ssantos
just joined
Topic Author
Posts: 13
Joined: Fri May 22, 2020 11:25 am

Full access to LAN over VPN

Fri May 22, 2020 11:39 am

Hello. I have set up a VPN on my MikroTik RB2011UiAS-2HnD. The LAN has addresses in the pool 192.168.88.0/24 (DG: 192.168.88.1). The VPN doesn't have a pool (I don't want one); it only has one address, 192.168.89.100. My problem is that over the VPN I can access all of my devices (for example 192.168.88.93, which is an IP camera), but I don't have access to the router (192.168.88.1) over the VPN, nor can I see other PCs in Network Discovery (which I do see when I'm on the LAN).
Is it a firewall rule or a VPN configuration setting? Could anyone please help?
 
sindy
Forum Guru
Posts: 5514
Joined: Mon Dec 04, 2017 9:19 pm

Re: Full access to LAN over VPN

Fri May 22, 2020 1:09 pm

Is it a firewall rule or a VPN configuration setting? Could anyone please help?
As you've realized yourself, there may be many reasons why you cannot connect to the router itself via the VPN, depending on the particular VPN type you use and/or your firewall rules, so to get useful advice, provide useful input by following the guideline in my automatic signature right below.

The functionality of Network Discovery typically depends on L2 transparency between the discovering device and the discovered ones, so you might need a VPN capable of tunnelling L2, which the embedded VPN clients of Windows and macOS do not support, so you would need to use another MikroTik device as the client.
Instead of writing novels, post /export hide-sensitive. Use find&replace in your favourite text editor to systematically replace all occurrences of each public IP address potentially identifying you by a distinctive pattern such as my.public.ip.1.
 
ssantos
just joined
Topic Author
Posts: 13
Joined: Fri May 22, 2020 11:25 am

Re: Full access to LAN over VPN

Sat May 23, 2020 10:39 pm

Thank you for your answer. I posted below my config file with all the sensitive data hidden, although I should mention that I'm a newbie and learning most things right now, so it is very possible that my config is messed up. If that's true, I have no problem resetting the router, making some basic config and re-sending you my config file. Anyway, here's the config running right now:

# may/23/2020 22:27:38 by RouterOS 6.46.1
# software id = C8B5-GX6M
#
# model = 2011UiAS-2HnD
# serial number = xx.xx.xx.xx
/interface bridge
add admin-mac=xxxxxxxxxxx arp=proxy-arp auto-mac=no comment=defconf name=bridge
/interface ethernet
set [ find default-name=ether1 ] arp=proxy-arp name=1wan
set [ find default-name=ether2 ] arp=proxy-arp name=2desktop
set [ find default-name=ether3 ] name=3ipcamera
set [ find default-name=ether5 ] disabled=yes
set [ find default-name=ether6 ] disabled=yes
set [ find default-name=ether7 ] disabled=yes
set [ find default-name=ether8 ] disabled=yes
set [ find default-name=ether9 ] disabled=yes
set [ find default-name=ether10 ] disabled=yes
set [ find default-name=sfp1 ] disabled=yes
/interface pppoe-client
add add-default-route=yes disabled=no interface=1wan name=pppoe-out1 password=xxxx service-name=xxxx
use-peer-dns=yes user=xxxxxx
/interface wireless
set [ find default-name=wlan1 ] band=2ghz-b/g/n channel-width=20/40mhz-XX country=xxxxx disabled=no distance=\
indoors frequency=auto hide-ssid=yes installation=indoor mode=ap-bridge name=wifi ssid=xxxxx \
wireless-protocol=802.11
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface wireless security-profiles
set [ find default=yes ] authentication-types=wpa2-psk mode=dynamic-keys supplicant-identity=MikroTik \
wpa-pre-shared-key=xxxxxxxxx wpa2-pre-shared-key=xxxxx
/ip pool
add name=dhcp ranges=192.168.88.90-192.168.88.99
/ip dhcp-server
add address-pool=dhcp disabled=no interface=bridge name=defconf
/interface bridge port
add bridge=bridge comment=defconf interface=2desktop
add bridge=bridge comment=defconf interface=3ipcamera
add bridge=bridge comment=defconf interface=ether4
add bridge=bridge comment=defconf interface=ether5
add bridge=bridge comment=defconf interface=ether6
add bridge=bridge comment=defconf interface=ether7
add bridge=bridge comment=defconf interface=ether8
add bridge=bridge comment=defconf interface=ether9
add bridge=bridge comment=defconf interface=ether10
add bridge=bridge comment=defconf interface=sfp1
add bridge=bridge comment=defconf interface=wifi
/ip neighbor discovery-settings
set discover-interface-list=LAN
/interface l2tp-server server
set enabled=yes ipsec-secret=xxxxxxxxx use-ipsec=yes
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=1wan list=WAN
add interface=pppoe-out1 list=WAN
/interface pptp-server server
set enabled=yes
/interface sstp-server server
set default-profile=default-encryption enabled=yes
/ip address
add address=192.168.88.1/24 comment=defconf interface=2desktop network=192.168.88.0
/ip arp
add address=192.168.88.100 interface=bridge mac-address=xxxxxx
add address=192.168.88.102 interface=bridge mac-address=xxxxxx
add address=192.168.88.101 interface=bridge mac-address=xxxxxx
/ip cloud
set ddns-enabled=yes
/ip dhcp-client
add comment=defconf interface=1wan
/ip dhcp-server network
add address=192.168.88.0/24 comment=defconf gateway=192.168.88.1
/ip dns
set allow-remote-requests=yes
/ip dns static
add address=192.168.88.1 comment=defconf name=router.lan
/ip firewall filter
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=\
established,related,untracked
add action=accept chain=input comment="allow IPsec NAT" dst-port=4500 protocol=udp
add action=accept chain=input comment="allow IKE" dst-port=500 protocol=udp
add action=accept chain=input comment="allow l2tp" dst-port=1701 protocol=udp
add action=accept chain=input comment="allow pptp" dst-port=1723 protocol=tcp
add action=accept chain=input comment="allow sstp" dst-port=443 protocol=tcp
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment="defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=drop chain=input comment="defconf: drop all not coming from LAN" in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related
add action=accept chain=forward comment="defconf: accept established,related, untracked" connection-state=\
established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
add action=drop chain=forward comment="defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
connection-state=new in-interface-list=WAN
add action=drop chain=input comment="defconf:drop all not coming from LAN" in-interface-list=!LAN
add action=drop chain=input comment="defconf:drop all not coming from LAN" in-interface-list=!LAN
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" ipsec-policy=out,none
add action=masquerade chain=srcnat comment="masq. vpn traffic" src-address=192.168.89.0/24
/ip service
set www address=192.168.88.0/24
set ssh address=192.168.88.0/24
set www-ssl address=192.168.88.0/24
/lcd
set backlight-timeout=never default-screen=stat-slideshow flip-screen=yes touch-screen=disabled
/lcd interface
set sfp1 disabled=yes
set "1wan" disabled=yes
set "3ipcamera" disabled=yes
set ether4 disabled=yes
set ether5 disabled=yes
set ether6 disabled=yes
set ether7 disabled=yes
set ether8 disabled=yes
set ether9 disabled=yes
set ether10 disabled=yes
/lcd interface pages
set 0 interfaces=wifi
/ppp profile
set *FFFFFFFE dns-server=192.168.88.1 local-address=192.168.89.1 remote-address=*2
/ppp secret
add local-address=192.168.88.1 name=xxxxx password=xxxxxxxxx profile=default-encryption remote-address=\
192.168.88.88 service=l2tp
/system clock
set time-zone-name=Europe/Athens
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN
 
sindy
Forum Guru
Posts: 5514
Joined: Mon Dec 04, 2017 9:19 pm

Re: Full access to LAN over VPN

Sat May 23, 2020 11:14 pm

The last rule in chain=input of your /ip firewall filter says action=drop chain=input comment="defconf:drop all not coming from LAN" in-interface-list=!LAN (and for some reason, this rule is there three times, so remove the last two).

Since the dynamically created interface representing the L2TP tunnel to the client is not a member of interface list LAN, packets coming in via this interface match this rule and thus get dropped.

Since you only ever plan to use a single client, just do
/ppp profile set default-encryption interface-list=LAN
This will make sure that whenever the client connection establishes, the dynamically created interface will be automatically added to the interface list.

Unrelated to that, change the interface to which the IP address 192.168.88.1 is attached from 2desktop to bridge. It works like this too, but it is not correct and it may stop working in some future RouterOS version. Just switch Safe Mode on before doing the change and only exit Safe Mode if you can see the change has been done successfully, or do the change while connected via the VPN.
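As an added illustration (this is not code from the thread or from RouterOS), here is a small Python model of how RouterOS walks chain=input, loaded with the input rules from the export above (first matching rule wins, no match means accept). It shows why a new connection to the router arriving on the dynamic L2TP interface (assumed here to be named l2tp-in1) hits "drop all not coming from LAN", why putting that interface into the LAN list lets it through, and which rules are redundant copies.

```python
from dataclasses import dataclass, field

@dataclass
class Rule:
    action: str
    comment: str
    match: dict = field(default_factory=dict)  # the RouterOS matchers used

# chain=input of the posted export, in order (pptp, sstp and loopback rules omitted)
INPUT_CHAIN = [
    Rule("accept", "defconf: accept established,related,untracked",
         {"conn_state": {"established", "related", "untracked"}}),
    Rule("accept", "allow IPsec NAT", {"proto": "udp", "dst_port": 4500}),
    Rule("accept", "allow IKE", {"proto": "udp", "dst_port": 500}),
    Rule("accept", "allow l2tp", {"proto": "udp", "dst_port": 1701}),
    Rule("drop", "defconf: drop invalid", {"conn_state": {"invalid"}}),
    Rule("accept", "defconf: accept ICMP", {"proto": "icmp"}),
    Rule("drop", "defconf: drop all not coming from LAN", {"in_list": "!LAN"}),
    Rule("drop", "defconf:drop all not coming from LAN", {"in_list": "!LAN"}),
    Rule("drop", "defconf:drop all not coming from LAN", {"in_list": "!LAN"}),
]

def matches(rule, pkt, lists):
    """All matchers must agree; pkt is a dict, lists maps list name -> member set."""
    for key, want in rule.match.items():
        if key == "conn_state":
            ok = pkt["conn_state"] in want
        elif key == "in_list":  # in-interface-list=LAN, or =!LAN (negated)
            name, negate = want.lstrip("!"), want.startswith("!")
            ok = (pkt["in_iface"] in lists.get(name, set())) != negate
        else:
            ok = pkt.get(key) == want
        if not ok:
            return False
    return True

def evaluate(chain, pkt, lists):
    """First matching rule wins; if nothing matches, RouterOS accepts."""
    for rule in chain:
        if matches(rule, pkt, lists):
            return rule.action, rule.comment
    return "accept", "(no rule matched: chain default)"

def redundant_rules(chain):
    """Indexes of rules repeating an earlier rule's action and matchers."""
    seen = []
    for r in chain:
        seen.append((r.action, sorted((k, str(v)) for k, v in r.match.items())))
    return [i for i, k in enumerate(seen) if k in seen[:i]]
```

The forward chain has no such !LAN rule, which is why the camera behind the bridge was reachable while the router itself was not.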
 
ssantos
just joined
Topic Author
Posts: 13
Joined: Fri May 22, 2020 11:25 am

Re: Full access to LAN over VPN

Sun May 24, 2020 11:45 am

Thank you very much for your help. Problem solved!
Is there anything else I can do for the network discovery? I am planning on building a very tiny home file server on an old PC I have!
 
sindy
Forum Guru
Posts: 5514
Joined: Mon Dec 04, 2017 9:19 pm

Re: Full access to LAN over VPN

Sun May 24, 2020 12:29 pm

I have no idea how the network discovery you have in mind works, but as I wrote, L3 VPNs do not transport broadcast packets or ARP packets, so you would most likely need an L2 VPN, and for that, you need to either write your own VPN application for Windows or to use another Mikrotik (such as mAP) to create an L2 VPN tunnel. Despite the name of the protocol, most implementations can only use L2TP to set up L3 tunnels.

Theoretically, you might run a CHR on your PC, if your virtualisation software can handle L2 interconnection between the Windows and the virtual machine.

Or just forget about SMB, and use WinSCP to access the file server from the VPN client.
 
ssantos
just joined
Topic Author
Posts: 13
Joined: Fri May 22, 2020 11:25 am

Re: Full access to LAN over VPN

Mon May 25, 2020 9:28 am

So I tried some solutions out, and it seems that with a few changes in the Windows firewall I managed to get access to the PC which I use as an FTP server from Network Discovery via my VPN. When connected to the VPN, Windows Network Discovery can't recognize the PCs in the network, but if I type the target PC address (FTP server) in the File Explorer address bar (in my case \\192.168.88.100), it gives me access to all the stuff I want. This will work if the VPN client is also on the same subnet (192.168.88.0/24).
Thank you again for your time and all your advice!
