matejk
just joined
Topic Author
Posts: 2
Joined: Fri Jul 12, 2019 5:49 pm

Mikrotik Web Interface not accessible via VPN on remote router

Fri Jul 12, 2019 6:43 pm

I'm one of the many who have some problems when accessing WebFig when connected via VPN. It's been driving me slightly mad for the last 24 hours; both export files are included. Any help or suggestions are most welcome!

I have 2 MikroTik routers, both with just the basic config, a fixed WAN IP, plus VPN for remote admin and access.
Router 1 is a RouterBOARD 962UiGS-5HacT2HnT. When a VPN connection is established, I can ping the router IP on 192.168.88.1, open WebFig and/or an SSH session, and access the internal LAN devices on 192.168.88.X.
Router 2 is a RBD52G-5HacD2HnD, again with just the basic configuration (after a factory reset). However, when a VPN connection is opened to it, I can ping it on 192.168.1.1 and access the devices on the internal LAN 192.168.1.X, BUT I CAN'T open WebFig or an SSH session.

I tried many of the solutions reported in previous posts (adding firewall rules to not drop all traffic, adding IP ranges to ip/service...), but nothing fixes the problem on "Router 2". It's even more frustrating since both routers use just the basic "factory" config. The only difference is a minor difference in RouterOS versions, but I'm not upgrading "Router 1" until I can solve this issue.

Router 1 Export:
# jul/12/2019 16:00:17 by RouterOS 6.44.3
# software id = SA5N-TJ8C
#
# model = RouterBOARD 962UiGS-5HacT2HnT
/interface bridge
add admin-mac=6C:3B:6B:11:FC:09 auto-mac=no comment=defconf fast-forward=no \
name=bridge
/interface ethernet
set [ find default-name=ether1 ] speed=100Mbps
set [ find default-name=ether2 ] name=ether2-master speed=100Mbps
set [ find default-name=ether3 ] speed=100Mbps
set [ find default-name=ether4 ] speed=100Mbps
set [ find default-name=ether5 ] speed=100Mbps
set [ find default-name=sfp1 ] advertise=\
10M-half,10M-full,100M-half,100M-full,1000M-half,1000M-full
/interface wireless
set [ find default-name=wlan1 ] band=2ghz-b/g/n channel-width=20/40mhz-Ce \
comment="WLAN 2.4ghz" disabled=no distance=indoors frequency=auto mode=\
ap-bridge ssid=Mikro2G wireless-protocol=802.11
set [ find default-name=wlan2 ] band=5ghz-a/n/ac channel-width=20/40mhz-Ce \
comment="WLAN 5ghz" disabled=no distance=indoors frequency=auto mode=\
ap-bridge ssid=Mikro5G wireless-protocol=802.11
/interface wireless manual-tx-power-table
set wlan1 comment="WLAN 2.4ghz"
set wlan2 comment="WLAN 5ghz"
/interface wireless nstreme
set wlan1 comment="WLAN 2.4ghz"
set wlan2 comment="WLAN 5ghz"
/interface list
add exclude=dynamic name=discover
add name=mactel
add name=mac-winbox
add name=WAN
/interface wireless security-profiles
set [ find default=yes ] authentication-types=wpa-psk,wpa2-psk mode=\
dynamic-keys supplicant-identity=MikroTik
add authentication-types=wpa-psk,wpa2-psk mode=dynamic-keys name=profile \
supplicant-identity=MikroTik
/interface wireless
add disabled=no mac-address=6E:3B:6B:11:FC:0F master-interface=wlan1 name=\
wlan3 security-profile=profile ssid=new
add disabled=no mac-address=6E:3B:6B:11:FC:0E master-interface=wlan2 name=\
wlan4 security-profile=profile ssid=new
/ip hotspot profile
set [ find default=yes ] html-directory=flash/hotspot
/ip pool
add name=dhcp ranges=192.168.88.100-192.168.88.150
add name=vpn ranges=192.168.89.2-192.168.89.255
/ip dhcp-server
add address-pool=dhcp authoritative=after-2sec-delay disabled=no interface=\
bridge name=defconf
/ppp profile
set *FFFFFFFE local-address=192.168.89.1 remote-address=vpn
/snmp community
set [ find default=yes ] addresses=0.0.0.0/0
/interface bridge filter
add action=drop chain=forward in-interface=wlan3
add action=drop chain=forward out-interface=wlan3
add action=drop chain=forward in-interface=wlan4
add action=drop chain=forward out-interface=wlan4
/interface bridge port
add bridge=bridge comment=defconf interface=ether2-master
add bridge=bridge comment=defconf hw=no interface=sfp1
add bridge=bridge comment=defconf interface=wlan1
add bridge=bridge comment=defconf interface=wlan2
add bridge=bridge interface=wlan3
add bridge=bridge interface=wlan4
add bridge=bridge interface=ether3
add bridge=bridge interface=ether4
add bridge=bridge interface=ether5
/ip neighbor discovery-settings
set discover-interface-list=discover
/interface detect-internet
set detect-interface-list=all
/interface l2tp-server server
set enabled=yes use-ipsec=yes
/interface list member
add interface=wlan1 list=discover
add interface=ether2-master list=discover
add interface=ether3 list=discover
add interface=ether4 list=discover
add interface=ether5 list=discover
add interface=sfp1 list=discover
add interface=wlan2 list=discover
add interface=bridge list=discover
add interface=wlan3 list=discover
add interface=wlan4 list=discover
add interface=ether2-master list=mactel
add interface=wlan1 list=mactel
add interface=ether2-master list=mac-winbox
add interface=wlan2 list=mactel
add interface=wlan1 list=mac-winbox
add interface=sfp1 list=mactel
add interface=wlan2 list=mac-winbox
add interface=wlan3 list=mactel
add interface=sfp1 list=mac-winbox
add interface=wlan4 list=mactel
add interface=wlan3 list=mac-winbox
add interface=wlan4 list=mac-winbox
add interface=ether1 list=WAN
add interface=bridge list=mactel
/interface pptp-server server
set enabled=yes
/interface sstp-server server
set default-profile=default-encryption enabled=yes
/ip address
add address=192.168.88.1/24 comment=defconf interface=ether2-master network=\
192.168.88.0
add address=777.777.238.232/16 interface=ether1 network=777.777.0.0
/ip cloud
set ddns-enabled=yes
/ip dhcp-client
add comment=defconf dhcp-options=hostname,clientid interface=ether1
/ip dhcp-server network
add address=192.168.88.0/24 comment=defconf gateway=192.168.88.1 netmask=24
/ip dns
set allow-remote-requests=yes servers=1.1.1.1,8.8.8.8
/ip dns static
add address=192.168.88.1 name=router
/ip firewall filter
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment="defconf: accept established,related" \
connection-state=established,related
add action=accept chain=input comment="allow l2tp" dst-port=1701 protocol=udp
add action=accept chain=input comment="allow pptp" dst-port=1723 protocol=tcp
add action=accept chain=input comment="allow sstp" dst-port=443 protocol=tcp
add action=drop chain=input comment="defconf: drop all from WAN" \
in-interface=ether1
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
connection-state=established,related
add action=accept chain=forward comment="defconf: accept established,related" \
connection-state=established,related
add action=drop chain=forward comment="defconf: drop invalid" \
connection-state=invalid
add action=drop chain=forward comment=\
"defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
connection-state=new in-interface=ether1
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" \
out-interface=ether1
add action=masquerade chain=srcnat comment="masq. vpn traffic" src-address=\
192.168.89.0/24
/ip route
add distance=1 gateway=89.212.0.1
/ip smb shares
set [ find default=yes ] directory=/pub
/ip ssh
set allow-none-crypto=yes forwarding-enabled=remote
/ppp secret
add name=vpn
add name=matejk
/system clock
set time-zone-name=Europe/
/system identity
set name="MikroTik P2"
/system leds
set 1 interface=wlan2
/tool graphing
set store-every=24hours
/tool graphing interface
add interface=ether1
add interface=wlan1
add interface=wlan2
/tool mac-server
set allowed-interface-list=mactel
/tool mac-server mac-winbox
set allowed-interface-list=mac-winbox

Router 2 Export:
# jul/12/2019 15:57:22 by RouterOS 6.45.1
# software id = A0J2-H9IA
#
# model = RBD52G-5HacD2HnD
/interface bridge
add admin-mac=74:4D:28:95:AC:51 auto-mac=no comment=defconf name=bridge
/interface wireless
set [ find default-name=wlan1 ] band=2ghz-b/g/n channel-width=20/40mhz-XX \
disabled=no distance=indoors frequency=auto installation=indoor mode=\
ap-bridge ssid=MikroTik-95AC55 wireless-protocol=802.11
set [ find default-name=wlan2 ] antenna-gain=3 band=5ghz-a/n/ac \
channel-width=20/40/80mhz-XXXX country= disabled=no distance=\
indoors frequency=auto frequency-mode=regulatory-domain installation=\
indoor mode=ap-bridge ssid=MikroTik-95AC56 wireless-protocol=802.11
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface wireless security-profiles
set [ find default=yes ] authentication-types=wpa2-psk mode=dynamic-keys \
supplicant-identity=MikroTik
/ip hotspot profile
set [ find default=yes ] html-directory=flash/hotspot
/ip pool
add name=dhcp ranges=192.168.1.100-192.168.1.200
add name=vpn ranges=192.168.89.2-192.168.89.255
/ip dhcp-server
add address-pool=dhcp disabled=no interface=bridge name=defconf
/ppp profile
set *FFFFFFFE local-address=192.168.89.1 remote-address=vpn
/interface bridge port
add bridge=bridge comment=defconf interface=ether2
add bridge=bridge comment=defconf interface=ether3
add bridge=bridge comment=defconf interface=ether4
add bridge=bridge comment=defconf interface=ether5
add bridge=bridge comment=defconf interface=wlan1
add bridge=bridge comment=defconf interface=wlan2
/ip neighbor discovery-settings
set discover-interface-list=LAN
/interface l2tp-server server
set enabled=yes use-ipsec=yes
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=ether1 list=WAN
/interface pptp-server server
set enabled=yes
/interface sstp-server server
set default-profile=default-encryption enabled=yes
/ip address
add address=192.168.1.1/24 comment=defconf interface=ether2 network=\
192.168.1.0
add address=777.777.238.235/16 interface=ether1 network=777.777.0.0
/ip cloud
set ddns-enabled=yes
/ip dhcp-client
add comment=defconf dhcp-options=hostname,clientid interface=ether1
/ip dhcp-server network
add address=192.168.1.0/24 comment=defconf gateway=192.168.1.1 netmask=24
/ip dns
set allow-remote-requests=yes servers=1.1.1.1,8.8.8.8
/ip dns static
add address=192.168.1.1 comment=defconf name=router.lan
/ip firewall filter
add action=accept chain=input comment=\
"defconf: accept established,related,untracked" connection-state=\
established,related,untracked
add action=accept chain=input comment="allow IPsec NAT" dst-port=4500 \
protocol=udp
add action=accept chain=input comment="allow IKE" dst-port=500 protocol=udp
add action=accept chain=input comment="allow l2tp" dst-port=1701 protocol=udp
add action=accept chain=input comment="allow pptp" dst-port=1723 protocol=tcp
add action=accept chain=input comment="allow sstp" dst-port=443 protocol=tcp
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment=\
"defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
connection-state=established,related
add action=accept chain=forward comment=\
"defconf: accept established,related, untracked" connection-state=\
established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
connection-state=invalid
add action=drop chain=forward comment=\
"defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
connection-state=new in-interface-list=WAN
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" \
ipsec-policy=out,none out-interface-list=WAN
add action=masquerade chain=srcnat comment="masq. vpn traffic" src-address=\
192.168.89.0/24
/ip route
add distance=1 gateway=89.212.0.1
/ppp secret
add name=vpn
/system clock
set time-zone-name=Europe/
/system identity
set name="MikroTik ac2"
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN
Again, many thanks for any help or suggestions!
Matej
Last edited by matejk on Sat Jul 13, 2019 11:58 pm, edited 1 time in total.
 
2frogs
Long time Member
Posts: 540
Joined: Fri Dec 03, 2010 1:38 am

Re: Mikrotik Web Interface not accessible via VPN on remote router

Fri Jul 12, 2019 8:24 pm

There are actually major differences between the 2 routers when you consider the firewall rules.

On Router 1, the default drop for input is dropping all from ether1, which is your WAN. By default it is accepting from all other ports, including all other ethers, wlans, bridges, l2tp, etc.
/ip firewall filter
add action=drop chain=input comment="defconf: drop all from WAN" in-interface=ether1
On Router 2, the default drop for input is dropping all not from interface list LAN. The only interface in list for LAN is the bridge. You can either add l2tp to LAN list or change rule to drop from WAN list.
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=ether1 list=WAN

/ip firewall filter
add action=drop chain=input comment="defconf: drop all not coming from LAN" in-interface-list=!LAN
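The following is an added example, not part of the thread, showing how to confirm on Router 2 which interface the VPN packets actually enter on before touching the drop rule, and what each of the two fixes above changes. It assumes the client logs in with the `/ppp secret` user `vpn` from the export; RouterOS then creates a dynamic interface named `<l2tp-vpn>` for the session, and that interface is not a member of any interface list unless something puts it there. The log line shown is an approximation of the format RouterOS writes, not captured output.

```routeros
# 1. What the input chain sees: dynamic tunnel interfaces exist only while the
#    session is up and are in no list by default, so in-interface-list=!LAN
#    matches them and the defconf rule drops the WebFig/SSH packets.
/interface print where dynamic
/interface list member print where list=LAN

# 2. Temporary log rule placed just above the defconf drop, to prove it.
/ip firewall filter add chain=input action=log log-prefix="input-drop: " \
    in-interface-list=!LAN \
    place-before=[find comment="defconf: drop all not coming from LAN"]
/log print where message~"input-drop"
# While a VPN client on 192.168.89.2 opens WebFig, expect a line roughly like:
#   input-drop: input: in:<l2tp-vpn> out:(unknown 0), proto TCP (SYN), 192.168.89.2:49152->192.168.89.1:80

# 3a. Fix that keeps the allow-list model: bind the user to a named interface
#     and make that interface a LAN member (the dynamic name is not usable here
#     because it comes and goes with the session).
/interface l2tp-server add name=l2tp-vpn user=vpn
/interface list member add interface=l2tp-vpn list=LAN

# 3b. Fix that changes the model: drop only what comes from WAN. Everything that
#     is not in the WAN list (tunnels, and any new port you add later) then
#     reaches the router's services by default. Simpler, but it turns the
#     default-deny input chain into default-allow, so combine it with
#     /ip service address restrictions if you choose it.
/ip firewall filter set [find comment="defconf: drop all not coming from LAN"] \
    in-interface-list=WAN comment="defconf: drop all from WAN"

# 4. Remove the diagnostic rule when done.
/ip firewall filter remove [find log-prefix="input-drop: "]
```

Step 2 is the check worth doing on any MikroTik where "ping works but management does not": the forward chain (LAN devices) and the input chain (the router itself) are evaluated separately, so reachability of 192.168.1.X says nothing about what the input chain does with the same tunnel.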
 
matejk
just joined
Topic Author
Posts: 2
Joined: Fri Jul 12, 2019 5:49 pm

Re: Mikrotik Web Interface not accessible via VPN on remote router

Sat Jul 13, 2019 1:55 pm

2frogs, thanks for your help. I suspected that the rule
/ip firewall filter add action=drop chain=input comment="defconf: drop all not coming from LAN" in-interface-list=!LAN
was connected to the problem, since "!LAN" is defined too narrowly. I changed it to drop everything from WAN and now everything works as "planned":
add action=drop chain=input comment="defconf: drop all from WAN" in-interface-list=WAN
Question:
How can I add the VPN IP range and other internal networks to the "LAN" list so as to better restrict access to Router 2?

Again, many thanks for your insight, the solution seems so obvious once somebody points it out to you :)

M.
 
sindy
Forum Guru
Posts: 3942
Joined: Mon Dec 04, 2017 9:19 pm

Re: Mikrotik Web Interface not accessible via VPN on remote router

Sat Jul 13, 2019 2:21 pm

LAN is a list of interfaces (/interface list, /interface list member nodes of the configuration). For grouping addresses, you use /ip firewall address-list instead. From firewall rules, you refer to in-interface-list or out-interface-list, and to src-address-list and dst-address-list.
Instead of writing novels, post /export hide-sensitive. Use find&replace in your favourite text editor to systematically replace all occurrences of each public IP address potentially identifying you by a distinctive pattern such as my.public.ip.1.
 
2frogs
Long time Member
Posts: 540
Joined: Fri Dec 03, 2010 1:38 am

Re: Mikrotik Web Interface not accessible via VPN on remote router

Sat Jul 13, 2019 11:45 pm

Or add a script to the ppp profile to add/remove the interface when you log in/out (the profile's on-up/on-down scripts receive the session's interface name in $interface, so the member entry is matched by name rather than by "everything that is not the bridge", which would also remove statically added members):
on-up=/interface list member add list=LAN interface=$interface

on-down=/interface list member remove [find list=LAN interface=$interface]
Or you can also set l2tp server binding and set that interface to member list:
/interface l2tp-server
add name=VPN user=username

/interface list member
add interface=VPN list=LAN
 
sindy
Forum Guru
Posts: 3942
Joined: Mon Dec 04, 2017 9:19 pm

Re: Mikrotik Web Interface not accessible via VPN on remote router

Sun Jul 14, 2019 8:51 am

You don't even need a script for this. Each row of /ppp profile has items address-list and interface-list to which the IP address of the other end of the tunnel and the interface name (which is especially interesting at server side where the interface is created dynamically) are added when the user logs in and removed when the connection ends.

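Putting sindy's two points (address lists for addresses, the ppp profile's address-list and interface-list items for the dynamic session) and 2frogs' binding approach together, here is an added Router 2 configuration that answers the "how do I restrict access" question without giving up the default-deny input chain. It is example code written for this thread, not configuration from the posts. The 192.168.1.0/24 LAN, the 192.168.89.0/24 VPN pool, the default ppp profile and the defconf rule comment are taken from the Router 2 export; the list names `mgmt-addr` and `vpn-clients` and the choice of ports are assumptions for illustration.

```routeros
# 1. Let the default ppp profile (*FFFFFFFE in the export) do the bookkeeping.
#    interface-list=LAN adds the dynamic <l2tp-..>/<sstp-..>/<pptp-..> interface
#    to LAN for the life of the session, so "drop all not coming from LAN" no
#    longer matches VPN traffic and no on-up/on-down script is needed.
#    address-list=vpn-clients adds the client's tunnel address to that address
#    list while it is logged in, giving an address-based handle on the session.
/ppp profile set [find default=yes] interface-list=LAN address-list=vpn-clients

# 2. Static management sources. The VPN side is populated by step 1.
/ip firewall address-list add list=mgmt-addr address=192.168.1.0/24 comment="wired/wifi LAN"

# 3. Explicit management rules in front of the defconf drop: accept the
#    management ports (SSH 22, WebFig 80, WinBox 8291) only from the two lists,
#    drop them from anywhere else, then let the defconf rule handle the rest.
#    Matching on address lists rather than interfaces also covers a client
#    whose packets arrive on an unexpected interface.
/ip firewall filter add chain=input action=accept protocol=tcp dst-port=22,80,8291 \
    src-address-list=mgmt-addr comment="mgmt from LAN" \
    place-before=[find comment="defconf: drop all not coming from LAN"]
/ip firewall filter add chain=input action=accept protocol=tcp dst-port=22,80,8291 \
    src-address-list=vpn-clients comment="mgmt from VPN clients" \
    place-before=[find comment="defconf: drop all not coming from LAN"]
/ip firewall filter add chain=input action=drop protocol=tcp dst-port=22,80,8291 \
    comment="mgmt from anywhere else" \
    place-before=[find comment="defconf: drop all not coming from LAN"]

# 4. Second layer: bind the services themselves to the same sources.
#    /ip service takes subnets, not lists, so the VPN pool is spelled out.
/ip service set www address=192.168.1.0/24,192.168.89.0/24
/ip service set ssh address=192.168.1.0/24,192.168.89.0/24
/ip service set winbox address=192.168.1.0/24,192.168.89.0/24
/ip service disable telnet,ftp

# 5. Optional: once L2TP/IPsec and SSTP work, PPTP (MS-CHAPv2 over MPPE) is
#    not worth leaving open on the WAN.
/interface pptp-server server set enabled=no
/ip firewall filter disable [find comment="allow pptp"]

# 6. Check with a client logged in: both dynamic entries should appear,
#    and the counters on the three mgmt rules tell you which one is matching.
/interface list member print where list=LAN
/ip firewall address-list print where list=vpn-clients
/ip firewall filter print stats where comment~"mgmt"
```

The order in step 3 matters: RouterOS evaluates filter rules top to bottom and `place-before` inserts each new rule directly above the defconf drop, so the three rules end up in the order they are added here (accept LAN, accept VPN, drop the rest). Keeping the defconf `!LAN` drop in place means a tunnel type or port added later is denied until it is deliberately put into the LAN list, which is the property the `in-interface-list=WAN` variant gives up.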