Unable to login to CCR2004 with I/P address, Mac only access

My Lab CCR2004 has a strange issue. I am able to connect to it via MAC but not with I/P address. My configuration is below.

myconfig.rsc (5.4 KB)

Are you connecting to the ether1 port of the router for management? If yes, that interface has no IP address assigned and only MAC WinBox will work.

If otherwise you are connected to LAN Bridge (one of the SFP+ ports other than sfp-sfpplus1) with the computer having an IP address in the 10.1.1.0/24 range, then WinBox with IP address should work.


Not related to that, but with the first rule of your input chain looking like this:

/ip firewall filter
add action=accept chain=input comment="Default Configuration" \
    connection-mark="" connection-state=established,related

Then the router itself might not have proper internet connectivity (e.g. it cannot check for updates or synchronize time with NTP). You need to edit that rule and remove the connection-mark="" condition (so that it's greyed out in WinBox / disappears from export).

My WAN connection is on SFP+1. I do have a connection to my Management port.

Can someone analyse my firewall setup and let me know if I need to change anything at all? I am stumped about some settings.

Your configuration is a bit mixed up and has a lot of unnecessary stuff. To make your router traffic flow correctly, fix the configuration as shown in this description: Firewall


Since this is a lab setup I am open to doing this right. Thank you

As experience tells us, "Good practice" is to use a configuration where everything is prohibited and only what you allow is allowed. This is also visible in the example I provided. Use the Input chain for traffic entering your router and always specify the final rule as Input=drop All. In the Forward section, specify everything that passes through your router and always specify the final rule as Forward=drop All. Mikrotik rules policy is executed from top to bottom and it is important how you place the rules, because it can change the traffic flow, security and everything else. You can safely use this method in your "production" environment and everything will work very well.

I don't know your experience with router configuration, but Mikrotik is a bit different from, for example, CheckPoint or Fortigate routers, because their firewall policy is a bit different. The principle is the same, but there is no Input chain and Forward chain. There are NGFW (next generation firewall) policy-based routings, which already combine this input+forward. Well, that's it, just as an example.
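Both points raised in this thread (the connection-mark="" condition on the established/related rule, and ending the input and forward chains with a drop-all rule) can be checked mechanically against an exported .rsc file. The following is an added example, not code from any poster or from MikroTik; the sample export, the function names and the list of non-matching keys are constructed for illustration.

```python
import re
import shlex

# Keys that do not narrow what a rule matches (constructed list for this example).
NON_MATCHERS = {"action", "chain", "comment", "log", "log-prefix"}

# Constructed sample export; the first rule is the one quoted in the thread.
SAMPLE = r'''/ip firewall filter
add action=accept chain=input comment="Default Configuration" \
    connection-mark="" connection-state=established,related
add action=accept chain=input in-interface-list=LAN
add action=drop chain=input comment="drop all else"
add action=accept chain=forward connection-state=established,related
add action=drop chain=forward connection-state=invalid
'''

def parse_filter_rules(export_text):
    """Return the `add` rules under /ip firewall filter as dicts, in order."""
    # Export wraps long lines with a trailing backslash and an indented continuation.
    joined = re.sub(r"\\\r?\n\s*", "", export_text)
    rules, in_filter = [], False
    for line in joined.splitlines():
        line = line.strip()
        if line.startswith("/"):
            in_filter = line == "/ip firewall filter"
        elif in_filter and line.startswith("add "):
            pairs = (tok.partition("=") for tok in shlex.split(line)[1:])
            rules.append({k: v for k, _, v in pairs})
    return rules

def audit(export_text):
    """Flag empty connection-mark matchers and chains lacking a final drop-all."""
    findings = []
    rules = [r for r in parse_filter_rules(export_text) if r.get("disabled") != "yes"]
    for n, r in enumerate(rules):
        if r.get("connection-mark") == "":
            findings.append(f"rule {n} ({r.get('chain')}): empty connection-mark condition")
    for chain in ("input", "forward"):
        chain_rules = [r for r in rules if r.get("chain") == chain]
        last = chain_rules[-1] if chain_rules else {}
        # The final rule must be a drop with no matcher that narrows it.
        if last.get("action") != "drop" or set(last) - NON_MATCHERS:
            findings.append(f"{chain}: chain does not end with an unconditional drop")
    return findings

if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print(finding)
```

Rule numbers in the findings count from 0 over enabled filter rules in export order, which is also the order the router evaluates them in.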

I thank you for the input. I think I will wipe the CCR and start over with your ideas.

Rule #8:
The twelve Rules of Mikrotik Club

CCR 2004-1G-12S+2XS does not have a default configuration.

I know, hence in Corollary of Rule #8 a link is given to the default configuration of SoHo devices:
