lacibsd
Frequent Visitor
Topic Author
Posts: 56
Joined: Thu Mar 10, 2016 9:48 pm

Make ssh/web reachable from VPN network

Sat Oct 16, 2021 12:24 pm

  • My MikroTik is reachable on 192.168.10.1 for ssh and web, the LAN is 192.168.10.0/24
  • Clients connecting from the internet via MikroTik's VPN are getting an IP from 192.168.89.0/24
I'd like to make 192.168.10.1 reachable on 22/tcp, 80 and 443 tcp from 192.168.89.0/24, how can I do it? As of now I can ping 192.168.10.1 when on VPN but can't connect via desired ports.
/ip route print
Flags: X - disabled, A - active, D - dynamic, C - connect, S - static, r - rip, b - bgp, o - ospf, m - mme, B - blackhole, U - unreachable, P - prohibit
 #      DST-ADDRESS        PREF-SRC        GATEWAY            DISTANCE
 0 ADS  0.0.0.0/0                          192.168.1.1               1
 1 ADC  192.168.1.0/24     192.168.1.11    ether1                    0
 2 ADC  192.168.10.0/24    192.168.10.1    bridgeVLAN10              0
 3 ADC  192.168.89.10/32   192.168.89.1    <l2tp-ppp..               0
 
joegoldman
Forum Veteran
Posts: 767
Joined: Mon May 27, 2013 2:05 am

Re: Make ssh/web reachable from VPN network

Sat Oct 16, 2021 1:07 pm

MikroTik management services listen on all addresses by default.

What will be stopping access is either IP ACL on the service or username itself
OR
Firewall rules blocking access to anything but specific IPs

Post /export hide-sensitive so we can help determine what the issue is.
 
holvoetn
Forum Guru
Posts: 5491
Joined: Tue Apr 13, 2021 2:14 am
Location: Belgium

Re: Make ssh/web reachable from VPN network

Sat Oct 16, 2021 1:13 pm

Apart from the valid answer to post your config, in the default firewall rules only LAN interfaces are allowed to access through whatever.
Is your VPN interface part of the LAN list?

Alternative (since some VPN interfaces have dynamic nature): change the relevant firewall rule from accepting only LAN to accept when it's not WAN. This way your VPN interfaces will also be allowed.
 
lacibsd
Frequent Visitor
Topic Author
Posts: 56
Joined: Thu Mar 10, 2016 9:48 pm

Re: Make ssh/web reachable from VPN network

Sat Oct 16, 2021 2:31 pm

Understood, please see the export below, I did remove a few irrelevant lines:
https://private.sparky.red/?24f0434ef0e ... Qe7yWtRKET
 
lacibsd
Frequent Visitor
Topic Author
Posts: 56
Joined: Thu Mar 10, 2016 9:48 pm

Re: Make ssh/web reachable from VPN network

Sat Oct 16, 2021 2:33 pm

Maybe it's line 75 that's blocking the connection?
add action=drop chain=input comment="defconf: drop all not coming from LAN" in-interface-list=!LAN
 
holvoetn
Forum Guru
Posts: 5491
Joined: Tue Apr 13, 2021 2:14 am
Location: Belgium

Re: Make ssh/web reachable from VPN network  [SOLVED]

Sat Oct 16, 2021 2:39 pm

> Maybe it's line 75 that's blocking the connection?
> add action=drop chain=input comment="defconf: drop all not coming from LAN" in-interface-list=!LAN

Yes. Change that to WAN. Don't forget to remove the NOT-tick.

And Safe Mode to be sure!
 
lacibsd
Frequent Visitor
Topic Author
Posts: 56
Joined: Thu Mar 10, 2016 9:48 pm

Re: Make ssh/web reachable from VPN network

Sat Oct 16, 2021 2:45 pm

I changed it like this:
add action=drop chain=input comment="defconf: drop all not coming from LAN" disabled=yes in-interface-list=!LAN
add action=accept chain=input comment="accept all not coming from WAN" in-interface-list=!WAN
Now it works! Yay, thank you!
Yes, safe mode is awesome, ty!
 
holvoetn
Forum Guru
Posts: 5491
Joined: Tue Apr 13, 2021 2:14 am
Location: Belgium

Re: Make ssh/web reachable from VPN network

Sat Oct 16, 2021 2:56 pm

Errrmm... you opened everything now.
All not coming from LAN is blocked but coming from WAN is accepted now. Which is basically ... all accepted.

Second line should be this.
add action=drop chain=input comment="drop all coming from WAN" in-interface-list=WAN

Remove first line.
 
lacibsd
Frequent Visitor
Topic Author
Posts: 56
Joined: Thu Mar 10, 2016 9:48 pm

Re: Make ssh/web reachable from VPN network

Sat Oct 16, 2021 6:06 pm

You are right, I made the swap:
add action=drop chain=input comment="defconf: drop all not coming from LAN" disabled=yes in-interface-list=!LAN
add action=accept chain=input comment="accept all not coming from WAN" disabled=yes in-interface-list=!WAN
add action=drop chain=input comment="drop all coming from WAN" in-interface-list=WAN
The first two lines are going to be deleted, just pasting here to show the change

> Errrmm... you opened everything now.
> All not coming from LAN is blocked but coming from WAN is accepted now. Which is basically ... all accepted.
>
> Second line should be this.
> add action=drop chain=input comment="drop all coming from WAN" in-interface-list=WAN
>
> Remove first line.
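
Added example, not part of the thread: a small Python model of first-match evaluation on the input chain, run against the three rule sets posted above plus a narrower variant that accepts only TCP 22, 80 and 443 from 192.168.89.0/24 ahead of the defconf drop. The interface-list membership (ether1 in WAN, bridgeVLAN10 in LAN), the name l2tp-vpn for the dynamic L2TP interface, the sample hosts and the SCOPED rule set are assumptions; earlier rules in the chain are not modelled and every packet is treated as TCP.

```python
import ipaddress

# Constructed model: list membership and the "l2tp-vpn" name are assumptions.
LISTS = {"LAN": {"bridgeVLAN10"}, "WAN": {"ether1"}}

def rule(action, in_list=None, negate=False, disabled=False, src=None, ports=None):
    return dict(action=action, in_list=in_list, negate=negate,
                disabled=disabled, src=src, ports=ports)

def matches(r, p):
    if r["in_list"] and (p["iface"] in LISTS[r["in_list"]]) == r["negate"]:
        return False                      # "!LIST" matches non-members only
    if r["src"] and ipaddress.ip_address(p["src"]) not in ipaddress.ip_network(r["src"]):
        return False
    return not r["ports"] or p["dport"] in r["ports"]

def verdict(rules, p):
    for r in rules:
        if not r["disabled"] and matches(r, p):
            return r["action"]            # first enabled matching rule decides
    return "accept"                       # no match in the chain: RouterOS accepts

def pkt(iface, src, dport=22):
    return {"iface": iface, "src": src, "dport": dport}

LAN_HOST = pkt("bridgeVLAN10", "192.168.10.20")   # constructed LAN client
VPN_HOST = pkt("l2tp-vpn", "192.168.89.10")       # VPN client, in neither list
WAN_HOST = pkt("ether1", "203.0.113.7")           # constructed outside address

DEFCONF = [rule("drop", "LAN", negate=True)]                   # original rule
FIRST_TRY = [rule("drop", "LAN", negate=True, disabled=True),  # 2:45 pm post
             rule("accept", "WAN", negate=True)]
FINAL = [rule("drop", "WAN")]                                  # 6:06 pm post
# Narrower variant (an assumption, not from the thread): keep the defconf
# drop and accept only the three requested ports from the VPN pool before it.
SCOPED = [rule("accept", src="192.168.89.0/24", ports={22, 80, 443})] + DEFCONF

def summary(rules, dport=22):
    hosts = {"lan": LAN_HOST, "vpn": VPN_HOST, "wan": WAN_HOST}
    return {k: verdict(rules, dict(h, dport=dport)) for k, h in hosts.items()}

if __name__ == "__main__":
    for name in ("DEFCONF", "FIRST_TRY", "FINAL", "SCOPED"):
        rules = globals()[name]
        print(name, "tcp/22:", summary(rules), "tcp/8291:", summary(rules, 8291))
```

With FINAL, a VPN client also reaches port 8291 (Winbox) and every other router service, and any interface that is not in the WAN list is accepted by the chain's default. SCOPED keeps the defconf drop and opens only the three requested ports to the VPN pool.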
