[internet]<->[ISP modem/router]<->[Mikrotik]<->[VPN server (Raspberry Pi)]
ISP modem/router IP: 192.168.1.1
Mikrotik IP: 192.168.234.1 (RouterOs v6.49)
RPi IP: 192.168.234.3
From my smartphone, connected to the VPN:
ping 192.168.1.1 = success.
open http://192.168.1.1 for modem admin page = success.
But I can't do the same from a PC (desktop, laptop, any PC).
From my PC, connected to the VPN:
ping 192.168.1.1 = General failure..
open http://192.168.1.1 for modem admin page = Unable to connect
Here is my Mikrotik config:
# Layer-2 setup: one LAN bridge (bridge-local) holding every port except ether1,
# which is renamed ether1-gateway and used as the uplink to the ISP modem/router.
/interface bridge
add name=bridge-local
/interface ethernet
set [ find default-name=ether1 ] name=ether1-gateway speed=100Mbps
set [ find default-name=ether2 ] speed=100Mbps
set [ find default-name=ether3 ] speed=100Mbps
set [ find default-name=ether4 ] speed=100Mbps
set [ find default-name=ether5 ] speed=100Mbps
set [ find default-name=ether6 ] advertise=\
10M-half,10M-full,100M-half,100M-full,1000M-half,1000M-full
set [ find default-name=ether7 ] advertise=\
10M-half,10M-full,100M-half,100M-full,1000M-half,1000M-full
set [ find default-name=ether8 ] advertise=\
10M-half,10M-full,100M-half,100M-full,1000M-half,1000M-full
set [ find default-name=ether9 ] advertise=\
10M-half,10M-full,100M-half,100M-full,1000M-half,1000M-full
set [ find default-name=ether10 ] advertise=\
10M-half,10M-full,100M-half,100M-full,1000M-half,1000M-full
# Interface list used below to scope neighbor discovery.
/interface list
add exclude=dynamic name=discover
# DHCP pool for LAN clients; .2 and .3 are reserved by static leases further down.
/ip pool
add name=default-dhcp ranges=192.168.234.20-192.168.234.250
/ip dhcp-server
add address-pool=default-dhcp disabled=no interface=bridge-local lease-time=\
30m name=default
# All LAN ports, sfp1 and wlan1 share one broadcast domain; hw=no keeps bridging
# in software on the wired ports.
/interface bridge port
add bridge=bridge-local hw=no interface=ether2
add bridge=bridge-local hw=no interface=ether3
add bridge=bridge-local hw=no interface=ether4
add bridge=bridge-local hw=no interface=ether5
add bridge=bridge-local hw=no interface=ether6
add bridge=bridge-local hw=no interface=ether7
add bridge=bridge-local hw=no interface=ether8
add bridge=bridge-local hw=no interface=ether9
add bridge=bridge-local hw=no interface=ether10
add bridge=bridge-local hw=no interface=sfp1
add bridge=bridge-local interface=wlan1
# Neighbor discovery is limited to the "discover" list. ether1-gateway is not a
# member, so the router does not announce itself on the uplink side.
/ip neighbor discovery-settings
set discover-interface-list=discover
/interface list member
add interface=sfp1 list=discover
add interface=ether2 list=discover
add interface=ether3 list=discover
add interface=ether4 list=discover
add interface=ether5 list=discover
add interface=ether6 list=discover
add interface=ether7 list=discover
add interface=ether8 list=discover
add interface=ether9 list=discover
add interface=ether10 list=discover
add interface=wlan1 list=discover
add interface=bridge-local list=discover
# Layer-3 addressing, DHCP and DNS for the LAN side.
/ip address
add address=192.168.234.1/24 comment="default configuration" interface=\
bridge-local network=192.168.234.0
# NOTE(review): 1.1.1.0/24 is publicly routable space (1.1.1.1 is a public DNS
# resolver). Assigning it to bridge-local makes that prefix local to this router,
# so LAN hosts can never reach the real 1.1.1.0/24 — confirm this is intended.
add address=1.1.1.1/24 interface=bridge-local network=1.1.1.0
# Uplink address comes from the ISP modem/router via DHCP.
/ip dhcp-client
add comment="default configuration" disabled=no interface=ether1-gateway
# Static leases: .2 = log server, .3 = Raspberry Pi (the VPN server). Both
# addresses are referenced by the firewall address lists, so access control
# below depends on these MAC-to-IP bindings.
/ip dhcp-server lease
add address=192.168.234.2 client-id=1:90:9:d0:2d:a5:cf comment=\
"Log server (add by vee)" mac-address=90:09:D0:2D:A5:CF server=default
add address=192.168.234.3 client-id=1:dc:a6:32:c3:7c:ee comment=\
"Raspberry pi (add by vee)" mac-address=DC:A6:32:C3:7C:EE server=default
# NOTE(review): clients are leased 192.168.234.x addresses but handed
# gateway=1.1.1.1, which lies outside 192.168.234.0/24 — verify clients handle
# an off-subnet gateway as expected.
/ip dhcp-server network
add address=192.168.234.0/24 comment="default configuration" dns-server=\
192.168.234.1 gateway=1.1.1.1
# allow-remote-requests=yes makes the router answer DNS queries from any host
# that can reach it. No input-chain rule in this export drops port 53 on
# ether1-gateway, so the resolver is reachable from the uplink side as well.
# NOTE(review): the first upstream server is the router's own LAN address
# (192.168.234.1) — presumably unintended; confirm.
/ip dns
set allow-remote-requests=yes servers=192.168.234.1,8.8.8.8,8.8.4.4
# Address lists used as match criteria by the filter rules below.
# "Allowed access internal devices" contains only the Raspberry Pi (192.168.234.3).
/ip firewall address-list
add address=192.168.1.1 comment="ISP modem router (add by vee)" list=\
"ISP modem router"
add address=192.168.234.3 comment=\
"Allowed access modem router & internal devices (add by vee)." list=\
"Allowed access internal devices"
add address=192.168.234.2 comment="Log server (add by vee)" list="Log server"
# Filter rules are evaluated top to bottom. This export contains no drop rule in
# the input chain and no final drop in forward, so anything not matched by the
# two forward drops below is accepted by default; the three input accepts do not
# restrict anything on their own.
/ip firewall filter
add action=passthrough chain=unused-hs-chain comment=\
"place hotspot rules here" disabled=yes
add action=log chain=forward comment="log to nas (add be vee)" \
connection-state=new disabled=yes dst-port=80,443 out-interface=\
ether1-gateway protocol=tcp
# Management ports accepted with no in-interface or src-address match:
# 8291 = WinBox, 8088 = the www service (see /ip service), 8728 = API.
# NOTE(review): 8088 and 8728 are the unencrypted www and api services; with no
# source restriction here, exposure is bounded only by the per-service address
# settings and by whatever sits upstream of ether1-gateway.
add action=accept chain=input comment="Allow WinBox from WAN" dst-port=8291 \
protocol=tcp
add action=accept chain=input comment="Allow 8088 from WAN" dst-port=8088 \
protocol=tcp
add action=accept chain=input comment="Mikrotik API from WAN (add by vee)" \
dst-port=8728 protocol=tcp
# Drops forwarded TCP/80 to the ISP modem unless the source is in the allowed
# list (the Raspberry Pi). Only TCP port 80 is matched: ICMP and any other port
# on 192.168.1.1 are not covered by this rule.
add action=drop chain=forward comment=\
"Block access to modem router except from some device. (add by vee)" \
dst-address-list="ISP modem router" dst-port=80 protocol=tcp \
src-address-list="!Allowed access internal devices"
# Same pattern for the log server: only TCP/5000 is restricted to the allowed list.
add action=drop chain=forward comment=\
"Block access to log server except from some device. (add by vee)" \
dst-address-list="Log server" dst-port=5000 protocol=tcp \
src-address-list="!Allowed access internal devices"
# NAT rules and connection-tracking helpers.
/ip firewall nat
add action=passthrough chain=unused-hs-chain comment=\
"place hotspot rules here" disabled=yes
add action=redirect chain=dstnat disabled=yes dst-port=80 protocol=tcp \
to-ports=8080
# Source-NAT everything leaving through the uplink; log=yes records each match.
add action=masquerade chain=srcnat comment="default configuration" log=yes \
out-interface=ether1-gateway
# NOTE(review): this rule has no out-interface, so it masquerades all traffic
# sourced from 192.168.234.0/24 regardless of where it exits, including
# LAN-to-LAN flows through the router. Destination hosts then see the router's
# address instead of the real client, which weakens per-host logging and any
# source-based access control on those hosts — confirm intended.
add action=masquerade chain=srcnat comment="masquerade hotspot network" \
src-address=192.168.234.0/24
# Forwards UDP/51820 (the WireGuard default port) arriving at any of the
# router's own addresses to the Raspberry Pi. There is no in-interface match,
# so it applies to packets from the LAN side as well as the uplink.
add action=dst-nat chain=dstnat comment="VPN on Raspberry pi (add by vee)" \
dst-address-type=local dst-port=51820 protocol=udp to-addresses=\
192.168.234.3 to-ports=51820
# All NAT/conntrack protocol helpers are turned off, which removes their
# parsing code from the packet path.
/ip firewall service-port
set ftp disabled=yes
set tftp disabled=yes
set irc disabled=yes
set h323 disabled=yes
set sip disabled=yes
set pptp disabled=yes
set udplite disabled=yes
set dccp disabled=yes
set sctp disabled=yes
# Router management services. telnet, ftp, ssh and api-ssl are disabled.
/ip service
set telnet disabled=yes
set ftp disabled=yes
# www (plain-HTTP management UI) moved to 8088; no address= restriction is set
# here, and the input chain accepts 8088 from any source.
set www port=8088
set ssh disabled=yes
# WinBox only accepts connections whose source is the Raspberry Pi.
set winbox address=192.168.234.3/32
# NOTE(review): api-ssl is disabled while the input chain accepts 8728, the
# plaintext API port. The api service does not appear in this export, so it is
# presumably at its defaults — verify whether it is enabled and unrestricted.
set api-ssl disabled=yes
# allow-none-crypto=yes permits SSH sessions with the "none" cipher, i.e. no
# encryption. It has no effect while the ssh service is disabled above, but
# becomes a weak default if SSH is ever re-enabled.
/ip ssh
set allow-none-crypto=yes forwarding-enabled=remote