mikrotikschwall
newbie
Topic Author
Posts: 28
Joined: Wed Sep 18, 2013 12:05 am

Accessing RB SXT 5nD r2 webfig from internet

Mon Sep 23, 2013 9:26 pm

Hi,
I would appreciate your help. Reading all related forum posts did not help.

I am using SXT Lite 5 as CPE client. My wireless AP is a Fritzbox 7390 with cable internet access. Now I want to access SXT Webfig from internet. Port forwarding in Fritzbox from 81 to 80 and to SXT Lite 5 CPE seems ok.

Now invoking Webfig from internet using DDNS (i.e., http://xxx.mydyndsprovider.org:81) and it takes some seconds and sometimes Webfig Login screen appears. After inputting username and password browser idles endlessly and nothing happens. Any further access to Webfig does not show login screen again. ????
Any other Webaccess, for example to other devices in LAN behind CPE, is ok. Access to CPE from LAN is ok as well.

My config:

ros code

[admin@MikroTik] /ip firewall filter> print 
Flags: X - disabled, I - invalid, D - dynamic 
0 ;;; default configuration 
   chain=input action=accept protocol=icmp 
1 ;;; default configuration 
   chain=input action=accept connection-state=established 
2 ;;; default configuration 
   chain=input action=accept connection-state=related 
3 ;;; to allow remote access from internet to WebFig (my new rule) 
   chain=input action=accept protocol=tcp in-interface=wlan1-gateway dst-port=80 
4 ;;; default configuration 
   chain=input action=drop in-interface=wlan1-gateway 
5 ;;; default configuration 
   chain=forward action=accept connection-state=established 
6 ;;; default configuration 
   chain=forward action=accept connection-state=related


Do you have any clue what could be the reason? Sorry, I am a real beginner.

Just for reference, here is my whole config:

ros code

# sep/23/2013 20:16:34 by RouterOS 6.4
# software id = MPIF-N75C
#
/interface wireless
set 0 band=5ghz-a/n channel-width=20/40mhz-ht-above disabled=no frequency=\
    5300 ht-rxchains=0,1 ht-txchains=0,1 l2mtu=2290 mode=station-pseudobridge \
    name=wlan1-gateway ssid="FRITZ!Box Fon WLAN 7390"
/interface ethernet
set 0 name=ether1-local
/interface wireless security-profiles
set [ find default=yes ] authentication-types=wpa-psk,wpa2-psk group-ciphers=\
    tkip,aes-ccm mode=dynamic-keys unicast-ciphers=tkip,aes-ccm \
    wpa-pre-shared-key=123412341234 wpa2-pre-shared-key=123412341234
/ip hotspot user profile
set [ find default=yes ] idle-timeout=none keepalive-timeout=2m \
    mac-cookie-timeout=3d
/ip pool
add name=default-dhcp ranges=192.168.88.10-192.168.88.254
/ip dhcp-server
add address-pool=default-dhcp disabled=no interface=ether1-local name=default
/queue simple
add dst=185.12.240.0/24 limit-at=32k/0 max-limit=64k/0 name=GuaranteeWoTEU2 \
    priority=7/7 total-priority=7
add dst=213.252.131.0/24 limit-at=32k/0 max-limit=64k/0 name=GuaranteeWoTEU1 \
    priority=7/7 total-priority=7
add burst-limit=22k/0 burst-threshold=20k/0 burst-time=1s/0s dst=\
    198.211.96.60/32 limit-at=10k/0 max-limit=20k/0 name=\
    LimitTrafficRelayAerofs queue=default/default-small
/system logging action
set 0 memory-lines=100
set 1 disk-lines-per-file=100
/ip address
add address=192.168.88.1/24 comment="default configuration" interface=\
    ether1-local network=192.168.88.0
/ip dhcp-client
add comment="default configuration" dhcp-options=hostname,clientid disabled=\
    no interface=wlan1-gateway
/ip dhcp-server network
add address=192.168.88.0/24 comment="default configuration" dns-server=\
    192.168.88.1 gateway=192.168.88.1
/ip dns
set allow-remote-requests=yes
/ip dns static
add address=192.168.88.1 name=router
/ip firewall filter
add chain=input comment="default configuration" protocol=icmp
add chain=input comment="default configuration" connection-state=established
add chain=input comment="default configuration" connection-state=related
add chain=input comment=\
    "to allow remote access from internet to WebFig (my new rule)" dst-port=80 \
    in-interface=wlan1-gateway protocol=tcp
add action=drop chain=input comment="default configuration" in-interface=\
    wlan1-gateway
add chain=forward comment="default configuration" connection-state=\
    established
add chain=forward comment="default configuration" connection-state=related
add action=drop chain=forward comment="default configuration" \
    connection-state=invalid
add chain=input dst-port=80 protocol=tcp
add chain=input
/ip firewall nat
add action=masquerade chain=srcnat comment="default configuration" \
    out-interface=wlan1-gateway to-addresses=0.0.0.0
add action=dst-nat chain=dstnat dst-port=4040 protocol=tcp to-addresses=\
    192.168.88.254 to-ports=4040
add action=dst-nat chain=dstnat dst-port=4041 protocol=tcp to-addresses=\
    192.168.88.254 to-ports=4041
add action=dst-nat chain=dstnat dst-port=5000 protocol=tcp to-addresses=\
    192.168.88.254 to-ports=5000
add action=dst-nat chain=dstnat dst-port=5001 protocol=tcp to-addresses=\
    192.168.88.254 to-ports=5001
add action=dst-nat chain=dstnat dst-port=8080 protocol=tcp to-addresses=\
    192.168.88.254 to-ports=8080
/ip proxy
set parent-proxy=0.0.0.0
/ip service
set api disabled=yes
/system clock manual
set time-zone=+02:00
/system leds
set 0 interface=wlan1-gateway
/system logging
add topics=wireless,debug
/system ntp client
set enabled=yes mode=unicast primary-ntp=130.149.220.70 secondary-ntp=\
    46.4.37.135
/system watchdog
set watchdog-timer=no
/tool graphing interface
add interface=wlan1-gateway
/tool graphing queue
add
/tool graphing resource
add
/tool mac-server
set [ find default=yes ] disabled=yes
add interface=ether1-local
/tool mac-server mac-winbox
set [ find default=yes ] disabled=yes
add interface=ether1-local

Thanks in advance.
 
mikrotikschwall
newbie
Topic Author
Posts: 28
Joined: Wed Sep 18, 2013 12:05 am

Re: Accessing RB SXT 5nD r2 webfig from internet

Thu Sep 26, 2013 9:42 am

Hi,

I tried again but found no solution. Using the configuration above I was able to access the login page, but after "Login" nothing happens. The browser idles endlessly.

I assume that the order of entries in the configuration for "/ip firewall filter" (shown below) is not correct. As far as I understand the logic behind the different rules, my first access to Webfig login page is handled by code below comment line 3 and communication is now "established" so any further access is handled by code below comment lines 1 or 2. That is, I should see Webfig Quick set page. But nothing happens. As external web access to devices attached to CPE is possible my further setup should be ok. I think I am missing the most important point.

Do you have any hint? It must be easy :(

ros code

[admin@MikroTik] /ip firewall filter> print
Flags: X - disabled, I - invalid, D - dynamic
0 ;;; default configuration
   chain=input action=accept protocol=icmp
1 ;;; default configuration
   chain=input action=accept connection-state=established
2 ;;; default configuration
   chain=input action=accept connection-state=related
3 ;;; to allow remote access from internet to WebFig (my new rule)
   chain=input action=accept protocol=tcp in-interface=wlan1-gateway dst-port=80
 
CyberT
Member Candidate
Posts: 172
Joined: Tue Feb 01, 2011 1:39 pm
Location: Johannesburg, South Africa

Re: Accessing RB SXT 5nD r2 webfig from internet

Fri Sep 27, 2013 11:05 am

Well, the easiest would be for you to disable all firewall and NAT rules on the TIK for now for testing. You don't have to have anything really set up on the tik under the firewall for you to access it; the only requirement from a clean config would be

1) Ip with route to internet

You can also try to move the service on the tik to :81 and then forward in 81 and use 81. I have seen in some cases that it works best to forward the port in and use the same port; some web sites have code in them that asks the browser to open streams to the port specified in the config. I would not be able to tell you if this is the case with webfig, but try moving the www to :81 and then forward :81 in and see if you are able to load the internals.

I have tested it from my external tik to my other on internal and mine works fine. This is the rule on my external:
/ip firewall nat
add action=masquerade chain=srcnat disabled=no out-interface="10mb afrihost"
add action=netmap chain=dstnat disabled=no dst-port=81 protocol=tcp to-addresses=172.16.99.3 to-ports=\
    80
Internal needed no changes, and just has a 0/0 to the one heading out.
 
janisk
MikroTik Support
Posts: 6263
Joined: Tue Feb 14, 2006 9:46 am
Location: Riga, Latvia

Re: Accessing RB SXT 5nD r2 webfig from internet

Fri Sep 27, 2013 11:09 am

Firewall looks fine, since you are accepting related and established connections and then you are accepting connection over TCP protocol destined to your outer interface and port 80.

What browser are you using and what RouterOS version are you using? Have you tried using latest RouterOS and updating the browser?

Also, is your ISP allowing use of port 80? Trying to set it above port# 1024 might be the solution.
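
The rule order discussed in the posts above, as an added example that is not part of the original thread: a simplified first-match evaluator run over the five input-chain rules from the topic author's `print` output. The packets are constructed, and matching is exact string comparison only (an assumption; real RouterOS matchers also accept ranges and lists).

```python
# Input-chain rules 0-4, copied from the `/ip firewall filter print` in the thread.
RULES_TEXT = """\
chain=input action=accept protocol=icmp
chain=input action=accept connection-state=established
chain=input action=accept connection-state=related
chain=input action=accept protocol=tcp in-interface=wlan1-gateway dst-port=80
chain=input action=drop in-interface=wlan1-gateway
"""


def parse_rules(text):
    """Turn each 'key=value key=value' line into a dict of matchers plus action."""
    return [dict(field.split("=", 1) for field in line.split())
            for line in text.splitlines() if line.strip()]


def first_match(rules, packet):
    """Return (rule_number, action) for the first rule whose matchers all equal
    the packet's fields; rules are tried top to bottom and the first hit wins."""
    for number, rule in enumerate(rules):
        matchers = {k: v for k, v in rule.items() if k != "action"}
        if all(packet.get(k) == v for k, v in matchers.items()):
            return number, rule["action"]
    return None, "accept"  # a built-in chain accepts what no rule matched


RULES = parse_rules(RULES_TEXT)

# Constructed packets (not captured traffic).
SYN = {"chain": "input", "protocol": "tcp", "in-interface": "wlan1-gateway",
       "dst-port": "80", "connection-state": "new"}
FOLLOW_UP = {**SYN, "connection-state": "established"}
PORT_81 = {**SYN, "dst-port": "81"}            # www service moved to 81, rule 3 unchanged
LAN = {**SYN, "in-interface": "ether1-local"}  # same request from the LAN side

if __name__ == "__main__":
    for name, pkt in [("new :80 on wlan1-gateway", SYN),
                      ("established :80", FOLLOW_UP),
                      ("new :81 on wlan1-gateway", PORT_81),
                      ("new :80 on ether1-local", LAN)]:
        print(f"{name:28} -> rule {first_match(RULES, pkt)}")
```

With this rule set, the first packet of a WebFig connection is accepted by rule 3 and later packets by rule 1. A new connection to port 81 on `wlan1-gateway` falls through to the drop in rule 4 unless the `dst-port` in rule 3 is changed along with the service port.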
 
mikrotikschwall
newbie
Topic Author
Posts: 28
Joined: Wed Sep 18, 2013 12:05 am

Re: Accessing RB SXT 5nD r2 webfig from internet

Fri Sep 27, 2013 1:52 pm

Thank you very much for your comments, CyberT and janisk. It is really frustrating that I am not able to achieve external access which was easy with all other routers I used previously. Now, with your comments, I have a little hope.

@CyberT: I will try your suggestions this evening. In fact, I am already using port 81 from my external PC, that is www.mydydnsprovider.org:81. In my Fritzbox I am forwarding port 81 to port 80 at Mikrotik to allow external web access using port 80 to Fritzbox AND port 80 to Mikrotik. I already tried at Fritzbox to forward incoming port 81 to 81 at Mikrotik and realized a port forwarding from 81 to 80 in Mikrotik. But this was not successful. Maybe this was a fault in my configuration.
Anyway, I will disable firewall and NAT this evening and try your proposals. In which menu can I switch to port 81 for standard/internal Webfig access?

@janisk: I tested external access with most actual Firefox browser v23.0.1 and v6.4 RouterOS. I will test this evening with Chrome browser as well. ISP allows port 80, as I can access Fritzbox configuration menu from public/external IP.

Thanks again for your support. I will report my findings ASAP.
 
mikrotikschwall
newbie
Topic Author
Posts: 28
Joined: Wed Sep 18, 2013 12:05 am

Re: Accessing RB SXT 5nD r2 webfig from internet

Sat Sep 28, 2013 9:03 pm

Until now, I tested the following:
             port81       port81        port81            port81    (changed service www to port 81) 
external pc     --------   Fritzbox 7390  ------------  Mikrotik SXT 5 lite
with public IP
E.g., on my external PC I tried yesterday evening http://www.mydyndnsprovider.org:81 with Firefox and Chrome (both most actual versions). Login window appears, after entering user and password both browsers are idling. This morning, I checked the external PC and it was still idling. However, I saw the next window with the message "loading" and the animation, but nothing else. Possibly, the access is just terribly slow so it took very long to reach the next window. It's a mystery.

Tomorrow, I will modify my firewall and NAT settings according to CyberT.
 
mikrotikschwall
newbie
Topic Author
Posts: 28
Joined: Wed Sep 18, 2013 12:05 am

Re: Accessing RB SXT 5nD r2 webfig from internet

Tue Oct 01, 2013 9:43 am

Now I disabled all firewall rules, I just allowed all incoming traffic.
Unfortunately, there is no difference. After login, browser idles. After waiting several minutes the next screen with animation "loading" appears but nothing else happens.

More details on my configuration are shown below. I also tried to access Mikrotik directly from Fritzbox (net ....201.x) using IP 192.168.201.30. Same result. Is there something else to configure to allow external (non-LAN) access?
--------------------------------------
|Internet, public IP
--------------------------------------
                         |
                         | (cable modem, 3 MBit upstream, 32 MBit downstream) 
                         |
--------------------------------------
|           WAN IP: 39.x.y.z 
|Fritzbox 7390, net 192.168.201.x
|            LAN IP: 192.168.201.1
--------------------------------------
                         |
                         | (WLAN)
                         |
--------------------------------------
|            WLAN IP 192.168.201.30 
|Mikrotik SXT 5 lite, net 192.168.88.x
|            LAN IP   192.168.88.1
--------------------------------------
                         |
                         | (Ethernet)
                         |
--------------------------------------
|            WAN1 IP 192.168.88.254
|TP Link Dual WAN Router, net 192.168.1.x 
|            LAN IP 192.168.1.1
--------------------------------------
                         |
                         | (Ethernet)
                         |
--------------------------------------
|            WAN IP 192.168.1.28
|Fritzbox2 7390, net 192.168.0.x
|             LAN IP 192.168.0.51
-------------------------------------- 
Thanks for your patience.
 
mikrotikschwall
newbie
Topic Author
Posts: 28
Joined: Wed Sep 18, 2013 12:05 am

Re: Accessing RB SXT 5nD r2 webfig from internet

Mon Oct 07, 2013 11:54 pm

Just FYI,

Today, I tried again external access from public IP after 5 days of absence and without any change in my configuration. I do not know why, but today I was successful.
Thanks for your help.
 
mikrotikschwall
newbie
Topic Author
Posts: 28
Joined: Wed Sep 18, 2013 12:05 am

Re: Accessing RB SXT 5nD r2 webfig from internet

Wed Oct 09, 2013 8:55 am

Unfortunately, I was wrong. Access from public IP is not possible yet.
:?:
