RouterOS Remote Access: Winbox doesn't work

Hello guys,
I feel a bit stupid to get help for my issue…

I have a router in the datacenter with a public IP.
I enabled SSH as a service and created an input accept rule for my custom SSH port.
==> It's working.

Now I did the same for Winbox, but that's not working. The rule does not even show any packets in its stats…

These are my rules:

0 ;;; #ALLOW established/related
chain=input action=accept connection-state=established,related log=no log-prefix=""

1 ;;; #ALLOW_SSH_WINBOX for List "ALLOW_SSH_WINBOX"
chain=input action=accept protocol=tcp in-interface-list=ALLOW_SSH_WINBOX dst-port=27299,8291 log=no log-prefix=""

2 ;;; #ALLOW SSH from any
chain=input action=accept protocol=tcp dst-port=27299 log=no log-prefix=""

3 ;;; ALLOW DNS for DNS List
chain=input action=accept protocol=tcp in-interface-list=ALLOW_DNS dst-port=53 log=no log-prefix=""

4 ;;; ALLOW DNS for DNS List
chain=input action=accept protocol=udp in-interface-list=ALLOW_DNS dst-port=53 log=no log-prefix=""

5 ;;; ALLOW WINBOX FROM source
chain=input action=accept protocol=tcp src-address=X.X.X.X/32 dst-port=8291

And the services:

NAME PORT PROTO CERTIFICATE VRF MAX-SESSIONS LOCAL REMOTE

0 X ftp 21 tcp main 20
1 X telnet 23 tcp main 20
2 D resolver 53 tcp
3 D resolver 53 udp
4 D dhcp 67 udp
5 D dhcpclient 68 udp
6 X www 80 tcp main 20
7 X www-ssl 443 tcp none main 20
8 winbox 8291 tcp main 20
9 X api 8728 tcp main 20
10 X api-ssl 8729 tcp none main 20
11 ssh 27299 tcp main 20
12 D c ssh 27299 tcp X.X.X.X X.X.X.X:51106 (same as I use for src-address)

RouterOS 7.14.1

Any idea?

Have you tried to enable port 8291 for everything? Same as for SSH (rule 2).

Yeah, I did.

Okay, that was weird. I sniffed the interface but only saw SSH traffic (and other things).
However, no traffic for port 8291. I even tried from a different location…
Now I changed the Winbox port and it's working.

I don't know, but somehow the packets didn't arrive at the router…

The rule looks fine, but there are quite a few things that you're not telling us:

  • Quite clearly this is not your complete fw config. Not even the complete input chain. If there’s just a drop at the end, that’s okay. If there are drops in between, well: investigate.
  • Is there a dstnat rule that could catch the winbox connection?

To debug: add a rule that tries to catch tcp 8291 right at the top of the input chain, action passthrough. Watch the counter.

Some ISPs and DC providers feel zealous and block the Winbox port. Make sure that's not the source of things. Winbox had a nasty auth vulnerability some (many) years ago. Long since fixed. It allowed dumping passwords by unauthenticated attackers. (This is only from vague memory, please correct me if I'm wrong. I don't want to spread false rumors.)

This is not what you ask, but if you’re already exposing ssh, it would be best to allow winbox only through ssh with port forwarding. This requires that you allow winbox access from lo (loopback) and enable ssh port forwarding (at least local).

This would almost certainly fix your current problem and result in a better security posture.
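The two pieces of advice in the reply above (a passthrough counter at the top of the input chain to see whether tcp/8291 ever arrives, and reaching Winbox only through an SSH local port forward) written out as one RouterOS CLI sequence. This is an added example and not commands posted in the thread; it assumes the SSH port 27299 and the rule numbering from the original post, a user named admin, and ROUTER_PUBLIC_IP as a placeholder for the router's public address. The comment strings are made up.

```routeros
# --- Part 1: find out whether tcp/8291 ever reaches the input chain ---
# A passthrough rule placed first in the input chain changes nothing about
# what is accepted or dropped; it only counts the packets that match it.
/ip firewall filter add chain=input protocol=tcp dst-port=8291 action=passthrough comment="DEBUG-winbox-counter" place-before=0

# Attempt a Winbox connection, then read the counter. A packet count of 0
# means the traffic never arrives at the input chain (upstream filtering by
# the ISP/DC, a wrong public IP, or a dstnat rule grabbing it first), so the
# accept rules further down cannot be the cause.
/ip firewall filter print stats where comment="DEBUG-winbox-counter"

# Check for a dstnat rule that diverts the port before input sees it,
# and watch the wire directly with the built-in sniffer while connecting.
/ip firewall nat print where chain=dstnat dst-port=8291
/tool sniffer quick port=8291

# Remove the debug rule when finished.
/ip firewall filter remove [find comment="DEBUG-winbox-counter"]

# --- Part 2: expose Winbox only through the already exposed SSH service ---
# Allow local port forwarding on the RouterOS SSH server
# (valid values in RouterOS 7: no, local, remote, both).
/ip ssh set forwarding-enabled=local

# Restrict the Winbox service itself to loopback, and accept it from the
# lo interface in the firewall, as the reply describes.
/ip service set winbox address=127.0.0.1/32
/ip firewall filter add chain=input protocol=tcp dst-port=8291 in-interface=lo action=accept comment="ALLOW WINBOX via SSH tunnel (loopback)"

# Once the tunnel works, the rules that accept 8291 on the public interface
# (rules 1 and 5 in the post) are no longer needed and can be removed.

# On the admin workstation (assumed: SSH on tcp/27299 as in the post, user
# admin, ROUTER_PUBLIC_IP is a placeholder):
#   ssh -p 27299 -L 8291:127.0.0.1:8291 admin@ROUTER_PUBLIC_IP
# then point Winbox at 127.0.0.1:8291 while that SSH session stays open.
```

With the service bound to 127.0.0.1/32 and the only accepting rule matching in-interface=lo, Winbox is reachable solely by someone who already holds an SSH session on the router, so an upstream block of port 8291 stops mattering and the authentication surface on the public IP shrinks to SSH alone.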