pimseb
just joined
Topic Author
Posts: 3
Joined: Wed Apr 10, 2019 9:38 pm

Access to webfig not working

Fri Apr 12, 2019 9:18 am

Hello,
I have a newbie question. I own a MikroTik hAP ac2.
When I use it for the very first time, I'm able to connect to the web interface by entering http://192.168.88.1 in my browser.
At this point I only change some settings on the quick setup page. I put the router into bridge mode, enter the gateway and DNS address of my main router (192.168.1.254) and click on apply.
After this I'm unable to reach the MikroTik web interface anymore. The MikroTik now has IP 192.168.1.252 (I also see it on the main router) but http://192.168.1.252 doesn't work.
I've changed the web settings in ip>service to allow local LAN 192.168.1.0/24 but with no luck.
The only way to access the MikroTik settings is using WinBox with the MAC address.
How can I enable WebFig in my local LAN?
Thank you for helping out
 
harvey
Member Candidate
Posts: 130
Joined: Thu Apr 05, 2012 8:16 pm

Re: Access to webfig not working

Sat Apr 13, 2019 1:30 am

Can you post the output of:-
/ip firewall export


You may need to obscure any private details such as public IP addresses if needed.
 
GeorgeAA
just joined
Posts: 2
Joined: Sat Apr 27, 2019 5:54 pm

Re: Access to webfig not working

Sun Apr 28, 2019 12:31 am

I am new to Mikrotik, so I can't tell which RouterOS version introduced this issue, but I can tell what is causing it and how to resolve it. I am running a hAp ac^2 with RouterOS v6.43.10.
I believe the Quick Set WISP AP (and probably the Home AP as well) Bridge mode sets a few configuration items incorrectly. One of them is making the WebFig interface inaccessible.
The firewall rule #4 "defconf:drop all not coming from LAN" drops our WebFig packets because the bridge interface is not on the LAN interface list.
You can resolve this by either:
1. adding the bridge interface to the LAN list (RECOMMENDED):
Interfaces->Interface List tab->Add New: List=LAN, Interface=bridge, Enabled=True ->OK
2. Disabling the firewall rule, which drops our WebFig packages:
IP->Firewall: Press disable on rule #4 (drop all not coming from LAN)

Solution #1 seems right to me, as it corrects the root cause. However, #2 might be OK to do as well, as I believe there is no reason to have firewall rules at all in bridge mode whatsoever. (Though I am interested in any reasoning which proves otherwise.)

I also find other Quick Set "bridge" mode settings quite strange or erroneous. A bridge is essentially a switch. Yet, there is
1. a configured DHCP server, (a switch does not need a DNS server)
2. The DHCP server is configured with a strange IP pool (it may be in conflict with the IP pool of the master DHCP server probably running in our router)
3. A firewall is configured with many rules (a switch does not need a firewall) (?)
4. A static DNS server is configured (a switch does not need a DNS server)
5. The ether1 interface is configured for WAN (a bridge does not need a WAN port and it's a waste of one ethernet port)
 
banjopicker
just joined
Posts: 6
Joined: Mon Sep 29, 2014 8:50 pm

Re: Access to webfig not working

Sat Sep 14, 2019 10:38 pm

Thank you George, this was driving me nuts. I had used quickset to set up a wireless bridge with a Mini Hap and I could never get back into the settings using the IP. Adding the bridge to the interface list did the trick.
 
pimseb
just joined
Topic Author
Posts: 3
Joined: Wed Apr 10, 2019 9:38 pm

Re: Access to webfig not working

Sun Sep 15, 2019 7:28 pm

Thank you. I disabled the IP->Firewall rule #4.
In fact I found it out some days after my post but forgot to write it here. This rule shouldn't be enabled by default by MikroTik in my opinion.
 
tvhung83
just joined
Posts: 1
Joined: Thu Nov 28, 2019 11:38 am

Re: Access to webfig not working

Thu Nov 28, 2019 1:12 pm

Thank you, George, you saved my day!
 
misko903
just joined
Posts: 1
Joined: Tue Sep 21, 2021 3:26 pm

Re: Access to webfig not working

Wed Sep 22, 2021 1:22 pm

YES!
You solved my long-term troubles! THANK YOU!
 
EEAA
just joined
Posts: 3
Joined: Sun Oct 17, 2021 6:51 am

Re: Access to webfig not working

Tue Oct 19, 2021 6:47 am

Adding another robust THANK YOU here. This firewall rule was the cause of me banging my head against the wall for many hours in the past few days.
 
anav
Forum Guru
Posts: 12016
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Access to webfig not working

Tue Oct 19, 2021 2:20 pm

Update your firmware to the latest long version at least.
I'd rather manage rats than software. Follow my advice at your own risk! (Sob & mkx forced me to write that!)
MTUNA Certified, by the Ascerbic Llama!
 
MikroDave
just joined
Posts: 1
Joined: Thu Nov 04, 2021 7:10 am

Re: Access to webfig not working

Thu Nov 04, 2021 7:13 am

Hey guys, I've updated the firewall settings, but can't seem to figure out how to add the bridge interface to the LAN list from the terminal. Here's my settings dump in case it helps.

I really appreciate your time and help here!
[admin@EntryRouter] /ip firewall> export
# nov/03/2021 22:11:08 by RouterOS 6.49
# software id = 1EIH-CITT
#
# model = RB750Gr3
/ip firewall filter
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=drop chain=input comment="defconf: drop all not coming from LAN" disabled=yes in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related
add action=accept chain=forward comment="defconf: accept established,related, untracked" connection-state=established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
add action=drop chain=forward comment="defconf:  drop all from WAN not DSTNATed" connection-nat-state=!dstnat connection-state=new in-interface-list=WAN
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" ipsec-policy=out,none out-interface-list=WAN
[admin@EntryRouter] /interface> export
# nov/03/2021 22:11:49 by RouterOS 6.49
# software id = 1EIH-CITT
#
# model = RB750Gr3
/interface ethernet
set [ find default-name=ether1 ] speed=100Mbps
set [ find default-name=ether2 ] name=ether2-master speed=100Mbps
set [ find default-name=ether3 ] speed=100Mbps
set [ find default-name=ether4 ] speed=100Mbps
set [ find default-name=ether5 ] speed=100Mbps
/interface bridge
add admin-mac=xxxredactedxx auto-mac=no comment="created from master port" name=bridge1 protocol-mode=none
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
add exclude=dynamic name=discover
add name=mactel
add name=mac-winbox
/interface bridge port
add bridge=bridge1 interface=ether3
add bridge=bridge1 interface=ether4
add bridge=bridge1 interface=ether5
/interface list member
add comment=defconf interface=bridge1 list=LAN
add comment=defconf interface=ether1 list=WAN
add interface=bridge1 list=discover
add interface=ether3 list=discover
add interface=ether4 list=discover
add interface=ether5 list=discover
add interface=bridge1 list=mactel
add interface=bridge1 list=mac-winbox
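
Added example, not part of any post in this thread: a small Python check that reads a RouterOS export and reports the two states discussed above, the "drop all not coming from LAN" input rule being active while the management interface is missing from the LAN list (WebFig unreachable), and the rule being disabled (input no longer restricted to LAN). The sample export is constructed from the lines posted above, and the function names are hypothetical.

```python
import re

# Constructed sample, trimmed from the export format shown in the thread.
SAMPLE_EXPORT = """/ip firewall filter
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=drop chain=input comment="defconf: drop all not coming from LAN" disabled=yes in-interface-list=!LAN
/interface list member
add comment=defconf interface=bridge1 list=LAN
add comment=defconf interface=ether1 list=WAN
"""

TOKEN = re.compile(r'([\w-]+)=("[^"]*"|\S+)')  # key=value or key="quoted value"

def parse_export(text):
    """Return {menu path: [dict of properties for each 'add' line]}."""
    text = re.sub(r"\\\n\s*", "", text)  # join lines wrapped with a trailing backslash
    menus, path = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("/"):
            path = line
            menus.setdefault(path, [])
        elif line.startswith("add ") and path:
            menus[path].append({k: v.strip('"') for k, v in TOKEN.findall(line)})
    return menus

def audit_mgmt_access(text, mgmt_iface):
    """Report how the input-chain 'not from LAN' drop treats mgmt_iface."""
    menus = parse_export(text)
    lan = {m.get("interface") for m in menus.get("/interface list member", [])
           if m.get("list") == "LAN" and m.get("disabled") != "yes"}
    active = [r for r in menus.get("/ip firewall filter", [])
              if r.get("chain") == "input" and r.get("action") == "drop"
              and r.get("in-interface-list") == "!LAN"
              and r.get("disabled") != "yes"]
    if not active:
        return ["exposed: no active drop for in-interface-list=!LAN on the input chain"]
    if mgmt_iface not in lan:
        return [f"blocked: {mgmt_iface} is not in LAN, so WebFig packets are dropped"]
    return [f"ok: drop rule active and {mgmt_iface} is in LAN"]

if __name__ == "__main__":
    for finding in audit_mgmt_access(SAMPLE_EXPORT, "bridge1"):
        print(finding)
```

On the constructed sample, audit_mgmt_access(SAMPLE_EXPORT, "bridge1") reports the second state: bridge1 is already a LAN member, but the drop rule is disabled. The terminal form of the recommended fix from earlier in the thread, in the same syntax as the export above, is /interface list member add interface=bridge list=LAN.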
