mattiejshill
just joined
Topic Author
Posts: 6
Joined: Fri Apr 22, 2022 4:57 pm

Cannot access customer's routers through Winbox or SSH

Thu Jul 07, 2022 6:46 am

I work for an ISP where our customers' CPEs are all MikroTik routers. I have a problem where I cannot log into about 500 of the devices through Winbox or any other means like SSH, or Webfig, for that matter. I am able to access these routers through mac-telnet one at a time. But I need to be able to use SSH so I can update them all at once through a Python script. The problem seems to lie with the IP addresses that are allowed with the /ip service winbox/ssh/www etc. command.

This isn't a problem for most of our customers' CPEs because they have an updated IP service address list that includes more addresses. This list was created before I started working here and I am the only network engineer so I have no one to ask about it.

The odd thing is that the public IP I'm using is in the subnet of allowed addresses as seen by the "/ip service print" command. To figure out which IP addresses had to be included in the list I started adding addresses to a customer's router from the updated list one at a time and testing if I could Winbox in and found that I was able to only after adding a subnet that included the WAN IP address of the customer's router.

I am also pretty new to MikroTik. If anyone can tell me why this problem is occurring or has advice I would love to hear it.

Thanks.
 
Sob
Forum Guru
Posts: 9121
Joined: Mon Apr 20, 2009 9:11 pm

Re: Cannot access customer's routers through Winbox or SSH

Thu Jul 07, 2022 6:37 pm

So you're connecting from some address, but even when it's allowed, it doesn't work. And it does work only after you allow another subnet that your address is not part of? If that's the case, then it sounds like some unexpected srcnat on the way. You can confirm it by looking at the address in "/user active print".
 
mattiejshill
just joined
Topic Author
Posts: 6
Joined: Fri Apr 22, 2022 4:57 pm

Re: Cannot access customer's routers through Winbox or SSH  [SOLVED]

Thu Jul 07, 2022 7:49 pm

Thank you for responding.

I think you are right and I was actually able to solve the issue earlier.

I logged into a router I was trying to access with mac-telnet and checked the log. It showed that it blocked Winbox access from an IP address that was not my IP. Every router with the issue that I tried to access had the same log entry and was blocking the same IP address.

Apparently, the routing was going through a customer's router as the last hop before reaching the subnet in question and the address was being nat'd to an address that is not allowed. I had to fix the routing and it solved the problem!
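As an added example (not code from the thread), a small Python check that automates the diagnosis above: parse the `/ip service` allowed-address list from an export, pull the "denied ... connect from" source addresses out of the router log, and flag any denied address that is not the operator's own, which points at srcnat somewhere on the path. The export text and log lines are constructed samples using documentation address ranges, and the log message shape is an assumption modelled on RouterOS's denied-connect message.

```python
import ipaddress
import re

# Constructed sample of "/ip service" export output (documentation ranges only).
SERVICE_EXPORT = """\
/ip service
set ssh address=203.0.113.0/24,198.51.100.16/28
set winbox address=203.0.113.0/24,198.51.100.16/28
set www disabled=yes
"""

# Constructed log lines; the "denied <service> connect from <ip>" shape is assumed.
LOG_LINES = [
    "jul/07 06:40:12 system,error,critical denied winbox/dude connect from 192.0.2.77",
    "jul/07 06:41:03 system,error,critical denied ssh connect from 192.0.2.77",
    "jul/07 06:41:30 system,info,account user admin logged in from 203.0.113.9 via ssh",
]

SET_RE = re.compile(r"^set (\S+) .*?address=(\S+)")
DENY_RE = re.compile(r"denied (\w+)\S* connect from (\S+)")


def parse_service_allowlist(export_text):
    """Map service name -> allowed networks from '/ip service' export lines."""
    allow = {}
    for line in export_text.splitlines():
        m = SET_RE.match(line.strip())
        if m:
            nets = m.group(2).split(",")
            allow[m.group(1)] = [ipaddress.ip_network(n, strict=False) for n in nets]
    return allow


def find_denied_connects(log_lines, allow):
    """Return (service, source_ip, in_allowlist) for each denied connection."""
    found = []
    for line in log_lines:
        m = DENY_RE.search(line)
        if not m:
            continue
        service, src = m.groups()
        ip = ipaddress.ip_address(src)
        found.append((service, src, any(ip in n for n in allow.get(service, []))))
    return found


def suspect_srcnat(denied, my_ip):
    """Denied source addresses that differ from the address you connect from.
    If your own address is allowed but the router sees a different one, something
    on the path (here, a customer router doing masquerade) is rewriting the source."""
    return sorted({src for _, src, _ in denied if src != my_ip})
```

The denied address is what the router actually sees, so it is the one to compare against `/user active print` and the routing path, not the address you believe you are connecting from.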
 
kevinds
Long time Member
Posts: 650
Joined: Wed Jan 14, 2015 8:41 am

Re: Cannot access customer's routers through Winbox or SSH

Fri Jul 08, 2022 9:00 am

MAC-Telnet suggests you are on the same L2 network.. But what does 'one at a time' mean?

"This isn't a problem for most of our customer's CPEs because they have an updated IP service address list that includes more addresses."

This part suggests you are connecting using an IP address that isn't on the access list.

"To figure out which IP addresses had to be included in the list I started adding addresses to a customer's router from the updated list one at a time and testing if I could Winbox in and found that I was able to only after adding a subnet that included the WAN IP address of the customer's router."

Huh? How exactly are you using the MAC connection? What steps do you do, to connect?

"This list was created before I started working here and I am the only network engineer so I have no one to ask about it."

If you are the only network engineer, design and set it up as you think it should be. Some initial work may be required to accomplish the task, but it will only need to be done once..

There are 500 units you can't access in your normal way but "most" of the network is no problem... At minimum, most would be 501 units, so the company you work for has 1000+ customers and you are the only network engineer?
 
mattiejshill
just joined
Topic Author
Posts: 6
Joined: Fri Apr 22, 2022 4:57 pm

Re: Cannot access customer's routers through Winbox or SSH

Fri Jul 08, 2022 4:01 pm

"MAC-Telnet suggests you are on the same L2 network.. But what does 'one at a time' mean?"

I am able to mac-telnet into the customers' routers because our core router is on the same layer 2 network. I have to Winbox into the core router and then mac-telnet into the customers' routers from that router. "One at a time" means exactly what it implies: a tedious process where I have to manually type in MAC addresses and credentials to log in. Network automation is a good thing; you should look into it.

"This part suggests you are connecting using a IP address that isn't on the access list."

This is an incorrect assumption and I stated in my original post that my IP address IS in the access list. This is why I was confused as to why my connection was being refused. But as @Sob correctly ascertained, and I had already posted about before you decided to post your response, the issue was with address translation.

"Huh? How exactly are you using the MAC connection? What steps do you do, to connect?"

Winbox --> Tools --> Telnet --> MAC Telnet --> eureka!

"If you are the only network engineer, design and set it up as you think it should be. Some initial work may be required to accomplish the task, but it will only need to be done once.."

How exactly am I supposed to "design and set it up as I think it should be" if I can't access these routers? The whole point of this is so that I can access the routers and do so.

"There are 500 units you can't access in your normal way but "most" of the network is no problem... At minimum, most would be 501 units, so the company you work for has 1000+ customers and you are the only network engineer?"

Yes.
