I’m looking to set up a Backup LTE connection for my home network.
Primarily for getting in remotely, for example a LTE Enabled VPN server which I can connect to from outside over its public IP.
I already have a provider in my country identified which would give me a public not NATed un Firewalled public IP v4 on a pre payed LTE plan.
I would like the most a VPN which works from a windows client without any extra clients and which is not easily blocked, like SSTP.
The VPN server would need toe ability to detect its own IP and update a dyndns host accordingly.
To get the best reliability I think it should be one device that does the VPN server and LTE connectivity.
Alternatively I would like the option to set up the LTE box to bridge the obtained IP to a Ethernet port such that i can plug there in anything and its gets the IP assigned via DHCP and has full open network connectivity. Such that I can connect some other router and/or vpn server.
So what Miktorik hardware would be best for this job?
I live in Vienna and the reception is quite good here.
Traffic, not much 4k remote desktop that’s all.
I’m looking forward to use it with a 30GB/365-Days plan for only 40€/year.
Easy and RouterOS usually don’t go in the same sentence
The learning curve is quite steep but once you get how it works, it’s amazing what you can do with these devices.
I used to have an SXT LTE in vacation house in South of France with remote access for management and control.
Only keeping that link alive via Wireguard towards my home was a couple of Gb per month, not doing anything. So be careful if you only have 30Gb/year.
And Wireguard is considered one of the least chatty VPN protocols, others consume a lot more.
Ofcourse if you only activate that VPN on dial-up basis, your LTE only needs to listen. It will not send that much.
So that will result in a lot less traffic.
Yea I have a proper fiber internet connection for the everyday use the LTE is only in case the main internet goes down or the modem needs power cycling, or something that cant be resolved remotely, BSOD on the home server which does the everyday Routing and VPN, etc…
So the traffic should be minimal normally.
So I got the AX Lite LTE6 and set it up to use LTE for WAN, it has a LAN on ports 2,3,4 (192.168.x.x) and port 1 is connected to my regular network, excluded from the bridge, it gets a 10.x.x.x ip
when I setup port forwarding to the LAN it works fine but when i try to worward to a 10.x.x.x IP it does not.
How should I configure the port forwarding for the described use case such that it works?
The goal is to be able to RDP into PC’s in the 10.x.x.x through the LTE connection but not to provide actual internet connectivity to this network as it has an own fast fiber connection, the RDP over LTE is needed in case the main internet goes down and some remote troubleshooting is required to get the main network back up and running.
By default ether1 is WAN on most Mikrotik devices, it is possible that you did not change its categorization to LAN?
If this is the case, likely you have some firewall rules that block the connection.
Follow the instructions in this post: http://forum.mikrotik.com/t/forum-rules/173010/1
and post your configuration, so that some forum member may be able to give you some more accurate advice.
I have narrowed down the issue, watching the traffic with wireshark on the target machine the incomming traffic is redirected properly, but it keeps its publilc IP and the target machine ofcause uses a different default gateway, so not sure how to fix that actually
Can this even be fixed? the microtik router would need to replace the public IP of the requesting client with some 10.70.x.x of its own so that the answer arrives and so on…
EDIT: its working its working i just needed to add a masquarade rule for the LAN list as well,
how i wonder should i create a separate list for the port 1 instead of keeping it in the LAN list?
Next problem:
I have setup L2TP VPN, for it a created a new address pool 10.70.2.200/29
when i connect to the VPN from outside and attempt to connect to clients on the 10.x.x.x network the clients see the one router IP not the IP of the client, same as when using port forwarding with masquerade. When I disable the masquerade rule i cant connect to any 10.x.x.x from the VPN.
I have set up a new network bridge containing only the ethernet 1 port but that did not help eider.
the client sees the request comming from a VPN address 10.70.2.207 but it seams it can not answer i.e. the microtic router does not claim the 10.70.2.207 IP
how can i fix this issue?
EDIT: when i switch the VPN to use the regular lan pool 192.168.x.x where i woudl assume all should work normally i have the same issue
# 2024-08-29 09:12:00 by RouterOS 7.12.2
# software id =
#
# model = L41G-2axD&FG621-EA
# serial number =
/interface bridge
add admin-mac=... auto-mac=no comment=defconf name=bridge
add name=vpn-bridge
/interface wifiwave2
set [ find default-name=wifi1 ] channel.band=2ghz-ax .skip-dfs-channels=\
10min-cac .width=20/40mhz configuration.mode=ap .ssid=MikroTik-1E02AB \
security.authentication-types=wpa2-psk,wpa3-psk
/interface lte
set [ find default-name=lte1 ] allow-roaming=no band=""
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface lte apn
set [ find default=yes ] apn=webipaut use-network-apn=no
/ip pool
add name=default-dhcp ranges=192.168.88.10-192.168.88.254
add name=vpn-pool ranges=10.70.2.200/29
/ip dhcp-server
add address-pool=default-dhcp interface=bridge lease-time=10m name=defconf
/ppp profile
set *FFFFFFFE bridge=vpn-bridge local-address=vpn-pool remote-address=\
vpn-pool
/interface bridge port
add bridge=bridge comment=defconf interface=ether2
add bridge=bridge comment=defconf interface=ether3
add bridge=bridge comment=defconf interface=ether4
add bridge=bridge comment=defconf interface=wifi1
add bridge=vpn-bridge comment=vpn-bridge interface=ether1
/ip neighbor discovery-settings
set discover-interface-list=LAN
/interface l2tp-server server
set enabled=yes use-ipsec=required
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=lte1 list=WAN
add interface=vpn-bridge list=LAN
/interface sstp-server server
set enabled=yes
/ip address
add address=192.168.88.1/24 comment=defconf interface=bridge network=\
192.168.88.0
/ip cloud
set ddns-enabled=yes
/ip dhcp-client
# DHCP client can not run on slave or passthrough interface!
add interface=ether1
/ip dhcp-server network
add address=192.168.88.0/24 comment=defconf dns-server=192.168.88.1 gateway=\
192.168.88.1
/ip dns
set allow-remote-requests=yes
/ip dns static
add address=192.168.88.1 comment=defconf name=router.lan
/ip firewall filter
add action=accept chain=input comment=\
"defconf: accept established,related,untracked" connection-state=\
established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment=SSTP-VPN dst-port=443 protocol=tcp
add action=accept chain=input comment=PPTP-VPN dst-port=1723 protocol=tcp
add action=accept chain=input comment=PPTP-VPN protocol=gre
add action=accept chain=input comment=L2TP-VPN dst-port=500,1701,4500 \
protocol=udp
add action=accept chain=input comment=L2TP-VPN protocol=ipsec-esp
add action=accept chain=input comment=\
"defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
connection-state=established,related hw-offload=yes
add action=accept chain=forward comment=\
"defconf: accept established,related, untracked" connection-state=\
established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
connection-state=invalid
add action=drop chain=forward comment=\
"defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
connection-state=new in-interface-list=WAN
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" \
ipsec-policy=out,none out-interface-list=WAN
add action=dst-nat chain=dstnat disabled=yes dst-port=5900 in-interface=lte1 \
protocol=tcp to-addresses=10.70.0.1 to-ports=5900
add action=masquerade chain=srcnat disabled=yes out-interface-list=LAN
/ipv6 firewall address-list
add address=::/128 comment="defconf: unspecified address" list=bad_ipv6
add address=::1/128 comment="defconf: lo" list=bad_ipv6
add address=fec0::/10 comment="defconf: site-local" list=bad_ipv6
add address=::ffff:0.0.0.0/96 comment="defconf: ipv4-mapped" list=bad_ipv6
add address=::/96 comment="defconf: ipv4 compat" list=bad_ipv6
add address=100::/64 comment="defconf: discard only " list=bad_ipv6
add address=2001:db8::/32 comment="defconf: documentation" list=bad_ipv6
add address=2001:10::/28 comment="defconf: ORCHID" list=bad_ipv6
add address=3ffe::/16 comment="defconf: 6bone" list=bad_ipv6
/ipv6 firewall filter
add action=accept chain=input comment=\
"defconf: accept established,related,untracked" connection-state=\
established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
invalid
add action=accept chain=input comment="defconf: accept ICMPv6" protocol=\
icmpv6
add action=accept chain=input comment="defconf: accept UDP traceroute" port=\
33434-33534 protocol=udp
add action=accept chain=input comment=\
"defconf: accept DHCPv6-Client prefix delegation." dst-port=546 protocol=\
udp src-address=fe80::/10
add action=accept chain=input comment="defconf: accept IKE" dst-port=500,4500 \
protocol=udp
add action=accept chain=input comment="defconf: accept ipsec AH" protocol=\
ipsec-ah
add action=accept chain=input comment="defconf: accept ipsec ESP" protocol=\
ipsec-esp
add action=accept chain=input comment=\
"defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=input comment=\
"defconf: drop everything else not coming from LAN" in-interface-list=\
!LAN
add action=accept chain=forward comment=\
"defconf: accept established,related,untracked" connection-state=\
established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
connection-state=invalid
add action=drop chain=forward comment=\
"defconf: drop packets with bad src ipv6" src-address-list=bad_ipv6
add action=drop chain=forward comment=\
"defconf: drop packets with bad dst ipv6" dst-address-list=bad_ipv6
add action=drop chain=forward comment="defconf: rfc4890 drop hop-limit=1" \
hop-limit=equal:1 protocol=icmpv6
add action=accept chain=forward comment="defconf: accept ICMPv6" protocol=\
icmpv6
add action=accept chain=forward comment="defconf: accept HIP" protocol=139
add action=accept chain=forward comment="defconf: accept IKE" dst-port=\
500,4500 protocol=udp
add action=accept chain=forward comment="defconf: accept ipsec AH" protocol=\
ipsec-ah
add action=accept chain=forward comment="defconf: accept ipsec ESP" protocol=\
ipsec-esp
add action=accept chain=forward comment=\
"defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=forward comment=\
"defconf: drop everything else not coming from LAN" in-interface-list=\
!LAN
/ppp secret
add name=Trax profile=default-encryption
/system clock
set time-zone-name=Europe/Vienna
/system note
set show-at-login=no
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN
/tool sms
set port=lte1 receive-enabled=yes
/tool sniffer
set filter-ip-protocol=tcp filter-port=vnc-2
Personally I believe that once something is working, the more “narrow” you can make the related rules/settings, the better, so, yes, I would check if the setup works with the masquerade rule attached to the single port you are interested to as opposed to an interface list.
i,e, try;
/ip dhcp-client
# DHCP client can not run on slave or passthrough interface!
add interface=ether1
If the idea is that ether1 will get the IP from a DHCP server, either the interface is standalone or you have to attach the dhcp client to the bridge containing ether1 (but cannot say if it is connected to the issue you are now having.
If you do:
/ip address print
you should see a difference in the addresses assigned to ether1 (or to the bridge) when changing the settings.
But if you have ether1 in a bridge, likely you have to add the masquerade to the bridge and not to ether1 (which is slave)?
Or it means that you need interface-list=LAN because this way you are masquerading also on the original LAN bridge?
