I really have read many threads on this, but still have problems.
I am trying to enable remote management of the router.
I understand that simply disabling the firewall for all non-LAN originating traffic and forwarding port 80 to the router’s WAN address is not recommended.
I understand that setting up a vpn is the recommended method.
I set up a vpn using the router’s built in vpn feature and am able to establish the vpn connection.
But, when I point a browser to 192.168.88.1 it can’t connect.
If I disable the firewall that blocks all non lan originating traffic, I can point a browser to the wan (public) ip and it works.
What am I missing?
EDIT: I have confirmed that if I disable the firewall rule that blocks all non-LAN incoming connections, the VPN works and I can access the router from either the 192.168.88.1 address or the public address. If I enable the rule, I cannot access the router at either IP address (even though the VPN still connects).
Since your VPN is not included in the in-interface-list it is being blocked from accessing the router.
So simply add a rule above the drop all not LAN rule ( order is important! ) and it would look like
To access the router for config purposes:
add action=accept chain=input src-address=VPNaddress { where VPNaddress is the random IP address you assigned to the VPN. }
To access the LAN subnets
add action=accept chain=forward src-address=VPNaddress dst-address=192.168.88.0/24 { where VPNaddress is the random IP address you assigned to the VPN. }
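Why the position of the accept rule matters, as an added example that is not part of the original posts: a small first-match model of the input chain, run over the two rules discussed above. The VPN client address, the interface names and the LAN list membership are constructed assumptions, since the thread does not give them.

```python
import ipaddress

# Constructed values: VPN client address, interface names and list membership
# are assumptions for illustration; the thread does not give them.
VPN_ADDR = "10.99.0.2"
INTERFACE_LISTS = {"LAN": {"bridge"}}   # the VPN interface is not a member

DROP_NOT_LAN = "action=drop chain=input in-interface-list=!LAN"
ACCEPT_VPN = f"action=accept chain=input src-address={VPN_ADDR}"


def parse_rule(line):
    """Split a 'key=value key=value' rule line into a dict."""
    return dict(tok.split("=", 1) for tok in line.split())


def matches(rule, pkt):
    """True when every matcher present in the rule matches the packet."""
    if rule["chain"] != pkt["chain"]:
        return False
    if "src-address" in rule:
        net = ipaddress.ip_network(rule["src-address"], strict=False)
        if ipaddress.ip_address(pkt["src"]) not in net:
            return False
    if "in-interface-list" in rule:
        name = rule["in-interface-list"]
        negate = name.startswith("!")
        member = pkt["in_if"] in INTERFACE_LISTS.get(name.lstrip("!"), set())
        if member == negate:
            return False
    return True


def verdict(rule_lines, pkt):
    """First matching rule decides; nothing matching means accept."""
    for rule in map(parse_rule, rule_lines):
        if matches(rule, pkt):
            return rule["action"]
    return "accept"


# Browser request to the router arriving through the VPN interface.
vpn_pkt = {"chain": "input", "src": VPN_ADDR, "in_if": "vpn-in"}
lan_pkt = {"chain": "input", "src": "192.168.88.10", "in_if": "bridge"}

if __name__ == "__main__":
    print("drop rule only:   ", verdict([DROP_NOT_LAN], vpn_pkt))
    print("accept below drop:", verdict([DROP_NOT_LAN, ACCEPT_VPN], vpn_pkt))
    print("accept above drop:", verdict([ACCEPT_VPN, DROP_NOT_LAN], vpn_pkt))
```

With the accept rule below the drop rule the VPN request is still dropped, which matches the behaviour described in the EDIT; only the order with the accept rule first lets it through while other non-LAN traffic stays blocked.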
Jajajaja, you want an MTUNA certification, could be my first Sith disciple!
No, I barely know anything, just enough to keep my head above water and depend on others (sob, mkx, sindy etc…) to keep me from drowning.
As to your question, I don’t know… how is it defined, and how do you use it to connect remotely?
By the way, I tend to use fake numbers for any forum posts, for public WANIP info and in this case your externally used vpn address too…
So suggest go back and change it if it’s the actual.
Just wanted to thank you again. I’ve been working on this and got it to a nice place (for now) where I am able to access everything from 2 locations that I am frequently at, as well as by VPN, with NAT (forwarding) for the camera.