Josephny
Member
Topic Author
Posts: 493
Joined: Tue Sep 20, 2022 12:11 am

Locked out!

Sun Jan 22, 2023 12:29 am

I have a hAP ac3 at a remote site (100 miles away) and I'm locked out.

Interestingly, the Wireguard VPN is still working -- I can ping the VPN address of 10.10.100.12 as well as the remote private ip block 192.168.20.x (route/AP is 192.168.20.1).

But Winbox won't connect.

I'm pretty sure it's because I fiddled with the firewall settings.

Is there any way in?

Thank you!
 
chechito
Forum Guru
Posts: 3005
Joined: Sun Aug 24, 2014 3:14 am
Location: Bogota Colombia

Re: Locked out!

Sun Jan 22, 2023 1:10 am

If you see the device in IP Neighbors, maybe you can try MAC telnet.
 
Josephny
Member
Topic Author
Posts: 493
Joined: Tue Sep 20, 2022 12:11 am

Re: Locked out!

Sun Jan 22, 2023 9:35 am

Tried mac-telnet and it does not connect.

I think because I have this in my config:
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN
and I'm coming in on the "wireguard1" interface.

Anything else I can try?

Thank you.
 
jvanhambelgium
Forum Veteran
Posts: 989
Joined: Thu Jul 14, 2016 9:29 pm
Location: Belgium

Re: Locked out!

Sun Jan 22, 2023 10:01 am

So no other local device / server on site that you might use as a jumphost (SSH is enough)?
Unless of course that change you made to a firewall rule was significant enough to really block everything on the input chain...

If so, schedule a nice 100-mile trip, because there are no other remote "backdoors" then....
 
Jotne
Forum Guru
Posts: 3297
Joined: Sat Dec 24, 2016 11:17 am
Location: Magrathean

Re: Locked out!

Sun Jan 22, 2023 10:22 am

Do you know why you are locked out? Have you made any changes?
If no changes were made, is there someone close by who can power-cycle the device?
 
bpwl
Forum Guru
Posts: 2993
Joined: Mon Apr 08, 2019 1:16 am

Re: Locked out!

Sun Jan 22, 2023 12:30 pm

So no other local-device / server onsite that you might use as a jumphost (ssh is enough) ?
Elaborate on this. As you can ping hosts on the local LAN, maybe you can enter/use one of them.

That "jumphost" mentioned by @jvanhambelgium would be my attack vector. If it is a MT, there are multiple possibilities to explore besides SSH/Telnet, e.g.:
Set up a web proxy and enter the hAP ac3 through that proxy.
RoMON (but it needs to be activated on the hAP ac3 also).
Wireless station connection to the hAP ac3 AP (eventually after a hardware reset by someone, as long as the hAP ac3 is not delivering the WireGuard connection). MAC access is not enabled over wifi by default, but the standard IP should be usable with some NAT.
 
Josephny
Member
Topic Author
Posts: 493
Joined: Tue Sep 20, 2022 12:11 am

Re: Locked out!

Sun Jan 22, 2023 3:47 pm

Wow, this has turned into a very interesting and informative thread -- thank you all!

First, I am still at the beginning stages of my learning.

I think what happened is this:

I added a firewall ALLOW rule for winbox traffic in (port 8291). Then I read that doing this was a security risk.

Then I added a firewall ALLOW rule for all traffic from the public IP of the main site I am usually at. It's been pointed out that this is a security risk also.

Then I added a firewall ALLOW rule for the private IP range used at the main site I am usually at, thinking the VPN would protect me.

I then proceeded to disable each of these and tested it again from my main location and winbox continued to work. I suspect because it was allowed through as an existing connection.

Now that it has been a few days, it doesn't work.

What I did not have is the interface wireguard1 added to the LAN list of interfaces so that winbox would allow it.

/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=ether1 list=WAN
So, I think that is what happened.

As for what to do now:

The location has no wired devices and only a handful of wifi-connected devices, mostly cell phones, tablets and maybe a laptop. None of these items are owned by or controlled by me. Nor are they controlled by anyone with enough computer skill to install winbox, connect to the hAP and make a change.

Should I enable RoMon as a backdoor for next time I mess up?

I thought about a Ras-Pi as a backdoor, but it would probably take a higher level of security skill than I possess to protect the environment while still giving me a way in.

I don't understand the webproxy approach or the wifi path (if I'm within wifi distance, I can easily plug in a laptop in my case).

So, looks like a trip is in my near future.
 
jvanhambelgium
Forum Veteran
Posts: 989
Joined: Thu Jul 14, 2016 9:29 pm
Location: Belgium

Re: Locked out!

Sun Jan 22, 2023 4:38 pm

Then I guess it will be a 100 mile trip for you...not much other options it seems.
Perhaps in the future try to use Winbox SAFE-MODE while making such modifications from a remote location...
After that test the changes by initiating a new/fresh session
Only when 100% sure perform the commit.

viewtopic.php?t=50735
 
anav
Forum Guru
Posts: 19318
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Locked out!

Sun Jan 22, 2023 5:34 pm

/ip firewall filter
{Input Chain}
(default rules)
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
(user rules)

add action=accept chain=input src-address-list=Admin
( optional to add dst-port=xxxxxx,yyyyyy protocol=tcp {winbox & SSH ports} )
add action=accept chain=input comment="Allow LAN DNS queries-UDP" \
dst-port=53 in-interface-list=LAN protocol=udp
{and NTP *** services if required etc}
add action=accept chain=input comment="Allow LAN DNS queries - TCP" \
dst-port=53 in-interface-list=LAN protocol=tcp
add action=drop chain=input comment="drop all else"


WHERE:
/ip firewall address-list
add address=IP1 list=Admin (desktop)
add address=IP2 list=Admin (laptop)
add address=IP3 list=Admin (smartphone/ipad aka wifi connection)
add address=IP4 list=Admin (wireguard IP, coming in remotely)
 
Jotne
Forum Guru
Posts: 3297
Joined: Sat Dec 24, 2016 11:17 am
Location: Magrathean

Re: Locked out!

Sun Jan 22, 2023 8:06 pm

Winbox SAFE-MODE should be more visible. Like "Are you sure you want to change this filter rule without safe mode?" etc.
This way more would have seen the function. I have never locked myself out, but still use SAFE MODE for all remote work.
 
Josephny
Member
Topic Author
Posts: 493
Joined: Tue Sep 20, 2022 12:11 am

Re: Locked out!

Sun Jan 22, 2023 8:16 pm

Then I guess it will be a 100 mile trip for you...not much other options it seems.
Perhaps in the future try to use Winbox SAFE-MODE while making such modifications from a remote location...
After that test the changes by initiating a new/fresh session
Only when 100% sure perform the commit.

viewtopic.php?t=50735
I didn't know about SAFE-MODE. Read a little bit and it looks great. Thank you!
 
Josephny
Member
Topic Author
Posts: 493
Joined: Tue Sep 20, 2022 12:11 am

Re: Locked out!

Sun Jan 22, 2023 8:20 pm

/ip firewall filter
{Input Chain}
(default rules)
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
(user rules)

add action=accept chain=input src-address-list=Admin
( optional to add dst-port=xxxxxx,yyyyyy protocol=tcp {winbox & SSH ports} )
add action=accept chain=input comment="Allow LAN DNS queries-UDP" \
dst-port=53 in-interface-list=LAN protocol=udp
{and NTP *** services if required etc}
add action=accept chain=input comment="Allow LAN DNS queries - TCP" \
dst-port=53 in-interface-list=LAN protocol=tcp
add action=drop chain=input comment="drop all else"


WHERE:
/ip firewall address-list
add address=IP1 list=Admin (desktop)
add address=IP2 list=Admin (laptop)
add address=IP3 list=Admin (smartphone/ipad aka wifi connection)
add address=IP4 list=Admin (wireguard IP, coming in remotely)

Hi Anav -- thank you so much for your help.

Must the IP addresses above (IP1, IP2, IP3) be individual or can they be networks, like I have in the code below?

It looks like this can be achieved with FIREWALL ADDRESS-LIST or INTERFACE LIST.

Is one better than the other:

/interface list member
add interface=212-Wireguard list=LAN

/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN

Or:
/ip firewall address-list
add address=192.168.0.0/16 list=admin
add address=10.10.100.0/24 list=admin


/ip firewall filter
add action=accept chain=input src-address-list=Admin
 
anav
Forum Guru
Posts: 19318
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Locked out!

Sun Jan 22, 2023 8:53 pm

There are several places one has to think about for winbox usage.

The most important settings are done in the INPUT CHAIN.
Here is where it is best to get granular as shown via an IP address.
This gives you visible control that is easy to administer, modify etc....

First and foremost, however is ensuring you are allowing the admin to configure the router. That is why you see on the input chain
an approved list of users whilst all other users LAN-INTERFACE-LIST get the services from the router they need like DNS.
You will note the above way of allowing users means that you don't have to display the winbox port on firewall config you share.

The second spot at least for winbox and also SSH is where you set the WINBOX PORT, and do change it from the default!!!!! Under IP SERVICES.
There is a column entry for available from. This is a good spot to put the subnets you will be coming from, in other words the subnets that your specific IPs were taken from.
Then one can change the IP addresses in the source address list and if from the same subnet, no need to change it...........

Finally we get to winbox mac server, since this has to be set to an interface list...............
its best to make it separate such as calling it management or CONFIG

The interface list should include all members (subnets) that are in your ALLOW settings under IP services.....

So you can see there are a gazillion combinations that will work.
No entry in the ALLOW section of IP services, means that you only have to worry about winbox macserver and input chain firewall rules.
If you remove the mac server rule, then there are no limitations/restrictions by win-box mac server.

Thus with all said and done, the basic starting point for me is the firewall address list in the input chain.............
Then consider the others as you see fit.


One other place to control config access is the System Users.......
 
Josephny
Member
Topic Author
Posts: 493
Joined: Tue Sep 20, 2022 12:11 am

Re: Locked out!

Sun Jan 22, 2023 9:32 pm



The most important settings are done in the INPUT CHAIN.
Here is where it is best to get granular as shown via an IP address.
This gives you visible control that is easy to administer, modify etc....

By "granular" do you mean specific IP addresses instead of networks (such as /24)?

I assume that the reason is to prevent access to the MT equipment by users who are authorized on the /24 subnet but not authorized to configure the router.


First and foremost, however is ensuring you are allowing the admin to configure the router. That is why you see on the input chain
an approved list of users whilst all other users LAN-INTERFACE-LIST get the services from the router they need like DNS.
You will note the above way of allowing users means that you dont have to display the winbox port on firewall config you share.

Sorry, I don't get this. Where is the list of users on an input chain?


The second spot at least for winbox and also SSH is where you set the WINBOX PORT, and do change it from the default!!!!! Under IP SERVICES.
There is a column entry for available from. This is a good spot to put the subnets you will be coming from, in other words the subnets that your specific IPs were taken from.
Then one can change the IP addresses in the source address list and if from the same subnet, no need to change it...........

I see /ip/services and the ability to change the port numbers associated with specific services. And I see that I can identify which subnets can access those services.

Do the subnets identified in /ip/services supersede firewall rules? That is, if I put 192.168.2.0/24 as an "available from" subnet for the winbox service, do I not need any further firewall or interface-list commands? Or are these settings subservient to the firewall rules?



Finally we get to winbox mac server, since this has to be set to an interface list...............
its best to make it separate such as calling it managment or CONFIG

The interface list should include all members (subnets) that are in your ALLOW settings under IP services.....


So the interface that 192.168.2.0/24 comes in on needs to be specified in the winbox mac server setting also?
 
anav
Forum Guru
Posts: 19318
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Locked out!

Mon Jan 23, 2023 3:28 am

The list of users, I speak of on the input chain is the firewall address list containing the IPs that the admin is likely going to be accessing the config from.
Yes granular means individual IPs. The only other group list is the interface-list=LAN which should comprise all the users that need access to router services such as DNS.........

So before looking at the other side entry arguments let me state that if nothing else you should do the input chain properly.
Thus only admin should be able to have access to config the router period...........

The side entry arguments are not subservient they are simply separate but I would not rely on them for security to bypass firewall rules.
Instead leave them blank if they are too much trouble to figure out.

In both cases what I would do is put in the subnets the admin will be coming from in the systems winbox ALLOW column (based on the admin firewall list for the input chain rule)
On the winbox mac server I will ensure all interfaces that the admin may come in on are identified as a separate interface list name...........

In summary,
if you do nothing else ensure the input chain rules are good.
If you want more layers add winbox allow addresses and winbox mac server etc........
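A dry-run model of the layered checks anav describes (input chain first-match, then the mac-server interface list), added here as an example that is neither the thread's nor MikroTik's own code: it takes the rule order from anav's post and the OP's WireGuard address 10.10.100.12, and assumes a constructed main-site IP 203.0.113.10 as the only Admin entry, to show why an existing Winbox session kept working while a fresh one is dropped and MAC telnet over wireguard1 fails.

```python
# Added model of anav's input chain and the mac-server interface check
# (not MikroTik code): dry-run "will a fresh admin session get in?"
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

@dataclass
class Packet:
    src: str                 # source IP address
    in_iface: str            # interface the packet arrived on
    proto: str               # "tcp", "udp" or "icmp"
    dst_port: int = 0
    conn_state: str = "new"  # "new", "established", "related", "invalid"

LAN_IFACES = {"bridge"}      # defconf: /interface list member interface=bridge list=LAN
WINBOX_PORT = 8291

def build_input_chain(admin_nets):
    """Rules in the order anav posted them; first match wins, like RouterOS."""
    def lan_dns(p, proto):
        return p.proto == proto and p.dst_port == 53 and p.in_iface in LAN_IFACES
    return [
        (lambda p: p.conn_state in ("established", "related", "untracked"), "accept"),
        (lambda p: p.conn_state == "invalid", "drop"),
        (lambda p: p.proto == "icmp", "accept"),
        # src-address-list=Admin: the address list holding the admin's IPs
        (lambda p: any(ip_address(p.src) in ip_network(n) for n in admin_nets), "accept"),
        (lambda p: lan_dns(p, "udp"), "accept"),
        (lambda p: lan_dns(p, "tcp"), "accept"),
        (lambda p: True, "drop"),  # "drop all else"
    ]

def input_chain(p, admin_nets):
    for match, action in build_input_chain(admin_nets):
        if match(p):
            return action
    return "accept"  # RouterOS accepts when no rule in the chain matches

def mac_winbox_allowed(iface, allowed_ifaces=LAN_IFACES):
    """/tool mac-server mac-winbox allowed-interface-list=LAN, as in the OP's config."""
    return iface in allowed_ifaces

def lockout_check(admin_src, admin_iface, admin_nets):
    """Dry run before committing: a new Winbox session vs. one conntrack already knows."""
    fresh = Packet(admin_src, admin_iface, "tcp", WINBOX_PORT, "new")
    existing = Packet(admin_src, admin_iface, "tcp", WINBOX_PORT, "established")
    return {
        "fresh_session": input_chain(fresh, admin_nets),
        "existing_session": input_chain(existing, admin_nets),
        "mac_winbox": mac_winbox_allowed(admin_iface),
    }

if __name__ == "__main__":
    # OP's case (constructed main-site IP only in Admin; wireguard1 not in LAN), then the fix
    print(lockout_check("10.10.100.12", "wireguard1", ["203.0.113.10/32"]))
    print(lockout_check("10.10.100.12", "wireguard1", ["203.0.113.10/32", "10.10.100.0/24"]))
```

Run the check against the intended rule set before committing (or inside safe mode); a "drop" on fresh_session while existing_session says "accept" is exactly the delayed lockout the OP hit.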
 
bpwl
Forum Guru
Posts: 2993
Joined: Mon Apr 08, 2019 1:16 am

Re: Locked out!

Mon Jan 23, 2023 1:50 pm

The location has no wired devices and only a handful of wifi-connected devices, mostly cell phones, tablets and maybe a laptop. None of these items are owned by or controlled by me. Nor are they controlled by anyone with enough computer skill to install winbox, connect to the hAP and make a change.
Actually the only thing "anyone" has to do is to set up a shared desktop on their device for a short time when connected to your LAN. With the shared credentials you can take over that device and log in to the hAP. (telnet, Hyper Terminal, PuTTY (on a stick), browser, ....)

Desktop sharing can be done just with the browser, with sites like GoToMyPC or alternatives. There is no need to install something on that laptop; he just has to share GoToMyPC credentials. (Corporate issue: no-install, user-initiated backdoor to the corporate LAN.) TeamViewer needs install, just as LogMeIn, but there are many many others, like this list and much more .... https://www.g2.com/products/gotomypc/co ... ternatives
 
Josephny
Member
Topic Author
Posts: 493
Joined: Tue Sep 20, 2022 12:11 am

Re: Locked out!

Tue Jan 24, 2023 2:46 am

The location has no wired devices and only a handful of wifi-connected devices, mostly cell phones, tablets and maybe a laptop. None of these items are owned by or controlled by me. Nor are they controlled by anyone with enough computer skill to install winbox, connect to the hAP and make a change.
Actually the only thing "anyone" has to do is to set up a shared desktop on their device for a short time when connected to your LAN. With the shared credentials you can take over that device and log in to the hAP. (telnet, Hyper Terminal, PuTTY (on a stick), browser, ....)

Desktop sharing can be done just with the browser, with sites like GoToMyPC or alternatives. There is no need to install something on that laptop; he just has to share GoToMyPC credentials. (Corporate issue: no-install, user-initiated backdoor to the corporate LAN.) TeamViewer needs install, just as LogMeIn, but there are many many others, like this list and much more .... https://www.g2.com/products/gotomypc/co ... ternatives
You did it!

I had someone go over, connect via WiFi and install TeamViewer.

I then connected remotely via TeamViewer, downloaded winbox, made my changes, and now I have access again!

While waiting, I implemented those changes at the 3 other sites I have.

Great solution. Thank you.
