Faces proublem to access mikrotik from my public ip address

ankur · July 8, 2018, 6:03am

Hello Mikrotik,
i have a mikrotik rb333.I am faceing proublem to access mikrotik from using public ip address in google chrome,firefox,ucbrowser etc.I am able to access this from any where by using the mikrotik app and winbox but unable to access from browsers and when i fill up my ip in browser and tap enter this show some firepro router please help me friends.i attach a screenshot of the proublem i face.
FirePro RouterOS Managing Webpage.pdf (72 KB)

sindy · July 8, 2018, 12:52pm

Congratulations, you have revealed the public address of the machine as the links in the pdf contain it

Other than that, use Winbox to check the /ip firewall settings and the /ip service settings. It seems that the firepro customization redirects the web access to the machine to a hotspot welcome page showing you what you’ve posted. Leaving http access to management interfaces open to the internet is definitely a bad idea, you should configure https and disable http as a minimum.

ankur · July 8, 2018, 6:41pm

sir,
i give access of teamviewer,anydesk and mikrotik to you.Can you help me please?

sindy · July 8, 2018, 6:55pm

I’m not sure it is the best way to go. First, what is the desired resulting configuration? Why is connection from internet using Winbox not sufficient for your needs?

ankur · July 9, 2018, 1:50am

Dear Sir,
when i am outoff station without laptop than i am unable to access router from my phone this is the proublem.8607242412 is my contact or whatsapp number if you know any solution then please help me sir.
thank you for giving your valuable time.

sindy · July 9, 2018, 10:08am

When you are connected to the LAN side of the router, can you connect using Webfig on http (port 80) or not? If yes, would a solution with http access via a L2TP/IPsec VPN (which both Android and iOS phones support natively) be OK for you?

While logged in using Winbox, can you press the Terminal button and then follow the instructions in my automated signature?

ankur · July 9, 2018, 11:48am

Dear Sir,
please give me instructions.

ankur · July 9, 2018, 11:56am

i press the terminal option,now?

sindy · July 9, 2018, 12:02pm

Yes. You press the “Terminal” button, write /export hide-sensitive in the window which opens, copy the output to a text editor and do what is written in my signature here. Then, you paste the result here.

ankur · July 9, 2018, 3:21pm

[admin@Kaluwas Office] > /export hide-sensitive

jul/09/2018 20:48:50 by RouterOS 6.42.5

software id = MBJC-DWSD

model = 333

serial number = 179801C21Q9A

/interface ethernet
set [ find default-name=ether2 ] name=Lan2
set [ find default-name=ether1 ] name=WAN
set [ find default-name=ether3 ] disabled=yes
/interface wireless security-profiles
set [ find default=yes ] group-ciphers="" supplicant-identity=Firepro
unicast-ciphers=""
/ip ipsec proposal
set [ find default=yes ] enc-algorithms=3des
/port
set 0 flow-control=hardware
/queue simple
add max-limit=60M/60M name=home target=172.10.10.2/32
add max-limit=3M/5M name=mukesh target=172.10.10.3/32
add max-limit=5M/5M name=ashish target=172.10.10.4/32
add max-limit=2M/2M name=kuldeep target=172.10.10.6/32
add max-limit=1M/1M name=vikas target=172.10.10.7/32
add disabled=yes max-limit=1M/1M name=ombir target=172.10.10.8/32
add disabled=yes max-limit=2M/15M name=sunil target=172.10.10.9/32
add max-limit=5M/5M name=bintu target=172.10.10.10/32
/queue interface
set Lan2 queue=ethernet-default
set WAN queue=ethernet-default
set ether3 queue=ethernet-default
/system logging action
set 0 memory-lines=100
set 1 disk-lines-per-file=100
/ip address
add address=111.223.3.61/26 interface=WAN network=111.223.3.0
add address=172.10.10.1/24 interface=Lan2 network=172.10.10.0
/ip dns
set allow-remote-requests=yes max-udp-packet-size=512 servers=1.1.1.1,8.8.8.8
/ip firewall nat
add action=masquerade chain=srcnat
/ip route
add distance=1 gateway=111.223.3.1
/ip service
set telnet disabled=yes
set ftp disabled=yes
set ssh disabled=yes
set api-ssl disabled=yes
/system clock
set time-zone-name=Asia/Kolkata
/system identity
set name="Kaluwas Office"
/system routerboard settings
set cpu-frequency=266MHz silent-boot=no
/tool graphing interface
add
/tool graphing queue
add allow-address=172.10.10.2/32 simple-queue=mukesh
add allow-address=172.10.10.3/32 simple-queue=ashish

sindy · July 9, 2018, 4:41pm

Assuming that you have posted the complete configuration, it seems that Firepro’s customization of RouterOS went further than I’ve expected (remember that I’m not associated to Mikrotikls SA in any way, I’m just a user like you). The http service is not disabled in /ip service, nor there is any redirection in the /ip firewall nat which would explain why access from public IP addresses is opening that informative page rather than the normal Webfig one, nor there is any /ip hotspot configuration which would explain that redirection. So I repeat my question - if you connect, using your browser, from the private network (via ether2), do you get the same page like the one you get via ether1 or you get a normal WebFig?

Another possibility could be that RB333 is so old that it doesn’t support WebFig at all, so it’s not a matter of Firepro’s customization but Mikrotik’s standard solution for PPC devices. No idea, honestly.

What bothers me most of all is that your firewall is nonexistent so you solely rely on impenetrability of the http server which is a really bad idea.

But there is a strange thing:

/tool graphing interface
add
/tool graphing queue

The empty add line suggests some copy-paste issues. Can you do /export hide-sensitive file=cfg-export, then download the file cfg-export.rsc and post it?

ankur · July 9, 2018, 5:04pm

how i remove customization?

sindy · July 9, 2018, 5:13pm

From where have you downloaded the 6.42.5, from Firepro’s pages or from Mikrotik’s? Or you’ve just used the auto-upgrade?

Sob · July 9, 2018, 5:36pm

Nope. RB333 is old, but still usable and has all standard RouterOS features, WebFig included.

I don’t know if it’s this, but some semi-secret “branding maker” (or similar name) exists, which allows to create customization package. I don’t know what all features it has, I’ve never seen it, because it’s not publicly available. But I’ve seen few routers with changed logos and such, so I guess it might be it. It’s relatively persistent, it survives config reset. But netinstall was able to deal with it.

raymondr15 · July 9, 2018, 7:05pm

Just add “/webfig” to the url and you’ll get the WebFig login.

Like: http://111.223.3.61/webfig

Sob · July 9, 2018, 8:04pm

In retrospect, it’s pretty obvious thing to try, isn’t it?

sindy · July 9, 2018, 9:21pm

Sure… I’m however seriously afraid we have another easy target here, as the OP seems to be concentrated on ability to access the device remotely and ignores the risks