Community discussions

 
miltont
newbie
Topic Author
Posts: 47
Joined: Wed Nov 11, 2015 3:58 am

Permit Winbox

Sat Jul 27, 2019 1:49 am

Greetings
I have 1 RouterBOARD 962UiGS-5HacT2HnT with Firmware 6.45.1
With Default Settings, i have 1 public ip address assigned on my PPPOE Session, i want to be able to connect via WINBOX to it.
Its enabled on Services port 8291, but im not able to connect with my laptop using Mobile ATT ,

IS there a FW Rule that maybe is blocking ?
 
User avatar
ingdaka
Member Candidate
Member Candidate
Posts: 134
Joined: Thu Aug 30, 2012 3:06 pm
Location: Albania
Contact:

Re: Permit Winbox

Sat Jul 27, 2019 7:56 am

In default configuration access from wan is blocked! Just go to IP > Firewall > Filter Rules and disable input drop rule ate the end of list
Of better recommend is to create a new rule chain input, protocol tcp, Dst. Port 8291, action accept and put this rule on top of all other rules!
Ilir Daka
Electronic & Network Engineer
E-mail: ilirdaka@live.com
Mob: +355692982151
WhatsApp: +355692982151
Mikrotik Official Consultant
CCNA | Fortinet NSE3 | MTCRE | MTCSE
 
pe1chl
Forum Guru
Forum Guru
Posts: 5545
Joined: Mon Jun 08, 2015 12:09 pm

Re: Permit Winbox

Sat Jul 27, 2019 9:08 am

Of course both of these solutions are not recommended!
There have been several problems with Winbox security in the recent past, and people that have done what was described here have found that their routers were hacked.
MikroTik thinks that the current version is no longer vulnerable to such attacks, but so they did for previous versions and there were some very big holes in them.
So please manage your devices only from the inside, and when you really need to access it from outside then try to find a range of IP addresses that you can allow access, and still block the majority of the internet.
 
rbnewfan
newbie
Posts: 28
Joined: Sat Oct 22, 2016 5:23 pm

Re: Permit Winbox

Sat Jul 27, 2019 10:51 am

I agree with pe1chl, of course.
Permitting only a range of IPs that you anticipate your mobile or other internet would have when you want access, is the way to go.
Still, this is kinda ridiculous to always be scared to allow access from the internet, because of such large-scale exploits that can happen. I have bunch of internal services (IRC, FTP, Web etc. etc.) on internal computers available to the internet and never had any problem with what. Yet mikrotiks had so many holes in this basic administration service!
The protocol should be strong and well established - receive requests for connection, and if incorrect credentials, just refuse and done. Very frustrating and this causes many annoyances.
Trust is easily lost.
 
User avatar
Jotne
Forum Guru
Forum Guru
Posts: 1235
Joined: Sat Dec 24, 2016 11:17 am
Location: Magrathean

Re: Permit Winbox

Sat Jul 27, 2019 11:10 am

I do agree that MT should not have had these problems. Since with MT you can do nearly everything with it, setup proxy or socks server, its much more interesting to get inn to an MikroTik Router

Why you should not open your router form outside has been discussed here many times before.

If you need access from outside to you router, you should use VPN.
Router could call home and you can access it. VPN can use DNS, so if you have a dynamic IP, that should be no problem.

If you need to open Winbox/SSH or web access to MT and can not use VPN, you should.
1. Use Port Knocking.
2. Use access-list
3. Disable admin, add a new user with long password.
4. Log all access
+++
 
How to use Splunk to monitor your MikroTik Router

MikroTik->Splunk
 
 
pe1chl
Forum Guru
Forum Guru
Posts: 5545
Joined: Mon Jun 08, 2015 12:09 pm

Re: Permit Winbox

Sat Jul 27, 2019 2:23 pm

I agree that a VPN or more clever firewall is a better solution for this problem, but it is not so useful to suggest that to a beginner who does not yet know how the firewall works.
That is why I suggested more simple solutions for now.
 
miltont
newbie
Topic Author
Posts: 47
Joined: Wed Nov 11, 2015 3:58 am

Re: Permit Winbox

Sat Jul 27, 2019 6:33 pm

I gave up, on the winbox, but i needed also to permit port 8282 to access DVR, i created the forward and also DST NAT from public to private ip
and still shows it as filtered and not open if i scan via a online scan port website....
FW-RB2.jpg
FW-RB.jpg
You do not have the required permissions to view the files attached to this post.
 
Sob
Forum Guru
Forum Guru
Posts: 4385
Joined: Mon Apr 20, 2009 9:11 pm

Re: Permit Winbox

Sat Jul 27, 2019 7:27 pm

1) Don't post screenshots, they don't show everything, post config export instead. In this case "/ip firewall export" could be enough.
2) Firewall rule #1 is useless, input chain is for services on router itself, not for forwarded ports.
3) By disabling firewall rule #5, you opened every service on router to whole world. So on the upside, even access to WinBox from internet should now work. But it's probably not the best idea (see previous posts).
4) You don't need rule #12, implicit invisible accept rule at the end already exists.
5) Assuming your dstnat rule is correct, and since you (as it seems) didn't change much in default firewall, it should work. You already have some incoming connections matched by the rule. So also check if the target device is configured correctly.
People who quote full posts should be spanked with ethernet cable. Some exceptions for multi-topic threads may apply.
 
miltont
newbie
Topic Author
Posts: 47
Joined: Wed Nov 11, 2015 3:58 am

Re: Permit Winbox

Sat Jul 27, 2019 10:18 pm

add action=accept chain=input dst-port=8282 protocol=tcp
add action=accept chain=input comment=\
"defconf: accept established,related,untracked" connection-state=\
established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
invalid disabled=yes log=yes
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
disabled=yes in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
connection-state=established,related
add action=accept chain=forward comment=\
"defconf: accept established,related, untracked" connection-state=\
established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=\
invalid log=yes
add action=drop chain=forward comment=\
"defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
connection-state=new in-interface-list=WAN
add action=accept chain=forward log=yes
/ip firewall nat
add action=dst-nat chain=dstnat dst-address=23.x.x.x dst-port=8282 log=yes \
protocol=tcp to-addresses=192.168.0.201 to-ports=8282
add action=masquerade chain=srcnat comment="defconf: masquerade" ipsec-policy=\
out,none out-interface-list=WAN

1) Don't post screenshots, they don't show everything, post config export instead. In this case "/ip firewall export" could be enough.
2) Firewall rule #1 is useless, input chain is for services on router itself, not for forwarded ports.
3) By disabling firewall rule #5, you opened every service on router to whole world. So on the upside, even access to WinBox from internet should now work. But it's probably not the best idea (see previous posts).
4) You don't need rule #12, implicit invisible accept rule at the end already exists.
5) Assuming your dstnat rule is correct, and since you (as it seems) didn't change much in default firewall, it should work. You already have some incoming connections matched by the rule. So also check if the target device is configured correctly.
 
miltont
newbie
Topic Author
Posts: 47
Joined: Wed Nov 11, 2015 3:58 am

Re: Permit Winbox

Sat Jul 27, 2019 10:23 pm

Removed the ones and ran the export again

add action=accept chain=input comment=\
"defconf: accept established,related,untracked" connection-state=\
established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
invalid log=yes
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
disabled=yes in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
connection-state=established,related
add action=accept chain=forward comment=\
"defconf: accept established,related, untracked" connection-state=\
established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=\
invalid log=yes
add action=drop chain=forward comment=\
"defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
connection-state=new in-interface-list=WAN
/ip firewall nat
add action=dst-nat chain=dstnat dst-address=23.x.x.x dst-port=8282 log=yes \
protocol=tcp to-addresses=192.168.0.201 to-ports=8282
add action=masquerade chain=srcnat comment="defconf: masquerade" ipsec-policy=\
out,none out-interface-list=WAN
 
Sob
Forum Guru
Forum Guru
Posts: 4385
Joined: Mon Apr 20, 2009 9:11 pm

Re: Permit Winbox

Sun Jul 28, 2019 2:28 am

You still have all access to router open (see point 3 in previous post). But other than that, there's nothing wrong. So try to watch packets more closely. You use either Tools->Torch, or some logging rules, e.g.:
/ip firewall mangle
add chain=postrouting dst-address=192.168.0.201 protocol=tcp dst-port=8282 action=log log-prefix="packet to DVR"
add chain=prerouting src-address=192.168.0.201 protocol=tcp src-port=8282 action=log log-prefix="response from DVR"
The first rule should log some packets (if dstnat rule logs something, it should be here too). The second rule will only log something if DVR responds. If it doesn't, you need to check what's wrong there.
People who quote full posts should be spanked with ethernet cable. Some exceptions for multi-topic threads may apply.
 
pe1chl
Forum Guru
Forum Guru
Posts: 5545
Joined: Mon Jun 08, 2015 12:09 pm

Re: Permit Winbox

Sun Jul 28, 2019 8:30 am

DVR are usually even worse than Winbox for security, so when you are going to do that it may be better to setup a VPN.

Who is online

Users browsing this forum: No registered users and 33 guests