Guys,
i added the firewall run so to open port 8291 but no luck
i cant connect to the router with winbox from the wan port
ping to the wan works
firewall rules are stock i just added the winbox one
look the pic below .. line 5 .
routerboard model below
https://prnt.sc/fqGChtOVniYU
Yep, but do you have these (they are default)?
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN
If the port you are using is not in the LAN interface list the second will prevent winbox access.
You need:
/tool mac-server mac-winbox
set allowed-interface-list=all
if you want access from both LAN and WAN ports (and AFAIK you don’t need a special rule in firewall for port 8291, while it is vital to disable - as you did - the rule “drop all not coming from LAN”)
it is a SXT R that have an EM06-A LTE RADIO
and so im assuming the WAN is on the LTE side ?
what commands i need to do on the terminal so i can pull the info you need
i dont know on what part to look in winbox
i can reach the box via the public IP
when i ping it
but some how winbox refuse to connect.
it just times out
I lost you, in the title you talked of a WAN port? 
It is entirely possible that you have changes in the configuration that reverse the default logic of Mikrotik (winbox access only allowed from LAN side)
Anyway, if you can somehow connect with winbox from one of the ethernet ports or via WI-FI, follow these instructions:
http://forum.mikrotik.com/t/forum-rules/173010/1
and post your configuration.
@rolo95 - Just some friendly advice: never ever expose your router services, like port 8291, for external access through the internet on the LTE/WAN port. Instead, use a VPN like RouterOS ‘Back to Home’ or similar. Also, avoid using ‘/tool mac-server mac-winbox set allowed-interface-list=ALL’.
yes i can access winbox from the LAN side , with a cable connected to the ETH1 ( that device only have 2 ports )
WAN side i mean, connecting from a remote location, im using my cellphone with the mikrotik app and also tried with a laptop via a hotspot and
even i can ping the mikrotik , the winbox session just timeout and cant connect.
ok i created the dump file but it won’t let me paste in to a notepad, nothing happens
and i already tried paste… CTR-V , arrggg
i wish MT made drag and drop from the files window possible but that do not work either
https://prnt.sc/dg8dr7Gck22o
AHH!!!
i was able to make it to work
i can drag to the desktop
ok so i dragged it
change the extension to TXT ( that is not mentioned in the guide lol )
opened it
select all
CTRL -C
click CODE brackets
CTRL -V
DONE !!
# 2024-05-29 09:26:22 by RouterOS 7.14.3
# software id = A2N8-******
#
# model = RBSXTR
# serial number = HG1********
/interface bridge
add admin-mac=18:FD:******* auto-mac=no comment=defconf name=bridge \
port-cost-mode=short
/interface ethernet
set [ find default-name=ether1 ] mac-address=18:FD:*******
set [ find default-name=ether2 ] mac-address=18:FD:*******
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface lte apn
add apn=broadband use-network-apn=yes
/interface lte
set [ find default-name=lte1 ] allow-roaming=no apn-profiles=broadband \
band=4 network-mode=lte sms-read=no
/ip hotspot profile
set [ find default=yes ] html-directory=hotspot
/ip pool
add name=dhcp ranges=192.168.88.100-192.168.88.254
add name=vpn ranges=192.168.89.2-192.168.89.255
/ip dhcp-server
add address-pool=dhcp interface=bridge lease-time=10m name=defconf
/ppp profile
set *FFFFFFFE local-address=192.168.89.1 remote-address=vpn
/interface bridge port
add bridge=bridge comment=defconf interface=ether1 internal-path-cost=10 \
path-cost=10
add bridge=bridge comment=defconf interface=ether2 internal-path-cost=10 \
path-cost=10
/ip firewall connection tracking
set udp-timeout=10s
/ip neighbor discovery-settings
set discover-interface-list=LAN
/interface l2tp-server server
set enabled=yes use-ipsec=yes
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=lte1 list=WAN
/ip address
add address=192.168.88.1/24 comment=defconf interface=bridge network=\
192.168.88.0
/ip cloud
set ddns-enabled=yes
/ip dhcp-server network
add address=192.168.88.0/24 comment=defconf dns-server=1.1.1.1,8.8.8.8 \
gateway=192.168.88.1 netmask=24
/ip dns
set allow-remote-requests=yes
/ip dns static
add address=192.168.88.1 comment=defconf name=router.lan
/ip firewall filter
add action=accept chain=input comment=\
"defconf: accept established,related,untracked" connection-state=\
established,related,untracked
add action=accept chain=input comment="allow IPsec NAT" dst-port=4500 \
protocol=udp
add action=accept chain=input comment="allow IKE" dst-port=500 protocol=udp
add action=accept chain=input comment="allow l2tp" dst-port=1701 protocol=udp
add action=accept chain=input comment=WINBOX connection-nat-state=dstnat \
connection-state=new connection-type="" dst-port=8291 protocol=tcp
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
invalid disabled=yes
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment=\
"defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
disabled=yes in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
connection-state=established,related hw-offload=yes
add action=accept chain=forward comment=\
"defconf: accept established,related, untracked" connection-state=\
established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
connection-state=invalid
add action=drop chain=forward comment=\
"defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
connection-state=new in-interface-list=WAN
/ip firewall mangle
add action=change-ttl chain=postrouting new-ttl=set:64 out-interface=lte1
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" \
ipsec-policy=out,none out-interface-list=WAN
add action=masquerade chain=srcnat comment="masq. vpn traffic" src-address=\
192.168.89.0/24
/ipv6 firewall address-list
add address=::/128 comment="defconf: unspecified address" list=bad_ipv6
add address=::1/128 comment="defconf: lo" list=bad_ipv6
add address=fec0::/10 comment="defconf: site-local" list=bad_ipv6
add address=::ffff:0.0.0.0/96 comment="defconf: ipv4-mapped" list=bad_ipv6
add address=::/96 comment="defconf: ipv4 compat" list=bad_ipv6
add address=100::/64 comment="defconf: discard only " list=bad_ipv6
add address=2001:db8::/32 comment="defconf: documentation" list=bad_ipv6
add address=2001:10::/28 comment="defconf: ORCHID" list=bad_ipv6
add address=3ffe::/16 comment="defconf: 6bone" list=bad_ipv6
/ipv6 firewall filter
add action=accept chain=input comment=\
"defconf: accept established,related,untracked" connection-state=\
established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
invalid
add action=accept chain=input comment="defconf: accept ICMPv6" protocol=\
icmpv6
add action=accept chain=input comment="defconf: accept UDP traceroute" port=\
33434-33534 protocol=udp
add action=accept chain=input comment=\
"defconf: accept DHCPv6-Client prefix delegation." dst-port=546 protocol=\
udp src-address=fe80::/10
add action=accept chain=input comment="defconf: accept IKE" dst-port=500,4500 \
protocol=udp
add action=accept chain=input comment="defconf: accept ipsec AH" protocol=\
ipsec-ah
add action=accept chain=input comment="defconf: accept ipsec ESP" protocol=\
ipsec-esp
add action=accept chain=input comment=\
"defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=input comment=\
"defconf: drop everything else not coming from LAN" in-interface-list=\
!LAN
add action=accept chain=forward comment=\
"defconf: accept established,related,untracked" connection-state=\
established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
connection-state=invalid
add action=drop chain=forward comment=\
"defconf: drop packets with bad src ipv6" src-address-list=bad_ipv6
add action=drop chain=forward comment=\
"defconf: drop packets with bad dst ipv6" dst-address-list=bad_ipv6
add action=drop chain=forward comment="defconf: rfc4890 drop hop-limit=1" \
hop-limit=equal:1 protocol=icmpv6
add action=accept chain=forward comment="defconf: accept ICMPv6" protocol=\
icmpv6
add action=accept chain=forward comment="defconf: accept HIP" protocol=139
add action=accept chain=forward comment="defconf: accept IKE" dst-port=\
500,4500 protocol=udp
add action=accept chain=forward comment="defconf: accept ipsec AH" protocol=\
ipsec-ah
add action=accept chain=forward comment="defconf: accept ipsec ESP" protocol=\
ipsec-esp
add action=accept chain=forward comment=\
"defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=forward comment=\
"defconf: drop everything else not coming from LAN" in-interface-list=\
!LAN
/ppp secret
add name=vpn
/system clock
set time-zone-autodetect=no time-zone-name=America/Chicago
/system identity
set name=iPhone12
/system note
set show-at-login=no
/system ntp client
set enabled=yes
/system ntp client servers
add address=time.google.com
/system watchdog
set watch-address=1.1.1.1
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN
see the pic below
https://prnt.sc/pp7MmiB6o5bp
It’s a pity they don’t support the MIPS platform for BTH for some weird reason. But there’s always the “regular” WireGuard that BHT also uses. The important thing is that you never expose ROS services directly to the internet.
Btw, you can attach files to your posts using the “Attachments” button, just to the right of “Options” at the bottom of the editor.
EDIT:
nevermind…
ic
just dipping my toes in to the command line but i use winbox all the time
where are those settings in winbox
and also using the android built in VPN what is the protocol to use in the MT
so i can VPN from the android phone and use the MT android app to connect
I think Wireguard would work great. Start a new thread asking for help with setting up Wireguard (like “How to setup Wireguard for RBSXTR”) using the same text you just described about your need to connect your Android with Wireguard. Include the previous export and mention which Mikrotik model it is and that it’s an LTE device.
10-4
Thanks for you Help !