zmicier0k
just joined
Topic Author
Posts: 4
Joined: Wed Jan 05, 2022 2:16 pm

Doesn't work web interface but ssh - does

Wed Jan 05, 2022 3:06 pm

Hi! The problem is: I can ssh to the MikroTik RB760iGS, but can't get access to the web interface. I guess something is blocking web access. The OS version is 6.49.2 (stable). Firewall rules:
/ip firewall filter
add action=accept chain=forward comment="Allow VPN to VLAN" in-interface=all-ppp out-interface=vlan_client008
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=accept chain=input comment="Allow all from mgmt-outband" connection-state=new in-interface=bridge_mgmt
add action=accept chain=input comment="Allow all from mgmt-inband" connection-state=new in-interface=vlan_mgmt
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
add action=drop chain=input comment="drop port scanners" src-address-list="port scanners"
add action=accept chain=input comment="Allow mgmt from VPN" connection-state=new dst-port=22,11443 in-interface=!vlan_public28 protocol=tcp src-address=192.168.108.0/24
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=add-src-to-address-list address-list="port scanners" address-list-timeout=2w chain=input comment="Write port scanner to list - statistic" protocol=tcp psd=21,4s,3,1
add action=add-src-to-address-list address-list="port scanners" address-list-timeout=2w chain=input comment="Write port scanner to list - NMAP FIN Stealth scan" protocol=tcp tcp-flags=\
    fin,!syn,!rst,!psh,!ack,!urg
add action=add-src-to-address-list address-list="port scanners" address-list-timeout=2w chain=input comment="Write port scanner to list - SYN/FIN scan" protocol=tcp tcp-flags=fin,syn
add action=add-src-to-address-list address-list="port scanners" address-list-timeout=2w chain=input comment="Write port scanner to list - SYN/RST scan" protocol=tcp tcp-flags=syn,rst
add action=add-src-to-address-list address-list="port scanners" address-list-timeout=2w chain=input comment="Write port scanner to list - FIN/PSH/URG scan" protocol=tcp tcp-flags=fin,psh,urg,!syn,!rst,!ack
add action=add-src-to-address-list address-list="port scanners" address-list-timeout=2w chain=input comment="Write port scanner to list - ALL/ALL scan" protocol=tcp tcp-flags=fin,syn,rst,psh,ack,urg
add action=add-src-to-address-list address-list="port scanners" address-list-timeout=2w chain=input comment="Write port scanner to list - NMAP NULL scan" protocol=tcp tcp-flags=!fin,!syn,!rst,!psh,!ack,!urg
add action=accept chain=input comment="Allow ssh & www management from Public-trusted" connection-state=new dst-port=22,11443 in-interface=vlan_public28 protocol=tcp src-address-list=public_trusted
add action=accept chain=input comment="Accept www management from WAN" connection-state=new dst-port=11443 in-interface=vlan_public28 protocol=tcp
add action=accept chain=input comment="accept L2TP VPN" dst-port=4500,500,1701 in-interface=vlan_public28 protocol=udp
add action=accept chain=input comment="allow IPSEC input" in-interface=vlan_public28 protocol=ipsec-esp
add action=accept chain=input comment="Allow DNS queries from VPN" dst-port=53 protocol=udp src-address=192.168.50.0/24
add action=drop chain=input comment="defconf: drop all"
add action=accept chain=forward comment="defconf: accept in ipsec policy" ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related
add action=accept chain=forward comment="defconf: accept established,related, untracked" connection-state=established,related,untracked
add action=accept chain=forward comment="Accept VPN to VLAN client008" connection-state=new disabled=yes dst-address=10.10.8.0/24 src-address=192.168.108.0/24
add action=accept chain=forward comment="Test transferu" connection-state=new disabled=yes dst-address=10.10.8.30 dst-port=80 protocol=tcp
add action=accept chain=forward comment="Test transferu 2" connection-state=new disabled=yes dst-address=10.10.8.252 dst-port=80 protocol=tcp
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
add action=drop chain=forward comment="defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat connection-state=new in-interface=vlan_public28
add action=drop chain=forward comment="Drop incoming from internet which is not public IP" in-interface=vlan_public28 src-address-list=not_in_internet
add action=accept chain=forward comment="SQL - temp" connection-state=new dst-address=10.10.8.40 dst-port=1433 protocol=tcp
add action=accept chain=forward comment="Accept VPN to WAN" connection-state=new in-interface=all-ppp out-interface=vlan_public28
add action=drop chain=forward comment="Default rule: Block everything"
add action=accept chain=output comment="Accept all outgoing"
When I curl the web interface:
curl -IL x.x.x.x:yyyy -v
*   Trying x.x.x.x:yyyy...
* TCP_NODELAY set
* connect to x.x.x.x port yyyy failed: Connection timed out
* Failed to connect to x.x.x.x port yyyy: Connection timed out
* Closing connection 0
curl: (28) Failed to connect to x.x.x.x port yyyy: Connection timed out
Which additional info do you need?
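A quick way to check whether the posted input chain would let a web-interface connection through is to walk the rules in order and report the first terminating match. This is an added example, not part of the original post. It is a simplified model covering only interface, protocol, port, state, source address and address-list conditions, and it assumes the web port is 11443 as in the rule comments (the curl target above is redacted); the source address is constructed.

```python
import ipaddress
import shlex

# Subset of the input chain from the post above, in its original order. The
# add-src-to-address-list rules are left out: they tag a source, never end evaluation.
RULES = r'''
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=accept chain=input comment="Allow all from mgmt-outband" connection-state=new in-interface=bridge_mgmt
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
add action=drop chain=input comment="drop port scanners" src-address-list="port scanners"
add action=accept chain=input comment="Allow mgmt from VPN" connection-state=new dst-port=22,11443 in-interface=!vlan_public28 protocol=tcp src-address=192.168.108.0/24
add action=accept chain=input comment="Accept www management from WAN" connection-state=new dst-port=11443 in-interface=vlan_public28 protocol=tcp
add action=drop chain=input comment="defconf: drop all"
'''

def parse(text):
    """Turn 'add key=value ...' export lines into dicts (quotes handled by shlex)."""
    return [dict(tok.split("=", 1) for tok in shlex.split(line)[1:])
            for line in text.strip().splitlines()]

def field_matches(key, want, pkt):
    negate, want = want.startswith("!"), want.lstrip("!")
    if key == "src-address":
        hit = ipaddress.ip_address(pkt["src-address"]) in ipaddress.ip_network(want)
    elif key == "src-address-list":
        hit = want in pkt.get("lists", ())
    elif key in ("dst-port", "connection-state"):
        hit = str(pkt.get(key)) in want.split(",")
    else:  # protocol, in-interface: exact string match
        hit = pkt.get(key) == want
    return hit != negate

def verdict(pkt, rules=None):
    """Return (action, comment) of the first rule whose every condition matches."""
    for r in rules or parse(RULES):
        conds = {k: v for k, v in r.items() if k not in ("action", "chain", "comment")}
        if all(field_matches(k, v, pkt) for k, v in conds.items()):
            return r["action"], r["comment"]
    return "accept", "no rule matched"  # RouterOS chains accept by default

# Constructed packets: a new TCP connection from the WAN side (documentation address).
WAN = {"src-address": "203.0.113.10", "in-interface": "vlan_public28",
       "protocol": "tcp", "dst-port": 11443, "connection-state": "new"}
LISTED = dict(WAN, lists=("port scanners",))   # same source, already on the list
OTHER_PORT = dict(WAN, **{"dst-port": 8080})   # port with no accept rule

if __name__ == "__main__":
    for name, pkt in (("WAN", WAN), ("LISTED", LISTED), ("OTHER_PORT", OTHER_PORT)):
        print(name, verdict(pkt))
```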
 
k6ccc
Forum Guru
Posts: 1497
Joined: Fri May 13, 2016 12:01 am
Location: Glendora, CA, USA (near Los Angeles)

Re: Doesn't work web interface but ssh - does

Thu Jan 06, 2022 5:21 pm

Post your complete config.
 
zmicier0k
just joined
Topic Author
Posts: 4
Joined: Wed Jan 05, 2022 2:16 pm

Re: Doesn't work web interface but ssh - does  [SOLVED]

Fri Jan 07, 2022 1:41 pm

Thanks. But the problem has been solved via /system reboot =)))
