Hello everyone!
I have a Mikrotik RB951g router in the office which we use for internet. Sometimes I have to log in to the router from home using another connection, so I would like to know how to configure the router so it can be accessed from home remotely.
Jotne
March 23, 2019, 10:05am
2
This has been discussed many times.
Best option: set up a VPN from the Mikrotik to your home. (This will also work if your router is behind NAT.)
If that cannot be done, take care. Opening up a router to the outside adds a huge risk of attack on it.
Use access list
Do not use default port
Use port knocking
Log all access
+++
anav
March 24, 2019, 2:22am
4
Brain dead?
The Point-to-Point Tunneling Protocol (PPTP) is an obsolete method for implementing virtual private networks. PPTP has many well-known security issues.
Jotne
March 25, 2019, 9:11am
5
I do agree with anav here, why in the world use obsolete PPTP when you can use a much better L2TP with IPsec?
Joni
March 25, 2019, 7:43pm
6
There is a much simpler way… dynamic whitelisting
Get a DynDNS client (or URL) on your client device (hint: could also be another Mikrotik device on the same client network https://wiki.mikrotik.com/wiki/Manual:IP/Cloud )
Add that DynDNS name (not IP address) to Firewall address list in the router you wish to access (hint: timeout recommended but not required https://wiki.mikrotik.com/wiki/Manual:IP/Firewall/Address_list )
Add a firewall exception rule for that address list
Result = Secure (with no open ports at all to attack) authenticated encrypted (Winbox / HTTPS) remote access, to as many sites (devices) or users as you like, with zero overhead
Hint: https://www.cloudns.net/features/ is Google recommended and has non-authenticated dynamic DNS for free ( https://www.cloudns.net/wiki/article/255/ ), including the free domain.
Something along the lines of:
/ip firewall address-list add address=xxxxxxxxxxxx.sn.mynetname.net list=whitelisted-admin comment="some other Mikrotik device with Cloud IP"
/ip firewall address-list add address=mydyndnsclient.dyn.com list=whitelisted-admin comment="some other DynDNS client"
/ip firewall filter add action=accept chain=input comment="Allow whitelisted-admin" in-interface-list=WAN src-address-list=whitelisted-admin
Please note: if the two DNS names resolve to the same IP address then only one item is added on the list.
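A hardened variant that combines the checklist from the earlier reply (access list, non-default port, port knocking, logging) with the DynDNS address list above. This is an added example, not configuration from any poster in this thread; the hostname, port numbers, list names and timeouts are constructed, and an interface list named WAN is assumed to exist.

```routeros
# Added example; all names, ports and timeouts below are constructed placeholders.

# Move Winbox off its default port (8291) to a constructed non-default one.
/ip service set winbox port=48291

# The router resolves this DNS name and keeps the resulting IP in the list.
/ip firewall address-list
add list=whitelisted-admin address=admin-home.example.net \
    comment="admin DynDNS name (placeholder)"

/ip firewall filter
# Replies to connections that are already tracked.
add chain=input action=accept connection-state=established,related \
    comment="established/related"

# Knock 1: only a whitelisted source can start the sequence; entry expires in 15s.
add chain=input action=add-src-to-address-list in-interface-list=WAN \
    protocol=tcp dst-port=7001 src-address-list=whitelisted-admin \
    address-list=knock-stage1 address-list-timeout=15s comment="knock 1"

# Knock 2: must arrive from a stage-1 source; grants a 30 minute window.
add chain=input action=add-src-to-address-list in-interface-list=WAN \
    protocol=tcp dst-port=7002 src-address-list=knock-stage1 \
    address-list=knock-ok address-list-timeout=30m comment="knock 2"

# Accept Winbox only, only after both knocks, and log every accepted session.
add chain=input action=accept in-interface-list=WAN protocol=tcp \
    dst-port=48291 src-address-list=knock-ok log=yes \
    log-prefix="admin-wan" comment="Winbox for knocked admin"

# Everything else arriving on WAN, including the knock packets, is dropped.
add chain=input action=drop in-interface-list=WAN comment="drop other WAN input"
```

Rules are evaluated top to bottom, so on a router that already has an input-chain drop rule these entries must sit above it. Unlike the single accept rule above, this limits a whitelisted address to one management port, which matters when the DNS record is updated without authentication or the resolved IP is shared by other hosts.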
anav
March 25, 2019, 7:47pm
7
How do DDNS and an address list provide secure encrypted connections?
anav
March 25, 2019, 7:48pm
8
You could also set up IKEv2 and access via the MT mobile app from anywhere: home, coffee shop or via cellular data.
Mikrotik’s implementation of PPTP is secure. It’s the Windows one you’re mocking my mental disability with.
anav
March 26, 2019, 1:40pm
10
As much as I hate to intervene in this discussion, I must remind @anav and everyone else to keep it civil, and let's not throw insults around.
Ok? Ok!
anav
March 26, 2019, 2:08pm
12
Thanks for the reminder kris, I have modified my previous post.