mily
just joined
Topic Author
Posts: 3
Joined: Wed Jul 18, 2018 10:27 am

OpenVPN - can't access Mikrotik (192.168.88.1) - other hosts are accessible

Mon Aug 13, 2018 11:23 am

Hello

After successfully configuring OpenVPN on my router, I'm able to connect from Android and Mac.
While connected I can ping and connect to all hosts in the LAN network, but unfortunately not to the MikroTik address 192.168.88.1 (it's responding to ping but not to traceroute).
When I disable the firewall rule "drop all not coming from LAN" I can connect to the router, but I guess it's a bad idea to turn off that rule.
I would be very grateful for help with this topic.
Please find my exported configuration below:
# aug/13/2018 09:37:51 by RouterOS 6.42.6
# software id = XG76-0ZTT
#
# model = RBD52G-5HacD2HnD
# serial number = 8FDE0937214B
/interface bridge
add admin-mac=B8:69:F4:1B:C3:28 auto-mac=no comment=defconf name=bridge
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
add authentication-types=wpa-psk,wpa2-psk eap-methods="" management-protection=allowed mode=dynamic-keys name=wpa supplicant-identity=""
/interface wireless
set [ find default-name=wlan1 ] band=2ghz-b/g/n channel-width=20/40mhz-Ce disabled=no distance=indoors frequency=auto mode=ap-bridge security-profile=wpa ssid=milki wireless-protocol=802.11
set [ find default-name=wlan2 ] band=5ghz-a/n/ac channel-width=20/40/80mhz-Ceee country=poland disabled=no distance=indoors frequency=auto mode=ap-bridge security-profile=wpa ssid="milki 5GHz" wireless-protocol=802.11
/ip hotspot profile
set [ find default=yes ] html-directory=flash/hotspot
/ip pool
add name=dhcp ranges=192.168.88.10-192.168.88.254
add name=openvpn ranges=10.0.0.2-10.0.0.40
/ip dhcp-server
add address-pool=dhcp disabled=no interface=bridge name=defconf
/ppp profile
add dns-server=8.8.8.8,8.8.4.4 local-address=10.0.0.1 name=openvpn remote-address=openvpn use-encryption=required
/interface bridge port
add bridge=bridge comment=defconf interface=ether2
add bridge=bridge comment=defconf interface=ether3
add bridge=bridge comment=defconf interface=ether4
add bridge=bridge comment=defconf interface=ether5
add bridge=bridge comment=defconf interface=wlan1
add bridge=bridge comment=defconf interface=wlan2
/ip neighbor discovery-settings
set discover-interface-list=LAN
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=ether1 list=WAN
/interface ovpn-server server
set auth=sha1 certificate=server_cert cipher=aes256 default-profile=openvpn enabled=yes require-client-certificate=yes
/ip address
add address=192.168.88.1/24 comment=defconf interface=ether2 network=192.168.88.0
/ip dhcp-client
add dhcp-options=hostname,clientid disabled=no interface=ether1 use-peer-dns=no use-peer-ntp=no
/ip dhcp-server lease
add address=192.168.88.246 client-id=1:b8:27:eb:f6:0:c mac-address=B8:27:EB:F6:00:0C server=defconf
/ip dhcp-server network
add address=192.168.88.0/24 comment=defconf gateway=192.168.88.1
/ip dns
set allow-remote-requests=yes servers=8.8.8.8,8.8.4.4
/ip dns static
add address=192.168.88.1 name=router.lan
/ip firewall filter
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input dst-port=1194 protocol=tcp
add action=drop chain=input comment="defconf: drop all not coming from LAN" in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related
add action=accept chain=forward comment="defconf: accept established,related, untracked" connection-state=established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
add action=drop chain=forward comment="defconf:  drop all from WAN not DSTNATed" connection-nat-state=!dstnat connection-state=new in-interface-list=WAN
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" ipsec-policy=out,none out-interface-list=WAN
/ppp secret
add name=mily profile=openvpn service=ovpn
/system clock
set time-zone-name=Europe/Warsaw
/system package update
set channel=bugfix
/system routerboard settings
set silent-boot=no
/system scheduler
add interval=5m name=noip_schedule on-event="/system script run noip" policy=read,write,test,password start-time=startup
/tool graphing interface
add interface=wlan1
add interface=wlan2
add interface=ether1
add interface=ether2
/tool graphing resource
add
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN
 
Steveocee
Forum Guru
Posts: 1120
Joined: Tue Jul 21, 2015 10:09 pm
Location: UK

Re: OpenVPN - can't access Mikrotik (192.168.88.1) - other hosts are accessible

Mon Aug 13, 2018 1:18 pm

Your firewall filter rule disallows access from anything not on your LAN interface list. You are effectively not coming from your LAN interface when VPN'ing in to the router. That is most likely the cause.
 
total9022
just joined
Posts: 3
Joined: Wed Aug 01, 2018 3:35 pm

Re: OpenVPN - can't access Mikrotik (192.168.88.1) - other hosts are accessible

Mon Aug 13, 2018 1:45 pm

Hi,

I would like to configure the OpenVPN server for Active Directory RADIUS authentication.
I configured Network Policy Server and enabled MikroTik RADIUS, but it isn't working.

Could you help?

Thanks,
 
mily
just joined
Topic Author
Posts: 3
Joined: Wed Jul 18, 2018 10:27 am

Re: OpenVPN - can't access Mikrotik (192.168.88.1) - other hosts are accessible

Mon Aug 13, 2018 1:57 pm

Hello Steveocee, thank you for the quick answer.
Following your advice, adding the rule:
chain=input action=accept protocol=tcp src-address=10.0.0.0/24 dst-port=80,443,8291 log=no
should do the job, right?
But I'm still a little bit concerned why it's possible to access the host at IP 192.168.88.246 (tested on ports 80, 22) but not 192.168.88.1.
The rule mentioned above should block access to the whole LAN, not only to one IP.
 
Steveocee
Forum Guru
Posts: 1120
Joined: Tue Jul 21, 2015 10:09 pm
Location: UK

Re: OpenVPN - can't access Mikrotik (192.168.88.1) - other hosts are accessible

Mon Aug 13, 2018 2:11 pm

That should work as long as it is above the block-access rule.
The original rule was in the input chain, so it would only apply to traffic destined for the router. If you were blocking access to the LAN you'd want a forward rule as well; that is why you can ping hosts and not the router.
 
mily
just joined
Topic Author
Posts: 3
Joined: Wed Jul 18, 2018 10:27 am

Re: OpenVPN - can't access Mikrotik (192.168.88.1) - other hosts are accessible

Mon Aug 13, 2018 2:31 pm

Steveocee, thank you for the explanation.
One more thing I would like to ask:
Is adding a new rule like I mentioned above safe?
Or maybe there are other ways to get the router accessible over VPN?
 
Steveocee
Forum Guru
Posts: 1120
Joined: Tue Jul 21, 2015 10:09 pm
Location: UK

Re: OpenVPN - can't access Mikrotik (192.168.88.1) - other hosts are accessible

Mon Aug 13, 2018 4:06 pm

That rule could be tightened down a little more by specifying the in-interface as your VPN. I think that should work. Of course, then anybody who VPNs in can access the router, so you may want to assign yourself a static IP in your VPN server and then only allow that single IP access rather than the full range?
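Putting Steveocee's two points together (the input chain only governs traffic addressed to the router itself, and the accept rule should be narrowed to the VPN interface and a single address and sit above the "drop all not coming from LAN" rule), here is an added RouterOS example. It is not from the thread and not part of MikroTik's default configuration. It reuses the user name mily, the 10.0.0.0/24 OpenVPN pool with server address 10.0.0.1, and the ports 8291 and 443 from mily's proposed rule; the static tunnel address 10.0.0.2, the interface name ovpn-mily and the interface list name VPN are assumptions chosen for the example.

```routeros
# Added example, not from the thread: restrict router management over OpenVPN
# to one user, one tunnel interface and one tunnel address (RouterOS 6.42 syntax).

# 1. Give the OpenVPN user a fixed tunnel address (assumed: 10.0.0.2) instead of
#    one drawn from the "openvpn" pool, so a firewall rule can name a single host
#    rather than the whole 10.0.0.0/24 range.
/ppp secret
set [ find name=mily ] remote-address=10.0.0.2

# 2. Create a static binding so the tunnel gets a predictable interface name
#    (assumed: ovpn-mily); without it the server-side interface is dynamic.
/interface ovpn-server
add name=ovpn-mily user=mily

# 3. The export only has LAN and WAN lists; add a VPN list and put the tunnel in it.
/interface list
add name=VPN
/interface list member
add interface=ovpn-mily list=VPN

# 4. Accept only Winbox (8291) and HTTPS (443) from that interface and that address,
#    and place the rule above the defconf drop rule. Order matters: the input chain
#    is evaluated top to bottom, so an accept added at the end would never be reached.
/ip firewall filter
add action=accept chain=input comment="allow router management from VPN user mily" \
    dst-port=8291,443 in-interface-list=VPN protocol=tcp src-address=10.0.0.2 \
    place-before=[ find comment="defconf: drop all not coming from LAN" ]
```

After applying it, `/ip firewall filter print` should show the new accept rule immediately before the "drop all not coming from LAN" rule; a VPN client using any other tunnel address, or any non-VPN interface, still falls through to that drop. Port 80 from mily's original proposal is deliberately left out, since management over plaintext HTTP adds nothing once 443 is allowed. The filter rule is the first layer; the services themselves can additionally be bound to the same addresses with `/ip service set winbox address=...` and `/ip service set www-ssl address=...`, so a later mistake in rule ordering does not by itself expose them.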
