New to MikroTik

terminal205 · March 22, 2016, 3:04pm

I got my first MikroTik and while I’m happy with the overall features I’m seeing in the WinBox interface, I am having some problems getting this router to be deployable in one of our standard VoIP situations.

I was able to quickly configure the WAN and LAN addressing schemes. I got on the internet and could browse anything I needed from behind the firewall. Basic router functionality works great. That’s where the issues start: I need to be able to both PING the WAN interface and remotely access the router using WinBox from any IP (I can lock it down in the future). After that, I need to configure for SIP/SCCP prioritization, but I’ll post another topic on that later.

I could use some help with these items: WAN PING response and remote accessibility

terminal205 · March 22, 2016, 3:10pm

I should note that I have been browsing the forums and have tried several of the methods mentioned. I even went as far as factory resetting my equipment and only allowed PING, but to no avail.

Sob · March 22, 2016, 3:18pm

If ping is blocked by something on your router, it’s firewall rules in IP->Firewall->Filter, chain “input”.

Morpheus1607 · March 22, 2016, 3:47pm

could you post your config to have a look?

i think it would be a little bit easier to look what the problem should be.

pcunite · March 22, 2016, 10:07pm

Welcome to the world of MikroTik, you’ll love it here. Okay, you’ll occasionally pull out your hair, but you’ll love it again. Here is a very basic setup (delete all current rules).

Create a bridge, put everything you want in there (except eth1 which should be your WAN), name it bridge-LAN.

Paste this into a terminal:

/ip firewall filter
add action=drop chain=input comment="Disallow weird packets" connection-state=invalid
add chain=input comment="Remote Winbox" dst-port=8291 protocol=tcp
add chain=input comment="Allow LAN access to router and Internet" connection-state=new in-interface=bridge-LAN
add chain=input comment="Allow connections that originated from LAN" connection-state=established,related
add chain=input comment="Allow ping ICMP from anywhere" protocol=icmp
add action=drop chain=input comment="Disallow all other input"

add action=drop chain=forward comment="Disallow weird packets" connection-state=invalid
add chain=forward comment="Allow LAN access to router and Internet" connection-state=new in-interface=bridge-LAN
add chain=forward comment="Allow connections that originated from LAN" connection-state=established,related
add action=drop chain=forward comment="Disallow all other forward"

nxs02 · March 23, 2016, 4:13am

add chain=input comment="Allow LAN access to router and Internet" connection-state=new in-interface=bridge-LAN

u dont need anyone in LAN have access to router.

add chain=forward comment="Allow LAN access to router and Internet" connection-state=new in-interface=bridge-LAN

is it really need to specify conn-state is new?
also u need to specify output interface so not everyone have access to router.

pcunite · March 23, 2016, 4:19am

I imagine our friend would like to be able to connect into his own router from his LAN. The other rules I have specified will block access from WAN. Try the rules and see.

terminal205 · March 23, 2016, 1:39pm

What do I need to do to post this information?

pcunite · March 23, 2016, 2:13pm

run this command:
/export verbose file=MyFile.rsc

then paste the output between the forums’ code blocks.

terminal205 · March 28, 2016, 9:04pm

Sorry this is taking me so long. A lot of projects came up at work.

So I ran the /export command. Where does this file live so I can open it?

terminal205 · March 28, 2016, 9:15pm

Nevermind. I found it through the WinBox interface. IP Filter Post coming…

terminal205 · March 28, 2016, 9:16pm

Edit** With the below rules I am able to PING the interface now, however I still am unable to connect from a remote IP address: either WebGUI, WinBox, or Telnet

/ip firewall filter
add action=accept chain=input comment="Remote Winbox" !connection-bytes \
    !connection-limit !connection-mark !connection-nat-state !connection-rate \
    !connection-state !connection-type !content disabled=no !dscp \
    !dst-address !dst-address-list !dst-address-type !dst-limit dst-port=8291 \
    !fragment !hotspot !icmp-options !in-bridge-port !in-interface \
    !ingress-priority !ipsec-policy !ipv4-options !layer7-protocol !limit \
    log=no log-prefix="" !nth !out-bridge-port !out-interface !p2p \
    !packet-mark !packet-size !per-connection-classifier !port !priority \
    protocol=tcp !psd !random !routing-mark !routing-table !src-address \
    !src-address-list !src-address-type !src-mac-address !src-port !tcp-flags \
    !tcp-mss !time !ttl
add action=accept chain=input comment=\
    "Allow LAN access to router and Internet" !connection-bytes \
    !connection-limit !connection-mark !connection-nat-state !connection-rate \
    connection-state=new !connection-type !content disabled=no !dscp \
    !dst-address !dst-address-list !dst-address-type !dst-limit !dst-port \
    !fragment !hotspot !icmp-options !in-bridge-port in-interface=bridge1 \
    !ingress-priority !ipsec-policy !ipv4-options !layer7-protocol !limit \
    log=no log-prefix="" !nth !out-bridge-port !out-interface !p2p \
    !packet-mark !packet-size !per-connection-classifier !port !priority \
    !protocol !psd !random !routing-mark !routing-table !src-address \
    !src-address-list !src-address-type !src-mac-address !src-port !tcp-flags \
    !tcp-mss !time !ttl
add action=accept chain=input comment=\
    "Allow connections that originated from LAN" !connection-bytes \
    !connection-limit !connection-mark !connection-nat-state !connection-rate \
    connection-state=established,related !connection-type !content disabled=\
    no !dscp !dst-address !dst-address-list !dst-address-type !dst-limit \
    !dst-port !fragment !hotspot !icmp-options !in-bridge-port !in-interface \
    !ingress-priority !ipsec-policy !ipv4-options !layer7-protocol !limit \
    log=no log-prefix="" !nth !out-bridge-port !out-interface !p2p \
    !packet-mark !packet-size !per-connection-classifier !port !priority \
    !protocol !psd !random !routing-mark !routing-table !src-address \
    !src-address-list !src-address-type !src-mac-address !src-port !tcp-flags \
    !tcp-mss !time !ttl
add action=accept chain=input comment="Allow ping ICMP from anywhere" \
    !connection-bytes !connection-limit !connection-mark \
    !connection-nat-state !connection-rate !connection-state !connection-type \
    !content disabled=no !dscp !dst-address !dst-address-list \
    !dst-address-type !dst-limit !dst-port !fragment !hotspot !icmp-options \
    !in-bridge-port !in-interface !ingress-priority !ipsec-policy \
    !ipv4-options !layer7-protocol !limit log=no log-prefix="" !nth \
    !out-bridge-port !out-interface !p2p !packet-mark !packet-size \
    !per-connection-classifier !port !priority protocol=icmp !psd !random \
    !routing-mark !routing-table !src-address !src-address-list \
    !src-address-type !src-mac-address !src-port !tcp-flags !tcp-mss !time \
    !ttl
add action=accept chain=forward comment=\
    "Allow LAN access to router and Internet" !connection-bytes \
    !connection-limit !connection-mark !connection-nat-state !connection-rate \
    connection-state=new !connection-type !content disabled=no !dscp \
    !dst-address !dst-address-list !dst-address-type !dst-limit !dst-port \
    !fragment !hotspot !icmp-options !in-bridge-port in-interface=bridge1 \
    !ingress-priority !ipsec-policy !ipv4-options !layer7-protocol !limit \
    log=no log-prefix="" !nth !out-bridge-port !out-interface !p2p \
    !packet-mark !packet-size !per-connection-classifier !port !priority \
    !protocol !psd !random !routing-mark !routing-table !src-address \
    !src-address-list !src-address-type !src-mac-address !src-port !tcp-flags \
    !tcp-mss !time !ttl
add action=accept chain=forward comment=\
    "Allow connections that originated from LAN" !connection-bytes \
    !connection-limit !connection-mark !connection-nat-state !connection-rate \
    connection-state=established,related !connection-type !content disabled=\
    no !dscp !dst-address !dst-address-list !dst-address-type !dst-limit \
    !dst-port !fragment !hotspot !icmp-options !in-bridge-port !in-interface \
    !ingress-priority !ipsec-policy !ipv4-options !layer7-protocol !limit \
    log=no log-prefix="" !nth !out-bridge-port !out-interface !p2p \
    !packet-mark !packet-size !per-connection-classifier !port !priority \
    !protocol !psd !random !routing-mark !routing-table !src-address \
    !src-address-list !src-address-type !src-mac-address !src-port !tcp-flags \
    !tcp-mss !time !ttl
add action=drop chain=input comment="Disallow weird packets" \
    !connection-bytes !connection-limit !connection-mark \
    !connection-nat-state !connection-rate connection-state=invalid \
    !connection-type !content disabled=no !dscp !dst-address \
    !dst-address-list !dst-address-type !dst-limit !dst-port !fragment \
    !hotspot !icmp-options !in-bridge-port !in-interface !ingress-priority \
    !ipsec-policy !ipv4-options !layer7-protocol !limit log=no log-prefix="" \
    !nth !out-bridge-port !out-interface !p2p !packet-mark !packet-size \
    !per-connection-classifier !port !priority !protocol !psd !random \
    !routing-mark !routing-table !src-address !src-address-list \
    !src-address-type !src-mac-address !src-port !tcp-flags !tcp-mss !time \
    !ttl
add action=drop chain=input comment="Disallow all other input" \
    !connection-bytes !connection-limit !connection-mark \
    !connection-nat-state !connection-rate !connection-state !connection-type \
    !content disabled=no !dscp !dst-address !dst-address-list \
    !dst-address-type !dst-limit !dst-port !fragment !hotspot !icmp-options \
    !in-bridge-port !in-interface !ingress-priority !ipsec-policy \
    !ipv4-options !layer7-protocol !limit log=no log-prefix="" !nth \
    !out-bridge-port !out-interface !p2p !packet-mark !packet-size \
    !per-connection-classifier !port !priority !protocol !psd !random \
    !routing-mark !routing-table !src-address !src-address-list \
    !src-address-type !src-mac-address !src-port !tcp-flags !tcp-mss !time \
    !ttl
add action=drop chain=forward comment="Disallow weird packets" \
    !connection-bytes !connection-limit !connection-mark \
    !connection-nat-state !connection-rate connection-state=invalid \
    !connection-type !content disabled=no !dscp !dst-address \
    !dst-address-list !dst-address-type !dst-limit !dst-port !fragment \
    !hotspot !icmp-options !in-bridge-port !in-interface !ingress-priority \
    !ipsec-policy !ipv4-options !layer7-protocol !limit log=no log-prefix="" \
    !nth !out-bridge-port !out-interface !p2p !packet-mark !packet-size \
    !per-connection-classifier !port !priority !protocol !psd !random \
    !routing-mark !routing-table !src-address !src-address-list \
    !src-address-type !src-mac-address !src-port !tcp-flags !tcp-mss !time \
    !ttl
add action=drop chain=forward comment="Disallow all other forward" \
    !connection-bytes !connection-limit !connection-mark \
    !connection-nat-state !connection-rate !connection-state !connection-type \
    !content disabled=no !dscp !dst-address !dst-address-list \
    !dst-address-type !dst-limit !dst-port !fragment !hotspot !icmp-options \
    !in-bridge-port !in-interface !ingress-priority !ipsec-policy \
    !ipv4-options !layer7-protocol !limit log=no log-prefix="" !nth \
    !out-bridge-port !out-interface !p2p !packet-mark !packet-size \
    !per-connection-classifier !port !priority !protocol !psd !random \
    !routing-mark !routing-table !src-address !src-address-list \
    !src-address-type !src-mac-address !src-port !tcp-flags !tcp-mss !time \
    !ttl
/ip firewall nat
add action=masquerade chain=srcnat !connection-bytes !connection-limit \
    !connection-mark !connection-rate !connection-type !content disabled=no \
    !dscp !dst-address !dst-address-list !dst-address-type !dst-limit \
    !dst-port !fragment !hotspot !icmp-options !in-bridge-port !in-interface \
    !ingress-priority !ipsec-policy !ipv4-options !layer7-protocol !limit \
    log=no log-prefix="" !nth !out-bridge-port out-interface="WAN (Rise)" \
    !packet-mark !packet-size !per-connection-classifier !port !priority \
    !protocol !psd !random !routing-mark !routing-table !src-address \
    !src-address-list !src-address-type !src-mac-address !src-port !tcp-mss \
    !time !to-addresses !to-ports !ttl

Sob · March 28, 2016, 10:53pm

You don’t allow web interface (tcp/80) and telnet (tcp/23) from WAN. But WinBox (tcp/8291) should be allowed from anywhere by first rule.

Btw, “verbose” option for export is not a good idea. It exports all options, including those with default values, and result is too long and very hard to read.

terminal205 · March 29, 2016, 3:46am

add chain=input comment=“HTTP Access” dst-port=80 protocol=tcp
add chain=input comment=“Telnet Access” dst-port=23 protocol=tcp

Hrm, apparently my firewall in the office is blocking the access as I can hit my lab from home… weird… yet another firewall to troubleshoot >.>

terminal205 · March 29, 2016, 3:53am

Here is my updated firewall settings. Everything is working swimmingly now. Guess I need to tackle why this isn’t working from the office. Then I get to tackle QoS policies. Thank you everyone for your help.

/ip firewall filter
add action=drop chain=input comment="Disallow weird packets" \
    connection-state=invalid
add chain=input comment="Remote Winbox" dst-port=8291 protocol=tcp
add chain=input comment="HTTP Access" dst-port=80 protocol=tcp
add chain=input comment="Telnet Access" dst-port=23 protocol=tcp
add chain=input comment="Allow LAN access to router and Internet" \
    connection-state=new in-interface=bridge1
add chain=input comment="Allow connections that originated from LAN" \
    connection-state=established,related
add chain=input comment="Allow ping ICMP from anywhere" protocol=icmp
add chain=forward comment="Allow LAN access to router and Internet" \
    connection-state=new in-interface=bridge1
add chain=forward comment="Allow connections that originated from LAN" \
    connection-state=established,related
add action=drop chain=input comment="Disallow all other input"
add action=drop chain=forward comment="Disallow weird packets" \
    connection-state=invalid
add action=drop chain=forward comment="Disallow all other forward"

sash7 · March 29, 2016, 7:28am

It’s really bad idea to open winbox, http and telnet from all internet.
Put “related, established” rule on second place in input chain right behind ‘invalid’ rule. And this is not from “connection orginated from lan”. This rule accept most traffic in input chain, so, move it ahead.
In forward chain move rule for “invalid” in first place, or remove it, now it’s just pointless - you drop everything in next (last) line.