Port forwarding issue

Hello,

I am running an SSTP client on my box and the connection is working. The name of the interface is “sstp_client”.
I do have a masquerade rule for this interface and the “Out Interface” is set to sstp_client.

The SSTP server is forwarding all ports to my client.

I am trying to access my router (with WinBox) from the public IP I got from the SSTP server. I cannot access my router. It looks like I get a timeout.

I created a firewall accept rule just to make sure the SSTP server is forwarding the port correctly. I do get packets on port 8291 on the interface sstp_client.

So the packets are arriving at my router.

Under IP → Services all IPs are allowed to connect to the WinBox server. I tried to delete everything and tried again, but it's not working. 0.0.0.0/0 is also not working.
Something is not working, but at this point I have no idea what to try next.

Any ideas?

Not until you post your config.
/export hide-sensitive file=anynameyouwish

Note I didn't say part of the config LOL.

Use the code tags; that will keep it short for viewing purposes and thus not too long, etc.
It's on the tags line, above and to the right of the Bold, Italics etc. when editing a post: a black square with white square brackets inside the square.

Here are the important parts of my config:

/interface sstp-client add connect-to=domain.tld disabled=no max-mtu=1600 name=sstp_client profile=default-encryption user=user verify-server-address-from-certificate=no
/ip firewall nat add action=masquerade chain=srcnat comment=sstp_client out-interface=sstp_client
/ip service set winbox address=0.0.0.0/0
/ip firewall filter add action=accept chain=input comment=test dst-port=8291 in-interface=sstp_client log=yes protocol=tcp

If you need more. Just let me know. :slight_smile:

The whole config is just too much.

EDIT: Changed my pasted code. I can disable all of my firewall rules except

/ip firewall filter add action=accept chain=input comment=test dst-port=8291 in-interface=sstp_client log=yes protocol=tcp

but it still does not connect, even though the counter is counting.

see my edited post above yours…


Will add comments as I read through it.

  1. Recommend you do not use VLAN 1; 1 is used as a default in many devices and it's best not to use it for any functional primary VLAN purposes.
  2. Do not put VLAN IDs in the WiFi rules. The WiFi rules are for WiFi parameters only; VLAN identification uses bridge VLAN filtering and bridge port settings.
  3. Your entire bridge VLAN structure is hosed.

Best to read through this reference:
http://forum.mikrotik.com/t/using-routeros-to-vlan-your-network/126489/1

Basically, the bridge port settings indicate ingress and the bridge VLAN settings indicate egress:
access ports on ingress are assigned a pvid and one adds frame-types=admit-only-untagged-and-priority-tagged
trunk ports on ingress usually only require adding frame-types=admit-only-vlan-tagged

The bridge VLAN settings are tricky, so read and give it your best shot, and when done I will have a look.

(I have never seen these bridge frame settings for the VLANs themselves before.)

Can we please focus on my issue before I change my complete configuration?
I am not home right now and I will not risk such huge changes now.

You basically added another WAN interface. The problem is that there's still the same default route as before, and it uses your internet connection, so all outgoing traffic will use that.

You need to add another default route in a separate routing table, where the gateway is the SSTP server's internal address. Then mark new connections coming from SSTP. And finally mark routing for outgoing packets that belong to the previously marked connections, so they use the new routing table. In other words, if there's a request coming from the tunnel, you must help the router send the response back to the tunnel.
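The three steps above, written out as RouterOS CLI. This is an added example and not the reply author's or the thread starter's own config; it assumes the SSTP server's tunnel-side address is 10.0.0.1 (read the real value from the "network" column of `/ip address print where interface=sstp_client`), and it uses the placeholder names via_sstp and from_sstp for the routing mark and connection mark. It also covers the case the thread does not reach yet: replies from LAN hosts behind a dst-nat port forward, which need a mark-routing rule in prerouting rather than output.

```routeros
# Added example (not from the thread). Assumed: SSTP peer address 10.0.0.1,
# mark names via_sstp / from_sstp. RouterOS v6 syntax; on v7 first run
#   /routing table add name=via_sstp fib
# and use routing-table=via_sstp instead of routing-mark=via_sstp on the route.

# 1. Second default route, only consulted for packets carrying routing-mark via_sstp.
/ip route add dst-address=0.0.0.0/0 gateway=10.0.0.1 routing-mark=via_sstp \
    comment="replies to traffic that arrived via the SSTP tunnel"

/ip firewall mangle
# 2. Tag every new connection that enters through the tunnel. passthrough=yes so
#    later mangle rules still see the packet.
add chain=prerouting in-interface=sstp_client connection-state=new \
    action=mark-connection new-connection-mark=from_sstp passthrough=yes \
    comment="connections that came in over sstp_client"

# 3a. The router's own replies (WinBox on 8291, SSH, etc.) leave through the
#     output chain; send them to the via_sstp table instead of the normal default route.
add chain=output connection-mark=from_sstp \
    action=mark-routing new-routing-mark=via_sstp passthrough=no \
    comment="router-originated replies go back through the tunnel"

# 3b. Replies from LAN hosts for dst-nat'ed ports come back in on the LAN side and
#     are routed in prerouting; exclude the tunnel itself so the inbound packet is
#     not re-marked.
add chain=prerouting in-interface=!sstp_client connection-mark=from_sstp \
    action=mark-routing new-routing-mark=via_sstp passthrough=no \
    comment="forwarded replies go back through the tunnel"
```

To confirm it is doing what you expect, watch the counters with `/ip firewall mangle print stats` while connecting with WinBox from outside: the output-chain rule should count every reply packet, and `/ip route print where routing-mark=via_sstp` should show the extra default route as active (A) while the tunnel is up. The existing `log=yes` accept rule in the input chain already proves the request half arrives; these rules fix the reply half.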

Thank you very much. It worked.