-2sec-delay \
    bootp-support=static disabled=no interface=bridge1to12 lease-time=3d \
    name=dhcp1
/ip dhcp-server config
set store-leases-disk=5m
/ip dhcp-server network
add address=172.23.24.0/24 dhcp-option="" dns-server=172.23.24.3 domain=\
    mydomain.local gateway=172.23.24.1 netmask=24 ntp-server="" wins-server=\
    172.22.22.3

/ip dns
set allow-remote-requests=yes cache-max-ttl=1w cache-size=2048KiB \
    max-udp-packet-size=4096 servers=208.67.222.222,208.67.220.220




Title: Re: Mikrotik DNS problem (network with an internal SAMBA DC and BIND server)
Post by: aca_coa 16.07.2014. 06:55:46
Have you tried disabling all the rules under Filter Rules and then checking whether it works?
And of course, when you powered on the rb1100, did you delete its default configuration? It can cause problems.

What I would try is:
1. A clean rb1100 - /system reset-configuration no-defaults=yes
2. Set up the addresses and DNS
3. Check whether it works.


Title: Re: Mikrotik DNS problem (network with an internal SAMBA DC and BIND server)
Post by: Pedja 17.07.2014. 17:33:08
Do the computers on the local network use the local BIND server as their general DNS server, or is the Mikrotik router their DNS?
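The question above (which resolver the LAN hosts actually use) and the mail.log error in the first post ("type=MX: Host not found, try again") are easiest to settle with a direct MX query against each hop: the BIND box, the Mikrotik itself, and an upstream server. The script below is an added diagnostic written for this thread, not code from any of the posters or from MikroTik; it builds a raw DNS MX query with and without an EDNS0 OPT record (the posted config sets max-udp-packet-size=4096 on the router) and reports the rcode, TC bit, answer count and reply size, so "the resolver returns SERVFAIL" can be told apart from "no reply ever comes back through the router". The resolver addresses are command-line arguments; the embedded sample reply for example.net / mail.example.net is constructed by hand so the parser can be exercised offline, it was not captured from this network.

```python
#!/usr/bin/env python3
"""Added MX-lookup diagnostic (not from the thread). Stdlib only."""
import random
import socket
import struct
import sys

QTYPE_MX = 15
RCODE_NAMES = {0: "NOERROR", 1: "FORMERR", 2: "SERVFAIL", 3: "NXDOMAIN", 5: "REFUSED"}


def encode_name(name):
    """Wire-format a dotted name: length-prefixed labels ending in a zero byte."""
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def build_query(name, qtype=QTYPE_MX, edns_udp_size=4096, txid=None):
    """Build a recursive query; edns_udp_size=None omits the OPT record."""
    txid = random.randrange(0, 65536) if txid is None else txid
    flags = 0x0100  # RD set, everything else clear
    arcount = 1 if edns_udp_size else 0
    header = struct.pack("!HHHHHH", txid, flags, 1, 0, 0, arcount)
    question = encode_name(name) + struct.pack("!HH", qtype, 1)  # class IN
    opt = b""
    if edns_udp_size:
        # OPT RR: root name, TYPE 41, CLASS carries the advertised UDP payload
        # size, TTL holds extended rcode/version/flags (all zero), no RDATA.
        opt = b"\x00" + struct.pack("!HHIH", 41, edns_udp_size, 0, 0)
    return header + question + opt


def read_name(msg, off):
    """Decode a possibly compressed name; return (name, offset after it)."""
    labels, end = [], None
    while True:
        ln = msg[off]
        if ln & 0xC0 == 0xC0:  # compression pointer: follow it, remember where we left
            if end is None:
                end = off + 2
            off = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            continue
        off += 1
        if ln == 0:
            break
        labels.append(msg[off:off + ln].decode("ascii"))
        off += ln
    return ".".join(labels), (off if end is None else end)


def parse_response(msg):
    """Return id, rcode, TC flag, MX answers as (preference, exchange), size."""
    txid, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    off = 12
    for _ in range(qd):
        _, off = read_name(msg, off)
        off += 4  # skip QTYPE + QCLASS
    answers = []
    for _ in range(an):
        _, off = read_name(msg, off)
        rtype, _rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        if rtype == QTYPE_MX:
            pref = struct.unpack("!H", msg[off:off + 2])[0]
            exch, _ = read_name(msg, off + 2)
            answers.append((pref, exch))
        off += rdlen
    rcode = flags & 0xF
    return {"id": txid, "rcode": rcode, "rcode_name": RCODE_NAMES.get(rcode, str(rcode)),
            "tc": bool(flags & 0x0200), "answers": answers, "size": len(msg)}


def query(name, server, edns_udp_size=4096, timeout=3.0):
    """One UDP round trip; raises socket.timeout when nothing comes back."""
    q = build_query(name, edns_udp_size=edns_udp_size)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(q, (server, 53))
        data, _ = s.recvfrom(65535)
    r = parse_response(data)
    if r["id"] != (q[0] << 8 | q[1]):
        raise ValueError("transaction id mismatch")
    return r


# Constructed sample reply (hand-assembled, not captured from the thread's network):
# example.net MX 10 mail.example.net, both names compressed to offset 12.
SAMPLE_RESPONSE = (
    b"\x12\x34\x81\x80\x00\x01\x00\x01\x00\x00\x00\x00"    # id 0x1234, QR+RD+RA, 1 question, 1 answer
    + b"\x07example\x03net\x00\x00\x0f\x00\x01"             # question: example.net MX IN
    + b"\xc0\x0c\x00\x0f\x00\x01\x00\x00\x0e\x10\x00\x09"   # answer: name ptr, MX, IN, TTL 3600, RDLEN 9
    + b"\x00\x0a\x04mail\xc0\x0c"                           # pref 10, mail.<ptr to example.net>
)

if __name__ == "__main__":
    # usage: mxcheck.py <name> <resolver-ip> [more resolver ips...]
    name, servers = sys.argv[1], sys.argv[2:]
    for srv in servers:
        for size in (4096, None):
            label = "edns=%s" % size if size else "no-edns"
            try:
                r = query(name, srv, edns_udp_size=size)
                print("%s %-9s %s tc=%s answers=%d bytes=%d" % (
                    srv, label, r["rcode_name"], r["tc"], len(r["answers"]), r["size"]))
            except socket.timeout:
                print("%s %-9s timeout (no reply at all)" % (srv, label))
```

Run it from a LAN host as `mxcheck.py <relay-name> 172.23.24.3 172.23.24.1 208.67.222.222` (addresses taken from the posted config). A timeout only with the EDNS query, or a reply with tc=True, points at large UDP replies not making it back through the router; a SERVFAIL from BIND but NOERROR from the upstream server points at BIND's own recursion path.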


Title: Re: Mikrotik DNS problem (network with an internal SAMBA DC and BIND server)
Post by: lujics 18.07.2014. 04:44:02
Hello.

IP->DNS - Allow remote requests "yes"

after that you must create a filter rule:

;;; DNS - Public drop
chain=input action=drop protocol=udp src-address=x.x.x.x dst-port=53

BTW: the layer7 rule you have doesn't help much; it tends to cause more problems than it solves
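As an added example (my own, not a rule from this thread or from the poster's export): with allow-remote-requests=yes the router answers DNS for anyone who can reach it, so the usual pairing is an input-chain drop for DNS arriving on the public interface, for both UDP and TCP 53, placed ahead of the accept rules, followed by a counter check to confirm the rules match. The interface name pppoe-out1-adsl is taken from the posted config; the rule comments are mine.

```routeros
# The router's resolver serves the LAN (allow-remote-requests=yes), so
# unsolicited DNS from the public side must never reach the input chain's
# accept rules.
/ip dns
set allow-remote-requests=yes

/ip firewall filter
# place-before=0 puts each rule at the top of the list, ahead of the
# existing accepts, so a WAN-side query is dropped before it is answered.
add chain=input action=drop protocol=udp dst-port=53 \
    in-interface=pppoe-out1-adsl comment="DNS - public drop (udp)" place-before=0
add chain=input action=drop protocol=tcp dst-port=53 \
    in-interface=pppoe-out1-adsl comment="DNS - public drop (tcp)" place-before=0

# Verify: the packet/byte counters on both rules should grow while
# unsolicited DNS keeps arriving from the WAN.
/ip firewall filter print stats where comment~"DNS - public drop"

# Confirm the router's own resolution still works from the CLI.
:put [:resolve "example.com"]
```

LAN queries arrive on the bridge interface, not on pppoe-out1-adsl, so they are unaffected; only the public side is closed off.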