Cartman
Member Candidate
Topic Author
Posts: 106
Joined: Wed Jul 23, 2008 6:14 pm

No Winbox access

Mon Nov 15, 2021 3:49 pm

Hello World !!!

I have a site with 26 MikroTiks. The main router brings up a VPN to one of my servers to grant access
to the devices. So far, so good.
I can access all devices behind the router using Winbox. The only device that is not reachable is
the router itself.
On other sites I do not have these problems.
RouterOS is 6.48.5 LT.
The main router replies to ping.

In short, devices 10.128.36.2-10.128.36.42 can be winboxed,
10.128.36.1 cannot.

Firewall rules are mainly dynamic, with the following additional entries:
/ip firewall nat
add action=passthrough chain=unused-hs-chain comment="place hotspot rules here" disabled=yes
add action=masquerade chain=srcnat comment="defconf: masquerade" ipsec-policy=out,none out-interface-list=WAN
and
/ip firewall filter
add action=passthrough chain=unused-hs-chain comment="place hotspot rules here" disabled=yes
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment="defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=drop chain=input comment="defconf: drop all not coming from LAN" in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related
add action=accept chain=forward comment="defconf: accept established,related, untracked" connection-state=established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
add action=drop chain=forward comment="defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat connection-state=new in-interface-list=WAN
The filters seem to be generated by the hotspot setup.

Thanks for your help.
 
2frogs
Forum Veteran
Posts: 713
Joined: Fri Dec 03, 2010 1:38 am

Re: No Winbox access [SOLVED]

Mon Nov 15, 2021 6:16 pm

This is most likely the issue:
add action=drop chain=input comment="defconf: drop all not coming from LAN" in-interface-list=!LAN
You need to add your VPN interface to the LAN interface list, or add an accept rule for the VPN above it.
 
anav
Forum Guru
Posts: 19107
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: No Winbox access

Mon Nov 15, 2021 7:51 pm

Ding ding winner winner frogs legs for dinner!! ;-)
 
Cartman
Member Candidate
Topic Author
Posts: 106
Joined: Wed Jul 23, 2008 6:14 pm

Re: No Winbox access

Fri Nov 19, 2021 4:56 pm

Thanks a lot, 2frogs.

For now I have disabled the firewall rule you mentioned.
I was sure I had already tried that, but it has been a long day...
 
2frogs
Forum Veteran
Posts: 713
Joined: Fri Dec 03, 2010 1:38 am

Re: No Winbox access

Fri Nov 19, 2021 6:15 pm

You shouldn't disable that rule; when it is disabled, it allows access from the internet. You should add the VPN to the LAN list, or add an accept rule for the VPN.
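Both fixes 2frogs proposes (in the [SOLVED] reply and again above), written out as an added example that is not part of the thread. The commands assume the tunnel that terminates on the main router is an interface named vpn-mgmt, which is a hypothetical name (use /interface print to find the real one); the rule comments are the defconf names visible in the original post. Either variant alone is enough, and both leave the defconf "drop all not coming from LAN" rule enabled so the router's Winbox port stays unreachable from the WAN.

```routeros
# Added example, not from the thread. "vpn-mgmt" is an assumed interface name.

# Variant 1: treat the management VPN as LAN for the input chain.
# The defconf rule matches in-interface-list=!LAN, so list membership is all it needs.
/interface list member
add list=LAN interface=vpn-mgmt comment="management VPN counts as LAN"
# If the tunnel is a dynamic PPP interface (L2TP, PPTP, SSTP client/server), put the
# list on its PPP profile instead, because the interface itself comes and goes:
# /ppp profile set [find name=default] interface-list=LAN

# Variant 2 (narrower): accept only Winbox (TCP/8291) and SSH (TCP/22) from the
# tunnel, placed before the defconf drop so it is evaluated first.
/ip firewall filter
add chain=input action=accept protocol=tcp dst-port=8291,22 in-interface=vpn-mgmt \
    comment="accept Winbox/SSH from management VPN" \
    place-before=[find chain=input comment="defconf: drop all not coming from LAN"]

# Checks: the drop rule must still be enabled (no "X" flag) and must print after
# the accept rule; the tunnel must appear in the LAN list if Variant 1 was used.
/ip firewall filter print where chain=input
/interface list member print where list=LAN
```

Variant 1 is what the thread recommends and is the right choice when everything reachable through the tunnel should be treated as a trusted management network; Variant 2 is preferable when the tunnel also carries untrusted traffic, because it opens only the two management ports rather than every service on the router.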
