connect to winbox through vpn

Hi,
I have just configured MikroTik for the first time. Below are my firewall rules and config. I have successfully configured an OpenVPN server on the MikroTik. When I connect to the VPN I get an IP from the local LAN. I can also access other PCs with RDP. I would like to also access the MikroTik over OpenVPN but I can’t. How can I make it possible to connect to Winbox when I am connected to OpenVPN from a client PC?
Thanks

/ip address
add address=192.168.88.1/24 comment=defconf interface=bridge network=\
    192.168.88.0
add address=**** interface=ether1 network=***
/ip dhcp-client
add comment=defconf interface=ether1
/ip dhcp-server network
add address=192.168.88.0/24 comment=defconf dns-server=192.168.88.1 gateway=\
    192.168.88.1
/ip dns
set allow-remote-requests=yes servers=8.8.8.8
/ip dns static
add address=192.168.88.1 comment=defconf name=router.lan
/ip firewall filter
add action=accept chain=input disabled=yes dst-port=443 in-interface=\
    pppoe-out2 log=yes protocol=tcp
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment=\
    "defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=drop chain=input dst-port=443 log=yes protocol=tcp src-address=\
    !****
add action=accept chain=input comment="accept ovpn" dst-port=443 protocol=tcp
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
    in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
    ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
    disabled=yes ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
    connection-state=established,related
add action=accept chain=forward comment=\
    "defconf: accept established,related, untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
add action=drop chain=forward comment=\
    "defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
    connection-state=new in-interface-list=WAN
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" \
    ipsec-policy=out,none out-interface-list=WAN
add action=masquerade chain=srcnat disabled=yes src-address=****
/ip route
add distance=1 gateway=***

Hello, your firewall rules are missing a rule to allow traffic coming from the VPN to your router.

/ip firewall filter add action=accept chain=input comment=Winbox dst-port=8291 in-interface-list=!WAN protocol=tcp

This is an example rule with which everything except the WAN will have access to Winbox.
Consider specifying your Winbox port if it is other than 8291.

When I try to connect to Winbox from a computer inside the LAN (without a VPN connection), I can connect with Winbox. It’s when I am connected through the VPN (I get an IP of the LAN where the MikroTik is connected) that I am not able to connect.
So I can connect to the router when I am trying to connect from a PC in the office, inside the LAN. Can you please help me understand why I need a rule for the VPN, when I don’t need one when I am connecting from a PC inside the LAN without the VPN?
Thanks

Your router has the firewall rule below:

add action=drop chain=input comment="defconf: drop all not coming from LAN" \
    in-interface-list=!LAN

This rule blocks all access that comes from interfaces other than the LAN: any traffic arriving on an interface that is not a member of the LAN interface list is dropped.

The VPN interface is created dynamically when connecting and is not part of the LAN list. Therefore, you need to create a rule to allow access.

Is the rule you wrote above allowing a Winbox connection only when connected to the VPN? I don’t want to allow connections to the MikroTik when not connected to the VPN.

/ip firewall filter add action=accept chain=input comment=Winbox dst-port=8291 in-interface-list=!WAN protocol=tcp

Thank you

Can you explicitly say who should be able to use Winbox?
All LAN users and all VPN users for instance? Or is there a specific IP address besides LAN users?

The suggested rule opens access from all interfaces except the WAN interfaces, which remain blocked.

Another alternative is to enter the source IP you want to allow in the SRC-ADDRESS field, which also accepts a network, e.g. 192.168.0.0/24; replace that with the VPN network.

Hi,
Winbox connection must be available to users who are connected to the VPN. If possible, to the VPN user who will get a specific LAN IP after the VPN connection has been completed.
Thanks

WRONG, users do not get access to the router; ONLY THE ADMINS should get access to configure the router.
How to do this:
Create a source-address-list=Admin firewall address list!!

/ip firewall address-list
add address=IP1 list=Admin comment="local admin desktop"
add address=IP2 list=Admin comment="local admin laptop"
add address=IP3 list=Admin comment="local admin smartphone/ipad"
add address=IP4 list=Admin comment="remote wireguard IP"
add address=IP5 list=Admin comment="remote other VPN IP"

/ip firewall filter
# Input chain
# default rules to keep
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment="defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
# admin rules
add action=accept chain=input src-address-list=Admin comment="Config Access"
# (and NTP *** services if required, etc.)
add action=accept chain=input comment="Allow LAN DNS queries - UDP" \
    dst-port=53 in-interface-list=LAN protocol=udp
add action=accept chain=input comment="Allow LAN DNS queries - TCP" \
    dst-port=53 in-interface-list=LAN protocol=tcp
add action=drop chain=input comment="drop all else"
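An added worked example, not from any poster in this thread, that puts the address-list approach together for the original question: Winbox reachable only from a named local machine and from the OpenVPN admin account, whose tunnel address is pinned so the firewall can name it. Assumed values: the PPP user "admin-vpn", the addresses 192.168.88.10 and 192.168.88.250, and the defconf rule comment from the first post.

```routeros
# Added example (not the thread's own config). Assumptions: OpenVPN server is
# already working, LAN is 192.168.88.0/24 on "bridge", and the defconf rule
# "defconf: drop all not coming from LAN" is still present in the input chain.

# 1. Pin the VPN admin's tunnel address so a firewall rule can reference it.
#    Replace the password placeholder before use.
/ppp secret
add name=admin-vpn password=CHANGE-ME service=ovpn profile=default \
    remote-address=192.168.88.250

# 2. Hosts allowed to manage the router: one local desktop, one VPN admin.
/ip firewall address-list
add address=192.168.88.10 list=Admin comment="local admin desktop"
add address=192.168.88.250 list=Admin comment="admin-vpn (pinned OpenVPN address)"

# 3. Accept Winbox only from the Admin list. The rule is placed ahead of the
#    defconf rule that drops everything not arriving on a LAN-list interface;
#    the <ovpn-...> interface is dynamic and never in that list, which is why
#    Winbox over the tunnel was dropped. Matching in-interface=all-ppp as well
#    would tie the pinned address to the tunnel rather than to any LAN host.
/ip firewall filter
add chain=input action=accept protocol=tcp dst-port=8291 \
    src-address-list=Admin comment="Winbox from Admin list only" \
    place-before=[find comment="defconf: drop all not coming from LAN"]

# 4. Defence in depth: the Winbox service itself answers the same two hosts
#    only, and MAC-Winbox (which bypasses IP filtering) stays on LAN ports.
/ip service
set winbox address=192.168.88.10/32,192.168.88.250/32
/tool mac-server mac-winbox
set allowed-interface-list=LAN
```

Check the result with /ip firewall filter print and confirm the new accept rule sits above the defconf drop rule; a Winbox attempt from a non-listed LAN host should now be dropped by the same defconf rule.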

But why is RDP to LAN PCs allowed when I am connected to the VPN?

Because you don’t block it… You decided to allow it with this rule.

add action=drop chain=forward comment="defconf: drop all from WAN not DSTNATed" \
    connection-nat-state=!dstnat connection-state=new in-interface-list=WAN

The only thing blocked by this default rule is WAN to LAN traffic that is not dst-natted.
I suggest it’s much better to change this to

add action=accept chain=forward comment="internet traffic" in-interface-list=LAN out-interface-list=WAN
# enable the port-forwarding rule if required
add action=accept chain=forward comment="port forwarding" connection-nat-state=dstnat disabled=yes
add action=drop chain=forward comment="Drop all else"