DTj377d
just joined
Topic Author
Posts: 3
Joined: Fri Apr 26, 2024 9:28 am

Winbox connection denied through VPN

Fri Apr 26, 2024 9:35 am

Hi Everyone,

I am new here and hoping I can get some ideas.
I set up SSL VPN on the FortiGate firewall and tried to access a MikroTik site through Winbox, and the connection was denied.
To test, I added the current IP of my laptop and also tried removing it. No change.

/ip firewall filter
add action=accept chain=input comment="Allow access to Mikrotik" dst-port=8291 \
protocol=tcp


When I press Connect in Winbox I can see logs from the FG firewall and the MikroTik, so it is hitting the interface, but I'm not sure why it is being denied.
Please let me know if you need more info and I will provide it here. Thanks in advance!
 
holvoetn
Forum Guru
Posts: 5514
Joined: Tue Apr 13, 2021 2:14 am
Location: Belgium

Re: Winbox connection denied through VPN

Fri Apr 26, 2024 9:38 am

Without seeing any config, it's hard to tell where the problem exactly is.

That firewall rule should be above any drop rule on input chain or it will not do a lot.
 
anav
Forum Guru
Posts: 19628
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Winbox connection denied through VPN

Fri Apr 26, 2024 6:12 pm

The input chain should not be open to the internet except for handshaking for a VPN.
One does not directly access Winbox, aka the router (input chain), for config purposes; instead you make the tunnel connection via VPN and then allow that VPN interface or subnet etc. to access the input chain. In other words, access to Winbox should be from behind the router (either from a local subnet, or once in the router on a secure VPN, WireGuard being the easiest).

This is a very unsafe rule and should be removed:
/ip firewall filter
add action=accept chain=input comment="Allow access to Mikrotik" dst-port=8291 \
protocol=tcp
 
Techsystem
Member
Posts: 357
Joined: Tue Dec 21, 2021 5:12 am

Re: Winbox connection denied through VPN

Fri Apr 26, 2024 6:34 pm

Do you have firewall rules in your MikroTik?
If yes, please post them.
 
DTj377d
just joined
Topic Author
Posts: 3
Joined: Fri Apr 26, 2024 9:28 am

Re: Winbox connection denied through VPN

Mon Apr 29, 2024 1:55 am

Hi All,

Please see the current firewall rules.

/ip firewall filter
add action=fasttrack-connection chain=forward dst-address=xx.xx.xx.xx \
dst-port=80,443 protocol=tcp src-address=172.18.192.0/20
add action=drop chain=forward in-interface=ether6-MGMT
add action=drop chain=forward out-interface=ether6-MGMT
add action=passthrough chain=unused-hs-chain comment=\
"place hotspot rules here" disabled=yes
add action=accept chain=forward out-interface="Client Transit"
add action=drop chain=input comment="The MAC address keep trying to use BitTor\
rent and tried to block by MAC address." disabled=yes log=yes \
src-mac-address=xx.xx.xx.xx.xx.xx
add action=drop chain=input comment="BitTorrent user block" disabled=yes log=\
yes src-mac-address=xx.xx.xx.xx.xx.xx

As per your advice, I have removed the port 8291 input rule. There are not many rules configured and I'm not sure why I can't make this work.
Please let me know if you need more info. Thanks in advance!!
 
anav
Forum Guru
Posts: 19628
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Winbox connection denied through VPN

Mon Apr 29, 2024 2:15 pm

Given that you have nothing at all that looks like the default firewall rules, there are two possibilities:
a. you are very experienced and the rules are great and you don't need help
b. you copied them from various places and really need lots of help.

If it is the latter case, keep reading; if it's a., then I cannot help.
a. post complete config
/export file=anynameyouwish (minus router serial number, any public WAN IP information, keys etc.)

1. identify all user(s)/device(s) / groups of users and devices and yourself as admin
2. identify all the traffic required to pass.

In terms of stopping BitTorrent, one cannot stop apps with MT devices, and a MAC address is L2, not L3, and thus firewall rules will not help.
If you know the MAC address, ensure the IP address is statically set to that MAC address.
Then consider adding queuing to that IP address so it gets very little traffic flow (making torrenting useless but allowing simple browsing).
 
LdB
Member Candidate
Posts: 160
Joined: Thu May 20, 2021 4:23 pm

Re: Winbox connection denied through VPN

Wed May 01, 2024 5:04 pm

People, if it was the firewall it wouldn't know about the connection ... forget the firewall.

He told you this:
When I press connect on the winbox I can see logs from FG Firewall & Mikrotik so it is hitting the interface but not sure why it is being denied.
The actual service has restricted IP ranges that are allowed to log in, and the VPN isn't one of them.
It couldn't tell you any more clearly WHY IT IS REFUSING CONNECTION.

OP, go to the IP/Services screen and add your VPN IP range to the allowed IP list of the service you are trying to log in on.

There is an example of restricting Telnet to an IP range in the manual:
https://wiki.mikrotik.com/wiki/Manual:IP/Services
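The thread raises three separate reasons a Winbox session can fail or be exposed: an input-chain accept for TCP/8291 placed after a drop rule (holvoetn), an accept with no source restriction at all (anav), and an `/ip service` allowed-address list that does not include the VPN pool (LdB). The script below is an added example, not code from the forum or from MikroTik: it parses a RouterOS `/export` fragment and reports all three conditions. The export text is constructed for the example, and the `VPN_POOL` value reuses the 172.18.192.0/20 range from the OP's fasttrack rule as a stand-in client pool; neither is the OP's real configuration.

```python
"""Audit a RouterOS export for the three Winbox-over-VPN problems raised in the
thread: a shadowed TCP/8291 accept, an unrestricted TCP/8291 accept, and an
/ip service allowed-address list that excludes the VPN client pool."""
import ipaddress
import shlex

# Constructed sample export (not the OP's config): the "Allow access to
# Mikrotik" rule sits after a catch-all drop and has no src-address, and
# winbox logins are restricted to the LAN subnet only.
SAMPLE_EXPORT = """\
/ip firewall filter
add action=accept chain=input comment="established, related" \\
    connection-state=established,related
add action=drop chain=input comment="drop everything else on input"
add action=accept chain=input comment="Allow access to Mikrotik" dst-port=8291 \\
    protocol=tcp
/ip service
set winbox address=192.168.88.0/24 port=8291
set ssh port=22
"""

# Assumed VPN client pool (borrowed from the OP's fasttrack rule as a stand-in).
VPN_POOL = "172.18.192.0/20"

# Matchers that narrow a rule; a drop with none of these is a catch-all.
NARROWING = ("src-address", "src-address-list", "dst-port", "protocol",
             "in-interface", "in-interface-list", "connection-state")
SOURCE_LIMITS = ("src-address", "src-address-list", "in-interface", "in-interface-list")


def parse_export(text):
    """Return {section path: [entry, ...]}. Each entry maps key -> value, with the
    command word under '_cmd' and bare words (e.g. a service name) under '_args'."""
    sections, current, pending = {}, None, ""
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.endswith("\\"):          # RouterOS wraps long lines with a trailing backslash
            pending += line[:-1]         # keep the space before the backslash, drop indentation
            continue
        line, pending = pending + line, ""
        if line.startswith("/"):
            current = line
            sections.setdefault(current, [])
            continue
        tokens = shlex.split(line)       # handles quoted values such as comment="..."
        entry = {"_cmd": tokens[0], "_args": []}
        for tok in tokens[1:]:
            key, sep, val = tok.partition("=")
            if sep:
                entry[key] = val
            else:
                entry["_args"].append(tok)
        sections[current].append(entry)
    return sections


def winbox_input_findings(sections, port="8291"):
    """Return [(finding, rule index), ...] for active input-chain accepts of TCP/<port>.
    'shadowed': a catch-all drop precedes the accept, so it never matches.
    'unrestricted': no source/interface matcher, so the service is open on every interface."""
    findings, catch_all_drop_at = [], None
    for idx, rule in enumerate(sections.get("/ip firewall filter", [])):
        if rule.get("chain") != "input" or rule.get("disabled") == "yes":
            continue
        action = rule.get("action")
        if action == "drop" and catch_all_drop_at is None and not any(k in rule for k in NARROWING):
            catch_all_drop_at = idx
        if action != "accept" or rule.get("protocol") != "tcp":
            continue
        if port not in rule.get("dst-port", "").split(","):
            continue
        if not any(k in rule for k in SOURCE_LIMITS):
            findings.append(("unrestricted", idx))
        if catch_all_drop_at is not None and catch_all_drop_at < idx:
            findings.append(("shadowed", idx))
    return findings


def service_allows(sections, service, client):
    """True/False: does /ip service <service> accept logins from `client` (an address
    or CIDR string)? None if the service is not present in the export."""
    client_net = ipaddress.ip_network(client, strict=False)
    for entry in sections.get("/ip service", []):
        if entry["_cmd"] == "set" and service in entry["_args"]:
            if not entry.get("address"):        # empty address list = any source allowed
                return True
            allowed = [ipaddress.ip_network(a, strict=False) for a in entry["address"].split(",")]
            return any(net.version == client_net.version and client_net.subnet_of(net)
                       for net in allowed)
    return None


if __name__ == "__main__":
    cfg = parse_export(SAMPLE_EXPORT)
    for finding, idx in winbox_input_findings(cfg):
        print(f"/ip firewall filter rule {idx}: {finding}")
    print("winbox reachable from VPN pool:", service_allows(cfg, "winbox", VPN_POOL))
```

On the sample, the audit reports the 8291 accept as both unrestricted and shadowed, and reports that the winbox service does not admit the VPN pool; fixing the OP's case means moving the accept above the drop, narrowing it with `src-address=` to the VPN pool, and adding that pool to the winbox service's address list.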
 
DTj377d
just joined
Topic Author
Posts: 3
Joined: Fri Apr 26, 2024 9:28 am

Re: Winbox connection denied through VPN

Thu May 02, 2024 4:54 am

Hi All,

Thank you for all your feedback!!!
I found the issue and resolved the problem.
As you can see, the MikroTik has nothing, and I realized it is directly connected to the FortiGate firewall. I found one of the firewall rules related to this, and once I enabled NAT it worked!!

Thanks again everyone :)
