Does anyone know the reason why I can't get through winbox to router from WAN? Connection via PPPoE, static IP address.

Because the router knows that is a stupid idea......
You want access to the router from the WAN side, use vpn to access the router first.
Its obvious why it doesnt work but I am not going to be the one that shows you the path to "step on your dick" so to speak.

Actually, it doesn't seem obvious, the rule allowing WinBox port is there and should work (connection-state="" and in-interface-list=!LAN are useless, but it doesn't change anything).

@dertyh
You can call directly https://connected.pl and ask (why is bad idea activate cloud and publish serial number and)
why some ISP (like me) for default are blocking incoming Winbox connections (and also http, ftp, telnet, dns, ntp, sql, rdp, netbios, smb, etc.) ...
I unlock the port only after I receive a written declaration of responsability.

I also suggest you to change that private "telnet" service on port 20021... now is public...

Actually, it doesn't seem obvious, the rule allowing WinBox port is there and should work (connection-state="" and in-interface-list=!LAN are useless, but it doesn't change anything).

Depends............. what if he was trying to do it via mac address.. :-PPPPP
Take a closer look my blind friend!
Also I dont think winbox likes being called wimbox and thus another reason the router is not allowing this connection!

That's not it, WinBox can only see the wrong name in comment after it successfully connects, so it can't be discouraged by it before.

This is my test Mikrotik config and I'm not going to put port 8291 up for Winbox connections. I am trying to understand why no service is available from WAN. I tried FTP, telnet, ssh. It is probably not the fault of the ISP - everything works on the Rmerlin router.

@anav: Come on, tell us what you see, you can't pass an opportunity to score a point over me.

@Sob... is NATted from ISP...?

@dertyh
If you are not NATted from your ISP, your IP Cloud bAaOObSSIEbZ.sn.mynetname.net is resolveable to 9E.IS9.I9I.5A and is the same IP from you connect to the forum, and respond perfectly to ping.
But if your ISP NAT you, you can not open any WAN service... ask ISP first...

Unlikely, if it works with different router.

For Sob........

/tool mac-server mac-winbox
set allowed-interface-list=LAN

For Sob........

/tool mac-server mac-winbox
set allowed-interface-list=LAN

I changed the entry to:
set allowed-interface-list=all
still not working

@Sob... is NATted from ISP...?

@dertyh
If you are not NATted from your ISP, your IP Cloud bAaOObSSIEbZ.sn.mynetname.net is resolveable to 9E.IS9.I9I.5A and is the same IP from you connect to the forum, and respond perfectly to ping.
But if your ISP NAT you, you can not open any WAN service... ask ISP first...

This is my static public IP address (I'm paying for it). I turned off ICMP and the ping is no longer working.

DO NOT OPEN ADMIN INTRAFACE FROM INTERNET. EVEN FOR TEST

Use VPN to administrate your device from remote location.
If VPN can not be used, follow this list to make connection some more secure.

1. Use another port than default.
2. Use port knocking. This prevents someone from seeing open ports.
3. Use a long and good password.
4. Use access list to prevent any random internet from accessing your router.
5. Log everything. (See my signature for example.)
6. Upgrade firmware to latest stable release
7. Block all user for some time that do try an port that is not open
8. +++

3 different IP has tried to access one of my routers the last 24 hour, and this is an a calm day. And all 3 where added to the 24 hour block list, since they tried one port that was not open. (So there may be more tester out there since they are blocked on first non open port they try).
.

@anav
/tool mac-server mac-winbox can work only on local LAN ignoring how is set, (or WAN port, if you are directly linked...),
can not work on Internet, is based on MAC, not on IP...

Someone has considered what I have already wroted?

[...] some ISP (like me) for default are blocking incoming Winbox connections (and also http, ftp, telnet, dns, ntp, sql, rdp, netbios, smb, etc.) [...]

@rextended: Yes, but:

I am trying to understand why no service is available from WAN. I tried FTP, telnet, ssh. It is probably not the fault of the ISP - everything works on the Rmerlin router.

@OP
Rmelin router is an router you test instead of Mikrotik?

Do you have an public IP on your router?
See output of: To test if a port is open the easy way, you can go to:
https://canyouseeme.org/
and type in the port you are testing. Should respond with a green Success

@OP
Rmelin router is an router you test instead of Mikrotik?

Do you have an public IP on your router?
See output of:

Code: Select all

/ip address print

Yes:
Flags: I, D - DYNAMIC
Columns: ADDRESS, NETWORK, INTERFACE
# ADDRESS NETWORK INTERFACE
;;; defconf
0 192.168.0.1/24 192.168.0.0 bridge
1 I 192.168.200.1/24 192.168.200.0 *A
2 D 93.XXX.XXX.XXX/32 172.XXX.XXX.XXX pppoe-out1
I can ping this address 93.XXX.XXX.XXX from WAN (but now ICMP is disabled)


To test if a port is open the easy way, you can go to:
https://canyouseeme.org/
and type in the port you are testing. Should respond with a green Success

My scan: Error: I could not see your service on 93.XXX.XXX.XXX on port (8291)
When i have this in my firewall conf:
add action=accept chain=input comment=winbox connection-state="" dst-port=\
8291 in-interface-list=!LAN protocol=tcp
So I can't understand why it doesn't work.
And that's why I turned to the more experienced Mikrotik users in this forum for help.

Where do rmelin router come inn to play. Does it have 8291 port that you can access?
You have confirmed that ISP does not block 8291 in their net.

For test you can open port 8291, but should not be done for some in production. Use VPN.
And I do hope you do not use 7.3rc1 in production as vell, Its not a stable version and should be used to test only.

If you add this:
and then do any kind of access from internet (try different ports), does it log anything?