Public IP Broadcast for VPN Access

Hi there, Philippines here.
Can anybody help me with how to broadcast my MikroTik's IP for remote and OVPN access?

I have 1 static IP that is standard for DSL connections, but the thing is I can't ping my MikroTik's public IP offsite; what I mean is outside my network.

I am a beginner to this configuration; please enlighten me and teach me how to do this. I want to raise my knowledge regarding VPNs.

Hope anybody here would help me and give me a helping hand.

Thank you very much.

What is your current public address?

My current public IP is 121.96.x.x/30, gateway is 121.96.x.x, primary DNS is 121.96.x.x and secondary DNS is 202.78.x.x.
Sorry for the late reply; I am currently suffering from this configuration, it gives me a migraine, but I still want to learn it.

Thank you sir for the reply.

Maybe the ICMP is blocked by your provider?

By default the WebFig is enabled on port 80 of your router. Can you access it via web browser through your public address?

No, I can't. Even with the public IP that is given to me and configured in my IP addresses on the MikroTik, I can neither ping it nor access it on port 80 or 8080.

Note:
The settings of my MT are a basic configuration.

My ISP modem is a modem only, not a router/modem; I can't touch or access it to configure it.

Trials that I have made to see if the problem is on my ISP provider:
1. Tried to connect a different router, a Cisco RV042, and it did the trick: I can communicate with my public IP through port 8080.

But I am currently replacing that buggy thing; that's why I purchased the RB951 to replace it, but sadly I can't figure out why I can't communicate using my public IP.

Please, I need more information, my head is going to break (-_-) sorry, it is just a metaphor.

So if it’s working with the other router, it’s not an ISP issue.
Post your config (/export compact) here and we can help you.
-Chris

/interface wireless
set [ find default-name=wlan1 ] mode=ap-bridge
/interface ethernet
set [ find default-name=ether1 ] comment="POE Devices" disabled=yes
set [ find default-name=ether2 ] comment=WAN
set [ find default-name=ether3 ] comment=LAN

/ip pool
add name=dhcp_pool0 ranges=192.168.2.10-192.168.2.100
add name=vpn ranges=192.168.2.101-192.168.2.250

/ip dhcp-server
add address-pool=dhcp_pool0 disabled=no interface=ether3 lease-time=1d10m name=dhcp1

/ppp profile
add local-address=vpn name=OVPN remote-address=vpn
set *FFFFFFFE local-address=192.168.2.101 remote-address=vpn

/interface l2tp-server server
set enabled=yes ipsec-secret=123456 use-ipsec=yes

/interface pptp-server server
set enabled=yes

/interface sstp-server server
set default-profile=default-encryption enabled=yes


/ip address
add address=192.168.2.1/24 comment=LAN interface=ether3 network=192.168.2.0
add address=121.96.x.x/30 comment=WAN interface=ether2 network=121.96.x.x

/ip dhcp-server network
add address=192.168.2.0/24 gateway=192.168.2.1

/ip dns
set allow-remote-requests=yes servers=121.96.x.x,202.78.x.x,8.8.8.8,8.8.4.4

/ip firewall filter
add action=accept chain=input dst-port=1143 in-interface=ether2 protocol
add action=accept chain=input in-interface=ether2 protocol=icmp

/ip firewall nat
add action=masquerade chain=srcnat out-interface=ether2

/ip route
add check-gateway=ping distance=1 gateway=121.96.x.x

/ppp secret
add local-address=192.168.2.102 name=user1 password=123456 profile=OVP
remote-address=192.168.2.103 service=ovpn

/system clock
set time-zone-name=Asia/Manila

/system ntp client
set enabled=yes server-dns-names=“0.aisa.ntp.pool.org,1.aisa.ntp.pool.
.ntp.pool.org,3.aisa.ntp.pool.org

/system routerboard settings
set init-delay=0s

Sir satman1w and Sir cdiedrich,

I have a very basic setup of my MT and added 2 filter rules on the input chain which allow ICMP and port 1143 on ether2-WAN; correct me please if I am wrong.
Even though I have added these two to my filters, I can't ping, connect to my VPN, or remote into my MT on port 80.

Please help, I have been trying to figure this out by reading forums for 3 weeks; until now it breaks my head (-_-) metaphor again, sorry.

First, I see

/ip firewall filter
add action=accept chain=input dst-port=1143 in-interface=ether2 protocol

The port is wrong. OVPN listens on port 1194 by default, not 1143.
It looks like the protocol is stripped from your pasted config. Are you sure you are using tcp? MTik does not support ovpn over udp.

I am missing the ovpn server section in your config. Is it enabled? Do you have a cert assigned?
It should look like this:

/interface ovpn-server server
set certificate=acertificatehere cipher=blowfish128,aes128,aes192,aes256 default-profile=default-encryption enabled=yes

icmp-wise I don’t see an issue why it shouldn’t work.

Is this your whole config?
Your firewall filter section is pretty short and if this is really everything, your router is wide open to the internet.
If your pasted config does not show the complete firewall, it is important to have these accept rules on top.

Once you have that sorted and get at least basic ovpn connectivity, please come back to me - there’s a lot to improve in your addressing which might (no, it certainly will) cause unexpected behavior.

-Chris
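
An added example, not part of the original thread or of MikroTik's own tooling: a small Python check that applies the review points from the reply above to `/export` text (OVPN server enabled with a certificate, an input-chain accept for tcp/1194 placed ahead of any catch-all drop, and a drop rule present at all). The sample export, the finding names and the `ether2` WAN default are assumptions made for the illustration.

```python
import re

OVPN_PORT = "1194"  # RouterOS OVPN server default port (TCP), per the reply above

# Constructed sample shaped like the first export in this thread; not a real router.
SAMPLE_EXPORT = """\
/ip firewall filter
add action=accept chain=input dst-port=1143 in-interface=ether2 protocol=tcp
add action=accept chain=input in-interface=ether2 protocol=icmp
"""

def parse_export(text):
    """Map each menu path to the list of property dicts set under it."""
    text = re.sub(r"\\\r?\n\s*", "", text)  # rejoin lines wrapped with a trailing backslash
    menus, path = {}, None
    for line in (l.strip() for l in text.splitlines()):
        if not line or line.startswith("#"):
            continue
        if line.startswith("/"):
            path = line
            menus.setdefault(path, [])
        elif path:
            pairs = re.findall(r'([\w-]+)=("[^"]*"|\S*)', line)
            menus[path].append({k: v.strip('"') for k, v in pairs})
    return menus

def audit(text, wan="ether2"):
    """Return finding codes (names are hypothetical) for the review points."""
    menus, findings = parse_export(text), []
    server = (menus.get("/interface ovpn-server server") or [{}])[0]
    if server.get("enabled") != "yes":
        findings.append("ovpn-server-not-enabled")
    elif not server.get("certificate"):
        findings.append("ovpn-server-no-certificate")
    rules = [r for r in menus.get("/ip firewall filter", [])
             if r.get("chain") == "input" and r.get("in-interface", wan) == wan]
    # Simplification: a catch-all drop is a drop rule with no matcher besides the interface.
    drops = [i for i, r in enumerate(rules) if r.get("action") == "drop"
             and set(r) <= {"action", "chain", "in-interface", "comment"}]
    opens = [i for i, r in enumerate(rules) if r.get("action") == "accept"
             and r.get("protocol") == "tcp" and OVPN_PORT in r.get("dst-port", "").split(",")]
    if not opens:
        findings.append("no-accept-for-tcp-1194")
    elif drops and drops[0] < opens[0]:
        findings.append("accept-rule-below-drop")
    if not drops:
        findings.append("input-chain-has-no-drop-rule")
    return findings
```

Calling `audit(SAMPLE_EXPORT)` reports all three problems for the constructed sample; an export with the server section, the 1194 accept rule and a trailing drop returns an empty list.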

Sorry Sir cdiedrich for the wrong port given in my OVPN section; it's the 1194 default port. Yes sir, it is enabled, but even though it is enabled and allowed on my firewall, I can't connect to it.

Sorry, I forgot to tell you that there are no certificates yet and tcp is the one that I am attempting to use. I am planning to work out my VPN connection first before configuring my firewall for security.

This is my first time configuring VPN on MT; I am planning to use OVPN for connecting our 6 branches to our main site.

Our old device, which is an RV042, is eating up a lot of bandwidth and I can't control it.

Please Sir cdiedrich, continue to guide me; I will post my latest config for follow-up after my test on Monday here in the Philippines.

Thank you Sir cdiedrich for helping me out.

Sir Chris, good morning. Here is my updated configuration; please see the exported config below and, if I have made some mistakes, please correct me.


[admin@xxxxxx] > /export compact

# jan/02/1970 13:24:22 by RouterOS 6.39.2
# software id = WY8K-J27Y

/interface wireless
set [ find default-name=wlan1 ] mode=ap-bridge

/interface ethernet
set [ find default-name=ether1 ] comment="POE Devices" disabled=yes
set [ find default-name=ether2 ] comment=WAN
set [ find default-name=ether3 ] comment=LAN

/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik

/ip pool
add name=dhcp_pool0 ranges=192.168.2.10-192.168.2.100
add name=OVPN ranges=192.168.2.101-192.168.2.200
add name=PPTP ranges=192.168.2.201-192.168.2.250

/ip dhcp-server
add address-pool=dhcp_pool0 disabled=no interface=ether3 lease-time=1d10m name=dhcp1

/ppp profile
add local-address=OVPN name=OVPN remote-address=OVPN
add local-address=PPTP name=PPTP remote-address=PPTP
set *FFFFFFFE local-address=192.168.89.1 remote-address=OVPN

/interface l2tp-server server
set enabled=yes ipsec-secret=123456 use-ipsec=yes

/interface ovpn-server server
set certificate=xxxxxx cipher=blowfish128,aes128,aes192,aes256 enabled=yes require-client-certificate=yes

/interface pptp-server server
set enabled=yes

/ip address
add address=192.168.2.1/24 comment=LAN interface=ether3 network=192.168.2.0
add address=121.96.x.x/30 comment=WAN interface=ether2 network=121.96.x.x

/ip dhcp-server network
add address=192.168.2.0/24 gateway=192.168.2.1

/ip dns
set allow-remote-requests=yes servers=121.96.x.x,202.78.x.x,8.8.8.8,8.8.4.4

/ip firewall filter
add action=accept chain=input protocol=gre
add action=accept chain=input comment=PPTP dst-address=121.96.x.x dst-port=1723 in-interface=ether2 protocol=tcp
add action=accept chain=input comment="OVPN Port" dst-address=121.96.x.x dst-port=1149 in-interface=ether2 protocol=tcp
add action=accept chain=input comment="Router Access" dst-address=121.96.x.x dst-port=80 in-interface=ether2 protocol=tcp
add action=accept chain=input comment="WINBOX 8080" dst-address=121.96.x.x dst-port=8192 in-interface=ether2 protocol=tcp
add action=accept chain=input comment="Allow PING ICMP " protocol=icmp

/ip firewall nat
add action=masquerade chain=srcnat comment="Default Masquerade Rule for LAN" out-interface=ether2 src-address=192.168.2.1-192.168.2.255
add action=dst-nat chain=dstnat comment="Router Access" dst-address=121.96.x.x dst-port=80 in-interface=ether2 protocol=tcp to-addresses=192.168.2.0/24 to-ports=80
add action=dst-nat chain=dstnat comment=WINBOX dst-address=121.96.x.x dst-port=8080 in-interface=ether2 protocol=tcp to-addresses=192.168.2.0/24 to-ports=8080
add action=dst-nat chain=dstnat comment="OVPN Port" dst-address=121.96.x.x dst-port=1149 in-interface=ether2 protocol=tcp to-addresses=192.168.2.0/24 to-ports=1149
add action=dst-nat chain=dstnat comment=PPTP disabled=yes dst-address=121.96.x.x dst-port=1723 in-interface=ether2 protocol=tcp to-addresses=192.168.2.0/24 to-ports=1723
add action=src-nat chain=srcnat comment="Rotue traffic via 121.96.x.x" src-address=192.168.2.0/24 to-addresses=121.96.x.x

/ip route
add check-gateway=ping distance=1 gateway=121.96.x.x

/ip service
set winbox port=8080

/ppp secret
add comment=OVPN-1 local-address=192.168.2.102 name=user1 password=123456 profile=OVPN remote-address=192.168.2.103 service=ovpn
add comment=PPTP-1 local-address=192.168.2.201 name=userdev1 password=123456 profile=PPTP remote-address=192.168.2.202 service=pptp

/system clock
set time-zone-name=Asia/Manila

/system identity
set name=xxxxxx

/system ntp client
set enabled=yes server-dns-names="0.aisa.ntp.pool.org,1.aisa.ntp.pool.org,2.aisa.ntp.pool.org,3.aisa.ntp.pool.org"

/system routerboard settings
set init-delay=0s


The reason why I have enabled the PPTP server is to test if my public IP is live. I tried to connect to it using PPTP and it works, and when I tried to ping my public IP it works like a charm, it did respond.

I haven't tested my OVPN connection yet, but sir, do you think this config will grant me access to my OVPN server? Furthermore, using an MT951 as both OVPN server and client, how can I access files and resources from both networks, from the server's network to the client's network and vice versa?

Another question, Sir Chris: is my firewall NAT correct, or do I need to remove it?
Thank you for answering my questions; I am very glad that someone is helping me out in this very stressful situation.

Sincerely
-Nico