CANNOT GET TO ROUTER VIA HTTP PORT

Hi,

Problem is I can’t access my web interface from the outside (internet) ip via the web interface.


I can ping the external (pppoe) ip from a remote location on the internet, and I can winbox into the router through the pppoe ip as well, but I can’t access the router’s web interface from the outside. From the internal IP ranges I can access the web interface fine. Using a routerboard 750 with version 5.5.

I disabled the Hotspot functionality in case it was that; I don’t have any ip firewall rules, only the masquerade rule.

I wouldn’t usually care, but I also can’t port forward to anything (I have three cameras I would like to get connected to the internet which aren’t working).

I have a feeling if I solve the web interface access problem I will be able to port forward too.

I have all ip/firewall service ports and ip/services list enabled.

Any suggestions?
Can give read-only access or config. Been trying to figure this out for hours and have run out of time…

Post the output of “/ip address print detail”, “/ip route print detail”, “/interface print”, “/ip firewall export”, and an accurate network diagram.

Please post the output of

/ip service print
/ip firewall filter print

Thanks for the quick reply guys:

[zenon@Montagus] > /ip service print
Flags: X - disabled, I - invalid 
 #   NAME                                     PORT ADDRESS                                                                      CERTIFICATE                                 
 0   telnet                                     23
 1   ftp                                        21
 2   www                                        80
 3   ssh                                        22
 4   www-ssl                                   443                                                                              none                                        
 5   api                                      8728
 6   winbox                                   8291

and

[zenon@Montagus] > /ip firewall filter print
Flags: X - disabled, I - invalid, D - dynamic 
 0 X ;;; place hotspot rules here
     chain=unused-hs-chain action=passthrough 

 1   chain=input action=accept

and

[zenon@Montagus] /ip firewall nat> print
Flags: X - disabled, I - invalid, D - dynamic 
 0 X ;;; place hotspot rules here
     chain=unused-hs-chain action=passthrough 

 1   ;;; masquerade 192.168.1.0/24
     chain=srcnat action=masquerade src-address=192.168.1.0/24 
     out-interface=MWEB 

 2   ;;; masquerade 192.168.0.0/24
     chain=srcnat action=masquerade src-address=192.168.0.0/24 
     out-interface=MWEB 

 3   ;;; masquerade all 10.10.10.0/24
     chain=srcnat action=masquerade src-address=10.10.10.0/24 
     out-interface=MWEB 

 4   ;;; Rule for RDC to server on TCP
     chain=dstnat action=dst-nat to-addresses=10.10.10.254 to-ports=3389 
     protocol=tcp dst-port=3389 

 5   ;;; Rule for RDC to server on UDP
     chain=dstnat action=dst-nat to-addresses=10.10.10.254 to-ports=3389 
     protocol=udp dst-port=3389 

 6   ;;; Rule for Camera1
     chain=dstnat action=dst-nat to-addresses=192.168.1.51 protocol=tcp 
     dst-port=8851 

 7   ;;; Rule for Camera2
     chain=dstnat action=dst-nat to-addresses=192.168.1.52 protocol=tcp 
     dst-port=8852 

 8   ;;; Rule for Camera3
     chain=dstnat action=dst-nat to-addresses=192.168.1.53 protocol=tcp 
     dst-port=8853 

 9   ;;; Rule for Camera4
     chain=dstnat action=dst-nat to-addresses=192.168.1.54 protocol=tcp 
     dst-port=8854 

10   ;;; TightVNC Route from port 8855 to 1.166 on port 5900 - udp
     chain=dstnat action=dst-nat to-addresses=192.168.1.166 to-ports=5900 
     protocol=udp dst-port=5900 

11   ;;; TightVNC Route from port 8856 to 1.166 on port 5900 - tcp
     chain=dstnat action=dst-nat to-addresses=192.168.1.166 to-ports=5900 
     protocol=tcp dst-port=5900 

12   ;;; masquerade 192.168.1.0/24
     chain=srcnat action=masquerade out-interface=MWEB

and

[zenon@Montagus] /ip address>> print     
Flags: X - disabled, I - invalid, D - dynamic 
 #   ADDRESS            NETWORK         INTERFACE                                
 0   192.168.0.249/24   192.168.0.0     ether3                                   
 1   192.168.1.253/24   192.168.1.0     ether2                                   
 2   192.168.1.249/24   192.168.1.0     ether3                                   
 3   192.168.0.254/24   192.168.0.0     ether4                                   
 4   10.10.10.2/24      10.10.10.0      ether4                                   
 5 D 41.133.4.154/32    41.132.40.1     MWEB

and

[zenon@Montagus] /ip route> print
Flags: X - disabled, A - active, D - dynamic, 
C - connect, S - static, r - rip, b - bgp, o - ospf, m - mme, 
B - blackhole, U - unreachable, P - prohibit 
 #      DST-ADDRESS        PREF-SRC        GATEWAY            DISTANCE
 0 ADS  0.0.0.0/0                          41.132.40.1               1
 1 ADC  10.10.10.0/24      10.10.10.2      ether4                    0
 2 ADC  41.132.40.1/32     41.133.4.154    MWEB                      0
 3 ADC  192.168.0.0/24     192.168.0.254   ether4                    0
                                           ether3            
 4 ADC  192.168.1.0/24     192.168.1.249   ether3                    0

and

[zenon@Montagus] /interface> print
Flags: D - dynamic, X - disabled, R - running, S - slave 
 #     NAME                               TYPE               MTU L2MTU  MAX-L2MTU
 0  R  ether1                             ether             1500  1526
 1  R  ether2                             ether             1500  1524       1524
 2  R  ether3                             ether             1500  1524       1524
 3  R  ether4                             ether             1500  1524       1524
 4     ether5                             ether             1500  1524       1524
 5  R  MWEB                               pppoe-out         1480

Still can’t figure it out… weird, as this is only like my 50th board I am configuring…

I have several other routerboards working perfectly.
You can access these web interfaces from the internet fine, and port forwarding works fine too.

damn wtf I just made a long post and hit submit and everything disappeared :( .. mmmm

Anyway, access to this board specifically seems to be the problem.

I don’t see anything wrong with the configuration. The IP pings so it’s clearly live from across the WAN. There’s nothing in IP services or the firewall that would block tcp/80 from across the WAN. I can also SSH to that IP address (at least I get a password prompt, though of course I don’t have any login information), so other TCP based services are working in addition to ICMP.

Can you use the built in tools like torch or traffic monitor to verify the router ever sees the packets?
Or maybe use a filter rule like this to log traffic:

/ip firewall filter add chain=input place-before=1 in-interface=MWEB protocol=tcp dst-port=80 dst-address-type=local action=log

Then try to connect to the web interface via the WAN and see if anything shows up in the logs.

Even if you say the provider usually allows those services, right now that’s the logical explanation - other services work, and you’re not blocking tcp/80 specifically according to the configuration output you posted. Also the web service works from another interface, so the service itself is up and running.
If you don’t see any packets being logged or in the traffic monitor, that’s another indicator that it’s a fault with the ISP before things ever hit your router, so that’s the next logical test to run.

In the end you were correct. The ISP has instituted a new security measure that has to be disabled that prevents inward http requests:

ADSL Protected Access

Helps to keep your ADSL connection safe from hackers who may try to steal your bandwidth. If you are unsure, we recommend enabling this service.

PROTECTED ACCESS: [DISABLED ]


I had to change this.

Much appreciated..

Strange thing: I don’t get any traffic showing in the firewall rule you posted, even when logged in remotely via the web interface.

Do the packet counters increase on that rule? If it’s just not showing up in the logs you might not have a logging action for the relevant topics.

I have used the www service on another port to get around the residential block on port 80.
8080 or 8088 seem to work in most cases.

Would that be ok?

/ip service
set www port=8080

Then access with
http://xx.xx.xx.xx:8080

IP>Services>
Enable www
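As an added example (not from any post in this thread), a RouterOS configuration that covers both the logging rule suggested earlier and the port-change workaround in the last reply, and additionally narrows which sources may reach the router's own services given the accept-everything input rule shown in the posted filter output. The management range 203.0.113.0/24 and the address-list name mgmt are assumptions.

```routeros
# Added example, not from the thread. Assumes the WAN interface is MWEB, the
# LAN ranges are those in the posted /ip address print, and that remote
# administration comes from 203.0.113.0/24 (a constructed placeholder range).

# 1. Diagnostic: count and log WAN tcp/80 aimed at the router itself.
#    Filter chains are input/forward/output only; a "prerouting" filter chain
#    is just an unused custom chain. place-before=0 keeps the rule ahead of the
#    existing accept-everything input rule, which would otherwise shadow it.
/ip firewall filter add chain=input place-before=0 in-interface=MWEB \
    protocol=tcp dst-port=80 action=log log-prefix="wan-http" \
    comment="diag: WAN tcp/80 to router"
# Counters staying at zero while a remote browser is retrying means the packets
# never reached the router (upstream filtering, as in this thread).
/ip firewall filter print stats where comment~"diag"
/log print where topics~"firewall"

# 2. Workaround for an ISP block on tcp/80: serve www on another port, and
#    while at it, limit which sources may reach management services at all.
/ip service set www port=8080
/ip service set www,winbox address=203.0.113.0/24,192.168.0.0/16,10.10.10.0/24
/ip service set telnet,ftp,api disabled=yes

# 3. Replace "chain=input action=accept" with an explicit input policy.
#    Order matters: the accept rules for the current session come first.
/ip firewall address-list add list=mgmt address=203.0.113.0/24
/ip firewall filter
remove [find chain=input action=accept]
add chain=input connection-state=established,related action=accept
add chain=input in-interface=!MWEB action=accept comment="all LAN ports"
add chain=input in-interface=MWEB protocol=tcp dst-port=8080,8291 \
    src-address-list=mgmt action=accept comment="WAN management"
add chain=input in-interface=MWEB protocol=icmp action=accept
add chain=input action=drop comment="everything else to the router"
# Verify from the WAN side afterwards: tcp/8080 from the mgmt range reaches the
# web interface; tcp/23 and tcp/21 no longer answer.
```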