Winbox does not find hAP ac

Hi, this is my configuration:
The Mikrotik is connected to a modem router (router 1) on the WAN port and receives its IP from router 1 (DHCP client).
Another router (router 2) is also connected to the modem via the WAN and also receives an IP from router 1.
All devices are in the 192.168.88.0/24 network.
The Mikrotik has its own DHCP server where it manages 192.188.0.1/24.
Router 2 has its own DHCP server where it manages 192.188.1.0/24.
I have to use Winbox from the router 2 network (192.188.1.0/24) and be able to connect to the Mikrotik.
What configuration do I have to do to be able to connect to mikrotik?

Thanks.
P.S. Sorry for my poor English

As described you would have to make available access on the WAN port of the MikroTik. Just open the Winbox port on the WAN port input chain…that is it.

another zombie for botnets…

I opened the input port to the WAN but it doesn’t work.

what about exporting your setup file? Hide sensitive data before you post it here

My configuration:

# jan/14/2023 12:01:39 by RouterOS 7.7
# software id = xxxxxx
#
# model = RB962UiGS-5HacT2HnT
# serial number = xxxxxx
/interface bridge
add name=LAN
/interface wireless
set [ find default-name=wlan2 ] ssid=MikroTik
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
add authentication-types=wpa2-psk,wpa2-eap mode=dynamic-keys name=xxx \
    supplicant-identity=""
/interface wireless
set [ find default-name=wlan1 ] band=2ghz-b/g/n country=xxxxx \
    default-forwarding=no disabled=no mode=ap-bridge security-profile=xxx \
    ssid=xxxxx wireless-protocol=802.11 wps-mode=disabled
/ip hotspot profile
set [ find default=yes ] html-directory=hotspot
/ip pool
add name=dhcp_pool0 ranges=192.168.1.2-192.168.1.254
/ip dhcp-server
add address-pool=dhcp_pool0 interface=LAN name=dhcp1
/interface bridge port
add bridge=LAN interface=ether2
add bridge=LAN interface=ether3
add bridge=LAN interface=ether4
add bridge=LAN interface=ether5
add bridge=LAN interface=wlan1
/ip address
add address=192.168.1.1/24 interface=LAN network=192.168.1.0
/ip dhcp-client
add interface=ether1
/ip dhcp-server lease
add address=192.168.1.253 comment="xxxxx" \
    mac-address=xxxxxx server=dhcp1
add address=192.168.1.252 comment="xxxxxx=\
    xxxxx server=dhcp1
add address=192.168.1.251 comment="xxxxxx=\
    xxxxxxx server=dhcp1
add address=192.168.1.250 comment="xxxxxx=\
    xxxxxx server=dhcp1
add address=192.168.1.249 comment="xxxxxx" mac-address=\
    xxxxxxx server=dhcp1
add address=192.168.1.248 comment="xxxxxx" mac-address=\
    xxxxxx server=dhcp1
add address=192.168.1.247 comment="xxxxx" mac-address=\
    xxxxx server=dhcp1
add address=192.168.1.246 client-id=1:xxxxxx comment=xxx \
    mac-address=xxxxxxx server=dhcp1
add address=192.168.1.244 comment="xxxxx" mac-address=xxxxxxx \
    server=dhcp1
add address=192.168.1.242 comment="xxxxxx" mac-address=\
    xxxxxx server=dhcp1
add address=192.168.1.240 comment="xxxxx" mac-address=\
    xxxxxx server=dhcp1
add address=192.168.1.239 comment="xxxxxx" mac-address=\
    xxxxxx server=dhcp1
add address=192.168.1.238 comment="xxxxx" mac-address=\
    xxxxxx server=dhcp1
add address=192.168.1.237 comment="xxxx" mac-address=\
    xxxxxx server=dhcp1
add address=192.168.1.236 comment="xxxxx" mac-address=\
    xxxxxx server=dhcp1
add address=192.168.1.233 client-id=1:xxxxx comment=\
    xxxxx mac-address=xxxxxx server=dhcp1
add address=192.168.1.232 client-id=1:xxxxx comment=Rxxxxx \
    mac-address=xxxxx server=dhcp1
add address=192.168.1.231 client-id=1:xxxxx comment=xxxxx \
    mac-address=xxxxxx server=dhcp1
add address=192.168.1.235 client-id=1:xxxxx comment=xxxxx \
    mac-address=7xxxxxxxx server=dhcp1
/ip dhcp-server network
add address=192.168.1.0/24 dns-server=8.8.8.8,8.8.4.4 gateway=192.168.1.1
/ip firewall address-list
add address=192.168.88.0/24 list=ACCESSO-RB
add address=192.168.0.0/24 list=ACCESSO-RB
/ip firewall filter
add action=accept chain=input comment=ACCESSO-RB dst-port=22,80,8291 \
    protocol=tcp src-address-list=ACCESSO-RB
add action=drop chain=input comment="DROP SERVIZI RB" dst-port=\
    22,80,8291 protocol=tcp
add action=accept chain=input comment="ACCEPT ENSTABIBLISHED RELATED" \
    connection-state=established,related
add action=accept chain=input comment="ACCEPT ECHO REQUEST" icmp-options=8:0 \
    protocol=icmp
add action=drop chain=input comment="DROP EVERYTHING ELSE" in-interface=\
    ether1
add action=drop chain=forward connection-state=invalid
add action=drop chain=forward dst-address-list=192.168.88.0/24 \
    src-address-list=192.168.1.0/24
/ip firewall nat
add action=masquerade chain=srcnat src-address=192.168.1.0/24
/ip firewall service-port
set irc disabled=no
set rtsp disabled=no
/ip service
set telnet disabled=yes
set ftp disabled=yes
set www port=80
set ssh port=22
set api disabled=yes
set winbox port=8291
set api-ssl disabled=yes
/system clock
set time-zone-name=xxxxxxx
/system ntp client
set enabled=yes
/system ntp client servers
add address=pool.ntp.org

My guess: check your address list ACCESSO-RB in the first firewall rule

/ip firewall filter
add action=accept chain=input comment=ACCESSO-RB dst-port=22,80,8291 \
    protocol=tcp src-address-list=ACCESSO-RB

As a test: disable that firewall rule, see if it works then. If it works, you know the problem is there.
Check the connection list for winbox access then to see which subnets you need to add.

It's all a mess…

Anyway, paste this into the terminal:

/ip firewall address-list
add address=192.168.1.0/24 list=ACCESSO-RB

Thanks. What do you mean by "all a mess"? How can I fix everything? I followed a guide, but I just can't digest the firewall.

Get help from @anav, he has even written a guide, look for it on the forum.
Before they tell us off, let's write in English…

Sorry, but it does not work.
Could the problem be that it has to connect to the WAN?

Translation: your firewall rules SUCK!
Keep the default rules, add user needed rules, drop all else.

From the link - https://forum.mikrotik.com/viewtopic.php?t=180838

Recommend:

/ip firewall filter
{Input Chain}
(default rules)
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
(user rules)
add action=accept chain=input src-address-list=Authorized
add action=accept chain=input in-interface-list=LAN dst-port=53 protocol=tcp { access to dns and ntp services: dns is tcp+udp 53, ntp is udp 123 }
add action=accept chain=input in-interface-list=LAN dst-port=53,123 protocol=udp
add action=drop chain=input comment="drop all else" *****
{forward chain}
(default rules)
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related
add action=accept chain=forward comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
(user rules)
add action=accept chain=forward comment="allow internet traffic" in-interface-list=LAN out-interface-list=WAN
add action=accept chain=forward comment="allow port forwarding" connection-nat-state=dstnat
add action=drop chain=forward comment="drop all else"

Note1: Where Authorized is a firewall address list for the admin to access the router and consists of (replace the placeholders with your own addresses)
/ip firewall address-list
add address=<ip of admin at desktop> list=Authorized
add address=<ip of admin at ipad> list=Authorized
add address=<ip of admin via remote vpn such as wireguard> list=Authorized
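To see why the posted input chain rejects Winbox from some sources (the address-list guess above) and how the "drop all else" structure recommended here behaves differently, the following is an added Python model of first-match firewall evaluation. It is example code written for this thread, not RouterOS code and not from any poster; it reimplements only the matchers these rules use (protocol, dst-port, src-address-list, in-interface, connection-state). The sample source addresses 192.168.88.20, 192.168.1.50, 192.168.1.10 and 10.0.0.5 are constructed; the address the MikroTik really sees is whatever arrives on ether1 after any NAT on the second router, which is exactly what the connection-list check suggested earlier reveals.

```python
import ipaddress
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple


@dataclass
class Packet:
    src: str                       # source IPv4 address as seen by the router
    dst_port: int
    protocol: str = "tcp"
    in_interface: str = "ether1"   # ether1 is the WAN port in the posted config
    connection_state: str = "new"  # "new", "established", "related", "invalid", "untracked"


@dataclass
class Rule:
    action: str                    # "accept" or "drop"
    comment: str = ""
    protocol: Optional[str] = None
    dst_ports: Set[int] = field(default_factory=set)
    src_address_list: Optional[str] = None
    in_interface: Optional[str] = None
    connection_states: Set[str] = field(default_factory=set)

    def matches(self, pkt: Packet, address_lists: Dict[str, List[str]]) -> bool:
        """Every matcher set on the rule must match; an unset matcher matches anything."""
        if self.protocol is not None and pkt.protocol != self.protocol:
            return False
        if self.dst_ports and pkt.dst_port not in self.dst_ports:
            return False
        if self.in_interface is not None and pkt.in_interface != self.in_interface:
            return False
        if self.connection_states and pkt.connection_state not in self.connection_states:
            return False
        if self.src_address_list is not None:
            ip = ipaddress.ip_address(pkt.src)
            nets = address_lists.get(self.src_address_list, [])
            if not any(ip in ipaddress.ip_network(n) for n in nets):
                return False
        return True


def evaluate(chain: List[Rule], pkt: Packet, address_lists: Dict[str, List[str]]) -> Tuple[str, str]:
    """Walk the chain top to bottom; the first matching rule decides.
    A packet that reaches the end of a RouterOS chain without a match is accepted."""
    for rule in chain:
        if rule.matches(pkt, address_lists):
            return rule.action, rule.comment
    return "accept", "end of chain (implicit accept)"


# Input chain and address list as posted in the thread (192.168.1.0/24 is NOT in the list).
OP_LISTS = {"ACCESSO-RB": ["192.168.88.0/24", "192.168.0.0/24"]}
OP_INPUT = [
    Rule("accept", "ACCESSO-RB", protocol="tcp", dst_ports={22, 80, 8291}, src_address_list="ACCESSO-RB"),
    Rule("drop", "DROP SERVIZI RB", protocol="tcp", dst_ports={22, 80, 8291}),
    Rule("accept", "ACCEPT ESTABLISHED RELATED", connection_states={"established", "related"}),
    Rule("accept", "ACCEPT ECHO REQUEST", protocol="icmp"),
    Rule("drop", "DROP EVERYTHING ELSE", in_interface="ether1"),
]

# The recommended "drop all else" structure, reduced to the matchers modelled here.
# The Authorized list content is a constructed placeholder.
REC_LISTS = {"Authorized": ["192.168.88.0/24"]}
REC_INPUT = [
    Rule("accept", "defconf: accept established,related,untracked",
         connection_states={"established", "related", "untracked"}),
    Rule("drop", "defconf: drop invalid", connection_states={"invalid"}),
    Rule("accept", "defconf: accept ICMP", protocol="icmp"),
    Rule("accept", "Authorized", src_address_list="Authorized"),
    Rule("drop", "drop all else"),
]


def winbox_verdict(src: str, chain: List[Rule], lists: Dict[str, List[str]]) -> Tuple[str, str]:
    """Verdict for a new Winbox (TCP/8291) connection arriving on ether1 from src."""
    return evaluate(chain, Packet(src=src, dst_port=8291), lists)


if __name__ == "__main__":
    for src in ("192.168.88.20", "192.168.1.50"):
        print(src, "posted chain ->", winbox_verdict(src, OP_INPUT, OP_LISTS))
    # A host on the MikroTik's own LAN bridge is dropped too: its subnet is missing from the list.
    lan_pkt = Packet(src="192.168.1.10", dst_port=8291, in_interface="LAN")
    print("192.168.1.10 via LAN bridge ->", evaluate(OP_INPUT, lan_pkt, OP_LISTS))
    # The thread's suggested fix: add 192.168.1.0/24 to the address list.
    fixed = {"ACCESSO-RB": OP_LISTS["ACCESSO-RB"] + ["192.168.1.0/24"]}
    print("192.168.1.50 after the fix ->", winbox_verdict("192.168.1.50", OP_INPUT, fixed))
    print("10.0.0.5 recommended chain ->", winbox_verdict("10.0.0.5", REC_INPUT, REC_LISTS))
```

Running it shows the difference between the two designs: in the posted chain an unlisted source is caught by the explicit "DROP SERVIZI RB" rule for the management ports only, and everything not matched by a rule falls through to the implicit accept, whereas the recommended chain ends in an unconditional drop so that any service not explicitly allowed is closed by default.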

Let me get this straight,
a. you do not have a public IP address.
b. you have two routers attached to the ISPs modem router.
c. R1, which you have access to, is the mikrotik hapac2, but the router you are trying to reach it from is a big UNKNOWN and we don't even know if you can access it.??????

Q. WTF model of router is at R2? And if it's a mikrotik, where is the config..........??? You only provide the config of R1.


In any case,..........
Access is predicated by a few things..............
-winbox service allowed addresses, if left blank all addresses are permitted
-mac-winbox setting in the config should include an interface list which may be blocking access depending
-firewall rules in the input chain could be an issue.

So, Your config is missing the settings..........
/tool mac-server mac-winbox
set allowed-interface-list=LAN ** or any interface list you create.................. If missing not sure what the outcome is.............. But it probably defaults to ALL, which is fine in terms its not causing issues in your case.

Finally, being in a different subnet with no real linkages, winbox via mac may not find the hapac.............. without some additional help, and that's assuming both routers are MT.

+++++++++++++++++++++++++++
Consider rejigging your setup, why use three routers......

Let me get this straight,
a. you do not have a public IP address.

My public ip is provided to me by the isp router.

b. you have two routers attached to the ISPs modem router.

Yes.

c. R1 which you have access too is the mikrotik hapac2 but the router you are trying to reach it from is a big UNKNOWN and we dont even know if you can access it.???
I have three routers.

1. ISP
2. Mikrotik
3. Fritzbox

I have access to all.

My network was split with two cascading routers from the ISP to split the home network (PCs and phones) with Fritzbox, and from an external IoT network Mikrotik.
IoT network just needs to connect to the internet.
But I need to reach some IPs in the Fritzbox router network via Netwatch.

From the internal network of the Fritzbox I need to connect to the Mikrotik via the winbox.

The fritzbox and the mikrotik are connected to the WAN towards the ISP.
Do you think this is possible?

In the meantime, I change the firewall configuration. Thanks for everything.

Okay then the confusion is your use of Modem Router, it is not a router and ONLY a modem which can spit out more than one public IP. If it was also a router you would get private IPs from the Router.

The fritz has its own public IP and the MT had its own public IP.

You wish to reach some fritzbox IPs from the MT.

Sadly this is only possible if configured at the fritz box is my understanding…

No, I have only one public IP and the ISP modem router has it.
The Mikrotik and the Fritzbox are in the local network with the modem router.
The modem router has a DHCP server. 192.168…

Make a drawing please indicating what is where.

Suggestion: one picture is sometimes worth more than a thousand words.

It must probably be something like this:

But I am at loss as to put the right IPs in the diagram.
superman71 should be a bit clearer about that.
Diagramma senza titolo.jpg

Attached is my network configuration
Configuration.pdf (12.8 KB)

With all due respect but that drawing doesn’t match AT ALL with the info in the first post …