Community discussions

MikroTik App
 
cavaughan
newbie
Topic Author
Posts: 30
Joined: Sun Nov 09, 2014 8:01 pm
Location: Seattle, WA, USA
Contact:

Remote access

Tue Dec 23, 2014 12:25 am

So, I've set up a new router, enabled ssh and set up PPTP, but am unable to access any the router remotely.

I have one other older router that works perfectly and looking at it the only main difference I see is that although it is also set up as a Router, there is a Bridge interface on it. Out of curiosity I added a Bridge interface to my newer router to see if that would make it work, but it actually ended up blocking all traffic, so I removed it.

To be honest, I just don't see what having a Bridge interface should matter. I can ssh to the device within the LAN, just on the external interface. What am I doing wrong?

Thanks!
Curtis Vaughan
Seattle, USA
 
error216216
newbie
Posts: 25
Joined: Fri May 23, 2014 2:07 am

Re: Remote access

Tue Dec 23, 2014 12:50 am

Have you opened the 22 port in the firewall for all interfaces?
/ip firewall filter
add chain=input comment=SSH dst-port=22 protocol=tcp place-before=0
For PPTP:
add chain=input comment="pptp port input chain" dst-port=1723 protocol=tcp place-before=0
add chain=input comment="pptp auth protocol" protocol=gre place-before=0
These rules open these ports on all interfaces, use with caution if secutity is a sensible issue, use them to test and then if it works add more parameters to rules for security like: "src-address-list=" or "in-interface="
 
cavaughan
newbie
Topic Author
Posts: 30
Joined: Sun Nov 09, 2014 8:01 pm
Location: Seattle, WA, USA
Contact:

Re: Remote access

Tue Dec 23, 2014 1:06 am

Well, let's put it this was for ssh, it is listed in the Filter as:

0 ;;; SSH for secure shell
chain=input action=accept protocol=tcp dst-port=222 log=no
log-prefix=""

So wouldn't that be the same?
BTW, note that the 0 means it's in position ZERO.
Curtis Vaughan
Seattle, USA
 
CR24
Frequent Visitor
Frequent Visitor
Posts: 57
Joined: Wed Dec 04, 2013 10:32 pm

Re: Remote access

Tue Dec 23, 2014 4:30 am

Just wanted to verify, on your last post you said the filter rule was setup for port 222, is that a typo or is your rule setup for port 222?

Make sure the ssh IP service is enabled.
/ip service
set ssh disabled=no
Last edited by CR24 on Tue Dec 23, 2014 5:33 am, edited 1 time in total.
 
cavaughan
newbie
Topic Author
Posts: 30
Joined: Sun Nov 09, 2014 8:01 pm
Location: Seattle, WA, USA
Contact:

Re: Remote access

Tue Dec 23, 2014 5:21 am

222 was on purpose to help in preventing hacks on port 22.
Curtis Vaughan
Seattle, USA
 
CR24
Frequent Visitor
Frequent Visitor
Posts: 57
Joined: Wed Dec 04, 2013 10:32 pm

Re: Remote access

Tue Dec 23, 2014 5:55 am

Do an export so we can see your settings.

/ip service export

/ip firewall filter export

/interface export

/interface bridge export
 
cavaughan
newbie
Topic Author
Posts: 30
Joined: Sun Nov 09, 2014 8:01 pm
Location: Seattle, WA, USA
Contact:

Re: Remote access

Wed Dec 24, 2014 8:06 am

So here are the results of the commands you asked me to provide. A few things I have removed for privacy reasons:

/ip service export
/ip service
set telnet disabled=yes
set ftp disabled=yes
set ssh port=222
set api disabled=yes

/ip firewall filter export
/ip firewall filter
add chain=input protocol=tcp src-port=222
add chain=input comment="default configuration" protocol=icmp
add chain=input comment="allow winbox" dst-port=8291 protocol=tcp
add chain=input comment="allow api" dst-port=8728 protocol=tcp
add chain=input comment="default configuration" connection-state=established
add chain=input comment="default configuration" connection-state=related
add action=drop chain=input comment="default configuration" in-interface=ether1-gateway
add chain=forward comment="default configuration" connection-state=established
add chain=forward comment="default configuration" connection-state=related
add action=drop chain=forward comment="default configuration" connection-state=invalid
add chain=input comment="acccept lan" in-interface=!ether1-gateway src-address=192.168.1.0/24
add action=drop chain=input comment="drop everything else"

/interface export
/interface bridge
add auto-mac=no name=Bridge
/interface ethernet
set [ find default-name=ether1 ] name=ether1-gateway
set [ find default-name=ether2 ] name=ether2-master-local
set [ find default-name=ether3 ] disabled=yes master-port=ether2-master-local name=ether3-slave-local
set [ find default-name=ether4 ] disabled=yes master-port=ether2-master-local name=ether4-slave-local
set [ find default-name=ether5 ] disabled=yes master-port=ether2-master-local name=ether5-slave-local
/interface pptp-server
add name=pptp-in1 user=********

/interface bridge export
/interface bridge
add auto-mac=no name=Bridge
Curtis Vaughan
Seattle, USA
 
cavaughan
newbie
Topic Author
Posts: 30
Joined: Sun Nov 09, 2014 8:01 pm
Location: Seattle, WA, USA
Contact:

Re: Remote access

Thu Dec 25, 2014 2:13 am

Ok, figured it out.
I just needed to change src-port to dst-port and everything worked!
Curtis Vaughan
Seattle, USA

Who is online

Users browsing this forum: No registered users and 42 guests