rjow2021
Frequent Visitor
Topic Author
Posts: 59
Joined: Thu Nov 19, 2020 6:26 pm

No LAN access when connected to BTH

Fri Apr 12, 2024 12:16 am

The only access I have while connected to BTH is to the router.

I have no access to any other LAN device.

"allow LAN" = yes
# 2024-04-11 21:37:04 by RouterOS 7.14.1
# software id = SKU-FU
#
# model = RB4011iGS+
# serial number = D4NKSERIAL4U
#
# Reviewer notes (added): this is the export exactly as pasted in the post.
# The poster reports that a Back-To-Home (BTH) peer can reach the router but
# no other LAN host. The forward chain below explains that; see the comment
# above the "drop all else" rule.
/interface bridge
# NOTE(review): the admin-mac value as pasted contains a non-hex character
# ("l"), so it is presumably redacted by the poster rather than the real value.
add admin-mac=b0:l0:c5:55:77:d0 auto-mac=no comment=defconf name=bridge \
    port-cost-mode=short
/interface ethernet
set [ find default-name=ether10 ] name=ether10-Management
/interface wireguard
# BTH tunnel interface (UDP 33603). No "/interface wireguard peers" section
# appears in this export; the only BTH user entry is under
# "/ip cloud back-to-home-users" further down.
add comment=back-to-home-vpn listen-port=33603 mtu=1420 name=back-to-home-vpn
/interface vlan
add interface=ether5 name=ether5-911 vlan-id=911
/interface pppoe-client
# WAN uplink; PPPoE user shown, password not exported.
add add-default-route=yes allow=pap disabled=no interface=ether5-911 \
    keepalive-timeout=60 name=pppoe-wan user=\
    hardluck@isp.com
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
# "Neighbours" has no static member in this export (see /interface list member).
add name=Neighbours
/interface lte apn
set [ find default=yes ] ip-type=ipv4 use-network-apn=no
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip dhcp-server option
# DHCP option 6 (DNS) pointing at 192.168.50.99. This option is not referenced
# by the /ip dhcp-server network entry below (which hands out 1.1.1.3/1.0.0.3),
# nor anywhere else in this export -- presumably unused; verify.
add code=6 force=yes name=AdGuard_99 value="'192.168.50.99'"
/ip ipsec policy group
add name=vpn
/ip ipsec profile
# 3des is a legacy cipher; the only IPsec policy in this export (policy 0) is
# disabled, so this profile appears inert as pasted.
set [ find default=yes ] enc-algorithm=aes-256,aes-192,aes-128,3des
/ip ipsec proposal
add enc-algorithms=aes-256-cbc name=vpn pfs-group=none
/ip kid-control
# Three identical entries named "-00-" (likely leftover duplicates).
add fri=7h-1d mon=7h-23h name=-00- sat=7h-1d sun=7h-23h thu=7h-23h tue=\
    7h-23h wed=7h-23h
add fri=7h-1d mon=7h-23h name=-00- sat=7h-1d sun=7h-23h thu=7h-23h tue=\
    7h-23h wed=7h-23h
add fri=7h-1d mon=7h-23h name=-00- sat=7h-1d sun=7h-23h thu=7h-23h tue=\
    7h-23h wed=7h-23h
add name=TEST tue=7h-20h
/ip pool
add name=dhcp ranges=192.168.50.150-192.168.50.200
/ip dhcp-server
add address-pool=dhcp interface=bridge lease-time=10m name=defconf
# NOTE(review): the management DHCP server reuses the 192.168.50.x pool while
# ether10-Management is addressed 192.168.100.1/24 below -- leases would not
# be on-link for that interface; confirm this is intended.
add address-pool=dhcp interface=ether10-Management name=Management-DHCP
/ip smb users
set [ find default=yes ] disabled=yes
/port
set 0 name=serial0
set 1 name=serial1
/routing bgp template
set default disabled=no output.network=bgp-networks
/routing table
add fib name=""
/interface bridge port
# ether2-ether9 and sfp-sfpplus1 are bridge ports; ether10-Management is not.
add bridge=bridge comment=defconf ingress-filtering=no interface=ether2 \
    internal-path-cost=10 path-cost=10
add bridge=bridge comment=defconf ingress-filtering=no interface=ether3 \
    internal-path-cost=10 path-cost=10
add bridge=bridge comment=defconf ingress-filtering=no interface=ether4 \
    internal-path-cost=10 path-cost=10
add bridge=bridge comment=defconf ingress-filtering=no interface=ether5 \
    internal-path-cost=10 path-cost=10
add bridge=bridge comment=defconf ingress-filtering=no interface=ether6 \
    internal-path-cost=10 path-cost=10
add bridge=bridge comment=defconf ingress-filtering=no interface=ether7 \
    internal-path-cost=10 path-cost=10
add bridge=bridge comment=defconf ingress-filtering=no interface=ether8 \
    internal-path-cost=10 path-cost=10
add bridge=bridge comment=defconf ingress-filtering=no interface=sfp-sfpplus1 \
    internal-path-cost=10 path-cost=10
add bridge=bridge comment=defconf ingress-filtering=no interface=ether9 \
    internal-path-cost=10 path-cost=10
/ip firewall connection tracking
# Short UDP tracking timeout; WireGuard is UDP, so idle tunnel flows through
# this router's conntrack are forgotten after 10s (relevant only to
# established/related matching, not to the forward-chain issue below).
set udp-timeout=10s
/ip neighbor discovery-settings
set discover-interface-list=LAN
/ip settings
set max-neighbor-entries=8192
/ipv6 settings
set disable-ipv6=yes max-neighbor-entries=8192
/interface bridge vlan
# NOTE(review): ether10-Management is not a bridge port (see above) and the
# bridge is not exported with vlan-filtering=yes, so this entry looks inert.
add bridge=bridge tagged=ether9 untagged=ether10-Management vlan-ids=10
/interface detect-internet
set detect-interface-list=all
/interface l2tp-server server
set use-ipsec=yes
/interface list member
# The LAN list is what the input chain trusts (see "drop all not coming from
# LAN"). The poster states back-to-home-vpn is added to LAN dynamically, which
# is why it does not appear here.
add interface=bridge list=LAN
add interface=pppoe-wan list=WAN
add interface=ether10-Management list=LAN
/interface ovpn-server server
# md5 (and sha1) are weak HMACs; whether the OVPN server is enabled is not
# shown in this export.
set auth=sha1,md5
/interface sstp-server server
set default-profile=default-encryption
/ip address
add address=192.168.50.1/24 interface=bridge network=192.168.50.0
add address=192.168.100.1/24 interface=ether10-Management network=\
    192.168.100.0
/ip cloud
set back-to-home-vpn=enabled ddns-enabled=yes ddns-update-interval=10m \
    update-time=no
/ip cloud advanced
set use-local-address=yes
/ip cloud back-to-home-users
# BTH user with allow-lan=yes. NOTE(review): the private-key/public-key values
# as pasted are obviously placeholders; a full export does include the real
# private key, so redact before posting (as the poster says they did).
add allow-lan=yes comment=" samsung SM-S916B" name=\
    "MikroTik_RB4011 | RB4011iGS+" private-key=\
    "80088008800880088008800880088008800880088008=" public-key=\
    "80088008800880088008800880088008800880088008="
/ip dhcp-server network
add address=192.168.50.0/24 comment=defconf dns-server=1.1.1.3,1.0.0.3 \
    gateway=192.168.50.1 netmask=24
/ip dns
# The router answers DNS for any source that reaches the input chain; only the
# "drop all not coming from LAN" input rule keeps it from being an open
# resolver towards WAN.
set allow-remote-requests=yes servers=1.1.1.3,1.0.0.3
/ip firewall address-list
add address=192.168.50.2-192.168.50.254 list=allowed_to_router
# Defined but not referenced by any rule in this export (a replier notes the
# same); the range hints at the BTH peer subnet -- confirm.
add address=192.168.216.2-192.168.216.10 list=\
    back-to-home-lan-restricted-peers
# Also unreferenced in the rules below.
add address=192.168.100.0/24 list=Management
/ip firewall filter
# forward: the kid-control jump is evaluated before the fasttrack rule, so it
# sees packets that fasttrack will later bypass; keep in mind when reading
# counters.
add action=jump chain=forward comment="jump to kid-control rules" \
    jump-target=kid-control
# ---- input chain ----
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
# Only the 192.168.50.x LAN range is explicitly accepted; there is no explicit
# accept for the management subnet or for BTH peers.
add action=accept chain=input comment="IP's Allowed to Router" \
    src-address-list=allowed_to_router
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment=\
    "defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
# Last input rule. Anything arriving on an interface in the LAN list that did
# not match above falls off the end of the chain and is accepted by the chain's
# default action -- LAN-list membership is therefore the real control, and it
# is why a BTH peer (whose interface is said to be in LAN dynamically) can
# reach the router. NOTE(review): no static rule accepts UDP 33603 on WAN for
# the WireGuard handshake; since the tunnel does come up, that accept must be
# dynamic -- check "/ip firewall filter print" for dynamic (D) entries.
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
    in-interface-list=!LAN
# ---- forward chain ----
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
    ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
    ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment=\
    "Established, Related to FastTrack" connection-state=established,related \
    hw-offload=yes
add action=accept chain=forward comment=\
    "defconf: accept established,related, untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
# The only generic accept for new connections: LAN-list -> WAN-list.
add action=accept chain=forward comment="internet traffic" in-interface-list=\
    LAN out-interface-list=WAN
add action=accept chain=forward comment="port forwarding" \
    connection-nat-state=dstnat
# NOTE(review): this is the rule whose counters the poster sees increasing.
# A BTH peer reaching a LAN host enters on back-to-home-vpn and exits on
# bridge (out-interface-list=LAN, not WAN), so none of the accepts above match
# and the packet lands here. The default RouterOS firewall has no such
# catch-all in forward; with it, an explicit accept is needed before it, e.g.
#   add action=accept chain=forward comment="BTH to LAN" \
#       in-interface=back-to-home-vpn out-interface-list=LAN
# (or in-interface-list=LAN out-interface-list=LAN if the dynamic LAN
# membership of back-to-home-vpn is relied on).
add action=drop chain=forward comment="drop all else"
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" \
    ipsec-policy=out,none out-interface-list=WAN
/ip ipsec policy
set 0 disabled=yes
/ip service
# telnet/ftp/www/ssh/api/api-ssl are disabled (the ssh port change is moot
# while disabled). winbox and www-ssl are not listed, so presumably still at
# their defaults -- verify.
set telnet disabled=yes
set ftp disabled=yes
set www disabled=yes
set ssh disabled=yes port=2369
set api disabled=yes
set api-ssl disabled=yes
/ip smb shares
# SMB users are disabled above; whether the SMB service itself is enabled is
# not shown in this export.
set [ find default=yes ] directory=/pub
/ppp profile
set *FEEEEEEEE local-address=192.168.89.1 remote-address=*2
/ppp secret
# PPP secret "vpn" with no password exported.
add name=vpn
/system clock
set time-zone-name=Europe/London
/system identity
set name=MikroTik_RB4011
/system ntp client
set enabled=yes
/system ntp server
# NTP server enabled; reachability from WAN is governed by the input chain
# above (UDP 123 is not explicitly accepted there).
set enabled=yes multicast=yes
/system ntp client servers
add address=51.89.151.183
add address=178.62.250.107
/system resource irq rps
set sfp-sfpplus1 disabled=no
/tool bandwidth-server
set enabled=no
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
# "Neighbours" has no members in this export, so MAC-Winbox is effectively
# reachable from no interface.
set allowed-interface-list=Neighbours
Any help appreciated.
 
erlinden
Forum Guru
Posts: 2005
Joined: Wed Jun 12, 2013 1:59 pm
Location: Netherlands

Re: No LAN access when connected to BTH

Fri Apr 12, 2024 8:56 am

By far the easiest (and in my opinion best) way is to add:
 /interface list member
# Static LAN-list membership for the BTH WireGuard interface; in the posted
# config the input chain only drops traffic from interfaces outside this list.
add interface=back-to-home-vpn list=LAN
This way, all WireGuard connections are treated as part of the trusted LAN interface list.
 
rjow2021
Frequent Visitor
Topic Author
Posts: 59
Joined: Thu Nov 19, 2020 6:26 pm

Re: No LAN access when connected to BTH

Fri Apr 12, 2024 11:49 am

By far the easiest (and in my opinion best) way is to add:
 /interface list member
# Static LAN-list membership for the BTH WireGuard interface; in the posted
# config the input chain only drops traffic from interfaces outside this list.
add interface=back-to-home-vpn list=LAN
This way, all WireGuard connections are treated as part of the trusted LAN interface list.
This already exists, although not shown in the config above.

Created Dynamically.

Just unsure why I have access to the router and nothing else.
 
erlinden
Forum Guru
Posts: 2005
Joined: Wed Jun 12, 2013 1:59 pm
Location: Netherlands

Re: No LAN access when connected to BTH

Fri Apr 12, 2024 1:09 pm

The only thing I see is an address list "back-to-home-lan-restricted-peers" that could indicate...something. And that list isn't used.
Is the export complete? Or did you perhaps redact it?

For your info: I configured WireGuard manually, and looking at your config I'm surprised it is working at all...
Especially as a lot of the config described here can't be found, based on:
https://help.mikrotik.com/docs/display/ROS/Back+To+Home

Last check: do you see counters on the last forward firewall increasing when you try to connect to the LAN?
 
rjow2021
Frequent Visitor
Topic Author
Posts: 59
Joined: Thu Nov 19, 2020 6:26 pm

Re: No LAN access when connected to BTH

Fri Apr 12, 2024 7:59 pm

The only thing I see is an address list "back-to-home-lan-restricted-peers" that could indicate...something. And that list isn't used.
Is the export complete? Or did you perhaps redact it?
Ran the command...
/export file=""
# NOTE(review): a full export writes credentials inline (e.g. the WireGuard
# private-key in the posted config); the values there look redacted by hand,
# as the poster says below.
for the config and omitted sensitive stuff and the DHCP lease table.
For your info: I configured Wireguard manually. And by looking at your config I'm surprised it is working at all...
Especially as a lot of the config can't be found, based on:
https://help.mikrotik.com/docs/display/ROS/Back+To+Home
I did have Wireguard working great a few months back. BTH was working then, but I'm trying to figure out what has changed to create this issue.
Last check: do you see counters on the last forward firewall increasing when you try to connect to the LAN?
Counters are increasing on the last forward firewall filter rule.

Individual BTH users have an option "Allow LAN", so there must be a dynamic entry created -- perhaps in the firewall filter list -- for those BTH users when this option is set to yes. But this is not happening.

Note: I also have WAN connection while on BTH.

I'll continue to figure out the issue. Thanks for your input.
 
anav
Forum Guru
Posts: 19639
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: No LAN access when connected to BTH

Fri Apr 12, 2024 8:12 pm

Just to be sure I understand.
Your router has a non-public IP address. The WAN is either behind CGNAT or has a private IP from an upstream ISP router (on which you cannot forward a port).

What you want to do is while away from home remote into the router, via wireguard, and access the LAN, and most likely be able to configure the router as well, if need be.
 
rjow2021
Frequent Visitor
Topic Author
Posts: 59
Joined: Thu Nov 19, 2020 6:26 pm

Re: No LAN access when connected to BTH

Fri Apr 12, 2024 8:20 pm

Just to be sure I understand.
Your router has a non-public IP address. The WAN is either behind CGNAT or has a private IP from an upstream ISP router (on which you cannot forward a port).
WAN is on a public IP address, sir (83.##,##,##), no CGNAT, and port forwarding is all working fine.
What you want to do is while away from home remote into the router, via wireguard, and access the LAN, and most likely be able to configure the router as well, if need be.
BTH was working fine a few months back, when I was out and about I could remote back home to my server and nzb360 if need be.
 
anav
Forum Guru
Posts: 19639
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: No LAN access when connected to BTH

Fri Apr 12, 2024 8:24 pm

You do not need BTH.
Just configure Wireguard manually/properly.

For example, you have no ALLOWED IPs set up that I can see.

Also, do you have the particulars of the remote peer clients' setup?
