Make ssh/web reachable from VPN network

  • My MikroTik is reachable on 192.168.10.1 for ssh and web, the LAN is 192.168.10.0/24

  • Clients connecting from the internet via MikroTik’s VPN are getting an IP from 192.168.89.0/24

I’d like to make 192.168.10.1 reachable on 22/tcp, 80 and 443 tcp from 192.168.89.0/24, how can I do it? As of now I can ping 192.168.10.1 when on VPN but can’t connect via desired ports.

/ip route print
Flags: X - disabled, A - active, D - dynamic, C - connect, S - static, r - rip, b - bgp, o - ospf, m - mme, B - blackhole, U - unreachable, P - prohibit
 #      DST-ADDRESS        PREF-SRC        GATEWAY            DISTANCE
 0 ADS  0.0.0.0/0                          192.168.1.1               1
 1 ADC  192.168.1.0/24     192.168.1.11    ether1                    0
 2 ADC  192.168.10.0/24    192.168.10.1    bridgeVLAN10              0
 3 ADC  192.168.89.10/32   192.168.89.1    <l2tp-ppp..               0

Mikrotik management services listen on all addresses by default.

What will be stopping access is either an IP ACL on the service or the username itself,
OR
firewall rules blocking access to anything but specific IPs.

Post /export hide-sensitive so we can help determine what the issue is.

Apart from the valid answer to post your config, in the default firewall rules only LAN interfaces are allowed to access through whatever.
Is your VPN interface part of the LAN list?

Alternative (since some VPN interfaces have dynamic nature): change the relevant firewall rule from accepting only LAN to accept when it’s not WAN. This way your VPN interfaces will also be allowed.

Understood, please see the export below, I did remove a few irrelevant lines:
https://private.sparky.red/?24f0434ef0eba9b6#82Wx6hoGb7tTeY11vyndU63X3kdX8Jy9sfQe7yWtRKET

Maybe it’s line 75 that’s blocking the connection?

add action=drop chain=input comment="defconf: drop all not coming from LAN" in-interface-list=!LAN

Yes. Change that to WAN. Don’t forget to remove the NOT-tick.

And Safe Mode to be sure!

I changed it like this:

add action=drop chain=input comment="defconf: drop all not coming from LAN" disabled=yes in-interface-list=!LAN
add action=accept chain=input comment="accept all not coming from WAN" in-interface-list=!WAN

Now it works! Yay, thank you!
Yes, safe mode is awesome, ty!

Errrmm… you opened everything now.
All not coming from LAN is blocked, but coming from WAN is accepted now. Which is basically … all accepted.

Second line should be this.
add action=drop chain=input comment="drop all coming from WAN" in-interface-list=WAN

Remove first line.

You are right, I made the swap:

add action=drop chain=input comment="defconf: drop all not coming from LAN" disabled=yes in-interface-list=!LAN
add action=accept chain=input comment="accept all not coming from WAN" disabled=yes in-interface-list=!WAN
add action=drop chain=input comment="drop all coming from WAN" in-interface-list=WAN

The first two lines are going to be deleted, just pasting here to show the change
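To make the point of this exchange concrete, here is an added example (not from the thread or from MikroTik) that models how a RouterOS firewall chain walks its rules top to bottom and stops at the first enabled match, with a packet that matches nothing being accepted. It evaluates the three input-chain variants from the thread (the original "drop all not coming from LAN", the intermediate "accept all not coming from WAN", and the corrected "drop all coming from WAN") against traffic arriving on the WAN interface (ether1), the LAN bridge (bridgeVLAN10) and the VPN interface. The interface-list membership is an assumption taken from the route table above (ether1 is WAN, bridgeVLAN10 is LAN, the L2TP interface is in neither list), and the VPN interface name is a constructed placeholder because the real one is truncated in the output.

```python
"""Model of first-match evaluation of a RouterOS input chain with interface lists.

Added example for this thread; not RouterOS code and not a replacement for /export.
"""
from dataclasses import dataclass

# Assumed list membership, inferred from the route print in the thread.
INTERFACE_LISTS = {
    "LAN": {"bridgeVLAN10"},
    "WAN": {"ether1"},
}

# Constructed placeholder for the truncated "<l2tp-ppp.." interface name.
VPN_INTERFACE = "<l2tp-ppp-client>"
TEST_INTERFACES = ("ether1", "bridgeVLAN10", VPN_INTERFACE)


@dataclass(frozen=True)
class Rule:
    """One 'add action=... chain=input in-interface-list=...' line."""
    action: str               # "accept" or "drop"
    in_interface_list: str    # e.g. "LAN", "!WAN"
    comment: str = ""
    disabled: bool = False

    def matches(self, in_interface: str) -> bool:
        # A leading "!" negates the list match, like the NOT tick in WinBox.
        negate = self.in_interface_list.startswith("!")
        list_name = self.in_interface_list.lstrip("!")
        member = in_interface in INTERFACE_LISTS.get(list_name, set())
        return member != negate


def evaluate(chain, in_interface: str, default: str = "accept") -> str:
    """Return the verdict for a packet entering on in_interface.

    Disabled rules are skipped; the first matching enabled rule decides.
    If no rule matches, RouterOS accepts the packet (the chain default).
    """
    for rule in chain:
        if rule.disabled:
            continue
        if rule.matches(in_interface):
            return rule.action
    return default


def verdicts(chain) -> dict:
    """Evaluate the chain for every interface of interest."""
    return {iface: evaluate(chain, iface) for iface in TEST_INTERFACES}


# 1. The default rule that blocked the VPN client (line 75 in the export).
DEFAULT_CHAIN = [
    Rule("drop", "!LAN", "defconf: drop all not coming from LAN"),
]

# 2. The intermediate change: original rule disabled, accept added for !WAN.
INTERMEDIATE_CHAIN = [
    Rule("drop", "!LAN", "defconf: drop all not coming from LAN", disabled=True),
    Rule("accept", "!WAN", "accept all not coming from WAN"),
]

# 3. The corrected rule: drop only what arrives on a WAN interface.
FIXED_CHAIN = [
    Rule("drop", "WAN", "drop all coming from WAN"),
]


def wan_is_exposed(chain) -> bool:
    """True if a packet from the WAN interface reaches the router's services."""
    return evaluate(chain, "ether1") == "accept"


if __name__ == "__main__":
    for name, chain in (("default", DEFAULT_CHAIN),
                        ("intermediate", INTERMEDIATE_CHAIN),
                        ("fixed", FIXED_CHAIN)):
        print(f"{name:13s} {verdicts(chain)}  WAN exposed: {wan_is_exposed(chain)}")
```

Running it shows why the intermediate change "opened everything": the accept rule only fires for non-WAN interfaces, and a packet from ether1 matches no enabled rule at all, so it falls through to the chain's implicit accept. The corrected single drop rule keeps the VPN and LAN interfaces reachable while ether1 traffic is dropped; when editing live, the same check is worth doing by hand against the full /export before leaving Safe Mode.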