schrodingersdoge
just joined
Topic Author
Posts: 6
Joined: Mon Aug 19, 2019 7:31 pm

Beginner: SSTP Server on MikroTik behind Linksys router

Tue Aug 27, 2019 5:22 am

Hello and thanks in advance,

I am somewhat new to networking and I'm learning as I go. I apologize in advance for not being the most knowledgeable or if I'm a bit slow.

I've set up the MikroTik in wireless client mode and can successfully connect to the internet through the MikroTik. I have had no luck getting an SSTP server set up and connected to, though. Here's my (simple) network:

A Motorola Surfboard modem with a dynamic IP address (duckdns is setup to point at the public IP address).

A Linksys EA8300 is the primary router with most of my network devices on it. 192.168.1.1 (DHCP 192.168.1.100 - 192.168.1.150). I have the MikroTik set up with a static IP address 192.168.1.123. I also had a port forward set up from external 443 to internal 443 192.168.1.123.

My MikroTik is wirelessly connected to the Linksys router over wlan2 so that it can be in my home office. I'm using this router solely for remote access to a computer used for work while I'm away from my home office. The plan is to do this by setting up an SSTP server on the MikroTik router and then using Remote Desktop Connection to interact with the computer over the VPN. 192.168.88.1 (DHCP 192.168.88.10 - 192.168.88.254)

I see in the export below that I have a dynamic DNS from the Linksys, but also a static DNS at 192.168.88.1? I'm in over my head. Any help would be incredible.

I've included the /export hide-sensitive below:
# aug/26/2019 20:52:04 by RouterOS 6.45.3
# software id = L0AF-NAW4
#
# model = RBD52G-5HacD2HnD
# serial number = 
/interface bridge
add admin-mac=74:4D:28:75:75:58 auto-mac=no comment=defconf name=bridge
/interface wireless
set [ find default-name=wlan1 ] band=2ghz-b/g/n channel-width=20/40mhz-XX disabled=no distance=indoors frequency=auto mode=ap-bridge ssid=MikroTik-75755C wireless-protocol=802.11
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface wireless security-profiles
set [ find default=yes ] authentication-types=wpa2-psk mode=dynamic-keys supplicant-identity=MikroTik
add authentication-types=wpa2-psk management-protection=allowed mode=dynamic-keys name=jeff supplicant-identity=MikroTik
/interface wireless
set [ find default-name=wlan2 ] band=5ghz-a/n/ac channel-width=20/40/80mhz-Ceee disabled=no distance=indoors frequency=5745 security-profile=jeff ssid="Linksys's AP Name" wireless-protocol=802.11
/ip hotspot profile
set [ find default=yes ] html-directory=flash/hotspot
/ip pool
add name=dhcp ranges=192.168.88.10-192.168.88.254
/ip dhcp-server
add address-pool=dhcp disabled=no interface=bridge name=defconf
/ppp profile
add dns-server=192.168.1.1 local-address=192.168.88.1 name=sstp01 remote-address=dhcp use-encryption=required
/interface bridge port
add bridge=bridge comment=defconf interface=ether2
add bridge=bridge comment=defconf interface=ether3
add bridge=bridge comment=defconf interface=ether4
add bridge=bridge comment=defconf interface=ether5
add bridge=bridge comment=defconf interface=wlan1
add bridge=bridge comment=defconf disabled=yes interface=wlan2
/ip neighbor discovery-settings
set discover-interface-list=LAN
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=wlan2 list=WAN
/interface sstp-server server
set authentication=mschap2 certificate=server default-profile=sstp01 enabled=yes force-aes=yes pfs=yes tls-version=only-1.2
/ip address
add address=192.168.88.1/24 comment=defconf interface=ether2 network=192.168.88.0
/ip dhcp-client
add comment=defconf dhcp-options=hostname,clientid disabled=no interface=wlan2
/ip dhcp-server lease
add address=192.168.88.251 client-id=1:1c:69:7a:2:aa:f mac-address=1C:69:7A:02:AA:0F server=defconf
/ip dhcp-server network
add address=192.168.88.0/24 comment=defconf gateway=192.168.88.1
/ip dns
set allow-remote-requests=yes
/ip dns static
add address=192.168.88.1 name=router.lan
/ip firewall filter
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=drop chain=input comment="defconf: drop all not coming from LAN" in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related
add action=accept chain=forward comment="defconf: accept established,related, untracked" connection-state=established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
add action=drop chain=forward comment="defconf:  drop all from WAN not DSTNATed" connection-nat-state=!dstnat connection-state=new in-interface-list=WAN
add action=drop chain=input connection-state=new dst-port=53 in-interface=wlan2 protocol=udp
add action=drop chain=input connection-state=new dst-port=53 in-interface=wlan2 protocol=tcp
add action=accept chain=input dst-port=443 protocol=tcp
add action=accept chain=input src-address=192.168.88.0/24
add action=accept chain=forward src-address=192.168.88.0/24
add action=drop chain=input connection-state=new dst-port=53 in-interface=wlan2 protocol=udp
add action=drop chain=input connection-state=new dst-port=53 in-interface=wlan2 protocol=tcp
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" ipsec-policy=out,none out-interface-list=WAN
add action=masquerade chain=srcnat out-interface=wlan2 src-address=192.168.88.0/24
/ip ssh
set allow-none-crypto=yes forwarding-enabled=remote
/ppp secret
add name=schrodingersdoge profile=sstp01 service=sstp
/system clock
set time-zone-name=America/Chicago
/system watchdog
set auto-send-supout=yes watch-address=8.8.8.8
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN
 
schrodingersdoge
just joined
Topic Author
Posts: 6
Joined: Mon Aug 19, 2019 7:31 pm

Re: Beginner: SSTP Server on MikroTik behind Linksys router

Fri Aug 30, 2019 8:02 pm

Maybe I'm way off base here, but do I need to port forward 443 from the MikroTik to the SSTP server on the same MikroTik?
 
Sob
Forum Guru
Posts: 4527
Joined: Mon Apr 20, 2009 9:11 pm

Re: Beginner: SSTP Server on MikroTik behind Linksys router  [SOLVED]

Tue Sep 03, 2019 4:03 am

Order of firewall rules matters. They are processed from top to bottom, so you need to have this:
add action=accept chain=input dst-port=443 protocol=tcp
before this:
add action=drop chain=input comment="defconf: drop all not coming from LAN" in-interface-list=!LAN
People who quote full posts should be spanked with ethernet cable. Some exceptions for multi-topic threads may apply.
 
schrodingersdoge
just joined
Topic Author
Posts: 6
Joined: Mon Aug 19, 2019 7:31 pm

Re: Beginner: SSTP Server on MikroTik behind Linksys router

Fri Sep 06, 2019 5:29 pm

Thank you for your response! That's such a simple oversight.

I've been really tied up with work and haven't had a chance to test this yet. I will definitely post back when I do, and whether it's resolved. Thanks again!
 
schrodingersdoge
just joined
Topic Author
Posts: 6
Joined: Mon Aug 19, 2019 7:31 pm

Re: Beginner: SSTP Server on MikroTik behind Linksys router

Sun Sep 08, 2019 5:53 pm

The connection is working! There was a slight mistake on my certificates but I got that resolved. The only problem I'm facing now is I can't get RDP to work over the VPN when it works locally, but I think I can get that squared away.

SOB, thank you for your help!
 
schrodingersdoge
just joined
Topic Author
Posts: 6
Joined: Mon Aug 19, 2019 7:31 pm

Re: Beginner: SSTP Server on MikroTik behind Linksys router

Mon Sep 09, 2019 12:44 am

Should I start a new thread? It's related to my original question so I'll continue here.

I've spent the majority of today trying to get Remote Desktop to work over the VPN from outside my home network. At this point I'm just trying different settings and hoping, so it's time to throw in the towel and ask for help again.

Remote desktop works when both computers are connected by ethernet to the MikroTik. I can get to the "remote" computer by IP and also by computer name. When I connect via VPN, I can no longer initiate a remote desktop session. I'm baffled.

One thing that I thought was weird (but could be totally normal) is when I'm connected to the VPN, the assigned address under /IP Addresses is 192.168.88.1/32, the network is 192.168.88.123 and the interface is <sstp-nameofsecret>.

I'll probably end up setting the router back up with the export from my first post. Thank you again!

Here is the most recent export since I've been mucking about all day:
# sep/08/2019 16:38:05 by RouterOS 6.45.3
# software id = L0AF-NAW4
#
# model = RBD52G-5HacD2HnD
# serial number = B4A30AA34358
/interface bridge
add admin-mac=74:4D:28:75:75:58 auto-mac=no comment=defconf name=bridge
/interface wireless
set [ find default-name=wlan1 ] band=2ghz-b/g/n channel-width=20/40mhz-XX disabled=no distance=indoors frequency=auto mode=ap-bridge ssid=MikroTik-75755C wireless-protocol=802.11
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface wireless security-profiles
set [ find default=yes ] authentication-types=wpa2-psk mode=dynamic-keys supplicant-identity=MikroTik
add authentication-types=wpa2-psk management-protection=allowed mode=dynamic-keys name=jeff supplicant-identity=MikroTik
/interface wireless
set [ find default-name=wlan2 ] band=5ghz-a/n/ac channel-width=20/40/80mhz-Ceee disabled=no distance=indoors frequency=5745 security-profile=jeff ssid="Linksys SSID" wireless-protocol=802.11
/ip hotspot profile
set [ find default=yes ] html-directory=flash/hotspot
/ip pool
add name=dhcp ranges=192.168.88.10-192.168.88.254
/ip dhcp-server
add add-arp=yes address-pool=dhcp disabled=no interface=bridge name=defconf
/ppp profile
add dns-server=192.168.1.1 local-address=192.168.88.1 name=sstp01 remote-address=dhcp use-encryption=required
/interface bridge port
add bridge=bridge comment=defconf interface=ether2
add bridge=bridge comment=defconf interface=ether3
add bridge=bridge comment=defconf interface=ether4
add bridge=bridge comment=defconf interface=ether5
add bridge=bridge comment=defconf interface=wlan1
add bridge=bridge comment=defconf disabled=yes interface=wlan2
/ip neighbor discovery-settings
set discover-interface-list=LAN
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=wlan2 list=WAN
/interface sstp-server server
set authentication=mschap2 certificate=server2 default-profile=default-encryption enabled=yes force-aes=yes pfs=yes tls-version=only-1.2
/ip address
add address=192.168.88.1/24 comment=defconf interface=ether2 network=192.168.88.0
/ip arp
add address=192.168.88.251 interface=bridge mac-address=1C:69:7A:02:AA:0F
/ip dhcp-client
add comment=defconf dhcp-options=hostname,clientid disabled=no interface=wlan2 use-peer-dns=no use-peer-ntp=no
/ip dhcp-server lease
add address=192.168.88.251 client-id=1:1c:69:7a:2:aa:f mac-address=1C:69:7A:02:AA:0F server=defconf
/ip dhcp-server network
add address=192.168.88.0/24 comment=defconf gateway=192.168.88.1
/ip dns
set allow-remote-requests=yes servers=8.8.8.8,8.8.4.4
/ip dns static
add address=192.168.88.251 disabled=yes name=nuc.router.lan
/ip firewall filter
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input dst-port=443 protocol=tcp
add action=accept chain=input src-address=192.168.88.0/24
add action=accept chain=forward src-address=192.168.88.0/24
add action=accept chain=forward comment="defconf: accept in ipsec policy" ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related
add action=accept chain=forward comment="defconf: accept established,related, untracked" connection-state=established,related,untracked
add action=drop chain=input comment="defconf: drop all not coming from LAN" in-interface-list=!LAN
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
add action=drop chain=forward comment="defconf:  drop all from WAN not DSTNATed" connection-nat-state=!dstnat connection-state=new in-interface-list=WAN
add action=drop chain=input connection-state=new dst-port=53 in-interface=wlan2 protocol=udp
add action=drop chain=input connection-state=new dst-port=53 in-interface=wlan2 protocol=tcp
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" ipsec-policy=out,none out-interface-list=WAN
add action=masquerade chain=srcnat out-interface=wlan2 src-address=192.168.88.0/24
/ip ssh
set allow-none-crypto=yes forwarding-enabled=remote
/ppp secret
add local-address=192.168.88.1 name=name profile=default-encryption remote-address=192.168.88.123 service=sstp
/system clock
set time-zone-name=America/Chicago
/system logging
add disabled=yes topics=sstp
add disabled=yes topics=certificate
/system watchdog
set auto-send-supout=yes watch-address=8.8.8.8
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN
Last edited by schrodingersdoge on Wed Sep 11, 2019 5:02 pm, edited 1 time in total.
 
Sob
Forum Guru
Posts: 4527
Joined: Mon Apr 20, 2009 9:11 pm

Re: Beginner: SSTP Server on MikroTik behind Linksys router

Mon Sep 09, 2019 2:36 am

1) ARP changes (DHCP's add-arp=yes, static entry for 192.168.88.251). If the goal was to prevent devices with manually assigned IP addresses from connecting through this router, it's fine. If it was done to help with the RDP problem, it's useless.

2) When ether2 is part of bridge, 192.168.88.1/24 should be on bridge, not on ether2. It should be harmless, but it's better to fix it anyway.

3) If 192.168.88.123 should be reachable from the rest of 192.168.88.x network, you need either arp=proxy-arp on bridge interface or:
/ip arp
add address=192.168.88.123 interface=bridge published=yes
 
schrodingersdoge
just joined
Topic Author
Posts: 6
Joined: Mon Aug 19, 2019 7:31 pm

Re: Beginner: SSTP Server on MikroTik behind Linksys router

Wed Sep 11, 2019 5:02 pm

Sob, you've done it. I'm at work and can connect to the VPN at home and RDP into the machine there. Can I buy you a beer (or your preferred poison)? I've included my final /export below in case someone in the future has a similar problem.
[admin@MikroTik] >> /export  hide-sensitive       
# sep/11/2019 08:57:05 by RouterOS 6.45.3
# software id = L0AF-NAW4
#
# model = RBD52G-5HacD2HnD
# serial number = B4A30AA34358
/interface bridge
add admin-mac=74:4D:28:75:75:58 auto-mac=no comment=defconf name=bridge
/interface wireless
set [ find default-name=wlan1 ] band=2ghz-b/g/n channel-width=20/40mhz-XX disabled=no distance=indoors frequency=auto mode=ap-bridge ssid=MikroTik-75755C wireless-protocol=802.11
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface wireless security-profiles
set [ find default=yes ] authentication-types=wpa2-psk mode=dynamic-keys supplicant-identity=MikroTik
add authentication-types=wpa2-psk management-protection=allowed mode=dynamic-keys name=jeff supplicant-identity=MikroTik
/interface wireless
set [ find default-name=wlan2 ] band=5ghz-a/n/ac channel-width=20/40/80mhz-Ceee disabled=no distance=indoors frequency=5745 security-profile=jeff ssid="wlan2 name" wireless-protocol=802.11
/ip hotspot profile
set [ find default=yes ] html-directory=flash/hotspot
/ip pool
add name=dhcp ranges=192.168.88.10-192.168.88.254
/ip dhcp-server
add address-pool=dhcp disabled=no interface=bridge name=defconf
/ppp profile
add dns-server=192.168.1.1 local-address=192.168.88.1 name=sstp01 remote-address=dhcp use-encryption=required
/interface bridge port
add bridge=bridge comment=defconf interface=ether2
add bridge=bridge comment=defconf interface=ether3
add bridge=bridge comment=defconf interface=ether4
add bridge=bridge comment=defconf interface=ether5
add bridge=bridge comment=defconf interface=wlan1
add bridge=bridge comment=defconf disabled=yes interface=wlan2
/ip neighbor discovery-settings
set discover-interface-list=LAN
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=wlan2 list=WAN
/interface sstp-server server
set authentication=mschap2 certificate=server2 default-profile=sstp01 enabled=yes force-aes=yes pfs=yes tls-version=only-1.2
/ip address
add address=192.168.88.1/24 comment=defconf interface=bridge network=192.168.88.0
/ip arp
add address=192.168.88.123 interface=bridge published=yes
/ip dhcp-client
add comment=defconf dhcp-options=hostname,clientid disabled=no interface=wlan2
/ip dhcp-server lease
add address=192.168.88.251 client-id=1:1c:69:7a:2:aa:f mac-address=1C:69:7A:02:AA:0F server=defconf
/ip dhcp-server network
add address=192.168.88.0/24 comment=defconf gateway=192.168.88.1
/ip dns
set allow-remote-requests=yes servers=8.8.8.8,8.8.4.4
/ip dns static
add address=192.168.88.251 disabled=yes name=nuc.router.lan
/ip firewall filter
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input dst-port=443 protocol=tcp
add action=accept chain=input src-address=192.168.88.0/24
add action=accept chain=forward src-address=192.168.88.0/24
add action=accept chain=forward comment="defconf: accept in ipsec policy" ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related
add action=accept chain=forward comment="defconf: accept established,related, untracked" connection-state=established,related,untracked
add action=drop chain=input comment="defconf: drop all not coming from LAN" in-interface-list=!LAN
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
add action=drop chain=forward comment="defconf:  drop all from WAN not DSTNATed" connection-nat-state=!dstnat connection-state=new in-interface-list=WAN
add action=drop chain=input connection-state=new dst-port=53 in-interface=wlan2 protocol=udp
add action=drop chain=input connection-state=new dst-port=53 in-interface=wlan2 protocol=tcp
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" ipsec-policy=out,none out-interface-list=WAN
add action=masquerade chain=srcnat out-interface=wlan2 src-address=192.168.88.0/24
/ip ssh
set allow-none-crypto=yes forwarding-enabled=remote
/ppp secret
add local-address=192.168.88.1 name=name profile=sstp01 remote-address=192.168.88.123 service=sstp
/system clock
set time-zone-name=America/Chicago
/system logging
add disabled=yes topics=sstp
add disabled=yes topics=certificate
/system watchdog
set auto-send-supout=yes watch-address=8.8.8.8
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN
 
Sob
Forum Guru
Posts: 4527
Joined: Mon Apr 20, 2009 9:11 pm

Re: Beginner: SSTP Server on MikroTik behind Linksys router

Wed Sep 11, 2019 6:08 pm

Don't worry about it, there's plenty of beer here. :)