I'd like to place my new RB750GL in a ceiling about 30 meters away from my 4-port ADSL modem, where 4 PCs (not belonging to me) will connect to its remaining 4 LAN ports (the first being used to power it by PoE and feed it and the 4 PCs internet).
In this scenario how do I access my RB750GL, as from what I've read port1 can only be used to power the device and not to gain access to it?
Hi,
Would you introduce your reference about the 1st port of the RB750GL?
I read the quick guide and it says the first port accepts passive PoE. Does that mean it can't access the LAN?
Did you try it?
I'll search about passive PoE and hope to find a good result!
After you have installed the RouterOS software, or turned on the Router for the first time, there are various ways how to connect to it:
Accessing Command Line Interface (CLI) via Telnet, ssh, serial cable or even keyboard and monitor if router has VGA card.
Accessing Web based GUI (WebFig)
Using WinBox configuration utility
Every router is factory pre-configured with IP address 192.168.88.1/24 on ether1 port. Default username is admin with empty password.
Additional configuration may be set depending on RouterBoard model. For example, RB750 ether1 is configured as WAN port and any communication with the router through that port is not possible. List of RouterBOARD models and their default configurations can be found in this article.
The following default configuration has been installed on your router:
ether1 is renamed ether1-gateway, rest of interfaces are switched
IP address 192.168.88.1/24 is on switch
DHCP client is on ether1-gateway
DHCP server is on switch, with address pool 192.168.88.10-192.168.88.254
masquerade on ether1-gateway
You can click on “Show Script” to see the exact commands that are used to add and remove this default configuration. To remove this default configuration click on “Remove Configuration” or click on “OK” to continue.
NOTE: If you are connected using the above IP and you remove it, you will be disconnected.
What must I change to be able to access my RB750GL on port1 while powering it over Ethernet / using port1 as WAN port?
Can I simply change port one to master port (but still use as PoE) and the remaining 4 to slaves, thus doing away altogether with using port1 as WAN port without compromising anything?
I don’t need DHCP or any firewall rules anywhere on this switch as I use static IPs and so will assign port1 a static IP.
The RB750GL will then (on my side) connect to a desktop switch which has an internet feed connected to it. (from an ipcop box)
Of course you can use it as a dumb switch. All the 5 ports are linked to the same chip inside.
I don’t understand what is the point in buying a router when you need a switch.
First let's clear up some misconceptions. The fact that the PoE port and the WAN port are the same is coincidental. The PoE is a physical “that’s where the extra wiring is”, but the fact that it’s also the WAN port is just a role assignment. If the configuration assigned port 5 as the WAN port you’d see the same verbiage about limited access.
The access limitation is part of what makes a firewall router what it is. You really do not want to defeat that. You want to do something more subtle which is to allow limited administrative access to the router. The wiki page I pointed you to implements a “safe” address list for remote admin machines and a port knocking scheme for adding arbitrary remote hosts to that list. I’d recommend starting with a simplified version of that with just the address list. Something like this:
# These addresses are bogus. Replace them with the ones you need
/ip firewall address-list
add address=10.0.0.1 list=AdminHosts comment="Trusted remote machines which are allowed admin access"
add address=10.0.0.2 list=AdminHosts comment="Trusted remote machines which are allowed admin access"
add address=10.0.0.3 list=AdminHosts comment="Trusted remote machines which are allowed admin access"
# You'll need to move this up in the chain to before the rule that says action=drop in-interface=ether1-gateway
/ip firewall filter
add action=accept chain=input src-address-list=AdminHosts comment="Allow trusted machines remote access"
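The rule-ordering point in the post above, as an added example that is not part of the original thread: a small Python check that replays first-match evaluation of the input chain over a filter export, showing why the AdminHosts accept rule must sit before the drop on ether1-gateway. The two exports are constructed samples, the function names are hypothetical, and only the matchers used in the samples are modelled.

```python
import ipaddress
import shlex

# Constructed samples of "/ip firewall filter" export lines (not from the thread).
EXPORT_BAD = """\
add action=accept chain=input connection-state=established
add action=drop chain=input in-interface=ether1-gateway
add action=accept chain=input src-address-list=AdminHosts comment="Allow trusted machines remote access"
"""
EXPORT_GOOD = """\
add action=accept chain=input connection-state=established
add action=accept chain=input src-address-list=AdminHosts comment="Allow trusted machines remote access"
add action=drop chain=input in-interface=ether1-gateway
"""
# Placeholder addresses from the post; replace with the real admin hosts.
ADDRESS_LISTS = {"AdminHosts": ["10.0.0.1", "10.0.0.2", "10.0.0.3"]}


def parse_rules(export):
    """Turn each 'add key=value ...' line into a dict of its parameters."""
    rules = []
    for line in export.splitlines():
        tokens = shlex.split(line)  # keeps the quoted comment as one token
        if tokens and tokens[0] == "add":
            rules.append(dict(t.split("=", 1) for t in tokens[1:]))
    return rules


def matches(rule, src, in_interface):
    """Evaluate a rule against a NEW inbound connection (simplified model)."""
    if "in-interface" in rule and rule["in-interface"] != in_interface:
        return False
    if "connection-state" in rule:
        return False  # the established-only rule never matches a new connection
    if "src-address-list" in rule:
        members = ADDRESS_LISTS.get(rule["src-address-list"], [])
        addr = ipaddress.ip_address(src)
        if not any(addr in ipaddress.ip_network(m) for m in members):
            return False
    return True


def input_verdict(export, src, in_interface):
    """First matching input-chain rule wins; with no match the packet is accepted."""
    for rule in parse_rules(export):
        if rule.get("chain") == "input" and matches(rule, src, in_interface):
            return rule["action"]
    return "accept"
```

With the accept rule appended after the drop, a listed admin host arriving on ether1-gateway is still dropped; moved above it, only listed hosts get through on that interface.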
How does having ports 2-5 open and port 1 closed make it more secure when 2-5 are going to be used by “clients” where as port 1 is going to be linked directly to me?
Out of the box (or after a hard reset) a RB750GL is configured as a firewall router with a public WAN side on port 1 and private LAN side on ports 2-5.
This is obviously only a partial match for your situation. On the other hand you still have a WAN input coming from the ADSL modem and you should firewall and treat that as such. In part that means that you should have a firewall between the ADSL modem and your PC and you should have the untrusted clients on one or more other ports. Something like this:
modem -----+ firewall +----- your "management" pc
                      +----- untrusted client 1
                      +----- untrusted client 2
                      +----- untrusted client 3
Here the modem would be connected to port 1, management to port 2 and so on. You might want to remove all the ports from the switch group to isolate clients from each other, and definitely would want to remove your PC from it.
Another option would be to use port 1 WAN, port 2 your personal LAN, and hang a managed switch like a RB250GS off port 3 to handle client traffic. (Using that you can again isolate the clients from each other).
You can power and use Port1 of RB750GL with POE-injector. Port1 will be accessible through the poe-injector, but only in 100MBit-Mode because passive poe uses the 4 unused wires of 100MBit-Mode. This is not possible in 1GBit-Mode because all 8 wires are used for data-transmission. So everything works fine, you don’t have to reconfigure your routerbox.