 
MildlyOffensive
just joined
Topic Author
Posts: 5
Joined: Tue Mar 07, 2023 12:25 am

Mikrotik Admin Access in Existing Network

Tue Mar 07, 2023 12:33 am

I have a new stock Mikrotik hAP ac2 that I am placing within my existing network to handle VLANs and isolate an IP camera system from the Internet.

I was unable to access the administration web page or administration from Winbox through the WAN port or any other port that uses an automatic DHCP address from the upstream router.

I added firewall rules to allow web and Winbox access but administration was still inaccessible.

I was finally able to access administration from the WAN port by moving WAN (Ether1) into the LAN bridge.

While this may not matter in this specific case where the Mikrotik router in question is behind another router's firewall, this would seem to be a bad security practice in general in a typical modem>router>LAN configuration. Am I correct in believing that this configuration would allow WAN access into the LAN unrestricted other than by the existing firewall rules on the specific WAN port/group, or would the typical firewall settings be sufficient for securing this type of setup?

Also, should this process of allowing administration access to the WAN and other ports have been done another way?
 
anav
Forum Guru
Posts: 19099
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Mikrotik Admin Access in Existing Network

Tue Mar 07, 2023 11:22 pm

A. So the MT is a second router behind the ISP router?
B. Can you port forward to the MT router?
C. Why are you accessing the MT router from the ISP router, vice from the MT itself?
D. Are you trying to access the MT router from the ISP router's WAN IP???
 
MildlyOffensive
just joined
Topic Author
Posts: 5
Joined: Tue Mar 07, 2023 12:25 am

Re: Mikrotik Admin Access in Existing Network

Wed Mar 08, 2023 12:00 am

A. So the MT is a second router behind the ISP router?
The full network architecture is a little complicated due to untrusted devices I have.
Modem > (Mikrotik RB4011) > (Asus RT-AX86U) > (Mikrotik hAP ac2)
The Mikrotik RB4011 has some devices attached I don't fully trust that are to be isolated from the private LAN. The Asus provides wireless, but is not VLAN aware. I have IP cameras that are currently on the Asus, but I would like to isolate these from the Internet and private LAN and allow connections to be initiated only from the private LAN or VPN to the cameras, which is why I am adding the hAP ac2. I plan to be able to VPN to the LAN to access the cameras from remote locations.

B. Can you port forward to the MT router?
Ultimately yes, but it would be through multiple routers.

C. Why are you accessing the MT router from the ISP router, vice from the MT itself?
I would eventually like to be able to do router administration on the RB4011 remotely. Ultimately the issue is that I don’t fully understand best practices as to correctly setting up the firewall for the Mikrotik ecosystem. I was under the impression years ago that Mikrotik did not have Stateful Packet Inspection and instead relied on firewall filter rules. It seems that in either case Mikrotik currently does have SPI, but I am still concerned about opening up the firewall too much, which is why I have the double router situation. The hAP ac2 is behind the private LAN, but ideally everything would be arranged around the RB4011.

D. Are you trying to access the MT router from the ISP router's WAN IP???
To some extent, yes. I am often remote and would like to be able to make changes from the internet side while minimizing security issues. The way I usually do that is to have a device inside the firewall and VPN to that.
 
k6ccc
Forum Guru
Posts: 1490
Joined: Fri May 13, 2016 12:01 am
Location: Glendora, CA, USA (near Los Angeles)

Re: Mikrotik Admin Access in Existing Network

Wed Mar 08, 2023 12:13 am

If I'm understanding what you are trying to do, you are making it really far more complex than it needs to be. Set up the 4011 with several LANs or VLANs that segregate your untrusted devices. Use the ASUS strictly as a WiFi access point - NOT a router. Forget adding the hAP. If you run out of physical ports, use a switch. If it is a VLAN aware switch, it can have several VLANs so you have ports for your trusted and untrusted devices. Put all the smarts into the 4011 (a fine router - that's what I have as my primary router).
Router behind router behind router just complicates the works...
 
anav
Forum Guru
Posts: 19099
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Mikrotik Admin Access in Existing Network

Wed Mar 08, 2023 12:50 am

Concur with K6.

This is not too difficult. Assuming one thing: you can reach the RB4011.
This means the ISP modem router in front of the RB4011 gets a public IP! Can you confirm? And that you have access to port forward ports to the RB4011.

If so then we will use wireguard to provide remote access to the RB4011.
As stated the ASUS will be put on a vlan on the RB4011. It doesn't have to read vlan tags because we will untag the data going to the ASUS and then tag the traffic coming from the ASUS.

The vlan nature of all subnets on the RB4011, including the private network, will ensure isolation at layer 2 (MAC address).
With forward chain rules we will ensure isolation between vlans at layer 3 (IP address).

Not to worry all very doable.
The best thing for you to do is create a network diagram showing all the equipment and which vlans you want going on which port. etc.
To PC, to ASUS, managed switch etc..

The hapac makes an excellent AP/SWITCH as well if you need more ports or want additional wifi that is for private or untrusted use (as the hapac does handle vlans).
 
MildlyOffensive
just joined
Topic Author
Posts: 5
Joined: Tue Mar 07, 2023 12:25 am

Re: Mikrotik Admin Access in Existing Network

Wed Mar 08, 2023 1:49 am

I agree that the network architecture should ultimately be simplified, but the hAP admin question still remains.

I can access the hAP admin from any computer directly attached to any of the hAP LAN ports, but if the hAP takes a dynamic address (192.168.10.45) from the upstream router, I then cannot access admin from a computer on the 192.168.10.0 network regardless of which port the uplink is on the hAP (WAN or LAN). I have tried addresses 192.168.10.45 and the default 192.168.88.1. Winbox detects the hAP on 192.168.88.1, but it is not accessible.

I can communicate and do file transfers from a computer directly attached to the hAP with address 192.168.88.10 to computers on 192.168.10.0 network.

I was able to get admin from 192.168.10.0 network working, but only after moving the WAN port into the LAN bridge.

Is this normal behavior with a dynamic IP address or is there another way to allow admin access?
 
MildlyOffensive
just joined
Topic Author
Posts: 5
Joined: Tue Mar 07, 2023 12:25 am

Re: Mikrotik Admin Access in Existing Network

Wed Mar 08, 2023 1:52 am

@anav
Yes, the modem receives a dynamic public IP address from the ISP (Comcast Cable). It is my privately owned cable modem but is not VLAN aware.
 
anav
Forum Guru
Posts: 19099
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Mikrotik Admin Access in Existing Network

Wed Mar 08, 2023 1:55 am

Again, no diagram, it's all gibberish, as you never explain yourself clearly where networks reside...
There is no issue in accessing the hapac when behind the hapac, it's simple, it works, if you know what you are doing.
If you mean accessing the hapac from in front of the hapac, then that is also possible......
If you have the hapac behind an MT device its even easier.

In other words your concerns are nothing burgers........
 
k6ccc
Forum Guru
Posts: 1490
Joined: Fri May 13, 2016 12:01 am
Location: Glendora, CA, USA (near Los Angeles)

Re: Mikrotik Admin Access in Existing Network

Wed Mar 08, 2023 2:17 am

Is this normal behavior with a dynamic IP address or is there another way to allow admin access?

It is entirely based on how the router is configured. You can allow or disallow whatever access you want based on the router configuration.

As anav said, a network drawing would be helpful and your configuration is needed.
To export and paste your configuration (and I'm assuming you are using WebFig or Winbox), open a terminal window, and type (without the quotes) "/export hide-sensitive file=any-filename-you-wish". Then open the files section and right click on the filename you created and select download in order to download the file to your computer. It will be a text file with whatever name you saved to with an extension of .rsc. Suggest you then open the .rsc file in your favorite text editor and redact any sensitive information. Then in your message here, click the code display icon in the toolbar above the text entry (the code display icon is the 7th one from the left and looks like a square with a blob in the middle). Then paste the text from the file in between the two code words in brackets.
 
MildlyOffensive
just joined
Topic Author
Posts: 5
Joined: Tue Mar 07, 2023 12:25 am

Re: Mikrotik Admin Access in Existing Network

Wed Mar 08, 2023 8:46 am

I think I have the issue figured out.
It seems Admin access will not be enabled on a port unless the port is assigned to a Bridge under Bridge>Bridge AND also assigned to an interface list under Interfaces>Interface List. This seems to apply both to IP Address connections & MAC Address connections to the router (in WinBox).

In my earlier attempts, I had to move the WAN port into the LAN Bridge in order to enable WebFig & Winbox admin over ether1 (WAN) port. This worked since it gave ether1 an entry on the Bridge page.

Current Configuration:
# mar/06/2023 23:13:10 by RouterOS 6.49.7
# software id = EZH7-EEL2
#
# model = RBD52G-5HacD2HnD
/interface bridge
add comment="Remove later" name=Bridge_WAN
add admin-mac=18:FD:74:DD:09:6B auto-mac=no comment=defconf name=bridge
add comment="Management port" name=bridge2
/interface wireless
set [ find default-name=wlan1 ] band=2ghz-b/g/n channel-width=20/40mhz-XX \
    distance=indoors frequency=auto installation=indoor mode=ap-bridge ssid=\
    MikroTik-DD096F wireless-protocol=802.11
set [ find default-name=wlan2 ] band=5ghz-a/n/ac channel-width=\
    20/40/80mhz-XXXX distance=indoors frequency=auto installation=indoor \
    mode=ap-bridge ssid=MikroTik-DD0970 wireless-protocol=802.11
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip hotspot profile
set [ find default=yes ] html-directory=hotspot
/ip pool
add name=default-dhcp ranges=192.168.88.10-192.168.88.254
add name=dhcp_pool1 ranges=192.168.80.2-192.168.80.254
add name=dhcp_pool2 ranges=192.168.70.2-192.168.70.254
/ip dhcp-server
add address-pool=default-dhcp disabled=no interface=bridge name=defconf
add address-pool=dhcp_pool1 disabled=no interface=bridge2 name=dhcp1
add address-pool=dhcp_pool2 disabled=no interface=Bridge_WAN name=dhcp2
/interface bridge port
add bridge=bridge comment=defconf interface=ether2
add bridge=bridge comment=defconf interface=ether3
add bridge=bridge comment=defconf interface=ether4
add bridge=bridge2 comment=defconf interface=ether5
add bridge=bridge comment=defconf disabled=yes interface=wlan1
add bridge=bridge comment=defconf disabled=yes interface=wlan2
add bridge=Bridge_WAN comment="Remove later" interface=ether1
/ip neighbor discovery-settings
set discover-interface-list=LAN
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=ether1 list=WAN
add interface=bridge2 list=LAN
/ip address
add address=192.168.88.1/24 comment=defconf disabled=yes interface=bridge \
    network=192.168.88.0
add address=192.168.80.1/24 interface=bridge2 network=192.168.80.0
add address=192.168.70.1/24 interface=Bridge_WAN network=192.168.70.0
/ip dhcp-client
# DHCP client can not run on slave interface!
add comment=defconf disabled=no interface=ether1
/ip dhcp-server network
add address=192.168.70.0/24 dns-server=8.8.8.8 gateway=192.168.70.1
add address=192.168.80.0/24 dns-server=8.8.8.8 gateway=192.168.80.1
add address=192.168.88.0/24 comment=defconf dns-server=192.168.88.1 gateway=\
    192.168.88.1
/ip dns
set allow-remote-requests=yes
/ip dns static
add address=192.168.88.1 comment=defconf name=router.lan
/ip firewall filter
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=accept chain=input comment="WinBox Wan Administration" dst-port=\
    8291 protocol=tcp
add action=accept chain=input comment="HTTP WAN Admin" dst-port=80 protocol=\
    tcp
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment=\
    "defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
    in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
    ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
    ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
    connection-state=established,related
add action=accept chain=forward comment=\
    "defconf: accept established,related, untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
add action=drop chain=forward comment=\
    "defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
    connection-state=new in-interface-list=WAN
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" \
    ipsec-policy=out,none out-interface-list=WAN
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN
 
k6ccc
Forum Guru
Posts: 1490
Joined: Fri May 13, 2016 12:01 am
Location: Glendora, CA, USA (near Los Angeles)

Re: Mikrotik Admin Access in Existing Network

Wed Mar 08, 2023 5:06 pm

It seems Admin access will not be enabled on a port unless the port is assigned to a Bridge under Bridge>Bridge AND also assigned to an interface list under Interfaces>Interface List. This seems to apply both to IP Address connections & MAC Address connections to the router (in WinBox).
That may be the case with the way YOU have it configured, but is not a general requirement. For example, I don't have a bridge at all in my primary router, nor are there any interface list based allowances on router access other than allowed packets can not be on the WAN interface list. There are other restrictions on router access, but not interface list based.
Thank you for posting your config. I will look at it shortly...
 
anav
Forum Guru
Posts: 19099
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Mikrotik Admin Access in Existing Network

Thu Mar 09, 2023 2:11 am

Winbox is controlled or not by several choices.

(1) One is the /tool mac-server mac-winbox
I typically set this to
set allowed-interface-list=MGMT

Where I have
/interface list
add name=WAN
add name=LAN
add name=MGMT
/interface list member
add interface=vlanX list=LAN
add interface=vlanY list=LAN
add interface=vlanZ list=LAN
add interface=vlanX list=MGMT
(where vlanX is the trusted vlan and where all smart devices such as managed switches or other MT devices get their IP address from, and thus limit winbox access from)

(2) This is besides IP addresses or subnets you can put in winbox services column for allowed IPs.........

(3) This is besides the input chain, where once again I limit access to winbox by
add chain=input action=accept in-interface-list=MGMT src-address-list=Authorized

Where Authorized is a list of static IPs (set static in dhcp leases) for all admin devices and also may include fixed ips such as remote wireguard assigned IPs.

So right there we have three different control spots for winbox alone.
The first step is changing the winbox default to something different!!

Another step is using IP Neighbors discovery in this schema.
/ip neighbor discovery-settings
set discover-interface-list=MGMT

Again, this allows winbox to work seamlessly across all MT devices in a network.

Note, I don't count the user password login, but that's another security part of the picture.
 
anav
Forum Guru
Posts: 19099
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Mikrotik Admin Access in Existing Network

Thu Mar 09, 2023 2:14 am

This is not a secure access method and should be set to NONE.
/tool mac-server
set allowed-interface-list=LAN
