Community discussions

MikroTik App
 
DSK
newbie
Topic Author
Posts: 45
Joined: Sat Jun 30, 2018 12:57 am

Remote winbox into wAP LTE and LtAP over SSTP VPN

Thu Sep 19, 2019 8:51 pm

I've got a CHR on AWS acting as a SSTP server with wAP LTE and LtAPs as clients on subnet 10.10.80.0/24. I've got DUDE setup there as well. I am able to monitor the devices via DUDE well. I would like to remotely Winbox into the LTE devices. On the clients I've allowed Winbox access from WAN/SSTP Interface. Someone help with the way forward.
 
DSK
newbie
Topic Author
Posts: 45
Joined: Sat Jun 30, 2018 12:57 am

Re: Remote winbox into wAP LTE and LtAP over SSTP VPN

Sun Sep 22, 2019 10:23 am

Anyone?
 
DSK
newbie
Topic Author
Posts: 45
Joined: Sat Jun 30, 2018 12:57 am

Re: Remote winbox into wAP LTE and LtAP over SSTP VPN

Tue Oct 01, 2019 8:44 pm

Anyone to help?
 
User avatar
SiB
Forum Guru
Forum Guru
Posts: 1888
Joined: Sun Jan 06, 2013 11:19 pm
Location: Poland

Re: Remote winbox into wAP LTE and LtAP over SSTP VPN

Thu Oct 10, 2019 4:29 am

yes, anyone can help you. Example is "I am".
When you connect to CHR then CHR see the connected to it LTE clients in
ppp active print
If yes then you see the IP address of them.

You should connect to them from:
  • CHR Terminal via Telnet/SSH to them
  • Your PC WinBox when you allow to it in CHR forward chain
 
DSK
newbie
Topic Author
Posts: 45
Joined: Sat Jun 30, 2018 12:57 am

Re: Remote winbox into wAP LTE and LtAP over SSTP VPN

Thu Oct 10, 2019 9:08 am

Many thanks for the reply.
ppp active print command brings up all the units.
I would prefer using My PC Winbox. Could you please help with the specific firewall rule on CHR to enable this?
Thanks again!
 
User avatar
SiB
Forum Guru
Forum Guru
Posts: 1888
Joined: Sun Jan 06, 2013 11:19 pm
Location: Poland

Re: Remote winbox into wAP LTE and LtAP over SSTP VPN

Fri Oct 11, 2019 9:29 am

I assume:
AWS subnet is 10.10.80.0/24 with CHR have got 10.10.80.1.
Your LTE devices connect by SSTP to CHR and they have got 10.10.80.100-101.
Your PC have got 192.168.1.100 and your local router=gateway is 192.168.1.1

In this scenario
* Your PC WinBox must have routing to 10.10.80.0/24 via his SSTP e.g. 10.10.80.102/
Then your WinBox should connect to CHR at his 10.10.80.1 - this is work for you?
* CHR must have firewall rule in chain=forward to allow that traffic after accepting established&related and before rule two have action like drop/deny/tarpit
ip firewall filter add chain=forward src-address=192.168.1.100 dst-address=10.10.80.0/24 protocol=tcp dst-port=8291 action=accept comment="WinBox Allow"
* at LTE you have got accept in Input chain after accepting established&related but before action like drop/deny/tarpit
ip firewall filter add chain=input src-address=192.168.1.100 dst-address=10.10.80.0/24 protocol=tcp dst-port=8291 action=accept comment="WinBox Allow"
and in IP>Service the WinBox service must be active and the IP must be 0.0.0.0/0 or/and your specific
and in System > Users your user not must restricion from logon from not your IP

Of course classic testing like
* ping 10.10.80.101
* tools traceroute 10.10.80.101
* ip firewall connections (=connection tracking, conntrack) and filter traffic to 10.10.80.101 show you what is blocked in firewall, one dirrection like Tx works but no Rx etc...
* tools torch show similar to conntrack

I hope I give you hint in this way.
This is like that easy that should just work out-of-box.

And If your LTE devices receive other IP like 10.20.30.100-101 then just change the 10.10.80.0/24 to 10.20.30.0/24 in firewall rules.
 
DSK
newbie
Topic Author
Posts: 45
Joined: Sat Jun 30, 2018 12:57 am

Re: Remote winbox into wAP LTE and LtAP over SSTP VPN

Fri Oct 11, 2019 2:11 pm

On my home router, I have added a route where dst address is 10.10.80.0/24 and gateway as sstp interface. I however still can't access CHR over Winbox. I can however access CHR via public IP Winbox.
 
User avatar
SiB
Forum Guru
Forum Guru
Posts: 1888
Joined: Sun Jan 06, 2013 11:19 pm
Location: Poland

Re: Remote winbox into wAP LTE and LtAP over SSTP VPN

Fri Oct 11, 2019 2:36 pm

On my home router, I have added a route where dst address is 10.10.80.0/24 and gateway as sstp interface. I however still can't access CHR over Winbox. I can however access CHR via public IP Winbox.
This means first point of my howto... is not working.
In this scenario
* Your PC WinBox must have routing to 10.10.80.0/24 via his SSTP e.g. 10.10.80.102/
Then your WinBox should connect to CHR at his 10.10.80.1 - this is work for you?
What address exist at your PC sstp-interface when you connect to SSTP ? 10.10.80.x?
You should receive 2 address like Remote 10.10.80.1 AND Local 10.10.80.103 or other. In WinBox you must use this remote site one.
You not provide any more details and I must assume. Write more.
Check in Firewall if you not block a WinBox port.
 
DSK
newbie
Topic Author
Posts: 45
Joined: Sat Jun 30, 2018 12:57 am

Re: Remote winbox into wAP LTE and LtAP over SSTP VPN

Tue Oct 15, 2019 12:55 pm

This means first point of my howto... is not working.
Sure, Below is what the SSTP server logs when I attempt to log in from SSTP client home router.
Winbox SSTP Server Log.png
I have also added route on the home router as below
Home Router SSTP Route.png
What address exist at your PC sstp-interface when you connect to SSTP ? 10.10.80.x?
You should receive 2 address like Remote 10.10.80.1 AND Local 10.10.80.103 or other. In WinBox you must use this remote site one
SSTP on home router.png
Check in Firewall if you not block a WinBox port
I have firewall rule on SSTP server to allow all ppp tcp 8291 input
SSTP Server allow Winbox.png
You do not have the required permissions to view the files attached to this post.
 
User avatar
SiB
Forum Guru
Forum Guru
Posts: 1888
Joined: Sun Jan 06, 2013 11:19 pm
Location: Poland

Re: Remote winbox into wAP LTE and LtAP over SSTP VPN  [SOLVED]

Tue Oct 15, 2019 9:58 pm

Still you not provide a proper information at your full setup.
Look, I do in 5m at gliffy.com, a free online diagram from current information what you provide but still some stuff are not proper.
Look at diagram and write what is not proper, correct this for me.
firefox_Sremqed4Dx.png
You write about 2xLTE devices, 1xHomeRouter, 1xCHR.
LTE device should have 10.10.80.x but in screen I see 10.10.10.x network.
One of screenshot with LTAP is LTAP mini, is your home router ? If yes then you should connect to 10.10.10.51 if CHR have got route to your home router via sstp_connection.

You see. We loose time to write a post to understand your situation.
Remember that you can constant me directly and we can do a remote_access and finish this in minutes.
.
I have firewall rule on SSTP server to allow all ppp tcp 8291 input
Then this is bad rule. You should have got the "NEW" tcp connection state select, not established and related - this two should be upper rule but this is not topic about how to do a proper firewall rules.
You do not have the required permissions to view the files attached to this post.
 
DSK
newbie
Topic Author
Posts: 45
Joined: Sat Jun 30, 2018 12:57 am

Re: Remote winbox into wAP LTE and LtAP over SSTP VPN

Wed Oct 16, 2019 5:04 pm

I am happy to inform you that I can now successfully log into both the remote devices and CHR SSTP Server via the SSTP VPN tunnel from PC Winbox. I had only added a route on the home router. After adding a route on the CHR for Dst. 192.168.0.0/24 it now works. My network layout is attached below though for further advice if any. I have made a little changes to appear abit organised.
Thanks alot for your time and advice
Image
You do not have the required permissions to view the files attached to this post.
 
User avatar
SiB
Forum Guru
Forum Guru
Posts: 1888
Joined: Sun Jan 06, 2013 11:19 pm
Location: Poland

Re: Remote winbox into wAP LTE and LtAP over SSTP VPN

Wed Oct 16, 2019 7:47 pm

If you have that many devices who can be accessable by PublicIP then please look at simple secure your Input chain - this is always should be checked, monitor, safe.
You collect some PublicIP you manage as safe to connect to all other devices. Look, I have >200mtk online now and can reach it from only 8 places remotely but via proper vpn without limit.
You should check RoMon, backup login via ssh, port knocking etc.

List of your safe public IP at home/work/work2/customer1/customer2 as backup entry to other customers.
/ip firewall address-list
add address=10.0.0.0/8 comment="LAN_private Class A" list=LAN_private
add address=172.16.0.0/12 comment="LAN_private Class B" list=LAN_private
add address=192.168.0.0/16 comment="LAN_private Class C" list=LAN_private
add address=169.254.0.0/16 comment="LAN_private APIPA" list=LAN_private
add address=a.a.a.a/a comment="ISP CustomerN" list=YourSafeISP-Admins
add address=b.b.b.b/b comment="ISP Home" list=YourSafeISP-Admins
add address=c.c.c.c/c comment="ISP CHR" list=YourSafeISP-Admins
add address=10.10.10.0/24 comment="ISP CHR" list=YourSafeISP-Admins
example of simple input chain with ISP at eth1 and eth2
/ip firewall filter
add action=accept chain=input comment="established & related" connection-state=established,related place-before=0
add action=accept chain=input comment="L2TP - Dst.Port & Nat-Traversal" dst-port=500,1701,4500 protocol=udp place-before=0
add action=accept chain=input comment="L2TP - esp" protocol=ipsec-esp place-before=0
add action=accept chain=input comment=winbox dst-port=8291 protocol=tcp src-address-list=YourSafeISP-Admins place-before=0
add action=accept chain=input protocol=icmp place-before=0
add action=drop chain=input dst-port=53 in-interface=[/interface ethernet find default-name=ether1] protocol=udp place-before=0
add action=drop chain=input in-interface=[/interface ethernet find default-name=ether1] place-before=0
add action=drop chain=input dst-port=53 in-interface=[/interface ethernet find default-name=ether2] protocol=udp place-before=0
add action=drop chain=input in-interface=[/interface ethernet find default-name=ether2] place-before=0
not use default admin login, remove it.
user add group=full name=DSK password="longer_then_100char_with_special_char" disabled=no comment="MyOwnUserName YourCompanyName"
user remove [find name=admin]

Who is online

Users browsing this forum: GalZoltan, Google [Bot] and 62 guests