Jord4nz
just joined
Topic Author
Posts: 8
Joined: Mon Feb 01, 2021 7:39 pm

Unable to access any MT device behind Mikrotik Router

Fri Nov 19, 2021 3:23 pm

Hi everyone,

I am unable to access any of our MT devices (https://mikrotik.com/product/wap_lte_kit_us) behind our office router,
which is a Mikrotik RB2011UiAS (https://mikrotik.com/product/RB2011UiAS-RM). Winbox opens, and everything remains blank,
and no information in any windows appears. In the log in that device, I can see that
it shows a user successfully logs in and out.

I thought it might be just with winbox, so I enabled www-ssl, but it just hangs in a browser and eventually times out. On a connection
that's not behind another MT router, there is no problem.

Has anyone experienced anything like this? I am not using any tunnel, no L2TP or IPsec or anything like that. Just a fiber/sfp connection
at the office to the LTE interface of the wAP LTE kit.

Lastly, I AM able to access these devices over SSH. I'm not sure why winbox and www-ssl are not working properly, but ssh is.

Thanks for your help
Jordan
Thanks for your help, and let me know if you need any other information.
 
ConnyMercier
Forum Veteran
Posts: 725
Joined: Tue Dec 17, 2019 1:08 pm

Re: Unable to access any MT device behind Mikrotik Router

Tue Nov 23, 2021 1:10 am

Difficult to say.....

We need to take a look at the Config of your Router
If possible please POST Config of RB2011UiAS AND WAP LTE
(/export hide-sensitive file=anynameyoulike)
 
anav
Forum Guru
Posts: 19318
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Unable to access any MT device behind Mikrotik Router

Tue Nov 23, 2021 1:27 am

How are your devices connected?
Is there a management vlan or a trusted subnet.
All devices behind the router should have an IP on the trusted subnet or management vlan.
 
Jord4nz
just joined
Topic Author
Posts: 8
Joined: Mon Feb 01, 2021 7:39 pm

Re: Unable to access any MT device behind Mikrotik Router

Tue Nov 23, 2021 1:29 am

# This is the core router at the office
# nov/22/2021 16:14:54 by RouterOS 6.49
# software id = R38N-59QM
#
# model = 2011UiAS
# serial number = 8C1B09809B79
/interface ethernet
set [ find default-name=ether1 ] arp=proxy-arp comment="to Core" speed=\
    100Mbps
set [ find default-name=ether2 ] disabled=yes speed=100Mbps
set [ find default-name=ether3 ] disabled=yes speed=100Mbps
set [ find default-name=ether4 ] disabled=yes speed=100Mbps
set [ find default-name=ether5 ] disabled=yes speed=100Mbps
set [ find default-name=ether6 ] advertise=\
    10M-half,10M-full,100M-half,100M-full,1000M-half,1000M-full disabled=yes
set [ find default-name=ether7 ] advertise=\
    10M-half,10M-full,100M-half,100M-full,1000M-half,1000M-full disabled=yes
set [ find default-name=ether8 ] advertise=\
    10M-half,10M-full,100M-half,100M-full,1000M-half,1000M-full disabled=yes
set [ find default-name=ether9 ] advertise=\
    10M-half,10M-full,100M-half,100M-full,1000M-half,1000M-full disabled=yes
set [ find default-name=ether10 ] advertise=\
    10M-half,10M-full,100M-half,100M-full,1000M-half,1000M-full disabled=yes
set [ find default-name=sfp1 ] comment="to DCDI"
/interface pppoe-client
add add-default-route=yes disabled=no interface=sfp1 name=pppoe-out1 user=\
    pppoe@user
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip pool
add name=default-dhcp ranges=192.168.88.10-192.168.88.254
add name=vpn_pool ranges=10.0.150.0/24
/ip dhcp-server
add address-pool=default-dhcp disabled=no name=defconf
/ppp profile
add dns-server=10.0.100.5 local-address=vpn_pool name=ovpn_profile \
    remote-address=vpn_pool use-ipv6=no
/user group
set full policy="local,telnet,ssh,ftp,reboot,read,write,policy,test,winbox,pas\
    sword,web,sniff,sensitive,api,romon,dude,tikapp"
/interface bridge port
add interface=ether2
add interface=ether3
add interface=ether4
add interface=ether5
add interface=ether6
add interface=ether7
add interface=ether8
add interface=ether9
add interface=ether10
/ip neighbor discovery-settings
set discover-interface-list=LAN
/interface list member
add list=LAN
add interface=pppoe-out1 list=WAN
add interface=sfp1 list=WAN
add interface=ether1 list=LAN
add interface=ether2 list=LAN
/interface ovpn-server server
set auth=sha1 certificate=ovpn_server cipher=aes256 enabled=yes mode=ethernet \
    require-client-certificate=yes
/ip address
add address=10.0.0.2/29 comment="/30 route to Core" interface=ether1 network=\
    10.0.0.0
/ip dhcp-server network
add address=192.168.88.0/24 comment=local dns-server=1.1.1.1,8.8.8.8 gateway=\
    192.168.88.1
/ip dns
set allow-remote-requests=yes servers=1.1.1.1,8.8.8.8,8.8.4.4
/ip dns static
add address=192.168.88.1 name=router.lan
/ip firewall address-list
add address=75.174.14.139 comment="Employees" list=Makayla
add address=212.0.0.0/8 list=Unwanted
/ip firewall filter
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=accept chain=input comment=OVPN disabled=yes dst-port=1194 \
    in-interface=pppoe-out1 log=yes log-prefix=" ! ovpn !" protocol=tcp
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=drop chain=input comment="hackers(lol)" src-address=\
    212.0.0.0/8
add action=drop chain=input comment="hackers(lol)" src-address=\
    27.0.0.0/8
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
    in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
    ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
    ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
    connection-state=established,related
add action=accept chain=forward comment=\
    "defconf: accept established,related, untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
add action=drop chain=forward comment=\
    "defconf:  drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
    connection-state=new in-interface-list=WAN
/ip firewall nat
add action=masquerade chain=srcnat comment="LAN NAT" ipsec-policy=out,none \
    out-interface-list=WAN
add action=dst-nat chain=dstnat comment="start PBX ports" dst-port=8443 \
    in-interface-list=WAN protocol=tcp to-addresses=10.0.200.200 to-ports=\
    8443
add action=dst-nat chain=dstnat dst-port=8043 in-interface-list=WAN protocol=\
    tcp to-addresses=10.0.200.200 to-ports=8043
add action=dst-nat chain=dstnat dst-port=2088 in-interface-list=WAN protocol=\
    udp to-addresses=10.0.200.200 to-ports=2088
add action=dst-nat chain=dstnat dst-port=8081 in-interface-list=WAN protocol=\
    tcp to-addresses=10.0.200.200 to-ports=8081
add action=dst-nat chain=dstnat dst-port=5060 in-interface-list=WAN protocol=\
    udp to-addresses=10.0.200.200 to-ports=5060
add action=dst-nat chain=dstnat dst-port=5060 in-interface-list=WAN protocol=\
    tcp to-addresses=10.0.200.200 to-ports=5060
add action=dst-nat chain=dstnat dst-port=5070 in-interface-list=WAN protocol=\
    tcp to-addresses=10.0.200.200 to-ports=5070
add action=dst-nat chain=dstnat dst-port=15000-15511 in-interface-list=WAN \
    protocol=udp to-addresses=10.0.200.200 to-ports=15000-15511
add action=dst-nat chain=dstnat comment="start NVR ports" dst-port=7080 \
    in-interface-list=WAN protocol=tcp to-addresses=10.0.230.200 to-ports=\
    7080
add action=dst-nat chain=dstnat dst-port=7443 in-interface-list=WAN protocol=\
    tcp to-addresses=10.0.230.200 to-ports=7443
add action=dst-nat chain=dstnat dst-port=7445 in-interface-list=WAN protocol=\
    tcp to-addresses=10.0.230.200 to-ports=7445
add action=dst-nat chain=dstnat dst-port=7446 in-interface-list=WAN protocol=\
    tcp to-addresses=10.0.230.200 to-ports=7446
add action=dst-nat chain=dstnat dst-port=7447 in-interface-list=WAN protocol=\
    tcp to-addresses=10.0.230.200 to-ports=7447
add action=dst-nat chain=dstnat comment="start RDS ports" disabled=yes \
    dst-port=443 in-interface-list=WAN protocol=tcp to-addresses=10.0.100.6 \
    to-ports=443
add action=dst-nat chain=dstnat comment="rdp to .5 from WAN" disabled=yes \
    dst-port=3389 in-interface-list=WAN protocol=tcp to-addresses=10.0.100.5 \
    to-ports=3389
add action=dst-nat chain=dstnat disabled=yes dst-port=3389 in-interface=\
    pppoe-out1 protocol=tcp src-address=96.18.88.44 to-addresses=10.0.100.6 \
    to-ports=3389
add action=dst-nat chain=dstnat comment="Sophos (\?)" disabled=yes dst-port=\
    4444 in-interface=pppoe-out1 protocol=tcp to-addresses=10.0.0.3 to-ports=\
    4444
add action=dst-nat chain=dstnat disabled=yes dst-port=22 in-interface-list=\
    WAN protocol=tcp to-addresses=10.0.100.190 to-ports=22
add action=dst-nat chain=dstnat disabled=yes dst-port=3389 in-interface-list=\
    WAN protocol=tcp to-addresses=10.0.5.7 to-ports=3389
/ip route
add distance=1 dst-address=10.0.5.0/24 gateway=10.0.0.1
add distance=1 dst-address=10.0.100.0/24 gateway=10.0.0.1
add distance=1 dst-address=10.0.200.0/24 gateway=10.0.0.1
add distance=1 dst-address=10.0.230.0/24 gateway=10.0.0.1
add distance=1 dst-address=208.98.183.168/29 gateway=10.0.0.1
/ip service
set telnet address=10.0.0.0/8,192.168.0.0/16,67.215.46.70/32
set ftp disabled=yes
set www disabled=yes
set ssh address=10.0.0.0/8,192.168.0.0/16,67.215.46.70/32
set api disabled=yes
set winbox address=0.0.0.0/0
set api-ssl disabled=yes
/ip ssh
set allow-none-crypto=yes forwarding-enabled=remote
/lcd
set time-interval=hour
/ppp secret
add local-address=67.215.46.70 name=jordan remote-address=10.0.100.237 \
    service=ovpn
/system clock
set time-zone-autodetect=no time-zone-name=America/Boise
/system identity
set name=ASE-Edge
/system ntp client
set enabled=yes primary-ntp=72.87.88.202 secondary-ntp=208.79.89.249
/system script
add dont-require-permissions=no name=firehol-blocklist owner=admin policy=\
    ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon source="#\
    # Generic IP address list input\r\
    \n   ## Based on a script written by Sam Norris, ChangeIP.com 2008\r\
    \n   ## Edited by Andrew Cox, AccessPlus.com.au 2008\r\
    \n   :if ( [/file get [/file find name=firehol_level1.netset] size] > 0 ) \
    do={\r\
    \n   # Remove exisiting addresses from the current Address list\r\
    \n   /ip firewall address-list remove [/ip firewall address-list find list\
    =MY-IP-LIST]\r\
    \n   \r\
    \n   :global content [/file get [/file find name=firehol_level1.netset] co\
    ntents] ;\r\
    \n   :global contentLen [ :len \$content ] ;\r\
    \n   \r\
    \n   :global lineEnd 0;\r\
    \n   :global line \"\";\r\
    \n   :global lastEnd 0;\r\
    \n   \r\
    \n   :do {\r\
    \n         :set lineEnd [:find \$content \"\\n\" \$lastEnd ] ;\r\
    \n         :set line [:pick \$content \$lastEnd \$lineEnd] ;\r\
    \n         :set lastEnd ( \$lineEnd + 1 ) ;\r\
    \n         #If the line doesn't start with a hash then process and add to \
    the list\r\
    \n         :if ( [:pick \$line 0 1] != \"#\" ) do={\r\
    \n   \r\
    \n        :local entry [:pick \$line 0 \$lineEnd ]\r\
    \n        :if ( [:len \$entry ] > 0 ) do={\r\
    \n           /ip firewall address-list add list=MY-IP-LIST address=\$entry\
    \r\
    \n        }\r\
    \n      }\r\
    \n   } while (\$lineEnd < \$contentLen)\r\
    \n   }"
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN
# This is the LTE wAP Kit US' config
# nov/22/2021 18:22:44 by RouterOS 6.49
# software id = LZXF-3J9P
#
# model = RBwAPR-2nD
# serial number = E3530D55B9E5
/interface lte
set [ find ] name=lte1 network-mode=gsm,3g,lte
/interface bridge
add admin-mac=08:55:31:D9:27:A7 auto-mac=no comment=defconf name=bridge
/interface wireless
set [ find default-name=wlan1 ] band=2ghz-b/g/n channel-width=20/40mhz-XX \
    disabled=no distance=indoors frequency=auto installation=outdoor mode=\
    ap-bridge ssid=MikroTik-D927A8 station-roaming=enabled wireless-protocol=\
    802.11
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface lte apn
set [ find default=yes ] apn=we01.vzwstatic
/interface wireless security-profiles
set [ find default=yes ] authentication-types=wpa2-psk eap-methods="" mode=\
    dynamic-keys supplicant-identity=MikroTik
/system logging action
set 1 disk-lines-per-file=50000
/user group
set full policy="local,telnet,ssh,ftp,reboot,read,write,policy,test,winbox,pas\
    sword,web,sniff,sensitive,api,romon,dude,tikapp"
/interface bridge port
add bridge=bridge comment=defconf interface=ether1
add bridge=bridge comment=defconf interface=wlan1
/ip neighbor discovery-settings
set discover-interface-list=LAN
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=lte1 list=WAN
/ip address
add address=192.168.1.1/24 interface=bridge network=192.168.1.0
/ip dns
set allow-remote-requests=yes
/ip dns static
add address=192.168.88.1 comment=defconf name=router.lan
/ip firewall address-list
add address=174.192.0.0/10 list=Verizon
add address=66.174.0.0/16 list=Verizon
add address=69.96.0.0/13 list=Verizon
add address=70.192.0.0/11 list=Verizon
add address=97.128.0.0/9 list=Verizon
add address=67.215.46.70 list=Verizon
add address=192.168.1.90-192.168.1.99 list=iPad
/ip firewall filter
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=drop chain=input comment="drop WAN ICMP" in-interface-list=WAN \
    protocol=icmp src-address=!1.1.1.1 src-address-list=!Verizon
add action=accept chain=input comment=\
    "defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=accept chain=input comment=\
    "allow from Verizon and Office, need to add Sparklight" \
    in-interface-list=WAN src-address-list=Verizon
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
    in-interface-list=!LAN
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
    connection-state=established,related
add action=accept chain=forward comment=\
    "defconf: accept established,related, untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
add action=drop chain=forward comment="drop all ipad traffic" \
    in-interface-list=LAN src-address-list=iPad
add action=drop chain=forward comment=\
    "defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
    connection-state=new in-interface-list=WAN
/ip firewall nat
add action=masquerade chain=srcnat ipsec-policy=out,none out-interface-list=\
    WAN
add action=dst-nat chain=dstnat dst-port=4001 in-interface-list=WAN protocol=\
    tcp to-addresses=192.168.1.51 to-ports=4001
add action=dst-nat chain=dstnat dst-port=4001 in-interface-list=WAN protocol=\
    udp to-addresses=192.168.1.51 to-ports=4001
add action=dst-nat chain=dstnat dst-port=4002 in-interface-list=WAN protocol=\
    tcp to-addresses=192.168.1.52 to-ports=4002
add action=dst-nat chain=dstnat dst-port=4002 in-interface-list=WAN protocol=\
    udp to-addresses=192.168.1.52 to-ports=4002
/system clock
set time-zone-name=America/New_York
/system identity
set name=NickelFarms-11and12-AP
/system watchdog
set watch-address=1.1.1.1
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN
Let me know if you need anything else.
 
Jord4nz
just joined
Topic Author
Posts: 8
Joined: Mon Feb 01, 2021 7:39 pm

Re: Unable to access any MT device behind Mikrotik Router

Tue Nov 23, 2021 1:31 am

> How are your devices connected?
> Is there a management vlan or a trusted subnet.
> All devices behind the router should have an IP on the trusted subnet or management vlan.

The LTE devices are connected via their LTE interface. I am attempting to access them at their public IP given to them by Verizon.
 
ConnyMercier
Forum Veteran
Posts: 725
Joined: Tue Dec 17, 2019 1:08 pm

Re: Unable to access any MT device behind Mikrotik Router

Tue Nov 23, 2021 1:41 am

The "bridge" is missing on the RB2011UiAS
Is there a reason for this ?
 
anav
Forum Guru
Posts: 19318
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Unable to access any MT device behind Mikrotik Router

Tue Nov 23, 2021 1:30 pm

The core config is hosed. Start there. Lots of errors......... lack of bridge definition being one of them.
 
Jord4nz
just joined
Topic Author
Posts: 8
Joined: Mon Feb 01, 2021 7:39 pm

Re: Unable to access any MT device behind Mikrotik Router

Tue Nov 23, 2021 6:34 pm

I'm not using the bridge. I'm using eth1 on the internal network as a router port, and sfp1 as the wan port. I am NAT masquerad'ing from eth1 --> wan, lan to wan. I can define the bridge (add a bridge interface) but it will still be inactive.

Edit: Okay, I defined the bridge. All ports (eth2 -> eth8) are inactive. Still having same problem.
 
anav
Forum Guru
Posts: 19318
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Unable to access any MT device behind Mikrotik Router

Tue Nov 23, 2021 7:48 pm

Can you draw a network diagram.
It appears you have setup the LTE devices as routers but I thought the 2011 was your router?
Chicken or egg, what's going on here??

What is connected to the internet and what is the purpose of the LTE devices..............
 
Jord4nz
just joined
Topic Author
Posts: 8
Joined: Mon Feb 01, 2021 7:39 pm

Re: Unable to access any MT device behind Mikrotik Router

Tue Nov 23, 2021 7:58 pm

Okay, it's actually really simple.

I'm at my office, with a fiber connection and a mikrotik router.

I have a bunch of remote locations with MT LTE devices.

I want to winbox from my computer in my office to the remote devices.

The remote devices are connected to the internet via cellular LTE.

The network diagram would be:

My computer --> office switch --> mikrotik core router --> (( INTERNETS )) --> LTE Device

Let me know if you need any more information.
 
spynappels
Member Candidate
Posts: 106
Joined: Mon Oct 25, 2021 12:32 pm
Location: Northern Ireland

Re: Unable to access any MT device behind Mikrotik Router

Tue Nov 23, 2021 8:36 pm

For the ((INTERNETS)) portion are you using any VPN?

If not, you may be risking opening the remote routers up to the Internet, if the LTE CG-NAT doesn't cause you problems.

Your LTE devices are unlikely to get a true public IP which you can route to, and even if they do, you really don't want to accept management traffic from the WAN port.
You need a VPN tunnel between each remote device and your main router.
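
One way to check what a WAN-side accept rule on the input chain actually admits, as an added example that is not part of the thread: the script joins the continuation lines of a RouterOS export, finds input-chain accept rules with in-interface-list=WAN, and totals the addresses in the source list each one references. The sample input is copied from the wAP LTE export posted above; the function names are hypothetical.

```shell
#!/bin/sh
# Added example, not from the thread: size of the source space a WAN input rule admits.

# Lines copied from the wAP LTE export posted earlier in the thread.
sample_export() {
cat <<'EOF'
/ip firewall address-list
add address=174.192.0.0/10 list=Verizon
add address=66.174.0.0/16 list=Verizon
add address=69.96.0.0/13 list=Verizon
add address=70.192.0.0/11 list=Verizon
add address=97.128.0.0/9 list=Verizon
add address=67.215.46.70 list=Verizon
add address=192.168.1.90-192.168.1.99 list=iPad
/ip firewall filter
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=accept chain=input comment=\
    "allow from Verizon and Office, need to add Sparklight" \
    in-interface-list=WAN src-address-list=Verizon
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
    in-interface-list=!LAN
EOF
}

# Reads an export on stdin. For each input-chain accept rule matching WAN traffic,
# prints source list, address count (overlaps not merged: upper bound) and ports.
audit_wan_input() {
awk '
function field(s, key,   n, i, p) {        # value of key=... in a rule line
    n = split(s, p, " ")
    for (i = 1; i <= n; i++)
        if (index(p[i], key "=") == 1) return substr(p[i], length(key) + 2)
    return ""
}
function ip2n(ip,   o) { split(ip, o, "."); return ((o[1]*256 + o[2])*256 + o[3])*256 + o[4] }
function span(a,   p) {                    # addresses in a CIDR, range or host
    if (split(a, p, "/") == 2) return 2 ^ (32 - p[2])
    if (split(a, p, "-") == 2) return ip2n(p[2]) - ip2n(p[1]) + 1
    return 1
}
{
    sub(/\r$/, "")
    if (joining) sub(/^[ \t]+/, "")        # continuation lines are indented
    if ($0 ~ /\\$/) { sub(/\\$/, ""); buf = buf $0; joining = 1; next }
    line = buf $0; buf = ""; joining = 0
    gsub(/"[^"]*"/, "", line)              # drop quoted comment text
    if (line ~ /^\//) { section = line; next }
    if (line !~ /^add /) next
    if (section == "/ip firewall address-list")
        size[field(line, "list")] += span(field(line, "address"))
    else if (section == "/ip firewall filter" && field(line, "chain") == "input" &&
             field(line, "action") == "accept" &&
             field(line, "in-interface-list") == "WAN") {
        n++; src[n] = field(line, "src-address-list"); port[n] = field(line, "dst-port")
    }
}
END {
    for (i = 1; i <= n; i++) {
        if (src[i] == "" || src[i] ~ /^!/) printf "source=ANY"
        else printf "source=%s addresses=%.0f", src[i], size[src[i]]
        printf " ports=%s\n", (port[i] == "" ? "all" : port[i])
    }
}'
}

sample_export | audit_wan_input
```

To audit a whole device, feed a saved `/export` file to `audit_wan_input` on stdin instead of the embedded sample.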
 
Jord4nz
just joined
Topic Author
Posts: 8
Joined: Mon Feb 01, 2021 7:39 pm

Re: Unable to access any MT device behind Mikrotik Router

Tue Nov 23, 2021 8:38 pm

They have a static public routeable IP, and the firewall rules only allow input connections from the networks that I am coming from. I am not using any VPN.
 
spynappels
Member Candidate
Posts: 106
Joined: Mon Oct 25, 2021 12:32 pm
Location: Northern Ireland

Re: Unable to access any MT device behind Mikrotik Router

Tue Nov 23, 2021 8:43 pm

OK, that's still dangerous IMHO, but whatever.

Then unless I'm mistaken (on a small screen) it looks like you've set Winbox access via MAC address to only be allowed on LAN interfaces:
 /tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN 
 
tdw
Forum Guru
Posts: 1845
Joined: Sat May 05, 2018 11:55 am

Re: Unable to access any MT device behind Mikrotik Router

Tue Nov 23, 2021 8:55 pm

Possibly an MTU issue, there are some large packets exchanged during TLS setup.
 
Jord4nz
just joined
Topic Author
Posts: 8
Joined: Mon Feb 01, 2021 7:39 pm

Re: Unable to access any MT device behind Mikrotik Router

Tue Nov 23, 2021 9:05 pm

> OK, that's still dangerous IMHO, but whatever.
>
> Then unless I'm mistaken (on a small screen) it looks like you've set Winbox access via MAC address to only be allowed on LAN interfaces:
> /tool mac-server
> set allowed-interface-list=LAN
> /tool mac-server mac-winbox
> set allowed-interface-list=LAN

I will look into that, but isn't that just for that device's winbox connections? It's saying, only listen for mac-winbox connections on the LAN interface, not that it doesn't allow L3 forward traffic. Is that correct?

> Possibly an MTU issue, there are some large packets exchanged during TLS setup.

This is what I was leaning towards, something along the lines of the details of the connection between the two devices. How would I go about troubleshooting something like this? Should I raise or lower the MTU on one of the sides?
 
tdw
Forum Guru
Posts: 1845
Joined: Sat May 05, 2018 11:55 am

Re: Unable to access any MT device behind Mikrotik Router

Tue Nov 23, 2021 9:25 pm

ping the remote device with the DF bit set and a packet of 1500 bytes (on Windows ping -f -l 1472 ...), if it fails reduce the payload size until the ping succeeds. The usual fix is MSS clamping if PMTUD doesn't work, see https://en.wikipedia.org/wiki/Path_MTU_Discovery
 
Jord4nz
just joined
Topic Author
Posts: 8
Joined: Mon Feb 01, 2021 7:39 pm

Re: Unable to access any MT device behind Mikrotik Router

Tue Nov 23, 2021 9:57 pm

> ping the remote device with the DF bit set and a packet of 1500 bytes (on Windows ping -f -l 1472 ...), if it fails reduce the payload size until the ping succeeds. The usual fix is MSS clamping if PMTUD doesn't work, see https://en.wikipedia.org/wiki/Path_MTU_Discovery

Bingo. Just so everyone knows, the command to do this on Linux is:
jordan $ ping -M do -s 1470 127.34.22.156
PING 127.34.22.156 (127.34.22.156) 1470(1498) bytes of data.
ping: sendmsg: Message too long
ping: sendmsg: Message too long
^C
jordan $ ping -M do -s 1450 127.34.22.156
PING 127.34.22.156 (127.34.22.156) 1450(1478) bytes of data.
1458 bytes from 127.34.22.156: icmp_seq=1 ttl=45 time=128 ms
^C
And then I logged into my office MT router, and changed the MTU on the sfp1 interface to 1400. I can now winbox to other MT devices with no problem.

Thank you tdw, and everyone else for your help.

Jordan
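
The manual probing shown in the post above, automated as an added example that is not part of the thread: a binary search for the largest ICMP payload that crosses the path with the DF bit set, plus the MTU and TCP MSS that follow from it. It assumes Linux iputils `ping`; `PROBE` and `PMTU_TARGET` are hypothetical names, and the target must answer ICMP echo from the probing address.

```shell
#!/bin/sh
# Added example, not from the thread: find the path MTU with DF-flagged pings.

# probe_ping HOST PAYLOAD: succeeds if one DF-flagged echo of PAYLOAD bytes is answered.
probe_ping() {
    ping -M do -c 1 -W 2 -s "$2" "$1" >/dev/null 2>&1
}

# PROBE names the probe function; replace it to exercise the search offline.
PROBE=${PROBE:-probe_ping}

# find_max_payload HOST [LOW] [HIGH]
# Prints the largest payload between LOW and HIGH that gets through.
# Defaults: 548 (576-byte minimum IPv4 datagram minus 28) and 1472 (1500 minus 28).
# Fails if even LOW gets no reply, e.g. when ICMP echo is filtered.
find_max_payload() {
    host=$1 lo=${2:-548} hi=${3:-1472}
    "$PROBE" "$host" "$lo" || return 1
    if "$PROBE" "$host" "$hi"; then
        echo "$hi"
        return 0
    fi
    # Invariant from here on: lo passes, hi fails.
    while [ $((hi - lo)) -gt 1 ]; do
        mid=$(( (lo + hi) / 2 ))
        if "$PROBE" "$host" "$mid"; then lo=$mid; else hi=$mid; fi
    done
    echo "$lo"
}

# ICMP payload + 8 bytes ICMP header + 20 bytes IPv4 header = path MTU.
payload_to_mtu() { echo $(( $1 + 28 )); }

# Path MTU - 20 bytes IPv4 header - 20 bytes TCP header = largest safe TCP MSS.
mtu_to_mss() { echo $(( $1 - 40 )); }

report() {
    payload=$(find_max_payload "$1") || {
        echo "no reply at minimum size: ICMP echo filtered or host down"
        return 1
    }
    mtu=$(payload_to_mtu "$payload")
    echo "max payload=$payload path MTU=$mtu TCP MSS=$(mtu_to_mss "$mtu")"
}

# Runs only when a target is supplied, e.g. PMTU_TARGET=192.0.2.10 sh pmtu.sh
if [ -n "${PMTU_TARGET:-}" ]; then report "$PMTU_TARGET"; fi
```

The MSS value is what an MSS clamp would enforce; on RouterOS the clamp is a mangle rule on forwarded TCP SYN packets with `action=change-mss new-mss=clamp-to-pmtu`.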
 
anav
Forum Guru
Posts: 19318
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Unable to access any MT device behind Mikrotik Router

Tue Nov 23, 2021 11:10 pm

Sorry, if you want to connect MT devices over the internet for configuration purposes, it should be done via VPN.
If you want to take short cuts, and let someone else handle connectivity for you
try Remote WINBOX service SSTP good enough for home,