
 
bregell
just joined
Topic Author
Posts: 7
Joined: Tue Jul 10, 2018 12:38 pm
Location: Sweden

Can't access WebFig when router is connected to VPN

Tue Jul 10, 2018 2:01 pm

Hi,

I have a rather confusing problem.

I have a Mikrotik connected to the Internet and it gets a public IP from my ISP.
The Mikrotik is configured to accept inbound connections to WebFig (443) and Winbox (8291) and I also have some other ports open and forwarded to my server.

I also use the Mikrotik as a VPN PPTP client, so all new outbound traffic from the LAN clients is routed to the VPN.
I have also added a static route to my WAN (public ip) so that I can route certain outbound traffic to the WAN if needed.

The problem I have is that sometimes when the VPN is reconnected I can't access WebFig, Winbox, or the server services via the public IP.
To solve this I have to reconnect the VPN a couple of times until I get connected to another VPN endpoint, i.e. I get a new VPN IP.
The services can also be accessed if I disconnect the VPN.

So the question is why does the Mikrotik stop responding on the public IP (WAN) when the VPN is connected to the "wrong" endpoints?
From what I understand, if the Mikrotik firewall is configured to accept input on port 443 and 8281, WebFig and Winbox should always be reachable even if the VPN is connected.

Best regards,
Bregell
 
sindy
Forum Guru
Posts: 2210
Joined: Mon Dec 04, 2017 9:19 pm

Re: Can't access WebFig when router is connected to VPN

Tue Jul 10, 2018 4:33 pm

This cannot be answered without seeing your configuration, see my automated signature. The most likely cause is that an established VPN connection modifies the routing table so responses to requests coming in via the WAN are routed out via the VPN, so the remedy should be to use policy routing and mark connections initiated by packets coming in through the WAN so that the responses to these requests would bypass the default routing table and be sent out via the same interface through which the request has come in.

Why it only happens for some VPN connection instances and not for others is unexplainable without seeing the output of /ip route print in both the working and non-working case, together with the public IP from (behind) which you connect to the 'Tik's services.
Instead of writing novels, post /export hide-sensitive. Use find&replace in your favourite text editor to systematically replace each occurrence of any public IP address potentially identifying you by a distinctive pattern such as my.public.ip.1.
 
bregell
just joined
Topic Author
Posts: 7
Joined: Tue Jul 10, 2018 12:38 pm
Location: Sweden

Re: Can't access WebFig when router is connected to VPN

Tue Jul 10, 2018 5:23 pm

I will post an export as soon as I am inside the network again!
 
bregell
just joined
Topic Author
Posts: 7
Joined: Tue Jul 10, 2018 12:38 pm
Location: Sweden

Re: Can't access WebFig when router is connected to VPN

Wed Jul 11, 2018 1:22 am

Here is my export:

# jul/11/2018 00:02:21 by RouterOS 6.43rc42
# software id = YTX4-4S66
#
# model = RouterBOARD 750G r3
# serial number = SNR
/interface bridge
add admin-mac=mac arp=proxy-arp auto-mac=no name=LAN-Bridge
/interface ovpn-server
add name=ovpn-johan user=johan
/interface ethernet
set [ find default-name=ether2 ] name="LAN - 1- Master" speed=100Mbps
set [ find default-name=ether3 ] name="LAN - 3" speed=100Mbps
set [ find default-name=ether4 ] name="LAN - 4" speed=100Mbps
set [ find default-name=ether5 ] name="LAN - 5" speed=100Mbps
set [ find default-name=ether1 ] name=WAN speed=100Mbps
/interface pptp-client
add add-default-route=yes connect-to=vpn.integrity.st default-route-distance=0 disabled=no keepalive-timeout=disabled name="PPTP VPN" user=vpn_username
/interface list
add exclude=dynamic name=discover
add name=mactel
add name=mac-winbox
/ip hotspot profile
set [ find default=yes ] html-directory=flash/hotspot
/ip ipsec peer proposal
add dh-group=modp1024 enc-algorithm=aes-256,aes-128,3des name=proposal_1
/ip pool
add name=default-dhcp ranges=192.168.88.100-192.168.88.254
add name=vpn ranges=192.168.88.80-192.168.88.99
/ip dhcp-server
add address-pool=default-dhcp authoritative=after-2sec-delay disabled=no interface=LAN-Bridge name=defconf
/ppp profile
add bridge=LAN-Bridge local-address=vpn name=l2tp remote-address=vpn use-encryption=required
add local-address=vpn name=ovpn remote-address=vpn use-encryption=required
set *FFFFFFFE use-encryption=required
/snmp community
set [ find default=yes ] addresses=0.0.0.0/0
/interface bridge port
add bridge=LAN-Bridge interface="LAN - 1- Master"
add bridge=LAN-Bridge interface=ovpn-johan
add bridge=LAN-Bridge interface="LAN - 3"
add bridge=LAN-Bridge interface="LAN - 4"
add bridge=LAN-Bridge interface="LAN - 5"
/ip firewall connection tracking
set tcp-established-timeout=30m
/ip neighbor discovery-settings
set discover-interface-list=discover
/interface l2tp-server server
set default-profile=l2tp enabled=yes use-ipsec=yes
/interface list member
add interface="LAN - 1- Master" list=discover
add interface="LAN - 3" list=discover
add interface="LAN - 4" list=discover
add interface="LAN - 5" list=discover
add interface="PPTP VPN" list=discover
add interface=LAN-Bridge list=discover
add interface="O VPN" list=discover
add interface=ovpn-johan list=discover
add interface=pptp-out1 list=discover
add interface="LAN - 1- Master" list=mactel
add interface="LAN - 1- Master" list=mac-winbox
/interface ovpn-server server
set certificate="OVPN - Mikrotik" cipher=aes256 default-profile=ovpn enabled=yes keepalive-timeout=disabled mode=ethernet require-client-certificate=yes
/ip address
add address=192.168.88.1/24 comment=defconf interface="LAN - 1- Master" network=192.168.88.0
/ip dhcp-client
add comment=defconf dhcp-options=hostname,clientid disabled=no interface=WAN
/ip dhcp-server lease
add address=192.168.88.240 client-id=1:38:2c:4a:a4:5b:18 comment="WLAN AP" mac-address=mac server=defconf
add address=192.168.88.254 client-id=1:78:24:af:32:6a:4e comment=SERVER mac-address=mac server=defconf
add address=192.168.88.203 always-broadcast=yes client-id=1:14:da:e9:f:87:7f mac-address=mac server=defconf
/ip dhcp-server network
add address=192.168.88.0/24 comment=defconf gateway=192.168.88.1
/ip dns
set allow-remote-requests=yes
/ip dns static
add address=192.168.88.1 name=router
/ip firewall address-list
add address=my_public_dns list=WAN-IP
/ip firewall filter
add action=accept chain=input comment="defconf: accept established,related" connection-state=established,related
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related
add action=accept chain=forward comment="defconf: accept established,related" connection-state=established,related
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment="L2TP Server" dst-port=500,1701,4500 in-interface=WAN protocol=udp
add action=accept chain=input comment="IPSec Server" in-interface=WAN protocol=ipsec-esp
add action=accept chain=input comment="Remote Access" disabled=yes dst-port=80 in-interface=WAN protocol=tcp
add action=accept chain=input comment="Remote Access" dst-port=443 in-interface=WAN protocol=tcp
add action=accept chain=input comment=OVPN dst-port=1194 in-interface=WAN protocol=tcp
add action=accept chain=input comment=Winbox dst-port=8291 in-interface=WAN protocol=tcp
add action=accept chain=forward comment=VNC dst-port=5900 in-interface=WAN log-prefix=vnc protocol=tcp
add action=accept chain=forward comment=Minecraft dst-port=25565 in-interface=WAN protocol=tcp
add action=accept chain=forward comment=Plex dst-port=32400 in-interface=WAN protocol=tcp
add action=accept chain=forward comment="The Forest" dst-port=8766,27015,27016 in-interface=WAN protocol=udp
add action=accept chain=forward comment="Outgoing VPN Traffic" out-interface="PPTP VPN"
add action=accept chain=forward comment="VPN Killswitch" dst-port=80,443,8008 out-interface=WAN protocol=tcp
add action=drop chain=forward comment="VPN Killswitch" log=yes log-prefix=drop out-interface=WAN
add action=drop chain=input comment="defconf: drop all from WAN" in-interface=WAN
add action=drop chain=input in-interface="PPTP VPN"
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
add action=drop chain=forward comment="defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat connection-state=new in-interface=WAN
add action=drop chain=forward connection-nat-state=!dstnat connection-state=new in-interface="PPTP VPN"
/ip firewall nat
add action=masquerade chain=srcnat comment=Harpin dst-address=192.168.88.0/24 out-interface=LAN-Bridge src-address=192.168.88.0/24
add action=dst-nat chain=dstnat comment=VNC dst-address-list=WAN-IP dst-port=5900 protocol=tcp to-addresses=192.168.88.254
add action=dst-nat chain=dstnat comment=VNC2 disabled=yes dst-address-list=WAN-IP dst-port=5901 protocol=tcp to-addresses=192.168.88.203 to-ports=5900
add action=dst-nat chain=dstnat comment=Plex dst-address-list=WAN-IP dst-port=32400 protocol=tcp to-addresses=192.168.88.254
add action=dst-nat chain=dstnat comment=Minecraft dst-address-list=WAN-IP dst-port=25565 protocol=tcp to-addresses=192.168.88.254
add action=dst-nat chain=dstnat comment="The Forest" dst-address-list=WAN-IP dst-port=8766,27015,27016 protocol=udp to-addresses=192.168.88.254
add action=masquerade chain=srcnat comment="defconf: masquerade" out-interface=WAN
add action=masquerade chain=srcnat comment="defconf: masquerade" out-interface="PPTP VPN"
/ip ipsec peer
add address=0.0.0.0/0 exchange-mode=main-l2tp generate-policy=port-override proposal=proposal_1
/ip route
add check-gateway=ping distance=1 gateway=WAN routing-mark=eth
/ip service
set www-ssl certificate=my-rtr-ca disabled=no
set api-ssl certificate=my-rtr-ca
/ip smb shares
set [ find default=yes ] directory=/pub
/ip traffic-flow
set interfaces=WAN
/ip upnp interfaces
add interface="PPTP VPN" type=external
add interface="LAN - 1- Master" type=internal
add interface="LAN - 3" type=internal
add interface="LAN - 4" type=internal
add interface="LAN - 5" type=internal
/ppp secret
add name=johan profile=l2tp service=l2tp
add name=johan profile=ovpn service=ovpn
/system clock
set time-zone-name=Europe/Stockholm
/system package update
set channel=release-candidate
/system resource irq rps
set WAN disabled=no
set "LAN - 1- Master" disabled=no
set "LAN - 3" disabled=no
set "LAN - 4" disabled=no
set "LAN - 5" disabled=no
/system routerboard settings
set silent-boot=no
/tool mac-server
set allowed-interface-list=mactel
/tool mac-server mac-winbox
set allowed-interface-list=mac-winbox
 
sindy
Forum Guru
Posts: 2210
Joined: Mon Dec 04, 2017 9:19 pm

Re: Can't access WebFig when router is connected to VPN

Wed Jul 11, 2018 2:21 am

Well...

/interface pptp-client
add add-default-route=yes connect-to=vpn.integrity.st default-route-distance=0 ...

so you definitely modify the routing table as soon as the VPN session comes up.

default-route-distance=0 is wrong, you should set it to 1 here and to 2 in /ip dhcp-client interface=WAN configuration so that the default route provided by the VPN client would win whenever the VPN is up (or even do something harder if sending something from your actual address rather than the VPN one can cause some trouble), but that's not the reason why the ssh and winbox services stop responding.

You do have the default route with routing-mark there:
/ip route
add check-gateway=ping distance=1 gateway=WAN routing-mark=eth


But there are no /ip firewall mangle rules which would assign that routing-mark, so that route is never used - I'm actually surprised that your PPTP connection doesn't get up and fall down cyclically, I guess credits for that go to routing cache which keeps sending the PPTP transport packets via the WAN's gateway even though the default route changes as the PPTP gets up, but routing cache gets flushed every now and then.

Plus an interface name can be configured as route's gateway only if the interface is a point-to-point one, so this route would not work.

So have a look at policy routing, e.g. here, and also add an individual route to the VPN server so that the PPTP transport packets don't eventually get redirected to the PPTP tunnel once the routing cache gets flushed. You can use the script parameter of /ip dhcp-client to host a script which will, after each renewal of DHCP lease, copy the received gateway IP address to that individual route and to the marked default route.
 
bregell
just joined
Topic Author
Posts: 7
Joined: Tue Jul 10, 2018 12:38 pm
Location: Sweden

Re: Can't access WebFig when router is connected to VPN

Wed Jul 11, 2018 2:58 am

I am not too bright when it comes to this, but as far as I understand I need to do a couple of things.
1. Change the PPTP default-route-distance to 1
2. Change the WAN default-route-distance to 2
3. Keep route with routing-mark=eth as is
4. Add rules to Mangle to mark packets intended for WAN with routing-mark=eth

I have done steps 1-3 but I do not really grasp what rules I need for redirecting specific traffic to WAN.
I added:
/ip firewall mangle
add action=accept chain=prerouting connection-mark=no-mark connection-state=established,related
add action=accept chain=prerouting connection-state=established,related in-interface=WAN
add action=mark-routing chain=prerouting connection-mark=eth-con new-routing-mark=eth passthrough=no
add action=mark-connection chain=prerouting connection-state=new new-connection-mark=eth-con passthrough=yes src-address=192.168.88.1
add action=mark-routing chain=prerouting connection-mark=eth-con new-routing-mark=eth passthrough=no

But as you are saying in the other post:
"if the various handlings are used to control multi-WAN arrangements, and if the router itself or devices on its LAN should act as servers accessible by clients in the internet, it is necessary to assign connection marks also to initial packets coming in via the WAN interface, so that the response packets would be routed through the same WAN interface."

Could you give me an example for the WinBox service?

Best regards,
Bregell
 
sindy
Forum Guru
Posts: 2210
Joined: Mon Dec 04, 2017 9:19 pm

Re: Can't access WebFig when router is connected to VPN

Wed Jul 11, 2018 11:06 am

1.,2. - correct, 3 - wrong, I've written that as the WAN interface is an ethernet one (point-to-multipoint), its name cannot be used as a gateway and instead an IP address of a particular device in that subnet must be used, as the dhcp-client does, /ip route print shows the result to you (export shows the configuration set manually, print shows the actual running configuration including dynamically created items). So to all routes other than the default one in the default ("main") routing table which should send packets via WAN, you have to copy, using a script, the gateway IP address from the default route in the default table each time it can eventually be changed, i.e. at each DHCP renewal. RouterOS provides a convenience measure for this which is the script parameter of /ip dhcp-client.

But as you've simplified the rules in point 4 as compared to the generic case described in the other post, I deduce that you don't need to prepare the complete infrastructure for policy routing of all kinds of traffic.

Therefore, you can simplify things a lot by making use of the fact that PPTP-VPN is a point-to-point interface so its name can be used as a gateway.

So instead of using the default routing table (consisting of routes with no routing-mark) for the traffic of LAN devices, and only using marked routing tables for responses to requests coming in via WAN and for the PPTP transport packets, you can do the reverse and let all traffic outgoing from the 'Tik itself be routed using the default routing table (so you don't need to update the gateway IP address in other routes each time it might eventually change) and let the traffic from LAN use the PPTP-VPN whenever that interface is active.

So you would do the following:
  • remove the route with routing-mark=eth and all the /ip firewall mangle rules
  • set add-default-route to no on the pptp-client interface (and keep default-route-distance=1 in the dhcp-client)
  • add a route dst-address=0.0.0.0/0 gateway=PPTP-VPN routing-mark=vpn
  • instead of /ip firewall mangle rules, add the following:
    /ip route rule
    add src-address=192.168.88.0/24 dst-address=192.168.88.0/24 action=lookup table=main
    add src-address=192.168.88.0/24 action=lookup table=vpn
That way, all packets sent by devices in the LAN subnet and all your VPN clients, which also get addresses from 192.168.88.0/24, will be routed via the PPTP-VPN, except those for other devices in the same subnet (i.e. between LAN devices and your VPN clients). All the remaining packets, which actually means only packets sent by Mikrotik itself, will use the default routing table.

When the PPTP-VPN will eventually be down, the route with routing-mark=vpn will be down too, and the routing will thus fall back to the default routing table "main".

Regarding the "example for the WinBox service", the only point in real multi-WAN arrangements is that the device can receive requests on several WAN interfaces and it has to send the response the same way back, so the only thing you need is to "remember", for each connection initiated from outside, the WAN interface through which the connection was initiated. So no specific arrangement is required for Winbox or another service in particular; it is a job of /ip firewall nat rules to eventually forward some requests to servers on LAN and of /ip firewall filter rules to let through only requests to some services and/or from some remote clients. So you would only mark connections based on in-interface=WAN, nothing else. But if you use the approach above, you don't need this at all.
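sindy's two posts above mention, without showing it, the dhcp-client script that copies the freshly leased WAN gateway into the marked default route and into an individual route to the PPTP server. The following is an added example, not code from sindy or bregell; it assumes the route comments "marked-default-via-WAN" and "host-route-vpn-server" (labels chosen here) and is meant to be pasted into the Script field of the WAN dhcp-client entry, or assigned with /ip dhcp-client set [find interface=WAN] script="...".

```routeros
# Added example (not from the thread). Runs on every lease event of the WAN
# dhcp-client; $bound and $"gateway-address" are the variables RouterOS passes
# to dhcp-client scripts. Route comments below are this example's own labels.
:if ($bound = 1) do={
    :local gw $"gateway-address"

    # 1. Marked default route (routing-mark=eth) used for replies to requests
    #    that came in via WAN: create it on the first bind, else just update it.
    :if ([:len [/ip route find comment="marked-default-via-WAN"]] = 0) do={
        /ip route add dst-address=0.0.0.0/0 gateway=$gw routing-mark=eth distance=2 check-gateway=ping comment="marked-default-via-WAN"
    } else={
        /ip route set [find comment="marked-default-via-WAN"] gateway=$gw
    }

    # 2. Host route to the PPTP server itself, so its transport packets keep
    #    using the WAN gateway after the tunnel installs its own default route
    #    and the routing cache is flushed. The name (from the export) is
    #    resolved at each bind; a DNS failure leaves the old route untouched.
    :do {
        :local vpnip [:resolve "vpn.integrity.st"]
        :if ([:len [/ip route find comment="host-route-vpn-server"]] = 0) do={
            /ip route add dst-address="$vpnip/32" gateway=$gw distance=1 comment="host-route-vpn-server"
        } else={
            /ip route set [find comment="host-route-vpn-server"] dst-address="$vpnip/32" gateway=$gw
        }
        :log info ("dhcp-client: WAN gateway $gw, PPTP server $vpnip, routes updated")
    } on-error={
        :log warning "dhcp-client: could not resolve PPTP server, host route not updated"
    }
} else={
    # Lease lost or released: leave the routes in place; they simply become
    # unreachable until the next bind refreshes the gateway address.
    :log warning "dhcp-client: WAN lease lost"
}
```

Check the result with /ip route print after a lease renewal (export shows only the static part); with the /ip route rule approach sindy recommends next, only the host route to the PPTP server is still worth keeping.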
 
bregell
just joined
Topic Author
Posts: 7
Joined: Tue Jul 10, 2018 12:38 pm
Location: Sweden

Re: Can't access WebFig when router is connected to VPN

Wed Jul 11, 2018 11:41 am

Hi

So I did what you suggested and it seems to work as it should i.e. I can access Mikrotik services from WAN IP and traffic from LAN goes to PPTP VPN.
/ip route
add check-gateway=ping distance=2 gateway="PPTP VPN" routing-mark=vpn

/ip route rule
add dst-address=192.168.88.0/24 src-address=192.168.88.0/24 table=main
add src-address=192.168.88.0/24 table=vpn


However, the Server services are not accessible.
I guess I need some kind of mangle rules to mark the incoming connections to services to be routed to the main table.
Can you give me a hint on how to do that?

Best regards,
Bregell
 
sindy
Forum Guru
Posts: 2210
Joined: Mon Dec 04, 2017 9:19 pm

Re: Can't access WebFig when router is connected to VPN

Wed Jul 11, 2018 1:41 pm

If the server at 192.168.88.254 does not need to access anything via the PPTP VPN as a client, it is sufficient to add another ip route rule at the right place, i.e. in between the existing ones:

/ip route rule
print
add src-address=192.168.88.254/32 action=lookup table=main place-before=1


Otherwise you need to roll out the complete policy routing solution with /ip firewall mangle to which I've pointed you before, because you would need to handle different connections to/from 192.168.88.254 using different routing tables. So the routing tables would remain unchanged, but instead of /ip route rule, you would use mark-connection and mark-routing rules in /ip firewall mangle to choose the right routing table for internet-bound packets of each connection.
 
bregell
just joined
Topic Author
Posts: 7
Joined: Tue Jul 10, 2018 12:38 pm
Location: Sweden

Re: Can't access WebFig when router is connected to VPN

Thu Jul 12, 2018 1:10 am

So I think I have solved all my issues now thanks to you Sindy :)

Could you just take a last look at my configuration so that I have not done anything stupid?
Also for anyone interested here is my configuration.
/ip firewall mangle
add action=accept chain=forward connection-state=established,related
add action=accept chain=input connection-state=established,related
add action=accept chain=prerouting connection-state=established,related
add action=mark-connection chain=input connection-mark=no-mark connection-state=new in-interface=WAN new-connection-mark=eth passthrough=no
add action=mark-routing chain=output connection-mark=eth log-prefix=out new-routing-mark=eth passthrough=no
add action=mark-connection chain=forward connection-mark=no-mark connection-state=new in-interface=WAN new-connection-mark=eth passthrough=no
add action=mark-routing chain=prerouting connection-mark=eth log-prefix=fw-route new-routing-mark=eth passthrough=no src-address-list=LAN

/ip firewall address-list
add address=dns_record list=WAN-IP
add address=192.168.88.0/24 list=LAN

/ip route
add check-gateway=ping distance=2 gateway=gateway_ip routing-mark=eth

/ip dhcp-client
add comment=defconf default-route-distance=2 dhcp-options=hostname,clientid disabled=no interface=WAN

/interface pptp-client
add add-default-route=yes connect-to=vpn.integrity.st default-route-distance=1 disabled=no keepalive-timeout=disabled name="PPTP VPN" user=vpn_username

/ip firewall filter
add action=accept chain=input comment="defconf: accept established,related" connection-state=established,related
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related in-interface="PPTP VPN" log-prefix=fast
add action=accept chain=forward comment="defconf: accept established,related" connection-state=established,related
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment="L2TP Server" dst-port=500,1701,4500 in-interface=WAN protocol=udp
add action=accept chain=input comment="IPSec Server" in-interface=WAN protocol=ipsec-esp
add action=accept chain=input comment="Remote Access" disabled=yes dst-port=80 in-interface=WAN protocol=tcp
add action=accept chain=input comment="Remote Access" dst-port=443 in-interface=WAN protocol=tcp
add action=accept chain=input comment=OVPN dst-port=1194 in-interface=WAN protocol=tcp
add action=accept chain=input comment=Winbox dst-port=8291 in-interface=WAN protocol=tcp
add action=accept chain=forward comment=VNC dst-port=5700 in-interface=WAN log-prefix=vnc protocol=tcp
add action=accept chain=forward comment=VNC2 disabled=yes dst-port=5901 in-interface=WAN protocol=tcp
add action=accept chain=forward comment=Minecraft dst-port=25565 in-interface=WAN protocol=tcp
add action=accept chain=forward comment=Plex dst-port=32400 in-interface=WAN protocol=tcp
add action=accept chain=forward comment=AirVideo disabled=yes dst-port=45633 in-interface=WAN protocol=tcp
add action=accept chain=forward comment="The Forest" dst-port=8766,27015,27016 in-interface=WAN protocol=udp
add action=accept chain=forward comment="Outgoing VPN Traffic" out-interface="PPTP VPN"
add action=accept chain=forward comment="VPN Killswitch" dst-port=80,443 out-interface=WAN protocol=tcp
add action=accept chain=forward out-interface=WAN protocol=icmp
add action=accept chain=forward dst-port=53 out-interface=WAN protocol=udp
add action=drop chain=forward comment="VPN Killswitch" log=yes log-prefix=kill-switch out-interface=WAN
add action=drop chain=input comment="defconf: drop all from WAN" in-interface=WAN
add action=drop chain=input in-interface="PPTP VPN"
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
add action=drop chain=forward comment="defconf:  drop all from WAN not DSTNATed" connection-nat-state=!dstnat connection-state=new in-interface=WAN
add action=drop chain=forward connection-nat-state=!dstnat connection-state=new in-interface="PPTP VPN"

The configuration in bullet format:
  • Routes all new traffic from LAN IPs to the PPTP VPN interface
  • If PPTP VPN is down all traffic is routed to WAN
  • In case of PPTP VPN being down only port 53, 80, and 443 can be used on WAN (Kill-switch)
  • Services on the Mikrotik (Input) from WAN are accepted, marked, and routed back to WAN
  • Services on the LAN (Forward) from WAN are accepted, marked, and routed back to WAN
  • PPTP VPN traffic is fast-tracked

Hopefully this will help someone in the future.

Best regards,
Bregell
 
Emilia
just joined
Posts: 1
Joined: Thu Jul 12, 2018 1:10 pm

Re: Can't access WebFig when router is connected to VPN

Thu Jul 12, 2018 1:21 pm

Thank you very much for the info, it's been very helpful. :)
 
bregell
just joined
Topic Author
Posts: 7
Joined: Tue Jul 10, 2018 12:38 pm
Location: Sweden

Re: Can't access WebFig when router is connected to VPN

Sat Jul 14, 2018 12:15 am

Glad it could help!

I had to make some adjustments though!

To get all services working for both Mikrotik and Server I had to modify the mangle rules as follows.
I also changed from eth to WAN for the routing mark to make it more understandable.
This config works with the Hairpin as well, so for all internal services the external IP or DNS-name can be used.

/ip firewall mangle
add action=accept chain=prerouting connection-mark=no-mark connection-state=established,related
add action=accept chain=forward connection-state=established,related
add action=accept chain=input connection-state=established,related
add action=mark-routing chain=prerouting connection-mark=WAN new-routing-mark=WAN passthrough=no src-address-list=LAN
add action=mark-connection chain=forward connection-mark=no-mark connection-state=new dst-address-list=LAN in-interface=WAN new-connection-mark=WAN passthrough=no
add action=mark-connection chain=input connection-mark=no-mark connection-state=new in-interface=WAN new-connection-mark=WAN passthrough=no
add action=mark-routing chain=output connection-mark=WAN dst-address-list=!LAN new-routing-mark=WAN passthrough=no

/ip firewall nat
add action=masquerade chain=srcnat comment=Harpin dst-address=192.168.88.0/24 log-prefix=hairpin src-address=192.168.88.0/24
add action=dst-nat chain=dstnat comment=VNC dst-address-list=WAN-IP dst-port=5700 protocol=tcp to-addresses=192.168.88.254
add action=dst-nat chain=dstnat comment=VNC2 disabled=yes dst-address-list=WAN-IP dst-port=5901 protocol=tcp to-addresses=192.168.88.203 to-ports=5900
add action=dst-nat chain=dstnat comment="Dont Starve Together" dst-address-list=WAN-IP dst-port=10999 protocol=udp to-addresses=192.168.88.254
add action=dst-nat chain=dstnat comment=Minecraft dst-address-list=WAN-IP dst-port=25565 protocol=tcp to-addresses=192.168.88.254
add action=dst-nat chain=dstnat comment=Plex dst-address-list=WAN-IP dst-port=32400 protocol=tcp to-addresses=192.168.88.254
add action=dst-nat chain=dstnat comment="Air Video" disabled=yes dst-address-list=WAN-IP dst-port=45633 protocol=tcp to-addresses=192.168.88.254
add action=dst-nat chain=dstnat comment="The Forest" dst-address-list=WAN-IP dst-port=8766,27015,27016 protocol=udp to-addresses=192.168.88.254
add action=masquerade chain=srcnat comment="defconf: masquerade" out-interface="PPTP VPN"
add action=masquerade chain=srcnat comment="defconf: masquerade" out-interface=WAN

Cheers!
 
sindy
Forum Guru
Posts: 2210
Joined: Mon Dec 04, 2017 9:19 pm

Re: Can't access WebFig when router is connected to VPN

Sat Jul 14, 2018 3:35 pm

Glad it could help!
You can safely ignore Emilia's post, it is clickbait - the very purpose of it is to make people click on the link.

Could you just take a last look at my configuration so that I have not done anything stupid?
I've checked the updated one. What surprises me a bit is that you took the burden of moving from /ip route rule to /ip firewall mangle rules although you don't need to mark the connections selectively depending on ports. Another remark is that some of the mangle rules are not necessary at all, namely all the three rules add action=accept chain=**** connection-mark=no-mark connection-state=established,related - because the subsequent action=mark-connection rules check connection-state=new, so shadowing them by those I deem useless is, well, useless :-)

Also, you don't need to connection-mark the packets coming from WAN separately in forward and input chains, you can as well use a single rule in chain=prerouting with the same effect, this picture says it all if you read it carefully.

So all in all, the result would be as follows:

/ip firewall mangle
add action=mark-connection chain=prerouting connection-mark=no-mark connection-state=new in-interface=WAN new-connection-mark=WAN passthrough=yes
add action=mark-routing chain=prerouting connection-mark=WAN new-routing-mark=WAN passthrough=no src-address-list=LAN
add action=mark-routing chain=output connection-mark=WAN dst-address-list=!LAN new-routing-mark=WAN passthrough=no