Multi WAN with multi LAN Remote access problem.

Hi

I have a problem accessing my router remotely using Winbox or the API from any of my public IP addresses.

I used a very basic setup with routing marks to send the traffic from internal users out of one WAN and the hotspot traffic out of the other WAN connection. The traffic from the inside goes out of the correct WAN interfaces, but there is no access for me from the outside into the router. As a last resort I set up a PPTP server, but even that isn't working.

Can I ask you guys to have a look at my config and tell me what I did wrong or what's missing?

x.x.x.x is just one of my public IPs, which I'm hiding.

Config:

# RouterOS export pasted from a forum post. The forum converted the straight
# quotes to curly quotes (“ ”); they must be turned back into plain " before
# this can be imported.
# Intent stated in the post: two WAN uplinks (ether1 = Yaclick, "vlan100 - Newtec"
# = Newtec); the internal LAN is policy-routed out of Yaclick and the hotspot LAN
# out of Newtec.
# NOTE(review): every password, Wi-Fi PSK and RADIUS secret in this export is in
# clear text and was posted publicly -- rotate all of them.
/interface bridge
# Two L2 domains: guest/hotspot ports and the internal LAN.
add name=“Hotspot - Interface”
add name=“Internal - Interface” protocol-mode=stp
/interface ethernet
# Port labels only; ether1 is the Yaclick WAN, ether2 carries the fiber trunk.
set [ find default-name=ether1 ] comment=Yaclick
set [ find default-name=ether2 ] comment=Fiber/Trunk
set [ find default-name=ether3 ] comment=“Card Machine”
set [ find default-name=ether4 ] comment=Unifi
set [ find default-name=ether5 ] comment=“to Switch”
/interface pptp-server
# Static PPTP server binding with an empty user (accepts any /ppp secret).
# NOTE(review): PPTP relies on MS-CHAPv2/MPPE, which is considered broken;
# it should not be the remote-management path.
add name=pptp-in1 user=“”
/ip neighbor discovery
# Discovery is switched off on the Yaclick WAN only; "vlan100 - Newtec" is not
# listed here, so it presumably keeps the default (discovery on) -- confirm.
set ether1 comment=Yaclick discover=no
set ether2 comment=Fiber/Trunk
set ether3 comment=“Card Machine”
set ether4 comment=Unifi
set ether5 comment=“to Switch”
/interface vlan
# vlan10 (hotspot) is tagged on the trunk and on the Unifi port;
# vlan100 on the trunk is the second WAN uplink (Newtec).
add interface=ether2 l2mtu=1594 name=“vlan10 - Fiber/Trunk” vlan-id=10
add interface=ether4 l2mtu=1594 name=“vlan10 - Unifi” vlan-id=10
add interface=ether2 l2mtu=1594 name=“vlan100 - Newtec” vlan-id=100
/interface wireless security-profiles
# profile1 (Guest SSID) lists WPA/WPA2-PSK types but no key appears in the
# export; profile2 (JacisLodges) carries its PSK inline in clear text.
set [ find default=yes ] supplicant-identity=MikroTik
add authentication-types=wpa-psk,wpa2-psk eap-methods=“”
management-protection=allowed name=profile1 supplicant-identity=“”
add authentication-types=wpa-psk,wpa2-psk eap-methods=“”
management-protection=allowed mode=dynamic-keys name=profile2
supplicant-identity=“” wpa-pre-shared-key=jacis1234 wpa2-pre-shared-key=
jacis1234
/interface wireless
# wlan1 = physical 2.4 GHz AP (Guest, goes to the hotspot bridge below);
# wlan2 = virtual AP on wlan1 (JacisLodges, goes to the internal bridge).
set [ find default-name=wlan1 ] band=2ghz-b/g/n channel-width=
20/40mhz-ht-above disabled=no distance=indoors frequency=auto l2mtu=2290
mode=ap-bridge security-profile=profile1 ssid=Guest
add disabled=no l2mtu=2290 mac-address=D6:CA:6D:DE:4E:57 master-interface=
wlan1 name=wlan2 security-profile=profile2 ssid=JacisLodges
wds-cost-range=0 wds-default-cost=0
/ip hotspot profile
# Hotspot authenticates against the local User Manager via RADIUS (127.0.0.1).
# NOTE(review): hotspot-address is the (masked) public IP rather than the
# hotspot gateway 10.54.101.1 -- looks unintended, confirm.
add dns-name=10.54.101.1 hotspot-address=x.x.x.x login-by=
cookie,http-chap,trial name=hsprof1 trial-uptime=20m/1d use-radius=yes
/ip pool
# default-dhcp (192.168.88.x) is not referenced by any DHCP server in this
# export -- presumably a factory leftover.
add name=default-dhcp ranges=192.168.88.10-192.168.88.254
add name=dhcp_pool1 ranges=192.168.1.150-192.168.1.199
add name=hs-pool-10 ranges=10.54.101.21-10.54.101.254
/ip dhcp-server
add address-pool=dhcp_pool1 disabled=no interface=“Internal - Interface”
lease-time=1d name=dhcp1
add address-pool=hs-pool-10 disabled=no interface=“Hotspot - Interface”
lease-time=1h name=dhcp2
/ip hotspot
add address-pool=hs-pool-10 disabled=no interface=“Hotspot - Interface” name=
hotspot1 profile=hsprof1
/tool user-manager customer
# User Manager admin customer; password is literally "password".
set admin access=
own-routers,own-users,own-profiles,own-limits,config-payment-gw password=
password
/tool user-manager profile
# Three prepaid-style profiles (250MB / 500MB / 1Gig), free of charge.
add name=250MB name-for-users=250MB override-shared-users=off owner=admin
price=0 starts-at=logon validity=1w
add name=500MB name-for-users=500MB override-shared-users=off owner=admin
price=0 starts-at=logon validity=1w
add name=1Gig name-for-users=1Gig override-shared-users=off owner=admin
price=0 starts-at=logon validity=2w
/tool user-manager profile limitation
# Byte limits matching the profile names (250MB = 262144000B, etc.).
add address-list=“” download-limit=262144000B group-name=“” ip-pool=“” name=
250MB owner=admin transfer-limit=262144000B upload-limit=262144000B
uptime-limit=1w
add address-list=“” download-limit=524288000B group-name=“” ip-pool=“” name=
500MB owner=admin transfer-limit=524288000B upload-limit=524288000B
uptime-limit=1w
add address-list=“” download-limit=1073741824B group-name=“” ip-pool=“” name=
1Gig owner=admin transfer-limit=1073741824B upload-limit=1073741824B
uptime-limit=2w
/interface bridge port
# ether2 and ether4 are untagged members of the internal bridge while also
# carrying the tagged vlan10 (hotspot) / vlan100 (Newtec WAN) sub-interfaces.
add bridge=“Hotspot - Interface” interface=“vlan10 - Fiber/Trunk”
add bridge=“Hotspot - Interface” interface=“vlan10 - Unifi”
add bridge=“Internal - Interface” interface=ether2
add bridge=“Internal - Interface” interface=ether3
add bridge=“Internal - Interface” interface=ether4
add bridge=“Internal - Interface” interface=ether5
add bridge=“Hotspot - Interface” interface=wlan1
add bridge=“Internal - Interface” interface=wlan2
/ip address
add address=10.54.101.1/24 comment=“Hotspot Interface” interface=
“Hotspot - Interface” network=10.54.101.0
add address=192.168.1.201/24 comment=“Internal Interface” interface=
“Internal - Interface” network=192.168.1.0
/ip dhcp-client
# Both WANs get their address by DHCP but add-default-route=no, so the
# gateways are hard-coded in /ip route below and must track what DHCP hands out.
add add-default-route=no comment=Yaclick dhcp-options=hostname,clientid
disabled=no interface=ether1 use-peer-ntp=no
add add-default-route=no comment=Newtec dhcp-options=hostname,clientid
disabled=no interface=“vlan100 - Newtec” use-peer-ntp=no
/ip dhcp-server network
# Hotspot clients get external resolvers; internal clients use the router.
add address=10.54.101.0/24 comment=“hotspot network” dns-server=
5.11.11.5,5.11.11.11 gateway=10.54.101.1
add address=192.168.1.0/24 comment=“Local Network” dns-server=192.168.1.201
gateway=192.168.1.201
/ip dns
# Router acts as a resolver for clients. The only filter rule restricting this
# (below) drops UDP/53 on ether1; TCP/53 on ether1 and both protocols on the
# Newtec WAN are not covered, so the router is reachable as an open resolver
# from at least one WAN -- add an input drop for dst-port=53 from both WANs.
set allow-remote-requests=yes servers=172.30.184.130,172.30.184.131
/ip dns static
# Points "router" at 192.168.88.1, an address not assigned anywhere in this
# export -- stale factory entry.
add address=192.168.88.1 name=router
/ip firewall address-list
# "RFC1819" is presumably meant to be RFC1918 (private ranges); name only.
add address=10.54.101.0/24 list=“Hotspot Network”
add address=192.168.1.0/24 list=“Internal Network”
add address=192.168.0.0/16 list=RFC1819
add address=172.16.0.0/12 list=RFC1819
add address=10.0.0.0/8 list=RFC1819
/ip firewall filter
# The input chain has no final drop and no established/related rule, so
# RouterOS's default-accept applies: everything not explicitly dropped is
# accepted on input from both WANs. The Winbox allow rule is therefore
# redundant as written, and the filter is not what blocks remote access --
# the reply path is (see /ip firewall mangle). Once remote access works,
# finish this chain with accept established/related, accept management from
# known sources, drop everything else.
add chain=input comment=“Allow Winbox from Newtec” dst-port=8291
in-interface=“vlan100 - Newtec” protocol=tcp
add action=drop chain=input comment=“drop external DNS” dst-port=53
in-interface=ether1 protocol=udp
add action=drop chain=forward comment=“block hotspot to internal”
dst-address-list=“Internal Network” src-address-list=“Hotspot Network”
add chain=input comment=“allow PPTP access” dst-port=1723 protocol=tcp
add action=drop chain=forward comment=“drop all p2p” p2p=all-p2p
add action=passthrough chain=unused-hs-chain comment=
“place hotspot rules here” disabled=yes
/ip firewall mangle
# First rule has no action (= accept), which ends mangle processing for
# LAN-to-LAN traffic so it never gets a routing mark. Good.
add chain=prerouting dst-address-list=RFC1819 src-address-list=RFC1819
# Outbound policy routing by source subnet -- this is what the post says works.
add action=mark-routing chain=prerouting comment=“to Yaclick”
new-routing-mark=to_yahclick src-address=192.168.1.0/24
add action=mark-routing chain=prerouting comment=“to Newtec”
new-routing-mark=to_Newtec src-address=10.54.101.0/24
# MISSING (most likely the remote-access bug): nothing marks connections that
# arrive from a WAN, so the router's own replies (Winbox, API, PPTP, www-ssl)
# are routed by the main table, i.e. out of ether1 (distance 1 below) even
# when the request came in on the Newtec vlan. The reply then leaves the wrong
# uplink with the wrong source address and the upstream discards it. The
# referenced PCC manual ("connection initiated from outside - replies must
# leave via same interface") uses the pattern
#   add chain=input in-interface=ether1 action=mark-connection new-connection-mark=yaclick_conn
#   add chain=input in-interface="vlan100 - Newtec" action=mark-connection new-connection-mark=newtec_conn
#   add chain=output connection-mark=yaclick_conn action=mark-routing new-routing-mark=to_yahclick
#   add chain=output connection-mark=newtec_conn action=mark-routing new-routing-mark=to_Newtec
# placed above the two source-based rules; forwarded (dst-nat) connections
# would need the equivalent prerouting/connection-mark rules. Verify on the
# live box after fixing the quotes.
/ip firewall nat
add action=passthrough chain=unused-hs-chain comment=
“place hotspot rules here” disabled=yes
# Source NAT to fixed addresses per uplink; these must equal the addresses the
# DHCP clients obtain (10.229.5.214 on Yaclick is a private/CGNAT-style address,
# so Yaclick is itself behind NAT -- inbound from the Internet on that leg may
# not be possible at all; confirm with the provider).
add action=src-nat chain=srcnat comment=“to Yahclick” out-interface=ether1
to-addresses=10.229.5.214
add action=src-nat chain=srcnat comment=“to Newtec” out-interface=
“vlan100 - Newtec” to-addresses=x.x.x.x
/ip firewall service-port
# Connection-tracking helpers disabled -- sensible.
set ftp disabled=yes
set tftp disabled=yes
set irc disabled=yes
set h323 disabled=yes
set sip disabled=yes
/ip hotspot user
# Local hotspot admin account with its password in clear text.
add name=admin password=Admin321!
/ip route
# Marked routes for the two policy tables, then main table: Yaclick primary
# (distance 1), Newtec backup (distance 2), both with ping gateway checks.
# NOTE(review): the Newtec gateway is shown as x.x.x.x, the same placeholder
# as the router's own NAT address above -- presumably two different masked
# values; confirm they are not literally the same address.
add distance=1 gateway=x.x.x.x routing-mark=to_Newtec
add distance=1 gateway=10.229.5.209 routing-mark=to_yahclick
add check-gateway=ping distance=1 gateway=10.229.5.209
add check-gateway=ping distance=2 gateway=x.x.x.x
/ip service
# telnet/ftp/ssh/api-ssl are off. winbox, www and api are not listed, so they
# are at their defaults (enabled, no address= restriction) and, with the
# accept-by-default input chain above, reachable from both WANs. Restrict
# them with address= to the management source ranges.
set telnet disabled=yes
set ftp disabled=yes
set ssh disabled=yes
set www-ssl disabled=no
set api-ssl disabled=yes
/ppp secret
# PPTP management account; local/remote addresses sit inside the internal LAN.
add local-address=192.168.1.30 name=petrus password=petrus321!
remote-address=192.168.1.31 service=pptp
/radius
# Hotspot RADIUS points at the on-box User Manager; shared secret is "password".
add address=127.0.0.1 secret=password service=hotspot
/radius incoming
# Accepts RADIUS CoA/disconnect messages; no source restriction is visible here.
set accept=yes
/system clock
set time-zone-name=Africa/Johannesburg
/system identity
set name=469C02A9EC2F
/system leds
set 5 interface=wlan1
/tool mac-server
# MAC-telnet is enabled per LAN interface. The trailing bare "add" has no
# interface= and presumably defaults to all interfaces, which would include
# both WAN uplinks -- confirm and remove if so.
set [ find default=yes ] disabled=yes
add interface=ether2
add interface=ether3
add interface=ether4
add interface=ether5
add interface=wlan1
add
/tool mac-server mac-winbox
# Same pattern for MAC-Winbox, including the bare "add" -- see note above.
set [ find default=yes ] disabled=yes
add interface=ether2
add interface=ether3
add interface=ether4
add interface=ether5
add interface=wlan1
add
/tool user-manager database
set db-path=user-manager
/tool user-manager profile profile-limitation
# Each limitation applies all day, every day, to its matching profile.
add from-time=0s limitation=250MB profile=250MB till-time=23h59m59s weekdays=
sunday,monday,tuesday,wednesday,thursday,friday,saturday
add from-time=0s limitation=500MB profile=500MB till-time=23h59m59s weekdays=
sunday,monday,tuesday,wednesday,thursday,friday,saturday
add from-time=0s limitation=1Gig profile=1Gig till-time=23h59m59s weekdays=
sunday,monday,tuesday,wednesday,thursday,friday,saturday
/tool user-manager router
# Registers the local hotspot as a RADIUS client of User Manager (localhost);
# shared-secret must match /radius above -- both are "password".
add coa-port=1700 customer=admin disabled=no ip-address=127.0.0.1 log=
auth-ok,auth-fail,acct-ok,acct-fail name=Hotspot shared-secret=password
/tool user-manager user

Thanks in Advance.

Anyone able to help?

I replaced the Mikrotik with a Sonicwall today and now have remote access to the site.

I will keep this post open until someone can help, because I really want to use the Mikrotik instead.

You also need to mark inbound connections and route their replies out of the correct outgoing interface.

See http://wiki.mikrotik.com/wiki/Manual:PCC, and go to the part that begins “First it is necessary to manage connection initiated from outside - replies must leave via same interface..”.