Paradox
just joined
Topic Author
Posts: 20
Joined: Fri Oct 15, 2021 3:50 pm

Allow WinBox broadcast on WAN interface

Mon Oct 18, 2021 10:51 am

Hi,

I've set up a router with quick setup and I'd like to allow the WinBox broadcast messages on the WAN interface, so that the router can be found automatically.

I've tried to allow inbound UDP traffic to port 5678, but still the router cannot be found in WinBox. What else do I have to do?

Thanks!
 
anav
Forum Guru
Posts: 19100
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Allow WinBox broadcast on WAN interface

Tue Oct 19, 2021 2:05 pm

Nope, WinBox is not meant to be used on the WAN interface.
If you need to access WinBox from a remote location, use VPN, port knocking, etc. to access the router and then use WinBox to configure the router.
 
gotsprings
Forum Guru
Posts: 2102
Joined: Mon May 14, 2012 9:30 pm

Re: Allow WinBox broadcast on WAN interface

Tue Oct 19, 2021 3:12 pm

You would have to make an input rule on port 8291 TCP to allow connection to winbox.

Then enable IP cloud and use the netname to "find/reach" the router.

But it's generally considered a good idea to use an ACL or port knocking if you wanna do it that way.

But Zerotier works for this...
 
mkx
Forum Guru
Posts: 11433
Joined: Thu Mar 03, 2016 10:23 pm

Re: Allow WinBox broadcast on WAN interface

Tue Oct 19, 2021 3:55 pm

I guess @OP is trying to get MNDP working on the WAN interface, which is IMO a very stupid idea, but @OP might have a valid reason for doing it (e.g. in a block of flats, every flat has its own MT router managed by the landlord via the WAN interface).
 
Paradox
just joined
Topic Author
Posts: 20
Joined: Fri Oct 15, 2021 3:50 pm

Re: Allow WinBox broadcast on WAN interface

Tue Oct 19, 2021 6:03 pm

> I guess @OP is trying to get MNDP working on the WAN interface, which is IMO a very stupid idea, but @OP might have a valid reason for doing it (e.g. in a block of flats, every flat has its own MT router managed by the landlord via the WAN interface).

Actually it's something like this. The WAN interfaces of several routers should be connected to a private LAN to create small, separated networks. So the computers in the separated networks cannot reach each other but the routers can be maintained from the "WAN".
Of course I could just use static IPs to connect from the "WAN", but an autodetection can have its benefits.
 
holvoetn
Forum Guru
Posts: 5403
Joined: Tue Apr 13, 2021 2:14 am
Location: Belgium

Re: Allow WinBox broadcast on WAN interface

Tue Oct 19, 2021 6:11 pm

> > I guess @OP is trying to get MNDP working on the WAN interface, which is IMO a very stupid idea, but @OP might have a valid reason for doing it (e.g. in a block of flats, every flat has its own MT router managed by the landlord via the WAN interface).
>
> Actually it's something like this. The WAN interfaces of several routers should be connected to a private LAN to create small, separated networks. So the computers in the separated networks cannot reach each other but the routers can be maintained from the "WAN".
> Of course I could just use static IPs to connect from the "WAN", but an autodetection can have its benefits.

In that case it's not a true WAN because you're still in a controlled environment.
Under those circumstances it can be understandable and sometimes even needed to allow access to Winbox from WAN.
Just add a rule in firewall before the first input-drop rule to accept the port where you are using Winbox, don't change anything else.
Your last line of defense for those devices will then be your account and password :lol:
 
Paradox
just joined
Topic Author
Posts: 20
Joined: Fri Oct 15, 2021 3:50 pm

Re: Allow WinBox broadcast on WAN interface

Tue Oct 19, 2021 6:18 pm

BTW: MNDP was the right keyword 8)

For this to work you need:
* allow inbound traffic on UDP port 5678
* enable ip->neighbors->discovery on WAN or all interfaces (I was missing this)

Of course you also need to allow WinBox traffic to TCP 8291, too.
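
The steps from this thread as a RouterOS configuration sketch. This is an added example, not part of any post; it assumes the default-configuration interface lists LAN and WAN and at least one drop rule in the input chain, uses the hypothetical list name DISCOVER, and uses 192.0.2.0/24 as a placeholder for the management subnet on the "WAN" side so that account and password are not the only barrier.

```routeros
# Added example. Assumptions: interface lists LAN and WAN exist (default
# configuration), DISCOVER is a hypothetical list name, and 192.0.2.0/24 is a
# placeholder for the management subnet attached to the WAN ports.

# 1. Enable neighbor discovery (MNDP) on the WAN side as well as the LAN side.
/interface list
add name=DISCOVER include=LAN,WAN comment="interfaces that run MNDP"
/ip neighbor discovery-settings
set discover-interface-list=DISCOVER

# 2. Accept MNDP (UDP 5678) and WinBox (TCP 8291) on WAN, but only from the
#    management subnet, and place both rules ahead of the first input drop rule.
/ip firewall filter
add chain=input action=accept protocol=udp dst-port=5678 \
    in-interface-list=WAN src-address=192.0.2.0/24 \
    comment="MNDP from management subnet" \
    place-before=[:pick [find where chain=input action=drop] 0]
add chain=input action=accept protocol=tcp dst-port=8291 \
    in-interface-list=WAN src-address=192.0.2.0/24 \
    comment="WinBox from management subnet" \
    place-before=[:pick [find where chain=input action=drop] 0]

# 3. Restrict the WinBox service itself to the same subnet, so a later
#    firewall change does not expose the login to other sources.
/ip service
set winbox address=192.0.2.0/24

# 4. Check the result.
/ip neighbor discovery-settings print
/ip firewall filter print where chain=input
/ip service print where name=winbox
```

If the LAN side is also used for WinBox management, add its subnet to the `address=` value in step 3 before applying it.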
