Community discussions

 
Cue
newbie
Topic Author
Posts: 38
Joined: Thu Jun 14, 2007 3:23 am

Remote access from the Internet (WAN side)

Fri Mar 23, 2012 5:42 am

However I look I just cant seem to figure out how to enable remote access on my RG750G
I would like to open it so I can access remotely via Winbox.

If anyone could give me some pointers preferably in Winbox I would be grateful.
 
vik1988
Member Candidate
Member Candidate
Posts: 235
Joined: Sun Oct 25, 2009 2:18 pm
Location: India

Re: Remote access from the Internet (WAN side)

Fri Mar 23, 2012 6:25 am

However I look I just cant seem to figure out how to enable remote access on my RG750G
I would like to open it so I can access remotely via Winbox.

If anyone could give me some pointers preferably in Winbox I would be grateful.
What do you mean by Remote access. ?? Remote Desktop ??
Vikas Kumar Gupta
If you Like my post then add KARMA
skype- kumarvikas_gupta
 
Cue
newbie
Topic Author
Posts: 38
Joined: Thu Jun 14, 2007 3:23 am

Re: Remote access from the Internet (WAN side)

Fri Mar 23, 2012 6:33 am

No, remote access to the RB750 with Winbox.

(to remotely control the router with Winbox).
 
scampbell
Trainer
Trainer
Posts: 458
Joined: Thu Jun 22, 2006 5:20 am
Location: Wellington, NZ
Contact:

Re: Remote access from the Internet (WAN side)

Fri Mar 23, 2012 6:42 am

create an Input rule to allow Port 8291 from the internet.

/ip firewall filter add action=accept chain=input disabled=no dst-port=8291 protocol=tcp

be sure to place it above any rules dropping Input.

I would also consider specifying which hosts can connect rather than leaving it wide open.
 
vik1988
Member Candidate
Member Candidate
Posts: 235
Joined: Sun Oct 25, 2009 2:18 pm
Location: India

Re: Remote access from the Internet (WAN side)

Fri Mar 23, 2012 8:22 am

No, remote access to the RB750 with Winbox.

(to remotely control the router with Winbox).
If you have a Live IP then just configuire that on ur WAN Interface otherwise if you are using some DSL connection then contact ur ISP to configure Port address translation on DSL modem.
Vikas Kumar Gupta
If you Like my post then add KARMA
skype- kumarvikas_gupta
 
Cue
newbie
Topic Author
Posts: 38
Joined: Thu Jun 14, 2007 3:23 am

Re: Remote access from the Internet (WAN side)

Fri Mar 23, 2012 1:13 pm

create an Input rule to allow Port 8291 from the internet.

/ip firewall filter add action=accept chain=input disabled=no dst-port=8291 protocol=tcp

be sure to place it above any rules dropping Input.

I would also consider specifying which hosts can connect rather than leaving it wide open.
Thank you, this works if I disable the drop rule in filter, but I belive its not a good idea to do that. How do I move this nat rule above the filter rule to drop?
 
Cue
newbie
Topic Author
Posts: 38
Joined: Thu Jun 14, 2007 3:23 am

Re: Remote access from the Internet (WAN side)

Fri Mar 23, 2012 1:17 pm

No, remote access to the RB750 with Winbox.

(to remotely control the router with Winbox).
If you have a Live IP then just configuire that on ur WAN Interface otherwise if you are using some DSL connection then contact ur ISP to configure Port address translation on DSL modem.
Yes the Mikrotik is connected to brodband internet (optical), im useing the Mikrotik as the primary router.
If you have a Live IP then just configuire that on ur WAN Interface
That was my question, how do I do that
 
vik1988
Member Candidate
Member Candidate
Posts: 235
Joined: Sun Oct 25, 2009 2:18 pm
Location: India

Re: Remote access from the Internet (WAN side)

Fri Mar 23, 2012 1:32 pm

create an Input rule to allow Port 8291 from the internet.

/ip firewall filter add action=accept chain=input disabled=no dst-port=8291 protocol=tcp

be sure to place it above any rules dropping Input.

I would also consider specifying which hosts can connect rather than leaving it wide open.
Thank you, this works if I disable the drop rule in filter, but I belive its not a good idea to do that. How do I move this nat rule above the filter rule to drop?
just drag that rule to top of the list...
Vikas Kumar Gupta
If you Like my post then add KARMA
skype- kumarvikas_gupta
 
vik1988
Member Candidate
Member Candidate
Posts: 235
Joined: Sun Oct 25, 2009 2:18 pm
Location: India

Re: Remote access from the Internet (WAN side)

Fri Mar 23, 2012 1:34 pm

No, remote access to the RB750 with Winbox.

(to remotely control the router with Winbox).
If you have a Live IP then just configuire that on ur WAN Interface otherwise if you are using some DSL connection then contact ur ISP to configure Port address translation on DSL modem.
Yes the Mikrotik is connected to brodband internet (optical), im useing the Mikrotik as the primary router.
If you have a Live IP then just configuire that on ur WAN Interface
That was my question, how do I do that
are u using some PPPOE interface for WAN ??
Vikas Kumar Gupta
If you Like my post then add KARMA
skype- kumarvikas_gupta
 
scampbell
Trainer
Trainer
Posts: 458
Joined: Thu Jun 22, 2006 5:20 am
Location: Wellington, NZ
Contact:

Remote access from the Internet (WAN side)

Fri Mar 23, 2012 4:07 pm

create an Input rule to allow Port 8291 from the internet.

/ip firewall filter add action=accept chain=input disabled=no dst-port=8291 protocol=tcp

be sure to place it above any rules dropping Input.

I would also consider specifying which hosts can connect rather than leaving it wide open.
Thank you, this works if I disable the drop rule in filter, but I belive its not a good idea to do that. How do I move this nat rule above the filter rule to drop?
In Winbox you can simply drag the rule with your mouse to a position above the other rules :-)
MTCNA, MTCWE, MTCRE, MTCTCE, MTCSE, MTCINE, Trainer
___________________
Mikrotik Distributor - New Zealand
http://www.campbell.co.nz
 
Cue
newbie
Topic Author
Posts: 38
Joined: Thu Jun 14, 2007 3:23 am

Re: Remote access from the Internet (WAN side)

Sat Mar 24, 2012 1:00 am

Nat and Filter rules are not in the same category, I cannot drag from NAT to Filter rules.
 
DynStatic
Frequent Visitor
Frequent Visitor
Posts: 92
Joined: Thu Feb 18, 2010 3:11 am

Remote access from the Internet (WAN side)

Sat Mar 24, 2012 3:47 am

Cue,

I think the confusion is everyone is assuming your drop rule is in filter not nat, as that is typically where it would be.

Perhaps if you provide the rules we can clear up the confusion.

Paste the out put of these commands into a reply.
In terminal window:
/ip firewall filter export
/ip firewall nat export
 
Cue
newbie
Topic Author
Posts: 38
Joined: Thu Jun 14, 2007 3:23 am

Re: Remote access from the Internet (WAN side)

Sat Mar 24, 2012 4:29 am

I just have the default rules.

I ran this command.
/ip firewall filter add action=accept chain=input disabled=no dst-port=8291 protocol=tcp
That created a NAT srcnat using port 8291 TCP, nothing in "filter rules".
 
User avatar
perspetolis
Member Candidate
Member Candidate
Posts: 103
Joined: Tue Aug 02, 2011 9:08 pm
Location: Tehran
Contact:

Re: Remote access from the Internet (WAN side)

Sat Mar 24, 2012 9:00 am

hi
you can enable or disable winbox port from ip/service.
---------------------------------------------------
Mohsen Farahani
MTCNA-MTCWE-MTCTCE
http://www.ipsolution.ir
 
vik1988
Member Candidate
Member Candidate
Posts: 235
Joined: Sun Oct 25, 2009 2:18 pm
Location: India

Re: Remote access from the Internet (WAN side)

Sat Mar 24, 2012 9:15 am

I just have the default rules.

I ran this command.
/ip firewall filter add action=accept chain=input disabled=no dst-port=8291 protocol=tcp
That created a NAT srcnat using port 8291 TCP, nothing in "filter rules".
Use this command...
/ip firewall filter add action=accept chain=input disabled=no dst-port=8291 protocol=tcp place-before=0
Vikas Kumar Gupta
If you Like my post then add KARMA
skype- kumarvikas_gupta
 
siavashblade
just joined
Posts: 4
Joined: Wed Feb 25, 2015 1:02 pm

Re: Remote access from the Internet (WAN side)

Wed Feb 25, 2015 1:04 pm

hi dude I have a problem with this can you help me?
first of all after I enable DDNS, in the status section it tells me that:
"DDNS server received request from ip ...(the public ip adress)... but your local ip was 192.168.1.6 (which is my gateway ip). DDNS service might not work."
and I can't ping the DNS name it gives me 100% timeout then I've added this command:"/ip firewall filter add action=accept chain=input disabled=no dst-port=8291 protocol=tcp place-before=0"
but this didnt help either! :|
what should I do?
I have ip cameras in my work place and I want to watch them from home via this feature.
can you help me?
 
amrphus
just joined
Posts: 3
Joined: Wed Mar 04, 2015 2:19 am

Re: Remote access from the Internet (WAN side)

Wed Mar 04, 2015 2:40 am

192.168.1.6 (which is my gateway ip)
It sounds like your Mikrotik is itself behind a firewall with NAT. The wlan address used for DDNS cannot be a 192.168 address. See "private addresses" at http://en.wikipedia.org/wiki/IP_address. For DDNS to work, the Mikrotik would need to be connected directly to the internet instead of behind NAT.
 
User avatar
tushar
Frequent Visitor
Frequent Visitor
Posts: 57
Joined: Tue Mar 18, 2014 10:58 pm
Location: NewDelhi
Contact:

Re: Remote access from the Internet (WAN side)

Tue May 19, 2015 11:05 am

even i want to access my Mikrotik 5shpn radio from home which is installed on ISP premise. How can i access radio from winbox.
 
User avatar
lectrapon
Frequent Visitor
Frequent Visitor
Posts: 80
Joined: Tue Mar 03, 2015 2:10 pm

Re: Remote access from the Internet (WAN side)

Fri Aug 19, 2016 11:13 am

I just have the default rules.

I ran this command.
/ip firewall filter add action=accept chain=input disabled=no dst-port=8291 protocol=tcp
That created a NAT srcnat using port 8291 TCP, nothing in "filter rules".
Use this command...
/ip firewall filter add action=accept chain=input disabled=no dst-port=8291 protocol=tcp place-before=0
Hi,
I have tried your command but I can't access my routerboard.
When I try to access from WAN side I get "ERROR: Gateway timeout" from web browser and "connection refused" from Tik-App (android)
 
aslanov
just joined
Posts: 4
Joined: Thu Sep 29, 2016 2:41 pm

Re: Remote access from the Internet (WAN side)

Mon Oct 03, 2016 12:31 am

hi
you can enable or disable winbox port from ip/service.
yes, but if you have "drop all" firewall rule at the bottom of your all firewall rules then you need also allow 8291 port to your router input chain.
 
Abdifatah
just joined
Posts: 1
Joined: Sat Dec 31, 2016 8:02 pm

Re: Remote access from the Internet (WAN side)

Sat Dec 31, 2016 8:10 pm

hey friends thanks for the discussions; i have the same issue i configured my mikrotik 951v and my WAN ip is local IP from TP link router and i need it to access from another internet without public IP addess, i need to access and i want use it with local IP address so is that possible frinds thanks
 
chshahzadnasir
newbie
Posts: 27
Joined: Sat Nov 05, 2016 8:26 pm
Location: Pakistan
Contact:

Re: Remote access from the Internet (WAN side)

Tue Jan 17, 2017 10:53 am

how to access multi router board (winbox) in same internet connection. i am also using single winbox access anywhere on other internet by using this port forward settings
/ip firewall filter add action=accept chain=input disabled=no dst-port=8291 protocol=tcp
know i am using multi router board..... i want to access multi winbox access on same domain how to configuration
 
mtecuy
just joined
Posts: 2
Joined: Sun Jan 22, 2017 1:17 am

Re: Remote access from the Internet (WAN side)

Sun Jan 22, 2017 2:01 am

Hi, im using the 3.9 version.

Sadly im not able to access throw cloud service.
Can you guys recomend me any topic for setup the remote access?

My primary router is a Mikrotik Rb2011 UIAS-RM conected by PPPOE to my ISP (Dynamic IP service).
Have some Ubiquiti antenas and ip cameras... its all working good in my local network my problem is to access from my office.
 
serkand93
just joined
Posts: 11
Joined: Tue May 16, 2017 9:21 pm

Re: Remote access from the Internet (WAN side)

Fri May 19, 2017 1:59 pm

create an Input rule to allow Port 8291 from the internet.

/ip firewall filter add action=accept chain=input disabled=no dst-port=8291 protocol=tcp

be sure to place it above any rules dropping Input.

I would also consider specifying which hosts can connect rather than leaving it wide open.

I would like to access my 3011 mikrotik device remotely wiht only my personal laptop . Do you know how to achieve this ?
 
chuky0
newbie
Posts: 27
Joined: Thu Apr 20, 2017 7:49 pm

Re: Remote access from the Internet (WAN side)

Sat May 27, 2017 8:36 am

I may have solutions for this thread. I posted the link below and I can now successfully access all my Mikrotik devices on my home network through the internet.

viewtopic.php?p=597203#p597203

below is what I used as a guideline, its from this link https://shop.duxtel.com.au/article_info ... icles_id=6

Access "hidden" mikrotik device by Winbox by Mike Everest

inShare

Here's the scenario:

Mikrotik Router as a hotspot gateway running on the wireless network (the Gateway).
A second device is connected by WDS to the gateway used as a network range extender (the Booster).
We can connect to the Gateway using winbox by connecting to the public IP address.
How to connect to the Booster with Winbox too?
To acheive this task, we will map connections to the Gateway device on port 8292 to the winbox port (8291) on the Booster. The following steps will assume that the Booster is a simple WDS slave with no IP address assigned to any iterface.

STEP 1: Add an DHCP client address to the Booster device on the hotspot cell.

This can be done easily using winbox, but you can't access with winbox, right? Not a problem. We can use the mac-telnet tool from the Gateway device to add the dhcp client on the Booster:

First log in to the Gateway using winbox
Click on the Telnet menu item, and select the MAC Telnet option, and notice that the IP address field now changes to a drop-down select field
If your Booster device doesn't show up in the list, you can type it in manually, then click Connect
Enter the username and password for the Booster, then execute the following command:
/ip dhcp-client add add-default-route=yes comment="" default-route-distance=0 disabled=no interface=<wds-bridge-interface> use-peer-dns=yes use-peer-ntp=yes
Note that you will need to change the interface <wds-bridge-interface> to suit your configuration. If you are not sure what is the name of the right interface, execute:
/interface wireless print
and look for the value of the wds-default-bridge setting.
Now check that there is an ip address
/ip address print
And make a note of the IP address assigned
Try to ping the Gateway
/ping <gateway IP address>
Change (of course) the <gateway IP address> to the actual address of your gateway device. Note that ping time-out is expected, but pinging the gateway will cause the Booster host to be added to the device list under the Gateway hotspot service.
STEP 2: Make the Booster DHCP lease permanent in the Gateway DHCP Server.

Back on the Winbox session to the Gateway, click on the IP menu item, then select DHCP Server
Select the Leases tab, and then click on the entry containing the IP address observed in point 11 of STEP 1 above
STEP 3: Add a bypass rule in the Gateway hotspot for the Booster device.

Still in the Gateway Winbox session, click on IP and then select Hotspot
Select the Hosts, then double click on the entry containing the Booster device. If it is not there, go back to point 12 in STEP 1 above
When the host entry details panel opens, click the button labelled Make Binding
In the New Hotspot Binding dialog, set the Type to Bypassed, then click OK
STEP 4: Create a destination NAT rule to map incoming port 8292 to the Booster on port 8291.

Now click IP in the menu, and choose Firewall
Select the NAT tab, then click the red '+' icon near the top left
On the General tab, enter:
Chain: dstnat
Dst. Address: <ip address of the gateway> (i.e. the address you are connecting to with the current winbox session)
Protocol: tcp
Dst. Port: 8292
On the Action tab, enter:
Action: dst-nat
Dst. Addresses: <ip address of the booster > (i.e. the address from 11 of STEP 1 above)
Dst. Port: 8291
Click OK
STEP 5: Connect to the Booster in Winbox.

Now, if everything is set up right, you can now connect to the remote device using winbox by specifying the IP address of the Gateway, and specifying the port defined in 3 of STEP 4 above, using this notation:

<ip address>:<port>

For example, if you connect to the Gateway device on adress 192.168.1.1, then you will connect to the Booster using 192.168.1.1:8291

NOTE: Older versions of the Winbox loader do not support this port specification. Always make sure that you have the latest version downloaded from the Mikrotik web site.

You can repeat these steps multiple times if you have several Booster devices inside your hidden network, by simply changing the destination port each time; 8293, 8294, etc.
 
francescob
just joined
Posts: 4
Joined: Tue May 29, 2018 9:58 am

Re: Remote access from the Internet (WAN side)

Wed Apr 17, 2019 1:09 am

Actually if you want to get access to your Mikrotik from a remote network, you should have a look to Cloutik
Very simple to use, tested with several routerboards
 
anav
Forum Guru
Forum Guru
Posts: 3106
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Remote access from the Internet (WAN side)

Wed Apr 17, 2019 5:38 pm

@scampbell Trainer my ass, go back to security school!
This whole thread seems to ignore the huge security implications (or infractions if for a business) that are being apparently openly discussed.
Access to the router in any plain mode is let me put it in simple terms - STUPID.

The best way to access the RouterOS remotely is through VPN. This is actually not that difficult for example using the RouterOS IOS or Android app on the smart phone via an
IKEv2 secure connection is fairly easy(one of many options). If that is too daunting at least look at port knocking which is discussed in many threads.

As a minimum, any wanker that is still using the default winbox port, needs to be drawn and quartered (UK euphemism for getting a good spanking........ hmm some here might like that)

(Ip services - set winbox port and narrow down allowed access)
(System - users, narrows down access)
(input chain - narrow down users with access to router)
I'd rather manage rats than software. Follow my advice at your own risk! (Sob & mkx forced me to write that!)
 
Sob
Forum Guru
Forum Guru
Posts: 4794
Joined: Mon Apr 20, 2009 9:11 pm

Re: Remote access from the Internet (WAN side)

Wed Apr 17, 2019 6:36 pm

You're responding to post from 2012. That was long before the most ugly WinBox bug. It's possible that WinBox was completely secure back then, but it's hard to tell, since changelogs from that time were a little sparse.
People who quote full posts should be spanked with ethernet cable. Some exceptions for multi-topic threads may apply.
 
anav
Forum Guru
Forum Guru
Posts: 3106
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Remote access from the Internet (WAN side)

Wed Apr 17, 2019 9:00 pm

What?? Its 2019......... where did the time go! ;-)
I'd rather manage rats than software. Follow my advice at your own risk! (Sob & mkx forced me to write that!)
 
User avatar
Thor187
newbie
Posts: 46
Joined: Sat Oct 21, 2017 10:21 pm

Re: Remote access from the Internet (WAN side)

Fri May 03, 2019 1:02 pm

If I enabled the default firewall in the Quick Config screen and I then went to IP->Cloud and setup a CNAME on my domain what rule to I need to add to the firewall to allow myself to access the router with WinBox remotely from (xxx.xxx.xx.xxx - my office IP)
 
erlinden
Member Candidate
Member Candidate
Posts: 173
Joined: Wed Jun 12, 2013 1:59 pm

Re: Remote access from the Internet (WAN side)

Fri May 03, 2019 2:29 pm

If I enabled the default firewall in the Quick Config screen and I then went to IP->Cloud and setup a CNAME on my domain what rule to I need to add to the firewall to allow myself to access the router with WinBox remotely from (xxx.xxx.xx.xxx - my office IP)
You don't because it is highly unwise. If you really need access to any services locally, use VPN.

Red your post again, you have to add the address to your rule
 
anav
Forum Guru
Forum Guru
Posts: 3106
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Remote access from the Internet (WAN side)

Fri May 03, 2019 6:02 pm

Nothing to worry about, with Thor's Hammer he will be able to repel any hackers. No need for proper config security.
I'd rather manage rats than software. Follow my advice at your own risk! (Sob & mkx forced me to write that!)
 
AidanAus
newbie
Posts: 25
Joined: Wed May 08, 2019 7:35 am

Re: Remote access from the Internet (WAN side)

Wed May 08, 2019 11:24 am

I would assume you have a dynamic wan ip so i would enable ddns under ip cloud then if the router is not the one with the public address run ip cloud advanced use-local-address that will make ur routers ip be linked to the dns name that is publicly routable. From there set up a sstp or l2tp-ipsec server so that you can make clients connect to the dns name ip cloud gave you. From there sort our ur firwall by adding rules to accept input from ur lan and from the tunnel ports as well as to the ip could servers that the ips can be found at https://wiki.mikrotik.com/wiki/Manual:IP/Cloud#Advanced
Basic firewall rules and security can be found here https://wiki.mikrotik.com/wiki/Manual:S ... our_Router
L2tp config can be found here https://wiki.mikrotik.com/wiki/Manual:I ... pSec_setup

Do that then once all that is set up connect a client to the tunnel server and do a ping -l (packet size) -f from a cmd at eithet and and ping the other end. Start at lik 1472 and work ur way down by like 10-20 each time till it works then go up till it doesnt. Find the largest size u can ping through at and go to ur vpn servrr config and put that in the mtu configuration section. Oh also enable proxy arp on ur lan bridge interface if u want the clients to be able to connect to ur lan.
Sorry for the low quality post im on my phone atm :]
 
charliecrash
just joined
Posts: 21
Joined: Tue Nov 13, 2018 4:04 pm
Location: Sweden

Re: Remote access from the Internet (WAN side)

Sun Oct 20, 2019 2:39 pm

I'm trying to access routerboard from the android app, wan side.

Could the RoMON agent be used for this? If so, please redirect me to a setup page for dummies, or explain how it is done,

Do I still need some kind of dyndns?

Use case: Kid control at work. Homework & dishes done before play...

Thanks in advance!

Who is online

Users browsing this forum: No registered users and 52 guests