Hello.
I have what I feel is a very basic configuration but I just applied this configuration to a new RB4011 and after I do that it is random as to whether I can login by IP after that. Sometimes I can from a windows box, sometimes I can't. Sometimes I can login from a linux box using wine and sometimes I can't. When i can't login I get the message about the router not supporting a secure connection. Even if I switch to legacy mode I cannot login. In legacy mode it just sits trying to login but never succeeds. I can connect by MAC without any issues and the DHCP on ether 10 is working as I do get an IP assigned.
(I have also temporarily configured ether9 the same as ether10 so I can connect both linux and windows machines at the same time while testing)

This configuration is applied to my RB760iGS and is working currently. I wanted to upgrade the device to have more ports and better hardware.

Very simply what I am trying to do is have 5 VLANs (plus a management VLAN)
Ether 1 will be WAN
Ether 2 and 3 will be trunk connections to other managed devices (They are already there and working with my RB760iGS)
Ether 10 will be an access port to use for management when needed.
Other trunk or access ports will be added as needed to expand the system throughout the house.

Running winbox 3.37 connecting to RB4011 running ROS 7.6

I have been researching and searching the forums trying to understand what would cause this message and why it would be so intermittent. Please help educate me and point me to information if something I'm doing is wrong.

Thanks so much!
Jeff

Hi.
Please see if moving the rule to the top of the list solves the problem:

add action=accept chain=input comment="Allow MGMT devices full access" \
in-interface-list=MGMT_LIST

You also have MGMT_VLAN assigned to two lists

add interface=MGMT_VLAN list=MGMT_LIST
add interface=MGMT_VLAN list=LAN

possibly add ether 10 to MGMT_LIST

Hi.
Please see if moving the rule to the top of the list solves the problem:

add action=accept chain=input comment="Allow MGMT devices full access" \
in-interface-list=MGMT_LIST

You also have MGMT_VLAN assigned to two lists

add interface=MGMT_VLAN list=MGMT_LIST
add interface=MGMT_VLAN list=LAN

possibly add ether 10 to MGMT_LIST

Thank you piotrchm93 for the response.

I did go ahead and try this. I don't believe it has to do with firewall rules. Even after these changes there is no change to being able to login. I also deactivated all firewall rules (the router is not connected to internet just yet) just to check if any of them might be causing it. Still no luck.

In my current load of the config to the router the linux box can see both IP addresses for the MGMT_VLAN and the BR bridge (sometimes the bridge IP doesn't show up in a refresh), but when trying to login to the MGMT_VLAN ip I get the message.
ERROR: router does not support secure connection, please enable Legacy Mode if you want to connect anyway

Again, selecting the MAC address logs right in with no issues.

I thought maybe it was an issue with the clock time not being close to my system time but I have manually updated the time and still no luck.

Jeff

Just trying to troubleshoot this and figure out any sort of rhyme or reason.

I have been doing system resets and reapplying the configuration script on reboot. Sometimes I can connect by IP, other times I cannot. I cannot find any sort of pattern. I thought I had traced it to the cache in winbox and shutting down winbox between resets but then I got the router does not support secure connection message while doing that.

Recently I started testing connecting to webfig when having this issue. So far it has matched that when i get the secure connection message in winbox I cannot even connect to webfig in a browser. I'm really hoping I can get an understanding of what is happening here. I don't know why applying the same configuration file can lead to different results each time. Would love to know some settings to compare on a good reboot vs. a bad reboot to see what might be happening.

Hope some of this might spark an idea from someone.

Thanks again.
Jeff

Note, I have not looked at your config yet.

What version was the RB760 and what version is the 4011?

In a lot of cases, a simple export from one device and import into a different type of device does not work all that well. Different devices sometimes have different specific config requirements.

Also confirm that you are not trying to use a backup and restore? That should only be used on the same device - not just same type, but the same device.

The RB760 is running 6.49.7 right now.

Running winbox 3.37 connecting to RB4011 running ROS 7.6

I am not using a backup and restore. The script file was created and uploaded to the RB4011 to run after a reset. I don't think there is anything in the script that is out of the ordinary from simple VLAN and dchp for each VLAN.

ROS 6 and ROS 7 have some quite substantial differences. Make sure you understand them.
Part of why my 4011 is still running ROS 6...

I uploaded your configuration to CHR for a test... and there is indeed a problem with the connection. I'll try to look at it, although as you wrote it looks very simple...

ROS 6 and ROS 7 have some quite substantial differences. Make sure you understand them.
Part of why my 4011 is still running ROS 6...

That's part of why I didn't just apply the config and replace the devices. I'm trying to install from scratch again in parallel and make sure I understand the new device before it goes into production.

I uploaded your configuration to CHR for a test... and there is indeed a problem with the connection. I'll try to look at it, although as you wrote it looks very simple...

Thanks for looking piotrchm93.

I did a little more troubleshooting this morning. I removed config items that I thought might be causing the problem then added back after a few restarts without issues. It seems that the offending issue is assigning an IP address to the bridge BR1.

/ip address add address=10.14.120.9/24 interface=BR1 network=10.14.120.0

If I have this in then I get the intermittent issue of the security message when connecting by IP. If I disable the address then the affected system can login without issue. Re-enable the IP and the login issue comes back.

Unfortunately my notes aren't great as to why I had that address added in production. I did purposely leave out my capsman and wifi config on the new device because I wanted to make sure things were working one step at a time. I also wanted to revisit my capsman config because I think it might be overly complicating my environment but that's a topic for a different post.

So other than me not knowing why I have an IP added to BR1, why would that cause an issue with logging in to the RB4011 and the secure error?

Jeff