Configuring a dedicated management port

Hey folks, I dove into Mikrotik about 2 years ago but then life took me in a different direction just as I was learning, so now I am starting from scratch again.

OK, I am going crazy trying to figure out the simplest thing. I’m new at Mikrotik and have an RB5009UPr+S+. The first thing I did was rename some ports, set up some networks and stuff, and then I want to turn Port 8 into a dedicated management port so that I always have easy access no matter what I screw up.

But Winbox is not connecting!

I removed Port 8 from the default bridge and created its own network, 10.0.254.0/24. DHCP seems to work fine: I get an address when I plug into that port. In IP->Services I have that subnet set for Winbox access. But dangit, Winbox will not connect! When I switch to one of the bridge ports (2 through 7), Winbox connects fine to 192.168.88.1. And in fact from here it even connects to 10.0.254.1.

But when plugged into Port 8 I can’t connect to Winbox!

Another, more minor thing bothering me is that I can’t get a response from ping no matter which port I am plugged into.

Here is a dump of my config.

[admin@MikroTik] > export

feb/03/1970 04:12:16 by RouterOS 7.8

software id = 4CAA-WNVT

model = RB5009UPr+S+

serial number = HF709ARMFCN

/interface bridge
add admin-mac=78:9A:18:8B:AD:EB auto-mac=no name=br-main
/interface ethernet
set [ find default-name=ether1 ] name=P1-WAN
set [ find default-name=ether2 ] name=P2-free
set [ find default-name=ether3 ] name=P3-Switch
set [ find default-name=ether4 ] name=P4-CAP03
set [ find default-name=ether5 ] name=P5-CAP02
set [ find default-name=ether6 ] name=P6-CAP01
set [ find default-name=ether7 ] name=P7-Router
set [ find default-name=ether8 ] name=P8-MGMT
/interface vlan
add interface=br-main name=vl-guest-wifi vlan-id=66
add interface=br-main name=vl-guest-wired vlan-id=77
add interface=br-main name=vl-iot vlan-id=55
add interface=br-main name=vl-kids-wifi vlan-id=33
add interface=br-main name=vl-kids-wired vlan-id=44
add interface=br-main name=vl-mgmt vlan-id=11
add interface=br-main name=vl-server vlan-id=22
add interface=br-main name=vl-tr-wifi vlan-id=99
add interface=br-main name=vl-tr-wired vlan-id=88
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
add name=MGMT
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip pool
add name=default-dhcp ranges=192.168.88.10-192.168.88.254
add name=pool-dhcp-temp ranges=172.30.99.22-172.30.99.222
add name=pool-dhcp-mgmt ranges=10.0.254.100-10.0.254.110
add name=pool-dhcp-br-wired ranges=10.1.88.22-10.1.88.33
add name=pool-dhcp-vl-mgmt ranges=10.2.11.100-10.2.11.110
add name=pool-dhcp-vl-srvr ranges=10.2.22.100-10.2.22.120
add name=pool-dhcp-vl-iot ranges=10.2.55.2-10.2.55.222
add name=pool-dhcp-vl-guest-wifi ranges=10.2.66.22-10.2.66.222
add name=pool-dhcp-vl-guest-wired ranges=10.2.77.22-10.2.77.222
add name=pool-dhcp-vl-tr-wired ranges=10.2.88.22-10.2.88.222
add name=pool-dhcp-vl-tr-wifi ranges=10.2.99.22-10.2.99.222
add name=pool-dhcp-vl-kids-wifi ranges=10.2.33.100-10.2.33.200
add name=pool-dhcp-vl-kids-wired ranges=10.2.44.100-10.2.44.200
/ip dhcp-server
add address-pool=default-dhcp interface=br-main name=defconf
add address-pool=pool-dhcp-mgmt interface=P8-MGMT name=dhcp-mgmt
add address-pool=pool-dhcp-vl-mgmt interface=vl-mgmt name=dhcp-vl-mgmt
/interface bridge port
add bridge=br-main interface=P2-free
add bridge=br-main interface=P3-Switch
add bridge=br-main interface=P4-CAP03
add bridge=br-main interface=P5-CAP02
add bridge=br-main interface=P6-CAP01
add bridge=br-main interface=P7-Router
/ip neighbor discovery-settings
set discover-interface-list=LAN
/interface list member
add interface=br-main list=LAN
add interface=P1-WAN list=WAN
add interface=P8-MGMT list=MGMT
/ip address
add address=192.168.88.1/24 comment=defconf interface=br-main network=192.168.88.0
add address=10.0.254.1 interface=P8-MGMT network=255.255.255.0
/ip dhcp-client
add comment=defconf interface=P1-WAN
/ip dhcp-server network
add address=10.0.254.0/24 dns-server=10.0.254.1 gateway=10.0.254.1
add address=192.168.88.0/24 comment=defconf dns-server=192.168.88.1 gateway=192.168.88.1
/ip dns
set allow-remote-requests=yes
/ip dns static
add address=192.168.88.1 comment=defconf name=router.lan
/ip firewall address-list
add address=10.0.254.0/24 list=SN-MGMT
add address=10.2.254.0/24 list=SN-VL-MGMT
add address=10.2.22.0/24 list=SN-VL-SRVR
add address=10.2.33.0/24 list=SN-VL-KIDS-WIFI
add address=10.2.44.0/24 list=SN-VL-KIDS-WIRED
add address=10.2.55.0/24 list=SN-VL-IOT
add address=10.2.66.0/24 list=SN-VL-GST-WIFI
add address=10.2.77.0/24 list=SN-VL-GST-WIRED
add address=10.2.88.0/24 list=SN-VL-TR-WIRED
add address=10.2.99.0/24 list=SN-VL-TR-WIFI
add address=10.0.0.0/8 list=RFC1918-10
add address=172.16.0.0/12 list=RFC1918-172-16
add address=192.168.0.0/16 list=RFC1918-192-168
add address=10.0.0.0/8 list=RFC1918
add address=172.16.0.0/12 list=RFC1918
add address=192.168.0.0/16 list=RFC1918
/ip firewall filter
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment="defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=accept chain=input in-interface=P8-MGMT
add action=accept chain=input in-interface-list=MGMT
add action=drop chain=input comment="defconf: drop all not coming from LAN" in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related hw-offload=yes
add action=accept chain=forward comment="defconf: accept established,related, untracked" connection-state=established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
add action=drop chain=input in-interface-list=WAN
add action=drop chain=forward comment="defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat connection-state=new in-interface-list=WAN
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" ipsec-policy=out,none out-interface-list=WAN
/ip service
set winbox address=192.168.88.0/24,10.0.254.0/24,10.2.254.0/24
/ipv6 firewall address-list
add address=::/128 comment="defconf: unspecified address" list=bad_ipv6
add address=::1/128 comment="defconf: lo" list=bad_ipv6
add address=fec0::/10 comment="defconf: site-local" list=bad_ipv6
add address=::ffff:0.0.0.0/96 comment="defconf: ipv4-mapped" list=bad_ipv6
add address=::/96 comment="defconf: ipv4 compat" list=bad_ipv6
add address=100::/64 comment="defconf: discard only " list=bad_ipv6
add address=2001:db8::/32 comment="defconf: documentation" list=bad_ipv6
add address=2001:10::/28 comment="defconf: ORCHID" list=bad_ipv6
add address=3ffe::/16 comment="defconf: 6bone" list=bad_ipv6
/ipv6 firewall filter
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=input comment="defconf: accept ICMPv6" protocol=icmpv6
add action=accept chain=input comment="defconf: accept UDP traceroute" port=33434-33534 protocol=udp
add action=accept chain=input comment="defconf: accept DHCPv6-Client prefix delegation." dst-port=546 protocol=udp src-address=fe80::/10
add action=accept chain=input comment="defconf: accept IKE" dst-port=500,4500 protocol=udp
add action=accept chain=input comment="defconf: accept ipsec AH" protocol=ipsec-ah
add action=accept chain=input comment="defconf: accept ipsec ESP" protocol=ipsec-esp
add action=accept chain=input comment="defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=input comment="defconf: drop everything else not coming from LAN" in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
add action=drop chain=forward comment="defconf: drop packets with bad src ipv6" src-address-list=bad_ipv6
add action=drop chain=forward comment="defconf: drop packets with bad dst ipv6" dst-address-list=bad_ipv6
add action=drop chain=forward comment="defconf: rfc4890 drop hop-limit=1" hop-limit=equal:1 protocol=icmpv6
add action=accept chain=forward comment="defconf: accept ICMPv6" protocol=icmpv6
add action=accept chain=forward comment="defconf: accept HIP" protocol=139
add action=accept chain=forward comment="defconf: accept IKE" dst-port=500,4500 protocol=udp
add action=accept chain=forward comment="defconf: accept ipsec AH" protocol=ipsec-ah
add action=accept chain=forward comment="defconf: accept ipsec ESP" protocol=ipsec-esp
add action=accept chain=forward comment="defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=forward comment="defconf: drop everything else not coming from LAN" in-interface-list=!LAN
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN
[admin@MikroTik] >

I was just able to configure MAC address admin for port 8, which is good, but it still does not solve either of my 2 problems.

Help me Obi-wan Kenobi, you’re my only hope!

This address entry is wrong:


/ip address
add address=10.0.254.1 interface=P8-MGMT network=255.255.255.0

It should be changed into


/ip address
add address=10.0.254.1/24 interface=P8-MGMT network=10.0.254.0

Oh, that is interesting. Last night I was reviewing my configs and I noticed that this network did the “network=” bit differently from the other network I have configured. Both were done in the GUI, so I’m not sure why it would do those differently. I ended up going to bed before trying to change that and then totally forgot about it today - thanks! I will try that right now.

Well, that does not seem to have done the trick - still not connecting.

/ip address
add address=192.168.88.1/24 comment=defconf interface=br-main network=192.168.88.0
add address=10.0.254.1 interface=P8-MGMT network=10.0.254.0

Another thing I noticed when reviewing a basic sample configuration on the website is that they specifically list port 8291, but nowhere in my GUI-generated config does it list that port number, not even for the bridge, which works.

add chain=input in-interface=ether1 action=accept protocol=tcp port=8291 comment="allow Winbox";

I added that same rule right here and I can see the byte count in Winbox incrementing as the rule is being hit, but it is still not connecting.

add action=accept chain=input comment="defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=accept chain=input dst-port=8291 in-interface=P8-MGMT protocol=tcp
add action=accept chain=input in-interface=P8-MGMT

Your interface list for P8 is MGMT, but Winbox access is restricted to list LAN.

It seems to me.

You are missing the /24 (look at my previous post for the full value of address)


I think this is only relevant for Winbox access using MAC address, and according to OP he has later corrected this.

No, remove this rule please, because it opens your Winbox port to the whole internet, that’s why you see the counter increasing, because there are always rogue parties on the internet doing port scans.

Your firewall already has this:


/ip firewall filter
add action=accept chain=input in-interface=P8-MGMT
add action=accept chain=input in-interface-list=MGMT

And that’s enough. Actually, one of the two already suffices. If you want to only keep one, keep the rule using interface-list=MGMT.

Two errors

/ip neighbor discovery-settings
set discover-interface-list=LAN

/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN

Should be
/ip neighbor discovery-settings
set discover-interface-list=MGMT
/tool mac-server
set allowed-interface-list=none
/tool mac-server mac-winbox
set allowed-interface-list=MGMT
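The two corrections given in this thread (the missing /24 on the management address, and the interface lists used by neighbor discovery and MAC-Winbox pointing at LAN instead of the list that actually contains the management port) are easy to miss in a GUI-built config. The following is an added Python example, not code from the thread or from MikroTik, that lints an /export dump for exactly these mistakes. It parses the export into sections, checks that every /ip address has a prefix length, checks that the lists referenced by /ip neighbor discovery-settings and /tool mac-server mac-winbox contain the management port, checks that /ip service winbox address covers the management subnet, and then walks the input chain in order to confirm that a new TCP/8291 connection is accepted from the management port and is not accepted from any WAN list member (the exposure the sample "allow Winbox" rule creates when it is pasted onto the WAN port). The sample export is a constructed excerpt of the thread's original config; the name P8-MGMT and the lists LAN/WAN/MGMT are taken from it, and the firewall matcher models only the fields the thread's rules use.

```python
import ipaddress
import shlex
from collections import defaultdict

# Constructed excerpt of the thread's broken export (not a full config), plus the docs' "allow Winbox" rule on the WAN port.
SAMPLE_EXPORT = """\
/interface list member
add interface=br-main list=LAN
add interface=P1-WAN list=WAN
add interface=P8-MGMT list=MGMT
/ip address
add address=192.168.88.1/24 interface=br-main network=192.168.88.0
add address=10.0.254.1 interface=P8-MGMT network=255.255.255.0
/ip neighbor discovery-settings
set discover-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN
/ip service
set winbox address=192.168.88.0/24,10.0.254.0/24
/ip firewall filter
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=accept chain=input in-interface-list=MGMT
add action=accept chain=input comment="allow Winbox" in-interface=P1-WAN port=8291 protocol=tcp
add action=drop chain=input comment="defconf: drop all not coming from LAN" in-interface-list=!LAN
"""

def parse_export(text):
    """Group 'add'/'set' entries under their '/section' header; values are shlex-unquoted."""
    cfg, section = defaultdict(list), None
    for line in map(str.strip, text.splitlines()):
        if not line or line[0] in "#[":          # blank, '# comment' or a CLI prompt line
            continue
        if line.startswith("/"):
            section = line
            continue
        cmd, *rest = shlex.split(line)
        entry = {"_cmd": cmd}
        if cmd == "set" and rest and rest[0] == "[":          # set [ find default-name=... ] k=v
            rest = rest[rest.index("]") + 1:]
        elif cmd == "set" and rest and "=" not in rest[0]:    # set winbox k=v
            entry["_target"], rest = rest[0], rest[1:]
        for key, _, value in (tok.partition("=") for tok in rest):
            entry[key] = value
        cfg[section].append(entry)
    return cfg

# Only the matchers the thread's input chain uses are modelled (no port ranges); anything else counts as "no match".
MATCHERS = {
    **{k: (lambda v, p, L, k=k: v == p[k]) for k in ("chain", "in-interface", "protocol", "dst-address")},
    **{k: (lambda v, p, L: p["dst-port"] in v.split(",")) for k in ("dst-port", "port")},
    "in-interface-list": lambda v, p, L: (p["in-interface"] in L[v.lstrip("!")]) != v.startswith("!"),
    "connection-state": lambda v, p, L: p["connection-state"] in v.split(","),
}

def first_action(rules, pkt, lists):
    """First matching rule decides; RouterOS accepts when no rule matches."""
    for rule in rules:
        if all(MATCHERS.get(k, lambda *_: False)(v, pkt, lists)
               for k, v in rule.items() if k[0] != "_" and k not in ("action", "comment")):
            return rule["action"], rule.get("comment") or " ".join(f"{k}={v}" for k, v in rule.items() if k[0] != "_")
    return "accept", "no rule matched (RouterOS default)"

def winbox_from(iface):   # a new TCP/8291 connection to the router itself, arriving on iface
    return {"chain": "input", "in-interface": iface, "protocol": "tcp", "dst-port": "8291",
            "connection-state": "new", "dst-address": "router-address"}

def lint(text, mgmt_iface="P8-MGMT"):
    """Return findings for the dedicated management port; an empty list means all checks pass."""
    cfg, findings, mgmt_net, lists = parse_export(text), [], None, defaultdict(set)
    for m in cfg["/interface list member"]:
        lists[m["list"]].add(m["interface"])
    mgmt_lists = {name for name, members in lists.items() if mgmt_iface in members}
    for a in cfg["/ip address"]:
        if "/" not in a["address"]:              # no prefix length: RouterOS stores a /32
            findings.append(f"{a['address']} on {a['interface']} has no prefix length (stored as /32)")
        elif a["interface"] == mgmt_iface:
            mgmt_net = ipaddress.ip_interface(a["address"]).network
    for section, key in (("/ip neighbor discovery-settings", "discover-interface-list"),
                         ("/tool mac-server mac-winbox", "allowed-interface-list")):
        for s in cfg[section]:
            if s.get(key) not in mgmt_lists:
                findings.append(f"{section}: {key}={s.get(key)} does not include {mgmt_iface}")
    for s in cfg["/ip service"]:
        if s.get("_target") == "winbox" and mgmt_net is not None:
            allowed = [ipaddress.ip_network(n) for n in s.get("address", "").split(",") if n]
            if not any(mgmt_net.subnet_of(n) for n in allowed):
                findings.append(f"/ip service winbox address= does not include {mgmt_net}")
    action, why = first_action(cfg["/ip firewall filter"], winbox_from(mgmt_iface), lists)
    if action != "accept":
        findings.append(f"Winbox from {mgmt_iface} is '{action}' by: {why}")
    for wan in lists["WAN"]:                     # the input chain must not accept Winbox from WAN
        action, why = first_action(cfg["/ip firewall filter"], winbox_from(wan), lists)
        if action == "accept":
            findings.append(f"Winbox is reachable from WAN interface {wan} via: {why}")
    return findings

def fixed_sample():
    """The sample with the thread's corrections applied (/24, MGMT lists, WAN Winbox rule removed)."""
    fixed = SAMPLE_EXPORT.replace("10.0.254.1 interface=P8-MGMT network=255.255.255.0",
                                  "10.0.254.1/24 interface=P8-MGMT network=10.0.254.0")
    fixed = fixed.replace("interface-list=LAN", "interface-list=MGMT")
    return "\n".join(l for l in fixed.splitlines() if "allow Winbox" not in l) + "\n"
```

Running lint(SAMPLE_EXPORT) reports four findings (the /32 address, the two LAN lists, and Winbox accepted from P1-WAN via the "allow Winbox" rule); lint(fixed_sample()) reports none. To use it on a real router, paste the output of /export into a file and call lint() on its contents with the name of your management interface.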

Thanks everyone I am working through these recommendations right now.

Well, thanks everyone. I decided to factory reset and start over - and I am making progress, but have hit a different issue.

Also I am now working with 2 laptops so I can continue to monitor Winbox with one while using the other to test the networking.

I think this might now be the same issue but expressed a bit differently: when I get a DHCP address on the MGMT network I get a 10.0.254.0/24 address just fine, and then I ping the router 10.0.254.1. But I don’t get a response.

When I do this I see the FW rule being hit - the counter going up. I also see RX going up on the P8-MGMT interface, but TX is still at zero. So now I am thinking hmmm, maybe the Mikrotik doesn’t know how to route traffic back to that network.

Is this normal? It doesn’t look like it knows how, but I’m not sure how to read that last /32 entry.

[admin@MikroTik] /ip/route> print
Flags: D - DYNAMIC; A - ACTIVE; c, y - COPY
Columns: DST-ADDRESS, GATEWAY, DISTANCE
    DST-ADDRESS       GATEWAY  DISTANCE
DAc 192.168.88.0/24   br-main         0
DAc 255.255.255.0/32  P8-MGMT         0

[admin@MikroTik] /ip/address> print
Columns: ADDRESS, NETWORK, INTERFACE
  ADDRESS          NETWORK        INTERFACE
;;; defconf
0 192.168.88.1/24  192.168.88.0   br-main
1 10.0.254.1/32    255.255.255.0  P8-MGMT

Wait that is a /32 address! Maybe I just answered my own question … and someone told me this in the previous config too!

OMG that was it! Thanks so much for all your patience everyone I think I am on my way a little bit further here!

Having the 2nd laptop was a HUGE help in debugging!

OK false alarm - partial success.

I can finally get a ping response from 10.0.254.1 but I still cannot connect to Winbox on that address. But when I’m on that interface and have a 10.0.254.0/24 address I can still connect to Winbox on 192.168.88.1. I have an idea where to look to solve this one though so I’ll dig in a bit.

We might need to see more of your firewall export (/ip firewall export) too, to see why it’s currently not possible to use the 10.0.254.1 address while 192.168.88.1 works. Maybe you have some dst-nat rule somewhere.

If, while connected to ether8, your device obtains an IP address within 10.0.254.0/24 and can connect to Winbox using 192.168.88.1, then the following are already correct:

  • /ip address config for ether8
  • DHCP server config for ether8
  • /ip services restrictions for winbox (available from)
  • Firewall input rules

I got it all working now! Everything went well after my factory reset and I started from scratch.

Can you share all the things that you had to do to make it work, and if possible, the config? It could help somebody else.

I will definitely do that tonight - one of them is already listed above and someone recommended it to me in my first config.

I had the 10.0.254.1 network defined but neglected to put /24 at the end of it in the GUI so it made it into a /32.

Then getting the Winbox working that was also something someone else suggested.

I could not figure out where to set these in the GUI, so I did it in the terminal:

/tool mac-server
set allowed-interface-list=MGMT
/tool mac-server mac-winbox
set allowed-interface-list=MGMT

I am rushing to a Dr appointment right now but I’ll post my full config a bit later.