Avi
September 2, 2024, 5:09pm
1
Hy everyone, please assist me with this one, I know it must be something simple, but I have no idea what…
WebFix is not opening from 10.0.0.0/23 neither with NAT (10.0.1.207:8080) or straight through IP (10.0.1.207) assigned with VPN.
NAT rule works fine if I point it to machine (192.168.88.254) on the LAN but not if it’s to router’s IP(192.168.88.1).
/interface lte" user=" "
For the love of God and your router, please do not use PPTP! It is obsolete, deprecated and insecure! At least use L2TP over IPsec. And please update your router to either 6.49.17 or 7.x
Avi
September 3, 2024, 9:32am
3
Found it on one of the shelfs covered with dust and decided to give it a use, sorry, now updated to latest available. Unfortunately, have to use pptp for this moment
/interface lte" user=" "
xrlls
September 3, 2024, 11:06am
4
You have the “accept” rule for your PPTP:
add action=accept chain=input dst-port=80,443 protocol=tcp src-address=10.0.0.0/23
after your general “drop rule”:
add action=drop chain=input comment="defconf: drop all not coming from LAN"
You need to change the sequence to make it work, or add the PPTP interface to the “LAN” interface list.
Avi
September 3, 2024, 11:27am
5
Hi xrlls, many thanks for response!
Have moved my accept rules to the very top and added pptp to LAN list, unfortunately with no joy…
/interface list
/ip firewall filter
xrlls
September 3, 2024, 12:44pm
6
It is probably some kind of routing error. But it may be dependent on missing configuration on the remote end of your PPTP. Can you ping the router from the host you are trying to connect from?
Avi
September 3, 2024, 2:48pm
7
Ping works fine from machine to router’s IP in 10.0.0.0/23 network. Funny thing is that once I change destination IP in NAT rule to one of machines which is running dummy web-page, it opens without any problems.
xrlls
September 3, 2024, 5:27pm
8
I’m getting dizzy by the NAT’ing
I suspect it would work without that dstnat. As far as I can see, you are have no dstnat on https, so maybe tray connecting using https on port 443 and see if it works.
I guess I don’t have experience enough in NAT’ing to say for sure what is happening. If it was my own setup I would probably start looking at a packet trace, but there might be someone more skilled in NAT on this forum.
Port 8080 of the dst-nat rule is a reserved port for other use, so change it to a more obsolete one (e.g. 17680)
And you’ve leaked your PPTP username and password, elide them PRONTO and change them afterwards!
Avi
September 4, 2024, 8:21am
10
Thanks Cat for noticing, elided now, password changed, thanks again.
According to port 8080, as I noticed before the NAT rule worked fine for machine connected to router but didn’t for router itself, so wouldn’t fall on port in this case. Changed it to 17680 but got the same result
xrlls, yes you are right, I suspected it as well, and was surprised it didn’t work… It definitely should open webFig with local VPN address of the router but it didn’t, and did when router was hooked to 10th network through eth0 port directly.
I’m almost ready enough for packet tracer experience
Not that I expect it to be the problem, but could you add the following firewall rules somewhere in the beginning:
/ip firewall filter
add action=accept chain=input protocol=tcp dst-port=1723
add action=accept chain=input protocol=47
