Router: MikroTik hAP ac2 (updated to latest version OS 7.8 Stable)
I have Bitvise SSH Server installed on my PC and everything works fine (access to the server from the LAN and from the Internet). A few days ago I set up a WireGuard server on MT and have access to the LAN and the Internet through a VPN tunnel. I use my phone to access the server. The problem occurs when I want to access the SSH server via WireGuard. The same problem occurs when I try to access it via OpenVPN and L2TP.
What is strange is that via WireGuard or the other VPNs I have access to the server through the SFTP protocol, while through the FTP protocol I have no access.
I think the problem is related to the operation of the passive port 20020. Sometimes when you try to connect to the server via FTP, it shows the contents of the folder, but when you try to refresh the view, everything disappears and the message "Loading error! Check your network connection" appears. I don't know what the problem is and I'm out of ideas. Can you guys look at my configuration, maybe you can help me. Is there something in my configuration that could be causing the problem? Maybe something is missing?
I configured the MT Router based on various tutorials on the Internet, so my knowledge of how the network works is not great.
# mar/07/2023 11:24:06 by RouterOS 7.8
# software id = 46XI-U957
#
# model = RBD52G-5HacD2HnD
# serial number = xxxxxxxxx
#
# NOTE(review): the export shown ends inside /ip firewall nat; /ip route,
# /ip service, /ip firewall service-port and anything later are not visible,
# so the comments below only describe what this part of the export shows.
/interface bridge
add comment="Home Network" name=bridge1
/interface ethernet
# ether1 is the Internet-facing port; the input and NAT rules below key on it.
set [ find default-name=ether1 ] comment=WAN
/interface wireless
# Both radios run in ap-bridge mode with WPS disabled; they share the default
# security profile set further down.
set [ find default-name=wlan1 ] band=2ghz-g/n basic-rates-b="" country=poland \
disabled=no frequency=2427 installation=indoor mode=ap-bridge rate-set=\
configured ssid=Maki_52 station-roaming=enabled supported-rates-b="" \
tx-power-mode=all-rates-fixed wps-mode=disabled
set [ find default-name=wlan2 ] band=5ghz-onlyac channel-width=\
20/40/80mhz-Ceee country=poland disabled=no frequency=auto installation=\
indoor mode=ap-bridge ssid=Maki_52_5G station-roaming=enabled \
tx-power-mode=all-rates-fixed wps-mode=disabled
/interface wireguard
# WireGuard endpoint on UDP 13231; the matching input accept rule is in
# /ip firewall filter below.
add listen-port=13231 mtu=1420 name=wireguard1
/disk
# USB partition (disk1) used by the disk logging actions below.
add parent=usb1 partition-number=1 partition-offset="1 048 576" \
partition-size="61 504 225 280" type=partition
/interface lte apn
set [ find default=yes ] ip-type=ipv4 use-network-apn=no
/interface wireless security-profiles
# authentication-types still allows WPA1 (wpa-psk) next to WPA2; limiting it to
# wpa2-psk removes the legacy WPA1 negotiation unless an old client needs it.
set [ find default=yes ] authentication-types=wpa-psk,wpa2-psk eap-methods="" \
mode=dynamic-keys supplicant-identity=MikroTik
/ip pool
# LAN clients get 172.16.0.100-254. L2TP (10.0.1.x) and OpenVPN (10.0.0.x) pools
# both fall inside the 10.0.0.0/23 that the VPN input rule below matches on;
# WireGuard uses a separate 10.10.0.0/29.
add comment="Serwer DHCP" name=dhcp_pool ranges=172.16.0.100-172.16.0.254
add comment=L2TP name=l2tp_pool ranges=10.0.1.2-10.0.1.5
add comment=OpenVPN name=openvpn_pool ranges=10.0.0.2-10.0.0.5
/ip dhcp-server
add address-pool=dhcp_pool interface=bridge1 lease-time=1h name=dhcp1
/ppp profile
# L2TP profile: MSS clamping on; encryption is additionally enforced by
# use-ipsec=required on the L2TP server below.
add change-tcp-mss=yes comment=L2TP local-address=10.0.1.1 name=l2tp \
remote-address=l2tp_pool use-encryption=yes
# OpenVPN profile pushes an ISP resolver plus 8.8.8.8 to clients.
add comment=OpenVPN dns-server=62.179.1.62,8.8.8.8 local-address=10.0.0.1 \
name=openvpn remote-address=openvpn_pool use-encryption=required
/routing bgp template
# BGP template and OSPF instance are enabled, but no BGP connection or OSPF
# interface-template appears in this export, so they look inert — confirm.
set default disabled=no output.network=bgp-networks
/routing ospf instance
add disabled=no name=default-v2
/routing ospf area
add disabled=yes instance=default-v2 name=backbone-v2
/system logging action
# Memory and USB-disk log targets. The disk targets stop on a full disk except
# usbl2tp, which has no disk-stop-on-full flag. The /system logging rules that
# would use these actions are not visible in this export.
add name=logowanie target=memory
add name=l2tp target=memory
add disk-file-name=disk1/ovpn disk-stop-on-full=yes name=usbovpn target=disk
add disk-file-name=disk1/l2tp name=usbl2tp target=disk
add disk-file-name=disk1/logowanie disk-stop-on-full=yes name=usblogowanie \
target=disk
add memory-stop-on-full=yes name=ovpn target=memory
add name=Blocked target=memory
/interface bridge port
# All four LAN ports and both radios sit in one untagged bridge;
# ingress-filtering=no leaves tagged frames unfiltered (no VLAN configuration
# is visible in this export).
add bridge=bridge1 ingress-filtering=no interface=ether2
add bridge=bridge1 ingress-filtering=no interface=ether3
add bridge=bridge1 ingress-filtering=no interface=ether4
add bridge=bridge1 ingress-filtering=no interface=ether5
add bridge=bridge1 ingress-filtering=no interface=wlan1
add bridge=bridge1 ingress-filtering=no interface=wlan2
/ip neighbor discovery-settings
# !dynamic is every interface not in the "dynamic" list, which appears to include
# ether1 (WAN); neighbour discovery answering on the Internet side reveals model
# and version. An interface list holding only bridge1 limits that exposure.
set discover-interface-list=!dynamic
/ip settings
set max-neighbor-entries=8192
/ipv6 settings
# IPv6 is disabled entirely, so there are no IPv6 filter rules to review.
set disable-ipv6=yes max-neighbor-entries=8192
/interface detect-internet
set detect-interface-list=all
/interface l2tp-server server
# L2TP is only accepted inside IPsec.
set default-profile=l2tp enabled=yes use-ipsec=required
/interface ovpn-server server
# OpenVPN over TCP 1194 with client certificates required. auth=sha1 is the
# HMAC; RouterOS 7 also offers sha256 — check client support before changing.
set auth=sha1 certificate=Server cipher=aes256-cbc default-profile=openvpn \
enabled=yes require-client-certificate=yes
/interface wireguard peers
# Single WireGuard peer (10.10.0.2/32); only its public key is stored here.
add allowed-address=10.10.0.2/32 interface=wireguard1 public-key=\
"nNSNTQF61O1IrtyuUtLCS0is+F9BAM6mhmBBEoZ4Cg="
/ip address
add address=172.16.0.1/24 interface=bridge1 network=172.16.0.0
add address=10.10.0.1/29 comment=WireGuard interface=wireguard1 network=\
10.10.0.0
/ip dhcp-server network
add address=172.16.0.0/24 gateway=172.16.0.1
/ip firewall address-list
# DDNS name resolved into list "domena". No rule in this export references the
# list, so it is either unused or consumed by a section outside this view.
add address=test001.ddns.net list=domena
/ip firewall filter
# Rules are evaluated top-down per chain. This fasttrack rule is the ONLY
# forward-chain rule in the export: there is no drop of invalid traffic and no
# `drop connection-state=new connection-nat-state=!dstnat in-interface=ether1`
# as in the RouterOS default firewall, so WAN->LAN forwarding is limited only by
# routing and NAT. Later packets of a fasttracked connection also bypass the
# remaining filter rules.
add action=fasttrack-connection chain=forward comment=fasttrack \
connection-state=established,related hw-offload=yes
# Input chain: everything from the LAN bridge and from the VPN interfaces is
# accepted towards the router itself.
add action=accept chain=input comment="Accept all LAN traffic" in-interface=\
bridge1
add action=accept chain=input comment=\
"Accept LAN access via VPN (L2TP and OpenVPN)" in-interface=all-ppp \
src-address=10.0.0.0/23
# WireGuard handshake port accepted on every interface (no in-interface
# restriction); WireGuard by design ignores unauthenticated packets, so the
# exposure is the open UDP port only.
add action=accept chain=input comment=WireGuard dst-port=13231 protocol=udp
add action=accept chain=input comment=\
"Accept all LAN traffic for WireGuard connections" in-interface=\
wireguard1
add action=accept chain=input comment=\
"Accept established and related connections" connection-state=\
established,related
# Port-scan handling on ether1: already-listed scanners are dropped first, then
# the psd matcher adds new sources to port_scanners for ~24h. Both are logged.
add action=drop chain=input comment="Block hosts that scan ports" \
in-interface=ether1 log=yes log-prefix="BLOCKED SCANER" src-address-list=\
port_scanners
add action=add-src-to-address-list address-list=port_scanners \
address-list-timeout=23h59m59s chain=input comment=\
"Port scanning detection" in-interface=ether1 log=yes log-prefix=\
"ADDED SCANER" protocol=tcp psd=21,5s,3,1
# Port-knock sequence 3311 -> 1289 -> 2328 (TCP on ether1): each step adds the
# source to the next list; add-src-to-address-list passes the packet on, so the
# knock packets themselves fall through to the final drop. A completed sequence
# grants one hour in TRUSTED_LIST. Note the knock ports are in cleartext here.
add action=add-src-to-address-list address-list=knock_1 address-list-timeout=\
30s chain=input comment="Port Knocking" dst-port=3311 in-interface=ether1 \
protocol=tcp
add action=add-src-to-address-list address-list=knock_2 address-list-timeout=\
30s chain=input dst-port=1289 in-interface=ether1 protocol=tcp \
src-address-list=knock_1
add action=add-src-to-address-list address-list=TRUSTED_LIST \
address-list-timeout=1h chain=input dst-port=2328 in-interface=ether1 \
protocol=tcp src-address-list=knock_2
# 2321 and 4433 are presumably the router's own FTP and www-ssl service ports
# (/ip service is not in this export); reachable only from TRUSTED_LIST.
add action=accept chain=input comment="Accept connections on selected ports, i\
f the address is on the list: TRUSTED_LIST (FTP; Webfig)" dst-port=\
2321,4433 protocol=tcp src-address-list=TRUSTED_LIST
# ICMP accepted from any interface, without rate limiting.
add action=accept chain=input comment="Accept ICMP" protocol=icmp
# VPN service ports accepted from any interface (no in-interface restriction).
add action=accept chain=input comment=OpenVPN dst-port=1194 protocol=tcp
add action=accept chain=input comment=L2TP dst-port=1701,500,4500 protocol=\
udp
add action=accept chain=input protocol=ipsec-esp
# WinBox (presumably moved to 8451 in /ip service) is accepted from every
# interface with no src-address-list or in-interface limit, so the management
# port is reachable from the Internet protected only by its credentials.
# Adding src-address-list=TRUSTED_LIST (reusing the knock sequence) or
# in-interface=!ether1 closes it to unknocked sources.
add action=accept chain=input comment="Accept WinBox" dst-port=8451 protocol=\
tcp
# Final input default-deny.
add action=drop chain=input comment="Block everything other"
/ip firewall nat
add action=masquerade chain=srcnat comment=Maskarada out-interface=ether1
# Hairpin masquerade: matches every LAN-sourced packet whose destination is not
# the router itself, not only LAN->LAN. It therefore appears to also rewrite
# LAN->VPN-client traffic (10.x destinations) to the router's tunnel address;
# the usual hairpin form is src-address=172.16.0.0/24 dst-address=172.16.0.0/24.
add action=masquerade chain=srcnat comment="Maskarada Hairpin NAT" \
dst-address=!172.16.0.1 src-address=172.16.0.0/24
# SSH and FTP control forwards: dst-address-type=local with dst-address=
# !172.16.0.1 matches the router's public address (hairpin-friendly).
# src-address-list="" on the SSH rule is an empty matcher and restricts nothing.
add action=dst-nat chain=dstnat comment="Bitvise SSH Server - SSH" \
dst-address=!172.16.0.1 dst-address-type=local dst-port=2271 protocol=tcp \
src-address-list="" to-addresses=172.16.0.10 to-ports=2271
add action=dst-nat chain=dstnat comment="Bitvise SSH Server - FTP" \
dst-address=!172.16.0.1 dst-address-type=local dst-port=2171 protocol=tcp \
to-addresses=172.16.0.10 to-ports=2171
# Passive-FTP data port: unlike the two rules above it has no
# dst-address-type=local, so ANY TCP connection to port 20020 — from any
# interface and to any destination — is redirected to 172.16.0.10. Whether the
# passive transfer over WireGuard works depends on the address Bitvise
# advertises in its PASV reply (public/DDNS name vs 172.16.0.10); that cannot
# be determined from this export — a sniff on wireguard1 and bridge1 during the
# data connection shows which path it takes.
add action=dst-nat chain=dstnat comment="Bitvise SSH Server - Passive Port" \
dst-port=20020 protocol=tcp to-addresses=172.16.0.10 to-ports=20020
add action=dst-nat chain=dstnat comment="foobar2000 - Beefweb Remote Control" \
dst-address=!172.16.0.1 dst-address-type=local dst-port=8880 protocol=tcp \
to-addresses=172.16.0.10 to-ports=8880
# Wake-on-LAN forward: UDP 9 from any source, including the Internet, reaches
# the host, and WoL magic packets carry no authentication, so anyone who knows
# the MAC can wake it. src-address-list=TRUSTED_LIST would tie it to the knock
# sequence like the other trusted-only ports.
add action=dst-nat chain=dstnat comment="Wake on LAN" dst-port=9 protocol=udp \
to-addresses=172.16.0.10 to-ports=9