Locked out of 2 routers!

Hi Everyone,

Home - RB2011Ui - RouterOS 6.45.2 - WinBox 3.18 - IP 192.168.88.1
Work - CCR1016-12G - RouterOS 6.45.2 WinBox 3.18 - IP 192.168.0.1

I have managed to lock myself out of 2 routers. Both are fully functional. IP addresses are being assigned, Internet is working. Everything looks good when I run ipconfig. However I cannot ping either router. This means that I cannot login via WinBox. I should also mention the routers are not showing up under the Neighbors tab either. However I ran Advanced IP scanner at home and it does find the router's IP and MAC address. I tried to manually enter the MAC address and login via WinBox but no joy. Let me explain what happened in both cases.

On the Home unit, I made a change to my wireless settings via Quick Set. I think I had the wrong mode selected. I think I made the change under mode CPE when I should have been using HomeAP mode. I applied my changes and thought all was well. Once I logged off, I can no longer login.

On the Work unit, I was working on a dual wan setup. I was trying to start over and clean up the routes for the secondary wan. I removed the network cable from secondary wan ether2. However I could not remove the routes. So I looked at the Address List entries. I noticed that I had 2 that were the same except for the interface. They both had an address of 192.168.0.1/24 and network of 192.168.0.0. The first one had an interface of bridge and the second of ether2. I removed the second one with the ether2 interface since this is the interface that connects to my secondary wan device. I still was not able to remove the routes for the secondary wan ether2. So I decided to reboot the router to see if they would go away. Once again just like the home unit, I can no longer login.

I suspect in both cases that I have lost the default lan route with gateway of bridge and Preferred Source of router IP. Perhaps the Address List entry for lan bridge as well.

Both of these routers have the LCD touch screen. On the home unit, I tried to enter an address of 192.168.88.1/24 on a spare ether interface. I cannot find a way to make the interface bridge from the touch screen interface. This did not fix my problem. Is there anything I can do from the touch screen to fix this? The work unit has a serial interface. Do I have to use it?

I can do a reset on the home unit if necessary because it is pretty much stock. However the work unit has been customized quite a bit so I really do not want to reset it. Any help would be greatly appreciated! Thanks for the support…

I don’t know what’s possible with touch screen, but if you can connect using serial port, you’re good. Command line is less intuitive than WinBox, but config structure is the same, so it shouldn’t be too hard to either find what’s wrong, or add some temporary address to free interface, firewall exception, etc… and then connect with WinBox and fix the rest.

Hi SOB,

Thanks for your reply. The touch screen does allow me to add addresses to any interface except bridge. What I do not know is whether it will also create a route for an added address. https://wiki.mikrotik.com/wiki/Manual:LCD_TouchScreen#Reboot_and_Reset_Configuration. Can you suggest a fix using the touch screen?

As I stated, the work unit does have a serial RJ45 console port. However I am not familiar with it. I have found this document https://wiki.mikrotik.com/wiki/Serial_Port_Usage. However it seems to require preparations which require access to the RouterOS which I do not have. The three options for access in the document all require access to the RouterOS for configuration. Can you shed some light on how I can use the console port to gain access? Thanks for your support…

Connected route is created automatically. So if you have unused port, add address to it that you don’t use anywhere else, so it won’t conflict (192.168.88.1/24 is not good choice if it’s already on bridge, use e.g. 192.168.99.1/24 if it’s not anywhere), then connect your PC/laptop/whatever to this port with manually configured 192.168.99.x/24 and hopefully you’ll be able to connect.

Serial port should be used by console by default (that’s what you need), and changes should only be required if you want to use it for something else.

Hey.

Serial port is direct access, any IP settings etc, don’t matter.
If you connect your PC to serial port, open serial terminal at the right speed (usually 115200 but not on all models), and press enter in the terminal, you will see a RouterOS username prompt immediately.
It is possible to disable the serial console but it’s not easy and not something you’d do by accident.

PS. After initial “first run setup” it’s better to not use QuickSet, only the “full” webfig/winbox/CLI interface.
Otherwise there’s a big chance quickset will mess up other parts of the config.

Thanks SOB! That is just what I was looking for. I am not home now but I am on my way. I will use the LCD screen to add 192.168.99.1/24 on an unused port. Then do a manual config on my pc as you suggest. I will let you know what happens…

Hi sob and wrkq,

Sob, that did not work for me on my home unit. I did exactly as you said. New address 192.168.99.1/24 on spare ether4. Then set a static on my pc of 192.168.99.10 with subnet 255.255.255.0 and gateway 192.168.99.1. Then connect the nic cable to ether4 and PC. ipconfig looks good but unfortunately ping 192.168.99.1 is not reachable and therefore no WinBox login. I will try the same on the work router tomorrow. Any other ideas? If not I will have to reset the home unit because it does not have a serial console port.

wrkq, for the work unit with the serial console, if the above does not get me in, I will use putty to try and connect. Do I need a crossover network cable? Thanks both of you for your support.

If your device has an RJ45 serial port, you need a cable with RJ45 plug on one end, and 9-pin serial port plug on the other.
If you ask around for a “Cisco serial cable” or generally “RJ45 to serial cable” you can find one easily - just about everyone in the networking business follows the same wiring standard as originally slapped together by Cisco.
https://webobjects2.cdw.com/is/image/CDW/3718050
https://community.cisco.com/legacyfs/online/legacy/5/2/1/9125-ciscoconsolecable.jpg

If your device has the standard serial port, you will most probably need a “null-modem serial cable” - the equivalent of cross-over ethernet cable, with Rx wired to Tx and vice versa.
With female plugs on both ends instead of male on one and female on the other.
https://webobjects2.cdw.com/is/image/CDW/3575479

You will also need a 9-pin serial port in your PC, which tend to be kinda rare nowadays, but a basic USB-serial adapter can be had for ten bucks.
(If you can find out what chip a particular cheap ebay adapter is based on, choose one based on FT232 over the ones based on PL2303 - tends to work better).
https://webobjects2.cdw.com/is/image/CDW/324158
https://c1.neweggimages.com/ProductImage/12-200-964-06.jpg

After you plug in the USB converter (and install driver) check Windows Device Manager for the COMxx number that got assigned to the new serial port.
Switch Putty to serial mode, enter that COMxx (e.g. COM4) and 115200 for speed, and if you get the blank terminal window instead of some initialization error, hit Enter.
RouterOS will announce its version and ask you for username, then password.
(If you see some junk, restart putty and try different speeds - but MT typically uses 115200).

PS. If your devices have USB port, yet another option might be plugging a Woobm into it, and connecting through Woobm.
https://mikrotik.com/product/woobm

wrkq,

Thanks for spending your time on this. My device has an RJ45 serial port for console access. With that being said. I wonder if I could use a crossover network cable with software. I found this https://www.virtual-serial-port.org/article/best-serial-over-ethernet-tools/. What do you think?

Nope, that’s completely different thing. Even if it has confusing RJ45 port, it has nothing to do with network, don’t plug it there.

About the home device, it’s possible that it’s something with firewall. You can’t get into that using LCD, can you? Connection to MAC address doesn’t work either, I guess?

No, you can’t.
The port has RJ45 shape (technically “8P8C shape” because RJ45 is a telecom wiring standard for phone cables, just the name got stuck in common speak).
But the electrical signals on it are not Ethernet, they are RS232.

If you plug it into a network interface in a PC or a switch it’ll just tell you “the cable is not connected” because there’ll be no recognizable Ethernet signal on the wires.
Same deal if you’d have an RJ45 port running analog phone or ISDN phone - plug may fit but it’s not Ethernet so computer won’t recognize it.
(And if you’re super unlucky something may burn because most of those other technologies tend to use higher voltages than Ethernet).

https://en.wikipedia.org/wiki/Modular_connector#8P8C
https://en.wikipedia.org/wiki/TIA/EIA-568#T568A_and_T568B_termination
https://en.wikipedia.org/wiki/RS-232
https://wiki.mikrotik.com/images/3/3a/Rj45-pinout.gif.png

Hey guys, sob the firewall is not accessible via the LCD. I cannot access the device via mac address either. As I stated earlier the device does not even show up under the Neighbors tab in WinBox. It is looking like a reset is inevitable. Not a big deal because it is pretty much a stock box.

As for the work box it is this one https://mikrotik.com/product/CCR1016-12G. As you can see it has the RJ45 serial port for console access. sob are you saying this port is not for terminal access? wrkq, it looks like the serial over ethernet software is a no go. I will come up with a RJ45 to serial cable. I have an older workstation that has a serial port on it. So no problem there.

Guys, I am wondering if ether12 can help me out. It is labeled as Boot. I know this port can be used for NetInstall https://wiki.mikrotik.com/wiki/Manual:Netinstall but can it help me get into the box to resolve this issue? Thanks…

No, I’m saying that if you get the right serial cable, it should work. I understood your previous post as that you wanted to connect ethernet there and then use some software for virtual serial port to access, that would not work.

I don’t know this exact device, if there’s anything special about ether12, but I guess not.

This is a bug of 6.45, it has happened to me with three different units. Factory default and rolling back to 6.44 has been the solution in my cases. You can know for sure it really is a bug when the MAC addressing based connection in winbox also stops working, then it simply isn’t an IP config issue :frowning:

Hi folks,

I thought I would update this topic…

dnordenberg - Thanks for your post. That is very interesting indeed. I am wondering if you can recall what changes you made to the 3 units that you were locked out of? Have you emailed support about this problem?

sob - On the work unit, I tried the same attempt as the home unit. Assigned an address via the touch screen and a static on a laptop. Unfortunately the result was the same. I was hoping it might work since I did it on ether2 which is not a part of the bridge. The home unit has all ports on the bridge except ether1 wan port.

sob and wrkq - I found a serial cable in the original box. It is a Cisco style with RJ45 on one end DB9 female on the other. However when I look at my unit (CCR1016-12G), it has a DB9 male connector console port. Yesterday, I was fooled by the gallery pics. I have Rev. 1 and the gallery pics on the products page are for Rev. 2. What a kick in the pants that the device was shipped with a Cisco style console cable for Rev. 2 when the device in the box is Rev. 1. So what I need is a serial null modem cable with female on both ends. I picked one up this evening. I will try and connect with a laptop tomorrow.

sob - If I get in via the console tomorrow, I will try and figure out what is wrong. If I cannot figure out the problem, I would like to post some details using print. What would you like to see? How can I output to a file instead of the terminal window? Can you please provide the commands to generate everything you would like to see?

Thanks to all for your support…

Honestly, seeing some other support posts around here, it’s a pleasure to work with you - even if you’re not familiar with some things, you’re patient and very keen to understand.
Not just “no worky, give me magic spells to fix!”.
That said, mega bummer with the mismatched cable. Sorry you ran into that. :frowning:

After you log in to the CLI, just do
/export hide-sensitive
and plain text config should spill into the terminal.
Then you can right-click Putty’s title bar, “Copy All To Clipboard”, and paste to Notepad or your favourite plain-text editor for any cleanup.
Consider redacting things like device serial and license numbers, any public IPs, company/etc names in comments to preserve your privacy.

Then paste the rest in here between [ code ] … [ /code ] tags.

Thanks wrkq,

I really need to learn more about the CLI commands. All of the online manual pages are written with CLI examples. Also most folks that really know the RouterOS, seem to use the CLI exclusively. Will the /export hide-sensitive command export everything (i.e. routing table, address list, etc.)? Or do I have to do this…

[admin@MikroTik] ip route > export hide-sensitive
[admin@MikroTik] ip address > export hide-sensitive
[admin@MikroTik] ip firewall > export hide-sensitive
etc…

Config is hierarchical, same way how folders on disk are. So if you do /export (with “/” indicating root), it exports everything. If you need only some part, add prefix (e.g. “/ip route export”).

And I don’t think most people use CLI. It’s just that even small part of config that can be expressed with few text lines would require several screenshots otherwise. And both CLI and GUI have same structure, so it’s easy to read text config and add it using WinBox/WebFig.

Thanks sob. I understand. Your comments about CLI vs GUI make perfect sense as well. If I cannot solve this problem tomorrow, I will export everything and post it. Excluding sensitive material of course.

Hi Sob and wrkq,

I have good news! I have fixed the work router! The console port rules! So do you guys because without you, I would have never been able to fix the device.

I should actually be calling work router, client site router. I am an IT tech. I should also mention that I have another client site with the same device and a very similar config. That was very helpful in resolving the issue. Let me explain how I fixed it.

I was able to get in via the console port with my null modem cable. I checked the config of the serial port on my other clients device which was helpful. Here are the settings for the server com port and Putty.

Baud Rate - 115200 (thanks wrkq)
Data Bits - 8
Parity - none
Stop Bits - 1
Flow Control - none

FYI, I will change the router serial console port Baud Rate from auto to 115200 since that is what worked for me. I will also have the owner of the company purchase a longer null modem cable. I will leave it connected to the server at all times. This way if I mess up again, I can get back in. :wink:

I will explain the reproducible problem and how I caused it. The problem was directly related to changes I had made to Address List and Firewall entries and the use of Quick Set. I know I said that I did not use Quick Set on the work unit, but I am now sure that I did. Sorry for the misinformation guys.

To accommodate my dual wan setup, I made changes to the firewall. I created Interface List entries (wan - ether1,ether2) and (lan - bridge). I changed firewall entries to use wan and lan Interface Lists. I changed the Local Network Address List entry from (ether2) to (bridge). This config was working perfectly until I used Quick Set. I did not make any changes but I must have clicked the OK button before closing out. This caused the problem. Here is why.

Quick Set creates an Address List entry for the Local Network settings. It uses (ether2) by default. I then had 2 Address List entries for Local Network. One with Interface (bridge) the other with (ether2). It also changed my Interface List entries. I found that lan was now pointing to (ether2). I also had a rogue entry with no List Name and interface of (bridge). Of course I had no idea this was occurring. I think the fatal blow is when I deleted the Address List entry for Local Network with Interface (ether2). This broke the Firewall.

I was able to fix everything via the console. The export command made it all possible. Thanks guys! I decided to make the Interface for Local Network Address List entry (ether2). This way if Quick Set is ever used again, it will not mess things up. I cleaned up the rogue entry in the Interface List and changed lan back to bridge. I will now use (ether12) for the secondary wan.

I am sure a similar thing has occurred on my home device. I also made wan and lan Interface Lists and changed the firewall rules and made changes using Quick Set. Unfortunately I do not have a console port on the home device. I do not think there is any way to boot the device with the firewall disabled. So I will have to do a reset.

I am sure that I will have some questions about my dual wan setup in the near future. Please look for my topic.

Helping folks out on the forums is not an easy thing to do and can be very time consuming. I thank you both for donating your time and your patience…
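
The conditions described in this thread (the same address on two interfaces, an interface list member with no list name, and the bridge missing from the list the firewall filters on) can be checked offline in a saved `/export hide-sensitive`. This is an added example, not part of the original thread and not MikroTik tooling; the sample export is constructed, and `parse_export` and `audit` are hypothetical helper names.

```python
import re
import shlex
from collections import defaultdict

# Constructed sample shaped like /export output; list="" for the nameless member is an assumed rendering.
SAMPLE_EXPORT = r"""
/interface list
add name=wan
add name=lan
/interface list member
add interface=ether1 list=wan
add interface=ether2 list=lan
add interface=bridge list=""
/ip address
add address=192.168.0.1/24 interface=bridge network=192.168.0.0
add address=192.168.0.1/24 interface=ether2 network=192.168.0.0
/ip firewall filter
add action=accept chain=input in-interface-list=lan
add action=drop chain=input comment="drop all not coming from lan" \
    in-interface-list=!lan
"""

def parse_export(text):
    """Return {section: [params, ...]} for the `add` lines of an export."""
    sections, current = defaultdict(list), None
    text = re.sub(r"\\\n\s*", "", text)  # rejoin lines wrapped with a trailing backslash
    for line in map(str.strip, text.splitlines()):
        if line.startswith("/"):
            current = line
        elif line.startswith("add ") and current:
            tokens = shlex.split(line[4:])
            sections[current].append(dict(t.split("=", 1) for t in tokens if "=" in t))
    return sections

def audit(text):
    """List conditions that can cut management access off behind list-based rules."""
    cfg, findings = parse_export(text), []
    by_addr, lists_of = defaultdict(set), defaultdict(set)
    for a in cfg["/ip address"]:
        by_addr[a["address"]].add(a["interface"])
    for addr, ifaces in sorted(by_addr.items()):
        if len(ifaces) > 1:
            findings.append(f"duplicate address {addr} on {', '.join(sorted(ifaces))}")
    for m in cfg["/interface list member"]:
        if m.get("list"):
            lists_of[m["interface"]].add(m["list"])
        else:
            findings.append(f"list member {m['interface']} has no list name")
    used = {r[k].lstrip("!") for r in cfg["/ip firewall filter"]
            for k in ("in-interface-list", "out-interface-list") if k in r}
    for iface in sorted({a["interface"] for a in cfg["/ip address"]}):
        if used and not lists_of[iface] & used:
            findings.append(f"{iface} has an address but is in none of the lists {sorted(used)}")
    return findings
```

Running `audit()` on an export taken before and after a Quick Set session shows whether the address or interface list entries moved.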