upviqq
newbie
Topic Author
Posts: 38
Joined: Thu Jun 02, 2016 10:18 am

Unable to access mikrotik services, like ssh and winbox, from Internet

Thu Jul 07, 2016 10:29 pm

Hi!
Today I couldn't access my MikroTik 2011 series at home from work. At home I've installed stable updates, nothing changed. Reset to defaults either.
I definitely have external IP working, I can dstnat ssh to this computer with Linux in MikroTik network and connect from 3G internet on phone.
And local access fully functional, ssh, web and winbox from virtual machine with Windows.

Sorry for my English.
Last connection was several weeks ago, I don't use it often.
Last time I'd setup IPv6 thanks to this forum. But now it has all defaults except ISP connection.
 
upviqq
newbie
Topic Author
Posts: 38
Joined: Thu Jun 02, 2016 10:18 am

Re: Unable to access mikrotik services, like ssh and winbox, from Internet

Fri Jul 08, 2016 2:55 pm

Any suggestions? All services accessible from LAN and nothing from internet, but I cant DSTNAT any port to NATed PC.
Nmap shows host up, but no open ports.
 
gabrielpike
Frequent Visitor
Posts: 84
Joined: Thu Apr 17, 2014 4:17 pm

Re: Unable to access mikrotik services, like ssh and winbox, from Internet

Fri Jul 08, 2016 4:29 pm

Possible firewall blocking. Post export of config.
Gabriel Pike
MTCNA
 
upviqq
newbie
Topic Author
Posts: 38
Joined: Thu Jun 02, 2016 10:18 am

Re: Unable to access mikrotik services, like ssh and winbox, from Internet

Fri Jul 08, 2016 4:44 pm

> Possible firewall blocking. Post export of config.
Default config after "Reset configuration". I'll get config after work, can't access it now because of the topic problem :).
And DSTNAT works, like I mentioned. I tried to dstnat port 22 from external ip to local - doesn't work.
 
mrz
MikroTik Support
Posts: 5965
Joined: Wed Feb 07, 2007 12:45 pm
Location: Latvia

Re: Unable to access mikrotik services, like ssh and winbox, from Internet

Fri Jul 08, 2016 4:55 pm

Default config allows only ping from WAN port. Everything else is blocked.
 
upviqq
newbie
Topic Author
Posts: 38
Joined: Thu Jun 02, 2016 10:18 am

Re: Unable to access mikrotik services, like ssh and winbox, from Internet

Fri Jul 08, 2016 5:30 pm

> Default config allows only ping from WAN port. Everything else is blocked.
Since what version? WinBox worked several weeks ago...
So I just place
/ip firewall filter add action=accept chain=input disabled=no dst-port=8291 protocol=tcp
before drop rule in filter tab of firewall for winbox?
 
mrz
MikroTik Support
Posts: 5965
Joined: Wed Feb 07, 2007 12:45 pm
Location: Latvia

Re: Unable to access mikrotik services, like ssh and winbox, from Internet

Fri Jul 08, 2016 6:18 pm

Since the beginning of the first produced RB2011 :D

Yes, you simply add accept rules for protocols you need, before drop.
 
k6ccc
Member
Posts: 484
Joined: Fri May 13, 2016 12:01 am
Location: Glendora, CA, USA (near Los Angeles)

Re: Unable to access mikrotik services, like ssh and winbox, from Internet

Sun Jul 10, 2016 5:22 am

I would be VERY careful about making command ports available via the internet.  At the very least use non-standard ports.  Then add another layer of security or two above that.
 
RB750Gr3, RB750r2, CRS326-24G-2S (in SwitchOS), CSS326-24G-2S, CSS106-5G-1S, RB260GS
Not sure if I beat them in submission, or they beat me into submission


Jim
 
gabrielpike
Frequent Visitor
Posts: 84
Joined: Thu Apr 17, 2014 4:17 pm

Re: Unable to access mikrotik services, like ssh and winbox, from Internet

Tue Jul 12, 2016 3:36 pm

As long as your access control policies are in place you should be fine. An example would be to only allow access to a service from a specific set of "safe" addresses. To do this, create an address list, then add an input and forward rule at the top of your firewall list to allow all "safe" IP addresses.
Gabriel Pike
MTCNA
 
k6ccc
Member
Posts: 484
Joined: Fri May 13, 2016 12:01 am
Location: Glendora, CA, USA (near Los Angeles)

Re: Unable to access mikrotik services, like ssh and winbox, from Internet

Tue Jul 12, 2016 5:22 pm

I believe that would be another layer of security that I mentioned.  In my case, the remote access methods use non-standard ports, a multi-step port knock to even open the ports, and complex usernames and passwords.  Only secure connections are allowed (no http, ftp, or telnet from the internet for example).  From specific IPs on my local LAN, it's a little less stringent.

Jim
RB750Gr3, RB750r2, CRS326-24G-2S (in SwitchOS), CSS326-24G-2S, CSS106-5G-1S, RB260GS
Not sure if I beat them in submission, or they beat me into submission


Jim
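
The address-list restriction and the port knock described in the last posts, written out as RouterOS firewall rules next to the open WinBox rule from earlier in the thread. This is an added example, not configuration posted by anyone in the thread; the list names, knock ports and addresses are constructed, and it assumes the input chain contains exactly one drop rule.

```routeros
# Added example for RouterOS v6; every name, port and address is constructed.
# Assumption: the input chain holds exactly one drop rule, so [find ...] below
# returns a single item and each new rule is inserted directly before it.

# Weak form (the rule from the thread): WinBox reachable from any source.
#   /ip firewall filter add action=accept chain=input dst-port=8291 protocol=tcp

# Static allow list of trusted management sources (documentation ranges).
/ip firewall address-list
add list=mgmt-safe address=203.0.113.10 comment="office static IP (constructed)"
add list=mgmt-safe address=198.51.100.0/24 comment="VPN egress range (constructed)"

/ip firewall filter
# Knock step 1: a new TCP connection to port 7001 lists the source for 10s.
# The action does not accept the packet, so the knock itself is still dropped.
add chain=input protocol=tcp dst-port=7001 connection-state=new \
    action=add-src-to-address-list address-list=knock-1 \
    address-list-timeout=10s comment="knock step 1" \
    place-before=[find chain=input action=drop]

# Knock step 2: only a source already in knock-1 can promote itself, for 30m.
add chain=input protocol=tcp dst-port=7002 connection-state=new \
    src-address-list=knock-1 action=add-src-to-address-list \
    address-list=mgmt-knocked address-list-timeout=30m \
    comment="knock step 2" place-before=[find chain=input action=drop]

# Hardened form: SSH and WinBox accepted only from the static allow list ...
add chain=input protocol=tcp dst-port=22,8291 src-address-list=mgmt-safe \
    action=accept comment="mgmt from safe list" \
    place-before=[find chain=input action=drop]

# ... or from a source that completed both knock steps.
add chain=input protocol=tcp dst-port=22,8291 src-address-list=mgmt-knocked \
    action=accept comment="mgmt after knock" \
    place-before=[find chain=input action=drop]
```

After applying, `/ip firewall filter print` should show all four rules above the drop rule; any source not in either list still reaches only the drop.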
