lpjerry
just joined
Topic Author
Posts: 3
Joined: Sat Dec 26, 2020 2:39 am

Cannot access RB4011 outside of bridge interface

Mon Oct 03, 2022 8:56 pm

Dear Forum,

So the other day, when I was playing with my RB4011, I managed to disable my bridge1 interface and lock myself out of my router.
Luckily, I was able to dial in via VPN and solve the issue.

After this incident I decided to follow the suggestions found in this forum and created an ethernet interface (eth6-emerg) outside my bridge.
However, after connecting this interface to my computer, I cannot access the router via Winbox or SSH; it says wrong username/password, which is clearly not true.
(The user/pass is saved in Winbox.)

I left out the firewall settings on purpose because I already tried disabling all of them, but still cannot connect to router.

Could you please tell me what I'm missing?
Many thanks,

Cheers,
Gerhard

Here is my config:
# oct/03/2022 19:20:30 by RouterOS 7.5
# model = RB4011iGS+
/interface bridge
add igmp-snooping=yes name=bridge1 priority=0x1000
/interface ethernet
set [ find default-name=sfp-sfpplus1 ] l2mtu=1592 name=SFP+ rx-flow-control=\
    auto tx-flow-control=auto
set [ find default-name=ether1 ] name=WAN rx-flow-control=auto \
    tx-flow-control=auto
set [ find default-name=ether2 ] disabled=yes
set [ find default-name=ether3 ] disabled=yes
set [ find default-name=ether4 ] disabled=yes
set [ find default-name=ether5 ] disabled=yes
set [ find default-name=ether6 ] name=ether6-emerg
set [ find default-name=ether7 ] disabled=yes
set [ find default-name=ether8 ] disabled=yes
set [ find default-name=ether9 ] rx-flow-control=auto tx-flow-control=auto
set [ find default-name=ether10 ] poe-out=off rx-flow-control=auto \
    tx-flow-control=auto

set WAN disabled=no
set ether2 disabled=no
set ether3 disabled=no
set ether4 disabled=no
set SFP+ disabled=no
/interface vlan
add interface=bridge1 name=vlan20 vlan-id=20
add interface=bridge1 name=vlan107 vlan-id=107
/interface bonding
add mode=802.3ad name="US-24 LACP" slaves=ether9,ether10
/interface list
add exclude=dynamic name=discover
add exclude=dynamic include=all name=internet

set [ find default=yes ] ip-type=ipv4 use-network-apn=no
set [ find default=yes ] supplicant-identity=MikroTik
/ip pool
add name=LAN_pool ranges=10.0.0.50-10.0.0.250
add name=vlan107_pool ranges=10.0.107.50-10.0.107.98
add name=vlan20_pool ranges=10.0.20.50-10.0.20.100
add name=emerg_pool ranges=10.10.10.2-10.10.10.10
/ip dhcp-server
add address-pool=LAN_pool interface=bridge1 lease-time=6h name="LAN dhcp"
add address-pool=vlan107_pool interface=vlan107 lease-time=6h name="IoT dhcp"
add address-pool=vlan20_pool interface=vlan20 lease-time=6h name="Cam dhcp"
add address-pool=emerg_pool interface=ether6-emerg lease-time=1h name=\
    "Emergency DHCP"

/interface bridge port
add bridge=bridge1 fast-leave=yes ingress-filtering=no interface=SFP+
add bridge=bridge1 fast-leave=yes ingress-filtering=no interface="US-24 LACP"
/ip neighbor discovery-settings
set discover-interface-list=none

/ip address
add address=10.0.0.1/24 comment=LAN interface=bridge1 network=10.0.0.0
add address=10.0.107.1/24 comment=IoT interface=vlan107 network=10.0.107.0
add address=10.0.20.1/24 comment=Cameras interface=vlan20 network=10.0.20.0
add address=10.10.10.1/28 comment="Emergecy access" interface=ether6-emerg \
    network=10.10.10.0

/ip firewall filter
/ip firewall service-port
set ftp disabled=yes
set tftp disabled=yes
set irc disabled=yes
set h323 disabled=yes
set sip disabled=yes
set pptp disabled=yes
set udplite disabled=yes
set dccp disabled=yes
set sctp disabled=yes

/ip service
set telnet disabled=yes
set ftp disabled=yes
set www disabled=yes
set ssh address=10.0.0.0/24,10.0.66.0/27,10.10.10.0/28
set api disabled=yes
set winbox address=10.0.0.0/24,10.0.66.0/27,10.10.10.0/28
set api-ssl disabled=yes
/ip ssh
set strong-crypto=yes
/system identity
set name=RB4011

/system routerboard settings
set auto-upgrade=yes
/system watchdog
set automatic-supout=no
/tool mac-server
set allowed-interface-list=none
/tool mac-server mac-winbox
set allowed-interface-list=none
/tool mac-server ping
set enabled=no
 
mkx
Forum Guru
Posts: 11439
Joined: Thu Mar 03, 2016 10:23 pm

Re: Cannot access RB4011 outside of bridge interface

Mon Oct 03, 2022 9:54 pm

I don't really know why the device is rejecting your password used via SSH or Winbox. Is it acting the same way when connecting via other subnets (LAN or VLAN 107 or VLAN 20)?

Personally I have high regard for MT's possibility to connect to device via MAC, which largely bypasses IP firewall (and thus one has to enable it after thorough consideration). Since you're dedicating a physical interface to out-of-band management, you may want to consider changing the following settings:

/tool mac-server
set allowed-interface-list=none
/tool mac-server mac-winbox
set allowed-interface-list=none
 
Sob
Forum Guru
Posts: 9119
Joined: Mon Apr 20, 2009 9:11 pm

Re: Cannot access RB4011 outside of bridge interface

Mon Oct 03, 2022 11:02 pm

Are there perhaps some dstnat rules that could be sending those connection attempts to another device?
 
anav
Forum Guru
Posts: 19107
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Cannot access RB4011 outside of bridge interface

Tue Oct 04, 2022 12:18 am

Do it the right way.........
viewtopic.php?t=181718
 
lpjerry
just joined
Topic Author
Posts: 3
Joined: Sat Dec 26, 2020 2:39 am

Re: Cannot access RB4011 outside of bridge interface  [SOLVED]

Tue Oct 04, 2022 10:48 pm

Thanks everyone!
So the problem was that I forgot to add the new subnet into System/Users/Allowed Address field!

Cheers,
Gerhard
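
Added example (not part of the thread and not MikroTik code): the fix above shows that a login is checked against both the /ip service address lists and the per-user allowed address, so this Python sketch parses export text and reports which layer would refuse a given source IP. The /user line and the user name "admin" are constructed, since the posted export omits that section, and an empty address list is treated as "any source".

```python
import ipaddress
import re

# Constructed sample. The /ip service lines are copied from the export above;
# the /user line is an assumption (the post omits /user) modelling the state
# before the fix, and "admin" is a placeholder user name.
EXPORT = """\
/ip service
set telnet disabled=yes
set ssh address=10.0.0.0/24,10.0.66.0/27,10.10.10.0/28
set winbox address=10.0.0.0/24,10.0.66.0/27,10.10.10.0/28
/user
add name=admin group=full address=10.0.0.0/24,10.0.66.0/27
"""
ADDR = re.compile(r'(?<![\w-])address=(\S+)')  # skips e.g. mac-address=

def parse_sections(export):
    """Map each menu path (e.g. '/ip service') to its command lines."""
    sections, path = {}, None
    for line in re.sub(r"\\\n\s*", "", export).splitlines():
        line = line.strip()
        if line.startswith("/"):
            path = line
            sections.setdefault(path, [])
        elif line and not line.startswith("#") and path:
            sections[path].append(line)
    return sections

def allowed(line, source):
    """True if the line's address= list admits source; no list means any."""
    m = ADDR.search(line)
    value = m.group(1).strip('"') if m else ""
    return not value or any(source in ipaddress.ip_network(n, strict=False)
                            for n in value.split(","))

def blocked_layers(export, source_ip):
    """Return the login layers that would refuse a client at source_ip."""
    src, out = ipaddress.ip_address(source_ip), []
    sections = parse_sections(export)
    for line in sections.get("/ip service", []):
        svc = re.match(r"set (\S+)", line)
        if svc and "disabled=yes" not in line and not allowed(line, src):
            out.append("service:" + svc.group(1))
    for line in sections.get("/user", []):
        name = re.search(r"\bname=(\S+)", line)
        if name and not allowed(line, src):
            out.append("user:" + name.group(1))
    return out

print(blocked_layers(EXPORT, "10.10.10.2"))  # ['user:admin']
```

A client on the emergency subnet passes the service lists but is refused at the user layer, which matches the symptom of a rejected login with correct credentials.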
 
lpjerry
just joined
Topic Author
Posts: 3
Joined: Sat Dec 26, 2020 2:39 am

Re: Cannot access RB4011 outside of bridge interface

Tue Oct 04, 2022 10:50 pm

Do it the right way.........
viewtopic.php?t=181718
Also, thank you anav for linking your post here! I found very helpful info and practices in it!
