kvee

Access modem behind Mikrotik via VPN. Not working on PC but work on Smart phone

Sun Apr 09, 2023 10:12 am

I have devices connected like this.
[internet]<->[ISP modem/router]<->[Mikrotik]<->[VPN server (Raspberry Pi)]

ISP modem/router IP: 192.168.1.1
Mikrotik IP: 192.168.234.1 (RouterOs v6.49)
RPi IP: 192.168.234.3

From my smart phone -> connected to VPN and:
ping 192.168.1.1 = success.
open http://192.168.1.1 for modem admin page = success.
But, I can't do the same on my PC (desktop, laptop, any PCs).

From my PC connected to VPN and:
ping 192.168.1.1 = General failure..
open http://192.168.1.1 for modem admin page = Unable to connect

Here is my Mikrotik config:
# Single LAN bridge; the ports are attached to it under "/interface bridge port".
/interface bridge
add name=bridge-local

# ether1 is renamed ether1-gateway. The DHCP client and the default masquerade
# rule in this export are bound to that name, so it is the uplink port.
# ether1-5 carry speed=100Mbps; ether6-10 advertise every rate from 10M-half
# to 1000M-full.
/interface ethernet
set [ find default-name=ether1 ] name=ether1-gateway speed=100Mbps
set [ find default-name=ether2 ] speed=100Mbps
set [ find default-name=ether3 ] speed=100Mbps
set [ find default-name=ether4 ] speed=100Mbps
set [ find default-name=ether5 ] speed=100Mbps
set [ find default-name=ether6 ] advertise=\
    10M-half,10M-full,100M-half,100M-full,1000M-half,1000M-full
set [ find default-name=ether7 ] advertise=\
    10M-half,10M-full,100M-half,100M-full,1000M-half,1000M-full
set [ find default-name=ether8 ] advertise=\
    10M-half,10M-full,100M-half,100M-full,1000M-half,1000M-full
set [ find default-name=ether9 ] advertise=\
    10M-half,10M-full,100M-half,100M-full,1000M-half,1000M-full
set [ find default-name=ether10 ] advertise=\
    10M-half,10M-full,100M-half,100M-full,1000M-half,1000M-full

# Interface list "discover"; the neighbor-discovery setting in this export
# points at it.
/interface list
add exclude=dynamic name=discover

# Dynamic pool for LAN clients: .20-.250 of 192.168.234.0/24. Addresses below
# .20 stay outside the pool (the static leases for .2 and .3 live there).
/ip pool
add name=default-dhcp ranges=192.168.234.20-192.168.234.250

# DHCP server on the LAN bridge, leasing from default-dhcp for 30 minutes.
/ip dhcp-server
add address-pool=default-dhcp disabled=no interface=bridge-local lease-time=\
    30m name=default

# Every port except ether1-gateway (ether2-10, sfp1, wlan1) joins bridge-local,
# so wired and wireless clients share one LAN segment. hw=no is set on the
# wired ports.
/interface bridge port
add bridge=bridge-local hw=no interface=ether2
add bridge=bridge-local hw=no interface=ether3
add bridge=bridge-local hw=no interface=ether4
add bridge=bridge-local hw=no interface=ether5
add bridge=bridge-local hw=no interface=ether6
add bridge=bridge-local hw=no interface=ether7
add bridge=bridge-local hw=no interface=ether8
add bridge=bridge-local hw=no interface=ether9
add bridge=bridge-local hw=no interface=ether10
add bridge=bridge-local hw=no interface=sfp1
add bridge=bridge-local interface=wlan1

# Neighbor discovery is limited to the interfaces in the "discover" list.
/ip neighbor discovery-settings
set discover-interface-list=discover

# The list holds the LAN ports and the bridge. ether1-gateway is not a member,
# so the router does not run neighbor discovery on the uplink side.
/interface list member
add interface=sfp1 list=discover
add interface=ether2 list=discover
add interface=ether3 list=discover
add interface=ether4 list=discover
add interface=ether5 list=discover
add interface=ether6 list=discover
add interface=ether7 list=discover
add interface=ether8 list=discover
add interface=ether9 list=discover
add interface=ether10 list=discover
add interface=wlan1 list=discover
add interface=bridge-local list=discover

# LAN addressing. 192.168.234.1/24 is the router's address on the bridge.
# NOTE(review): the second entry puts 1.1.1.1/24 on the same bridge. 1.1.1.0/24
# is public address space (1.1.1.1 is a public DNS resolver), so while this
# address is active the router answers for that prefix itself and LAN clients
# cannot reach the real hosts. Presumably a hotspot-setup leftover - confirm,
# and use a private range if a second LAN address is really needed.
/ip address
add address=192.168.234.1/24 comment="default configuration" interface=\
    bridge-local network=192.168.234.0
add address=1.1.1.1/24 interface=bridge-local network=1.1.1.0

# The uplink takes its address by DHCP on ether1-gateway (presumably from the
# ISP modem/router at 192.168.1.1 described in the post).
/ip dhcp-client
add comment="default configuration" disabled=no interface=ether1-gateway

# Static leases for the log server (.2) and the Raspberry Pi VPN server (.3).
# The firewall address lists and the winbox address= restriction in this export
# key on these IPs. A static lease only fixes what the DHCP server offers; it
# does not stop another LAN host from configuring the same address by hand, so
# these IP-based allow rules are only as strong as control over the LAN.
/ip dhcp-server lease
add address=192.168.234.2 client-id=1:90:9:d0:2d:a5:cf comment=\
    "Log server (add by vee)" mac-address=90:09:D0:2D:A5:CF server=default
add address=192.168.234.3 client-id=1:dc:a6:32:c3:7c:ee comment=\
    "Raspberry pi (add by vee)" mac-address=DC:A6:32:C3:7C:EE server=default

# NOTE(review): clients are handed gateway=1.1.1.1, which lies outside the
# leased 192.168.234.0/24 and only works because of the extra 1.1.1.1/24
# address on the bridge. 192.168.234.1 would be the expected value - confirm.
/ip dhcp-server network
add address=192.168.234.0/24 comment="default configuration" dns-server=\
    192.168.234.1 gateway=1.1.1.1

# allow-remote-requests=yes makes the router a DNS resolver for any host that
# can reach it. Nothing in this export drops DNS arriving on ether1-gateway,
# so the resolver is not limited to the LAN.
# NOTE(review): the first upstream server is the router's own LAN address
# (192.168.234.1); only 8.8.8.8 and 8.8.4.4 are real upstreams - confirm.
/ip dns
set allow-remote-requests=yes servers=192.168.234.1,8.8.8.8,8.8.4.4

# Address lists used as match criteria by the forward-chain drop rules below.
# Membership is by IP address only. 192.168.234.3 (the Raspberry Pi VPN
# server) is the single source those rules let through.
/ip firewall address-list
add address=192.168.1.1 comment="ISP modem router (add by vee)" list=\
    "ISP modem router"
add address=192.168.234.3 comment=\
    "Allowed access modem router & internal devices (add by vee)." list=\
    "Allowed access internal devices"
add address=192.168.234.2 comment="Log server (add by vee)" list="Log server"

# NOTE(review): this table contains no drop rule for chain=input. RouterOS
# accepts a packet that matches no filter rule, so the three "accept" rules
# below do not restrict anything. Access to the router's own services is
# limited only by the address= settings under "/ip service". A conventional
# input chain accepts established/related traffic, accepts management from a
# trusted source list, and drops everything else.
/ip firewall filter
add action=passthrough chain=unused-hs-chain comment=\
    "place hotspot rules here" disabled=yes
add action=log chain=forward comment="log to nas (add be vee)" \
    connection-state=new disabled=yes dst-port=80,443 out-interface=\
    ether1-gateway protocol=tcp
# The three accept rules carry no in-interface or src-address match, so they
# apply to every interface, not only the WAN side named in their comments.
# 8291 is WinBox, 8088 is the relocated www (plain HTTP) service, and 8728 is
# the unencrypted API port. Management over HTTP or the plain API sends
# credentials without transport encryption; prefer reaching them through the
# VPN only.
add action=accept chain=input comment="Allow WinBox from WAN" dst-port=8291 \
    protocol=tcp
add action=accept chain=input comment="Allow 8088 from WAN" dst-port=8088 \
    protocol=tcp
add action=accept chain=input comment="Mikrotik API from WAN (add by vee)" \
    dst-port=8728 protocol=tcp
# Only TCP/80 toward the modem is dropped for sources outside the allow list.
# Other ports and protocols to 192.168.1.1 are still forwarded.
add action=drop chain=forward comment=\
    "Block access to modem router except from some device. (add by vee)" \
    dst-address-list="ISP modem router" dst-port=80 protocol=tcp \
    src-address-list="!Allowed access internal devices"
# Same pattern for the log server: only TCP/5000 is covered. It applies only
# to traffic the router forwards; hosts bridged on the same LAN segment reach
# 192.168.234.2 without passing this chain.
add action=drop chain=forward comment=\
    "Block access to log server except from some device. (add by vee)" \
    dst-address-list="Log server" dst-port=5000 protocol=tcp \
    src-address-list="!Allowed access internal devices"

# NAT table. The first two rules are disabled placeholders.
/ip firewall nat
add action=passthrough chain=unused-hs-chain comment=\
    "place hotspot rules here" disabled=yes
add action=redirect chain=dstnat disabled=yes dst-port=80 protocol=tcp \
    to-ports=8080
# Standard source NAT toward the uplink; log=yes records matches in the log.
add action=masquerade chain=srcnat comment="default configuration" log=yes \
    out-interface=ether1-gateway
# NOTE(review): no out-interface here, so LAN-sourced traffic is masqueraded
# on every outgoing interface, not only the uplink. That hides the original
# client address from internal hosts and their logs - confirm it is intended.
add action=masquerade chain=srcnat comment="masquerade hotspot network" \
    src-address=192.168.234.0/24
# Publishes UDP/51820 (the VPN on the Raspberry Pi) on any address the router
# owns: dst-address-type=local with no in-interface match. The Pi is also the
# only entry on the "Allowed access internal devices" list, so whoever holds a
# working VPN credential presumably reaches the modem and log server with the
# Pi's privileges - keep VPN keys and the Pi itself tightly controlled.
add action=dst-nat chain=dstnat comment="VPN on Raspberry pi (add by vee)" \
    dst-address-type=local dst-port=51820 protocol=udp to-addresses=\
    192.168.234.3 to-ports=51820

# All connection-tracking helpers listed here are switched off.
/ip firewall service-port
set ftp disabled=yes
set tftp disabled=yes
set irc disabled=yes
set h323 disabled=yes
set sip disabled=yes
set pptp disabled=yes
set udplite disabled=yes
set dccp disabled=yes
set sctp disabled=yes

# Management services. telnet, ftp, ssh and api-ssl are disabled; winbox is
# limited to the Raspberry Pi (192.168.234.3/32).
# NOTE(review): www (plain HTTP, moved to port 8088) has no address=
# restriction, and the input chain in this export has no drop rule, so the web
# interface is reachable from every interface including the uplink.
# NOTE(review): "api" is not listed, which in an export normally means it is
# at its default - presumably enabled on 8728 with no address restriction.
# Confirm, then either disable it or add the same address= limit as winbox.
/ip service
set telnet disabled=yes
set ftp disabled=yes
set www port=8088
set ssh disabled=yes
set winbox address=192.168.234.3/32
set api-ssl disabled=yes

# NOTE(review): allow-none-crypto=yes lets an SSH session negotiate no
# encryption, and forwarding-enabled=remote turns on remote port forwarding.
# Both are dormant while the ssh service is disabled, but they take effect as
# soon as it is re-enabled; allow-none-crypto=no is the safe setting.
/ip ssh
set allow-none-crypto=yes forwarding-enabled=remote
I have tried disabling the firewall on the ISP modem/router and restarting it, but that did not help; I still can't access the modem from the PC.
 
kvee

Re: Access modem behind Mikrotik via VPN. Not working on PC but work on Smart phone

Fri Apr 14, 2023 11:30 pm

Problem solved.

Mikrotik configs.
# Single LAN bridge; the ports are attached to it under "/interface bridge port".
/interface bridge
add name=bridge-local

# ether1 is renamed ether1-gateway. The DHCP client and the default masquerade
# rule in this export are bound to that name, so it is the uplink port.
# ether1-5 carry speed=100Mbps; ether6-10 advertise every rate from 10M-half
# to 1000M-full.
/interface ethernet
set [ find default-name=ether1 ] name=ether1-gateway speed=100Mbps
set [ find default-name=ether2 ] speed=100Mbps
set [ find default-name=ether3 ] speed=100Mbps
set [ find default-name=ether4 ] speed=100Mbps
set [ find default-name=ether5 ] speed=100Mbps
set [ find default-name=ether6 ] advertise=10M-half,10M-full,100M-half,100M-full,1000M-half,1000M-full
set [ find default-name=ether7 ] advertise=10M-half,10M-full,100M-half,100M-full,1000M-half,1000M-full
set [ find default-name=ether8 ] advertise=10M-half,10M-full,100M-half,100M-full,1000M-half,1000M-full
set [ find default-name=ether9 ] advertise=10M-half,10M-full,100M-half,100M-full,1000M-half,1000M-full
set [ find default-name=ether10 ] advertise=10M-half,10M-full,100M-half,100M-full,1000M-half,1000M-full

# Interface list "discover"; the neighbor-discovery setting in this export
# points at it.
/interface list
add exclude=dynamic name=discover

# Dynamic pool for LAN clients: .20-.250 of 192.168.234.0/24.
/ip pool
add name=default-dhcp ranges=192.168.234.20-192.168.234.250
# DHCP server on the LAN bridge, leasing from default-dhcp for 30 minutes.
/ip dhcp-server
add address-pool=default-dhcp disabled=no interface=bridge-local lease-time=30m name=default

# Every port except ether1-gateway (ether2-10, sfp1, wlan1) joins bridge-local,
# so wired and wireless clients share one LAN segment. hw=no is set on the
# wired ports.
/interface bridge port
add bridge=bridge-local hw=no interface=ether2
add bridge=bridge-local hw=no interface=ether3
add bridge=bridge-local hw=no interface=ether4
add bridge=bridge-local hw=no interface=ether5
add bridge=bridge-local hw=no interface=ether6
add bridge=bridge-local hw=no interface=ether7
add bridge=bridge-local hw=no interface=ether8
add bridge=bridge-local hw=no interface=ether9
add bridge=bridge-local hw=no interface=ether10
add bridge=bridge-local hw=no interface=sfp1
add bridge=bridge-local interface=wlan1

# Neighbor discovery is limited to the interfaces in the "discover" list.
/ip neighbor discovery-settings
set discover-interface-list=discover

# The list holds the LAN ports and the bridge. ether1-gateway is not a member,
# so the router does not run neighbor discovery on the uplink side.
/interface list member
add interface=sfp1 list=discover
add interface=ether2 list=discover
add interface=ether3 list=discover
add interface=ether4 list=discover
add interface=ether5 list=discover
add interface=ether6 list=discover
add interface=ether7 list=discover
add interface=ether8 list=discover
add interface=ether9 list=discover
add interface=ether10 list=discover
add interface=wlan1 list=discover
add interface=bridge-local list=discover

# LAN addressing. 192.168.234.1/24 is the router's address on the bridge.
# The 1.1.1.1/24 entry is disabled=yes here, so the router no longer claims
# that public prefix. It is still present in the config; removing it would
# prevent it being re-enabled by accident.
/ip address
add address=192.168.234.1/24 comment="default configuration" interface=bridge-local network=192.168.234.0
add address=1.1.1.1/24 disabled=yes interface=bridge-local network=1.1.1.0

# The uplink takes its address by DHCP on ether1-gateway (presumably from the
# ISP modem/router at 192.168.1.1 described in the post).
/ip dhcp-client
add comment="default configuration" disabled=no interface=ether1-gateway

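# Static leases for the log server (.2) and the Raspberry Pi VPN server (.3).
# The log-server MAC is restored to 90:09:D0:2D:A5:CF, which agrees with its
# client-id (1:90:9:d0:2d:a5:cf). The value as posted, "90:090:2D:A5:CF", is
# not a valid MAC address and looks like forum mangling of the ":D" sequence.
# The firewall address lists and the /ip service address= restrictions in this
# export key on these IPs. A static lease only fixes what the DHCP server
# offers; it does not stop another LAN host from configuring the same address
# by hand, so those IP-based allow rules are only as strong as control over
# the LAN.
/ip dhcp-server lease
add address=192.168.234.2 client-id=1:90:9:d0:2d:a5:cf comment="Log server (add by vee)" mac-address=90:09:D0:2D:A5:CF server=default
add address=192.168.234.3 client-id=1:dc:a6:32:c3:7c:ee comment="Raspberry pi (add by vee)" mac-address=DC:A6:32:C3:7C:EE server=default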

# NOTE(review): clients are still handed gateway=1.1.1.1, although the
# 1.1.1.1/24 address on the bridge is disabled in this export. That gateway is
# outside the leased 192.168.234.0/24, so DHCP clients presumably end up
# without a usable default route; 192.168.234.1 would be the expected value -
# confirm.
/ip dhcp-server network
add address=192.168.234.0/24 comment="default configuration" dns-server=192.168.234.1 gateway=1.1.1.1


# allow-remote-requests=yes makes the router a DNS resolver for any host that
# can reach it. Nothing in this export drops DNS arriving on ether1-gateway,
# so the resolver is not limited to the LAN.
# NOTE(review): the first upstream server is the router's own LAN address
# (192.168.234.1); only 8.8.8.8 and 8.8.4.4 are real upstreams - confirm.
/ip dns
set allow-remote-requests=yes servers=192.168.234.1,8.8.8.8,8.8.4.4

# Address lists used as match criteria by the forward-chain drop rules below.
# Membership is by IP address only. 192.168.234.3 (the Raspberry Pi VPN
# server) is the single source those rules let through.
/ip firewall address-list
add address=192.168.1.1 comment="ISP modem router (add by vee)" list="ISP modem router"
add address=192.168.234.3 comment="Allowed access modem router & internal devices (add by vee)." list="Allowed access internal devices"
add address=192.168.234.2 comment="Log server (add by vee)" list="Log server"

# NOTE(review): this table contains no drop rule for chain=input. RouterOS
# accepts a packet that matches no filter rule, so the three "accept" rules
# below do not restrict anything. Access to the router's own services is
# limited only by the address= settings under "/ip service". A conventional
# input chain accepts established/related traffic, accepts management from a
# trusted source list, and drops everything else.
/ip firewall filter
add action=passthrough chain=unused-hs-chain comment="place hotspot rules here" disabled=yes
add action=log chain=forward comment="log to nas (add be vee)" connection-state=new disabled=yes dst-port=80,443 out-interface=ether1-gateway protocol=tcp
# The three accept rules carry no in-interface or src-address match, so they
# apply to every interface, not only the WAN side named in their comments.
# 8291 is WinBox, 8088 is the relocated www (plain HTTP) service, and 8728 is
# the unencrypted API port.
add action=accept chain=input comment="Allow WinBox from WAN" dst-port=8291 protocol=tcp
add action=accept chain=input comment="Allow 8088 from WAN" dst-port=8088 protocol=tcp
add action=accept chain=input comment="Mikrotik API from WAN (add by vee)" dst-port=8728 protocol=tcp
# Only TCP/80 toward the modem is dropped for sources outside the allow list.
# Other ports and protocols to 192.168.1.1 are still forwarded.
# NOTE(review): forward-chain rules see the source address before srcnat. If
# the 192.168.172.0/24 clients covered by the masquerade rule in this export
# arrive with their own addresses, they are not on the allow list and this
# rule drops their HTTP to the modem - confirm which source the router sees.
add action=drop chain=forward comment="Block access to modem router except from some device. (add by vee)" dst-address-list="ISP modem router" dst-port=80 protocol=tcp src-address-list="!Allowed access internal devices"
# Same pattern for the log server: only TCP/5000 is covered. It applies only
# to traffic the router forwards; hosts bridged on the same LAN segment reach
# 192.168.234.2 without passing this chain.
add action=drop chain=forward comment="Block access to log server except from some device. (add by vee)" dst-address-list="Log server" dst-port=5000 protocol=tcp src-address-list="!Allowed access internal devices"

# NAT table. The first two rules are disabled placeholders.
/ip firewall nat
add action=passthrough chain=unused-hs-chain comment="place hotspot rules here" disabled=yes
add action=redirect chain=dstnat disabled=yes dst-port=80 protocol=tcp to-ports=8080
# Standard source NAT toward the uplink; log=yes records matches in the log.
add action=masquerade chain=srcnat comment="default configuration" log=yes out-interface=ether1-gateway
# NOTE(review): no out-interface here, so LAN-sourced traffic is masqueraded
# on every outgoing interface, not only the uplink. That hides the original
# client address from internal hosts and their logs - confirm it is intended.
add action=masquerade chain=srcnat comment="masquerade hotspot network" src-address=192.168.234.0/24
# Publishes UDP/51820 (the VPN on the Raspberry Pi) on any address the router
# owns: dst-address-type=local with no in-interface match. The Pi is also the
# only entry on the "Allowed access internal devices" list, so whoever holds a
# working VPN credential presumably reaches the modem and log server with the
# Pi's privileges - keep VPN keys and the Pi itself tightly controlled.
add action=dst-nat chain=dstnat comment="VPN on Raspberry pi (add by vee)" dst-address-type=local dst-port=51820 protocol=udp to-addresses=192.168.234.3 to-ports=51820
# New in this export: masquerade for 192.168.172.0/24, the range the author
# moved the home network to. It has no comment and no out-interface, so it
# applies on every outgoing interface. Adding out-interface=ether1-gateway
# and a comment would scope and document it.
add action=masquerade chain=srcnat src-address=192.168.172.0/24

# All connection-tracking helpers listed here are switched off.
/ip firewall service-port
set ftp disabled=yes
set tftp disabled=yes
set irc disabled=yes
set h323 disabled=yes
set sip disabled=yes
set pptp disabled=yes
set udplite disabled=yes
set dccp disabled=yes
set sctp disabled=yes

# Management services. telnet, ftp, ssh and api-ssl are disabled; www (plain
# HTTP on port 8088) and winbox both accept connections only from the
# Raspberry Pi (192.168.234.3/32). With no input-chain drop rule in this
# export, these address= limits are the only access control on them.
# NOTE(review): "api" is not listed, which in an export normally means it is
# at its default - presumably enabled on 8728 with no address restriction.
# Confirm, then either disable it or give it the same address= limit.
/ip service
set telnet disabled=yes
set ftp disabled=yes
set www address=192.168.234.3/32 port=8088
set ssh disabled=yes
set winbox address=192.168.234.3/32
set api-ssl disabled=yes

# NOTE(review): allow-none-crypto=yes lets an SSH session negotiate no
# encryption, and forwarding-enabled=remote turns on remote port forwarding.
# Both are dormant while the ssh service is disabled, but they take effect as
# soon as it is re-enabled; allow-none-crypto=no is the safe setting.
/ip ssh
set allow-none-crypto=yes forwarding-enabled=remote
The problem was an IP address conflict between my home network and the destination network where this MikroTik is installed.

I changed my home network to 192.168.172.x,
while the MikroTik at the destination is 192.168.234.x
and the ONU (ISP modem/router) at the destination is 192.168.1.x. With the three networks on different ranges, everything works again.
