Mikromm
just joined
Topic Author
Posts: 3
Joined: Fri Nov 26, 2021 10:20 pm

Winboxing towards a Mikrotik behind NAT

Fri Nov 26, 2021 10:33 pm

Hello,

I have some router with a static, public IP and a Mikrotik behind it. The Mikrotik needs to have an IP from the private range. Let's say my public IP is 55.55.55.1, the gateway to the Mikrotik is 192.168.1.1/24 and the Mikrotik WAN IP is 192.168.1.2.

If I want to connect to the said Mikrotik by typing 55.55.55.1 to the Winbox, what ports or other things do I need to configure on the first router?
Is it enough to create a simple NAT: 55.55.55.1 8291 ---> 192.168.1.2 8291?

If you'd be so kind as to not solve other solutions, I know this can be done differently, I do not aim to solve the security issues as of now nor anything else. Just this question.

Thanks
 
anav
Forum Guru
Posts: 19106
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Winboxing towards a Mikrotik behind NAT

Mon Nov 29, 2021 3:35 pm

This sounds like you want to be able to configure or reach the winbox remotely.
The way to do this is not by open ports to the router, that is a huge security problem.

What you should be asking is
"How do I securely manage the MT device remotely that is not the primary router but is acting as a secondary (router? switch?) and receives a private IP from the primary router?"

The answer is VPN of some sort.
In any of the types of VPN, be it wireguard (real easy for the public) or IPSEC (more complex), one will have to, as you surmised, port forward the VPN associated port on the primary router to the WAN IP of the MT (to 192.168.1.2).

There are also two other options I am aware of
SSTP type access through a service called Remote Winbox (one plain connection is free).
However this is only good enough for home and not recommended for business as there are no certificates or anything...

At my home I use wireguard on the router as the server and set up a connection for my iPhone so that I can reach the router anytime from anywhere using the iOS app for MT (and of course wireguard for the phone as well).
https://apps.apple.com/us/app/wireguard/id1441195209
 
Sob
Forum Guru
Posts: 9119
Joined: Mon Apr 20, 2009 9:11 pm

Re: Winboxing towards a Mikrotik behind NAT  [SOLVED]

Mon Nov 29, 2021 9:24 pm

Yep, one forwarded tcp 8291 port is enough. Or any other, if you decide to change the number, but then you'd have to enter <address>:<port> in WinBox.

And sure, it's not the greatest idea security-wise, so it's better to avoid opening it to the whole world. But it's not like you're automatically giving access to everyone if you do so. Only if you're going to have a predictable username and password, and that's in your hands. Or if there's another security hole in the WinBox server. So it depends on how much you trust MikroTik to not make the same mistake again. Also don't forget that the same MikroTik implemented VPN servers in RouterOS. And some external service to access your own router, talk about overkill.
 
anav
Forum Guru
Posts: 19106
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Winboxing towards a Mikrotik behind NAT

Mon Nov 29, 2021 10:04 pm

Don't open up winbox to the internet is clear and simple advice in order to configure the router.
Can't say it any more plainly.

The answer was already provided so not sure why Sob stated it again, other than to note that the default port for winbox is 8291... seems like he wanted to pile bad advice on top of bad advice.
My advice is to always change the winbox port to non default setting like any password and this is for secure access let alone open access.

Some folks use port knocking as a method for accessing the router
I use both wireguard VPN to access my router anywhere, and use Remote Winbox free service as a backup/alternative.
 
Sob
Forum Guru
Posts: 9119
Joined: Mon Apr 20, 2009 9:11 pm

Re: Winboxing towards a Mikrotik behind NAT

Mon Nov 29, 2021 11:34 pm

Are you sure? It seemed to me that you kind of missed OP's question. Or at least the specific request to not suggest other solutions. ;)

Btw, what's the point of changing the WinBox port when it's not exposed? I get it when it is, it's a cheap trick that helps to not get attacked by botnets almost immediately. But over VPN, when it's not reachable anyway?
 
joegoldman
Forum Veteran
Posts: 766
Joined: Mon May 27, 2013 2:05 am

Re: Winboxing towards a Mikrotik behind NAT

Mon Nov 29, 2021 11:37 pm

Btw, what's the point of changing the WinBox port when it's not exposed? I get it when it is, it's a cheap trick that helps to not get attacked by botnets almost immediately. But over VPN, when it's not reachable anyway?
Just good practice - for the one time you do accidentally expose it or some kind of attacker makes it on the trusted side of the network.
 
Amm0
Forum Guru
Posts: 3253
Joined: Sun May 01, 2016 7:12 pm
Location: California

Re: Winboxing towards a Mikrotik behind NAT

Mon Nov 29, 2021 11:54 pm

This sounds like you want to be able to configure or reach the winbox remotely.
The way to do this is not by open ports to the router, that is a huge security problem.
As long as you use a complex/secure username/password, opening the winbox port isn't as problematic as it used to be. They use AES128-CBC-SHA encryption, and this approach is dirt simple. Don't use "admin" as your username, and use a long complex password – same advice as any other system exposed to the internet – so "huge" may be overblown. If you change the default winbox port, it would be much more difficult for a bot to find an internet-exposed winbox port, which would add more protection.

Opening even VPN port poses risks too... But there are better, even safer choices.
What you should be asking is
"How do I securely manage the MT device remotely that is not the primary router but is acting as a secondary (router? switch?) and receives a private IP from the primary router.

The answer is VPN of some sort.
If you use v7 and have an ARM CPU, ZeroTier is just wonderful for remote management – no open ports required as would be the case with any other VPN choice here. With a ZeroTier client on my Mac, winbox-mac's "Neighbors" just magically shows up with a v7 ROS, even connecting via MAC address works for ZeroTier. It's actually a pretty nifty way – unfortunately it's in beta and only for ARM platform Mikrotik. But that would be my choice for this use case.
 
Amm0
Forum Guru
Posts: 3253
Joined: Sun May 01, 2016 7:12 pm
Location: California

Re: Winboxing towards a Mikrotik behind NAT

Tue Nov 30, 2021 12:07 am


If you'd be so kind as to not solve other solutions, I know this can be done differently, I do not aim to solve the security issues as of now nor anything else. Just this question.
The simple answer is this needs to be before any "drop"/etc on any of the chain=input lines:
/ip firewall filter add action=accept chain=input comment="always allow winbox" dst-port=8291 protocol=tcp
Generally you put it before the "!LAN"/drop rule in IP>Firewall>Filter, if you have a default-ish firewall. This allows winbox via the router's public IP from world/locally, or using the private IP if on your LAN side.

If you have more routers downstream from the one with the public IP, Mikrotik has a feature called RoMON that allows you to connect to one Mikrotik, and via L2 find other Mikrotiks anywhere locally that have RoMON enabled. It's old and likely insecure in a lot of ways I'd guess, but that's an additional option available in ROS. Winbox lets you connect to the public IP remotely via "Connect to RoMON", which will then change the view of the winbox browser to allow you to see RoMON-enabled MikroTik routers on the LAN/far side.

But I would pay attention to the commentary, there are a lot of bots that do try to attack Mikrotik (but also true of Apache, WordPress, IIS, etc., etc.).
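As an added example (not from any poster in this thread), here is the OP's setup from the first post done with the restriction the OP later mentions, i.e. the forward only works for one management IP, plus the input rule from the post above narrowed to that source. It assumes the primary router is also RouterOS (on another vendor, create the equivalent port forward); 203.0.113.10 is a placeholder for the trusted management address.

```routeros
# Primary router (55.55.55.1), assumed RouterOS. Forward TCP 8291 to the inner
# MikroTik, but only when the packet comes from the single management host.
# 203.0.113.10 is a placeholder for that trusted source address.
/ip firewall nat add chain=dstnat dst-address=55.55.55.1 protocol=tcp dst-port=8291 \
    src-address=203.0.113.10 action=dst-nat to-addresses=192.168.1.2 to-ports=8291 \
    comment="winbox to inner MikroTik, management host only"

# Inner MikroTik (192.168.1.2). Accept WinBox on the input chain only from that
# source; place-before=0 puts it above the generic "drop everything not from LAN"
# rule of a default-ish firewall, as the post above says it must be.
/ip firewall filter add chain=input protocol=tcp dst-port=8291 src-address=203.0.113.10 \
    action=accept comment="winbox from management host only" place-before=0

# Anything else that reaches 8291 is dropped and logged, so an accidental wider
# exposure shows up in /log instead of going unnoticed.
/ip firewall filter add chain=input protocol=tcp dst-port=8291 action=drop \
    log=yes log-prefix="winbox-unexpected" place-before=1

# Second layer independent of the firewall: restrict the WinBox service itself to
# the management host and the LAN, and turn off the cleartext management services.
/ip service set winbox address=203.0.113.10/32,192.168.1.0/24
/ip service disable telnet,ftp,www,api
```

With both layers in place a mistake in either the NAT rule or the filter order still leaves the service refusing connections from untrusted addresses; check /log for the "winbox-unexpected" prefix after applying it.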
 
Sob
Forum Guru
Posts: 9119
Joined: Mon Apr 20, 2009 9:11 pm

Re: Winboxing towards a Mikrotik behind NAT

Tue Nov 30, 2021 1:16 am

Just good practice - for the one time you do accidentally expose it or some kind of attacker makes it on the trusted side of the network.
More like security through obscurity. But I can't deny that to some extent it works.
As long as you use a complex/secure username/password, opening the winbox port isn't as problematic as it used to be. They use AES128-CBC-SHA encryption, ...
If I remember correctly, they even added some MITM-resistant authentication protocol. So in theory, it should be perfectly safe, as long as they didn't make any mistake that would turn into a security hole. Problem is, you never know if that may be the case.

Of course if you don't expose it at all, it's the safest way. But it's not fair to say that everything else is completely wrong. It's like saying that someone deserved to have their house burgled, because it had doors and windows, with big locks and everything, but with no doors or windows at all it wouldn't happen. Probably true, but...
If you use v7 and have an ARM CPU, ZeroTier is just wonderful for remote management – no open ports required as would be the case with any other VPN choice here.
Only you either have to rely on some external service (which I'm not a big fan of, if I don't have to) or you have to host the server yourself, which needs to be accessible, and in this case you may as well use any other VPN.
 
joegoldman
Forum Veteran
Posts: 766
Joined: Mon May 27, 2013 2:05 am

Re: Winboxing towards a Mikrotik behind NAT

Tue Nov 30, 2021 1:36 am

Just good practice - for the one time you do accidentally expose it or some kind of attacker makes it on the trusted side of the network.
More like security through obscurity. But I can't deny that to some extent it works.
Security is like a puzzle - every little piece comes together to make the full picture. That 1 piece by itself is security by obscurity, but that combined with everything else is good security.

And mostly - a port change helps stop automated scans/brute-force in the instances where you have accidentally exposed it to public.
 
Amm0
Forum Guru
Posts: 3253
Joined: Sun May 01, 2016 7:12 pm
Location: California

Re: Winboxing towards a Mikrotik behind NAT

Tue Nov 30, 2021 1:57 am

So in theory, it should be perfectly safe, as long as they didn't make any mistake that would turn into security hole. Problem is, you never know if that may be the case.
It ain't my router.. Taking both Mikrotik re winbox, and this poster at their word re "don't care" ;). My bet is bots are also lazy - port scanning non-standard ones takes time, they'd rather move on to another IP to try ;). Absolutely not foolproof, but just one more thing to slow them down... Similarly, not sure cut-and-paste config from a forum without understanding it is a good idea either... but his question was straightforward.

If you use v7 and have an ARM CPU, ZeroTier is just wonderful for remote management – no open ports required as would be the case with any other VPN choice here.
Only you either have to rely on some external service (which I'm not a big fan of, if I don't have to) or you have to host the server yourself, which needs to be accessible, and in this case you may as well use any other VPN.
Agreed. Now, as an alternative to opening winbox port for someone "lazy" about security... All the VPNs have pro/cons.

Seemed the OP wasn't looking for other suggestions. @anav tried. I tried again since if it's really just "remote winbox", the nice thing about ZeroTier is just a single interface to the router (assuming you don't bridge it). ZeroTier does do a good job tunneling whatever upstream, so no firewall config troubles/holes... with their client app, it'd be really like 10 minutes to solve this – trying to steer him away from opening the winbox port...
 
Mikromm
just joined
Topic Author
Posts: 3
Joined: Fri Nov 26, 2021 10:20 pm

Re: Winboxing towards a Mikrotik behind NAT

Tue Nov 30, 2021 9:41 am

Thank you all for insights and answers. You are all right with the security and all, but I really aimed just for the plain functionality right now. It's not going to be opened to the whole world, just for one IP. This has been looked after.

It's just that I knew how people here are very creative and good thinkers, and they would try to come up with all sorts of solutions. I mean it in a good way (:

Anyway, it worked with the plain port forward, as mentioned by @Sob. Thanks again, appreciated all answers.
 
anav
Forum Guru
Posts: 19106
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Winboxing towards a Mikrotik behind NAT

Tue Nov 30, 2021 4:07 pm

Well if you do get hacked and held ransom for let's say $50,000 just send the bill to Sob and if he gives you any trouble I know some really good lawyers. ;-P
 
Mikromm
just joined
Topic Author
Posts: 3
Joined: Fri Nov 26, 2021 10:20 pm

Re: Winboxing towards a Mikrotik behind NAT

Tue Nov 30, 2021 10:27 pm

I'll pass the information about making amends to the owner of the said Mikrotik who didn't want the procedure in some other way :D
 
Sob
Forum Guru
Posts: 9119
Joined: Mon Apr 20, 2009 9:11 pm

Re: Winboxing towards a Mikrotik behind NAT

Wed Dec 01, 2021 4:49 am

@anav: I'm not worried, I wrote it very clearly that it's not the best idea. But I'll make a note about you, on whose side you are. ;)
