Access Winbox with starting configuration

Hello,

I have a hAP with default configuration (switch eth2-3-4-5-wifi, dhcp server, dhcp client on eth1)

I would like to reach Winbox from eth1 (internet)

Default configuration of firewall :

/ip firewall filter
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment="defconf: accept established,related" connection-state=established,related
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related
add action=accept chain=forward comment="defconf: accept established,related" connection-state=established,related
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
add action=drop chain=forward comment="defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat connection-state=new in-interface=ether1
add action=drop chain=input comment="defconf: drop all from WAN" in-interface=ether1
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" out-interface=ether1

With default configuration, it is not possible to access the router with Winbox from internet (eth1)

So I add this rule:
add action=accept chain=input comment="Winbox from Internet" dst-port=8921 protocol=tcp

But it doesn't work..

Can you help me ?

Remove this rule

add action=drop chain=input comment="defconf: drop all from WAN" in-interface=ether1

Yes, I know this will work if I remove this rule.

But it is more secure, no?

Is it possible to drop all except 8921?

And if I put my rule before the drop all, why doesn't it work??

Hi,

Just a guess:

a. put your input before any drop rule

/ip firewall filter
add action=accept chain=input comment="Winbox from Internet" dst-port=8921 protocol=tcp in-interface=ether1

b. disable rule

add action=drop chain=forward comment="defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat connection-state=new in-interface=ether1

Does it work now ?

kind regards,

No,
It works only when I disable: add action=drop chain=input comment="defconf: drop all from WAN" in-interface=ether1

Port number is 8291..

Hi,

Sharp eyes… I did not notice it :)

/ip firewall filter
add action=accept chain=input comment="Winbox from Internet" dst-port=8291 protocol=tcp in-interface=ether1

kind regards,
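The two things that went wrong in this thread (the accept rule was appended below "defconf: drop all from WAN", and the port was 8921 instead of Winbox's 8291) both come down to how RouterOS walks a filter chain: rules are evaluated top to bottom and the first rule that matches decides. The forward-chain rules never enter into it, because traffic addressed to the router itself only traverses the input chain. The following is an added example written for this page, not code from the posts above or from MikroTik: a small first-match model of the input chain loaded with the default-configuration rules from the first post, used to replay the broken and the working orderings, and to show that with the accept rule above the drop rule every other port from ether1 is still dropped. The src-address restriction is an extra hardening idea not discussed in the thread; the addresses are constructed documentation ranges.

```python
"""First-match model of the RouterOS /ip firewall filter input chain.

Added example for this thread, not code from the original posts or from
MikroTik. Matchers modelled: chain, protocol, dst-port, in-interface,
connection-state and (as an added hardening idea, not from the thread)
src-address. Packets are constructed inline with documentation addresses.
"""
import ipaddress
from dataclasses import dataclass
from typing import FrozenSet, List, Optional, Tuple


@dataclass
class Rule:
    chain: str
    action: str
    comment: str = ""
    protocol: Optional[str] = None
    dst_port: Optional[int] = None
    in_interface: Optional[str] = None
    connection_state: Optional[FrozenSet[str]] = None
    src_address: Optional[str] = None  # CIDR; assumption, not in the thread

    def matches(self, pkt: dict) -> bool:
        # A rule matches only when every matcher it sets agrees with the packet.
        if self.chain != pkt["chain"]:
            return False
        if self.protocol is not None and self.protocol != pkt["protocol"]:
            return False
        if self.dst_port is not None and self.dst_port != pkt.get("dst_port"):
            return False
        if self.in_interface is not None and self.in_interface != pkt["in_interface"]:
            return False
        if self.connection_state is not None and pkt["connection_state"] not in self.connection_state:
            return False
        if self.src_address is not None and \
                ipaddress.ip_address(pkt["src"]) not in ipaddress.ip_network(self.src_address):
            return False
        return True


def evaluate(rules: List[Rule], pkt: dict) -> Tuple[str, str]:
    """Return (action, comment) of the first matching rule. A packet that
    matches nothing in the chain is accepted, as in RouterOS."""
    for rule in rules:
        if rule.matches(pkt):
            return rule.action, rule.comment
    return "accept", "implicit (no rule matched)"


def default_input_rules() -> List[Rule]:
    # The three input-chain rules of the hAP default configuration, in order.
    return [
        Rule("input", "accept", "defconf: accept ICMP", protocol="icmp"),
        Rule("input", "accept", "defconf: accept established,related",
             connection_state=frozenset({"established", "related"})),
        Rule("input", "drop", "defconf: drop all from WAN", in_interface="ether1"),
    ]


def winbox_rule(port: int, src_address: Optional[str] = None) -> Rule:
    return Rule("input", "accept", "Winbox from Internet", protocol="tcp",
                dst_port=port, in_interface="ether1", src_address=src_address)


def wan_packet(dst_port: Optional[int], protocol: str = "tcp",
               src: str = "198.51.100.7") -> dict:
    # Constructed packet: a new connection arriving from the internet on ether1.
    return {"chain": "input", "protocol": protocol, "dst_port": dst_port,
            "in_interface": "ether1", "connection_state": "new", "src": src}


def insert_before_drop(rules: List[Rule], rule: Rule) -> List[Rule]:
    """Place the rule just above the first drop rule of its chain, which is
    what 'put your accept before any drop rule' means in the thread.
    A plain 'add' in RouterOS appends to the end of the chain instead."""
    out = list(rules)
    for i, r in enumerate(out):
        if r.chain == rule.chain and r.action == "drop":
            out.insert(i, rule)
            return out
    out.append(rule)
    return out


if __name__ == "__main__":
    base = default_input_rules()
    print("default config, Winbox from WAN:", evaluate(base, wan_packet(8291)))
    print("rule appended after drop:", evaluate(base + [winbox_rule(8291)], wan_packet(8291)))
    print("rule before drop, port typo 8921:",
          evaluate(insert_before_drop(base, winbox_rule(8921)), wan_packet(8291)))
    fixed = insert_before_drop(base, winbox_rule(8291))
    print("rule before drop, port 8291:", evaluate(fixed, wan_packet(8291)))
    print("same ruleset, SSH from WAN:", evaluate(fixed, wan_packet(22)))
```

Run it as a script and the first three cases come out as "drop" from "defconf: drop all from WAN": the appended rule never gets a chance because the drop above it already matched, and the rule with dst-port=8921 simply does not match a packet to 8291. Only the last ordering accepts Winbox, while port 22 from ether1 is still dropped, which is the "drop all except 8291" behaviour the original poster was after. Exposing Winbox to the whole internet is still a large attack surface; the `src_address` matcher in `winbox_rule` shows how the same accept rule can be limited to a known management network.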

OMFG !
2 days !!

RTFM slowly.. :(

Sorry and thanks

Hi,

No problem. Anytime :)

kind regards,