I have CHR on digitalocean.
CHR used for private VPN
So, I have:
ether1 - public network
ether2 - private DO network (not configured)
l2tp-danny - server L2TP
I can not access to webfig using public network (ether1)
But can access to webfig only if I connected to VPN
Here is my configs:
Code: Select all
/interface ethernet
set [ find default-name=ether1 ] disable-running-check=no
set [ find default-name=ether2 ] disable-running-check=no
/interface l2tp-server
....
add name=l2tp-danny user=danny
....
/interface list
add name=VPN
/ip pool
add name=vpnclients ranges=192.168.111.2-192.168.111.200
/ppp profile
add local-address=vpnclients name=vpnclients remote-address=vpnclients \
use-compression=yes use-encryption=yes use-ipv6=no
/interface l2tp-server server
set enabled=yes use-ipsec=yes
/interface list member
....
add interface=l2tp-danny list=VPN
/ip address
add address=46.101.*.*/18 interface=ether1 network=46.101.*.*
/ip dns
set allow-remote-requests=yes servers=8.8.8.8,1.1.1.1 use-doh-server=\
https://1.1.1.1/dns-query
/ip firewall filter
add action=accept chain=input comment="accept established,related,untracked" \
connection-state=established,related,untracked
add action=drop chain=input comment="drop invalid" connection-state=invalid
add action=accept chain=input protocol=icmp
add action=accept chain=input comment=\
"accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=accept chain=input comment="Allow connections to VPN Server" \
dst-port=1701,500,4500 in-interface=ether1 protocol=udp
add action=accept chain=input src-address=192.168.111.0/24
add action=accept chain=input dst-port=80 protocol=tcp - added this rule while testing
add action=accept chain=forward comment="Allow connections to VPN Server" \
in-interface=ether1 protocol=ipsec-esp
add action=accept chain=input dst-port=8888 in-interface=ether1 protocol=tcp
add action=accept chain=input comment="Allow connections to VPN Server" \
in-interface=ether1 protocol=gre
add action=accept chain=input dst-port=1194 protocol=tcp
add action=accept chain=input in-interface-list=VPN
add action=accept chain=forward in-interface-list=VPN
add action=accept chain=input src-address=93.92.*.* - my home IP
add action=drop chain=input comment="drop all"
add action=accept chain=forward ipsec-policy=in,ipsec
add action=accept chain=forward ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward connection-state=\
established,related hw-offload=yes
add action=accept chain=forward comment=\
"accept established,related, untracked" connection-state=\
established,related,untracked
add action=drop chain=forward comment="drop invalid" connection-state=invalid
/ip firewall nat
add action=masquerade chain=srcnat out-interface=ether1
/ip route
add gateway=46.101.*.*
/ip service
set telnet disabled=yes
set ftp disabled=yes
set www address=192.168.111.0/24,93.92.*.*/32 - I've added local VPN clients and my home IP address (default port 80)
set ssh disabled=yes
set api disabled=yes
set winbox disabled=yes
set api-ssl disabled=yes
What's wrong?