Josephny
Member
Topic Author
Posts: 470
Joined: Tue Sep 20, 2022 12:11 am

My open ports: 443 & 1723

Fri Sep 23, 2022 1:33 pm

I ran a port scan from outside the network and see that ports 443 and 1723 are open.

I understand that 443 is HTTPS and 1723 is PPTP (VPN).

I do have ACCEPT firewall rules for both those ports enabled.

I assume I need 1723 open to allow for the VPN I have setup.

I also assume 443 is to allow router management via browser.

I use Winbox, but it would be nice to be able to use a browser in a pinch.

Is this the advised way to do this?

Thank you.
 
memelchenkov
Member Candidate
Posts: 202
Joined: Sun Oct 11, 2020 12:00 pm

Re: My open ports: 443 & 1723

Fri Sep 23, 2022 2:28 pm

You are doing it the wrong way:
- Do not use PPTP, it's an insecure protocol.
- Do not open the management interface from outside the network.

The proper way:
- Establish a secure OpenVPN/IPsec/WireGuard channel.
- Then connect to the router by its internal IP address (Web, WinBox and so on, as you wish).
 
Josephny
Member
Topic Author
Posts: 470
Joined: Tue Sep 20, 2022 12:11 am

Re: My open ports: 443 & 1723

Fri Sep 23, 2022 3:01 pm

Thank you.

I have disabled the firewall rule that opens 443.

The PPTP VPN is the one set up in Winbox's Quickset.

A quick search on how to set up IPSEC shows that I'm in over my head already.

WireGuard looks nice, but I think it requires a development version of the FW.

Ugh.
 
anav
Forum Guru
Posts: 19176
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: My open ports: 443 & 1723

Fri Sep 23, 2022 3:39 pm

Hi Joseph,
Software 7.5 is touted by MT as stable firmware.
For home use it should be perfectly fine.
WireGuard is the better way for you to securely configure the router remotely.
However, it assumes you have either
a. a public IP address from your ISP, OR
b. an ISP modem/router where you at least have access to forward ports.
 
Josephny
Member
Topic Author
Posts: 470
Joined: Tue Sep 20, 2022 12:11 am

Re: My open ports: 443 & 1723

Fri Sep 23, 2022 4:21 pm

Good to hear. I downloaded and installed 7.5 and can now see the Wireguard options.

Internet connectivity is provided by Spectrum cable. Their modem provides a public IP (dynamically assigned, but I have DDNS set up).

I've been trying to set up Wireguard on the Mikrotik router and the client on my Win10 by following a YouTube tutorial, but so far it's not working. No more time this morning, but hopefully will play with it later.

https://www.youtube.com/watch?v=OGBWSpl1Wik

Thank you again.
 
anav
Forum Guru
Posts: 19176
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: My open ports: 443 & 1723

Fri Sep 23, 2022 6:38 pm

Please read this link:
viewtopic.php?t=182340
 
Josephny
Member
Topic Author
Posts: 470
Joined: Tue Sep 20, 2022 12:11 am

Re: My open ports: 443 & 1723

Fri Sep 23, 2022 10:20 pm

Thank you for the link to the write-up.

It is great of you to have taken the time to write that.

Unfortunately, it's just too complicated for me.

I have this on the router:
(attachments: Screenshot 2022-09-23 151850.jpg, Screenshot 2022-09-23 151940.jpg)
 
anav
Forum Guru
Posts: 19176
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: My open ports: 443 & 1723

Fri Sep 23, 2022 10:44 pm

I understand it's scary at first, but one has to jump into the pool at some time...

Please post your config /export (minus the serial number and any public IP information, as you have done on those diagrams).

(I will assume the other end of the connection is your Windows laptop or iPhone, connecting to the home router remotely.)
 
Josephny
Member
Topic Author
Posts: 470
Joined: Tue Sep 20, 2022 12:11 am

Re: My open ports: 443 & 1723

Fri Sep 23, 2022 10:57 pm

Thank you for the encouragement. I'm sure I could do it if I could find the time to work it through.

# sep/23/2022 15:54:23 by RouterOS 7.5
# software id = 9QHQ-45Y2
#
# model = RB750Gr3
# serial number = CC220xxxxxxx
/interface bridge
add admin-mac=DC:2C:00:00:00:00 auto-mac=no comment=defconf name=bridge
/interface wireguard
add listen-port=13231 mtu=1420 name=wireguard1
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface lte apn
set [ find default=yes ] ip-type=ipv4 use-network-apn=no
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip pool
add name=dhcp ranges=192.168.88.10-192.168.88.254
add name=vpn ranges=192.168.89.2-192.168.89.255
/ip dhcp-server
add address-pool=dhcp interface=bridge name=defconf
/port
set 0 name=serial0
/ppp profile
set *FFFFFFFE dns-server=8.8.8.8 local-address=192.168.89.1 remote-address=\
    vpn
/routing ospf instance
add disabled=no name=default-v2
/routing ospf area
add disabled=yes instance=default-v2 name=backbone-v2
/interface bridge port
add bridge=bridge comment=defconf ingress-filtering=no interface=ether2
add bridge=bridge comment=defconf ingress-filtering=no interface=ether3
add bridge=bridge comment=defconf ingress-filtering=no interface=ether4
add bridge=bridge comment=defconf ingress-filtering=no interface=ether5
/ip neighbor discovery-settings
set discover-interface-list=all
/ipv6 settings
set disable-ipv6=yes max-neighbor-entries=8192
/interface detect-internet
set detect-interface-list=all internet-interface-list=all lan-interface-list=\
    all wan-interface-list=all
/interface l2tp-server server
set enabled=yes use-ipsec=yes
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=ether1 list=WAN
/interface ovpn-server server
set auth=sha1,md5
/interface pptp-server server
# PPTP connections are considered unsafe, it is suggested to use a more modern VPN protocol instead
set enabled=yes
/interface sstp-server server
set default-profile=default-encryption enabled=yes
/interface wireguard peers
add allowed-address=10.10.10.1/24 endpoint-address=192.168.88.1 \
    endpoint-port=13231 interface=wireguard1 public-key=\
    "b4xWJ41+IB8iaa1sZT3Ka0000000000qEvDUTY5NDT8="
/ip address
add address=192.168.88.1/24 comment=defconf interface=bridge network=\
    192.168.88.0
add address=10.10.10.1 interface=wireguard1 network=255.255.255.0
/ip cloud
set ddns-enabled=yes
/ip dhcp-client
add comment=defconf interface=ether1
/ip dhcp-server network
add address=192.168.88.0/24 comment=defconf dns-server=8.8.8.8,4.4.4.4 \
    gateway=192.168.88.1
/ip dns
set allow-remote-requests=yes servers=8.8.8.8,4.4.4.4
/ip dns static
add address=192.168.88.1 comment=defconf name=router.lan
/ip firewall address-list
add address=00000.dyndns.org list=00000
add address=11111.dyndns.org list=1111
/ip firewall filter
add action=accept chain=input src-address-list=00000
add action=accept chain=input src-address-list=111
add action=accept chain=input dst-address=192.168.88.0/24 src-address=\
    192.168.89.0/24
add action=accept chain=input src-address=192.168.89.0/24
add action=accept chain=input comment="allow l2tp" dst-port=1701 protocol=udp
add action=accept chain=input comment="allow IKE" dst-port=500 protocol=udp
add action=accept chain=input comment="allow IPsec NAT" dst-port=4500 \
    protocol=udp
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=accept chain=forward in-interface=ether1 protocol=gre
add action=accept chain=input protocol=gre
add action=accept chain=input comment="Allow PPP" in-interface=all-ppp
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
    ipsec-policy=out,ipsec
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
    ipsec-policy=in,ipsec
add action=accept chain=forward comment=\
    "defconf: accept established,related, untracked" connection-state=\
    established,related,untracked
add action=accept chain=input comment="allow pptp" dst-port=1723 protocol=tcp
add action=accept chain=input comment="allow sstp" disabled=yes dst-port=443 \
    protocol=tcp
add action=accept chain=input comment=Winbox disabled=yes dst-port=8291 \
    protocol=tcp
add action=accept chain=input comment=\
    "defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
    connection-state=established,related hw-offload=yes
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
add action=drop chain=forward comment=\
    "defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
    connection-state=new disabled=yes in-interface-list=WAN
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
    in-interface-list=!LAN
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" \
    ipsec-policy=out,none out-interface-list=WAN
add action=masquerade chain=srcnat comment="masq. vpn traffic" src-address=\
    192.168.89.0/24
add action=dst-nat chain=dstnat dst-port=9000 log=yes protocol=tcp \
    src-address-list=mtdale to-addresses=192.168.88.35 to-ports=9000
add action=dst-nat chain=dstnat dst-port=9000 log=yes protocol=tcp \
    src-address-list=212 to-addresses=192.168.88.35 to-ports=9000
add action=dst-nat chain=dstnat comment=cam dst-port=8080 protocol=tcp \
    src-address=192.168.89.1 to-addresses=192.168.88.35 to-ports=8080
add action=dst-nat chain=dstnat comment=cam dst-port=8080 protocol=tcp \
    src-address-list=212 to-addresses=192.168.88.35 to-ports=8080
add action=dst-nat chain=dstnat comment=cam dst-port=8080 protocol=tcp \
    src-address-list=mtdale to-addresses=192.168.88.35 to-ports=8080
add action=dst-nat chain=dstnat comment=cam dst-port=9000 protocol=tcp \
    src-address=192.168.89.1 to-addresses=192.168.88.35 to-ports=9000
add action=dst-nat chain=dstnat comment=cam dst-port=554 protocol=tcp \
    src-address=192.168.89.1 to-addresses=192.168.88.35 to-ports=554
add action=dst-nat chain=dstnat comment=cam dst-port=554 protocol=tcp \
    src-address-list=212 to-addresses=192.168.88.35 to-ports=554
add action=dst-nat chain=dstnat comment=cam dst-port=554 protocol=tcp \
    src-address-list=mtdale to-addresses=192.168.88.35 to-ports=554
add action=dst-nat chain=dstnat comment=cam dst-port=1935 protocol=tcp \
    src-address=192.168.89.1 to-addresses=192.168.88.35 to-ports=1935
add action=dst-nat chain=dstnat comment=cam dst-port=1935 protocol=tcp \
    src-address-list=212 to-addresses=192.168.88.35 to-ports=1935
add action=dst-nat chain=dstnat comment=cam dst-port=1935 protocol=tcp \
    src-address-list=mtdale to-addresses=192.168.88.35 to-ports=1935
add action=dst-nat chain=dstnat comment=cam dst-port=8035 protocol=tcp \
    src-address=192.168.89.1 to-addresses=192.168.88.35 to-ports=8035
add action=dst-nat chain=dstnat comment=cam dst-port=8035 protocol=tcp \
    src-address-list=212 to-addresses=192.168.88.35 to-ports=8035
add action=dst-nat chain=dstnat comment=cam dst-port=8035 protocol=tcp \
    src-address-list=mtdale to-addresses=192.168.88.35 to-ports=8035
/ppp secret
add name=vpn
/system clock
set time-zone-name=America/New_York
/system identity
set name="371 Mikrotik"
/system logging
add topics=account
add topics=event
add topics=firewall
/system package update
set channel=development
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN
/tool sniffer
set file-name=sniffed only-headers=yes
/tool traffic-monitor
add interface=ether1 name=tmon1 threshold=1000
 
rextended
Forum Guru
Posts: 11982
Joined: Tue Feb 25, 2014 12:49 pm
Location: Italy

Re: My open ports: 443 & 1723

Sat Sep 24, 2022 12:36 am

Paste this into the terminal; it fixes some leftover mess from updates between different RouterOS versions.
Then follow @anav ;)
{
/interface lte apn set [ find default=yes ] ip-type=auto use-network-apn=yes
/routing ospf area remove [find]
/routing ospf instance remove [find]
/ipv6 settings set max-neighbor-entries=16384
/interface detect-internet set detect-interface-list=none internet-interface-list=none lan-interface-list=none wan-interface-list=none
/interface ovpn-server server set auth=sha1,md5,sha256,sha512
/interface bridge set [find] protocol-mode=none
/interface bridge port set [find] ingress-filtering=yes
}
 
Josephny
Member
Topic Author
Posts: 470
Joined: Tue Sep 20, 2022 12:11 am

Re: My open ports: 443 & 1723

Sat Sep 24, 2022 12:54 am

I don't know what I've done, but I followed your instructions and thank you for them.
 
Josephny
Member
Topic Author
Posts: 470
Joined: Tue Sep 20, 2022 12:11 am

Re: My open ports: 443 & 1723

Sat Sep 24, 2022 1:19 am

I've been trying for hours and can't get this to work.

I've looked at multiple instructions and guides and they are simply not clear what values go where.
 
rextended
Forum Guru
Posts: 11982
Joined: Tue Feb 25, 2014 12:49 pm
Location: Italy

Re: My open ports: 443 & 1723

Sat Sep 24, 2022 1:29 am

If you wonder why I don't help you with WireGuard, it's very simple: I've never used it...

Wait for @anav to come back, take your time, it sure helps.
 
Josephny
Member
Topic Author
Posts: 470
Joined: Tue Sep 20, 2022 12:11 am

Re: My open ports: 443 & 1723

Sat Sep 24, 2022 1:23 pm

Many, many hours later.... I think I got it working (not 100% certain).

Here are the details of my config -- I left the first bunch of characters for the keys so readers can see which keys go where (I know, I know, it would be much better to have a deep and true understanding of why and how).

I don't know why the only firewall traffic is for the INPUT rule, and not the FORWARD rules, but it seems to work.

How did I do?

(attachment: Screenshot 2022-09-24 062151.jpg)
 
rextended
Forum Guru
Posts: 11982
Joined: Tue Feb 25, 2014 12:49 pm
Location: Italy

Re: My open ports: 443 & 1723

Sat Sep 24, 2022 2:01 pm

You have censored the public key in the last image, and not the private one.....
 
Josephny
Member
Topic Author
Posts: 470
Joined: Tue Sep 20, 2022 12:11 am

Re: My open ports: 443 & 1723

Sat Sep 24, 2022 2:12 pm

> You have censored the public key in the last image, and not the private one.....
Thank you!
 
Josephny
Member
Topic Author
Posts: 470
Joined: Tue Sep 20, 2022 12:11 am

Re: My open ports: 443 & 1723

Sat Sep 24, 2022 2:33 pm

I posted too soon.

I thought it was working, but it's not.

From the router, I can ping 10.10.10.2 (Windows Wireguard interface IP).

But, I can't ping 10.10.10.1 from Windows.

Nor can I ping from Windows anything connected to the router.
 
anav
Forum Guru
Posts: 19176
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: My open ports: 443 & 1723

Sat Sep 24, 2022 3:20 pm

Post the latest complete config please.
/export (minus serial number, public WANIP or gateway IP or any keys LOL)

Working from generator power; lost power at 10:30 PM last night, hopefully getting it back on Tuesday.
 
Josephny
Member
Topic Author
Posts: 470
Joined: Tue Sep 20, 2022 12:11 am

Re: My open ports: 443 & 1723

Sat Sep 24, 2022 6:15 pm

# sep/24/2022 11:09:07 by RouterOS 7.5
# software id = 9QHQ-45Y2
#
# model = RB750Gr3
# serial number = CC220xxxxxxx
/interface bridge
add admin-mac=DC:2C:xxxxxxxxx auto-mac=no comment=defconf name=bridge \
    protocol-mode=none
/interface wireguard
add listen-port=13231 mtu=1420 name=wireguard1
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip pool
add name=dhcp ranges=192.168.88.10-192.168.88.254
add name=vpn ranges=192.168.89.2-192.168.89.255
/ip dhcp-server
add address-pool=dhcp interface=bridge name=defconf
/port
set 0 name=serial0
/ppp profile
set *FFFFFFFE dns-server=8.8.8.8 local-address=192.168.89.1 remote-address=\
    vpn
/interface bridge port
add bridge=bridge comment=defconf interface=ether2
add bridge=bridge comment=defconf interface=ether3
add bridge=bridge comment=defconf interface=ether4
add bridge=bridge comment=defconf interface=ether5
/ip neighbor discovery-settings
set discover-interface-list=all
/ipv6 settings
set disable-ipv6=yes max-neighbor-entries=16384
/interface l2tp-server server
set enabled=yes use-ipsec=yes
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=ether1 list=WAN
/interface pptp-server server
# PPTP connections are considered unsafe, it is suggested to use a more modern VPN protocol instead
set enabled=yes
/interface sstp-server server
set default-profile=default-encryption enabled=yes
/interface wireguard peers
add allowed-address=10.10.10.2/32 endpoint-address=10.10.10.2 endpoint-port=\
    13231 interface=wireguard1 public-key=\
    "DcTp6igWYbPNfcrRxxxxxxxxxxxx="
/ip address
add address=192.168.88.1/24 comment=defconf interface=bridge network=\
    192.168.88.0
add address=10.10.10.1 interface=wireguard1 network=255.255.255.0
/ip cloud
set ddns-enabled=yes
/ip dhcp-client
add comment=defconf interface=ether1
/ip dhcp-server network
add address=192.168.88.0/24 comment=defconf dns-server=8.8.8.8,4.4.4.4 \
    gateway=192.168.88.1
/ip dns
set allow-remote-requests=yes servers=8.8.8.8,4.4.4.4
/ip dns static
add address=192.168.88.1 comment=defconf name=router.lan
/ip firewall address-list
add address=xxxxx.dyndns.org list=xxxxm
add address=xxxxxx.dyndns.org list=xxxx2
/ip firewall filter
add action=accept chain=input in-interface=wireguard1 log=yes src-address=\
    10.10.10.0/24
add action=accept chain=forward log=yes out-interface=wireguard1 src-address=\
    10.10.10.0/24 src-address-list=""
add action=accept chain=forward dst-address=10.10.10.0/24 in-interface=\
    wireguard1 log=yes
add action=accept chain=forward disabled=yes in-interface=wireguard1 \
    out-interface=all-ethernet
add action=accept chain=input src-address-list=mtdale
add action=accept chain=input disabled=yes src-address-list=2xxxxx
add action=accept chain=input dst-address=192.168.88.0/24 src-address=\
    192.168.89.0/24
add action=accept chain=input src-address=192.168.89.0/24
add action=accept chain=input comment="allow l2tp" dst-port=1701 protocol=udp
add action=accept chain=input comment="allow IKE" dst-port=500 protocol=udp
add action=accept chain=input comment="allow IPsec NAT" dst-port=4500 \
    protocol=udp
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=accept chain=forward in-interface=ether1 protocol=gre
add action=accept chain=input protocol=gre
add action=accept chain=input comment="Allow PPP" in-interface=all-ppp
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
    ipsec-policy=out,ipsec
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
    ipsec-policy=in,ipsec
add action=accept chain=forward comment=\
    "defconf: accept established,related, untracked" connection-state=\
    established,related,untracked
add action=accept chain=input comment="allow pptp" dst-port=1723 protocol=tcp
add action=accept chain=input comment="allow sstp" disabled=yes dst-port=443 \
    protocol=tcp
add action=accept chain=input comment=Winbox disabled=yes dst-port=8291 \
    protocol=tcp
add action=accept chain=input comment=\
    "defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
    connection-state=established,related hw-offload=yes
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
add action=drop chain=forward comment=\
    "defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
    connection-state=new disabled=yes in-interface-list=WAN
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
    in-interface-list=!LAN
/ip firewall nat
add action=accept chain=srcnat disabled=yes dst-address-list=192.168.88.1 \
    src-address-list=10.10.10.0/24
add action=masquerade chain=srcnat comment="masq. vpn traffic" src-address=\
    192.168.89.0/24
add action=dst-nat chain=dstnat dst-port=9000 log=yes protocol=tcp \
    src-address-list=mxxxxxe to-addresses=192.168.88.35 to-ports=9000
add action=masquerade chain=srcnat comment="defconf: masquerade" \
    ipsec-policy=out,none out-interface-list=WAN
add action=dst-nat chain=dstnat dst-port=9000 log=yes protocol=tcp \
    src-address-list=2xxxx to-addresses=192.168.88.35 to-ports=9000
add action=dst-nat chain=dstnat comment=cam dst-port=8080 protocol=tcp \
    src-address=192.168.89.1 to-addresses=192.168.88.35 to-ports=8080
add action=dst-nat chain=dstnat comment=cam disabled=yes dst-port=8080 \
    protocol=tcp src-address-list=2xxxx2 to-addresses=192.168.88.35 to-ports=\
    8080
add action=dst-nat chain=dstnat comment=cam dst-port=8080 protocol=tcp \
    src-address-list=mtxxxxxe to-addresses=192.168.88.35 to-ports=8080
add action=dst-nat chain=dstnat comment=cam dst-port=9000 protocol=tcp \
    src-address=192.168.89.1 to-addresses=192.168.88.35 to-ports=9000
add action=dst-nat chain=dstnat comment=cam dst-port=554 protocol=tcp \
    src-address=192.168.89.1 to-addresses=192.168.88.35 to-ports=554
add action=dst-nat chain=dstnat comment=cam dst-port=554 protocol=tcp \
    src-address-list=2xxxx to-addresses=192.168.88.35 to-ports=554
add action=dst-nat chain=dstnat comment=cam dst-port=554 protocol=tcp \
    src-address-list=mxxxxx to-addresses=192.168.88.35 to-ports=554
add action=dst-nat chain=dstnat comment=cam dst-port=1935 protocol=tcp \
    src-address=192.168.89.1 to-addresses=192.168.88.35 to-ports=1935
add action=dst-nat chain=dstnat comment=cam dst-port=1935 protocol=tcp \
    src-address-list=2xxxxx2 to-addresses=192.168.88.35 to-ports=1935
add action=dst-nat chain=dstnat comment=cam dst-port=1935 protocol=tcp \
    src-address-list=mxxxxxxe to-addresses=192.168.88.35 to-ports=1935
add action=dst-nat chain=dstnat comment=cam dst-port=8035 protocol=tcp \
    src-address=192.168.89.1 to-addresses=192.168.88.35 to-ports=8035
add action=dst-nat chain=dstnat comment=cam dst-port=8035 protocol=tcp \
    src-address-list=2xxxx to-addresses=192.168.88.35 to-ports=8035
add action=dst-nat chain=dstnat comment=cam dst-port=8035 protocol=tcp \
    src-address-list=mtxxxxx to-addresses=192.168.88.35 to-ports=8035
/ip route
add disabled=no distance=1 dst-address=10.10.10.0/24 gateway=wireguard1 \
    pref-src="" routing-table=main scope=30 suppress-hw-offload=no \
    target-scope=10
/ppp secret
add name=vpn
/system clock
set time-zone-name=America/New_York
/system identity
set name="371 Mikrotik"
/system logging
add topics=account
add topics=event
add topics=firewall
/system package update
set channel=development
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN
/tool sniffer
set file-name=sniffed only-headers=yes
/tool traffic-monitor
add interface=ether1 name=tmon1 threshold=1000
 
Josephny
Member
Topic Author
Posts: 470
Joined: Tue Sep 20, 2022 12:11 am

Re: My open ports: 443 & 1723

Sat Sep 24, 2022 6:25 pm

An interesting piece of information:

A ping initiated on my Windows PC to 10.10.10.1 (router's IP) fails UNLESS I first initiate a ping from the router to 10.10.10.2 (Windows PC) (which works), and then .1 to .2 will work.

Like the "established session" firewall is allowing it maybe?
 
anav
Forum Guru
Posts: 19176
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: My open ports: 443 & 1723

Sat Sep 24, 2022 10:47 pm

(1) The endpoint address does not seem correct, probably a number you just stuck there. Leave these parts blank; they are not required in the router's peer settings.
/interface wireguard peers
add allowed-address=10.10.10.2/32 endpoint-address=10.10.10.2 endpoint-port=\
13231
interface=wireguard1 public-key=\
"DcTp6igWYbPNfcrRxxxxxxxxxxxx="

(2) You need to state the IP address for the WireGuard interface properly; you are missing the /24!
/ip address
add address=192.168.88.1/24 comment=defconf interface=bridge network=\
192.168.88.0
add address=10.10.10.1/24 interface=wireguard1 network=255.255.255.0

(3) Your firewall chains are disorganized and should be put into contiguous chains, if nothing else to make sense of them at a quick glance!!

a. The input chain is for traffic to the router; this rule does not apply there. Maybe you wanted it in the forward chain??
add action=accept chain=input dst-address=192.168.88.0/24 src-address=\
192.168.89.0/24


b. This rule seems to serve no purpose: firstly, there is no such firewall address list, and secondly, you already have a rule allowing all LAN traffic to the router, a rule allowing WireGuard users to the router and a rule allowing VPN users to the router.
add action=accept chain=input src-address-list=mtdale

c. Let's get rid of all the other VPN noise that is cluttering your config. Got rid of all that; see the cleaned-up config at the end!
NOTE: I would never put the actual port I am using for WireGuard on the forum, and the same goes for the Winbox port, SO let's assume that the default ports you have in your config are NOT actually what you are using and are just put here for representation. :-)

d. What is the purpose of this rule??
add action=accept chain=forward dst-address=10.10.10.0/24 in-interface=\
wireguard1 log=yes


Presumably, if you are at the laptop or Windows client, then who is going to be configuring the laptop from the router side?
Furthermore, if you are at the router, the Windows client computer (laptop?) would be with you anyway, and what would configuring the laptop even mean??

e. Instead of the confusing and incomplete "drop all WAN traffic except DST-NAT traffic" on the forward chain, it is much better to
allow internet for LAN, allow internet for the WireGuard client, allow dst-nat and then DROP everything else!
add action=accept chain=forward in-interface-list=LAN out-interface-list=WAN
add action=accept chain=forward in-interface=wireguard1 out-interface-list=WAN
add action=accept chain=forward connection-nat-state=dstnat
add action=drop chain=forward comment="drop all else"


(4) This IP route is NOT required, it is created automatically by the proper wireguard IP address setup.
/ip route
add disabled=no distance=1 dst-address=10.10.10.0/24 gateway=wireguard1 \
pref-src="" routing-table=main scope=30 suppress-hw-offload=no \
target-scope=10

You will see this in IP routes as:
<dac> dst-address=10.10.10.0/24 gwy=wireguard1 table=main

(5) MAC alone is not a secure protocol so be sure to set this to NONE.
/tool mac-server
set allowed-interface-list=LAN


(6) Source NAT needs work.
Just keep the default and drop the others.
add action=masquerade chain=srcnat out-interface-list=WAN

Also, assuming your ISP connection provides you with a dynamic WANIP, the format for port forwarding rules is
add chain=dstnat action=dst-nat in-interface-list=WAN dst-port=XXXXX protocol=yyy \
to-addresses=IPofServer { to-ports not required if same as dst-port! }

You do use a source address list, so that is good if you are limiting who can access your servers!
So let's see what your first rule would look like fixed up:
add action=dst-nat chain=dstnat in-interface-list=WAN dst-port=9000 log=yes protocol=tcp \
src-address-list=mxxxxxe to-addresses=192.168.88.35


NOTE: although we got rid of the other VPNs, I did see you tried to port forward from a VPN once inside the router (.89). Wrong: port forwarding like you were doing is for traffic coming from the external WAN;
once inside the router you don't need to port forward, you are in already. For example, with WireGuard you have direct access to the servers!

Finally, one can combine rules if the protocol and server are the same!! (just different ports)

(7) HERE IS A CLEANED UP CONFIG.
...
# model = RB750Gr3
# serial number = CC220xxxxxxx
/interface bridge
add admin-mac=DC:2C:xxxxxxxxx auto-mac=no comment=defconf name=bridge \
protocol-mode=none
/interface wireguard
add listen-port=13231 mtu=1420 name=wireguard1
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip pool
add name=dhcp ranges=192.168.88.10-192.168.88.254
/ip dhcp-server
add address-pool=dhcp interface=bridge name=defconf
/port
set 0 name=serial0
/interface bridge port
add bridge=bridge comment=defconf interface=ether2
add bridge=bridge comment=defconf interface=ether3
add bridge=bridge comment=defconf interface=ether4
add bridge=bridge comment=defconf interface=ether5
/ip neighbor discovery-settings
set discover-interface-list=LAN
/ipv6 settings
set disable-ipv6=yes max-neighbor-entries=16384
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=ether1 list=WAN
/interface wireguard peers
add allowed-address=10.10.10.2/32 interface=wireguard1 public-key=\
"DcTp6igWYbPNfcrRxxxxxxxxxxxx="
/ip address
add address=192.168.88.1/24 comment=defconf interface=bridge network=\
192.168.88.0
add address=10.10.10.1/24 interface=wireguard1 network=255.255.255.0
/ip cloud
set ddns-enabled=yes
/ip dhcp-client
add comment=defconf interface=ether1
/ip dhcp-server network
add address=192.168.88.0/24 comment=defconf dns-server=8.8.8.8,4.4.4.4 \
gateway=192.168.88.1
/ip dns
set allow-remote-requests=yes servers=8.8.8.8,4.4.4.4
/ip dns static
add address=192.168.88.1 comment=defconf name=router.lan
/ip firewall address-list
add address=xxxxx.dyndns.org list=xxxxm
add address=xxxxxx.dyndns.org list=xxxx2
/ip firewall filter
add action=accept chain=input comment=\
"defconf: accept established,related,untracked" connection-state=\
established,related,untracked
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
invalid
add action=accept chain=input comment="allow incoming wireguard connections" dst-port=13231 protocol=udp
add action=accept chain=input in-interface=wireguard1 log=yes src-address=\
10.10.10.0/24 comment="allow admin access via wireguard"
add action=accept chain=input comment=\
"defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
in-interface-list=!LAN
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
connection-state=established,related hw-offload=yes
add action=accept chain=forward comment=\
"defconf: accept established,related, untracked" connection-state=\
established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
connection-state=invalid
add action=accept chain=forward comment="allow wireguard to subnet" \
in-interface=wireguard1 src-address=10.10.10.0/24 dst-address=192.168.88.0/24 log=yes
add action=accept chain=forward in-interface-list=LAN out-interface-list=WAN
add action=accept chain=forward in-interface=wireguard1 out-interface-list=WAN
add action=accept chain=forward comment="allow port forwarding" connection-nat-state=dstnat
add action=drop chain=forward comment="drop all else"
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" \
out-interface-list=WAN
add action=dst-nat chain=dstnat in-interface-list=WAN dst-port=9000,8080,8035,1935,554 log=yes protocol=tcp \
src-address-list=xxxxm to-addresses=192.168.88.35
add action=dst-nat chain=dstnat in-interface-list=WAN dst-port=9000,8080,8035,1935,554 log=yes protocol=tcp \
src-address-list=xxxx2 to-addresses=192.168.88.35
/system clock
set time-zone-name=America/New_York
/system identity
set name="371 Mikrotik"
/system logging
add topics=account
add topics=event
add topics=firewall
/system package update
set channel=development
/tool mac-server
set allowed-interface-list=NONE
/tool mac-server mac-winbox
set allowed-interface-list=LAN
/tool sniffer
set file-name=sniffed only-headers=yes
/tool traffic-monitor
add interface=ether1 name=tmon1 threshold=1000
 
Josephny
Member
Member
Topic Author
Posts: 470
Joined: Tue Sep 20, 2022 12:11 am

Re: My open ports: 443 & 1723

Sun Sep 25, 2022 5:23 am

You are extremely generous with your help -- thank you so much.

I've spent the past many hours working on this and still can't get it.

This is my current config:
# sep/24/2022 22:19:13 by RouterOS 7.5
# software id = 9QHQ-45Y2
#
# model = RB750Gr3
# serial number = CCxxxxx
/interface bridge
add admin-mac=DC:xxxxx auto-mac=no comment=defconf name=bridge \
    protocol-mode=none
/interface wireguard
add listen-port=13231 mtu=1420 name=wireguard1
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip pool
add name=dhcp ranges=192.168.88.10-192.168.88.254
/ip dhcp-server
add address-pool=dhcp interface=bridge name=defconf
/port
set 0 name=serial0
/ppp profile
set *FFFFFFFE dns-server=8.8.8.8
/interface bridge port
add bridge=bridge comment=defconf interface=ether2
add bridge=bridge comment=defconf interface=ether3
add bridge=bridge comment=defconf interface=ether4
add bridge=bridge comment=defconf interface=ether5
/ip neighbor discovery-settings
set discover-interface-list=all
/ipv6 settings
set disable-ipv6=yes max-neighbor-entries=16384
/interface l2tp-server server
set use-ipsec=yes
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=ether1 list=WAN
/interface sstp-server server
set default-profile=default-encryption
/interface wireguard peers
add interface=wireguard1 public-key=\
    "xxxxx"
/ip address
add address=192.168.88.1/24 comment=defconf interface=bridge network=\
    192.168.88.0
add address=10.10.10.1/24 interface=wireguard1 network=10.10.10.0
/ip cloud
set ddns-enabled=yes
/ip dhcp-client
add comment=defconf interface=ether1
/ip dhcp-server network
add address=192.168.88.0/24 comment=defconf dns-server=8.8.8.8,4.4.4.4 \
    gateway=192.168.88.1
/ip dns
set allow-remote-requests=yes servers=8.8.8.8,4.4.4.4
/ip dns static
add address=192.168.88.1 comment=defconf name=router.lan
/ip firewall address-list
add address=mxxxx.dyndns.org list=mxxxx
add address=jxxxx.dyndns.org list=2xxxx
/ip firewall filter
add action=accept chain=input src-address-list=mxxxx
add action=accept chain=input src-address-list=2xxxx
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=accept chain=forward comment=\
    "defconf: accept established,related, untracked" connection-state=\
    established,related,untracked
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=accept chain=input comment="allow incoming wireguard connections" \
    dst-port=13231 protocol=udp
add action=accept chain=input comment="allow admin access via wireguard" \
    in-interface=wireguard1 log=yes src-address=10.10.10.0/24
add action=accept chain=input comment=\
    "defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
    in-interface-list=!LAN
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
    connection-state=established,related hw-offload=yes
add action=accept chain=forward comment=\
    "defconf: accept established,related, untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
add action=accept chain=forward comment="allow wireguard to subnet" \
    dst-address=192.168.88.0/24 log=yes out-interface=wireguard1 src-address=\
    10.10.10.0/24
add action=accept chain=forward in-interface-list=LAN out-interface-list=WAN
add action=accept chain=forward in-interface=wireguard1 out-interface-list=\
    WAN
add action=accept chain=\
    "add action=drop chain=forward comment=\"drop all else\"" comment=\
    "allow port forwarding" connection-nat-state=dstnat
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" \
    ipsec-policy=out,none out-interface-list=WAN
add action=dst-nat chain=dstnat dst-port=9000,8080,554,1935,8035 log=yes \
    protocol=tcp src-address-list=2xxxx to-addresses=192.168.88.35 to-ports=\
    9000
add action=dst-nat chain=dstnat comment=cam dst-port=8080,9000,554,1935,8035 \
    protocol=tcp src-address-list=mxxxx to-addresses=192.168.88.35 to-ports=\
    8080
/system clock
set time-zone-name=America/New_York
/system identity
set name="371 Mikrotik"
/system logging
add topics=account
add topics=event
add topics=firewall
/system package update
set channel=development
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN
/tool sniffer
set file-name=sniffed only-headers=yes
/tool traffic-monitor
add interface=ether1 name=tmon1 threshold=1000
EDIT by moderator: Please use proper tags in posts; added "code" ones to shorten listings of configurations.
 
Josephny
Member
Member
Topic Author
Posts: 470
Joined: Tue Sep 20, 2022 12:11 am

Re: My open ports: 443 & 1723

Sun Sep 25, 2022 2:39 pm

I think I found my problem:

On the router, in the PEER config, I was missing the allowed address: 10.10.10.2/32

I can now ping from each side of the VPN to the other.

I would like to be able to use the 192.168.88.x network on the remote side of the VPN. I tried making firewall rules, but couldn't get it to work.

Thank you very much.
 
User avatar
anav
Forum Guru
Forum Guru
Posts: 19176
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada
Contact:

Re: My open ports: 443 & 1723

Sun Sep 25, 2022 2:45 pm

TWO GROSS Errors that are preventing success (1,5) and a couple of minor items.

(1) Missing allowed address on wireguard peer settings.
From:
/interface wireguard peers
add interface=wireguard1 public-key="xxxxx"

TO:
/interface wireguard peers
add allowed-address=10.10.10.2/32 interface=wireguard1 public-key=\
"xxxxx"

(2) Absolutely NOT! firewall security mistake.
/ip firewall filter
add action=accept chain=input src-address-list=mxxxx
add action=accept chain=input src-address-list=2xxxx

Let's think about this. You are allowing two public IP addresses direct access to the router. Why not hire a Goodyear blimp that says HACK ME?
The whole point about VPN and wireguard is so that we can safely access the LAN side of the router and then access the config/router from there.
So delete those rules!

Remember we have rules in the input chain, (to the router) for your access via wireguard already, this rule is the way to do it.........
add action=accept chain=input comment="allow admin access via wireguard" \
in-interface=wireguard1 log=yes src-address=10.10.10.0/24


Also if you are at home and not remote you have access to the router via this rule........... Which says, drop anything coming to the router that is NOT from the LAN. So your LAN PC will be able to reach the router. You can rely on your user name and password via winbox to make sure you are the only one that can config the router.
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
in-interface-list=!LAN


I personally go one step further and only allow a src address list of LANIPs ( my desktop, laptop, ipad ) from the LAN to access the router, not other users.
But we can tackle that at a later date if you want...........


(3) MY MISTAKE APOLOGIES on the forward firewall rule to allow you to access the LAN resources :-( :-(
add action=accept chain=forward comment="allow wireguard to subnet" \
dst-address=192.168.88.0/24 log=yes out-interface=wireguard1 src-address=\
10.10.10.0/24


Should be:

add action=accept chain=forward comment="allow wireguard to subnet" \
dst-address=192.168.88.0/24 log=yes in-interface=wireguard1 src-address=\
10.10.10.0/24

(4) Remember the error you made on the format of dstnat rules regarding the case of simple port forwarding........
What is missing?
add action=dst-nat chain=dstnat ??????????? dst-port=9000,8080,554,1935,8035 log=yes \
protocol=tcp src-address-list=2xxxx to-addresses=192.168.88.35 to-ports=\
9000
add action=dst-nat chain=dstnat comment=cam ???????????? dst-port=8080,9000,554,1935,8035 \
protocol=tcp src-address-list=mxxxx to-addresses=192.168.88.35 to-ports=\
8080


(5) You have jumbled together two rules by accident in the forward chain..........
add action=accept chain=\
"add action=drop chain=forward comment=\"drop all else\"" comment=\
"allow port forwarding" connection-nat-state=dstnat


Should be:
add action=accept chain=forward comment="allow port forwarding" connection-nat-state=dstnat
add action=drop chain=forward comment="drop all else"

(6) Remember from last post, the mac server by itself is not encrypted and should be set to NONE. Only the mac-server mac-winbox is set to LAN.
/tool mac-server
set allowed-interface-list=NONE
/tool mac-server mac-winbox
set allowed-interface-list=LAN


+++++++++++++++++++++++++++++++++++++++++++++++++

In summary, the missing allowed address was preventing wireguard connectivity and the firewall rule in error would have prevented accessing the server.
The jumbled up end of the forward chain needs to be fixed as well.
Remove the dangerous input chain rules and you should be safe to go. Fix the format of port forwarding rules and that will work too.

Looks like
...
# sep/24/2022 22:19:13 by RouterOS 7.5
# software id = 9QHQ-45Y2
#
# model = RB750Gr3
# serial number = CCxxxxx
/interface bridge
add admin-mac=DC:xxxxx auto-mac=no comment=defconf name=bridge \
    protocol-mode=none
/interface wireguard
add listen-port=13231 mtu=1420 name=wireguard1
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip pool
add name=dhcp ranges=192.168.88.10-192.168.88.254
/ip dhcp-server
add address-pool=dhcp interface=bridge name=defconf
/port
set 0 name=serial0
/ppp profile
set *FFFFFFFE dns-server=8.8.8.8
/interface bridge port
add bridge=bridge comment=defconf interface=ether2
add bridge=bridge comment=defconf interface=ether3
add bridge=bridge comment=defconf interface=ether4
add bridge=bridge comment=defconf interface=ether5
/ip neighbor discovery-settings
set discover-interface-list=LAN
/ipv6 settings
set disable-ipv6=yes max-neighbor-entries=16384
/interface l2tp-server server
set use-ipsec=yes
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=ether1 list=WAN
/interface sstp-server server
set default-profile=default-encryption
/interface wireguard peers
add allowed-address=10.10.10.2/32 interface=wireguard1 public-key=\
    "xxxxx"
/ip address
add address=192.168.88.1/24 comment=defconf interface=bridge network=\
    192.168.88.0
add address=10.10.10.1/24 interface=wireguard1 network=10.10.10.0
/ip cloud
set ddns-enabled=yes
/ip dhcp-client
add comment=defconf interface=ether1
/ip dhcp-server network
add address=192.168.88.0/24 comment=defconf dns-server=8.8.8.8,4.4.4.4 \
    gateway=192.168.88.1
/ip dns
set allow-remote-requests=yes servers=8.8.8.8,4.4.4.4
/ip dns static
add address=192.168.88.1 comment=defconf name=router.lan
/ip firewall address-list
add address=mxxxx.dyndns.org list=mxxxx
add address=jxxxx.dyndns.org list=2xxxx
/ip firewall filter
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=accept chain=forward comment=\
    "defconf: accept established,related, untracked" connection-state=\
    established,related,untracked
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=accept chain=input comment="allow incoming wireguard connections" \
    dst-port=13231 protocol=udp
add action=accept chain=input comment="allow admin access via wireguard" \
    in-interface=wireguard1 log=yes src-address=10.10.10.0/24
add action=accept chain=input comment=\
    "defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
    in-interface-list=!LAN
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
    connection-state=established,related hw-offload=yes
add action=accept chain=forward comment=\
    "defconf: accept established,related, untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
add action=accept chain=forward comment="allow wireguard to subnet" \
    dst-address=192.168.88.0/24 log=yes in-interface=wireguard1 src-address=\
    10.10.10.0/24
add action=accept chain=forward in-interface-list=LAN out-interface-list=WAN
add action=accept chain=forward in-interface=wireguard1 out-interface-list=\
    WAN
add action=accept chain=forward comment="allow port forwarding" connection-nat-state=dstnat
add action=drop chain=forward comment="drop all else"
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" \
    ipsec-policy=out,none out-interface-list=WAN
add action=dst-nat chain=dstnat in-interface-list=WAN dst-port=9000,8080,554,1935,8035 log=yes \
    protocol=tcp src-address-list=2xxxx to-addresses=192.168.88.35 to-ports=\
    9000
add action=dst-nat chain=dstnat comment=cam in-interface-list=WAN dst-port=8080,9000,554,1935,8035 \
    protocol=tcp src-address-list=mxxxx to-addresses=192.168.88.35 to-ports=\
    8080
/system clock
set time-zone-name=America/New_York
/system identity
set name="371 Mikrotik"
/system logging
add topics=account
add topics=event
add topics=firewall
/system package update
set channel=development
/tool mac-server
set allowed-interface-list=NONE
/tool mac-server mac-winbox
set allowed-interface-list=LAN
/tool sniffer
set file-name=sniffed only-headers=yes
/tool traffic-monitor
add interface=ether1 name=tmon1 threshold=1000
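The six review points above are all things a script can catch before a config is applied. The following is an added example, not anav's code and not anything from MikroTik: a small Python checker that parses the RouterOS export format (sections starting with `/`, backslash line continuations, quoted values) and flags a WireGuard peer with no `allowed-address`, an input-chain accept keyed only on an address list built from public addresses or DDNS names, a dstnat rule with no ingress match such as `in-interface-list=WAN`, a filter rule whose `chain=` value is not a real chain (the jumbled rule from point 5), and a `/tool mac-server` that is not set to `none`. The sample export inside the script is constructed to contain one of each mistake plus one safe rule; the finding labels are my own.

```python
"""Static checks for a RouterOS export, modelled on the review points above.

Added example (not MikroTik code). Parses the export format and flags the
mistakes the post calls out. The sample export is constructed, not real.
"""
import ipaddress
import shlex

# Constructed sample export: one instance of each mistake discussed above,
# plus one safe rule (admins list holds a private address and is bound to LAN).
SAMPLE_EXPORT = r'''
/interface wireguard peers
add interface=wireguard1 public-key=\
    "xxxxx"
/ip firewall address-list
add address=mxxxx.dyndns.org list=mxxxx
add address=192.168.88.10 list=admins
/ip firewall filter
add action=accept chain=input src-address-list=mxxxx
add action=accept chain=input in-interface-list=LAN src-address-list=admins
add action=accept chain=input comment="allow admin access via wireguard" \
    in-interface=wireguard1 log=yes src-address=10.10.10.0/24
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
    in-interface-list=!LAN
add action=accept chain=\
    "add action=drop chain=forward comment=\"drop all else\"" comment=\
    "allow port forwarding" connection-nat-state=dstnat
/ip firewall nat
add action=dst-nat chain=dstnat dst-port=9000,8080 protocol=tcp \
    src-address-list=2xxxx to-addresses=192.168.88.35
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN
'''


def logical_lines(text):
    """Join backslash-continued lines the way the export writes them."""
    out, buf = [], ""
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.endswith("\\"):
            buf += line[:-1]
            continue
        out.append(buf + line)
        buf = ""
    return out


def parse_export(text):
    """Return (section, command, {key: value}) for every add/set line."""
    entries, section = [], None
    for line in logical_lines(text):
        if line.startswith("/"):
            section = line
            continue
        tokens = shlex.split(line)          # honours quotes and \" escapes
        params = {}
        for tok in tokens[1:]:
            if "=" in tok:
                key, value = tok.split("=", 1)
                params[key] = value
        entries.append((section, tokens[0], params))
    return entries


def is_public_entry(address):
    """A DDNS hostname or a non-RFC1918 address means 'reachable from the internet'."""
    try:
        return not ipaddress.ip_network(address, strict=False).is_private
    except ValueError:
        return True                          # hostname, e.g. xxxx.dyndns.org


def lint(text):
    entries = parse_export(text)
    public_lists = {p["list"] for s, _, p in entries
                    if s == "/ip firewall address-list" and is_public_entry(p["address"])}
    findings = []
    for section, _, p in entries:
        if section == "/interface wireguard peers" and "allowed-address" not in p:
            findings.append("wireguard-peer-missing-allowed-address")          # point (1)
        elif section == "/ip firewall filter":
            chain = p.get("chain", "")
            if chain not in ("input", "forward", "output"):
                findings.append("filter-rule-malformed-chain")                  # point (5)
            elif (chain == "input" and p.get("action") == "accept"
                  and p.get("src-address-list") in public_lists
                  and not any(k in p for k in ("in-interface", "in-interface-list",
                                               "dst-port", "connection-state"))):
                findings.append("input-accept-from-internet:" + p["src-address-list"])  # point (2)
        elif section == "/ip firewall nat" and p.get("chain") == "dstnat":
            if not any(k in p for k in ("in-interface", "in-interface-list", "dst-address")):
                findings.append("dstnat-without-ingress-match")                 # point (4)
        elif section == "/tool mac-server" and p.get("allowed-interface-list", "").lower() != "none":
            findings.append("mac-server-enabled:" + p["allowed-interface-list"])  # point (6)
    return findings


if __name__ == "__main__":
    for finding in lint(SAMPLE_EXPORT):
        print(finding)
```

Run it against a real `/export` saved to a file by passing the file contents to `lint()`. The "public list" heuristic is deliberately simple: anything in `/ip firewall address-list` that is a hostname or a non-private address is treated as internet-reachable, which is exactly the case of the two DDNS lists in this thread.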
 
Josephny
Member
Member
Topic Author
Posts: 470
Joined: Tue Sep 20, 2022 12:11 am

Re: My open ports: 443 & 1723

Sun Sep 25, 2022 5:29 pm

I am hopeless -- still doesn't work.

1) I found and fixed the ALLOWED-ADDRESS problem in the peer setup.

2) The router is 100 miles from my home, so I would like to keep the full access by the 2 public IPs for now. I understand the risk (somewhat); if I hadn't had them, I would have been locked out a long time ago.

3) Fixed the rule to read:

add action=accept chain=forward comment="Allow wireguard to subnet" dst-address=192.168.88.0/24 in-interface=\
wireguard1 log=yes src-address=10.10.10.0/24

4) Added the additional ports to the forwarding and it works.

add action=dst-nat chain=dstnat dst-port=9000,8080,554,1935,8035 in-interface=wireguard1 log=yes protocol=tcp \
to-addresses=192.168.88.35

5) Fixed to:

add action=drop chain=forward comment="Drop all else"
add action=accept chain=forward comment="allow port forwarding" connection-nat-state=dstnat log=yes

6) Fixed:

/tool mac-server
set allowed-interface-list=none
/tool mac-server mac-winbox
set allowed-interface-list=LAN

Here is the config:
# sep/25/2022 10:25:52 by RouterOS 7.5
# software id = 9QHQ-45Y2
#
# model = RB750Gr3
# serial number = CCxxxxxxx
/interface bridge
add admin-mac=DC:xxxxxxx auto-mac=no comment=defconf name=bridge \
    protocol-mode=none
/interface wireguard
add listen-port=13231 mtu=1420 name=wireguard1
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip pool
add name=dhcp ranges=192.168.88.10-192.168.88.254
/ip dhcp-server
add address-pool=dhcp interface=bridge name=defconf
/port
set 0 name=serial0
/ppp profile
set *FFFFFFFE dns-server=8.8.8.8
/interface bridge port
add bridge=bridge comment=defconf interface=ether2
add bridge=bridge comment=defconf interface=ether3
add bridge=bridge comment=defconf interface=ether4
add bridge=bridge comment=defconf interface=ether5
/ip neighbor discovery-settings
set discover-interface-list=all
/ipv6 settings
set disable-ipv6=yes max-neighbor-entries=16384
/interface l2tp-server server
set use-ipsec=yes
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=ether1 list=WAN
/interface sstp-server server
set default-profile=default-encryption
/interface wireguard peers
add allowed-address=10.10.10.2/32 interface=wireguard1 public-key=\
    "DcTpxxxxxxxxxxxc="
/ip address
add address=192.168.88.1/24 comment=defconf interface=bridge network=\
    192.168.88.0
add address=10.10.10.1/24 interface=wireguard1 network=10.10.10.0
/ip cloud
set ddns-enabled=yes
/ip dhcp-client
add comment=defconf interface=ether1
/ip dhcp-server network
add address=192.168.88.0/24 comment=defconf dns-server=8.8.8.8,4.4.4.4 \
    gateway=192.168.88.1
/ip dns
set allow-remote-requests=yes servers=8.8.8.8,4.4.4.4
/ip dns static
add address=192.168.88.1 comment=defconf name=router.lan
/ip firewall address-list
add address=mxxxx.dyndns.org list=mxxxx
add address=jxxxx.dyndns.org list=2xxxxx
/ip firewall filter
add action=accept chain=input comment="allow incoming wireguard connections" \
    dst-port=13231 protocol=udp
add action=accept chain=forward comment="Allow wireguard to subnet" \
    dst-address=192.168.88.0/24 in-interface=wireguard1 log=yes src-address=\
    10.10.10.0/24
add action=accept chain=input comment="allow wireguard to subnet" \
    in-interface=wireguard1 log=yes
add action=accept chain=forward in-interface-list=LAN out-interface-list=WAN
add action=accept chain=forward comment="allow port forwarding" \
    connection-nat-state=dstnat log=yes
add action=accept chain=input comment="allow admin access via wireguard" \
    in-interface=wireguard1 log=yes src-address=10.10.10.0/24
add action=accept chain=input src-address-list=mxxxx
add action=accept chain=input src-address-list=2xxxx
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=accept chain=forward comment=\
    "defconf: accept established,related, untracked" connection-state=\
    established,related,untracked
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=accept chain=input comment=\
    "defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
    in-interface-list=!LAN
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
    connection-state=established,related hw-offload=yes
add action=accept chain=forward comment=\
    "defconf: accept established,related, untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="Drop all else"
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" \
    ipsec-policy=out,none out-interface-list=WAN
add action=dst-nat chain=dstnat dst-port=9000,8080,554,1935,8035 \
    in-interface=wireguard1 log=yes protocol=tcp to-addresses=192.168.88.35
add action=dst-nat chain=dstnat dst-port=9000,8080,554,1935,8035 protocol=tcp \
    src-address-list=2xxxx to-addresses=192.168.88.35
add action=dst-nat chain=dstnat comment=cam dst-port=8080,9000,554,1935,8035 \
    protocol=tcp src-address-list=mxxxx to-addresses=192.168.88.35
/system clock
set time-zone-name=America/New_York
/system identity
set name="371 Mikrotik"
/system logging
add topics=account
add topics=event
add topics=firewall
/system package update
set channel=development
/tool mac-server
set allowed-interface-list=none
/tool mac-server mac-winbox
set allowed-interface-list=LAN
/tool sniffer
set file-name=sniffed only-headers=yes
/tool traffic-monitor
add interface=ether1 name=tmon1 threshold=1000
add interface=wireguard1 name=tmon2
 
User avatar
anav
Forum Guru
Forum Guru
Posts: 19176
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada
Contact:

Re: My open ports: 443 & 1723

Sun Sep 25, 2022 6:13 pm

Ahh okay so the router you are configuring is not with you at home.
Now I see why the angst to be able to reach it for config.

WHY ARE YOU FRIGGING WITH THE ORDER OF RULES...............as you can see I put the input chain rules together and the forward chain rules together and within each chain a specific order that makes sense. Why do you insist on making the rules disorganized and hard to follow?? Things may NOT work properly when you do this....... I don't do it for giggles :-)) !!!


/ip firewall filter
add action=accept chain=input comment="allow incoming wireguard connections" \
dst-port=13231 protocol=udp
add action=accept chain=forward comment="Allow wireguard to subnet" \
dst-address=192.168.88.0/24 in-interface=wireguard1 log=yes src-address=\
10.10.10.0/24
add action=accept chain=input comment="allow wireguard to subnet" \
in-interface=wireguard1 log=yes
add action=accept chain=forward in-interface-list=LAN out-interface-list=WAN
add action=accept chain=forward comment="allow port forwarding" \
connection-nat-state=dstnat log=yes
add action=accept chain=input comment="allow admin access via wireguard" \
in-interface=wireguard1 log=yes src-address=10.10.10.0/24
add action=accept chain=input src-address-list=mxxxx
add action=accept chain=input src-address-list=2xxxx
add action=accept chain=input comment=\
"defconf: accept established,related,untracked" connection-state=\
established,related,untracked
add action=accept chain=forward comment=\
"defconf: accept established,related, untracked" connection-state=\
established,related,untracked
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
invalid
add action=accept chain=input comment=\
"defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
in-interface-list=!LAN
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
connection-state=established,related hw-offload=yes
add action=accept chain=forward comment=\
"defconf: accept established,related, untracked" connection-state=\
established,related,untracked
add action=drop chain=forward comment="Drop all else"


Order Fixed:
.......
ip firewall filter
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=accept chain=input comment=\
    "defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=accept chain=input comment="allow incoming wireguard connections" \
    dst-port=13231 protocol=udp
add action=accept chain=input src-address-list=mxxxx comment="temp until wireguard works"
add action=accept chain=input src-address-list=2xxxx comment="temp until wireguard works"
add action=accept chain=input comment="allow wireguard to Router" \
    in-interface=wireguard1 src-address=10.10.10.0/24 log=yes
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
    in-interface-list=!LAN
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
    connection-state=established,related hw-offload=yes
add action=accept chain=forward comment=\
    "defconf: accept established,related, untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=\
    invalid
add action=accept chain=forward comment="Allow wireguard to subnet" \
    dst-address=192.168.88.0/24 in-interface=wireguard1 log=yes src-address=\
    10.10.10.0/24
add action=accept chain=forward in-interface-list=LAN out-interface-list=WAN
add action=accept chain=forward comment="allow port forwarding" \
    connection-nat-state=dstnat log=yes
add action=drop chain=forward comment="Drop all else"
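The ordering point in the two lists above can be checked mechanically rather than by eye. The following is an added Python example, not code from the thread or from MikroTik: it parses the `add ...` lines of a RouterOS `/ip firewall filter` export (joining the trailing-backslash continuations RouterOS emits) and reports the things the corrected list fixes: the established/related accept (or fasttrack) not being first in its chain, a missing `drop invalid`, a chain that does not end in a drop, and rules placed after an unconditional drop, which RouterOS never evaluates. The two sample exports are constructed, shortened versions of the lists above; the "before" one has one extra rule deliberately placed after the final drop to exercise the unreachable-rule check.

```python
"""Rule-order audit for a RouterOS '/ip firewall filter' export (added example)."""
import re
import shlex

# Properties that do not narrow what a rule matches.
NON_MATCHER_KEYS = {"action", "chain", "comment", "log", "log-prefix", "disabled"}

# Constructed, shortened version of the first (disordered) list in the thread, with one
# extra rule deliberately placed after the final drop.
BEFORE = r"""
/ip firewall filter
add action=accept chain=input comment="allow incoming wireguard connections" \
    dst-port=13231 protocol=udp
add action=accept chain=forward comment="Allow wireguard to subnet" \
    dst-address=192.168.88.0/24 in-interface=wireguard1 src-address=10.10.10.0/24
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
    in-interface-list=!LAN
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
    connection-state=established,related hw-offload=yes
add action=drop chain=forward comment="Drop all else"
add action=accept chain=forward comment="allow port forwarding" connection-nat-state=dstnat
"""

# Constructed, shortened version of the corrected list.
AFTER = r"""
/ip firewall filter
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=input comment="allow incoming wireguard connections" \
    dst-port=13231 protocol=udp
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
    in-interface-list=!LAN
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
    connection-state=established,related hw-offload=yes
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=forward comment="Allow wireguard to subnet" \
    dst-address=192.168.88.0/24 in-interface=wireguard1 src-address=10.10.10.0/24
add action=drop chain=forward comment="Drop all else"
"""

def parse_rules(export_text):
    """Return one {property: value} dict per 'add' line of the export."""
    # RouterOS wraps long lines with a trailing backslash; join them back first.
    joined = re.sub(r"\\\n\s*", "", export_text)
    rules = []
    for line in joined.splitlines():
        line = line.strip()
        if line.startswith("add "):
            rule = {}
            for token in shlex.split(line[4:]):   # shlex keeps quoted comments whole
                key, _, value = token.partition("=")
                rule[key] = value
            rules.append(rule)
    return rules

def describe(rule):
    return rule.get("comment") or " ".join(f"{k}={v}" for k, v in rule.items())

def is_unconditional_drop(rule):
    return rule.get("action") == "drop" and set(rule) <= NON_MATCHER_KEYS

def audit_chain(rules, chain):
    """Findings for one chain; an empty list means the order looks sane."""
    findings = []
    chain_rules = [r for r in rules if r.get("chain") == chain]
    if not chain_rules:
        return [f"{chain}: no rules at all"]
    first = chain_rules[0]
    if "established" not in first.get("connection-state", ""):
        findings.append(f"{chain}: first rule is '{describe(first)}', not the "
                        "established/related accept or fasttrack rule")
    if not any(r.get("action") == "drop" and r.get("connection-state") == "invalid"
               for r in chain_rules):
        findings.append(f"{chain}: no 'drop invalid' rule")
    # RouterOS stops at the first matching terminal rule, so nothing after an
    # unconditional drop is ever evaluated; without one, the chain falls through to accept.
    catch_all = next((i for i, r in enumerate(chain_rules) if is_unconditional_drop(r)), None)
    if catch_all is None and chain_rules[-1].get("action") != "drop":
        findings.append(f"{chain}: last rule is not a drop, so unmatched traffic is accepted")
    if catch_all is not None:
        findings += [f"{chain}: '{describe(r)}' is unreachable after "
                     f"'{describe(chain_rules[catch_all])}'" for r in chain_rules[catch_all + 1:]]
    return findings

def audit(rules):
    return audit_chain(rules, "input") + audit_chain(rules, "forward")

if __name__ == "__main__":
    for name, text in (("before", BEFORE), ("after", AFTER)):
        print(name, audit(parse_rules(text)) or "OK")
```

Paste the output of `/ip firewall filter export` into `BEFORE` to run it against a live router's list; the checks are deliberately conservative (they only look at chain position, not at whether the matchers themselves are right), so an empty result means the skeleton is in the default-config order, not that every rule is correct.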
 
anav
Forum Guru
Posts: 19176
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada
Contact:

Re: My open ports: 443 & 1723

Sun Sep 25, 2022 6:32 pm

Until the config is properly set one cannot make conclusions on where else to look!
What are you using to connect to the server? Windows laptop, iPhone??
Be good to see the config of that as well.
 
Josephny
Member
Topic Author
Posts: 470
Joined: Tue Sep 20, 2022 12:11 am

Re: My open ports: 443 & 1723

Sun Sep 25, 2022 7:36 pm

Thank you -- sorry for the hassle regarding the filter order.

I have the rules ordered as you provided. I included the NAT rules also below.
/ip firewall filter
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=accept chain=input comment=\
    "defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=accept chain=input comment="allow incoming wireguard connections" \
    dst-port=13231 protocol=udp
add action=accept chain=input src-address-list=m
add action=accept chain=input src-address-list=2
add action=accept chain=input comment="Allow wireguard to router" \
    in-interface=wireguard1 log=yes src-address=10.10.10.0/24
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
    in-interface-list=!LAN
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
    connection-state=established,related hw-offload=yes
add action=accept chain=forward comment=\
    "defconf: accept established,related, untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid log=yes
add action=accept chain=forward comment="Allow wireguard to subnet" \
    dst-address=192.168.88.0/24 in-interface=wireguard1 log=yes src-address=\
    10.10.10.0/24
add action=accept chain=forward in-interface-list=LAN out-interface-list=WAN
add action=accept chain=forward comment="allow port forwarding" \
    connection-nat-state=dstnat log=yes
add action=drop chain=forward comment="Drop all else"
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" \
    ipsec-policy=out,none out-interface-list=WAN
add action=dst-nat chain=dstnat dst-port=9000,8080,554,1935,8035 \
    in-interface=wireguard1 log=yes protocol=tcp to-addresses=192.168.88.35
add action=dst-nat chain=dstnat dst-port=9000,8080,554,1935,8035 protocol=tcp \
    src-address-list=2 to-addresses=192.168.88.35
add action=dst-nat chain=dstnat comment=cam dst-port=8080,9000,554,1935,8035 \
    protocol=tcp src-address-list=m to-addresses=192.168.88.35

This is my local Windows laptop's Wireguard config:

[Interface]
PrivateKey = +Aoxxxxxx
ListenPort = 13231
Address = 10.10.10.2/24

[Peer]
PublicKey = zoZxxxxxxx
AllowedIPs = 10.10.10.1/24
Endpoint = 24.xxx.xx.xx:13231
 
anav
Forum Guru
Posts: 19176
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada
Contact:

Re: My open ports: 443 & 1723

Sun Sep 25, 2022 8:09 pm

The settings on the laptop may be an issue!
(1) First, it's strange that you have the private key on the interface settings; on all my clients
what is there is the public key that you need to put on the MikroTik router (on its peer settings for your device).
More than anything, it's just sitting there so you can double check settings across devices.

The other public key setting found at the laptop PEER settings is the public key issued by the router.

FROM:
[Interface]
PrivateKey = +Aoxxxxxx
ListenPort = 13231
Address = 10.10.10.2/24

[Peer]
PublicKey = zoZxxxxxxx
AllowedIPs = 10.10.10.1/24
Endpoint = 24.xxx.xx.xx:13231


TO:
[Interface]
Public Key = xxxxxxx ( to be entered on the Router under the peer settings for this device )
ListenPort = 13231
Address = 10.10.10.2/32 { this is the wireguard IP address assigned to this client/laptop }

[Peer]
PublicKey = zoZxxxxxxx ( Should be the public key from the MT router )
AllowedIPs = 0.0.0.0/0 *****
Endpoint = 24.xxx.xx.xx:13231

If you don't intend at all to go out the internet of the router then put the following:
AllowedIPs=10.10.10.0/24,routersubnets ^^^^^

^^^^ If you plan on accessing the local router's LANs/subnets then you need to add them to AllowedIPs on your laptop peer settings.
 
Josephny
Member
Topic Author
Posts: 470
Joined: Tue Sep 20, 2022 12:11 am

Re: My open ports: 443 & 1723

Sun Sep 25, 2022 10:28 pm

I tried just adding 192.168.88.0/24 to the laptop's Wireguard peer allowed-ips list and it worked!

I now have full access to the devices on 192.168.0.x connected to the router.

Thank you so very much.
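The AllowedIPs behaviour anav describes above, and the fix Josephny confirms here, follow one rule that can be checked offline: WireGuard's cryptokey routing sends a packet to the peer whose AllowedIPs contains the destination with the longest prefix, and on the receiving side only accepts a decrypted packet whose source falls inside that peer's allowed addresses. The following is an added Python example, not code from the thread, from WireGuard or from MikroTik; the laptop config is a constructed copy of the one posted, with the key material and the router's WAN address replaced by placeholders.

```python
"""Cryptokey-routing check for the laptop <-> router WireGuard pair (added example)."""
import ipaddress

# Constructed laptop config; keys and the WAN address are placeholders, not real values.
LAPTOP_CONF = """
[Interface]
PrivateKey = <laptop-private-key>
ListenPort = 13231
Address = 10.10.10.2/24

[Peer]
PublicKey = <router-public-key>
AllowedIPs = 10.10.10.1/24
Endpoint = <router-wan-ip>:13231
"""

def parse_wg_conf(text):
    """Parse a wg-quick style file into an [Interface] dict and a list of [Peer] dicts."""
    interface, peers, current = {}, [], None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comments and blank lines
        if not line:
            continue
        if line == "[Interface]":
            current = interface
        elif line == "[Peer]":
            current = {}
            peers.append(current)
        elif current is not None:
            key, _, value = line.partition("=")
            current[key.strip()] = value.strip()
    return interface, peers

def networks(csv):
    """'10.10.10.1/24, 192.168.88.0/24' -> networks. Host bits are ignored, exactly as
    WireGuard treats them, so 10.10.10.1/24 means the whole 10.10.10.0/24."""
    return [ipaddress.ip_network(p.strip(), strict=False) for p in csv.split(",") if p.strip()]

def peer_for_destination(peers, dst):
    """Client side: the peer whose AllowedIPs holds the longest prefix containing dst,
    or None when no peer claims it (the packet then leaves by the normal interface)."""
    dst = ipaddress.ip_address(dst)
    best, best_len = None, -1
    for peer in peers:
        for net in networks(peer.get("AllowedIPs", "")):
            if dst in net and net.prefixlen > best_len:
                best, best_len = peer, net.prefixlen
    return best

def reachable_via_tunnel(peers, dst):
    return peer_for_destination(peers, dst) is not None

def router_accepts_from_peer(allowed_address, src):
    """Router side: RouterOS 'allowed-address' on the peer is the same check in reverse.
    A decrypted packet from that peer is only accepted if its source is listed here."""
    return any(ipaddress.ip_address(src) in net for net in networks(allowed_address))

if __name__ == "__main__":
    _, peers = parse_wg_conf(LAPTOP_CONF)
    for dst in ("10.10.10.1", "192.168.88.35"):
        print(dst, "via tunnel" if reachable_via_tunnel(peers, dst) else "NOT via tunnel")
    peers[0]["AllowedIPs"] = "10.10.10.0/24, 192.168.88.0/24"
    print("192.168.88.35 after adding the LAN:", reachable_via_tunnel(peers, "192.168.88.35"))
```

With the posted `AllowedIPs = 10.10.10.1/24` the laptop reaches the router's tunnel address but nothing in 192.168.88.0/24, which is why adding that subnet was the fix; `0.0.0.0/0` has prefix length 0 and therefore matches every IPv4 destination, which is the "send everything through the router" option mentioned above. On the router side the `allowed-address=10.10.10.2/32` peer entry is what lets it trust packets from 10.10.10.2 and nothing else on that peer.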
 
anav
Forum Guru
Posts: 19176
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada
Contact:

Re: My open ports: 443 & 1723

Sun Sep 25, 2022 10:54 pm

Awesome!!
Now make sure you made the other changes not just the subnet............

Confirm if you can wireguard in and access the router from your iphone or android.
Just add another peer on the router,
then try to connect using cellular.
Once that's confirmed then you can use your laptop to do it and you can remove the unsafe method with the address lists.

/interface wireguard peers
add allowed-address=10.10.10.2/32 interface=wireguard1 public-key=\
"DcTpxxxxxxxxxxxc="

/interface wireguard peers
add allowed-address=10.10.10.5/32 interface=wireguard1 public-key=\
"DcTpxxxxxxxxxxxc=" comment="my ipad, or iphone or android"

with same settings as the laptop on the client device and give it an address=10.10.10.5/32
allowed-address=10.10.10.0/24,192.168.88.0/24
 
anav
Forum Guru
Posts: 19176
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada
Contact:

Re: My open ports: 443 & 1723

Mon Sep 26, 2022 4:24 am

Perhaps we should try and setup a backup SSTP connection in case wireguard hiccups on you. That way you can remove the unsafe access method.
 
Josephny
Member
Topic Author
Posts: 470
Joined: Tue Sep 20, 2022 12:11 am

Re: My open ports: 443 & 1723

Tue Sep 27, 2022 1:15 am

Sure, that sounds good.

Because I am very reluctant to disable my public IP access.

I have 2 other sites that use Ubiquiti UDMPro machines and am super struggling with their VPN. It's not officially supported, but I read that Wireguard is a part of the UDMPro's kernel, so I'm thinking about tackling this also.
