Natted out? Help please!

I am trying to host a web, SSH and FTP server behind my Mikrotik router so I have configured it to send all external traffic to the relevant ports on the local IP address (192.168.88.32). Then I followed advice given to someone else on this forum to set up a hairpin NAT for port 80 so I could access the server locally. This worked a treat so I thought I’d do the same for ports 21 and 22.

Of course now I can’t access the router either by the web interface or by SSH because I get NATted to my server. I’ve tried telnet, I just get “connection refused”. I’ve tried using Winbox to access the router via the MAC address but I just get “ERROR: could not connect” even when not in secure mode.

So any ideas how I can access the configuration? It’s quite urgent as my colleagues rely on the network for the business, and since I’ve set the hairpin masquerades up something seems to be going very wrong - google.com will load, but when clicking a search I get “doesn’t exist on the server”.

I haven’t disabled the web configuration service, but the NAT bypasses it. And I feel I haven’t exhausted Winbox options so I’m going to keep trying that, but any advice would be very much appreciated!

I am very new to this, but yes, I do feel very stupid to have locked myself out like this!

Worst case, what happens if I press the reset button on the back of the box? Do I lose all configurations? The router configuration is quite complex and was not done by me so I want to avoid starting from scratch if possible! Thanks, I’m a little desperate!

I don’t know why, but a few times I had problems connecting to the MAC address through a switch, even though I don’t see any reason why it wouldn’t work. A direct cable connection between the RB and notebook helped. You may try that, if you didn’t already.

Also try different ports, you can have MAC server available only on some of them. And since MAC server has separate settings for Telnet and WinBox interfaces, it would be worth trying both, in case you have only one enabled. For MAC telnet, there’s MikroTik’s Neighbor Viewer (http://www.mikrotik.com/download/neighbour.zip), but for some reason it does not want to work here. I can’t find any alternative client for Windows, but if you have Linux, there is one (https://github.com/haakonnessjoen/MAC-Telnet), I just tested it and it works. Or you can use MAC telnet from another RouterOS device, if you have some.

Can’t you SSH to your server, and from it get into the Mikrotik by SSH?

If you are only doing DNAT, it should work from the intranet.

I tried connecting laptop directly to the RB with a cable and get the same “ERROR: could not connect” with Winbox, and Neighbour Viewer times out soon after I enter the password. How do you telnet/winbox on a different port? What ports would I try?

I also tried SSHing into the server, then from the server to the RB, but I just get “permission denied” until I enter the server’s credentials and end up in a loop, both from the external network and locally. For example: external > ssh server > ssh RB from server > “permission denied”. Presumably this is because the masquerade is just sending all traffic on port 22 back to the server.

since I’ve set the hairpin masquerades up something seems to be going very wrong - google.com will load, but when clicking a search I get “doesn’t exist on the server”.

It turns out that I can visit IPv6 websites, just not IPv4. This must mean the RB is NATting just the IPv4 traffic? Can I ssh/telnet just using the IPv6 address? My guess is that this might have to be done externally, as I think the local masquerade works on all port 22 traffic, not just IPv4?

Unfortunately the management services for the MikroTik routers do not appear to be running on IPv6.
Depending on the hardware model, you may still be able to access it on the RS232 port.

I meant different ethernet ports.

And using IPv6 is a great idea. If the router has IPv6 enabled, it should be the answer. Here all the router’s services work just fine on IPv6. In fact, it’s the one thing I like very much, that I can mess up IPv4 completely and still have backup connectivity on IPv6 (or the other way around). It didn’t occur to me to suggest that, because IPv6 is disabled by default and not many people use it.

Hmm, I’ll have to investigate. When I connect to any IPv6 service on the router (ssh, http) it just closes the connection after initially accepting it. Apparently something is configured incorrectly.

Success! Although not before a couple of hours of messing with IPv6 syntax…
What worked in the end:

ssh admin@fe80::xxxx:xxxx:xxxx:xxxx%en1

Turns out that %en1 is pretty important. Now I’ve disabled the masquerades and can SSH and Webfig with ease. Turns out the Winbox and Telnet services were disabled. Meanwhile the RB is just sitting there wondering what all the fuss was about…

:)

I see what my problem was, I added the local IPv4 subnet in the “Available from” for the IP services… that is why they don’t work from IPv6.
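The lockout in this thread comes from a dstnat rule that matches on port alone, so it also rewrites SSH and HTTP aimed at the router's own LAN address, and the last post shows the second trap: an "Available from" list on the IP services that names only the IPv4 subnet. The RouterOS CLI fragment below is an added example, not configuration from anyone in the thread; it assumes the WAN interface is ether1 with public address 203.0.113.10 (documentation range), the LAN is 192.168.88.0/24 with the router at 192.168.88.1, and the server is 192.168.88.32 as in the original post.

```routeros
# Added example, not from the thread. Assumed addresses: WAN 203.0.113.10 on
# ether1, LAN 192.168.88.0/24, router 192.168.88.1, server 192.168.88.32.

# The rule shape that causes the lockout (shown as a comment, do not add it):
#   /ip firewall nat add chain=dstnat protocol=tcp dst-port=22 \
#       action=dst-nat to-addresses=192.168.88.32
# With no dst-address it matches every TCP/22 packet the router sees,
# including SSH to 192.168.88.1, so management traffic lands on the server.

/ip firewall nat
# Port-forward keyed on the public address: it serves both internet clients
# and LAN clients using the public address, and can never match 192.168.88.1.
add chain=dstnat dst-address=203.0.113.10 protocol=tcp dst-port=21,22,80 \
    action=dst-nat to-addresses=192.168.88.32 \
    comment="server forward (WAN and hairpin)"
# Hairpin source NAT, limited to LAN -> server flows, so the server's replies
# go back through the router instead of straight to the LAN client.
add chain=srcnat src-address=192.168.88.0/24 dst-address=192.168.88.32 \
    protocol=tcp dst-port=21,22,80 action=masquerade \
    comment="hairpin srcnat"

/ip service
# "Available from": an IPv4-only list silently refuses IPv6 clients, which is
# what the final post hit. Include the IPv6 ranges you manage from as well.
set ssh address=192.168.88.0/24,fe80::/10
set www address=192.168.88.0/24,fe80::/10
```

Before applying firewall changes over the same path you are logged in on, turn on Safe Mode (Ctrl+X in the CLI, or the Safe Mode button in Winbox): if the session drops, RouterOS rolls back everything changed during it, which is exactly the situation the thread describes. If the public address is dynamic, replace dst-address=203.0.113.10 with in-interface=ether1 dst-address-type=local on the dstnat rule so it still never matches the router's LAN address.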