densukke
just joined
Topic Author
Posts: 16
Joined: Sun Jun 05, 2022 4:11 pm

PRTG webserver behind MK  [SOLVED]

Thu Nov 24, 2022 2:40 pm

Hi!

Unfortunately, my brain just gave up on me, and I seek fresh brain cells to figure this one out. I've gone through several iterations of forum posts trying this one, but with no luck.

Simple setup: Win10 running PRTG - Switch - MK - ISP1
- ISP2 (Disabled currently due to degradation)

All I want is to make the webserver reachable remotely, to stop using a remote desktop utility to the Win10 machine for basic monitoring. That I should be able to do once I get the NAT part sorted out, and reach it from home.

thanks!!

# nov/24/2022 09:30:07 by RouterOS 6.49.7
# software id = B2RC-819H
#
# model = RB2011UiAS
# serial number = x
/caps-man configuration
add channel.band=2ghz-b/g/n channel.control-channel-width=20mhz country=\
    argentina datapath.client-to-client-forwarding=no \
    datapath.local-forwarding=yes distance=indoors guard-interval=any \
    keepalive-frames=enabled name=configuracion_barentz \
    security.authentication-types=wpa-psk,wpa2-psk security.encryption=\
    aes-ccm security.group-key-update=1d ssid=Barentz
add channel.band=5ghz-a/n/ac channel.control-channel-width=20mhz country=\
    argentina datapath.client-to-client-forwarding=no \
    datapath.local-forwarding=yes distance=indoors guard-interval=any \
    keepalive-frames=enabled name=configuration_barentz5 \
    security.authentication-types=wpa-psk,wpa2-psk security.encryption=\
    aes-ccm security.group-key-update=1d ssid=Barentz
/interface bridge
add admin-mac=11:22:33:AA:BB:CC auto-mac=no name=bridge1
/interface ethernet
set [ find default-name=ether1 ] comment="WAN1 - IPLAN" loop-protect=on \
    loop-protect-disable-time=1m
set [ find default-name=ether2 ] comment="WAN2 - FIBERCORP" loop-protect=on
set [ find default-name=ether3 ] comment="WAN1 - IPLAN BKP"
set [ find default-name=ether4 ] comment="WAN2 - FIBERCORP"
set [ find default-name=ether5 ] comment="LAN - switch Trunk to TPLINK" \
    loop-protect=on
/interface list
add name=WAN1
add name=LAN
add name=WAN2
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip pool
add name=dhcp_pool1 ranges=192.168.101.2-192.168.101.254
/ip dhcp-server
add add-arp=yes address-pool=dhcp_pool1 disabled=no interface=bridge1 \
    lease-time=1w name=dhcp1
/queue type
add kind=pcq name=DOWN pcq-classifier=dst-address
add kind=pcq name=UP pcq-classifier=src-address
/queue tree
add name="WAN1 DOWN" parent=global queue=default
add name="WAN1 UP" parent=ether1 queue=default
add name="WAN1 - WEB - rx" packet-mark=web-wan1 parent="WAN1 DOWN" priority=3 \
    queue=DOWN
add name="WAN1 - WEB- tx" packet-mark=web parent="WAN1 UP" priority=3 queue=\
    UP
add name="WAN1 - DNS - rx" packet-mark=dns-wan1 parent="WAN1 DOWN" priority=2 \
    queue=DOWN
add name="WAN1 - DNS - tx" packet-mark=dns parent="WAN1 UP" priority=2 queue=\
    UP
add name="WAN1 - ICMP -rx" packet-mark=icmp-wan1 parent="WAN1 DOWN" priority=\
    1 queue=DOWN
add name="WAN1 - ICMP - tx" packet-mark=icmp parent="WAN1 UP" priority=1 \
    queue=UP
add name="WAN1 - QUIC - rx" packet-mark=quic-wan1 parent="WAN1 DOWN" \
    priority=5 queue=DOWN
add name="WAN1 - QUIC -tx" packet-mark=quic parent="WAN1 UP" priority=5 \
    queue=UP
add name="WAN2 DOWN" parent=global queue=default
add name="WAN2 UP" parent=ether2 queue=default
add name="WAN2- DNS - rx" packet-mark=dns-wan2 parent="WAN2 DOWN" priority=2 \
    queue=DOWN
add name="WAN2 - DNS -tx" packet-mark=dns parent="WAN2 UP" priority=2 queue=\
    UP
add name="WAN2 - ICMP - rx" packet-mark=icmp-wan2 parent="WAN2 DOWN" \
    priority=1 queue=DOWN
add name="WAN2 - ICMP -tx" packet-mark=icmp parent="WAN2 UP" priority=1 \
    queue=UP
add name="WAN2 - QUIC - rx" packet-mark=quic-wan2 parent="WAN2 DOWN" \
    priority=5 queue=DOWN
add name="WAN1 - QUIC - tx" packet-mark=quic parent="WAN2 UP" priority=5 \
    queue=UP
add name="WAN2 - RESTO - rx" packet-mark=resto-wan2 parent="WAN2 DOWN" queue=\
    DOWN
add name="WAN2 - RESTO - tx" packet-mark=resto parent="WAN2 UP" queue=UP
add name="WAN2 - WEB - rx" packet-mark=web-wan2 parent="WAN2 DOWN" priority=3 \
    queue=DOWN
add name="WAN2 - WEB - tx" packet-mark=web parent="WAN2 UP" priority=3 queue=\
    UP
add name="WAN1 - Resto -rx" packet-mark=resto-wan1 parent="WAN1 DOWN" queue=\
    DOWN
add name="WAN1 - Resto - tx" packet-mark=resto parent="WAN1 UP" queue=UP
/caps-man access-list
add action=reject allow-signal-out-of-range=10s disabled=no mac-address=\
    C2:42:26:B0:48:0D ssid-regexp=""
/caps-man manager
set enabled=yes
/caps-man manager interface
set [ find default=yes ] forbid=yes
add disabled=no interface=bridge1
/caps-man provisioning
add action=create-dynamic-enabled comment=2.4 hw-supported-modes=gn \
    master-configuration=configuracion_barentz
add action=create-dynamic-enabled comment=5 hw-supported-modes=ac \
    master-configuration=configuration_barentz5
/interface bridge port
add bridge=bridge1 interface=ether5
add bridge=bridge1 interface=ether6
add bridge=bridge1 interface=ether7
add bridge=bridge1 interface=ether8
add bridge=bridge1 interface=ether9
add bridge=bridge1 interface=ether10
add bridge=bridge1 interface=ether3
add bridge=bridge1 interface=ether4
/ip neighbor discovery-settings
set discover-interface-list=all
/interface detect-internet
set detect-interface-list=all wan-interface-list=all
/interface list member
add interface=bridge1 list=LAN
add interface=ether1 list=WAN1
add interface=ether2 list=WAN2
/ip address
add address=192.168.101.1/24 comment="LAN SUBNET" interface=bridge1 network=\
    192.168.101.0
add address=x.x.210.151/24 comment="IPLAN STATIC IP" interface=ether1 \
    network=x.x.210.0
add address=x.x.190.35/24 comment="FIBERCORP STATIC IP" interface=ether2 \
    network=x.x.190.0
/ip arp
add address=192.168.101.248 interface=bridge1 mac-address=18:FD:74:7C:49:60
/ip cloud
set ddns-enabled=yes ddns-update-interval=1m
/ip dhcp-server lease
add address=192.168.101.249 client-id=1:dc:2c:6e:64:a0:54 lease-time=58w6d12h \
    mac-address=DC:2C:6E:64:A0:54 server=dhcp1
add address=192.168.101.247 client-id=1:14:eb:b6:ce:de:ff mac-address=\
    14:EB:B6:CE:DE:FF server=dhcp1
add address=192.168.101.248 client-id=1:dc:2c:6e:64:9f:32 lease-time=58w6d12h \
    mac-address=DC:2C:6E:64:9F:32 server=dhcp1
add address=192.168.101.253 client-id=1:48:5b:39:a3:ed:a3 mac-address=\
    48:5B:39:A3:ED:A3 server=dhcp1
add address=192.168.101.246 lease-time=58w6d12h mac-address=DC:2C:6E:64:9E:27 \
    server=dhcp1
add address=192.168.101.250 lease-time=58w6d12h mac-address=DC:2C:6E:64:9F:57 \
    server=dhcp1
/ip dhcp-server network
add address=192.168.101.0/24 dns-server=8.8.8.8,8.8.4.4 gateway=192.168.101.1
/ip dns
set allow-remote-requests=yes max-concurrent-queries=500 \
    max-concurrent-tcp-sessions=100 max-udp-packet-size=512 \
    query-server-timeout=1s servers=1.1.1.1,208.67.222.222
/ip firewall address-list
add address=192.168.101.0/24 list=LocalLan
add address=x.x.210.0/24 list=SubnetWAN1
add address=x.x.28.0/24 list=SubnetWAN2
add address=cloud.mikrotik.com list=Cloud
add address=cloud2.mikrotik.com list=Cloud2
/ip firewall filter
add action=accept chain=input comment="Clound MK" dst-port=8291 protocol=tcp
add action=accept chain=input comment="Alow access Router from LAN" \
    src-address-list=LocalLan
add action=drop chain=forward comment="drop invalid" connection-state=invalid
add action=accept chain=forward comment="allow conn from LAN" \
    connection-state=new in-interface=bridge1
add action=accept chain=forward comment="allow established" connection-state=\
    established
add action=accept chain=forward comment="allow related" connection-state=\
    related
add action=drop chain=forward comment="drop all fwd"
add action=accept chain=input comment="allow established to router" \
    connection-state=established
add action=accept chain=input comment="allow related to router" \
    connection-state=related
add action=drop chain=input comment="Dropp all to router"
/ip firewall mangle
add action=mark-connection chain=prerouting comment="Mark Routing  - WAN1" \
    disabled=yes in-interface=ether1 new-connection-mark=isp1 passthrough=yes
add action=mark-routing chain=prerouting connection-mark=isp1 disabled=yes \
    new-routing-mark=isp_1 passthrough=no
add action=mark-connection chain=prerouting comment="Mark Routing - WAN2" \
    disabled=yes in-interface=ether2 new-connection-mark=isp2 passthrough=yes
add action=mark-routing chain=prerouting connection-mark=isp2 disabled=yes \
    new-routing-mark=isp_2 passthrough=no
add action=mark-connection chain=prerouting comment="Mark WEB" \
    new-connection-mark=web port=80,443 protocol=tcp
add action=mark-packet chain=prerouting connection-mark=web in-interface=\
    ether1 new-packet-mark=web-wan1 passthrough=no
add action=mark-packet chain=prerouting connection-mark=web in-interface=\
    ether2 new-packet-mark=web-wan2 passthrough=no
add action=mark-packet chain=prerouting connection-mark=web new-packet-mark=\
    web passthrough=no
add action=mark-connection chain=prerouting comment="Mark DNS" \
    new-connection-mark=dns port=53 protocol=udp
add action=mark-connection chain=prerouting new-connection-mark=dns port=53 \
    protocol=tcp
add action=mark-packet chain=prerouting connection-mark=dns in-interface=\
    ether1 new-packet-mark=dns-wan1 passthrough=no
add action=mark-packet chain=prerouting connection-mark=dns in-interface=\
    ether2 new-packet-mark=dns-wan2 passthrough=no
add action=mark-packet chain=prerouting connection-mark=dns new-packet-mark=\
    dns passthrough=no
add action=mark-connection chain=prerouting comment="Mark ICMP" \
    new-connection-mark=icmp protocol=icmp
add action=mark-packet chain=prerouting connection-mark=icmp in-interface=\
    ether1 new-packet-mark=icmp-wan1 passthrough=no protocol=icmp
add action=mark-packet chain=prerouting connection-mark=icmp in-interface=\
    ether2 new-packet-mark=icmp-wan2 passthrough=no protocol=icmp
add action=mark-packet chain=prerouting connection-mark=icmp new-packet-mark=\
    icmp passthrough=no protocol=icmp
add action=mark-connection chain=prerouting comment="Mark QUIC" \
    new-connection-mark=quic port=443 protocol=udp
add action=mark-packet chain=prerouting connection-mark=quic in-interface=\
    ether1 new-packet-mark=quic-wan1 passthrough=no protocol=udp
add action=mark-packet chain=prerouting connection-mark=quic in-interface=\
    ether2 new-packet-mark=quic-wan2 passthrough=no protocol=udp
add action=mark-packet chain=prerouting connection-mark=quic new-packet-mark=\
    quic passthrough=no protocol=udp
add action=mark-connection chain=prerouting comment="Mark RESTO" \
    new-connection-mark=resto
add action=mark-packet chain=prerouting connection-mark=resto in-interface=\
    ether1 new-packet-mark=resto-wan1 passthrough=no
add action=mark-packet chain=prerouting connection-mark=resto in-interface=\
    ether2 new-packet-mark=resto-wan2 passthrough=no
add action=mark-packet chain=prerouting connection-mark=resto \
    new-packet-mark=resto passthrough=no
/ip firewall nat
add action=masquerade chain=srcnat comment="Masquerade - WAN1" out-interface=\
    ether1 src-address-type=""
add action=masquerade chain=srcnat comment="Masquerade - WAN2" out-interface=\
    ether2
add action=masquerade chain=srcnat dst-address=192.168.101.0/24 src-address=\
    192.168.101.0/24 to-addresses=192.168.101.253
add action=src-nat chain=srcnat out-interface-list=WAN1 to-addresses=\
    x.x.210.151
add action=dst-nat chain=dstnat dst-address=x.x.210.151 dst-port=8445 \
    protocol=tcp to-addresses=192.168.101.253
/ip route
add check-gateway=ping comment="RPD - IPLAN a OPENDNS" distance=1 gateway=\
    208.67.222.222
add check-gateway=ping comment="RPD - FIBERCORP a SL" disabled=yes distance=2 \
    gateway=1.1.1.1
add comment="Monitor - FCORP->SOFTLAYER" disabled=yes distance=1 dst-address=\
    1.1.1.1/32 gateway=x.x.190.1 scope=10
add comment="Monitor - IPLAN->OPENDNS" distance=1 dst-address=\
    208.67.222.222/32 gateway=x.x.210.1 scope=10
/lcd
set default-screen=informative-slideshow
/snmp
set enabled=yes trap-generators=interfaces
/system clock
set time-zone-name=America/Argentina/Buenos_Aires
/system identity
set name=Barentz
/system logging
Last edited by densukke on Thu Nov 24, 2022 3:22 pm, edited 1 time in total.
 
tdw
Forum Guru
Posts: 1843
Joined: Sat May 05, 2018 11:55 am

Re: PRTG webserver behind MK

Thu Nov 24, 2022 3:17 pm

Your firewall rules will drop any new incoming connections other than those from the local LAN; you need to permit connections from the WAN(s) where connection-nat-state=dstnat in addition to the dstnat rule.

The firewall rules are less than optimal; ideally they should be ordered so the most frequently used ones (e.g. established, related, untracked) are hit first, unless you specifically want to count packets in other rules which would be handled by these.

Having the Winbox service open to the world is not recommended, as there have been bugs in earlier firmware versions allowing remote unauthenticated access, permitting devices to be infected with various malware; using a whitelist or VPN provides some protection against this.

I'm not sure why you have obfuscated the public IP address in the dstnat rule, as you have left it fully visible elsewhere in the configuration, e.g. in /ip address; you may wish to edit your post.
 
densukke
just joined
Topic Author
Posts: 16
Joined: Sun Jun 05, 2022 4:11 pm

Re: PRTG webserver behind MK

Thu Nov 24, 2022 3:42 pm

Many thanks tdw! I was in fact multitasking while I went through the extract, and completely missed that part, which is now corrected.

2 questions:

1.- Disabling the Winbox service, does that disable remote access to the box? I don't want to be locked out, since I'm literally an ocean away from the physical box.
2.- Would this kind of rule work? (Just tried it and got no hits on the rule.)

/ip firewall filter
add chain=input action=accept dst-port=8445 protocol=tcp

thanks!
 
tdw
Forum Guru
Posts: 1843
Joined: Sat May 05, 2018 11:55 am

Re: PRTG webserver behind MK

Thu Nov 24, 2022 4:34 pm

Disabling Winbox completely would remove remote access. Rather than leaving it accessible to the entire internet, it is good practice to restrict access to a set of known addresses and/or set up a VPN server on the Mikrotik, so a VPN connection has to be established before a Winbox session can be started.

You are using the wrong chain; it should be forward, as the traffic is passing through the Mikrotik, not input, which is for traffic to the Mikrotik itself.
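A complete filter set that applies tdw's three points (fast-path rules first, the port-forward accepted in the forward chain only where dst-nat actually happened, Winbox limited to a whitelist), as an added example written for this thread and not taken from any post. It reuses bridge1, the WAN1 interface list, the LocalLan address list, the PRTG host 192.168.101.253 and tcp/8445 from the export above; the MgmtAllowed list and its 203.0.113.10 entry are placeholders to replace with your own address.

```routeros
# Added example for this thread, not from any post. Assumes the names from the
# export above (bridge1, WAN1 list, LocalLan list, PRTG host 192.168.101.253 on
# tcp/8445). MgmtAllowed and 203.0.113.10 are placeholders.
/ip firewall address-list
add list=MgmtAllowed address=203.0.113.10 comment="placeholder: replace with your home IP"

/ip firewall filter
# --- input chain: traffic to the router itself ---
add chain=input action=accept connection-state=established,related,untracked \
    comment="input: fast-path for existing connections"
add chain=input action=drop connection-state=invalid comment="input: drop invalid"
add chain=input action=accept src-address-list=LocalLan comment="input: LAN to router"
add chain=input action=accept protocol=tcp dst-port=8291 in-interface-list=WAN1 \
    src-address-list=MgmtAllowed comment="input: Winbox only from whitelist"
add chain=input action=drop comment="input: drop everything else"

# --- forward chain: traffic passing through the router ---
add chain=forward action=accept connection-state=established,related,untracked \
    comment="forward: fast-path for existing connections"
add chain=forward action=drop connection-state=invalid comment="forward: drop invalid"
add chain=forward action=accept connection-state=new in-interface=bridge1 \
    comment="forward: LAN outbound"
# The port-forward: only new connections that dst-nat rewrote, only arriving on
# the WAN, only to the PRTG host/port. The port stays 8445 after translation
# because the dstnat rule in the export has no to-ports.
add chain=forward action=accept connection-state=new connection-nat-state=dstnat \
    in-interface-list=WAN1 protocol=tcp dst-address=192.168.101.253 dst-port=8445 \
    comment="forward: port-forwarded PRTG web UI"
add chain=forward action=drop comment="forward: drop everything else"

# Verify: this rule's packet counter should increase when you connect from outside.
/ip firewall filter print stats where comment~"PRTG"
```

Apply the input-chain changes inside a safe-mode session (Ctrl+X in the terminal) so a mistake is rolled back automatically instead of locking you out of a box an ocean away.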
 
densukke
just joined
Topic Author
Posts: 16
Joined: Sun Jun 05, 2022 4:11 pm

Re: PRTG webserver behind MK

Thu Nov 24, 2022 5:17 pm

Many thanks for the help, the chain was the solution, and I'm already looking into a VPN setup to avoid leaving this open.

thanks!!
