Webfig/Winbox not available over PPTP VPN

Hi All,

I’m fairly new to MikroTik, and I’m more of a GUI user than a code writer…
I’m trying a simple setup where I can access WinBox/WebFig remotely via VPN.
I created a VPN profile and this works like a charm. I can use RDP to PCs connected to the router, transfer files over SMB, etc.
However, I am unable to open WebFig or WinBox.

I have tracked the issue to one of the standard firewall rules of the MikroTik.
Specifically this one:
add action=drop chain=forward comment="defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat connection-state=new in-interface-list=WAN

If I disable this rule I can perfectly access the WinBox/WebFig configuration.
But then the GRC ShieldsUP! report lights up like a Christmas tree.

Is there some kind of exception I can add to this rule?
Or maybe create a second rule to allow this traffic?

Thanks in advance!

Full firewall rule printout:

/ip firewall filter
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=accept chain=input comment="allow IPsec NAT" dst-port=4500 protocol=udp
add action=accept chain=input comment="allow IKE" dst-port=500 protocol=udp
add action=accept chain=input comment="allow l2tp" dst-port=1701 protocol=udp
add action=accept chain=input comment="allow pptp" dst-port=1723 protocol=tcp
add action=accept chain=input comment="allow sstp" dst-port=443 protocol=tcp
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment="defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=accept chain=forward comment="defconf: accept in ipsec policy" ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related
add action=accept chain=forward comment="defconf: accept established,related, untracked" connection-state=established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
add action=drop chain=forward comment="defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat connection-state=new in-interface-list=WAN
add action=drop chain=input comment="defconf: drop all not coming from LAN" in-interface-list=!LAN
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" ipsec-policy=out,none out-interface-list=WAN
add action=masquerade chain=srcnat comment="masq. vpn traffic" src-address=192.168.89.0/24

Regards!

Bump, anybody got a solution? :slight_smile:

Are you sure that you found the right rule? I’d say it’s the one after it that is blocking the access.

Solution is simple, allow traffic that comes from VPN client(s) to WinBox/WebFig ports, so add this before the last rule:

/ip firewall filter
add chain=input protocol=tcp dst-port=80,8291 in-interface=<VPN interface> action=accept

Where `<VPN interface>` is either a specific interface (if you added it for the VPN user as “PPTP Server Binding”), or you can use “all-ppp” to allow access from all VPN clients.

And it’s probably better to use something other than PPTP, it’s quite outdated.
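As an added example (not Sob's own commands), here is the same fix with explicit placement so the accept rule cannot land below the final input-chain drop; it assumes the drop rule's comment is exactly as in the printout above and that the VPN pool is the 192.168.89.0/24 from the OP's srcnat rule.

```routeros
# Connections to the router's own WinBox/WebFig ports traverse the input
# chain, not forward. The "drop all from WAN not DSTNATed" forward rule only
# affects traffic passing through the router, which is why the last input
# rule ("drop all not coming from LAN") is the one actually blocking access.
/ip firewall filter

# Variant 1: match on the PPP interface. all-ppp covers every PPTP/L2TP/SSTP
# client; a named interface (from a PPTP Server Binding) narrows it to one user.
add chain=input action=accept protocol=tcp dst-port=80,8291 \
    in-interface=all-ppp \
    comment="allow WinBox/WebFig from VPN clients" \
    place-before=[find comment="defconf: drop all not coming from LAN"]

# Variant 2: match on the VPN address pool instead of the interface
# (assumed pool 192.168.89.0/24, taken from the OP's "masq. vpn traffic" rule).
# add chain=input action=accept protocol=tcp dst-port=80,8291 \
#     src-address=192.168.89.0/24 \
#     comment="allow WinBox/WebFig from VPN pool" \
#     place-before=[find comment="defconf: drop all not coming from LAN"]

# Check the order: the new accept must be listed above the final drop.
/ip firewall filter print where chain=input
```

Keep the WAN-facing input chain as it was; the new rule only admits traffic that already arrived over an authenticated PPP tunnel (or from its pool), so the ShieldsUP! result is unaffected.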

Hi Sob,

Thanks for the response!
This indeed fixed my issue!

I’ll be changing to L2TP soon.
This is just a first test.

Thank you again!

Regards,

Glenn

Make a firewall rule to accept the address scope of your VPN.