 
DSK
newbie
Topic Author
Posts: 45
Joined: Sat Jun 30, 2018 12:57 am

Remote winbox into wAP LTE and LtAP over SSTP VPN

Thu Sep 19, 2019 8:51 pm

I've got a CHR on AWS acting as a SSTP server with wAP LTE and LtAPs as clients on subnet 10.10.80.0/24. I've got DUDE setup there as well. I am able to monitor the devices via DUDE well. I would like to remotely Winbox into the LTE devices. On the clients I've allowed Winbox access from WAN/SSTP Interface. Someone help with the way forward.
 
DSK
newbie
Topic Author
Posts: 45
Joined: Sat Jun 30, 2018 12:57 am

Re: Remote winbox into wAP LTE and LtAP over SSTP VPN

Sun Sep 22, 2019 10:23 am

Anyone?
 
DSK
newbie
Topic Author
Posts: 45
Joined: Sat Jun 30, 2018 12:57 am

Re: Remote winbox into wAP LTE and LtAP over SSTP VPN

Tue Oct 01, 2019 8:44 pm

Anyone to help?
 
SiB
Forum Guru
Posts: 1888
Joined: Sun Jan 06, 2013 11:19 pm
Location: Poland

Re: Remote winbox into wAP LTE and LtAP over SSTP VPN

Thu Oct 10, 2019 4:29 am

Yes, anyone can help you. Example is "I am".
When you connect to the CHR, the CHR sees the LTE clients connected to it in
ppp active print
If yes, then you see their IP addresses.

You should connect to them from:
  • CHR Terminal via Telnet/SSH to them
  • Your PC WinBox, when you allow it in the CHR forward chain
 
DSK
newbie
Topic Author
Posts: 45
Joined: Sat Jun 30, 2018 12:57 am

Re: Remote winbox into wAP LTE and LtAP over SSTP VPN

Thu Oct 10, 2019 9:08 am

Many thanks for the reply.
ppp active print command brings up all the units.
I would prefer using My PC Winbox. Could you please help with the specific firewall rule on CHR to enable this?
Thanks again!
 
SiB
Forum Guru
Posts: 1888
Joined: Sun Jan 06, 2013 11:19 pm
Location: Poland

Re: Remote winbox into wAP LTE and LtAP over SSTP VPN

Fri Oct 11, 2019 9:29 am

I assume:
AWS subnet is 10.10.80.0/24 and the CHR has 10.10.80.1.
Your LTE devices connect by SSTP to the CHR and have 10.10.80.100-101.
Your PC has 192.168.1.100 and your local router = gateway is 192.168.1.1

In this scenario
* Your PC WinBox must have routing to 10.10.80.0/24 via its SSTP, e.g. 10.10.80.102/
Then your WinBox should connect to the CHR at its 10.10.80.1 - does this work for you?
* CHR must have a firewall rule in chain=forward to allow that traffic, after accepting established&related and before any rule with an action like drop/deny/tarpit
ip firewall filter add chain=forward src-address=192.168.1.100 dst-address=10.10.80.0/24 protocol=tcp dst-port=8291 action=accept comment="WinBox Allow"
* at the LTE you have an accept in the Input chain, after accepting established&related but before an action like drop/deny/tarpit
ip firewall filter add chain=input src-address=192.168.1.100 dst-address=10.10.80.0/24 protocol=tcp dst-port=8291 action=accept comment="WinBox Allow"
and in IP>Services the WinBox service must be active and the IP must be 0.0.0.0/0 and/or your specific one
and in System > Users your user must not have a restriction that blocks logon from an IP that is not yours

Of course classic testing like
* ping 10.10.80.101
* tools traceroute 10.10.80.101
* ip firewall connections (=connection tracking, conntrack) and filter traffic to 10.10.80.101 shows you what is blocked in the firewall, one direction like Tx works but no Rx etc...
* tools torch shows similar to conntrack

I hope I give you a hint in this way.
This is so easy that it should just work out-of-the-box.

And if your LTE devices receive other IPs like 10.20.30.100-101 then just change the 10.10.80.0/24 to 10.20.30.0/24 in the firewall rules.
 
DSK
newbie
Topic Author
Posts: 45
Joined: Sat Jun 30, 2018 12:57 am

Re: Remote winbox into wAP LTE and LtAP over SSTP VPN

Fri Oct 11, 2019 2:11 pm

On my home router, I have added a route where dst address is 10.10.80.0/24 and gateway as sstp interface. I however still can't access CHR over Winbox. I can however access CHR via public IP Winbox.
 
SiB
Forum Guru
Posts: 1888
Joined: Sun Jan 06, 2013 11:19 pm
Location: Poland

Re: Remote winbox into wAP LTE and LtAP over SSTP VPN

Fri Oct 11, 2019 2:36 pm

On my home router, I have added a route where dst address is 10.10.80.0/24 and gateway as sstp interface. I however still can't access CHR over Winbox. I can however access CHR via public IP Winbox.
This means the first point of my howto... is not working.
In this scenario
* Your PC WinBox must have routing to 10.10.80.0/24 via its SSTP, e.g. 10.10.80.102/
Then your WinBox should connect to the CHR at its 10.10.80.1 - does this work for you?
What address exists at your PC sstp-interface when you connect to SSTP? 10.10.80.x?
You should receive 2 addresses like Remote 10.10.80.1 AND Local 10.10.80.103 or other. In WinBox you must use this remote side one.
You do not provide any more details and I must assume. Write more.
Check in Firewall that you do not block the WinBox port.
 
DSK
newbie
Topic Author
Posts: 45
Joined: Sat Jun 30, 2018 12:57 am

Re: Remote winbox into wAP LTE and LtAP over SSTP VPN

Tue Oct 15, 2019 12:55 pm

This means first point of my howto... is not working.
Sure, Below is what the SSTP server logs when I attempt to log in from SSTP client home router.
Winbox SSTP Server Log.png
I have also added route on the home router as below
Home Router SSTP Route.png
What address exist at your PC sstp-interface when you connect to SSTP ? 10.10.80.x?
You should receive 2 address like Remote 10.10.80.1 AND Local 10.10.80.103 or other. In WinBox you must use this remote site one
SSTP on home router.png
Check in Firewall if you not block a WinBox port
I have firewall rule on SSTP server to allow all ppp tcp 8291 input
SSTP Server allow Winbox.png
 
SiB
Forum Guru
Posts: 1888
Joined: Sun Jan 06, 2013 11:19 pm
Location: Poland

Re: Remote winbox into wAP LTE and LtAP over SSTP VPN  [SOLVED]

Tue Oct 15, 2019 9:58 pm

Still you do not provide proper information about your full setup.
Look, I did in 5 minutes at gliffy.com, a free online diagram tool, a diagram from the current information you provide, but still some stuff is not proper.
Look at the diagram and write what is not proper, correct this for me.
firefox_Sremqed4Dx.png
You write about 2x LTE devices, 1x HomeRouter, 1x CHR.
LTE devices should have 10.10.80.x but in the screenshot I see the 10.10.10.x network.
One of the screenshots with an LtAP is an LtAP mini; is that your home router? If yes then you should connect to 10.10.10.51 if the CHR has a route to your home router via the sstp_connection.

You see. We lose time writing posts to understand your situation.
Remember that you can contact me directly and we can do a remote_access and finish this in minutes.

I have firewall rule on SSTP server to allow all ppp tcp 8291 input
Then this is a bad rule. You should have the "NEW" tcp connection state selected, not established and related - these two should be an upper rule, but this is not a topic about how to do proper firewall rules.
 
DSK
newbie
Topic Author
Posts: 45
Joined: Sat Jun 30, 2018 12:57 am

Re: Remote winbox into wAP LTE and LtAP over SSTP VPN

Wed Oct 16, 2019 5:04 pm

I am happy to inform you that I can now successfully log into both the remote devices and the CHR SSTP Server via the SSTP VPN tunnel from PC Winbox. I had only added a route on the home router. After adding a route on the CHR for Dst. 192.168.0.0/24 it now works. My network layout is attached below for further advice, if any. I have made a few little changes to appear a bit more organised.
Thanks a lot for your time and advice
 
SiB
Forum Guru
Posts: 1888
Joined: Sun Jan 06, 2013 11:19 pm
Location: Poland

Re: Remote winbox into wAP LTE and LtAP over SSTP VPN

Wed Oct 16, 2019 7:47 pm

If you have that many devices that can be accessible by PublicIP then please look at simply securing your Input chain - this should always be checked, monitored, safe.
You collect some PublicIPs you consider safe to connect to all other devices. Look, I have >200 mtk online now and can reach them from only 8 places remotely, but via proper vpn without limit.
You should check RoMon, backup login via ssh, port knocking etc.

List of your safe public IPs at home/work/work2/customer1/customer2 as backup entry to other customers.
/ip firewall address-list
add address=10.0.0.0/8 comment="LAN_private Class A" list=LAN_private
add address=172.16.0.0/12 comment="LAN_private Class B" list=LAN_private
add address=192.168.0.0/16 comment="LAN_private Class C" list=LAN_private
add address=169.254.0.0/16 comment="LAN_private APIPA" list=LAN_private
add address=a.a.a.a/a comment="ISP CustomerN" list=YourSafeISP-Admins
add address=b.b.b.b/b comment="ISP Home" list=YourSafeISP-Admins
add address=c.c.c.c/c comment="ISP CHR" list=YourSafeISP-Admins
add address=10.10.10.0/24 comment="ISP CHR" list=YourSafeISP-Admins
example of a simple input chain with ISP at eth1 and eth2
/ip firewall filter
# rules are listed in evaluation order (top-down); adding each one with place-before=0
# would insert it at the top and reverse that order, leaving the drops above the accepts.
# Append them to an input chain with no existing drop, or move them above any drop afterwards.
add action=accept chain=input comment="established & related" connection-state=established,related
add action=accept chain=input comment="L2TP - Dst.Port & Nat-Traversal" dst-port=500,1701,4500 protocol=udp
add action=accept chain=input comment="L2TP - esp" protocol=ipsec-esp
add action=accept chain=input comment=winbox dst-port=8291 protocol=tcp src-address-list=YourSafeISP-Admins
add action=accept chain=input protocol=icmp
add action=drop chain=input dst-port=53 in-interface=[/interface ethernet find default-name=ether1] protocol=udp
add action=drop chain=input in-interface=[/interface ethernet find default-name=ether1]
add action=drop chain=input dst-port=53 in-interface=[/interface ethernet find default-name=ether2] protocol=udp
add action=drop chain=input in-interface=[/interface ethernet find default-name=ether2]
Do not use the default admin login, remove it.
user add group=full name=DSK password="longer_then_100char_with_special_char" disabled=no comment="MyOwnUserName YourCompanyName"
user remove [find name=admin]
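A small audit of an exported input chain for the two mistakes discussed in this thread (an accept that sits below a drop, and a WinBox tcp/8291 accept with no source restriction). This is an added example, not SiB's or MikroTik's code; the export text is constructed to mimic `/ip firewall filter export` output, and the tokenizer is simplified (it does not handle bracketed `[find ...]` expressions).

```python
import re
from typing import Dict, List

# Constructed sample (not from the thread): an input chain in RouterOS export
# syntax with two deliberate mistakes, an open WinBox accept and a shadowed one.
SAMPLE_EXPORT = """\
/ip firewall filter
add action=accept chain=input comment="established & related" connection-state=established,related
add action=accept chain=input comment=winbox dst-port=8291 protocol=tcp
add action=accept chain=input protocol=icmp
add action=drop chain=input in-interface=ether1
add action=accept chain=input comment="winbox admins" dst-port=8291 protocol=tcp src-address-list=YourSafeISP-Admins
"""

# key=value tokens; quoted values may contain spaces.
TOKEN = re.compile(r'(\S+?)=("[^"]*"|\S+)')


def parse_rules(export: str) -> List[Dict[str, str]]:
    """Turn each 'add ...' line into a dict of its key=value properties."""
    rules = []
    for line in export.splitlines():
        if line.startswith("add "):
            rules.append({k: v.strip('"') for k, v in TOKEN.findall(line[4:])})
    return rules


def audit_input_chain(rules: List[Dict[str, str]]) -> List[str]:
    """Flag input-chain accepts that are shadowed by a drop or expose WinBox to anyone."""
    findings = []
    drop_idx = None
    for i, r in enumerate(rules):
        if r.get("chain") != "input":
            continue
        if r.get("action") == "drop":
            drop_idx = drop_idx if drop_idx is not None else i  # first drop in the chain
            continue
        if r.get("action") != "accept":
            continue
        if drop_idx is not None:  # rules are evaluated top-down, so this accept comes too late
            findings.append(f"rule {i}: accept sits below drop at rule {drop_idx}; move it above the drop")
        is_winbox = r.get("protocol") == "tcp" and r.get("dst-port") == "8291"
        if is_winbox and not (r.get("src-address") or r.get("src-address-list")):
            findings.append(f"rule {i}: WinBox tcp/8291 accepted from any source; restrict with src-address-list")
    return findings


def audit_export(export: str) -> List[str]:
    return audit_input_chain(parse_rules(export))
```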
