Can but cannot login Winbox from WAN

Hi,

I have a strange problem with one of the HAP AC’s. It is configured in standard home AP mode (bridge with dhcp-server on eth 2-5 and firewalled eth1 as WAN with dhcp client, masquerading is on outgoing traffic on eth1). This would be a just fine configuration in basics.

Since I need to have this unit available from the outside, I added a firewall rule to allow access to Winbox on port 8291, but strange things happen. I cannot seem to login, yet I can. Once I try to login with winbox (the unit is on LAN right now and I have just put an “allow all from eth1” as the first rule) I can see that the line is struggling with its data transfer (connecting takes time and downloading plugins sometimes hangs). It then finally connects, but all screens in Winbox are empty. For example the interfaces window should always display stuff… after a minute or so, the connection is dropped and winbox closes.

So the port is not being firewalled, but yet cannot seem to stay stable. Connecting using the MAC address instead of the ip doesn’t seem to work at all.

I have already completely reset the configuration and started from scratch - removed all scripts and other firewall rules, but without any luck. If I login from one of the bridged ports (2-5) or via Wifi, I can connect without any problems.

If I can’t get it to work on the LAN I’m sure it won’t work going over internet. What can I do to get this going? Or is the unit faulty?

screenshot: empty windows

screenshot: firewall rules

I think leaving your management open to the outside world is a bad idea. A better idea would be to configure a VPN between the two devices and access the management of the device via that VPN tunnel.

Sure you’re right. But strengthening the setup is something of later concern (the minimum would be that only my own ip would be allowed, but setting up VPN is also an option).

But that does not fix this problem. I should be able to manage it over the WAN interface, especially now it’s on the LAN. I’m wondering if the device is broken or not and how I could verify such…

Edit: it appears that I’m suffering from this problem: http://forum.mikrotik.com/t/hap-ac-faulty-seriers-very-poor-lan-performance-switch-problem/96655/1
Cooling the unit down in the fridge turns it into a working wan interface again. The question is: for how long? And what can I do to sustain it?

Anyone else with bright ideas? The referred topic doesn’t state a solution to the problem and putting the unit in the fridge every hour also doesn’t sound right…
In the meantime, after a few reboots I seem to be able to login on the unit from the WAN side. But performance over WAN still is terrible, there seems to be huge packet loss. I hope someone can point me in the right direction as to where to look to pinpoint this problem vs. decide that it needs RMA…

Thanks.