I have taken over managing a setup for my inlaws. It was installed by a local installer. The main router is 960pgs powering a pair of access points. The firmware on it appears to be a customized version of routerOS from https://www.custom-integration-solutions.com/

Winbox and ssh have been disabled on the router, but the api is available via the port.
Webfig is enabled, but only shows a subset of the information.

I am wanting to enable the winbox port or ssh so I can get a good view of the configuration. Is the API able to enable ssh or winbox services?

Thanks.

Yes, for example with php:

Take care.
You should not have any port open over the internet open for management. Nor SSH/Winbox or API. (many MT Router has been hacked this way)

Using VPN i an ok solution (with certificates)

If that cant be done and you need a port open over internet.

1. Use another port than default.
2. Use port knocking. This prevents someone from seeing open ports.
3. Use a long and good password.
4. Use access list to prevent any random internet from accessing your router.
5. Log everything. (See my signature for example.)
6. Upgrade firmware to latest stable release
7. ++++

The goal is to access the host via the local LAN and be able to do management. Currently the API is available via the LAN. I have not confirmed if it accessible via the WAN/internet, that will be one of my next attempts the next time I am visiting.

But the key push is to be able to do so from the LAN/internal network and enable ssh/winbox access. This will then allow me to assess the current config, and possibly even back it up. And also help with the job of getting the firmware upgrade to a stock mikrotik release rather than the customized one that the integrator seems to have put onto the box.

Via Lan, you should normally be able to use Winbox, if some one has not shut that down.

Hi as some has used them you can use console cable login to you can net install put back to stock router os config if u want it run router os with custom webfig skin and dynamic DNS preconfigured for them remote access

You can so net install it get back to stock configuration on router then set-up caps manger etc on it

I seen most config file on it mind U was old one not sure how much would have changed to be honest
It not very locked down

you can use console cable login

Do the 960pgs has console cable. I do not see that on any picture of it.
https://mikrotik.com/product/RB960PGS

you can use console cable login

Do the 960pgs has console cable. I do not see that on any picture of it.
https://mikrotik.com/product/RB960PGS

Ya I was thinking the rb 2011 version they had it did

I doubt alot special on new one

Did you try default login have for them

I have been able to log into WebFig, but it is customized version that seems to only show a portion of the whole, it was missing a number of the items that I am used to seeing like the services. Winbox port has been disabled.

Looks like they had the boxes setup to be remotely managed through api access since they provided an option to subscribe to a service whereby the service provider would do firmware upgrades.

Plan is to enable winbox via the api next time I am on the LAN. Once I have that. I will hopefully be able to get the config details that I want and then either upgrade the firmware via winbox or do a netinstall.

I would just reset but if you do get config let me know in I curious if any changes but I doubted it honestly

Curious how you end up cis hardware anyway? Parts audio video company install

This is installed at my inlaws house. Their house is a recent new build, and as part of it, the builder worked with an external installer who used these parts. It was before I knew much about Mikrotik other than it seemed like decent gear. Since then, I have started using Mikrotik gear personally.

After the first year, the installer wanted to put them on a maintenance plan which I thought was pretty pricey for what amounted to apply firmware upgrades. What I hadn't accounted for was that the firmware wasn't stock mikrotik. Yeah, I will likely just do a clean install, but I was hoping to get as much of the config to make it as easy as possible to put it back the way I found it.

It's a business model the hardware cost bit too

Honestly firmware is stock it just has configuration on it logos change ya it was designed for purposes
For av installers

But it not driffent firmware if you had login you could upgrade it and would cause issues

The problem is in some API rule, Mikrotik don’t accept it (may be its some duplicate, etc…)

Simple way to check it is to go to the router - click on Save, and then go to Mikrotik log, and check where is an error

It is a valid business plan. Most people in that whole development are using the same AV installer, so a decent one for him if they get people onto the plan. There are 100-200 houses in the development with more planned. They wanted $15 a month for maintenance. They were doing the firmware upgrades remotely (likely during the overnight) so decent cash for some unattended scripting.

I am hoping that after I get winbox enabled via the API, that I can get a better picture of things through winbox which will give me the confidence to download and apply a stock firmware, likely just the one step up from their current one.

Ya I think it kinda of big ask I mean hardware as services is model but every one I see do seem want 15 month is kinda of high

Consider some other hardware and with high cost to get into hardware send me pm if you don't mind curios about some stuff but I don't think we can pm msg

It's runs cap manager some custom skins with logo's on a dynamic DNS so they know

And problay has few other depending on what is enabled maybe guest network pretty easy to rebuild

The $15 a month was just for software updates. So this was purely for software maintenance. My inlaws own the hardware outright at this point, but have decided against the software maintenance plan. This is where I come in and will be applying software updates to the existing hardware. Getting winbox enabled on the LAN was the first step.

I don't see an option to PM.

Heheh it would probably only cost 150 to reprogram



I would do am kind curios what they offer in way of support contract on it it u don't mind share you should be able click on name send msg unless it disabled

Net install will erase all setup on it can start over

Just look up configure caps manager and net install I be curious what ports are on try run nmap on lan up and public you see what runs

RTI control system in house
Might be vpn server also set-up if control house remotely maybe some port forward to