Musti
just joined
Topic Author
Posts: 5
Joined: Mon Jan 30, 2023 4:22 pm

No router management possible while connected via VPN

Mon Jan 30, 2023 4:29 pm

Hello,

I cannot access any RouterBoard management (ssh/web/winbox) when I am remotely connected using L2TP/IPSec VPN.
I can access any other host on the remote LAN except the router. I can ping the router.

MikroTik model is RB2011UiAS, RouterOS version is 6.48.6.

What could be the problem?


REGARDS
Musti
 
Musti
just joined
Topic Author
Posts: 5
Joined: Mon Jan 30, 2023 4:22 pm

Re: No router management possible while connected via VPN

Thu Feb 02, 2023 4:43 pm

WAN/ether1 is linked to ISP using PPPoE.

Here is the config:

# jan/27/2023 19:20:50 by RouterOS 6.48.6
# software id = B06R-8NB4
#
# model = RB2011UiAS
# serial number = ***********
/interface bridge
add admin-mac=18:FD:74:D2:EF:D3 arp=proxy-arp auto-mac=no comment=defconf \
name=bridge
/interface pppoe-client
add add-default-route=yes disabled=no interface=ether1 name=pppoe-out1 \
password=********** use-peer-dns=yes user=*******@**********
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip pool
add name=dhcp ranges=192.168.1.100-192.168.1.254
add name=vpn_pool ranges=192.168.1.97-192.168.1.99
/ip dhcp-server
add address-pool=dhcp disabled=no interface=bridge name=defconf
/ppp profile
set *0 local-address=192.168.1.1 remote-address=vpn_pool
/interface bridge port
add bridge=bridge comment=defconf interface=ether2
add bridge=bridge comment=defconf interface=ether3
add bridge=bridge comment=defconf interface=ether4
add bridge=bridge comment=defconf interface=ether5
add bridge=bridge comment=defconf interface=ether6
add bridge=bridge comment=defconf interface=ether7
add bridge=bridge comment=defconf interface=ether8
add bridge=bridge comment=defconf interface=ether9
add bridge=bridge comment=defconf interface=ether10
add bridge=bridge comment=defconf interface=sfp1
/ip neighbor discovery-settings
set discover-interface-list=LAN
/interface l2tp-server server
set authentication=mschap2 enabled=yes ipsec-secret=******* use-ipsec=required
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=ether1 list=WAN
add interface=pppoe-out1 list=WAN
/ip address
add address=192.168.1.1/24 comment=defconf interface=bridge network=\
192.168.1.0
/ip dhcp-client
add comment=defconf interface=ether1
/ip dhcp-server network
add address=192.168.1.0/24 comment=defconf dns-server=1.1.1.1,8.8.4.4 \
gateway=192.168.1.1 netmask=24
/ip dns
set allow-remote-requests=yes servers=1.1.1.1,8.8.4.4
/ip dns static
add address=192.168.1.1 comment=defconf name=router.lan
/ip firewall filter
add action=accept chain=input comment=\
"defconf: accept established,related,untracked" connection-state=\
established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input dst-port=500,4500,1701 protocol=udp
add action=accept chain=input protocol=ipsec-esp
add action=accept chain=input comment=\
"defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
connection-state=established,related
add action=accept chain=forward comment=\
"defconf: accept established,related, untracked" connection-state=\
established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
connection-state=invalid
add action=drop chain=forward comment=\
"defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
connection-state=new in-interface-list=WAN
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" \
ipsec-policy=out,none out-interface-list=WAN
/ip route
add disabled=yes distance=1 gateway=192.168.8.1
/ppp secret
add name=********* password=************
add local-address=192.168.1.1 name=************* password=************* \
remote-address=192.168.1.99
add local-address=192.168.1.1 name=************* password=************* \
remote-address=192.168.1.98
/system clock
set time-zone-name=Europe/Warsaw
/system identity
set name=RouterOS
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN
 
erlinden
Forum Guru
Posts: 1900
Joined: Wed Jun 12, 2013 1:59 pm
Location: Netherlands

Re: No router management possible while connected via VPN

Thu Feb 02, 2023 4:48 pm

The firewall is probably blocking because the VPN clients are not on the LAN address list:
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
in-interface-list=!LAN
 
anav
Forum Guru
Posts: 18961
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: No router management possible while connected via VPN

Thu Feb 02, 2023 6:10 pm

(1) Concur somewhat with erlinden.......... I believe you need specific firewall rules for the subnet or IP address you have designated/assigned for ipsec, as to my limited knowledge (peer address??) an ipsec interface cannot be added to an INTERFACE LIST. So it doesn't matter about the LAN INTERFACE list.

suggesting in this order............
add action=accept chain=input comment=\
"defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add chain=input action=accept src-address=IPSEC SUBNET OR IPSEC IP-ADDRESS
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
in-interface-list=!LAN


(2) Not required; should be disabled or removed, as IP dhcp client settings are handled through pppoe.
/ip dhcp-client
add comment=defconf interface=ether1


(3) The default static dns rule should be removed.
/ip dns static
add address=192.168.1.1 comment=defconf name=router.lan


(4) Should be set to NONE, as mac-server by itself is not a secure access method.
/tool mac-server
set allowed-interface-list=LAN
 
Musti
just joined
Topic Author
Posts: 5
Joined: Mon Jan 30, 2023 4:22 pm

Re: No router management possible while connected via VPN

Fri Feb 03, 2023 3:05 pm

Thank you guys,

The remote IP addresses are from the LAN IP address space (192.168.1.97-99), so the rule:
add action=drop chain=input comment="defconf: drop all not coming from LAN" in-interface-list=!LAN
shouldn't be blocking VPN tunnel traffic. I am able to get to other LAN addresses via VPN, except 192.168.1.1.

The WAN IP address is obtained via PPPoE; are you sure I should disable the dhcp-client on the ether1 interface?
/ip dhcp-client add comment=defconf interface=ether1

REGARDS
Musti
 
anav
Forum Guru
Posts: 18961
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: No router management possible while connected via VPN

Fri Feb 03, 2023 3:32 pm

I am not an ipsec expert, but I think it's a mistake to use your LAN IPs for your ipsec; use something else, anything,
10.10.10.X for example. Use the firewall rule I provided and it should work.

No, the pppoe is doing the client work; you don't need IP dhcp client settings.
 
Musti
just joined
Topic Author
Posts: 5
Joined: Mon Jan 30, 2023 4:22 pm

Re: No router management possible while connected via VPN

Fri Feb 03, 2023 4:34 pm

OK, I added a new user:

add local-address=172.16.10.1 name=****************** password=************ remote-address=172.16.10.99

and inserted a new firewall rule:

add action=accept chain=input comment="defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=accept chain=input src-address=172.168.0.0/24
add action=drop chain=input comment="defconf: drop all not coming from LAN" in-interface-list=!LAN


as you suggested.

However, I still cannot access the router IP; all other LAN hosts and the Internet are available.


REGARDS
Robert
 
anav
Forum Guru
Posts: 18961
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: No router management possible while connected via VPN  [SOLVED]

Fri Feb 03, 2023 11:17 pm

Check it out.......
OK, I added a new user:
add local-address=172.16.10.1 name=****************** password=************ remote-address=172.16.10.99


and inserted a new firewall rule.......
add action=accept chain=input src-address=172.168.0.0/24



Try with
add action=accept chain=input src-address=172.168.10.0/24
 
Musti
just joined
Topic Author
Posts: 5
Joined: Mon Jan 30, 2023 4:22 pm

Re: No router management possible while connected via VPN

Tue Feb 07, 2023 10:59 am

Oh... of course! :) My bad.

I had to reconfigure the router from scratch due to some problem with PPPoE address assignment.

I have used the following config:

....
/ppp secret
add local-address=10.10.10.1 name=******* password=*********** remote-address=10.10.10.11 service=l2tp
...
/ip firewall filter
...
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input dst-port=500,1701,4500 protocol=udp
add action=accept chain=input comment="defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=accept chain=input src-address=10.10.10.0/24
add action=drop chain=input comment="defconf: drop all not coming from LAN" in-interface-list=!LAN
...



and now I am able to access router management.

Thank you anav for your help!
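The mechanism behind this whole thread, as an added example that is not part of the thread or of RouterOS: a small first-match simulation of the /ip firewall filter input chain from the config above. It models only the matchers the thread uses (connection-state, protocol, dst-port, dst-address, src-address, in-interface-list) and shows three things the posts argue over: why ping from the VPN worked while Winbox did not (the ICMP accept sits above the final drop), why a VPN client address inside 192.168.1.0/24 is still dropped (in-interface-list matches the arriving interface, and the dynamic L2TP interface is in no list, so "!LAN" is true), and why the 172.168.0.0/24 typo left the client dropped while 10.10.10.0/24 fixed it. Winbox port 8291, the client address 192.168.1.50 and the rule comments on the added rules are constructed sample values.

```python
"""Simulate RouterOS /ip firewall filter input-chain evaluation (added example,
not RouterOS code). Rules are dicts of matchers plus an "action"; a matcher
that is absent from a rule matches anything, and the first matching rule wins.
If no rule matches, RouterOS accepts the packet (implicit accept at chain end)."""
import ipaddress
from typing import Dict, List, Optional, Set, Tuple

Rule = Dict[str, object]
Packet = Dict[str, object]


def _match_interface_list(rule_val: Optional[str], pkt_lists: Set[str]) -> bool:
    """in-interface-list=LAN matches when the arriving interface is a member of
    list LAN; in-interface-list=!LAN matches when it is NOT a member."""
    if rule_val is None:
        return True
    negate = rule_val.startswith("!")
    name = rule_val.lstrip("!")
    return (name in pkt_lists) != negate


def _in_net(addr: str, net: str) -> bool:
    # RouterOS treats a bare address as a /32
    return ipaddress.ip_address(addr) in ipaddress.ip_network(net, strict=False)


def rule_matches(rule: Rule, pkt: Packet) -> bool:
    if "connection_state" in rule and pkt["connection_state"] not in rule["connection_state"]:
        return False
    if "protocol" in rule and pkt["protocol"] != rule["protocol"]:
        return False
    if "dst_port" in rule and pkt.get("dst_port") not in rule["dst_port"]:
        return False
    if "dst_address" in rule and not _in_net(pkt["dst"], rule["dst_address"]):
        return False
    if "src_address" in rule and not _in_net(pkt["src"], rule["src_address"]):
        return False
    return _match_interface_list(rule.get("in_interface_list"), pkt["in_interface_lists"])


def evaluate_input_chain(rules: List[Rule], pkt: Packet) -> Tuple[str, str]:
    """Return (action, comment) of the first matching rule."""
    for rule in rules:
        if rule_matches(rule, pkt):
            return str(rule["action"]), str(rule.get("comment", ""))
    return "accept", "implicit accept (end of chain)"


# The input chain as posted in the thread (l2tp/ipsec port rule had no comment).
DEFCONF_INPUT: List[Rule] = [
    {"action": "accept", "comment": "defconf: accept established,related,untracked",
     "connection_state": {"established", "related", "untracked"}},
    {"action": "drop", "comment": "defconf: drop invalid", "connection_state": {"invalid"}},
    {"action": "accept", "comment": "defconf: accept ICMP", "protocol": "icmp"},
    {"action": "accept", "comment": "l2tp/ipsec", "protocol": "udp", "dst_port": {500, 1701, 4500}},
    {"action": "accept", "comment": "defconf: accept to local loopback (for CAPsMAN)",
     "dst_address": "127.0.0.1"},
    {"action": "drop", "comment": "defconf: drop all not coming from LAN", "in_interface_list": "!LAN"},
]


def with_vpn_accept(src_address: str) -> List[Rule]:
    """The thread's fix: an accept for the VPN pool, placed just before the final drop."""
    accept = {"action": "accept", "comment": "accept VPN clients", "src_address": src_address}
    return DEFCONF_INPUT[:-1] + [accept] + DEFCONF_INPUT[-1:]


def winbox_from(src: str, over_vpn: bool = True) -> Packet:
    """A new Winbox (TCP 8291, constructed) connection to the router address.
    Over L2TP the arriving interface is the dynamic <l2tp-user> interface, which
    belongs to no interface list; from the bridge it belongs to LAN."""
    return {"src": src, "dst": "192.168.1.1", "protocol": "tcp", "dst_port": 8291,
            "connection_state": "new", "in_interface_lists": set() if over_vpn else {"LAN"}}


def ping_from(src: str) -> Packet:
    return {"src": src, "dst": "192.168.1.1", "protocol": "icmp",
            "connection_state": "new", "in_interface_lists": set()}


if __name__ == "__main__":
    cases = [
        ("original config, ping over VPN", DEFCONF_INPUT, ping_from("192.168.1.98")),
        ("original config, winbox over VPN (LAN-range address)", DEFCONF_INPUT, winbox_from("192.168.1.98")),
        ("original config, winbox from bridge host", DEFCONF_INPUT, winbox_from("192.168.1.50", over_vpn=False)),
        ("typo 172.168.0.0/24, client 172.16.10.99", with_vpn_accept("172.168.0.0/24"), winbox_from("172.16.10.99")),
        ("fixed 10.10.10.0/24, client 10.10.10.11", with_vpn_accept("10.10.10.0/24"), winbox_from("10.10.10.11")),
    ]
    for label, rules, pkt in cases:
        action, comment = evaluate_input_chain(rules, pkt)
        print(f"{label:55s} -> {action:6s} ({comment})")
```

The simulation also makes the order requirement from anav's post concrete: the src-address accept only helps if it is evaluated before "drop all not coming from LAN", and it only helps if the prefix actually contains the address handed out by the ppp secret, which is the check worth doing whenever a new pool is introduced.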
