dermawas
Frequent Visitor, Topic Author
Posts: 64
Joined: Sat Jul 10, 2021 7:06 am

Accessing router in different ethernet port

Fri Jul 23, 2021 5:39 pm

Hi all,
Please, I need your expert advice.
I wish to be able, from my main PC, to connect to any of the 3 wireless APs shown below:
[attachment: accessing router webconfig.PNG]
but I can't open the web config or ping the device.
I've tried creating a route to each of the static IPs, but it's not working, and using NAT also.

Anyone can help?
My purpose in doing this is to be able to configure the wireless APs and restart them whenever I need to, remotely (from the main PC).

Appreciate your advice,

Thank you
 
anav
Forum Guru
Posts: 18958
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Accessing router in different ethernet port

Fri Jul 23, 2021 5:48 pm

In general this should be very easy to do.
I would create a firewall address list for the three access points.
Then I would have a firewall rule in the forward chain allowing your PC (source address) to reach the destination address list (the list of the 3 access points).
That is the general concept without looking at your config.

I will look at the config next to see what makes sense...
 
dermawas
Frequent Visitor, Topic Author
Posts: 64
Joined: Sat Jul 10, 2021 7:06 am

Re: Accessing router in different ethernet port

Fri Jul 23, 2021 5:57 pm

anav wrote:
> In general this should be very easy to do.
> I would create a firewall address list for the three access points.
> Then I would have a firewall rule in the forward chain allowing your PC (source address) to reach the destination address list (the list of the 3 access points).
> That is the general concept without looking at your config.
>
> I will look at the config next to see what makes sense...

Hi Anav,

Nope, doesn't work, unless my firewall rule is wrong...
[attachment: router access.PNG]
The router IP list:
[attachment: routerlist.PNG]
# jul/23/2021 21:55:04 by RouterOS 6.48.3
# software id = XF6Q-13TJ
#
# model = RB750Gr3
# serial number = CC220DD3DF58
/ip firewall address-list
add address=192.168.0.250 list=allowed_to_router
add address=192.168.88.2-192.168.88.254 comment="Service Port IP" list=allowed_to_router
add address=192.168.8.100 list=allowed_to_router
add address=0.0.0.0/8 comment=RFC6890 list=not_in_internet
add address=172.16.0.0/12 comment=RFC6890 list=not_in_internet
add address=192.168.0.0/16 comment=RFC6890 list=not_in_internet
add address=10.0.0.0/8 comment=RFC6890 list=not_in_internet
add address=169.254.0.0/16 comment=RFC6890 list=not_in_internet
add address=127.0.0.0/8 comment=RFC6890 list=not_in_internet
add address=224.0.0.0/4 comment=Multicast list=not_in_internet
add address=198.18.0.0/15 comment=RFC6890 list=not_in_internet
add address=192.0.0.0/24 comment=RFC6890 list=not_in_internet
add address=192.0.2.0/24 comment=RFC6890 list=not_in_internet
add address=198.51.100.0/24 comment=RFC6890 list=not_in_internet
add address=203.0.113.0/24 comment=RFC6890 list=not_in_internet
add address=100.64.0.0/10 comment=RFC6890 list=not_in_internet
add address=240.0.0.0/4 comment=RFC6890 list=not_in_internet
add address=192.88.99.0/24 comment="6to4 relay Anycast [RFC 3068]" list=not_in_internet
add address=192.168.0.7 list=WirelesRouterList
add address=192.168.0.5 list=WirelesRouterList
add address=192.168.0.2 list=WirelesRouterList
/ip firewall filter
add action=accept chain=input comment="default configuration - Established, Related" connection-state=established,related
add action=drop chain=input comment="\"Drop invalid\"" connection-state=invalid
add action=accept chain=input comment="Allow LAN DNS queries - TCP" connection-state=new dst-port=53 in-interface-list=AllLan protocol=tcp
add action=accept chain=input comment="Allow LAN DNS queries-UDP" connection-state=new dst-port=53 in-interface-list=AllLan protocol=udp
add action=accept chain=input comment="Allow ICMP" protocol=icmp
add action=accept chain=input comment="Allow winbox to connect from listed IP" dst-address=192.168.88.1 src-address-list=allowed_to_router
add action=drop chain=input comment="Drop all else!"
add action=fasttrack-connection chain=forward comment=FastTrack connection-state=established,related
add action=accept chain=forward comment="Established, Related" connection-state=established,related
add action=accept chain=forward comment="Allow connection to routers" dst-address-list=WirelesRouterList src-address=192.168.8.100
add action=drop chain=forward comment="Block certain Mac" src-mac-address=4C:17:44:51:B0:6A
add action=drop chain=forward comment="Drop invalid" connection-state=invalid log=yes log-prefix=invalid
add action=accept chain=forward comment="Allow port forwarding" connection-nat-state=dstnat connection-state=new in-interface=1modem log=yes log-prefix=PortForwardedTraffic
add action=accept chain=forward comment="Allow Wireless to DVR" dst-address=192.168.10.254 in-interface=4wireless out-interface=5DVR
add action=drop chain=forward comment="Block Just before allowing internet traffic from your subnets" dst-address-list=not_in_internet in-interface-list=AllLan
add action=accept chain=forward comment="Allow internet traffic" in-interface-list=AllLan out-interface-list=WAN
add action=drop chain=forward comment="Drop all else!"
/ip firewall nat
add action=masquerade chain=srcnat out-interface=1modem
add action=dst-nat chain=dstnat comment="to see cctv from outside" dst-port=8000 in-interface=1modem protocol=tcp to-addresses=192.168.10.254 to-ports=8000
add action=dst-nat chain=dstnat comment="to see cctv from wireless network" dst-port=8000 in-interface=4wireless protocol=tcp to-addresses=192.168.10.254 to-ports=8000
/ip firewall service-port
set ftp disabled=yes
set tftp disabled=yes
set irc disabled=yes
set h323 disabled=yes
set sip disabled=yes
set udplite disabled=yes
set dccp disabled=yes
 
dermawas
Frequent Visitor, Topic Author
Posts: 64
Joined: Sat Jul 10, 2021 7:06 am

Re: Accessing router in different ethernet port

Fri Jul 23, 2021 6:35 pm

Oh, I tried adding an additional NAT rule... still doesn't work.
Not sure what's wrong with this.
 
anav
Forum Guru
Posts: 18958
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Accessing router in different ethernet port

Fri Jul 23, 2021 8:14 pm

Thanks for posting the config.

(1) Input chain: only one line to change!

/ip firewall filter
add action=accept chain=input comment="default configuration - Established, Related" connection-state=established,related
add action=drop chain=input comment="\"Drop invalid\"" connection-state=invalid
add action=accept chain=input comment="Allow LAN DNS queries - TCP" connection-state=new dst-port=53 in-interface-list=AllLan protocol=tcp
add action=accept chain=input comment="Allow LAN DNS queries-UDP" connection-state=new dst-port=53 in-interface-list=AllLan protocol=udp
add action=accept chain=input comment="Allow ICMP" protocol=icmp

add action=accept chain=input comment="Allow winbox to connect from listed IP" dst-address=192.168.88.1 src-address-list=allowed_to_router
add action=drop chain=input comment="Drop all else!"

There is no need to put in your WinBox number or IP address in the config. I note that you have two different interfaces that you want to be able to access the router from.
Typically I also include a management interface as well, but it may not apply in your case.
Simply need:
add action=accept chain=input comment="Allow admin access" src-address-list=allowed_to_router

(2) Forward chain: only one rule here I don't get... with the block-all rule at the end this should not be required... what is it for?
add action=drop chain=forward comment="Block certain Mac" src-mac-address=4C:17:44:51:B0:6A

(3) NAT: only one rule that needs removal... you have it covered in the forward chain!!
/ip firewall nat
add action=dst-nat chain=dstnat comment="to see cctv from wireless network" dst-port=8000 in-interface=4wireless protocol=tcp to-addresses=192.168.10.254 to-ports=8000

Already have:
add action=accept chain=forward comment="Allow Wireless to DVR" dst-address=192.168.10.254 in-interface=4wireless out-interface=5DVR

(4) I need to see the full config to figure out anything else that may be getting in the way!!
 
anav
Forum Guru
Posts: 18958
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Accessing router in different ethernet port

Fri Jul 23, 2021 8:17 pm

Found something, LOL.
The dangers of adding extra rules (bloatware) in firewall rules.
Check this out.

ip address
add address=192.168.88.1/24 interface=2local network=192.168.88.0
add address=192.168.8.1/24 interface=3wired network=192.168.8.0
add address=192.168.0.1/24 interface=4wireless network=192.168.0.0
add address=192.168.10.1/24 interface=5DVR network=192.168.10.0

ip firewall address-list
add address=192.168.0.250 list=allowed_to_router
add address=192.168.88.2-192.168.88.254 comment="Service Port IP" list=allowed_to_router
add address=192.168.8.100 list=allowed_to_router
add address=0.0.0.0/8 comment=RFC6890 list=not_in_internet
add address=172.16.0.0/12 comment=RFC6890 list=not_in_internet
add address=192.168.0.0/16 comment=RFC6890 list=not_in_internet
add address=10.0.0.0/8 comment=RFC6890 list=not_in_internet
add address=169.254.0.0/16 comment=RFC6890 list=not_in_internet
add address=127.0.0.0/8 comment=RFC6890 list=not_in_internet
add address=224.0.0.0/4 comment=Multicast list=not_in_internet
add address=198.18.0.0/15 comment=RFC6890 list=not_in_internet
add address=192.0.0.0/24 comment=RFC6890 list=not_in_internet
add address=192.0.2.0/24 comment=RFC6890 list=not_in_internet
add address=198.51.100.0/24 comment=RFC6890 list=not_in_internet
add address=203.0.113.0/24 comment=RFC6890 list=not_in_internet
add address=100.64.0.0/10 comment=RFC6890 list=not_in_internet
add address=240.0.0.0/4 comment=RFC6890 list=not_in_internet
add address=192.88.99.0/24 comment="6to4 relay Anycast [RFC 3068]" list=\
 
dermawas
Frequent Visitor, Topic Author
Posts: 64
Joined: Sat Jul 10, 2021 7:06 am

Re: Accessing router in different ethernet port

Fri Jul 23, 2021 8:46 pm

anav wrote:
> Thanks for posting the config.
>
> (1) Input chain: only one line to change!
>
> /ip firewall filter
> add action=accept chain=input comment="default configuration - Established, Related" connection-state=established,related
> add action=drop chain=input comment="\"Drop invalid\"" connection-state=invalid
> add action=accept chain=input comment="Allow LAN DNS queries - TCP" connection-state=new dst-port=53 in-interface-list=AllLan protocol=tcp
> add action=accept chain=input comment="Allow LAN DNS queries-UDP" connection-state=new dst-port=53 in-interface-list=AllLan protocol=udp
> add action=accept chain=input comment="Allow ICMP" protocol=icmp
>
> add action=accept chain=input comment="Allow winbox to connect from listed IP" dst-address=192.168.88.1 src-address-list=allowed_to_router
> add action=drop chain=input comment="Drop all else!"
>
> There is no need to put in your WinBox number or IP address in the config. I note that you have two different interfaces that you want to be able to access the router from.
> Typically I also include a management interface as well, but it may not apply in your case.
> Simply need:
> add action=accept chain=input comment="Allow admin access" src-address-list=allowed_to_router

Okay, I made changes to this and tested. It worked. Thanks bro!

> (2) Forward chain: only one rule here I don't get... with the block-all rule at the end this should not be required... what is it for?
> add action=drop chain=forward comment="Block certain Mac" src-mac-address=4C:17:44:51:B0:6A

Now this is a strange one. I found in the DHCP server leases an IP that doesn't have a hostname; I checked on the internet, and the best way to block his/her internet is based on the MAC. Also, I've removed his MAC from the leases list.
Please kindly advise if you have another, better way to block the rogue MAC address, besides changing the WLAN password.

> (3) NAT: only one rule that needs removal... you have it covered in the forward chain!!
> /ip firewall nat
> add action=dst-nat chain=dstnat comment="to see cctv from wireless network" dst-port=8000 in-interface=4wireless protocol=tcp to-addresses=192.168.10.254 to-ports=8000
>
> Already have:
> add action=accept chain=forward comment="Allow Wireless to DVR" dst-address=192.168.10.254 in-interface=4wireless out-interface=5DVR

Strange as it sounds, if the NAT rule is enabled I can access it from 4wireless; if I disable this rule I can't access my DVR.
Please don't touch this rule, yah... not sure why; as long as it works, wife doesn't bitch in my ears. hehehehe

> (4) I need to see the full config to figure out anything else that may be getting in the way!!

Attached full export: [attachment: review2021072401.rsc]
 
dermawas
Frequent Visitor, Topic Author
Posts: 64
Joined: Sat Jul 10, 2021 7:06 am

Re: Accessing router in different ethernet port

Fri Jul 23, 2021 8:52 pm

anav wrote:
> Found something, LOL.
> The dangers of adding extra rules (bloatware) in firewall rules.
> Check this out.
>
> ip address
> add address=192.168.88.1/24 interface=2local network=192.168.88.0
> add address=192.168.8.1/24 interface=3wired network=192.168.8.0
> add address=192.168.0.1/24 interface=4wireless network=192.168.0.0
> add address=192.168.10.1/24 interface=5DVR network=192.168.10.0
>
> ip firewall address-list
> add address=192.168.0.250 list=allowed_to_router
> add address=192.168.88.2-192.168.88.254 comment="Service Port IP" list=allowed_to_router
> add address=192.168.8.100 list=allowed_to_router
> add address=0.0.0.0/8 comment=RFC6890 list=not_in_internet
> add address=172.16.0.0/12 comment=RFC6890 list=not_in_internet
> add address=192.168.0.0/16 comment=RFC6890 list=not_in_internet
> add address=10.0.0.0/8 comment=RFC6890 list=not_in_internet
> add address=169.254.0.0/16 comment=RFC6890 list=not_in_internet
> add address=127.0.0.0/8 comment=RFC6890 list=not_in_internet
> add address=224.0.0.0/4 comment=Multicast list=not_in_internet
> add address=198.18.0.0/15 comment=RFC6890 list=not_in_internet
> add address=192.0.0.0/24 comment=RFC6890 list=not_in_internet
> add address=192.0.2.0/24 comment=RFC6890 list=not_in_internet
> add address=198.51.100.0/24 comment=RFC6890 list=not_in_internet
> add address=203.0.113.0/24 comment=RFC6890 list=not_in_internet
> add address=100.64.0.0/10 comment=RFC6890 list=not_in_internet
> add address=240.0.0.0/4 comment=RFC6890 list=not_in_internet
> add address=192.88.99.0/24 comment="6to4 relay Anycast [RFC 3068]" list=\

OK, I'm getting a big headache with these not_in_internet rules. If I remove this, it will affect rule #14, comment="Block just before allowing internet traffic from your subnets".

Any advice? I am a very, very newbie in these FW rules, so I don't have any basic understanding of the firewall rules; appreciate it if you can point it out.
 
dermawas
Frequent Visitor, Topic Author
Posts: 64
Joined: Sat Jul 10, 2021 7:06 am

Re: Accessing router in different ethernet port

Fri Jul 23, 2021 8:55 pm

anav wrote:
> Found something, LOL.
> The dangers of adding extra rules (bloatware) in firewall rules.
> Check this out.
> [snip: same ip address and address-list excerpt as quoted in the previous post]
My export of the latest config: [attachment: review2021072401.rsc]
 
anav
Forum Guru
Posts: 18958
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Accessing router in different ethernet port

Fri Jul 23, 2021 10:00 pm

Hi there, thanks for being patient!
No, you don't have to change any rules; I would just disable that particular subnet from the list.

I will take a look at the config.

(1) I don't know why you have these rules, as my ARP knowledge and use is next to nil... so they clearly serve a purpose, but it's beyond me. So I am asking only to learn on this comment.
/ip arp
add address=192.168.10.254 comment="DVR Hikvision" interface=5DVR mac-address=54:C4:15:D7:71:50
add address=192.168.0.249 comment="UBLOCK8 Android TV BOX" interface=4wireless mac-address=C0:45:F1:CA:65:91
add address=192.168.0.2 interface=4wireless published=yes

(2) add address=192.168.0.0/16 comment=RFC6890 list=not_in_internet
As stated, disable or remove this from your not_in_internet list.

(3) The first firewall rule in the config can be moved down with the other forward chain rules. Suggest putting it before the drop-all-else rule.
add action=accept chain=forward comment="Allow connection to routers" dst-address-list=WirelesRouterList src-address=192.168.8.100

(4) Change Tools > MAC Server > MAC WinBox Server from service port only to ALL.
Why, you ask? Because you wish to access WinBox from more than just the service port subnet!!!

Suggest with that you try changing neighbor discovery from service port to ALL as well.
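The three things anav has pointed at in this thread (in his first reply, an address list plus a forward-chain accept; in the input chain, the dst-address=192.168.88.1 pin on the WinBox rule; and here, the 192.168.0.0/16 entry in not_in_internet together with where the "Allow connection to routers" rule sits) are all first-match questions, so they can be checked on paper before touching the router. The Python below is an added example for this page, not code from the thread or from MikroTik: it parses /ip firewall filter export lines exactly as pasted above and walks them the way RouterOS does (first terminating match wins; fasttrack-connection falls through). The address lists are copied from the export; the AllLan/WAN interface-list membership and the two packets are assumptions, since the thread shows neither /interface list member nor a capture.

```python
"""Added example, not code from the thread or from MikroTik: a first-match simulator for
RouterOS '/ip firewall filter' export lines, to check rule order and address lists on paper."""
import ipaddress
import shlex

# Address lists copied from the thread's export (not_in_internet trimmed to RFC1918).
# AllLan/WAN membership is an ASSUMPTION: the thread never shows '/interface list member'.
ADDRESS_LISTS = {
    "allowed_to_router": ["192.168.0.250", "192.168.88.2-192.168.88.254", "192.168.8.100"],
    "not_in_internet": ["10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16"],
    "WirelesRouterList": ["192.168.0.7", "192.168.0.5", "192.168.0.2"],
}
INTERFACE_LISTS = {"AllLan": {"2local", "3wired", "4wireless", "5DVR"}, "WAN": {"1modem"}}

def in_spec(ip, spec):
    """True if ip lies in a RouterOS address spec: single host, a-b range, or CIDR."""
    ip = ipaddress.ip_address(ip)
    if "-" in spec:
        lo, hi = (ipaddress.ip_address(s) for s in spec.split("-", 1))
        return lo <= ip <= hi
    return ip in ipaddress.ip_network(spec, strict=False)

# Matchers take (rule value, packet, address lists). Packet keys: chain, src, dst, state, in_if, out_if.
MATCHERS = {
    "chain": lambda v, p, L: p["chain"] == v,
    "src-address": lambda v, p, L: in_spec(p["src"], v),
    "dst-address": lambda v, p, L: in_spec(p["dst"], v),
    "src-address-list": lambda v, p, L: any(in_spec(p["src"], s) for s in L.get(v, ())),
    "dst-address-list": lambda v, p, L: any(in_spec(p["dst"], s) for s in L.get(v, ())),
    "connection-state": lambda v, p, L: p.get("state") in v.split(","),
    "in-interface-list": lambda v, p, L: p.get("in_if") in INTERFACE_LISTS.get(v, ()),
    "out-interface-list": lambda v, p, L: p.get("out_if") in INTERFACE_LISTS.get(v, ()),
}
NON_MATCHERS, TERMINATING = {"action", "comment", "log", "log-prefix"}, {"accept", "drop", "reject"}

def parse_rules(export_text):
    """Turn 'add key=value ...' export lines into dicts; shlex handles the quoted comments."""
    rules = []
    for line in export_text.strip().splitlines():
        parts = shlex.split(line)
        if parts and parts[0] == "add":
            rules.append(dict(p.split("=", 1) for p in parts[1:]))
    return rules

def verdict(rules, packet, lists=ADDRESS_LISTS):
    """(action, comment) of the first terminating rule the packet matches; fasttrack-connection falls
    through as on RouterOS. An unmodelled matcher raises instead of silently matching everything."""
    for r in rules:
        unknown = set(r) - set(MATCHERS) - NON_MATCHERS
        if unknown:
            raise ValueError(f"matcher not modelled: {unknown}")
        if all(MATCHERS[k](v, packet, lists) for k, v in r.items() if k in MATCHERS):
            if r["action"] in TERMINATING:
                return r["action"], r.get("comment", "")
    return "accept", "(no terminating rule matched: RouterOS default)"

# Input chain as pasted in the thread, reduced to the rules that decide this case.
INPUT_BEFORE = """
add action=accept chain=input comment="Established, Related" connection-state=established,related
add action=accept chain=input comment="Allow winbox to connect from listed IP" dst-address=192.168.88.1 src-address-list=allowed_to_router
add action=drop chain=input comment="Drop all else!"
"""
# anav's fix: no dst-address pin, so the listed hosts reach the router on any of its addresses.
INPUT_AFTER = INPUT_BEFORE.replace('comment="Allow winbox to connect from listed IP" dst-address=192.168.88.1', 'comment="Allow admin access"')

FORWARD_AS_PASTED = """
add action=fasttrack-connection chain=forward comment=FastTrack connection-state=established,related
add action=accept chain=forward comment="Established, Related" connection-state=established,related
add action=accept chain=forward comment="Allow connection to routers" dst-address-list=WirelesRouterList src-address=192.168.8.100
add action=drop chain=forward comment="Block Just before allowing internet traffic from your subnets" dst-address-list=not_in_internet in-interface-list=AllLan
add action=accept chain=forward comment="Allow internet traffic" in-interface-list=AllLan out-interface-list=WAN
add action=drop chain=forward comment="Drop all else!"
"""

def move_after(rules, comment, after_comment):
    """Copy of rules with the `comment` rule placed right after the `after_comment` rule."""
    r = next(x for x in rules if x.get("comment") == comment)
    rest = [x for x in rules if x is not r]
    i = next(i for i, x in enumerate(rest) if x.get("comment") == after_comment)
    return rest[:i + 1] + [r] + rest[i + 1:]

# Constructed packets (assumed, not captured): PC on 3wired -> router's 3wired address, PC -> AP on 4wireless.
PC_TO_ROUTER = dict(chain="input", src="192.168.8.100", dst="192.168.8.1", state="new", in_if="3wired")
PC_TO_AP = dict(chain="forward", src="192.168.8.100", dst="192.168.0.7", state="new", in_if="3wired", out_if="4wireless")

def scenarios():
    """Verdicts for the cases discussed in the thread, keyed by a short label."""
    fwd = parse_rules(FORWARD_AS_PASTED)
    fwd_low = move_after(fwd, "Allow connection to routers", "Allow internet traffic")
    trimmed = {**ADDRESS_LISTS, "not_in_internet": ["10.0.0.0/8", "172.16.0.0/12"]}  # anav's point (2)
    return {
        "winbox before fix": verdict(parse_rules(INPUT_BEFORE), PC_TO_ROUTER),
        "winbox after fix": verdict(parse_rules(INPUT_AFTER), PC_TO_ROUTER),
        "AP, allow rule above not_in_internet drop": verdict(fwd, PC_TO_AP),
        "AP, allow rule below not_in_internet drop": verdict(fwd_low, PC_TO_AP),
        "AP, allow rule below, 192.168.0.0/16 removed": verdict(fwd_low, PC_TO_AP, trimmed),
    }

if __name__ == "__main__": print(*scenarios().items(), sep="\n")
```

scenarios() returns one verdict per case: the WinBox packet to 192.168.8.1 hits "Drop all else!" until the dst-address pin is removed, and the PC-to-AP packet is dropped by the not_in_internet rule only when the accept rule sits below it, which is why anav's points (2) and (3) belong together. Two caveats: matchers the toy does not model (src-mac-address, dst-port, connection-nat-state) raise instead of matching, so extend MATCHERS before feeding it the whole export; and an accept verdict is only the router's decision. If the verdict is accept and the AP still does not answer, check the AP's own default gateway and netmask next, because the reply has to find its way back to 192.168.8.0/24.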
 
dermawas
Frequent Visitor, Topic Author
Posts: 64
Joined: Sat Jul 10, 2021 7:06 am

Re: Accessing router in different ethernet port

Sat Jul 24, 2021 4:34 am

anav wrote:
> Hi there, thanks for being patient!
> No, you don't have to change any rules; I would just disable that particular subnet from the list.
>
> I will take a look at the config.
>
> (1) I don't know why you have these rules, as my ARP knowledge and use is next to nil... so they clearly serve a purpose, but it's beyond me. So I am asking only to learn on this comment.
> /ip arp
> add address=192.168.10.254 comment="DVR Hikvision" interface=5DVR mac-address=54:C4:15:D7:71:50
> add address=192.168.0.249 comment="UBLOCK8 Android TV BOX" interface=4wireless mac-address=C0:45:F1:CA:65:91
> add address=192.168.0.2 interface=4wireless published=yes

Hi Anav,
Thanks for looking.
I think I played around with this the first time setting up MikroTik to have a static rule, but it doesn't serve anything.

> (2) add address=192.168.0.0/16 comment=RFC6890 list=not_in_internet
> As stated, disable or remove this from your not_in_internet list.

I've tried disabling it. Still doesn't work. Something seems to be blocking, or there is no rule to allow it?

> (3) The first firewall rule in the config can be moved down with the other forward chain rules. Suggest putting it before the drop-all-else rule.
> add action=accept chain=forward comment="Allow connection to routers" dst-address-list=WirelesRouterList src-address=192.168.8.100

Already moved it down, but still cannot connect to the router.

> (4) Change Tools > MAC Server > MAC WinBox Server from service port only to ALL.
> Why, you ask? Because you wish to access WinBox from more than just the service port subnet!!!
>
> Suggest with that you try changing neighbor discovery from service port to ALL as well.

The WinBox MAC server is OK already; I didn't change it to service port. Correct me if I'm wrong, but this is for connecting using the MAC address, so I think it should be safe if it's from the service port only (port 2)?
To access the router using WinBox from PC & laptop & mobiles, the firewall rule is the input-type "Allow admin access", and this is OK already; only certain IPs can connect.

By the way, the 3 wireless routers are assigned static IPs. Does this cause why I can't connect?
