/ip services settings not working

I have recently expanded my local home network from 192.168.21/24 to 192.168/16.
I initially set my /ip services settings to include the new expanded range, so it says this:

[admin@MikroTik] > /ip service print
Flags: X - disabled, I - invalid
 #   NAME    PORT ADDRESS                                          CERTIF...
 0 XI telnet    23 xx.xx.xx.xx/xx
                  192.168.0.0/16
                  xx.xx.xx.xx/xx
 1   ftp       21 xx.xx.xx.xx/xx
                  192.168.0.0/16
                  xx.xx.xx.xx/xx
 2   www       xx.xx.xx.xx/xx
                  xx.xx.xx.xx/xx
                  192.168.0.0/16
 3   ssh       22 xx.xx.xx.xx/xx
                  192.168.0.0/16
                  xx.xx.xx.xx/xx
                  192.168.0.0/16
 4 XI www...   443                                                  none
 5 XI api     8728
 6 XI winbox  8291
 7 XI api...  8729                                                  none

However, if I try to log in to the www or ssh interface from outside 192.168.21.xxx, I can still access the page (so there aren’t any firewall filter rules getting in the way) but I always get the error
“Authentication failed: invalid username or password.”
even though I know the password is correct.
If I log in with the exact same password from 192.168.21.xxx it lets me in fine.

Any ideas how I fix this?

I now have, running the latest “bugfix” release (v6.38.7):

  1. I can’t edit any /ip firewall filter rules in the web interface,
  2. I can’t edit any /ip dns static entries in the web interface,
  3. I can’t even log in via www or ssh from any machine that isn’t in what used to be my home network subnet.

This is all getting to be a real pain. How can I solve any of this lot? Please?
This used to be a wonderful router, but I’m starting to run out of patience as features keep gradually breaking.

Many thanks for any ideas at all that might possibly help.
Jules.

Hello Jules,

Stupid question here. When coming in from another subnet where it doesn’t work, are you hitting another router? I’ve seen this with people playing with NAT rules. I can see no reason why you’d get an invalid UID/PWD combination from one door and not the other. Either it works or not. Period! Even if you had firewall filters, it would not give you a PWD error. Trick: when inside, open the log window and see if you have errors indicating a bad pwd combination or other access-related error. If not, it gives credibility to my “other router” theory.

As you know, in IP/Services, the available-from field only indicates the allowed IPs and subnets.

BTW, I’m seeing public addresses “Me cringing” yuck! I hope you know what you’re doing :wink:

Ciao,

AC

I finally found the settings in /users. I had put a very tight set of subnets on the open services. If you fail that particular test, you apparently just get a login error.

Yes, I just noticed that one too. I carefully removed them from the other entries, and missed the last one. Ho hum… :slight_smile:

So I can now log in to the router remotely. Next problem is my L2TP/IPSec VPN server will only tell connecting clients that it has a /24 behind it (which is what all the examples show), and not the /16 that it really has.

Thanks! Jules.
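An added example, not part of the thread: a small Python audit that models the two checks the thread ends up identifying (the service's available-from list, then the per-user allowed-address list) and reports the source ranges that reach the service but are rejected at login. The function names and the sample CIDR values are constructed for illustration, and the check order is an assumption taken from the behaviour described above; IPv4 only.

```python
import ipaddress

def _nets(cidrs):
    return [ipaddress.ip_network(c) for c in cidrs]

def classify(src, service_allow, user_allow):
    """Outcome for one source address. An empty list means 'no restriction'
    (assumption: mirrors an unset address field)."""
    ip = ipaddress.ip_address(src)
    if service_allow and not any(ip in n for n in _nets(service_allow)):
        return "service-refused"   # the service itself does not accept this source
    if user_allow and not any(ip in n for n in _nets(user_allow)):
        return "login-fails"       # page loads, but authentication is rejected
    return "ok"

def login_fail_ranges(service_allow, user_allow):
    """CIDR blocks the service accepts but the user entry rejects,
    i.e. where a correct password still yields a login error."""
    if not user_allow:
        return []                  # user unrestricted: no mismatch possible
    remaining = list(ipaddress.collapse_addresses(_nets(service_allow or ["0.0.0.0/0"])))
    for u in ipaddress.collapse_addresses(_nets(user_allow)):
        nxt = []
        for r in remaining:
            if r.subnet_of(u):
                continue                            # fully covered by the user entry
            if u.subnet_of(r):
                nxt.extend(r.address_exclude(u))    # carve the user range out
            else:
                nxt.append(r)                       # disjoint: unchanged
        remaining = nxt
    return [str(n) for n in ipaddress.collapse_addresses(remaining)]

if __name__ == "__main__":
    # Constructed values: service widened to the /16, user entry left at the old /24.
    service = ["192.168.0.0/16"]
    user = ["192.168.21.0/24"]
    for src in ("192.168.21.5", "192.168.30.5", "10.0.0.1"):
        print(src, classify(src, service, user))
    print(login_fail_ranges(service, user))
```

An empty result from `login_fail_ranges` means every source the service accepts can also authenticate as that user.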