logging in without actual login

Hello to all MT users and professionals…!
I am trying to access my MT router through its public IP, and sometimes I get this message (as in the picture below): just "logging in", and it remains like that without logging in.
I don't have a firewall rule to block login from a public address… also, as I mentioned, sometimes I log in normally without any problem.
So why does this happen? Has anyone encountered this problem before?
How can I know that my ISP is not part of this problem?
[attachment: InkedCapture.jpg]

First off: it's a bad idea to allow winbox access from WAN. In the past there were a few exploits of winbox access.

Second: winbox saying "logging in" and nothing more very probably means some device is (silently) dropping packets and winbox is retrying to establish the connection. As you can log in sometimes, this either means that your firewall/winbox service config is slightly selective or that some entity (either of the ISPs) blocks winbox access. To verify whether it's your router blocking it, you could run the sniffer to see if winbox packets arrive at your WAN interface or not.

But, as I wrote in the first paragraph, allowing winbox access from WAN is a bad idea in the first place. You should set up some secure tunnel (WireGuard if you're running ROS v7, or IPsec otherwise) and run winbox through that tunnel.
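The sniffer check suggested above, written out as an added example (this is not from the thread or from MikroTik's documentation). It assumes the WAN interface is named ether1 and that winbox is on its default TCP port 8291; adjust both to match your router.

```routeros
# Added diagnostic example; assumptions: WAN interface "ether1", winbox on TCP 8291.

# 1. Confirm which port the winbox service is really listening on (and any
#    "address" restriction already configured on it).
/ip service print where name=winbox

# 2. Capture only winbox traffic on the WAN side to a file, then reproduce the hang.
#    Replies sent by the router are captured too, so both directions are visible.
/tool sniffer set filter-interface=ether1 filter-port=8291 filter-ip-protocol=tcp \
    file-name=winbox-wan.pcap file-limit=2000KiB
/tool sniffer start
# ... attempt the winbox login from outside now, then:
/tool sniffer stop

# 3. Alternative: live view in the terminal without writing a file (Ctrl-C stops it).
/tool sniffer quick interface=ether1 port=8291

# 4. Download winbox-wan.pcap (Files menu) and open it in Wireshark, filtering on
#    "tcp.port == 8291". What you see tells you where the problem is:
#    - no packets at all: the SYNs never reach the router; the drop is upstream
#      (ISP, or a NAT device in front of the router), not on the router itself.
#    - SYNs arrive but the router never sends SYN-ACK: a local drop. The input
#      rule whose packet counter increases during the attempt is the culprit:
/ip firewall filter print stats where chain=input
#    - the three-way handshake completes and then stalls: look at the winbox
#      service itself or at the return path (with two WANs, replies may leave
#      via the other link and never reach the client).
```

Run the capture from a session that is not itself winbox over the WAN (console, or a LAN-side connection), so that your own troubleshooting session does not pollute the capture.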

You need to follow MikroTik's advice as stated in the following, otherwise you are asking for serious hacking trouble… and it's got nothing to do with your ISP…
Securing Your Router

Follow mkx's advice.
No direct access.
Only via VPN.

So if I run a sniffer, which interface will be the target, and if I open the file using Wireshark, what do I have to look for in the sniffer file to identify the problem?

I hear a lot of people out there say that you shouldn't log in to your MT router using your public IP, but actually until now nobody has told me why!
So where is the risk in this case?

Anyone getting hands on your password can get in.
Simple.

Obviously it'll be the WAN interface (if your winbox access is open). And the sniffer contents? Let me google that for you…

You need a rule to allow 8291 on input before any drops. But given you're saying it works sometimes, do you have multiple WANs? Because input traffic to the router has to be specially treated.

But I note that MikroTik's defaults don't allow this, take that as an indicator of risk, and listen to the advice here. And if troubleshooting winbox access is hard, I'd stick to the default and set up a VPN like WireGuard or ZeroTier. ZeroTier works particularly well for winbox, since winbox will show any discovered routers in the login screen.

Now I'm not a fan of "the password leaks out" as the reason why winbox is a bad idea. That's always a problem; winbox isn't special there. E.g. if WG keys become known, you may actually be worse off, since WG gives a tunnel to a network – no need for malware to muck with/understand ROS, with a likely larger attack surface at the other end of the VPN…
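The two points above (winbox allowed only through a VPN, and input traffic on a dual-WAN router answered on the link it arrived on) as one added configuration example. This is not from the thread or from MikroTik; it assumes RouterOS v7, WAN interfaces ether1 and ether2 with the gateways shown as placeholders, a WireGuard management subnet of 10.99.0.0/24, and a single laptop peer whose public key is a placeholder.

```routeros
# Added example; assumptions: ROS v7, WANs ether1/ether2, WireGuard subnet 10.99.0.0/24,
# gateway addresses and the peer public key are placeholders to replace.

# 1. Interface list so firewall rules do not depend on individual WAN names.
/interface list add name=WAN
/interface list member add list=WAN interface=ether1
/interface list member add list=WAN interface=ether2

# 2. WireGuard server side: the only thing exposed to the internet is UDP 13231.
#    RouterOS generates the router's key pair when the interface is created.
/interface wireguard add name=wg-mgmt listen-port=13231
/ip address add address=10.99.0.1/24 interface=wg-mgmt
/interface wireguard peers add interface=wg-mgmt \
    public-key="<LAPTOP_PUBLIC_KEY_PLACEHOLDER>" allowed-address=10.99.0.2/32

# 3. Input chain: accept order matters, the WAN drop comes last.
/ip firewall address-list add list=mgmt address=10.99.0.0/24
/ip firewall filter
add chain=input connection-state=established,related action=accept comment="replies to router-initiated traffic"
add chain=input connection-state=invalid action=drop
add chain=input in-interface-list=WAN protocol=udp dst-port=13231 action=accept comment="WireGuard handshake only"
add chain=input protocol=tcp dst-port=8291 src-address-list=mgmt action=accept comment="winbox via tunnel only"
add chain=input in-interface-list=WAN action=drop comment="nothing else from the internet"

# 4. Dual WAN: remember which link a connection to the router came in on and send
#    the router's own replies back out the same link. Without this, a handshake
#    arriving on ether2 can be answered via ether1 (the default route) and the
#    client never sees the reply, which looks exactly like an endless "logging in".
/routing table add name=via-wan1 fib
/routing table add name=via-wan2 fib
/ip firewall mangle
add chain=input in-interface=ether1 action=mark-connection new-connection-mark=wan1-in passthrough=yes
add chain=input in-interface=ether2 action=mark-connection new-connection-mark=wan2-in passthrough=yes
add chain=output connection-mark=wan1-in action=mark-routing new-routing-mark=via-wan1
add chain=output connection-mark=wan2-in action=mark-routing new-routing-mark=via-wan2
/ip route
add dst-address=0.0.0.0/0 gateway=203.0.113.1 routing-table=via-wan1
add dst-address=0.0.0.0/0 gateway=198.51.100.1 routing-table=via-wan2
```

With this in place, a WAN-side port scan shows only the WireGuard UDP port, and a winbox client with no valid tunnel key never reaches the login exchange at all. If an upstream ISP is the one dropping traffic, the mangle rules will not fix that, but the sniffer capture on the affected WAN interface will show the missing packets.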

My view:
I don't like a single line of defense.
If a real hacker wants to get in, they will.
Just make it a bit more difficult and they might lose interest.
So a second line of defense…

MikroTik's "winbox encryption" algorithm isn't public, so it's not subject to any meaningful scrutiny. And since it supports a variety of older versions, its fixed/dated encryption is likely more and more decryptable as CPU power increases by the day. Which is how the password can become known, and then used in an attack, now or later.

No argument against layers. And since MikroTik only has "single factor" authentication, be another one…

lol… very interesting!! :laughing:

Yes, I have two WAN interfaces!
You are right! I agree with that. What I always do in my network config is set a very hard password (sometimes a hashed password with salt), change the winbox port and close all the other ports. I think that makes some sense… well, at least for me.