Internet access without 0.0.0.0/0

Posted: Thu Aug 08, 2019 9:49 pm
by rules
Hi All

Is there a way to give the router internet access (PPPoE or simply DHCP) without having the dynamic route 0.0.0.0/0?

Maybe my example will shed some more light ... I have an isolated network at a client, which I want to expose to the internet to establish a VPN connection with. Ether 1 on my router gets a DHCP address from the client's router so internet is sorted. Problem is that it creates a dynamic route (0.0.0.0/0 to Ether 1) and this enables any device on the isolated network to set the router's IP (bridge, Ether 2-5) as their gateway to get access to the internet and I want to stop that. Removing the dynamic route however kills my router's internet access 🙈

Any way around this?

Thanks,
R

Re: Internet access without 0.0.0.0/0

Posted: Thu Aug 08, 2019 10:16 pm
by sindy
I suppose we are talking about devices connected to the LAN side of your router, not other devices connected to client's router LAN side where your router's WAN side is connected.

If so, post the export of the configuration of your router, it will be just a matter of modifying the rules in chain=forward of /ip firewall filter so that no connections could be opened by hosts in LAN, but connections initiated from your side and arriving to the router via the VPN tunnel could be set towards the LAN hosts, which I believe is the very purpose of the VPN access.

Re: Internet access without 0.0.0.0/0

Posted: Fri Aug 09, 2019 5:58 pm
by rules
Hi Sindy

Your assumption is correct. On my internal network I would like for only the router to have internet access and I have also configured a PPPoE server for when I do need temp access from inside (at this point it places the PPPoE connection on the bridge, but this will obviously have to change once the original objective is met).


/interface bridge
add name="bridge1"
/interface ethernet
set [ find default-name=ether1 ] comment="External Netowrk"
set [ find default-name=ether5 ] comment="Internal Network"

/interface list
add name=WAN
add name=LAN
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip hotspot profile
set [ find default=yes ] html-directory=flash/hotspot
/ip pool
add name="VPN Pool" ranges=192.168.100.190-192.168.100.200
add name="PPPoE Pool" ranges=172.17.0.1-172.17.0.200
/ip dhcp-server
add address-pool="VPN Pool" interface="bridge1" name=dhcp1
/ppp profile
set *0 bridge="bridge1" local-address="VPN Pool" remote-address=\
"VPN Pool"
add comment="PPPoE Internal Internet" local-address="PPPoE Pool" name=\
"PPPoE Internal" remote-address="PPPoE Pool"
set *FFFFFFFE bridge="bridge1"
/interface bridge port
add bridge="bridge1" interface=ether2
add bridge="bridge1" interface=ether3
add bridge="bridge1" interface=ether4
add bridge="bridge1" hw=no interface=ether5
add disabled=yes interface=ether1
/interface l2tp-server server
set default-profile=default enabled=yes use-ipsec=yes
/interface list member
add interface=ether1 list=WAN
add interface="bridge1" list=LAN
/interface pppoe-server server
add default-profile="PPPoE Internal" disabled=no interface="bridge1" \
service-name="PPPoE Internal Internet"
/ip address
add address=192.168.100.253/24 interface="bridge1" network=192.168.100.0
/ip cloud
set ddns-enabled=yes
/ip dhcp-client
add dhcp-options=hostname,clientid disabled=no interface=ether1
/ip dhcp-server network
add address=192.168.100.0/24 gateway=192.168.100.253 netmask=24
/ip dns
set servers=8.8.8.8
/ip firewall filter
add action=accept chain=input comment=\
"defconf: accept established,related,untracked" connection-state=\
established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
invalid log=yes
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input dst-port=8100 protocol=tcp
add action=accept chain=input in-interface=ether1 protocol=ipsec-esp
add action=accept chain=input dst-port=500,1701,4500 in-interface=ether1 \
protocol=udp
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
in-interface-list=!LAN log=yes
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
connection-state=established,related
add action=accept chain=forward comment=\
"defconf: accept established,related, untracked" connection-state=\
established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
connection-state=invalid log=yes
add action=drop chain=forward comment=\
"defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
connection-state=new in-interface-list=WAN log=yes
/ip firewall nat
add action=masquerade chain=srcnat disabled=yes
add action=masquerade chain=srcnat comment="defconf: masquerade" \
ipsec-policy=out,none out-interface-list=WAN
add action=dst-nat chain=dstnat dst-port=8100 protocol=tcp to-addresses=\
192.168.100.253 to-ports=8100
/ip service
set telnet disabled=yes
set ftp disabled=yes
set www disabled=yes
set api disabled=yes
set winbox port=8100
set api-ssl disabled=yes
/ppp secret
add name=internet profile="PPPoE Internal"

Thanks,
R

Re: Internet access without 0.0.0.0/0

Posted: Fri Aug 09, 2019 10:33 pm
by sindy
OK, so your configuration seems a little bit messy to me. The L2TP server's profile is configured to create both an L2 tunnel locally connected to the LAN bridge and an L3 tunnel; is the L2TP client another Mikrotik device or Linux so that you could really use the L2 tunnel? If you do, and if there is a DHCP client on the client side, the client gets two IP addresses from the same pool, one via IPCP for the L3 tunnel endpoint and another one via DHCP through the L2 tunnel.

I need to understand this in order to suggest the proper way to provide access from the client to the devices in LAN.

Another thing which may have a reason but I have never seen it is that you assign an individual local-address for the PPPoE clients, can you explain the reasons?

The easiest way to prevent both the devices connected directly on the bridge1 interface and the PPPoE clients from accessing internet via the default route is to remove in-interface-list=WAN condition from the very last action=drop chain=forward rule in ip firewall filter. But I assume you need to access these devices from the L2TP client directly, not by logging in to the Tik first and then logging to them from the Tik? If you do use the L2 tunnel of the L2TP connection, this is automatic for the devices connected directly to the bridge, but not for the PPPoE clients.

The action=dst-nat chain=dstnat dst-port=8100 protocol=tcp to-addresses=192.168.100.253 to-ports=8100 opens Winbox access to anyone who can access the WAN IP of the device, which means the whole internet if the WAN IP is a public one and no external firewall protects it. Is it intentional and if not, are you aware of this?

Re: Internet access without 0.0.0.0/0

Posted: Sat Aug 10, 2019 6:01 pm
by rules
Messy ... yeah I really need to do my MTCRE already :lol:

On the onsite router I have an L2 connection from the bridge to a Mikrotik router at our office as well as a L2 server for the client to connect directly. The PPPoE is for once there is no direct internet access from inside the network. The PPPoE server issues from a different pool as the hosts in the current range are near depletion.

The last firewall filter rule is a default, does that not simply drop connections from the WAN side that are not NATed? Ah ok, but I suppose once you remove the "WAN" In interface it will drop packets on the LAN side as well, correct?

As for the last one ... I'm simply going to plead temporary insanity.

Thanks,
R

Re: Internet access without 0.0.0.0/0

Posted: Sat Aug 10, 2019 6:54 pm
by sindy
> Messy ... yeah I really need to do my MTCRE already :lol:
Well, maybe just "so unusual that a mere mortal cannot understand it without having additional context". Details below.

> On the onsite router I have an L2 connection from the bridge to a Mikrotik router at our office as well as a L2 server for the client to connect directly.
Slow down. You mention "your router" (=the Tik we are currently dealing with), "clients router" (the one which provides "your router" with internet access), and now you come with "onsite router".

And I feel as if you freely mixed "L2" and "L2TP". So is the L2 tunnel from the bridge on "your router" to your office provided using the L2TP session where the Tik in your office is an L2TP client and "your router" is the L2TP server, or is there anything else? Because you say you have also "an L2 server for the client to connect directly", which suggests that the L2TP server on "your router" serves only one of these purposes.

> The PPPoE is for once there is no direct internet access from inside the network.
My English is not good enough to be sure what this sentence means. Do you want to say that although the general goal is to prevent devices connected to the LAN side of "your router" from accessing the internet, you plan to permit some exceptions, and that these "privileged" devices will have to use a PPPoE client in order to get internet access because that way you can authenticate them? If so, you'll need an additional permissive rule in the firewall filter, accepting forward traffic which either matches src-address matching the /ip pool used for PPPoE clients, or matches in-interface-list=some-nice-name if you add interface-list=some-nice-name to the property list of the /ppp profile used for PPPoE clients.

> The PPPoE server issues from a different pool as the hosts in the current range is near depletion.
I have no problem with assigning the remote-address (the client's one) to PPPoE clients from another /ip pool than to L2TP clients in L3 mode. What I don't understand is why you use a pool instead of a single address as local-address as I suspect (but have never tried that) that it means that you assign a new address at "your router" for each client connection, i.e. that each client connection takes two IPs from the pool, instead of just one for the client.

Also, by using the same pool for the DHCP server on bridge and for L2TP clients in L3 mode you may spend two addresses from that pool per connected client, one for the L2TP client side of the L3 tunnel and another one if the L2 tunnel has a DHCP client at L2TP client side.

> The last firewall filter rule is a default, does that not simply drop connections from the WAN side that are not NATed? Ah ok, but I suppose once you remove the "WAN" In interface it will drop packets on the LAN side as well, correct?
Correct. A default rule is appropriate when the rest of the configuration stays default too; once you customize the default configuration to your needs, there is no reason not to customize the firewall rules too. If it makes you feel better, copy the rule, modify one of them (replace the comment with the irritating word "default" in it with a more appropriate one, and remove the in-interface=WAN) and just disable the original one instead of removing it.
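The following RouterOS script puts sindy's suggestions from this and the previous reply together: the final forward drop rule loses its in-interface-list=WAN condition so LAN hosts cannot use the router as an internet gateway, PPPoE clients are tagged through an interface-list on their /ppp profile and get a permissive rule ahead of the drop, and the Winbox dst-nat rule is disabled. It is an added example, not a post from the thread; the list name pppoe-clients and the rule comments are assumptions, and the rule set is applied on top of the export posted above.

```routeros
# Added example (not from the thread): only the router itself and
# authenticated PPPoE clients may open connections towards the internet.

# 1. Let the PPP profile add every dynamic PPPoE interface to an interface
#    list (name assumed), so a filter rule can match the clients without
#    knowing their dynamic interface names.
/interface list
add name=pppoe-clients comment="assumed name: dynamic PPPoE client interfaces"
/ppp profile
set "PPPoE Internal" interface-list=pppoe-clients

/ip firewall filter
# 2. Accept new connections from PPPoE clients towards WAN, placed before
#    the default drop rule so it is evaluated first.
add chain=forward action=accept comment="allow PPPoE clients to internet" \
    connection-state=new in-interface-list=pppoe-clients \
    out-interface-list=WAN \
    place-before=[find comment="defconf: drop all from WAN not DSTNATed"]

# 3. Keep the default rule but disable it, and append a copy without the
#    in-interface-list=WAN condition: any new forwarded connection that was
#    not DST-NATed is dropped, whichever interface it arrived on. Traffic the
#    router originates itself (chain=output) is not affected, so the router
#    keeps its internet access even though 0.0.0.0/0 stays in place.
set [find comment="defconf: drop all from WAN not DSTNATed"] disabled=yes
add chain=forward action=drop comment="drop all new not DSTNATed, any interface" \
    connection-nat-state=!dstnat connection-state=new log=yes

# 4. The dst-nat rule forwarding TCP 8100 to the router exposes Winbox to
#    whoever can reach the WAN address; disable it until it is restricted.
/ip firewall nat
set [find chain=dstnat dst-port=8100 protocol=tcp] disabled=yes
```

Connections arriving through the L2TP tunnel in L3 mode are also caught by the new drop rule, so if the VPN client must reach LAN hosts by routing (rather than via the BCP L2 tunnel), an equivalent accept rule for the L2TP interfaces is needed ahead of it.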

Re: Internet access without 0.0.0.0/0

Posted: Tue Aug 13, 2019 1:51 pm
by rules
Hi sindy

Seems I have reached the stage where I know just enough to get me into trouble :lol: so my apologies if I'm mixing and matching and making things confusing.

I made a rough drawing indicating the current scenario so hope that sheds some light ...

https://imgur.com/QkgkBlf

Thanks,
R

Re: Internet access without 0.0.0.0/0

Posted: Tue Aug 13, 2019 3:19 pm
by sindy
> I made a rough drawing indicating the current scenario so hope that sheds some light ...
It hasn't changed my understanding of what the topology is and what the goals are, but it hasn't dissolved the concerns I've expressed before either :)

If the client's L2TP client is not another Mikrotik or another device supporting BCP, it may have problems accessing the devices on the bridge of the client side Mikrotik (or, more precisely, those devices cannot send packets to it because it gets an address from their subnet but is not reachable on L2).