rbrtre
just joined
Topic Author
Posts: 5
Joined: Thu Mar 07, 2019 6:34 am

Accessing NVR and home automation server

Tue May 17, 2022 3:26 pm

Hi, Mikrotik community! After 4 years of using Mikrotik products on my home network, experimenting with Hairpin NAT, using L2TP VPN with Mikrotik cloud service, I need some guidance.

I have a fairly complicated home automation system in my house, controlling most of the electric devices together with software NVR, PLEX and SAMBA.
For about two years I used the Hairpin NAT to access the local network from the outside which worked great but, it just didn't feel right.
I decided to use L2TP VPN (from the quick set) and it worked but after a few minutes, it used to block the internet access to the phone I was using to access my home network through the VPN.
Recently I changed the phone and there is no option for the insecure VPN connection. The only options are IKE2/IPSec MSCHAPv2, IKEv2/IPSec PSK and IKE2/IPSEC RSA.
I'm learning this stuff as I'm using it so here I am, trying to save myself some time wasted chasing some dead ends. Any opinion or advice will be very helpful. Thanks!
 
own3r1138
Long time Member
Posts: 681
Joined: Sun Feb 14, 2021 12:33 am
Location: Pleiades

Re: Accessing NVR and home automation server

Tue May 17, 2022 3:55 pm

Hello,
L2TP/IPsec PSK is secure enough when using a strong pre-shared key for home and it is supported by iOS and Android. However, if you prefer IKEv2 you can use RSA with v6 or EAP with v7 RouterOS.

IKEv2 EAP-MSCHAPv2
https://help.mikrotik.com/docs/display/ ... outerOSv7)

IKEv2 RSA
https://help.mikrotik.com/docs/display/ ... entication
 
k6ccc
Forum Guru
Posts: 1490
Joined: Fri May 13, 2016 12:01 am
Location: Glendora, CA, USA (near Los Angeles)

Re: Accessing NVR and home automation server

Tue May 17, 2022 5:36 pm

> I decided to use L2TP VPN (from the quick set)
Keep in mind that once you have done any config manually, you should NEVER touch QuickSet again - it will likely blow away any changes that you previously made.
 
rbrtre
just joined
Topic Author
Posts: 5
Joined: Thu Mar 07, 2019 6:34 am

Re: Accessing NVR and home automation server

Wed May 18, 2022 3:31 am

> I decided to use L2TP VPN (from the quick set)
> Keep in mind that once you have done any config manually, you should NEVER touch QuickSet again - it will likely blow away any changes that you previously made.
I did learn that the hard way. It was a valuable lesson.
 
rbrtre
just joined
Topic Author
Posts: 5
Joined: Thu Mar 07, 2019 6:34 am

Re: Accessing NVR and home automation server

Sat Jun 04, 2022 2:26 am

I tried to set up the VPN on my current configuration without any success. Whatever I have tried it did not establish the connection.
Then I decided to do a factory reset and start all over. Currently, I have the PPPoE internet running with CAP and a working VPN.
The server runs a network shared RAID drive, Blue Iris NVR, Home Assistance VM, Plex server and Node-Red.
Everything seems to be working but whatever I do, I cannot access the Node-Red UI from another device in the network as if something is blocking its 1880 port.
Tried to add passthrough and an accept rule for tcp 1880 in firewall settings but still no luck.
Any thoughts?
In the meantime, I will keep banging my head against the wall.
 
k6ccc
Forum Guru
Posts: 1490
Joined: Fri May 13, 2016 12:01 am
Location: Glendora, CA, USA (near Los Angeles)

Re: Accessing NVR and home automation server

Sat Jun 04, 2022 2:39 am

Without seeing your configuration, we would only be guessing.
To export and paste your configuration (and I'm assuming you are using WebFig or Winbox), open a terminal window, and type (without the quotes) "/export hide-sensitive file=any-filename-you-wish". Then open the files section and right click on the filename you created and select download in order to download the file to your computer. It will be a text file with whatever name you saved to with an extension of .rsc. Suggest you then open the .rsc file in your favorite text editor and redact any sensitive information. Then in your message here, click the code display icon in the toolbar above the text entry (the code display icon is the 7th one from the left and looks like a square with a blob in the middle). Then paste the text from the file in between the two code words in brackets.
 
rbrtre
just joined
Topic Author
Posts: 5
Joined: Thu Mar 07, 2019 6:34 am

Re: Accessing NVR and home automation server

Sat Jun 04, 2022 5:44 am

Node Red started to load on other computers and then it stopped. This is all after restoring this new configuration. When kids go crazy I keep returning to the old configuration so it is constant back and forth.
I have checked the clock and the time was wrong. Set up the ntp but it would not sync. Checked if I can do the update and noticed: ERROR could not resolve dns name

# may/30/2022 20:26:44 by RouterOS 6.48.6
# software id = 0D1A-DYBK
#
# model = 2011UiAS-2HnD
# serial number = 
/interface bridge
add name=bridge1
/interface pppoe-client
add add-default-route=yes disabled=no interface=ether1 name=pppoe-out1 \
    use-peer-dns=yes user=something@wba.nbnonline.com.au
/interface wireless
set [ find default-name=wlan1 ] disabled=no mode=ap-bridge ssid=MikroTik \
    wireless-protocol=802.11
/caps-man security
add authentication-types=wpa2-psk encryption=aes-ccm name=cap_security
/caps-man configuration
add country=australia datapath.bridge=bridge1 name=cap_config security=\
    cap_security ssid=Greetings
add country=australia datapath.bridge=bridge1 name=cap_config_5GHz security=\
    cap_security ssid=Greetings5G
/interface list
add name=WAN
add name=LAN
/interface wireless security-profiles
set [ find default=yes ] authentication-types=wpa-psk,wpa2-psk mode=\
    dynamic-keys supplicant-identity=MikroTik
/ip pool
add name=dhcp ranges=192.168.1.200-192.168.1.254
add name=vpn ranges=192.168.89.2-192.168.89.255
/ip dhcp-server
add address-pool=dhcp disabled=no interface=bridge1 name=dhcp1
/ppp profile
set *FFFFFFFE local-address=192.168.89.1 remote-address=vpn
/user group
set full policy="local,telnet,ssh,ftp,reboot,read,write,policy,test,winbox,pas\
    sword,web,sniff,sensitive,api,romon,!dude,!tikapp"
/caps-man manager
set enabled=yes
/caps-man provisioning
add action=create-dynamic-enabled master-configuration=cap_config \
    name-prefix=2.4_
add action=create-dynamic-enabled master-configuration=cap_config_5GHz \
    name-prefix=5GHz_
/interface bridge port
add bridge=bridge1 interface=ether2
add bridge=bridge1 interface=ether3
add bridge=bridge1 interface=ether4
add bridge=bridge1 interface=ether5
add bridge=bridge1 interface=ether6
add bridge=bridge1 interface=ether7
add bridge=bridge1 interface=ether8
add bridge=bridge1 interface=ether9
add bridge=bridge1 interface=ether10
add bridge=bridge1 interface=sfp1
add bridge=bridge1 interface=wlan1
/interface l2tp-server server
set enabled=yes use-ipsec=required
/interface list member
add interface=pppoe-out1 list=WAN
add interface=bridge1 list=LAN
/interface pptp-server server
set enabled=yes
/interface sstp-server server
set default-profile=default-encryption enabled=yes
/ip address
add address=192.168.1.1/24 interface=bridge1 network=192.168.1.0
add address=10.1.1.1/24 interface=bridge1 network=10.1.1.0
/ip cloud
set ddns-enabled=yes
/ip dhcp-client
add interface=ether1
/ip dhcp-server lease
...
/ip dhcp-server network
add address=0.0.0.0/24 gateway=0.0.0.0 netmask=24
add address=192.168.1.0/24 gateway=192.168.1.1 netmask=24
/ip firewall filter
add action=fasttrack-connection chain=forward connection-state=\
    established,related dst-port=53 protocol=tcp
add action=fasttrack-connection chain=forward connection-state=\
    established,related dst-port=53 protocol=udp
add action=accept chain=input comment=icmp protocol=icmp
add action=accept chain=input comment="accept established,related,untracked" \
    connection-state=established,related,untracked disabled=yes
add action=accept chain=input comment="allow IPsec NAT" dst-port=4500 \
    protocol=udp
add action=accept chain=input comment="allow IKE" dst-port=500 protocol=udp
add action=accept chain=input comment="allow l2tp" dst-port=1701 protocol=udp
add action=accept chain=input comment="allow pptp" dst-port=1723 protocol=tcp
add action=accept chain=input comment="allow sstp" dst-port=443 protocol=tcp
add action=drop chain=input in-interface-list=!LAN
/ip firewall nat
add action=masquerade chain=srcnat comment="masq. vpn traffic" src-address=\
    192.168.89.0/24
add action=masquerade chain=srcnat out-interface-list=WAN
/ip upnp
set enabled=yes
/ip upnp interfaces
add interface=bridge1 type=internal
add interface=pppoe-out1 type=external
/lcd interface pages
set 0 interfaces="sfp1,ether1,ether2,ether3,ether4,ether5,ether6,ether7,ether8\
    ,ether9,ether10"
/ppp secret
add name=robs service=l2tp
/system clock
set time-zone-name=Australia/Brisbane
/system ntp client
set enabled=yes server-dns-names=\
    0.pool.ntp.org,1.pool.ntp.org,2.pool.ntp.org,3.pool.ntp.org
/system package update
set channel=long-term
/tool netwatch
add down-script=down host=1.1.1.1 interval=5s up-script=up
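As an added example (my own code, not MikroTik's and not from anyone in this thread), here is a small Python auditor that parses a RouterOS `/export` and flags the exposure and reachability problems visible in the configuration posted above. The sample input is a constructed, trimmed copy of that export; the finding names and the check logic are mine, and a real audit would carry far more rules than these.

```python
"""Audit a RouterOS `/export` for exposure and reachability mistakes.
Added example, not MikroTik's code; the checks are written against the
configuration posted in the thread and the finding names are my own."""
import shlex
from dataclasses import dataclass

# Constructed input: a trimmed copy of the export posted in the thread.
SAMPLE_EXPORT = r"""
# may/30/2022 20:26:44 by RouterOS 6.48.6
/interface wireless security-profiles
set [ find default=yes ] authentication-types=wpa-psk,wpa2-psk mode=\
    dynamic-keys supplicant-identity=MikroTik
/user group
set full policy="local,telnet,ssh,ftp,reboot,read,write,policy,test,winbox,pas\
    sword,web,sniff,sensitive,api,romon,!dude,!tikapp"
/interface pptp-server server
set enabled=yes
/ip dhcp-server network
add address=0.0.0.0/24 gateway=0.0.0.0 netmask=24
/ip firewall filter
add action=fasttrack-connection chain=forward connection-state=\
    established,related dst-port=53 protocol=tcp
add action=accept chain=input comment="accept established,related,untracked" \
    connection-state=established,related,untracked disabled=yes
add action=accept chain=input comment="allow IKE" dst-port=500 protocol=udp
add action=drop chain=input in-interface-list=!LAN
/ip upnp
set enabled=yes
"""


@dataclass
class Entry:
    section: str
    verb: str     # add / set
    args: list    # positional tokens such as "[ find default=yes ]"
    params: dict  # key=value pairs


@dataclass
class Finding:
    rule: str
    section: str
    detail: str


def logical_lines(text):
    """Join continuation lines: a trailing backslash means the next line
    continues this one with its indentation dropped ("pas\\" + "sword"
    becomes "password", even inside a quoted value)."""
    buf = ""
    for raw in text.splitlines():
        line = (buf + raw.lstrip() if buf else raw).rstrip()
        if line.endswith("\\"):
            buf = line[:-1]
            continue
        buf = ""
        if line.strip():
            yield line
    if buf:
        yield buf  # export ended in the middle of a continuation


def parse_export(text):
    """Split an export into (section, verb, positional args, params)."""
    entries, section = [], ""
    for line in logical_lines(text):
        if line.startswith("#"):
            continue
        if line.startswith("/"):
            section = line.strip()
            continue
        verb, *rest = shlex.split(line)
        params, args, depth = {}, [], 0
        for tok in rest:
            depth += tok == "["
            key, sep, val = tok.partition("=")
            if sep and depth == 0:
                params[key] = val
            else:
                args.append(tok)  # inside [ find ... ] or a bare name
            depth -= tok == "]"
        entries.append(Entry(section, verb, args, params))
    return entries


def audit(entries):
    out = []
    filt = [e for e in entries if e.section == "/ip firewall filter"]

    def has_rule(chain, action):
        return any(e.params.get("chain") == chain and e.params.get("action") == action for e in filt)

    for e in entries:
        p, sec = e.params, e.section
        if sec == "/interface pptp-server server" and p.get("enabled") == "yes":
            out.append(Finding("pptp-enabled", sec, "PPTP (MS-CHAPv2/MPPE) is broken; disable it, keep L2TP/IPsec or IKEv2"))
        elif sec == "/ip upnp" and p.get("enabled") == "yes":
            out.append(Finding("upnp-enabled", sec, "any LAN host can open WAN port-forwards on its own"))
        elif sec == "/interface wireless security-profiles" and "wpa-psk" in p.get("authentication-types", "").split(","):
            out.append(Finding("wpa1-allowed", sec, "WPA1 (wpa-psk) accepted; restrict to wpa2-psk"))
        elif sec == "/ip dhcp-server network" and p.get("gateway") == "0.0.0.0":
            out.append(Finding("dhcp-gateway-zero", sec, f"{p.get('address')} hands out gateway 0.0.0.0"))
        elif sec == "/ip firewall filter":
            # Stateful accept on input disabled while a catch-all input drop exists:
            # the router's own DNS/NTP replies come back on WAN and are dropped.
            if (p.get("chain"), p.get("action"), p.get("disabled")) == ("input", "accept", "yes") \
                    and "established" in p.get("connection-state", "") and has_rule("input", "drop"):
                out.append(Finding("input-stateful-accept-disabled", sec, "replies to the router's own DNS/NTP queries match nothing and hit the input drop"))
            if p.get("action") == "fasttrack-connection" and {"dst-port", "protocol"} & set(p):
                out.append(Finding("fasttrack-narrowed", sec, f"fasttrack limited to {p.get('protocol')}/{p.get('dst-port')}; normally all established,related"))
    if filt and not has_rule("forward", "drop"):
        out.append(Finding("forward-no-drop", "/ip firewall filter", "nothing drops WAN-originated connections in forward; dst-nat/UPnP pinholes are fully exposed"))
    return out


def audit_text(text):
    return audit(parse_export(text))


if __name__ == "__main__":
    for f in audit_text(SAMPLE_EXPORT):
        print(f"[{f.rule}] {f.section}: {f.detail}")
```

Run it over the full export with `audit_text(open("any-filename.rsc").read())`. Two findings bear directly on the symptoms reported in the last post: with the established/related accept on the input chain disabled and a final `drop ... in-interface-list=!LAN`, replies to the router's own DNS and NTP queries arrive on pppoe-out1, match no accept rule and are dropped, which fits "could not resolve dns name" and the NTP client never syncing. The Node-RED problem sits at a different layer: traffic between two hosts on the same bridge is switched, not routed, so `/ip firewall filter` never sees it unless `use-ip-firewall` is turned on under `/interface bridge settings`; a filter rule for port 1880 is therefore not what is blocking it, and the server host's own firewall or the address Node-RED is bound to is the place to look.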
