Do you have any conflicting DST-nat rules on port 443 under the nat table? What if you change the https service port number to something different than 443 such as 4443 and then update your filter rule to match?
I didn’t set up any NAT rules and also couldn’t find any default rules, however I read somewhere that there should at least be some default firewall filter rules, which I also can’t see (with /ip firwall filter print), only the ones I created.
Changing the port also didn’t help.
Here’s an export of my config:
# sep/14/2018 14:45:56 by RouterOS 6.43
# software id =
#
#
#
/interface ethernet
set [ find default-name=ether1 ] disable-running-check=no
set [ find default-name=ether2 ] disable-running-check=no
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/snmp community
set [ find default=yes ] read-access=no
add addresses=0.0.0.0/0 authentication-protocol=SHA1 encryption-protocol=AES \
name=librenms security=private
/system logging action
add bsd-syslog=yes name=graylog remote=XXX remote-port=5140 \
target=remote
/ip neighbor discovery-settings
set discover-interface-list=none
/ip dhcp-client
add disabled=no interface=ether1
/ip firewall filter
add action=accept chain=input comment="default configuration" \
connection-state=established,related
add action=accept chain=input comment="allow ping" protocol=icmp
add action=accept chain=input comment="allow ssh" dst-port=22 protocol=tcp
add action=accept chain=input comment="allow https" dst-port=4443 \
protocol=tcp
add action=accept chain=input comment="allow ftp" dst-port=21 protocol=tcp
add action=accept chain=input comment="allow snmp" dst-port=161 protocol=udp \
src-address=XXX
add action=drop chain=input comment="drop everything else" log=yes
/ip service
set telnet disabled=yes
set ftp disabled=yes
set www disabled=yes
set www-ssl certificate=https-cert disabled=no port=4443
set api disabled=yes
set api-ssl certificate=https-cert
/ip ssh
set strong-crypto=yes
/system clock
set time-zone-autodetect=no time-zone-name=Europe/Berlin
/system identity
set name=mikrotik
/system logging
add action=graylog topics=info
add action=graylog topics=error
add action=graylog topics=warning
add action=graylog topics=critical
/system ntp client
set enabled=yes server-dns-names=\
0.pool.ntp.org,1.pool.ntp.org,2.pool.ntp.org,3.pool.ntp.org
/tool bandwidth-server
set enabled=no
/tool mac-server
set allowed-interface-list=none
/tool mac-server mac-winbox
set allowed-interface-list=none
/tool mac-server ping
set enabled=no
When a router is defaulted, it normally has a set default config which includes firewall rules. When you first connect, you have the option to retain the config or start clean. I’d have to think you chose to start clean.
I’m not sure why you can’t connect on 443 or 4443. I’d suggest using Winbox on port 8291 anyway. I find it to be a more responsive and useful method for administration.
I deployed the “Cloud Hosted Router” 6.43 Stable version yesterday via the VMDK on OpenStack, maybe that version doesn’t have those defaults?
Winbox also didn’t work for me, it get’s stuck on “Downloading descriptors…”
I’ll try deploying a different disk format and see if that behaves differently.
In my experience physical Mikrotik hardware has a default set of rules but CHR is normally blank. This would explain the reason you didn’t have any rules.
Did you check your cloud providers security rules? What cloud provider are you using?
I think I’ve figured it out , it’s just missing a route for the / path of the URL, if I add /webfig it seems to be working, but only on HTTP (extremely slowly and missing 90% of the ressources), on HTTPS I’m getting a timeout, could the 1mbit default license be just TOO slow? That might also be the reason why winbox seemingly got stuck “downloading descriptors”.
Trying to aquire a new or trial license i’m getting a new error, even after disabling the DROP from the firewall chain:
I very much doubt the 1Mb limit is the issue unless you have other traffic saturating it. I use CHR in the free mode for all my GNS3 labs and have no issues with connecting on any method
Okay.. it seems to be something caused by OpenStacks network routing, it works perfectly fine on a proxmox cluster
Weirdly enough I only have this problem with RouterOS, all “normal” Linux distros work without any issues.
Derp.. MTU was on 1500 by default, but according to the tech team MTU of 1450 is required, it’s working now, thanks for the help everyone
Open the router up the router on the internet side is very dangerous.
Here are some thing that you could do.
Do not use standard port. Change to other ports than default, example 34022 for SSH
Secure access, so only specific IP can reach you,
Us portknocking (search for it)
Do not open port at all, use VPN, best option
