Winbox access on Groove from the Internet

I have a problem with accessing a Groove (firmware 6.39.2) that has an internet address when connected to the hotspot. In the firewall the following rule is on top:

/ip firewall filter add action=accept chain=input disabled=no dst-port=8291 src-address=83.240.xxx.xxx protocol=tcp place-before=1

And in services the Winbox is also limited to that source address and local:

/ip service
set telnet disabled=yes
set ftp disabled=yes
set www address=192.168.0.0/16
set ssh address=192.168.0.0/16
set api disabled=yes
set winbox address=192.168.0.0/16,83.240.xxx.xxx

When I telnet to port 8291 from Windows, I get a black screen, indicating that I am waiting to get access.
Wireshark gives 20 lines of output on a connection attempt.

I can’t think of any reason why it should not work. I am running my Winbox on a Windows PC connected to my Mikrotik and reaching out to a Groove in Station mode on the internet.

The message Winbox gives is: wrong username or password. The setting is: username admin and no password.

Packets of data are sent between Winbox and the Groove when I look in Wireshark.

Reading on, I remember not seeing any packets being counted in the screen prints of the firewall rules, despite having an exchange of traffic with the Groove. However, it can be that I get connected to another Mikrotik device before the ISP hotspot, or even the hotspot itself. That could also explain the failure on the username and/or password.

I will check the IP of the WLAN1 interface tomorrow, and I now expect that it will be something like 10… and not 203…

You placed it before “1”, so the logical question now is: what is the “0” rule in your device :) ? Post all firewall and NAT rules please.

Thanks Normis.

The config of the Groove can be found here.

http://forum.mikrotik.com/t/securing-ap-bridge/109873/1

The 1 is not used here; I found this option later, after Jorge moved the line in Winbox manually. I used 1 instead of 0 because normally the fasttrack line is in position 0.

Jorge tried to install TeamViewer on the MacBook, but it did not run on that old system, so that is also a dead end… We had a lot of dead ends in the last weeks because I have a hEX with no WiFi on it, so I can’t prepare a working config out of the box that Jorge can upload.

Update: today I checked the sn.mynetname.net IP again after I asked for this to be executed: /ip cloud advanced set use-local-address=yes, and the real address is 10.1.xxx.xxx, a private address not directly accessible from the internet.

I am thinking about making a tunnel through the internet with the help of SSTP, because that seems to be the simplest way to do it.

With this configuration you should be able to connect to the router through Winbox only from the LAN side.

If you want to connect from the public internet, then a copy of the ICMP rule with the protocol changed to tcp and dst-port specified as 8291 should work. If you did specify src-address when you tried such a rule, then please make sure that the address was correct.
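A check of the /ip service restriction and the accept rule discussed in this thread, as an added Python example that is not code from the thread or from MikroTik: it parses an /ip service export in the format quoted earlier, lists enabled services left without an address= list, tests whether a given source would be admitted by a service, and reports whether a WAN address is private (like the 10.1.x.x address behind the hotspot, which no public-source accept rule can ever match). The sample export and the 203.0.113.7 source address are constructed placeholders.

```python
import ipaddress
import re

# Constructed sample export in the "/ip service" format quoted in the thread.
# 203.0.113.7 is a placeholder for the admin's public source address.
SAMPLE_EXPORT = """\
/ip service
set telnet disabled=yes
set ftp disabled=yes
set www address=192.168.0.0/16
set ssh address=192.168.0.0/16
set api disabled=yes
set winbox address=192.168.0.0/16,203.0.113.7
set www-ssl
"""

def parse_ip_service(export_text):
    """Map service name -> {"disabled": bool, "address": [ip_network, ...]}."""
    services = {}
    for line in export_text.splitlines():
        m = re.match(r"set\s+(\S+)(.*)", line.strip())
        if not m:
            continue  # skip the "/ip service" header and blank lines
        name, rest = m.group(1), m.group(2)
        addr = re.search(r"address=(\S+)", rest)
        nets = [ipaddress.ip_network(a, strict=False)
                for a in addr.group(1).split(",")] if addr else []
        services[name] = {"disabled": "disabled=yes" in rest, "address": nets}
    return services

def unrestricted_services(services):
    """Enabled services with no address= list: they accept any source the firewall lets in."""
    return sorted(n for n, s in services.items() if not s["disabled"] and not s["address"])

def allows(services, name, src):
    """True if service `name` is enabled and its address list admits `src`."""
    svc = services.get(name)
    if svc is None or svc["disabled"]:
        return False
    if not svc["address"]:
        return True  # no restriction at all
    ip = ipaddress.ip_address(src)
    return any(ip in net for net in svc["address"])

def reachable_from_internet(wan_addr):
    """False for RFC 1918 addresses such as the 10.1.x.x hotspot address from the
    thread: an accept rule for a public source can never match on such a WAN."""
    return not ipaddress.ip_address(wan_addr).is_private
```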

Thanks Strods. Jorge also put in an extra line with source-address=local to cover the external IP of the Groove, 10.1.130.111, that sn.mynetname.net gives.

The problem is that the ISP's hotspot, which is probably also a Mikrotik, reacts to my Winbox connect attempts… However, I don’t want to connect to, and am not allowed to connect to, that ISP hotspot.

I can ping 10.1.130.111 from Winbox but not from my PC, and I see traffic on the SSTP go toward the Groove but not return. I only get returns when I ping from Winbox.

I now have access to the Groove, and the interface is really fast, as if you are working on your own Mikrotik.

SSTP is not that easy, and the last piece of the puzzle was the route back to my local network on the client side. The next time the hotspot is reconnected, I can change my settings again to whatever IP is coming in with the SSTP requests.

/ip route add dst-address=192.168.124.0/24 gateway=sstp-out1 was the route command. It would be easier if that could be entered on the server side and sent to the client. The server knows the local network range and the client only has to determine the sstp-out1 part.

Reaching what we achieved today is a big step after a period of many weeks of communicating through the forum, and it accelerated when I could contact Jorge by e-mail and did not have to do it through postings in the forum.