chrisknight
just joined
Topic Author
Posts: 17
Joined: Wed Mar 09, 2022 9:24 pm

Access Mikrotik web interface from Wireguard tunnel

Sun May 01, 2022 6:53 pm

Hello,
I was able to get my Android phone connected via a wireguard tunnel to my Mikrotik with help from here https://youtu.be/YZGHf70Eyj4.
However, I am unable to access the Mikrotik web GUI by its LAN IP or its tunnel address. Is that normal? I can get to other things on the LAN, just not the router itself.
Does anyone know what I might look for?
Thanks.
 
Sob
Forum Guru
Posts: 9119
Joined: Mon Apr 20, 2009 9:11 pm

Re: Access Mikrotik web interface from Wireguard tunnel

Sun May 01, 2022 7:19 pm

It's probably firewall. You can try something like this:
/ip firewall filter
add chain=input in-interface=<WG interface> protocol=tcp dst-port=80 action=accept
You can skip protocol and dst-port, if you want to allow any access from tunnel.
 
anav
Forum Guru
Posts: 19125
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Access Mikrotik web interface from Wireguard tunnel

Sun May 01, 2022 7:54 pm

Further, if you have multiple peers coming in on the wireguard interface, you will probably want to narrow it down to the admin's mobile device IP.
/ip firewall filter
add chain=input action=accept in-interface=<WG interface> protocol=tcp dst-port=80 src-address=wireguard_IP_Admin_mobiledevice
................................

More on wireguard here....... (para 5 covers firewall rules in general for wireguard)
viewtopic.php?t=182340
 
chrisknight
just joined
Topic Author
Posts: 17
Joined: Wed Mar 09, 2022 9:24 pm

Re: Access Mikrotik web interface from Wireguard tunnel

Mon May 02, 2022 6:46 pm

Oh yes. That works. Thank you!
 
anav
Forum Guru
Posts: 19125
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Access Mikrotik web interface from Wireguard tunnel

Mon May 02, 2022 7:39 pm

> Oh yes. That works. Thank you!

What's important is that you understand why it works and why it wasn't working before. :-)
 
chrisknight
just joined
Topic Author
Posts: 17
Joined: Wed Mar 09, 2022 9:24 pm

Re: Access Mikrotik web interface from Wireguard tunnel

Mon May 02, 2022 9:24 pm

I see why the new rule would make it work. However, I don't really understand why it didn't work to start with since the Wireguard interface is an RFC1918 address in IP-->Addresses. All my other LANs routed between other LANs with no further action. My guess is that it has something to do with the "LAN" traffic coming inbound on the external interface?
 
Sob
Forum Guru
Posts: 9119
Joined: Mon Apr 20, 2009 9:11 pm

Re: Access Mikrotik web interface from Wireguard tunnel

Mon May 02, 2022 10:26 pm

There's no special handling for different kinds of addresses (public/private). What makes the difference, assuming that you have default firewall, is that LAN interface is in "LAN" interface list and firewall blocks new connections from elsewhere. And your new WG interface is also "elsewhere". So you need either firewall rule, or you could add WG interface to LAN list.
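
The two fixes Sob describes, written out as RouterOS commands. This is an added example, not part of the original post; it assumes the stock defconf firewall, and the interface name `wireguard1` is a placeholder.

```routeros
# Added example; wireguard1 is a placeholder for your WG interface name.
# Assumes the stock "defconf" firewall, whose input chain ends with:
#   add chain=input action=drop in-interface-list=!LAN \
#       comment="defconf: drop all not coming from LAN"
# A new WireGuard interface is not a member of LAN, so new connections
# from the tunnel to the router itself reach that drop rule.

# See which interfaces are currently members of the LAN list.
/interface list member print where list=LAN

# Option A: treat the tunnel as LAN. Everything the configuration allows
# for the LAN list then applies to every WireGuard peer as well.
/interface list member add list=LAN interface=wireguard1

# Option B: keep the tunnel outside LAN and accept only the web GUI (tcp/80).
# Rules are matched top to bottom, so the accept must sit above the drop.
/ip firewall filter add chain=input in-interface=wireguard1 protocol=tcp \
    dst-port=80 action=accept comment="web GUI from WireGuard" \
    place-before=[/ip firewall filter find where \
        comment="defconf: drop all not coming from LAN"]

# Confirm the rule order, then watch the packet counters while connecting.
/ip firewall filter print stats where chain=input
```

Option B is the narrower choice when several peers share the interface; adding `src-address=` restricts it further to one peer, as in anav's rule above.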
 
anav
Forum Guru
Posts: 19125
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Access Mikrotik web interface from Wireguard tunnel

Mon May 02, 2022 11:16 pm

Thus, it's understanding how the firewall rules work or don't work on the MT device. Which is what you need to learn........
Without any firewall rules in place, by the way, all traffic is allowed. :-)
 
chrisknight
just joined
Topic Author
Posts: 17
Joined: Wed Mar 09, 2022 9:24 pm

Re: Access Mikrotik web interface from Wireguard tunnel

Mon May 02, 2022 11:20 pm

OK, I see. Thanks guys for the information. I did look for a LAN list but I didn't really find a list in the GUI that actually listed out the LAN interfaces. I'll have another look when I get a chance.
 
Sob
Forum Guru
Posts: 9119
Joined: Mon Apr 20, 2009 9:11 pm

Re: Access Mikrotik web interface from Wireguard tunnel

Mon May 02, 2022 11:38 pm

Interfaces->Interface List
 
p3ter
just joined
Posts: 19
Joined: Fri Jul 16, 2021 3:17 pm

Re: Access Mikrotik web interface from Wireguard tunnel

Tue May 03, 2022 12:22 am

I just went through this problem recently and found a few places where Wireguard clients could get blocked from the WWW or Winbox access. I do like the encouragement here to understand WHY - and for me, I had been relying on following https://wiki.mikrotik.com/wiki/Manual:S ... our_Router so went back there to figure out the "why"... These suggestions are only helpful if you (like me) followed the 'Securing your Router' suggestions but maybe did not fully understand them at the time :-)

1) You can stop the www & winbox services from being accessible by IP Address range - I had limited winbox to my local 192.68.0.x range and therefore Router WWW and Winbox sessions could not connect:
https://wiki.mikrotik.com/wiki/Manual:S ... S_services
"...each /ip service entity might be secured by allowed IP address..."
i.e. IP -> Services -> Service Name (winbox/www) -> Available From ( x.x.x.x/yy)
Solution: Add the wireguard IP Range to the 'Available From' (or remove all entries and have a lot less security...)

2) If you followed 'Securing Your Router' you may have created a list 'Allowed_to_Router' and disallowed any IP range outside your local network from talking to your router at all:
https://wiki.mikrotik.com/wiki/Manual:S ... o_a_router
"...create address-list for IP addresses, that are allowed to access your router"
i.e. IP -> Firewall -> Accept Input -> Address List 'Allowed_to_Router'
Since I had followed this advice, the IP range of my Wireguard clients was not in my 'Allowed_to_Router' list, and they were therefore blocked by this rule.
Solution: IP -> Firewall -> Address List -> Allowed_to_Router (Add Wireguard range) - this would be exactly the problem solved by @Sob's 'accept input from WG Interface' firewall rule - but solved in a prettier way by adding the Wireguard IP Range to the 'Allowed_to_Router' list, instead of prohibiting access with one rule, and reinstating access with another...

3) Finally, you could have stopped your Admin user logging in from the Wireguard Address range:
https://wiki.mikrotik.com/wiki/Manual:S ... IP_address
"...it is possible to restrict username access for the specific IP address..."
System -> Users -> {your admin user} --> Allowed Address --> x.x.x.x/yy

Maybe this will help someone finding this post in future!
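
The three places p3ter lists, as their CLI equivalents (an added example, not part of the original post). The subnets 192.168.88.0/24 (LAN) and 10.10.10.0/24 (WireGuard peers) and the user name `admin` are constructed placeholders; the list name `Allowed_to_Router` is the one from the post.

```routeros
# Added example; all subnets and the user name below are placeholders.
# Each step prints the current restriction first, then extends it with
# the WireGuard range instead of removing the restriction.

# 1) IP -> Services -> "Available From".
#    An empty address field means the service accepts any source.
/ip service print where name~"www|winbox"
/ip service set www address=192.168.88.0/24,10.10.10.0/24
/ip service set winbox address=192.168.88.0/24,10.10.10.0/24

# 2) IP -> Firewall -> Address Lists: the list matched by the
#    input-chain accept rule.
/ip firewall address-list print where list=Allowed_to_Router
/ip firewall address-list add list=Allowed_to_Router \
    address=10.10.10.0/24 comment="WireGuard peers"

# 3) System -> Users -> "Allowed Address" for the admin account.
/user print detail where name=admin
/user set admin address=192.168.88.0/24,10.10.10.0/24
```

A connection from the tunnel has to pass all three, plus the input-chain rules, so a block in any one of them produces the same symptom.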
 
chrisknight
just joined
Topic Author
Posts: 17
Joined: Wed Mar 09, 2022 9:24 pm

Re: Access Mikrotik web interface from Wireguard tunnel

Tue May 03, 2022 12:32 am

> Interfaces->Interface List

I saw that. When you click LAN, it just says list = LAN. If you click "lists" and then click "LAN", it's empty.
 
Sob
Forum Guru
Posts: 9119
Joined: Mon Apr 20, 2009 9:11 pm

Re: Access Mikrotik web interface from Wireguard tunnel

Tue May 03, 2022 12:49 am

Button "Lists" shows another window where you define lists. And main window shows lists and their member interfaces.
 
anav
Forum Guru
Posts: 19125
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Access Mikrotik web interface from Wireguard tunnel

Tue May 03, 2022 2:52 am

interfacelists.jpg
 
anav
Forum Guru
Posts: 19125
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Access Mikrotik web interface from Wireguard tunnel

Tue May 03, 2022 3:02 am

Yes P3tr, there are multiple areas to control access to winbox.

1. Firewall Rules - Input chain controls ACCESS TO the router (or at least to Services on the router such as winbox).

2. TOOLS MAC Server ---> MAC WinBox Server - can limit which interface list is authorized to access winbox!

3. SYSTEM--> Users ---> ALLOWED ADDRESSES - which IP addresses etc are permitted to attempt to login to the Router.

4. IP -- IP SERVICE LIST -----> Specific PORTS allocated for Services and ALLOWED IP addresses if desired.


( THUS authorized or allowed IPs for winbox CAN be entered in 3/4 options above (firewall rules via firewall address list). They all have different purposes and care must be taken to use them in concert with each other. )
