Community discussions

 
Maelstrom
just joined
Topic Author
Posts: 2
Joined: Wed Dec 05, 2018 10:01 am

Setting up a dedicated Management Port

Wed Dec 05, 2018 10:42 am

Hi,

I'm very new to Mikrotik. I just bought a RB3011 few weeks ago, to replace my ISP Box (more for fun than for a real need ;-), but for the moment, it's all but fun...)

Before configuring anything else, the first thing I want to do, is to have a dedicated management ethernet port on my router (let's say ether3 port), with the fixed IP 192.168.1.2 (192.168.1.0/24 is my management subnet on my LAN. It's on the "natave" VLAN). I don't want it to be possible to access the management tools on the router from other ports / subnet, either from winbox or by ssh.

Here are the steps of my different tries :
- i removed ether3 from the defaut bridge (on RB3011, ether2 to ether10 + sfp1 are bridged in the default configuration).
- I added the 192.168.1.2/24 IP address on ether3
- I forced my PC IP address to be 192.168.1.200 (mask 255.255.255.0 / gateway 192.168.1.2 just in case) and plugged it in ether3 port of the router => Can't connect either from WinBox and by ssh
- then, I forced the 192.168.1.0/24 subnet as source address on the Winbox service => no success. And, of course, from that step, I could not connect anymore on ether2 (with host IP set to 192.168.88.x). Fortunatly, connecting by MAC address still worked on ether2, so I have added 192.168.88.0/24 as source address on the Winbox service.
- I tried to put ether3 in a new bridge, just in case => no success
- I tried to add a firewall rule (chain : input / src:192.168.1.0/24 / Action : accept) at the very beginning of the rules => no success
- And other tries I don't remember of... => No success

What the hell is wrong with my actions ? Can someone here help me ?

And for my information, can someone also explain me how it is possible, out of the box, to manage the router from winbox (connecting by IP) and by SSH, with the default firewall rules, because none of them, related to the input chain, explicitly permit new connection (the only accept rules are for ICMP and for established and related states) ? That's a mistery for me.

Thank you for reading and... for replying ;-)
Last edited by Maelstrom on Wed Dec 05, 2018 6:34 pm, edited 1 time in total.
 
sebastia
Long time Member
Long time Member
Posts: 622
Joined: Tue Oct 12, 2010 3:23 am

Re: Setting up a dedicated Management Port

Wed Dec 05, 2018 3:29 pm

Hi

I'm i'm not mistaken, the default config makes use of interface lists. Since you removed the eth3 from bridge, it's not part of known list and disallowed in firewall.
Either add it to LAN again, or create new List and allow that list to access the router in firewall.
 
Maelstrom
just joined
Topic Author
Posts: 2
Joined: Wed Dec 05, 2018 10:01 am

Re: Setting up a dedicated Management Port

Wed Dec 05, 2018 6:26 pm

Thanks Sebastia !

First try I made : changing the "LAN" interface list to Include "all" (that is : also ether3) was a success.I can now connect on my ether3 port, on its IP.

I will see now if I can do in another way (by creating a new list including only my management port), but there are many things I still don't understand :
- where is the rule for allowing interfaces belonging to "LAN" list to access the router ? Is it a firewall rule (layer 3) ? Is it implicit ?
- when on the "Interface list" tab, in Interfaces Windows, the only action you can do on a list (by double-clicking on it in Winbox) is to change it's interface (by default : "bridge"). But after pressing the "Lists" button, in the same tab/same window, double-clicking on a list allows you to include and/or to exclude any other list (plus none, all and dynamic). It's not quite clear for me to have the list including all (as I did), and in the other Windows, having the same list pointing the interface "bridge"...

If someone can explain this misteries...

Thanks again, Sebastia !
 
WeWiNet
Frequent Visitor
Frequent Visitor
Posts: 67
Joined: Thu Sep 27, 2018 4:11 pm

Re: Setting up a dedicated Management Port

Wed Dec 05, 2018 10:57 pm

There are a couple of places in RouterOS where you need to define who can access the router itself.
Even if firewall allows access on the input chain accept, this does not mean the router will respond or accept the connection
- System/User, and from which IP address is he allowed to log in; Normally this is set by default for all IP addresses.
- IP/Services: Is Winbox, Webfig, SSH, API etc available, and from which network address ; Here you can also specify/change the ports used
- MAC-Server / Neighbourhood discovery settings for MAC level communication (including ROMON).

Try those settings to see if by changing the IP address you did not broke something or forgot to set it somewhere else as allowed.
WeWiNet

**
MTCNA
hapac2, map, hap-lite
 
tiico
just joined
Posts: 1
Joined: Tue Dec 04, 2018 12:07 pm

Re: Setting up a dedicated Management Port

Thu Dec 06, 2018 12:10 am

Thanks for your explaination because i have had the same problem (unable to connect [Winbox or Webfig] when i have exclude 1 interface from the default 'bridge')
I continue to discover all the possibility of that router (from some days)
I'm in the same position as Maelstrom, just try to use it for fun (and the main objective is to change ISP box)
;)
Tiico

Who is online

Users browsing this forum: No registered users and 14 guests