gimmepatiencequickly
newbie
Topic Author
Posts: 35
Joined: Wed Jan 30, 2008 1:00 pm
Location: South Africa

I cannot access AP router, I set the wrong firewall filter

Wed Jan 28, 2009 2:45 pm

Hello to all you Gurus

I am such an idiot, partly due to lack of concentration...
I set a firewall filter
/ip firewall filter
add chain=input protocol=!icmp action=reject reject-with=icmp-admin-prohibited
So in essence, I cannot log in to my router unless I use an ICMP protocol to do it. Anybody know how I can get that right?
I suppose I could use the serial console, but that means bringing the AP down (no internet for my clients for a day, plus the time it takes to figure out how to use the console)

Also added
/ip firewall filter
add chain=input protocol=!tcp action=reject reject-with=icmp-admin-prohibited
to my personal CPE, which means I will not connect to it via ICMP protocol or TCP protocol

How will I connect to it now?
Defer not till tomorrow to be wise, tomorrow's sun to thee may never
rise.
--- William Congreve
 
SurferTim
Forum Guru
Posts: 4637
Joined: Mon Jan 07, 2008 10:31 pm
Location: Miramar Beach, Florida

Re: I cannot access AP router, I set the wrong firewall filter

Wed Jan 28, 2009 3:06 pm

Greetings! This is what I do. The order is important!
I curse loudly.
I kick something inanimate real hard.
I curse again when the searing pain rushes up my leg.
I get my laptop and null-modem cable, then limp to my car.
The rest I bet you can guess. :(
Last edited by SurferTim on Wed Jan 28, 2009 3:16 pm, edited 1 time in total.
 
normis
MikroTik Support
Posts: 24609
Joined: Fri May 28, 2004 11:04 am
Location: Riga, Latvia

Re: I cannot access AP router, I set the wrong firewall filter

Wed Jan 28, 2009 3:08 pm

Also, you can try with Winbox by using a MAC address instead of IP
 
SurferTim
Forum Guru
Posts: 4637
Joined: Mon Jan 07, 2008 10:31 pm
Location: Miramar Beach, Florida

Re: I cannot access AP router, I set the wrong firewall filter

Wed Jan 28, 2009 3:17 pm

Hi normis,

If I am close enough to mac-telnet in, it usually does not involve the first three things I do.

Hi gimmepatiencequickly,

I put this as the first line in my /ip firewall filter
add chain=input action=accept src-address=xxx.xxx.xxx.xxx/yy place-before=0

xxx.xxx.xxx.xxx/yy is your public net ip set for the computers you access it from remotely. Do not remove it. EVER!
 
gimmepatiencequickly
newbie
Topic Author
Posts: 35
Joined: Wed Jan 30, 2008 1:00 pm
Location: South Africa

Re: I cannot access AP router, I set the wrong firewall filter

Wed Jan 28, 2009 3:47 pm

SurferTim
Thank you for adding a bit of humour to my demise, it slightly brightened up my day... I am going to add the filter to the firewall you suggested.
All my computers in my office will need "AP admin rights"
So this is what I am gonna do ---
/ip firewall filter
add chain=input action=accept src-address=10.254.0.0/16 place-before=0
AND NEVER REMOVE IT!!!


Normis
I used MAC telnet... I had a relay AP connected to the "broken" AP and MAC telnetted into it. I did try Winbox telnet, but the problem was that if I click on the "ellipsis" button (...) on Winbox... it did not show up on the list. I tried MAC anyway, by using my relay system and it worked. Now to try it on the CPE I 'broke'

Thank you guys, it worked
Defer not till tomorrow to be wise, tomorrow's sun to thee may never
rise.
--- William Congreve
 
janisk
MikroTik Support
Posts: 6283
Joined: Tue Feb 14, 2006 9:46 am
Location: Riga, Latvia

Re: I cannot access AP router, I set the wrong firewall filter

Wed Jan 28, 2009 4:18 pm

If you are not close enough, try to make an EoIP tunnel to a router connected to the blocked router and then try MAC-Winbox, or try to mac-telnet right away from your closest router on the same Ethernet.

Edit:

Also, chain - accept me is a good idea...

You do not have to put that rule first, but make sure that the jump there is right after accept established, which usually is the first rule in the firewall to optimise firewall performance, as 95% of packets are related/established.
 
SurferTim
Forum Guru
Posts: 4637
Joined: Mon Jan 07, 2008 10:31 pm
Location: Miramar Beach, Florida

Re: I cannot access AP router, I set the wrong firewall filter

Wed Jan 28, 2009 5:30 pm

Hi janisk,

I lied. It is not my first rule. Did you notice I did not say "don't move it"? When they know what is what there, they can move it. All my input chain rules are before this one because I have been doing this a while. It is really just before the
chain=input action=drop
rule. :wink:
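
An added example, not part of any post in the thread: a small Python model of first-match evaluation on the input chain, showing why the quoted reject rules lock out management traffic and why the accept rule has to sit before them. The sample packets and all names in the code are constructed for illustration; the model assumes the first matching rule decides and a packet that matches no rule is accepted.

```python
import ipaddress

def rule_matches(rule, packet):
    """True if every matcher present on the rule matches the packet."""
    proto = rule.get("protocol")
    if proto is not None:
        negated = proto.startswith("!")          # "!icmp" = anything but ICMP
        if (packet["protocol"] == proto.lstrip("!")) == negated:
            return False
    src = rule.get("src-address")
    if src is not None:
        if ipaddress.ip_address(packet["src"]) not in ipaddress.ip_network(src):
            return False
    return True

def evaluate_input(rules, packet):
    """First matching rule decides; a packet that matches nothing is accepted."""
    for rule in rules:
        if rule_matches(rule, packet):
            return rule["action"]
    return "accept"

# Rule sets transcribed from the thread (reject-with omitted, it does not affect matching).
AP_BROKEN = [{"protocol": "!icmp", "action": "reject"}]
CPE_BROKEN = AP_BROKEN + [{"protocol": "!tcp", "action": "reject"}]
MGMT_ACCEPT = {"src-address": "10.254.0.0/16", "action": "accept"}
AP_FIXED = [MGMT_ACCEPT] + AP_BROKEN            # place-before=0
AP_MISORDERED = AP_BROKEN + [MGMT_ACCEPT]       # accept added after the reject

# Constructed sample packets: an office host and an outside host (documentation range).
PACKETS = {
    "office-tcp": {"protocol": "tcp", "src": "10.254.3.7"},
    "office-ping": {"protocol": "icmp", "src": "10.254.3.7"},
    "outside-tcp": {"protocol": "tcp", "src": "192.0.2.50"},
}

def verdicts(rules):
    """Verdict for each sample packet under the given ordered rule list."""
    return {name: evaluate_input(rules, pkt) for name, pkt in PACKETS.items()}

if __name__ == "__main__":
    for label, rules in [("AP broken", AP_BROKEN), ("CPE broken", CPE_BROKEN),
                         ("AP fixed", AP_FIXED), ("AP misordered", AP_MISORDERED)]:
        print(label, verdicts(rules))
```

The misordered case is the one to watch for when recovering: appending the accept rule after the reject leaves TCP management from the office still rejected.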
