Need help with Remote management/DSL in Transparent Bridge mode

I recently started implementing Mikrotik RouterOS devices on my client deployments.

My goal is to be able to remotely administer client router with Winbox and telnet.

At my first client location, I am having trouble getting remote management to work. I have a DSL circuit with a static address. The modem is set to Transparent Bridge mode. The modem connects to a Mikrotik RB2011 via an onboard switch port.

I can ping the static address off-site of client premise.
I created a firewall rule, see below:


[admin@MikroTik] > ip firewall filter export

jan/03/1970 01:24:59 by RouterOS 6.18

software id = T1SI-5IY6

/ip firewall filter
add chain=input dst-address=192.168.88.1 dst-port=8291 protocol=tcp src-address=0.0.0.0/0 src-port=8291
add chain=input dst-address=192.168.88.1 dst-port=23 protocol=tcp src-address=0.0.0.0/0 src-port=23
add chain=input comment="default configuration" protocol=icmp
add chain=input comment="default configuration" connection-state=established
add chain=input comment="default configuration" connection-state=related
add action=drop chain=input comment="default configuration" in-interface=ether1-gateway
add chain=forward comment="default configuration" connection-state=established
add chain=forward comment="default configuration" connection-state=related
add action=drop chain=forward comment="default configuration" connection-state=invalid
[admin@MikroTik] >

Here is the output of nat

[admin@MikroTik] > ip firewall nat export

jan/03/1970 01:25:27 by RouterOS 6.18

software id = T1SI-5IY6

/ip firewall nat
add action=masquerade chain=srcnat comment="default configuration" out-interface=ether1-gateway


When testing offsite of client premise with Winbox, it times out.

My questions (it will be a few weeks before I can get back onsite to reconfigure):

  1. Do the firewall routes look appropriate? I don't need to specify an interface, do I?

  2. Even though the DSL modem is in transparent-bridge mode, do I still need to port forward to the Mikrotik?

Try this instead of your rule…
/ip firewall filter
add chain=input dst-port=8291 protocol=tcp

Should work

Agreed. This does open Winbox from anywhere on the Internet, which you may not like, though.
(see below)

No, you don’t. In fact you really can’t because the modem is no longer doing anything with IP.

As for firewall rules, I like using interfaces if possible. It allows IP address changes, etc. to be much more fluid, with fewer places to remember to update configurations.

I like this for input chain firewall myself:
allow established / related
allow in-interface=!wan
; now only new connections from WAN are considered.
allow icmp
allow src-address-list = ADMIN-WHITELIST
drop all

This list is a good starting point.
It blocks the Internet from everything but pings on the WAN.
It allows everything from the LAN, regardless of the src IP address.
(You can re-number the LAN if you want and won’t have to go fix the addresses in the firewall rules.)

Finally, It allows anything from a list of trusted IP addresses. Just put your office’s IP address, your monitoring server, etc into the IP > Address List named ADMIN-WHITELIST. Anything in that list can use any service on the Mikrotik.
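The input-chain layout described above, written out as RouterOS commands. This is an added example, not configuration from the original thread or from MikroTik; it assumes the WAN interface is named ether1-gateway (as in the export earlier in the thread) and uses a constructed office address (203.0.113.10) in the ADMIN-WHITELIST list.

```routeros
# Assumption: ether1-gateway is the WAN interface, as in the posted export.
# Trusted management sources go into an address list, not into the rules,
# so the rules never need editing when an address changes.
/ip firewall address-list
add list=ADMIN-WHITELIST address=203.0.113.10 comment="office (constructed example address)"

/ip firewall filter
# 1. Replies to connections the router itself opened.
add chain=input action=accept connection-state=established comment="allow established"
add chain=input action=accept connection-state=related comment="allow related"
# 2. Anything NOT arriving on the WAN (i.e. the LAN side) is trusted,
#    regardless of what the LAN is numbered.
add chain=input action=accept in-interface=!ether1-gateway comment="allow all from LAN"
# From here on, only new connections arriving on the WAN are evaluated.
# 3. Pings from the Internet, for reachability tests.
add chain=input action=accept protocol=icmp comment="allow icmp from WAN"
# 4. Full access (Winbox 8291, telnet 23, SSH, etc.) only from trusted addresses.
add chain=input action=accept src-address-list=ADMIN-WHITELIST comment="allow trusted admins"
# 5. Everything else from the WAN is dropped and logged, so rejected
#    management attempts show up in /log print with the INPUT-DROP prefix.
add chain=input action=drop log=yes log-prefix="INPUT-DROP" comment="drop everything else"
```

Rule order matters: the accept rules must sit above the final drop, so after pasting check `/ip firewall filter print` and move any leftover default rules as needed. Note that none of these rules match on src-port; a Winbox or telnet client uses a random source port, so a rule that requires src-port=8291 or src-port=23 will never match a real session. Before relying on the whitelist, confirm that your own public address is in ADMIN-WHITELIST, otherwise the drop rule will lock you out until you are back onsite.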

This worked and I was able to gain access at least. +1


Zerobyte, your suggestion for an access list is great. I will do some lab testing and work my way towards this method.