ockac23
just joined
Topic Author
Posts: 19
Joined: Mon Sep 20, 2021 10:58 am

port forward for remote web access to WebFig

Thu Dec 29, 2022 4:11 pm

Hi folks,

What should the NAT rule for a port forward look like when I want to access the router's WebFig from the WAN, but using e.g. 65000 as the destination port (instead of 80), and then the rule should forward it to 80?
 
rextended
Forum Guru
Posts: 12001
Joined: Tue Feb 25, 2014 12:49 pm
Location: Italy

Re: port forward for remote web access to WebFig

Thu Dec 29, 2022 4:17 pm

Simply change the web port on ip/services from 80 to 65000,
but it is better that you access the config panel with a VPN...

A simple port scan detects web services on port 65000...
 
ockac23
just joined
Topic Author
Posts: 19
Joined: Mon Sep 20, 2021 10:58 am

Re: port forward for remote web access to WebFig

Thu Dec 29, 2022 4:25 pm

> Simply change the web port on ip/services from 80 to 65000,
> but it is better that you access the config panel with a VPN...
>
> A simple port scan detects web services on port 65000...

Yes, I usually use a VPN for that.
But I was just curious whether it is possible to somehow forward the port instead of changing the ip/services setting.
 
rextended
Forum Guru
Posts: 12001
Joined: Tue Feb 25, 2014 12:49 pm
Location: Italy

Re: port forward for remote web access to WebFig

Thu Dec 29, 2022 5:45 pm

Yes, it is possible, just for a test...
/ip firewall nat add action=dst-nat chain=dstnat dst-address=<WAN PUBLIC IP> dst-port=65000 protocol=tcp to-ports=80

Depending on how your firewall is configured, you must also set:
/ip firewall filter add action=accept chain=input dst-address=<WAN PUBLIC IP> dst-port=65000 protocol=tcp
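The rule pair above, as an added example that is not from the thread: in RouterOS dst-nat is applied in prerouting, before the filter input chain, so an input rule matching dst-port=65000 never sees the forwarded packet (its destination port is already 80 by then) and the packet falls through to the default "drop all not coming from LAN" rule. The WAN interface list name, the management address list and its IP are assumptions.

```routeros
# Added example, not from the thread. Assumes the WAN uplink is in the
# interface list "WAN" and the default firewall's final input rule
# "defconf: drop all not coming from LAN" is present.
/ip firewall nat
add chain=dstnat in-interface-list=WAN protocol=tcp dst-port=65000 \
    action=dst-nat to-ports=80 comment="WebFig test: 65000 -> 80"

# dst-nat runs in prerouting, so the input chain sees dst-port=80, not 65000.
# Match the translated port together with connection-nat-state=dstnat,
# limit the source to a management address list (constructed IP below),
# and place the rule before the final drop.
/ip firewall address-list
add list=mgmt-allowed address=203.0.113.10 comment="constructed example IP"
/ip firewall filter
add chain=input in-interface-list=WAN protocol=tcp dst-port=80 \
    connection-nat-state=dstnat src-address-list=mgmt-allowed action=accept \
    comment="WebFig via 65000 (post-NAT port is 80)" \
    place-before=[find comment="defconf: drop all not coming from LAN"]
```

Without the src-address-list restriction the same rule exposes WebFig to every host that finds port 65000 with a port scan, which is why the thread recommends a VPN instead.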
 
gotsprings
Forum Guru
Posts: 2115
Joined: Mon May 14, 2012 9:30 pm

Re: port forward for remote web access to WebFig

Thu Dec 29, 2022 6:50 pm

I prefer
/ip firewall filter
add action=accept chain=forward connection-nat-state=dstnat
 
pe1chl
Forum Guru
Posts: 10216
Joined: Mon Jun 08, 2015 12:09 pm

Re: port forward for remote web access to WebFig

Thu Dec 29, 2022 6:59 pm

The actual default firewall setup already has a rule like that. So you only need to specify incoming port mappings.
However, likely those people who think it is a good idea to allow admin access from outside already have butchered the default firewall beyond recognition...
 
ockac23
just joined
Topic Author
Posts: 19
Joined: Mon Sep 20, 2021 10:58 am

Re: port forward for remote web access to WebFig

Thu Dec 29, 2022 10:08 pm

> Yes, it is possible, just for a test...
> /ip firewall nat add action=dst-nat chain=dstnat dst-address=<WAN PUBLIC IP> dst-port=65000 protocol=tcp to-ports=80
>
> Depending on how your firewall is configured, you must also set:
> /ip firewall filter add action=accept chain=input dst-address=<WAN PUBLIC IP> dst-port=65000 protocol=tcp

Well, thanks, but I did exactly those steps a few days ago, and it is not working.... no idea why, so far. :-(

@pe1chl: And again, this is not my preferred way to access the router remotely; I am just checking it for test purposes.
Last edited by ockac23 on Fri Dec 30, 2022 12:30 am, edited 1 time in total.
 
anav
Forum Guru
Posts: 19321
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: port forward for remote web access to WebFig

Thu Dec 29, 2022 10:30 pm

Not sure what you mean. I don't access the router via port forwarding and WinBox, nor should you using webconfig. Use a VPN, then access the router.
 
ockac23
just joined
Topic Author
Posts: 19
Joined: Mon Sep 20, 2021 10:58 am

Re: port forward for remote web access to WebFig

Thu Dec 29, 2022 10:39 pm

> Not sure what you mean. I don't access the router via port forwarding and WinBox, nor should you using webconfig. Use a VPN, then access the router.

I've said before that I basically use a VPN, but I guess there's no harm in trying out a few things for learning purposes, out of interest in RouterOS.
 
gotsprings
Forum Guru
Posts: 2115
Joined: Mon May 14, 2012 9:30 pm

Re: port forward for remote web access to WebFig

Fri Dec 30, 2022 2:49 am

Like pouring sand in the Vaseline.
 
ockac23
just joined
Topic Author
Posts: 19
Joined: Mon Sep 20, 2021 10:58 am

Re: port forward for remote web access to WebFig

Fri Dec 30, 2022 10:43 am

However, the suggested solution is not working...
 
rextended
Forum Guru
Posts: 12001
Joined: Tue Feb 25, 2014 12:49 pm
Location: Italy

Re: port forward for remote web access to WebFig

Fri Dec 30, 2022 11:20 am

> Depending on how your firewall is configured, you must also set:

Show all your exported config, without omitting anything, and censor, but do not delete, the private data with ***, like serial numbers, emails and public IPs.
 
ockac23
just joined
Topic Author
Posts: 19
Joined: Mon Sep 20, 2021 10:58 am

Re: port forward for remote web access to WebFig

Fri Dec 30, 2022 12:31 pm

> Depending on how your firewall is configured, you must also set:
>
> Show all your exported config, without omitting anything, and censor, but do not delete, the private data with ***, like serial numbers, emails and public IPs.

I exported the config and hid the private data with ****.
Should I paste it here as text or attach it somewhere as a file?
 
rextended
Forum Guru
Posts: 12001
Joined: Tue Feb 25, 2014 12:49 pm
Location: Italy

Re: port forward for remote web access to WebFig

Fri Dec 30, 2022 12:53 pm

Paste the text on the forum between
[code]your export here[/code]
blocks.
 
ockac23
just joined
Topic Author
Posts: 19
Joined: Mon Sep 20, 2021 10:58 am

Re: port forward for remote web access to WebFig

Fri Dec 30, 2022 1:12 pm

# dec/30/2022 12:58:47 by RouterOS 6.49.7
# software id = ************
#
# model = RB962UiGS-5HacT2HnT
# serial number = *************
/interface bridge
add admin-mac=XX:xx:XX:XX:XX:XX auto-mac=no comment=defconf name=bridge
/interface wireless
set [ find default-name=wlan1 ] band=2ghz-b/g/n channel-width=20/40mhz-XX \
    country= disabled=no distance=indoors frequency=auto \
    installation=indoor mode=ap-bridge ssid=MyNet station-roaming=enabled \
    wireless-protocol=802.11
set [ find default-name=wlan2 ] band=5ghz-a/n/ac channel-width=\
    20/40/80mhz-XXXX country= disabled=no distance=indoors frequency=\
    auto installation=indoor mode=ap-bridge ssid=MyNet station-roaming=\
    enabled wireless-protocol=802.11
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface lte apn
set [ find default=yes ] apn=internet.viva
/interface wireless security-profiles
set [ find default=yes ] authentication-types=wpa-psk,wpa2-psk mode=\
    dynamic-keys supplicant-identity=MikroTik wpa-pre-shared-key=******* \
    wpa2-pre-shared-key=*******
/ip kid-control
add fri=0s-1d mon=0s-1d name=system-dummy sat=0s-1d sun=0s-1d thu=0s-1d tue=\
    0s-1d tur-fri=0s-1d tur-mon=0s-1d tur-sat=0s-1d tur-sun=0s-1d tur-thu=\
    0s-1d tur-tue=0s-1d tur-wed=0s-1d wed=0s-1d
/ip pool
add name=dhcp ranges=192.168.0.100-192.168.0.150
add name=vpn ranges=192.168.89.2-192.168.89.255
/ip dhcp-server
add address-pool=dhcp disabled=no interface=bridge name=defconf
/ppp profile
set *FFFFFFFE dns-server=192.168.0.1 local-address=192.168.89.1 \
    remote-address=
/user group
set full policy="local,telnet,ssh,ftp,reboot,read,write,policy,test,winbox,pas\
    sword,web,sniff,sensitive,api,romon,dude,tikapp"
/interface bridge port
add bridge=bridge comment=defconf interface=ether2
add bridge=bridge comment=defconf interface=ether3
add bridge=bridge comment=defconf interface=ether4
add bridge=bridge comment=defconf interface=ether5
add bridge=bridge comment=defconf interface=sfp1
add bridge=bridge comment=defconf interface=wlan1
add bridge=bridge comment=defconf interface=wlan2
/ip neighbor discovery-settings
set discover-interface-list=LAN
/interface l2tp-server server
set enabled=yes ipsec-secret=*********** use-ipsec=yes
/interface list member
add comment=defconf interface=bridge list=LAN
add interface=ether1 list=WAN
/interface pptp-server server
set enabled=yes
/interface sstp-server server
set default-profile=default-encryption enabled=yes
/ip address
add address=192.168.0.1/24 comment=defconf interface=bridge network=\
    192.168.0.0
/ip cloud
set ddns-enabled=yes
/ip dhcp-client
add comment=defconf disabled=no interface=ether1
add disabled=no
/ip dhcp-server network
add address=192.168.0.0/24 comment=defconf gateway=192.168.0.1 netmask=24
/ip dns
set allow-remote-requests=yes
/ip dns static
add address=192.168.0.1 comment=defconf name=router.lan
/ip firewall filter
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=accept chain=input comment=WinBox dst-port=8291 protocol=tcp
add action=accept chain=input comment=\
    "GUI: accept new,established,related,untracked" connection-state=\
    established,related,new,untracked dst-address=XX.XX.XX.XX dst-port=65000 \
    protocol=tcp
add action=accept chain=input comment=\
    "SSH: accept new,established,related,untracked" connection-state=\
    established,related,new,untracked disabled=yes dst-address=XX.XX.XX.XX \
    dst-port=22 protocol=tcp
add action=drop chain=forward comment=\
    "defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
    connection-state=new in-interface-list=WAN
add action=accept chain=input comment="allow IPsec NAT" dst-port=4500 \
    protocol=udp
add action=accept chain=input comment="allow IKE" dst-port=500 protocol=udp
add action=accept chain=input comment="allow l2tp" dst-port=1701 protocol=udp
add action=accept chain=input comment="allow pptp" dst-port=1723 protocol=tcp
add action=accept chain=input comment="allow sstp" dst-port=443 protocol=tcp
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment=\
    "defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
    in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
    ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
    ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
    connection-state=established,related
add action=accept chain=forward comment=\
    "defconf: accept established,related, untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" \
    ipsec-policy=out,none out-interface-list=WAN
add action=masquerade chain=srcnat comment="defconf: masquerade Hairpin NAT" \
    dst-address=192.168.0.0/24 src-address=192.168.0.0/24
add action=dst-nat chain=dstnat comment=www dst-address=XX.XX.XX.XX \
    dst-port=65000 protocol=tcp to-ports=80
add action=masquerade chain=srcnat comment="masq. vpn traffic" src-address=\
    192.168.89.0/24
/ip service
set telnet disabled=yes
set ftp disabled=yes
set ssh disabled=yes
/ip ssh
set allow-none-crypto=yes always-allow-password-login=yes forwarding-enabled=\
    both
/ppp secret
add name=*** password=
/system clock
set time-zone-name=Europe
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN

Last edited by ockac23 on Fri Dec 30, 2022 3:05 pm, edited 3 times in total.
 
ockac23
just joined
Topic Author
Posts: 19
Joined: Mon Sep 20, 2021 10:58 am

Re: port forward for remote web access to WebFig

Fri Dec 30, 2022 1:13 pm

.....
Last edited by ockac23 on Fri Dec 30, 2022 1:24 pm, edited 3 times in total.
 
rextended
Forum Guru
Posts: 12001
Joined: Tue Feb 25, 2014 12:49 pm
Location: Italy

Re: port forward for remote web access to WebFig

Fri Dec 30, 2022 1:16 pm

...
Last edited by rextended on Fri Dec 30, 2022 1:25 pm, edited 1 time in total.
 
ockac23
just joined
Topic Author
Posts: 19
Joined: Mon Sep 20, 2021 10:58 am

Re: port forward for remote web access to WebFig

Fri Dec 30, 2022 1:22 pm

.....
 
ockac23
just joined
Topic Author
Posts: 19
Joined: Mon Sep 20, 2021 10:58 am

Re: port forward for remote web access to WebFig

Fri Dec 30, 2022 1:23 pm

....
 
rextended
Forum Guru
Posts: 12001
Joined: Tue Feb 25, 2014 12:49 pm
Location: Italy

Re: port forward for remote web access to WebFig

Fri Dec 30, 2022 1:24 pm

I haven't noticed anything strange in the rules,
except the useless addon "connection-state=established,related,new,untracked"
 
ockac23
just joined
Topic Author
Posts: 19
Joined: Mon Sep 20, 2021 10:58 am

Re: port forward for remote web access to WebFig

Fri Dec 30, 2022 1:47 pm

Yes, strange thing, but the forward 65000->80 as mentioned above is not working.

And regarding the addon in rule 3 "connection-state=established,related,new,untracked", should I delete connection-state?
 
rextended
Forum Guru
Posts: 12001
Joined: Tue Feb 25, 2014 12:49 pm
Location: Italy

Re: port forward for remote web access to WebFig

Fri Dec 30, 2022 1:48 pm

> the useless addon

¯\_(ツ)_/¯
 
anav
Forum Guru
Posts: 19321
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: port forward for remote web access to WebFig

Fri Dec 30, 2022 7:59 pm

> Like pouring sand in the Vaseline.

Luv it........
