Well, I just tried to access my MikroTik from the internet side, without success …
Probably I need some rules in the firewall … as far as I can see, WinBox is running on TCP port 8291 …
Any ideas what I'm doing wrong?
Please post your firewall configuration!
Here is the firewall filter … some rules are disabled … for testing only … others are from the hotspot walled garden, and some are for blocking viruses … from the demo MikroTik …
/ip firewall filter
add action=passthrough chain=unused-hs-chain comment=\
"place hotspot rules here" disabled=no
add action=accept chain=input comment="winbox from wan" disabled=no dst-port=\
8291 in-interface=adsl protocol=tcp
add action=accept chain=forward comment="winbox from wan" disabled=no \
dst-port=8291 in-interface=adsl protocol=tcp
add action=accept chain=input comment=\
"accept requests for local time server port 67 - udp" disabled=no \
dst-address=192.168.3.10 dst-port=123 protocol=udp
add action=jump chain=input comment="!!! Check for well-known viruses !!!" \
disabled=no jump-target=virus
add action=jump chain=forward comment="!!! Check for well-known viruses !!!" \
disabled=no jump-target=virus
add action=add-src-to-address-list address-list=users-with-virus-BlasterWorm \
address-list-timeout=1d chain=virus comment="Add user with Blaster Worm" \
disabled=no dst-port=135-139 protocol=tcp
add action=drop chain=virus comment="Drop Blaster Worm" disabled=no dst-port=\
135-139 protocol=tcp
add action=add-src-to-address-list address-list=\
users-with-virus-Messenger-Worm address-list-timeout=1d chain=virus \
comment="Add user with Messenger Worm" disabled=no dst-port=135-139 \
protocol=udp
add action=drop chain=virus comment="Drop Messenger Worm" disabled=no \
dst-port=135-139 protocol=udp
add action=add-src-to-address-list address-list=users-with-virus-Blaster-Worm \
address-list-timeout=1d chain=virus comment="Add user with Blaster Worm" \
disabled=no dst-port=445 protocol=tcp
add action=drop chain=virus comment="Drop Blaster Worm" disabled=no dst-port=\
445 protocol=tcp
add action=drop chain=virus comment=________ disabled=no dst-port=593 \
protocol=tcp
add action=add-src-to-address-list address-list=users-with-virus \
address-list-timeout=1d chain=virus comment="Add user with________" \
disabled=no dst-port=1024-1030 protocol=tcp
add action=drop chain=virus comment=________ disabled=no dst-port=1024-1030 \
protocol=tcp
add action=add-src-to-address-list address-list=users-with-virus-MyDoom \
address-list-timeout=1d chain=virus comment="Add user with MyDoom" \
disabled=no dst-port=1080 protocol=tcp
add action=drop chain=virus comment="Drop MyDoom" disabled=no dst-port=1080 \
protocol=tcp
add action=drop chain=virus comment=________ disabled=no dst-port=1214 \
protocol=tcp
add action=drop chain=virus comment="ndm requester" disabled=no dst-port=1363 \
protocol=tcp
add action=drop chain=virus comment="ndm server" disabled=no dst-port=1364 \
protocol=tcp
add action=add-src-to-address-list address-list=users-with-virus-screencast \
address-list-timeout=1d chain=virus comment="Add user with screen cast" \
disabled=no dst-port=1368 protocol=tcp
add action=drop chain=virus comment="screen cast" disabled=no dst-port=1368 \
protocol=tcp
add action=drop chain=virus comment=hromgrafx disabled=no dst-port=1373 \
protocol=tcp
add action=drop chain=virus comment=cichlid disabled=no dst-port=1377 \
protocol=tcp
add action=drop chain=virus comment=Worm disabled=no dst-port=1433-1434 \
protocol=tcp
add action=add-src-to-address-list address-list=users-with-virus-Sasser \
address-list-timeout=1d chain=virus comment="Add user with Sasser" \
disabled=no dst-port=5554 protocol=tcp
add action=drop chain=virus comment="Drop Sasser" disabled=no dst-port=5554 \
protocol=tcp
add action=add-src-to-address-list address-list=users-with-virus-BagleVirus \
address-list-timeout=1d chain=virus comment="Add user with Bagle Virus" \
disabled=no dst-port=2745 protocol=tcp
add action=drop chain=virus comment="Bagle Virus" disabled=no dst-port=2745 \
protocol=tcp
add action=drop chain=virus comment="Drop Dumaru.Y" disabled=no dst-port=2283 \
protocol=tcp
add action=drop chain=virus comment="Drop Beagle" disabled=no dst-port=2535 \
protocol=tcp
add action=drop chain=virus comment="Drop Beagle.C-K" disabled=no dst-port=\
2745 protocol=tcp
add action=add-src-to-address-list address-list=users-with-virus-MyDoom \
address-list-timeout=1d chain=virus comment="Add user with MyDoom" \
disabled=no dst-port=3127-3128 protocol=tcp
add action=drop chain=virus comment="Drop MyDoom" disabled=no dst-port=\
3127-3128 protocol=tcp
add action=drop chain=virus comment="Drop Backdoor OptixPro" disabled=no \
dst-port=3410 protocol=tcp
add action=drop chain=virus comment=Worm disabled=no dst-port=4444 protocol=\
tcp
add action=drop chain=virus comment=Worm disabled=no dst-port=4444 protocol=\
udp
add action=drop chain=virus comment="Drop Beagle.B" disabled=no dst-port=8866 \
protocol=tcp
add action=drop chain=virus comment="Drop Dabber.A-B" disabled=no dst-port=\
9898 protocol=tcp
add action=drop chain=virus comment="Drop Dumaru.Y" disabled=no dst-port=\
10000 protocol=tcp
add action=drop chain=virus comment="Drop MyDoom.B" disabled=no dst-port=\
10080 protocol=tcp
add action=drop chain=virus comment="Drop NetBus" disabled=no dst-port=12345 \
protocol=tcp
add action=drop chain=virus comment="Drop Kuang2" disabled=no dst-port=17300 \
protocol=tcp
add action=drop chain=virus comment="Drop SubSeven" disabled=no dst-port=\
27374 protocol=tcp
add action=drop chain=virus comment="Drop PhatBot, Agobot, Gaobot" disabled=\
no dst-port=65506 protocol=tcp
add action=drop chain=input comment="suppress DoS attack from 1 IP" \
connection-limit=10,32 disabled=yes protocol=tcp src-address-list=\
black_list
add action=add-src-to-address-list address-list=black_list \
address-list-timeout=1d chain=input comment="detect DoS attack 1 IP" \
connection-limit=10,32 disabled=yes protocol=tcp src-address=\
!192.168.11.200
add action=drop chain=forward comment="BLOCK SPAMMERS OR INFECTED USERS" \
disabled=no dst-port=25 protocol=tcp src-address-list=spammer
add action=add-src-to-address-list address-list=spammer address-list-timeout=\
1d chain=forward comment="Detect and add-list SMTP virus or spammers" \
connection-limit=30,32 disabled=no dst-port=25 limit=50,5 protocol=tcp
add action=drop chain=input comment="NOT a Open Proxy" disabled=no dst-port=\
3130 in-interface=adsl protocol=tcp src-address=0.0.0.0/0
add action=drop chain=input comment="drop ftp brute forcers" disabled=yes \
dst-port=21 protocol=tcp src-address-list=ftp_blacklist
add action=accept chain=output comment="" content="530 Login incorrect" \
disabled=no dst-limit=1/1m,9,dst-address/1m protocol=tcp
add action=drop chain=input comment="drop ssh brute forcers" disabled=no \
dst-port=22 protocol=tcp src-address-list=ssh_blacklist
add action=drop chain=forward comment="drop ssh brute downstream" disabled=no \
dst-port=22 protocol=tcp src-address-list=ssh_blacklist
add action=add-dst-to-address-list address-list=ftp_blacklist \
address-list-timeout=3h chain=output comment="detect ftp brute forcers" \
content="530 Login incorrect" disabled=no protocol=tcp
add action=add-src-to-address-list address-list=ssh_stage1 \
address-list-timeout=1m chain=input comment="detect ssh brute forcers 1" \
connection-state=new disabled=no dst-port=22 protocol=tcp
add action=add-src-to-address-list address-list=ssh_stage2 \
address-list-timeout=1m chain=input comment="detect ssh brute forcers 2" \
connection-state=new disabled=no dst-port=22 protocol=tcp \
src-address-list=ssh_stage1
add action=add-src-to-address-list address-list=ssh_stage3 \
address-list-timeout=1m chain=input comment="detect ssh brute forcers 3" \
connection-state=new disabled=no dst-port=22 protocol=tcp \
src-address-list=ssh_stage2
add action=add-src-to-address-list address-list=ssh_blacklist \
address-list-timeout=1w3d chain=input comment=\
"detect ssh brute forcers 4" connection-state=new disabled=no dst-port=22 \
protocol=tcp src-address-list=ssh_stage3
add action=accept chain=forward comment="" disabled=yes dst-port=25 protocol=\
tcp src-address-list=spammer
add action=add-src-to-address-list address-list="port scanners" \
address-list-timeout=2w chain=input comment=\
"Port scanners to list (problems with ftp\?)" disabled=yes protocol=tcp \
psd=21,3s,3,1
add action=add-src-to-address-list address-list="port scanners" \
address-list-timeout=2w chain=input comment="NMAP FIN Stealth scan" \
disabled=yes protocol=tcp tcp-flags=fin,!syn,!rst,!psh,!ack,!urg
add action=add-src-to-address-list address-list="port scanners" \
address-list-timeout=2w chain=input comment="SYN/FIN scan" disabled=yes \
protocol=tcp tcp-flags=fin,syn
add action=add-src-to-address-list address-list="port scanners" \
address-list-timeout=2w chain=input comment="SYN/RST scan" disabled=yes \
protocol=tcp tcp-flags=syn,rst
add action=add-src-to-address-list address-list="port scanners" \
address-list-timeout=2w chain=input comment="FIN/PSH/URG scan" disabled=\
yes protocol=tcp tcp-flags=fin,psh,urg,!syn,!rst,!ack
add action=add-src-to-address-list address-list="port scanners" \
address-list-timeout=2w chain=input comment="ALL/ALL scan" disabled=yes \
protocol=tcp tcp-flags=fin,syn,rst,psh,ack,urg
add action=add-src-to-address-list address-list="port scanners" \
address-list-timeout=2w chain=input comment="NMAP NULL scan" disabled=yes \
protocol=tcp tcp-flags=!fin,!syn,!rst,!psh,!ack,!urg
add action=drop chain=input comment="dropping port scanners" disabled=yes \
src-address-list="port scanners"
add action=drop chain=forward comment=\
"limit total news connections (all news server) to 20" connection-limit=\
20,0 disabled=yes dst-port=119 protocol=tcp
add action=drop chain=forward comment=\
"limit total news connections (local news server) to 4" connection-limit=\
4,0 disabled=yes dst-address=192.168.11.200 dst-port=119 protocol=tcp
add action=drop chain=forward comment="limit total http connections to 100" \
connection-limit=100,0 disabled=yes dst-port=80 protocol=tcp
add action=drop chain=forward comment="limit total p2p connections to 150" \
connection-limit=150,0 disabled=yes p2p=all-p2p protocol=tcp
add action=drop chain=forward comment="Layer 7 filter MSN" disabled=yes \
layer7-protocol=MSN
add action=drop chain=forward comment="Layer 7 filter MSN FT" disabled=yes \
layer7-protocol="MSN FT"
add action=drop chain=forward comment="Layer 7 filter skype" disabled=yes \
layer7-protocol=Skype
add action=drop chain=forward comment="Layer 7 filter skype-to-phone" \
disabled=yes layer7-protocol=Skype-to-Phone
add action=drop chain=forward comment="Layer 7 filter AIM" disabled=yes \
layer7-protocol=AIM
add action=drop chain=forward comment="Layer 7 filter MSN" disabled=yes \
layer7-protocol=MSN
add action=drop chain=forward comment="Layer 7 filter ICQ" disabled=yes \
layer7-protocol=ICQ
add action=drop chain=forward comment="Layer 7 filter IRC" disabled=yes \
layer7-protocol=IRC
add action=drop chain=forward comment="Layer 7 filter Yahoo" disabled=yes \
layer7-protocol=Yahoo
add action=drop chain=forward comment="Drop invalid connections" \
connection-state=invalid disabled=yes
Maybe it is time to temporarily disable all of them and then enable them one by one to find which rule is blocking WinBox?
Can't see any problems in this configuration.
You can try temporarily disabling all rules in the input chain. (Input is used to filter traffic entering the router; forward filters traffic going through it.)
Are there any NAT rules? And do SSH, telnet and HTTP to the router work?
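Rather than disabling rules one by one, the filter export can be replayed statically. The Python script below is an added example, not code from this thread or from MikroTik: it parses an export in the same format the poster pasted (a constructed, shortened excerpt is embedded; the interface name adsl and the final catch-all drop are assumptions, not taken from the posted config) and walks a single packet through the input chain the way RouterOS evaluates it: rules are tried in order, a jump descends into the target chain and falls back to the caller when nothing terminal matched there, non-terminal actions such as add-src-to-address-list fall through, and a packet that reaches the end of a built-in chain is accepted by default. Matchers the script does not model (tcp-flags, psd, content, limit and the like) are reported in the trace rather than silently ignored, so a "no match" verdict can be checked against the real rule.

```python
"""Static walk of RouterOS '/ip firewall filter' rules (added example)."""
import ipaddress
import re

# Constructed excerpt in the export format used in the thread; the catch-all
# drop at the end and the interface name 'adsl' are assumptions for the demo.
SAMPLE_EXPORT = r"""
/ip firewall filter
add action=accept chain=input comment="winbox from wan" disabled=no dst-port=\
    8291 in-interface=adsl protocol=tcp
add action=jump chain=input comment="!!! Check for well-known viruses !!!" \
    disabled=no jump-target=virus
add action=drop chain=virus comment="Drop Blaster Worm" disabled=no dst-port=\
    135-139 protocol=tcp
add action=drop chain=input comment="drop ssh brute forcers" disabled=no \
    dst-port=22 protocol=tcp src-address-list=ssh_blacklist
add action=drop chain=input comment="drop other wan input (assumed)" disabled=no \
    in-interface=adsl
"""

TERMINAL = {"accept", "drop", "reject", "tarpit"}
BUILTIN = {"input", "forward", "output"}
NON_MATCHERS = {"action", "chain", "comment", "disabled", "jump-target",
                "address-list", "address-list-timeout"}
KV = re.compile(r'(\S+?)=("(?:[^"\\]|\\.)*"|\S*)')


def parse_export(text):
    """Join backslash-continued lines and return one dict per 'add' rule."""
    joined = re.sub(r"\\\n\s*", "", text)
    rules = []
    for line in joined.splitlines():
        line = line.strip()
        if not line.startswith("add "):
            continue  # skips section headers such as '/ip firewall filter'
        rule = {}
        for key, val in KV.findall(line[4:]):
            if val.startswith('"'):
                val = re.sub(r"\\(.)", r"\1", val[1:-1])  # unquote, unescape
            rule[key] = val
        rules.append(rule)
    return rules


def _port_ok(spec, port):
    """dst-port specs look like '8291', '135-139' or '80,443'."""
    for part in spec.split(","):
        lo, _, hi = part.partition("-")
        if int(lo) <= port <= int(hi or lo):
            return True
    return False


def _addr_ok(spec, addr):
    """Address specs allow a leading '!' for negation and CIDR prefixes."""
    net = ipaddress.ip_network(spec.lstrip("!"), strict=False)
    return (ipaddress.ip_address(addr) in net) != spec.startswith("!")


def rule_matches(rule, pkt):
    """Return (matched, unsupported) for one rule against a packet dict."""
    unsupported = []
    for key, spec in rule.items():
        if key in NON_MATCHERS:
            continue
        if key == "protocol":
            ok = spec == pkt["protocol"]
        elif key == "dst-port":
            ok = _port_ok(spec, pkt["dst_port"])
        elif key in ("in-interface", "connection-state"):
            ok = spec == pkt[key.replace("-", "_")]
        elif key in ("src-address", "dst-address"):
            ok = _addr_ok(spec, pkt[key.replace("-", "_")])
        elif key == "src-address-list":
            ok = (spec.lstrip("!") in pkt["src_lists"]) != spec.startswith("!")
        else:
            unsupported.append(key)  # tcp-flags, psd, content, limit, ...
            ok = False  # conservative: a match cannot be proven
        if not ok:
            return False, unsupported
    return True, unsupported


def packet(protocol, dst_port, in_interface, src_address="203.0.113.5",
           dst_address="198.51.100.1", src_lists=(), connection_state="new"):
    """Build a packet dict; the default addresses are documentation ranges."""
    return {"protocol": protocol, "dst_port": dst_port,
            "in_interface": in_interface, "src_address": src_address,
            "dst_address": dst_address, "src_lists": set(src_lists),
            "connection_state": connection_state}


def evaluate(rules, chain, pkt, trace=None):
    """Walk one chain in order; return (verdict, trace). verdict is the
    terminal action, 'accept (default policy)' at the end of a built-in
    chain, or None when a user chain ends without a terminal match."""
    trace = [] if trace is None else trace
    for idx, rule in enumerate(rules):
        if rule.get("chain") != chain or rule.get("disabled") == "yes":
            continue
        matched, unsupported = rule_matches(rule, pkt)
        if unsupported:
            trace.append(f"rule {idx}: matcher(s) {unsupported} not modelled")
        if not matched:
            continue
        action = rule["action"]
        trace.append(f"rule {idx} [{chain}] {action}: {rule.get('comment', '')}")
        if action in TERMINAL:
            return action, trace
        if action == "jump":
            verdict, trace = evaluate(rules, rule["jump-target"], pkt, trace)
            if verdict is not None:
                return verdict, trace
        elif action == "return":
            return None, trace
    return ("accept (default policy)" if chain in BUILTIN else None), trace


if __name__ == "__main__":
    verdict, trace = evaluate(parse_export(SAMPLE_EXPORT), "input",
                              packet("tcp", 8291, "adsl"))
    print(verdict, *trace, sep="\n  ")
```

Run it against the full export of the router in question by replacing SAMPLE_EXPORT with the pasted text; the trace names the exact rule index and comment that accepted or dropped the WinBox packet, and any rule whose matchers the script could not evaluate is called out so it can be checked by hand.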
Sorry for the late reply … I was busy these days … the problem is still here … yes, I have NAT to my local servers … here is how:
/ip firewall nat
add action=passthrough chain=unused-hs-chain comment=\
"place hotspot rules here" disabled=no
add action=redirect chain=dstnat comment="intercept all DNS requests" \
disabled=no dst-port=53 protocol=udp
add action=masquerade chain=srcnat comment="masquerade network on eth5" \
disabled=no src-address=192.168.25.0/24
add action=masquerade chain=srcnat comment="masquerade hotspot network" \
disabled=no src-address=192.168.3.0/24
add action=masquerade chain=srcnat comment="masquerade public network" \
disabled=no src-address=192.168.11.0/24
add action=redirect chain=dstnat comment="transparent proxy - hotspot net" \
disabled=no dst-port=80 in-interface=ether2 protocol=tcp src-address=\
192.168.3.0/24 to-ports=3130
add action=redirect chain=dstnat comment="transparent proxy - public net" \
disabled=no dst-port=80 in-interface=Public protocol=tcp to-ports=3130
add action=redirect chain=dstnat comment="transparent proxy - ether5" \
disabled=no dst-port=80 in-interface=ether5 protocol=tcp to-ports=3130
add action=dst-nat chain=dstnat comment="server web - 80" disabled=no \
dst-port=80 in-interface=adsl protocol=tcp to-addresses=192.168.11.200 \
to-ports=80
add action=dst-nat chain=dstnat comment="server web - 80 backup WAN" \
disabled=no dst-port=80 in-interface=reserv protocol=tcp to-addresses=\
192.168.11.200 to-ports=80
add action=dst-nat chain=dstnat comment="server smpt - 25" disabled=no \
dst-port=25 in-interface=adsl protocol=tcp to-addresses=192.168.11.200 \
to-ports=25
add action=dst-nat chain=dstnat comment="server smpt - 25 backup WAN" \
disabled=no dst-port=25 in-interface=adsl protocol=tcp to-addresses=\
192.168.11.200 to-ports=25
add action=dst-nat chain=dstnat comment="server pop - 110" disabled=no \
dst-port=110 in-interface=adsl protocol=tcp to-addresses=192.168.11.200 \
to-ports=110
add action=dst-nat chain=dstnat comment="server news 119" disabled=no \
dst-port=119 in-interface=adsl protocol=tcp to-addresses=192.168.11.200 \
to-ports=119
add action=dst-nat chain=dstnat comment="server pop - 110 backup WAN" \
disabled=no dst-port=110 in-interface=reserv protocol=tcp to-addresses=\
192.168.11.200 to-ports=110
add action=dst-nat chain=dstnat comment="UltraVNC Viewer 5900 " disabled=no \
dst-port=5900 in-interface=adsl protocol=tcp to-addresses=192.168.11.200 \
to-ports=5900
add action=dst-nat chain=dstnat comment="winbox - 8291" disabled=yes \
dst-port=8291 in-interface=adsl protocol=tcp to-addresses=192.168.11.10 \
to-ports=8291
add action=dst-nat chain=dstnat comment="FTP Server" disabled=yes dst-port=21 \
in-interface=adsl protocol=tcp to-addresses=192.168.11.200 to-ports=20-21
add action=dst-nat chain=dstnat comment=emule disabled=yes dst-port=17322 \
in-interface=adsl protocol=tcp to-addresses=192.168.11.200 to-ports=17322
add action=dst-nat chain=dstnat comment=emule disabled=yes dst-port=17322 \
in-interface=adsl protocol=udp to-addresses=192.168.11.200 to-ports=17322
add action=dst-nat chain=dstnat comment="torent 6881 utorent" disabled=yes \
dst-port=6881 in-interface=adsl protocol=tcp to-addresses=192.168.11.200 \
to-ports=6881
add action=dst-nat chain=dstnat comment="torent 6881 utorent" disabled=yes \
dst-port=6881 in-interface=adsl protocol=udp to-addresses=192.168.11.200 \
to-ports=6881
add action=dst-nat chain=dstnat comment="torent 6882 bit spirit" disabled=yes \
dst-port=6882 in-interface=adsl protocol=tcp to-addresses=192.168.11.200 \
to-ports=6882
add action=dst-nat chain=dstnat comment="torent 6882 bit spirit" disabled=yes \
dst-port=6882 in-interface=adsl protocol=udp to-addresses=192.168.11.200 \
to-ports=6882
add action=dst-nat chain=dstnat comment="torent 38386 vuze" disabled=yes \
dst-port=38386 in-interface=adsl protocol=tcp to-addresses=192.168.11.200 \
to-ports=38386
add action=dst-nat chain=dstnat comment="torent 38386 vuze" disabled=yes \
dst-port=38386 in-interface=adsl protocol=udp to-addresses=192.168.11.200 \
to-ports=38386
You should have the same WinBox version as RouterOS, and also a public IP.
Yes, of course, same version of WinBox, same PC (only a different connection), and my NAT on the MikroTik is working; I see my web server and e-mail server, and even the news server is temporarily accessible …
I think it is something with the port … maybe I need to try changing the WinBox port?
Is that address public? Can you ping it from the same PC where your WinBox is?
Yes, it is a public IP on my ADSL line and it changes every 24 hours; today it is 188.129.87.39.
So I tried again to connect with WinBox to 188.129.87.39 on port 80, to 188.129.87.39:8291 and also to mydomain.com … at the same time (all the time) I connect normally to all my services (POP, SMTP, WWW etc.) behind the router … so the MikroTik is doing src-nat OK …
I'm out of ideas about what is wrong …
I'm running MikroTik on a RouterBOARD 450 with userman, hotspot, PPPoE server and RADIUS all on the same RouterBOARD (with mangle and QoS) and everything is running normally … if necessary I can post other configuration …
I just accidentally connected via another internet line and checked that all my services are accessible … which they are … except WinBox …