I’ve installed RouterOS CHR and set up an IPsec VPN. I’m able to connect from a remote client and I receive a correct IP address from the DHCP server, but I cannot access anything on my LAN except the router itself.
My configuration is:
# 2024-12-28 14:19:43 by RouterOS 7.16.2
# software id =
#
/interface ethernet
set [ find default-name=ether1 ] disable-running-check=no
set [ find default-name=ether2 ] advertise=\
1G-baseT-full,1G-baseX,2.5G-baseT,2.5G-baseX disable-running-check=no
/interface l2tp-server
add name=l2tp-in1 user=VPN
/interface vlan
add interface=ether2 name="vlan Tim" vlan-id=835
/interface pppoe-client
add add-default-route=yes disabled=no interface="vlan Tim" name=pppoe-tim \
use-peer-dns=yes user=aliceadsl
/interface list
add name=LAN
add name=WAN
/ip ipsec proposal
set [ find default=yes ] auth-algorithms=sha256,sha1
/ip pool
add name=dhcp_pool0 ranges=192.168.1.10-192.168.1.99
/ip dhcp-server
add address-pool=dhcp_pool0 interface=ether1 name=dhcp1
/ppp profile
set *FFFFFFFE local-address=192.168.1.1 remote-address=dhcp_pool0
/ipv6 settings
set disable-ipv6=yes max-neighbor-entries=8192
/interface l2tp-server server
set enabled=yes max-mtu=1280 use-ipsec=yes
/interface list member
add interface=ether1 list=LAN
add interface=pppoe-tim list=WAN
/ip address
add address=192.168.1.1/24 interface=ether1 network=192.168.1.0
/ip dhcp-server network
add address=192.168.1.0/24 domain=mikrotik gateway=192.168.1.1
/ip firewall filter
add action=accept chain=input comment="allow ICMP ping" protocol=icmp
add action=accept chain=input comment="Allow Web config" dst-port=80 protocol=\
tcp src-address=192.168.1.0/24
add action=accept chain=input comment="allow Winbox" dst-port=8291 protocol=\
tcp
add action=accept chain=input comment="allow SSH" dst-port=22 protocol=tcp \
src-address=192.168.1.0/24
add action=accept chain=input comment="accept established connections" \
connection-state=established
add action=accept chain=input comment="accept related connections" \
connection-state=related
add action=accept chain=input comment="allow DNS for trusted network" \
dst-port=53 protocol=udp src-address=192.168.1.0/24
add action=accept chain=input in-interface-list=WAN protocol=ipsec-esp
add action=accept chain=input dst-port=500,4500,1701 in-interface-list=WAN \
protocol=udp
add action=drop chain=input comment="drop everything else"
/ip firewall nat
add action=masquerade chain=srcnat out-interface-list=WAN
/ip firewall service-port
set ftp disabled=yes
/ip ipsec profile
set [ find default=yes ] enc-algorithm=aes-256,aes-128,3des hash-algorithm=\
sha256
/ip service
set telnet disabled=yes
set ftp disabled=yes
set api disabled=yes
set api-ssl disabled=yes
/ppp secret
add name=VPN profile=default-encryption service=l2tp
/system clock
set time-zone-name=Europe/Rome
/system note
set show-at-login=no
/system ups
add name=APC offline-time=4m port=*80000002
/tool graphing interface
add interface="vlan Tim" store-on-disk=no
Everything looks decent, so I will focus on firewall rules… Keep it simple… Also, forward chain rules are missing entirely!! EDIT: Also noted, nowhere do you assign a local IP address to the VPN???
One should keep rules in a proper order and, for organization purposes and easy troubleshooting, keep the chains together. This is a big SECURITY infraction. Leaving Winbox open to the WWW!!!
add action=accept chain=input comment="allow Winbox" dst-port=8291 protocol=tcp
Based on this I will work a bit to give you a more secure method.
If CHR, you are probably safe removing firewall rules, at least on the forward chain; I would keep all the input chain rules.
I already provided the idea of only allowing admin-related IP addresses to access the router for config purposes…
How you want to move forward is up to you. Just don't open up the input chain to the WWW.
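The following is an added RouterOS example written for this thread; it is not the replying poster's promised ruleset and not part of the original post. It shows the two points raised above in working form: Winbox/SSH/Web restricted to an admin address list instead of open to the WAN, and a forward chain that actually exists. Assumptions, all mine: the remote admin address 203.0.113.10 is a constructed placeholder from the documentation range; VPN interfaces are placed in the LAN interface list through the PPP profile so the forward rules treat VPN clients like LAN hosts; and because the posted profile hands VPN clients addresses from the same 192.168.1.0/24 as ether1, proxy-ARP is enabled on ether1 so LAN hosts can reach those clients (without it, LAN hosts ARP for a 192.168.1.x VPN client and nobody answers).

```routeros
# Added example for the configuration posted above (not from the original post).
# Assumptions: 203.0.113.10 is a constructed remote-admin address; VPN clients
# keep using dhcp_pool0 from the LAN subnet, so ether1 needs proxy-arp.

/ip firewall address-list
add list=admin address=192.168.1.0/24 comment="LAN admins"
add list=admin address=203.0.113.10 comment="remote admin (constructed placeholder)"

# VPN client addresses come from the LAN subnet: answer ARP for them on ether1.
/interface ethernet
set [ find default-name=ether1 ] arp=proxy-arp

# Every L2TP interface created for a user of this profile joins the LAN list,
# so the forward rules below cover VPN clients without per-user entries.
/ppp profile
set default-encryption interface-list=LAN

/ip firewall filter
# ---- input: traffic addressed to the router itself ----
add chain=input action=accept connection-state=established,related,untracked \
    comment="established/related"
add chain=input action=drop connection-state=invalid comment="drop invalid"
add chain=input action=accept protocol=icmp comment="allow ICMP ping"
add chain=input action=accept in-interface-list=WAN protocol=ipsec-esp \
    comment="IPsec ESP from WAN"
add chain=input action=accept in-interface-list=WAN protocol=udp dst-port=500,4500 \
    comment="IKE and NAT-T from WAN"
add chain=input action=accept protocol=udp dst-port=1701 ipsec-policy=in,ipsec \
    comment="L2TP only when it arrived inside IPsec"
add chain=input action=accept protocol=tcp dst-port=8291 src-address-list=admin \
    comment="Winbox: admin hosts only, never open to WAN"
add chain=input action=accept protocol=tcp dst-port=22,80 src-address-list=admin \
    comment="SSH and Web config: admin hosts only"
add chain=input action=accept protocol=udp dst-port=53 in-interface-list=LAN \
    comment="DNS for LAN and VPN clients"
add chain=input action=drop comment="drop everything else"

# ---- forward: traffic passing through the router ----
add chain=forward action=accept connection-state=established,related,untracked \
    comment="established/related"
add chain=forward action=drop connection-state=invalid comment="drop invalid"
add chain=forward action=accept in-interface-list=LAN out-interface-list=WAN \
    comment="LAN and VPN clients to the Internet"
add chain=forward action=accept in-interface-list=LAN out-interface-list=LAN \
    comment="VPN clients <-> LAN hosts"
add chain=forward action=drop in-interface-list=WAN connection-nat-state=!dstnat \
    comment="drop unsolicited traffic from WAN"
add chain=forward action=drop comment="drop everything else"
```

Two checks worth running after applying it: `/ip firewall filter print stats` while a VPN client pings a LAN host, to confirm the "VPN clients <-> LAN hosts" counter increments rather than the final drop; and from a machine on the Internet, a TCP connect to port 8291 of the WAN address, which should now time out instead of answering with the Winbox banner. The `ipsec-policy=in,ipsec` matcher on UDP 1701 is what keeps plain, unencrypted L2TP from reaching the router from the WAN.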
I’ve another problem. I can ping all the LAN clients from the remote VPN client except one. It is the AP device. I don’t understand why… it is on the same LAN.