spavkov
newbie
Topic Author
Posts: 39
Joined: Mon Sep 06, 2004 11:23 am

How to access the Mikrotik with winbox from internet side?

Fri Nov 12, 2004 12:35 pm

Hi!

Can anyone tell me how I need to configure the MikroTik firewall so that I can use winbox to access it over the internet?

I use MikroTik 2.8.17!

I opened ports 8081 and 3986, but when I try to connect to the router
xxx.xxx.xxx.xxx:8081, winbox displays the message
''downloading plugins from xxx.xxx.xxx.xxx...''
and just waits for eternity :(

It looks like I need to open one more port so winbox can download plugins from the router, but I cannot figure out which one...

Any ideas?
 
edzix
Member
Posts: 333
Joined: Thu Jul 01, 2004 3:01 pm
Location: Latvia

Fri Nov 12, 2004 12:43 pm

make sure that www has 8081 port under '/ip service' and you can ping that router from the PC.

Edgars
 
spavkov
newbie
Topic Author
Posts: 39
Joined: Mon Sep 06, 2004 11:23 am

Fri Nov 12, 2004 1:31 pm

It's all like you said, but it still does not work...

I must tell you that I'm running a wireless hotspot on this router...

And my firewall input rules are just like the mikrotik-howto manual says:

/ip firewall rule input add protocol=tcp connection-state=established \
    comment="Allow established TCP connections"
/ip firewall rule input add protocol=tcp connection-state=related \
    comment="Allow related TCP connections"
/ip firewall rule input add protocol=udp comment="Allow UDP"
/ip firewall rule input add protocol=icmp comment="Allow ICMP Ping"
/ip firewall rule input add protocol=89 comment="Allow OSPF"
/ip firewall rule input add src-address=10.5.50.0/24 \
    comment="Allow access from our local network. Edit this!"
/ip firewall rule input add src-address=10.5.50.0/24 protocol=tcp dst-port=8080 \
    comment="This is web proxy service for our customers. Edit this!"
/ip firewall rule input add action=drop log=yes \
    comment="Log and drop everything else"

But before these rules I added rules to open ports 8081 and 3986...

And it still does not work...

I'm 99% sure that it's a problem in the firewall settings...

Please help....
 
edzix
Member
Posts: 333
Joined: Thu Jul 01, 2004 3:01 pm
Location: Latvia

Fri Nov 12, 2004 2:23 pm

What did the logs say about this?
Can you put a printout of the firewall input chain here?

Edgars
 
spavkov
newbie
Topic Author
Posts: 39
Joined: Mon Sep 06, 2004 11:23 am

Fri Nov 12, 2004 3:08 pm

Here are my input chain firewall rules:

x.x.x.x is the public address of my router
192.168.1.2 is my local web server
10.5.50.1 is my hotspot gateway

[slobo@Kula1] ip firewall rule input> print
Flags: X - disabled, I - invalid, D - dynamic
0 ;;; winbox from web #1
dst-address=x.x.x.x/32:8081 protocol=tcp action=accept log=yes

1 ;;; winbox from web #2
dst-address=x.x.x.x/32:3986 protocol=tcp action=accept log=yes

2 ;;; emule #1
in-interface=web dst-address=x.x.x.x/32:4662 protocol=tcp
action=accept

3 ;;; emule #2
src-address=10.5.50.0/24 dst-address=:4662 protocol=tcp action=accept

4 ;;; emule #3a
dst-address=x.x.x.x/32:4672 protocol=udp action=accept

5 ;;; emule #3b
src-address=10.5.50.0/24 dst-address=:4672 protocol=udp action=accept

6 ;;; emule #4
src-address=10.5.50.0/24 dst-address=:4661 protocol=tcp action=accept

7 ;;; emule #5
src-address=10.5.50.0/24 dst-address=:4665 protocol=tcp action=accept

8 src-address=192.168.1.0/24 dst-address=10.5.50.0/24 action=accept

9 src-address=10.5.50.0/24 dst-address=192.168.1.0/24 action=accept

10 in-interface=web dst-address=x.x.x.x/32:22 protocol=tcp
action=accept

11 ;;; account traffic from hotspot clients to hotspot servlet
in-interface=wlan1 dst-address=:80 protocol=tcp action=jump
jump-target=hotspot

12 ;;; accept requests for hotspot servlet
in-interface=wlan1 dst-address=:80 protocol=tcp action=accept

13 ;;; accept requests for local DHCP server
in-interface=wlan1 dst-address=:67 protocol=udp action=accept

14 ;;; limit access for unauthorized hotspot clients
in-interface=wlan1 action=jump jump-target=hotspot-temp

15 ;;; Allow established TCP connections
protocol=tcp connection-state=established action=accept

16 ;;; Allow related TCP connections
protocol=tcp connection-state=related action=accept

17 ;;; Allow UDP
protocol=udp action=accept

18 ;;; Allow ICMP Ping
protocol=icmp action=accept

19 ;;; Allow OSPF
protocol=ospf action=accept

20 ;;; Allow access from our local network. Edit this!
src-address=10.5.50.0/24 action=accept

21 ;;; This is web proxy service for our customers. Edit this!
src-address=10.5.50.0/24 dst-address=:8080 protocol=tcp action=accept

22 ;;; Log and drop everything else
action=drop log=yes

Any ideas?
 
edzix
Member
Posts: 333
Joined: Thu Jul 01, 2004 3:01 pm
Location: Latvia

Fri Nov 12, 2004 3:21 pm

Seems OK. What do you see under '/log pr ' when trying to access the router?

Edgars
 
spavkov
newbie
Topic Author
Posts: 39
Joined: Mon Sep 06, 2004 11:23 am

Fri Nov 12, 2004 3:33 pm

In the log it looks like this...

nov/12/2004 15:27:01 input->ACCEPT, in:web, out:(local), src-mac
00:e0:5c:46:08:15, prot TCP (ACK,PSH),
80.74.168.131:49525->x.x.x.x:8081, len 80
nov/12/2004 15:27:02 input->ACCEPT, in:web, out:(local), src-mac
00:e0:5c:46:08:15, prot TCP (ACK),
80.74.168.131:49525->x.x.x.x:8081, len 40

It seems that my packets from winbox pass the input chain but get lost somewhere else, or maybe the router cannot reply to winbox because of some forward rule or something???

Anyway, tnx for the effort, I appreciate it man...


Greets
Slobo
 
jarosoup
Long time Member
Posts: 596
Joined: Sun Aug 22, 2004 9:02 am

Fri Nov 12, 2004 4:07 pm

What does your output chain look like? Isn't that secure port 3987, not 3986?
 
spavkov
newbie
Topic Author
Posts: 39
Joined: Mon Sep 06, 2004 11:23 am

Fri Nov 12, 2004 9:25 pm

[slobo@Kula1] ip firewall rule output> print
Flags: X - disabled, I - invalid, D - dynamic
0 ;;; account traffic from hotspot servlet to hotspot clients
src-address=:80 out-interface=wlan1 protocol=tcp action=jump jump-target=hotspot

??? Any ideas... I'm clueless...
 
jarosoup
Long time Member
Posts: 596
Joined: Sun Aug 22, 2004 9:02 am

Sat Nov 13, 2004 8:00 pm

1 ;;; winbox from web #2
dst-address=x.x.x.x/32:3986 protocol=tcp action=accept log=yes

Try port 3987 instead of 3986.
 
spavkov
newbie
Topic Author
Posts: 39
Joined: Mon Sep 06, 2004 11:23 am

Mon Nov 15, 2004 3:45 pm

GREAT !!!!

Now it's working.... I only needed to open port 3987 !!!


Thanks a lot to everybody who posted replies, and especially to user JAROSOUP !!!

Thumbs up man!!!
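
Added example, not part of the thread: the last input rule shown above logs everything it drops, so the same log that showed the accepted 8081 packets can also name the port that was still being blocked. This Python script re-joins the wrapped log entries and lists flows that were never accepted; the sample log is constructed, and the DROP line format is an assumption modelled on the ACCEPT lines posted above.

```python
import re
from collections import Counter, defaultdict

# Constructed sample in the thread's log format. The DROP entry is an assumption
# modelled on the ACCEPT lines; addresses are documentation ranges.
SAMPLE_LOG = """\
nov/12/2004 15:27:01 input->ACCEPT, in:web, out:(local), src-mac
00:e0:5c:46:08:15, prot TCP (ACK,PSH),
198.51.100.7:49525->203.0.113.1:8081, len 80
nov/12/2004 15:27:02 input->ACCEPT, in:web, out:(local), src-mac
00:e0:5c:46:08:15, prot TCP (ACK),
198.51.100.7:49525->203.0.113.1:8081, len 40
nov/12/2004 15:27:02 input->DROP, in:web, out:(local), src-mac
00:e0:5c:46:08:15, prot TCP (SYN),
198.51.100.7:49526->203.0.113.1:3987, len 48
"""

ENTRY_START = re.compile(r"[a-z]{3}/\d{2}/\d{4} \d{2}:\d{2}:\d{2} ")
ENTRY = re.compile(
    r"(?P<chain>\w+)->(?P<action>\w+), in:(?P<iface>[^,]+),.*?"
    r"prot (?P<proto>\w+)(?: \([^)]*\))?,\s*"
    r"[\d.x]+:\d+->[\d.x]+:(?P<dport>\d+)"
)

def join_entries(text):
    """Re-join log entries that the terminal wrapped across several lines."""
    entries = []
    for line in filter(None, (l.strip() for l in text.splitlines())):
        if ENTRY_START.match(line) or not entries:
            entries.append(line)      # a timestamp starts a new entry
        else:
            entries[-1] += " " + line  # continuation of the previous entry
    return entries

def summarize(text):
    """Map (chain, proto, dst_port) to a Counter of firewall actions."""
    summary = defaultdict(Counter)
    for entry in join_entries(text):
        m = ENTRY.search(entry)
        if m:
            summary[m["chain"], m["proto"], int(m["dport"])][m["action"]] += 1
    return dict(summary)

def never_accepted(text):
    """Flows that only ever hit a drop rule: candidates for a missing accept."""
    return sorted(k for k, acts in summarize(text).items() if "ACCEPT" not in acts)

if __name__ == "__main__":
    print(never_accepted(SAMPLE_LOG))
```
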
