vanille
Frequent Visitor
Topic Author
Posts: 53
Joined: Thu Apr 29, 2021 4:48 pm

Let MikroTik support access my router

Fri Jun 04, 2021 6:12 pm

Good morning
Since I am experiencing problems that support cannot solve, they would like to access my device from their labs.
My firewall (the one that protects my LAN from the Internet) is already forwarding some ports to expose some local services to the public network, and of course it works.
I then added a rule to forward the SSH and Winbox ports of the MikroTik IP address to my public IP address.
Unfortunately, from the public Internet I cannot reach either the SSH or the Winbox service on the MikroTik, while at the same time I can do that on other Linux servers.

What am I missing?

I was assuming that there is no need to work on the firewall side of the MikroTik since flows come from the LAN side of my router...

Thanks
 
anav
Forum Guru
Posts: 18959
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Let MikroTik support access my router

Fri Jun 04, 2021 6:57 pm

You do not want to expose the Winbox port to the internet.
What you do is allow a VPN tunnel to your router for configuration purposes and not much else.
I wouldn't use SSH either.

My recommendation is that you set up TeamViewer on a PC with access to the router.
Then you run a TeamViewer session where the support person enters the router (after you enter the username and password)
and mucks about.

When they are done, you should change your Winbox port and username and password, for example.
That's what I would do...
 
vanille
Frequent Visitor
Topic Author
Posts: 53
Joined: Thu Apr 29, 2021 4:48 pm

Re: Let MikroTik support access my router

Sat Jun 05, 2021 12:23 am

Understood and I agree with you.
This is the way we usually do it with other vendors (Cisco, EMC, Dell, etc.), but I posted the question since it is what support asked me to do.

I will suggest TeamViewer to them.

Anyway... why does forwarding the MikroTik IP\port to the public interface of my ISP router not work, while the same works for the VPN, the Linux servers and even for Windows RDP?

Thanks
 
jonah1810
Frequent Visitor
Posts: 98
Joined: Tue Jul 30, 2019 10:19 pm

Re: Let MikroTik support access my router

Sat Jun 05, 2021 10:46 pm

If I'm understanding correctly, this is your edge router, the one directly facing the internet?
Well, you don't need to port forward for access to the router. You only port forward for access past the router, i.e. traffic that needs to be forwarded.

Just create a filter rule with action accept in chain input at the top of your filter, and that would allow anybody from outside who knows the password to connect to your MikroTik. If support told you what IP/subnet they will be reaching you from, you could specify the src address as well, so it isn't a complete gaping hole in your security, only a smaller one.

But as others have pointed out this is a pretty massive security hole and going the vpn route like anav suggested is by far the superior option.
 
anav
Forum Guru
Posts: 18959
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Let MikroTik support access my router

Sat Jun 05, 2021 10:57 pm

Do not open up your router on the internet without any protection: port knocking or VPN, etc.
As stated just use TeamViewer temporarily.
 
vanille
Frequent Visitor
Topic Author
Posts: 53
Joined: Thu Apr 29, 2021 4:48 pm

Re: Let MikroTik support access my router

Mon Jun 07, 2021 1:02 am

If I'm understanding correctly, this is your edge router, the one directly facing the internet?
Well... maybe I was not so clear... let me try to explain better.
I have an edge router\firewall where my ISP brings the fiber, and this is not the MikroTik. Of course I have a public, static IP address there, resolved by the public DNS, etc.
Then inside the LAN, so behind the above edge router\firewall, there is a lot of stuff and also the MikroTik router.
If I forward the local IP\port of any Linux box I have in my LAN to the public IP by creating the proper forwarding rule on the edge router, then I can connect from any remote location by opening an SSH session to the public IP\port I forwarded, and it works. I never do that for security reasons and best practice, but if I do it... IT WORKS.

So the question is: why, when forwarding the MikroTik IP\port 22 to the public IP, CAN I NOT connect?
I supposed that the connection the MikroTik sees is something coming from the LAN, let me say the inside interface of the edge router, so in my mind there was no need to configure anything on the MikroTik...
Anyway, I defined a rule in the MikroTik firewall, at the very top of the list, to accept everything coming from the ethernet interface... but nothing... it does not work.
 
rextended
Forum Guru
Posts: 11967
Joined: Tue Feb 25, 2014 12:49 pm
Location: Italy

Re: Let MikroTik support access my router

Mon Jun 07, 2021 1:32 am

What shitty question is "why .. I can not connect?" if you don't let us check how you have configured the device?
When one goes to the doctor, who says: "Doctor, I feel pain, but it's up to you to guess where"?

All this world of words, but not one line of exported config.
 
anav
Forum Guru
Posts: 18959
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Let MikroTik support access my router

Mon Jun 07, 2021 4:29 am

Agreed this post has gone to the toilet.
Do whatever you want, but it sounds like it has nothing to do with MT, I gave you my opinion on what to use.
 
vanille
Frequent Visitor
Topic Author
Posts: 53
Joined: Thu Apr 29, 2021 4:48 pm

Re: Let MikroTik support access my router

Wed Jun 09, 2021 11:28 am

What shitty question is "why .. I can not connect?"
I agree with you when you say that the doctor cannot guess your problems, but maybe, in my opinion, just asking me to provide the config would be much more polite.
Agreed this post has gone to the toilet.
Do whatever you want, but it sounds like it has nothing to do with MT, I gave you my opinion on what to use.
I also agree with you regarding how to let MikroTik support connect to my device, and I proposed this way to them. I am waiting for feedback (usually I wait 3 days to have someone get back to me).

Then, regardless of the question, I am anyway curious to understand why forwarding the MikroTik local IP\port to the public interface of my edge router does not work.
Is it something stupid? I agree... yes... it is something stupid, and I am curious to understand why, since it works with every other device in my network.

By the way, the config of the MikroTik is DEFAULT. I just set the IP address to manage it according to my local address space.
 
rextended
Forum Guru
Posts: 11967
Joined: Tue Feb 25, 2014 12:49 pm
Location: Italy

Re: Let MikroTik support access my router

Wed Jun 09, 2021 11:52 am

All this world of words, and you still have not written any useful information, like the RouterOS version, the RouterBOARD model, and the export of the configuration.
 
vanille
Frequent Visitor
Topic Author
Posts: 53
Joined: Thu Apr 29, 2021 4:48 pm

Re: Let MikroTik support access my router

Fri Jun 11, 2021 3:10 pm

Model R11e-LTE6
Installed Version 6.48.3
Config attached. WiFi and DHCP disabled

Support said: no way to go with TeamViewer... we need you to forward ports on your edge router.
# jun/11/2021 02:52:49 by RouterOS 6.48.3
# software id = GLNI-ZTMK
#
# model = RBwAPGR-5HacD2HnD
# serial number = C0080CAFB101
/interface bridge
add admin-mac=48:8F:5A:F7:40:F9 auto-mac=no comment=defconf name=bridge
/interface lte
set [ find ] allow-roaming=no name=lte1 network-mode=lte
/interface wireless
set [ find default-name=wlan1 ] band=2ghz-b/g/n channel-width=20/40mhz-XX \
    country=italy distance=indoors frequency=auto installation=indoor mode=\
    ap-bridge ssid=MikroTik-F740FB tx-power=40 tx-power-mode=all-rates-fixed \
    wireless-protocol=802.11
set [ find default-name=wlan2 ] band=5ghz-a/n/ac channel-width=\
    20/40/80mhz-XXXX country=italy distance=indoors frequency=auto \
    installation=indoor mode=ap-bridge ssid=MikroTik-F740FC \
    wireless-protocol=802.11
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface lte apn
set [ find default=yes ] apn=mobile.vodafone.it
/interface wireless security-profiles
set [ find default=yes ] authentication-types=wpa-psk,wpa2-psk mode=\
    dynamic-keys supplicant-identity=MikroTik wpa-pre-shared-key=********** \
    wpa2-pre-shared-key=**********
/ip pool
add name=dhcp ranges=192.168.88.10-192.168.88.254
/ip dhcp-server
add address-pool=dhcp interface=bridge name=defconf
/interface bridge port
add bridge=bridge comment=defconf interface=ether1
add bridge=bridge comment=defconf interface=ether2
add bridge=bridge comment=defconf interface=wlan1
add bridge=bridge comment=defconf interface=wlan2
/ip neighbor discovery-settings
set discover-interface-list=LAN
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=lte1 list=WAN
/ip address
add address=192.168.1.234/24 comment=defconf interface=bridge network=\
    192.168.1.0
/ip dhcp-server network
add address=192.168.1.0/24 comment=defconf gateway=192.168.1.234 netmask=24
/ip dns
set allow-remote-requests=yes
/ip dns static
add address=192.168.1.234 comment=defconf name=router.lan
/ip firewall filter
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment=\
    "defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
    in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
    ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
    ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
    connection-state=established,related
add action=accept chain=forward comment=\
    "defconf: accept established,related, untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
add action=drop chain=forward comment=\
    "defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
    connection-state=new in-interface-list=WAN
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" \
    ipsec-policy=out,none out-interface-list=WAN
/system clock
set time-zone-name=Europe/Rome
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN
/tool sms
set port=lte1 receive-enabled=yes
 
rextended
Forum Guru
Posts: 11967
Joined: Tue Feb 25, 2014 12:49 pm
Location: Italy

Re: Let MikroTik support access my router

Fri Jun 11, 2021 3:15 pm

>skip<
Last edited by rextended on Fri Jun 11, 2021 4:31 pm, edited 1 time in total.
 
vanille
Frequent Visitor
Topic Author
Posts: 53
Joined: Thu Apr 29, 2021 4:48 pm

Re: Let MikroTik support access my router

Fri Jun 11, 2021 3:34 pm

R11e-LTE6 KIT, board + modem revision v028

Asti
 
rextended
Forum Guru
Posts: 11967
Joined: Tue Feb 25, 2014 12:49 pm
Location: Italy

Re: Let MikroTik support access my router

Fri Jun 11, 2021 4:03 pm

>skip<
Last edited by rextended on Fri Jun 11, 2021 4:31 pm, edited 1 time in total.
 
vanille
Frequent Visitor
Topic Author
Posts: 53
Joined: Thu Apr 29, 2021 4:48 pm

Re: Let MikroTik support access my router

Fri Jun 11, 2021 4:15 pm

I am responding in English, if you agree.

The MikroTik device works but not without problems.
Support provided me a beta version of the modem firmware, which I installed. This version fixed the error I was experiencing, but... unfortunately I have a new one.
Support needs to connect to the device by the LAN interface to run some tools to collect the required data.
So they are asking me to forward the SSH port of the MikroTik to the public IP on the external interface of my edge router, to let them connect to what they need.

If I test this forward with any Linux box, it works, but not with the MikroTik, so the issue is on the MikroTik... something is blocking, or there is a config to fix in the MikroTik routing...
 
rextended
Forum Guru
Posts: 11967
Joined: Tue Feb 25, 2014 12:49 pm
Location: Italy

Re: Let MikroTik support access my router

Fri Jun 11, 2021 4:31 pm

...

I suggest you, after backing up anything important, paste this in the terminal; this DELETES EVERYTHING:
/sys rou up
y
/sys pack
enable dhcp,security
disable hotspot,mpls,routing
/file remove [find where name!="flash"]
/system reset-configuration skip-backup=yes keep-users=no no-defaults=yes
After that, open the router with Winbox,
add a dhcp-client to ether1,
set a strong password for SSH and Winbox,
do not touch anything else.
Test from remote whether you can reach the device,
then contact MikroTik support.

done.
 
vanille
Frequent Visitor
Topic Author
Posts: 53
Joined: Thu Apr 29, 2021 4:48 pm

Re: Let MikroTik support access my router

Fri Jun 11, 2021 7:14 pm

Done!
Adding the DHCP client, now it works. I can reach the MikroTik from remote with port forwarding, so MikroTik support can connect to it, as they requested.
But...
now all the traffic destined to the public Internet goes through the edge router.
Let me explain better: from inside the MikroTik, if I ping or traceroute a public host I can reach it, but the traffic does not go through the LTE interface; it is routed to the edge router.
 
rextended
Forum Guru
Posts: 11967
Joined: Tue Feb 25, 2014 12:49 pm
Location: Italy

Re: Let MikroTik support access my router

Fri Jun 11, 2021 7:23 pm

Done!
Adding the DHCP client, now it works. I can reach the MikroTik from remote with port forwarding, so MikroTik support can connect to it, as they requested.
But...
now all the traffic destined to the public Internet goes through the edge router.
Let me explain better: from inside the MikroTik, if I ping or traceroute a public host I can reach it, but the traffic does not go through the LTE interface; it is routed to the edge router.
Obviously, Vodafone does not give you a directly available public IP; it is shared.
MikroTik staff can come in only from the edge router.
 
vanille
Frequent Visitor
Topic Author
Posts: 53
Joined: Thu Apr 29, 2021 4:48 pm

Re: Let MikroTik support access my router

Fri Jun 11, 2021 7:44 pm

Of course I know, but in my mind this would be the setup:
the MikroTik works as a consumer mobile hotspot providing access to the public internet,
but the LAN interface is connected to my LAN and works as a console port just to manage the MikroTik;
moreover, the IP the MikroTik has on the LAN is forwarded by the edge router to its external IP to let support connect to it.
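The thread never spells out why the forwarded SSH session failed against the posted default configuration while the same forward to a Linux box worked, although the fix that worked (a dhcp-client on ether1) points at the cause. The Python model below is an added example, not code from the thread, from vanille or from MikroTik: it reproduces the route lookup for the reply packets in the three states the thread describes (default config, a LAN Linux box, after the dhcp-client) and in a fourth, assumed, source-based policy-routing arrangement that matches the split asked for in the last post (LTE for clients, the LAN side only for management). Only 192.168.1.234 comes from the posted export; the edge router address, the support engineer's address, the client address and the public host are constructed, and the assumption that the LTE APN installed the only default route in the original config is marked in the code.

```python
import ipaddress
from dataclasses import dataclass, field
from typing import Dict, List, Optional


@dataclass
class Route:
    prefix: str          # destination prefix, e.g. "0.0.0.0/0"
    via: str             # next-hop address or egress interface name
    table: str = "main"  # routing table the route belongs to


@dataclass
class Rule:
    table: str                        # table consulted when the selectors match
    src_prefix: Optional[str] = None  # None = any source address
    dst_prefix: Optional[str] = None  # None = any destination address


def _matches(prefix: Optional[str], ip: ipaddress.IPv4Address) -> bool:
    return prefix is None or ip in ipaddress.ip_network(prefix)


@dataclass
class Router:
    routes: List[Route]
    rules: List[Rule] = field(default_factory=list)

    def lookup(self, dst: str, src: str) -> Optional[str]:
        """Egress for one packet: the first matching rule selects the table,
        then longest-prefix match inside that table, falling back to 'main'
        when the selected table has no matching route."""
        dst_ip = ipaddress.ip_address(dst)
        src_ip = ipaddress.ip_address(src)
        table = "main"
        for rule in self.rules:
            if _matches(rule.src_prefix, src_ip) and _matches(rule.dst_prefix, dst_ip):
                table = rule.table
                break
        tables = ["main"] if table == "main" else [table, "main"]
        for tbl in tables:
            candidates = [r for r in self.routes
                          if r.table == tbl and dst_ip in ipaddress.ip_network(r.prefix)]
            if candidates:
                return max(candidates,
                           key=lambda r: ipaddress.ip_network(r.prefix).prefixlen).via
        return None


MT_MGMT_IP = "192.168.1.234"      # MikroTik bridge address (from the posted export)
EDGE_LAN_GW = "192.168.1.1"       # constructed: edge router's inside address
SUPPORT_CLIENT = "203.0.113.10"   # constructed: support engineer's public address
HOTSPOT_CLIENT = "192.168.88.10"  # constructed: a client behind the MikroTik
PUBLIC_HOST = "198.51.100.5"      # constructed: some Internet host


def return_path_ok(router: Router) -> bool:
    """The edge router DNATs the inbound SYN to MT_MGMT_IP:22 and holds the NAT
    state. The handshake only completes if the MikroTik sends its SYN-ACK back
    through that same edge router, i.e. its next hop is EDGE_LAN_GW."""
    return router.lookup(dst=SUPPORT_CLIENT, src=MT_MGMT_IP) == EDGE_LAN_GW


def scenarios() -> Dict[str, Router]:
    connected = Route("192.168.1.0/24", "bridge")  # connected route, from the export
    return {
        # Posted config: no gateway on the LAN side. Assumed: the LTE APN installs
        # the only default route (RouterOS add-default-route=yes by default).
        "mikrotik_before": Router([connected, Route("0.0.0.0/0", "lte1")]),
        # A LAN Linux box: its default gateway is the edge router.
        "linux_box": Router([connected, Route("0.0.0.0/0", EDGE_LAN_GW)]),
        # After the dhcp-client on ether1: default via the edge router, as observed.
        "mikrotik_after_dhcp": Router([connected, Route("0.0.0.0/0", EDGE_LAN_GW)]),
        # Assumed alternative (not from the thread): keep the LTE default in 'main';
        # a 'mgmt' table, used only for traffic sourced from the management address,
        # points at the edge router. The first rule keeps LAN-destined traffic in
        # 'main' so directly connected hosts stay reachable.
        "mikrotik_policy": Router(
            [connected,
             Route("0.0.0.0/0", "lte1"),
             Route("0.0.0.0/0", EDGE_LAN_GW, table="mgmt")],
            rules=[Rule(table="main", dst_prefix="192.168.1.0/24"),
                   Rule(table="mgmt", src_prefix=MT_MGMT_IP + "/32")],
        ),
    }


def evaluate() -> Dict[str, object]:
    s = scenarios()
    return {
        "before_ssh_reachable": return_path_ok(s["mikrotik_before"]),          # False
        "before_reply_egress": s["mikrotik_before"].lookup(SUPPORT_CLIENT, MT_MGMT_IP),  # "lte1"
        "linux_ssh_reachable": return_path_ok(s["linux_box"]),                 # True
        "after_dhcp_ssh_reachable": return_path_ok(s["mikrotik_after_dhcp"]),  # True
        # The regression vanille reported: client traffic now exits via the edge router.
        "after_dhcp_client_egress": s["mikrotik_after_dhcp"].lookup(PUBLIC_HOST, HOTSPOT_CLIENT),
        "policy_ssh_reachable": return_path_ok(s["mikrotik_policy"]),          # True
        "policy_client_egress": s["mikrotik_policy"].lookup(PUBLIC_HOST, HOTSPOT_CLIENT),  # "lte1"
    }


if __name__ == "__main__":
    for name, value in evaluate().items():
        print(f"{name}: {value}")
```

The posted export's input chain accepts anything arriving on the bridge (the bridge is in the LAN interface list, and only `in-interface-list=!LAN` is dropped), so the filter was not what blocked the session: the DNATed SYN reached the MikroTik, but its SYN-ACK to the support engineer's public address followed the only default route, out of lte1 behind the carrier's shared address, and never passed back through the edge router holding the NAT state. A LAN Linux box replies via its default gateway, the edge router, which is why the same forward works there. Adding the dhcp-client gave the MikroTik a default via the edge router, completing the handshake but also moving every client's Internet traffic onto that path, which is exactly the next post's complaint. The policy scenario is the general alternative: keep the LTE default in the main table and steer only replies sourced from the management address toward the edge router. RouterOS implements this kind of source-based selection with route rules and routing marks; the concrete commands are outside what the thread shows.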
