No LAN access when connected to BTH

The only access I have while connected to BTH is to the router.

I have no access to any other LAN device.

“allow LAN” = yes

# 2024-04-11 21:37:04 by RouterOS 7.14.1
# software id = SKU-FU
#
# model = RB4011iGS+
# serial number = D4NKSERIAL4U
# Review notes (added): this export was posted to diagnose "no LAN access over
# Back To Home (BTH)". The comments below describe only what the export shows;
# anything about dynamically created objects is inferred and marked as such.
/interface bridge
# NOTE(review): admin-mac contains a non-hex octet ("l0"); presumably redacted
# for posting. The bridge is created without vlan-filtering in this export.
add admin-mac=b0:l0:c5:55:77:d0 auto-mac=no comment=defconf name=bridge \
    port-cost-mode=short
/interface ethernet
set [ find default-name=ether10 ] name=ether10-Management
/interface wireguard
# BTH WireGuard interface. It is not a static member of any interface list in
# this export (see /interface list member below); the thread states the LAN
# membership is created dynamically -- confirm with /interface list member print.
add comment=back-to-home-vpn listen-port=33603 mtu=1420 name=back-to-home-vpn
/interface vlan
# VLAN 911 on ether5 carries the PPPoE session; note that ether5 is also added
# as a bridge port further down.
add interface=ether5 name=ether5-911 vlan-id=911
/interface pppoe-client
add add-default-route=yes allow=pap disabled=no interface=ether5-911 \
    keepalive-timeout=60 name=pppoe-wan user=\
    hardluck@isp.com
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
# "Neighbours" has no members in this export; it is referenced only by
# /tool mac-server mac-winbox at the end.
add name=Neighbours
/interface lte apn
set [ find default=yes ] ip-type=ipv4 use-network-apn=no
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip dhcp-server option
# DHCP option 6 (DNS) pointing at 192.168.50.99. No /ip dhcp-server network
# entry in this export references it, so leases still receive the dns-server
# values set on the network entry below.
add code=6 force=yes name=AdGuard_99 value="'192.168.50.99'"
/ip ipsec policy group
add name=vpn
/ip ipsec profile
# 3des remains in the accepted cipher set. The only /ip ipsec policy in this
# export is disabled (see below), so IPsec appears unused here.
set [ find default=yes ] enc-algorithm=aes-256,aes-192,aes-128,3des
/ip ipsec proposal
add enc-algorithms=aes-256-cbc name=vpn pfs-group=none
/ip kid-control
# Three identical entries named "-00-" plus a "TEST" entry. The forward chain
# below jumps to chain kid-control; no static rules for that chain appear in
# this export.
add fri=7h-1d mon=7h-23h name=-00- sat=7h-1d sun=7h-23h thu=7h-23h tue=\
    7h-23h wed=7h-23h
add fri=7h-1d mon=7h-23h name=-00- sat=7h-1d sun=7h-23h thu=7h-23h tue=\
    7h-23h wed=7h-23h
add fri=7h-1d mon=7h-23h name=-00- sat=7h-1d sun=7h-23h thu=7h-23h tue=\
    7h-23h wed=7h-23h
add name=TEST tue=7h-20h
/ip pool
add name=dhcp ranges=192.168.50.150-192.168.50.200
/ip dhcp-server
# Both DHCP servers hand out the same 192.168.50.x pool, although
# ether10-Management is addressed 192.168.100.1/24 below and has no
# /ip dhcp-server network entry -- verify this is intended.
add address-pool=dhcp interface=bridge lease-time=10m name=defconf
add address-pool=dhcp interface=ether10-Management name=Management-DHCP
/ip smb users
set [ find default=yes ] disabled=yes
/port
set 0 name=serial0
set 1 name=serial1
/routing bgp template
# BGP template is enabled, but no BGP connection is present in this export.
set default disabled=no output.network=bgp-networks
/routing table
# NOTE(review): a routing table with an empty name; looks like an artefact -- verify.
add fib name=""
/interface bridge port
# ether2-ether9 and sfp-sfpplus1 are bridge ports; ether1 and ether10 are not
# (ether10-Management is a separate routed segment).
add bridge=bridge comment=defconf ingress-filtering=no interface=ether2 \
    internal-path-cost=10 path-cost=10
add bridge=bridge comment=defconf ingress-filtering=no interface=ether3 \
    internal-path-cost=10 path-cost=10
add bridge=bridge comment=defconf ingress-filtering=no interface=ether4 \
    internal-path-cost=10 path-cost=10
add bridge=bridge comment=defconf ingress-filtering=no interface=ether5 \
    internal-path-cost=10 path-cost=10
add bridge=bridge comment=defconf ingress-filtering=no interface=ether6 \
    internal-path-cost=10 path-cost=10
add bridge=bridge comment=defconf ingress-filtering=no interface=ether7 \
    internal-path-cost=10 path-cost=10
add bridge=bridge comment=defconf ingress-filtering=no interface=ether8 \
    internal-path-cost=10 path-cost=10
add bridge=bridge comment=defconf ingress-filtering=no interface=sfp-sfpplus1 \
    internal-path-cost=10 path-cost=10
add bridge=bridge comment=defconf ingress-filtering=no interface=ether9 \
    internal-path-cost=10 path-cost=10
/ip firewall connection tracking
set udp-timeout=10s
/ip neighbor discovery-settings
set discover-interface-list=LAN
/ip settings
set max-neighbor-entries=8192
/ipv6 settings
set disable-ipv6=yes max-neighbor-entries=8192
/interface bridge vlan
# NOTE(review): VLAN 10 lists ether10-Management as untagged, but ether10 is
# not a bridge port and the bridge is not created with vlan-filtering=yes in
# this export, so this entry appears to have no effect -- verify.
add bridge=bridge tagged=ether9 untagged=ether10-Management vlan-ids=10
/interface detect-internet
set detect-interface-list=all
/interface l2tp-server server
# Only use-ipsec is set; the L2TP server's enabled state is not shown here.
set use-ipsec=yes
/interface list member
# Static list membership: bridge and ether10-Management are LAN, pppoe-wan is
# WAN. back-to-home-vpn is absent (reported in the thread as a dynamic entry).
add interface=bridge list=LAN
add interface=pppoe-wan list=WAN
add interface=ether10-Management list=LAN
/interface ovpn-server server
# md5 is still in the accepted auth list; the OVPN server's enabled state is
# not shown in this export.
set auth=sha1,md5
/interface sstp-server server
set default-profile=default-encryption
/ip address
add address=192.168.50.1/24 interface=bridge network=192.168.50.0
add address=192.168.100.1/24 interface=ether10-Management network=\
    192.168.100.0
/ip cloud
# DDNS and Back To Home are both enabled through the MikroTik cloud service.
set back-to-home-vpn=enabled ddns-enabled=yes ddns-update-interval=10m \
    update-time=no
/ip cloud advanced
set use-local-address=yes
/ip cloud back-to-home-users
# The BTH peer that is configured with allow-lan=yes. The export prints the
# peer's private-key (the values here are clearly placeholders); when sharing
# an export, use a form that hides sensitive values.
add allow-lan=yes comment=" samsung SM-S916B" name=\
    "MikroTik_RB4011 | RB4011iGS+" private-key=\
    "80088008800880088008800880088008800880088008=" public-key=\
    "80088008800880088008800880088008800880088008="
/ip dhcp-server network
# Only the 192.168.50.0/24 network is defined; there is no entry for
# 192.168.100.0/24 (ether10-Management).
add address=192.168.50.0/24 comment=defconf dns-server=1.1.1.3,1.0.0.3 \
    gateway=192.168.50.1 netmask=24
/ip dns
# allow-remote-requests=yes makes the router answer DNS on any interface the
# input chain admits; the input chain below drops !LAN, so exposure depends
# on which interfaces are (dynamically) in the LAN list.
set allow-remote-requests=yes servers=1.1.1.3,1.0.0.3
/ip firewall address-list
add address=192.168.50.2-192.168.50.254 list=allowed_to_router
# Not referenced by any filter or NAT rule in this export. The range suggests
# BTH peers are addressed from 192.168.216.0/24 -- unconfirmed.
add address=192.168.216.2-192.168.216.10 list=\
    back-to-home-lan-restricted-peers
# Not referenced by any rule in this export.
add address=192.168.100.0/24 list=Management
/ip firewall filter
# First forward rule: jump to kid-control (no static kid-control rules shown).
add action=jump chain=forward comment="jump to kid-control rules" \
    jump-target=kid-control
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
# Accepts by source address only, on any interface, and sits before the
# drop-invalid rule. Adding in-interface-list=LAN here would stop a packet
# arriving on WAN with a forged 192.168.50.x source from matching.
add action=accept chain=input comment="IP's Allowed to Router" \
    src-address-list=allowed_to_router
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment=\
    "defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
# Last input rule: anything not from a LAN-list interface is dropped. This is
# consistent with the report that BTH peers can reach the router itself (their
# interface must therefore be in LAN at runtime).
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
    in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
    ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
    ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment=\
    "Established, Related to FastTrack" connection-state=established,related \
    hw-offload=yes
add action=accept chain=forward comment=\
    "defconf: accept established,related, untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
# The only accept for new forward connections: LAN-list in, WAN-list out.
# LAN-to-LAN forwarding (e.g. back-to-home-vpn -> bridge) does not match it.
add action=accept chain=forward comment="internet traffic" in-interface-list=\
    LAN out-interface-list=WAN
add action=accept chain=forward comment="port forwarding" \
    connection-nat-state=dstnat
# Not part of the default config. New connections from the WireGuard interface
# toward the bridge match none of the accepts above and are dropped here, which
# matches the reported "counters increasing on the last forward rule". The
# thread's proposed fix is an accept for in-interface=back-to-home-vpn
# out-interface-list=LAN placed above this rule.
add action=drop chain=forward comment="drop all else"
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" \
    ipsec-policy=out,none out-interface-list=WAN
/ip ipsec policy
set 0 disabled=yes
/ip service
# telnet/ftp/www/ssh/api/api-ssl are disabled; winbox and www-ssl are not
# listed, so they remain at their defaults. Consider restricting winbox with
# address= to the management/LAN ranges.
set telnet disabled=yes
set ftp disabled=yes
set www disabled=yes
set ssh disabled=yes port=2369
set api disabled=yes
set api-ssl disabled=yes
/ip smb shares
set [ find default=yes ] directory=/pub
/ppp profile
# NOTE(review): remote-address=*2 is an internal id reference; the only pool
# defined in this export is "dhcp" -- verify the reference resolves.
set *FEEEEEEEE local-address=192.168.89.1 remote-address=*2
/ppp secret
add name=vpn
/system clock
set time-zone-name=Europe/London
/system identity
set name=MikroTik_RB4011
/system ntp client
set enabled=yes
/system ntp server
# NTP server is enabled (with multicast); reachable from whichever interfaces
# the input chain admits (the LAN list).
set enabled=yes multicast=yes
/system ntp client servers
add address=51.89.151.183
add address=178.62.250.107
/system resource irq rps
set sfp-sfpplus1 disabled=no
/tool bandwidth-server
set enabled=no
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
# "Neighbours" has no members in this export, so MAC-Winbox is effectively
# unreachable.
set allowed-interface-list=Neighbours

Any help appreciated.

By far the easiest (and in my opinion best) way is to add:

 /interface list member
add interface=back-to-home-vpn list=LAN

This way, all wireguard connections are handled as being part of the trusted LAN list.

This already exists, although not shown in the config above.

Created Dynamically.

Just unsure why I have access to the router and nothing else.

The only thing I see is an address list “back-to-home-lan-restricted-peers” that could indicate…something. And that list isn’t used.
Is the export complete? Or did you perhaps redact it?

For your info: I configured Wireguard manually. And by looking at your config I’m surprised it is working at all…
Especially as a lot of the config can’t be found, based on:
https://help.mikrotik.com/docs/display/ROS/Back+To+Home

Last check: do you see counters on the last forward firewall increasing when you try to connect to the LAN?

Ran the command...

/export file=""

for the config and omitted sensitive stuff and the DHCP lease table.

I did have Wireguard working great a few months back. BTH was working then, but I'm trying to figure out what has changed to create this issue.

Counters are increasing on the last forward firewall filter rule.

Individual BTH users have an option "Allow LAN". So there must be a dynamic entry created, maybe in the Firewall Filter list, for said BTH users when this option is set to yes. But this is not happening.

Note: I also have WAN connection while on BTH.

I'll continue to figure out the issue. Thanks for your input.

Just to be sure I understand.
Your router has a non-public IP address. The WAN is either behind CGNAT or has a private IP from an upstream ISP router (on which you cannot forward a port).

What you want to do is while away from home remote into the router, via wireguard, and access the LAN, and most likely be able to configure the router as well, if need be.

WAN is on a public IP address Sir (83.##,##,##) no CGNAT, and port forwarding all working fine.

BTH was working fine a few months back, when I was out and about I could remote back home to my server and nzb360 if need be.

You do not need BTH.
Just configure Wireguard manually/properly.

For example, you have no ALLOWED IPs setup that I can see.

Also do you have the particulars of the setup of remote peer clients??

Hi Anav, I am facing the situation you are describing. Do you have an idea how to resolve it please?

Though I am not @anav, configuring manually can easily be done by following the documentation:

Erlinden, you can pretend to me anytime you like, as long as you send chocolate!!

Thanks.

I need to setup BTH because my router is behind CGNAT and I don't have a public IP address.

Setting up BTH as per instructions works, and I can access both the router and also internet through it. However, I cannot access devices on LAN.

I suppose there is a rule (or more) on the firewall that needs to be set, but I don't know what it is.

Please share the complete config to get some relevant feedback, @TK1 .

As I'm actually a nice guy (which makes pretending a bit harder @anav), I'll send you chocolate anyway :grinning_face_with_smiling_eyes:

Awww, I am a puddy tat, unless you are in the same Zwift race. :wink:

Hi Erlinden, may I please ask you to check my config to see why I am unable to access my Windows computer when connected via BTH?

I am trying to achieve what this guy managed:

https://m.youtube.com/watch?v=CRLUQgU1_Xs

In the 12th minute, he can access his home computer.


@erlinden

I setup the firewall forward rule as you suggested and placed it as first in the list.

I can see the inbound traffic in statistics, but I still cannot see or access the devices on my LAN via the BTH device.

The BTH user of course has been created with Allow LAN enabled.

Which other rules / settings do I need to establish to gain access to my devices? Thank you.

PS: as a new user, I am not permitted to post more than 3x in this thread, so I will be editing this post gradually. I hope the edits will be visible / will trigger notifications.

I would expect a rule like this:

/ip firewall filter
add action=accept chain=forward comment="allow bth to lan" disabled=no
in-interface=back-to-home-vpn out-interface-list=LAN

Haven't checked your complete config, so first check if you added a rule as the above yourself.

It's most likely a default dynamic rule created by BTH (so not visible in a config export), but when creating BTH there is an option to specify that you want to make the LAN shareable.

@erlinden @anav

may I please ask for help/navigation?

Sure:

Step 1: create your own topic
Step 2: post your config

Sure, if you're willing to contact me on Discord?
It will take one session with AnyDesk to sort it out.