cgallery
newbie
Topic Author
Posts: 35
Joined: Tue Apr 24, 2018 5:25 am

VPN clients cannot access router for DNS

Tue Apr 24, 2018 5:38 am

Hi, new user here.

Device is an RB2011UiAS-2HnD-IN.

Firmware and O/S have been updated to the latest stable versions available.

I have no problems getting my VPN clients (iOS right now) to connect (via L2TP/IPsec), and everything works great so long as I don't use my router's IP address for the DNS server address under the profile I've created. If I use 8.8.8.8, it works great. If I change that to my router's IP (192.168.10.254), it won't work, nothing resolves. All the machines on my LAN are able to use 192.168.10.254 for DNS.

For grins, I did momentarily disable the default firewall rule "drop all not coming from LAN," and then I can use the router's IP address for my DNS. Of course, I re-enabled that right away.

I think I need a firewall rule above the "drop all not coming from LAN" so DNS (53 tcp) can make it through to the router, but I'm not sure how to proceed, or if this is the correct approach.

Any tips?

Thanks in advance, BTW. This router is AWESOME! I'm having a blast learning about it.
 
ochaconm
Trainer
Posts: 28
Joined: Fri Feb 22, 2013 9:39 pm

Re: VPN clients cannot access router for DNS

Tue Apr 24, 2018 3:33 pm

Post your actual firewall configuration:

/ip firewall export

The following could work, however, I don't exactly know your current firewall configuration.

#The firewall rules must be in the input chain port 53(TCP and UDP)
#The interface(ether1) is your LAN
/ip firewall filter
add action=accept chain=input dst-port=53 in-interface=ether1 protocol=tcp
add action=accept chain=input dst-port=53 in-interface=ether1 protocol=udp
 
2frogs
Long time Member
Posts: 596
Joined: Fri Dec 03, 2010 1:38 am

Re: VPN clients cannot access router for DNS  [SOLVED]

Tue Apr 24, 2018 7:51 pm

The following could work, however, I don't exactly know your current firewall configuration.
#The firewall rules must be in the input chain port 53(TCP and UDP)
#The interface(ether1) is your LAN
/ip firewall filter
add action=accept chain=input dst-port=53 in-interface=ether1 protocol=tcp
add action=accept chain=input dst-port=53 in-interface=ether1 protocol=udp

No, do not do this. You will open yourself up as an open resolver.

Change your drop rule from !LAN to WAN. This is because your VPN is not coming from LAN, but L2TP.
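Added example, not from any poster in this thread: the two firewall shapes 2frogs contrasts, written out as RouterOS CLI. It assumes RouterOS 6.41 or later (interface lists), ether1 as the WAN uplink and bridge as the LAN; those names, the comments and the rule order are assumptions, not the topic author's configuration.

```routeros
# Added example (not from the thread). RouterOS 6.41+ CLI showing why a blanket
# "accept udp/53 on input" creates an open resolver, and how dropping on the WAN
# list instead of "!LAN" lets L2TP clients reach the router's DNS.
# Assumed names: ether1 = WAN uplink, bridge = LAN. Skip the list section if
# defconf already created the LAN/WAN lists on your router.

/interface list
add name=WAN
add name=LAN
/interface list member
add interface=ether1 list=WAN
add interface=bridge list=LAN

# The router only answers queries from other hosts when this is enabled; the
# firewall input chain then decides who may ask.
/ip dns set allow-remote-requests=yes

# --- WEAK: what 2frogs warns against (left as a comment, do not apply) ---
# With no interface or source restriction, the Internet side can use the router
# as a recursive resolver (open resolver, a DNS amplification risk):
#   /ip firewall filter
#   add action=accept chain=input dst-port=53 protocol=udp

# --- CORRECTED input chain ---
/ip firewall filter
add action=accept chain=input comment="accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=input comment="drop invalid" connection-state=invalid
add action=accept chain=input comment="accept ICMP" protocol=icmp
# The tunnel itself must stay reachable from the WAN: IKE, NAT-T, L2TP and ESP.
add action=accept chain=input comment="L2TP/IPsec from WAN" dst-port=500,4500,1701 in-interface-list=WAN protocol=udp
add action=accept chain=input comment="ESP from WAN" in-interface-list=WAN protocol=ipsec-esp
# Drop only what arrives on WAN. Packets from the dynamic <l2tp-*> interfaces
# are neither WAN nor LAN, so they fall through to the input chain's default
# accept and reach DNS (and Winbox/SSH) without a per-service rule, while the
# Internet side still cannot query udp/53 on the router.
add action=drop chain=input comment="drop all from WAN (replaces: drop all not coming from LAN)" in-interface-list=WAN
```

Verify the result with /ip firewall filter print and, from a host on the Internet side, confirm that a query to the router's public address times out while the same query over the VPN is answered.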
 
cgallery
newbie
Topic Author
Posts: 35
Joined: Tue Apr 24, 2018 5:25 am

Re: VPN clients cannot access router for DNS

Tue Apr 24, 2018 8:57 pm

Just to answer my own question, I found that adding a firewall rule above "defconf: drop all not coming from LAN" was the ticket.

My rule:
Chain: input
Protocol: 17 (udp)
Dst. Port: 53
In. Interface: all ppp
Action: accept

(Edit to add: While this works, the suggestion to change my drop rule from !LAN to WAN is clearly the better/smarter approach. Thanks 2frogs!)
Last edited by cgallery on Tue Apr 24, 2018 9:04 pm, edited 2 times in total.
 
cgallery
newbie
Topic Author
Posts: 35
Joined: Tue Apr 24, 2018 5:25 am

Re: VPN clients cannot access router for DNS

Tue Apr 24, 2018 9:01 pm

The following could work, however, I don't exactly know your current firewall configuration.
#The firewall rules must be in the input chain port 53(TCP and UDP)
#The interface(ether1) is your LAN
/ip firewall filter
add action=accept chain=input dst-port=53 in-interface=ether1 protocol=tcp
add action=accept chain=input dst-port=53 in-interface=ether1 protocol=udp

No, do not do this. You will open yourself up as an open resolver.

Change your drop rule from !LAN to WAN. This is because your VPN is not coming from LAN, but L2TP.

Oh wait, this is even better! I hadn't realized that was an option but brilliant, it works great and I assume other problems I'd have seen in the future (maybe remote management of the router via the VPN) will just simply work instead of requiring additional rules.
