I’m using an RB951-2n with RouterOS v6.43rc23.
I am trying to connect from my home IP address to the WAN address of this device, with no success. Port 8291 is explicitly open to the world, but I still cannot connect to the router.
I’ve read somewhere that the newer RouterOS versions block all kinds of access from the Internet, but that certain connections can be allowed somehow.
Please advise how I can gain access via the WAN port.
Never, ever open your management ports to the whole world. Even if you have updated RouterOS, there may be an unknown vulnerability. In the past two years there was an enormous number of hacked devices which would have been fine even with a vulnerable version if their www/winbox services had not been available from the Internet.
I understand this is not what you want to hear but it is really important to understand the risk.
The recommended way for connecting from the outside world is a VPN. Even if it is just PPTP (which is considered not really secure), it will do the job and it is really easy to configure.
If a VPN is no option, you can open 8291, but you should use port knocking.
Set it up so you need to knock 3-4 ports in a given time interval before 8291 opens.
Search for port knocking on how to set it up.
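As an added example, not part of the reply above or of any poster's configuration, here is one way to implement the three-knock sequence described there on RouterOS. The knock ports 1111, 2222 and 3333, the address-list names, the interface name ether-WAN and the timeouts are assumptions chosen for illustration; the rules have to sit above whatever rule drops the rest of the input chain, otherwise the knocks never reach them.

```routeros
# Added example, not from the thread. Knock ports, list names, interface name and timeouts are assumed values.
/ip firewall filter
# Stage 1: a TCP packet to port 1111 from the WAN puts the source in "knock1" for 15 seconds
add chain=input action=add-src-to-address-list protocol=tcp dst-port=1111 in-interface=ether-WAN \
    address-list=knock1 address-list-timeout=15s comment="Knock stage 1"
# Stage 2: only a source already in knock1 advances to knock2 (an out-of-order knock does nothing)
add chain=input action=add-src-to-address-list protocol=tcp dst-port=2222 in-interface=ether-WAN \
    src-address-list=knock1 address-list=knock2 address-list-timeout=15s comment="Knock stage 2"
# Stage 3: completing the sequence in time grants Winbox access for one hour
add chain=input action=add-src-to-address-list protocol=tcp dst-port=3333 in-interface=ether-WAN \
    src-address-list=knock2 address-list=winbox-allowed address-list-timeout=1h comment="Knock stage 3"
# Winbox from the WAN only for sources that completed the sequence; any other attempt on 8291 is dropped
add chain=input action=accept protocol=tcp dst-port=8291 in-interface=ether-WAN \
    src-address-list=winbox-allowed comment="Winbox after knock"
add chain=input action=drop protocol=tcp dst-port=8291 in-interface=ether-WAN comment="Drop unknocked Winbox"
```

The add-src-to-address-list action does not terminate processing, so the knock packets themselves fall through to the normal drop rule and get no reply; the knocker only needs to send one TCP connection attempt to each of the three ports in order within the 15-second window, after which port 8291 answers from that source address until the one-hour entry expires.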
Port knocking is an interesting solution, especially if you need to connect from anywhere in the world without a VPN, but I need to connect to the office from my home IP, which is static.
I whitelisted my IP in all categories: Firewall, Services, Users but still cannot connect, though I do see packets matching the accept rule.
Am I missing something here?
P.S. Version 6.43.7
Remove all your firewall rules and use this sample rule set, which works. Replace 1.1.1.1 with your public address and 192.168.0.0 with your private side. Replace bridge-LAN and ether-WAN, naturally.
/ip firewall filter
add chain=input action=accept connection-state=established,related comment="Accept established related"
add chain=input action=accept in-interface=bridge-LAN comment="Allow LAN access to router and Internet"
add chain=input action=accept dst-port=8291 protocol=tcp src-address=1.1.1.1 comment="Remote Winbox"
add chain=input action=drop comment="Drop all other input"
add chain=forward action=accept connection-state=established,related comment="Accept established related"
add chain=forward action=accept connection-state=new in-interface=bridge-LAN comment="Allow LAN access to router and Internet"
add chain=forward action=accept connection-nat-state=dstnat in-interface=ether-WAN comment="Accept Port forwards"
add chain=forward action=drop comment="Drop all other forward"
/ip service
set winbox address=192.168.0.0/24,1.1.1.1/32
/ip ssh
set strong-crypto=yes
If you can see packets matching the accept rule (I have not seen your rule, but I assume it’s in the input chain, from your LAN IP to the WAN IP on port 8291), the traffic is reaching its destination, but either the return path is not there or the return is not accepted by the laptop because it is coming from a different IP than the one it sent the packets to.
Check this out: https://wiki.mikrotik.com/wiki/Hairpin_NAT
The solution is to make a src-nat to your LAN bridge, something like