I’ve got a bunch of RouterOS boxes at WAN remote locations behind NATs. I want to use AWS CHR to Winbox into the remote client. I have the AWS CHR running and SSTP connection binding on the server and running on the remote client.
I can’t figure out how to connect with Winbox via AWS CHR to the remote client. As I have many devices to connect, I would like to assign them ports. I picked TCP port 3999 for this one. I have TCP open inbound and outbound for ports 3999 and 8291 on AWS.
I don’t know how to use Winbox with the AWS IP:port to connect to the client. It appears I have not set up the IP firewall NAT correctly, or am missing something else, to connect to the client via Winbox login through the AWS CHR. I’m also not clear on what to put in the Winbox login fields to connect to the client. Thanks in advance for the help!
Here is the AWS CHR setup:
/ip pool add name=pool-vpn ranges=10.10.100.10-10.10.100.254
/ppp profile add name=sstp01 local-address=10.10.100.1 remote-address=pool-vpn
/ppp secret add name=sstpclient01 password=remote service=sstp profile=sstp01
/ppp secret add name=remotesstpclient01 password=remote2 service=sstp profile=sstp01
/interface sstp-server server set enabled=yes default-profile=sstp01
/ip firewall filter add chain=input port=443 protocol=tcp action=accept src-address=10.10.100.0/24
/ip firewall filter add chain=forward port=443 protocol=tcp action=accept src-address=10.10.100.0/24
/ip firewall nat add action=masquerade chain=srcnat src-address=10.10.100.0/24
/ip firewall nat add action=masquerade chain=srcnat out-interface=ether1 src-address=10.10.100.0/24
/ip dns set servers=8.8.8.8,8.8.4.4 allow-remote-requests=yes
/ip firewall nat add action=dst-nat chain=dstnat disabled=no dst-port=3999 in-interface=ether1 protocol=tcp to-addresses=10.10.100.1 to-ports=3999
Here is the NAT WAN remote client setup:
/interface sstp-client add connect-to=XX.XXX.XXX.XXX:443 disabled=no name=sstpclient01 password=remote user=sstpclient01 verify-server-address-from-certificate=no comment="Winbox"
:if ([:len [/ip firewall filter find where chain=input and action=drop]] >0) do={ \
[/ip firewall filter add action=accept chain=input comment="Winbox" in-interface=sstpclient01 place-before=1]\
} else={ \
[/ip firewall filter add action=accept chain=input comment="Winbox" in-interface=sstpclient01]}
/user add name=remotesstpclient01 password=remote2 group=read address=10.0.0.0/8,172.16.0.0/12,192.168.0.0/16 comment="Winbox"
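A worked example of one way to map a per-device TCP port on the CHR to the Winbox port of a specific SSTP client, added here as illustration and not part of the original post or the poster's configuration. It assumes ether1 is the CHR's public interface, the 10.10.100.0/24 tunnel subnet and secret names from the post, and a fixed tunnel address 10.10.100.10 (a constructed value) for the device using sstpclient01.

```routeros
# Added example, not the poster's configuration. Assumes ether1 is the CHR's
# public interface and that each remote device gets a fixed tunnel address
# (10.10.100.10 is a constructed value) so the dst-nat target is stable.

# --- AWS CHR side ---
# Pin the remote device to a known tunnel address; a pool address can change
# on every reconnect, and the dst-nat target must be the client's tunnel
# address (not the server's own local-address) for the forward to reach it.
/ppp secret set [find name=sstpclient01] remote-address=10.10.100.10

# Map public TCP 3999 to Winbox (8291) on that device's tunnel address.
/ip firewall nat add chain=dstnat in-interface=ether1 protocol=tcp dst-port=3999 action=dst-nat to-addresses=10.10.100.10 to-ports=8291 comment="Winbox -> sstpclient01"

# Source-NAT the forwarded session to the CHR's tunnel address so the reply
# comes back through the SSTP tunnel instead of the remote site's own WAN
# uplink, and so the remote router sees the connection from 10.10.100.1.
/ip firewall nat add chain=srcnat out-interface=all-ppp dst-address=10.10.100.0/24 action=masquerade comment="hairpin via tunnel"

# Allow only the dst-natted Winbox session through the forward chain, then
# drop everything else that tries to cross from ether1 into the tunnels.
/ip firewall filter add chain=forward connection-nat-state=dstnat protocol=tcp dst-address=10.10.100.10 dst-port=8291 action=accept comment="Winbox -> sstpclient01"
/ip firewall filter add chain=forward in-interface=ether1 out-interface=all-ppp action=drop comment="no other WAN->tunnel traffic"

# --- remote client side ---
# Winbox only needs to answer the tunnel; restrict the service to that subnet.
/ip service set winbox address=10.10.100.0/24 port=8291

# Winbox on the admin workstation then uses Connect To = <AWS public IP>:3999
# and the remote router's own /user credentials (remotesstpclient01 above),
# because the login is handled by the remote router, not by the CHR.
```

Each additional device gets its own fixed tunnel address and its own dstnat rule with a distinct public port; the srcnat and forward rules above are shared.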