nitrogear
just joined
Topic Author
Posts: 4
Joined: Wed Sep 13, 2017 11:46 am

Can't open port for remote access

Wed Sep 13, 2017 11:54 am

Hello,

Sorry for a dumb question, but I really don't understand the logic of MikroTik. On my router the winbox service is enabled and the port is open from outside even without an additional firewall rule.
However, when I do the same for ssh or www-ssl I can access them from the local network, but not from outside. I added firewall rules for the services, but the ports are still closed.

Could someone explain to me how to open ssh and www-ssl for access from WAN?

Thank you.

/ip firewall filter print
Flags: X - disabled, I - invalid, D - dynamic
 0  D ;;; special dummy rule to show fasttrack counters
      chain=forward
 1    chain=input action=accept protocol=tcp dst-port=8443 log=no log-prefix=""
 2    chain=input action=accept protocol=tcp dst-port=44022 log=no log-prefix=""
 3    ;;; defconf: fasttrack
      chain=forward action=fasttrack-connection connection-state=established,related log=no log-prefix=""
 4    ;;; defconf: accept established,related
      chain=forward action=accept connection-state=established,related log=no log-prefix=""
 5    ;;; defconf: drop invalid
      chain=forward action=drop connection-state=invalid log=no log-prefix=""
 6    ;;; defconf:  drop all from WAN not DSTNATed
      chain=forward action=drop connection-state=new connection-nat-state=!dstnat in-interface=ether1 log=no log-prefix=""

/ip service print
Flags: X - disabled, I - invalid
 #    NAME      PORT   ADDRESS          CERTIFICATE
 0 XI telnet    23
 1    ftp       21     192.168.0.0/16
 2    www       80     192.168.0.0/16
 3    ssh       44022  0.0.0.0/0
 4    www-ssl   8443   0.0.0.0/0        cert1.pem_0
 5 XI api       8728
 6    winbox    8291   0.0.0.0/0
 7 XI api-ssl   8729                    none
 
soonwai
Member Candidate
Posts: 162
Joined: Mon Feb 06, 2012 10:50 pm
Location: Kuala Lumpur

Re: Can't open port for remote access

Wed Sep 13, 2017 4:33 pm

Do you see any activity, packets increasing, for this rule during an unsuccessful attempt with ssh?
2 chain=input action=accept protocol=tcp dst-port=44022 log=no log-prefix=""
 
strods
MikroTik Support
Posts: 1284
Joined: Wed Jul 16, 2014 7:22 am
Location: Riga, Latvia

Re: Can't open port for remote access

Wed Sep 13, 2017 4:39 pm

This part of the configuration seems to be correct. Are there any Firewall NAT rules on the device?
 
nitrogear
just joined
Topic Author
Posts: 4
Joined: Wed Sep 13, 2017 11:46 am

Re: Can't open port for remote access

Wed Sep 13, 2017 6:12 pm

> Do you see any activity, packets increasing, for this rule during an unsuccessful attempt with ssh?
> 2 chain=input action=accept protocol=tcp dst-port=44022 log=no log-prefix=""

No, the numbers remain the same.

telnet office.xxx.com 44022
Trying x.x.x.x...
telnet: Unable to connect to remote host: Connection refused
 
nitrogear
just joined
Topic Author
Posts: 4
Joined: Wed Sep 13, 2017 11:46 am

Re: Can't open port for remote access

Wed Sep 13, 2017 6:16 pm

> This part of the configuration seems to be correct. Are there any Firewall NAT rules on the device?

Only NAT for internet.

/ip firewall nat print
Flags: X - disabled, I - invalid, D - dynamic
 0    ;;; defconf: masquerade
      chain=srcnat action=masquerade out-interface=ether1 log=no log-prefix=""
 
nitrogear
just joined
Topic Author
Posts: 4
Joined: Wed Sep 13, 2017 11:46 am

Re: Can't open port for remote access

Wed Sep 13, 2017 9:13 pm

LOL, it seems I figured out what the issue was - I got a real IP from my ISP, but I forgot to set it on WAN ;-)
Instead of that, the WAN interface got an internal IP and I was trying to connect from outside to my ISP's MikroTik ;-)
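
An added example, not part of any post in the thread: a small Python audit over trimmed copies of the listings above. It shows that with no drop rule in the input chain RouterOS accepts input traffic by default, so the service address list is the only restriction, and that a WAN address in private or CGNAT space means outside connections end at the upstream router. The WAN addresses passed in are constructed values; only chain, protocol and a single dst-port are modelled.

```python
import ipaddress

# Constructed from the thread's listings (padding collapsed, rows trimmed).
SERVICES = """\
0 XI telnet 23
1 ftp 21 192.168.0.0/16
2 www 80 192.168.0.0/16
3 ssh 44022 0.0.0.0/0
4 www-ssl 8443 0.0.0.0/0 cert1.pem_0
6 winbox 8291 0.0.0.0/0"""
FILTER = """\
chain=input action=accept protocol=tcp dst-port=8443
chain=input action=accept protocol=tcp dst-port=44022
chain=forward action=drop connection-state=invalid"""
NON_PUBLIC = [ipaddress.ip_network(n) for n in  # RFC 1918 plus CGNAT
              ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "100.64.0.0/10")]

def input_verdict(filter_text, port):
    """First matching input rule wins; with no match RouterOS accepts."""
    for line in filter_text.splitlines():
        rule = dict(kv.split("=", 1) for kv in line.split())
        if rule.get("chain") != "input":
            continue
        extra = set(rule) - {"chain", "action", "protocol", "dst-port"}
        if extra:  # refuse to guess at matchers this sketch does not model
            raise ValueError(f"unsupported matcher(s): {sorted(extra)}")
        if rule.get("protocol", "tcp") == "tcp" and \
                rule.get("dst-port", str(port)) == str(port):
            return rule["action"]
    return "accept"

def audit(services_text, filter_text, wan_ip):
    """Return {service: exposure} for every enabled service."""
    behind_nat = any(ipaddress.ip_address(wan_ip) in n for n in NON_PUBLIC)
    report = {}
    for line in services_text.splitlines():
        tok = line.split()[1:]              # drop the row number
        if tok[0] in ("X", "I", "XI"):      # disabled or invalid service
            continue
        name, port = tok[0], int(tok[1])
        allowed = tok[2] if len(tok) > 2 and "/" in tok[2] else "0.0.0.0/0"
        if input_verdict(filter_text, port) != "accept":
            report[name] = "blocked by input chain"
        elif allowed != "0.0.0.0/0":
            report[name] = f"restricted to {allowed}"
        else:
            report[name] = ("open, but WAN is behind upstream NAT"
                            if behind_nat else "open to the Internet")
    return report
```

Once the public address is set on the WAN interface, winbox, ssh and www-ssl all report as open to the Internet in this configuration, because nothing in the input chain drops traffic.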
