peterab
just joined
Topic Author
Posts: 4
Joined: Thu Mar 09, 2023 11:15 am

VPN + access to local network

Thu Mar 09, 2023 11:35 am

Hello,
I apologize if my question is repetitive, but until now I couldn't find a solution myself in the forum.
I also asked for assistance from the place where I bought the router, but they refused to assist me.
The situation is this: we have a hAP ac³ RBD53IG-5HACD2HND router that is in the office and I want to run a VPN server on it. All the laptops have a VNC server installed, and when I am on the local network there is no problem accessing them by hostname. It's important to only access them by hostname because all laptops use an external docking station with a built-in LAN (there is one at every workstation); employees often change docking stations and workstations, and there is no way to put a fixed IP address on every laptop.
I managed to install a VPN server myself with access to the main network (DHCP) without needing to use a standalone. However, the problem is this: when I am out of the office and connect to the VPN server, I can only access the laptops by IP address but not by hostname.
Can I also set up the router so that when I connect to the office with the VPN I can connect to the VNC servers on the laptops by hostname only?
I am attaching my configuration; there may be things that are not right, but this is the first time I am encountering MikroTik.
Thanks in advance for the assistance!

# mar/08/2023 16:30:33 by RouterOS 7.6
# software id = A9C8-6NKS
#
# model = RBD53iG-5HacD2HnD
# serial number = HCQ08234SS7
/interface bridge
add admin-mac=18:FD:74:2F:8B:A9 auto-mac=no comment=defconf name=bridge
/interface ethernet
set [ find default-name=ether1 ] mac-address=5C:1A:6F:D6:53:30
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface wifiwave2 channel
add band=2ghz-n frequency=2412,2432,2462 name=2.4GHz width=20/40mhz
add band=5ghz-ac name=5GHz skip-dfs-channels=all width=20/40/80mhz
/interface wifiwave2 security
add authentication-types=wpa2-psk,wpa3-psk disable-pmkid=yes group-key-update=1h name=sec1
/interface wifiwave2 configuration
add chains=0,1 channel=2.4GHz country=Bulgaria mode=ap name="Conf 2.4GHz" security=sec1 ssid=PPViva1 tx-chains=0,1
add chains=0,1 channel=5GHz country=Bulgaria mode=ap name="Conf 5GHz" security=sec1 ssid=PPViva1 tx-chains=0,1
/interface wifiwave2
set [ find default-name=wifi1 ] channel=2.4GHz configuration="Conf 2.4GHz" configuration.mode=ap disabled=no security=sec1
set [ find default-name=wifi2 ] channel=5GHz configuration="Conf 5GHz" configuration.mode=ap disabled=no security=sec1
/ip pool
add name=dhcp ranges=192.168.88.10-192.168.88.254
add name=vpn ranges=192.168.89.2-192.168.89.255
/ip dhcp-server
add address-pool=dhcp interface=bridge name=defconf
/ppp profile
set *FFFFFFFE bridge=bridge dns-server=192.168.88.1 local-address=192.168.88.1 remote-address=dhcp
/interface bridge port
add bridge=bridge comment=defconf interface=ether2
add bridge=bridge comment=defconf interface=ether3
add bridge=bridge comment=defconf interface=ether4
add bridge=bridge comment=defconf interface=ether5
add bridge=bridge comment=defconf interface=wifi1
add bridge=bridge comment=defconf interface=wifi2
/ip neighbor discovery-settings
set discover-interface-list=LAN
/ip settings
set tcp-syncookies=yes
/interface l2tp-server server
set enabled=yes use-ipsec=yes
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=ether1 list=WAN
/ip address
add address=192.168.88.1/24 comment=defconf interface=bridge network=192.168.88.0
/ip cloud
set ddns-enabled=yes
/ip dhcp-client
add comment=defconf interface=ether1
/ip dhcp-server lease
add address=192.168.88.74 mac-address=00:21:04:0D:59:B6 server=defconf
add address=192.168.88.147 client-id=1:0:e0:4c:36:4d:a5 mac-address=00:E0:4C:36:4D:A5 server=defconf
add address=192.168.88.227 client-id=1:14:98:77:7a:c1:80 mac-address=14:98:77:7A:C1:80 server=defconf
add address=192.168.88.204 client-id=1:0:e0:4c:36:55:f8 mac-address=00:E0:4C:36:55:F8 server=defconf
add address=192.168.88.237 client-id=1:68:ff:7b:83:50:d6 mac-address=68:FF:7B:83:50:D6 server=defconf
add address=192.168.88.44 client-id=1:0:e0:4c:36:41:60 mac-address=00:E0:4C:36:41:60 server=defconf
add address=192.168.88.165 client-id=1:0:e0:4c:36:16:d0 mac-address=00:E0:4C:36:16:D0 server=defconf
add address=192.168.88.59 client-id=1:0:e0:4c:36:f6:33 mac-address=00:E0:4C:36:F6:33 server=defconf
/ip dhcp-server network
add address=192.168.88.0/24 comment=defconf dns-server=192.168.88.1 gateway=192.168.88.1
/ip dns
set allow-remote-requests=yes
/ip dns static
add address=192.168.88.1 comment=defconf name=router.lan
/ip firewall filter
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=accept chain=input comment="allow IPsec NAT" dst-port=4500 protocol=udp
add action=accept chain=input comment="allow IKE" dst-port=500 protocol=udp
add action=accept chain=input comment="allow l2tp" dst-port=1701 protocol=udp
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment="defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=drop chain=input comment="defconf: drop all not coming from LAN" in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related hw-offload=yes
add action=accept chain=forward comment="defconf: accept established,related, untracked" connection-state=established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
add action=drop chain=forward comment="defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat connection-state=new in-interface-list=WAN
add action=accept chain=input dst-port=1701,500,4500 in-interface-list=WAN protocol=udp
add action=accept chain=input in-interface-list=WAN protocol=ipsec-esp
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" ipsec-policy=out,none src-address=192.168.88.0/24
add action=masquerade chain=srcnat comment="masq. vpn traffic" src-address=192.168.89.0/24
/ip service
set telnet disabled=yes
set ftp disabled=yes
set www disabled=yes
set ssh port=2244
set api disabled=yes
set api-ssl disabled=yes
/ipv6 firewall address-list
add address=::/128 comment="defconf: unspecified address" list=bad_ipv6
add address=::1/128 comment="defconf: lo" list=bad_ipv6
add address=fec0::/10 comment="defconf: site-local" list=bad_ipv6
add address=::ffff:0.0.0.0/96 comment="defconf: ipv4-mapped" list=bad_ipv6
add address=::/96 comment="defconf: ipv4 compat" list=bad_ipv6
add address=100::/64 comment="defconf: discard only " list=bad_ipv6
add address=2001:db8::/32 comment="defconf: documentation" list=bad_ipv6
add address=2001:10::/28 comment="defconf: ORCHID" list=bad_ipv6
add address=3ffe::/16 comment="defconf: 6bone" list=bad_ipv6
/ipv6 firewall filter
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=input comment="defconf: accept ICMPv6" protocol=icmpv6
add action=accept chain=input comment="defconf: accept UDP traceroute" port=33434-33534 protocol=udp
add action=accept chain=input comment="defconf: accept DHCPv6-Client prefix delegation." dst-port=546 protocol=udp src-address=fe80::/10
add action=accept chain=input comment="defconf: accept IKE" dst-port=500,4500 protocol=udp
add action=accept chain=input comment="defconf: accept ipsec AH" protocol=ipsec-ah
add action=accept chain=input comment="defconf: accept ipsec ESP" protocol=ipsec-esp
add action=accept chain=input comment="defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=input comment="defconf: drop everything else not coming from LAN" in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
add action=drop chain=forward comment="defconf: drop packets with bad src ipv6" src-address-list=bad_ipv6
add action=drop chain=forward comment="defconf: drop packets with bad dst ipv6" dst-address-list=bad_ipv6
add action=drop chain=forward comment="defconf: rfc4890 drop hop-limit=1" hop-limit=equal:1 protocol=icmpv6
add action=accept chain=forward comment="defconf: accept ICMPv6" protocol=icmpv6
add action=accept chain=forward comment="defconf: accept HIP" protocol=139
add action=accept chain=forward comment="defconf: accept IKE" dst-port=500,4500 protocol=udp
add action=accept chain=forward comment="defconf: accept ipsec AH" protocol=ipsec-ah
add action=accept chain=forward comment="defconf: accept ipsec ESP" protocol=ipsec-esp
add action=accept chain=forward comment="defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=forward comment="defconf: drop everything else not coming from LAN" in-interface-list=!LAN
/ppp secret
add name=vpn profile=default-encryption service=l2tp
/system clock
set time-zone-name=Europe/Sofia
/tool bandwidth-server
set authenticate=no enabled=no
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN
/tool mac-server ping
set enabled=no
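An added note and example on the firewall part of the export above (this is the editor's example, not configuration from the thread or from MikroTik). As exported, udp/1701 (the "allow l2tp" rule) is accepted from any interface and any source address without requiring that it arrive inside an IPsec SA, and `use-ipsec=yes` on the L2TP server still lets a client negotiate plain, unencrypted L2TP; the two extra `input` rules appended after "drop all not coming from LAN" sit after the final drop and never match (so ESP without NAT-T is never accepted). The block below tightens this: require IPsec on the L2TP server, accept udp/1701 only when the packet was decrypted by IPsec, accept ESP for clients that are not behind NAT, and add the dynamic PPP interfaces to the LAN list so VPN clients can reach the router's DNS on 192.168.88.1 (which the current final input drop blocks). Rule comments and list names follow the export; the assumption that the edited profile `*FFFFFFFE` is `default-encryption` (the profile referenced by the secret) is this example's own.

```routeros
# Added example, not from the thread: harden the L2TP/IPsec input rules.
# Assumes the profile shown as *FFFFFFFE in the export is "default-encryption".

/interface l2tp-server server
# "yes" only offers IPsec; "required" rejects clients that try plain L2TP
set enabled=yes use-ipsec=required

/ppp profile
# dynamic <l2tp-*> interfaces join LAN, so "drop all not coming from LAN"
# no longer blocks VPN clients' DNS queries to 192.168.88.1
set default-encryption interface-list=LAN

/ip firewall filter
# IKE and NAT-T only from the WAN side
set [find comment="allow IKE"] in-interface-list=WAN
set [find comment="allow IPsec NAT"] in-interface-list=WAN
# L2TP only after IPsec decryption (matches NAT-T and plain ESP alike)
set [find comment="allow l2tp"] in-interface-list=WAN ipsec-policy=in,ipsec
# ESP for clients that are not behind NAT; placed before the final input drop
add chain=input action=accept comment="allow IPsec ESP" \
    in-interface-list=WAN protocol=ipsec-esp \
    place-before=[find comment="defconf: drop all not coming from LAN"]
# the two uncommented rules after the final drop are unreachable and can be
# removed by number after:  /ip firewall filter print where chain=input
```

After applying, `/ip firewall filter print where chain=input` should show the three VPN accept rules and the new ESP rule above the "drop all not coming from LAN" rule; a client that has IPsec disabled will now fail to connect instead of falling back to unencrypted L2TP.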
 
anav
Forum Guru
Posts: 19103
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: VPN + access to local network

Thu Mar 09, 2023 5:59 pm

Sounds like you need Layer 2 MAC address connectivity for hostname? or some Layer 2 broadcast recognition??

Two options: use ZeroTier, or perhaps an EoIP tunnel within the VPN tunnel???
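The Layer 2 point above is the crux: on the office LAN, Windows resolves a bare laptop name through broadcast or multicast (NetBIOS, LLMNR, mDNS), and those frames never cross a routed L2TP tunnel, which is why the laptops answer by IP but not by name. Bridging the VPN (ZeroTier, EoIP) is one way round that. An alternative that keeps the tunnel routed is to let the router itself answer the names: every laptop already sends its hostname in its DHCP request, and the VPN profile already hands clients 192.168.88.1 as resolver. The script below is an added example (the editor's, not from the thread or from MikroTik) of a DHCP lease script that mirrors each lease's hostname into `/ip dns static`, so a VPN client can reach `laptopname.lan`. The `lan` suffix, the `dhcp-lease` comment tag and the script name are this example's own choices; the `$leaseBound`, `$leaseActIP` and `$leaseActMAC` variables are the ones RouterOS provides to lease scripts. Because the hostname is supplied by the client, the script refuses to publish a name that would shadow a hand-made record (such as the defconf `router.lan`), otherwise any device on the LAN could claim the router's or a server's name.

```routeros
# Added example, not from the thread: publish DHCP client hostnames in DNS.
# Paste this as the DHCP server's lease script:
#   /ip dhcp-server set defconf lease-script="<this text>"
# RouterOS sets $leaseBound (1 on bind, 0 on release/expiry), $leaseActIP
# and $leaseActMAC before running it.  "lan" and "dhcp-lease" are assumptions.
:local domain "lan"
:local tag "dhcp-lease"

:if ($leaseBound = 1) do={
  # hostname as sent by the client in its DHCP request: untrusted input
  :local hn [/ip dhcp-server lease get [find address=$leaseActIP] host-name]
  :if ([:len $hn] > 0) do={
    :local fqdn ($hn . "." . $domain)
    # only ever touch records carrying our tag; never overwrite a manual one
    :if ([:len [/ip dns static find where name=$fqdn and comment!=$tag]] = 0) do={
      /ip dns static remove [find where comment=$tag and name=$fqdn]
      /ip dns static remove [find where comment=$tag and address=$leaseActIP]
      /ip dns static add name=$fqdn address=$leaseActIP ttl=10m comment=$tag
    } else={
      :log warning ("dhcp-to-dns: refusing to publish " . $fqdn . " claimed by " . $leaseActMAC)
    }
  }
} else={
  # lease released or expired: retire the record we created for that address
  /ip dns static remove [find where comment=$tag and address=$leaseActIP]
}
```

Check it from a VPN client with `nslookup laptopname.lan 192.168.88.1` (or `/ip dns static print where comment=dhcp-lease` on the router). Note that this resolves the suffixed name only; a bare `laptopname` will still work from Windows only if the client's connection-specific DNS suffix is set to `lan`, and a hostname containing characters that are not valid in DNS labels will simply not resolve.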
 
peterab
just joined
Topic Author
Posts: 4
Joined: Thu Mar 09, 2023 11:15 am

Re: VPN + access to local network

Thu Mar 09, 2023 6:15 pm

I apologize for the stupid question, but how would it be easiest to do? I'm unfortunately not an IT admin, but I'm trying to do everything I can myself.
 
anav
Forum Guru
Posts: 19103
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: VPN + access to local network

Thu Mar 09, 2023 7:04 pm

I also apologize for a stupid question, but why on earth do you want to look at people's laptops??
If you wanted to access servers/databases etc......... that would make sense to me.

In any case your best bet is setting up ZeroTier on the AC3 and on the mobile device that you use when remote (laptops/iPads/smartphones etc.).
 
peterab
just joined
Topic Author
Posts: 4
Joined: Thu Mar 09, 2023 11:15 am

Re: VPN + access to local network

Fri Mar 10, 2023 9:48 am

anav wrote:
> I also apologize for stupid question, why on earth do you want to look at people laptops??
> If you wanted to access servers/databases etc......... that would make sense to me.
>
> In any case your best bet is setting up zerotier on the AC3 and on your mobile device that you use when remote (laptops/ipads/smartphones etc.)

The reasons are many, but I will list the most interesting:
- my program won't load
- I cannot send an email
- I don't receive email
- my VoIP phone headset is not working
- I can't take a screenshot
The employees in the office do a variety of work and sometimes some of them have difficulty with basic tasks, and this is how I help them. For the moment we are not considering using paid services (TeamViewer, AnyDesk); I am basically in the office helping them. But sometimes I have to be away from the office, so it's hard to do without a VPN. We bought this router on the recommendation of the company that provides our VoIP calls, we bought it from them, but they don't want to assist with additional settings and I have to do it.
I am the office support, but as I said I am not a specialist in this; my job is to assist with the software we use and help colleagues with setup, installation and workflow assistance with Windows, MS Office and basic software.
That's why I'm looking for help here, but if no one here is willing to assist me either - then I've come across the same people we bought the router from.
Have a nice day.
 
anav
Forum Guru
Posts: 19103
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: VPN + access to local network

Fri Mar 10, 2023 1:54 pm

Your attitude is horrible, no wonder they didn't help.
I gave you excellent advice and that is to use ZeroTier; it's perfect and your router is capable of it.

This is a forum where people take their free time to help others.
Suggest you go the consultant route (pun intended) for instant gratification.
 
peterab
just joined
Topic Author
Posts: 4
Joined: Thu Mar 09, 2023 11:15 am

Re: VPN + access to local network

Fri Mar 10, 2023 2:40 pm

I'm sorry if I offended you, that wasn't my point - you asked and I answered.
I guess you are aware that if I were an expert in this field I would not have sought assistance, I would have done everything myself.
I also spend some of my spare time in other forums where I can be useful and I understand your point of view very well.
I just needed quick and easy assistance (if there is any for my case) without engaging someone to spend hours helping me for free.
Still, this is a forum - no one is obligated to assist, but whoever is willing to help will.
Thanks again for writing and I will try to resolve this issue myself.
