Hi,
I am unable to access any kind of management while connected to the router via ipsec vpn. I thought I added the access rule that should allow this to work however it did not. Here is the rule I added. add action=accept chain=input comment="VPN MGMT" in-interface=ether1 ipsec-policy=in,ipsec
I should also add that everything else is working while connected via the VPN. I am able to access my local network.
Thanks for the advise in advance.
# apr/20/2018 10:46:31 by RouterOS 6.41.3
# software id = 4S6E-7VCB
#
# model = 750
# serial number = 467802215213
/caps-man channel
add band=2ghz-b/g/n control-channel-width=20mhz name=2.4
add band=5ghz-onlyac control-channel-width=20mhz extension-channel=eCee name=\
5
/interface bridge
add fast-forward=no name=GuestNetwork
add admin-mac=D4:CA:6D:F3:F3:3E auto-mac=no comment=defconf name=HomeNet
/interface ethernet
set [ find default-name=ether1 ] comment="Wan Interface"
set [ find default-name=ether2 ] comment=LAN
set [ find default-name=ether3 ] comment=LAN
/caps-man datapath
add bridge=HomeNet name=datapath1
/caps-man security
add authentication-types=wpa-psk,wpa2-psk comment="" encryption=\
aes-ccm,tkip name=security1 passphrase=
/caps-man configuration
add channel=2.4 country="united states3" datapath=datapath1 mode=ap name=\
homenet security=security1 ssid=myster24
add channel=5 country="united states3" datapath=datapath1 mode=ap name=\
homenet2 rx-chains=0,1,2 security=security1 ssid=mystery5 tx-chains=0,1,2
/caps-man interface
add configuration=homenet disabled=no l2mtu=1600 mac-address=\
CC:2D:E0:1D:6A:BB master-interface=none name=cap12 radio-mac=\
CC:2D:E0:1D:6A:BB
add configuration=homenet2 disabled=no l2mtu=1600 mac-address=\
CC:2D:E0:1D:6A:BA master-interface=none name=cap13 radio-mac=\
CC:2D:E0:1D:6A:BA
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip pool
add name=dhcp ranges=192.168.2.60-192.168.2.80
add name=vpn ranges=192.168.89.2-192.168.89.255
/ip dhcp-server
add address-pool=dhcp disabled=no interface=HomeNet lease-time=8h name=\
bridge1
/ppp profile
set *FFFFFFFE local-address=192.168.89.1 remote-address=vpn
/caps-man manager
set enabled=yes
/caps-man provisioning
add action=create-dynamic-enabled hw-supported-modes=gn master-configuration=\
homenet
add action=create-dynamic-enabled hw-supported-modes=ac master-configuration=\
homenet2
/interface bridge port
add bridge=HomeNet comment=defconf interface=ether2
add bridge=HomeNet comment=defconf interface=ether3
add bridge=HomeNet comment=defconf interface=ether4
add bridge=HomeNet comment=defconf interface=ether5
/ip neighbor discovery-settings
set discover-interface-list=all
/interface l2tp-server server
set authentication=chap,mschap2 enabled=yes ipsec-secret= use-ipsec=\
yes
/interface list member
add comment=defconf interface=HomeNet list=LAN
add comment=defconf interface=ether1 list=WAN
/interface pptp-server server
set enabled=yes
/interface sstp-server server
set default-profile=default-encryption enabled=yes
/ip address
add address=192.168.2.1/24 comment=defconf interface=ether2 network=\
192.168.2.0
add address=192.168.10.1/24 interface=GuestNetwork network=192.168.10.0
/ip cloud
set ddns-enabled=yes
/ip dhcp-client
add comment=defconf dhcp-options=hostname,clientid disabled=no interface=\
ether1
/ip dhcp-server network
add address=192.168.2.0/24 comment=defconf gateway=192.168.2.1 netmask=24
/ip dns
set allow-remote-requests=yes servers=192.168.2.1
/ip dns static
add address=192.168.2.1 name=router.lan
add address=192.168.2.7 name=cloud.warllo.org
add address=192.168.2.7 name=office.warllo.org
add address=192.168.2.11 name=tv.warllo.org
/ip firewall filter
add action=accept chain=input comment=\
"defconf: accept established,related,untracked" connection-state=\
established,related,untracked
add action=accept chain=input comment="allow IPsec NAT" dst-port=4500 \
protocol=udp
add action=accept chain=input comment="allow IKE" dst-port=500 protocol=udp
add action=accept chain=input comment="allow l2tp" dst-port=1701 protocol=udp
add action=accept chain=input comment="allow pptp" dst-port=1723 protocol=tcp
add action=accept chain=input comment="allow sstp" dst-port=443 protocol=tcp
add action=accept chain=input comment="VPN MGMT" in-interface=ether1 \
ipsec-policy=in,ipsec
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
connection-state=established,related
add action=accept chain=forward comment=\
"defconf: accept established,related, untracked" connection-state=\
established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
connection-state=invalid
add action=drop chain=forward comment=\
"defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
connection-state=new in-interface-list=WAN
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" \
ipsec-policy=out,none out-interface-list=WAN
add action=dst-nat chain=dstnat comment="Nas Login" dst-port=8080 \
in-interface=ether1 protocol=tcp to-addresses=192.168.2.4 to-ports=8080
add action=dst-nat chain=dstnat comment="Open Vpn" dst-port=20500 \
in-interface=ether1 protocol=tcp to-addresses=192.168.2.2 to-ports=20500
add action=dst-nat chain=dstnat comment="Open Vpn" dst-port=1194 \
in-interface=ether1 protocol=udp to-addresses=192.168.2.2 to-ports=1194
add action=dst-nat chain=dstnat comment=Next-cloud-https dst-port=443 \
in-interface=ether1 protocol=tcp to-addresses=192.168.2.7 to-ports=443
add action=dst-nat chain=dstnat comment="Collabra office " dst-port=9980 \
in-interface=ether1 protocol=tcp to-addresses=192.168.2.7 to-ports=9980
add action=dst-nat chain=dstnat comment=Plex dst-port=32400 in-interface=\
ether1 protocol=tcp to-addresses=192.168.2.11 to-ports=32400
add action=masquerade chain=srcnat comment="masq. vpn traffic" src-address=\
192.168.89.0/24
/ip service
set www port=81
/ip upnp
set enabled=yes
/ppp secret
add name=vpn password= service=l2tp
/system clock
set time-zone-name=America/Chicago
/system leds
add interface=ether1 leds=user-led type=interface-transmit
/system scheduler
add comment="Update No-IP DDNS" interval=5m name=no-ip_ddns_update on-event=\
no-ip_ddns_update policy=read,write,test start-date=mar/17/2018 \
start-time=16:11:01
/system script
add name=no-ip_ddns_update owner=admin policy=read,write,test source="# No-IP \
automatic Dynamic DNS update\r\
\n\r\
\n#--------------- Change Values in this section to match your setup -----\
-------------\r\
\n\r\
\n# No-IP User account info\r\
\n:local noipuser \"\"\r\
\n:local noippass \"\"\r\
\n\r\
\n# Set the hostname or label of network to be updated.\r\
\n# Hostnames with spaces are unsupported. Replace the value in the quotat\
ions below with your host names.\r\
\n# To specify multiple hosts, separate them with commas.\r\
\n:local noiphost \"office.warllo.org,ftp.warllo.org,cloud.warllo.org,tv.w\
arllo.org\"\r\
\n\r\
\n# Change to the name of interface that gets the dynamic IP address\r\
\n:local inetinterface \"ether1\"\r\
\n\r\
\n#-----------------------------------------------------------------------\
-------------\r\
\n# No more changes need\r\
\n\r\
\n:global previousIP\r\
\n\r\
\n:if ([/interface get \$inetinterface value-name=running]) do={\r\
\n# Get the current IP on the interface\r\
\n :local currentIP [/ip address get [find interface=\"\$inetinterface\"\
\_disabled=no] address]\r\
\n\r\
\n# Strip the net mask off the IP address\r\
\n :for i from=( [:len \$currentIP] - 1) to=0 do={\r\
\n :if ( [:pick \$currentIP \$i] = \"/\") do={ \r\
\n :set currentIP [:pick \$currentIP 0 \$i]\r\
\n } \r\
\n }\r\
\n\r\
\n :if (\$currentIP != \$previousIP) do={\r\
\n :log info \"No-IP: Current IP \$currentIP is not equal to previou\
s IP, update needed\"\r\
\n :set previousIP \$currentIP\r\
\n\r\
\n# The update URL. Note the \"\\3F\" is hex for question mark (\?). Requi\
red since \? is a special character in commands.\r\
\n :local url \"http://dynupdate.no-ip.com/nic/update\\3Fmyip=\$curr\
entIP\"\r\
\n :local noiphostarray\r\
\n :set noiphostarray [:toarray \$noiphost]\r\
\n :foreach host in=\$noiphostarray do={\r\
\n :log info \"No-IP: Sending update for \$host\"\r\
\n /tool fetch url=(\$url . \"&hostname=\$host\") user=\$noipuse\
r password=\$noippass mode=http dst-path=(\"no-ip_ddns_update-\" . \$host \
. \".txt\")\r\
\n :log info \"No-IP: Host \$host updated on No-IP with IP \$cur\
rentIP\"\r\
\n }\r\
\n } else={\r\
\n :log info \"No-IP: Previous IP \$previousIP is equal to current I\
P, no update needed\"\r\
\n }\r\
\n} else={\r\
\n :log info \"No-IP: \$inetinterface is not currently running, so there\
fore will not update.\"\r\
\n}\r\
\n\r\
\n"
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN