Hi!
Can anyone tell me how i need to configure mikrotik firewall so that i can use winbox to access it over internet ???
i use 2.8.17 mikortik !
i opened ports 8081 and 3986 but when i try to connect to router
xxx.xxx.xxx.xxx:8081 , the winbox displays message
‘‘downloading plugins from xxx.xxx.xxx.xxx…’’’
and just waits for eternity 
it looks that i need to open one more port so winbox can download plugins from router but i cannot figure out wich one…
any ideas???
make sure that www has 8081 port under ‘/ip service’ and you can ping that router from the PC.
Edgars
its all like you said but it still does not work…
i must tell you that im running wireless hotspot on this router…
and my firewall input rules are just like mikrotik-howto’s manual says:
/ip firewall rule input add protocol=tcp connection-state=established
comment=“Allow established TCP connections”
/ip firewall rule input add protocol=tcp connection-state=related
comment=“Allow related TCP connections”
/ip firewall rule input add protocol=udp comment=“Allow UDP”
/ip firewall rule input add protocol=icmp comment=“Allow ICMP Ping”
/ip firewall rule input add protocol=89 comment=“Allow OSPF”
/ip firewall rule input add src-address=10.5.50.0/24
comment=“Allow access from our local network. Edit this!”
/ip firewall rule input add src-address=10.5.50.0/24 protocol=tcp dst-port=8080
comment=“This is web proxy service for our customers. Edit this!”
/ip firewall rule input add action=drop log=yes
comment=“Log and drop everything else”
but before this rules i added rules to open ports 8081 and 3986 …
and it still does not work…
im 99% sure that its problem in firewall settings…
please help…
what did logs say about this?
can you put here a printout of firewall input chain?
Edgars
here are my input chain firewall rules:
x.x.x.x is my public adress of ruter
192.168.1.2 is my local web server
10.5.50.1 is my hotspot gateway
[slobo@Kula1] ip firewall rule input> print
Flags: X - disabled, I - invalid, D - dynamic
0 ;;; winbox from web #1
dst-address=x.x.x.x/32:8081 protocol=tcp action=accept log=yes1 ;;; winbox from web #2
dst-address=x.x.x.x/32:3986 protocol=tcp action=accept log=yes2 ;;; emule #1
in-interface=web dst-address=x.x.x.x/32:4662 protocol=tcp
action=accept3 ;;; emule #2
src-address=10.5.50.0/24 dst-address=:4662 protocol=tcp action=accept4 ;;; emule #3a
dst-address=x.x.x.x/32:4672 protocol=udp action=accept5 ;;; emule #3b
src-address=10.5.50.0/24 dst-address=:4672 protocol=udp action=accept6 ;;; emule #4
src-address=10.5.50.0/24 dst-address=:4661 protocol=tcp action=accept7 ;;; emule #5
src-address=10.5.50.0/24 dst-address=:4665 protocol=tcp action=accept8 src-address=192.168.1.0/24 dst-address=10.5.50.0/24 action=accept
9 src-address=10.5.50.0/24 dst-address=192.168.1.0/24 action=accept
10 in-interface=web dst-address=x.x.x.x/32:22 protocol=tcp
action=accept11 ;;; account traffic from hotspot clients to hotspot servlet
in-interface=wlan1 dst-address=:80 protocol=tcp action=jump
jump-target=hotspot12 ;;; accept requests for hotspot servlet
in-interface=wlan1 dst-address=:80 protocol=tcp action=accept13 ;;; accept requests for local DHCP server
in-interface=wlan1 dst-address=:67 protocol=udp action=accept14 ;;; limit access for unauthorized hotspot clients
in-interface=wlan1 action=jump jump-target=hotspot-temp15 ;;; Allow established TCP connections
protocol=tcp connection-state=established action=accept16 ;;; Allow related TCP connections
protocol=tcp connection-state=related action=accept17 ;;; Allow UDP
protocol=udp action=accept18 ;;; Allow ICMP Ping
protocol=icmp action=accept
19 ;;; Allow OSPF
protocol=ospf action=accept20 ;;; Allow access from our local network. Edit this!
src-address=10.5.50.0/24 action=accept21 ;;; This is web proxy service for our customers. Edit this!
src-address=10.5.50.0/24 dst-address=:8080 protocol=tcp action=accept22 ;;; Log and drop everything else
action=drop log=yes
any ideas?
seems ok. What do you see under '/log pr ’ when trying access the router?
Edgars
in log it looks like this…
nov/12/2004 15:27:01 input->ACCEPT, in:web, out:(local), src-mac
00:e0:5c:46:08:15, prot TCP (ACK,PSH),
80.74.168.131:49525->x.x.x.x:8081, len 80
nov/12/2004 15:27:02 input->ACCEPT, in:web, out:(local), src-mac
00:e0:5c:46:08:15, prot TCP (ACK),
80.74.168.131:49525->x.x.x.x:8081, len 40
it seems that my packets from winbox pass the input chain but gets lost somewhere else, or maybe router cannot reply to winbox because of some forward rule or something???
anyway, tnx for the effort i appreciate it man…
Greets
Slobo
What does your output chain look like? Isn’t that secure port 3987, not 3986?
[slobo@Kula1] ip firewall rule output> print
Flags: X - disabled, I - invalid, D - dynamic
0 ;;; account traffic from hotspot servlet to hotspot clients
src-address=:80 out-interface=wlan1 protocol=tcp action=jump jump-target=hotspot
??? any ideas… im clueless…
1 ;;; winbox from web #2
dst-address=x.x.x.x/32:3986 protocol=tcp action=accept log=yes
Try port 3987 instead of 3986.
GREAT !!!
now its working… i only needed to open port 3987 !!!
Tnx alot to everybody that posted replyes and specially to user JAROSOUP !!!
Thumbs up man!!!