VPN PPTP: can't access RouterBOARD

Hello,
I connected to one of the MikroTik routers by VPN PPTP and I can ping all devices, remote desktop, network shares, but I can't access the RouterBOARD (web interface).

/ppp profile
set *FFFFFFFE dns-server=8.8.8.8 local-address=192.168.89.1 remote-address=vpn


[admin@MikroTik] /ip firewall> export

mar/01/2018 09:58:39 by RouterOS 6.41.2

model = RouterBOARD 962UiGS-5HacT2HnT

/ip firewall filter
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related
add action=accept chain=forward comment="defconf: accept established,related" connection-state=established,related
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
add action=drop chain=forward comment="defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat connection-state=new in-interface=ether1
add action=accept chain=input protocol=icmp
add action=accept chain=input connection-state=established
add action=accept chain=input connection-state=related
add action=accept chain=input comment="allow IPsec NAT" dst-port=4500 protocol=udp
add action=accept chain=input comment="allow IKE" dst-port=500 protocol=udp
add action=accept chain=input comment="allow l2tp" dst-port=1701 protocol=udp
add action=accept chain=input comment="allow pptp" dst-port=1723 protocol=tcp
add action=accept chain=input comment="allow sstp" dst-port=443 protocol=tcp
add action=drop chain=input in-interface-list=!mactel
/ip firewall nat
add action=masquerade chain=srcnat out-interface=pppoe-out1
add action=masquerade chain=srcnat comment="masq. vpn traffic" src-address=192.168.89.0/24
add action=masquerade chain=srcnat out-interface=all-ethernet
add action=masquerade chain=srcnat comment="defconf: masquerade" out-interface=ether1 out-interface-list=WAN


Thank you!

In IP->Services, is the WWW service enabled?

Probably this, or it’ll be locked down to your router's local subnet.

Yes, it's on! :(
/ip service print
Flags: X - disabled, I - invalid

NAME PORT ADDRESS CERTIFICATE

0 telnet 23
1 ftp 21
2 www 80
3 ssh 22
4 I www-ssl 443 *FFFFFFFF
5 api 8728
6 winbox 8291
7 api-ssl 8729 none

How strange.
OK go back to basics.

You’ve shown you can ping it.
Can you SSH to it?
Can you Winbox to it?

The only thing I can see that may be affecting you from your firewall is this;

add action=drop chain=input in-interface-list=!mactel

Try (temporarily, for testing) disabling it and see if you get access.

Here's another one.

What happens if you browse to 192.168.89.1? Do you still get the same?

No, I can't connect with ssh, winbox, 192.168.89.1. After disabling the firewall rule (action=drop chain=input in-interface-list=!mactel), it works! How strange???

Not at all.
That rule is dropping any input traffic that is not on the “mactel” interface list. If your LAN & WAN interface is on that list it would work, but I bet your pptp tunnel interface name is not on the list.

Thank you, it's all clear to me now. But, I connected the routers from last year and they don't appear in interface list, mactel.
What does that mean?

It’s a list that either you or someone else with access to the router has created. There is no way anyone on here will be able to tell you that.

That thread helped me with managing MT hEX from the VPN.
It seems that current RouterOS versions have that firewall rule written by the MikroTik company.
Mine in default config has "add action=drop chain=input in-interface-list=!LAN" which can be a variation of “add action=drop chain=input in-interface-list=!mactel”.
Maybe sometimes earlier it was “add action=drop chain=input in-interface-list=WAN”
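
The first-match evaluation explained in this thread, as an added example that is not part of any post: it runs the input-chain rules from the export above against a new connection arriving over the tunnel. The interface names `pptp-in1` and `bridge` and the membership of `mactel` are assumptions, since the thread does not show them.

```python
import shlex

# Constructed sample: the input-chain rules from the export in this thread.
EXPORT = '''
add action=accept chain=input protocol=icmp
add action=accept chain=input connection-state=established
add action=accept chain=input connection-state=related
add action=accept chain=input comment="allow pptp" dst-port=1723 protocol=tcp
add action=accept chain=input comment="allow sstp" dst-port=443 protocol=tcp
add action=drop chain=input in-interface-list=!mactel
'''
# Assumed list membership (hypothetical): only the LAN bridge is in "mactel".
LISTS = {"mactel": {"bridge"}}
# New TCP connection to the web interface, arriving on an assumed tunnel interface.
WEB = {"in-interface": "pptp-in1", "protocol": "tcp", "dst-port": 80, "connection-state": "new"}

def parse(export):
    """Turn 'add key=value ...' lines into dicts, keeping rule order."""
    rules = []
    for line in export.strip().splitlines():
        words = shlex.split(line)
        if words and words[0] == "add":
            rules.append(dict(w.split("=", 1) for w in words[1:]))
    return rules

def matches(rule, pkt, lists):
    """True if every matcher on the rule matches the packet (simplified model)."""
    for key, want in rule.items():
        if key in ("action", "chain", "comment"):
            continue
        negate, want = want.startswith("!"), want.lstrip("!")
        if key == "in-interface-list":
            hit = pkt["in-interface"] in lists.get(want, set())
        elif key == "dst-port":
            hit = str(pkt.get("dst-port")) in want.split(",")
        else:
            hit = pkt.get(key) in want.split(",")
        if hit == negate:  # a plain matcher missed, or a negated one hit
            return False
    return True

def verdict(rules, pkt, lists, chain="input"):
    """First matching rule in the chain wins; no match means accept."""
    for rule in rules:
        if rule["chain"] == chain and matches(rule, pkt, lists):
            return rule["action"], rule
    return "accept", None
```

Calling `verdict(parse(EXPORT), WEB, LISTS)` reports which rule decides the connection, which makes it easy to check a planned list change or accept rule before touching the router.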