nevolex
Member Candidate
Topic Author
Posts: 167
Joined: Mon Apr 20, 2020 1:09 pm

strange bug ikev2 vpn

Fri Nov 06, 2020 10:45 am

Hi everyone


I am on the latest RouterOS 6.47.7 and just discovered that I cannot connect to the router via toolbox when connected to the IKEv2 VPN.

I have 4 routers and I can connect to 3 of them out of 4; the 4th one is the one running the VPN server.

All the IPs are accessible on my network, even the IP of the router I cannot log in to via toolbox and the web interface.

I can connect to it just fine without the VPN.

The other 3 routers are on the same network and I can connect to them fine via everything.

What can the problem be?

Thank you, everyone
 
sindy
Forum Guru
Posts: 10206
Joined: Mon Dec 04, 2017 9:19 pm

Re: strange bug ikev2 vpn

Fri Nov 06, 2020 10:53 am

It sounds as if the IPsec policy was intercepting the traffic between the "toolbox" (whatever it is) and the router. In other words, no better advice without seeing the configuration and the topology.
 
nevolex
Member Candidate
Topic Author
Posts: 167
Joined: Mon Apr 20, 2020 1:09 pm

Re: strange bug ikev2 vpn

Fri Nov 06, 2020 11:14 am

sindy wrote:
> It sounds as if the IPsec policy was intercepting the traffic between the "toolbox" (whatever it is) and the router. In other words, no better advice without seeing the configuration and the topology.

Haha, sorry, I meant to say Winbox, not toolbox. Thank you.

I can connect to 10.10.0.2 / 10.10.0.3 / 10.10.0.4 just fine.

[admin@MikroTik_RB4011] > /export hide-sensitive
# nov/06/2020 22:12:24 by RouterOS 6.47.7
# software id = A0JA-PWUH
#
# model = RB4011iGS+
# serial number = D1260BF19E4D
/interface bridge
add name=bridge_vlan10_main
add arp=reply-only name=bridge_vlan20_guest
/interface ethernet
set [ find default-name=ether1 ] comment=WAN_PRIMARY_VIA_FIBRE
set [ find default-name=ether2 ] comment=QNAP_BACKUP_1Gb_LINK
set [ find default-name=ether5 ] comment=Main_PC
set [ find default-name=ether8 ] comment=Monitor_VLAN_20
set [ find default-name=ether9 ] comment=Audience_VLAN_10_20 \
name=ether9-trunk
set [ find default-name=ether10 ] comment=WAN_SECONDARY_VIA_LTE
set [ find default-name=sfp-sfpplus1 ] comment=\
QNAP_PRIMARY_10Gb_LINK
/interface vlan
add comment=WAN_VLAN_100_VIA_LTE interface=ether10 name=\
2degress_ISP vlan-id=100
add comment=WAN_VLAN_10 interface=ether1 name=Orcon_ISP vlan-id=\
10
add comment=VLAN_10_and_20_per_Trunk interface=ether9-trunk \
name=vlan10_main vlan-id=10
add comment=VLAN_10_and_20_per_Trunk interface=ether9-trunk \
name=vlan20_guest vlan-id=20
/interface bonding
add mode=active-backup name=qnap_bonding primary=sfp-sfpplus1 \
slaves=sfp-sfpplus1,ether2
/interface ethernet switch port
set 0 default-vlan-id=0
set 1 default-vlan-id=0
set 2 default-vlan-id=0
set 3 default-vlan-id=0
set 4 default-vlan-id=0
set 5 default-vlan-id=0
set 6 default-vlan-id=0
set 7 default-vlan-id=0
set 8 default-vlan-id=0
set 9 default-vlan-id=0
set 10 default-vlan-id=0
set 11 default-vlan-id=0
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip ipsec policy group
add name=ikev2-policies
/ip ipsec profile
add name=IKEv2
/ip ipsec peer
add exchange-mode=ike2 name=IKEv2-peer passive=yes profile=IKEv2
/ip ipsec proposal
add name=IKEv2
/ip pool
add name=pool_vlan10_main ranges=10.10.0.30-10.10.0.253
add name=pool_vlan20_guest ranges=10.20.0.1-10.20.0.253
add name=pool_ikev2_vpn ranges=10.90.0.1-10.90.0.253
/ip dhcp-server
add address-pool=pool_vlan10_main disabled=no interface=\
bridge_vlan10_main lease-time=23h59m59s name=\
dhcp_vlan10_main
add add-arp=yes address-pool=pool_vlan20_guest disabled=no \
interface=bridge_vlan20_guest lease-time=23h59m59s name=\
dhcp_vlan20_guest
/ip ipsec mode-config
add address-pool=pool_ikev2_vpn address-prefix-length=32 name=\
IKEv2-cfg split-include=10.10.0.0/24 static-dns=\
1.1.1.1,1.0.0.1 system-dns=no
/queue simple
add max-limit=20M/20M name=vlan20_speed_limit target=\
10.20.0.0/24
/interface bridge port
add bridge=bridge_vlan10_main interface=ether3
add bridge=bridge_vlan10_main interface=ether4
add bridge=bridge_vlan10_main interface=ether5
add bridge=bridge_vlan10_main interface=ether6
add bridge=bridge_vlan10_main interface=ether7
add bridge=bridge_vlan20_guest interface=ether8
add bridge=bridge_vlan10_main interface=vlan10_main
add bridge=bridge_vlan20_guest interface=vlan20_guest
add bridge=bridge_vlan10_main interface=ether10
add bridge=bridge_vlan10_main interface=qnap_bonding
/interface list member
add interface=Orcon_ISP list=WAN
add interface=bridge_vlan10_main list=LAN
add disabled=yes interface=bridge_vlan20_guest list=LAN
add interface=2degress_ISP list=WAN
/ip address
add address=10.10.0.1/24 interface=bridge_vlan10_main network=\
10.10.0.0
add address=10.20.0.1/24 interface=bridge_vlan20_guest network=\
10.20.0.0
/ip dhcp-client
add disabled=no interface=Orcon_ISP
add default-route-distance=2 disabled=no interface=2degress_ISP
/ip dhcp-server lease
add address=10.10.0.7 client-id=1:9c:5c:8e:20:b8:c6 comment=\
MainPC mac-address=9C:5C:8E:20:B8:C6 server=dhcp_vlan10_main
add address=10.10.0.14 comment=Kettle mac-address=\
BC:DD:C2:A8:06:52 server=dhcp_vlan10_main
add address=10.10.0.17 client-id=1:d0:73:d5:24:52:2f comment=\
LIFXBulb mac-address=D0:73:D5:24:52:2F server=\
dhcp_vlan10_main
add address=10.10.0.20 client-id=1:50:ec:50:3a:f7:c5 comment=\
CCTV mac-address=50:EC:50:3A:F7:C5 server=dhcp_vlan10_main
add address=10.10.0.13 comment=NestMini_Living_Room mac-address=\
D4:F5:47:2B:BB:D7 server=dhcp_vlan10_main
add address=10.10.0.8 client-id=1:c0:b5:d7:5b:d7:4e comment=\
Printer mac-address=C0:B5:D7:5B:D7:4E server=\
dhcp_vlan10_main
add address=10.10.0.18 comment=NestMini_Bed_Room mac-address=\
D4:F5:47:12:EE:02 server=dhcp_vlan10_main
add address=10.10.0.16 comment=LIFXBulb mac-address=\
D0:73:D5:12:25:E9 server=dhcp_vlan10_main
add address=10.10.0.15 client-id=1:ac:d5:64:94:db:dd comment=\
SonyTV mac-address=AC:D5:64:94:DB:DD server=dhcp_vlan10_main
add address=10.10.0.11 client-id=1:cc:f9:e4:9c:0:e0 comment=\
DellXPS_Laptop mac-address=CC:F9:E4:9C:00:E0 server=\
dhcp_vlan10_main
add address=10.20.0.2 client-id=1:76:4d:28:f4:f7:f3 comment=\
MikroTik_Audience_VLAN_20 mac-address=76:4D:28:F4:F7:F3 \
server=dhcp_vlan20_guest
add address=10.10.0.2 client-id=1:74:4d:28:f4:f7:f2 comment=\
MikroTik_Audience_VLAN_10 mac-address=74:4D:28:F4:F7:F2 \
server=dhcp_vlan10_main
add address=10.10.0.19 client-id=1:38:f9:d3:52:a6:be comment=\
MacbookAir mac-address=38:F9:D3:52:A6:BE server=\
dhcp_vlan10_main
add address=10.10.0.9 client-id=1:dc:a6:32:e:48:81 comment=\
RaspberryPi mac-address=DC:A6:32:0E:48:81 server=\
dhcp_vlan10_main
add address=10.10.0.12 client-id=1:0:18:dd:24:1c:fa comment=\
IPTVTuner mac-address=00:18:DD:24:1C:FA server=\
dhcp_vlan10_main
add address=10.10.0.10 client-id=1:0:a:f5:45:bf:ec comment=\
BookReader mac-address=00:0A:F5:45:BF:EC server=\
dhcp_vlan10_main
add address=10.10.0.3 client-id=1:c4:ad:34:b1:33:b comment=\
MikroTik_hap_ac2_VLAN_10 mac-address=C4:AD:34:B1:33:0B \
server=dhcp_vlan10_main
add address=10.20.0.3 client-id=1:c4:ad:34:b1:33:a comment=\
MikroTik_hap_ac2_VLAN_20 mac-address=C4:AD:34:B1:33:0A \
server=dhcp_vlan20_guest
add address=10.10.0.4 client-id=1:b8:69:f4:ba:4f:f1 comment=\
Mikrotik_LtAP_mini mac-address=B8:69:F4:BA:4F:F1 server=\
dhcp_vlan10_main
add address=10.10.0.21 comment=VOIP_PHONE mac-address=\
00:0B:82:EA:D2:C4 server=dhcp_vlan10_main
add address=10.10.0.5 client-id=1:24:5e:be:1a:4f:37 comment=QNAP \
mac-address=24:5E:BE:1A:4F:37 server=dhcp_vlan10_main
add address=10.10.0.6 client-id=\
ff:b5:5e:67:ff:0:2:0:0:ab:11:14:d1:4f:b6:de:77:92:10 \
comment=Linux_Server mac-address=52:54:00:13:09:91 server=\
dhcp_vlan10_main
add address=10.10.0.22 client-id=1:2c:26:17:82:8e:2b comment=\
Oculus_Quest mac-address=2C:26:17:82:8E:2B server=\
dhcp_vlan10_main
/ip dhcp-server network
add address=10.10.0.0/24 dns-server=1.1.1.1,1.0.0.1 gateway=\
10.10.0.1 netmask=24
add address=10.20.0.0/24 dns-server=1.1.1.1,1.0.0.1 gateway=\
10.20.0.1 netmask=24
/ip firewall filter
add action=accept chain=input comment=\
"defconf: accept established,related,untracked" \
connection-state=established,related,untracked
add action=accept chain=input comment=\
"accept connection to IKEv2 ports" dst-port=500,4500 \
in-interface-list=WAN protocol=udp
add action=drop chain=input comment="defconf: drop invalid" \
connection-state=invalid
add action=accept chain=input comment="defconf: accept ICMP" \
protocol=icmp
add action=drop chain=input comment=\
"defconf: drop all not coming from LAN" in-interface-list=\
!LAN
add action=accept chain=forward comment=\
"defconf: accept in ipsec policy" in-interface-list=WAN \
ipsec-policy=in,ipsec
add action=accept chain=forward comment=\
"defconf: accept out ipsec policy" ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment=\
"defconf: fasttrack" connection-state=established,related
add action=accept chain=forward comment=\
"defconf: accept established,related, untracked" \
connection-state=established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
connection-state=invalid
add action=drop chain=forward comment=\
"defconf: drop all from WAN not DSTNATed" \
connection-nat-state=!dstnat connection-state=new \
in-interface-list=WAN
/ip firewall nat
add action=masquerade chain=srcnat comment=Primary_ISP \
out-interface=Orcon_ISP
add action=masquerade chain=srcnat comment=Secondary_ISP \
out-interface=2degress_ISP
/ip ipsec identity
add auth-method=digital-signature certificate=VPN_Server \
generate-policy=port-strict mode-config=IKEv2-cfg peer=\
IKEv2-peer policy-template-group=ikev2-policies
/ip ipsec policy
add dst-address=10.90.0.0/24 group=ikev2-policies proposal=IKEv2 \
src-address=0.0.0.0/0 template=yes
/ip route rule
add action=unreachable dst-address=10.10.0.0/24 src-address=\
10.20.0.0/24
add action=unreachable dst-address=10.20.0.0/24 src-address=\
10.10.0.0/24
/ip service
set telnet disabled=yes
set ftp disabled=yes
set api disabled=yes
set api-ssl disabled=yes
/system clock
set time-zone-name=Pacific/Auckland
/system identity
set name=MikroTik_RB4011
/system scheduler
add interval=4w2d name=monthly_reboot on-event="/system reboot" \
policy="ftp,reboot,read,write,policy,test,password,sniff,sens\
itive,romon" start-date=aug/27/2020 start-time=03:00:00
[admin@MikroTik_RB4011] >
 
sindy
Forum Guru
Posts: 10206
Joined: Mon Dec 04, 2017 9:19 pm

Re: strange bug ikev2 vpn  [SOLVED]

Fri Nov 06, 2020 11:37 am

You forgot two things: to place [code] and [/code] tags around the configuration export in your previous post, and to describe the topology.

So a guess: you are connected via a VPN, and from a client of that VPN, you can connect using Winbox/WebFig to other routers in 10.10.0.0/24, but not to the 4011 acting as VPN server itself?

If so, you have to add a firewall rule
chain=input ipsec-policy=in,ipsec protocol=tcp dst-port=80,8291 action=accept
just above the existing
action=drop chain=input comment="defconf: drop all not coming from LAN" in-interface-list=!LAN

The thing is that the IPsec transport packets come in via the WAN interface, and the payload packets decapsulated from the transport ones inherit the in-interface attribute from them, so the rule "drop everything not coming in via LAN" drops them.

Packets between the VPN client and the other routers in 10.10.0.0/24 are handled in chain forward, and there you have such a rule already.

If you plan only some VPN clients to have management access to the router(s), you have to make the permissive rules more selective - typically you would assign a specific IP address or pool to the /ip ipsec identity row for that privileged client, and add src-address=the.specific.addr.or.range to the permissive rules.

I've read your initial description as "whenever a VPN is up on a router, I cannot connect to that router from a locally connected management PC". So my initial suggestion that it was an IPsec policy related issue was a total miss.
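The selective variant described above (a fixed address for one privileged client on its own /ip ipsec identity row, plus src-address on the permissive input rule), written out as RouterOS CLI commands. This is an added example, not configuration from the thread; the client certificate name Admin_Laptop, the address 10.90.0.254 (chosen outside the shared pool_ikev2_vpn range) and the new mode-config/identity names are assumptions, while the existing object names come from the export posted earlier.

```routeros
# Added example, not from the thread. Assumed: the privileged client
# authenticates with a certificate imported on the router as "Admin_Laptop",
# and 10.90.0.254 is free (pool_ikev2_vpn ends at 10.90.0.253).

# 1. Mode-config that hands this client one fixed address instead of the pool
/ip ipsec mode-config
add name=IKEv2-cfg-admin address=10.90.0.254 address-prefix-length=32 \
    split-include=10.10.0.0/24 static-dns=1.1.1.1,1.0.0.1 system-dns=no

# 2. Identity that only fits the holder of that certificate; every other
#    client keeps landing on the generic identity with IKEv2-cfg and the pool
/ip ipsec identity
add auth-method=digital-signature certificate=VPN_Server \
    match-by=certificate remote-certificate=Admin_Laptop \
    mode-config=IKEv2-cfg-admin peer=IKEv2-peer generate-policy=port-strict \
    policy-template-group=ikev2-policies

# 3. Input rule: decapsulated IPsec packets (ipsec-policy=in,ipsec) from the
#    fixed address may reach WebFig (80) and Winbox (8291). place-before puts it
#    above the defconf drop, which would otherwise discard them because the
#    decapsulated packets inherit in-interface from the WAN transport packet.
/ip firewall filter
add chain=input action=accept protocol=tcp dst-port=80,8291 \
    ipsec-policy=in,ipsec src-address=10.90.0.254 \
    comment="accept Winbox/WebFig from privileged IKEv2 client" \
    place-before=[find comment="defconf: drop all not coming from LAN"]

# Check: the accept rule must be listed before the defconf drop, and its
# counters should increase when the client opens Winbox over the tunnel
/ip firewall filter print stats where chain=input
/ip ipsec active-peers print
```

Other VPN clients still reach the rest of 10.10.0.0/24 through chain forward as before; only management access to the 4011 itself is restricted to the fixed address.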
 
nevolex
Member Candidate
Topic Author
Posts: 167
Joined: Mon Apr 20, 2020 1:09 pm

Re: strange bug ikev2 vpn

Fri Nov 06, 2020 12:52 pm

sindy wrote:
> You forgot two things: to place [code] and [/code] tags around the configuration export in your previous post, and to describe the topology.
>
> So a guess: you are connected via a VPN, and from a client of that VPN, you can connect using Winbox/WebFig to other routers in 10.10.0.0/24, but not to the 4011 acting as VPN server itself?
>
> If so, you have to add a firewall rule
> chain=input ipsec-policy=in,ipsec protocol=tcp dst-port=80,8291 action=accept
> just above the existing
> action=drop chain=input comment="defconf: drop all not coming from LAN" in-interface-list=!LAN
>
> The thing is that the IPsec transport packets come in via the WAN interface, and the payload packets decapsulated from the transport ones inherit the in-interface attribute from them, so the rule "drop everything not coming in via LAN" drops them.
>
> Packets between the VPN client and the other routers in 10.10.0.0/24 are handled in chain forward, and there you have such a rule already.
>
> If you plan only some VPN clients to have management access to the router(s), you have to make the permissive rules more selective - typically you would assign a specific IP address or pool to the /ip ipsec identity row for that privileged client, and add src-address=the.specific.addr.or.range to the permissive rules.
>
> I've read your initial description as "whenever a VPN is up on a router, I cannot connect to that router from a locally connected management PC". So my initial suggestion that it was an IPsec policy related issue was a total miss.

Thank you Sindy, it worked. This is exactly what I needed; I had to add the rule:

chain=input ipsec-policy=in,ipsec protocol=tcp dst-port=80,8291 action=accept
