Community discussions

andriesh
just joined
Topic Author
Posts: 4
Joined: Sat Jun 09, 2018 12:18 pm

Winbox remote connection

Wed Nov 07, 2018 12:21 am

Hi!

I'm using an RB951-2n with RouterOS v6.43rc23.
I am trying to connect from my home IP address to the WAN address of this device, with no success. Port 8291 is explicitly open to the world, but I still cannot connect to the router.
I've read somewhere that the newer RouterOS version blocks all kinds of access from the Internet, but certain connections can be allowed somehow.
Please advise how I can gain access via the WAN port.
 
vecernik87
Long time Member
Posts: 530
Joined: Fri Nov 10, 2017 8:19 am

Re: Winbox remote connection

Wed Nov 07, 2018 3:19 am

Never, ever open your management ports to the whole world. Even if you have updated RouterOS, there may be an unknown vulnerability. In the past two years there was an enormous number of hacked devices which would have been fine even with a vulnerable version, if their www/winbox services were not available from the Internet.

I understand this is not what you want to hear but it is really important to understand the risk.

The recommended way for connecting from the outside world is a VPN. Even if it is just PPTP (which is considered not really secure), it will do the job and it is really easy to configure.
 
Jotne
Forum Veteran
Posts: 904
Joined: Sat Dec 24, 2016 11:17 am
Location: Magrathean

Re: Winbox remote connection

Wed Nov 07, 2018 8:43 am

If VPN is not an option, you can open 8291, but you should use port knocking.
Set it up so you need to knock 3-4 ports in a given time interval before 8291 opens.
Search for port knocking on how to set it up.
Use Splunk to monitor your MikroTik Router

MikroTik->Splunk
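The knock sequence described above, written out as a RouterOS filter rule set. This is an added example, not code posted in the thread; the knock ports (1111, 2222, 3333), the address-list names (knock1, knock2, winbox_allowed) and the timeouts are assumptions you would change to your own values. Each stage only fires for a source that completed the previous stage within the timeout, and only a source that completed all three gets to port 8291.

```routeros
# Added example (not from the thread). Assumed knock ports: 1111, 2222, 3333.
# Rules must sit after the "accept established,related" rule and before the
# final "drop all other input" rule of the input chain.
/ip firewall filter
# Stage 1: a TCP packet to 1111 puts the source into "knock1" for 10 seconds
add chain=input action=add-src-to-address-list address-list=knock1 \
    address-list-timeout=10s protocol=tcp dst-port=1111 comment="Knock 1"
# Stage 2: within those 10 seconds, a packet to 2222 from a knock1 address promotes it to "knock2"
add chain=input action=add-src-to-address-list address-list=knock2 \
    address-list-timeout=10s protocol=tcp dst-port=2222 src-address-list=knock1 comment="Knock 2"
# Stage 3: a packet to 3333 from a knock2 address opens Winbox for that source for one hour
add chain=input action=add-src-to-address-list address-list=winbox_allowed \
    address-list-timeout=1h protocol=tcp dst-port=3333 src-address-list=knock2 comment="Knock 3: open Winbox"
# Only sources that completed the whole sequence may reach 8291
add chain=input action=accept protocol=tcp dst-port=8291 src-address-list=winbox_allowed comment="Winbox after knock"
# Everything else aimed at the management port is dropped explicitly
add chain=input action=drop protocol=tcp dst-port=8291 comment="Drop unknocked Winbox"
```

Two practical checks: pick the knock ports so they are not in ascending order (a sequential port sweep would otherwise walk through 1111, 2222, 3333 inside the 10-second window and complete the sequence by accident), and verify the mechanism with /ip firewall address-list print, where your address should appear in winbox_allowed after a correct knock and nowhere after a wrong one.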
 
andriesh
just joined
Topic Author
Posts: 4
Joined: Sat Jun 09, 2018 12:18 pm

Re: Winbox remote connection

Fri Jan 11, 2019 1:22 am

Port knocking is an interesting solution, especially if you need to connect from anywhere in the world without VPN, but I need to connect to the office from my home IP, which is static.
I whitelisted my IP in all categories (Firewall, Services, Users) but still cannot connect, though I do see packets matching the accept rule.
Am I missing something here?
P.S. Version 6.43.7
 
pcunite
Forum Veteran
Posts: 907
Joined: Sat May 25, 2013 5:13 am
Location: USA

Re: Winbox remote connection

Fri Jan 11, 2019 3:57 am

Am I missing something here?

Remove all your firewall rules and use this sample rule set, which works. Replace 1.1.1.1 with your public address and 192.168.0.0 with your private side. Replace bridge-LAN and ether-WAN as well, naturally.

/ip firewall filter
add chain=input action=accept connection-state=established,related comment="Accept established related"
add chain=input action=accept in-interface=bridge-LAN comment="Allow LAN access to router and Internet"
add chain=input action=accept dst-port=8291 protocol=tcp src-address=1.1.1.1 comment="Remote Winbox"
add chain=input action=drop comment="Drop all other input"
add chain=forward action=accept connection-state=established,related comment="Accept established related"
add chain=forward action=accept connection-state=new in-interface=bridge-LAN comment="Allow LAN access to router and Internet"
add chain=forward action=accept connection-nat-state=dstnat in-interface=ether-WAN comment="Accept Port forwards"
add chain=forward action=drop comment="Drop all other forward"

/ip service
set winbox address=192.168.0.0/24,1.1.1.1/32

/ip ssh
set strong-crypto=yes
 
solar77
Member
Posts: 402
Joined: Thu Feb 04, 2016 11:42 am
Location: Scotland

Re: Winbox remote connection

Fri Jan 11, 2019 9:24 pm

If you can see packets match the accept rule (I have not seen your rule, but I assume it's the input chain, from your LAN IP to the WAN IP on port 8291), the traffic is reaching its destination, but either the return path is not there or the return is not accepted by the laptop because it is coming from a different IP than the one it sent the packets to.
Check this out:
https://wiki.mikrotik.com/wiki/Hairpin_NAT

The solution is to make a src-nat to your LAN bridge, something like:
/ip firewall nat add action=masquerade chain=srcnat out-interface=Your_LAN_Bridge
MTCNA MTCTCE UEWA
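The hairpin case the linked wiki page covers, as an added example rather than code from the thread: a LAN client reaches a port-forwarded internal host via the router's public address, and without the extra srcnat rule the server answers the client directly on the LAN, so the client sees a reply from an address it never sent to and drops it. The addresses and names are the same assumptions as in pcunite's rule set above (1.1.1.1 public, 192.168.0.0/24 LAN, ether-WAN and bridge-LAN), plus an assumed internal server 192.168.0.10 on port 443.

```routeros
# Added example (not from the thread). Assumed: 1.1.1.1 = public IP,
# 192.168.0.0/24 = LAN, 192.168.0.10 = internal server, ether-WAN / bridge-LAN = interfaces.
/ip firewall nat
# Normal outbound masquerade toward the Internet
add chain=srcnat action=masquerade out-interface=ether-WAN comment="Masquerade to Internet"
# Port forward: any packet (from Internet or LAN) for 1.1.1.1:443 goes to the internal server
add chain=dstnat action=dst-nat dst-address=1.1.1.1 protocol=tcp dst-port=443 \
    to-addresses=192.168.0.10 to-ports=443 comment="Forward 443 to internal server"
# Hairpin: the source is on the LAN and the (already dst-natted) destination is on the LAN too,
# so rewrite the source to the router's LAN address; the server's reply then returns through
# the router, which un-NATs it back to the public address the client actually connected to.
add chain=srcnat action=masquerade src-address=192.168.0.0/24 dst-address=192.168.0.10 \
    protocol=tcp dst-port=443 out-interface=bridge-LAN comment="Hairpin NAT"
```

The hairpin masquerade is deliberately narrowed to the LAN-to-server flow; the unrestricted version from the post above (masquerade on everything leaving the LAN bridge) also works but hides the real client address from the server's logs for all LAN traffic. With pcunite's filter rules the hairpin flow is accepted in the forward chain by the "connection-state=new in-interface=bridge-LAN" rule, not by the dstnat-from-ether-WAN rule, so no filter change is needed. Confirm with /ip firewall connection print, where the hairpinned connection shows both the dst-nat and src-nat translations.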
