
Remote access

Posted: Tue Dec 23, 2014 12:22 am
by cavaughan
So, I've set up a new router, enabled ssh and set up PPTP, but am unable to access the router remotely.

I have one other older router that works perfectly and looking at it the only main difference I see is that although it is also set up as a Router, there is a Bridge interface on it. Out of curiosity I added a Bridge interface to my newer router to see if that would make it work, but it actually ended up blocking all traffic, so I removed it.

To be honest, I just don't see what having a Bridge interface should matter. I can ssh to the device within the LAN, just on the external interface. What am I doing wrong?


Re: Remote access

Posted: Tue Dec 23, 2014 9:29 am
by jacekes

What kind of router is it?
I would check the firewall first. Routers like RB75*, RB95* have a default firewall setup, which prevents access to the router from the WAN interface.

In IP->firewall->filter, chain input the last rule probably is a drop rule for in-interface=ether1-gateway.
I propose inserting 2 new rules before the dropping one. First rule should accept GRE protocol, the second one should accept TCP connections on dst-port 1723.
After adding these 2 rules, you should be able to connect to the router via PPTP.

Re: Remote access

Posted: Wed Dec 24, 2014 8:12 pm
by cavaughan
Yes, it is an RB750. So are you saying there is no way to access it remotely, or can the firewall rules be manipulated to bypass that default setting? Here is some information about my settings that might help:

So here are the results of the commands you asked me to provide. A few things I have removed for privacy reasons:

/ip service export
/ip service
set telnet disabled=yes
set ftp disabled=yes
set ssh port=222
set api disabled=yes

/ip firewall filter export
/ip firewall filter
add chain=input protocol=tcp src-port=222
add chain=input comment="default configuration" protocol=icmp
add chain=input comment="allow winbox" dst-port=8291 protocol=tcp
add chain=input comment="allow api" dst-port=8728 protocol=tcp
add chain=input comment="default configuration" connection-state=established
add chain=input comment="default configuration" connection-state=related
add action=drop chain=input comment="default configuration" in-interface=ether1-gateway
add chain=forward comment="default configuration" connection-state=established
add chain=forward comment="default configuration" connection-state=related
add action=drop chain=forward comment="default configuration" connection-state=invalid
add chain=input comment="acccept lan" in-interface=!ether1-gateway src-address=
add action=drop chain=input comment="drop everything else"

/interface export
/interface bridge
add auto-mac=no name=Bridge
/interface ethernet
set [ find default-name=ether1 ] name=ether1-gateway
set [ find default-name=ether2 ] name=ether2-master-local
set [ find default-name=ether3 ] disabled=yes master-port=ether2-master-local name=ether3-slave-local
set [ find default-name=ether4 ] disabled=yes master-port=ether2-master-local name=ether4-slave-local
set [ find default-name=ether5 ] disabled=yes master-port=ether2-master-local name=ether5-slave-local
/interface pptp-server
add name=pptp-in1 user=********

/interface bridge export
/interface bridge
add auto-mac=no name=Bridge

Re: Remote access

Posted: Thu Dec 25, 2014 2:12 am
by cavaughan
Ok, figured it out.
I just needed to change src-port to dst-port and everything worked!
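
The two points this thread turns on (a service on the router is matched with dst-port, not src-port, and accept rules have to sit before the drop rule) can be checked mechanically. The Python lint below is an added example, not part of any post in the thread; the function names are hypothetical, and the sample export is abridged from the one posted above with one constructed PPTP rule appended after the drops.

```python
import shlex

# Constructed sample: abridged from the export in the thread; the last rule is made up.
SAMPLE_EXPORT = """\
/ip firewall filter
add chain=input protocol=tcp src-port=222
add chain=input comment="default configuration" protocol=icmp
add chain=input comment="default configuration" connection-state=established
add action=drop chain=input comment="default configuration" in-interface=ether1-gateway
add chain=input comment="acccept lan" in-interface=!ether1-gateway
add action=drop chain=input comment="drop everything else"
add chain=input comment="constructed: pptp added after the drops" dst-port=1723 protocol=tcp
"""

META = {"chain", "action", "comment", "disabled"}  # keys that are not packet matchers

def parse_rules(export_text):
    """One dict per enabled 'add' line (assumes one rule per line, no '\\' wrapping)."""
    rules = []
    for line in export_text.splitlines():
        line = line.strip()
        if not line.startswith("add "):
            continue
        rule = dict(tok.partition("=")[::2] for tok in shlex.split(line)[1:])
        rule.setdefault("action", "accept")  # the export omits the default action
        if rule.get("disabled") != "yes":
            rules.append(rule)
    return rules

def lint_input_chain(export_text):
    """Return (rule_index, message) findings for chain=input, indices 0-based."""
    findings, drops = [], []
    for idx, rule in enumerate(parse_rules(export_text)):
        if rule.get("chain") != "input":
            continue
        m = {k: v for k, v in rule.items() if k not in META}
        if rule["action"] == "drop":
            drops.append((idx, m))
        elif rule["action"] == "accept":
            if "src-port" in m and "dst-port" not in m:
                findings.append((idx, "src-port=%s matches the client's source port; "
                                      "use dst-port for a service on the router" % m["src-port"]))
            # A drop whose matchers are all repeated in this rule catches every packet first.
            shadow = next((i for i, d in drops if d.items() <= m.items()), None)
            if shadow is not None:
                findings.append((idx, "never reached: shadowed by drop rule %d" % shadow))
    return findings
```

On the sample it flags rule 0 (the src-port match) and rule 6 (placed after the unconditional drop), while the LAN accept rule after the WAN-only drop is correctly left alone.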