quasar66

Need assistance with SSTP

Sun Aug 21, 2022 2:12 pm

Hi..

I have two MikroTik RB3011 routers that each work independently very well. I am just above a newbie in networking.
I need to travel around, and I want to carry one (the "client", identity set to Travel) so that I can connect to the other one, the server (identity set to Home), so I enabled the SSTP protocol following the wiki and then modified it as per various forum indicators. But on testing, the pings are not working. I need help.
The server-side settings export is here:
# aug/21/2022 06:16:50 by RouterOS 6.49.6
# software id = AGEK-8YNP
#
# model = RB3011UiAS
# serial number = E7EA0E3205F9
/interface bridge
add name=home-bridge
/interface list
add name=WAN
add name=LAN
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip pool
add name=dhcp ranges=192.168.16.2-192.168.16.254
/ip dhcp-server
add address-pool=dhcp disabled=no interface=home-bridge lease-time=30m name=dhcp1
/interface bridge port
add bridge=home-bridge interface=ether2
add bridge=home-bridge interface=ether3
add bridge=home-bridge interface=ether4
add bridge=home-bridge interface=ether5
add bridge=home-bridge interface=ether6
add bridge=home-bridge interface=ether7
add bridge=home-bridge interface=ether8
add bridge=home-bridge interface=ether9
add bridge=home-bridge interface=ether10
/interface list member
add interface=ether1 list=WAN
add interface=home-bridge list=LAN
add interface=sfp1 list=LAN
/interface sstp-server server
set authentication=mschap2 certificate=server enabled=yes force-aes=yes pfs=yes verify-client-certificate=\
    yes
/ip address
add address=192.168.16.1/24 interface=home-bridge network=192.168.16.0
/ip dhcp-client
add disabled=no interface=ether1 use-peer-dns=no
/ip dhcp-server network
add address=192.168.16.0/24 dns-server=192.168.16.1 gateway=192.168.16.1
/ip dns
set allow-remote-requests=yes servers=8.8.8.8,8.8.4.4
/ip dns static
add address=192.168.16.1 name=home-lan
add address=8.8.8.8 name=google
/ip firewall address-list
add address=192.168.16.2-192.168.16.254 list=within-home
add address=0.0.0.0/8 list=not-internet
add address=172.16.0.0/12 list=not-internet
add address=192.168.0.0/16 list=not-internet
add address=10.0.0.0/8 list=not-internet
add address=169.254.0.0/16 list=not-internet
add address=127.0.0.0/8 list=not-internet
add address=224.0.0.0/4 list=not-internet
add address=100.64.0.0/10 list=not-internet
add address=198.18.0.0/15 list=not-internet
add address=198.51.100.0/24 list=not-internet
add address=203.0.113.0/24 list=not-internet
add address=240.0.0.0/4 list=not-internet
add address=255.255.255.255 list=not-internet
/ip firewall filter
add action=accept chain=input connection-state=established,related,untracked
add action=accept chain=input log-prefix=icmp protocol=icmp
add action=accept chain=input connection-state=new dst-port=53 in-interface-list=LAN protocol=tcp
add action=accept chain=input connection-state=new dst-port=53 in-interface-list=LAN protocol=udp
add action=accept chain=forward connection-state=established,related,untracked
add action=accept chain=forward ipsec-policy=in,ipsec
add action=accept chain=forward ipsec-policy=out,ipsec
add action=drop chain=input in-interface-list=!LAN log=yes log-prefix=!LAN
add action=drop chain=input connection-state=invalid
add action=drop chain=forward connection-state=invalid log-prefix=!fw
add action=drop chain=forward connection-nat-state=!dstnat connection-state=new in-interface-list=WAN
add action=fasttrack-connection chain=forward connection-state=established,related,untracked
/ip firewall nat
add action=masquerade chain=srcnat out-interface=ether1
/ip service
set telnet disabled=yes
set ftp disabled=yes
set www disabled=yes
set ssh disabled=yes
set api disabled=yes
set api-ssl disabled=yes
/ip ssh
set forwarding-enabled=remote strong-crypto=yes
/ipv6 firewall address-list
add address=::1/128 list=not-internet-ipv6
add address=::/128 list=not-internet-ipv6
add address=64:ff9b::/96 list=not-internet-ipv6
add address=::ffff:0.0.0.0/96 list=not-internet-ipv6
add address=100::/64 list=not-internet-ipv6
add address=2001:2::/48 list=not-internet-ipv6
add address=2001:10::/28 list=not-internet-ipv6
add address=2002::/16 list=not-internet-ipv6
add address=fc00::/7 list=not-internet-ipv6
add address=fe80::/10 list=not-internet-ipv6
add address=2001::/32 list=not-internet-ipv6
add address=2001:5::/32 list=not-internet-ipv6
/lcd
set default-screen=stats-all
/ppp profile
add local-address=192.168.16.1 name=vpn_profile remote-address=*2
/ppp secret
add local-address=192.168.32.1 name=quasar66 remote-address=192.168.32.2 routes=\
    "192.168.24.0/24 192.168.32.1 1" service=sstp
/system clock
set time-zone-name=America/New_York
/system identity
set name="US Home"
The corresponding client-side settings are as below:
# aug/21/2022 06:28:03 by RouterOS 6.49.6
# software id = IJ0H-KR40
#
# model = RB3011UiAS
# serial number = HCT084QBYPZ
/interface bridge
add name=home-bridge
/interface list
add name=LAN
add name=WAN
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip pool
add name=dhcp ranges=192.168.24.2-192.168.24.254
/ip dhcp-server
add address-pool=dhcp disabled=no interface=home-bridge lease-time=30m name=\
    dhcp1
/interface sstp-client
add authentication=mschap2 certificate=client connect-to=100.19.64.235 \
    disabled=no name=sstp-client pfs=yes profile=default-encryption user=\
    quasar66 verify-server-certificate=yes
/interface bridge port
add bridge=home-bridge interface=ether2
add bridge=home-bridge interface=ether3
add bridge=home-bridge interface=ether4
add bridge=home-bridge interface=ether5
add bridge=home-bridge interface=ether6
add bridge=home-bridge interface=ether7
add bridge=home-bridge interface=ether8
add bridge=home-bridge interface=ether9
add bridge=home-bridge interface=ether10
/interface list member
add interface=ether1 list=WAN
add interface=home-bridge list=LAN
add interface=sfp1 list=LAN
/ip address
add address=192.168.24.1/24 interface=home-bridge network=192.168.24.0
add address=100.19.64.235 interface=ether1 network=100.19.64.235
/ip dhcp-client
add disabled=no interface=ether1
/ip dhcp-server network
add address=192.168.24.0/24 gateway=192.168.24.1
/ip dns
set allow-remote-requests=yes servers=8.8.8.8,8.8.4.4
/ip firewall address-list
add address=0.0.0.0/8 list=not-internet
add address=172.16.0.0/12 list=not-internet
add address=192.168.0.0/16 list=not-internet
add address=10.0.0.0/8 list=not-internet
add address=169.254.0.0/16 list=not-internet
add address=127.0.0.0/8 list=not-internet
add address=224.0.0.0/4 list=not-internet
add address=100.64.0.0/10 list=not-internet
add address=198.18.0.0/15 list=not-internet
add address=198.51.100.0/24 list=not-internet
add address=203.0.113.0/24 list=not-internet
add address=240.0.0.0/4 list=not-internet
add address=255.255.255.255 list=not-internet
add address=192.168.24.2-192.168.24.254 list=within-home
/ip firewall filter
add action=accept chain=input connection-state=established,related,untracked
add action=accept chain=input protocol=icmp
add action=accept chain=input connection-state=new dst-port=53 \
    in-interface-list=LAN protocol=tcp
add action=accept chain=input connection-state=new dst-port=53 \
    in-interface-list=LAN protocol=udp
add action=drop chain=input in-interface-list=!LAN
add action=drop chain=input connection-state=invalid
add action=fasttrack-connection chain=forward connection-state=\
    established,related,untracked
add action=accept chain=forward connection-state=established,related,untracked
add action=drop chain=forward connection-state=invalid
add action=accept chain=forward ipsec-policy=in,ipsec
add action=accept chain=forward ipsec-policy=out,ipsec
add action=drop chain=forward connection-nat-state=!dstnat connection-state=new \
    in-interface-list=WAN
/ip firewall nat
add action=masquerade chain=srcnat ipsec-policy=out,none
/ip route
add distance=1 gateway=100.19.64.1
add distance=1 dst-address=192.168.16.0/24 gateway=sstp-client
add distance=1 dst-address=192.168.16.0/24 gateway=sstp-client
/ip service
set www-ssl disabled=no
/ipv6 firewall address-list
add address=::1/128 list=not-internet-ipv6
add address=::/128 list=not-internet-ipv6
add address=64:ff9b::/96 list=not-internet-ipv6
add address=::ffff:0.0.0.0/96 list=not-internet-ipv6
add address=100::/64 list=not-internet-ipv6
add address=2001:2::/48 list=not-internet-ipv6
add address=2001:10::/28 list=not-internet-ipv6
add address=2002::/16 list=not-internet-ipv6
add address=fc00::/7 list=not-internet-ipv6
add address=fe80::/10 list=not-internet-ipv6
add address=2001::/32 list=not-internet-ipv6
add address=2001:5::/32 list=not-internet-ipv6
/system clock
set time-zone-name=America/New_York
/system clock manual
set time-zone=-04:00
/system identity
set name=Travel
Certificates:
On the server side I created a CA certificate, a server certificate, and a client certificate. The only difference between the server cert and the client cert is that the server cert has the key usage tls_server ticked.
Screenshot all certs.png
The CA certificate is attached as screenshot_CA - the CN is set to the IP address provided by the ISP. The key usage is key cert sign & crl sign, and it is trusted. Thereafter all three certs were signed.
Screenshot CA.png
After import on the client side, the certificates were visible with private keys.
Screenshot all certs client side.png
Secrets and SSTP server on the server side:
Created the user/login, and set the local address as 192.168.32.1 & the remote address as 192.168.32.2.
Screenshot PPP secrets.png
The corresponding SSTP server was enabled, and the certificate "server" was selected.
Screenshot SSTP server.png
On the client side, the same credentials (user/password) are used, and the connect-to (erased) is set to the public IP address of the server-side router.
Screenshot SSTP client.png
Lastly, the route list: server side
Screenshot route server side.png
and the route on the client side
Screenshot route client side.png
Problem: cannot ping either from the other.

Please advise.
Thanks...
anav

Re: Need assistance with SSTP

Sun Aug 21, 2022 3:42 pm

Does the device at home (not travelling) have an accessible public IP? If so, I suggest you use WireGuard instead.
 
quasar66

Re: Need assistance with SSTP

Sun Aug 21, 2022 6:15 pm

Yes, it has an accessible public IP - not completely static, but it hasn't changed over the last 6 months ...

I have wiped it off at most places that I could do.

Thanks...
 
quasar66

Re: Need assistance with SSTP

Sun Aug 21, 2022 6:15 pm

Sorry, but what is a WireGuard?
 
tangent

Re: Need assistance with SSTP

Sun Aug 21, 2022 6:35 pm

Sorry, but what is a WireGuard?

This.
 
anav

Re: Need assistance with SSTP

Sun Aug 21, 2022 7:13 pm

Since you are on version 6 firmware, WireGuard is not possible; one would have to move to 7.4.1 firmware.
Nothing wrong with SSTP, I just prefer WireGuard, as in I find it easier.
 
quasar66

Re: Need assistance with SSTP

Sun Aug 21, 2022 7:22 pm

I see.. WireGuard is interesting, but I chose SSTP because many parts of South and Far East Asia are trying to block VPN access. SSTP at least handles it as a port 443 call, which is far more challenging to block. My travels usually take me there.

Also, it's my understanding that the RB3011 does not support RouterOS 7.x, so I have to operate on 6.46 - is this not correct?
 
anav

Re: Need assistance with SSTP

Sun Aug 21, 2022 7:27 pm

Not correct; where did you hear that?
Since you are dealing with VPN blocking issues, it would be good to have WireGuard as a backup.
You can use any port with WireGuard. Not sure what countries tend to block ???
 
quasar66

Re: Need assistance with SSTP

Sun Aug 21, 2022 10:12 pm

Okay - but I will experiment with 7.4.1 & WireGuard after I return - I don't want to unsettle the otherwise running installations ...

Can you help me get SSTP on 6.49.6 working smoothly, please?

Thanks as always...
 
anav

Re: Need assistance with SSTP

Mon Aug 22, 2022 1:22 am

Would love to, but I know less about SSTP than you do. I have only used it to try a third-party SSTP service as a backup to reach my router (remote Winbox), and it works great.
However, if you want to start using the whole set of parameters, it's beyond my scope of experience, and I tend to shy away from blind advice. Hopefully somebody else will chime in.
 
anav

Re: Need assistance with SSTP

Mon Aug 22, 2022 1:30 am

I can speak about your forward chain: why bother with a VPN when you have left your router wide open to internet access??
Okay, my bad, you do drop all but not LAN, but such a bass-ackwards way of stating it LOL............ see below for clear config rules!!!

So keep these ones.. and for god's sake keep the chains together............... input chain rules, then forward chain rules, for example.
/ip firewall filter
add action=accept chain=input connection-state=established,related,untracked
add action=drop chain=input connection-state=invalid
add action=accept chain=input log-prefix=icmp protocol=icmp
+++++++++++++++++++++++++++++++++++++++++++++
add action=accept chain=input connection-state=new dst-port=53 in-interface-list=LAN protocol=tcp
add action=accept chain=input connection-state=new dst-port=53 in-interface-list=LAN protocol=udp
&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&


NOW where the +++++ symbols are ADD:
add action=accept chain=input in-interface-list=LAN
NOW where the &&&&& symbols are ADD:
add action=drop chain=input comment="drop all else"

I am suggesting keeping the port 53 rules, as down the road you will probably not want to give the whole LAN access to the router, but only to the LAN for services such as DNS, which you have done with those two rules.
So eventually you should change the first rule to
add action=accept chain=input in-interface-list=LAN src-address-list=Authorized

Where Authorized is a firewall address list of LAN IPs that should have access to the router for config purposes (admin desktop, laptop, iPhone, smartphone, SSTP IP coming across, etc....)
 
anav

Re: Need assistance with SSTP

Mon Aug 22, 2022 1:38 am

Take this with a grain of salt, as it is not from experience!
Now the biggest problem I see with your server INPUT CHAIN RULES is NO RULE TO ALLOW SSTP coming in!!
add chain=input action=accept protocol=tcp dst-port=443

Also, from minimal reading, you need a route out on the client MT with the SSTP interface as gateway.....
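As an added example (not code from this thread or from MikroTik), a small Python audit that parses a RouterOS 6 export and checks whether the input chain reaches an accept for TCP/443 before the catch-all drop, since rule order decides whether the SSTP handshake ever arrives. The sample lines are constructed from the server export above; the `FIXED_EXPORT` variant and the function names are assumptions.

```python
import re
import shlex

# Constructed from the server export in this thread: the input chain has no
# rule admitting SSTP (TCP/443) before the drop of everything not from LAN.
SERVER_EXPORT = """\
/ip firewall filter
add action=accept chain=input connection-state=established,related,untracked
add action=accept chain=input log-prefix=icmp protocol=icmp
add action=drop chain=input in-interface-list=!LAN log=yes log-prefix=!LAN
add action=drop chain=input connection-state=invalid
"""
# The same chain with an accept for TCP/443 inserted ahead of the !LAN drop,
# written with an export-style backslash continuation.
FIXED_EXPORT = SERVER_EXPORT.replace(
    "add action=drop chain=input in-interface-list=!LAN",
    "add action=accept chain=input dst-port=443 in-interface-list=WAN \\\n"
    "    protocol=tcp\nadd action=drop chain=input in-interface-list=!LAN")

def parse_export(text):
    # Join the backslash continuations /export writes, then collect every
    # add/set line as (section, {key: value}) in the order it appears.
    text = re.sub(r"\\\n\s*", "", text)
    section, rows = None, []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("/"):
            section = line
            continue
        words = shlex.split(line)
        if words and words[0] in ("add", "set"):
            rows.append((section, dict(w.split("=", 1)
                                       for w in words[1:] if "=" in w)))
    return rows

def input_accepts_sstp(rows):
    # RouterOS evaluates a chain top-down: the TCP/443 accept only counts if
    # it is hit before the first input drop not limited to invalid traffic.
    for sec, kv in rows:
        if sec != "/ip firewall filter" or kv.get("chain") != "input":
            continue
        if (kv.get("action") == "accept" and kv.get("protocol") == "tcp"
                and kv.get("dst-port") == "443"):
            return True
        if kv.get("action") == "drop" and kv.get("connection-state") != "invalid":
            return False
    return False
```

Run `input_accepts_sstp(parse_export(open("export.rsc").read()))` against a real `/export` file to get the same yes/no answer for your own router.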
 
quasar66

Re: Need assistance with SSTP

Mon Aug 22, 2022 1:50 am

Firewall changes done - thanks for the idea .. especially the idea of being able to reconfigure ONLY from a specific authorized set of allocated IPs is a thoughtful help - I can then allocate a static lease to the one laptop that will have the access to modify...
I understand your SSTP concern - but on the whole, I have decided to move the RB3011s to 7.4.1 and then try WireGuard on the router set tonight EST .. Your comment on which authority is blocking exactly what and how makes a lot of sense..
Let's hope for the best...
 
anav

Re: Need assistance with SSTP

Mon Aug 22, 2022 2:33 am

viewtopic.php?t=182340

Basic concept is the router acting as a server for the initial handshake.
WireGuard IP address something like 10.10.10.1/24 interface=wginterfacename

The client (road) MT, something like 10.10.10.2/24

Your iPhone, so you can configure either router remotely as well:
10.10.10.3/32

Set the input chain rule on the server router.
Ensure the WireGuard parameters are correct on all devices.
Ensure the firewall rules permit traffic flow on both MTs.
Ensure routes are available to guide traffic flow on both MTs.
