can't ping or telnet or winbox into RB711-2Hn

I just got my RB711-2Hn and they are running ROS 5.6. I set them up the usual way. I have my entire network running 4.17 and have good luck with them. With this new board and ROS I am having problems. I can’t ping the CPE (711) or telnet or connect with winbox.

I don’t know if it is the RB711 or the new ROS. I suspect the new ROS is the problem. I am sure I just don’t have some setting correct. The CPE works fine; I just can’t get to it remotely to manage it.

Any help will be welcome.

There’s something wrong with your config. What exactly is wrong is hard to troubleshoot without seeing the configuration. Post the output of “/ip address print detail”, “/ip route print detail”, “/interface print detail”, “/ip service print detail”, and “/ip firewall export” together with a network diagram and a detailed explanation of how you’re trying to access the CPE (from what source IP to what destination IP, protocol used, etc).

Is there a way to cut and paste from terminal? All I can do is a screen capture and import to PAINT. Not sure how to attach the jpeg to this post.

Of course. Select the text, right click, copy, then paste here. Just like any other text.

[admin@MikroTik] > ip add pr det
Flags: X - disabled, I - invalid, D - dynamic
0 ;;; default configuration
address=192.168.88.1/24 network=192.168.88.0 interface=ether1-local actual-interface=ether1-local

1 address=74.113.211.8/27 network=74.113.211.0 interface=wlan1-gateway actual-interface=wlan1-gateway
[admin@MikroTik] > ip rou pr det
Flags: X - disabled, A - active, D - dynamic, C - connect, S - static, r - rip, b - bgp, o - ospf, m - mme,
B - blackhole, U - unreachable, P - prohibit
0 A S dst-address=0.0.0.0/0 gateway=74.113.211.30 gateway-status=74.113.211.30 reachable wlan1-gateway distance=1 scope=30
target-scope=10

1 ADC dst-address=74.113.211.0/27 pref-src=74.113.211.8 gateway=wlan1-gateway gateway-status=wlan1-gateway reachable
distance=0 scope=10

2 ADC dst-address=192.168.88.0/24 pref-src=192.168.88.1 gateway=ether1-local gateway-status=ether1-local reachable
distance=0 scope=10
[admin@MikroTik] > int pr det
Flags: D - dynamic, X - disabled, R - running, S - slave
0 R name="wlan1-gateway" type="wlan" mtu=1500 l2mtu=2290

1 R name="ether1-local" type="ether" mtu=1500 l2mtu=1598 max-l2mtu=2030
[admin@MikroTik] > ip ser pr det
Flags: X - disabled, I - invalid
0 name="telnet" port=23

1 name="ftp" port=21

2 name="www" port=80

3 name="ssh" port=22

4 X name="www-ssl" port=443 certificate=none

5 X name="api" port=8728

6 name="winbox" port=8291
[admin@MikroTik] > ip fire exp

dec/08/2011 10:07:26 by RouterOS 5.6

software id = 3AH7-DP72

/ip firewall connection tracking
set enabled=yes generic-timeout=10m icmp-timeout=10s tcp-close-timeout=10s tcp-close-wait-timeout=10s
tcp-established-timeout=1d tcp-fin-wait-timeout=10s tcp-last-ack-timeout=10s tcp-syn-received-timeout=5s
tcp-syn-sent-timeout=5s tcp-syncookie=no tcp-time-wait-timeout=10s udp-stream-timeout=3m udp-timeout=10s
/ip firewall filter
add action=accept chain=input comment="default configuration" disabled=no protocol=icmp
add action=accept chain=input comment="default configuration" connection-state=established disabled=no
add action=accept chain=input comment="default configuration" connection-state=related disabled=no
add action=drop chain=input comment="default configuration" disabled=no in-interface=wlan1-gateway
/ip firewall nat
add action=masquerade chain=srcnat comment="default configuration" disabled=no out-interface=wlan1-gateway
/ip firewall service-port
set ftp disabled=no ports=21
set tftp disabled=no ports=69
set irc disabled=no ports=6667
[admin@MikroTik] >



I have this one on my test bench connected to my Mikrotik AP here at the office. Its real address is shown so you can try to winbox or telnet in. 74.113.211.8 admin and no password

I even downgraded one of my live 711-2hn in the field to 4.17 and it does the same thing. It works fine but you can’t ping or telnet to it. I still suspect some setting stayed the same even after I downgraded it to 4.17. I need to see what setting is causing this.

Thanks for your help!

/ip firewall filter
add action=accept chain=input comment="default configuration" disabled=no protocol=icmp
add action=accept chain=input comment="default configuration" connection-state=established disabled=no
add action=accept chain=input comment="default configuration" connection-state=related disabled=no
add action=drop chain=input comment="default configuration" disabled=no in-interface=wlan1-gateway

That means “don’t accept any management connection to the router when they come into the router via the wlan1-gateway interface”. You need to add a firewall filter above the drop rule that permits traffic sourced from the IPs that your management traffic would come from.

You should also look into using SSH over telnet if you’re going to do management access via the WAN. telnet transmits usernames and passwords in clear text and is very insecure.

Can you give me an example of the code to use? I have a block of assigned addresses from ARIN and would like to allow access from them.

/ip firewall address-list
add list=management address=1.1.1.0/24
add list=management address=2.2.2.0/24
/ip firewall filter
add chain=input src-address-list=management action=accept

Then move the filter rule above the existing drop rule.

Also refer to the manual: http://wiki.mikrotik.com/wiki/Manual:IP/Firewall/Filter - these are very basic questions.

And again: look into SSH. Seriously. telnet is very, very insecure.
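To see why the accept rule has to sit above the drop rule, here is an added example (not part of the original posts): a small Python model of first-match evaluation over the filter rules exported in the thread. It covers only the matchers those rules use; the packet fields and the source address 1.1.1.25 are constructed, and the address-list ranges are the reply's own placeholders.

```python
import ipaddress
import shlex

# Input-chain rules exactly as exported in the thread.
EXPORTED = """\
add action=accept chain=input comment="default configuration" disabled=no protocol=icmp
add action=accept chain=input comment="default configuration" connection-state=established disabled=no
add action=accept chain=input comment="default configuration" connection-state=related disabled=no
add action=drop chain=input comment="default configuration" disabled=no in-interface=wlan1-gateway
"""
# Rule and address-list entries from the reply (the ranges are its placeholders).
MGMT_RULE = "add chain=input src-address-list=management action=accept"
ADDRESS_LISTS = {"management": ["1.1.1.0/24", "2.2.2.0/24"]}

def parse(export):
    """Turn 'add key=value ...' export lines into a list of dicts."""
    rules = []
    for line in export.splitlines():
        tokens = shlex.split(line)
        if tokens and tokens[0] == "add":
            rules.append(dict(t.split("=", 1) for t in tokens[1:]))
    return rules

def matches(rule, pkt):
    """True if every matcher present in the rule agrees with the packet."""
    for key in ("protocol", "connection-state", "in-interface"):
        if key in rule and rule[key] != pkt.get(key):
            return False
    if "src-address-list" in rule:
        src = ipaddress.ip_address(pkt["src-address"])
        nets = ADDRESS_LISTS.get(rule["src-address-list"], [])
        return any(src in ipaddress.ip_network(n) for n in nets)
    return True

def verdict(rules, pkt):
    """First matching rule decides; RouterOS accepts when nothing matches."""
    for index, rule in enumerate(rules):
        if rule["chain"] == "input" and matches(rule, pkt):
            return rule["action"], index
    return "accept", None

# Constructed packet: first SYN of a management session arriving on the WAN side.
syn = {"protocol": "tcp", "connection-state": "new",
       "in-interface": "wlan1-gateway", "src-address": "1.1.1.25"}
rules = parse(EXPORTED)
appended = rules + parse(MGMT_RULE)                 # plain 'add' puts the rule last
moved = rules[:3] + parse(MGMT_RULE) + rules[3:]    # rule moved above the drop
```

With the rule only appended, the drop at position 3 still matches first; once it is moved, listed sources are accepted at position 3 and every other source arriving on wlan1-gateway still hits the drop.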

Thanks, it works! I guess the new boards come with filter rules that block incoming from wlan port. I never had that problem with boards that came with 4.x ROS.

Thanks

David

Those rules were part of 4.x, too. The difference is the kind of board you use. http://wiki.mikrotik.com/wiki/Manual:Default_Configurations documents the different default configurations of a variety of RouterBOARDs.

Thanks, 1 last question. I can telnet and winbox now but not ssh to it. I looked at services and telnet and ssh are enabled. Also tools and wireless in winbox don’t have ssh as an option. From my unix server I can’t ssh to it.

thanks

david

According to what you posted SSH is enabled.