Locked out - accidentally closed most if not all ports

HEX POE+ Any hope of copying my router configuration after being locked out?

Thanks for any help

Bump

Has anyone got any ideas of what might get me back in?

Thanks for the help

‘Closed ports’ as in firewalled TCP and UDP ports? As long as you haven’t disabled the physical ports and you did not disable the MAC WinBox server, you should be able to connect via MAC address.

https://wiki.mikrotik.com/wiki/Manual:Winbox#Starting_Winbox

To connect to the router enter MAC address of the router

From list of discovered routers you can click on IP or MAC address column to connect to that router. If you click on IP address then IP will be used to connect, but if you click on MAC Address then MAC address will be used to connect to the router.

I don’t know what hEX PoE+ means, but for normal hEX PoE, your last chance is a USB to serial converter, a null modem cable, and a PC with a serial port or another USB to serial converter.

Two pieces of advice when configuring.

  1. USE SAFE MODE.
  2. USE one spare port OFF the bridge to enable another access method as configuring the bridge can be tricky…
    (at least until you have the bridge stable)
    https://forum.mikrotik.com/viewtopic.php?t=181718

This sounds interesting. I do have a few USB to RS232 adapters. So this physical connection bypasses the need to have port 22 or 23 open? I guess I would then use PuTTY or a similar terminal.

Assuming I can do this, what commands would I need to issue from the terminal to open port 80?

No way. This was far too easy. :laughing: Still thinking I am going to try that serial hack just for giggles and future reference.

Thanks so much
You guys are bunch of geniuses

To re-enable access to TCP port 80 via Ethernet in emergency situations, the following commands should do - only do that while the device is physically disconnected from the internet, and clean the firewall up properly before connecting the uplink(s) back:
/interface ethernet enable [find]
/interface bridge port enable [find]
/tool mac-server set allowed-interface-list=all
/tool mac-server mac-winbox set allowed-interface-list=all
/ip firewall filter print chain=input where !dynamic
/ip firewall filter add place-before=0 chain=input protocol=tcp dst-port=80 action=accept
/ip firewall filter print chain=output where !dynamic
/ip firewall filter add place-before=0 chain=output protocol=tcp src-port=80 action=accept

I’ve probably misread your OP and got a feeling that it didn’t work even by MAC address (as access to the mac-server can be controlled using the two interface lists as shown above). You can also disable the serial console access, though.

Last point - reset to defaults doesn’t delete files from flash. So if you save the backup (or export) of the configuration before doing changes and the changes go wrong, you can reset the machine to defaults and then restore the backup file or run the export file to get to the “last known-good” state.
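An added example, not one of the commands posted in this thread: a snapshot-then-restore routine that ties the advice above together (export before editing, work under safe mode, and replay the export after a reset if the edit goes wrong). The file name pre-change and the interface list name LAN are assumed; LAN exists in the default configuration, adjust it to your own list.

```routeros
# Added example, not the thread's own commands. File name "pre-change" and
# interface list "LAN" are assumed placeholders.

# 1. Snapshot the working state before touching the firewall. Both files stay
#    on flash across a configuration reset, as noted in the thread.
/export file=pre-change
/system backup save name=pre-change

# 2. Make the change under safe mode (Ctrl+X in the terminal) so it is rolled
#    back automatically if the session drops. The management accept rule is
#    placed at the top of the input chain and limited to the LAN interface
#    list instead of being opened towards every interface.
/ip firewall filter add place-before=0 chain=input in-interface-list=LAN protocol=tcp dst-port=80 action=accept comment="mgmt: web from LAN"

# 3. Check that the accept rule sits above any drop rule before leaving safe mode.
/ip firewall filter print chain=input where !dynamic

# 4. Recovery if the box is unreachable anyway: from the serial or MAC console,
#    reset to defaults and replay the saved export in one step.
/system reset-configuration no-defaults=yes skip-backup=yes run-after-reset=pre-change.rsc

# Alternative recovery using the binary backup instead of the export.
/system backup load name=pre-change
```

The export (.rsc) is the file to prefer for a restore on the same device after a config change; the binary backup also carries user passwords and keys, so keep it off shared storage.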

Bridge VLAN filtering can also easily lock you out, according to my experience.

Now I understand why - there’s a similar topic: wrong filter add cant login mikrotik