mihaifpopa
just joined
Topic Author
Posts: 10
Joined: Wed Jul 28, 2021 1:21 pm

Cannot access VPN clients from LAN

Thu Aug 05, 2021 5:23 pm

Hello! I'm having a problem connecting through RDP (or any other way) into a VPN client from my LAN. This is the case with any VPN client from LAN. I can access both LAN and VPN clients from VPN, though.

My configuration:
 /export hide-sensitive
# aug/05/2021 17:17:37 by RouterOS 6.48.3
# software id = UX4J-2Z99
#
# model = 951G-2HnD
# serial number = 642F073E725C
# NOTE(review): hide-sensitive strips passwords and IPsec PSKs, but not the serial
# number, MAC addresses or the PPPoE account name below; redact those as well before
# posting an export publicly.
/interface bridge
add admin-mac=64:D1:54:A0:FE:38 auto-mac=no comment=defconf name=bridge
/interface wireless
set [ find default-name=wlan1 ] band=2ghz-b/g/n channel-width=20/40mhz-XX \
    country=romania distance=indoors frequency=auto installation=indoor mode=\
    ap-bridge ssid=MikroTik-A0FE3C wireless-protocol=802.11
# Internet uplink is PPPoE over ether1: traffic from the ISP arrives on pppoe-out1,
# not on ether1 itself (relevant for the in-interface=ether1 firewall rules below).
/interface pppoe-client
add add-default-route=yes disabled=no interface=ether1 name=pppoe-out1 \
    use-peer-dns=yes user=IS282663601
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface wireless security-profiles
set [ find default=yes ] authentication-types=wpa-psk,wpa2-psk mode=\
    dynamic-keys supplicant-identity=MikroTik
/ip kid-control
add fri=0s-1d mon=0s-1d name=system-dummy sat=0s-1d sun=0s-1d thu=0s-1d tue=\
    0s-1d tur-fri=0s-1d tur-mon=0s-1d tur-sat=0s-1d tur-sun=0s-1d tur-thu=0s-1d \
    tur-tue=0s-1d tur-wed=0s-1d wed=0s-1d
# Address pools: LAN clients get 192.168.15.x, VPN clients 192.168.16.x.
# Both ranges are inside 192.168.0.0/16, which is also an entry of the
# not_in_internet address list used by the forward-chain drop rules further down.
/ip pool
add name=dhcp ranges=192.168.15.10-192.168.15.254
add name=vpn ranges=192.168.16.2-192.168.16.200
/ip dhcp-server
add address-pool=dhcp disabled=no interface=bridge name=defconf
/ppp profile
set *FFFFFFFE local-address=192.168.16.1 remote-address=vpn
/interface bridge port
add bridge=bridge comment=defconf interface=ether2
add bridge=bridge comment=defconf interface=ether3
add bridge=bridge comment=defconf interface=ether4
add bridge=bridge comment=defconf interface=ether5
add bridge=bridge comment=defconf interface=wlan1
/ip neighbor discovery-settings
set discover-interface-list=none
/interface detect-internet
set detect-interface-list=all
# VPN servers. L2TP with IPsec (the PSK is hidden by hide-sensitive) and SSTP are
# reasonable choices; PPTP's MS-CHAPv2/MPPE is widely regarded as broken, so
# consider disabling it and dropping the matching "allow pptp" input rule below.
/interface l2tp-server server
set enabled=yes use-ipsec=yes
# Only the bridge is in the LAN list; dynamically created VPN client interfaces
# (l2tp/sstp/pptp) belong to neither list, so in-interface-list=LAN/WAN matches
# do not apply to them.
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=ether1 list=WAN
add interface=pppoe-out1 list=WAN
/interface pptp-server server
set enabled=yes
/interface sstp-server server
set default-profile=default-encryption enabled=yes
/ip address
add address=192.168.15.1/24 comment=defconf interface=bridge network=\
    192.168.15.0
/ip cloud
set update-time=no
/ip dhcp-client
add comment=defconf interface=ether1
/ip dhcp-server lease
add address=192.168.15.254 mac-address=A0:43:B0:32:00:A4 server=defconf
add address=192.168.15.253 client-id=1:1c:3b:f3:93:e1:ea mac-address=\
    1C:3B:F3:93:E1:EA server=defconf
add address=192.168.15.251 client-id=1:92:60:ab:92:37:58 mac-address=\
    92:60:AB:92:37:58 server=defconf
add address=192.168.15.252 client-id=1:a8:a1:59:51:54:98 mac-address=\
    A8:A1:59:51:54:98 server=defconf
add address=192.168.15.249 mac-address=E8:68:E7:4D:9A:76 server=defconf
/ip dhcp-server network
add address=192.168.15.0/24 comment=defconf gateway=192.168.15.1 netmask=24
/ip dns static
add address=192.168.15.1 comment=defconf name=router.lan
# Address lists:
#  - allowed_to_router: LAN hosts permitted to open connections to the router
#    itself (used by the hand-added input rule near the end of the filter chain).
#  - not_in_internet: private/bogon ranges. It is used both to discard spoofed
#    sources on the WAN side and to stop private-destination traffic leaving the
#    LAN. The 192.168.0.0/16 entry also covers the VPN range 192.168.16.0/24,
#    which is what breaks LAN -> VPN access in the thread.
/ip firewall address-list
add address=192.168.15.2-192.168.15.254 list=allowed_to_router
add address=0.0.0.0/8 comment=RFC6890 list=not_in_internet
add address=172.16.0.0/12 comment=RFC6890 list=not_in_internet
add address=192.168.0.0/16 comment=RFC6890 list=not_in_internet
add address=10.0.0.0/8 comment=RFC6890 list=not_in_internet
add address=169.254.0.0/16 comment=RFC6890 list=not_in_internet
add address=127.0.0.0/8 comment=RFC6890 list=not_in_internet
add address=224.0.0.0/4 comment=Multicast list=not_in_internet
add address=198.18.0.0/15 comment=RFC6890 list=not_in_internet
add address=192.0.0.0/24 comment=RFC6890 list=not_in_internet
add address=192.0.2.0/24 comment=RFC6890 list=not_in_internet
add address=198.51.100.0/24 comment=RFC6890 list=not_in_internet
add address=203.0.113.0/24 comment=RFC6890 list=not_in_internet
add address=100.64.0.0/10 comment=RFC6890 list=not_in_internet
add address=240.0.0.0/4 comment=RFC6890 list=not_in_internet
add address=192.88.99.0/24 comment="6to4 relay Anycast [RFC 3068]" list=\
    not_in_internet
# Firewall filter. Order matters: the first matching rule in a chain wins.
# The default (defconf) rules and the hand-added "secure your router" rules are
# interleaved here, so several of the later rules duplicate earlier ones.
/ip firewall filter
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
# The next seven accept rules carry no in-interface restriction, so they match on
# WAN as well as LAN. For the VPN ports that is intended. For winbox (8291) and
# ssh (22) the only thing limiting exposure to the internet is the address list
# on "/ip service" further down; consider adding in-interface-list=LAN or
# src-address-list=allowed_to_router to those two rules so the firewall enforces
# the restriction on its own.
add action=accept chain=input comment="allow IPsec NAT" dst-port=4500 protocol=\
    udp
add action=accept chain=input comment="allow IKE" dst-port=500 protocol=udp
add action=accept chain=input comment="allow l2tp" dst-port=1701 protocol=udp
add action=accept chain=input comment="allow pptp" dst-port=1723 protocol=tcp
add action=accept chain=input comment="allow sstp" dst-port=443 protocol=tcp
add action=accept chain=input comment="allow winbox" dst-port=8291 protocol=tcp
add action=accept chain=input comment="allow ssh" dst-port=22 protocol=tcp
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment=\
    "defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
# After this rule only packets arriving on a LAN-list interface (the bridge)
# continue down the input chain.
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
    in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
    ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
    ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
    connection-state=established,related
add action=accept chain=forward comment=\
    "defconf: accept established,related, untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=\
    invalid
# Matches on the WAN interface list, so it covers pppoe-out1 as well as ether1.
add action=drop chain=forward comment="defconf: drop all from WAN not DSTNATed" \
    connection-nat-state=!dstnat connection-state=new in-interface-list=WAN
# Hand-added input rules. Because the defconf "drop all not coming from LAN" rule
# above already discarded everything else, these only see LAN-sourced packets:
# LAN hosts outside allowed_to_router get ICMP only, everything else is dropped.
add action=accept chain=input comment="default configuration" connection-state=\
    established,related
add action=accept chain=input src-address-list=allowed_to_router
add action=accept chain=input protocol=icmp
add action=drop chain=input
# The next three forward rules duplicate the defconf fasttrack / established /
# drop-invalid rules above; those already matched, so these are never reached.
add action=fasttrack-connection chain=forward comment=FastTrack \
    connection-state=established,related
add action=accept chain=forward comment="Established, Related" \
    connection-state=established,related
add action=drop chain=forward comment="Drop invalid" connection-state=invalid \
    log=yes log-prefix=invalid
# This is the rule identified in the thread. It drops anything entering on the
# bridge and leaving on any other interface (the VPN client interfaces included)
# whose destination is in not_in_internet, and the VPN addresses 192.168.16.x
# fall inside the 192.168.0.0/16 entry. Its purpose is to keep private-destination
# traffic from leaking out the WAN. Deleting the /16 entry (the fix chosen in the
# thread) removes that protection for the whole 192.168.0.0/16 range; a narrower
# alternative is to scope the rule to WAN egress, e.g. replace
# out-interface=!bridge with out-interface-list=WAN (the same list the
# masquerade rule uses), or to add an accept for dst-address=192.168.16.0/24
# out-interface=!bridge immediately before it.
add action=drop chain=forward comment=\
    "Drop tries to reach not public addresses from LAN" dst-address-list=\
    not_in_internet in-interface=bridge log=yes log-prefix=!public_from_LAN \
    out-interface=!bridge
# NOTE(review): the next two rules key on in-interface=ether1, but with the PPPoE
# uplink internet traffic arrives on pppoe-out1, so they probably never match what
# they are meant to catch (the defconf rule above, on in-interface-list=WAN,
# does). Consider in-interface-list=WAN here as well.
add action=drop chain=forward comment=\
    "Drop incoming packets that are not NATted" connection-nat-state=!dstnat \
    connection-state=new in-interface=ether1 log=yes log-prefix=!NAT
add action=drop chain=forward comment=\
    "Drop incoming from internet which is not public IP" in-interface=ether1 \
    log=yes log-prefix=!public src-address-list=not_in_internet
add action=drop chain=forward comment=\
    "Drop packets from LAN that do not have LAN IP" in-interface=bridge log=yes \
    log-prefix=LAN_!LAN src-address=!192.168.15.0/24
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" ipsec-policy=\
    out,none out-interface-list=WAN
# No out-interface restriction: VPN -> LAN traffic is masqueraded too, so LAN
# hosts presumably see it as coming from the router's bridge address rather than
# from the VPN client. If that is not intended, add out-interface-list=WAN.
add action=masquerade chain=srcnat comment="masq. vpn traffic" src-address=\
    192.168.16.0/24
/ip kid-control device
add mac-address=A8:A1:59:51:54:98 name="DESKTOP-58VOIBT;1"
add mac-address=92:60:AB:92:37:58 name="OnePlus-7T-Pro;2"
add mac-address=A0:43:B0:32:00:A4 name="RM4-32-00-a4;6"
add mac-address=1C:3B:F3:93:E1:EA name="Archer_C80;5"
# Management services. ssh and winbox are restricted to two LAN hosts and two
# VPN client addresses; as noted in the filter chain, this address list is the
# only control on those two ports for traffic arriving from the internet.
/ip service
set telnet disabled=yes
set ftp disabled=yes
set www disabled=yes
set ssh address=\
    192.168.15.252/32,192.168.15.251/32,192.168.16.207/32,192.168.16.208/32
set api disabled=yes
set winbox address=\
    192.168.15.252/32,192.168.15.251/32,192.168.16.207/32,192.168.16.208/32
set api-ssl disabled=yes
/ip ssh
set strong-crypto=yes
# Per-user VPN secrets with static remote addresses (.207-.214). These sit
# outside the "vpn" pool but still inside 192.168.16.0/24 and therefore inside
# the 192.168.0.0/16 address-list entry, so they are affected by the same drop
# rule as pool-assigned clients.
/ppp secret
add disabled=yes name=vpn
add local-address=192.168.16.1 name=mihaifp remote-address=192.168.16.207
add local-address=192.168.16.1 name=simonah remote-address=192.168.16.210
add local-address=192.168.16.1 name=horeab remote-address=192.168.16.211
add local-address=192.168.16.1 name=dianab remote-address=192.168.16.212
add local-address=192.168.16.1 name=artcore remote-address=192.168.16.208
add local-address=192.168.16.1 name=garajpc remote-address=192.168.16.213
add local-address=192.168.16.1 name=etaj1pc remote-address=192.168.16.214
/system clock
set time-zone-name=Europe/Bucharest
# NOTE(review): the scheduler entries and the script below run with every policy
# (including password, sensitive and romon) although they only toggle LEDs or
# send a WoL packet. Least privilege suggests trimming the policy to what each
# actually needs; confirm the minimum against the RouterOS documentation.
/system scheduler
add name="LEDs off" on-event="system leds settings set all-leds-off=immediate" \
    policy=ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon \
    start-date=aug/04/2021 start-time=22:00:00
add name="LEDs on" on-event="system leds settings set all-leds-off=never" \
    policy=ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon \
    start-date=aug/04/2021 start-time=06:00:00
/system script
add dont-require-permissions=no name=wol-pc owner=mihai policy=\
    ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon source=\
    "tool wol interface=bridge mac=A8:A1:59:51:54:98"
/tool bandwidth-server
set enabled=no
/tool mac-server
set allowed-interface-list=none
/tool mac-server mac-winbox
set allowed-interface-list=none
/tool mac-server ping
set enabled=no
Any help is greatly appreciated.
Thanks!
 
mihaifpopa
just joined
Topic Author
Posts: 10
Joined: Wed Jul 28, 2021 1:21 pm

Re: Cannot access VPN clients from LAN

Thu Aug 05, 2021 5:43 pm

Found out that this firewall rule blocks access, but why?
add action=drop chain=forward comment="Drop tries to reach not public addresses from LAN" dst-address-list=not_in_internet in-interface=bridge log=yes log-prefix=!public_from_LAN out-interface=!bridge
 
Zacharias
Forum Guru
Forum Guru
Posts: 3459
Joined: Tue Dec 12, 2017 12:58 am
Location: Greece

Re: Cannot access VPN clients from LAN

Thu Aug 05, 2021 6:26 pm

What does the rule say?

It says: whatever comes in on your bridge interface and wants to go out on any interface other than the bridge (which could be the VPN in your case), whose destination address belongs to the address list you configured, and which is in the forward chain (traffic going through the router) — drop it.
 
mihaifpopa
just joined
Topic Author
Posts: 10
Joined: Wed Jul 28, 2021 1:21 pm

Re: Cannot access VPN clients from LAN

Thu Aug 05, 2021 7:07 pm

What does the rule say?

It says: whatever comes in on your bridge interface and wants to go out on any interface other than the bridge (which could be the VPN in your case), whose destination address belongs to the address list you configured, and which is in the forward chain (traffic going through the router) — drop it.
Thank you for the explanation! Very clear.
Another question: should I add an exception for the VPN (and if so, how could I do that?) or turn off the rule altogether?

Thank you very much!
 
Zacharias
Forum Guru
Forum Guru
Posts: 3459
Joined: Tue Dec 12, 2017 12:58 am
Location: Greece

Re: Cannot access VPN clients from LAN  [SOLVED]

Thu Aug 05, 2021 7:12 pm

It seems that the VPN address space you're trying to reach through your LAN belongs to that address list...
Can you confirm that?
If the VPN pool we're talking about is 192.168.16.2-192.168.16.200, then it is obviously covered by that address list entry (192.168.0.0/16).
 
mihaifpopa
just joined
Topic Author
Posts: 10
Joined: Wed Jul 28, 2021 1:21 pm

Re: Cannot access VPN clients from LAN

Thu Aug 05, 2021 7:42 pm

It seems that the VPN address space you're trying to reach through your LAN belongs to that address list...
Can you confirm that?
If the VPN pool we're talking about is 192.168.16.2-192.168.16.200, then it is obviously covered by that address list entry (192.168.0.0/16).
Yes, I actually followed https://wiki.mikrotik.com/wiki/Manual:S ... our_Router to secure my router. Yes, the VPN pool is 192.168.16.2-192.168.16.200, but I don't use the pool, since I manually assign addresses in the secrets outside of that pool (I started doing that yesterday; I added secrets with addresses 192.168.16.207-192.168.16.214). In theory, removing that address-list entry (192.168.0.0/16) should solve the issue. I will test in a few minutes.
 
Zacharias
Forum Guru
Forum Guru
Posts: 3459
Joined: Tue Dec 12, 2017 12:58 am
Location: Greece

Re: Cannot access VPN clients from LAN

Thu Aug 05, 2021 7:48 pm

192.168.16.x/24 belongs to 192.168.0.0/16... so that is why it is dropped by the firewall ...
 
mihaifpopa
just joined
Topic Author
Posts: 10
Joined: Wed Jul 28, 2021 1:21 pm

Re: Cannot access VPN clients from LAN

Thu Aug 05, 2021 7:59 pm

192.168.16.x/24 belongs to 192.168.0.0/16... so that is why it is dropped by the firewall ...
I should definitely learn about address netmasks. Or read beforehand.
Indeed, I tested it and it's working just fine. Owning a MikroTik is indeed a journey, but very enjoyable. I really enjoy tinkering with it.

Thank you very much for your help!
