cavaughan
newbie
Topic Author
Posts: 30
Joined: Sun Nov 09, 2014 8:01 pm
Location: Seattle, WA, USA
Contact:

Remote access

Tue Dec 23, 2014 12:22 am

So, I've set up a new router, enabled ssh and set up PPTP, but am unable to access the router remotely.

I have one other older router that works perfectly and looking at it the only main difference I see is that although it is also set up as a Router, there is a Bridge interface on it. Out of curiosity I added a Bridge interface to my newer router to see if that would make it work, but it actually ended up blocking all traffic, so I removed it.

To be honest, I just don't see what having a Bridge interface should matter. I can ssh to the device within the LAN, just on the external interface. What am I doing wrong?

Thanks!
Curtis Vaughan
Seattle, USA
 
jacekes
Member Candidate
Posts: 167
Joined: Tue Aug 30, 2011 9:34 am
Location: Poznan, Poland
Contact:

Re: Remote access

Tue Dec 23, 2014 9:29 am

Hi,

What kind of router is it?
I would check the firewall first; routers like RB75*, RB95* have a default firewall setup, which prevents access to the router from the WAN interface.

In IP->firewall->filter, the last rule in chain input is probably a drop rule for in-interface=ether1-gateway.
I propose inserting 2 new rules before the dropping one. The first rule should accept the GRE protocol, the second one should accept TCP connections on dst-port 1723.
After adding these 2 rules, you should be able to connect to the router via PPTP.

I was certified a long time ago:
MTCNA# 1210NA193 MTCTCE# 1210TCE056 MTCWE# 1211WE010

ONE NETWORK DIAGRAM IS WORTH MORE THAN A THOUSAND WORDS!
 
cavaughan
newbie
Topic Author
Posts: 30
Joined: Sun Nov 09, 2014 8:01 pm
Location: Seattle, WA, USA
Contact:

Re: Remote access

Wed Dec 24, 2014 8:12 pm

Yes, it is an RB750. So are you saying there is no way to access it remotely, or can the firewall rules be manipulated to bypass that default setting? Here is some information about my settings that might help:

So here are the results of the commands you asked me to provide. A few things I have removed for privacy reasons:

/ip service export
/ip service
set telnet disabled=yes
set ftp disabled=yes
set ssh port=222
set api disabled=yes

/ip firewall filter export
/ip firewall filter
add chain=input protocol=tcp src-port=222
add chain=input comment="default configuration" protocol=icmp
add chain=input comment="allow winbox" dst-port=8291 protocol=tcp
add chain=input comment="allow api" dst-port=8728 protocol=tcp
add chain=input comment="default configuration" connection-state=established
add chain=input comment="default configuration" connection-state=related
add action=drop chain=input comment="default configuration" in-interface=ether1-gateway
add chain=forward comment="default configuration" connection-state=established
add chain=forward comment="default configuration" connection-state=related
add action=drop chain=forward comment="default configuration" connection-state=invalid
add chain=input comment="acccept lan" in-interface=!ether1-gateway src-address=192.168.1.0/24
add action=drop chain=input comment="drop everything else"

/interface export
/interface bridge
add auto-mac=no name=Bridge
/interface ethernet
set [ find default-name=ether1 ] name=ether1-gateway
set [ find default-name=ether2 ] name=ether2-master-local
set [ find default-name=ether3 ] disabled=yes master-port=ether2-master-local name=ether3-slave-local
set [ find default-name=ether4 ] disabled=yes master-port=ether2-master-local name=ether4-slave-local
set [ find default-name=ether5 ] disabled=yes master-port=ether2-master-local name=ether5-slave-local
/interface pptp-server
add name=pptp-in1 user=********

/interface bridge export
/interface bridge
add auto-mac=no name=Bridge
Curtis Vaughan
Seattle, USA
 
cavaughan
newbie
Topic Author
Posts: 30
Joined: Sun Nov 09, 2014 8:01 pm
Location: Seattle, WA, USA
Contact:

Re: Remote access

Thu Dec 25, 2014 2:12 am

Ok, figured it out.
I just needed to change src-port to dst-port and everything worked!
Curtis Vaughan
Seattle, USA
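
The thread's fix comes down to first-match evaluation of the input chain: an inbound SSH connection carries 222 as its destination port, so a src-port=222 rule never matches it and the packet falls through to the ether1-gateway drop. The following is an added example, not code from the posters or from MikroTik: a small Python sketch that replays constructed packets against the posted input rules and against an assumed corrected set (dst-port=222, plus the GRE and TCP 1723 accept rules suggested above). It models only the matchers listed in `matches`, and `wan`, `verdict` and the sample packets are hypothetical names and values.

```python
import shlex
# Constructed from the input-chain rules posted above, up to the WAN drop rule.
POSTED = """
add chain=input protocol=tcp src-port=222
add chain=input comment="default configuration" protocol=icmp
add chain=input comment="allow winbox" dst-port=8291 protocol=tcp
add chain=input comment="allow api" dst-port=8728 protocol=tcp
add chain=input comment="default configuration" connection-state=established
add chain=input comment="default configuration" connection-state=related
add action=drop chain=input comment="default configuration" in-interface=ether1-gateway
"""
# Assumed corrected set: dst-port for SSH, plus GRE and TCP 1723 before the drop.
FIXED = POSTED.replace("src-port=222", "dst-port=222").replace(
    "add action=drop", "add chain=input protocol=gre\n"
    "add chain=input protocol=tcp dst-port=1723\nadd action=drop")

def parse_rules(export):
    """Turn 'add ...' export lines into dicts; a missing action means accept."""
    rules = []
    for line in export.strip().splitlines():
        if line.startswith("add "):
            fields = dict(tok.split("=", 1) for tok in shlex.split(line[4:]))
            rules.append({"action": "accept", **fields})
    return rules

def matches(rule, pkt):
    """Check only the matchers this sketch models; all present ones must agree."""
    for key in ("protocol", "src-port", "dst-port", "connection-state"):
        if key in rule and str(pkt.get(key)) != rule[key]:
            return False
    if "in-interface" in rule:
        negate = rule["in-interface"].startswith("!")
        if (pkt["in-interface"] == rule["in-interface"].lstrip("!")) == negate:
            return False
    return True

def verdict(export, pkt, chain="input"):
    """First match wins; returns (action, 1-based position), accept if none match."""
    chain_rules = [r for r in parse_rules(export) if r.get("chain") == chain]
    for pos, rule in enumerate(chain_rules, 1):
        if matches(rule, pkt):
            return rule["action"], pos
    return "accept", None

def wan(**fields):  # constructed new-connection packet arriving on ether1-gateway
    return {"in-interface": "ether1-gateway", "connection-state": "new", **fields}

for name, rules in (("posted", POSTED), ("fixed", FIXED)):
    print(name, verdict(rules, wan(protocol="tcp", **{"src-port": 50000, "dst-port": 222})))
```

The same replay shows a side effect worth auditing for: with src-port=222, rule 1 accepts any TCP packet whose source port is 222 regardless of destination port, and the source port is chosen by the remote side.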
