Hi Everyone!
First of all, thanks for all the experts' time on this forum to make our life a LOT easier!
I have a small problem, BUT it is still a problem...
I have the following setup:
Laptop/PC-----(Internet)-----SXT LTE-----Data Logger
The goal of this installation is to:
- Provide internet for the remote data logger
- Have secure remote access to the data logger
- Have secure remote access to Mikrotik LTE
I used 'quick set' to program the LTE. Progress so far:
- Internet for the data logger
- The VPN working over the LTE connection (Default 'quick set' setup - IPsec)
- I can ping the local IP of the mikrotik while connected via VPN
My challenge:
- I would like to use Winbox to access the MikroTik, but Winbox does not see the MikroTik when I am connected with the VPN
- Not sure if this is possible or best practice; I guess I can do port forwarding for Winbox, but it feels 'safer' to only open the VPN to the outside world
- As a backup, I cannot access the Webfig of the MikroTik even though I can ping the local IP via the VPN
- If I disable the 'drop all WAN' firewall filter, then I can access Webfig. Maybe I am missing a firewall filter?
Any advice will be appreciated!!! Also on possible improvements to my firewall.
Below is the export
(I removed some detail)
Export:
# oct/03/2017 19:22:42 by RouterOS 6.40.3
# software id = ......
# model = RouterBOARD SXT LTE 3-7
# serial number = .........
/interface lte
set [ find ] add-default-route=yes apn=unrestricted default-route-distance=1 mac-address=....... name=lte1 network-mode=lte use-peer-dns=yes
/ip neighbor discovery
set lte1 discover=no
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/ip pool
add name=dhcp ranges=192.168.90.10-192.168.90.254
add name=vpn ranges=..........
/ip dhcp-server
add address-pool=dhcp disabled=no interface=ether1 name=defconf
/ppp profile
set *FFFFFFFE local-address=........... remote-address=vpn
/interface l2tp-server server
set enabled=yes ipsec-secret=..... use-ipsec=yes
/interface list member
add comment=defconf interface=ether1 list=LAN
add comment=defconf interface=lte1 list=WAN
/interface pptp-server server
set enabled=yes
/interface sstp-server server
set default-profile=default-encryption enabled=yes
/ip address
add address=192.168.90.1/24 comment=defconf interface=ether1 network=192.168.90.0
/ip cloud
set ddns-enabled=yes
/ip dhcp-server network
add address=192.168.90.0/24 comment=defconf gateway=192.168.90.1 netmask=24
/ip dns
set allow-remote-requests=yes
/ip dns static
add address=192.168.88.1 name=router.lan
/ip firewall filter
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=accept chain=input comment="allow IPsec NAT" dst-port=4500 protocol=udp
add action=accept chain=input comment="allow IKE" dst-port=500 protocol=udp
add action=accept chain=input comment="allow l2tp" dst-port=1701 protocol=udp
add action=accept chain=input comment="allow pptp" dst-port=1723 protocol=tcp
add action=accept chain=input comment="allow sstp" dst-port=443 protocol=tcp
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
add action=drop chain=input comment="defconf: drop all not coming from LAN" in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related
add action=accept chain=forward comment="defconf: accept established,related, untracked" connection-state=established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
add action=drop chain=forward comment="defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat connection-state=new in-interface-list=WAN
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" ipsec-policy=out,none out-interface-list=WAN
add action=masquerade chain=srcnat out-interface=lte1
add action=masquerade chain=srcnat comment="masq. vpn traffic" src-address=........0/24
/ppp secret
add name=..... password=.....
/system clock
set time-zone-name=Africa/Johannesburg
/tool mac-server
set [ find default=yes ] disabled=yes
add interface=ether1
/tool mac-server mac-winbox
set [ find default=yes ] disabled=yes
add interface=ether1
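The symptoms in the post match the input chain in the export: an L2TP/IPsec client's packets arrive on the dynamic <l2tp-...> interface, which is not a member of the LAN interface list, so after the ICMP accept rule (which is why ping works) a new TCP connection to Webfig (80) or Winbox (8291) hits "defconf: drop all not coming from LAN". Disabling that rule is what made Webfig reachable. The following is an added example, not part of the original post or the poster's export: it accepts management traffic only from the VPN address pool, placed before the drop rule, and disables the PPTP server, whose MS-CHAPv2 authentication is known to be broken. The VPN subnet 192.168.89.0/24 is an assumption standing in for the elided "/ip pool add name=vpn" range; substitute your own.

```routeros
# Added example, not from the original post. ASSUMPTION: the VPN pool
# (elided as "..........") is 192.168.89.0/24; replace with the real range.

# Accept Winbox (8291), Webfig (80) and SSH (22) from VPN clients only.
# place-before puts the rule ahead of the "drop all not coming from LAN"
# rule, which is what currently discards the tunnelled connections.
/ip firewall filter
add chain=input action=accept protocol=tcp dst-port=8291,80,22 \
    src-address=192.168.89.0/24 \
    comment="allow management from VPN clients" \
    place-before=[find comment="defconf: drop all not coming from LAN"]

# PPTP relies on MS-CHAPv2, which is practically crackable; the L2TP/IPsec
# and SSTP servers already cover remote access, so switch PPTP off and
# stop exposing TCP/1723 on the LTE interface.
/interface pptp-server server
set enabled=no
/ip firewall filter
remove [find comment="allow pptp"]

# Restrict the management services themselves to LAN and VPN addresses,
# so a future firewall mistake does not expose them to the Internet.
/ip service
set winbox address=192.168.90.0/24,192.168.89.0/24
set www address=192.168.90.0/24,192.168.89.0/24
set ssh address=192.168.90.0/24,192.168.89.0/24
```

Two further points for the Winbox side: the "Neighbors" list in Winbox is populated by MNDP/CDP broadcasts on the local segment, which do not cross a routed L2TP tunnel, so the router will never appear there over the VPN; connect by typing 192.168.90.1 (port 8291) in the address field instead. MAC-Winbox is likewise only enabled on ether1 in the export, which is the right setting, so no MAC-address connection is possible from the VPN either. Keep the "drop all not coming from LAN" rule in place once the VPN accept rule precedes it.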