sohrabp72
just joined
Topic Author
Posts: 17
Joined: Sun Oct 06, 2019 1:37 pm

DDNS does not let me access my Router

Wed Oct 09, 2019 12:38 am

Hi
Recently I've read the MikroTik wiki about DDNS and wanted to give it a try.
I enabled it and it showed me my public IP address, which changes periodically because it is not valid, and a DNS name like 7de6081f5436.sn.mynetname.net.
But when I enable the cellular network on my phone to access my router from a different IP, it won't show my WebFig even though the WWW and WWW-SSL services are on.
Any idea?
 
Sob
Forum Guru
Posts: 9121
Joined: Mon Apr 20, 2009 9:11 pm

Re: DDNS does not let me access my Router

Wed Oct 09, 2019 1:34 am

DDNS just updates the hostname to whatever public IP address your router uses, but it otherwise doesn't help with incoming connections. For those to work, you need to either have a public IP address directly on your router, or have ports forwarded from a router with a public address to yours without one. If you have neither, DDNS can't help you.
 
sohrabp72
just joined
Topic Author
Posts: 17
Joined: Sun Oct 06, 2019 1:37 pm

Re: DDNS does not let me access my Router

Wed Oct 09, 2019 1:01 pm

My setup is:
A modem in bridge mode is connected to ether1 of my MikroTik, and I have a PPPoE connection that goes through ether1 for internet access. ether1 has the address 192.168.1.2/24, my bridge has 192.168.1.1/24, and the PPPoE connection over ether1 gets a public IP from the ISP. What to do now?
 
mkx
Forum Guru
Posts: 11598
Joined: Thu Mar 03, 2016 10:23 pm

Re: DDNS does not let me access my Router

Wed Oct 09, 2019 2:03 pm

what to do now?

Adjust the /ip firewall filter rules to allow access to the services you want to expose. However, it's a baaad idea to allow access to any of the router's services from random internet IP addresses (let alone allowing it from any address). So it would be wise to reconsider the decision to allow direct access to your router from the internet.
 
sohrabp72
just joined
Topic Author
Posts: 17
Joined: Sun Oct 06, 2019 1:37 pm

Re: DDNS does not let me access my Router

Wed Oct 09, 2019 2:51 pm

I just want to give it a try, and this is my educational router, so no worry about security.
Could you please explain more about how to do that part? Firewall, rules, etc.
 
mkx
Forum Guru
Posts: 11598
Joined: Thu Mar 03, 2016 10:23 pm

Re: DDNS does not let me access my Router

Wed Oct 09, 2019 3:19 pm

Perhaps you could start off by reading the firewall manual?
 
sohrabp72
just joined
Topic Author
Posts: 17
Joined: Sun Oct 06, 2019 1:37 pm

Re: DDNS does not let me access my Router

Wed Oct 09, 2019 4:40 pm

Thanks a lot, I will post my relevant problem here if I can't overcome that issue with the wiki.
Please don't close the topic for a bit.
 
sohrabp72
just joined
Topic Author
Posts: 17
Joined: Sun Oct 06, 2019 1:37 pm

Re: DDNS does not let me access my Router

Wed Oct 09, 2019 10:40 pm

Could not solve the problem, still stuck on it. Here is my firewall filter rule:
[admin@R1] > ip firewall filter print 
Flags: X - disabled, I - invalid, D - dynamic 
 0    chain=input action=accept dst-address=46.62.190.233 
      in-interface=ether1 log=no log-prefix="" 
[admin@R1] >
ether1 is the one connected to the bridge with the 192.168.1.2 IP, and my bridge has 192.168.1.1,
and also 46.62.190.233 is my public IP, which usually changes after a reconnect to the ISP.
Any idea?
 
mkx
Forum Guru
Posts: 11598
Joined: Thu Mar 03, 2016 10:23 pm

Re: DDNS does not let me access my Router

Wed Oct 09, 2019 10:51 pm

If the PPPoE connection is terminated on the RB, then the correct WAN interface is pppoe-out1 (or whatever its name is). And you don't have to specify both dst-address and in-interface in this case, as most likely there's only one IP address bound to the WAN interface.

BTW, the default settings use interface lists. To follow suit, you should add the pppoe-out1 interface to the WAN interface list and use in-interface-list=WAN instead of in-interface in firewall rules (including NAT rules).

If you go with using only in-interface(-list), then the rule is resistant to occasional changes of the WAN IP.

I'd add some specifics to the rule, such as protocol=tcp dst-port=80, to allow access only to a particular service.
 
sohrabp72
just joined
Topic Author
Posts: 17
Joined: Sun Oct 06, 2019 1:37 pm

Re: DDNS does not let me access my Router

Thu Oct 10, 2019 2:27 pm

[admin@R1] > ip firewall filter print
Flags: X - disabled, I - invalid, D - dynamic 
 0    chain=input action=accept protocol=tcp in-interface-list=WAN src-port=80 
      dst-port=80 log=no log-prefix="" 
[admin@R1] >
and
chain=dstnat action=dst-nat to-addresses=192.168.1.2 protocol=tcp 
      in-interface-list=WAN src-port=80 dst-port=80 log=no log-prefix="" 
[admin@R1] >
Still the same problem.
When I enter the public IP or the DNS name (from the Cloud window) in a web browser on one of the clients in the private network, WebFig shows up, but when I enter either the DNS name or the IP in a web browser on another device with a different connection, it does not show anything.
 
mkx
Forum Guru
Posts: 11598
Joined: Thu Mar 03, 2016 10:23 pm

Re: DDNS does not let me access my Router

Thu Oct 10, 2019 3:03 pm

Both rules have one error in common: setting src-port=80 allows only connections that have originating TCP port 80 ... which is highly unlikely; browsers usually use random TCP ports with numbers higher than 30000. So delete this part of the rules.

Both rules shown are opposed to each other as they stand. Probably you want to use the firewall filter rule, not the NAT rule (the second redirects the connection attempt to some LAN host and, if I understood you right, you actually want to connect to WebFig on the router itself).

However, I guess you have some other things misconfigured ... if the command ip firewall filter print really displayed that single rule, then it's not needed anyway, because with a non-existent firewall there's nothing that would block the connectivity.

So I'd rather you posted the output of /export hide-sensitive so we can have a look at the whole config.
 
sohrabp72
just joined
Topic Author
Posts: 17
Joined: Sun Oct 06, 2019 1:37 pm

Re: DDNS does not let me access my Router

Thu Oct 10, 2019 3:21 pm

[admin@R1] > /export hide-sensitive 
# oct/10/2019 15:50:01 by RouterOS 6.45.6
# software id = 1529-6NPQ
#
# model = RouterBOARD 941-2nD
# serial number = 7DE6081F5436
/interface bridge
add fast-forward=no name=InBridge
/interface wireless
set [ find default-name=wlan1 ] band=2ghz-b/g/n country=iran disabled=no \
    frequency=auto mode=ap-bridge ssid=R1 wireless-protocol=802.11
/interface ethernet
set [ find default-name=ether1 ] advertise=\
    10M-half,10M-full,100M-half,100M-full,1000M-half,1000M-full mac-address=\
    CC:2D:E0:19:86:F9
set [ find default-name=ether2 ] advertise=\
    10M-half,10M-full,100M-half,100M-full,1000M-half,1000M-full mac-address=\
    CC:2D:E0:19:86:FA
set [ find default-name=ether3 ] advertise=\
    10M-half,10M-full,100M-half,100M-full,1000M-half,1000M-full mac-address=\
    CC:2D:E0:19:86:FB
set [ find default-name=ether4 ] advertise=\
    10M-half,10M-full,100M-half,100M-full,1000M-half,1000M-full mac-address=\
    CC:2D:E0:19:86:FC
/interface pptp-client
add allow=pap connect-to=188.40.177.131 disabled=no name=pptp-out1 user=\
    sohrabp72
/interface pppoe-client
add add-default-route=yes allow=pap default-route-distance=2 disabled=no \
    interface=ether1 keepalive-timeout=60 name=pppoe-out1 service-name=Pars \
    use-peer-dns=yes user=6153224723
/interface list
add name=WAN
add name=LAN
/interface wireless security-profiles
set [ find default=yes ] authentication-types=wpa-psk,wpa2-psk mode=\
    dynamic-keys supplicant-identity=MikroTik
/ip pool
add name=dhcp ranges=192.168.1.2-192.168.1.254
add name=dhcp_pool1 ranges=192.168.1.2-192.168.1.10
add name=dhcp_pool2 ranges=192.168.1.11-192.168.1.20
add name=dhcp_pool3 ranges=192.168.1.2-192.168.1.30
add name=dhcp_pool4 ranges=192.168.2.2-192.168.2.20
add name=dhcp_pool5 ranges=192.168.1.2-192.168.1.5
add name=vpn ranges=192.168.89.2-192.168.89.255
/ip dhcp-server
add address-pool=dhcp_pool4 authoritative=after-2sec-delay disabled=no \
    interface=InBridge lease-time=1w3d10m name=dhcp1
add address-pool=dhcp_pool5 disabled=no interface=ether1 lease-time=3d10m name=\
    dhcp2
/ppp profile
set *FFFFFFFE local-address=192.168.89.1 remote-address=vpn
/interface bridge port
add bridge=InBridge hw=no interface=ether2
add bridge=InBridge interface=wlan1
/ip neighbor discovery-settings
set discover-interface-list=all
/interface l2tp-server server
set enabled=yes use-ipsec=yes
/interface list member
add interface=pppoe-out1 list=WAN
add interface=InBridge list=LAN
/interface pptp-server server
set enabled=yes
/ip address
add address=192.168.2.1/24 interface=ether2 network=192.168.2.0
add address=192.168.1.2/24 interface=ether1 network=192.168.1.0
/ip cloud
set ddns-enabled=yes
/ip dhcp-server network
add address=192.168.1.0/24 gateway=192.168.1.1
add address=192.168.2.0/24 dns-server=8.8.8.8,178.22.122.100 gateway=\
    192.168.2.1
/ip dns
set allow-remote-requests=yes servers=4.2.2.4
/ip firewall filter
add action=accept chain=input in-interface-list=WAN
/ip firewall mangle
add action=mark-routing chain=prerouting new-routing-mark=VPN passthrough=yes \
    src-address=192.168.2.0/24
/ip firewall nat
add action=masquerade chain=srcnat out-interface=pppoe-out1
add action=masquerade chain=srcnat comment=\
    "src nat for private lan network to bridge network" dst-address=192.168.1.1 \
    out-interface=ether1 src-address=192.168.2.0/24
add action=dst-nat chain=dstnat comment="dst nat for pptp" in-interface=\
    pptp-out1 to-addresses=192.168.2.0/24
add action=masquerade chain=srcnat comment="src nat for pptp" out-interface=\
    pptp-out1 src-address=192.168.2.0/24
/ip route
add distance=1 gateway=pptp-out1 routing-mark=VPN
add distance=2 gateway=pppoe-out1
add distance=1 dst-address=188.40.177.131/32 gateway=pppoe-out1
/ip service
set telnet disabled=yes
set ftp disabled=yes
set ssh disabled=yes
set www-ssl disabled=no
set api disabled=yes
set api-ssl disabled=yes
/ip upnp
set enabled=yes
/ip upnp interfaces
add interface=ether2 type=internal
add interface=pppoe-out1 type=external
add interface=InBridge type=internal
/ppp secret
add name=vpn
/system clock
set time-zone-name=Asia/Tehran
/system identity
set name=R1
/system ntp client
set primary-ntp=5.78.150.112 secondary-ntp=5.78.150.112
/system routerboard settings
set boot-protocol=dhcp
[admin@R1] > 

 
mkx
Forum Guru
Posts: 11598
Joined: Thu Mar 03, 2016 10:23 pm

Re: DDNS does not let me access my Router

Thu Oct 10, 2019 3:40 pm

OK, from the exported config it's clear that your firewall is non-existent ... the implicit default rule is allow, and as you don't have any drop rules you should be able to connect to WebFig from anywhere. As you're not able to do so from the internet, it's clear that your ISP is doing some firewalling (and it seems to be a good thing, otherwise your router would have been hacked by now).

Before you get the ISP to release the firewall rules on your WAN IP, I suggest you get some good firewall up & running. You should probably start off with the default rules; you can see what they are by executing /system default-configuration print. There are something like 12 filter rules and you probably should apply them exactly as shown. Then add whatever you deem necessary just before the ultimate action=drop rule for the given chain ...
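Before asking the ISP anything, it is worth confirming on the router itself whether connection attempts from the internet arrive at all: if they do, the problem is on the router (filter rules or the service); if they never show up, something upstream is filtering them. The snippet below is an added example, not code from the thread, and assumes the WAN interface list from the export above (pppoe-out1 as its member) and at least one existing filter rule so that place-before=0 has something to point at; the comment text and log prefix are my own placeholders.

```routeros
# Temporary diagnostic: log every NEW tcp/80 or tcp/443 attempt that reaches the
# router from the WAN side, placed at the top of the input chain so nothing above
# it can swallow the packet first. (Added example; not the thread author's config.)
/ip firewall filter
add chain=input action=log log-prefix="wan-www-in" protocol=tcp dst-port=80,443 \
    in-interface-list=WAN connection-state=new place-before=0 \
    comment="diag: log new WWW/WWW-SSL attempts from WAN"

# Now open http(s)://<your mynetname.net hostname> from the phone on cellular,
# then look for the prefix in the log:
/log print where message~"wan-www-in"
# Entries present -> packets reach the router; check filter order and services.
# No entries      -> packets never arrive; the ISP (or carrier-grade NAT) drops them.

# Confirm the HTTP/HTTPS services themselves are enabled while you are at it:
/ip service print where name~"www"

# Remove the diagnostic rule once done; logging every WAN probe is noisy.
/ip firewall filter remove [find comment="diag: log new WWW/WWW-SSL attempts from WAN"]
```

The rule only matches connection-state=new, so one browser attempt produces a single log line rather than one per packet, which keeps the log readable while the test runs.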
 
sohrabp72
just joined
Topic Author
Posts: 17
Joined: Sun Oct 06, 2019 1:37 pm

Re: DDNS does not let me access my Router

Thu Oct 10, 2019 3:47 pm

So the problem is my ISP?
And for the command /system default-configuration print:
I don't understand the output of the command and don't know what to do.
 
mkx
Forum Guru
Posts: 11598
Joined: Thu Mar 03, 2016 10:23 pm

Re: DDNS does not let me access my Router

Thu Oct 10, 2019 3:55 pm

I'd say it's definitely your ISP.

As for the default config: the command outputs a script that, if run on an unconfigured router, will create the default config. You can take out any part and apply it manually.

E.g. the default IP firewall filter rule list is this:
/ip firewall {
    filter add chain=input action=accept connection-state=established,related,untracked comment="defconf: accept established,related,untracked"
    filter add chain=input action=drop connection-state=invalid comment="defconf: drop invalid"
    filter add chain=input action=accept protocol=icmp comment="defconf: accept ICMP"
    filter add chain=input action=accept dst-address=127.0.0.1 comment="defconf: accept to local loopback (for CAPsMAN)"
    filter add chain=input action=drop in-interface-list=!LAN comment="defconf: drop all not coming from LAN"
    filter add chain=forward action=accept ipsec-policy=in,ipsec comment="defconf: accept in ipsec policy"
    filter add chain=forward action=accept ipsec-policy=out,ipsec comment="defconf: accept out ipsec policy"
    filter add chain=forward action=fasttrack-connection connection-state=established,related comment="defconf: fasttrack"
    filter add chain=forward action=accept connection-state=established,related,untracked comment="defconf: accept established,related, untracked"
    filter add chain=forward action=drop connection-state=invalid comment="defconf: drop invalid"
    filter add chain=forward action=drop connection-state=new connection-nat-state=!dstnat in-interface-list=WAN comment="defconf: drop all from WAN not DSTNATed"
}
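Putting together the advice from the thread (use in-interface-list=WAN rather than a fixed dst-address, match protocol=tcp plus a dst-port and no src-port, and insert any extra accept rule before the final defconf drop rule), here is an added example of how the one management rule would be added on top of the default rule set. It is not code from the thread or from MikroTik's defconf; it assumes the defconf rules above are already applied and that the WAN/LAN interface lists from the export exist. The comment strings, the admin-src list name and the 203.0.113.0/24 address are placeholders.

```routeros
# Added example (not the thread author's config). Allow WebFig only over
# WWW-SSL (tcp/443), only for new connections, only from the WAN list, and
# place it ABOVE "drop all not coming from LAN": the filter chain is evaluated
# first-match, so an accept appended after the drop would never be reached.
/ip firewall filter
add chain=input action=accept protocol=tcp dst-port=443 in-interface-list=WAN \
    connection-state=new comment="admin: WebFig over HTTPS from WAN" \
    place-before=[find comment="defconf: drop all not coming from LAN"]

# Optional tightening: only let known admin networks even attempt the connection.
# 203.0.113.0/24 is a documentation-range placeholder; replace with your own.
/ip firewall address-list add list=admin-src address=203.0.113.0/24 \
    comment="placeholder: networks allowed to manage the router"
/ip firewall filter set [find comment="admin: WebFig over HTTPS from WAN"] \
    src-address-list=admin-src

# Verify the order: the accept rule must be listed above the defconf drop rule.
/ip firewall filter print where chain=input

# Plain HTTP (tcp/80) carries the login in cleartext; keep www for LAN use only
# and expose www-ssl, which the export above already has enabled.
/ip service print where name~"www"
```

Two caveats that follow from the export above: the defconf "drop all not coming from LAN" rule also blocks the L2TP and PPTP servers that are enabled there, so if those are meant to be reachable from the internet they need their own accept rules placed before that drop as well; and the source-address-list restriction will not fit a phone on cellular whose address changes, in which case leave that step out and rely on the port and connection-state restrictions alone.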
