b4n3
just joined
Topic Author
Posts: 2
Joined: Sat Mar 26, 2022 11:07 pm

Cut Myself Off From WinBox Connection!

Sun Mar 27, 2022 1:30 am

I'm a complete newbie at RouterOS running a RB4011IGS_RM and as simply a hobbyist I like to learn by breaking things, so apologies for lacking some fundamentals... (Although I have broken something and am hoping to learn!)

I was attempting to follow the thread here to try out wireguard as a VPN: viewtopic.php?t=174417 and I believe I have made a mistake in the below line;
/ip address add address=192.168.66.1/24 interface=wireguard1 network=192.168.66.0
As when I made the changes to my version of this line and set it up as below, I think I've managed to assign two addresses (or interfaces?) over the top of each other. Immediately after doing this, I am no longer able to hit my Webfig or Winbox through 192.168.88.1. (I guess I've double allocated 192.168.88.1 to another device?)
ip address add address=192.168.88.232/24 interface=wireguard1 network=192.168.88.0
Honestly, not sure why I didn't set up a subnet for wireguard clients - I guess because I didn't understand that wireguard was a purely 1:1 relation client:peer and wasn't strictly smart enough to allocate to unused IPs (and honestly, I'm just trying stuff to see what does and doesn't work).

Right now, I'm trying to rollback what I've done to gain access back to WinBox and Webfig - but without being able to get into WinBox or WebFig in the first place, I'm a bit stuck.
- CMD -> ipconfig /all still lists 192.168.88.1 as my gateway and using arp -a I've pulled its physical address.
- I don't think I can use the WinBox MAC Telnet (https://wiki.mikrotik.com/wiki/Manual:Winbox) as I don't have a neighboring device (and I am pretty sure I closed Telnet (https://wiki.mikrotik.com/wiki/Manual:S ... our_Router), although I can't strictly remember).
- I think I have the correct router MAC address and I've tried just straight WinBox connecting with that in the "Connect To:" field (no real luck with : or - delimiters) - just times out, anyone have any pointers?
- I have an externally facing DDNS'd Webfig page that I can connect to from my main machine (it's exclusively whitelisted - I figure the whole thing is bad practice, but I wasn't sure how else to remotely access webfig - other than a VPN, which is what I'm trying to set up now) that brings me to my login page - but after putting in details, it just times out.

I'm looking for ideas as to how else I might be able to get back into the router to undo what I did (without physically going and hard resetting the device) as I'm away sat in a hotel this week (connected to my home network through Teamviewer) - hence the burning desire to try to set up a VPN properly!

I'm currently spinning up a VM to try to run this https://github.com/haakonnessjoen/MAC-Telnet to close out my MAC Telnet question, but once I've tried that (and I think it's likely to fail) I'm fresh out of ideas.

For the future, I'm doing some reading on RoMON as I think that might help me if I ever do this again... (Per this thread; viewtopic.php?t=120629 and this article; https://wiki.mikrotik.com/wiki/Manual:Tools/RoMON and this one https://rickfreyconsulting.com/romon-po ... r-network/).

Anyone have any ideas of things I can try? Or is the prognosis that I need to cancel tinkering until I get home to factory reset?
 
anav
Forum Guru
Posts: 19100
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Cut Myself Off From WinBox Connection!

Mon Mar 28, 2022 2:22 pm

Yes,,,,
Going from newb to Wireguard is a stretch...........
viewtopic.php?t=182373

However I do suggest looking at article A prior to F, and also understanding firewall rules and routing before attempting wireguard.
 
Sob
Forum Guru
Posts: 9119
Joined: Mon Apr 20, 2009 9:11 pm

Re: Cut Myself Off From WinBox Connection!

Tue Mar 29, 2022 5:37 am

That MAC-Telnet won't help you, because it can't work with newer RouterOS. If you have somewhere to run it (in the same LAN), you could use MAC telnet from CHR (RouterOS VM). Connection to MAC address using WinBox should also work. That's if you have them enabled from LAN. As for external access, if you just messed up internal 192.168.88.0/24, it can't influence external connections. But if you did that, it seems weird that you could still connect to something in LAN with TeamViewer.
 
kevinds
Long time Member
Posts: 638
Joined: Wed Jan 14, 2015 8:41 am

Re: Cut Myself Off From WinBox Connection!

Sun Apr 03, 2022 2:44 am

Maybe I'm having a brain-fart about what your issue is, but if you are really stuck trying to regain access.. Why not just reset-to-defaults the router?

To regain access without reset, serial console?
 
rextended
Forum Guru
Posts: 11982
Joined: Tue Feb 25, 2014 12:49 pm
Location: Italy

Re: Cut Myself Off From WinBox Connection!

Sun Apr 03, 2022 12:20 pm

Yes, on the back there is a console port (that is not for an Ethernet cable but for an etherserial cable)

@b4n3
Next time use the "safe mode" button first...
and I'm absolutely against disabling WinBox or MAC WinBox Server on the LAN side...
At least one untagged port, in contact with the CPU, with full service active (but obviously secured), used only to admin the device.
In this case, if you have a console port (and do not commit the idiocy of disabling that too), you can admin everything by serial, and this requires physical access to the device.
 
b4n3
just joined
Topic Author
Posts: 2
Joined: Sat Mar 26, 2022 11:07 pm

Re: Cut Myself Off From WinBox Connection!

Mon Apr 04, 2022 8:11 pm

Hi all, thanks for your attempts to help my stupidity - I've regained access now that I have returned from being remote, did a hardware (button) reset and am building again from scratch. That'll show me for trying to mess with things I don't fully understand whilst remote!

> Yes,,,,
> Going from newb to Wireguard is a stretch...........
> viewtopic.php?t=182373
>
> However I do suggest looking at article A prior to F, and also understanding firewall rules and routing before attempting wireguard.

Thanks for the link to the guide pack, this has been very interesting reading!

> That MAC-Telnet won't help you, because it can't work with newer RouterOS. If you have somewhere to run it (in the same LAN), you could use MAC telnet from CHR (RouterOS VM). Connection to MAC address using WinBox should also work. That's if you have them enabled from LAN. As for external access, if you just messed up internal 192.168.88.0/24, it can't influence external connections. But if you did that, it seems weird that you could still connect to something in LAN with TeamViewer.

Yeah, I had disabled it - which was a mistake in retrospect. So I couldn't have got back in that way even if I had managed to figure it out. I didn't mess up 192.168.88.0/24 as an entire address range - I think I specifically messed up 192.168.88.1 and managed to somehow double allocate it, so when trying to hit it with WinBox/WebFig it just wouldn't resolve inside the LAN.

> Maybe I'm having a brain-fart about what your issue is, but if you are really stuck trying to regain access.. Why not just reset-to-defaults the router?
>
> To regain access without reset, serial console?

You're completely correct that reset-to-defaults was the simple way out - I was remote at the time and thus unable to physically press the button unfortunately (same for being able to plug in to use serial console). Ah well!

> Yes, on the back there is a console port (that is not for an Ethernet cable but for an etherserial cable)
>
> @b4n3
> Next time use the "safe mode" button first...
> and I'm absolutely against disabling WinBox or MAC WinBox Server on the LAN side...
> At least one untagged port, in contact with the CPU, with full service active (but obviously secured), used only to admin the device.
> In this case, if you have a console port (and do not commit the idiocy of disabling that too), you can admin everything by serial, and this requires physical access to the device.

I've just read about using the etherserial console port - certainly a very useful port if I had physical access at the time! I think I need to understand a bit further about WinBox/MAC WinBox via an untagged port. Do you have any good suggestions for reading?
 
rextended
Forum Guru
Posts: 11982
Joined: Tue Feb 25, 2014 12:49 pm
Location: Italy

Re: Cut Myself Off From WinBox Connection!

Mon Apr 04, 2022 8:17 pm

search @anav posts about VLAN and @chupaka
but WinBox or MAC WinBox Server on LAN side...
 
anav
Forum Guru
Posts: 19100
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Cut Myself Off From WinBox Connection!

Mon Apr 04, 2022 8:47 pm

Why would you put winbox access to any port specifically?
It should be available ONLY to the admin.
step 1 - ensure the subnet the admin is on is included in an interface list that is called TRUSTED
step 2 - this is the interface list that should be noted on the mac server winmac server ENTRY.
step 3 - ensure an input firewall rule that allows access to winbox port ONLY to that interface and further limited by IP address to the admin (use a firewall address list for a number of admin devices)
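
The three steps above written out as RouterOS commands, as an added example that is not part of anav's post. The interface name `bridge`, the admin address 192.168.88.10 and the address-list name ADMIN are assumptions; 8291 is the default WinBox port.

```routeros
# Added example (not from the thread). Assumed values: interface "bridge",
# admin PC 192.168.88.10, address list "ADMIN". 8291 is the default WinBox port.
# Enter safe mode first (Ctrl+X in the terminal) so that a lockout during
# these changes is rolled back when the session drops.

# step 1: interface list holding the interface the admin subnet sits on
/interface list
add name=TRUSTED comment="interfaces allowed to manage the router"
/interface list member
add list=TRUSTED interface=bridge

# step 2: MAC Telnet and MAC WinBox answer only on TRUSTED interfaces
/tool mac-server
set allowed-interface-list=TRUSTED
/tool mac-server mac-winbox
set allowed-interface-list=TRUSTED

# step 3: admin devices go in an address list (constructed address)
/ip firewall address-list
add list=ADMIN address=192.168.88.10 comment="admin PC"

# Input rules are evaluated top to bottom and "add" appends to the end.
# On a router that already has input rules, use place-before so the accept
# sits above any broader drop rule.
/ip firewall filter
add chain=input action=accept protocol=tcp dst-port=8291 \
    in-interface-list=TRUSTED src-address-list=ADMIN \
    comment="WinBox: admin devices on TRUSTED interfaces only"
add chain=input action=drop protocol=tcp dst-port=8291 \
    comment="WinBox: everything else"

# Review the result before leaving safe mode
/interface list member print where list=TRUSTED
/tool mac-server mac-winbox print
/ip firewall filter print where chain=input
```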
 
rextended
Forum Guru
Posts: 11982
Joined: Tue Feb 25, 2014 12:49 pm
Location: Italy

Re: Cut Myself Off From WinBox Connection!

Mon Apr 04, 2022 8:57 pm

@anav, all is good, but not for beginners...
 
anav
Forum Guru
Posts: 19100
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Cut Myself Off From WinBox Connection!

Mon Apr 04, 2022 9:35 pm

That is why I have my off bridge article!!
viewtopic.php?t=181718
