
Remote winbox into wAP LTE and LtAP over SSTP VPN

Posted: Thu Sep 19, 2019 8:51 pm
by DSK
I've got a CHR on AWS acting as an SSTP server, with wAP LTE and LtAPs as clients on subnet 10.10.80.0/24. I've got DUDE set up there as well, and I am able to monitor the devices via DUDE fine. I would like to remotely Winbox into the LTE devices. On the clients I've allowed Winbox access from the WAN/SSTP interface. Could someone help with the way forward?

Re: Remote winbox into wAP LTE and LtAP over SSTP VPN

Posted: Sun Sep 22, 2019 10:23 am
by DSK
Anyone?

Re: Remote winbox into wAP LTE and LtAP over SSTP VPN

Posted: Tue Oct 01, 2019 8:44 pm
by DSK
Anyone to help?

Re: Remote winbox into wAP LTE and LtAP over SSTP VPN

Posted: Thu Oct 10, 2019 4:29 am
by SiB
Yes, anyone can help you. For example, "I am".
When you connect to the CHR, the CHR sees the LTE clients connected to it in
ppp active print
If yes, then you see their IP addresses.

You should connect to them from:
  • the CHR terminal, via Telnet/SSH to them
  • your PC WinBox, when you allow it in the CHR forward chain

Re: Remote winbox into wAP LTE and LtAP over SSTP VPN

Posted: Thu Oct 10, 2019 9:08 am
by DSK
Many thanks for the reply.
The ppp active print command brings up all the units.
I would prefer using my PC Winbox. Could you please help with the specific firewall rule on the CHR to enable this?
Thanks again!

Re: Remote winbox into wAP LTE and LtAP over SSTP VPN

Posted: Fri Oct 11, 2019 9:29 am
by SiB
I assume:
The AWS subnet is 10.10.80.0/24 and the CHR has 10.10.80.1.
Your LTE devices connect by SSTP to the CHR and they have 10.10.80.100-101.
Your PC has 192.168.1.100 and your local router/gateway is 192.168.1.1.

In this scenario:
* Your PC WinBox must have routing to 10.10.80.0/24 via its SSTP, e.g. 10.10.80.102.
Then your WinBox should connect to the CHR at its 10.10.80.1 - does this work for you?
* The CHR must have a firewall rule in chain=forward to allow that traffic, after accepting established&related and before any rule with an action like drop/deny/tarpit:
ip firewall filter add chain=forward src-address=192.168.1.100 dst-address=10.10.80.0/24 protocol=tcp dst-port=8291 action=accept comment="WinBox Allow"
* On the LTE device you have an accept in the input chain, after accepting established&related but before any action like drop/deny/tarpit:
ip firewall filter add chain=input src-address=192.168.1.100 dst-address=10.10.80.0/24 protocol=tcp dst-port=8291 action=accept comment="WinBox Allow"
and in IP > Services the WinBox service must be active and the address must be 0.0.0.0/0 and/or your specific one,
and in System > Users your user must not have a restriction preventing logon from an IP that is not yours.

Of course, classic testing like:
* ping 10.10.80.101
* tools traceroute 10.10.80.101
* ip firewall connections (= connection tracking, conntrack), filtered to the traffic to 10.10.80.101, shows you what is blocked in the firewall, e.g. one direction like Tx works but no Rx, etc.
* tools torch shows something similar to conntrack

I hope this gives you a hint in this direction.
This is so easy that it should just work out of the box.

And if your LTE devices receive other IPs like 10.20.30.100-101, then just change 10.10.80.0/24 to 10.20.30.0/24 in the firewall rules.

Re: Remote winbox into wAP LTE and LtAP over SSTP VPN

Posted: Fri Oct 11, 2019 2:11 pm
by DSK
On my home router, I have added a route where the dst address is 10.10.80.0/24 and the gateway is the sstp interface. I however still can't access the CHR over Winbox. I can however access the CHR via its public IP in Winbox.

Re: Remote winbox into wAP LTE and LtAP over SSTP VPN

Posted: Fri Oct 11, 2019 2:36 pm
by SiB
On my home router, I have added a route where the dst address is 10.10.80.0/24 and the gateway is the sstp interface. I however still can't access the CHR over Winbox. I can however access the CHR via its public IP in Winbox.
This means the first point of my howto... is not working.
In this scenario:
* Your PC WinBox must have routing to 10.10.80.0/24 via its SSTP, e.g. 10.10.80.102.
Then your WinBox should connect to the CHR at its 10.10.80.1 - does this work for you?
What address exists at your PC's sstp interface when you connect to SSTP? 10.10.80.x?
You should receive 2 addresses, like Remote 10.10.80.1 AND Local 10.10.80.103 or other. In WinBox you must use this remote-side one.
You did not provide any more details and I must assume. Write more.
Check in the firewall that you are not blocking the WinBox port.

Re: Remote winbox into wAP LTE and LtAP over SSTP VPN

Posted: Tue Oct 15, 2019 12:55 pm
by DSK
This means the first point of my howto... is not working.
Sure. Below is what the SSTP server logs when I attempt to log in from the SSTP client home router.
Winbox SSTP Server Log.png
I have also added a route on the home router as below
Home Router SSTP Route.png
What address exists at your PC's sstp interface when you connect to SSTP? 10.10.80.x?
You should receive 2 addresses, like Remote 10.10.80.1 AND Local 10.10.80.103 or other. In WinBox you must use this remote-side one.
SSTP on home router.png
Check in the firewall that you are not blocking the WinBox port.
I have a firewall rule on the SSTP server to allow all ppp tcp 8291 input
SSTP Server allow Winbox.png

Re: Remote winbox into wAP LTE and LtAP over SSTP VPN  [SOLVED]

Posted: Tue Oct 15, 2019 9:58 pm
by SiB
You still have not provided proper information on your full setup.
Look, I made a free online diagram at gliffy.com in 5 minutes from the current information you provided, but still some things are not right.
Look at the diagram and write what is not right; correct it for me.
firefox_Sremqed4Dx.png
You write about 2x LTE devices, 1x home router, 1x CHR.
The LTE devices should have 10.10.80.x, but in the screenshot I see the 10.10.10.x network.
One of the screenshots with an LtAP is an LtAP mini; is that your home router? If yes, then you should connect to 10.10.10.51, if the CHR has a route to your home router via the sstp_connection.

You see, we lose time writing posts to understand your situation.
Remember that you can contact me directly and we can do remote access and finish this in minutes.
I have a firewall rule on the SSTP server to allow all ppp tcp 8291 input
Then this is a bad rule. You should have the "NEW" tcp connection state selected, not established and related; those two should be an upper rule, but this is not the topic of how to do proper firewall rules.

Re: Remote winbox into wAP LTE and LtAP over SSTP VPN

Posted: Wed Oct 16, 2019 5:04 pm
by DSK
I am happy to inform you that I can now successfully log into both the remote devices and the CHR SSTP server via the SSTP VPN tunnel from PC Winbox. I had only added a route on the home router. After adding a route on the CHR for Dst. 192.168.0.0/24 it now works. My network layout is attached below for further advice, if any. I have made a few changes to appear a bit more organised.
Thanks a lot for your time and advice
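Pulling together what fixed it in this thread (the return route DSK added on the CHR) with SiB's later point that the WinBox accept should match NEW connections after the established/related rule, here is an added example of the CHR and client-side configuration written by the editor; it is not either poster's own config. It assumes SiB's layout (CHR 10.10.80.1, LTE clients 10.10.80.100-101) plus two assumed values: 192.168.0.0/24 as the home LAN and 10.10.80.102 as the home router's SSTP address.

```routeros
# --- CHR (SSTP server) ---
# Assumed addressing: CHR 10.10.80.1, LTE clients 10.10.80.100-101,
# home router's SSTP address 10.10.80.102, home LAN 192.168.0.0/24.

# Return route: without it the CHR (and the LTE devices behind it) have no path
# back to the PC's LAN, so SYN arrives but replies never come back.
/ip route add dst-address=192.168.0.0/24 gateway=10.10.80.102 comment="home LAN via home router SSTP"

# Forward chain, in this order: state rules first, then a narrow accept for
# NEW WinBox sessions from the home LAN to the SSTP clients, then a drop for
# anything else trying to cross between tunnels.
/ip firewall filter
add chain=forward connection-state=established,related action=accept comment="established & related"
add chain=forward connection-state=invalid action=drop comment="invalid"
add chain=forward connection-state=new src-address=192.168.0.0/24 dst-address=10.10.80.0/24 protocol=tcp dst-port=8291 action=accept comment="WinBox from home LAN to LTE clients"
add chain=forward in-interface=all-ppp out-interface=all-ppp action=drop comment="no other traffic between SSTP clients"

# --- each wAP LTE / LtAP (SSTP client) ---
# Same ordering in the input chain; only NEW WinBox sessions from the home LAN
# arriving over the tunnel (all-ppp) are accepted, ahead of the usual drop.
/ip firewall filter
add chain=input connection-state=established,related action=accept comment="established & related"
add chain=input connection-state=new src-address=192.168.0.0/24 in-interface=all-ppp protocol=tcp dst-port=8291 action=accept comment="WinBox from home LAN over SSTP"

# Limit the WinBox service itself to the tunnel and home ranges as a second layer.
/ip service set winbox address=192.168.0.0/24,10.10.80.0/24
```

Check with /ip firewall connection print while connecting: a WinBox entry that stays in SYN-sent state with no reply points at the missing return route rather than at the filter rules.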

Re: Remote winbox into wAP LTE and LtAP over SSTP VPN

Posted: Wed Oct 16, 2019 7:47 pm
by SiB
If you have that many devices which can be accessed by public IP, then please look at simply securing your input chain - this should always be checked, monitored, and kept safe.
You collect some public IPs you manage as safe to connect to all other devices. Look, I have >200 mtk online now and can reach them from only 8 places remotely, but via a proper VPN without limit.
You should check RoMON, backup login via SSH, port knocking, etc.

List of your safe public IPs at home/work/work2/customer1/customer2, as a backup entry to other customers:
/ip firewall address-list
add address=10.0.0.0/8 comment="LAN_private Class A" list=LAN_private
add address=172.16.0.0/12 comment="LAN_private Class B" list=LAN_private
add address=192.168.0.0/16 comment="LAN_private Class C" list=LAN_private
add address=169.254.0.0/16 comment="LAN_private APIPA" list=LAN_private
add address=a.a.a.a/a comment="ISP CustomerN" list=YourSafeISP-Admins
add address=b.b.b.b/b comment="ISP Home" list=YourSafeISP-Admins
add address=c.c.c.c/c comment="ISP CHR" list=YourSafeISP-Admins
add address=10.10.10.0/24 comment="ISP CHR" list=YourSafeISP-Admins
Example of a simple input chain with ISP at eth1 and eth2:
/ip firewall filter
add action=accept chain=input comment="established & related" connection-state=established,related place-before=0
add action=accept chain=input comment="L2TP - Dst.Port & Nat-Traversal" dst-port=500,1701,4500 protocol=udp place-before=0
add action=accept chain=input comment="L2TP - esp" protocol=ipsec-esp place-before=0
add action=accept chain=input comment=winbox dst-port=8291 protocol=tcp src-address-list=YourSafeISP-Admins place-before=0
add action=accept chain=input protocol=icmp place-before=0
add action=drop chain=input dst-port=53 in-interface=[/interface ethernet find default-name=ether1] protocol=udp place-before=0
add action=drop chain=input in-interface=[/interface ethernet find default-name=ether1] place-before=0
add action=drop chain=input dst-port=53 in-interface=[/interface ethernet find default-name=ether2] protocol=udp place-before=0
add action=drop chain=input in-interface=[/interface ethernet find default-name=ether2] place-before=0
Do not use the default admin login; remove it:
user add group=full name=DSK password="longer_then_100char_with_special_char" disabled=no comment="MyOwnUserName YourCompanyName"
user remove [find name=admin]