Hi there
Does anyone know how to access, through Winbox, all MikroTik devices BEHIND the MikroTik router? I can access it after an interface on the RouterBOARD. I have an RB2011 with wireless devices attached to it, but I can only access the RB2011 itself, although it sees the rest of the MT devices in Neighbours and can do a MAC-telnet; I want to be able to access the whole network as such. I'd like to access it via my Wi-Fi version of the RB2011 and via VPN.
For each MT router you must choose an external port (like 8292, 8293, etc…). In the main router, simply forward these ports to the inner router's IP address, to the TCP/8291 port (Winbox service port).
So, locally and remotely, to access all MikroTik devices from a main MikroTik router, do I have to map ports on each device or just on the main router itself?
It's knowing how to do this properly, so that when I go into Winbox I can choose a device at will. Do I have to go in and configure all the ports of each wireless device and port forward on the main router? That seems a lot to do, as I have 20-odd in the network.
You could always use a site-specific private IP address range for management, and route that network to the Mikrotik but perform no NAT translation on that prefix. You could use a filter rule to limit access based on certain trusted sources like your NOC or your home router…
So router above Mikrotik sends 10.1.1.0/24 → mikrotik’s public IP.
Mikrotik adds 10.1.1.1/24 as secondary address to LAN (bypass the range from any hotspot you may be using)
Mikrotik makes sure not to do masquerade/src-nat on 10.1.1.0/24
Mikrotik puts forward rule → out-interface=lan, dst-address=10.1.1.0/24, src-address-list=!management_access action=drop
Even better would be to do this, but use a tagged vlan for the customer lan, and untagged = management vlan.
That way, you don’t have hotspot to worry about on the management network, and no customer could just assign a management IP to their device, etc.
Not sure what the first bit means, but if you have a VPN to the site where all the kit is located, surely you just access it by its IP address? If you’ve done the work of getting a VPN working then you don’t need to use port forwards.
Do I have to go in and configure all the ports of each wireless device and port forward on the main router? That seems a lot to do, as I have 20-odd in the network.
No. You should configure only the main router to properly port-forward incoming connections to the exact routers.
(for example: 8292 to 10.0.0.2/8291, 8293 to 10.0.0.3/8291, etc… if you are on 10.0.0.0/24)
If you manage this size of network, why don't you use The Dude?
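The two approaches suggested in this thread (a routed, un-NATed management prefix with a filter rule, and per-device Winbox port forwards on the main router), written out as a RouterOS configuration. This is an added example, not from any poster here; the interface names ether1-wan and bridge-lan, the address-list name management_access and the trusted source addresses are assumptions.

```routeros
# Added example: RouterOS config on the main router (RB2011) for both methods above.
# Assumed: WAN is ether1-wan, LAN bridge is bridge-lan, management prefix 10.1.1.0/24,
# trusted sources kept in address list "management_access" (sample addresses constructed).

# 1. Trusted management sources (NOC, home router); anything else is dropped below.
/ip firewall address-list
add list=management_access address=203.0.113.10 comment="NOC (sample)"
add list=management_access address=198.51.100.7 comment="home router (sample)"

# 2. Secondary address on the LAN; each wireless device then gets a 10.1.1.x address.
#    The upstream router must route 10.1.1.0/24 to this router's public IP.
/ip address
add address=10.1.1.1/24 interface=bridge-lan comment="management range"

# 3. No masquerade for the management prefix, so replies to the NOC keep their
#    10.1.1.x source. Rule order matters: the accept must come before masquerade.
/ip firewall nat
add chain=srcnat src-address=10.1.1.0/24 action=accept comment="no NAT for mgmt"
add chain=srcnat out-interface=ether1-wan action=masquerade

# 4. Only listed sources may reach the management prefix through this router.
/ip firewall filter
add chain=forward out-interface=bridge-lan dst-address=10.1.1.0/24 src-address-list=!management_access action=drop comment="mgmt access only from trusted sources"

# 5. Alternative from the port-forward answer: 8292 -> 10.0.0.2:8291, 8293 -> 10.0.0.3:8291,
#    and so on for 20 devices, generated in a loop and restricted to the same trusted list.
:for i from=2 to=21 do={
    /ip firewall nat add chain=dstnat in-interface=ether1-wan protocol=tcp dst-port=(8290 + $i) src-address-list=management_access action=dst-nat to-addresses=("10.0.0." . $i) to-ports=8291 comment=("winbox to 10.0.0." . $i)
}
```

On each inner device, limiting the Winbox service to the management prefix (`/ip service set winbox address=10.1.1.0/24`) keeps customer-side hosts from reaching it even if they guess a management address.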
I do believe this is exactly what the new RoMon is for. You connect to the first via RoMon, then all the routers that the first unit can see are now accessible.