 
Roberto69
just joined
Topic Author
Posts: 23
Joined: Fri Dec 24, 2021 9:09 am
Location: Slovenia

VPN Access via *mynetname.net

Sat Jan 15, 2022 9:16 pm

Maybe a dumb question, but I haven't found any explanation regarding this.

I can connect to the MikroTik over VPN if I use the LAN IP as the VPN server name or address in the Windows client.
But if I use *.mynetname.net or the WAN IP instead of the LAN IP, I receive this error:

The remote connection was denied because the username and password combination you provided is not recognized, or the selected authentication protocol is not permitted on the remote server.

This article is of no help: https://docs.microsoft.com/en-us/troubl ... t-t-device

Is it possible the problem is on the router in between, on which at every attempt this error appears in the console: "pptp, ppp, error: user vpn authentication failed"?

Thank You!
 
Sob
Forum Guru
Posts: 8208
Joined: Mon Apr 20, 2009 9:11 pm

Re: VPN Access via *mynetname.net

Sat Jan 15, 2022 9:27 pm

What's "router between"? If you see an error every time you try to connect, but it's on the wrong router, then maybe you forgot to forward some ports?
Come on people, do you really have to quote full posts? It's annoying and in most cases useless.
 
Roberto69
just joined
Topic Author
Posts: 23
Joined: Fri Dec 24, 2021 9:09 am
Location: Slovenia

Re: VPN Access via *mynetname.net

Sat Jan 15, 2022 9:51 pm

The router in between is actually the main router for internet access. The other one, which I would like to access, is on the local LAN.

I didn't forward any port, but I have an idea which one.
 
anav
Forum Guru
Posts: 11798
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: VPN Access via *mynetname.net

Sat Jan 15, 2022 10:31 pm

Your explanation is weak.
Please provide a network diagram showing both ends of the connections and relevant devices.
I'd rather manage rats than software. Follow my advice at your own risk! (Sob & mkx forced me to write that!)
MTUNA Certified, by the Ascerbic Llama!
 
Sob
Forum Guru
Posts: 8208
Joined: Mon Apr 20, 2009 9:11 pm

Re: VPN Access via *mynetname.net

Sat Jan 15, 2022 10:35 pm

Then you're connecting to the VPN server on the main router.

Required ports depend on the VPN type used. Based on the error message it's PPTP, which uses TCP port 1723 and protocol GRE (so two things). But PPTP is also terribly outdated, so it's not recommended. Even if you do use a different type, there can still be a problem if you let the client choose automatically (it's possible in Windows), because the client can then try PPTP (and connect to the main router) before the other type (but I don't know what order it uses, it's just a possibility).
 
Roberto69
just joined
Topic Author
Posts: 23
Joined: Fri Dec 24, 2021 9:09 am
Location: Slovenia

Re: VPN Access via *mynetname.net

Mon Jan 17, 2022 12:57 pm

@anav excuse me, here is the explanation:

I would like to connect to a MikroTik router on the customer's LAN because I need access to a LoRaWAN gateway. The gateway is connected to my MikroTik.
The customer's router is not always a MikroTik.

I'm facing 2 problems:
- the customer's IP is not fixed
- changes on the customer's router are always problematic

What is the most appropriate way to realize such a connection? BTW: it is not necessary to strictly use the Microsoft VPN client.

@Sob you've pointed to the right problem. The VPN client is trying to connect to the main (edge) router and not to my MikroTik on the LAN. Thank you for the explanation.
 
Sob
Forum Guru
Posts: 8208
Joined: Mon Apr 20, 2009 9:11 pm

Re: VPN Access via *mynetname.net

Tue Jan 18, 2022 1:10 am

You'd have to provide more details if you want a good answer. For example, do you need to be connecting to the router in the customer's LAN (that may be the case if you want to connect from random places), or could the router in the customer's LAN be connecting to you (for a static tunnel to your site)? The latter would solve both the dynamic IP and the problematic access to the customer's router.
 
anav
Forum Guru
Posts: 11798
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: VPN Access via *mynetname.net

Tue Jan 18, 2022 1:58 am

Wireguard can do what you want.
A clear set of detailed requirements is required.
For example look at my post here..... It talks about three routers ..........

So read that page, then create a network diagram that details your devices and answer the questions!!
Being organized and clear will help you get yourself well on your way!!!
posting.php?mode=quote&p=906268
 
Roberto69
just joined
Topic Author
Posts: 23
Joined: Fri Dec 24, 2021 9:09 am
Location: Slovenia

Re: VPN Access via *mynetname.net

Tue Jan 18, 2022 7:15 pm

@Sob I would like to connect to the MikroTik, which is on the customer's LAN, from random places. The connection has to be on demand from my side. So the best way will be to use a client, I guess.

@anav I would like to post a picture of the network diagram but I have no idea how to do it on this forum. What you wrote at the beginning of your post about requirements is more or less the same as what I need. The same situation applies for accessing gateways from all networks. Wishes are:
- connect from different places
- connect through the ISP router to my MikroTik, connected to the customer's LAN
- an on-demand connection instead of a permanent connection is preferred due to security
- the customer doesn't always have a fixed IP
- it would be fine if the protocol isn't PPTP

Wishes are intentionally narrowed, to have more space for an appropriate solution.
 
Sob
Forum Guru
Posts: 8208
Joined: Mon Apr 20, 2009 9:11 pm

Re: VPN Access via *mynetname.net

Tue Jan 18, 2022 7:44 pm

If you want the RB as server and you as client connecting to it, you'll always need at least one port forwarded from the client's router to the RB. But it needs to be done only once. A dynamic address shouldn't be a problem, RouterOS has built-in DDNS, as you already discovered.

The question is what type of VPN to use. The big hit of the current season is Wireguard, which is very robust and needs only a single UDP port (any number). A small downside is that Windows doesn't support it natively, but it's not difficult to install the client. Also, it's only supported in RouterOS v7 and not everyone may want to upgrade yet. Other usually foolproof solutions are SSTP (supported by Windows) or OpenVPN (needs a client installed). Unfortunately, both use certificates, which can be a bit annoying for people who don't have experience with that. IPsec IKEv2 is good too, but it's also not exactly beginner friendly.
 
anav
Forum Guru
Posts: 11798
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: VPN Access via *mynetname.net

Tue Jan 18, 2022 10:11 pm

There is also zerotier built into v7. It is a third-party service but it's free and you don't have to port forward anything........
 
Roberto69
just joined
Topic Author
Posts: 23
Joined: Fri Dec 24, 2021 9:09 am
Location: Slovenia

Re: VPN Access via *mynetname.net

Thu Jan 20, 2022 11:12 am

@Sob I agree with some changes on the ISP router. As long as they are clearly defined, every admin should be able to implement them. Wireguard seems to be a really big hit and the missing Windows support shouldn't be an obstacle, particularly for a purpose such as mine. As I see, @anav is also on the Wireguard side.

Please correct me if I'm wrong, but for my purpose the best way is to choose between Wireguard and OpenVPN. And if I take into account the use of a client, Wireguard could easily win.
 
own3r1138
Member
Posts: 392
Joined: Sun Feb 14, 2021 12:33 am
Location: Pleiades

Re: VPN Access via *mynetname.net

Thu Jan 20, 2022 3:36 pm

OVPN UDP and MT are bad ideas for now :d
You are right, I am wrong
You are wise, I am dumb
You are wrong, you are dumb
Don't worry, it's all right to be dumb
 
Roberto69
just joined
Topic Author
Posts: 23
Joined: Fri Dec 24, 2021 9:09 am
Location: Slovenia

Re: VPN Access via *mynetname.net

Thu Jan 20, 2022 3:55 pm

Wireguard is the winner ...

But for Wireguard on MikroTik, the ROS version should be 7. Could version 7 be installed on small MikroTik devices also? For example RouterBOARD 951, hAP ac lite, ...

I've tried once but I had problems. I'm not sure if I've messed something up.
 
own3r1138
Member
Posts: 392
Joined: Sun Feb 14, 2021 12:33 am
Location: Pleiades

Re: VPN Access via *mynetname.net

Thu Jan 20, 2022 3:58 pm

RB951Ui-2HnD no problem, hAP ac2 no problem. hAP lite is not a good idea.
Oh, it's hAP ac lite. As the board is RB952Ui-5ac2nD I don't think you will encounter any problem with that either.
 
pe1chl
Forum Guru
Posts: 8381
Joined: Mon Jun 08, 2015 12:09 pm

Re: VPN Access via *mynetname.net

Thu Jan 20, 2022 3:58 pm

When you want to have access to a MikroTik at a customer location without bothering the customer with port forwards in their router, I would recommend setting up a MikroTik at your own location (on a fixed address and with proper internet connectivity) and having all customer routers connect to that (set up a client on the customer router, e.g. L2TP/IPsec).
Of course, security is important, you probably do not want to be a gateway between different customers. But you can arrange that.
 
anav
Forum Guru
Posts: 11798
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: VPN Access via *mynetname.net

Thu Jan 20, 2022 5:51 pm

pe1chl, isn't that a practical use of zerotier?
You activate it on the client's device and done...............
But I do agree with your idea of an MT server host at the admin's location regardless (as a focal point).
 
Roberto69
just joined
Topic Author
Posts: 23
Joined: Fri Dec 24, 2021 9:09 am
Location: Slovenia

Re: VPN Access via *mynetname.net

Thu Jan 20, 2022 6:02 pm

RB951Ui-2HnD no problem, hAP ac2 no problem. hAP lite is not a good idea.
Oh, it's hAP ac lite. As the board is RB952Ui-5ac2nD I don't think you will encounter any problem with that either.
I haven't found any official statement but in my experience the RB951-2n is really too weak to run ROS v7. I've upgraded one 951 two times but in the end restored back to 6.
It seems the RB951 is out of the game when we're speaking about Wireguard.
 
own3r1138
Member
Posts: 392
Joined: Sun Feb 14, 2021 12:33 am
Location: Pleiades

Re: VPN Access via *mynetname.net

Thu Jan 20, 2022 6:05 pm

I recommend a Netinstall.
I have every device that I named and they are all running 7.1.1.
 
Roberto69
just joined
Topic Author
Posts: 23
Joined: Fri Dec 24, 2021 9:09 am
Location: Slovenia

Re: VPN Access via *mynetname.net

Thu Jan 20, 2022 6:30 pm

You're right - the RB951 works with Netinstall. Thank you!
 
Roberto69
just joined
Topic Author
Posts: 23
Joined: Fri Dec 24, 2021 9:09 am
Location: Slovenia

Re: VPN Access via *mynetname.net

Fri Jan 21, 2022 4:10 pm

Finally got an idea how to post a picture of the network.
This picture is from https://www.youtube.com/watch?v=OGBWSpl1Wik

I have a similar situation. The main difference is, my network has no MikroTik as the HQ router (in the middle of the picture).
What should I do on the router in the middle? Forward port 13231? Anything else if eth1 of the HQ router (ISP router) has no fixed WAN address?

Thank you.
 
afuchs
Frequent Visitor
Posts: 74
Joined: Wed Jul 03, 2019 11:10 am

Re: VPN Access via *mynetname.net

Fri Jan 21, 2022 4:39 pm

You could forward the VPN-related ports or terminate the VPN on the main router.
If you use the main router for the VPN you have two choices:
- extend the target network to the main router, or
- let the VPN terminate in a transfer network between the two routers,
so you get a separate path for the VPN clients.

I use yEd https://www.yworks.com/products/yed with the Cisco icons from https://github.com/danger89/yEd_cisco_network_icons to draw network plans, it's freeware.
But there was recently a separate topic in this forum viewtopic.php?p=863939&hilit=Lucidchart#p863939 about programs to draw network diagrams.
 
Roberto69
just joined
Topic Author
Posts: 23
Joined: Fri Dec 24, 2021 9:09 am
Location: Slovenia

Re: VPN Access via *mynetname.net

Fri Jan 21, 2022 4:43 pm

I forgot to mention - the VPN should be from the client to the site router.
 
afuchs
Frequent Visitor
Posts: 74
Joined: Wed Jul 03, 2019 11:10 am

Re: VPN Access via *mynetname.net

Fri Jan 21, 2022 5:24 pm

Then you only have the option of port forwarding if the site router has no public IP.
 
own3r1138
Member
Posts: 392
Joined: Sun Feb 14, 2021 12:33 am
Location: Pleiades

Re: VPN Access via *mynetname.net

Fri Jan 21, 2022 11:48 pm

@Roberto69
This might help you.
This example explains how it is possible to establish a secure and encrypted GRE tunnel between two RouterOS devices when one or both sites do not have a static IP address.
https://wiki.mikrotik.com/wiki/Manual:I ... _using_DNS
 
Sob
Forum Guru
Posts: 8208
Joined: Mon Apr 20, 2009 9:11 pm

Re: VPN Access via *mynetname.net

Sun Jan 23, 2022 4:32 am

If you want to use WG, then:

- configure the WG server (you probably want to test it somewhere else at first, if you haven't done it before)
- on the main router forward one UDP port to the RB, either 13231 used as default by ROS, or any other number you configure
- on the RB enable DDNS in IP->Cloud (it will warn that the router is behind NAT, but that's ok, you know that) and you'll get a hostname pointing to the main router's current public address
- configure the client to connect to <hostname>:<port> (add it as a peer)
- almost done, you should be able to connect to the RB
- to access other devices in the RB's LAN, you'll probably need to add srcnat/masquerade
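The six steps above, written out as a complete RouterOS v7 configuration for the inner RB. This is an example added here, not Sob's or MikroTik's code. It assumes the addressing used later in the thread: the RB's WAN port ether1 gets 10.10.6.74 from the ISP router, the LAN is 192.168.6.0/24 on a bridge, the tunnel subnet is 10.10.14.0/28 with the admin client at 10.10.14.2, and the default WAN/LAN interface lists exist; `<client-public-key>` and the rule comments are placeholders. The edge router's port forward (UDP 13231 to 10.10.6.74) is done on whatever that router is and is not shown here.

```routeros
# Inner RB (RouterOS v7): WireGuard server behind the customer's edge router.
# Added example; addresses, interface names and the client key are assumptions.

/interface wireguard
# listen-port is the UDP port the edge router must forward to 10.10.6.74.
# The private key is generated on add; read the public key back with
# "/interface wireguard print" and paste it into the Windows client as the peer key.
add name=wg-admin listen-port=13231 comment="on-demand admin access"

/ip address
add address=10.10.14.1/28 interface=wg-admin comment="tunnel subnet"

/interface wireguard peers
# allowed-address is WireGuard's cryptokey routing: packets decrypted with this key
# are accepted only with this source address, and only this address is sent to this key.
add interface=wg-admin public-key="<client-public-key>" allowed-address=10.10.14.2/32 comment="admin laptop"

/ip cloud
# The DDNS name resolves to the edge router's current public address (the RB is behind NAT).
set ddns-enabled=yes ddns-update-interval=10m

/ip firewall filter
add chain=input action=accept connection-state=established,related,untracked
add chain=input action=drop connection-state=invalid
# Handshake packets arrive on the WAN port after the edge router's dst-nat.
add chain=input action=accept protocol=udp dst-port=13231 in-interface-list=WAN comment="WireGuard"
# Management (WinBox/SSH) through the tunnel only from the admin peer's address.
add chain=input action=accept in-interface=wg-admin src-address=10.10.14.2 comment="admin via tunnel"
add chain=input action=accept in-interface-list=LAN
add chain=input action=drop comment="drop everything else"

add chain=forward action=accept connection-state=established,related,untracked
add chain=forward action=drop connection-state=invalid
# Tunnel clients may reach the LAN (LoRaWAN gateway); nothing else is opened for them.
add chain=forward action=accept in-interface=wg-admin out-interface-list=LAN comment="tunnel -> LAN"
add chain=forward action=accept in-interface-list=LAN out-interface-list=WAN
add chain=forward action=drop comment="drop everything else"

/ip firewall nat
# LAN devices have no route back to 10.10.14.0/28, so tunnel traffic leaves toward
# the LAN with the RB's own LAN address (the srcnat/masquerade from the last step).
add chain=srcnat action=masquerade src-address=10.10.14.0/28 out-interface-list=LAN comment="tunnel -> LAN masquerade"
```

On the Windows client the peer endpoint is the `/ip cloud` hostname plus port 13231, and AllowedIPs should list only 10.10.14.0/28 and 192.168.6.0/24 rather than 0.0.0.0/0, so a half-working tunnel does not swallow all of the laptop's traffic. If the tunnel client should also reach the internet through the RB, add a forward accept for in-interface=wg-admin out-interface-list=WAN above the final drop and the usual masquerade on the WAN list, and include those destinations in AllowedIPs.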
 
Roberto69
just joined
Topic Author
Posts: 23
Joined: Fri Dec 24, 2021 9:09 am
Location: Slovenia

Re: VPN Access via *mynetname.net

Tue Feb 01, 2022 6:08 pm

@Sob thank you for your advice. So far I can connect to the RB WAN port but not through the ISP router. I'm afraid the port forwarding is not OK. Would you please check this:

General/Chain: dstnat
Protocol: 17 (udp)
Dst. Port: 12234
Action: dst-nat
To Addresses: copied DNS name from RB
To Ports: 13234

Also, when the VPN channel is up, I can't ping for example 8.8.8.8 nor ISP addresses.

Thank you
 
anav
Forum Guru
Posts: 11798
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: VPN Access via *mynetname.net

Tue Feb 01, 2022 6:32 pm

It's still not clear to me what is going on, but what I hear is:

A. You have a bunch of customer sites that are impossible for you to connect to using Wireguard as they all have challenges (ISP variety).
B. It's clear that they have to act as clients and thus will send out traffic to establish a connection.
C. Complicating the scenario is the fact that you want to be able to connect to them from a random location, let's say with your iPad at a coffee shop.

SOLUTION 1:
a. Set up all customer MT LAN devices as wireguard clients
b. Set up your MT server router at home.
c. Establish wireguard tunnels (up at all times) from the clients to the home server router.
d. Establish a wireguard tunnel on demand from the iPad to the home MT server router
e. With appropriate routing rules and firewall rules, access all local customer MT devices (for config purposes) and the LORAN server

Is that about it??

SOLUTION 2:
a. Create a zerotier instance on every MT router at the customer LAN sites and leave it connected/on.
b. Create a zerotier instance for your iPad.
c. Turn on the iPad and zerotier and you are connected like a switch to all other MikroTiks
d. The parts I don't know how to do yet:
(i) use the connection to configure the router (aka get winbox to work on this connection)
(ii) use the connection to reach a server on a subnet.

If I knew how to manipulate zerotier that would be my first choice.
If you didn't want to rely on a third party, then wireguard would be my first choice.
If this was a business situation I would probably ensure I had both working, one as a backup.
 
anav
Forum Guru
Posts: 11798
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: VPN Access via *mynetname.net

Tue Feb 01, 2022 7:20 pm

IP address of IPad in wireguard settings, used in remote locations 192.168.90.5
IP address of admin PC when at Home. 192.168.60.3

MT Server Router
WG Interface1
Normal - WG-C

WG Peers
Peer1 - customer 1
Normal allowed address=LORAN subnet.
keep alive 20 seconds

Peer2 - customer 2
Normal allowed address=LORAN subnet.
keep alive 25 seconds

PeerX - customer X
Normal allowed address=LORAN subnet.
keep alive 30 seconds

WG INTERFACE 2 - ADMIN
Normal - WG-A different listening port.

PEER
IPad - Admin
allowed IP=192.168.90.5

Firewall rules
input chain
-standard for listening port
-add chain=input action=accept src-address=192.168.90.5 (to config the Server Router from coffee shop)
One could also ensure the WG-A interface is part of the LAN interface especially if one wants to be able to config home MT Server Router from the IPAD.
add chain=input action=accept in-interface-list=LAN or whatever authorize schema you use. could be firewall address list as well for example

Forward chain
-add chain=forward action=accept in-interface=WG-A out-interface=WG-C

IP Routes.
add dst-address= LORANsubnet1 gwy=WG-C table=main (directs traffic into tunnel)
add dst-address= LORANsubnet2 gwy=WG-C table=main
add dst-address= LORANsubnetX gwy=WG-C table=main
add dst-address=192.168.90.5/32 gwy=WG-A table=main (provides replies to traffic originating on the IPAD )

++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

MT DEVICE LETS SAY at LORAN1 CUSTOMER

WG SETTINGS
WG INTERFACE name WG-L1

Peer Settings
allowed IPs=192.168.90.5/32, 192.168.60.3/32 (in case one is at home doing config of Customer MT devices)

Firewall Rules
input chain
add chain=input action=accept in-interface=WG-L1 src-address-list=authorized
where
add IP=192.168.90.5/32 list=authorized
add IP=192.168.60.3/32 list=authorized

forward chain
add chain=forward action=accept in-interface=WG-L1 dst-address=IP subnet of LORAN

IP routes
dst=192.168.90.5/32 gwy=WG-L1 table=main
dst=192.168.60.3/32 gwy=WG-L1 table=main

++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
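The hub-and-spoke design pe1chl proposed and anav sketched above, as a concrete RouterOS v7 configuration for the hub and one spoke. This is an example added here, not anav's, pe1chl's or MikroTik's configuration. Assumptions: the hub has a fixed address reachable as hub.example.net; customer routers use the tunnel subnet 10.200.0.0/24 and the admin laptop uses 192.168.90.5 as in anav's sketch; customer 1's LAN with the LoRaWAN gateway is 192.168.6.0/24; the `<...-public-key>` strings are placeholders; both routers have the default WAN/LAN interface lists.

```routeros
# === Hub (admin site, fixed public address hub.example.net) ===
# Added example; names, subnets, hostname and keys are assumptions.

/interface wireguard
add name=wg-sites listen-port=13231 comment="customer routers dial in, always up"
add name=wg-admin listen-port=13232 comment="admin laptop dials in, on demand"

/ip address
add address=10.200.0.1/24 interface=wg-sites
add address=192.168.90.1/24 interface=wg-admin

/interface wireguard peers
# One peer per customer: its tunnel address plus the LAN behind it. The hub accepts
# packets from this key only with these source addresses, and routes to them only via this key.
add interface=wg-sites public-key="<site1-public-key>" allowed-address=10.200.0.11/32,192.168.6.0/24 comment="customer 1"
add interface=wg-admin public-key="<laptop-public-key>" allowed-address=192.168.90.5/32 comment="admin laptop"

/ip route
add dst-address=192.168.6.0/24 gateway=wg-sites comment="customer 1 LAN through its tunnel"

/ip firewall filter
add chain=input action=accept connection-state=established,related,untracked
add chain=input action=drop connection-state=invalid
add chain=input action=accept protocol=udp dst-port=13231,13232 in-interface-list=WAN comment="WireGuard"
add chain=input action=accept in-interface=wg-admin src-address=192.168.90.5 comment="admin manages the hub"
add chain=input action=drop in-interface=wg-sites comment="sites cannot manage the hub"
add chain=input action=accept in-interface-list=LAN
add chain=input action=drop

add chain=forward action=accept connection-state=established,related,untracked
add chain=forward action=drop connection-state=invalid
add chain=forward action=accept in-interface=wg-admin out-interface=wg-sites comment="admin -> any site"
# pe1chl's point: the hub must not become a gateway between customers (or into the admin LAN).
add chain=forward action=drop in-interface=wg-sites comment="sites initiate nothing; replies pass as established"
add chain=forward action=accept in-interface-list=LAN out-interface-list=WAN
add chain=forward action=drop

# === Spoke (customer 1 RB: dynamic address behind the ISP router, no port forward) ===
/interface wireguard
add name=wg-hub

/ip address
add address=10.200.0.11/24 interface=wg-hub

/interface wireguard peers
# The spoke opens the tunnel outbound; persistent-keepalive keeps the ISP router's
# NAT mapping alive so the hub can reach the spoke at any time.
add interface=wg-hub public-key="<hub-public-key>" endpoint-address=hub.example.net endpoint-port=13231 \
    allowed-address=10.200.0.0/24,192.168.90.0/24 persistent-keepalive=25s comment="hub"

/ip route
add dst-address=192.168.90.0/24 gateway=wg-hub comment="admin addresses live behind the hub"

/ip firewall filter
# Keep the default established/related accepts above these and the final drops below them.
add chain=input action=accept in-interface=wg-hub src-address=192.168.90.5 comment="admin manages this RB"
add chain=forward action=accept in-interface=wg-hub src-address=192.168.90.5 out-interface-list=LAN comment="admin -> LoRaWAN gateway"

/ip firewall nat
# LAN devices have no route to 192.168.90.0/24; source-NAT admin traffic to the RB's LAN address.
add chain=srcnat action=masquerade src-address=192.168.90.0/24 out-interface-list=LAN
```

Every customer router gets the same spoke configuration with its own address from 10.200.0.0/24 and its own key; on the hub each one is another peer on wg-sites plus one route. The customer's ISP router needs no change at all, because the tunnel is always initiated from inside and the keepalive holds the NAT entry open.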
 
Sob
Forum Guru
Posts: 8208
Joined: Mon Apr 20, 2009 9:11 pm

Re: VPN Access via *mynetname.net

Wed Feb 02, 2022 12:10 am

Port forwarding on the other router:

Dst. Port: 12234 - external port, to which the client is connecting
To Addresses: copied DNS name from RB - wrong, it should be the internal address of your router
To Ports: 13234 - internal port, the one that WG listens on
"Also, when vpn channel is up, I can't ping for example 8.8.8.8 neither ISP addresses"
It depends on what you configured. If you told all traffic from the client to go to the tunnel, and if the tunnel doesn't really work yet, it won't get far.
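The corrected forward from the post above, written out for the case where the edge (ISP) router happens to be a MikroTik too, as an example added here (not from the thread). It uses the port numbers from the question: external UDP 12234 on the edge router, WireGuard listening on 13234 on the RB at 10.10.6.74. The static DHCP lease, the `defconf` server name, the MAC address and the comments are assumptions.

```routeros
# Edge router (MikroTik): one UDP port forwarded to the inner RB.
# Added example; 10.10.6.74, the MAC address, server name and comments are assumptions.

/ip dhcp-server lease
# Pin the RB's WAN address so the dst-nat target does not move when the lease renews
# (the RB stays a plain DHCP client on the customer LAN).
add address=10.10.6.74 mac-address=XX:XX:XX:XX:XX:XX server=defconf comment="inner RB"

/ip firewall nat
# Port forwarding is dst-nat: match the external port on the WAN side, rewrite the
# destination to the RB's internal IP address (not its DDNS name, which resolves to
# this router's own public address) and to the port WireGuard actually listens on.
add chain=dstnat action=dst-nat protocol=udp dst-port=12234 in-interface-list=WAN \
    to-addresses=10.10.6.74 to-ports=13234 comment="WireGuard -> inner RB"

/ip firewall filter
# The forward chain sees the packet after dst-nat, i.e. with the internal address and port.
# The RouterOS default config already lets dst-nat'ed connections through; with a custom
# "drop everything else" forward chain this accept must sit above that drop.
add chain=forward action=accept connection-state=new connection-nat-state=dstnat \
    protocol=udp dst-address=10.10.6.74 dst-port=13234 in-interface-list=WAN \
    comment="forwarded WireGuard handshakes"

# Checks while the client attempts a handshake:
#   edge:  /ip firewall nat print stats where comment="WireGuard -> inner RB"  (packet counter must rise)
#   RB:    /interface wireguard peers print detail                             (last-handshake must update)
```

If the NAT counter rises but the RB never shows a handshake, the packet reaches the edge router but not WireGuard on the RB: check the RB's input chain for UDP 13234 on its WAN port. If the counter stays at zero, the client is sending to the wrong hostname or port, or the ISP router's public address is not what the DDNS name currently resolves to.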
 
Roberto69
just joined
Topic Author
Posts: 23
Joined: Fri Dec 24, 2021 9:09 am
Location: Slovenia

Re: VPN Access via *mynetname.net

Wed Feb 02, 2022 1:53 pm

"To Addresses: copied DNS Name from RB - wrong, it should be internal address of your router" - yes, of course, my mistake ...

"It depends on what you configured. If you told all traffic from client to go to tunnel, and if tunnel doesn't really work yet, it won't get far." - the VPN tunnel is up and running, I can ping 8.8.8.8, also the LAN IP of the ISP router, but not anything else on the ISP LAN.
 
Roberto69
just joined
Topic Author
Posts: 23
Joined: Fri Dec 24, 2021 9:09 am
Location: Slovenia

Re: VPN Access via *mynetname.net

Wed Feb 02, 2022 2:11 pm

A. You have a bunch of customer sites that are impossible for you to connect to using Wireguard as they all have challenges (ISP variety).
B. Its clear that they have to act as clients and thus will send out traffic to establish a connection.
C. Complicating the scenario is the fact that you want to be able to connect to them from random location, lets say with your IPAD at a coffee shop.
@anav thank you for the advice - I have to go through it. You've started at the right point. I've taken a pencil and paper again ... ;-)

A: Yes, some of the customer sites have a fixed IP, some not
B: due to security reasons, it is much better to initiate the connection from my side
C: actually no; I can connect to my site over VPN and from there I would like to access the customer sites. So, it is enough if connections are made only from my site with a fixed IP
D: some customers have a MikroTik, but most of them not. Some customers have experienced network administrators, but not all - that's why a simple solution (in terms of the customer's ISP router) would be appreciated
E: my secret wish is that the WAN of the inside RB is a DHCP client ...
 
Sob
Forum Guru
Posts: 8208
Joined: Mon Apr 20, 2009 9:11 pm

Re: VPN Access via *mynetname.net

Wed Feb 02, 2022 2:27 pm

Other devices in the target LAN won't have a route to your VPN client, so you need to use srcnat/masquerade, to make all connections look as if they are from the router.
 
Roberto69
just joined
Topic Author
Posts: 23
Joined: Fri Dec 24, 2021 9:09 am
Location: Slovenia

Re: VPN Access via *mynetname.net

Wed Feb 02, 2022 2:44 pm

If, for example:
- IP of tunnel is 10.10.14.0/28 (client 10.10.14.2/32)
- LAN IP is 192.168.6.0/24 (router 192.168.6.1/24)

How should the NAT rule be configured?
 
Sob
Forum Guru
Posts: 8208
Joined: Mon Apr 20, 2009 9:11 pm

Re: VPN Access via *mynetname.net

Wed Feb 02, 2022 2:56 pm

You can use simple:
/ip firewall nat
add chain=srcnat out-interface=<LAN interface> action=masquerade
 
Roberto69
just joined
Topic Author
Posts: 23
Joined: Fri Dec 24, 2021 9:09 am
Location: Slovenia

Re: VPN Access via *mynetname.net

Wed Feb 02, 2022 3:33 pm

Thank you. I'm afraid there is still something missing. I've applied the NAT rule on the inside RB, not the ISP router.
I can ping from the client:
- everything on 192.168.6.0
- the WAN interface of the RB (10.10.6.74)
- both ends of the VPN (10.10.14.1 and .2)

But on the WAN of the RB (10.10.6.x) nothing is reachable. Neither 8.8.8.8.
 
anav
Forum Guru
Posts: 11798
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: VPN Access via *mynetname.net

Wed Feb 02, 2022 3:43 pm

You can use simple:

/ip firewall nat
add chain=srcnat out-interface=<LAN interface> action=masquerade
TYPO ????
According to the MT docs.............

/ip firewall nat add chain=srcnat action=masquerade out-interface=WAN
 
Roberto69
just joined
Topic Author
Posts: 23
Joined: Fri Dec 24, 2021 9:09 am
Location: Slovenia

Re: VPN Access via *mynetname.net

Wed Feb 02, 2022 3:57 pm

If I use ether1, the counters of the NAT rule rise when pinging the RB WAN port. Otherwise not.
But I still can't go outside of the RB (from the client, ping devices on the WAN or 8.8.8.8).
Pinging from the RB terminal is OK, as well as from the RB's LAN.
 
Sob
Forum Guru
Posts: 8208
Joined: Mon Apr 20, 2009 9:11 pm

Re: VPN Access via *mynetname.net

Wed Feb 02, 2022 5:14 pm

@anav: No, the idea was to have the RB as VPN server inside a LAN behind another router, and use it to access this LAN.

But there may be some misunderstanding, I assumed it would be just a device in a remote LAN, with one interface and one subnet. So an updated, more detailed description would be useful.
 
anav
Forum Guru
Posts: 11798
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: VPN Access via *mynetname.net

Wed Feb 02, 2022 5:18 pm

My apologies sob, will get out of the pool before I drown LOL.
 
Roberto69
just joined
Topic Author
Posts: 23
Joined: Fri Dec 24, 2021 9:09 am
Location: Slovenia

Re: VPN Access via *mynetname.net

Wed Feb 02, 2022 5:29 pm

@anav: No, the idea was to have RB as VPN server inside LAN behind another router, and use it to access this LAN.
Almost exactly - but I can access the LAN of the RB already. I would like to access devices on the LAN of the ISP (outside) router (which is the same as devices on the WAN of the RB) as well as the internet.
In fact - at least the internet.
 
Sob
Forum Guru
Posts: 8208
Joined: Mon Apr 20, 2009 9:11 pm

Re: VPN Access via *mynetname.net

Wed Feb 02, 2022 6:39 pm

Ok, so that someone else's LAN I was thinking about is actually connected to the RB's WAN, and you have another LAN of your own I didn't know about? In that case the flaming animal was right with out-interface=WAN. But you must already have that, if your LAN can access the internet. And if you'd want to access the internet via this router also from the VPN client, it should probably already work too, if the client properly routes that traffic to the RB, and if you didn't add any firewall rules that would block it.

Perhaps it's time for exporting and posting your config. And if you have any more detailed description, it can't hurt either.
 
anav
Forum Guru
Posts: 11798
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: VPN Access via *mynetname.net

Wed Feb 02, 2022 10:09 pm

Right for the wrong reasons, so not so right really....... also an accurate diagram would be helpful.
 
Roberto69
just joined
Topic Author
Posts: 23
Joined: Fri Dec 24, 2021 9:09 am
Location: Slovenia

Re: VPN Access via *mynetname.net

Thu Feb 03, 2022 12:04 pm

@Sob "and if you didn't add any firewall rules that would block it" ... magic words ... the FW drop-everything-else rule on the RB ...
So far so good - ping is OK, the internet is accessible from the client. The net diagram is attached. There is one open question. How to change the config of the RB if:
- the ISP router has no static WAN IP and
- the ISP router is not a MikroTik
 
Sob
Forum Guru
Posts: 8208
Joined: Mon Apr 20, 2009 9:11 pm

Re: VPN Access via *mynetname.net

Thu Feb 03, 2022 12:24 pm

It doesn't matter what kind of ISP router there is, only that it has some public address, and it's able to forward one port to the RB. If the address is dynamic, then use the built-in DDNS to get an updated hostname (if you want something nicer and you have your own domain, you can point a CNAME to this one):
/ip cloud
set ddns-enabled=yes ddns-update-interval=1h
Choose some sane update interval, depending on how often the address changes and how quick a response you need (don't hammer the DDNS server every few seconds or so, it's not nice).