wackamole
just joined
Topic Author
Posts: 2
Joined: Mon Dec 09, 2024 1:46 am

No wan access using back to home

Mon Dec 09, 2024 1:54 am

I'm not sure if WAN access is expected to work out of the box with back to home? I cannot browse the web on my iPhone when connected via back to home.
I see one other topic with a similar problem: viewtopic.php?t=207891
But I'm not sure I see the solution to the problem in that thread; maybe I just don't understand the answers correctly.

Here's my config:
[myuser@MikroTik] > /export
# 2024-12-08 18:32:18 by RouterOS 7.16.2
# software id = 5TRY-6BL4
#
# model = RB5009UG+S+
# serial number = XXX
/interface bridge
add admin-mac=48:A9:8A:25:99:6C auto-mac=no comment=defconf name=deco port-cost-mode=short
/interface wireguard
add comment=back-to-home-vpn listen-port=48027 mtu=1420 name=back-to-home-vpn
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip pool
add name=dhcp ranges=192.168.0.2-192.168.0.254
/ip dhcp-server
add address-pool=dhcp interface=deco lease-time=10m name=defconf
/ip smb users
set [ find default=yes ] disabled=yes
/interface bridge port
add bridge=deco comment=defconf interface=ether2 internal-path-cost=10 path-cost=10
add bridge=deco comment=defconf interface=ether3 internal-path-cost=10 path-cost=10
add bridge=deco comment=defconf interface=ether4 internal-path-cost=10 path-cost=10
add bridge=deco comment=defconf interface=ether5 internal-path-cost=10 path-cost=10
add bridge=deco comment=defconf interface=ether6 internal-path-cost=10 path-cost=10
add bridge=deco comment=defconf interface=ether7 internal-path-cost=10 path-cost=10
add bridge=deco comment=defconf interface=ether8 internal-path-cost=10 path-cost=10
add bridge=deco comment=defconf interface=sfp-sfpplus1 internal-path-cost=10 path-cost=10
/ip firewall connection tracking
set udp-timeout=10s
/ip neighbor discovery-settings
set discover-interface-list=none
/ipv6 settings
set disable-ipv6=yes
/interface list member
add comment=defconf interface=deco list=LAN
add comment=defconf interface=ether1 list=WAN
/ip address
add address=192.168.0.1/24 comment=defconf interface=deco network=192.168.0.0
/ip cloud
set back-to-home-vpn=enabled ddns-enabled=yes ddns-update-interval=10m update-time=no
/ip cloud back-to-home-users
add allow-lan=yes comment="iPhone 12" name=RB5009UG+S+ private-key="xxx=" public-key=\
    "yyy="
/ip dhcp-client
add comment=defconf interface=ether1
/ip dhcp-server lease
add address=192.168.0.10 client-id=1:98:1:a7:99:6f:cf mac-address=98:01:A7:99:6F:CF server=defconf
add address=192.168.0.5 client-id=ff:f8:ce:1b:a1:0:2:0:0:ab:11:a3:5f:3b:bf:fe:9c:ba:7f mac-address=00:1E:06:43:D2:C0 server=defconf
add address=192.168.0.6 client-id=1:0:1e:6:32:92:2f mac-address=00:1E:06:32:92:2F server=defconf
/ip dhcp-server network
add address=192.168.0.0/24 comment=defconf dns-server=192.168.0.1 gateway=192.168.0.1 netmask=24
/ip dns
set allow-remote-requests=yes
/ip dns static
add address=192.168.0.1 comment=defconf name=router.lan type=A
/ip firewall address-list
add address=192.168.0.2-192.168.0.254 list=allowed_to_router
add address=0.0.0.0/8 comment=RFC6890 list=not_in_internet
add address=172.16.0.0/12 comment=RFC6890 list=not_in_internet
add address=192.168.0.0/16 comment=RFC6890 list=not_in_internet
add address=10.0.0.0/8 comment=RFC6890 list=not_in_internet
add address=169.254.0.0/16 comment=RFC6890 list=not_in_internet
add address=127.0.0.0/8 comment=RFC6890 list=not_in_internet
add address=224.0.0.0/4 comment=Multicast list=not_in_internet
add address=198.18.0.0/15 comment=RFC6890 list=not_in_internet
add address=192.0.0.0/24 comment=RFC6890 list=not_in_internet
add address=192.0.2.0/24 comment=RFC6890 list=not_in_internet
add address=198.51.100.0/24 comment=RFC6890 list=not_in_internet
add address=203.0.113.0/24 comment=RFC6890 list=not_in_internet
add address=100.64.0.0/10 comment=RFC6890 list=not_in_internet
add address=240.0.0.0/4 comment=RFC6890 list=not_in_internet
add address=192.88.99.0/24 comment="6to4 relay Anycast [RFC 3068]" list=not_in_internet
add address=mydomain.net list=cloudflare
/ip firewall filter
add action=accept chain=input comment="default configuration" connection-state=established,related
add action=accept chain=input src-address-list=allowed_to_router
add action=accept chain=input protocol=icmp
add action=drop chain=input
add action=fasttrack-connection chain=forward comment=FastTrack connection-state=established,related hw-offload=yes
add action=accept chain=forward comment="Established, Related" connection-state=established,related
add action=drop chain=forward comment="Drop invalid" connection-state=invalid log=yes log-prefix=invalid
add action=drop chain=forward comment="Drop tries to reach not public addresses from LAN" dst-address-list=not_in_internet in-interface=\
    deco log=yes log-prefix=!public_from_LAN out-interface=!deco
add action=drop chain=forward comment="Drop incoming packets that are not NATted" connection-nat-state=!dstnat connection-state=new \
    in-interface=ether1 log=yes log-prefix=!NAT
add action=drop chain=forward comment="Drop incoming from internet which is not public IP" in-interface=ether1 log=yes log-prefix=\
    !public src-address-list=not_in_internet
add action=drop chain=forward comment="Drop packets from LAN that do not have LAN IP" in-interface=deco log=yes log-prefix=LAN_!LAN \
    src-address=!192.168.0.0/24
/ip firewall nat
add action=masquerade chain=srcnat comment=Hairpin dst-address=192.168.0.0/24 src-address=192.168.0.0/24
# Some open ports left out...
add action=masquerade chain=srcnat comment="defconf: masquerade" ipsec-policy=out,none out-interface-list=WAN
/ip ipsec profile
set [ find default=yes ] dpd-interval=2m dpd-maximum-failures=5
/ip service
set telnet disabled=yes
set ftp disabled=yes
set www disabled=yes
set ssh port=2200
set api disabled=yes
set api-ssl disabled=yes
/ip smb shares
set [ find default=yes ] directory=/pub
/ip ssh
set strong-crypto=yes
/ipv6 firewall address-list
add address=::/128 comment="defconf: unspecified address" list=bad_ipv6
add address=::1/128 comment="defconf: lo" list=bad_ipv6
add address=fec0::/10 comment="defconf: site-local" list=bad_ipv6
add address=::ffff:0.0.0.0/96 comment="defconf: ipv4-mapped" list=bad_ipv6
add address=::/96 comment="defconf: ipv4 compat" list=bad_ipv6
add address=100::/64 comment="defconf: discard only " list=bad_ipv6
add address=2001:db8::/32 comment="defconf: documentation" list=bad_ipv6
add address=2001:10::/28 comment="defconf: ORCHID" list=bad_ipv6
add address=3ffe::/16 comment="defconf: 6bone" list=bad_ipv6
/ipv6 firewall filter
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=input comment="defconf: accept ICMPv6" protocol=icmpv6
add action=accept chain=input comment="defconf: accept UDP traceroute" port=33434-33534 protocol=udp
add action=accept chain=input comment="defconf: accept DHCPv6-Client prefix delegation." dst-port=546 protocol=udp src-address=fe80::/10
add action=accept chain=input comment="defconf: accept IKE" dst-port=500,4500 protocol=udp
add action=accept chain=input comment="defconf: accept ipsec AH" protocol=ipsec-ah
add action=accept chain=input comment="defconf: accept ipsec ESP" protocol=ipsec-esp
add action=accept chain=input comment="defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=input comment="defconf: drop everything else not coming from LAN" in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
add action=drop chain=forward comment="defconf: drop packets with bad src ipv6" src-address-list=bad_ipv6
add action=drop chain=forward comment="defconf: drop packets with bad dst ipv6" dst-address-list=bad_ipv6
add action=drop chain=forward comment="defconf: rfc4890 drop hop-limit=1" hop-limit=equal:1 protocol=icmpv6
add action=accept chain=forward comment="defconf: accept ICMPv6" protocol=icmpv6
add action=accept chain=forward comment="defconf: accept HIP" protocol=139
add action=accept chain=forward comment="defconf: accept IKE" dst-port=500,4500 protocol=udp
add action=accept chain=forward comment="defconf: accept ipsec AH" protocol=ipsec-ah
add action=accept chain=forward comment="defconf: accept ipsec ESP" protocol=ipsec-esp
add action=accept chain=forward comment="defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=forward comment="defconf: drop everything else not coming from LAN" in-interface-list=!LAN
/system clock
set time-zone-name=Europe/Copenhagen
/system note
set show-at-login=no
/tool bandwidth-server
set enabled=no
/tool mac-server
set allowed-interface-list=none
/tool mac-server mac-winbox
set allowed-interface-list=LAN
/tool mac-server ping
set enabled=no
Any advice is appreciated, thanks in advance.
 
anav
Forum Guru
Posts: 22089
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada
Contact:

Re: No wan access using back to home

Mon Dec 09, 2024 2:10 pm

The only thing I can suggest is a shot in the dark, but it's the only idea I have.
add a firewall address list manually

/ip firewall address-list
add address=IPaddress-peer1 list=back-to-home-lan-restricted-peers
add address=IPaddress-peer2 list=back-to-home-lan-restricted-peers

However, I do not know what that looks like to actually construct the address list properly.
You can at least see it by NOT allowing wireguard users access to the LAN; then the router makes this list up dynamically, and therefore this address list shows up on a /ip/firewall/address-list print
etc.... Then copy it and make it a manually entered rule like above.

Then make the following firewall rule.

/ip firewall filter
add chain=forward action=accept src-address-list=back-to-home-lan-restricted-peers out-interface-list=WAN
 
wackamole
just joined
Topic Author
Posts: 2
Joined: Mon Dec 09, 2024 1:46 am

Re: No wan access using back to home

Mon Dec 09, 2024 10:14 pm

Thank you for your suggestion - I tried it, but it didn't help.
I was lucky to get closer to the issue. The wireguard peer2 (which is set dynamically) defaults to having a client DNS address of 192.168.216.1. That can be configured in the iOS app, and when it is changed to 8.8.8.8 I can browse WAN again... But if I set it to 192.168.0.1 (which is what my devices use when connected on LAN), I get nothing. If I add 192.168.216.1 in WinBox > DNS Settings > Static > Name: router.vpn, Type: A, Value: 192.168.216.1, I also get nothing.
I can ofc. just go with 8.8.8.8, but would like the default one to work if I share the back-to-home with family. Any thoughts on why it seems like I cannot get those addresses to work as DNS servers?
 
anav
Forum Guru
Posts: 22089
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada
Contact:

Re: No wan access using back to home

Mon Dec 09, 2024 10:33 pm

Okay, here is the way.
On your router make a firewall address list like so:
/ip firewall address-list
add address=192.168.216.2 list=BTH-to-WAN
add address=192.168.216.3 list=BTH-to-WAN
....
add address=192.168.216.XX list=BTH-to-WAN


/ip firewall filter
add chain=forward action=accept src-address-list=BTH-to-WAN out-interface-list=WAN
 
Amm0
Forum Guru
Posts: 4382
Joined: Sun May 01, 2016 7:12 pm
Location: California
Contact:

Re: No wan access using back to home

Mon Dec 09, 2024 11:20 pm

Hmm, not 100% without more inspection.... But I think 192.168.216.0/24 needs to be in the "allowed_to_router" list.
 
anav
Forum Guru
Posts: 22089
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada
Contact:

Re: No wan access using back to home

Mon Dec 09, 2024 11:46 pm

> Hmm, not 100% without more inspection.... But I think 192.168.216.0/24 needs to be in the "allowed_to_router" list.
That would be for remote user access to the config of the router, I thought he was asking for access to the LAN subnets......
 
Amm0
Forum Guru
Posts: 4382
Joined: Sun May 01, 2016 7:12 pm
Location: California
Contact:

Re: No wan access using back to home

Tue Dec 10, 2024 12:13 am

> Hmm, not 100% without more inspection.... But I think 192.168.216.0/24 needs to be in the "allowed_to_router" list.
> That would be for remote user access to the config of the router, I thought he was asking for access to the LAN subnets......
Now that I look, correct. But I read the OP as internet-bound traffic. I still think it's the firewall, but I'm not 100% sure myself — I just don't know what line may be dropping BTH traffic, since it's unclear what path is broken, and the non-default "address-list" firewall with the hairpin NAT rule makes it a bit confusing to sort out what's going on.
