The thing is that i'm new in configuring my Mikrotik hAP Lite TC but i already learned the basics of it thanks to Mikrotik Wiki and this forum. And now, I got this problem accessing my Mikrotik router from my laptop wirelessly both connected ,RJ45 Cable for MT hAP Lite and Wi-Fi for my Laptop, to a modem (Provided by local ISP).
Firstly i tried connecting my laptop to the MT hAP Lite using its hotspot via Telnet and works perfectly fine also tried connecting directly my laptop to the MT hAP lite via RJ45 Cable also works fine.
Then now I want to access my MT hAP lite from my laptop which is both connected to my modem, I tried using the IP Address provided by the DHCP of the modem and also the default IP of MT hAP lite (192.168.88.1) through Telnet Client but failed.
Am I missing something?
Re: HELP: Access Mikrotik Router Externally
ISP's modem and its subnet is considered as untrustworthy internet by Routerboard's firewall by default.
You should reconsider your wish to connect to your RB from anywhere else than RB's LAN ... and if you are absolutely sure it should be allowed, you'll have to adjust firewall rules. As that means creating potential security holes, I won't give you any recipes. Read some firewall rule documentation and understand it. When you do, you'll be able to adjust firewall rules, it's not that hard after all.
You should reconsider your wish to connect to your RB from anywhere else than RB's LAN ... and if you are absolutely sure it should be allowed, you'll have to adjust firewall rules. As that means creating potential security holes, I won't give you any recipes. Read some firewall rule documentation and understand it. When you do, you'll be able to adjust firewall rules, it's not that hard after all.
Re: HELP: Access Mikrotik Router Externally
You might want to consider turning off fouter functionality on the Mikoritik. Just use it as switch and accesspoint (by removing NAT and creating a bridge where all interfaces should be part of).
Re: HELP: Access Mikrotik Router Externally
add rule
/ip firewall filter add chain=input action=accept protocol=tcp dst-port=8291
move rule to just below the first input drop rule
/ip firewall filter add chain=input action=accept protocol=tcp dst-port=8291
move rule to just below the first input drop rule
Re: HELP: Access Mikrotik Router Externally
Ignore the previous poster, that is an idiot rule that you should ignore.
First of all, nobody should be using the default port for Winbox.
The place to delineate which port you will use is the Winbox settings under IP services.
There should be no need to identify that port in input chain rules.
So basics.
DONT allow any external access to the router (via the input chain).
DONT allow any access to the router from your LAN (via the input chain) and you will note the following only exceptions.
DO allow ADMIN access from your LAN (via the input chain) and this is typically done stating the in-interface-list=LAN and using a source-address-list=what you define in Firewall Address Lists as the ONLY IPs allowed to access the router for admin purposes.
IF REQUIRED
Do allow LAN access for DNS from your LAN (via the input chain). (this is restricted by in-interface-list=LAN, port 53 and protocols tcp/udp.
Do have a last rule that says simply action=drop (in input chain).
If you want to access your router from external sources, the safe way is to either do some sort of port knocking (makes access less likely by hackers but not bulletproof), or BEST do it through a VPN connection to your LAN and then from your LAN to the router itself. For example I use my IPHONE with the MT app to make an IKE vpn connection to my LAN side and then access the router for admin changes.
If you are in wifi range of your MT router then, simply access the router for admin work via the MT LAN network.
First of all, nobody should be using the default port for Winbox.
The place to delineate which port you will use is the Winbox settings under IP services.
There should be no need to identify that port in input chain rules.
So basics.
DONT allow any external access to the router (via the input chain).
DONT allow any access to the router from your LAN (via the input chain) and you will note the following only exceptions.
DO allow ADMIN access from your LAN (via the input chain) and this is typically done stating the in-interface-list=LAN and using a source-address-list=what you define in Firewall Address Lists as the ONLY IPs allowed to access the router for admin purposes.
IF REQUIRED
Do allow LAN access for DNS from your LAN (via the input chain). (this is restricted by in-interface-list=LAN, port 53 and protocols tcp/udp.
Do have a last rule that says simply action=drop (in input chain).
If you want to access your router from external sources, the safe way is to either do some sort of port knocking (makes access less likely by hackers but not bulletproof), or BEST do it through a VPN connection to your LAN and then from your LAN to the router itself. For example I use my IPHONE with the MT app to make an IKE vpn connection to my LAN side and then access the router for admin changes.
If you are in wifi range of your MT router then, simply access the router for admin work via the MT LAN network.
Re: HELP: Access Mikrotik Router Externally
There's nothing wrong with default WinBox port:First of all, nobody should be using the default port for Winbox.
- If changing the port would be the only thing do you, it would be so called "security through obscurity" and it's mostly useless. It would stop dumb bots that only try default port, but anyone else could find it.
- If you add another level of protection (whitelist, port knocking), then it doesn't matter what port you use, because it's not accessible from everywhere anyway.
It depends on how much paranoid you are. Generally the less you allow the better. Plus we still remember recent WinBox bugs, especially that really ugly one causing password leaks. So if anyone isn't fully convinced that MikroTik found and fixed all such bugs, it's better to not have WinBox port open for everyone. But if you trust them, then why not. And don't forget, if you open ports for VPN, you're trusting the same MikroTik that they didn't create any nasty bugs there.DONT allow any external access to the router (via the input chain).
Re: HELP: Access Mikrotik Router Externally
Well, up to a point. If I allow (say) ssh from internet, it only takes ONE vulnerability in order to someone login on my router. If I block SSH from internet, but allow it from a VPN interface, there would be two bugs needed, in order to get access to my router: one to connect to the VPN and another to connect to SSH.It depends on how much paranoid you are. Generally the less you allow the better. Plus we still remember recent WinBox bugs, especially that really ugly one causing password leaks. So if anyone isn't fully convinced that MikroTik found and fixed all such bugs, it's better to not have WinBox port open for everyone. But if you trust them, then why not. And don't forget, if you open ports for VPN, you're trusting the same MikroTik that they didn't create any nasty bugs there.
All this assuming certificates as VPN auth and public keys to the SSH.
As You said, it all boils down to how paranoid You are. And, remember: "Just because You are not paranoid it doesn't mean they are not trying to get You"
Re: HELP: Access Mikrotik Router Externally
It's because you're not expecting the worst. Why couldn't VPN server contain some "nice" remote code execution vulnerability? If you get root this way, you don't need anything else. 
Re: HELP: Access Mikrotik Router Externally
I am expecting the worst. If my router's code is compromised, it's game over. Even when disabling all the services the backdoor would still be there.It's because you're not expecting the worst. Why couldn't VPN server contain some "nice" remote code execution vulnerability? If you get root this way, you don't need anything else.
Now, talking about situations where we can do something about.
With ssh only accessible through VPN, it would be needed either two bugs/vulnerabilities (VPN and SSH) or a serious escalation privilege exploit at VPN. Two bugs are harder than one, so it is more secure this way.
Escalation privilege: there's not much that can be done here, if we want to give remote access. If it affects the VPN, and it gives root access, it's game over again. But this same argument can be made to SSH: if you use just SSH, and it gets a similar exploit, it's game over too.
The setup VPN/SSH at least protects against a single bug - if it doesn't give root privileges. There is no perfect solution.
Re: HELP: Access Mikrotik Router Externally
blah blah blah...........
For the homeowner and non MT certified guru, ie normal people ;-P, Do not open up your routers to the internet for access to the router.
The best bet is port knocking as it is achievable without VPN work, but better is a VPN connection to the LAN and then access the router for config changes.
As for winbox port, yes any port is as vulnerable as any other port if left open, tis simply a common port that hackers are looking for. No more no less.
If you take umbrage with what I am saying tough mammaries, we can decide it through a manly Salad off! Come to my place and we will see who makes the best salad and much beer will have to be consumed during the competition.
For the homeowner and non MT certified guru, ie normal people ;-P, Do not open up your routers to the internet for access to the router.
The best bet is port knocking as it is achievable without VPN work, but better is a VPN connection to the LAN and then access the router for config changes.
As for winbox port, yes any port is as vulnerable as any other port if left open, tis simply a common port that hackers are looking for. No more no less.
If you take umbrage with what I am saying tough mammaries, we can decide it through a manly Salad off! Come to my place and we will see who makes the best salad and much beer will have to be consumed during the competition.
Re: HELP: Access Mikrotik Router Externally
That is tempting...If you take umbrage with what I am saying tough mammaries, we can decide it through a manly Salad off! Come to my place and we will see who makes the best salad and much beer will have to be consumed during the competition.
Re: HELP: Access Mikrotik Router Externally
When you say "Access Mikrotik Router Externally" do you mean access from devices that are connected to the modem or from anywhere in the world?
I use below rules on my Tik device along with port knocking and VPN
In terminal copy paste below, It disables services except for winbox and www
/ip service disable www-ssl
/ip service disable telnet
/ip service disable ftp
/ip service disable ssh
/ip settings set tcp-syncookies=yes
/ip settings set rp-filter=strict
/ip ssh set strong-crypto=yes
/system note set show-at-login=yes
/system note set note="Authorized administrators only. Access to this device is monitored."
Block all access to winbox and www except support address IP list change address to suit, I have added in Tik address
/ip firewall address-list
add address=192.168.88.0/24 list=support
These rules will add the IP of the hackers trying to access the winbox and www to a list for 10 days and block access to winbox and www unless it's a support IP address
and drop all IP's that are not support IPs from trying to access.
/ip firewall filter
add chain=input action=accept protocol=tcp src-address-list=support dst-port=8291 log=no comment="allow support IP winbox"
add chain=input action=drop protocol=tcp src-address-list=!support dst-port=8291 log=no comment="Block all access to the winbox - except to support list"
add chain=input action=add-src-to-address-list protocol=tcp src-address-list=!support address-list=winbox hacker address-list-timeout=1w3d dst-port=8291 log=no comment="Add winbox hackers IP to list"
add chain=input action=drop protocol=tcp src-address-list=winbox hacker dst-port=8291 log=no comment="Drop winbox hackers IP to winbox 8291"
add chain=input action=drop src-address-list=winbox hacker log=no comment="Drop winbox hackers IP address list"
/ip firewall filter
add chain=input action=accept protocol=tcp src-address-list=support dst-port=80 log=no comment="allow support IP www"
add chain=input action=drop protocol=tcp src-address-list=!support dst-port=80 log=no comment="Block all access to the www - except to support list"
add chain=input action=add-src-to-address-list protocol=tcp src-address-list=!support address-list=www hacker address-list-timeout=1w3d dst-port=80 log=no comment="Add www hackers IP to list"
add chain=input action=drop protocol=tcp src-address-list=www hacker dst-port=80 log=no comment="Drop www hackers IP to www 80"
add chain=input action=drop src-address-list=www hacker log=no comment="Drop www hackers IP address list"
You can add your modem private IP to the support list replace 0.0.0.0/0 with your modem private IP.
/ip firewall address-list
add address=0.0.0.0/0 list=support
Hope this helps
I use below rules on my Tik device along with port knocking and VPN
In terminal copy paste below, It disables services except for winbox and www
/ip service disable www-ssl
/ip service disable telnet
/ip service disable ftp
/ip service disable ssh
/ip settings set tcp-syncookies=yes
/ip settings set rp-filter=strict
/ip ssh set strong-crypto=yes
/system note set show-at-login=yes
/system note set note="Authorized administrators only. Access to this device is monitored."
Block all access to winbox and www except support address IP list change address to suit, I have added in Tik address
/ip firewall address-list
add address=192.168.88.0/24 list=support
These rules will add the IP of the hackers trying to access the winbox and www to a list for 10 days and block access to winbox and www unless it's a support IP address
and drop all IP's that are not support IPs from trying to access.
/ip firewall filter
add chain=input action=accept protocol=tcp src-address-list=support dst-port=8291 log=no comment="allow support IP winbox"
add chain=input action=drop protocol=tcp src-address-list=!support dst-port=8291 log=no comment="Block all access to the winbox - except to support list"
add chain=input action=add-src-to-address-list protocol=tcp src-address-list=!support address-list=winbox hacker address-list-timeout=1w3d dst-port=8291 log=no comment="Add winbox hackers IP to list"
add chain=input action=drop protocol=tcp src-address-list=winbox hacker dst-port=8291 log=no comment="Drop winbox hackers IP to winbox 8291"
add chain=input action=drop src-address-list=winbox hacker log=no comment="Drop winbox hackers IP address list"
/ip firewall filter
add chain=input action=accept protocol=tcp src-address-list=support dst-port=80 log=no comment="allow support IP www"
add chain=input action=drop protocol=tcp src-address-list=!support dst-port=80 log=no comment="Block all access to the www - except to support list"
add chain=input action=add-src-to-address-list protocol=tcp src-address-list=!support address-list=www hacker address-list-timeout=1w3d dst-port=80 log=no comment="Add www hackers IP to list"
add chain=input action=drop protocol=tcp src-address-list=www hacker dst-port=80 log=no comment="Drop www hackers IP to www 80"
add chain=input action=drop src-address-list=www hacker log=no comment="Drop www hackers IP address list"
You can add your modem private IP to the support list replace 0.0.0.0/0 with your modem private IP.
/ip firewall address-list
add address=0.0.0.0/0 list=support
Hope this helps
Re: HELP: Access Mikrotik Router Externally
sorry for the late reply, i wanna use telnet to access terminal of my MK or any other means will do?When you say "Access Mikrotik Router Externally" do you mean access from devices that are connected to the modem or from anywhere in the world?
I use below rules on my Tik device along with port knocking and VPN
In terminal copy paste below, It disables services except for winbox and www
/ip service disable www-ssl
/ip service disable telnet
/ip service disable ftp
/ip service disable ssh
/ip settings set tcp-syncookies=yes
/ip settings set rp-filter=strict
/ip ssh set strong-crypto=yes
/system note set show-at-login=yes
/system note set note="Authorized administrators only. Access to this device is monitored."
Block all access to winbox and www except support address IP list change address to suit, I have added in Tik address
/ip firewall address-list
add address=192.168.88.0/24 list=support
These rules will add the IP of the hackers trying to access the winbox and www to a list for 10 days and block access to winbox and www unless it's a support IP address
and drop all IP's that are not support IPs from trying to access.
/ip firewall filter
add chain=input action=accept protocol=tcp src-address-list=support dst-port=8291 log=no comment="allow support IP winbox"
add chain=input action=drop protocol=tcp src-address-list=!support dst-port=8291 log=no comment="Block all access to the winbox - except to support list"
add chain=input action=add-src-to-address-list protocol=tcp src-address-list=!support address-list=winbox hacker address-list-timeout=1w3d dst-port=8291 log=no comment="Add winbox hackers IP to list"
add chain=input action=drop protocol=tcp src-address-list=winbox hacker dst-port=8291 log=no comment="Drop winbox hackers IP to winbox 8291"
add chain=input action=drop src-address-list=winbox hacker log=no comment="Drop winbox hackers IP address list"
/ip firewall filter
add chain=input action=accept protocol=tcp src-address-list=support dst-port=80 log=no comment="allow support IP www"
add chain=input action=drop protocol=tcp src-address-list=!support dst-port=80 log=no comment="Block all access to the www - except to support list"
add chain=input action=add-src-to-address-list protocol=tcp src-address-list=!support address-list=www hacker address-list-timeout=1w3d dst-port=80 log=no comment="Add www hackers IP to list"
add chain=input action=drop protocol=tcp src-address-list=www hacker dst-port=80 log=no comment="Drop www hackers IP to www 80"
add chain=input action=drop src-address-list=www hacker log=no comment="Drop www hackers IP address list"
You can add your modem private IP to the support list replace 0.0.0.0/0 with your modem private IP.
/ip firewall address-list
add address=0.0.0.0/0 list=support
Hope this helps
with the firewall rules above you have mentioned, it says that it will disable the telnet of the router?
do i need to bindings so that my unit will just receive the same ip from dhcp every time i connect to it?
Re: HELP: Access Mikrotik Router Externally
You want to open up telnet to the router from the internet side??
Brilliant, why didnt I think of that............
That is very very secure! Makes VPN look like swiss cheese.
Brilliant, why didnt I think of that............
That is very very secure! Makes VPN look like swiss cheese.