make the MT invisibly??

franco · April 25, 2005, 12:34pm

Hello,

sorry for my english, ist not the best.

I have a question about the MT.
I have the version 2.8.26. When the clients, which have the ip addresse 192.168.1.xxx, open the Internet explorer and tap the IP from the Router (192.168.0.254) they can see the Mikrotik info page.
The same one is over Internet. When anybody tab the IP from the Mikrotik router, they can see the info page, too.

Can I avoid this??

thank.

Eugene · April 25, 2005, 12:48pm

Disable www service.
http://www.mikrotik.com/docs/ros/2.8/ip/service

or add drop rules to the input chain.

franco · April 25, 2005, 2:02pm

thank you for your answer.

I use winbox from my office to the MT over internet.
If I disable the service, i can’t access to the MT. It`s wrong?

I use a VPN connection with a static IP.
If I add my IP in the Firewall, cann I access than??

sorry, but I’m a beginner.

yancho · April 25, 2005, 4:16pm

Or change www service port, or add your computer ip in “available from”

franco · April 25, 2005, 4:56pm

i have resolve the problem with firewall rules.
But now i can’t access to MT.
Can I use a trick to log in??
I have permitted only Network with IP 192.168.3.0/24.
I had made a backup before i change the setting.
My last possibility is to install the MT new, if it gives no trick.

andrewluck · April 25, 2005, 5:47pm

Login via the serial port.

Regards

Andrew

franco · April 25, 2005, 6:31pm

about Telnet?
and how??

Hugh_Hartman · April 25, 2005, 8:08pm

download neighbor viewer from: http://www.mikrotik.com/download.html
it’s at the bottom of the page,then you can MAC telnet into the MT,as it bypassess firewall rules.

franco · April 27, 2005, 5:04am

I have done this.
no problem, i can access again.

i had written this in the Firewall rle.

/ip firewall rule input add connection-state=invalid action=drop
comment=“Drop invalid connections”
/ip firewall rule input add connection-state=established
comment=“Allow established connections”
/ip firewall rule input add connection-state=related
comment=“Allow related connections”
/ip firewall rule input add protocol=udp comment=“Allow UDP”
/ip firewall rule input add protocol=icmp comment=“Allow ICMP Ping”
/ip firewall rule input add src-address=10.0.0.0/24
comment=“Allow access from our local network. Edit this!”
/ip firewall rule input add src-address=192.168.0.0/24 protocol=tcp dst-port=8080
comment=“This is web proxy service for our customers. Edit this!”
/ip firewall rule input add action=drop log=yes
comment=“Log and drop everything else”

My config is:
Internet Interface 62...**
Clients Interface 192.168.1.1
Clients IP static 192.168.2.1 - 192.168.2.254
my VPN connection 192.168.1.99

how i must config the command above, so that i can access from internet with Winbox over VPN and over the clients Interface.
i hope your can understand my question.

I write a bad english

cmit · April 27, 2005, 7:15am

As you don’t state action=accept in your accept-rules: What is the default policy of your firewall chain(s)?

franco · April 27, 2005, 7:58am

Can we talk in German?
I have many problems with the english language.

Hugh_Hartman · April 27, 2005, 10:30am

Try This

change this :
ip firewall rule input add src-address=10.0.0.0/24
comment=“Allow access from our local network. Edit this!”

to this:
ip firewall rule input add src-address=192.168.2.0/24
comment="Allow access from our Clienst IPs. "

this will give you winbox from your clients IP’s

add this rule after above:
ip firewall rule input add src-address=192.168.1.0/24
comment="Allow access from Clients interface/VPN. "

this will allow acces from VPN and clients interface

you do not want to allow acces from the net–that is the purpose of protecting the routers access,however I would delete your first rule as you drop and log everything else in the last rule.

franco · April 27, 2005, 11:15am

thank you for your answer.

It’s OK.
I would access from Internet, too over VPN.
At the moment i can this.
But when anyone ping the Router IP over internet, can see the Mikrotik default Page.
Can i make it, that only i can access from Internet over VPN.
Home ----------------Internet----------------MT

At home i have dsl line with dynamic IP.

Hugh_Hartman · April 27, 2005, 11:21am

change the www service from port 80 to another port in the MT.

franco · April 27, 2005, 2:10pm

thank.
work fine.
I have an other question.
Can i use the MT and a Radius Server in the same PC and at the same time?

I would like use the Radius Server for Accounting pppoe Clients.
So i can see the traffic for each individual client.

cmit · April 27, 2005, 2:41pm

No, you can’t add any custom software to a system running MikroTik RouterOS. You have to use a separate machine for a RADIUS server.