MikroTik App
mikrowizard
just joined
Topic Author
Posts: 12
Joined: Fri Jul 16, 2021 3:36 am

Remote Access via Winbox

Fri Jul 16, 2021 4:04 am

I am trying to remotely access my RBLHGR&R11e-LTE-US MikroTik via the WAN IP address of the mikrotik in Winbox, but it is not working.

I have created the firewall rule to allow port 8291 to accept all traffic using an old forum page.

/ip firewall filter add action=accept chain=input disabled=no dst-port=8291 protocol=tcp

Even after doing this and putting it at the top of my firewall rules list, I still cannot access the Mikrotik using Winbox???
 
anav
Forum Guru
Posts: 18961
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Remote Access via Winbox

Fri Jul 16, 2021 5:17 pm

Not a safe or advised practice.
It would be like giving all your bank information to hackers and letting them play with password crackers to eventually get into your system.

The way to access your router remotely via winbox is to
a. preferably use IPSEC VPN or IKEv2 VPN
b. from a PC or your smart phone using the MT app.
c. or use port knocking as a less secure but still better method than the almost zero security of what you wish to do.

Also suggest changing winbox port from default to something else.
NEVER open up your winbox port to the internet!!!
(delete any such rule asap....... )

In fact in the input chain the only rules to allow port access externally are VPN ports to establish initial connectivity.
 
mikrowizard
just joined
Topic Author
Posts: 12
Joined: Fri Jul 16, 2021 3:36 am

Re: Remote Access via Winbox

Mon Jul 19, 2021 4:27 pm

Okay, thanks for the advice.

Is it possible to use the MikroTik App to remotely log in to the MikroTik? I have used it over the LAN inside the network, but have not tried it using the WAN IP address.
 
anav
Forum Guru
Posts: 18961
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Remote Access via Winbox

Mon Jul 19, 2021 4:44 pm

Yes, I have done it
a. with IKEV2 VPN
b. wireguard vpn

The only other way one would want to do it, not as secure as proper VPN, is port knocking.

https://mum.mikrotik.com/presentations/US10/discher.pdf
https://mum.mikrotik.com/presentations/ ... tknock.pdf
https://systemzone.net/securing-mikroti ... -knocking/

In this example below it looks like they use port knocking to then access other security protocols that are not quite as secure as standard VPN (like older pptp vpn and SSH etc...)
viewtopic.php?f=13&t=161763&p=868046&hi ... ng#p868046
 
tangent
Forum Guru
Posts: 1333
Joined: Thu Jul 01, 2021 3:15 pm

Re: Remote Access via Winbox

Tue Jul 20, 2021 12:45 am

SSH can also be a "VPN" of sorts:

$ ssh -L 8291:192.168.88.1:8291 my.public.host.name.example.com

This presumably connects to a NAT-forwarded public port, which in turn connects to a host behind the firewall that accepts your SSH connection. You may want to change the ports to add a bit of obscurity, saving you from a lot of script kiddie traffic, but I'm keeping the concept simple for this example.

You can then run WinBox on the same machine as you SSH'd from and point it at "localhost". It will connect to the local port 8291, and that will be forwarded through the presumed secure SSH tunnel back inside the LAN to the router at 192.168.88.1.

RouterOS itself can be this SSH-receiving host, but you have to set "/ip ssh forwarding-enabled=yes" to allow the tunnel. Regular SSH servers typically enable this by default. If you set strong SSH keys for the users, this tunnel will be all but impervious to brute force attacks short of DDoS.
 
anav
Forum Guru
Posts: 18961
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Remote Access via Winbox

Tue Jul 20, 2021 1:43 am

I would not consider SSH to be on the same level as VPN, so I would port knock and then SSH in from there as per the fourth link provided.

Not sure if this is accurate enough regarding SSH, but:
2. Because SSH operates on an application level, only traffic from your applications gets encrypted. This means that any application on your device you want to protect will have to be configured separately for the SSH tunnel. On the other hand, a VPN connection automatically encrypts all your traffic, and some let you choose which apps you don’t want to encrypt through the VPN.

3. SSH uses only TCP, which makes it easy for ISPs and servers to detect its traffic.

4. It doesn’t have protection against DNS leaks.
 
tangent
Forum Guru
Posts: 1333
Joined: Thu Jul 01, 2021 3:15 pm

Re: Remote Access via Winbox

Tue Jul 20, 2021 2:01 am

Because SSH operates on an application level, only traffic from your applications gets encrypted.

Thus the quotes around "VPN" above. I'm not trying to tell you to use SSH instead of IPsec or Wireguard. It's simply a useful tool to have in your pocket when you only need a small number of ports to be securely forwarded through the firewall. One short command, and with pre-configuration in ~/.ssh/config, it's even shorter. Tell me that's not valuable to know.

a VPN connection automatically encrypts all your traffic

Some do by default, but that practice isn't universal, nor is it always wanted. Tell me again how great it is to run everything through the VPN when I'm trying to copy a file from my local NAS to a host on the remote side. Thus this question.

SSH uses only TCP, which makes it easy for ISPs and servers to detect its traffic

ISPs can't detect IPsec?

OpenVPN (which is TCP-based) isn't a VPN?

This feels like gate-keeping to me. Needless quibbling over what a "VPN" is or must be. What it needs to be is what the user needs it to be, no more, no less.

It doesn’t have protection against DNS leaks.

I'm pretty sure OP isn't worried if "localhost" leaks. 😉
 
Jotne
Forum Guru
Posts: 3279
Joined: Sat Dec 24, 2016 11:17 am
Location: Magrathean

Re: Remote Access via Winbox

Tue Jul 20, 2021 8:24 am

Here is my default answer to users who like to access their router from a remote site.

My response to that is to use VPN. And if VPN cannot be used, or you have no clue or possibility to set it up, I do recommend:

1. Use another port than default.
2. Use port knocking. This prevents someone from seeing open ports.
3. Use a long and good password.
4. Use access list to prevent any random internet from accessing your router.
5. Log everything. (See my signature for example.)
6. Upgrade firmware to latest stable release
7. ++++

I did test RemoteWinbox viewtopic.php?t=162583, but I will not use it.
I do not trust anyone, so that is why I never will use an online password service for example.
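A RouterOS configuration that turns the advice in this thread into firewall rules, added here as an illustration and not taken from any post: the accept-all-on-8291 rule from the opening post is kept only as a disabled reference next to an input chain that opens just the IKEv2/IPsec ports on the WAN, a two-stage port-knock sequence feeding an address list, and logging of blocked Winbox attempts, covering items 2, 4 and 5 of the list above. The interface-list names WAN and LAN, the subnets, the knock ports 1234/4321 and the address-list names are assumed values.

```routeros
# Assumed values: interface lists WAN and LAN, LAN subnet 192.168.88.0/24, VPN client
# pool 192.168.77.0/24, knock ports 1234 then 4321, lists knock-stage1/winbox-allowed.
# RouterOS 6.x syntax ("\" continues a line in a script or terminal).

/ip firewall filter
# The rule from the opening post, kept only as a reference and left disabled:
# it exposes Winbox to every host on the internet.
add chain=input action=accept protocol=tcp dst-port=8291 disabled=yes \
    comment="DO NOT ENABLE: opens Winbox to the whole internet"

# Hardened input chain; rules are evaluated top to bottom, so order matters.
add chain=input action=accept connection-state=established,related \
    comment="replies to connections already accepted"
add chain=input action=drop connection-state=invalid

# Preferred way in: only the IKEv2/IPsec ports are reachable from the WAN.
add chain=input action=accept in-interface-list=WAN protocol=udp \
    dst-port=500,4500 comment="IKEv2 / NAT-T"
add chain=input action=accept in-interface-list=WAN protocol=ipsec-esp

# Port knocking, the fallback option: TCP to 1234 and then to 4321 within 15 s
# puts the source address on winbox-allowed for 10 minutes.
add chain=input action=add-src-to-address-list in-interface-list=WAN \
    protocol=tcp dst-port=1234 address-list=knock-stage1 address-list-timeout=15s
add chain=input action=add-src-to-address-list in-interface-list=WAN \
    protocol=tcp dst-port=4321 src-address-list=knock-stage1 \
    address-list=winbox-allowed address-list-timeout=10m

# Winbox is accepted only from the LAN or from a host that completed the knock.
add chain=input action=accept in-interface-list=LAN protocol=tcp dst-port=8291
add chain=input action=accept src-address-list=winbox-allowed protocol=tcp \
    dst-port=8291

# Anything else aimed at the Winbox port from the WAN is logged, then dropped.
add chain=input action=drop in-interface-list=WAN protocol=tcp dst-port=8291 \
    log=yes log-prefix="winbox-blocked"
add chain=input action=accept in-interface-list=LAN
add chain=input action=drop comment="default deny for traffic to the router"

# Second layer: the service only answers from these networks (LAN plus VPN pool).
# Drop this line if you rely on port knocking from arbitrary WAN addresses.
/ip service set winbox address=192.168.88.0/24,192.168.77.0/24

# Only needed for the SSH local-forward approach (ssh -L ... to the router).
/ip ssh set forwarding-enabled=yes
```

Check the result with `/ip firewall filter print` and `/log print where message~"winbox-blocked"` after a test connection from outside; the first shows rule order, the second confirms unauthorised attempts are being logged rather than answered.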
 
mikrowizard
just joined
Topic Author
Posts: 12
Joined: Fri Jul 16, 2021 3:36 am

Re: Remote Access via Winbox

Sat Jul 31, 2021 12:57 am

Here is my default answer to users who like to access their router from a remote site.

My response to that is to use VPN. And if VPN cannot be used, or you have no clue or possibility to set it up, I do recommend:

1. Use another port than default.
2. Use port knocking. This prevents someone from seeing open ports.
3. Use a long and good password.
4. Use access list to prevent any random internet from accessing your router.
5. Log everything. (See my signature for example.)
6. Upgrade firmware to latest stable release
7. ++++

I did test RemoteWinbox viewtopic.php?t=162583, but I will not use it.
I do not trust anyone, so that is why I never will use an online password service for example.
Can you explain how I can setup a IPsec tunnel on my mikrotik?
 
