Admin user permissions issue with new CHR install on proxmox

Hey guys, today I installed the latest ROS build on Proxmox. After finishing the setup (like 5 hours, lol) everything is working fine, but I seem to have lost some admin power? Like I can't even use the terminal inside WinBox, nor on the web interface? What could be the issue? It seems I can't do many low-level changes, like I can't even change the password or add users? Any insight, guys? I'm really confused, like I'm the admin and the owner but I'm being locked out, ahh!

thanks,

Apparently you have created a group “admin” that has less permissions than the group “full”, and you made “admin” member of that group instead of its default group “full”.
Now you have locked yourself out! (at least out of creating new users)

This is terminal.
Fortunately you can still login, so you need to do:

/export show-sensitive file=backup

Then you download that file backup.rsc to your computer.

Now you have to start again from scratch, installing a new ROS instance, and re-configure it using your export file.
Do not blindly import it and cause the same issue, but cut/paste important/complicated sections of your network config.

It seems that @OP created another user System with full permissions. So he has to use that user to perform certain tasks. Which is exactly the point of creating a non-default user with full permissions (as a means of strengthening the security of a device).

I didn't create the second user, ahh, I guess I was dumb.
I left my router open to the whole internet with just the admin user, facepalm, as I'm used to pfSense/OPNsense. I thought there were some standard rules to only allow the web GUI/WinBox from the LAN, but there were no rules at all on the fresh CHR install.

So I deleted the whole VM and redid the whole setup, as there was no way to recover, lol, not even with console access. The first thing I did was create another user with full access and delete the admin user, and after only 10 minutes of connecting the WAN, while setting up the rules inside the terminal, I started seeing failed access attempts from outside IPs using the admin user, lol, WTF. It did not even take that long?
Anyhow, I disabled API access too to avoid further headaches, and implemented the rules below as per the MikroTik guides.
They should be enough? Any other rules I should add? I tried to add the raw rules as per the guide but it killed my internet, so I disabled them. Are they that important?

(34 messages not shown)
2024-08-24 11:22:17 system,error,critical login failure for user admin from 103.102.230.2 via api
2024-08-24 11:22:18 system,error,critical login failure for user admin from 103.102.230.2 via api
2024-08-24 11:22:18 system,error,critical login failure for user admin from 103.102.230.2 via api
2024-08-24 11:22:18 system,error,critical login failure for user admin from 103.102.230.2 via api
2024-08-24 11:22:19 system,error,critical login failure for user admin from 103.102.230.2 via api
2024-08-24 11:22:19 system,error,critical login failure for user admin from 103.102.230.2 via api
2024-08-24 11:22:19 system,error,critical login failure for user admin from 103.102.230.2 via api
2024-08-24 11:22:19 system,error,critical login failure for user admin from 103.102.230.2 via api


11:31:09 echo: system,error,critical login failure for user admin from 193.41.206.142 via api
11:33:17 echo: system,error,critical login failure for user admin from 193.41.206.23 via api
11:33:18 echo: system,error,critical login failure for user admin from 193.41.206.23 via api
11:33:18 echo: system,error,critical login failure for user admin from 193.41.206.23 via api
11:33:18 echo: system,error,critical login failure for user admin from 193.41.206.23 via api
11:33:18 echo: system,error,critical login failure for user admin from 193.41.206.23 via api
11:33:18 echo: system,error,critical login failure for user admin from 193.41.206.23 via api
11:33:18 echo: system,error,critical login failure for user admin from 193.41.206.23 via api
11:33:18 echo: system,error,critical login failure for user admin from 193.41.206.23 via api
11:33:19 echo: system,error,critical login failure for user admin from 193.41.206.23 via api
11:33:19 echo: system,error,critical login failure for user admin from 193.41.206.23 via api
11:33:19 echo: system,error,critical login failure for user admin from 193.41.206.23 via api
11:33:19 echo: system,error,critical login failure for user admin from 193.41.206.23 via api
11:33:19 echo: system,error,critical login failure for user admin from 193.41.206.23 via api
11:33:19 echo: system,error,critical login failure for user admin from 193.41.206.23 via api
11:33:20 echo: system,error,critical login failure for user admin from 193.41.206.23 via api
11:33:20 echo: system,error,critical login failure for user admin from 193.41.206.23 via api
11:33:20 echo: system,error,critical login failure for user admin from 193.41.206.23 via api
11:33:20 echo: system,error,critical login failure for user admin from 193.41.206.23 via api
11:33:20 echo: system,error,critical login failure for user admin from 193.41.206.23 via api
11:33:20 echo: system,error,critical login failure for user admin from 193.41.206.23 via api
11:33:20 echo: system,error,critical login failure for user admin from 193.41.206.23 via api
11:33:21 echo: system,error,critical login failure for user admin from 193.41.206.23 via api
11:33:21 echo: system,error,critical login failure for user admin from 193.41.206.23 via api
11:33:21 echo: system,error,critical login failure for user admin from 193.41.206.23 via api
11:33:21 echo: system,error,critical login failure for user admin from 193.41.206.23 via api
11:33:21 echo: system,error,critical login failure for user admin from 193.41.206.23 via api
11:33:21 echo: system,error,critical login failure for user admin from 193.41.206.23 via api
11:33:21 echo: system,error,critical login failure for user admin from 193.41.206.23 via api
11:33:22 echo: system,error,critical login failure for user admin from 193.41.206.23 via api
11:33:22 echo: system,error,critical login failure for user admin from 193.41.206.23 via api
11:33:22 echo: system,error,critical login failure for user admin from 193.41.206.23 via api
11:33:22 echo: system,error,critical login failure for user admin from 193.41.206.23 via api
11:33:22 echo: system,error,critical login failure for user admin from 193.41.206.23 via api
11:33:22 echo: system,error,critical login failure for user admin from 193.41.206.23 via api
11:33:23 echo: system,error,critical login failure for user admin from 193.41.206.23 via api
11:33:23 echo: system,error,critical login failure for user admin from 193.41.206.23 via api
11:33:23 echo: system,error,critical login failure for user admin from 193.41.206.23 via api
11:33:23 echo: system,error,critical login failure for user admin from 193.41.206.23 via api
11:33:23 echo: system,error,critical login failure for user admin from 193.41.206.23 via api
11:33:23 echo: system,error,critical login failure for user admin from 193.41.206.23 via api
11:33:23 echo: system,error,critical login failure for user admin from 193.41.206.23 via api
11:33:24 echo: system,error,critical login failure for user admin from 193.41.206.23 via api
11:34:17 echo: system,error,critical login failure for user admin from 193.41.206.156 via api



 Flags: X - disabled, I - invalid; D - dynamic 
 0  D ;;; special dummy rule to show fasttrack counters
      chain=forward action=passthrough 

 1    ;;; defconf: accept ICMP after RAW
      chain=input action=accept protocol=icmp 

 2    ;;; defconf: accept established,related,untracked
      chain=input action=accept connection-state=established,related,untracked 

 3    ;;; defconf: drop all not coming from LAN
      chain=input action=drop in-interface-list=!LAN 

 4    ;;; defconf: accept all that matches IPSec policy
      chain=forward action=accept log=no log-prefix="" ipsec-policy=in,ipsec 

 5 X  ;;; defconf: fasttrack
      chain=forward action=fasttrack-connection hw-offload=yes 
      connection-state=established,related log=no log-prefix="" 

 6    ;;; defconf: accept established,related, untracked
      chain=forward action=accept 
      connection-state=established,related,untracked 

 7    ;;; defconf: drop invalid
      chain=forward action=drop connection-state=invalid log=no log-prefix="" 

 8    ;;; defconf:  drop all from WAN not DSTNATed
      chain=forward action=drop connection-state=new 
      connection-nat-state=!dstnat in-interface-list=WAN log=no log-prefix="" 

 9    ;;; defconf: drop bad forward IPs
      chain=forward action=drop src-address-list=no_forward_ipv4 log=no 
      log-prefix="" 

10    ;;; defconf: drop bad forward IPs
      chain=forward action=drop dst-address-list=no_forward_ipv4 log=no 
      log-prefix=



Flags: X - DISABLED, I - INVALID
Columns: NAME, PORTS
#   NAME     PORTS
0 X ftp         21
1 X tftp        69
2 X irc       6667
3 X h323          
4 X sip       5060
              5061
5 X pptp          
6 X rtsp       554
7   udplite       
8   dccp          
9   sctp



Flags: X - DISABLED, I - INVALID
Columns: NAME, PORT, CERTIFICATE, VRF
#   NAME     PORT  CERTIFICATE  VRF 
0 X telnet     23               main
1 X ftp        21                   
2   www        80               main
3   ssh        22               main
4 X www-ssl   443  none         main
5 X api      8728               main
6   winbox   8291               main
7 X api-ssl  8729  none         main

check my reply lol, it was kinda my fault.

Also I disabled the fasttrack rules as they seemed to be killing the WG client speed.

You need to understand that MikroTik routers, and especially the CHR and CCR, are for network experts.
These two models come completely without configuration and you need to setup your own firewall rules.
Other models have a default firewall ruleset (the one you found), but when you blindly apply it to another use case (not a NAT router at someone's home with 1 port connected to the internet and the others to internal systems) it may not be correct and/or safe either.

That also goes for "fasttrack". It is a method to speed up forwarding in underpowered consumer routers, but you need to fully understand how it works before you can use it in complicated scenarios with VPN and other special handling (multiple route tables, mangle rules, etc).
So I always disable that as the first thing when using a MikroTik router in such situations…
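The OP asked whether the pasted ruleset is enough and what else to add, and the replies point at the two real problems: a fresh CHR has no firewall and no interface lists, and the default "admin" account was reachable from the WAN. The script below is an added example, not from any post in this thread and not MikroTik's default configuration; it assumes a hypothetical layout (ether1 = WAN, ether2 = LAN, a WireGuard interface "wireguard1" on UDP 13231, management from 192.168.88.0/24 and 10.10.10.0/24, all placeholders). Run it from the Proxmox VM console, or from a terminal after pressing Ctrl-X to enter Safe Mode, so that a mistake that cuts your session is rolled back instead of locking you out.

```routeros
# Added example (not from the thread). Placeholders: ether1/ether2,
# wireguard1, 192.168.88.0/24, 10.10.10.0/24, the user name and password.

# 1. Interface lists. The defconf rules the OP pasted match on
#    in-interface-list, which is empty on a fresh CHR, so define them first.
/interface wireguard
add name=wireguard1 listen-port=13231 comment="private key is generated automatically; add peers separately"
/interface list
add name=WAN
add name=LAN
/interface list member
add list=WAN interface=ether1
add list=LAN interface=ether2
add list=LAN interface=wireguard1

# 2. Replace the default "admin" account with a non-default full user, then
#    disable admin. Do this from a second session, so a typo in the new
#    account cannot lock you out; delete admin only once the new login works.
/user
add name=ops-admin group=full password="use-a-long-random-passphrase" comment="full admin, non-default name"
set [find name=admin] disabled=yes

# 3. Run only the services you use, and pin each one to the management
#    networks. Everything else (including api/api-ssl) stays off.
/ip service
set telnet disabled=yes
set ftp disabled=yes
set www disabled=yes
set api disabled=yes
set api-ssl disabled=yes
set ssh address=192.168.88.0/24,10.10.10.0/24
set winbox address=192.168.88.0/24,10.10.10.0/24
set www-ssl address=192.168.88.0/24,10.10.10.0/24

# 4. Management networks as an address list, so the filter rules stay short.
/ip firewall address-list
add list=mgmt address=192.168.88.0/24 comment="office LAN (placeholder)"
add list=mgmt address=10.10.10.0/24 comment="WireGuard clients (placeholder)"

# 5. Input chain, in order. The only WAN-facing service is the WireGuard
#    handshake; every other packet to the router itself is accepted only
#    from LAN or the mgmt list, so the "login failure ... via api" noise
#    never reaches a service. Hosts that probe management ports from WAN
#    are blacklisted for a day before the final drop.
/ip firewall filter
add chain=input action=accept connection-state=established,related,untracked comment="accept established,related,untracked"
add chain=input action=drop connection-state=invalid comment="drop invalid"
add chain=input action=drop src-address-list=mgmt_blacklist comment="drop blacklisted scanners"
add chain=input action=accept protocol=icmp comment="accept ICMP"
add chain=input action=accept protocol=udp dst-port=13231 in-interface-list=WAN comment="WireGuard handshake from WAN"
add chain=input action=accept in-interface-list=LAN comment="management from LAN (includes wireguard1)"
add chain=input action=accept src-address-list=mgmt comment="management from mgmt list"
add chain=input action=add-src-to-address-list address-list=mgmt_blacklist address-list-timeout=1d \
    in-interface-list=WAN protocol=tcp dst-port=21,22,23,80,443,8291,8728,8729 connection-state=new \
    comment="anyone touching management ports from WAN goes on the blacklist"
add chain=input action=drop comment="drop everything else to the router"

# 6. Verify before leaving Safe Mode: the counters on the last rule should
#    climb while your own session keeps working.
/ip firewall filter print stats where chain=input
/ip service print
```

The blacklist rule is placed after the accept rules, so a management host that is itself on the LAN or mgmt list can never be blacklisted; only sources that would be dropped anyway get recorded. This example deliberately leaves the forward chain, the raw/prerouting bogon rules and fasttrack out: the forward rules from the OP's paste already drop new WAN connections that are not DST-NATed, and, as the last reply says, fasttrack should stay disabled until you know how it interacts with the WireGuard traffic on this box.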