Hi,
this is my first post here; anyway, I have a MikroTik network that consists of one RB1200 (IP=1.1.1.1) as the core of the network, and this RB1200 is connected to two RB912s (10.10.10.1, 10.10.10.2) and two SXTs (10.10.10.3, 10.10.10.4).
OK, here is the problem:
I can access the RB1200 remotely through the public IP, e.g. 1.1.1.1, and from the terminal I can ping the connected devices, but HOW do I access these devices remotely through the public IP?
I tried the following but didn't reach the expected result.
I always like to use the inbound interface rather than the external IP address. If you have a static public IP, you should be able to use dst-address, but I don’t have that option since I personally don’t have a static IP for my environment.
I could be wrong, but I also think that if a packet matches a NAT rule, the packet is then passed onto the FORWARD chain in the firewall. Make sure you don’t have any rules that would then interfere with the packets reaching their destination.
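As an added illustration of the two points above (match on the inbound interface instead of the public address, and remember that dst-natted packets still pass through the forward chain), here is a RouterOS configuration fragment. It is not from any poster in this thread; it assumes ether1 is the RB1200's WAN interface, that 10.10.10.1 is one of the RB912s, and it uses a constructed 203.0.113.0/24 range as the only addresses allowed to manage the devices. Winbox listens on TCP 8291; the external port 18291 is an arbitrary choice.

```routeros
# Added example, not from the thread. Assumed names: ether1 = WAN interface,
# 10.10.10.1 = one internal RB912, 203.0.113.0/24 = constructed admin range.

# Trusted management sources: only these may reach the forwarded ports.
/ip firewall address-list
add list=admin-sources address=203.0.113.0/24 comment="constructed example range"

# Match on the inbound interface rather than a possibly dynamic public IP.
# One distinct external port per internal device; 8291 is the Winbox port.
/ip firewall nat
add chain=dstnat in-interface=ether1 protocol=tcp dst-port=18291 \
    src-address-list=admin-sources action=dst-nat \
    to-addresses=10.10.10.1 to-ports=8291 comment="winbox -> RB912 #1"

# After dst-nat the packet is evaluated in the forward chain, so the filter
# must accept the translated flow and drop any other new connection from WAN.
/ip firewall filter
add chain=forward in-interface=ether1 connection-nat-state=dstnat \
    src-address-list=admin-sources action=accept comment="translated admin flows"
add chain=forward in-interface=ether1 connection-state=new action=drop \
    comment="everything else arriving from WAN"
```

The usual `connection-state=established,related` accept rule is expected to sit above these in the forward chain, as it does in the default RouterOS firewall. Without the address-list restriction the dst-nat rule exposes the internal device's Winbox port to the whole Internet, which is exactly the concern raised later in this thread.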
No need to render your firewall into a sieve, support for both L2 and L3 communication, etc.
You’ll need to enable RoMON on all devices on your network (ROS >= 6.29).
To enable this, do it either from Winbox Tools > RoMON, or access the rest of the devices from the CLI, then issue
/tool romon set enabled=yes
From outside, connect to your PE router using the “Connect to RoMON” button, Winbox will switch to a “Romon Neighbors” tab, where all Romon enabled neighbors the PE router can “see” will be displayed.
You can select these entries, fill in appropriate credentials and a note, then add them to your managed addresses.
Next time you can directly click on these entries; you will be transparently and “directly” connected to devices inside your network, even if they’re unreachable by L3, as long as they have RoMON enabled.
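An added companion to the procedure above (not pukkita's own commands): the single line enables RoMON, but it is worth setting the shared RoMON secret at the same time on every device, since that secret is what RoMON uses to authenticate its frames. The secret value below is a placeholder; the per-port `forbid` setting that keeps RoMON off the WAN-facing interface is given as an assumption about the `/tool romon port` menu, with ether1 assumed to be the WAN port.

```routeros
# Added example, not from the thread. Run on the RB1200 and on each RB912/SXT.
# REPLACE-WITH-SHARED-SECRET is a placeholder; use the same value everywhere.
/tool romon set enabled=yes secrets=REPLACE-WITH-SHARED-SECRET

# Assumed per-port setting: do not let RoMON discovery/transport run on the
# Internet-facing interface (ether1 assumed to be WAN on the core router).
/tool romon port add interface=ether1 forbid=yes

# Verify the setting took effect on this device.
/tool romon print
```

Once every device carries the same secret, a neighbour that does not know it will not be accepted as a RoMON peer, so the "Romon Neighbors" list in Winbox only shows routers you configured yourself.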
Thanks guys especially “pukkita” , RoMON works like a charm
I thought that RoMON only works within the local network and only on L2.
Thanks for your advice.
I also managed to get around this by using VPN and setting my core router as PPTP server .
I’m not a paranoid security freak, but I have felt the same way about RoMON. It just seems… 'sploitable.
Heck - a friend of mine wrote an exploit for Winbox (he hasn't tried Winbox3) where he puts up a fake Winbox service that sends the "mikrotik" dll to the Winbox client, but the dll executes arbitrary code (he's a white-hat, so his demonstration just made the user's screen turn upside-down, but it is pretty serious that such a vulnerability exists…)
Obviously I cannot guarantee anything as I am not a Mikrotik engineer, all I know is:
RoMON is just the transport/discovery protocol
Encryption is provided at the application level (Winbox or ssh)
RoMON secrets are used for message authentication, integrity check and replay prevention.
Best practice is of course to setup a good, secure, VPN tunnel to PE router, and access it (and then its romon neighbors) through it.
From an Internet-external security point of view, I cannot see making direct holes to each device's winbox/ssh ports as being more secure, but exactly the opposite: it is easier to concentrate on maintaining high levels of security on a single border router (banning scanners) than on all devices inside, and dst-natting them will in fact expose them directly to the Internet; imagine an unwanted reset leaves a system w/o admin password…
I don't mean anything special. I am just a bit suspicious. The fact that somewhere some password is used doesn't assure me that RoMON is secure. I asked MikroTik many years ago to publish the security principles of the secured Winbox protocol, but they didn't, for example. I am not an expert in this, but keeping those things closed is not a good sign for me.
How is the "problem with dst-nat" topic related to how secure the Winbox connection is? Because the Winbox secure connection is running over RoMON, so RoMON or not, you need to handle that connection. I suggest creating a separate discussion with a proper topic name.
So I believe using RoMON is on-topic… I understand your reasoning however as the thread drifted into security aspects of RoMON, but still, maybe of interest for others visiting the thread.
IMHO the best thing would be changing the thread title to just that, "HOW to access internal devices remotely through the public IP?", as posts related to this topic and RoMON are noticeably fewer than generic dst-nat posts, thinking of usefulness for forum visitors here…