caukajun
just joined
Topic Author
Posts: 3
Joined: Sun Jan 14, 2018 12:01 am

Help with Port Forwarding an OpenVPN Client Interface

Sun Jan 14, 2018 12:25 am

Hi all,

I've configured my Mikrotik router as an OpenVPN client by following this guide: https://github.com/missinglink/mikrotik-openvpn-client
And it connects to the OpenVPN server in the cloud and routes outbound traffic through it as intended. I've also been successful using port forwarding on the server to reach specific devices and services physically connected to the Mikrotik LAN. For example, I have an IP camera connected to the Mikrotik with a static IP of 192.168.20.80 and am able to reach its HTTP configuration webpage using a firewall rule (DST-NAT) on the OpenVPN interface. The issue I'm having is that I'm unable to expose the Mikrotik webfig using similar rules. If I'm wired directly into the Mikrotik, then I can reach the webfig via 192.168.20.1:80; however, for some reason similar firewall rules to the ones used for the IP camera don't work when trying to access the webfig site. My best guess is that it has something to do with the webfig IP being the same as the gateway IP? So any ideas on how I can access the webfig remotely through the OpenVPN network? Any help on this would be greatly appreciated!

Thanks,
caukajun
 
matiaszon
Member
Posts: 305
Joined: Mon Jul 09, 2012 9:26 am

Re: Help with Port Forwarding an OpenVPN Client Interface

Sun Jan 14, 2018 3:35 pm

Post results of:
/ip firewall filter export
 
caukajun
just joined
Topic Author
Posts: 3
Joined: Sun Jan 14, 2018 12:01 am

Re: Help with Port Forwarding an OpenVPN Client Interface

Mon Jan 15, 2018 12:24 am

Here's the output you asked for. Not much there currently except for some protection from hackers trying to brute-force their way in. Let me know if there's any other info that would help.
/ip firewall filter export
# jan/03/2018 09:33:43 by RouterOS 6.41
# software id = X7Q7-RL8R
#
# model = 493AH
# serial number = 33BF0582D4A1
/ip firewall filter
# p2p matcher is obsolete please use layer7 matcher instead
add action=drop chain=forward comment="Drop Bittorrent" p2p=bit-torrent
# p2p matcher is obsolete please use layer7 matcher instead
add action=drop chain=forward comment="Drop Gnutella" p2p=gnutella
add action=drop chain=input comment="drop ftp brute forcers" dst-port=21 protocol=tcp src-address-list=ftp_blacklist
add action=accept chain=output content="530 Login incorrect" dst-limit=1/1m,9,dst-address/1m protocol=tcp
add action=add-dst-to-address-list address-list=ftp_blacklist address-list-timeout=3h chain=output content=\
    "530 Login incorrect" protocol=tcp
add action=drop chain=input comment="drop ssh brute forcers" dst-port=22 protocol=tcp src-address-list=ssh_blacklist
add action=add-src-to-address-list address-list=ssh_blacklist address-list-timeout=1w3d chain=input connection-state=new \
    dst-port=22 protocol=tcp src-address-list=ssh_stage3
add action=add-src-to-address-list address-list=ssh_stage3 address-list-timeout=1m chain=input connection-state=new \
    dst-port=22 protocol=tcp src-address-list=ssh_stage2
add action=add-src-to-address-list address-list=ssh_stage2 address-list-timeout=1m chain=input connection-state=new \
    dst-port=22 protocol=tcp src-address-list=ssh_stage1
add action=add-src-to-address-list address-list=ssh_stage1 address-list-timeout=1m chain=input connection-state=new \
    dst-port=22 protocol=tcp
add action=drop chain=forward comment="drop ssh brute downstream" dst-port=22 protocol=tcp src-address-list=ssh_blacklist
add action=drop chain=input comment="drop telnet brute forcers" dst-port=23 protocol=tcp src-address-list=telnet_blacklist
add action=add-src-to-address-list address-list=telnet_blacklist address-list-timeout=1w3d chain=input connection-state=new \
    dst-port=23 protocol=tcp src-address-list=telnet_stage3
add action=add-src-to-address-list address-list=telnet_stage3 address-list-timeout=1m chain=input connection-state=new \
    dst-port=23 protocol=tcp src-address-list=telnet_stage2
add action=add-src-to-address-list address-list=telnet_stage2 address-list-timeout=1m chain=input connection-state=new \
    dst-port=23 protocol=tcp src-address-list=telnet_stage1
add action=add-src-to-address-list address-list=telnet_stage1 address-list-timeout=1m chain=input connection-state=new \
    dst-port=23 protocol=tcp
add action=drop chain=forward comment="drop telnet brute downstream" dst-port=23 protocol=tcp src-address-list=\
    telnet_blacklist
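The ssh rules in the export above implement a staged brute-force blocker: each new connection to port 22 walks the input chain top-down, the add-src-to-address-list rules are passthrough, and a source is promoted stage1 -> stage2 -> stage3 -> ssh_blacklist on successive attempts, with the 1m stage timeouts forcing the attempts to come quickly. The following Python is an added example, not code from this thread or from MikroTik: it parses the export format (backslash continuations, quoted values, comment lines) and replays the ssh rules against constructed connection events so the promotion and drop behaviour can be seen offline. The source addresses are documentation-range values made up for the example, and the simulator assumes that re-adding an address already in a list simply refreshes its timeout (a simplification of RouterOS behaviour; the scenarios below do not depend on it).

```python
"""Parse a RouterOS '/ip firewall filter export' excerpt and replay the staged
ssh brute-force address-list rules against constructed connection events."""
import re
import shlex
from dataclasses import dataclass

# The ssh staging rules from the thread's export, reproduced verbatim as input
# for the parser (comments and continuation lines kept on purpose).
EXPORT = r'''
/ip firewall filter
# p2p matcher is obsolete please use layer7 matcher instead
add action=drop chain=input comment="drop ssh brute forcers" dst-port=22 protocol=tcp src-address-list=ssh_blacklist
add action=add-src-to-address-list address-list=ssh_blacklist address-list-timeout=1w3d chain=input connection-state=new \
    dst-port=22 protocol=tcp src-address-list=ssh_stage3
add action=add-src-to-address-list address-list=ssh_stage3 address-list-timeout=1m chain=input connection-state=new \
    dst-port=22 protocol=tcp src-address-list=ssh_stage2
add action=add-src-to-address-list address-list=ssh_stage2 address-list-timeout=1m chain=input connection-state=new \
    dst-port=22 protocol=tcp src-address-list=ssh_stage1
add action=add-src-to-address-list address-list=ssh_stage1 address-list-timeout=1m chain=input connection-state=new \
    dst-port=22 protocol=tcp
'''

_UNITS = {"w": 604800, "d": 86400, "h": 3600, "m": 60, "s": 1}


def parse_timeout(text):
    """RouterOS durations concatenate unit suffixes: '1w3d' -> 864000 seconds."""
    return sum(int(n) * _UNITS[u] for n, u in re.findall(r"(\d+)([wdhms])", text))


def parse_export(text):
    """Join backslash-continued lines, skip headers/comments, split key=value pairs."""
    joined = text.replace("\\\n", " ")
    rules = []
    for line in joined.splitlines():
        line = line.strip()
        if not line.startswith("add "):
            continue  # section header or '#' comment, no rule
        rule = {}
        for token in shlex.split(line[4:]):  # shlex strips the quotes in comment="..."
            key, _, value = token.partition("=")
            rule[key] = value
        rules.append(rule)
    return rules


@dataclass
class Event:
    time: int          # seconds since start of the replay (constructed)
    src: str
    dst_port: str
    protocol: str = "tcp"
    state: str = "new"


class AddressLists:
    """Dynamic address-list entries keyed by (list name, address) -> expiry time."""
    def __init__(self):
        self.entries = {}

    def contains(self, name, addr, now):
        expiry = self.entries.get((name, addr))
        return expiry is not None and expiry > now

    def add(self, name, addr, now, timeout):
        # Assumption: re-adding an existing entry refreshes its timeout.
        self.entries[(name, addr)] = now + timeout


def matches(rule, ev, lists):
    if rule.get("chain") != "input":
        return False
    if "protocol" in rule and rule["protocol"] != ev.protocol:
        return False
    if "dst-port" in rule and rule["dst-port"] != ev.dst_port:
        return False
    if "connection-state" in rule and ev.state not in rule["connection-state"].split(","):
        return False
    if "src-address-list" in rule and not lists.contains(rule["src-address-list"], ev.src, ev.time):
        return False
    return True


def evaluate(rules, ev, lists):
    """Walk the chain top-down. add-src-to-address-list is passthrough; drop/accept
    terminate. Returns 'drop', 'accept', or 'default' when no rule terminated."""
    for rule in rules:
        if not matches(rule, ev, lists):
            continue
        if rule["action"] == "add-src-to-address-list":
            lists.add(rule["address-list"], ev.src, ev.time,
                      parse_timeout(rule["address-list-timeout"]))
            continue
        return rule["action"]
    return "default"


def replay(rules, events):
    """Return the chain verdict for each event, in order, sharing one list state."""
    lists = AddressLists()
    return [evaluate(rules, ev, lists) for ev in events]


RULES = parse_export(EXPORT)
# Constructed scenarios: five rapid attempts, and five attempts two minutes apart.
FAST = [Event(t, "203.0.113.7", "22") for t in range(5)]
SLOW = [Event(t, "198.51.100.9", "22") for t in (0, 120, 240, 360, 480)]

if __name__ == "__main__":
    print("fast attacker:", replay(RULES, FAST))   # fifth attempt is dropped
    print("slow attacker:", replay(RULES, SLOW))   # stage1 expires between attempts
```

The replay shows the property worth knowing when tuning these rules: a client that opens five new port-22 connections within a minute is blacklisted on the fourth and dropped from the fifth onward, while a client that spaces attempts more than a minute apart is re-added to ssh_stage1 each time and never progresses, so the 1m stage timeout is the knob that decides how slow a brute-force run must be to slip past this scheme.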
 
matiaszon
Member
Posts: 305
Joined: Mon Jul 09, 2012 9:26 am

Re: Help with Port Forwarding an OpenVPN Client Interface

Mon Jan 15, 2018 10:38 am

Try adding this line:
/ip firewall filter
add action=accept chain=input comment="webif access" connection-state=established,related,new dst-port=80 protocol=tcp
By the way, your firewall filter seems to be very small. Have you considered resetting the configuration and running the default one from one of the latest ROS releases?
 
caukajun
just joined
Topic Author
Posts: 3
Joined: Sun Jan 14, 2018 12:01 am

Re: Help with Port Forwarding an OpenVPN Client Interface

Mon Jan 15, 2018 5:57 pm

I added that filter rule as you suggested and it's still not working. I can see traffic hitting that filter rule and the DST-NAT rule I have forwarding traffic from port 8888 on the OpenVPN interface to the local 192.168.20.1:80 (Webfig). However, the HTTP site fails to load when I try to request it. Perhaps it's the response not being able to make its way back out the router?
