MikroTik RB5009 setting up remotely first time

Question:
I have two houses with separate internet connections:

House 1: Uses an ISP connection with CGNAT.

House 2: Has an internet connection with a sticky public IP.

House 2 runs a VPN server (WireGuard) on a Brume 2 router.

House 1 has an Android phone acting as a VPN client (WireGuard) and a proxy server (EverProxy).

House 2’s Edge browser is configured to use the proxy from House 1, allowing me to access House 1’s router remotely.

I just bought a MikroTik RB5009 and want to configure it remotely from House 2. A non-technical person at House 1 will connect the RB5009 to the ISP router via Ethernet.

My Questions:
Which port on RB5009 should they use for the connection to the ISP router to ensure I can access WebFig remotely?

Can I reach RB5009’s WebFig interface from House 2 using my existing VPN + proxy setup?

What MikroTik settings should I check/modify to ensure remote access works?

The requirement is to configure the RB5009 remotely using the existing setup and set it up as a VPN client to connect to the VPN server at House 2. Once the setup is complete, we can disconnect the Android phone at House 2 and access the RB5009 directly from there. The RB5009 will function as a VPN client to House 2 and as a proxy server at House 1, effectively replacing the Android phone. This means all internet traffic from House 2 should be routed through the RB5009 at House 1.

Now, the question is: Is this feasible? If so, how can it be implemented within the current setup?

Any guidance on the correct steps would be appreciated!

Diagram

HOUSE 1 (ISP Network)
┌──────────────────────────────────────────────────────────┐
│ [ ISP Router ] ◀──▶ [ MikroTik RB5009 (ether1) ]         │
│        ▲                                                 │
│        │ WiFi                                            │
│        ▼                                                 │
│ [ Android Phone ]                                        │
│        │ VPN Client (WireGuard)                          │
│        ▼                                                 │
│ [ EverProxy App ]                                        │
└─────────┬────────────────────────────────────────────────┘
          │ VPN Tunnel (WireGuard)
┌─────────┴────────────────────────────────────────────────┐
│ HOUSE 2 (VPN Server)                                     │
│ [ Brume 2 Router (VPN Server) ]                          │
│        │ Local Network                                   │
│        ▼                                                 │
│ [ PC Running Edge Browser ]                              │
│ Proxy Configured (Pointing to EverProxy at House 1)      │
└──────────────────────────────────────────────────────────┘

Have you ever used Mikrotik and configured it before?

No

The requirement is to configure the RB5009 remotely using the existing setup and set it up as a VPN client to connect to the VPN server at House 2. Once the setup is complete, we can disconnect the Android phone at House 2 and access the RB5009 directly from there. The RB5009 will function as a VPN client to House 2 and as a proxy server at House 1, effectively replacing the Android phone. This means all internet traffic from House 2 should be routed through the RB5009 at House 1.

Now, the question is: Is this feasible? If so, how can it be implemented within the current setup?

https://mikrotik.com/consultants

I am an enthusiast who likes DIY. I am in this forum for guidance. Sorry, I’m not looking for hiring or a paid service. Apologies.

Guidance provided based on your answer above!!
You have lots to learn prior to trying to remotely configure a 5009.
If you are truly DIY then get GNS3 or EVE-NG and set up a lab-type setting where you can practice learning about RoS.

I appreciate your enthusiasm. I am a relatively recent user of MikroTiks myself, so I am still learning, with several set up in quite different configurations.

Having read your queries, the answers already imply some prior knowledge of RoS. You are trying to bootstrap from nothing.

If you would prefer not to hire assistance then spend some peanuts on a Hex Refresh and quite a lot of time learning and practising before you expose all your systems for actors on the internet to use as they please. Questions are answered here, consultancy from scratch costs money. To DIY, work incrementally.

While it exaggerates the complexity, it is analogous that they do not teach advanced surgery in Medicine 101. You need first to know the moving parts, their interactions and their importance.

Thanks for the note, truly appreciate it. At the moment the focus is to solve the current challenge. Keeping high hopes to be able to achieve what I want to achieve. I will keep posting in this forum. My last option is always to have MSTSC to the remote computer to which the RB5009 is connected and then configure it and place it in the existing setup. But I am trying to solve it without MSTSC. Thanks

Thanks for the note, appreciate it. In the age of AI and YouTube videos I am utilising them to learn. If you see, I have been able to remotely access the ISP router page at house1 under CGNAT; this arrangement I did myself as DIY, and that too remotely, as I didn’t have any access to the remote LAN. Probably this time too I will be able to achieve it with brilliant minds like yours. Thanks

What others tried to pass on to you is that ROS has quite a bit steeper learning curve than most other vendors’ device OSes (at least in the same market segment, which, according to prices, is SoHo). ROS is pretty unforgiving when it comes to errors in configuration and it’s very easy to cut oneself off from the device being configured. And local access to the device in such a case is vital. OTOH it’s very easy to mess with firewall rules and open a ROS device to remote attackers. Since the default firewall configuration is very restrictive when it comes to remote access, one is tempted to “unblock himself”, but if one doesn’t know very well what he’s doing, he will likely open the device wide to remote attacks.

So in short: get yourself a cheap ROS device (all ROS devices have all the functionality, they differ in minor details) and practice configuration before attempting to do it remotely.

No experience, the very first MikroTik router, no own public address @Home1, Android VPN client, proxy … it’s like asking “how to get to the top of K2” when your climbing experience is trips to the attic.

Mail the router to house 2. Configure it there. Once done, mail it to house 1 and tell your parents or whoever what to plug in where.

I appreciate Mikrotik’s power and flexibility, but learning Mikrotik for the first time while trying to set up a new router behind CGNAT is a torture I wouldn’t wish on anybody.

To directly answer the OP’s main question:

Different MikroTik router models come with different default out-of-box configurations. Most home/SOHO models will have a default config that treats the first copper Ethernet port (ether1) as “WAN”, and the remaining ports as a single common switched “LAN”. The “WAN” port will not have an IP address configured on it, but will be running a DHCP client. It also will have some default firewall rules installed, including ones that prevent you from accessing any kind of management interface on the router through that port (no web/WebFig, no WinBox, no SSH, not even MAC-WinBox or MAC-Telnet). The “LAN” side will typically have a default IP address of 192.168.88.1/24, and be running a DHCP server as well.

I’d guess an RB5009 likely falls into the category of device that MikroTik pre-loads such a default config on.

What you are likely going to want to do, therefore, is 1) initially plug into anything other than ether1, 2) WinBox/WebFig/whatever to it, 3) the very first time you log in, it is going to tell you what default config it is running and give you an opportunity to accept or reject it; reject it so that you can get a clean slate! This will leave the router with NO IP addresses or DHCP clients or servers running, but also no firewall rules, either, so at this point you can use ether1 to get into the device, so you can now (optionally) move the ethernet connection over to ether1.

At the same time, being left without any IP address means your management access is going to be limited initially to MAC-WinBox, or a serial console (which RB5009 appears to not have). But you can now connect up to it, and start building up your config from there.

Another thing to note is that MikroTik has recently started setting the out-of-box ‘admin’ password to a random string that is printed on a sticker somewhere on the device, rather than to an empty string. So you will need to obtain that password from the resident of House 1 before you can do anything.

Best of luck, and don’t let the naysayers get you down, though I can completely understand their expressed caution about attempting to do this remotely if this is your first time working on the platform, given the relative complexity of ROS.

Better the naysayers than those who implicitly suggest deleting the default configuration, and therefore the firewall with all that it entails, because it is easier, creating yet another machine that will cause, in one way or another, DDoS…

Did you ACTUALLY read OP’s post? Because it was pretty clear that this router was not going to be handling direct gatewaying to the internet at all (not going to be getting a public routable address on WAN from ISP).

It’s going to sit on the inside of an existing LAN, acting as a VPN client in place of an existing Android device that is currently performing that same function.

Thank you very much, you understood my requirement very well. And yes, I am not exposing the RB5009 to the internet because it will be behind the ISP-provided router, which is again behind CGNAT. Today I tried to connect the RB5009 to the ISP router.

Observation:

  1. If I connect the RB5009 to the ISP router via ether1, then the ISP router assigns an IPv4 address and I can see the LAN client in the ISP router (through the VPN and Android proxy as described in the original post), but when I type the IP of ether1 as assigned by the ISP router I get bad gateway. If I try to access 192.168.88.1 I also get bad gateway.

  2. If I connect the RB5009 to the ISP router via ether2, then the ISP router does not assign any IP, so I can’t access the RB5009.

  3. There is another device connected to the ISP router; when I type that address in the web browser in house2 I can access it, so the Android VPN-proxy solution is working.

My understanding is that WebFig is disabled on the WAN port. But I presumed that accessing it through the LAN address might allow access. But it looks like it does not.

Given the above situation, what is the best I can do, given I do not have a laptop in house1? How can I enable WebFig on the WAN port? (Note I don’t want to reject the default configuration; I just want to enable WebFig, WinBox and SSH on the WAN port.) Once I can access it through the WAN port I will do all the other config like VPN, ZeroTier or Tailscale. Keeping all this in mind, can you help with how to enable WebFig remotely on the WAN port? Can we use the MikroTik Pro mobile app to configure the RB5009, which does not have a WiFi module? If yes, how, given my existing setup? Thanks

Catch-22 on the way.
You connect a device that is secured by default on its WAN port using that very port, and ask how to unsecure the device via this external port, which is secured precisely to protect the device from such actions.

Sorry, I didn’t understand; can you explain in detail what you mean?

I think I got you after thinking a bit. You mean the router is meant to block remote access on the WAN port. OK, agreed. Now, given my scenario, I am not in house1 where the RB5009 is, and all that I can do is take remote control of the Android or instruct by screen-presenting the Android. If you can let me know whether the RB5009 can be configured the first time using the MikroTik Pro mobile app even though the RB5009 does not have a WiFi module, I will try the same. But how does the phone connect to the RB5009? Is it that I connect the ISP router to the RB5009’s WAN port (ether1) or to ether2? Please note that connecting the RB5009 via ether2 does not let the ISP router assign an IP to the RB5009, but if I connect the RB5009 to the ISP router via ether1, the RB5009 gets an IP from the ISP router. Any advice would be much appreciated.

You ask us how to bypass protection which is set to protect your router from being configured remotely. Wish you luck.

As NathanA wrote:

“At the same time, being left without any IP address means your management access is going to be limited initially to MAC-WinBox, or a serial console (which RB5009 appears to not have). But you can now connect up to it, and start building up your config from there.”

You have to:

  1. connect this device using port other than WAN
  2. manage to have WinBox access to it via your current connection
  3. remove access protection from WAN port → enable WinBox access on WAN port
  4. connect it with WAN port with assigned IP from your current local DHCP
  5. cross your fingers that you do not screw configuration up to the point that only the full reset could help.

Or

  1. get the router home
  2. configure all things locally
  3. send it to Home1
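For readers who end up following the first list (keeping the default configuration and only opening management on the WAN-facing port), the following RouterOS terminal session is an added example of what a narrowly scoped version of step 3 looks like; it is not from any poster in this thread and not MikroTik’s own documentation. It assumes the stock “defconf” firewall that NathanA described (ether1 in the WAN interface list, an input-chain rule commented “defconf: drop all not coming from LAN”), and it uses 192.168.1.0/24 as a placeholder for whatever subnet the ISP router at House 1 hands out; the comment text, port list and subnet are assumptions to adjust.

```routeros
# Press Ctrl+X in the terminal first to enter Safe Mode: if the session is lost
# before you leave Safe Mode, RouterOS rolls the changes back automatically,
# which is the usual guard against the lockout the thread warns about.

# 1. Inspect what the default configuration actually installed before touching it.
/interface list member print
/ip firewall filter print where chain=input

# 2. Accept WinBox (TCP 8291) and HTTPS WebFig (TCP 443) arriving on the WAN list,
#    but only from the House 1 LAN subnet (placeholder), and place the rule before
#    the default drop rule so it is evaluated at all. Everything else on WAN is
#    still dropped by the unchanged defconf rule.
/ip firewall filter add chain=input action=accept in-interface-list=WAN \
    protocol=tcp dst-port=8291,443 src-address=192.168.1.0/24 \
    comment="added: mgmt from House 1 LAN only (subnet is a placeholder)" \
    place-before=[find chain=input comment~"drop all not coming from LAN"]

# 3. Second layer: bind the services themselves to the same subnet and turn off
#    the plaintext/unused ones, so a later firewall mistake alone does not expose them.
/ip service set winbox address=192.168.1.0/24
/ip service set www-ssl address=192.168.1.0/24 disabled=no
/ip service set ssh address=192.168.1.0/24
/ip service disable telnet,ftp,www,api,api-ssl

# 4. Verify the order of the input chain and the service bindings, then, only once
#    a fresh WinBox session over ether1 succeeds, leave Safe Mode (Ctrl+X again).
/ip firewall filter print where chain=input
/ip service print
```

The point of the `src-address` restriction and the `/ip service ... address=` binding is that, even behind CGNAT, the RB5009 is reachable from every device on the ISP router’s LAN, so “open management on WAN” should mean “open it to that one subnet on two ports”, not “remove the drop rule”. The `place-before=[find ...]` lookup fails (and the rule lands at the end, after the drop) if the defconf comment differs on your unit, which is why step 4 prints the chain before Safe Mode is released.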