Error in local login

Hello everybody,
I have a problem with my configuration of the wAPGR LTE.
After configuring each of them I start to see a strange error in the log:
“login failure for user (here there is a symbol or a single letter) via local”
I thought it was the LTE, as if I reset the USB from the RouterBOARD menu, I stop seeing this error.
As you can see, this happens quite a lot. Did I forget something?
PS. Apart from this strange behaviour, everything is working fine, including LTE.
[attached screenshot: Immagine 2025-02-14 083308.jpg]

Somebody/something is trying to get into your device.
I hope your firewall is ok …

/export file=anynameyoulike

Remove the serial number and any other private info, and post between code tags using the </> button.

Here is the config.

/interface bridge add name=bridge_Wireless
/interface bridge add name=bridge
:delay 30;
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface lte apn
add apn=ibox.tim.it ip-type=ipv4 name=Tim
/interface lte
set [ find default-name=lte1 ] allow-roaming=no apn-profiles=Tim band="" \
    sms-protocol=auto sms-read=no
/ip pool
add name=default-dhcp ranges=192.168.88.10-192.168.88.254
/ip dhcp-server
add address-pool=default-dhcp interface=bridge_Wireless lease-time=10m name=\
    defconf
/interface bridge port
add bridge=bridge comment=defconf interface=ether1
add bridge=bridge comment=defconf interface=ether2
add bridge=bridge_Wireless interface=wlan1
add bridge=bridge_Wireless interface=wlan2
/ip firewall connection tracking
set udp-timeout=10s
/ip neighbor discovery-settings
set discover-interface-list=LAN
/interface list member
add interface=bridge list=LAN
add interface=lte1 list=WAN
add interface=bridge_Wireless list=LAN
:delay 20;
/ip address
add address=192.168.88.1/24 interface=bridge_Wireless network=192.168.88.0
add address=172.16.10.99/24 interface=bridge network=172.16.10.0
add address=10.10.10.99/24 interface=bridge network=10.10.10.0
add address=192.168.0.99/23 interface=bridge network=192.168.0.0
/ip cloud
set back-to-home-vpn=enabled ddns-enabled=yes ddns-update-interval=1m
/ip dhcp-client
add interface=bridge
/ip dhcp-server network
add address=192.168.88.0/24 comment=defconf dns-server=192.168.88.1 gateway=192.168.88.1
/ip dns
set allow-remote-requests=yes
/ip firewall address-list
add address=x.x.x.x comment=Fibra list=Pubblici
add address=x.x.x.x comment=FWA list=Pubblici
/ip firewall filter
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment=\
    "defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=accept chain=input comment="Access from public " \
    src-address-list=Pubblici
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
    in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
    ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
    ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
    connection-state=established,related hw-offload=yes
add action=accept chain=forward comment=\
    "defconf: accept established,related, untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
add action=drop chain=forward comment=\
    "defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
    connection-state=new in-interface-list=WAN
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" \
    ipsec-policy=out,none out-interface-list=WAN
/ipv6 firewall address-list
add address=::/128 comment="defconf: unspecified address" list=bad_ipv6
add address=::1/128 comment="defconf: lo" list=bad_ipv6
add address=fec0::/10 comment="defconf: site-local" list=bad_ipv6
add address=::ffff:0.0.0.0/96 comment="defconf: ipv4-mapped" list=bad_ipv6
add address=::/96 comment="defconf: ipv4 compat" list=bad_ipv6
add address=100::/64 comment="defconf: discard only " list=bad_ipv6
add address=2001:db8::/32 comment="defconf: documentation" list=bad_ipv6
add address=2001:10::/28 comment="defconf: ORCHID" list=bad_ipv6
add address=3ffe::/16 comment="defconf: 6bone" list=bad_ipv6
/ipv6 firewall filter
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=accept chain=input comment="defconf: accept ICMPv6" protocol=\
    icmpv6
add action=accept chain=input comment="defconf: accept UDP traceroute" port=\
    33434-33534 protocol=udp
add action=accept chain=input comment=\
    "defconf: accept DHCPv6-Client prefix delegation." dst-port=546 protocol=\
    udp src-address=fe80::/10
add action=accept chain=input comment="defconf: accept IKE" dst-port=500,4500 \
    protocol=udp
add action=accept chain=input comment="defconf: accept ipsec AH" protocol=\
    ipsec-ah
add action=accept chain=input comment="defconf: accept ipsec ESP" protocol=\
    ipsec-esp
add action=accept chain=input comment=\
    "defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=input comment=\
    "defconf: drop everything else not coming from LAN" in-interface-list=\
    !LAN
add action=accept chain=forward comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
add action=drop chain=forward comment=\
    "defconf: drop packets with bad src ipv6" src-address-list=bad_ipv6
add action=drop chain=forward comment=\
    "defconf: drop packets with bad dst ipv6" dst-address-list=bad_ipv6
add action=drop chain=forward comment="defconf: rfc4890 drop hop-limit=1" \
    hop-limit=equal:1 protocol=icmpv6
add action=accept chain=forward comment="defconf: accept ICMPv6" protocol=\
    icmpv6
add action=accept chain=forward comment="defconf: accept HIP" protocol=139
add action=accept chain=forward comment="defconf: accept IKE" dst-port=\
    500,4500 protocol=udp
add action=accept chain=forward comment="defconf: accept ipsec AH" protocol=\
    ipsec-ah
add action=accept chain=forward comment="defconf: accept ipsec ESP" protocol=\
    ipsec-esp
add action=accept chain=forward comment=\
    "defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=forward comment=\
    "defconf: drop everything else not coming from LAN" in-interface-list=\
    !LAN
/system clock
set time-zone-name=Europe/Rome
/system note
set show-at-login=no
/system ntp client
set enabled=yes
/system ntp client servers
add address=ntp1.inrim.it
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN

This is not a config export? It looks like a script that sets the config.

What ROS version are you using? (I assume ROS7 since I see BTH.)

add action=accept chain=input comment="Access from public " \
    src-address-list=Pubblici

Do you really need to have ALL ports open for that public access?

If Winbox, only use that port (better: change the port for Winbox access and use that one).
And better still: only use a VPN to get in (you have BTH, it’s meant to be used for this). Don’t forget to add the VPN to the LAN interface list!

Hello, no, I don’t even need this, but I’m closing all ports after I have checked that everything works correctly.
I already have some of them installed, with no more ports open to the public, apart from 8291.
I’m on version 7.17.2, arm.

# 2025-02-14 14:54:33 by RouterOS 7.17.2
# software id = GKR8-QF17
#
# model = wAPGR-5HacD2HnD
# serial number = xxxxxxx
/interface bridge
add name=bridge port-cost-mode=short
/interface wireless
set [ find default-name=wlan1 ] ssid=MikroTik
set [ find default-name=wlan2 ] ssid=MikroTik
/interface wireguard
add comment=back-to-home-vpn listen-port=20167 mtu=1420 name=back-to-home-vpn
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
add name=noDHCP
/interface lte apn
add apn=ibox.tim.it default-route-distance=5 name=TIM
add apn=m2mbis.vodafone.it default-route-distance=5 name=Vodafone_M2M
add apn=web.omnitel.it default-route-distance=5 name=Vodafone
/interface lte
set [ find default-name=lte1 ] allow-roaming=no apn-profiles=TIM band=""
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip pool
add name=default-dhcp ranges=192.168.0.40-192.168.0.50
/ip dhcp-server
add address-pool=default-dhcp interface=bridge lease-time=10m name=defconf
/port
set 0 name=serial0
/queue simple
add burst-limit=10M/10M burst-threshold=300k/300k burst-time=3m/3m max-limit=\
    100k/100k name=Video target=192.168.0.108/32 time=\
    0s-23h59m59s,sun,mon,tue,wed,thu,fri,sat total-queue=default
/interface bridge filter
add action=drop chain=input comment="DISABLE DHCP Local ON ETH" disabled=yes \
    dst-port=67-68 in-bridge=bridge in-interface-list=noDHCP ip-protocol=udp \
    mac-protocol=ip
add action=drop chain=forward comment="DISABLE DHCP Remote ON ETH" disabled=\
    yes dst-port=67-68 in-bridge=bridge in-interface-list=noDHCP ip-protocol=\
    udp mac-protocol=ip
/interface bridge port
add bridge=bridge comment=defconf hw=no interface=ether1 internal-path-cost=\
    10 path-cost=10
add bridge=bridge comment=defconf hw=no interface=ether2 internal-path-cost=\
    10 path-cost=10
add bridge=bridge interface=wlan1
add bridge=bridge interface=wlan2
/interface bridge settings
set use-ip-firewall=yes
/ip firewall connection tracking
set udp-timeout=10s
/ip neighbor discovery-settings
set discover-interface-list=LAN
/interface detect-internet
set detect-interface-list=WAN internet-interface-list=WAN wan-interface-list=\
    WAN
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=lte1 list=WAN
add interface=ether2 list=noDHCP
add interface=ether1 list=noDHCP
/ip address
add address=192.168.0.1/24 comment=defconf interface=bridge network=\
    192.168.0.0
add address=192.168.1.99/24 interface=bridge network=192.168.1.0
add address=172.16.10.88/24 interface=bridge network=172.16.10.0
/ip cloud
set back-to-home-vpn=enabled ddns-enabled=yes ddns-update-interval=30m
/ip dhcp-server network
add address=192.168.0.0/24 dns-server=8.8.8.8 gateway=192.168.0.1 netmask=24
/ip dns
set allow-remote-requests=yes servers=8.8.8.8
/ip firewall address-list
add address=x.x.x.x comment=Fibra list=Pubblici
add address=x.x.x.x comment=Eolo list=Pubblici
/ip firewall filter
add action=accept chain=input comment="accept established,related,untracked" \
    connection-state=established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=accept chain=input comment="accept ICMP" protocol=icmp
add action=accept chain=input comment=\
    "accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=accept chain=input comment="Access from public" \
    dst-port=8291 protocol=tcp src-address-list=Pubblici
add action=drop chain=input comment="drop all not coming from LAN" \
    in-interface-list=!LAN
add action=accept chain=forward comment="accept in ipsec policy" \
    ipsec-policy=in,ipsec
add action=accept chain=forward comment="accept out ipsec policy" \
    ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
    connection-state=established,related disabled=yes hw-offload=yes
add action=accept chain=forward comment=\
    "accept established,related, untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="drop invalid" connection-state=invalid
add action=drop chain=forward comment="drop all from WAN not DSTNATed" \
    connection-nat-state=!dstnat connection-state=new in-interface-list=WAN
add action=drop chain=input comment="Drop SSH attackers" dst-port=22,23 \
    protocol=tcp src-address-list=ssh_blacklist
add action=add-src-to-address-list address-list=ssh_blacklist \
    address-list-timeout=1w3d chain=input connection-state=new dst-port=22,23 \
    protocol=tcp src-address-list=ssh_stage3
add action=add-src-to-address-list address-list=ssh_stage3 \
    address-list-timeout=1m chain=input connection-state=new dst-port=22,23 \
    protocol=tcp src-address-list=ssh_stage2
add action=add-src-to-address-list address-list=ssh_stage2 \
    address-list-timeout=1m chain=input connection-state=new dst-port=22,23 \
    protocol=tcp src-address-list=ssh_stage1
add action=add-src-to-address-list address-list=ssh_stage1 \
    address-list-timeout=1m chain=input connection-state=new dst-port=22,23 \
    protocol=tcp
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" \
    ipsec-policy=out,none out-interface-list=WAN
add action=dst-nat chain=dstnat comment="MANAGEMENT default" disabled=yes \
    dst-port=80 protocol=tcp to-addresses=192.168.0.108 to-ports=80
add action=dst-nat chain=dstnat comment="MANAGEMENT DAHUA SAFIRE HIKVISION" \
    dst-port=85 protocol=tcp to-addresses=192.168.0.108 to-ports=8885
add action=dst-nat chain=dstnat comment="DAHUA default" disabled=yes \
    dst-port=37777 protocol=tcp to-addresses=192.168.0.108 to-ports=37777
add action=dst-nat chain=dstnat comment="DAHUA NVR" dst-port=37800 protocol=\
    tcp to-addresses=192.168.0.108 to-ports=37800
add action=dst-nat chain=dstnat comment="DAHUA SAFIRE HIKVISION default" \
    disabled=yes dst-port=554 protocol=tcp to-addresses=192.168.0.108 \
    to-ports=554
add action=dst-nat chain=dstnat comment="DAHUA SAFIRE HIKVISION" dst-port=\
    5554 protocol=tcp to-addresses=192.168.0.108 to-ports=5554
add action=dst-nat chain=dstnat comment="SAFIRE HIKVISION default" disabled=\
    yes dst-port=8000 protocol=tcp to-addresses=192.168.0.108 to-ports=8000
add action=dst-nat chain=dstnat comment="SAFIRE HIKVISION" dst-port=8800 \
    protocol=tcp to-addresses=192.168.0.108 to-ports=8800
/ipv6 firewall address-list
add address=::/128 comment="defconf: unspecified address" list=bad_ipv6
add address=::1/128 comment="defconf: lo" list=bad_ipv6
add address=fec0::/10 comment="defconf: site-local" list=bad_ipv6
add address=::ffff:0.0.0.0/96 comment="defconf: ipv4-mapped" list=bad_ipv6
add address=::/96 comment="defconf: ipv4 compat" list=bad_ipv6
add address=100::/64 comment="defconf: discard only " list=bad_ipv6
add address=2001:db8::/32 comment="defconf: documentation" list=bad_ipv6
add address=2001:10::/28 comment="defconf: ORCHID" list=bad_ipv6
add address=3ffe::/16 comment="defconf: 6bone" list=bad_ipv6
/ipv6 firewall filter
add action=accept chain=input comment="accept established,related,untracked" \
    connection-state=established,related,untracked
add action=drop chain=input comment="drop invalid" connection-state=invalid
add action=accept chain=input comment="accept ICMPv6" protocol=icmpv6
add action=accept chain=input comment="accept UDP traceroute" port=\
    33434-33534 protocol=udp
add action=accept chain=input comment=\
    "accept DHCPv6-Client prefix delegation." dst-port=546 protocol=udp \
    src-address=fe80::/10
add action=accept chain=input comment="accept IKE" dst-port=500,4500 \
    protocol=udp
add action=accept chain=input comment="accept ipsec AH" protocol=ipsec-ah
add action=accept chain=input comment="accept ipsec ESP" protocol=ipsec-esp
add action=accept chain=input comment="accept all that matches ipsec policy" \
    ipsec-policy=in,ipsec
add action=drop chain=input comment=\
    "drop everything else not coming from LAN" in-interface-list=!LAN
add action=accept chain=forward comment=\
    "accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="drop invalid" connection-state=invalid
add action=drop chain=forward comment="drop packets with bad src ipv6" \
    src-address-list=bad_ipv6
add action=drop chain=forward comment="drop packets with bad dst ipv6" \
    dst-address-list=bad_ipv6
add action=drop chain=forward comment="rfc4890 drop hop-limit=1" hop-limit=\
    equal:1 protocol=icmpv6
add action=accept chain=forward comment="accept ICMPv6" protocol=icmpv6
add action=accept chain=forward comment="accept HIP" protocol=139
add action=accept chain=forward comment="accept IKE" dst-port=500,4500 \
    protocol=udp
add action=accept chain=forward comment="accept ipsec AH" protocol=ipsec-ah
add action=accept chain=forward comment="accept ipsec ESP" protocol=ipsec-esp
add action=accept chain=forward comment=\
    "accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=forward comment=\
    "drop everything else not coming from LAN" in-interface-list=!LAN
add action=accept chain=input comment="accept established,related,untracked" \
    connection-state=established,related,untracked
add action=drop chain=input comment="drop invalid" connection-state=invalid
add action=accept chain=input comment="accept ICMPv6" protocol=icmpv6
add action=accept chain=input comment="accept UDP traceroute" port=\
    33434-33534 protocol=udp
add action=accept chain=input comment=\
    "accept DHCPv6-Client prefix delegation." dst-port=546 protocol=udp \
    src-address=fe80::/10
add action=accept chain=input comment="accept IKE" dst-port=500,4500 \
    protocol=udp
add action=accept chain=input comment="accept ipsec AH" protocol=ipsec-ah
add action=accept chain=input comment="accept ipsec ESP" protocol=ipsec-esp
add action=accept chain=input comment="accept all that matches ipsec policy" \
    ipsec-policy=in,ipsec
add action=drop chain=input comment=\
    "drop everything else not coming from LAN" in-interface-list=!LAN
add action=accept chain=forward comment=\
    "accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="drop invalid" connection-state=invalid
add action=drop chain=forward comment="drop packets with bad src ipv6" \
    src-address-list=bad_ipv6
add action=drop chain=forward comment="drop packets with bad dst ipv6" \
    dst-address-list=bad_ipv6
add action=drop chain=forward comment="rfc4890 drop hop-limit=1" hop-limit=\
    equal:1 protocol=icmpv6
add action=accept chain=forward comment="accept ICMPv6" protocol=icmpv6
add action=accept chain=forward comment="accept HIP" protocol=139
add action=accept chain=forward comment="accept IKE" dst-port=500,4500 \
    protocol=udp
add action=accept chain=forward comment="accept ipsec AH" protocol=ipsec-ah
add action=accept chain=forward comment="accept ipsec ESP" protocol=ipsec-esp
add action=accept chain=forward comment=\
    "accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=forward comment=\
    "drop everything else not coming from LAN" in-interface-list=!LAN
/system clock
set time-zone-name=Europe/Rome
/system logging
add disabled=yes topics=lte
add disabled=yes topics=wireguard
add topics=queue
/system ntp client
set enabled=yes
/system ntp client servers
add address=ntp1.inrim.it
/system scheduler
add interval=1w3d name=schedule1 on-event="/system reboot" policy=\
    ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon \
    start-date=2024-01-02 start-time=10:36:03
/system watchdog
set automatic-supout=no watchdog-timer=no
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN

Also bad practice. The least you should do when you want direct Winbox entry is change the incoming port on the public side! (port mapping)
It makes it a lot harder for attackers to get in. 8291 is a well-known port for MT devices.

Or use a VPN and come in that way. No incoming ports are open then.
You already have WireGuard, I see? Finish the setup and use it. You can even use MikroTik’s Back To Home VPN.

Side note: doesn’t your device use CGNAT on the LTE interface? How do you get in then?
Or does it have a normal dynamic or static IP?
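The hardening steps the reply above lists, written out as an added example (these are not commands any poster ran; the address list Pubblici, the WAN/LAN interface lists and the WireGuard interface named back-to-home-vpn are taken from the export in this thread, while TCP port 58291 and the rule comments are my own choices). The second export already narrows the public rule to TCP 8291 from the trusted list; the port mapping is a dst-nat redirect to the router itself; and the VPN path needs the tunnel interface in the LAN list, because the input chain ends with "drop all not coming from LAN". Rule order matters on that chain: anything added after the final drop never sees WAN traffic, which is exactly what happens to the ssh_stage* rules in the export, since they are added after it.

```routeros
# Added example, not from the thread. Assumes the Pubblici address list, the
# WAN/LAN interface lists and the back-to-home-vpn interface from the export;
# 58291 is an arbitrary non-standard public port.

# 1. Narrow the existing "Access from public" rule to Winbox only (what the
#    second export already does). The regex match also catches the first
#    script's comment, which has a trailing space.
/ip firewall filter
set [ find chain=input comment~"^Access from public" ] protocol=tcp dst-port=8291

# 2. Port mapping: expose Winbox on 58291 only. redirect is dst-nat to the
#    router itself, so the input chain still sees dst-port=8291 and the rule
#    above still matches. Restricting the redirect to the trusted list keeps
#    scanners that find the new port from reaching the service at all.
/ip firewall nat
add chain=dstnat action=redirect to-ports=8291 protocol=tcp dst-port=58291 \
    in-interface-list=WAN src-address-list=Pubblici \
    comment="winbox on non-standard port"

# 3. Preferred: no public port at all; manage over the WireGuard / Back To Home
#    tunnel. The tunnel interface must be in LAN or the final input drop
#    rejects management traffic arriving through it.
/interface list member
add interface=back-to-home-vpn list=LAN

# 4. Once the VPN is verified, switch the public entry points off.
/ip firewall filter disable [ find chain=input comment~"^Access from public" ]
/ip firewall nat disable [ find comment="winbox on non-standard port" ]
```

Test the tunnel from outside before step 4, and keep a Winbox session open while you change the filter rules so a mistake does not lock you out of an LTE-only site.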

What kind of a clown takes the default safe firewall rules and then opens the router to the WWW???
The only thing to do at this point is unplug the router, netinstall the latest firmware and start fresh!
Do not connect to the internet until the firewall rules are set!
I also recommend changing the defaults for the username, and even the Winbox port.

Maybe I was misunderstood. The router is open only from my public IP.
There’s the rule that allows only the IPs in the public address list.
My question was also completely different. Even if I’m not connected to the internet (SIM not inserted) I still receive login errors from local.

What else is on the LAN side of that device?

Me with my PC.

Check your virus scanner.
Check your PC.

It’s not the first time I’ve seen reports about a virus scanner doing such things.
Or you have an unwanted visitor on your PC, in which case you also need to check that virus scanner.

Hello, I’m sure I forgot to give you some details.
I have many of these routers with different passwords and different SIM cards, some of them with a dynamic public IP and others NATted. Even if I connect to them with another device, like my phone or my other computer, locally from the customer site, I can see that there are a lot of system critical log entries about login failures. Since those logs do not tell me that the login comes from a public IP or interface, I have been able to work out that there is a problem with the LTE connection. If I disable the LTE, through a USB power reset, I don’t receive any error or login failure. I don’t know how serial communication between the LTE and the device can turn into a login error.
Thanks for your effort.
[attached screenshot: Immagine 2025-02-17 114818.jpg]

It is “user via local”, not “user via winbox”…
Nothing to do with the firewall, the Winbox port, the internet, etc.

One hint (apart from “local”)…

# model = wAPGR-5HacD2HnD
/port
set 0 name=serial0

Paste this into the terminal and post the results on the forum, except the serial number:

/port export verbose
/system console export verbose

I suspect that, since the RouterBOARD wAPGR-5HacD2HnD has no serial ports,
it sees the serial port for the AT commands of the EC200A-EU modem as a serial port for the terminal,
and when the parameters arrive from the modem’s port, it interprets them as a username and password for login.
Disabling the console on that port should make it stop.

Thanks rextended.
In the default configuration, the only port the device sees is usb1; after removing the configuration, it creates the serial. How can I go back to usb1? Thanks.
PS.
I removed the port from system console and everything is OK now.
Thanks a lot.
I still have some doubts about the names of the ports and why the RouterBOARD creates a console from that port.

@rextended I fixed it on one device by doing the verbose export as you suggested; is there any interest in my doing it on the ones that still have the error?
Is the port name just a text value or does it have a meaning? Because by default it is called usb1, whereas after the remove configuration it is called serial0.
Thank you very much


system/console/export verbose
# 2025-02-17 15:43:34 by RouterOS 7.16.1
# software id = J575-3DYV
#
# model = wAPGR-5HacD2HnD
/system console
set [ find port=serial0 ] channel=0 disabled=no port=serial0 term=vt102
15:43:38 echo: system,error,critical login failure for user \1C via local

Once it was removed from system console everything was fine

If you don’t know what it’s for, don’t delete it…
If RouterOS senses a new serial port it connects it to the CPU because it thinks you want to use it as a terminal.
If you leave “usb1” in place it means you can use it as a serial port to send AT commands to the modem.
I don’t have that device, so I wouldn’t know how to run tests to put it back.