Community discussions

ynblpb
just joined
Topic Author
Posts: 2
Joined: Tue Feb 14, 2023 11:04 pm

Cannot access to webfig from internet

Tue Feb 14, 2023 11:20 pm

Hello! Such a stupid question, I know, but I lost a lot of hours trying to solve it.

I have CHR on digitalocean.
CHR used for private VPN

So, I have:
ether1 - public network
ether2 - private DO network (not configured)
l2tp-danny - server L2TP

I cannot access webfig using the public network (ether1).
I can access webfig only if I am connected to the VPN.

Here are my configs:

/interface ethernet
set [ find default-name=ether1 ] disable-running-check=no
set [ find default-name=ether2 ] disable-running-check=no
/interface l2tp-server
....
add name=l2tp-danny user=danny
....
/interface list
add name=VPN
/ip pool
add name=vpnclients ranges=192.168.111.2-192.168.111.200

/ppp profile
add local-address=vpnclients name=vpnclients remote-address=vpnclients \
    use-compression=yes use-encryption=yes use-ipv6=no
/interface l2tp-server server
set enabled=yes use-ipsec=yes
/interface list member
....
add interface=l2tp-danny list=VPN

/ip address
add address=46.101.*.*/18 interface=ether1 network=46.101.*.*
/ip dns
set allow-remote-requests=yes servers=8.8.8.8,1.1.1.1 use-doh-server=\
    https://1.1.1.1/dns-query

/ip firewall filter
add action=accept chain=input comment="accept established,related,untracked" \
    connection-state=established,related,untracked
add action=drop chain=input comment="drop invalid" connection-state=invalid
add action=accept chain=input protocol=icmp
add action=accept chain=input comment=\
    "accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=accept chain=input comment="Allow connections to VPN Server" \
    dst-port=1701,500,4500 in-interface=ether1 protocol=udp
add action=accept chain=input src-address=192.168.111.0/24
# added this rule while testing
add action=accept chain=input dst-port=80 protocol=tcp
add action=accept chain=forward comment="Allow connections to VPN Server" \
    in-interface=ether1 protocol=ipsec-esp
add action=accept chain=input dst-port=8888 in-interface=ether1 protocol=tcp
add action=accept chain=input comment="Allow connections to VPN Server" \
    in-interface=ether1 protocol=gre
add action=accept chain=input dst-port=1194 protocol=tcp
add action=accept chain=input in-interface-list=VPN
add action=accept chain=forward in-interface-list=VPN
# my home IP
add action=accept chain=input src-address=93.92.*.*
add action=drop chain=input comment="drop all"
add action=accept chain=forward ipsec-policy=in,ipsec
add action=accept chain=forward ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward connection-state=\
    established,related hw-offload=yes
add action=accept chain=forward comment=\
    "accept established,related, untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="drop invalid" connection-state=invalid
/ip firewall nat
add action=masquerade chain=srcnat out-interface=ether1

/ip route
add gateway=46.101.*.*
/ip service
set telnet disabled=yes
set ftp disabled=yes
# I've added local VPN clients and my home IP address (default port 80)
set www address=192.168.111.0/24,93.92.*.*/32
set ssh disabled=yes
set api disabled=yes
set winbox disabled=yes
set api-ssl disabled=yes

What's wrong? :)
 
markKn
just joined
Posts: 5
Joined: Sun Jan 18, 2015 7:02 am

Re: Cannot access to webfig from internet

Wed Feb 22, 2023 4:55 pm

There is a setting under tools that states what interfaces the configuration will allow connections from, WAN and LAN for example. I don't know about VPNs, so can't speak to that.
 
k6ccc
Forum Guru
Posts: 1490
Joined: Fri May 13, 2016 12:01 am
Location: Glendora, CA, USA (near Los Angeles)

Re: Cannot access to webfig from internet

Wed Feb 22, 2023 5:08 pm

DANGER! DANGER! Will Robinson! DANGER! DANGER!!
Without some additional security, leaving Webfig accessible from the internet is just asking to get hacked. At the very least use some combination of: Port Knock, restricting access to specific known IP addresses, using non-standard ports. FAR better yet is setting up VPN access into it.
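As an added worked example (written for this edit, not code from the thread or from MikroTik), here is a small Python model of how RouterOS evaluates the input chain posted above: rules are walked top to bottom, the first matching rule with a terminating action (accept, drop, reject) decides, and only then does the www service consult its own address= list. It uses RFC 5737 documentation addresses in place of the masked IPs, and the hardened variant assumes an address list named mgmt-allowed and port 8443, which combines two of the mitigations k6ccc lists (a non-default port and a known-IP restriction). Walking the chain as posted shows that a new TCP/80 connection from any internet address is accepted at the dst-port=80 protocol=tcp rule, which sits before the home-IP rule; at the firewall layer nothing distinguishes the home IP from a stranger, and only the /ip service address list keeps other hosts out of webfig.

```python
"""Model of how RouterOS walks a firewall input chain: top to bottom, first
rule whose matchers all fit and whose action terminates decides the packet.
Constructed illustration for this thread, not RouterOS code.  Masked
addresses from the post are replaced by RFC 5737 documentation addresses."""
import ipaddress
import shlex

HOME_IP = "203.0.113.10"       # stands in for the masked 93.92.*.*
STRANGER_IP = "198.51.100.7"   # any other host on the internet
VPN_CLIENT_IP = "192.168.111.5"
ROUTER_IP = "192.0.2.1"        # stands in for the masked 46.101.*.*

IFACE_LISTS = {"VPN": {"l2tp-danny"}}                        # /interface list member
SERVICE_WWW_ADDRESS = ["192.168.111.0/24", HOME_IP + "/32"]  # /ip service set www address=

# The posted input rules, in the posted order, with the masked home IP swapped.
POSTED_INPUT = f"""
add action=accept chain=input connection-state=established,related,untracked
add action=drop chain=input connection-state=invalid
add action=accept chain=input protocol=icmp
add action=accept chain=input dst-address=127.0.0.1
add action=accept chain=input dst-port=1701,500,4500 in-interface=ether1 protocol=udp
add action=accept chain=input src-address=192.168.111.0/24
add action=accept chain=input dst-port=80 protocol=tcp
add action=accept chain=input dst-port=8888 in-interface=ether1 protocol=tcp
add action=accept chain=input in-interface=ether1 protocol=gre
add action=accept chain=input dst-port=1194 protocol=tcp
add action=accept chain=input in-interface-list=VPN
add action=accept chain=input src-address={HOME_IP}
add action=drop chain=input comment="drop all"
"""

# Hardened variant: the wide-open port-80 accept becomes an accept on an assumed
# non-default port, limited to an assumed address list.  /ip service www would
# have to be moved to the same port for this to serve webfig.
HARDENED_INPUT = POSTED_INPUT.replace(
    "add action=accept chain=input dst-port=80 protocol=tcp",
    "add action=accept chain=input dst-port=8443 protocol=tcp src-address-list=mgmt-allowed",
)
ADDR_LISTS = {"mgmt-allowed": [HOME_IP + "/32"]}  # /ip firewall address-list (assumed name)
TERMINAL_ACTIONS = {"accept", "drop", "reject"}


def parse_rules(export_text):
    """Turn `add key=value ...` export lines into dicts; shlex keeps quoted values whole."""
    rules = []
    for line in export_text.strip().splitlines():
        tokens = shlex.split(line)
        if tokens and tokens[0] == "add":
            rules.append(dict(tok.split("=", 1) for tok in tokens[1:] if "=" in tok))
    return rules


def rule_matches(rule, pkt, iface_lists, addr_lists):
    """Every matcher present on the rule must fit; non-matcher keys (action, comment) are ignored."""
    src, dst = ipaddress.ip_address(pkt["src"]), ipaddress.ip_address(pkt["dst"])

    def in_net(ip, net):
        return ip in ipaddress.ip_network(net, strict=False)

    checks = {
        "protocol": lambda v: v == pkt["proto"],
        "dst-port": lambda v: pkt["dport"] in {int(p) for p in v.split(",")},
        "src-address": lambda v: in_net(src, v),
        "dst-address": lambda v: in_net(dst, v),
        "src-address-list": lambda v: any(in_net(src, n) for n in addr_lists.get(v, [])),
        "in-interface": lambda v: v == pkt["in_if"],
        "in-interface-list": lambda v: pkt["in_if"] in iface_lists.get(v, set()),
        "connection-state": lambda v: pkt["state"] in v.split(","),
    }
    return all(checks[k](v) for k, v in rule.items() if k in checks)


def walk_input_chain(export_text, pkt, iface_lists=IFACE_LISTS, addr_lists=ADDR_LISTS):
    """First-match walk of chain=input.  Returns (verdict, 1-based rule number or None);
    a chain with no terminating match falls back to RouterOS's implicit accept."""
    for number, rule in enumerate(parse_rules(export_text), start=1):
        if rule.get("chain") != "input":
            continue
        if rule.get("action") in TERMINAL_ACTIONS and rule_matches(rule, pkt, iface_lists, addr_lists):
            return rule["action"], number
    return "accept", None


def service_allows(pkt, allowed=SERVICE_WWW_ADDRESS):
    """Second gate: the www service's own address= list, consulted only after the
    firewall has already let the connection through."""
    src = ipaddress.ip_address(pkt["src"])
    return any(src in ipaddress.ip_network(a, strict=False) for a in allowed)


def webfig_reachable(export_text, src, in_if, dport=80):
    """New TCP connection to the router itself: firewall verdict, then service ACL.
    Returns (reachable, firewall_verdict, rule_number)."""
    pkt = {"proto": "tcp", "dport": dport, "src": src, "dst": ROUTER_IP,
           "in_if": in_if, "state": "new"}
    verdict, number = walk_input_chain(export_text, pkt)
    return verdict == "accept" and service_allows(pkt), verdict, number


if __name__ == "__main__":
    cases = [("home IP", HOME_IP, "ether1"), ("stranger", STRANGER_IP, "ether1"),
             ("VPN client", VPN_CLIENT_IP, "l2tp-danny")]
    for name, chain, port in (("posted", POSTED_INPUT, 80), ("hardened", HARDENED_INPUT, 8443)):
        for who, src, in_if in cases:
            print(name, who, f"tcp/{port}", webfig_reachable(chain, src, in_if, port))
```

Running it prints one verdict per case: with the posted chain both the home IP and the stranger are accepted by rule 7 and only the service list separates them, while with the hardened chain the stranger's SYN to 8443 falls through to the final "drop all" rule and never reaches the service at all.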
 
holvoetn
Forum Guru
Posts: 5403
Joined: Tue Apr 13, 2021 2:14 am
Location: Belgium

Re: Cannot access to webfig from internet

Wed Feb 22, 2023 5:38 pm

Don't bother allowing direct access from internet into your box.

Access through VPN sounds just about perfect to me.
That's how it is supposed to be done.
