It is not possible to access the web panel of a non-Mikrotik router from another subnet.

Hello, I will describe my configuration. Mikrotik RB2011UiAS-2HnD-IN router
ETHER3 192.168.1.0/24
ETHER5 192.168.12.0/24
PC with W2016, IP 192.168.0.16
The administration panel of the non-Mikrotik router (actually it is being used as an AP) is at 192.168.12.2
When I try to open 192.168.12.2 from the W2016 PC in the Firefox browser, I get the error "page cannot be displayed".
When I ping 192.168.12.1 from the W2016 PC, it responds OK.
When I ping 192.168.12.2 from the Mikrotik, it responds OK.
I already tried disabling the W2016 firewall and it didn't fix the problem.
I would appreciate some help. Thanks!

Simply: some devices, for protection, do not accept access to their web interface from a different LAN.
If your PC server is 1.16 and the non-Mikrotik router is 12.2, the web page refuses to display the configuration page for security.

Thanks! Any way to solve it?

Yes, using src-nat to make the connection appear as if it came from the RouterBoard, which has an IP on the same subnet.

This works on both HTTP and HTTPS.

Thanks! I created the action but I still have the same problem: 192.168.12.2 does not respond to ping from Windows, and the admin page of the AP says time out.

Add this on top of NAT, and remove the previous rule.

/ip firewall nat
add action=dst-nat chain=dstnat src-address=192.168.1.16 dst-address=192.168.12.1 dst-port=8808 protocol=tcp \
    to-addresses=192.168.12.2 to-port=80 comment="test"
add action=dst-nat chain=dstnat src-address=192.168.1.16 dst-address=192.168.12.1 dst-port=44430 protocol=tcp \
    to-addresses=192.168.12.2 to-port=443 comment="test"
add action=src-nat chain=srcnat src-address=192.168.1.16 dst-address=192.168.12.2 protocol=tcp \
    to-addresses=192.168.12.1 comment="test"

and use this:
http://192.168.12.1:8808
or this
https://192.168.12.1:44430

Extraordinary! I imagine that the "Forum Guru" title is well earned.
Thanks!

Thanks to you!

Hello, I wanted to ask you one more question.
I have configured:
ETHER2 192.168.13.0/24
In that network I have a TP-Link brand AP; the IP to manage it is 192.168.13.2. I created the 3 rules as you indicated, changing the corresponding parameters. However, I see the login screen of the TP-Link AP at http://192.168.13.1:8808/, I enter the credentials and I get a white screen. I notice that the address bar says http://192.168.13.1:8808/userRpm/LoginRpm.htm?Save=Save
Any clue what may be happening? Thanks a lot

You must use DNS to access those devices, because they refuse access by IP, "for security"; use a name like tplinklogin.net (read the correct DNS name on the label under the device).
If you ask again on Monday when I'm in the office, I'll write something for you.

Hello, the problem AP is a TP-Link TL-WR841HP V1. According to the manual, http://tplinklogin.net is used to access its web configuration. How should the rules be written so that I can access it this way? Thanks

This cannot be solved by firewall rules alone, you have to involve also a static DNS record.

The thing is that when you fill in the url into the address field of a browser, it

  1. gets resolved to an IP address using DNS, and
  2. is used in the header of the HTTP request sent to the server.

And I don’t know any way to tell the browser separately what url to place into the HTTP header and to what IP address to send the request.

So you have to make sure that the PC you use to connect to the TP-link uses the Mikrotik as its DNS server, and create a static DNS record on the Mikrotik:
/ip dns static add name=tplinklogin.net address=the.ip.of.the.tp-link

Alternatively, you can use the hosts file on the PC itself to implement the translation of the domain name to IP number - %SystemRoot%\System32\drivers\etc\hosts on a Windows PC, /etc/hosts on a Linux PC.

There may also be a problem with the port numbers, as these device management pages often use absolute links. However, the dst-nat rules doing the port translation as suggested by @rextended are actually only necessary if you want to access the device in the LAN by entering the Mikrotik's own address, e.g. for remote access via the Mikrotik's public WAN address (which only makes sense in specific scenarios). But that's not your case: you enter the actual IP address of the target device. So the src-nat rule alone is sufficient.
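A script can do what the browser above cannot: connect to the device's IP directly while sending a chosen Host header, which tells you whether the refusal is a hostname check (the TP-Link "use tplinklogin.net" behaviour) or a source-subnet check (the case src-nat fixes). This is an added example, not from the thread; the "device" is a constructed local stand-in that only accepts its own hostnames, and `probe()` is the part you would point at the real AP's IP.

```python
import http.client
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer


def probe(ip, port, host_header, path="/", timeout=5):
    """Open a TCP connection to ip:port with no DNS involved, but send the
    given Host header (like `curl --resolve`). Returns (status, Location
    header or None, first 512 bytes of body)."""
    conn = http.client.HTTPConnection(ip, port, timeout=timeout)
    try:
        conn.request("GET", path, headers={"Host": host_header})
        resp = conn.getresponse()
        body = resp.read(512).decode("utf-8", "replace")
        return resp.status, resp.getheader("Location"), body
    finally:
        conn.close()


# Constructed stand-in (assumption): an AP that serves its login page only when
# the Host header is one of its own names, and refuses access by bare IP.
class _HostCheckingDevice(BaseHTTPRequestHandler):
    ALLOWED = {"tplinkwifi.net", "tplinklogin.net"}

    def do_GET(self):
        host = self.headers.get("Host", "").split(":")[0]
        if host in self.ALLOWED:
            body, status = b"<title>AP login</title>", 200
        else:
            body, status = b"refused: access by IP address is not allowed", 403
        self.send_response(status)
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def log_message(self, *args):  # keep the stand-in quiet
        pass


def start_fake_device():
    """Start the stand-in on a random loopback port; returns the server."""
    srv = HTTPServer(("127.0.0.1", 0), _HostCheckingDevice)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv


if __name__ == "__main__":
    srv = start_fake_device()
    ip, port = srv.server_address
    print(probe(ip, port, host_header=ip))                  # 403: refused by IP
    print(probe(ip, port, host_header="tplinkwifi.net"))    # 200: login page
    srv.shutdown()
```

Against a real AP, a 403-style refusal by IP that turns into a 200 with the right Host header means the fix is DNS (a static record on the Mikrotik); a timeout in both cases points at routing or the cross-subnet block instead.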

Hello, I already created the static DNS record. When I try to open http://tplinkwifi.net/ in the browser, the screenshot I attach appears. I also attach the DNS settings of the PC and of the Mikrotik. Thank you very much!

The IP in the DNS record must be 192.168.1.16, and the DNS name must be what is written under the TP-Link router (tplinkwifi.net or tplinklogin.net? simply create both and try both),
and you must use port 80 instead of 8808 in the firewall rule,
but in /ip service change the Mikrotik www port for WebFig to 88,
then just use http://tplinkwifi.net or http://tplinklogin.net without :8808 or other things.
This way the "TP-Link idiotic security for dummies" is defeated.

Paste this script (in firewall NAT, first remove the rules already placed for this):

/ip service
set www port=88
/ip firewall nat
add action=dst-nat chain=dstnat src-address=192.168.1.16 dst-address=192.168.13.1 dst-port=80 protocol=tcp \
    to-addresses=192.168.13.2 to-port=80 comment="tptest"
add action=src-nat chain=srcnat src-address=192.168.1.16 dst-address=192.168.13.2 protocol=tcp \
    to-addresses=192.168.13.1 comment="tptest"
/ip dns static
remove [find where name~"tplink"]
add address=192.168.1.16 name=tplinkap.net ttl=5m
add address=192.168.1.16 name=tplinkextender.net ttl=5m
add address=192.168.1.16 name=tplinklogin.net ttl=5m
add address=192.168.1.16 name=tplinkmodem.net ttl=5m
add address=192.168.1.16 name=tplinkrepeater.net ttl=5m
add address=192.168.1.16 name=tplinkrouter.net ttl=5m
add address=192.168.1.16 name=tplinkwifi.net ttl=5m

@rextended, why do you insist on use of the dst-nat rule and redirection from 192.168.0.16:something to 192.168.13.1:80 rather than using the src-nat rule alone and resolving tplinkxyz.net to 192.168.13.1 directly? What am I missing?

@merced25, the basic idea of that TPlink thing is that if the DNS query for tplinkxyz.net is not intercepted by the TPlink device acting as a DNS server, it reaches the global DNS network and gets resolved to a public IP address of some server in the TPlink cloud, which returns the page you have posted. So to beat this, you have to add a static DNS record for every tplinkxyz.net name the TPlink router pushes to you, until you get them all. Optionally, you may be able to use a single static DNS row with regexp=tplink.*.net rather than many rows with exact names.

The printout from the PC shows that two DNS servers are configured, 192.168.1.1 and 8.8.8.8, so the query may get to 8.8.8.8 and be answered from the global DNS, which is not what you want.

8.8.8.8!!!
Ah, nice catch, I had not noticed it...

Simply, I do not know all the other router settings, like whether forwarding is enabled, whether it is already masqueraded, other rules, etc.
This way I do them explicitly.

I did all the configuration you pointed out, but I still get the same TP-Link screen. Two comments: one, I was wrong in the first post, the IP of the PC is 192.168.1.16. I took this into account when making the proposed configuration. On the other hand, I have 2 TP-Link APs, one in the 192.168.1.X network that I can access and the other in the 192.168.13.X network (the latter is the one I cannot manage via browser); both use http://tplinkwifi.net/. Thanks, and sorry, I'm a newbie to networks and Mikrotik!


It's not so much a Mikrotik issue, it is a TP-link one. Have you managed to get rid of 8.8.8.8 as a DNS server in the PC configuration? What do you get if you open the command line on the PC and enter nslookup tplinkwifi.net there?

As I am working remotely, I am afraid to delete 8.8.8.8 and lose my connection to the computer. The main DNS of the PC is 192.168.1.16 (the PC itself). I attach screens of what you asked for. Thanks!