VPN clients cannot access router for DNS

Posted: Tue Apr 24, 2018 5:38 am
by cgallery
Hi, new user here.

Device is an RB2011UiAS-2HnD-IN.

Firmware and O/S have been updated to the latest stable versions available.

I have no problems getting my VPN clients (IOS right now) to connect (via l2tp/IPsec), and everything works great so long as I don't use my router's IP address for the DNS server address under the profile I've created. If I use 8.8.8.8, it works great. If I change that to my router's IP (192.168.10.254), it won't work, nothing resolves. All the machines on my LAN are able to use 192.168.10.254 for DNS.

For grins, I momentarily disabled the default firewall rule "drop all not coming from LAN," and then I could use the router's IP address for my DNS. Of course, I re-enabled that right away.

I think I need a firewall rule above the "drop all not coming from LAN" rule so DNS (53 tcp) can make it through to the router, but I'm not sure how to proceed, or if this is the correct approach.

Any tips?

Thanks in advance, BTW. This router is AWESOME! I'm having a blast learning about it.

Re: VPN clients cannot access router for DNS

Posted: Tue Apr 24, 2018 3:33 pm
by ochaconm
Post your actual firewall configuration: /ip firewall export

The following could work, however, I don't exactly know your current firewall configuration.
#The firewall rules must be in the input chain, port 53 (TCP and UDP)
#The interface (ether1) is your LAN
/ip firewall filter
add action=accept chain=input dst-port=53 in-interface=ether1 protocol=tcp
add action=accept chain=input dst-port=53 in-interface=ether1 protocol=udp

Re: VPN clients cannot access router for DNS  [SOLVED]

Posted: Tue Apr 24, 2018 7:51 pm
by 2frogs
The following could work, however, I don't exactly know your current firewall configuration.
#The firewall rules must be in the input chain, port 53 (TCP and UDP)
#The interface (ether1) is your LAN
/ip firewall filter
add action=accept chain=input dst-port=53 in-interface=ether1 protocol=tcp
add action=accept chain=input dst-port=53 in-interface=ether1 protocol=udp
No, do not do this. You will open yourself up as an open resolver.

Change your drop rule from !LAN to WAN. This is because your VPN is not coming from LAN, but L2TP.
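To see why the two approaches differ, here is a small rule-walker that traces a UDP/53 query from the LAN bridge, from an L2TP client and from the WAN port through each firewall variant discussed above (added example, not code from the thread or from MikroTik). It assumes the RouterOS default interface lists (ether1 in WAN, bridge in LAN), an L2TP server binding named l2tp-in1 that belongs to neither list, and a generalized port-53 accept rule with no interface restriction as the "open resolver" variant.

```python
# Added example, not from the thread: a toy evaluator for RouterOS
# '/ip firewall filter' input-chain rules. Rules are walked in order and the
# first match decides the fate of a simulated new UDP/53 query. Only the
# matchers used in this thread are understood; connection-state rules are skipped.
import shlex

LISTS = {"WAN": {"ether1"}, "LAN": {"bridge"}}  # default lists; 'l2tp-in1' (assumed name) is in neither

def parse_rules(export):
    return [dict(tok.split("=", 1) for tok in shlex.split(line)[1:])
            for line in export.splitlines() if line.strip().startswith("add ")]

def _match(want, have):
    # RouterOS negates a single-value matcher by prefixing the value with '!'
    return have != want[1:] if want.startswith("!") else have == want

def rule_matches(rule, iface, proto, dport):
    if rule.get("chain") != "input" or "connection-state" in rule:
        return False
    if "in-interface-list" in rule:  # a negated list ('!LAN') matches non-members
        want = rule["in-interface-list"]
        if (iface in LISTS.get(want.lstrip("!"), set())) == want.startswith("!"):
            return False
    checks = (("in-interface", iface), ("protocol", proto), ("dst-port", str(dport)))
    return all(_match(rule[k], v) for k, v in checks if k in rule)

def verdict(export, iface, proto="udp", dport=53):
    for rule in parse_rules(export):
        if rule_matches(rule, iface, proto, dport):
            return rule["action"]
    return "accept"  # no rule matched: RouterOS accepts by default

DEFCONF = '''/ip firewall filter
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=drop chain=input comment="defconf: drop all not coming from LAN" in-interface-list=!LAN'''

# Constructed variant: a port-53 accept with no interface restriction, the pattern 2frogs warns against
OPEN_RESOLVER = DEFCONF.replace("add action=drop",
    "add action=accept chain=input dst-port=53 protocol=udp\nadd action=drop")

# 2frogs' fix: drop only what arrives on the WAN interface list
FIXED = DEFCONF.replace("in-interface-list=!LAN", "in-interface-list=WAN")

def compare():
    """Verdict for a UDP/53 query per arriving interface under each variant."""
    return {name: {i: verdict(cfg, i) for i in ("bridge", "l2tp-in1", "ether1")}
            for name, cfg in (("defconf", DEFCONF), ("open_resolver", OPEN_RESOLVER), ("fixed", FIXED))}
```

Under the default config the L2TP client's query is dropped (the poster's symptom); the unrestricted accept answers queries from ether1 as well, which is the open-resolver case; the WAN-list drop lets the VPN client through while still dropping queries arriving from the Internet.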

Re: VPN clients cannot access router for DNS

Posted: Tue Apr 24, 2018 8:57 pm
by cgallery
Just to answer my own question, I found that adding a firewall rule above "defconf: drop all not coming from LAN" was the ticket.

My rule:
Chain: input
Protocol: 17 (udp)
Dst. Port: 53
In. Interface: all ppp
Action: accept

(Edit to add: While this works, the suggestion to change my drop rule from !LAN to WAN is clearly the better/smarter approach. Thanks, 2frogs!)

Re: VPN clients cannot access router for DNS

Posted: Tue Apr 24, 2018 9:01 pm
by cgallery
The following could work, however, I don't exactly know your current firewall configuration.
#The firewall rules must be in the input chain, port 53 (TCP and UDP)
#The interface (ether1) is your LAN
/ip firewall filter
add action=accept chain=input dst-port=53 in-interface=ether1 protocol=tcp
add action=accept chain=input dst-port=53 in-interface=ether1 protocol=udp
No, do not do this. You will open yourself up as an open resolver.

Change your drop rule from !LAN to WAN. This is because your VPN is not coming from LAN, but L2TP.

Oh wait, this is even better! I hadn't realized that was an option, but brilliant: it works great, and I assume other problems I'd have seen in the future (maybe remote management of the router via the VPN) will simply work instead of requiring additional rules.