Hello,
I did a search and could not resolve my issue.
My issue is that while I have successfully set up an SSTP VPN to my router from outside my network and I can use it to access the internet, I cannot access the SMB shares hosted by the MikroTik device itself. What's strange is, I can access \\MikroTik fine but not any of the configured shares on it (works fine on my LAN).
Just some background on my network:
Router: CRS125-24G-1S-2HnD
LAN: 192.168.0.0/24
VPN: 192.168.1.0/24
/ip firewall nat print
Flags: X - disabled, I - invalid, D - dynamic
...
1 chain=srcnat action=masquerade src-address=192.168.1.0/24 dst-address=192.168.0.0/24 log=no log-prefix=""
2 chain=srcnat action=masquerade src-address=192.168.0.0/24 dst-address=192.168.1.0/24 log=no log-prefix=""
...
/ip smb print
enabled: yes
domain: WORKGROUP
comment: MikroTik Router
allow-guests: yes
interfaces: all
Is anyone able to point me in the right direction to get this fixed?
CZFan
February 22, 2018, 5:58pm
2
Will need more info in order to see what is missing/incorrect, i.e. all rules in /Firewall Filter and /Firewall NAT.
Mark any sensitive IPs such as WAN with something like 196.40.xx.xx.
/ip firewall filter
Flags: X - disabled, I - invalid, D - dynamic
0 chain=input action=accept protocol=tcp dst-port=443 log=no log-prefix=""
1 X ;;; place hotspot rules here
chain=unused-hs-chain action=passthrough
2 ;;; default configuration
chain=input action=accept protocol=icmp log-prefix=""
3 ;;; default configuration
chain=input action=accept connection-state=established log-prefix=""
4 ;;; default configuration
chain=input action=accept connection-state=related log-prefix=""
5 ;;; default configuration
chain=input action=drop in-interface=ether1-gateway log-prefix=""
6 ;;; default configuration
chain=input action=drop in-interface=sfp1-gateway log-prefix=""
7 ;;; default configuration
chain=forward action=accept connection-state=established log-prefix=""
8 ;;; default configuration
chain=forward action=accept connection-state=related log-prefix=""
9 ;;; default configuration
chain=forward action=drop connection-state=invalid
/ip firewall nat
Flags: X - disabled, I - invalid, D - dynamic
0 X ;;; place hotspot rules here
chain=unused-hs-chain action=passthrough
1 chain=srcnat action=masquerade src-address=192.168.1.0/24 dst-address=192.168.0.0/24 log=no log-prefix=""
2 chain=srcnat action=masquerade src-address=192.168.0.0/24 dst-address=192.168.1.0/24 log=no log-prefix=""
3 ;;; default configuration
chain=srcnat action=masquerade out-interface=ether1-gateway log-prefix=""
4 ;;; default configuration
chain=srcnat action=masquerade to-addresses=0.0.0.0 out-interface=sfp1-gateway log-prefix=""
5 ;;; masquerade hotspot network
chain=srcnat action=masquerade to-addresses=0.0.0.0 src-address=10.20.30.0/24 log-prefix=""
6 ;;; Steam game client traffic
chain=dstnat action=dst-nat to-addresses=192.168.0.252 protocol=udp in-interface=ether1-gateway dst-port=27000-27015 log-prefix=""
7 ;;; Steam Matchmaking and HLTV
chain=dstnat action=dst-nat to-addresses=192.168.0.252 protocol=udp in-interface=ether1-gateway dst-port=27016-27030 log-prefix=""
8 ;;; Steam in-Home Streaming UDP
chain=dstnat action=dst-nat to-addresses=192.168.0.252 protocol=udp in-interface=ether1-gateway dst-port=27031,27036 log-prefix=""
9 ;;; Steam in-Home Streaming TCP
chain=dstnat action=dst-nat to-addresses=192.168.0.252 protocol=tcp in-interface=ether1-gateway dst-port=27036,27037 log-prefix=""
CZFan
February 23, 2018, 12:43pm
4
Personally, I only use NAT when I have to, so I would delete the following under /ip firewall nat; the MikroTik device should add a dynamic route for these subnets:
1 chain=srcnat action=masquerade src-address=192.168.1.0/24 dst-address=192.168.0.0/24 log=no log-prefix=""
2 chain=srcnat action=masquerade src-address=192.168.0.0/24 dst-address=192.168.1.0/24 log=no log-prefix=""
Then create yourself a “Trusted zone” in Interface List to include dynamic interfaces, then add your LAN interfaces to this zone and configure rules accordingly using this “Zone” in the interface list properties, i.e.:
/interface list
add comment="Trusted Zone" include=dynamic name=Trusted
/interface list member
add comment=LAN interface=bridge1 list=Trusted
#Place rule below above Rule 5 in your config
/ip firewall filter
add action=accept chain=input comment="Allow New connections from LAN" connection-state=new in-interface-list=Trusted
#This one above rule 9
add action=accept chain=forward comment="Allow New connections from LAN" connection-state=new in-interface-list=Trusted
If you are using a Windows device, ensure “Use default gateway on remote network” is enabled on the VPN connection.
Let me know outcome
No good,
while I can still use the connection to access the internet, I can no longer access \\MikroTik.
CZFan
February 24, 2018, 7:38am
6
Sounds like the Interface List is not working as expected; can you place the output of a full export here so we can look at everything?
export hide-sensitive
Remove the software ID and serial number at the top of the export before pasting.
# feb/24/2018 19:31:10 by RouterOS 6.41
# software id = ####-####
#
# model = CRS125-24G-1S-2HnD
# serial number = ############
/interface bridge
add admin-mac=D4:CA:6D:FA:A7:B1 arp=proxy-arp auto-mac=no fast-forward=no mtu=1500 name=bridge-local
/interface wireless
set [ find default-name=wlan1 ] band=2ghz-b/g/n channel-width=20/40mhz-Ce disabled=no distance=indoors mode=ap-bridge ssid="Darude LANstorm"
/interface ethernet
set [ find default-name=ether1 ] name=ether1-gateway
set [ find default-name=ether2 ] arp=proxy-arp name=ether2-master-local
set [ find default-name=ether3 ] arp=proxy-arp name=ether3-slave-local
set [ find default-name=ether4 ] arp=proxy-arp name=ether4-slave-local
set [ find default-name=ether5 ] arp=proxy-arp name=ether5-slave-local
set [ find default-name=ether6 ] arp=proxy-arp auto-negotiation=no name=ether6-slave-local
set [ find default-name=ether7 ] arp=proxy-arp name=ether7-slave-local
set [ find default-name=ether8 ] arp=proxy-arp name=ether8-slave-local
set [ find default-name=ether9 ] arp=proxy-arp name=ether9-slave-local
set [ find default-name=ether10 ] arp=proxy-arp name=ether10-slave-local
set [ find default-name=ether11 ] arp=proxy-arp name=ether11-slave-local
set [ find default-name=ether12 ] arp=proxy-arp name=ether12-slave-local
set [ find default-name=ether13 ] arp=proxy-arp name=ether13-slave-local
set [ find default-name=ether14 ] arp=proxy-arp name=ether14-slave-local
set [ find default-name=ether15 ] arp=proxy-arp name=ether15-slave-local
set [ find default-name=ether16 ] arp=proxy-arp name=ether16-slave-local
set [ find default-name=ether17 ] arp=proxy-arp name=ether17-slave-local
set [ find default-name=ether18 ] arp=proxy-arp name=ether18-slave-local
set [ find default-name=ether19 ] arp=proxy-arp name=ether19-slave-local
set [ find default-name=ether20 ] arp=proxy-arp name=ether20-slave-local
set [ find default-name=ether21 ] arp=proxy-arp name=ether21-slave-local
set [ find default-name=ether22 ] arp=proxy-arp name=ether22-slave-local
set [ find default-name=ether23 ] arp=proxy-arp name=ether23-slave-local
set [ find default-name=ether24 ] arp=proxy-arp name=ether24-slave-local
set [ find default-name=sfp1 ] name=sfp1-gateway
/interface list
add exclude=dynamic name=discover
add name=mactel
add name=mac-winbox
add comment="Trusted Zone" include=dynamic name=Trusted
/interface wireless security-profiles
set [ find default=yes ] authentication-types=wpa2-psk eap-methods="" mode=dynamic-keys supplicant-identity=MikroTik
add eap-methods="" management-protection=allowed name=none supplicant-identity=""
/ip hotspot profile
set [ find default=yes ] dns-name=guest login-by=cookie,http-chap,trial
add dns-name=guest hotspot-address=10.20.30.40 login-by=cookie,http-chap,trial name=hsprof1
/ip ipsec proposal
set [ find default=yes ] enc-algorithms=3des
/ip pool
add name=default-dhcp ranges=192.168.0.2-192.168.0.254
add name=hs-pool-31 ranges=10.20.30.1-10.20.30.39,10.20.30.41-10.20.30.254
add name=sstp-pool ranges=192.168.1.1-192.168.1.254
/ip dhcp-server
add address-pool=default-dhcp disabled=no interface=bridge-local lease-time=1d name=default
add address-pool=hs-pool-31 authoritative=after-2sec-delay disabled=no lease-time=1h name=dhcp1
/ipv6 dhcp-server
add address-pool=default-dhcp-v6 interface=bridge-local lease-time=1d name=defaultv6
/ipv6 pool
add name=default-dhcp-v6 prefix=64:ff9b:1::/64 prefix-length=64
/ppp profile
add local-address=sstp-pool name=vpn-profile remote-address=sstp-pool use-ipv6=no
/interface bridge port
add bridge=bridge-local interface=ether2-master-local
add bridge=bridge-local hw=no interface=wlan1
add bridge=bridge-local interface=ether4-slave-local
add bridge=bridge-local interface=ether3-slave-local
add bridge=bridge-local interface=ether5-slave-local
add bridge=bridge-local interface=ether6-slave-local
add bridge=bridge-local interface=ether7-slave-local
add bridge=bridge-local interface=ether8-slave-local
add bridge=bridge-local interface=ether9-slave-local
add bridge=bridge-local interface=ether10-slave-local
add bridge=bridge-local interface=ether11-slave-local
add bridge=bridge-local interface=ether12-slave-local
add bridge=bridge-local interface=ether13-slave-local
add bridge=bridge-local interface=ether14-slave-local
add bridge=bridge-local interface=ether15-slave-local
add bridge=bridge-local interface=ether16-slave-local
add bridge=bridge-local interface=ether17-slave-local
add bridge=bridge-local interface=ether18-slave-local
add bridge=bridge-local interface=ether19-slave-local
add bridge=bridge-local interface=ether20-slave-local
add bridge=bridge-local interface=ether21-slave-local
add bridge=bridge-local interface=ether22-slave-local
add bridge=bridge-local interface=ether23-slave-local
add bridge=bridge-local interface=ether24-slave-local
/ip neighbor discovery-settings
set discover-interface-list=discover
/interface ethernet switch port
set 0 dscp-based-qos-dscp-to-dscp-mapping=no
set 1 dscp-based-qos-dscp-to-dscp-mapping=no
set 2 dscp-based-qos-dscp-to-dscp-mapping=no
set 3 dscp-based-qos-dscp-to-dscp-mapping=no
set 4 dscp-based-qos-dscp-to-dscp-mapping=no
set 5 dscp-based-qos-dscp-to-dscp-mapping=no
set 6 dscp-based-qos-dscp-to-dscp-mapping=no
set 7 dscp-based-qos-dscp-to-dscp-mapping=no
set 8 dscp-based-qos-dscp-to-dscp-mapping=no
set 9 dscp-based-qos-dscp-to-dscp-mapping=no
set 10 dscp-based-qos-dscp-to-dscp-mapping=no
set 11 dscp-based-qos-dscp-to-dscp-mapping=no
set 12 dscp-based-qos-dscp-to-dscp-mapping=no
set 13 dscp-based-qos-dscp-to-dscp-mapping=no
set 14 dscp-based-qos-dscp-to-dscp-mapping=no
set 15 dscp-based-qos-dscp-to-dscp-mapping=no
set 16 dscp-based-qos-dscp-to-dscp-mapping=no
set 17 dscp-based-qos-dscp-to-dscp-mapping=no
set 18 dscp-based-qos-dscp-to-dscp-mapping=no
set 19 dscp-based-qos-dscp-to-dscp-mapping=no
set 20 dscp-based-qos-dscp-to-dscp-mapping=no
set 21 dscp-based-qos-dscp-to-dscp-mapping=no
set 22 dscp-based-qos-dscp-to-dscp-mapping=no
set 23 dscp-based-qos-dscp-to-dscp-mapping=no
set 24 dscp-based-qos-dscp-to-dscp-mapping=no
set 25 dscp-based-qos-dscp-to-dscp-mapping=no
/interface l2tp-server server
set authentication=mschap1,mschap2 use-ipsec=required
/interface list member
add interface=wlan1 list=discover
add interface=ether2-master-local list=discover
add interface=ether3-slave-local list=discover
add interface=ether4-slave-local list=discover
add interface=ether5-slave-local list=discover
add interface=ether6-slave-local list=discover
add interface=ether7-slave-local list=discover
add interface=ether8-slave-local list=discover
add interface=ether9-slave-local list=discover
add interface=ether10-slave-local list=discover
add interface=ether11-slave-local list=discover
add interface=ether12-slave-local list=discover
add interface=ether13-slave-local list=discover
add interface=ether14-slave-local list=discover
add interface=ether15-slave-local list=discover
add interface=ether16-slave-local list=discover
add interface=ether17-slave-local list=discover
add interface=ether18-slave-local list=discover
add interface=ether19-slave-local list=discover
add interface=ether20-slave-local list=discover
add interface=ether21-slave-local list=discover
add interface=ether22-slave-local list=discover
add interface=ether23-slave-local list=discover
add interface=ether24-slave-local list=discover
add interface=bridge-local list=discover
add list=discover
add list=discover
add interface=ether2-master-local list=mactel
add interface=ether3-slave-local list=mactel
add interface=ether2-master-local list=mac-winbox
add interface=ether4-slave-local list=mactel
add interface=ether3-slave-local list=mac-winbox
add interface=ether5-slave-local list=mactel
add interface=ether4-slave-local list=mac-winbox
add interface=ether6-slave-local list=mactel
add interface=ether5-slave-local list=mac-winbox
add interface=ether7-slave-local list=mactel
add interface=ether6-slave-local list=mac-winbox
add interface=ether8-slave-local list=mactel
add interface=ether9-slave-local list=mactel
add interface=ether7-slave-local list=mac-winbox
add interface=ether20-slave-local list=mactel
add interface=ether8-slave-local list=mac-winbox
add interface=ether21-slave-local list=mactel
add interface=ether9-slave-local list=mac-winbox
add interface=ether22-slave-local list=mactel
add interface=ether20-slave-local list=mac-winbox
add interface=ether23-slave-local list=mactel
add interface=ether21-slave-local list=mac-winbox
add interface=ether24-slave-local list=mactel
add interface=ether22-slave-local list=mac-winbox
add interface=wlan1 list=mactel
add interface=ether23-slave-local list=mac-winbox
add interface=bridge-local list=mactel
add interface=ether24-slave-local list=mac-winbox
add interface=wlan1 list=mac-winbox
add interface=bridge-local list=mac-winbox
add comment=LAN interface=bridge-local list=Trusted
/interface pptp-server server
set enabled=yes
/interface sstp-server server
set authentication=mschap2 certificate=server enabled=yes
/ip address
add address=192.168.0.1/24 comment="default configuration" interface=bridge-local network=192.168.0.0
add address=10.20.30.40/24 comment="hotspot network" network=10.20.30.0
/ip dhcp-client
add comment="default configuration" dhcp-options=hostname,clientid disabled=no interface=ether1-gateway
add comment="default configuration" dhcp-options=hostname,clientid disabled=no interface=sfp1-gateway
/ip dhcp-server lease
add address=192.168.0.252 always-broadcast=yes client-id=1:1c:6f:65:d6:bb:4a mac-address=1C:6F:65:D6:BB:4A server=default
add address=192.168.0.248 always-broadcast=yes mac-address=00:13:E8:34:32:E7 server=default
add address=192.168.0.254 mac-address=00:1B:24:54:BF:CC server=default
/ip dhcp-server network
add address=192.168.0.0/24 boot-file-name=pxelinux.0 comment="default configuration" dns-server=192.168.0.1 domain=local gateway=192.168.0.1 next-server=192.168.0.252
/ip dns
set allow-remote-requests=yes
/ip dns static
add address=192.168.0.1 name=router.local
/ip firewall filter
add action=accept chain=input dst-port=443 protocol=tcp
add action=passthrough chain=unused-hs-chain comment="place hotspot rules here" disabled=yes
add action=accept chain=input comment="default configuration" protocol=icmp
add action=accept chain=input comment="default configuration" connection-state=established
add action=accept chain=input comment="default configuration" connection-state=related
add action=accept chain=input comment="Allow new connections from LAN" connection-state=new in-interface-list=Trusted
add action=drop chain=input comment="default configuration" in-interface=ether1-gateway
add action=drop chain=input comment="default configuration" in-interface=sfp1-gateway
add action=accept chain=forward comment="default configuration" connection-state=established
add action=accept chain=forward comment="Allow new connections from LAN" connection-state=new in-interface-list=Trusted
add action=accept chain=forward comment="default configuration" connection-state=related
add action=drop chain=forward comment="default configuration" connection-state=invalid
/ip firewall nat
add action=passthrough chain=unused-hs-chain comment="place hotspot rules here" disabled=yes
add action=masquerade chain=srcnat comment="default configuration" out-interface=ether1-gateway
add action=masquerade chain=srcnat comment="default configuration" out-interface=sfp1-gateway to-addresses=0.0.0.0
add action=masquerade chain=srcnat comment="masquerade hotspot network" src-address=10.20.30.0/24 to-addresses=0.0.0.0
add action=dst-nat chain=dstnat comment="Steam game client traffic" dst-port=27000-27015 in-interface=ether1-gateway protocol=udp to-addresses=192.168.0.252
add action=dst-nat chain=dstnat comment="Steam Matchmaking and HLTV" dst-port=27016-27030 in-interface=ether1-gateway protocol=udp to-addresses=192.168.0.252
add action=dst-nat chain=dstnat comment="Steam in-Home Streaming UDP" dst-port=27031,27036 in-interface=ether1-gateway protocol=udp to-addresses=192.168.0.252
add action=dst-nat chain=dstnat comment="Steam in-Home Streaming TCP" dst-port=27036,27037 in-interface=ether1-gateway protocol=tcp to-addresses=192.168.0.252
/ip hotspot user
add name=St0ner1995
/ip proxy
set cache-path=web-proxy1
/ip smb
set comment="MikroTik Router" domain=WORKGROUP enabled=yes
/ip smb shares
set [ find default=yes ] disabled=yes
add directory=/Storage max-sessions=2 name=Storage
/ip smb users
add name=St0ner1995 read-only=no
/ipv6 dhcp-client
add add-default-route=yes interface=ether1-gateway request=address
add add-default-route=yes interface=sfp1-gateway request=address
/ipv6 firewall filter
add action=accept chain=input comment="Allow established connections" connection-state=established
add action=accept chain=input comment="Allow related connections" connection-state=related
add action=accept chain=input comment="Allow limited ICMP" limit=50/5s,5 protocol=icmpv6
add action=accept chain=input comment="Allow UDP" protocol=udp
add action=drop chain=input
add action=accept chain=forward comment="Allow established connections" connection-state=established
add action=accept chain=forward comment="Allow related connections" connection-state=related
add action=drop chain=forward
/lcd
set default-screen=stats
/lcd pin
set pin-number=8788
/lcd screen
set 1 disabled=yes
/ppp secret
add name=St0ner1995 profile=vpn-profile
/system clock
set time-zone-autodetect=no time-zone-name=Australia/Melbourne
/system lcd
set contrast=0 enabled=no port=parallel type=24x4
/system lcd page
set time disabled=yes display-time=5s
set resources disabled=yes display-time=5s
set uptime disabled=yes display-time=5s
set packets disabled=yes display-time=5s
set bits disabled=yes display-time=5s
set version disabled=yes display-time=5s
set identity disabled=yes display-time=5s
set bridge-local disabled=yes display-time=5s
set wlan1 disabled=yes display-time=5s
set ether1-gateway disabled=yes display-time=5s
set ether2-master-local disabled=yes display-time=5s
set ether3-slave-local disabled=yes display-time=5s
set ether4-slave-local disabled=yes display-time=5s
set ether5-slave-local disabled=yes display-time=5s
set ether6-slave-local disabled=yes display-time=5s
set ether7-slave-local disabled=yes display-time=5s
set ether8-slave-local disabled=yes display-time=5s
set ether9-slave-local disabled=yes display-time=5s
set ether10-slave-local disabled=yes display-time=5s
set ether11-slave-local disabled=yes display-time=5s
set ether12-slave-local disabled=yes display-time=5s
set ether13-slave-local disabled=yes display-time=5s
set ether14-slave-local disabled=yes display-time=5s
set ether15-slave-local disabled=yes display-time=5s
set ether16-slave-local disabled=yes display-time=5s
set ether17-slave-local disabled=yes display-time=5s
set ether18-slave-local disabled=yes display-time=5s
set ether19-slave-local disabled=yes display-time=5s
set ether20-slave-local disabled=yes display-time=5s
set ether21-slave-local disabled=yes display-time=5s
set ether22-slave-local disabled=yes display-time=5s
set ether23-slave-local disabled=yes display-time=5s
set ether24-slave-local disabled=yes display-time=5s
set sfp1-gateway disabled=yes display-time=5s
/system leds
set 0 interface=wlan1
/system note
set note=""
/system ntp client
set enabled=yes primary-ntp=XXX.XXX.XXX.XXX secondary-ntp=XXX.XXX.XXX.XXX
/system ntp server
set broadcast=yes enabled=yes
/tool graphing interface
add interface=ether1-gateway
/tool mac-server
set allowed-interface-list=mactel
/tool mac-server mac-winbox
set allowed-interface-list=mac-winbox
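Before letting VPN clients reach services on the router itself, it is worth reading the export above the way a reviewer would. The script below is an added example, not code from this thread or from MikroTik: a small parser for the `export` format shown above (a `/path` section header followed by `add ...`/`set ...` lines of key=value tokens, values optionally quoted) and a handful of checks on settings that are visible in the posted export. `SAMPLE_EXPORT` is a constructed excerpt of that export; its `/ip smb` line carries `allow-guests=yes` explicitly, which `export` omits as a default but which `/ip smb print` in the first post shows. The function names are this example's own.

```python
"""Audit a RouterOS `export` dump for settings worth checking before VPN
clients are allowed to reach the router's own services (SMB here).

Added example, not code from the thread or from MikroTik.
"""
import shlex
from collections import defaultdict

# Constructed excerpt: sections copied from the export posted in the thread.
SAMPLE_EXPORT = """\
/interface l2tp-server server
set authentication=mschap1,mschap2 use-ipsec=required
/interface pptp-server server
set enabled=yes
/interface sstp-server server
set authentication=mschap2 certificate=server enabled=yes
/ip firewall filter
add action=accept chain=input dst-port=443 protocol=tcp
add action=accept chain=input comment="default configuration" protocol=icmp
add action=accept chain=input comment="default configuration" connection-state=established
add action=accept chain=input comment="default configuration" connection-state=related
add action=drop chain=input comment="default configuration" in-interface=ether1-gateway
add action=drop chain=input comment="default configuration" in-interface=sfp1-gateway
add action=accept chain=forward comment="default configuration" connection-state=established
add action=accept chain=forward comment="default configuration" connection-state=related
add action=drop chain=forward comment="default configuration" connection-state=invalid
/ip ipsec proposal
set [ find default=yes ] enc-algorithms=3des
/ip smb
set allow-guests=yes comment="MikroTik Router" domain=WORKGROUP enabled=yes
"""

# Keys of a firewall rule that are not packet matchers.
NON_MATCHERS = {"_verb", "action", "chain", "comment", "log", "log-prefix", "disabled"}


def parse_export(text):
    """Return {section_path: [entry, ...]}; each entry maps key -> value.

    Tokens inside a `[ find ... ]` selector and bare index selectors such as
    `set 0 ...` are skipped: they select an item rather than set a value.
    """
    sections = defaultdict(list)
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("/"):
            section = line
            continue
        if section is None:
            continue
        tokens = shlex.split(line)  # shlex keeps "quoted values" together
        entry = {"_verb": tokens[0]}
        in_selector = False
        for tok in tokens[1:]:
            if tok == "[":
                in_selector = True
            elif tok == "]":
                in_selector = False
            elif not in_selector and "=" in tok:
                key, value = tok.split("=", 1)
                entry[key] = value
        sections[section].append(entry)
    return sections


def audit(sections):
    """Return a list of findings (strings) for the checks below."""
    findings = []

    # Filter rules are evaluated first-match; a chain without a terminating
    # drop falls through to the default policy, which accepts.
    input_rules = [r for r in sections.get("/ip firewall filter", [])
                   if r.get("chain") == "input" and r.get("disabled") != "yes"]
    has_catch_all = any(r.get("action") == "drop" and not (set(r) - NON_MATCHERS)
                        for r in input_rules)
    if not has_catch_all:
        findings.append("input chain has no catch-all drop: traffic the listed "
                        "rules do not match is accepted by default policy")

    for e in sections.get("/interface pptp-server server", []):
        if e.get("enabled") == "yes":
            findings.append("PPTP server enabled (MS-CHAPv2/MPPE, not considered secure)")

    for e in sections.get("/interface l2tp-server server", []):
        if "mschap1" in e.get("authentication", "").split(","):
            findings.append("L2TP server accepts mschap1")

    for e in sections.get("/ip ipsec proposal", []):
        if "3des" in e.get("enc-algorithms", "").split(","):
            findings.append("IPsec proposal allows 3des")

    for e in sections.get("/ip smb", []):
        # export omits values at default; /ip smb print above shows yes
        if e.get("enabled") == "yes" and e.get("allow-guests", "yes") == "yes":
            findings.append("SMB is enabled with allow-guests=yes")

    return findings


if __name__ == "__main__":
    for finding in audit(parse_export(SAMPLE_EXPORT)):
        print("-", finding)
```

The first finding is the one that matters for this thread: the input chain as exported only drops traffic arriving on the two gateway interfaces, so a connection from the SSTP interface to the router's own SMB port is not being blocked by the filter rules at all, with or without the extra accept rules added later in the thread. The remaining findings (PPTP enabled, mschap1 allowed on L2TP, 3DES in the IPsec proposal, guest SMB access) are unrelated to the symptom but are the settings a practitioner would tighten on a router that is reachable over a VPN.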
CZFan
February 24, 2018, 11:08am
8
While I look through your config, update your device to 6.41.2; many fixes in that, 6.41 is quite problematic.
CZFan
February 24, 2018, 1:10pm
9
Not sure if I missed something, but I can't see anything wrong. I tested interface-list at my place and am also getting problems.
So let's use a src address list instead; run the below in a terminal window, which will remove the previously created "Trusted Zone" and make amendments to the rules I suggested earlier:
/ip firewall address-list add address=192.168.0.0/23 list=LocalLAN
/ip firewall filter set numbers=5,9 !in-interface-list src-address-list=LocalLAN
/interface list remove [find name="Trusted"]
/interface list member remove [find comment=LAN]
Please let me know outcome
CZFan
February 25, 2018, 10:40am
11
Created an SMB share, etc. at my place and it works; you will need to make the following changes also:
#Under IP Pool, change the following:
add name=sstp-pool ranges=192.168.1.1-192.168.1.254
#To:
add name=sstp-pool ranges=192.168.1.2-192.168.1.254
#Under ppp profile, change the following:
add local-address=sstp-pool name=vpn-profile remote-address=sstp-pool use-ipv6=no
#To:
add local-address=192.168.1.1 name=vpn-profile remote-address=sstp-pool use-ipv6=no
Then to access it via VPN, you will need to use \\192.168.1.1 and not \\192.168.0.1.
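The two changes above (the LocalLAN address list in the previous post and the fixed SSTP local-address with a shrunken pool in this one) rest on some address arithmetic that is easy to get subtly wrong. The script below is an added example, not code from this thread or from MikroTik; it checks the prefixes and pool ranges posted in this thread with the Python standard library: that 192.168.0.0/23 is exactly the LAN plus the VPN pool and does not cover the hotspot network, that the RouterOS pool syntax (comma-separated ranges, as in `hs-pool-31`) is parsed correctly, and that the fixed local-address 192.168.1.1 is no longer inside the pool clients draw from. The profile check models the behaviour the fix relies on: a `local-address` given as a pool name is allocated from that pool per session rather than being one fixed address, so there is no stable address for clients to connect to. The function names and the `check_ppp_profile` helper are this example's own.

```python
"""Address arithmetic behind the LocalLAN address list and the fixed
SSTP local-address.  Added example, not code from the thread or MikroTik.
"""
import ipaddress

LAN = "192.168.0.0/24"
VPN = "192.168.1.0/24"
HOTSPOT = "10.20.30.0/24"
LOCAL_LAN = ipaddress.ip_network("192.168.0.0/23")  # the LocalLAN address list


def covered_exactly(summary, parts):
    """True if prefix `summary` is exactly the union of prefixes `parts`."""
    nets = [ipaddress.ip_network(p) for p in parts]
    # collapse_addresses merges adjacent prefixes into their supernet
    return list(ipaddress.collapse_addresses(nets)) == [ipaddress.ip_network(summary)]


def in_local_lan(addr):
    """Would a packet with this source address match src-address-list=LocalLAN?"""
    return ipaddress.ip_address(addr) in LOCAL_LAN


def parse_pool(ranges):
    """Parse RouterOS pool syntax 'a-b,c-d,e' into [(first, last), ...]."""
    out = []
    for part in ranges.split(","):
        lo, _, hi = part.partition("-")
        first = ipaddress.ip_address(lo.strip())
        last = ipaddress.ip_address(hi.strip()) if hi else first
        if last < first:
            raise ValueError(f"bad range {part!r}")
        out.append((first, last))
    return out


def pool_contains(ranges, addr):
    """True if `addr` can be handed out from a pool with these ranges."""
    a = ipaddress.ip_address(addr)
    return any(lo <= a <= hi for lo, hi in parse_pool(ranges))


def check_ppp_profile(local_address, remote_pool, pools):
    """Problems with a ppp profile's local-address / remote-address pairing.

    `local_address` is a fixed IP or a pool name, `remote_pool` the name of
    the pool clients draw from, `pools` a map of pool name -> ranges.
    """
    problems = []
    if local_address in pools:
        problems.append("local-address is a pool name, so the router's VPN-side "
                        "address is allocated per session instead of being fixed")
        return problems
    if pool_contains(pools[remote_pool], local_address):
        problems.append(f"local-address {local_address} lies inside pool "
                        f"{remote_pool} ({pools[remote_pool]}); a client could be "
                        "assigned the router's own address")
    return problems


if __name__ == "__main__":
    print("LocalLAN is exactly LAN + VPN:", covered_exactly("192.168.0.0/23", [LAN, VPN]))
    print("hotspot client matches LocalLAN:", in_local_lan("10.20.30.5"))
    before = {"sstp-pool": "192.168.1.1-192.168.1.254"}   # pool and profile as first posted
    after = {"sstp-pool": "192.168.1.2-192.168.1.254"}    # pool after the change above
    print("before:", check_ppp_profile("sstp-pool", "sstp-pool", before))
    print("after :", check_ppp_profile("192.168.1.1", "sstp-pool", after))
```

Note that shrinking the pool to .2-.254 is not cosmetic: with `local-address=192.168.1.1` and the original .1-.254 pool, the pool could hand a client the same address the router now uses on its side of the tunnel.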
Ah awesome, that works fine!
Thank you!