i can’t open webfig via internet, but it is ok in Intranet(Both IP).
i have enable all ip-service, disable all mangle rule and only default firewall rule is used.
confusing…thanks for help
The input filter is probably set to drop all packets on the WAN interface.
I just try disable all filter, but it does not work
(it is same to usermanager, but is ok to use the ip address to access winbox through internet.)
Try this:
/ip service export
I’m guessing that you’ll see something like this:
[admin@MikroTik] > /ip service export
# nov/18/2012 13:47:41 by RouterOS 5.17
# software id = 1BS6-EST0
#
/ip service
set telnet address=192.168.1.0/24 disabled=yes port=23
set ftp address=192.168.1.0/24 disabled=yes port=21
set www address=192.168.1.0/24 disabled=no port=80
set ssh address=192.168.1.0/24 disabled=no port=22
set www-ssl address=192.168.1.0/24 certificate=none disabled=no port=443
set api address=192.168.1.0/24 disabled=yes port=8728
set winbox address=192.168.1.0/24 disabled=yes port=8291
which limits access to your LAN.
Here it is
[quote=“tjc”]Try this:
/ip service export
[admin@MikroTik] > ip service export
# nov/19/2012 19:48:44 by RouterOS 5.21
# software id = BD0B-6TGV
#
/ip service
set telnet address="" disabled=no port=23
set ftp address="" disabled=no port=21
set www address="" disabled=no port=80
set ssh address="" disabled=no port=22
set www-ssl address="" certificate=none disabled=no
set api address="" disabled=no port=8728
set winbox address="" disabled=no port=8291
/ip firewall filter
add action=accept chain=input comment="default configuration" disabled=no \
protocol=icmp
add action=accept chain=input comment="default configuration" connection-state=\
established disabled=no
add action=accept chain=input comment="default configuration" connection-state=\
related disabled=no
add action=drop chain=input comment="default configuration" disabled=no \
in-interface=ether1
api and winbox access is work
post full export, maybe you have some NAT rules?
/export compact
[admin@MikroTik] > export compact
# nov/20/2012 22:49:42 by RouterOS 5.21
# software id = BD0B-6TGV
#
/interface bridge
add admin-mac=D4:CA:6D:6E:96:0A auto-mac=no l2mtu=2290 name=bridge-local \
protocol-mode=rstp
/interface wireless
set 0 band=2ghz-b/g/n channel-width=20/40mhz-ht-above country=china disabled=no \
distance=indoors ht-rxchains=0,1 ht-txchains=0,1 l2mtu=2290 mode=ap-bridge \
wireless-protocol=any
/interface ethernet
set 0 disabled=yes name=sfp1-gateway
set 6 name=ether6-master-local
set 7 master-port=ether6-master-local name=ether7-slave-local
set 8 master-port=ether6-master-local name=ether8-slave-local
set 9 master-port=ether6-master-local name=ether9-slave-local
set 10 master-port=ether6-master-local name=ether10-slave-local
/interface pppoe-client
add add-default-route=yes disabled=no interface=ether1 name=pppoe-out1 \
password=NR*** user=0755***@163.gd
add add-default-route=yes disabled=no interface=ether2 name=pppoe-out2 \
password=KMV*** user=0755***@163.gd
/interface wireless security-profiles
set [ find default=yes ] authentication-types=wpa2-psk mode=dynamic-keys \
wpa-pre-shared-key=24****** wpa2-pre-shared-key=24******
/ip hotspot user profile
set [ find default=yes ] idle-timeout=none keepalive-timeout=2m
/ip pool
add name=Admin_Pool ranges=192.168.88.10-192.168.88.99
add name=Tenant_Pool ranges=192.168.6.10-192.168.6.99
add name=VPN_Pool ranges=192.168.100.10-192.168.100.99
add name=Eth5_Pool ranges=192.168.5.10-192.168.5.99
/ip dhcp-server
add address-pool=Admin_Pool disabled=no interface=bridge-local name=default
/ppp profile
add change-tcp-mss=yes local-address=192.168.6.1 name=TenantProfile only-one=\
yes rate-limit=103K/2320K remote-address=Tenant_Pool session-timeout=0s
add local-address=192.168.88.1 name=VPNProfile rate-limit="" remote-address=\
Admin_Pool
add local-address=192.168.5.1 name=Eth5_Profile only-one=yes remote-address=\
Eth5_Pool
/queue tree
add max-limit=650k name=Total_Up parent=ether1
add max-limit=13M name=Total_Down parent=ether5
add name=Normal_down packet-mark=normal_traffic parent=Total_Down priority=1
add name=Heavy_down packet-mark=heavy_traffic parent=Total_Down priority=7
add name=Heavy_up packet-mark=heavy_traffic parent=Total_Up priority=7
add name=P2P_Down packet-mark=P2P parent=Total_Down
add name=P2P_Up packet-mark=P2P parent=Total_Up
add name=HTTP_Up packet-mark=HTTP parent=Total_Up priority=2
add name=HTTP_Down packet-mark=HTTP parent=Total_Down priority=2
add disabled=yes name=Small_Down packet-mark=Small parent=Total_Down priority=1
add disabled=yes name=Small_Up packet-mark=Small parent=Total_Up priority=1
add name=Normal_Up packet-mark=normal_traffic parent=Total_Up priority=3
/queue type
add kind=pcq name="Type_Down(12)" pcq-burst-rate=3100k pcq-burst-threshold=\
1200k pcq-burst-time=8s pcq-classifier=dst-address pcq-dst-address6-mask=64 \
pcq-limit=100 pcq-rate=1600k pcq-src-address6-mask=64 pcq-total-limit=1200
add kind=pcq name="Type_Up(12)" pcq-burst-rate=155k pcq-burst-threshold=58k \
pcq-burst-time=8s pcq-classifier=src-address pcq-dst-address6-mask=64 \
pcq-limit=100 pcq-rate=78k pcq-src-address6-mask=64 pcq-total-limit=1200
add kind=pcq name=Type_Up pcq-burst-time=8s pcq-classifier=src-address \
pcq-dst-address6-mask=64 pcq-limit=100 pcq-rate=100k pcq-src-address6-mask=\
64 pcq-total-limit=2400
add kind=pcq name=Type_Down pcq-burst-time=8s pcq-classifier=dst-address \
pcq-dst-address6-mask=64 pcq-limit=100 pcq-rate=2300k \
pcq-src-address6-mask=64 pcq-total-limit=2400
/tool user-manager customer
add backup-allowed=yes disabled=no login=admin password=24**** \
paypal-accept-pending=no paypal-allowed=no paypal-secure-response=no \
permissions=owner signup-allowed=no time-zone=-00:00
/tool user-manager profile
add name=Profile_Tenamt name-for-users=Profile_Tenant override-shared-users=1 \
owner=admin price=0 starts-at=logon validity=0s
add name=Admin name-for-users=Admin override-shared-users=off owner=admin \
price=0 starts-at=logon validity=0s
/tool user-manager profile limitation
add address-list="" download-limit=0B group-name="" ip-pool="" name=Limitation1 \
rate-limit-min-rx=60000B rate-limit-min-tx=1700000B rate-limit-rx=100000B \
rate-limit-tx=3300000B transfer-limit=0B upload-limit=0B uptime-limit=0s
add address-list="" download-limit=0B group-name="" ip-pool="" name=\
Limitation2_Admin transfer-limit=0B upload-limit=0B uptime-limit=0s
/interface bridge port
add bridge=bridge-local disabled=yes interface=ether2
add bridge=bridge-local interface=ether3
add bridge=bridge-local interface=ether4
add bridge=bridge-local disabled=yes interface=ether5
add bridge=bridge-local disabled=yes interface=ether6-master-local
add bridge=bridge-local interface=wlan1
/interface l2tp-server server
set default-profile=VPNProfile enabled=yes
/interface pppoe-server server
add authentication=pap,chap default-profile=TenantProfile disabled=no \
interface=ether6-master-local service-name=PPPoE_tenant
add default-profile=Eth5_Profile disabled=no interface=ether5 service-name=\
Mikrotik
/interface pptp-server server
set authentication=pap,chap,mschap1,mschap2 default-profile=VPNProfile enabled=\
yes keepalive-timeout=disabled
/ip address
add address=192.168.88.1/24 comment="default configuration" interface=\
bridge-local
add address=192.168.6.1/24 interface=ether6-master-local
add address=192.168.5.1/24 interface=ether5
add address=192.168.2.2/24 interface=ether2
add address=192.168.2.1/24 interface=ether2
/ip dhcp-client
add comment="default configuration" interface=sfp1-gateway
add comment="default configuration" disabled=no interface=ether1
/ip dhcp-server network
add address=192.168.88.0/24 comment="default configuration" dns-server=\
192.168.88.1 gateway=192.168.88.1
/ip dns
set allow-remote-requests=yes servers=202.96.134.33,202.181.202.10,8.8.8.8
/ip dns static
add address=192.168.88.1 name=router
/ip firewall address-list
add address=192.168.5.95-192.168.5.99 list=First_5
/ip firewall filter
add chain=input comment="default configuration" protocol=icmp
add chain=input comment="default configuration" connection-state=established
add chain=input comment="default configuration" connection-state=related
add action=drop chain=input comment="default configuration" in-interface=ether1
/ip firewall mangle
add action=mark-connection chain=input comment=\
"Dual-Wan \A4J (\A6^\B5{\B8\F4\A5\D1)" in-interface=ether1 \
new-connection-mark=WAN1_conn
add action=mark-connection chain=input in-interface=ether2 new-connection-mark=\
WAN2_conn
add action=mark-routing chain=output connection-mark=WAN1_conn \
new-routing-mark=to_WAN1
add action=mark-routing chain=output connection-mark=WAN2_conn \
new-routing-mark=to_WAN2
add chain=prerouting dst-address=192.168.1.0/24 in-interface=ether5
add chain=prerouting dst-address=192.168.2.0/24 in-interface=ether5
add action=mark-connection chain=prerouting comment="\A5X (\B0\F2\A9\F3PCC)" \
dst-address-type=!local in-interface=ether5 new-connection-mark=WAN1_conn \
per-connection-classifier=both-addresses:2/0
add action=mark-connection chain=prerouting dst-address-type=!local \
in-interface=ether5 new-connection-mark=WAN2_conn \
per-connection-classifier=both-addresses:2/1
add action=mark-connection chain=prerouting disabled=yes dst-address-type=\
!local in-interface=ether5 new-connection-mark=WAN2_conn src-address-list=\
First_5
add action=mark-routing chain=prerouting connection-mark=WAN1_conn \
new-routing-mark=to_WAN1
add action=mark-routing chain=prerouting connection-mark=WAN2_conn \
new-routing-mark=to_WAN2
add action=mark-connection chain=forward comment=PCQ disabled=yes \
new-connection-mark=Tenant_Conn
add action=mark-packet chain=forward connection-mark=Tenant_Conn disabled=yes \
new-packet-mark=ALL passthrough=no
add action=mark-connection chain=forward comment=Winbox new-connection-mark=\
Winbox_Conn port=8291 protocol=tcp
add action=mark-packet chain=forward connection-mark=Winbox_Conn \
new-packet-mark=Winbox passthrough=no
add action=mark-connection chain=prerouting comment=P2P new-connection-mark=\
P2P_Conn p2p=all-p2p
add action=mark-packet chain=forward connection-mark=P2P_Conn new-packet-mark=\
P2P passthrough=no
add action=mark-connection chain=forward comment=Small disabled=yes \
new-connection-mark=Small_conn packet-size=1-64
add action=mark-packet chain=forward connection-mark=Small_conn disabled=yes \
new-packet-mark=Small passthrough=no
add action=mark-connection chain=forward comment=HTTP dst-port=80 \
new-connection-mark=HTTP_Conn protocol=tcp
add action=mark-packet chain=forward connection-mark=HTTP_Conn new-packet-mark=\
HTTP passthrough=no
add action=mark-connection chain=forward comment=Traffic connection-mark=\
!heavy_traffic_conn new-connection-mark=all_conn
add action=mark-connection chain=forward connection-bytes=250000-0 \
connection-mark=all_conn connection-rate=50k-1G new-connection-mark=\
heavy_traffic_conn protocol=tcp
add action=mark-connection chain=forward connection-bytes=250000-0 \
connection-mark=all_conn connection-rate=50k-100M new-connection-mark=\
heavy_traffic_conn protocol=udp
add action=mark-packet chain=forward connection-mark=all_conn new-packet-mark=\
normal_traffic passthrough=no
add action=mark-packet chain=forward connection-mark=heavy_traffic_conn \
new-packet-mark=heavy_traffic passthrough=no
/ip firewall nat
add action=masquerade chain=srcnat comment="default configuration" \
out-interface=pppoe-out1 to-addresses=0.0.0.0
add action=masquerade chain=srcnat out-interface=pppoe-out2
/ip neighbor discovery
set ether1 disabled=yes
set wlan1 disabled=yes
/ip route
add check-gateway=ping distance=1 gateway=192.168.1.1 routing-mark=to_WAN1
add check-gateway=ping distance=1 gateway=pppoe-out2 routing-mark=to_WAN2
add check-gateway=ping comment=Fst. distance=2 gateway=192.168.1.1
add check-gateway=ping comment=Sec. distance=3 gateway=192.168.2.1
/ip service
set www-ssl disabled=no
set api disabled=no
/ppp aaa
set use-radius=yes
/ppp secret
add disabled=yes name=1009 password=7128 profile=TenantProfile service=pppoe
/radius
add address=192.168.5.1 secret=test service=ppp
/radius incoming
set accept=yes
/system clock
set time-zone-name=Asia/Hong_Kong
/system lcd
set contrast=0 enabled=no port=parallel type=24x4
/system lcd page
set time disabled=yes display-time=5s
set resources disabled=yes display-time=5s
set uptime disabled=yes display-time=5s
set packets disabled=yes display-time=5s
set bits disabled=yes display-time=5s
set version disabled=yes display-time=5s
set identity disabled=yes display-time=5s
set pppoe-out2 disabled=yes display-time=5s
set pppoe-out1 disabled=yes display-time=5s
set bridge-local disabled=yes display-time=5s
set wlan1 disabled=yes display-time=5s
set ether10-slave-local disabled=yes display-time=5s
set ether9-slave-local disabled=yes display-time=5s
set ether8-slave-local disabled=yes display-time=5s
set ether7-slave-local disabled=yes display-time=5s
set ether6-master-local disabled=yes display-time=5s
set ether5 disabled=yes display-time=5s
set ether4 disabled=yes display-time=5s
set ether3 disabled=yes display-time=5s
set ether2 disabled=yes display-time=5s
set ether1 disabled=yes display-time=5s
set sfp1-gateway disabled=yes display-time=5s
set <pppoe-305> disabled=yes display-time=5s
set <pppoe-806> disabled=yes display-time=5s
set <pppoe-403> disabled=yes display-time=5s
set <pppoe-603> disabled=yes display-time=5s
set <pppoe-409> disabled=yes display-time=5s
/system ntp client
set enabled=yes mode=unicast primary-ntp=218.75.4.130 secondary-ntp=\
133.100.11.8
/system routerboard settings
set boot-device=nand-only
/system scheduler
add interval=15m10s name=DDNS_Scheduler on-event="/tool dns-update name=connectt\
o.myDDNS.com address=204.16.170.40 key-name=kladmin key=24****\r\
\n" policy=\
ftp,reboot,read,write,policy,test,winbox,password,sniff,sensitive,api \
start-time=startup
add disabled=yes interval=5m name=Queue on-event=\
"/system script run SimpleQueue" policy=\
ftp,reboot,read,write,policy,test,winbox,password,sniff,sensitive,api \
start-time=startup
add disabled=yes interval=5m name=DualWan_Scheduler on-event=\
"/system script run DualWan" policy=\
ftp,reboot,read,write,policy,test,winbox,password,sniff,sensitive,api \
start-time=startup
/system script
add name=SimpleQueue policy=\
ftp,reboot,read,write,policy,test,winbox,password,sniff,sensitive,api \
source=":local count1 0\r\
\n:local UpRate 650000\r\
\n:local DownRate 13000000\r\
\n:local UpAverage 78000\r\
\n:local DownAverage 1600000\r\
\n:set count1 [:len [/ppp act find]]\r\
\n:set UpAverage (\$UpRate/\$count1)\r\
\n:set DownAverage (\$DownRate/\$count1)\r\
\n:if (\$UpAverage < 78000) do={:set UpAverage 78000}\r\
\n:if (\$DownAverage < 1600000) do={:set DownAverage 1600000}\r\
\n:local LimitAt ((\$UpAverage*80/100/1000*1000).\"/\".(\$DownAverage*80/100\
/1000*1000))\r\
\n:local MaxLimit (\$UpAverage.\"/\".\$DownAverage)\r\
\n:local BurstLimit ((\$UpAverage*200/100/1000*1000).\"/\".(\$DownAverage*20\
0/100/1000*1000))\r\
\n:local BurstThr ((\$UpAverage*75/100/1000*1000).\"/\".(\$DownAverage*75/10\
0/1000*1000))\r\
\n:local BurstTime \"4s/4s\"\r\
\n/queue sim\r\
\nset [find dynamic=true] queue=default/default limit-at=\$LimitAt max-limit\
=\$MaxLimit burst-limit=\$BurstLimit burst-threshold=\$BurstThr burst-time=\
\$BurstTime\r\
\n"
add name=DualWan policy=\
ftp,reboot,read,write,policy,test,winbox,password,sniff,sensitive,api \
source=":global oldaddress\r\
\n:global newaddress\r\
\n:global newnetwork\r\
\n:global status\r\
\n:global x\r\
\n:global i\r\
\n:set x 2\r\
\n:for i from=1 to=\$x do={\r\
\n:set status [/interface get [/interface find name=(\"pppoe-out\" . \$i)] r\
unning] \r\
\n:if (\$status=true) do={\r\
\n:set newaddress [/ip address get [/ip address find dynamic=yes interface=(\
\"pppoe-out\" . \$i)] address]\r\
\n:set newaddress [:pick \$newaddress 0 [:find \$newaddress \"/\"]]\r\
\n#:put (\"newaddress:\" . \$newaddress)\r\
\n:set newnetwork [/ip address get [/ip address find dynamic=yes interface=(\
\"pppoe-out\" . \$i)] network]\r\
\n#:put (\"newnetwork:\" . \$newnetwork)\r\
\n:set oldaddress [/ip address get [/ip address find dynamic=no interface=(\
\"ether\" . \$i)] address]\r\
\n:set oldaddress [:pick \$oldaddress 0 [:find \$oldaddress \"/\"]]\r\
\n#:put (\"oldaddress:\" . \$oldaddress)\r\
\n\r\
\n:if (\$oldaddress != \$newaddress) do={\r\
\n/ip route set [/ip route find routing-mark=(\"to_WAN\" . \$i)] gateway=\$n\
ewnetwork\r\
\n/ip route set [/ip route find comment=(\"to_WAN\" . \$i)] gateway=\$newnet\
work\r\
\n/ip address set [/ip address find interface=(\"ether\" . \$i)] address=\$n\
ewaddress network=\$newaddress broadcast=\$newaddress\r\
\n\r\
\n}\r\
\n}\r\
\n}"
/tool mac-server
add disabled=no interface=ether2
add disabled=no interface=ether3
add disabled=no interface=ether4
add disabled=no interface=ether5
add disabled=no interface=ether6-master-local
add disabled=no interface=ether7-slave-local
add disabled=no interface=ether8-slave-local
add disabled=no interface=ether9-slave-local
add disabled=no interface=wlan1
add disabled=no interface=bridge-local
/tool mac-server mac-winbox
set [ find default=yes ] disabled=yes
add interface=ether2
add interface=ether3
add interface=ether4
add interface=ether5
add interface=ether6-master-local
add interface=ether7-slave-local
add interface=ether8-slave-local
add interface=ether9-slave-local
add interface=wlan1
add interface=bridge-local
/tool netwatch
add host=192.168.1.1
/tool user-manager profile profile-limitation
add from-time=0s limitation=Limitation1 profile=Profile_Tenamt till-time=\
23h59m59s weekdays=sunday,monday,tuesday,wednesday,thursday,friday,saturday
/tool user-manager router
add coa-port=1700 customer=admin disabled=no ip-address=192.168.5.1 log=\
auth-ok,auth-fail,acct-ok,acct-fail name=Mikrotik shared-secret=test \
use-coa=no
/tool user-manager user
add customer=admin disabled=no name=demo password=demo shared-users=1 \
wireless-enc-algo=none wireless-enc-key="" wireless-psk=""
add customer=admin disabled=no name=201 password=0198 shared-users=1 \
wireless-enc-algo=none wireless-enc-key="" wireless-psk=""
i have a masquerade on interface=pppoe-out1. Does it matter?
(can’t try it now…)
when i login to the Webfig through a User credentials who has restricted rights why can’t i see the PPPoE interface??
