I ran a port scan from outside the network and see that ports 443 and 1723 are open.
I understand that 443 is HTTPS and 1723 is PPTP (VPN).
I do have ACCEPT firewall rules for both those ports enabled.
I assume I need 1723 open to allow for the VPN I have setup.
I also assume 443 is to allow router management via browser.
I use Winbox, but it would be nice to be able to use a browser in a pinch.
Is this the advised way to do this?
Thank you.
Thank you.
I have disabled the firewall rule that opens 443.
The PPTP VPN is the one set up in Winbox’s Quickset.
A quick search on how to set up IPsec shows that I’m in over my head already.
WireGuard looks nice, but I think it requires a development version of the FW.
Ugh.
anav
September 23, 2022, 12:39pm
4
Hi Joseph,
Software 7.5 is touted by MT as a stable firmware.
For home use it should be perfectly fine.
Wireguard is the better way for you to securely config the router remotely.
However, it assumes you have either
a. a public IP address from your ISP OR
b. an ISP modem/router where at least you can access to forward ports.
Good to hear. I downloaded and installed 7.5 and can now see the Wireguard options.
Internet connectivity is provided by Spectrum cable. Their modem provides a public IP (dynamically assigned, but I have DDNS set up).
I’ve been trying to set up Wireguard on the Mikrotik router and the client on my Win10 by following a YouTube tutorial, but so far it’s not working. No more time this morning, but hopefully will play with it later.
https://www.youtube.com/watch?v=OGBWSpl1Wik
Thank you again.
anav
September 23, 2022, 3:38pm
6
Thank you for the link to the write-up.
It is great of you to have taken the time to write that.
Unfortunately, it’s just too complicated for me.
I have this on the router:
anav
September 23, 2022, 7:44pm
8
I understand it’s scary at first, but one has to jump into the pool at some time…
Please post your config /export ( minus the serial number and any public IP information as you have done on those diagrams).
(I will assume the other end of the connection is your Windows laptop or iPhone to connect to the home router remotely.)
Thank you for the encouragement. I’m sure I could do it if I could find the time to work it through.
# sep/23/2022 15:54:23 by RouterOS 7.5
# software id = 9QHQ-45Y2
#
# model = RB750Gr3
# serial number = CC220xxxxxxx
/interface bridge
add admin-mac=DC:2C:00:00:00:00 auto-mac=no comment=defconf name=bridge
/interface wireguard
add listen-port=13231 mtu=1420 name=wireguard1
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface lte apn
set [ find default=yes ] ip-type=ipv4 use-network-apn=no
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip pool
add name=dhcp ranges=192.168.88.10-192.168.88.254
add name=vpn ranges=192.168.89.2-192.168.89.255
/ip dhcp-server
add address-pool=dhcp interface=bridge name=defconf
/port
set 0 name=serial0
/ppp profile
set *FFFFFFFE dns-server=8.8.8.8 local-address=192.168.89.1 remote-address=\
vpn
/routing ospf instance
add disabled=no name=default-v2
/routing ospf area
add disabled=yes instance=default-v2 name=backbone-v2
/interface bridge port
add bridge=bridge comment=defconf ingress-filtering=no interface=ether2
add bridge=bridge comment=defconf ingress-filtering=no interface=ether3
add bridge=bridge comment=defconf ingress-filtering=no interface=ether4
add bridge=bridge comment=defconf ingress-filtering=no interface=ether5
/ip neighbor discovery-settings
set discover-interface-list=all
/ipv6 settings
set disable-ipv6=yes max-neighbor-entries=8192
/interface detect-internet
set detect-interface-list=all internet-interface-list=all lan-interface-list=\
all wan-interface-list=all
/interface l2tp-server server
set enabled=yes use-ipsec=yes
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=ether1 list=WAN
/interface ovpn-server server
set auth=sha1,md5
/interface pptp-server server
# PPTP connections are considered unsafe, it is suggested to use a more modern VPN protocol instead
set enabled=yes
/interface sstp-server server
set default-profile=default-encryption enabled=yes
/interface wireguard peers
add allowed-address=10.10.10.1/24 endpoint-address=192.168.88.1 \
endpoint-port=13231 interface=wireguard1 public-key=\
"b4xWJ41+IB8iaa1sZT3Ka0000000000qEvDUTY5NDT8="
/ip address
add address=192.168.88.1/24 comment=defconf interface=bridge network=\
192.168.88.0
add address=10.10.10.1 interface=wireguard1 network=255.255.255.0
/ip cloud
set ddns-enabled=yes
/ip dhcp-client
add comment=defconf interface=ether1
/ip dhcp-server network
add address=192.168.88.0/24 comment=defconf dns-server=8.8.8.8,4.4.4.4 \
gateway=192.168.88.1
/ip dns
set allow-remote-requests=yes servers=8.8.8.8,4.4.4.4
/ip dns static
add address=192.168.88.1 comment=defconf name=router.lan
/ip firewall address-list
add address=00000.dyndns.org list=00000
add address=11111.dyndns.org list=1111
/ip firewall filter
add action=accept chain=input src-address-list=00000
add action=accept chain=input src-address-list=111
add action=accept chain=input dst-address=192.168.88.0/24 src-address=\
192.168.89.0/24
add action=accept chain=input src-address=192.168.89.0/24
add action=accept chain=input comment="allow l2tp" dst-port=1701 protocol=udp
add action=accept chain=input comment="allow IKE" dst-port=500 protocol=udp
add action=accept chain=input comment="allow IPsec NAT" dst-port=4500 \
protocol=udp
add action=accept chain=input comment=\
"defconf: accept established,related,untracked" connection-state=\
established,related,untracked
add action=accept chain=forward in-interface=ether1 protocol=gre
add action=accept chain=input protocol=gre
add action=accept chain=input comment="Allow PPP" in-interface=all-ppp
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
ipsec-policy=out,ipsec
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
ipsec-policy=in,ipsec
add action=accept chain=forward comment=\
"defconf: accept established,related, untracked" connection-state=\
established,related,untracked
add action=accept chain=input comment="allow pptp" dst-port=1723 protocol=tcp
add action=accept chain=input comment="allow sstp" disabled=yes dst-port=443 \
protocol=tcp
add action=accept chain=input comment=Winbox disabled=yes dst-port=8291 \
protocol=tcp
add action=accept chain=input comment=\
"defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
invalid
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
connection-state=established,related hw-offload=yes
add action=drop chain=forward comment="defconf: drop invalid" \
connection-state=invalid
add action=drop chain=forward comment=\
"defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
connection-state=new disabled=yes in-interface-list=WAN
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
in-interface-list=!LAN
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" \
ipsec-policy=out,none out-interface-list=WAN
add action=masquerade chain=srcnat comment="masq. vpn traffic" src-address=\
192.168.89.0/24
add action=dst-nat chain=dstnat dst-port=9000 log=yes protocol=tcp \
src-address-list=mtdale to-addresses=192.168.88.35 to-ports=9000
add action=dst-nat chain=dstnat dst-port=9000 log=yes protocol=tcp \
src-address-list=212 to-addresses=192.168.88.35 to-ports=9000
add action=dst-nat chain=dstnat comment=cam dst-port=8080 protocol=tcp \
src-address=192.168.89.1 to-addresses=192.168.88.35 to-ports=8080
add action=dst-nat chain=dstnat comment=cam dst-port=8080 protocol=tcp \
src-address-list=212 to-addresses=192.168.88.35 to-ports=8080
add action=dst-nat chain=dstnat comment=cam dst-port=8080 protocol=tcp \
src-address-list=mtdale to-addresses=192.168.88.35 to-ports=8080
add action=dst-nat chain=dstnat comment=cam dst-port=9000 protocol=tcp \
src-address=192.168.89.1 to-addresses=192.168.88.35 to-ports=9000
add action=dst-nat chain=dstnat comment=cam dst-port=554 protocol=tcp \
src-address=192.168.89.1 to-addresses=192.168.88.35 to-ports=554
add action=dst-nat chain=dstnat comment=cam dst-port=554 protocol=tcp \
src-address-list=212 to-addresses=192.168.88.35 to-ports=554
add action=dst-nat chain=dstnat comment=cam dst-port=554 protocol=tcp \
src-address-list=mtdale to-addresses=192.168.88.35 to-ports=554
add action=dst-nat chain=dstnat comment=cam dst-port=1935 protocol=tcp \
src-address=192.168.89.1 to-addresses=192.168.88.35 to-ports=1935
add action=dst-nat chain=dstnat comment=cam dst-port=1935 protocol=tcp \
src-address-list=212 to-addresses=192.168.88.35 to-ports=1935
add action=dst-nat chain=dstnat comment=cam dst-port=1935 protocol=tcp \
src-address-list=mtdale to-addresses=192.168.88.35 to-ports=1935
add action=dst-nat chain=dstnat comment=cam dst-port=8035 protocol=tcp \
src-address=192.168.89.1 to-addresses=192.168.88.35 to-ports=8035
add action=dst-nat chain=dstnat comment=cam dst-port=8035 protocol=tcp \
src-address-list=212 to-addresses=192.168.88.35 to-ports=8035
add action=dst-nat chain=dstnat comment=cam dst-port=8035 protocol=tcp \
src-address-list=mtdale to-addresses=192.168.88.35 to-ports=8035
/ppp secret
add name=vpn
/system clock
set time-zone-name=America/New_York
/system identity
set name="371 Mikrotik"
/system logging
add topics=account
add topics=event
add topics=firewall
/system package update
set channel=development
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN
/tool sniffer
set file-name=sniffed only-headers=yes
/tool traffic-monitor
add interface=ether1 name=tmon1 threshold=1000
Paste this in the terminal; it fixes some mess between updates of different RouterOS versions.
Then follow @anav
{
/interface lte apn set [ find default=yes ] ip-type=auto use-network-apn=yes
/routing ospf area remove [find]
/routing ospf instance remove [find]
/ipv6 settings set max-neighbor-entries=16384
/interface detect-internet set detect-interface-list=none internet-interface-list=none lan-interface-list=none wan-interface-list=none
/interface ovpn-server server set auth=sha1,md5,sha256,sha512
/interface bridge set [find] protocol-mode=none
/interface bridge port set [find] ingress-filtering=yes
}
I don’t know what I’ve done, but I followed your instructions and thank you for them.
I’ve been trying for hours and can’t get this to work.
I’ve looked at multiple instructions and guides and they are simply not clear what values go where.
If you wonder why I don’t help you with wireguard, it’s very simple: I’ve never used it…
Wait for @anav to come back, take your time, it sure helps.
Many, many hours later… I think I got it working (not 100% certain).
Here are the details of my config – I left the first bunch of characters for the keys so readers can see which keys go where (I know, I know, it would be much better to have a deep and true understanding of why and how).
I don’t know why the only firewall traffic is for the INPUT rule, and not the FORWARD rules, but it seems to work.
How did I do?
You have censored the public key in the last image, and not the private one…
I posted too soon.
I thought it was working, but it’s not.
From the router, I can ping 10.10.10.2 (Windows Wireguard interface IP).
But, I can’t ping 10.10.10.1 from Windows.
Nor can I ping from Windows anything connected to the router.
anav
September 24, 2022, 12:20pm
18
Post the latest complete config please.
/export (minus serial number, public WANIP or gateway IP or any keys LOL)
Working from generator power, lost power at 10:30 PM last night, hopefully getting it back on Tuesday.
# sep/24/2022 11:09:07 by RouterOS 7.5
# software id = 9QHQ-45Y2
#
# model = RB750Gr3
# serial number = CC220xxxxxxx
/interface bridge
add admin-mac=DC:2C:xxxxxxxxx auto-mac=no comment=defconf name=bridge \
protocol-mode=none
/interface wireguard
add listen-port=13231 mtu=1420 name=wireguard1
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip pool
add name=dhcp ranges=192.168.88.10-192.168.88.254
add name=vpn ranges=192.168.89.2-192.168.89.255
/ip dhcp-server
add address-pool=dhcp interface=bridge name=defconf
/port
set 0 name=serial0
/ppp profile
set *FFFFFFFE dns-server=8.8.8.8 local-address=192.168.89.1 remote-address=\
vpn
/interface bridge port
add bridge=bridge comment=defconf interface=ether2
add bridge=bridge comment=defconf interface=ether3
add bridge=bridge comment=defconf interface=ether4
add bridge=bridge comment=defconf interface=ether5
/ip neighbor discovery-settings
set discover-interface-list=all
/ipv6 settings
set disable-ipv6=yes max-neighbor-entries=16384
/interface l2tp-server server
set enabled=yes use-ipsec=yes
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=ether1 list=WAN
/interface pptp-server server
# PPTP connections are considered unsafe, it is suggested to use a more modern VPN protocol instead
set enabled=yes
/interface sstp-server server
set default-profile=default-encryption enabled=yes
/interface wireguard peers
add allowed-address=10.10.10.2/32 endpoint-address=10.10.10.2 endpoint-port=\
13231 interface=wireguard1 public-key=\
"DcTp6igWYbPNfcrRxxxxxxxxxxxx="
/ip address
add address=192.168.88.1/24 comment=defconf interface=bridge network=\
192.168.88.0
add address=10.10.10.1 interface=wireguard1 network=255.255.255.0
/ip cloud
set ddns-enabled=yes
/ip dhcp-client
add comment=defconf interface=ether1
/ip dhcp-server network
add address=192.168.88.0/24 comment=defconf dns-server=8.8.8.8,4.4.4.4 \
gateway=192.168.88.1
/ip dns
set allow-remote-requests=yes servers=8.8.8.8,4.4.4.4
/ip dns static
add address=192.168.88.1 comment=defconf name=router.lan
/ip firewall address-list
add address=xxxxx.dyndns.org list=xxxxm
add address=xxxxxx.dyndns.org list=xxxx2
/ip firewall filter
add action=accept chain=input in-interface=wireguard1 log=yes src-address=\
10.10.10.0/24
add action=accept chain=forward log=yes out-interface=wireguard1 src-address=\
10.10.10.0/24 src-address-list=""
add action=accept chain=forward dst-address=10.10.10.0/24 in-interface=\
wireguard1 log=yes
add action=accept chain=forward disabled=yes in-interface=wireguard1 \
out-interface=all-ethernet
add action=accept chain=input src-address-list=mtdale
add action=accept chain=input disabled=yes src-address-list=2xxxxx
add action=accept chain=input dst-address=192.168.88.0/24 src-address=\
192.168.89.0/24
add action=accept chain=input src-address=192.168.89.0/24
add action=accept chain=input comment="allow l2tp" dst-port=1701 protocol=udp
add action=accept chain=input comment="allow IKE" dst-port=500 protocol=udp
add action=accept chain=input comment="allow IPsec NAT" dst-port=4500 \
protocol=udp
add action=accept chain=input comment=\
"defconf: accept established,related,untracked" connection-state=\
established,related,untracked
add action=accept chain=forward in-interface=ether1 protocol=gre
add action=accept chain=input protocol=gre
add action=accept chain=input comment="Allow PPP" in-interface=all-ppp
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
ipsec-policy=out,ipsec
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
ipsec-policy=in,ipsec
add action=accept chain=forward comment=\
"defconf: accept established,related, untracked" connection-state=\
established,related,untracked
add action=accept chain=input comment="allow pptp" dst-port=1723 protocol=tcp
add action=accept chain=input comment="allow sstp" disabled=yes dst-port=443 \
protocol=tcp
add action=accept chain=input comment=Winbox disabled=yes dst-port=8291 \
protocol=tcp
add action=accept chain=input comment=\
"defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
invalid
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
connection-state=established,related hw-offload=yes
add action=drop chain=forward comment="defconf: drop invalid" \
connection-state=invalid
add action=drop chain=forward comment=\
"defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
connection-state=new disabled=yes in-interface-list=WAN
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
in-interface-list=!LAN
/ip firewall nat
add action=accept chain=srcnat disabled=yes dst-address-list=192.168.88.1 \
src-address-list=10.10.10.0/24
add action=masquerade chain=srcnat comment="masq. vpn traffic" src-address=\
192.168.89.0/24
add action=dst-nat chain=dstnat dst-port=9000 log=yes protocol=tcp \
src-address-list=mxxxxxe to-addresses=192.168.88.35 to-ports=9000
add action=masquerade chain=srcnat comment="defconf: masquerade" \
ipsec-policy=out,none out-interface-list=WAN
add action=dst-nat chain=dstnat dst-port=9000 log=yes protocol=tcp \
src-address-list=2xxxx to-addresses=192.168.88.35 to-ports=9000
add action=dst-nat chain=dstnat comment=cam dst-port=8080 protocol=tcp \
src-address=192.168.89.1 to-addresses=192.168.88.35 to-ports=8080
add action=dst-nat chain=dstnat comment=cam disabled=yes dst-port=8080 \
protocol=tcp src-address-list=2xxxx2 to-addresses=192.168.88.35 to-ports=\
8080
add action=dst-nat chain=dstnat comment=cam dst-port=8080 protocol=tcp \
src-address-list=mtxxxxxe to-addresses=192.168.88.35 to-ports=8080
add action=dst-nat chain=dstnat comment=cam dst-port=9000 protocol=tcp \
src-address=192.168.89.1 to-addresses=192.168.88.35 to-ports=9000
add action=dst-nat chain=dstnat comment=cam dst-port=554 protocol=tcp \
src-address=192.168.89.1 to-addresses=192.168.88.35 to-ports=554
add action=dst-nat chain=dstnat comment=cam dst-port=554 protocol=tcp \
src-address-list=2xxxx to-addresses=192.168.88.35 to-ports=554
add action=dst-nat chain=dstnat comment=cam dst-port=554 protocol=tcp \
src-address-list=mxxxxx to-addresses=192.168.88.35 to-ports=554
add action=dst-nat chain=dstnat comment=cam dst-port=1935 protocol=tcp \
src-address=192.168.89.1 to-addresses=192.168.88.35 to-ports=1935
add action=dst-nat chain=dstnat comment=cam dst-port=1935 protocol=tcp \
src-address-list=2xxxxx2 to-addresses=192.168.88.35 to-ports=1935
add action=dst-nat chain=dstnat comment=cam dst-port=1935 protocol=tcp \
src-address-list=mxxxxxxe to-addresses=192.168.88.35 to-ports=1935
add action=dst-nat chain=dstnat comment=cam dst-port=8035 protocol=tcp \
src-address=192.168.89.1 to-addresses=192.168.88.35 to-ports=8035
add action=dst-nat chain=dstnat comment=cam dst-port=8035 protocol=tcp \
src-address-list=2xxxx to-addresses=192.168.88.35 to-ports=8035
add action=dst-nat chain=dstnat comment=cam dst-port=8035 protocol=tcp \
src-address-list=mtxxxxx to-addresses=192.168.88.35 to-ports=8035
/ip route
add disabled=no distance=1 dst-address=10.10.10.0/24 gateway=wireguard1 \
pref-src="" routing-table=main scope=30 suppress-hw-offload=no \
target-scope=10
/ppp secret
add name=vpn
/system clock
set time-zone-name=America/New_York
/system identity
set name="371 Mikrotik"
/system logging
add topics=account
add topics=event
add topics=firewall
/system package update
set channel=development
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN
/tool sniffer
set file-name=sniffed only-headers=yes
/tool traffic-monitor
add interface=ether1 name=tmon1 threshold=1000
An interesting piece of information:
A ping initiated on my Windows PC to 10.10.10.1 (router’s IP) fails UNLESS I first initiate a ping from the router to 10.10.10.2 (Windows PC) (which works), and then .1 to .2 will work.
Like the “established session” firewall is allowing it maybe?
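Two things can be read straight off the export above without guessing: the input chain has no accept rule for UDP 13231 (the WireGuard listen port) anywhere before the final "drop all not coming from LAN", and the peer's endpoint-address is 10.10.10.2, which is the peer's address inside the tunnel rather than its public address. A router-initiated handshake leaves on its own and its replies match the established,related rule, which is consistent with only router-initiated pings getting through. The script below is an added example (not from the thread or from MikroTik) that parses an /export and flags both conditions; the sample export is constructed and abridged from the second export in the thread.

```python
import ipaddress
import re
import shlex

def parse_export(text):
    """RouterOS /export text -> [(section, verb, {key: value})]; a trailing '\\' continues a line."""
    entries, section = [], None
    for line in re.sub(r"\\\n\s*", "", text).splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue                       # blank lines and export header comments
        if line.startswith("/"):
            section = line                 # e.g. "/ip firewall filter"
            continue
        verb, *tokens = shlex.split(line)  # "add"/"set", then key=value pairs (quotes stripped)
        entries.append((section, verb, dict(t.split("=", 1) for t in tokens if "=" in t)))
    return entries

def audit(text):
    """Findings for the two WireGuard mistakes the exports in the thread show."""
    entries = parse_export(text)
    rows = lambda sec: [a for s, v, a in entries
                        if s == sec and v == "add" and a.get("disabled") != "yes"]
    findings = []
    # 1. The listen port needs an input-chain UDP accept placed before the final
    #    "drop all not coming from LAN", or remote peers' handshakes are dropped.
    inputs = [a for a in rows("/ip firewall filter") if a.get("chain") == "input"]
    for wg in rows("/interface wireguard"):
        port = wg["listen-port"]
        if not any(a.get("action") == "accept" and a.get("protocol") == "udp"
                   and port in a.get("dst-port", "").split(",") for a in inputs):
            findings.append(f"{wg['name']}: no input accept for udp/{port}; add '/ip firewall "
                            f"filter add chain=input action=accept protocol=udp dst-port={port}'")
    # 2. endpoint-address is the peer's outer (public) address; one inside the peer's own
    #    allowed-address, or one of the router's own addresses, routes handshakes into the tunnel.
    local = {ipaddress.ip_interface(a["address"]).ip for a in rows("/ip address")}
    for peer in rows("/interface wireguard peers"):
        try:
            ep = ipaddress.ip_address(peer.get("endpoint-address", ""))
        except ValueError:
            continue                       # unset, or a DNS name such as a DDNS host: fine
        if ep in local or any(ep in ipaddress.ip_network(n, strict=False)
                              for n in peer.get("allowed-address", "").split(",") if n):
            findings.append(f"{peer['interface']} peer: endpoint-address {ep} is a tunnel "
                            f"or local address, not the peer's public address")
    return findings

SAMPLE = """# constructed sample input, abridged from the second export in the thread
/interface wireguard
add listen-port=13231 mtu=1420 name=wireguard1
/interface wireguard peers
add allowed-address=10.10.10.2/32 endpoint-address=10.10.10.2 endpoint-port=\\
    13231 interface=wireguard1 public-key="DcTp6igWYbPNfcrRxxxxxxxxxxxx="
/ip address
add address=10.10.10.1 interface=wireguard1 network=255.255.255.0
/ip firewall filter
add action=drop chain=input comment="defconf: drop all not coming from LAN" \\
    in-interface-list=!LAN
"""
```

Run `audit(SAMPLE)` against a full export pasted into `SAMPLE`; a clean config returns an empty list.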