Hello,
I’m having problems in configuring rb3011.
I have WAN1 (10mbps) which is a Leased Line with static public IP and WAN2 (500mbps) which is fiber connection with dynamic IP.
I have configured the WAN2 to provide internet on LAN with Distance 1 and WAN 1 with Distance 2. No mangle rules.
The problem is that I am unable to connect to winbox using the WAN1 public IP from outside the network, as WAN2 is working as the primary Internet gateway (route distance 1). If I put WAN1 as primary gateway by changing the route to 1, then I am able to connect to winbox, but the LAN speed gets slow as internet changes to the 10mbps gateway.
I just want that I should be able to connect to winbox from WAN1 using the public IP and LAN users get internet from WAN2. I don’t need load balance but need failover just in case. Please, I would be very grateful if someone could provide a solution. Thanks.
I tried the PCC method, but as both WANs are insanely unequal, it failed, giving a decreased bandwidth for LAN usage. That’s why I figured to use WAN1 for connecting to winbox & VPN from outside the network and WAN2 for LAN.
My point is I do not condone connecting to winbox from the outside unless it's via VPN or a decent quality port knocking setup.
Anything else is a. stupid, and b. a security risk and c. will not help someone do it.
You have no business promoting an unsafe method for new users or any user for that matter to access the router without appropriate security.
A source address list is nice but is not security but obscurity as any IP address can be spoofed…
Not my business to tell you what to do with your own system, but sure as heck not going to be quiet when you advise others so negligently.
Would fully expect to be corrected if I did the same disservice to other OPs…
I followed some videos on YouTube. I guess I missed something. I’ll follow the link you have provided and reconfigure my RB. Then I’ll come back with the results. Thanks for your help.
I totally agree with you. But my concern was that if I am able to connect to winbox basically from outside, then I’ll configure VPN for connecting and accessing the router either via VPN or any other means, keeping in mind the security scenario.
Hi himanshu, using winbox works very well using VPN.
For example, I have used IKEv2 VPN from my iPhone to establish a secure tunnel to the router. I then used my MT app on the phone to configure the router, which is akin to using winbox, same type of settings etc… Works well.
For example, using WireGuard (disclaimer: it is only available on beta firmware at the moment) I can access the router acting as a client WireGuard device at a remote location via winbox from my location.
The nice thing about VPN is that winbox has nothing to do with the input chain rules (don't need to make any allow rules etc. - not exposed). One only opens a VPN connection (allows incoming traffic on the VPN port) to the router, then the VPN tunnel is created.
Then one ensures that the interface one creates behind the router for the VPN traffic is allowed to access the router. When this is true winbox on your laptop or MT app on smart phone will be able to access and configure the router.
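The setup described in the post above, written out as RouterOS input-chain rules for the IKEv2 case. This is an added example, not configuration posted by anyone in the thread; the interface lists WAN and LAN, the VPN client pool 192.168.77.0/24 and the LAN subnet 192.168.88.0/24 are assumptions to adapt.

```routeros
# Added example (assumed names and subnets, see lead-in).
# Goal: only the VPN port is reachable from the internet; WinBox (TCP 8291)
# is reachable only from inside the tunnel or from the LAN.

/ip firewall filter
# Replies to traffic the router itself started, and ongoing sessions
add chain=input action=accept connection-state=established,related \
    comment="established/related"
add chain=input action=drop connection-state=invalid comment="drop invalid"

# The only service exposed on the WAN side: IKEv2 negotiation and NAT-T
add chain=input action=accept protocol=udp dst-port=500,4500 \
    in-interface-list=WAN comment="IKEv2 / NAT-T"
# ESP, needed when there is no NAT between client and router
add chain=input action=accept protocol=ipsec-esp \
    in-interface-list=WAN comment="IPsec ESP"

# WinBox is accepted only for packets that arrived through the IPsec
# tunnel AND carry a source address from the VPN client pool
add chain=input action=accept protocol=tcp dst-port=8291 \
    src-address=192.168.77.0/24 ipsec-policy=in,ipsec \
    comment="WinBox from VPN clients only"

# Local management from the LAN
add chain=input action=accept in-interface-list=LAN comment="LAN to router"

# Everything else to the router is dropped, including WinBox from either WAN
add chain=input action=drop comment="drop all other input"

# Second layer: the WinBox service itself refuses other source addresses
/ip service
set winbox address=192.168.77.0/24,192.168.88.0/24
```

Because the WinBox rule requires `ipsec-policy=in,ipsec`, a packet that merely claims a pool address on the WAN side does not match it and falls through to the final drop.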
Got me, I am not a network engineer, I am a life engineer, and until I understand RP filtering and spoofed packets to the degree you do, I will refrain from using such techniques until I do understand and thus am comfortable with what I am doing.
PS. If this is an accepted and utilized technique by professionals why bother using VPN to configure the router externally??
In other words, until I hear professionals I trust, with deep experience in MT, like MKX or sindy for example, recommending such techniques, my response is no thank you!
However, you bring up a good point. I have set RP as loose, not strict, from the get-go based on either MT docs or advice from the very beginning.
Perhaps now is a good time to revisit that setting and revise my configs with more understanding of its purpose and uses…