Hello! I’m using hapLite with RouterOS 6.46.8 (long term).
I’ve accidentally turned off service with port 80 when I was turning off others. Internet connection is still working, but now I’m not having access to MikroTik from LAN.
However, api and api-ssl were left turned on.
How can I access admin panel to turn on service again without factory reset?
Telnet, SSH, Winbox are 3 other ways to connect.
Telnet and SSH from any standalone program like Putty,
Winbox as Windows program or Mikrotik APP on tablet or Smartphone.
I guess the easiest way if you disabled winbox and ssh as well is to try mac-winbox.
It is controlled by different menu, so if you didn’t have a chance to mess with it before proceeding to IP → Services it should still be open from the LAN by default.
Open winbox, go to the neighbours tab and wait for your device to appear, then click on its mac address and then the “connect” button.
All services are disabled except api and api-ssl. I’ve been trying to login from winbox for Win, but no luck. Then I’ve downloaded Python and was trying to execute something like
/ip service www enabled=yes
but login system from 6.45 seems to have changed so old code in tutorial didn’t work (invalid username/password). Besides, I don’t even know where to put this single command to execute it like in terminal.
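Added example, not part of the original posts: a minimal Python client for the RouterOS API wire format that logs in with the plain `/login` used since RouterOS 6.43 and re-enables the `www` service, which is what the failed attempt above was aiming for. The function names, the address 192.168.88.1 and the credentials are assumptions made for illustration.

```python
import socket

def encode_length(n):  # 1-5 byte length prefix of an API word
    for limit, flag, size in ((0x80, 0, 1), (0x4000, 0x8000, 2),
                              (0x200000, 0xC00000, 3), (0x10000000, 0xE0000000, 4)):
        if n < limit:
            return (n | flag).to_bytes(size, "big")
    return b"\xf0" + n.to_bytes(4, "big")

def encode_sentence(words):  # length-prefixed words closed by an empty word
    return b"".join(encode_length(len(w)) + w for w in (s.encode() for s in words)) + b"\x00"

def read_length(f):
    b = f.read(1)[0]
    for mask, flag, extra in ((0x80, 0, 0), (0xC0, 0x80, 1), (0xE0, 0xC0, 2), (0xF0, 0xE0, 3)):
        if b & mask == flag:
            return int.from_bytes(bytes([b & ~mask & 0xFF]) + f.read(extra), "big")
    return int.from_bytes(f.read(4), "big")

def read_sentence(f):
    words = []
    while (n := read_length(f)):
        words.append(f.read(n).decode())
    return words

def talk(f, *words):
    """Send one command; return the reply sentences before !done, raise on !trap/!fatal."""
    f.write(encode_sentence(words))
    f.flush()
    replies = []
    while True:
        s = read_sentence(f)
        if s[:1] in (["!trap"], ["!fatal"]):
            raise RuntimeError(" ".join(s))
        if s[:1] == ["!done"]:
            return replies
        replies.append(s)

def enable_www(f, user, password):  # f: binary stream, e.g. sock.makefile("rwb")
    # Login used since RouterOS 6.43: name and password are sent as plain words.
    talk(f, "/login", "=name=" + user, "=password=" + password)
    rows = talk(f, "/ip/service/print", "?name=www")
    item = next(w[5:] for w in rows[0] if w.startswith("=.id="))
    talk(f, "/ip/service/set", "=.id=" + item, "=disabled=no")
    return talk(f, "/ip/service/print", "?name=www")

if __name__ == "__main__":
    # Placeholder address/credentials (assumed). Plain api (8728) sends the password unencrypted.
    with socket.create_connection(("192.168.88.1", 8728), timeout=10) as s, s.makefile("rwb") as f:
        print(enable_www(f, "admin", "PASSWORD"))
```

Where the router has a certificate installed, wrapping the socket with an `ssl.SSLContext` and connecting to api-ssl on port 8729 keeps the password off the wire.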
And you are sure that you tried to connect by MAC, not by IP?
I didn’t know that it’s possible to connect by MAC-address in Winbox, but thanks, I’ll try that
If MAC access didn’t work …
https://play.google.com/store/apps/details?id=com.winboxmobile4&hl=en_US&gl=US
seems api based. But no experience with it.
EDIT: Tested on old Android tablet. Works OK with ROS 6.47.7 via api. 7 days free trial.
By the way, is there any description of how such connection via MAC is done, how it is utilizing L2 capabilities.
The wiki https://wiki.mikrotik.com/wiki/Manual:Winbox says via broadcast. So computer and router need to be in the same (L2) broadcast domain.
So besides it’s mentioned that “MAC session uses network broadcasts and is not 100% reliable”, such features as AES encryption and ECSRP key exchange are not available for such session? (since the traffic is broadcast and we’re dealing with frames sequences)
Keep in mind that really the only thing you would do via MAC Winbox is to enable proper ways of accessing the router. Think of it as an “Ah crap, I messed up, let me fix my screwup”.
It’s not that MAC-telnet used by Winbox for MAC connections is plain text … But yes, it’s better to use some well known security protocols (such as IPsec or WireGuard) than some proprietary protocols that nobody knows what they are doing when working in hostile environment.
Who uses port 80 to connect to the router from the LAN?
Well, if you trust your LAN… But in general there are tons of routers besides Mikrotik that use http on port 80. Makes a good spot for honeypot on more advanced routers though.