VPN Client Can Access Local Network but Not the MikroTik Router Itself

Hello everyone,

I’m facing a puzzling issue with my MikroTik RB2011iLS router and VPN setup. I’ve successfully configured a remote computer to connect to my internal network via VPN. The client is assigned an IP address within the same subnet as my local devices (192.168.88.x range). I can communicate with all these devices without any issue, but the problem arises when I try to access the MikroTik router itself (192.168.88.1).

Network Configuration:
MikroTik RB2011iLS running RouterOS (latest version).
Local devices are in the 192.168.88.10 to 192.168.88.50 IP range.
MikroTik Router IP: 192.168.88.1
VPN Client is assigned an IP in the same 192.168.88.x subnet.

The issue:
While the VPN connection is active, I can ping and access local devices in the 192.168.88.x range but can’t communicate with the MikroTik router (192.168.88.1) itself. This is problematic because I need to manage the MikroTik router remotely over this VPN connection.

Troubleshooting Steps Taken:
Checked Firewall rules to ensure there’s no explicit block for VPN traffic to the MikroTik router.
Reviewed VPN settings and routes.
Attempted to access MikroTik with different protocols (SSH, Web, etc.) to no avail.
I’ve gone through the usual troubleshooting steps and read similar forum posts, but I still can’t find the reason for this behavior. Any suggestions on what I might be overlooking would be greatly appreciated.

Thank you for your time and assistance.

Best regards.

CONF

/interface bridge
add admin-mac=xx:xx:xx:xx:xx:xx auto-mac=no comment=defconf name=bridge
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface lte apn
set [ find default=yes ] ip-type=ipv4 use-network-apn=no
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip pool
add name=default-dhcp ranges=192.168.88.201-192.168.88.254
/ip dhcp-server
add address-pool=default-dhcp interface=bridge lease-time=10m name=defconf
/ppp profile
set *FFFFFFFE local-address=192.168.88.1 remote-address=default-dhcp
/interface bridge port
add bridge=bridge comment=defconf ingress-filtering=no interface=ether2
add bridge=bridge comment=defconf ingress-filtering=no interface=ether3
add bridge=bridge comment=defconf ingress-filtering=no interface=ether4
add bridge=bridge comment=defconf ingress-filtering=no interface=ether5
add bridge=bridge comment=defconf ingress-filtering=no interface=ether6
add bridge=bridge comment=defconf ingress-filtering=no interface=ether7
add bridge=bridge comment=defconf ingress-filtering=no interface=ether8
add bridge=bridge comment=defconf ingress-filtering=no interface=ether9
add bridge=bridge comment=defconf ingress-filtering=no interface=ether10
add bridge=bridge comment=defconf ingress-filtering=no interface=sfp1
/ip neighbor discovery-settings
set discover-interface-list=LAN
/ip settings
set max-neighbor-entries=8192
/ipv6 settings
set disable-ipv6=yes max-neighbor-entries=8192
/interface l2tp-server server
set enabled=yes use-ipsec=yes
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=ether1 list=WAN
/interface ovpn-server server
set auth=sha1,md5
/ip address
add address=192.168.88.1/24 comment=defconf interface=bridge network=\
    192.168.88.0
/ip cloud
set ddns-enabled=yes ddns-update-interval=1m
/ip dhcp-client
add comment=defconf interface=ether1
/ip dhcp-server network
add address=192.168.88.0/24 comment=defconf gateway=192.168.88.1
/ip dns
set allow-remote-requests=yes
/ip dns static
add address=192.168.88.1 comment=defconf name=router.lan
/ip firewall filter
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=accept chain=input comment="allow IPsec NAT" dst-port=4500 \
    protocol=udp
add action=accept chain=input comment="allow IKE" dst-port=500 protocol=udp
add action=accept chain=input comment="allow l2tp" dst-port=1701 protocol=udp
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment=\
    "defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
    in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
    ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
    ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
    connection-state=established,related hw-offload=yes
add action=accept chain=forward comment=\
    "defconf: accept established,related, untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
add action=drop chain=forward comment=\
    "defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
    connection-state=new in-interface-list=WAN
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" \
    ipsec-policy=out,none out-interface-list=WAN
add action=masquerade chain=srcnat comment="masq. vpn traffic" src-address=\
    192.168.88.0/24
/ppp secret
add name=vpn
/routing bfd configuration
add disabled=no interfaces=all min-rx=200ms min-tx=200ms multiplier=5
/system clock
set time-zone-name=Europe/Vienna
/system identity
set name=RouterOS
/system logging
add topics=ppp
add topics=firewall
add topics=ssh
/system note
set show-at-login=no
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN

My first impression (which could easily be wrong) is that the VPN connections are not part of your LAN and, therefore, not allowed access to the MikroTik itself.
I have occasionally configured remote management for MikroTik units and used something like this:

/ip firewall address-list add address=192.168.88.202 list="Approved Remote Management"

/ip firewall filter
# placed above the defconf "drop all not coming from LAN" rule; a rule appended
# after that drop would never be reached
add action=accept chain=input comment="Permit Remote Management" dst-port=\
    8291,22,80,443 log-prefix=RemoteMan protocol=tcp \
    src-address-list="Approved Remote Management" \
    place-before=[find comment="defconf: drop all not coming from LAN"]

You will need to play around with the exact settings as I was using the above for a specific test scenario but it did work for me.


Backups are your friend. Always make a backup!

/system backup save encryption=aes-sha256 name=MyBackup

Please, export and attach your current config to your post if you want help with a config issue:
/export hide-sensitive file=MyConfig
/export file=MyConfig

Why not try WireGuard, if you are on version 7?

Thank you for your help. It was too hard for me, I had to solve it outside of MikroTik.
I will google "WireGuard" to find out what it is - luckily I posted in the "Beginner Basic" section :wink:

Create an address list with your VPN address range, then:

/ip firewall filter
# src-address-list=LAN is the address list created above with the VPN range;
# the rule must sit above the defconf "drop all not coming from LAN" rule
add action=accept chain=input comment="accept requests to MikroTik from VPN" \
    ipsec-policy=in,ipsec src-address-list=LAN \
    place-before=[find comment="defconf: drop all not coming from LAN"]
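Both replies above point at the same mechanism: the posted export drops everything in the input chain that does not arrive via an interface in the LAN list, and the dynamic L2TP interface of the VPN client is not in that list, so forwarded traffic to other hosts passes while traffic to 192.168.88.1 itself is dropped. The following is an added example, not a command sequence posted by anyone in this thread. It assumes the export above (bridge at 192.168.88.1/24, L2TP/IPsec clients drawing addresses from the default-dhcp pool, and the defconf input rule with the comment "defconf: drop all not coming from LAN"); the address-list name vpn-mgmt and the log prefix input-drop are this example's own choices.

```routeros
# Added example (not from the thread). Assumes the default export above.

# 1) Confirm the diagnosis before changing anything: log what the final input
#    drop rule discards while the VPN client tries to reach 192.168.88.1.
#    Expect entries whose in-interface is the dynamic <l2tp-...> interface.
/ip firewall filter set [find comment="defconf: drop all not coming from LAN"] \
    log=yes log-prefix="input-drop"
/log print where message~"input-drop"

# 2a) Broad fix: treat every PPP interface (L2TP clients included) as LAN.
#     This also exposes whatever else keys off the LAN list (see note below).
/interface list member add interface=all-ppp list=LAN \
    comment="VPN clients count as LAN"

# 2b) Tighter alternative (pick one of 2a/2b): accept only management ports
#     from the address range the L2TP profile hands out, inserted above the
#     drop rule. An appended rule would sit below the drop and never match.
/ip firewall address-list add list=vpn-mgmt \
    address=192.168.88.201-192.168.88.254 \
    comment="default-dhcp pool, also used as L2TP remote-address"
/ip firewall filter add chain=input action=accept protocol=tcp \
    dst-port=22,80,443,8291 src-address-list=vpn-mgmt \
    comment="accept management from VPN clients" \
    place-before=[find comment="defconf: drop all not coming from LAN"]

# 3) Verify the rule order and switch the diagnostic logging off again.
/ip firewall filter print where chain=input
/ip firewall filter set [find comment="defconf: drop all not coming from LAN"] \
    log=no
```

Option 2a is the quicker change, but in this export the LAN list is also the allowed-interface list for `/tool mac-server`, `mac-winbox` and neighbor discovery, so adding all-ppp to it makes those services reachable from VPN clients as well; option 2b keeps the exposure to the listed TCP ports and to addresses the VPN profile actually assigns. In either case the rule has to be placed before the defconf drop rule, which is why `place-before` is used rather than a plain `add`.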