I am trying to remotely access my RBLHGR&R11e-LTE-US MikroTik via the WAN IP address of the mikrotik in Winbox, but it is not working.
I have created the firewall rule to allow port 8291 to accept all traffic using an old forum page.
/ip firewall filter add action=accept chain=input disabled=no dst-port=8291 protocol=tcp
Even after doing this and putting it at the top of my firewall rules list, I still cannot access the Mikrotik using Winbox???
Not a safe or advised practice.
It would be like giving all your bank information to hackers and letting them play with password crackers to eventually get into your system.
The way to access your router remotely via winbox is to
a. preferably use IPSEC VPN or IKEv2 VPN
b. from a PC or your smart phone using the MT app.
c. or use port knocking as a less secure but still better method than the almost zero security of what you wish to do.
Also suggest changing winbox port from default to something else.
NEVER open up your winbox port to the internet!!!
(delete any such rule asap… )
In fact in the input chain the only rules to allow port access externally are VPN ports to establish initial connectivity.
Okay, thanks for the advice.
Is it possible to use the MikroTik App to remotely login to the MikroTik? I have used it using LAN inside the network, but have not tried it using the WAN IP address?
Yes, I have done it
a. with IKEV2 VPN
b. wireguard vpn
The only other way one would want to do it, not as secure as proper VPN, is port knocking.
https://mum.mikrotik.com/presentations/US10/discher.pdf
https://mum.mikrotik.com/presentations/ … tknock.pdf
https://systemzone.net/securing-mikroti … -knocking/
In this example below it looks like they use port knocking to then access other security protocols that are not quite as secure as standard VPN (like older pptp vpn and SSH etc…)
http://forum.mikrotik.com/t/how-to-make-port-knocking-working-on-vpn-pptp-connection/140021/22
SSH can also be a “VPN” of sorts:
$ ssh -L 8291:192.168.88.1:8291 my.public.host.name.example.com
This presumably connects to a NAT-forwarded public port, which in turn connects to a host behind the firewall that accepts your SSH connection. You may want to change the ports to add a bit of obscurity, saving you from a lot of script kiddie traffic, but I’m keeping the concept simple for this example.
You can then run WinBox on the same machine as you SSH’d from and point it at “localhost”. It will connect to the local port 8291, and that will be forwarded through the presumed secure SSH tunnel back inside the LAN to the router at 192.168.88.1.
RouterOS itself can be this SSH-receiving host, but you have to set “/ip ssh forwarding-enabled=yes” to allow the tunnel. Regular SSH servers typically enable this by default. If you set strong SSH keys for the users, this tunnel will be all but impervious to brute force attacks short of DDoS.
I would not consider SSH to be on the same level as VPN, so I would port knock and then SSH in from there as per the fourth link provided.
Not sure if this is accurate enough regarding SSH. but
2. Because SSH operates on an application level, only traffic from your applications gets encrypted. This means that any application on your device you want to protect will have to be configured separately for the SSH tunnel. On the other hand, a VPN connection automatically encrypts all your traffic, and some let you choose which apps you don’t want to encrypt through the VPN.
SSH uses the only TCP, which makes it easy for ISPs and servers to detect its traffic
It doesn’t have protection against DNS leaks.
Thus the quotes around “VPN” above. I’m not trying to tell you to use SSH instead of IPsec or Wireguard. It’s simply a useful tool to have in your pocket when you only need a small number of ports to be securely forwarded through the firewall. One short command, and with pre-configuration in ~/.ssh/config, it’s even shorter. Tell me that’s not valuable to know.
a VPN connection automatically encrypts all your traffic
Some do by default, but that practice isn’t universal, nor is it always wanted. Tell me again how great it is to run everything through the VPN when I’m trying to copy a file from my local NAS to a host on the remote side. Thus this question.
SSH uses the only TCP, which makes it easy for ISPs and servers to detect its traffic
ISPs can’t detect IPsec?
OpenVPN (which is TCP-based) isn’t a VPN?
This feels like gate-keeping to me. Needless quibbling over what a “VPN” is or must be. What it needs to be is what the user needs it to be, no more, no less.
It doesn’t have protection against DNS leaks.
I’m pretty sure OP isn’t worried if “localhost” leaks. 
Here is my default answer to user who like to access their router from a remote site.
My response to that is to use VPN. And if VPN can not be used or you have no clue or possibility to set it up, I do recommend:
I did test RemoteWinbox http://forum.mikrotik.com/t/remotewinbox-review/140626/1 but I will not use it.
I do not trust anyone, so that is why I never will use an online password service for example.
Can you explain how I can setup a IPsec tunnel on my mikrotik?