Access to WebFig via VPN and LAN (Block config via WAN)

RouterOS Beginner Basics
1

Hi,

I have a beginners question that I tried to figure out by reading already given answers in forums but they were often slightly different, so I had no luck so far.

My RouterBOARD 750G r3 is still pretty much in standard configuration. I would like to be able to access the WebFig (or Winbox) via VPN and LAN but not via WAN. I want configuration via WAN closed. The VPN Server works. It arrives at subnet 192.168.89.x while the rest of the network including DHCP etc. is on 192.168.88.x. I can reach various IP numbers in the 192.168.88.x subnet via VPN from an outside PC without any problems.

So I don't want the router to be configurable from the outside directly. Right now I can configure it (WebFig/Winbox) from WAN and LAN but not VPN.

I would like to be able to disable these two rules:

  • add action=accept chain=input comment=WinBox dst-port=8291 protocol=tcp


  • add action=accept chain=input dst-port=80 protocol=tcp

But when I do that, I cannot configure the router from WAN anymore, and since I have it in my cottage in 1000 km away 12 hours driving, that is a bit annoying.

What should I do?

Regards,
Jens Malmgren

Here below is an export of the settings where passwords etc. are removed.

oct/21/2018 22:30:53 by RouterOS 6.43.2

software id = LK7A-X7E7

model = RouterBOARD 750G r3

serial number = xxx

/interface bridge

/interface ethernet
set [ find default-name=ether1 ] speed=100Mbps
set [ find default-name=ether2 ] name=ether2-master speed=100Mbps
set [ find default-name=ether3 ] speed=100Mbps
set [ find default-name=ether4 ] speed=100Mbps
set [ find default-name=ether5 ] speed=100Mbps
/interface pptp-server
add name=pptp-profile user=""
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
add exclude=dynamic name=discover
add name=mactel
add name=mac-winbox
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip hotspot profile
set [ find default=yes ] html-directory=flash/hotspot
/ip pool
add name=dhcp ranges=192.168.88.10-192.168.88.254
add name=pptp-pool ranges=192.168.89.1-192.168.89.254
/ip dhcp-server
add address-pool=dhcp disabled=no interface=bridge1 name=defconf
/ppp profile
add local-address=pptp-pool name=pptp-profile remote-address=pptp-pool
/interface bridge port
add bridge=bridge1 interface=ether3
add bridge=bridge1 interface=ether4
add bridge=bridge1 interface=ether5
add bridge=bridge1 interface=ether2-master
/ip neighbor discovery-settings
set discover-interface-list=discover
/interface l2tp-server server
set ipsec-secret=xxxx use-ipsec=yes
/interface list member
add comment=defconf interface=bridge1 list=LAN
add comment=defconf interface=ether1 list=WAN
add interface=bridge1 list=discover
add interface=ether3 list=discover
add interface=ether4 list=discover
add interface=ether5 list=discover
add interface=pptp-profile list=discover
add interface=bridge1 list=mactel
add interface=bridge1 list=mac-winbox
/interface pptp-server server
set default-profile=pptp-profile enabled=yes
/interface sstp-server server
set default-profile=default-encryption
/ip address
add address=192.168.88.1/24 comment=defconf interface=bridge1 network=192.168.88.0
/ip cloud
set ddns-enabled=yes
/ip dhcp-client
add comment=defconf dhcp-options=hostname,clientid disabled=no interface=ether1
/ip dhcp-server network
add address=192.168.88.0/24 comment=defconf gateway=192.168.88.1
/ip dns
set allow-remote-requests=yes
/ip dns static
add address=192.168.88.1 name=router.lan
add address=192.168.88.2 name=toughswitch
/ip firewall filter
add action=accept chain=input comment=WinBox dst-port=8291 protocol=tcp
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=accept chain=input dst-port=1723 protocol=tcp
add action=accept chain=input protocol=gre
add action=accept chain=input dst-port=80 protocol=tcp
add action=accept chain=input comment=Unify disabled=yes dst-port=3478 protocol=udp
add action=accept chain=input comment="allow sstp" dst-port=443 protocol=tcp
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=drop chain=input comment="defconf: drop all not coming from LAN" in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related
add action=accept chain=forward comment="defconf: accept established,related, untracked" connection-state=established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=input comment="allow IPsec NAT" dst-port=4500 protocol=udp
add action=accept chain=input comment="allow IKE" dst-port=500 protocol=udp
add action=accept chain=input comment="allow l2tp" dst-port=1701 protocol=udp
add action=drop chain=forward comment="defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat connection-state=new in-interface-list=WAN
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" ipsec-policy=out,none out-interface-list=WAN
add action=masquerade chain=srcnat comment="masq. vpn traffic" src-address=192.168.89.0/24
/ppp profile
set *FFFFFFFE local-address=192.168.89.1 remote-address=*4
/ppp secret
add name=vpn1 password=xxx profile=pptp-profile
add name=vpn2 password=yyy profile=pptp-profile
/system clock
set time-zone-name=Europe/Stockholm
/system resource irq rps
set ether1 disabled=no
set ether3 disabled=no
set ether4 disabled=no
set ether5 disabled=no
/system routerboard settings
set protected-routerboot=enabled silent-boot=no
/tool mac-server
set allowed-interface-list=mactel
/tool mac-server mac-winbox
set allowed-interface-list=mac-winbox