Problem to access routerboard via browser from remote host

blk2001 · April 4, 2018, 6:35am

Hi, I have a rb3011 routerboard (ROS 6.39.2) and have a problem in remote access via browser, In local lan I can login to rb3011 via both winbox and browser,but if I use remote host to login to public ip of rb3011, I can only access from winbox, and failed from browser, I have added the remote IP address to “available from” in winbox and www of IP Service list, and also added a rule to accept remote ip access from wan in ip firewall filters, anyone meet the same problem? Is there any other config to use browser?

here is the ip firewall filter rules (only part of input chain), suppose the remote ip is 100.100.100.101

[admin@MikroTik] /ip firewall filter> print
Flags: X - disabled, I - invalid, D - dynamic
0 ;;; defconf: accept established,related
chain=input action=accept connection-state=established,related

1 X ;;; defconf: accept ICMP
chain=input action=accept protocol=icmp in-interface=!ether1-wan log=no log-prefix=“”

2 chain=input action=accept src-address=100.100.100.101 log=no log-prefix=“”

3 ;;; defconf: drop all from WAN
chain=input action=drop in-interface=ether1-wan log=no log-prefix=“”

solar77 · April 4, 2018, 2:50pm

added a rule to accept remote ip access from wan in ip firewall filters

No you have not.

src-address=100.100.100.101

change src-address to dst-address, add tcp and port 80
and this is really not recommended to open port 80 on your public interface. if you have to do it, at least upgrade to the latest firmware.

2frogs · April 4, 2018, 4:20pm

No you have not.
src-address=100.100.100.101
change src-address to dst-address, add tcp and port 80
and this is really not recommended to open port 80 on your public interface. if you have to do it, at least upgrade to the latest firmware.

This is not correct! There is nothing wrong with the OP’s rule or the way he is opening port 80 for a specific IP.

solar77 · April 4, 2018, 4:27pm

100.100.100.101 is his public IP address.

2frogs · April 4, 2018, 4:36pm

suppose the remote ip is 100.100.100.101

Remote IP…

2frogs · April 4, 2018, 4:45pm

Do you have a dst-nat on port 80? Or any output filters?

solar77 · April 4, 2018, 5:24pm

OK if it’s the IP address of the router where OP dials from remotely, then you are opening up not just port 80 but everything to that IP address.
Very bad idea! but it should work. I wonder why Winbox works but browser doesn’t
can you post your config for us to have a look? use

 export hide-sensitive

blk2001 · April 5, 2018, 4:01am

Thanks everyone for help，there are no dst-nat on port 80 and any output filters, and if I disable the rule: chain=input action=accept src-address=100.100.100.101 log=no log-prefix=“” ,then winbox access and icmp ping form remote ip is blocked, so I think this rule is working, and because it’s a testing config, and I test it with ping,winbox,www browser, so I didn’t limit any protocals and ports in the rule, there are some other firewall filter rules on forward chain and three nat rules : an srcnat accept rule from lacal lan ip to remote lan ip for ipsec tunnel, a normal srcnat masquerade for local lan,a dstnat on port 9920 for access to a local server. I’m out from office these days, later I’ll try to export the config.

2frogs · April 5, 2018, 4:47am

Some ISP’s block access to port 80, you might try changing the port for WebFig under IP>Services to 8080 or some other port and test again.

blk2001 · April 5, 2018, 5:13am

Thanks, I’ll try it when I’m back to office

Anumrak · April 5, 2018, 7:34am

Uhhh…
Guys.
Rule is correct. If you google the range of 100.100.100.101 you’ll find network 100.64.0.0/10. Means 100.64.0.0 - 100.127.255.255. It is Carrier Grade NAT. User is behind NAT of his ISP. Means that global IP in Internet is not 100.100.100.101. It’s defferent. So, he can’t do port forwarding to his local IP of ISP from Internet.

blk2001 · April 5, 2018, 8:21am

it’s right, 100.100.100.101 is not my real remote public ip, I replaced it with 100.100.100.101 just for example.