shafiqrahman
Member Candidate
Topic Author
Posts: 123
Joined: Wed Apr 12, 2017 1:42 am

Winbox not connecting to router.

Sun Jan 16, 2022 7:54 pm

My hAP AC is on RouterOS 7.1.1. Since upgrading to RouterOS 7 I am having an issue with Winbox failing to connect to the router. Never tested whether it occurs over ether or not. It only occurred to devices connected through the wifi. At first, the device lost the internet. After that, the device failed to connect to the router. My router has neighbor discovery enabled, but Winbox couldn't find it, nor could it connect. Among all the devices connected over wifi (three in testing), only one can connect. I had to reboot the router to get the internet back. Which device can connect is random. The only common thing is that when this happens the device loses internet, but the wifi signal is still there.
Has anyone encountered this issue?
 
anav
Forum Guru
Posts: 11751
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Winbox not connecting to router.

Sun Jan 16, 2022 8:15 pm

Works fine for all my 7.1.1 devices.
Suggest you configure access OFF the bridge ;-)
Also, have you tried both MAC and IP:port?
I'd rather manage rats than software. Follow my advice at your own risk! (Sob & mkx forced me to write that!)
MTUNA Certified, by the Ascerbic Llama!
 
shafiqrahman

Re: Winbox not connecting to router.

Sun Jan 16, 2022 9:06 pm

I always use IP to log in. But the router kinda kicks the device out. I will let you know when the next occurrence happens.
"access OFF the bridge"
Are you referring to dedicating a port for router access, as you mentioned in your guides?
Though, I found this error in the MikroTik iOS app: "failed to establish secure connection"
 
anav

Re: Winbox not connecting to router.

Sun Jan 16, 2022 9:12 pm

That happens to me if I try to use the MAC address, aka not able to use discovery on the iOS app no matter what.
I can access via wireless if I use the IP address and port.
 
shafiqrahman

Re: Winbox not connecting to router.

Sun Jan 16, 2022 9:16 pm

For me it happens with the IP address in iOS. Not sure about the MAC address, never tried. Will report back. The weirdest part is the device's loss of internet. To my understanding it can happen for various reasons (low signal strength, failure to establish a secure connection). But no internet on the device is kinda weird. I will report back next time it happens.
 
anav

Re: Winbox not connecting to router.

Sun Jan 16, 2022 9:18 pm

I would like to see your settings to see if you have something amiss for the OFF Bridge access...
 
shafiqrahman

Re: Winbox not connecting to router.

Sun Jan 16, 2022 9:34 pm

Here are my settings:
# jan/17/2022 01:22:55 by RouterOS 7.1.1
# software id = BM4W-X3GK
#
# model = RouterBOARD 962UiGS-5HacT2HnT
# serial number = 
/interface bridge
add admin-mac=xxxxxxxxx auto-mac=no comment=defconf name=bridge
/interface ethernet
set [ find default-name=ether3 ] advertise=\
    100M-half,100M-full,1000M-half,1000M-full
set [ find default-name=sfp1 ] disabled=yes
/interface wireless
set [ find default-name=wlan1 ] antenna-gain=0 band=2ghz-b/g/n channel-width=\
    20/40mhz-XX country=no_country_set disabled=no distance=indoors \
    frequency=auto frequency-mode=manual-txpower installation=indoor mode=\
    ap-bridge ssid=bad station-roaming=enabled wireless-protocol=802.11 \
    wps-mode=disabled
set [ find default-name=wlan2 ] antenna-gain=0 band=5ghz-a/n/ac \
    channel-width=20/40/80mhz-XXXX country=no_country_set disabled=no \
    frequency=5765 frequency-mode=manual-txpower installation=outdoor mode=\
    ap-bridge ssid=bad station-roaming=enabled wireless-protocol=802.11 \
    wps-mode=disabled
/interface wireguard
add listen-port=13231 mtu=1420 name=Home
/interface pppoe-client
add add-default-route=yes disabled=no interface=ether1 name=pppoe-out1 user=\
    xxxxxxxx
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface lte apn
set [ find default=yes ] ip-type=ipv4
/interface wireless security-profiles
set [ find default=yes ] authentication-types=wpa-psk,wpa2-psk eap-methods="" \
    group-key-update=1h mode=dynamic-keys supplicant-identity=MikroTik
/ip pool
add name=dhcp ranges=192.168.88.10-192.168.88.254
add name=pinet ranges=192.168.188.20-192.168.188.254
/ip dhcp-server
add address-pool=dhcp interface=bridge name=defconf
add address-pool=pinet interface=ether5 name=pinetDHCP
/routing bgp template
set default as=65530 disabled=no name=default output.network=bgp-networks
/routing ospf instance
add name=default-v2
/routing ospf area
add disabled=yes instance=default-v2 name=backbone-v2
/routing table
add fib name=to_ISP1
/interface bridge port
add bridge=bridge comment=defconf ingress-filtering=no interface=ether2
add bridge=bridge comment=defconf ingress-filtering=no interface=ether3
add bridge=bridge comment=defconf ingress-filtering=no interface=ether4
add bridge=bridge comment=defconf ingress-filtering=no interface=sfp1
add bridge=bridge comment=defconf ingress-filtering=no interface=wlan1
add bridge=bridge comment=defconf ingress-filtering=no interface=wlan2
/ip neighbor discovery-settings
set discover-interface-list=LAN
/ip settings
set max-neighbor-entries=8192 rp-filter=loose
/ipv6 settings
set disable-ipv6=yes max-neighbor-entries=8192
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=ether1 list=WAN
add interface=pppoe-out1 list=WAN
add interface=ether5 list=LAN
add interface=Home list=LAN
/interface wireguard peers
add allowed-address=192.168.40.2/32 interface=Home public-key=\
    ""
add allowed-address=192.168.40.3/32 comment="" interface=Home \
    public-key=""
/ip address
add address=192.168.88.1/24 comment=defconf interface=bridge network=\
    192.168.88.0
add address=192.168.188.1/24 comment=pinet interface=ether5 network=\
    192.168.188.0
add address=192.168.40.1/24 comment=wireguard interface=Home network=\
    192.168.40.0
/ip cloud
set ddns-enabled=yes
/ip dhcp-client
add comment=defconf disabled=yes interface=ether1
/ip dhcp-server lease
add address=192.168.188.21 client-id=xxxxxx mac-address=\
    xxxxxxxxxx server=pinetDHCP
/ip dhcp-server network
add address=192.168.88.0/24 comment=defconf dns-server=192.168.188.25 \
    gateway=192.168.88.1
add address=192.168.188.0/24 comment=pinet gateway=192.168.188.1 netmask=24
/ip dns
set allow-remote-requests=yes cache-max-ttl=2d query-server-timeout=100ms \
    query-total-timeout=5s servers=1.1.1.2,1.0.0.2 use-doh-server=\
    https://cloudflare-dns.com/dns-query verify-doh-cert=yes
/ip dns static
add address=192.168.88.1 name=router.lan
add address=104.16.248.249 name=cloudflare-dns.com
add address=104.16.249.249 name=cloudflare-dns.com
/ip firewall address-list
add address=192.168.88.2-192.168.88.254 list=allowed_to_router
add address=0.0.0.0/8 comment=RFC6890 list=not_in_internet
add address=172.16.0.0/12 comment=RFC6890 list=not_in_internet
add address=192.168.0.0/16 comment=RFC6890 list=not_in_internet
add address=10.0.0.0/8 comment=RFC6890 list=not_in_internet
add address=169.254.0.0/16 comment=RFC6890 list=not_in_internet
add address=127.0.0.0/8 comment=RFC6890 list=not_in_internet
add address=224.0.0.0/4 comment=Multicast list=not_in_internet
add address=198.18.0.0/15 comment=RFC6890 list=not_in_internet
add address=192.0.0.0/24 comment=RFC6890 list=not_in_internet
add address=192.0.2.0/24 comment=RFC6890 list=not_in_internet
add address=198.51.100.0/24 comment=RFC6890 list=not_in_internet
add address=203.0.113.0/24 comment=RFC6890 list=not_in_internet
add address=100.64.0.0/10 comment=RFC6890 list=not_in_internet
add address=240.0.0.0/4 comment=RFC6890 list=not_in_internet
add address=192.88.99.0/24 comment="6to4 relay Anycast [RFC 3068]" list=\
    not_in_internet
add address=192.168.188.20-192.168.188.254 list=allowed_to_router
add address=192.168.40.2-192.168.40.12 list=allowed_to_router
/ip firewall filter
add action=accept chain=input comment="defconf: accept established,related" \
    connection-state=established,related
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment="Allow Wireguard" dst-port=13231 \
    protocol=udp
add action=accept chain=input comment="Allow ADMIN to Router" \
    in-interface-list=LAN src-address-list=allowed_to_router
add action=accept chain=input in-interface-list=LAN port=53 protocol=tcp
add action=accept chain=input in-interface-list=LAN port=53 protocol=udp
add action=drop chain=input
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
    ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
    ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
    connection-state=established,related hw-offload=yes
add action=accept chain=forward comment="defconf: accept established,related" \
    connection-state=established,related
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
add action=accept chain=forward comment=" Allow Port Forwarding - DSTNAT" \
    connection-nat-state=dstnat
add action=accept chain=forward comment="ENABLE LAN to WAN" \
    in-interface-list=LAN out-interface-list=WAN
add action=accept chain=forward comment="ENABLE LAN to LAN" \
    in-interface-list=LAN out-interface-list=LAN
add action=drop chain=forward comment="Drop All Else"
/ip firewall mangle
add action=log chain=prerouting connection-state="" disabled=yes \
    in-interface=Home log-prefix=WGnew
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" \
    ipsec-policy=out,none out-interface-list=WAN
add action=dst-nat chain=dstnat comment=pihole_bypass disabled=yes \
    dst-address=192.168.188.25 dst-port=53 protocol=udp to-addresses=\
    192.168.88.1
add action=dst-nat chain=dstnat comment=pihole_bypass disabled=yes \
    dst-address=192.168.188.25 dst-port=53 protocol=tcp to-addresses=\
    192.168.88.1
/ip service
set telnet disabled=yes
set ftp disabled=yes
set ssh port=xxxx
set api disabled=yes
set winbox address=192.168.88.0/24,192.168.40.0/24
set api-ssl disabled=yes
/ip ssh
set forwarding-enabled=remote strong-crypto=yes
/ip upnp
set enabled=yes
/ip upnp interfaces
add interface=bridge type=internal
add interface=pppoe-out1 type=external
add interface=ether5 type=internal
/system clock
set time-zone-name=Asia/Dhaka
/system logging
add disabled=yes topics=wireless,debug
add disabled=yes topics=dns
/system ntp client
set enabled=yes
/system ntp client servers
add address=0.pool.ntp.org
add address=1.pool.ntp.org
add address=2.pool.ntp.org
add address=3.pool.ntp.org
/system scheduler
add interval=2d name=reboot on-event="system reboot" policy=\
    ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon \
    start-date=jun/07/2020 start-time=05:05:00
add interval=45s name=bypass on-event=":local piholeDown [/ip firewall nat pri\
    nt count-only where comment~\"pihole_bypass\" && disabled]\r\
    \n:local piholeDNS \"192.168.188.25\"\r\
    \n:local testDomain \"www.google.com\"\r\
    \n\r\
    \n:if (\$piholeDown > 0 ) do={\r\
    \n    :do {\r\
    \n        :resolve \$testDomain server \$piholeDNS\r\
    \n    } on-error={\r\
    \n        /ip firewall nat enable [find comment=pihole_bypass];\r\
    \n    }\r\
    \n} else={\r\
    \n    :do {\r\
    \n        :resolve \$testDomain server \$piholeDNS\r\
    \n        /ip firewall nat disable [find comment=pihole_bypass];\r\
    \n    } on-error={}\r\
    \n}" policy=\
    ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon \
    start-date=may/21/2021 start-time=03:39:00
/tool bandwidth-server
set enabled=no
/tool mac-server
set allowed-interface-list=none
/tool mac-server mac-winbox
set allowed-interface-list=LAN
/tool mac-server ping
set enabled=no
When the issue occurs I am not on the VPN.
 
anav

Re: Winbox not connecting to router.

Sun Jan 16, 2022 10:16 pm

(1) Why is UPnP enabled?
And more specifically, why is the OFF Bridge access listed here... it should be removed:
/ip upnp interfaces
add interface=bridge type=internal
add interface=pppoe-out1 type=external
add interface=ether5 type=internal

(2) src-address-list=allowed_to_router
As long as your wired connection on ether5 has an IP of .20 or greater (it has to match the pool), that part is OK.

(3) Where it falls apart is here.
set winbox address=192.168.88.0/24,192.168.40.0/24 MISSING 192.168.188.0/24

5. FINALLY, when you talk about the iOS app not being able to reach the device:
YOU HAVE NO WLAN SETUP FOR THIS ???

Create WLAN3 (virtual wlan off 2.4 ghz wlan as master interface)
- ip address=192.168.190.1/24 network=192.168.190.0 interface=wlan3
etc..
- Not on bridge.
add WLAN3 as a LAN member
Add to source-address-list=allowed 192.168.190.0/24
Add to winbox settings 192.168.190.0/24
 
shafiqrahman

Re: Winbox not connecting to router.

Sun Jan 16, 2022 10:26 pm

1. Didn't configure ether5 as an off-bridge connection. It's dedicated to the RPi, which has some containers that need UPnP.
2. Devices on ether5 don't need to access the router administration. I left 192.168.188.0/24 out intentionally.
3. No WLAN for the iOS app. The issue only occurred after upgrading to ROS 7.
 
anav

Re: Winbox not connecting to router.

Sun Jan 16, 2022 10:29 pm

Okay, but now you have a path forward using a WLAN to gain access off the bridge... try it.
 
shafiqrahman

Re: Winbox not connecting to router.

Mon Jan 17, 2022 3:23 am

Yes, I definitely will. I like the idea of having a separate WLAN outside of the bridge after the recent events where I locked myself out of the router in the cold. And finally a use case for an SSID name that I thought of but couldn't figure out a use case for. :D
 
shafiqrahman

Re: Winbox not connecting to router.

Mon Jan 17, 2022 4:18 pm

Here is the issue, as far as I could capture it. The router is connected to the device, with no logs about the device being disconnected from the router. But there is no internet on the device. I had to disable/enable the wifi on the device to get it back online. I tried to connect using the MAC address, but it didn't work.
 
anav

Re: Winbox not connecting to router.

Mon Jan 17, 2022 5:39 pm

Sorry, I have no idea what I am looking at.

Is that you on a wifi laptop trying to gain access to the router via the off-the-bridge WLAN?
I do it via my iPhone, but a wifi laptop works for me.

IF that is the case, I need to see
a. the config of the MT device
b. the IPv4 config of the laptop
 
shafiqrahman

Re: Winbox not connecting to router.

Tue Jan 18, 2022 1:58 pm

Didn't get the chance to create the off-bridge WLAN; it was the regular WLAN that I use to access the router. I was trying to show you the scenario where the device is connected to the router, but the router denies access to the internet.
I will try to create the off-bridge WLAN and see if the problem persists. Will report back soon.
 
anav

Re: Winbox not connecting to router.

Tue Jan 18, 2022 5:18 pm

Not relevant, the existing WLAN is ON the bridge, LOL. Yes, try with a third virtual WLAN off the bridge.
 
shafiqrahman

Re: Winbox not connecting to router.

Fri Jan 21, 2022 7:13 pm

Here is the config export:
# jan/21/2022 23:02:24 by RouterOS 7.1.1
# software id = BM4W-X3GK
#
# model = RouterBOARD 962UiGS-5HacT2HnT
# serial number = 
/interface bridge
add admin-mac=xxxxxxx auto-mac=no comment=defconf name=bridge
/interface ethernet
set [ find default-name=ether3 ] advertise=\
    100M-half,100M-full,1000M-half,1000M-full
set [ find default-name=sfp1 ] disabled=yes
/interface wireless
set [ find default-name=wlan1 ] antenna-gain=0 band=2ghz-b/g/n channel-width=\
    20/40mhz-XX country=no_country_set disabled=no distance=indoors \
    frequency=auto frequency-mode=manual-txpower installation=indoor mode=\
    ap-bridge ssid=bad station-roaming=enabled wireless-protocol=802.11 \
    wps-mode=disabled
set [ find default-name=wlan2 ] antenna-gain=0 band=5ghz-a/n/ac \
    channel-width=20/40/80mhz-XXXX country=no_country_set disabled=no \
    frequency=5765 frequency-mode=manual-txpower installation=outdoor mode=\
    ap-bridge ssid=bad station-roaming=enabled wireless-protocol=802.11 \
    wps-mode=disabled
add disabled=no keepalive-frames=disabled mac-address=xxxxxxxxxxxx \
    master-interface=wlan1 multicast-buffering=disabled name=wlan3 ssid=test \
    wds-cost-range=0 wds-default-cost=0 wps-mode=disabled
/interface wireguard
add listen-port=13231 mtu=1420 name=Home
/interface pppoe-client
add add-default-route=yes disabled=no interface=ether1 name=pppoe-out1 user=\
    xxxxxxxx
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
add name=Manage
/interface lte apn
set [ find default=yes ] ip-type=ipv4
/interface wireless security-profiles
set [ find default=yes ] authentication-types=wpa-psk,wpa2-psk eap-methods="" \
    group-key-update=1h mode=dynamic-keys supplicant-identity=MikroTik
/ip pool
add name=dhcp ranges=192.168.88.10-192.168.88.254
add name=pinet ranges=192.168.188.20-192.168.188.254
/ip dhcp-server
add address-pool=dhcp interface=bridge name=defconf
add address-pool=pinet interface=ether5 name=pinetDHCP
/routing bgp template
set default as=65530 disabled=no name=default output.network=bgp-networks
/routing ospf instance
add name=default-v2
/routing ospf area
add disabled=yes instance=default-v2 name=backbone-v2
/routing table
add fib name=to_ISP1
/interface bridge port
add bridge=bridge comment=defconf ingress-filtering=no interface=ether2
add bridge=bridge comment=defconf ingress-filtering=no interface=ether3
add bridge=bridge comment=defconf ingress-filtering=no interface=ether4
add bridge=bridge comment=defconf ingress-filtering=no interface=sfp1
add bridge=bridge comment=defconf ingress-filtering=no interface=wlan1
add bridge=bridge comment=defconf ingress-filtering=no interface=wlan2
/ip neighbor discovery-settings
set discover-interface-list=Manage
/ip settings
set max-neighbor-entries=8192 rp-filter=loose
/ipv6 settings
set disable-ipv6=yes max-neighbor-entries=8192
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=ether1 list=WAN
add interface=pppoe-out1 list=WAN
add interface=ether5 list=LAN
add interface=Home list=LAN
add interface=wlan3 list=Manage
/interface wireguard peers
add allowed-address=192.168.40.2/32 interface=Home public-key=\
    ""
add allowed-address=192.168.40.3/32 comment="iPhone 7" interface=Home \
    public-key=""
/ip address
add address=192.168.88.1/24 comment=defconf interface=bridge network=\
    192.168.88.0
add address=192.168.188.1/24 comment=pinet interface=ether5 network=\
    192.168.188.0
add address=192.168.40.1/24 comment=wireguard interface=Home network=\
    192.168.40.0
add address=192.168.50.1/24 interface=wlan3 network=192.168.50.0
/ip cloud
set ddns-enabled=yes
/ip dhcp-client
add comment=defconf disabled=yes interface=ether1
/ip dhcp-server lease
add address=192.168.188.21 client-id=xxxxxx mac-address=\
    xxxxxx server=pinetDHCP
/ip dhcp-server network
add address=192.168.88.0/24 comment=defconf dns-server=192.168.188.25 \
    gateway=192.168.88.1
add address=192.168.188.0/24 comment=pinet gateway=192.168.188.1 netmask=24
/ip dns
set allow-remote-requests=yes cache-max-ttl=2d query-server-timeout=100ms \
    query-total-timeout=5s servers=1.1.1.2,1.0.0.2 use-doh-server=\
    https://cloudflare-dns.com/dns-query verify-doh-cert=yes
/ip dns static
add address=192.168.88.1 name=router.lan
add address=104.16.248.249 name=cloudflare-dns.com
add address=104.16.249.249 name=cloudflare-dns.com
/ip firewall address-list
add address=192.168.88.2-192.168.88.254 list=allowed_to_router
add address=0.0.0.0/8 comment=RFC6890 list=not_in_internet
add address=172.16.0.0/12 comment=RFC6890 list=not_in_internet
add address=192.168.0.0/16 comment=RFC6890 list=not_in_internet
add address=10.0.0.0/8 comment=RFC6890 list=not_in_internet
add address=169.254.0.0/16 comment=RFC6890 list=not_in_internet
add address=127.0.0.0/8 comment=RFC6890 list=not_in_internet
add address=224.0.0.0/4 comment=Multicast list=not_in_internet
add address=198.18.0.0/15 comment=RFC6890 list=not_in_internet
add address=192.0.0.0/24 comment=RFC6890 list=not_in_internet
add address=192.0.2.0/24 comment=RFC6890 list=not_in_internet
add address=198.51.100.0/24 comment=RFC6890 list=not_in_internet
add address=203.0.113.0/24 comment=RFC6890 list=not_in_internet
add address=100.64.0.0/10 comment=RFC6890 list=not_in_internet
add address=240.0.0.0/4 comment=RFC6890 list=not_in_internet
add address=192.88.99.0/24 comment="6to4 relay Anycast [RFC 3068]" list=\
    not_in_internet
add address=192.168.188.20-192.168.188.254 list=allowed_to_router
add address=192.168.40.2-192.168.40.12 list=allowed_to_router
add address=192.168.50.0/24 list=allowed_to_router
/ip firewall filter
add action=accept chain=input comment="defconf: accept established,related" \
    connection-state=established,related
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment="Allow Wireguard" dst-port=13231 \
    protocol=udp
add action=accept chain=input comment="Allow ADMIN to Router" \
    in-interface-list=LAN src-address-list=allowed_to_router
add action=accept chain=input in-interface-list=LAN port=53 protocol=tcp
add action=accept chain=input in-interface-list=LAN port=53 protocol=udp
add action=drop chain=input
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
    ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
    ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
    connection-state=established,related hw-offload=yes
add action=accept chain=forward comment="defconf: accept established,related" \
    connection-state=established,related
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
add action=accept chain=forward comment=" Allow Port Forwarding - DSTNAT" \
    connection-nat-state=dstnat
add action=accept chain=forward comment="ENABLE LAN to WAN" \
    in-interface-list=LAN out-interface-list=WAN
add action=accept chain=forward comment="ENABLE LAN to LAN" \
    in-interface-list=LAN out-interface-list=LAN
add action=drop chain=forward comment="Drop All Else"
/ip firewall mangle
add action=log chain=prerouting connection-state="" disabled=yes \
    in-interface=Home log-prefix=WGnew
add action=add-dst-to-address-list address-list=YouTube address-list-timeout=\
    none-dynamic chain=prerouting comment=YouTube content=youtube.com
add action=add-dst-to-address-list address-list=YouTube address-list-timeout=\
    none-dynamic chain=prerouting comment=YouTube-googlevideo.com content=\
    googlevideo.com
add action=add-dst-to-address-list address-list=Netflix address-list-timeout=\
    none-static chain=prerouting comment=Netflix content=netflix.com
add action=add-dst-to-address-list address-list=Facebook \
    address-list-timeout=none-static chain=prerouting comment=Facebook \
    content=facebook.com
add action=add-dst-to-address-list address-list=Facebook \
    address-list-timeout=none-static chain=prerouting content=fbcdn.net
add action=add-dst-to-address-list address-list=Facebook \
    address-list-timeout=none-static chain=prerouting content=fbsbx.com
add action=add-dst-to-address-list address-list=Instagram \
    address-list-timeout=none-static chain=prerouting comment=Instagram \
    content=instagram.com
add action=add-dst-to-address-list address-list=Instagram \
    address-list-timeout=none-static chain=prerouting content=\
    connect.facebook.net
add action=add-dst-to-address-list address-list=Instagram \
    address-list-timeout=none-static chain=prerouting content=fbcdn.net
add action=add-dst-to-address-list address-list=Instagram \
    address-list-timeout=none-static chain=prerouting content=\
    cdninstagram.com
add action=add-dst-to-address-list address-list=twitter address-list-timeout=\
    none-static chain=prerouting comment=twitter content=twitter.com
add action=add-dst-to-address-list address-list=Reddit address-list-timeout=\
    none-static chain=prerouting comment=Reddit content=reddit.com
add action=add-dst-to-address-list address-list=tumblr address-list-timeout=\
    none-static chain=prerouting comment=tumblr content=tumblr.com
add action=add-dst-to-address-list address-list=TikTok address-list-timeout=\
    none-static chain=prerouting comment=TikTok content=tiktok
add action=add-dst-to-address-list address-list=TikTok address-list-timeout=\
    none-static chain=prerouting content=musical.ly
add action=add-dst-to-address-list address-list=rarbg address-list-timeout=\
    none-static chain=prerouting comment=rarbg content=rarbg.to
add action=add-dst-to-address-list address-list=rarbg address-list-timeout=\
    none-static chain=prerouting content=dyncdn.me
add action=add-dst-to-address-list address-list=rarbg address-list-timeout=\
    none-static chain=prerouting content=rarbgtor.org
add action=add-dst-to-address-list address-list=1337x address-list-timeout=\
    none-static chain=prerouting comment=1337x content=1337x.to
add action=add-dst-to-address-list address-list=1337x address-list-timeout=\
    none-static chain=prerouting content=dyncdn.cc
add action=add-dst-to-address-list address-list=thepiratebay \
    address-list-timeout=none-static chain=prerouting comment=thepiratebay \
    content=thepiratebay.org
add action=add-dst-to-address-list address-list=thepiratebay \
    address-list-timeout=none-static chain=prerouting content=torrindex.net
add action=add-dst-to-address-list address-list=thepiratebay \
    address-list-timeout=none-static chain=prerouting content=cdn.izooto.com
add action=add-dst-to-address-list address-list=pubg address-list-timeout=\
    none-static chain=prerouting comment=PUBG content=ap-south-1 \
    dst-address-list=""
add action=add-dst-to-address-list address-list=pubg address-list-timeout=\
    none-static chain=prerouting content=cdn.pubg.com dst-address-list=""
add action=mark-packet chain=forward new-packet-mark=YouTube passthrough=no \
    src-address-list=YouTube
add action=mark-packet chain=forward new-packet-mark=Netflix passthrough=no \
    src-address-list=Netflix
add action=mark-packet chain=forward new-packet-mark=Facebook passthrough=no \
    src-address-list=Facebook
add action=mark-packet chain=forward new-packet-mark=Instagram passthrough=no \
    src-address-list=Instagram
add action=mark-packet chain=forward new-packet-mark=twitter passthrough=no \
    src-address-list=twitter
add action=mark-packet chain=forward new-packet-mark=Reddit passthrough=no \
    src-address-list=Reddit
add action=mark-packet chain=forward new-packet-mark=tumblr passthrough=no \
    src-address-list=tumblr
add action=mark-packet chain=forward new-packet-mark=TikTok passthrough=no \
    src-address-list=TikTok
add action=mark-packet chain=forward new-packet-mark=rarbg passthrough=no \
    src-address-list=rarbg
add action=mark-packet chain=forward new-packet-mark=1337x passthrough=no \
    src-address-list=1337x
add action=mark-packet chain=forward new-packet-mark=thepiratebay \
    passthrough=no src-address-list=thepiratebay
add action=mark-packet chain=forward new-packet-mark=pubg passthrough=no \
    src-address-list=pubg
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" \
    ipsec-policy=out,none out-interface-list=WAN
add action=dst-nat chain=dstnat comment=pihole_bypass disabled=yes \
    dst-address=192.168.188.25 dst-port=53 protocol=udp to-addresses=\
    192.168.88.1
add action=dst-nat chain=dstnat comment=pihole_bypass disabled=yes \
    dst-address=192.168.188.25 dst-port=53 protocol=tcp to-addresses=\
    192.168.88.1
/ip service
set telnet disabled=yes
set ftp disabled=yes
set ssh port=2133
set api disabled=yes
set winbox address=192.168.88.0/24,192.168.40.0/24
set api-ssl disabled=yes
/ip ssh
set forwarding-enabled=remote strong-crypto=yes
/ip upnp
set enabled=yes
/ip upnp interfaces
add interface=bridge type=internal
add interface=pppoe-out1 type=external
add interface=ether5 type=internal
/system clock
set time-zone-name=Asia/Dhaka
/system logging
add topics=wireless,debug
add disabled=yes topics=dns
/system ntp client
set enabled=yes
/system ntp client servers
add address=0.pool.ntp.org
add address=1.pool.ntp.org
add address=2.pool.ntp.org
add address=3.pool.ntp.org
/system scheduler
add interval=2d name=reboot on-event="system reboot" policy=\
    ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon \
    start-date=jun/07/2020 start-time=05:05:00
add interval=45s name=bypass on-event=":local piholeDown [/ip firewall nat pri\
    nt count-only where comment~\"pihole_bypass\" && disabled]\r\
    \n:local piholeDNS \"192.168.188.25\"\r\
    \n:local testDomain \"www.google.com\"\r\
    \n\r\
    \n:if (\$piholeDown > 0 ) do={\r\
    \n    :do {\r\
    \n        :resolve \$testDomain server \$piholeDNS\r\
    \n    } on-error={\r\
    \n        /ip firewall nat enable [find comment=pihole_bypass];\r\
    \n    }\r\
    \n} else={\r\
    \n    :do {\r\
    \n        :resolve \$testDomain server \$piholeDNS\r\
    \n        /ip firewall nat disable [find comment=pihole_bypass];\r\
    \n    } on-error={}\r\
    \n}" policy=\
    ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon \
    start-date=may/21/2021 start-time=03:39:00
/tool bandwidth-server
set enabled=no
/tool mac-server
set allowed-interface-list=none
/tool mac-server mac-winbox
set allowed-interface-list=LAN
/tool mac-server ping
set enabled=no
What am I doing wrong? Though both router and phone show connected, the phone is not showing the wifi signal icon.
 
anav
Forum Guru
Forum Guru
Posts: 11751
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Winbox not connecting to router.

Fri Jan 21, 2022 11:39 pm

(1) WHY is wlan3 the only interface with Manage.........???

(2) Problem: Figure it out and it has to do with (1) being used not fully!!
add address=192.168.50.1/24 interface=wlan3 network=192.168.50.0

add action=accept chain=input comment="Allow ADMIN to Router" \
in-interface-list=LAN src-address-list=allowed_to_router

/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=ether1 list=WAN
add interface=pppoe-out1 list=WAN
add interface=ether5 list=LAN
add interface=Home list=LAN
add interface=wlan3 list=Manage ( Good but ?? which interface does the admin use?? ether5? LAN? )

Remember Manage is also what we use for
IP neighbours discovery = Manage
/tool mac-server mac-winbox
set allowed-interface-list=Manage

So recommend either adding ether5 or LAN whichever one is correct to Manage!!
So that the admin can connect to winbox from all Manage locations!!

The alternative is to add wlan3 to LAN interface and forget about interface Manage altogether.
I'd rather manage rats than software. Follow my advice at your own risk! (Sob & mkx forced me to write that!)
MTUNA Certified, by the Ascerbic Llama!
 
shafiqrahman
Member Candidate
Member Candidate
Topic Author
Posts: 123
Joined: Wed Apr 12, 2017 1:42 am

Re: Winbox not connecting to router.

Mon Jan 24, 2022 3:51 pm

wlan3 is the only interface because I wanted to make a virtual hidden interface to the router as a fail-safe, so that I can access the router regardless of firewall rules.
The alternative is to add wlan3 to LAN interface and forget about interface Manage altogether.
I liked the line :D. But the question still remains: if I add wlan3 to the LAN interface, how do I gain access if I locked myself out of the router? For my home network, LAN is trusted.
Sorry for the delay. Getting old means too little time for my router :lol:
 
anav
Forum Guru
Forum Guru
Posts: 11751
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Winbox not connecting to router.

Mon Jan 24, 2022 6:23 pm

wlan3 is the only interface because I wanted to make a virtual hidden interface to the router as a fail-safe, so that I can access the router regardless of firewall rules.
The alternative is to add wlan3 to LAN interface and forget about interface Manage altogether.
I liked the line :D. But the question still remains: if I add wlan3 to the LAN interface, how do I gain access if I locked myself out of the router? For my home network, LAN is trusted.
Sorry for the delay. Getting old means too little time for my router :lol:
You are overthinking it and adding noise I never stated. There is nothing HIDDEN about it.
Only you will have the SSID password to access the vWLAN, plus you are the only one with the correct IP address and port for winbox when using winbox, PLUS you are the only authorized user LOL.

(1) On the managed interface list, you should have the subnet you are on ALL the time as admin to be able to reach the router, let's say it's Home
Then your interface list members would include
add interface=Home list=Manage
add interface=wlan3 list=Manage

If you as admin are on ether5 all the time and access winbox from there normally then your list would have
add interface=ether5 list=Manage
add interface=wlan3 list=Manage

(2) You need to add the specific IP addresses here if relevant. MISSING
set winbox address=192.168.88.0/24,192.168.40.0/24,192.168.50.0/24

(3) This needs to be set to Managed
/tool mac-server mac-winbox
set allowed-interface-list=LAN

(4) Your source list allowed to router is not needed. That is what you have the interface list "Managed" for!!!
From
add action=accept chain=input comment="Allow ADMIN to Router" \
in-interface-list=LAN src-address-list=allowed_to_router
should be:
add action=accept chain=input comment="Allow ADMIN to Router" in-interface-list=Manage
[ src-address-list=IP , SHOULD BE FOR SPECIFIC IPs if necessary, if you want to narrow it down to Admin PC, Laptop, IPAD, Smartphone, Laptop IP for accessing wlan3 ]
I'd rather manage rats than software. Follow my advice at your own risk! (Sob & mkx forced me to write that!)
MTUNA Certified, by the Ascerbic Llama!
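As an added example (not part of the thread and not MikroTik code), a small Python audit that parses a RouterOS export and reports the four points raised above: the Manage list members, the winbox address filter, the mac-winbox interface list and the admin input rule. The export it checks is a constructed sample mirroring the thread's configuration, and the list name Manage is an assumption taken from the thread.

```python
import ipaddress
import re

# Constructed sample export mirroring the thread's configuration (not the poster's full export).
SAMPLE_EXPORT = """/ip address
add address=192.168.50.1/24 interface=wlan3 network=192.168.50.0
/interface list member
add interface=ether5 list=LAN
add interface=wlan3 list=Manage
/ip firewall filter
add action=accept chain=input comment="Allow ADMIN to Router" \\
    in-interface-list=LAN src-address-list=allowed_to_router
/ip service
set winbox address=192.168.88.0/24,192.168.40.0/24
/tool mac-server mac-winbox
set allowed-interface-list=LAN
"""

def parse_export(text):  # yield (section, entry) per add/set line; a trailing backslash joins the next line
    section, buf = "", ""
    for raw in text.splitlines():
        line, buf = buf + raw.strip(), ""
        if line.endswith("\\"):
            buf = line[:-1] + " "
        elif line.startswith("/"):
            section = line
        elif line.split()[:1] in (["add"], ["set"]):
            words = line.split()  # "set winbox ..." names the item; "add key=..." has no name
            yield section, dict(re.findall(r'(\S+?)=("[^"]*"|\S+)', line), _name=words[1] if "=" not in words[1] else "")

def audit_winbox_access(text, manage="Manage"):  # the four mismatches from the thread, as strings
    ents, findings = list(parse_export(text)), []
    manage_ifaces = [e["interface"] for s, e in ents if s == "/interface list member" and e["list"] == manage]
    if len(manage_ifaces) < 2:
        findings.append(f"{manage} holds only {manage_ifaces}: add the interface the admin normally uses")
    addrs = {e["interface"]: e["address"] for s, e in ents if s == "/ip address"}
    winbox = next((e.get("address", "") for s, e in ents if s == "/ip service" and e["_name"] == "winbox"), "")
    for iface in manage_ifaces:  # every Manage subnet must pass the winbox address filter
        net = str(ipaddress.ip_interface(addrs[iface]).network) if iface in addrs else None
        if net and net not in winbox.split(","):
            findings.append(f"winbox address filter lacks {net} ({iface})")
    mac = next((e.get("allowed-interface-list") for s, e in ents if s == "/tool mac-server mac-winbox"), None)
    if mac != manage:
        findings.append(f"mac-winbox allowed-interface-list is {mac}, expected {manage}")
    for s, e in ents:  # the admin input rule should match on the Manage list, not LAN plus an address list
        if s == "/ip firewall filter" and e.get("chain") == "input" and e.get("in-interface-list") not in (None, manage):
            findings.append(f"input rule {e.get('comment')} uses in-interface-list={e['in-interface-list']}")
    return findings
```

Running `audit_winbox_access(SAMPLE_EXPORT)` on the constructed sample returns four findings, one per point; an export with ether5 and wlan3 both in Manage, their subnets in the winbox address filter, mac-winbox on Manage and the input rule on in-interface-list=Manage returns an empty list.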
