Remote access to web interface

Hi, pretty new in this area to start with.

Problem 1: no access from an external location to the web interface using the external IP address (strangely enough, using Winbox via DDNS seems to be no problem).

Below is my config, thanks for any feedback!

[admin@MikroTik] > /export hide-sensitive
# 2024-01-12 17:20:04 by RouterOS 7.11.2
# software id = BCG6-T1CJ
#
# model = RB750Gr3
# serial number = 
/interface bridge
add admin-mac=48:8F:5A:2E:25:AF auto-mac=no comment=defconf name=bridge
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip hotspot profile
set [ find default=yes ] html-directory=hotspot
/ip pool
add name=default-dhcp ranges=192.168.88.10-192.168.88.254
/ip dhcp-server
add address-pool=default-dhcp interface=bridge lease-time=10m name=defconf
/port
set 0 name=serial0
/interface bridge port
add bridge=bridge comment=defconf interface=ether2
add bridge=bridge comment=defconf interface=ether3
add bridge=bridge comment=defconf interface=ether4
add bridge=bridge comment=defconf interface=ether5
/ip neighbor discovery-settings
set discover-interface-list=LAN
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=ether1 list=WAN
/ip address
add address=192.168.88.1/24 comment=defconf interface=bridge network=\
    192.168.88.0
/ip cloud
set ddns-enabled=yes
/ip dhcp-client
add comment=defconf interface=ether1
/ip dhcp-server network
add address=192.168.88.0/24 comment=defconf dns-server=192.168.88.1 gateway=\
    192.168.88.1
/ip dns
set allow-remote-requests=yes
/ip dns static
add address=192.168.88.1 comment=defconf name=router.lan
/ip firewall filter
add action=accept chain=input comment="Winbox remote" dst-port=8291 protocol=\
    tcp
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment=\
    "defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
    in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
    ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
    ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
    connection-state=established,related hw-offload=yes
add action=accept chain=forward comment=\
    "defconf: accept established,related, untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=\
    invalid
add action=drop chain=forward comment="defconf: drop all from WAN not DSTNATed" \
    connection-nat-state=!dstnat connection-state=new in-interface-list=WAN
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" ipsec-policy=\
    out,none out-interface-list=WAN
add action=dst-nat chain=dstnat dst-port=8091 in-interface-list=WAN protocol=\
    tcp to-addresses=192.168.88.50 to-ports=80
/ip upnp
set enabled=yes
/ip upnp interfaces
add interface=bridge type=internal
add interface=ether1 type=external
/ipv6 firewall address-list
add address=::/128 comment="defconf: unspecified address" list=bad_ipv6
add address=::1/128 comment="defconf: lo" list=bad_ipv6
add address=fec0::/10 comment="defconf: site-local" list=bad_ipv6
add address=::ffff:0.0.0.0/96 comment="defconf: ipv4-mapped" list=bad_ipv6
add address=::/96 comment="defconf: ipv4 compat" list=bad_ipv6
add address=100::/64 comment="defconf: discard only " list=bad_ipv6
add address=2001:db8::/32 comment="defconf: documentation" list=bad_ipv6
add address=2001:10::/28 comment="defconf: ORCHID" list=bad_ipv6
add address=3ffe::/16 comment="defconf: 6bone" list=bad_ipv6
/ipv6 firewall filter
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=accept chain=input comment="defconf: accept ICMPv6" protocol=icmpv6
add action=accept chain=input comment="defconf: accept UDP traceroute" port=\
    33434-33534 protocol=udp
add action=accept chain=input comment=\
    "defconf: accept DHCPv6-Client prefix delegation." dst-port=546 protocol=\
    udp src-address=fe80::/10
add action=accept chain=input comment="defconf: accept IKE" dst-port=500,4500 \
    protocol=udp
add action=accept chain=input comment="defconf: accept ipsec AH" protocol=\
    ipsec-ah
add action=accept chain=input comment="defconf: accept ipsec ESP" protocol=\
    ipsec-esp
add action=accept chain=input comment=\
    "defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=input comment=\
    "defconf: drop everything else not coming from LAN" in-interface-list=!LAN
add action=accept chain=forward comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=\
    invalid
add action=drop chain=forward comment="defconf: drop packets with bad src ipv6" \
    src-address-list=bad_ipv6
add action=drop chain=forward comment="defconf: drop packets with bad dst ipv6" \
    dst-address-list=bad_ipv6
add action=drop chain=forward comment="defconf: rfc4890 drop hop-limit=1" \
    hop-limit=equal:1 protocol=icmpv6
add action=accept chain=forward comment="defconf: accept ICMPv6" protocol=\
    icmpv6
add action=accept chain=forward comment="defconf: accept HIP" protocol=139
add action=accept chain=forward comment="defconf: accept IKE" dst-port=500,4500 \
    protocol=udp
add action=accept chain=forward comment="defconf: accept ipsec AH" protocol=\
    ipsec-ah
add action=accept chain=forward comment="defconf: accept ipsec ESP" protocol=\
    ipsec-esp
add action=accept chain=forward comment=\
    "defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=forward comment=\
    "defconf: drop everything else not coming from LAN" in-interface-list=!LAN
/system clock
set time-zone-name=Europe/Amsterdam
/system note
set show-at-login=no
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN

Well, your first firewall rule allows you to access the router by Winbox via the external IP address. (I wouldn't put that rule first but after the "drop invalid" rule.)

Why would you want to access WebFig if you have Winbox? Also I would consider using a VPN for accessing the router config over the internet, e.g. WireGuard, and if you don't have a public IP then BTH, if available on your router, is a great solution to add a layer of security when configuring your router over the internet.

EDIT: You can't use BTH, you are using an unsupported CPU.

I am aware of the security part, this is just phase 1.
However, since I encountered some strange behaviour, I would like to raise some questions: in some cases I was able to access the web interface with a very slow response, but after the login the router was not giving any reply anymore.

Is there anything that can be misconfigured on the port forwarding part?

With the previous router, a server on the inside could be reached through the external IP, for instance 5.189.145.143/control, and now 5.189.145.143:8091/control seems to be the only way to reach the server; however, the server is reporting strange connection errors that we are trying to investigate.

TX

Do you want to access your server from your internal network via public IP or DDNS ?

Public IP (that was the previous way), and they would like to keep it that way.

Access to a server via port forwarding (and WAN IP) is the normal way.
Access to Winbox or the router directly from the WAN IP is just plain dumb.
It should only be accessed after entering the router securely via VPN: WireGuard, L2TP/IPsec, OpenVPN, etc.

Well, in that case you need something called hairpin NAT: http://forum.mikrotik.com/t/hairpin-nat-the-easy-way/146718/1
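
What hairpin NAT looks like against the export above, as an added example (not from the post or from the linked thread). It assumes the posted addresses (LAN 192.168.88.0/24, gateway 192.168.88.1, server 192.168.88.50) and a dynamic WAN address on ether1, which is why the forward matches on dst-address-type=local instead of a fixed public IP.

```routeros
# Added example: hairpin NAT for the 8091 -> 192.168.88.50:80 forward.
# Assumes the LAN, gateway and server addresses from the export above.
/ip firewall nat
# Drop the WAN-only forward from the export so the two rules do not overlap.
remove [find chain=dstnat dst-port=8091 protocol=tcp]
# Forward 8091 on any address the router owns (the WAN IP included) except the
# LAN gateway itself, so both internet clients and LAN clients that open
# <wan-ip>:8091 reach the server.
add chain=dstnat action=dst-nat dst-address-type=local dst-address=!192.168.88.1 \
    protocol=tcp dst-port=8091 to-addresses=192.168.88.50 to-ports=80 \
    comment="forward 8091 -> server:80 (WAN and LAN clients)"
# Hairpin: a LAN client that was just dst-nat'ed to the server must also have its
# source rewritten to the router. Otherwise the server answers the client directly
# on the LAN, the client sees a reply from 192.168.88.50 instead of the public IP
# it connected to, and the TCP session never completes.
add chain=srcnat action=masquerade src-address=192.168.88.0/24 \
    dst-address=192.168.88.50 protocol=tcp dst-port=80 \
    comment="hairpin: LAN -> forwarded server"
# Verify from a LAN host by opening http://<wan-ip>:8091/control, then look for
# the connection: dst-address <wan-ip>:8091, reply-src-address 192.168.88.50:80.
/ip firewall connection print detail where dst-address~":8091"
```

The defconf masquerade rule (out-interface-list=WAN) does not touch hairpinned traffic, which leaves the router on the bridge, so the extra srcnat rule is required; the forward-chain rule "drop all from WAN not DSTNATed" is also unaffected because the hairpinned packets arrive on the bridge, not on ether1.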

Hairpin is only for the case where the internal server cannot be reached from the LAN side, right? My problem is only from the WAN side.

From LAN, 192.168.88.50/console works fine; from WAN, external-ip:8091/console makes the server (which is a server from a climate-control vendor) report "Failed to connect to the login destination centralized controller" after I can see the vendor's logo appearing and a kind of processing animation.

Now I am not completely sure if there is something wrong with my router / port forwarding settings or something else is wrong.

TX

OK, in the meantime I have just forwarded port 80 from WAN to port 80 internal, and now it works through wanip/control.

Does anyone know why this will not work with a port forward from 8091 on the WAN side, using wanip:8091/control? It seems that /control does not get forwarded in this case.

It is just driving me crazy that it only works with port 80 to 80.
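
Three checks to separate "the forward is broken" from "the application minds which port the client used", added here and not part of the thread. They reuse the server address and the 8091 forward from the export; the Host header value is only an illustration of what the server sees when it is reached as wanip:8091 rather than as wanip.

```routeros
# Added diagnostic; assumes the export above (server 192.168.88.50, forward on 8091).
# 1. Is the forward hit at all? Log the first packet of every connection that was
#    dst-nat'ed to the server. Placed before the defconf fasttrack rule so the
#    new-connection packet is still seen by the filter.
/ip firewall filter
add chain=forward action=log log-prefix="fwd-8091" connection-state=new \
    connection-nat-state=dstnat dst-address=192.168.88.50 dst-port=80 \
    protocol=tcp comment="diag: forwarded 8091" \
    place-before=[find comment="defconf: fasttrack"]
# watch with:  /log print follow-only where message~"fwd-8091"
# remove again with:  /ip firewall filter remove [find comment="diag: forwarded 8091"]

# 2. Does the translation look right? A working entry shows <wan-ip>:8091 as
#    dst-address and 192.168.88.50:80 as reply-src-address.
/ip firewall connection print detail where dst-address~":8091"

# 3. Does the application care which port the browser used? Ask the server from
#    the router (this request does not pass dstnat, so it tests the app on its
#    own), presenting the Host header a browser sends through the forward.
:local r [/tool fetch url="http://192.168.88.50/control" \
    http-header-field="Host: 5.189.145.143:8091" output=user as-value]
:put ("status: " . ($r->"status"))
:put ($r->"data")
```

If step 1 logs the connection and step 2 shows both translations, the router is doing its job. If step 3 then fails on a redirect, or the returned HTML carries absolute links or a later "controller" address that omit :8091, the page is being rebuilt by the application for port 80, which is consistent with the 80-to-80 forward working and the 8091 one not; that would be a question for the vendor rather than for the firewall.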

What are the ISPs filtering?
Many public Wi-Fi networks only allow 80, 443, 53 and some secure mail ports/protocols as outgoing ports (e.g. blocking port 25 and all high ports >1024).
What is your local ISP filtering as incoming ports?

Try to access it with e.g. telnet, or with software like PuTTY that allows you to select a port for an interactive connection.

Security: shodan.io will catalog and reveal your open ports to anyone who asks (including hackers).

Use a VPN. If a VPN cannot be used, following this would help some:

  1. Use another port than the default.
  2. Use port knocking. This prevents someone from seeing open ports.
  3. Use a long and good password.
  4. Use an access list to prevent any random internet host from accessing your router.
  5. Log everything.
  6. Upgrade the firmware to the latest stable release.
  7. ++++
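
A worked version of the advice in this thread, added here and not posted by anyone in it: the first reply's point that the Winbox accept belongs after "drop invalid", and items 1, 2, 4, 5 and 6 of the list above. It replaces the open "Winbox remote" rule from the export with a three-step TCP port knock that admits the knocking source address for ten minutes, logs both the admitted and the refused attempts, and restricts WebFig and SSH to the LAN. The knock ports 7001/7002/7003, the Winbox port 18291, the list names and the timeouts are arbitrary choices for the example.

```routeros
# Added example: knock-gated Winbox access in place of the open rule in the export.
# Ports, address-list names and timeouts are arbitrary; adjust to taste.
/ip service
# WebFig and SSH only from the LAN; unused services off.
set www address=192.168.88.0/24
set ssh address=192.168.88.0/24
set telnet disabled=yes
set ftp disabled=yes
set api disabled=yes
set api-ssl disabled=yes
# 1. non-default Winbox port
set winbox port=18291

/ip firewall filter
# Remove the wide-open rule that was first in the export.
remove [find comment="Winbox remote"]
# 2. Port knocking: 7001 -> 7002 -> 7003, each step within 15 s of the previous one.
#    The knock packets themselves are never accepted (they fall through to the
#    defconf drop), only their source address is remembered. All rules are placed
#    just before the final defconf drop, i.e. after "drop invalid".
add chain=input action=add-src-to-address-list address-list=knock1 \
    address-list-timeout=15s protocol=tcp dst-port=7001 in-interface-list=WAN \
    comment="knock 1" \
    place-before=[find comment="defconf: drop all not coming from LAN"]
add chain=input action=add-src-to-address-list address-list=knock2 \
    address-list-timeout=15s protocol=tcp dst-port=7002 in-interface-list=WAN \
    src-address-list=knock1 comment="knock 2" \
    place-before=[find comment="defconf: drop all not coming from LAN"]
add chain=input action=add-src-to-address-list address-list=mgmt-allowed \
    address-list-timeout=10m protocol=tcp dst-port=7003 in-interface-list=WAN \
    src-address-list=knock2 comment="knock 3 -> mgmt-allowed" \
    place-before=[find comment="defconf: drop all not coming from LAN"]
# 4. Access list: only sources that completed the knock reach Winbox.
# 5. Log the accepted sessions and the refused attempts.
add chain=input action=accept protocol=tcp dst-port=18291 in-interface-list=WAN \
    src-address-list=mgmt-allowed log=yes log-prefix="winbox-ok" \
    comment="winbox after knock" \
    place-before=[find comment="defconf: drop all not coming from LAN"]
add chain=input action=drop protocol=tcp dst-port=18291 in-interface-list=WAN \
    log=yes log-prefix="winbox-denied" comment="winbox without knock" \
    place-before=[find comment="defconf: drop all not coming from LAN"]

# 3. A long password is set with /user set admin password=... (value not shown here).
# 6. Firmware: check for a newer stable release.
/system package update check-for-updates

# Knocking from a client: three TCP connection attempts in order, each one times
# out (the packets are dropped) but still registers the source address:
#   nc -zw1 <wan-ip> 7001; nc -zw1 <wan-ip> 7002; nc -zw1 <wan-ip> 7003
# then connect Winbox to <wan-ip>:18291 within 10 minutes.
```

The final drop for 18291 is redundant with the defconf "drop all not coming from LAN" rule and exists only to get a distinct "winbox-denied" log line; the established/related accept above it keeps an admitted session alive after the 10-minute list entry expires, so a new session then needs a fresh knock.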