 
FoleyWalkers
newbie
Topic Author
Posts: 28
Joined: Thu May 23, 2019 1:50 pm

Need to set up access to NAS openvpn

Thu Jul 18, 2019 6:05 pm

Hello!

We have a QNAP NAS D4 connected to the internet via a MikroTik RB951Ui-2HnD. I have installed the myQNAPcloud Connect app at home to get access to it via VPN and activated OpenVPN on the server. When I try to establish an OpenVPN or PPTP connection I get an endless spinning wheel in the myQNAPcloud Connect app. So I assumed I need to do something on the MikroTik?
 
FoleyWalkers
newbie
Topic Author
Posts: 28
Joined: Thu May 23, 2019 1:50 pm

Re: Need to set up access to NAS openvpn

Fri Jul 19, 2019 10:21 am

I've added the rule /ip firewall nat add action=dst-nat chain=dstnat dst-address-type=local dst-port=1194 protocol=udp to-addresses=192.168.0.8 and it didn't help
 
Sob
Forum Guru
Posts: 4810
Joined: Mon Apr 20, 2009 9:11 pm

Re: Need to set up access to NAS openvpn

Fri Jul 19, 2019 3:42 pm

I'm sure that your whole firewall has more rules than just this one. They can influence each other. And so far only you know about everything you have, anyone here can only guess.
People who quote full posts should be spanked with ethernet cable. Some exceptions for multi-topic threads may apply.
 
FoleyWalkers
newbie
Topic Author
Posts: 28
Joined: Thu May 23, 2019 1:50 pm

Re: Need to set up access to NAS openvpn

Fri Jul 19, 2019 10:00 pm

I hope I exported it correctly
# jul/19/2019 21:58:31 by RouterOS 6.43.8
# software id = WAIS-1BW7
#
# model = RouterBOARD 750G r3
# serial number = 8AFF08EE8010
/interface bridge
add admin-mac=CC:2D:E0:F1:9D:35 auto-mac=no comment=\
    "created from master port" name=bridge1 protocol-mode=none
/interface ethernet
set [ find default-name=ether1 ] speed=100Mbps
set [ find default-name=ether2 ] name=ether2-master speed=100Mbps
set [ find default-name=ether3 ] speed=100Mbps
set [ find default-name=ether4 ] speed=100Mbps
set [ find default-name=ether5 ] speed=100Mbps
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
add exclude=dynamic name=discover
add name=mactel
add name=mac-winbox
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip hotspot profile
set [ find default=yes ] html-directory=flash/hotspot
/ip pool
add name=dhcp ranges=192.168.0.110-192.168.0.140
/ip dhcp-server
add address-pool=dhcp disabled=no interface=bridge1 name=defconf
/interface bridge port
add bridge=bridge1 interface=ether3
add bridge=bridge1 interface=ether4
add bridge=bridge1 interface=ether5
add bridge=bridge1 interface=ether2-master
/ip neighbor discovery-settings
set discover-interface-list=discover
/interface list member
add comment=defconf interface=bridge1 list=LAN
add comment=defconf interface=ether1 list=WAN
add interface=bridge1 list=discover
add interface=ether3 list=discover
add interface=ether4 list=discover
add interface=ether5 list=discover
add interface=bridge1 list=mactel
add interface=bridge1 list=mac-winbox
/interface pptp-server server
set mrru=1500
/ip address
add address=192.168.0.1/24 comment=defconf interface=ether3 network=\
    192.168.0.0
add address=159.224.216.242/18 interface=ether1 network=159.224.192.0
/ip dhcp-client
add comment=defconf dhcp-options=hostname,clientid interface=ether1
/ip dhcp-server network
add address=192.168.0.0/24 comment=defconf gateway=192.168.0.1 netmask=24
/ip dns
set allow-remote-requests=yes servers=109.86.2.2
/ip dns static
add address=192.168.0.1 name=router.lan
/ip firewall filter
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" \
    connection-state=invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
    in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
    ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
    ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
    connection-state=established,related
add action=accept chain=forward comment=\
    "defconf: accept established,related, untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
add action=drop chain=forward comment=\
    "defconf:  drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
    connection-state=new in-interface-list=WAN
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" \
    ipsec-policy=out,none out-interface-list=WAN
add action=dst-nat chain=dstnat dst-port=8080 protocol=tcp to-addresses=\
    192.168.0.108 to-ports=8080
add action=dst-nat chain=dstnat dst-address-type=local dst-port=21 protocol=\
    tcp to-addresses=192.168.0.108 to-ports=21
add action=masquerade chain=srcnat dst-address=192.168.0.108 dst-port=21 \
    protocol=tcp src-address=192.168.0.0/24
add action=dst-nat chain=dstnat disabled=yes dst-address-type=local \
    dst-port=1194 protocol=udp to-addresses=192.168.0.8
add action=dst-nat chain=dstnat comment=OpenVPNServer dst-port=1194 \
    protocol=udp to-addresses=192.168.0.8 to-ports=0
/ip route
add distance=1 gateway=159.224.216.254
/ip service
set ftp address=0.0.0.0/0
/system clock
set time-zone-name=Europe/Kiev
/system resource irq rps
set ether1 disabled=no
set ether3 disabled=no
set ether4 disabled=no
set ether5 disabled=no
/tool mac-server
set allowed-interface-list=mactel
/tool mac-server mac-winbox
set allowed-interface-list=mac-winbox
/tool traffic-monitor
add disabled=yes interface=ether1 name=tmon1 threshold=0
[admin@MikroTik] >
 
Sob
Forum Guru
Posts: 4810
Joined: Mon Apr 20, 2009 9:11 pm

Re: Need to set up access to NAS openvpn

Sat Jul 20, 2019 12:31 am

The last dstnat rule (with to-ports=0) is wrong, because of to-ports and also because it does not in any way specify the original target address, so it will also catch outgoing OpenVPN connections. But the one before it is correct, except that it's disabled. So enable it and watch what happens. If it doesn't work, check whether its counter increases; if it does, packets from outside are reaching your router. If it does increase, use Tools->Torch on bridge1 and look for packets to 192.168.0.8:1194; you should see them. Also pay attention to the rx and tx columns. Packets in the tx column are going to the NAS, packets in the rx column are responses from the NAS. If there's tx but zero rx, check the config of the NAS.

Btw, you have quite unusual netmask on WAN.
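As an added example, not taken from the thread, here are the two port-forward rules from the export placed side by side, followed by the two checks Sob describes written out as CLI commands. The rule comment text and the in-interface-list=WAN restriction are my additions; the NAS address is the one assumed at this point in the thread (the thread later finds the NAS is actually 192.168.0.108), and the parameter names are as I know them from RouterOS 6.

```routeros
# WRONG (as exported): no dst-address / dst-address-type matcher, so every
# UDP packet to port 1194 that passes the router, including the LAN's own
# outgoing OpenVPN connections, gets rewritten; to-ports=0 also rewrites
# the destination port to 0.
# /ip firewall nat
# add action=dst-nat chain=dstnat comment=OpenVPNServer dst-port=1194 \
#     protocol=udp to-addresses=192.168.0.8 to-ports=0

# CORRECT: only packets addressed to one of the router's own addresses
# (dst-address-type=local) and arriving on a WAN interface are forwarded;
# the port is left unchanged. Use the NAS's real LAN address here.
/ip firewall nat
add action=dst-nat chain=dstnat comment="OpenVPN to NAS" \
    dst-address-type=local in-interface-list=WAN \
    dst-port=1194 protocol=udp to-addresses=192.168.0.8

# Check 1: is the rule seeing packets from outside? The packets/bytes
# counters must increase while the remote client is trying to connect.
/ip firewall nat print stats where comment="OpenVPN to NAS"

# Check 2: are the forwarded packets leaving towards the NAS and are
# replies coming back? Torch the LAN bridge for UDP port 1194 only.
# Packets in the Tx column go to the NAS, packets in Rx are its answers;
# Tx without Rx means the NAS side is not answering.
/tool torch interface=bridge1 ip-protocol=udp port=1194
```

Keep the masquerade rule for LAN-to-NAS hairpin traffic separate from this; the dstnat rule above only needs to decide which packets are rewritten, and the dst-address-type=local matcher is what prevents it from touching connections the LAN itself initiates.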
 
FoleyWalkers
newbie
Topic Author
Posts: 28
Joined: Thu May 23, 2019 1:50 pm

Re: Need to set up access to NAS openvpn

Sat Jul 20, 2019 12:37 pm

Thank you! As for the mask, I guess we use just what ISP said? By the way, I have mikrotik hap ac at home from where I am trying to connect to server. Should I do something at home router too?
 
Sob
Forum Guru
Posts: 4810
Joined: Mon Apr 20, 2009 9:11 pm

Re: Need to set up access to NAS openvpn

Sat Jul 20, 2019 1:45 pm

If "at home" is a different network and you only use the OpenVPN client from there, you don't need to do anything special. Of course outgoing connections to your VPN server must be allowed, but that's the default behaviour, so unless you changed it, it's ok.

True about the mask, but it really is unusual. /18 is a huge network with 16 thousand addresses, and the mask suggests that they should all be directly reachable on the WAN interface without going through another router, at least that's how things normally work. Which I'm almost sure is not true, but there are ways it can still work correctly with such a mask, so it's not necessarily wrong. I only mentioned it so that you can check if it's really what the ISP gave you. Because in case it was a mistake, the behaviour would be that almost everything (the whole internet) would work correctly, but you would not be able to communicate with most other addresses in this /18, and if the VPN client also happened to be in the 159.224.192-255.x range, it could explain your problem.

If I'm wrong about the mask, then forget it and try the troubleshooting I described before.
 
FoleyWalkers
newbie
Topic Author
Posts: 28
Joined: Thu May 23, 2019 1:50 pm

Re: Need to set up access to NAS openvpn

Sat Jul 20, 2019 5:35 pm

It's hard to tell why the ISP gave us such settings, but our building is really hard to reach and we were just lucky they established a connection with another organization in another building next to us. So they connected us over the roofs. Maybe it required some specific settings, I don't know.
But the funny thing is my IP is 178.150.253.3, so within the range you specified as potentially problematic...

Here is what I see in torch when trying to connect with OpenVPN
[attachment: VPN monitor.jpg]
This is what I see when the 2 bottom lines are showing together (the first line doesn't matter).
At first I see udp connection with 0 bytes and icmp after that.
 
FoleyWalkers
newbie
Topic Author
Posts: 28
Joined: Thu May 23, 2019 1:50 pm

Re: Need to set up access to NAS openvpn

Sat Jul 20, 2019 5:38 pm

It does not reach 192.168.0.8:1194.

OpenVPN says

Sat Jul 20 17:24:08 2019 TCP/UDP: Preserving recently used remote address: [AF_INET]159.224.216.242:1194
Sat Jul 20 17:24:08 2019 UDP link local: (not bound)
Sat Jul 20 17:24:08 2019 UDP link remote: [AF_INET]159.224.216.242:1194
Sat Jul 20 17:25:08 2019 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
Sat Jul 20 17:25:08 2019 TLS Error: TLS handshake failed
 
FoleyWalkers
newbie
Topic Author
Posts: 28
Joined: Thu May 23, 2019 1:50 pm

Re: Need to set up access to NAS openvpn

Sat Jul 20, 2019 5:43 pm

By the way, I have the same ISP at home. And here are my settings with a similar mask
[attachment: homesettings.JPG]
I think it's the way they work...
 
mkx
Forum Guru
Posts: 3210
Joined: Thu Mar 03, 2016 10:23 pm

Re: Need to set up access to NAS openvpn

Sat Jul 20, 2019 5:46 pm

True about the mask, but it really is unusual, /18 is huge network ....
One of larger ISPs in my country (which in turn is fairly small) operating FTTH and VDSL used /16 netmask until a year ago. They went to /17 after that. Still some way to reach /18 ;-)

Their network is running fairly good, seems like they have decent gear in their core network ...
BR,
Metod
 
Sob
Forum Guru
Posts: 4810
Joined: Mon Apr 20, 2009 9:11 pm

Re: Need to set up access to NAS openvpn

Sat Jul 20, 2019 5:49 pm

It will be better if you try this:
/ip firewall mangle
add chain=postrouting dst-address=192.168.0.8 protocol=udp dst-port=1194 action=log log-prefix=request
add chain=prerouting src-address=192.168.0.8 protocol=udp src-port=1194 action=log log-prefix=response
And no, 178.x.x.x and 159.x.x.x are not in same /18, so no need to worry about that.
 
FoleyWalkers
newbie
Topic Author
Posts: 28
Joined: Thu May 23, 2019 1:50 pm

Re: Need to set up access to NAS openvpn

Sat Jul 20, 2019 6:12 pm

And no, 178.x.x.x and 159.x.x.x are not in same /18, so no need to worry about that.
Good to know :-)

Now it looks like this. Is this right? Still no go
# jul/20/2019 18:09:42 by RouterOS 6.43.8
# software id = WAIS-1BW7
#
# model = RouterBOARD 750G r3
# serial number = 8AFF08EE8010
/interface bridge
add admin-mac=CC:2D:E0:F1:9D:35 auto-mac=no comment="created from master port" \
    name=bridge1 protocol-mode=none
/interface ethernet
set [ find default-name=ether1 ] speed=100Mbps
set [ find default-name=ether2 ] name=ether2-master speed=100Mbps
set [ find default-name=ether3 ] speed=100Mbps
set [ find default-name=ether4 ] speed=100Mbps
set [ find default-name=ether5 ] speed=100Mbps
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
add exclude=dynamic name=discover
add name=mactel
add name=mac-winbox
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip hotspot profile
set [ find default=yes ] html-directory=flash/hotspot
/ip pool
add name=dhcp ranges=192.168.0.110-192.168.0.140
/ip dhcp-server
add address-pool=dhcp disabled=no interface=bridge1 name=defconf
/interface bridge port
add bridge=bridge1 interface=ether3
add bridge=bridge1 interface=ether4
add bridge=bridge1 interface=ether5
add bridge=bridge1 interface=ether2-master
/ip neighbor discovery-settings
set discover-interface-list=discover
/interface list member
add comment=defconf interface=bridge1 list=LAN
add comment=defconf interface=ether1 list=WAN
add interface=bridge1 list=discover
add interface=ether3 list=discover
add interface=ether4 list=discover
add interface=ether5 list=discover
add interface=bridge1 list=mactel
add interface=bridge1 list=mac-winbox
/interface pptp-server server
set mrru=1500
/ip address
add address=192.168.0.1/24 comment=defconf interface=ether3 network=192.168.0.0
add address=159.224.216.242/18 interface=ether1 network=159.224.192.0
/ip dhcp-client
add comment=defconf dhcp-options=hostname,clientid interface=ether1
/ip dhcp-server network
add address=192.168.0.0/24 comment=defconf gateway=192.168.0.1 netmask=24
/ip dns
set allow-remote-requests=yes servers=109.86.2.2
/ip dns static
add address=192.168.0.1 name=router.lan
/ip firewall filter
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=accept chain=input dst-port=8291 protocol=tcp
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
    in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
    ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
    ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
    connection-state=established,related
add action=accept chain=forward comment=\
    "defconf: accept established,related, untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=\
    invalid
add action=drop chain=forward comment=\
    "defconf:  drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
    connection-state=new in-interface-list=WAN
/ip firewall mangle
add action=log chain=postrouting dst-address=192.168.0.8 dst-port=1194 \
    log-prefix=request protocol=udp
add action=log chain=prerouting log-prefix=response protocol=udp src-address=\
    192.168.0.8 src-port=1194
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" ipsec-policy=\
    out,none out-interface-list=WAN
add action=dst-nat chain=dstnat dst-port=8080 protocol=tcp to-addresses=\
    192.168.0.108 to-ports=8080
add action=dst-nat chain=dstnat dst-address-type=local dst-port=21 protocol=tcp \
    to-addresses=192.168.0.108 to-ports=21
add action=masquerade chain=srcnat dst-address=192.168.0.108 dst-port=21 \
    protocol=tcp src-address=192.168.0.0/24
add action=dst-nat chain=dstnat dst-address-type=local dst-port=1194 protocol=\
    udp to-addresses=192.168.0.8
/ip route
add distance=1 gateway=159.224.216.254
/ip service
set ftp address=0.0.0.0/0
/system clock
set time-zone-name=Europe/Kiev
/system resource irq rps
set ether1 disabled=no
set ether3 disabled=no
set ether4 disabled=no
set ether5 disabled=no
/tool mac-server
set allowed-interface-list=mactel
/tool mac-server mac-winbox
set allowed-interface-list=mac-winbox
/tool traffic-monitor
add disabled=yes interface=ether1 name=tmon1 threshold=0
[admin@MikroTik] > 
 
Sob
Forum Guru
Posts: 4810
Joined: Mon Apr 20, 2009 9:11 pm

Re: Need to set up access to NAS openvpn

Sat Jul 20, 2019 6:31 pm

Those two rules were supposed to log some packets when you try to connect. So there's nothing? What about counter for dstnat rule (for port 1194)? Is there anything?
 
FoleyWalkers
newbie
Topic Author
Posts: 28
Joined: Thu May 23, 2019 1:50 pm

Re: Need to set up access to NAS openvpn

Sat Jul 20, 2019 6:45 pm

I think I get it. Here is what the counters show:
[attachment: counter.JPG]
[attachment: counter 2.JPG]
The number increases.
 
Sob
Forum Guru
Posts: 4810
Joined: Mon Apr 20, 2009 9:11 pm

Re: Need to set up access to NAS openvpn

Sat Jul 20, 2019 10:30 pm

So you have incoming packets, they passed through router and were sent to 192.168.0.8, but as you see, nothing is coming back. In other words, it's the service on NAS that's not responding. You need to check what happens there.
 
sindy
Forum Guru
Posts: 4011
Joined: Mon Dec 04, 2017 9:19 pm

Re: Need to set up access to NAS openvpn

Sat Jul 20, 2019 10:56 pm

I'd still run /tool sniffer quick interface=the-expected-out-interface ip-address=ip.of.the.nas to make sure that the packets do leave towards the proper MAC address via the proper interface before finally concluding that the NAS ignores them.
Instead of writing novels, post /export hide-sensitive. Use find&replace in your favourite text editor to systematically replace all occurrences of each public IP address potentially identifying you by a distinctive pattern such as my.public.ip.1.
 
FoleyWalkers
newbie
Topic Author
Posts: 28
Joined: Thu May 23, 2019 1:50 pm

Re: Need to set up access to NAS openvpn

Sun Jul 21, 2019 9:24 am

Like this?
/tool sniffer quick interface=ether1 ip-address=192.168.0.8
 
sindy
Forum Guru
Posts: 4011
Joined: Mon Dec 04, 2017 9:19 pm

Re: Need to set up access to NAS openvpn

Sun Jul 21, 2019 9:48 am

No, 192.168.0.8 is associated to ether3, so /tool sniffer quick interface=ether3 ip-address=192.168.0.8. When the packet passes through ether1, it still has the public IP as destination, not the private one. And don't forget to make the command line window as wide as your screen allows before issuing the command.

But before you do that, fix a mistake in your configuration. The IP address 192.168.0.1/24 is attached to ether3 but it should be attached to bridge1 instead. The way you have it now it partially works, but surprises of all kinds happen.

Which brings me to a question whether the NAS is actually connected to (via) ether3; if not, sniff at the proper one out of ether4, ether5.
 
FoleyWalkers
newbie
Topic Author
Posts: 28
Joined: Thu May 23, 2019 1:50 pm

Re: Need to set up access to NAS openvpn

Sun Jul 21, 2019 10:21 am

Thanks!

But I forgot to say it's connected via a Cisco switch. But there are no special settings in it.
[attachment: 67728773_388030751842198_3466175217896783872_n (2).jpg]
The black cable is connected to the switch. I am not sure if it's ethernet 1 or 2... I think it's ethernet 1? So ethernet 3 is not involved at all, but there are settings for it (see below)
The IP address 192.168.0.1/24 is attached to ether3 but it should be attached to bridge1 instead.
The interface and address lists show:
[attachment: interface list.JPG]
Is it safe to change those settings? I suspect it has something to do with the ISP settings for us
 
sindy
Forum Guru
Posts: 4011
Joined: Mon Dec 04, 2017 9:19 pm

Re: Need to set up access to NAS openvpn

Sun Jul 21, 2019 10:46 am

Your hEX configuration is simple:
  • ether1 is WAN, don't touch it.
  • ether2 through to ether5 are member ports of the same bridge. All ports of a bridge share the same IP configuration, which must be attached to the bridge. In your case, the dhcp server is attached to the bridge (correct) but the IP address 192.168.0.1/24 is attached to the slave port ether3 (wrong). If it was set up like this by your ISP, it doesn't change the fact that it is wrong (everyone has their moments). So open the settings of the address 192.168.0.1/24, and change the interface item from ether3 to bridge1 (and press [Apply] of course).
Next, test the OpenVPN access to the NAS again. If it still doesn't work, connect the NAS directly to any of ether3..ether5 of the hEX to exclude any surprise caused by the Cisco switch. If it doesn't work even that way, run the /tool sniffer as above, indicating the ether interface to which the NAS is actually connected, to see whether the UDP packets for the NAS do leave the hEX via the proper interface when you try to connect the remote client.
 
FoleyWalkers
newbie
Topic Author
Posts: 28
Joined: Thu May 23, 2019 1:50 pm

Re: Need to set up access to NAS openvpn

Sun Jul 21, 2019 10:50 am

OK, thanks, I'll do that.
everyone has their moments
)) indeed
 
FoleyWalkers
newbie
Topic Author
Posts: 28
Joined: Thu May 23, 2019 1:50 pm

Re: Need to set up access to NAS openvpn

Sun Jul 21, 2019 11:03 am

The IP address 192.168.0.1/24 is attached to ether3
Where can I see it?

By the way, can the problem be caused by the fact the NAS is outside of DHCP range?

Currently I have changed the ethernet 3 to bridge. It didn't help. I can't exclude the Cisco from the chain right now.

Sniffing on ether2 shows this:
[attachment: sniff 1.JPG]
 
sindy
Forum Guru
Posts: 4011
Joined: Mon Dec 04, 2017 9:19 pm

Re: Need to set up access to NAS openvpn

Sun Jul 21, 2019 11:27 am

The IP address 192.168.0.1/24 is attached to ether3
Where can I see it?
On the setting card of the address where you've changed it from ether3 to bridge1.

In the configuration export, it was in
/ip address
add address=192.168.0.1/24 comment=defconf interface=ether3 network=192.168.0.0


By the way, can the problem be caused by the fact the NAS is outside of DHCP range?
No, as it is still within the same subnet as the LAN IP address of the hEX. 192.168.0.1/24 means "192.168.0.1 in 192.168.0.0-192.168.0.255".

Currently I have changed the etherned 3 to bridge. It didn't help.
Nevertheless keep it this way.

Sniffing on ether2 shows this:
That's some fault of Winbox then, repeating the header line instead of the actual data. Try WebFig instead (http://192.168.0.1).

And, to go to the roots, what is the output of /ping 192.168.0.8 arp-ping=yes interface=bridge1 ?
 
FoleyWalkers
newbie
Topic Author
Posts: 28
Joined: Thu May 23, 2019 1:50 pm

Re: Need to set up access to NAS openvpn

Sun Jul 21, 2019 11:38 am

/ping 192.168.0.8 arp-ping=yes interface=bridge1
it says 0 192.168.0.8 timeout

I am connecting via Winbox remotely. Just tried to do it via browser and it doesn't work so I can't use WebFig right now.
 
sindy
Forum Guru
Posts: 4011
Joined: Mon Dec 04, 2017 9:19 pm

Re: Need to set up access to NAS openvpn

Sun Jul 21, 2019 11:53 am

From remote you cannot connect to a private IP, that's right, and you also cannot connect to the public one as only Winbox connection is permitted on the WAN side (which is not a good idea any more, as nowadays it sometimes looks as if the bad guys knew the Winbox interface of RouterOS better than its developers).

But the fact that the NAS doesn't respond even to arp-ping means something else is broken than just the forwarding rules. Devices in the same subnet must respond to arp requests for the connection to work. So I'm afraid it will require a site visit to move forward.
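Sindy's remark that Winbox is reachable from the WAN refers to the rule "add action=accept chain=input dst-port=8291 protocol=tcp" in the export, which accepts port 8291 from any source. As an added example (my configuration, not something posted in the thread), this is how that rule can be tightened to a list of trusted management addresses; the list name mgmt-allowed and the address 203.0.113.10 are placeholders for the admin's own source address, and the comment text is mine.

```routeros
# Trusted management sources; 203.0.113.10 is a documentation placeholder,
# replace it with the address you actually administer from.
/ip firewall address-list
add list=mgmt-allowed address=192.168.0.0/24 comment="LAN (placeholder)"
add list=mgmt-allowed address=203.0.113.10 comment="admin home (placeholder)"

# Tighten the existing accept rule in place instead of adding a second one,
# so it keeps its position above the "drop all not coming from LAN" rule.
/ip firewall filter
set [ find chain=input dst-port=8291 protocol=tcp action=accept ] \
    src-address-list=mgmt-allowed comment="winbox from trusted sources only"

# Bind the Winbox service itself to the same sources; /ip service accepts a
# comma-separated list of addresses or prefixes.
/ip service
set winbox address=192.168.0.0/24,203.0.113.10

# Verify: the rule should now show the address list, and nothing else on
# the input chain should accept port 8291 from !LAN.
/ip firewall filter print where dst-port=8291
/ip service print where name=winbox
```

If the remote admin address is dynamic (as a home connection usually is), this lock-down will cut off remote Winbox until the list is updated, so apply it from the LAN side, or better, reach the router only through the VPN once the OpenVPN forward works and drop the WAN-facing Winbox rule entirely.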
 
FoleyWalkers
newbie
Topic Author
Posts: 28
Joined: Thu May 23, 2019 1:50 pm

Re: Need to set up access to NAS openvpn

Sun Jul 21, 2019 12:03 pm

The strange thing is that FTP port forwarding works. Also I have successfully forwarded a port to connect to the NAS web interface.
So I'm afraid it will require a site visit to move forward.
Which site? Do you mean NAS web interface?
 
sindy
Forum Guru
Posts: 4011
Joined: Mon Dec 04, 2017 9:19 pm

Re: Need to set up access to NAS openvpn

Sun Jul 21, 2019 12:30 pm

The strange thing is that ftp port forwarding works. Also I have succesfully forwarded port to connect to the nas web interface.
That's really strange. So what does /ip arp print where address~"192.168.0.8" say?

So I'm afraid it will require a site visit to move forward.
Which site? Do you mean NAS web interface?
No, I mean "site" as in "площадка", the place where the hEX and the NAS are physically located. But if at the very same time you can access remotely the NAS web interface and arp-ping doesn't work, there must be something really unusual there which I cannot even imagine as there is no static arp record configured in your hEX.
 
FoleyWalkers
newbie
Topic Author
Posts: 28
Joined: Thu May 23, 2019 1:50 pm

Re: Need to set up access to NAS openvpn

Sun Jul 21, 2019 12:44 pm

So what does /ip arp print where address~"192.168.0.8" say?
It says # ADDRESS MAC-ADDRESS INTERFACE .

So I am afraid it's the same bug that didn't allow to see what sniffer says. It could be that I will visit площадка today and try to check it via webfig..
 
FoleyWalkers
newbie
Topic Author
Posts: 28
Joined: Thu May 23, 2019 1:50 pm

Re: Need to set up access to NAS openvpn

Sun Jul 21, 2019 12:46 pm

Btw there is some activity on the connections tab I don't understand. I am not trying to connect via VPN
[attachment: connections.JPG]
at the moment
 
sindy
Forum Guru
Posts: 4011
Joined: Mon Dec 04, 2017 9:19 pm

Re: Need to set up access to NAS openvpn

Sun Jul 21, 2019 1:18 pm

Looks like the LAN device using address 192.168.0.108 is downloading some torrents.

As for the single header line in response to /ip arp print, it is not a bug this time, it simply means that the ARP record is not there.

Grrrr... you redirect the web and FTP to 192.168.0.108, but you redirect the OpenVPN port to 192.168.0.8. I'm speechless.
 
FoleyWalkers
newbie
Topic Author
Posts: 28
Joined: Thu May 23, 2019 1:50 pm

Re: Need to set up access to NAS openvpn

Sun Jul 21, 2019 1:29 pm

Grrrr... you redirect the web and FTP to 192.168.0.108, but you redirect the OpenVPN port to 192.168.0.8. I'm speechless.
What a stupid mistake...Sorry. But I do not redirect it to some specific IP. The only rule I have is
[attachment: rule.JPG]
But as for the monitoring commands they were all wrong. I will redo them right now. Sorry again
 
sindy
Forum Guru
Posts: 4011
Joined: Mon Dec 04, 2017 9:19 pm

Re: Need to set up access to NAS openvpn

Sun Jul 21, 2019 1:35 pm

The GUI is a very misleading tool when it comes to firewall rules, as the table view only shows about 1/10 of all the parameters.
The command line export shows that you do redirect port 1194 to a particular address:

add action=dst-nat chain=dstnat dst-address-type=local dst-port=1194 protocol=udp to-addresses=192.168.0.8
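The root cause here was a dst-nat rule pointing at an address no host uses, and the first symptom was the empty /ip arp print. As an added example, not posted in the thread, the following RouterOS script (my own; names r, tgt and prt are local variables I chose) walks every active dst-nat rule and reports those whose to-addresses has no ARP entry on the router, which is the cheapest sign that the target host either does not exist on the LAN or has a different address. Run it from the terminal or paste it into /system script; with the export from this thread it would have flagged the port 1194 rule pointing at 192.168.0.8.

```routeros
# For each enabled dst-nat rule, check whether the router has ever resolved
# the target's MAC address. No ARP entry means the rule forwards into a void.
:foreach r in=[/ip firewall nat find chain=dstnat action=dst-nat disabled=no] do={
    :local tgt [/ip firewall nat get $r to-addresses];
    :local prt [/ip firewall nat get $r dst-port];
    # to-addresses may be empty or a range; only single addresses are checked
    :if ([:typeof $tgt] = "ip") do={
        :if ([:len [/ip arp find address=$tgt]] = 0) do={
            :put ("dst-port " . $prt . " -> " . $tgt . ": NO ARP ENTRY, host unreachable or address wrong");
        } else={
            :put ("dst-port " . $prt . " -> " . $tgt . ": ok");
        }
    }
}
```

An ARP entry only proves the host answered at some point since the cache was last cleared, so a missing entry after a fresh reboot is not yet proof of a wrong address; pair the script with "/ping <target> arp-ping=yes interface=bridge1" as sindy suggested to force a fresh resolution before trusting the result.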
 
FoleyWalkers
newbie
Topic Author
Posts: 28
Joined: Thu May 23, 2019 1:50 pm

Re: Need to set up access to NAS openvpn

Sun Jul 21, 2019 1:38 pm

The GUI is a very misleading tool when it comes to firewall rules, as the table view only shows about 1/10 of all the parameters.
The command line export shows that you do redirect port 1194 to a particular address:

add action=dst-nat chain=dstnat dst-address-type=local dst-port=1194 protocol=udp to-addresses=192.168.0.8
I see now. How can I remove this line and insert the correct one?
 
sindy
Forum Guru
Posts: 4011
Joined: Mon Dec 04, 2017 9:19 pm

Re: Need to set up access to NAS openvpn

Sun Jul 21, 2019 1:42 pm

Double-click that dst-nat rule in the table view and correct the to-addresses value there.
 
FoleyWalkers
newbie
Topic Author
Posts: 28
Joined: Thu May 23, 2019 1:50 pm

Re: Need to set up access to NAS openvpn

Sun Jul 21, 2019 1:56 pm

No surprise it works now :-/. Sorry guys and thanks for your patience. If you'll need some help related to the audio post-production just let me know :)
 
Sob
Forum Guru
Posts: 4810
Joined: Mon Apr 20, 2009 9:11 pm

Re: Need to set up access to NAS openvpn

Sun Jul 21, 2019 6:06 pm

I see you're doing fine without me. Those numbers are tricky, aren't they? ;)

Btw sindy, out of curiosity, in addition to being good with routers, are you also some kind of polyglot? Everyone can cheat these days with translator, but from other threads I get the impression that it's not your case.
 
sindy
Forum Guru
Posts: 4011
Joined: Mon Dec 04, 2017 9:19 pm

Re: Need to set up access to NAS openvpn

Sun Jul 21, 2019 6:13 pm

Everyone can cheat these days with translator, but from other threads I get the impression that it's not your case.
I did cheat where Spanish was involved. I'm afraid that to choose the right translation of "site" cheating doesn't help, you need to know the language from regular professional use.
 
FoleyWalkers
newbie
Topic Author
Posts: 28
Joined: Thu May 23, 2019 1:50 pm

Re: Need to set up access to NAS openvpn

Mon Jul 22, 2019 1:18 pm

I see you're doing fine without me. Those numbers are tricky, aren't they? ;)
Yup :-) You need to be very careful with them
 
FoleyWalkers
newbie
Topic Author
Posts: 28
Joined: Thu May 23, 2019 1:50 pm

Re: Need to set up access to NAS openvpn

Tue Jul 23, 2019 5:40 pm

Hi!

As OpenVPN turned out to be 10 times slower than the FTP connection (100 mbs vs 1 gbs), I tried it via PPTP (successfully, but the speed is the same). Now I am trying L2TP/IPsec. I have created the 3 rules for UDP ports 500, 1701 and 4500, but it doesn't work.

Here is my config now
# jul/23/2019 17:39:55 by RouterOS 6.43.8
# software id = WAIS-1BW7
#
# model = RouterBOARD 750G r3
# serial number = 8AFF08EE8010
/interface bridge
add admin-mac=CC:2D:E0:F1:9D:35 auto-mac=no comment="created from master port" name=bridge1 protocol-mode=none
/interface ethernet
set [ find default-name=ether1 ] speed=100Mbps
set [ find default-name=ether2 ] name=ether2-master speed=100Mbps
set [ find default-name=ether3 ] speed=100Mbps
set [ find default-name=ether4 ] speed=100Mbps
set [ find default-name=ether5 ] speed=100Mbps
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
add exclude=dynamic name=discover
add name=mactel
add name=mac-winbox
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip hotspot profile
set [ find default=yes ] html-directory=flash/hotspot
/ip pool
add name=dhcp ranges=192.168.0.110-192.168.0.140
/ip dhcp-server
add address-pool=dhcp disabled=no interface=bridge1 name=defconf
/interface bridge port
add bridge=bridge1 interface=ether3
add bridge=bridge1 interface=ether4
add bridge=bridge1 interface=ether5
add bridge=bridge1 interface=ether2-master
/ip neighbor discovery-settings
set discover-interface-list=discover
/interface list member
add comment=defconf interface=bridge1 list=LAN
add comment=defconf interface=ether1 list=WAN
add interface=bridge1 list=discover
add interface=ether3 list=discover
add interface=ether4 list=discover
add interface=ether5 list=discover
add interface=bridge1 list=mactel
add interface=bridge1 list=mac-winbox
/interface pptp-server server
set mrru=1500
/ip address
add address=192.168.0.1/24 comment=defconf interface=bridge1 network=192.168.0.0
add address=159.224.216.242/18 interface=ether1 network=159.224.192.0
/ip dhcp-client
add comment=defconf dhcp-options=hostname,clientid interface=ether1
/ip dhcp-server network
add address=192.168.0.0/24 comment=defconf gateway=192.168.0.1 netmask=24
/ip dns
set allow-remote-requests=yes servers=109.86.2.2
/ip dns static
add address=192.168.0.1 name=router.lan
/ip firewall filter
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=drop chain=input comment="defconf: drop all not coming from LAN" in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related
add action=accept chain=forward comment="defconf: accept established,related, untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
add action=drop chain=forward comment="defconf:  drop all from WAN not DSTNATed" connection-nat-state=!dstnat connection-state=new \
    in-interface-list=WAN
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" ipsec-policy=out,none out-interface-list=WAN
add action=dst-nat chain=dstnat dst-port=8081 protocol=tcp to-addresses=192.168.0.108 to-ports=8081
add action=dst-nat chain=dstnat dst-address-type=local dst-port=21 protocol=tcp to-addresses=192.168.0.108 to-ports=21
add action=masquerade chain=srcnat dst-address=192.168.0.108 dst-port=21 protocol=tcp src-address=192.168.0.0/24
add action=dst-nat chain=dstnat dst-address-type=local dst-port=1194 protocol=udp to-addresses=192.168.0.108
add action=dst-nat chain=dstnat dst-port=8080 protocol=tcp to-addresses=192.168.0.108
add action=dst-nat chain=dstnat dst-port=1723 protocol=tcp to-addresses=192.168.0.108
add action=dst-nat chain=dstnat dst-address-type=local dst-port=500 protocol=udp to-addresses=192.168.0.108
add action=dst-nat chain=dstnat dst-address-type=local dst-port=1701 protocol=udp to-addresses=192.168.0.108
add action=dst-nat chain=dstnat dst-address-type=local dst-port=4500 protocol=udp to-addresses=192.168.0.108
/ip route
add distance=1 gateway=159.224.216.254
/ip service
set ftp address=0.0.0.0/0
/system clock
set time-zone-name=Europe/Kiev
/system resource irq rps
set ether1 disabled=no
set ether3 disabled=no
set ether4 disabled=no
set ether5 disabled=no
/tool mac-server
set allowed-interface-list=mactel
/tool mac-server mac-winbox
set allowed-interface-list=mac-winbox
/tool traffic-monitor
add disabled=yes interface=ether1 name=tmon1 threshold=0
[admin@MikroTik] > 

What is wrong now? :)
 
sindy
Forum Guru
Posts: 4011
Joined: Mon Dec 04, 2017 9:19 pm

Re: Need to set up access to NAS openvpn

Tue Jul 23, 2019 6:44 pm

Assuming that you want the L2TP/IPsec to run on the NAS, the issue may be that the native VPN client of Microsoft Windows in default settings doesn't accept NAT at the server side. And if you are trying from a recent upgrade of Win10, L2TP/IPsec may not work at all. The issue with the default settings can be resolved by changing the registry, but for the latest changes in W10 there is no known cure yet. But maybe you aren't trying from Windows?

Other than that, forwarding UDP port 1701 is at best useless and at worst dangerous. The L2TP packets to port 1701 should normally be hidden inside the IPsec transport packets, hence forwarding it is useless; if both the client and server use plaintext transmission as a fallback option when the IPsec "negotiation" fails, permitting this mode by forwarding UDP port 1701 becomes dangerous.
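As an added example (not from this thread and not MikroTik's or QNAP's code), a small Python audit over the `/ip firewall nat` section of a RouterOS export like the one posted above: it flags a forwarded UDP 1701 rule for the reason sindy gives, checks that the IPsec pair UDP 500/4500 is forwarded together, and reports dst-nat rules that point at different hosts, the kind of to-addresses typo that tripped this thread. The export text is constructed to resemble the posted config; the .8/.108 mismatch is included on purpose.

```python
import re
from typing import Dict, List

# Constructed sample in the shape of the posted export (not the real one).
SAMPLE_EXPORT = """\
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" out-interface-list=WAN
add action=dst-nat chain=dstnat dst-address-type=local dst-port=1194 protocol=udp to-addresses=192.168.0.108
add action=dst-nat chain=dstnat dst-port=1723 protocol=tcp to-addresses=192.168.0.108
add action=dst-nat chain=dstnat dst-address-type=local dst-port=500 protocol=udp to-addresses=192.168.0.108
add action=dst-nat chain=dstnat dst-address-type=local dst-port=1701 protocol=udp to-addresses=192.168.0.108
add action=dst-nat chain=dstnat dst-address-type=local dst-port=4500 protocol=udp to-addresses=192.168.0.8
/ip route
add distance=1 gateway=my.public.gw
"""

def parse_nat_rules(export: str) -> List[Dict[str, str]]:
    """Return the key=value attributes of every 'add' line under /ip firewall nat."""
    rules, in_nat = [], False
    for line in export.splitlines():
        if line.startswith("/"):                      # a new section header
            in_nat = line.strip() == "/ip firewall nat"
            continue
        if in_nat and line.startswith("add "):
            # values are either quoted ("defconf: ...") or a bare token
            attrs = re.findall(r'(\S+?)=("[^"]*"|\S+)', line[4:])
            rules.append({k: v.strip('"') for k, v in attrs})
    return rules

def audit_dstnat(rules: List[Dict[str, str]]) -> List[str]:
    """Findings about the dst-nat rules, as short human-readable strings."""
    findings = []
    dstnat = [r for r in rules if r.get("action") == "dst-nat"]
    udp_ports = {r.get("dst-port") for r in dstnat if r.get("protocol") == "udp"}
    if "1701" in udp_ports:
        findings.append("udp/1701 forwarded: L2TP should only arrive inside IPsec; "
                        "this only enables a plaintext fallback")
    if ("500" in udp_ports) != ("4500" in udp_ports):
        findings.append("udp/500 and udp/4500 must be forwarded together for IPsec behind NAT")
    targets = sorted({r["to-addresses"] for r in dstnat if "to-addresses" in r})
    if len(targets) > 1:
        findings.append("dst-nat rules target different hosts, check for a typo: " + ", ".join(targets))
    return findings

if __name__ == "__main__":
    for f in audit_dstnat(parse_nat_rules(SAMPLE_EXPORT)):
        print("-", f)
```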
 
FoleyWalkers
newbie
Topic Author
Posts: 28
Joined: Thu May 23, 2019 1:50 pm

Re: Need to set up access to NAS openvpn

Wed Jul 24, 2019 7:58 pm

Thanks! I think I simply won't try it then
 
sindy
Forum Guru
Posts: 4011
Joined: Mon Dec 04, 2017 9:19 pm

Re: Need to set up access to NAS openvpn

Wed Jul 24, 2019 8:06 pm

I think it is a wise decision. I have no idea what CPU is used in the NAS, but I don't expect it to use hardware encryption for one VPN type and not use it for another (which is what Mikrotik does, but Mikrotik is a special case as they have never truly embraced OpenVPN, to put it softly). So you might spend a lot of effort to get the same speed.
 
FoleyWalkers
newbie
Topic Author
Posts: 28
Joined: Thu May 23, 2019 1:50 pm

Re: Need to set up access to NAS openvpn

Wed Jul 24, 2019 8:27 pm

Yes, I thought the same. We have the cheap NAS model with the CPU Annapurna Labs Alpine AL212 Dual-core ARM Cortex-A15 @ 1.70GHz (cores: 2).
So in general it's normal for VPN to be way slower than a regular FTP connection, right?

NAS support suggests now to try WebDAV but I think it could be the same.
 
2frogs
Long time Member
Posts: 540
Joined: Fri Dec 03, 2010 1:38 am

Re: Need to set up access to NAS openvpn

Thu Jul 25, 2019 7:35 am

Thought I would let you know that L2TP/IPsec is not any better. I have a TS-431XeU with an Annapurna Labs Alpine AL-314 32-bit ARM Cortex-A15 quad-core 1.7GHz processor and 10-11MB/s is all it will do at 40% CPU usage. QVPN represents only 10% CPU usage.
 
FoleyWalkers
newbie
Topic Author
Posts: 28
Joined: Thu May 23, 2019 1:50 pm

Re: Need to set up access to NAS openvpn

Thu Jul 25, 2019 9:35 am

Thanks!