Remote use of WinBox

EDIT: Found the problem. I added default routes for each VLAN to use with marked routing, but had removed the “default” default route for Eth1, and that, for whatever reason, killed all incoming traffic.

There’s probably a simple answer to this, but I’ve spent the last few hours trying to get remote access from winbox to work on my 493AH. Is it a NAT or Filter rule that has to be added/modified? Right now, it’s taking traffic from ports 2-8 and mangling it to different VLANs on Eth1. Outgoing seems to work fine, but I need to be able to connect to the router via Winbox from outside, and to enable WAN ping as well.

You’re going to have to post your firewall rules at a minimum for anyone to help. The 400 series don’t have any firewall filter rules on them by default, so if you can’t access it remotely, or ping it, then you have a firewall rule on input that is blocking it, or you are forwarding more than what you want to with a NAT rule.

Here is my current firewall config; I have tried disabling all the rules at once, but I still cannot get to the WAN interface via WinBox, nor can I ping it.
/ip firewall connection tracking
set enabled=yes generic-timeout=10m icmp-timeout=10s tcp-close-timeout=10s tcp-close-wait-timeout=10s \
    tcp-established-timeout=1d tcp-fin-wait-timeout=10s tcp-last-ack-timeout=10s tcp-syn-received-timeout=5s \
    tcp-syn-sent-timeout=5s tcp-syncookie=no tcp-time-wait-timeout=10s udp-stream-timeout=3m udp-timeout=10s
/ip firewall filter
add action=drop chain=forward comment="drop invalid connections" connection-state=invalid disabled=yes protocol=tcp
add action=accept chain=forward comment="allow already established connections" connection-state=established disabled=yes
add action=accept chain=forward comment="allow related connections" connection-state=related disabled=yes
add action=drop chain=forward comment="Block Bogon Networks" disabled=yes src-address=0.0.0.0/8
add action=drop chain=forward disabled=yes dst-address=0.0.0.0/8
add action=drop chain=forward disabled=yes src-address=127.0.0.0/8
add action=drop chain=forward disabled=yes dst-address=127.0.0.0/8
add action=drop chain=forward disabled=yes src-address=224.0.0.0/3
add action=drop chain=forward disabled=yes dst-address=224.0.0.0/3
add action=drop chain=input disabled=yes dst-port=80 protocol=tcp
/ip firewall mangle
add action=mark-routing chain=prerouting disabled=no new-routing-mark=VLAN40 passthrough=yes src-address=10.0.20.0/22
add action=mark-routing chain=prerouting disabled=no new-routing-mark=VLAN41 passthrough=yes src-address=10.0.16.0/22
add action=mark-routing chain=prerouting disabled=no new-routing-mark=VLAN42 passthrough=yes src-address=10.0.12.0/22
add action=mark-routing chain=prerouting disabled=no new-routing-mark=VLAN43 passthrough=yes src-address=10.0.8.0/22
add action=mark-routing chain=prerouting disabled=no new-routing-mark=VLAN72 passthrough=yes src-address=10.0.4.0/22
add action=mark-routing chain=prerouting disabled=no new-routing-mark=VLAN100 passthrough=yes src-address=10.0.0.0/22
/ip firewall nat
add action=masquerade chain=srcnat disabled=no src-address=10.0.0.0/8
/ip firewall service-port
set ftp disabled=yes ports=21
set tftp disabled=yes ports=69
set irc disabled=yes ports=6667
set h323 disabled=yes
set sip disabled=yes ports=5060,5061 sip-direct-media=yes
set pptp disabled=yes

Ok, it looks like you don’t have any rules to force the router to remember what interface connections came in on. I’m assuming based off of your mangle rules that you have 6 WAN connections and each is going out using a different VLAN?

If my assumptions are right (no way to tell without you providing the necessary information), then the problem comes into play because, without mangle rules for the router to remember what interface a connection came in on and to make it reply back over it, the reply falls through to the main routing table.

From the PCC Wiki, adjust the rules to fit your needs.

add chain=prerouting in-interface=ISP1 connection-mark=no-mark action=mark-connection \
    new-connection-mark=ISP1_conn
add chain=prerouting in-interface=ISP2 connection-mark=no-mark action=mark-connection \
    new-connection-mark=ISP2_conn
add chain=output connection-mark=ISP1_conn action=mark-routing new-routing-mark=to_ISP1
add chain=output connection-mark=ISP2_conn action=mark-routing new-routing-mark=to_ISP2

If my assumptions are wrong, provide /ip route print detail, /ip address print detail, and /interface print detail for more help.
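As an added illustration (not configuration from the thread or from the MikroTik wiki), here is the PCC-style connection marking applied to the original poster's layout, together with the plain default route the first post's EDIT found missing. The WAN-side interface names vlan40 and vlan41, the gateway 203.0.113.1 and the management network 198.51.100.0/24 are placeholder assumptions; the routing marks VLAN40 and VLAN41 come from the poster's mangle rules.

```routeros
# Added example: remember which WAN VLAN a router-destined connection arrived on,
# so WinBox/ping replies leave over the same interface instead of the main table.
/ip firewall mangle
add chain=prerouting in-interface=vlan40 connection-mark=no-mark action=mark-connection \
    new-connection-mark=VLAN40_conn passthrough=yes
add chain=prerouting in-interface=vlan41 connection-mark=no-mark action=mark-connection \
    new-connection-mark=VLAN41_conn passthrough=yes
# Locally generated replies for those connections pick the matching routing table.
add chain=output connection-mark=VLAN40_conn action=mark-routing new-routing-mark=VLAN40 passthrough=no
add chain=output connection-mark=VLAN41_conn action=mark-routing new-routing-mark=VLAN41 passthrough=no

/ip route
# Per-mark default routes used by the existing prerouting mark-routing rules (gateway is a placeholder).
add dst-address=0.0.0.0/0 gateway=203.0.113.1 routing-mark=VLAN40
add dst-address=0.0.0.0/0 gateway=203.0.113.1 routing-mark=VLAN41
# The unmarked default route: anything not matched by a mark falls through to the main table,
# and with no route here the router cannot answer inbound traffic at all (the poster's EDIT).
add dst-address=0.0.0.0/0 gateway=203.0.113.1

/ip firewall filter
# Expose WinBox (TCP 8291) and ICMP on the WAN side only to a known management network,
# and drop other new inbound connections to the router, rather than leaving input open.
add chain=input connection-state=established,related action=accept
add chain=input in-interface=vlan40 protocol=tcp dst-port=8291 src-address=198.51.100.0/24 action=accept
add chain=input in-interface=vlan40 protocol=icmp action=accept
add chain=input in-interface=vlan40 action=drop
```

Verify with /ip firewall connection print that a WinBox session shows the expected connection mark, and with /ip route print that an unmarked default route exists in the main table.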