runbound
Member Candidate
Topic Author
Posts: 125
Joined: Fri Apr 19, 2013 9:28 am

VPN public IP can't ping

Sun Feb 14, 2021 5:09 pm

Hello everyone,
My ISP doesn't support a public IP, so I got a VPN service with a public IP and all ports open.
I use it directly on Windows and everything works fine; I can access the open ports and everything.
When I add the VPN client to the MikroTik, for example a PPTP client,
it connects and I can browse the internet, and if I add mangle and firewall rules then the traffic goes through the VPN normally.
But when I want to access the router from outside using my static VPN IP,
I can't get any access; I can't even ping the static IP.

Any suggestions to try out?

my network diagram

WAN---->pppoe---->mikrotik---->vpn-client---->new public ip
 
runbound
Member Candidate
Topic Author
Posts: 125
Joined: Fri Apr 19, 2013 9:28 am

Re: VPN public IP can't ping

Sun Feb 21, 2021 4:05 am

Please help. I have a public IP but I can't remote into my MikroTik from outside, nor can I ping my public IP.
Can anyone help me?
 
runbound
Member Candidate
Topic Author
Posts: 125
Joined: Fri Apr 19, 2013 9:28 am

Re: VPN public IP can't ping

Thu Feb 25, 2021 3:32 am

Can anyone help?
 
Cablenut9
Long time Member
Posts: 542
Joined: Fri Jan 08, 2021 5:30 am

Re: VPN public IP can't ping

Thu Feb 25, 2021 4:52 am

What are your firewall rules?
 
erlinden
Forum Guru
Posts: 1900
Joined: Wed Jun 12, 2013 1:59 pm
Location: Netherlands

Re: VPN public IP can't ping

Thu Feb 25, 2021 8:39 am

Having a Windows machine publicly available is not really good practice security-wise. You'd better only forward the ports that are absolutely necessary. And start running a VPN server on your router for management purposes and for making resources available.

By the way, to show your config use /export hide-sensitive file=anynameyoulike and post it using code tags.
 
runbound
Member Candidate
Topic Author
Posts: 125
Joined: Fri Apr 19, 2013 9:28 am

Re: VPN public IP can't ping

Fri Feb 26, 2021 4:51 pm

/interface bridge
add fast-forward=no name=bridge-hotspot
add name=bridge-local
add name=userman
/interface ethernet
set [ find default-name=ether1 ] comment=WAN1 name=ether1-WAN1
set [ find default-name=ether2 ] comment=LAN
set [ find default-name=ether4 ] comment=BROADBAND
/interface pptp-client
add allow=chap,mschap2 comment=VPN connect-to=sg-ded-1.[REDACTED].net \
dial-on-demand=yes disabled=no name=VPN user=xxxxx4338
/interface ethernet switch port
set 5 default-vlan-id=0 vlan-mode=disabled
/interface wireless security-profiles
set [ find default=yes ] authentication-types=wpa-psk,wpa2-psk eap-methods="" \
group-ciphers=tkip,aes-ccm mode=dynamic-keys supplicant-identity=MikroTik \
unicast-ciphers=tkip,aes-ccm
add authentication-types=wpa-psk eap-methods="" group-ciphers=tkip \
management-protection=allowed mode=dynamic-keys name=station \
supplicant-identity="" unicast-ciphers=tkip
add authentication-types=wpa-psk,wpa2-psk eap-methods="" group-ciphers=\
tkip,aes-ccm management-protection=allowed mode=dynamic-keys name=wifi \
supplicant-identity="" unicast-ciphers=tkip,aes-ccm
add authentication-types=wpa-psk,wpa2-psk eap-methods="" name=hotspot \
supplicant-identity=MikroTik
/ip hotspot profile
set [ find default=yes ] dns-name=hotspot.portal hotspot-address=172.16.50.1 \
html-directory=flash/darkcyanhotspot login-by=http-chap,http-pap name=\
hs-profile
/ip pool
add name=default-dhcp ranges=192.168.170.2-192.168.170.254
add name=wifi-secure ranges=150.150.150.2-150.150.150.254
add name=hs-bro1 ranges=10.5.10.0/24
/ip dhcp-server
add address-pool=default-dhcp authoritative=after-2sec-delay interface=\
bridge-local name=local-dhcp
add add-arp=yes address-pool=hs-unauthenticated bootp-support=none disabled=\
no interface=bridge-hotspot lease-time=6h name=hotspot-dhcp
/ip hotspot
add address-pool=hs-unauthenticated addresses-per-mac=unlimited disabled=no \
idle-timeout=none interface=bridge-hotspot name=WIFI
/ip hotspot user profile
set [ find default=yes ] address-pool=hs-hotspot name=ADMIN on-login="\r\
\n"
add address-pool=hs-hotspot !idle-timeout !keepalive-timeout name=VM-1 \
rate-limit=5M/10M
add address-pool=hs-hotspot idle-timeout=1h name=1hr on-login=":local username\
\_\$user;\r\
\n:local date [/system clock get date];\r\
\n:local time [/system clock get time];\r\
\n:log warning \"\$username has login - \$time\"; \r\
\n{\r\
\n:if ([/system scheduler find name=\$username]=\"\") do={ /ip hotspot use\
r set [find name=\$user] limit-uptime=10s \r\
\n/system scheduler add name=\$username interval=60d on-event=\"/ip hotspo\
t user set profile=EXPIRED [find name=\$username]\\r\\n/ip hotspot active \
remove [find user=\$username]\\r\\n/system scheduler remove [find name=\$u\
sername]\"\r\
\n}\r\
\n}\r\
\n\r\
\n/system script run moveICMP" rate-limit=5M/10M
/port
set 0 name=usb1
/ppp profile
add change-tcp-mss=yes comment="<-----VIP PLAN----->" dns-server=\
192.168.170.1 local-address=hs-unauthenticated name="VIP 599 7MB" \
only-one=yes remote-address=hs-bro1
/queue simple
add name=RESIDENTIAL target=10.5.10.0/24
add max-limit=3M/7M name="reyes badette" parent=RESIDENTIAL target=\
10.5.10.1/32
/queue tree
add disabled=yes name=X-Bro priority=1
add disabled=yes max-limit=100M name=bro-download parent=X-Bro priority=1
/queue type
add kind=pcq name=gaming-pcq-download pcq-classifier=dst-address,dst-port \
pcq-limit=40KiB
add kind=pcq name=gaming-pcq-upload pcq-classifier=src-address,src-port \
pcq-limit=40KiB
add kind=pcq name="limit dl" pcq-classifier=dst-address \
pcq-dst-address6-mask=64 pcq-rate=1M pcq-src-address6-mask=64
add kind=pcq name=main-pcq-download pcq-classifier=dst-address pcq-limit=\
40KiB
add kind=pcq name=main-pcq-upload pcq-classifier=src-address pcq-limit=40KiB
add kind=pfifo name=main-queue pfifo-limit=100
add kind=pcq name="UPLOAD Gaming" pcq-classifier=src-address \
pcq-dst-address6-mask=64 pcq-rate=1M pcq-src-address6-mask=64
add kind=pcq name="DOWNLOAD Games" pcq-classifier=dst-address \
pcq-dst-address6-mask=64 pcq-rate=1M pcq-src-address6-mask=64
add kind=pcq name="DOWNLOAD Browsing" pcq-classifier=dst-address \
pcq-dst-address6-mask=64 pcq-rate=1M pcq-src-address6-mask=64
add kind=pcq name="UPLOAD Browsing" pcq-classifier=src-address \
pcq-dst-address6-mask=64 pcq-rate=256k pcq-src-address6-mask=64
add kind=pcq name=PPPHOMEDL-15MBPSBURST pcq-classifier=dst-address \
pcq-dst-address6-mask=64 pcq-rate=15M pcq-src-address6-mask=64
add kind=pcq name=PPPHOMEUPLOAD pcq-classifier=src-address \
pcq-dst-address6-mask=64 pcq-rate=20M pcq-src-address6-mask=64
add kind=pcq name="ALL DOWNLOAD" pcq-classifier=dst-address \
pcq-dst-address6-mask=64 pcq-rate=50M pcq-src-address6-mask=64
add kind=pcq name="ALL UPLOAD" pcq-classifier=src-address \
pcq-dst-address6-mask=64 pcq-rate=50M pcq-src-address6-mask=64
/system logging action
set 1 disk-file-name=log
/user group
set full policy="local,telnet,ssh,ftp,reboot,read,write,policy,test,winbox,pas\
sword,web,sniff,sensitive,api,romon,dude,tikapp"
add name=admin policy="reboot,read,write,test,password,web,api,!local,!telnet,\
!ssh,!ftp,!policy,!winbox,!sniff,!sensitive,!romon,!dude,!tikapp"
add name=adminftp policy="ftp,reboot,read,write,password,api,!local,!telnet,!s\
sh,!policy,!test,!winbox,!web,!sniff,!sensitive,!romon,!dude,!tikapp"
add name=adminlast policy="reboot,read,write,test,password,web,api,!local,!tel\
net,!ssh,!ftp,!policy,!winbox,!sniff,!sensitive,!romon,!dude,!tikapp"
add name=techedit policy="ftp,reboot,read,write,test,winbox,password,web,api,!\
local,!telnet,!ssh,!policy,!sniff,!sensitive,!romon,!dude,!tikapp"
/interface bridge port
add bridge=bridge-local comment=LAN interface=ether3
add bridge=bridge-hotspot comment=HOTSPOT interface=ether4
add bridge=bridge-hotspot comment=BROADBAND interface=ether5
add bridge=bridge-local disabled=yes interface=*1
add bridge=bridge-hotspot disabled=yes interface=*E
add disabled=yes interface=*A
/ip neighbor discovery-settings
set discover-interface-list=!dynamic
/interface detect-internet
set detect-interface-list=all
/interface pppoe-server server
add disabled=no interface=bridge-hotspot keepalive-timeout=60 max-mru=1480 \
max-mtu=1480 one-session-per-host=yes service-name="GRACE"
/interface sstp-server server
set enabled=yes
/interface wireless access-list
add comment=ron mac-address=6E:5A:88:C7:0C:2A
add comment=rose mac-address=8C:F5:A3:F4:A4:7A
add comment=ron mac-address=90:97:F3:88:EA:C0
/ip address
add address=192.168.170.1/24 interface=bridge-local network=192.168.170.0
add address=172.16.50.1/24 interface=bridge-hotspot network=172.16.50.0
add address=192.168.171.1/24 interface=bridge-hotspot network=192.168.171.0
add address=192.168.87.1/24 interface=userman network=192.168.87.0
/ip cloud
set update-time=no
/ip dhcp-client
add add-default-route=no comment=WAN1 disabled=no interface=ether1-WAN1 \
use-peer-dns=no
/ip dhcp-server lease
add address=172.16.50.4 client-id=1:8c:f5:a3:f4:a4:7a comment=rose \
mac-address=8C:F5:A3:F4:A4:7A server=hotspot-dhcp
add address=172.16.50.2 client-id=1:cc:6e:a4:d8:c4:2d comment=samsung \
mac-address=CC:6E:A4:D8:C4:2D server=hotspot-dhcp
add address=172.16.50.3 client-id=1:34:f1:50:74:58:be comment=tcl \
mac-address=34:F1:50:74:58:BE server=hotspot-dhcp
/ip dhcp-server network
add address=150.150.150.0/24 dns-none=yes gateway=150.150.150.1
add address=172.16.50.0/24 gateway=172.16.50.1
add address=192.168.170.0/24 comment="default configuration" gateway=\
192.168.170.1
/ip dns
set allow-remote-requests=yes servers=8.8.8.8,8.8.4.4
/ip dns static
add address=192.168.170.1 name=router
/ip firewall address-list
add address=172.16.50.0/24 list=local-address
add address=192.168.170.3-192.168.170.251 list=local-addressdns
/ip firewall mangle
add action=mark-routing chain=prerouting dst-port=\
1-52,54-1028,3478,3479,5228,8888 new-routing-mark=vpn_ian passthrough=no \
protocol=tcp src-address=10.5.10.0/24
add action=mark-routing chain=prerouting new-routing-mark=vpn_ian \
passthrough=no protocol=udp src-address=10.5.10.0/24
/ip firewall nat
add action=passthrough chain=unused-hs-chain comment=\
"place hotspot rules here" disabled=yes
add action=masquerade chain=srcnat comment=WAN1 out-interface=ether1-WAN1
add action=masquerade chain=srcnat comment=VPN out-interface=VPN
/ip hotspot user
add limit-bytes-total=3000000000 limit-uptime=6h mac-address=\
70:8F:47:2D:B0:73 name=emem
add limit-bytes-total=3000000000 limit-uptime=6h mac-address=\
20:31:1C:E4:4C:F3 name=macmac
add limit-bytes-total=3000000000 limit-uptime=6h mac-address=\
6C:D9:4C:FF:5B:CD name=patrick
add address=172.16.61.254 name=oneil
add limit-bytes-total=3000000000 limit-uptime=6h mac-address=\
08:FA:79:DF:64:D3 name=talin
add name=bebe9365
add name=rose532
add mac-address=00:27:15:52:34:A1 name=ron1
/ip proxy
set cache-path=flash/webproxy enabled=yes max-cache-size=none
/ip proxy access
add action=deny dst-host=!192.168.175.1
/ip route
add comment=VPN distance=2 gateway=VPN routing-mark=vpn
add comment=WAN2 disabled=yes distance=1 gateway=2.2.2.2 routing-mark=PL1
add comment=WAN1 distance=1 gateway=192.168.2.1
add comment=WAN1_A disabled=yes distance=1 dst-address=50.100.10.12/32 \
gateway=192.168.2.1
add comment=WAN1_A disabled=yes distance=1 dst-address=xx.xx.104.116/32 \
gateway=192.168.2.1
/ip route rule
add dst-address=0.0.0.0/0 routing-mark=RT-PL1 src-address=0.0.0.0/0 table=PL1
add dst-address=0.0.0.0/0 routing-mark=RT-PL2 src-address=0.0.0.0/0 table=PL2
/ip service
set telnet disabled=yes
set www port=82
set winbox port=8292
set api-ssl disabled=yes
/port firmware
set ignore-directip-modem=yes
/ppp secret
add comment=PAID1 name="reyes badette" profile="VIP 599 7MB" routes=PAID.1MO \
service=pppoe
/radius
add address=192.168.87.1 service=login,hotspot
/system clock
set time-zone-autodetect=no
/system clock manual
set time-zone=+08:00
/system ntp client
set enabled=yes server-dns-names=asia.pool.ntp.org
/system watchdog
set automatic-supout=no watchdog-timer=no
/tool bandwidth-server
set authenticate=no enabled=no
/tool sms
set port=usb1
 
runbound
Member Candidate
Topic Author
Posts: 125
Joined: Fri Apr 19, 2013 9:28 am

Re: VPN public IP can't ping

Sat Mar 06, 2021 3:03 am

Can anyone help, please?
 
dioeyandika
just joined
Posts: 19
Joined: Fri Feb 08, 2019 11:30 am

Re: VPN public IP can't ping

Tue Mar 09, 2021 3:56 pm

Please help. I have a public IP but I can't remote into my MikroTik from outside, nor can I ping my public IP.
Can anyone help me?
Hmm, maybe you can add a route for cloud2.mikrotik.com (159.148.147.201) and cloud.mikrotik.com (159.148.147.229) to the VPN gateway, then check what IP shows in IP >> Cloud again. By the way, that picture shows a private IP; is that from your ISP or your VPN provider? Personally I had a similar case to yours: my ISP doesn't have a public IP, so I am using ZeroTier to remote into the MikroTik. It works kind of like a VPN, using an Ubuntu machine or a Raspberry Pi to host ZeroTier for access to the MikroTik router. It works and, more importantly, it's free.
 
runbound
Member Candidate
Topic Author
Posts: 125
Joined: Fri Apr 19, 2013 9:28 am

Re: VPN public IP can't ping

Mon Mar 15, 2021 5:51 pm

Please help. I have a public IP but I can't remote into my MikroTik from outside, nor can I ping my public IP.
Can anyone help me?
Hmm, maybe you can add a route for cloud2.mikrotik.com (159.148.147.201) and cloud.mikrotik.com (159.148.147.229) to the VPN gateway, then check what IP shows in IP >> Cloud again. By the way, that picture shows a private IP; is that from your ISP or your VPN provider? Personally I had a similar case to yours: my ISP doesn't have a public IP, so I am using ZeroTier to remote into the MikroTik. It works kind of like a VPN, using an Ubuntu machine or a Raspberry Pi to host ZeroTier for access to the MikroTik router. It works and, more importantly, it's free.
Hi sir, it's not working. It's from the VPN public IP, sir.
 
runbound
Member Candidate
Topic Author
Posts: 125
Joined: Fri Apr 19, 2013 9:28 am

Re: VPN public IP can't ping

Mon Mar 15, 2021 5:52 pm

Can anyone help us?
 
dioeyandika
just joined
Posts: 19
Joined: Fri Feb 08, 2019 11:30 am

Re: VPN public IP can't ping

Wed Mar 17, 2021 3:35 am

I am kind of confused; you marked this as solved. You can ask the VPN provider to open the Winbox port (8291), and did you add a route to the VPN gateway for the MikroTik cloud IP addresses? Anyway, can you show a screenshot of IP >> Cloud after adding the MikroTik cloud IP addresses?
 
runbound
Member Candidate
Topic Author
Posts: 125
Joined: Fri Apr 19, 2013 9:28 am

Re: VPN public IP can't ping

Sat Mar 20, 2021 2:10 am

I am kind of confused; you marked this as solved. You can ask the VPN provider to open the Winbox port (8291), and did you add a route to the VPN gateway for the MikroTik cloud IP addresses? Anyway, can you show a screenshot of IP >> Cloud after adding the MikroTik cloud IP addresses?
Sorry sir, I accidentally clicked the solve button.

These are my attached files.
If my VPN details are on the MikroTik, I can't ping my public IP from outside:
ipcloud.png

When my VPN is on my Windows computer and the firewall is off, I can ping my VPN public IP from outside:
firewall off.png
 
dioeyandika
just joined
Posts: 19
Joined: Fri Feb 08, 2019 11:30 am

Re: VPN public IP can't ping

Sat Mar 20, 2021 3:50 am

You need to add a firewall rule in IP >> Firewall >> Filter; add this:
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
That is the default firewall rule to allow ping from outside. Can you show me your config of IP >> Firewall >> Filter?
 
runbound
Member Candidate
Topic Author
Posts: 125
Joined: Fri Apr 19, 2013 9:28 am

Re: VPN public IP can't ping

Sat Mar 20, 2021 6:59 am

You need to add a firewall rule in IP >> Firewall >> Filter; add this:
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
That is the default firewall rule to allow ping from outside. Can you show me your config of IP >> Firewall >> Filter?
Same problem sir, can't ping from outside.
These are my only filter rules:

/ip firewall filter
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=forward comment="NO MODEM ACCESS" dst-address=\
192.168.0.1 dst-port=80 protocol=tcp src-address=192.168.175.251
add action=accept chain=forward dst-address=192.168.1.1 dst-port=80 protocol=\
tcp src-address=192.168.175.251
add action=accept chain=forward dst-address=192.168.2.1 dst-port=80 protocol=\
tcp src-address=192.168.175.251
add action=accept chain=forward dst-address=192.168.176.0/24 dst-port=80 \
protocol=tcp src-address=192.168.175.251
add action=accept chain=forward dst-address=192.168.176.0/24 dst-port=80 \
protocol=tcp src-address=172.16.61.254
add action=drop chain=forward dst-address=192.168.176.0/24 dst-port=80 \
protocol=tcp src-address=192.168.175.0/24
add action=drop chain=forward dst-address=192.168.1.1 dst-port=80 protocol=\
tcp src-address=192.168.175.2-192.168.176.254
add action=drop chain=forward dst-address=192.168.1.1 dst-port=80 protocol=\
tcp src-address=172.16.60.2-172.16.61.253
add action=drop chain=forward dst-address=192.168.1.1 dst-port=80 protocol=\
tcp src-address=10.5.10.0/24
add action=drop chain=forward dst-address=192.168.1.1 dst-port=80 protocol=\
tcp src-address=10.5.11.0/24
add action=drop chain=forward dst-address=192.168.1.1 dst-port=80 protocol=\
tcp src-address=10.5.12.0/24
add action=drop chain=forward dst-address=192.168.2.1 dst-port=80 protocol=\
tcp src-address=192.168.175.2-192.168.176.254
add action=drop chain=forward dst-address=192.168.2.1 dst-port=80 protocol=\
tcp src-address=172.16.60.2-172.16.61.253
add action=drop chain=forward dst-address=192.168.2.1 dst-port=80 protocol=\
tcp src-address=10.5.10.0/24
add action=drop chain=forward dst-address=192.168.2.1 dst-port=80 protocol=\
tcp src-address=10.5.11.0/24
add action=drop chain=forward dst-address=192.168.2.1 dst-port=80 protocol=\
tcp src-address=10.5.12.0/24
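Two things stand out in the posted export and filter rules, and the following RouterOS 6.x configuration is an added example that addresses both; it is not from this thread or from MikroTik's default configuration. First, the mangle rules in the export mark traffic with new-routing-mark=vpn_ian while the only route via gateway VPN carries routing-mark=vpn, and nothing marks the router's own replies: a packet that arrives on the VPN interface is answered via the main default route (WAN1), so the reply never goes back through the tunnel. Second, the filter has no drop rule in the input chain, and the default policy of a RouterOS chain is accept, so once the VPN public IP has "all ports open" every service on the router (www on 82, Winbox on 8292, SSH, API, SSTP) is reachable from the whole internet, not just ICMP. The interface name VPN is taken from the export; the address list mgmt-allowed and the address 203.0.113.10 (a documentation range) are hypothetical placeholders to replace. PPTP itself (MS-CHAPv2) is kept only because it is what the thread uses; it is not a secure tunnel for management traffic.

```routeros
# Added example, not part of the original thread. Assumes RouterOS 6.x syntax and a
# PPTP client interface named "VPN" (as in the posted export). "mgmt-allowed" and
# 203.0.113.10 are hypothetical placeholders: put your real admin source address(es) there.
/ip firewall address-list
add list=mgmt-allowed address=203.0.113.10 comment="admin host (placeholder, replace)"

# 1) Return-path routing. Tag every connection that enters through the tunnel, then
#    force the replies back out through the tunnel instead of the main default route.
/ip firewall mangle
add chain=prerouting in-interface=VPN connection-state=new action=mark-connection \
    new-connection-mark=from-vpn passthrough=yes comment="connection arrived via VPN"
# replies generated by the router itself (ping, Winbox, SSH to the VPN address)
add chain=output connection-mark=from-vpn action=mark-routing \
    new-routing-mark=vpn passthrough=no comment="router replies leave via VPN"
# replies from LAN hosts behind dst-nat'd ports, if any
add chain=prerouting in-interface=!VPN connection-mark=from-vpn action=mark-routing \
    new-routing-mark=vpn passthrough=no comment="forwarded replies leave via VPN"

# The routing mark above must match an existing route. The export already has this
# one (routing-mark=vpn via gateway VPN); it is repeated here so the example is complete.
/ip route
add dst-address=0.0.0.0/0 gateway=VPN routing-mark=vpn distance=2 comment=VPN

# 2) Input chain with a terminating drop for the tunnel interface. Order matters:
#    RouterOS evaluates rules top to bottom and the first match wins.
/ip firewall filter
add chain=input connection-state=established,related action=accept \
    comment="accept established/related"
add chain=input connection-state=invalid action=drop comment="drop invalid"
add chain=input in-interface=VPN protocol=icmp limit=10/1s,20:packet action=accept \
    comment="ICMP from the tunnel, rate limited"
add chain=input in-interface=VPN protocol=tcp dst-port=8292,22 \
    src-address-list=mgmt-allowed action=accept \
    comment="Winbox (8292 in this export) and SSH only from the admin list"
add chain=input in-interface=VPN action=drop comment="drop everything else from VPN"
```

Verify from the router first: /ping from the router with src-address set to the tunnel address shows whether the tunnel carries the router's own traffic, and /ip firewall connection print where connection-mark=from-vpn shows whether inbound connections are being tagged. Only then test from outside; if the rate-limited ICMP rule answers but Winbox does not, the source address you are testing from is not in mgmt-allowed, which is the intended behaviour. The same pattern applies to the WAN1 interface: without an input drop rule there as well, the LAN-side services remain exposed on whichever address the ISP assigns.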
 
dioeyandika
just joined
Posts: 19
Joined: Fri Feb 08, 2019 11:30 am

Re: VPN public IP can't ping

Sat Mar 20, 2021 8:26 am

You need to add a firewall rule in IP >> Firewall >> Filter; add this:
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
That is the default firewall rule to allow ping from outside. Can you show me your config of IP >> Firewall >> Filter?
Same problem sir, can't ping from outside.
These are my only filter rules:

/ip firewall filter
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=forward comment="NO MODEM ACCESS" dst-address=\
192.168.0.1 dst-port=80 protocol=tcp src-address=192.168.175.251
add action=accept chain=forward dst-address=192.168.1.1 dst-port=80 protocol=\
tcp src-address=192.168.175.251
add action=accept chain=forward dst-address=192.168.2.1 dst-port=80 protocol=\
tcp src-address=192.168.175.251
add action=accept chain=forward dst-address=192.168.176.0/24 dst-port=80 \
protocol=tcp src-address=192.168.175.251
add action=accept chain=forward dst-address=192.168.176.0/24 dst-port=80 \
protocol=tcp src-address=172.16.61.254
add action=drop chain=forward dst-address=192.168.176.0/24 dst-port=80 \
protocol=tcp src-address=192.168.175.0/24
add action=drop chain=forward dst-address=192.168.1.1 dst-port=80 protocol=\
tcp src-address=192.168.175.2-192.168.176.254
add action=drop chain=forward dst-address=192.168.1.1 dst-port=80 protocol=\
tcp src-address=172.16.60.2-172.16.61.253
add action=drop chain=forward dst-address=192.168.1.1 dst-port=80 protocol=\
tcp src-address=10.5.10.0/24
add action=drop chain=forward dst-address=192.168.1.1 dst-port=80 protocol=\
tcp src-address=10.5.11.0/24
add action=drop chain=forward dst-address=192.168.1.1 dst-port=80 protocol=\
tcp src-address=10.5.12.0/24
add action=drop chain=forward dst-address=192.168.2.1 dst-port=80 protocol=\
tcp src-address=192.168.175.2-192.168.176.254
add action=drop chain=forward dst-address=192.168.2.1 dst-port=80 protocol=\
tcp src-address=172.16.60.2-172.16.61.253
add action=drop chain=forward dst-address=192.168.2.1 dst-port=80 protocol=\
tcp src-address=10.5.10.0/24
add action=drop chain=forward dst-address=192.168.2.1 dst-port=80 protocol=\
tcp src-address=10.5.11.0/24
add action=drop chain=forward dst-address=192.168.2.1 dst-port=80 protocol=\
tcp src-address=10.5.12.0/24
Try disabling every other rule except the ICMP one, then try again.
 
runbound
Member Candidate
Topic Author
Posts: 125
Joined: Fri Apr 19, 2013 9:28 am

Re: VPN public IP can't ping

Sun Mar 21, 2021 6:54 am

Same problem sir, can't ping from outside.
 
dioeyandika
just joined
Posts: 19
Joined: Fri Feb 08, 2019 11:30 am

Re: VPN public IP can't ping

Sun Mar 21, 2021 7:50 am

Same problem sir, can't ping from outside.
Is that a different MikroTik router? Why would ping need a routing table? That's kind of weird. Try pinging 8498080....sn..mynetname.net from outside; if it replies, it should be good. Maybe this guide can help: https://mhitips.wordpress.com/2016/04/0 ... -routeros/
 
runbound
Member Candidate
Topic Author
Posts: 125
Joined: Fri Apr 19, 2013 9:28 am

Re: VPN public IP can't ping

Sun Mar 21, 2021 10:36 am

Sir, can I request a TeamViewer session?
