Oreska - Užice : Wireless Užice - Užice bez žice - Mikrotik DNS problem (mreza sa internim SAMBA DC i BIND serverom) - forum Uzicana - mesta: Uzice, Pozega, Arilje, Ivanjica, Kosjeric, Bajina Basta, Priboj, Prijepolje, Zlatibor

Imam sledeci problem sa Mikrotikom RB1100AHx2 - RouterOS 5.26. Pomozite ako neko ima neku ideju sta ovde nije u redu.

Hocu da zamenim postojeci Endian UTM Appliance sa RB1100AHx2.
Imam interni mail server (Zimbra Collaboration Server) i interni BIND server koji drzi forward i reverse zonu localnog domena (imefirme.local).
Odlazeci email saobracaj ide kroz Eunetov mail proxy ehrelay.eunet.rs koristeci TLS autentifikaciju.
RB1100AHx2 bi trebalo da je konfigurisan na isti nacin kao Endian UTM (ali ocigledno postoji neki problem koji ja ne vidim).

Kad zakacim mrezne kablove (lan i wan kablove) na Mikrotik, sve radi kako treba, osim odlazecih mejlova.
Sudeci po porukama iz mail.log radi se o DNS problemu: "..status=deferred (Host or domain name not found. Name service error for name=mailproxy.ourisp.com type=MX: Host not found, try again)".

Endian UTM i RB1100AHx2 su ukljuceni i stoje jedan pored drugog. Kad zakacim mrezne kablove (lan i wan kablove) na mikrotik, mejlovi prestaju da odlaze i idu u deffered queue.
Cim prebacim mrezne kablove na Endian UTM, sve iz deffered queue ode i odlazeci mail saobracaj se vraca u normalu.

Nisam siguran da li su ovde potrebna neka dodatna firewall pravila za DNS saobracaj na Mikrotiku. U svakom slucaju, evo moje konfiguracije Mikrotik firewall-a:

Kod:

# jun/10/2014 19:26:34 by RouterOS 5.26
# software id = XXXX-YYYY
#
/ip firewall layer7-protocol

add name=facebook regexp="^.+(facebook.com).*\$"


/ip firewall address-list

add address=172.23.24.0/24 disabled=no list=local-subnet

add address=192.168.0.0/16 disabled=no list=rfc-s

add address=172.16.0.0/12 disabled=no list=rfc-s

add address=10.0.0.0/8 disabled=no list=rfc-s

add address=0.0.0.0/8 disabled=no list=rfc-s

add address=224.0.0.0/3 disabled=no list=rfc-s

add address=127.0.0.0/8 disabled=no list=rfc-s


/ip firewall connection tracking

set enabled=yes generic-timeout=10m icmp-timeout=10s tcp-close-timeout=10s \
    tcp-close-wait-timeout=10s tcp-established-timeout=1d \
    tcp-fin-wait-timeout=10s tcp-last-ack-timeout=10s \
    tcp-syn-received-timeout=5s tcp-syn-sent-timeout=5s tcp-syncookie=no \
    tcp-time-wait-timeout=10s udp-stream-timeout=3m udp-timeout=10s
	

/ip firewall filter

add action=accept chain=forward comment="ACCEPT ALL from LOCAL SUBNET" \
    disabled=no src-address-list=local-subnet

add action=drop chain=forward comment="DROP ALL from RFC-S" disabled=no \
    src-address-list=rfc-s

add action=accept chain=forward comment=SMTP disabled=no dst-port=25 \
    in-interface=pppoe-out1-adsl protocol=tcp

add action=accept chain=input comment="PPTP TCP" disabled=no dst-port=1723 \
    in-interface=pppoe-out1-adsl protocol=tcp

add action=accept chain=input comment="PPTP GRE" disabled=no in-interface=\
    pppoe-out1-adsl protocol=gre

add action=accept chain=input comment=WinBox disabled=no dst-port=8291 \
    in-interface=pppoe-out1-adsl protocol=tcp

add action=accept chain=input comment="SSH Mikrotik" disabled=no dst-port=\
    22 in-interface=pppoe-out1-adsl protocol=tcp

add action=accept chain=forward comment="DATASRV FTP 1" disabled=no dst-port=\
    20-21 in-interface=pppoe-out1-adsl protocol=tcp

add action=accept chain=forward comment="DATASRV FTP 2" disabled=no dst-port=\
    51423-61524 in-interface=pppoe-out1-adsl protocol=tcp

add action=drop chain=forward comment="Facebook BLOCK" disabled=no \
    layer7-protocol=facebook protocol=tcp

add action=accept chain=input comment="allow PING" disabled=no \
    protocol=icmp
	
add action=accept chain=input comment="allow ESTABLISHED" \
    connection-state=established disabled=no in-interface=pppoe-out1-adsl

add action=accept chain=input comment="allow RELATED" \
    connection-state=related disabled=no in-interface=pppoe-out1-adsl

add action=drop chain=input comment="DROP ALL" disabled=no \
    in-interface=pppoe-out1-adsl
	

	

/ip firewall nat

add action=masquerade chain=srcnat comment="nr0 - MASQUERADING" \
    disabled=no out-interface=pppoe-out1-adsl

add action=dst-nat chain=dstnat comment=SMTP disabled=no dst-port=25 \
    in-interface=pppoe-out1-adsl protocol=tcp to-addresses=172.23.24.4 \
    to-ports=25

add action=dst-nat chain=dstnat comment="DATASRV FTP 1" disabled=no dst-port=\
    20-21 in-interface=pppoe-out1-adsl protocol=tcp to-addresses=\
    172.23.24.5 to-ports=20-21

add action=dst-nat chain=dstnat comment="DATASRV FTP 2" disabled=no dst-port=\
    51423-61524 in-interface=pppoe-out1-adsl protocol=tcp to-addresses=\
    172.23.24.5 to-ports=51423-61524




/ip firewall service-port

set ftp disabled=no ports=21

set tftp disabled=no ports=69

set irc disabled=no ports=6667

set h323 disabled=no

set sip disabled=no ports=5060,5061 sip-direct-media=yes

set pptp disabled=no



/ip dhcp-server

add add-arp=yes address-pool=dhcp_pool1 authoritative=after-2sec-delay \
    bootp-support=static disabled=no interface=bridge1to12 lease-time=3d \
    name=dhcp1

/ip dhcp-server config

set store-leases-disk=5m

/ip dhcp-server network

add address=172.23.24.0/24 dhcp-option="" dns-server=172.23.24.3 domain=\
    mydomain.local gateway=172.23.24.1 netmask=24 ntp-server="" wins-server=\
    172.22.22.3


/ip dns
set allow-remote-requests=yes cache-max-ttl=1w cache-size=2048KiB \
    max-udp-packet-size=4096 servers=208.67.222.222,208.67.220.220

Oreska - Užice -