JoshuaTree
just joined
Topic Author
Posts: 3
Joined: Fri Mar 16, 2018 9:51 pm

Can't login via WinBox

Wed Mar 06, 2019 3:09 am

WinBox reports it can't connect to any port. After I reset the device, what needs to be changed in the code below (slightly modified from the Default Configuration)?
# RouterOS 6.40.7
# Model = RouterBOARD 3011UiAS

/interface bridge
add admin-mac=CC:2D:E0:F0:6F:14 auto-mac=no comment=Bridge1 name=Bridge1
add admin-mac=CC:2D:E0:F0:6F:15 auto-mac=no comment=Bridge2 mtu=1500 name=Bridge2

/interface ethernet
set [ find default-name=ether1 ] name=Ether1-WAN
set [ find default-name=ether2 ] name=Ether2-LAN-mstr
set [ find default-name=ether3 ] master-port=Ether2-LAN-mstr name=Ether3-LAN
set [ find default-name=ether4 ] master-port=Ether2-LAN-mstr name=Ether4-LAN
set [ find default-name=ether5 ] master-port=Ether2-LAN-mstr name=Ether5-LAN
set [ find default-name=ether6 ] name=Ether6-LAN-mstr
set [ find default-name=ether7 ] master-port=Ether6-LAN-mstr name=Ether7-LAN
set [ find default-name=ether8 ] master-port=Ether6-LAN-mstr name=Ether8-LAN
set [ find default-name=ether9 ] master-port=Ether6-LAN-mstr name=Ether9-LAN
set [ find default-name=ether10 ] master-port=Ether6-LAN-mstr name=Ether10-LAN

/ip neighbor discovery
set Ether1-WAN discover=no

/interface list
add comment="ISP WAN" name=WAN
add comment="Org LAN Bridge2" name=LAN

/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik

/ip pool
add name=default-dhcp ranges=192.168.88.10-192.168.88.254
add name=Org-DHCP-Pool ranges=10.11.4.1,10.11.7.250

/ip dhcp-server
add address-pool=default-dhcp disabled=no interface=Bridge1 name=defconf
add address-pool=Org-DHCP-Pool disabled=no interface=Bridge2 name=Org-DHCP-Server

/interface bridge port
add bridge=Bridge1 comment=defconf interface=Ether2-LAN-mstr
add bridge=Bridge2 comment="Org Bridge" interface=Ether6-LAN-mstr
add bridge=Bridge1 comment=defconf interface=sfp1

/interface list member
add comment="Org LAN Bridge2" interface=Bridge2 list=LAN
add comment="ISP WAN" interface=Ether1-WAN list=WAN

/ip address
add address=192.168.88.1/24 comment=defconf interface=Bridge1 network=192.168.88.0
add address=10.11.0.1/22 comment="Org" interface=Bridge2 network=10.11.0.0

/ip dhcp-client
add comment="Auto Obtain IP -- Ether1 WAN" dhcp-options=hostname,clientid disabled=no interface=Ether1-WAN

/ip dhcp-server network
add address=10.11.0.0/22 comment="Org LAN subnet" gateway=10.11.0.1
add address=192.168.88.0/24 comment=defconf gateway=192.168.88.1

/ip dns
set allow-remote-requests=yes

/ip dns static
add address=192.168.88.1 name=router.lan
add address=8.8.8.8 name=GoogleDNS1
add address=8.8.4.4 name=GoogleDNS2

/ip firewall filter
add action=accept chain=input comment=\
"defconf: accept established,related,untracked" connection-state=\
established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
connection-state=established,related
add action=accept chain=forward comment=\
"defconf: accept established,related, untracked" connection-state=\
established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
connection-state=invalid
add action=drop chain=forward comment=\
"defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
connection-state=new in-interface-list=WAN

/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" \
ipsec-policy=out,none out-interface-list=WAN

/system clock
set time-zone-autodetect=no time-zone-name=America/Los_Angeles

/system identity
set name=OrgGW

/tool mac-server
set [ find default=yes ] disabled=yes
add interface=Bridge1

/tool mac-server mac-winbox
set [ find default=yes ] disabled=yes
add interface=Bridge1
 
2frogs
Long time Member
Posts: 541
Joined: Fri Dec 03, 2010 1:38 am

Re: Can't login via WinBox

Wed Mar 06, 2019 3:38 am

If you are attempting to connect using ether 2-5, then this is your issue:
/interface list member
add comment="Org LAN Bridge2" interface=Bridge2 list=LAN
add comment="ISP WAN" interface=Ether1-WAN list=WAN

/ip firewall filter
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
in-interface-list=!LAN
1. You can either add Bridge1 to the LAN list also
2. Create a LAN2 list and change the filter rule to match
3. Change the firewall rule from in-interface-list to in-interface=Bridge1
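
Added example (not part of the post above, and not MikroTik tooling): a Python check that reads an excerpt of the export posted in this thread, resolves each port to the interface the firewall actually sees (master-port, then bridge), and reports whether the input-chain "drop unless in list" rule lets a new connection from that port reach the router. It assumes only that rule decides the outcome, as it does for a new WinBox connection; the function names are illustrative.

```python
import re
# Excerpt of the export posted in this thread (only the sections the check needs).
EXPORT = """\
/interface ethernet
set [ find default-name=ether2 ] name=Ether2-LAN-mstr
set [ find default-name=ether3 ] master-port=Ether2-LAN-mstr name=Ether3-LAN
set [ find default-name=ether6 ] name=Ether6-LAN-mstr
set [ find default-name=ether7 ] master-port=Ether6-LAN-mstr name=Ether7-LAN
/interface bridge port
add bridge=Bridge1 comment=defconf interface=Ether2-LAN-mstr
add bridge=Bridge2 comment="Org Bridge" interface=Ether6-LAN-mstr
/interface list member
add comment="Org LAN Bridge2" interface=Bridge2 list=LAN
add comment="ISP WAN" interface=Ether1-WAN list=WAN
/ip firewall filter
add action=drop chain=input comment="defconf: drop all not coming from LAN" \\
in-interface-list=!LAN
"""
KV = re.compile(r'([\w-]+)=("[^"]*"|\S+)')

def parse(export):
    """Return {section: [{key: value}, ...]}, joining backslash continuations."""
    sections, current = {}, None
    for line in export.replace("\\\n", " ").splitlines():
        line = line.strip()
        if line.startswith("/"):
            current = sections.setdefault(line, [])
        elif line and current is not None:
            current.append({k: v.strip('"') for k, v in KV.findall(line)})
    return sections

def input_verdict(export):
    """Map each port to (in-interface seen by the firewall, 'pass' or 'drop').

    Simplification: only input-chain drop rules of the form
    in-interface-list=!NAME are modelled; earlier accept rules are ignored.
    """
    s = parse(export)
    master = {e["name"]: e.get("master-port", e["name"]) for e in s["/interface ethernet"]}
    bridge = {p["interface"]: p["bridge"] for p in s["/interface bridge port"]}
    lists = {}
    for m in s["/interface list member"]:
        lists.setdefault(m["list"], set()).add(m["interface"])
    required = [r["in-interface-list"][1:] for r in s["/ip firewall filter"]
                if r.get("chain") == "input" and r.get("action") == "drop"
                and r.get("in-interface-list", "").startswith("!")]
    verdict = {}
    for port, m in master.items():
        in_if = bridge.get(m, m)  # bridged traffic arrives on the bridge interface
        ok = all(in_if in lists.get(name, set()) for name in required)
        verdict[port] = (in_if, "pass" if ok else "drop")
    return verdict
```

Running `input_verdict` on an export with Bridge1 added to the LAN list (option 1 above) changes the Bridge1 ports from drop to pass.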
 
JoshuaTree
just joined
Topic Author
Posts: 3
Joined: Fri Mar 16, 2018 9:51 pm

Re: Can't login via WinBox

Wed Mar 06, 2019 4:55 am

Thanks so much for your help, 2frogs. So if I understand correctly, the firewall rule is dropping all packets NOT from LAN members (Bridge2?), which would be Ether2-5, correct? What Ether interfaces are members of LAN? Why would I not be able to connect on Ether6-10? I do obtain a DHCP IP etc. but still cannot connect. I guess I'm not clear what that firewall rule is rejecting. It seems to me I should be able to connect on Ether6-10.
 
anav
Forum Guru
Posts: 3185
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Can't login via WinBox

Wed Mar 06, 2019 5:01 am

Update your firmware while at it.
I'd rather manage rats than software. Follow my advice at your own risk! (Sob & mkx forced me to write that!)
