I need remote access to my RB4011 router. I set up L2TP IPSec and can successfully remotely log onto the router. However, I cannot access it with WinBox. I disabled the firewall rule allowing port 8291 access, because I recall that this simple filter rule was hacked. I can access the router via winBox on my local LAN, but not remorely.
I'm missing something, but don't know what. Help appreciated! My Firewall export is below.
# aug/31/2020 21:12:49 by RouterOS 6.47.2
# software id = M86E-F0VR
#
# model = RB4011iGS+
# serial number = 968A09471487
/ip firewall address-list
add address=192.168.60.0/24 list=fulladmin
/ip firewall filter
add action=drop chain=RouterServices comment=\
"Prevent guest access to main network" dst-address=192.168.60.0/24 \
src-address=172.16.0.0/24
add action=drop chain=RouterServices comment=\
"Prevent IOT access to main network" dst-address=192.168.60.0/24 \
src-address=10.10.0.0/24
add action=drop chain=RouterServices comment=\
"Prevent Hotspot acess to main network" dst-address=192.168.60.0/24 \
src-address=10.10.10.0/24
add action=accept chain=input comment="L2TP-IPSec VPN access" port=\
1701,500,4500 protocol=udp
add action=accept chain=input protocol=ipsec-esp
add action=accept chain=input disabled=yes dst-port=8291 protocol=tcp \
src-address-list=192.168.60.0/24
add action=passthrough chain=unused-hs-chain comment=\
"place hotspot rules here" disabled=yes
add action=accept chain=input comment=\
"defconf: accept established,related,untracked" connection-state=\
established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment=\
"defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
connection-state=established,related disabled=yes
add action=accept chain=forward comment=\
"defconf: accept established,related, untracked" connection-state=\
established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
connection-state=invalid
add action=drop chain=forward comment=\
"defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
connection-state=new in-interface-list=WAN
/ip firewall nat
add action=passthrough chain=unused-hs-chain comment=\
"place hotspot rules here" disabled=yes
add action=masquerade chain=srcnat comment="defconf: masquerade" \
ipsec-policy=out,none out-interface-list=WAN src-address=0.0.0.0/0
-
-
davidreaton
Frequent Visitor
- Posts: 88
- Joined:
Re: Trouble with remote access
Follow up:
A friend suggested enabling ARP-Proxy on the bridge. This helped and allowed remote access to other mikrotik devices on my LAN (60.3, 60.5) but not the main router, 60.1.
So to summarize: I can remote log in to my router using L2TP-IPSec, on my LAN, can ping and Winbox access my Mikrotik APs, but I cannot WinBox access my main router.
What do I have set wrong?
Thanks in advance.
A friend suggested enabling ARP-Proxy on the bridge. This helped and allowed remote access to other mikrotik devices on my LAN (60.3, 60.5) but not the main router, 60.1.
So to summarize: I can remote log in to my router using L2TP-IPSec, on my LAN, can ping and Winbox access my Mikrotik APs, but I cannot WinBox access my main router.
What do I have set wrong?
Thanks in advance.
Re: Trouble with remote access
I can remote log in to my router using L2TP-IPSec, on my LAN, can ping and Winbox access my Mikrotik APs, but I cannot WinBox access my main router.
Let me guess: while you defined suitable rules to forward traffic to your LAN, you probably forgot to set up input rules to allow the ppp interface access the router itself...
I think this one blocks the traffic not coming from LAN to the router:
Code: Select all
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
in-interface-list=!LANYou either need to include the ppp interface in your LAN list or set up an IP address based rule to allow traffic to the router, e.g. (assuming when connected via L2TP you are assigning yourself an address from the fulladmin list):
Code: Select all
add action=accept chain=input src-address-list=fulladmin-
-
davidreaton
Frequent Visitor
- Posts: 88
- Joined:
Re: Trouble with remote access
Thank you. I'll try these.
Re: Trouble with remote access
Since you VPN into the ROuter, then you need an input rule to allow your VPN "network" on the LAN to access the router..
add action=accept chain=input comment="Allow Mobile_ADMIN to Router" \
connection-state=new ipsec-policy=in,ipsec log=yes log-prefix=\
MobileAdmin_to_Router src-address-list=MobileVPN
In my case the list MobileVPN includes the LANIP assigned to my IKEv2 connection.
Not sure how it works with L2TP??
add action=accept chain=input comment="Allow Mobile_ADMIN to Router" \
connection-state=new ipsec-policy=in,ipsec log=yes log-prefix=\
MobileAdmin_to_Router src-address-list=MobileVPN
In my case the list MobileVPN includes the LANIP assigned to my IKEv2 connection.
Not sure how it works with L2TP??
-
-
davidreaton
Frequent Visitor
- Posts: 88
- Joined:
Re: Trouble with remote access
Thanks for the suggestions. I added an input rule to allow fulladmin to port 8291, and I this works well. Does this look OK? I think I'm at risk because this opens up port 8291 to the whole word, not just my local LAN.
Comments / criticism welcome.
/ip firewall address-list
add address=192.168.60.0/24 list=fulladmin
/ip firewall filter
add action=accept chain=input dst-port="" port=1701,500,4500 protocol=udp
add action=accept chain=input protocol=ipsec-esp
add action=accept chain=input dst-address-list=fulladmin dst-port=8291 \
protocol=tcp src-address-list=fulladmin
Comments / criticism welcome.
/ip firewall address-list
add address=192.168.60.0/24 list=fulladmin
/ip firewall filter
add action=accept chain=input dst-port="" port=1701,500,4500 protocol=udp
add action=accept chain=input protocol=ipsec-esp
add action=accept chain=input dst-address-list=fulladmin dst-port=8291 \
protocol=tcp src-address-list=fulladmin
Re: Trouble with remote access
First of all you dont need to put the winbox port as a firewall rule primarily because we dont need to see it LOL.
Also I would change the port to a non-standard number 43434 sounds good for example.
To answer your question here is my rule........
add action=accept chain=input comment="Allow ADMIN to Router" \
in-interface-list=AllowInt src-address-list=adminaccessible
Notes
1. create interface list to include all the places on the LAN you may wish to access the router from AS AN admin.
2. Create firewall address list to specify which IP addresses you will permit to access the router.
In this regard you are defining sources to those you allow (in this case interface on the LAN) and further specify which specific IPs are allowed.
3. One still needs the separate rule I noted in my previous post for the ipsec LAN IP entry.
In addition I add this rule to my input chain (and forward chain) as my LAST rule.
add action=drop chain=input comment="DROP ALL ELSE"
Therefore anything I didnt allow gets dropped which would include wan to router attempts
Obviously this requires a DANGER DANGER warning (best be using SAFE MODE) as if you dont have admin access nailed down, you will lock yourself out of the router.
++++++++++++++++++++++++++++++++++++++++++++++++++
The reason I dont need to specify the port number is because that is handled elsewhere plus as Admin I want access to all the ports, and the rules above allow me that.
You can delineate access to winbox in many places in different ways.
a. IP services- "Winbox" for example - here you can change the port used..............
b. System - "Users" who can sign in to the router
c. Tools - MACServer "MacWinboxServer" which interfaces are permitted.
Also I would change the port to a non-standard number 43434 sounds good for example.
To answer your question here is my rule........
add action=accept chain=input comment="Allow ADMIN to Router" \
in-interface-list=AllowInt src-address-list=adminaccessible
Notes
1. create interface list to include all the places on the LAN you may wish to access the router from AS AN admin.
2. Create firewall address list to specify which IP addresses you will permit to access the router.
In this regard you are defining sources to those you allow (in this case interface on the LAN) and further specify which specific IPs are allowed.
3. One still needs the separate rule I noted in my previous post for the ipsec LAN IP entry.
In addition I add this rule to my input chain (and forward chain) as my LAST rule.
add action=drop chain=input comment="DROP ALL ELSE"
Therefore anything I didnt allow gets dropped which would include wan to router attempts
Obviously this requires a DANGER DANGER warning (best be using SAFE MODE) as if you dont have admin access nailed down, you will lock yourself out of the router.
++++++++++++++++++++++++++++++++++++++++++++++++++
The reason I dont need to specify the port number is because that is handled elsewhere plus as Admin I want access to all the ports, and the rules above allow me that.
You can delineate access to winbox in many places in different ways.
a. IP services- "Winbox" for example - here you can change the port used..............
b. System - "Users" who can sign in to the router
c. Tools - MACServer "MacWinboxServer" which interfaces are permitted.
-
-
davidreaton
Frequent Visitor
- Posts: 88
- Joined:
Re: Trouble with remote access
Thank you. This helped a lot.
Best Regards
Best Regards