gcs
Member Candidate
Topic Author
Posts: 145
Joined: Tue May 18, 2010 10:06 pm
Location: Tyler, Texas USA

can't ping or telnet or winbox into RB711-2Hn

Thu Dec 08, 2011 5:22 pm

I just got my RB711-2Hn and they are running ROS 5.6. I set them up the usual way. I have my entire network running 4.17 and have good luck with them. With this new board and ROS I am having problems. I can't ping the CPE (711) or telnet or connect with winbox.

I don't know if it is the RB711 or the new ROS. I suspect the new ROS is the problem. I am sure I just don't have some setting correct. The CPE works fine, I just can't get to it remotely to manage it.

Any help will be welcome.
 
fewi
Forum Guru
Posts: 7734
Joined: Tue Aug 11, 2009 3:19 am

Re: can't ping or telnet or winbox into RB711-2Hn

Thu Dec 08, 2011 5:52 pm

There's something wrong with your config. What exactly is wrong is hard to troubleshoot without seeing the configuration. Post the output of "/ip address print detail", "/ip route print detail", "/interface print detail", "/ip service print detail", and "/ip firewall export" together with a network diagram and a detailed explanation of how you're trying to access the CPE (from what source IP to what destination IP, protocol used, etc).
Specific answers require specific questions. When in doubt, post the output of "/ip address print detail", "/ip route print detail", "/interface print detail", "/ip firewall export", and an accurate network diagram.
 
gcs
Member Candidate
Topic Author
Posts: 145
Joined: Tue May 18, 2010 10:06 pm
Location: Tyler, Texas USA

Re: can't ping or telnet or winbox into RB711-2Hn

Thu Dec 08, 2011 6:18 pm

Is there a way to cut and paste from terminal? All I can do is a screen capture and import to PAINT. Not sure how to attach the jpeg to this post.
 
fewi
Forum Guru
Posts: 7734
Joined: Tue Aug 11, 2009 3:19 am

Re: can't ping or telnet or winbox into RB711-2Hn

Thu Dec 08, 2011 6:24 pm

Of course. Select the text, right click, copy, then paste here. Just like any other text.
 
gcs
Member Candidate
Topic Author
Posts: 145
Joined: Tue May 18, 2010 10:06 pm
Location: Tyler, Texas USA

Re: can't ping or telnet or winbox into RB711-2Hn

Thu Dec 08, 2011 6:26 pm

[admin@MikroTik] > ip add pr det
Flags: X - disabled, I - invalid, D - dynamic
0 ;;; default configuration
address=192.168.88.1/24 network=192.168.88.0 interface=ether1-local actual-interface=ether1-local

1 address=74.113.211.8/27 network=74.113.211.0 interface=wlan1-gateway actual-interface=wlan1-gateway
[admin@MikroTik] > ip rou pr det
Flags: X - disabled, A - active, D - dynamic, C - connect, S - static, r - rip, b - bgp, o - ospf, m - mme,
B - blackhole, U - unreachable, P - prohibit
0 A S dst-address=0.0.0.0/0 gateway=74.113.211.30 gateway-status=74.113.211.30 reachable wlan1-gateway distance=1 scope=30
target-scope=10

1 ADC dst-address=74.113.211.0/27 pref-src=74.113.211.8 gateway=wlan1-gateway gateway-status=wlan1-gateway reachable
distance=0 scope=10

2 ADC dst-address=192.168.88.0/24 pref-src=192.168.88.1 gateway=ether1-local gateway-status=ether1-local reachable
distance=0 scope=10
[admin@MikroTik] > int pr det
Flags: D - dynamic, X - disabled, R - running, S - slave
0 R name="wlan1-gateway" type="wlan" mtu=1500 l2mtu=2290

1 R name="ether1-local" type="ether" mtu=1500 l2mtu=1598 max-l2mtu=2030
[admin@MikroTik] > ip ser pr det
Flags: X - disabled, I - invalid
0 name="telnet" port=23

1 name="ftp" port=21

2 name="www" port=80

3 name="ssh" port=22

4 X name="www-ssl" port=443 certificate=none

5 X name="api" port=8728

6 name="winbox" port=8291
[admin@MikroTik] > ip fire exp
# dec/08/2011 10:07:26 by RouterOS 5.6
# software id = 3AH7-DP72
#
/ip firewall connection tracking
set enabled=yes generic-timeout=10m icmp-timeout=10s tcp-close-timeout=10s tcp-close-wait-timeout=10s \
tcp-established-timeout=1d tcp-fin-wait-timeout=10s tcp-last-ack-timeout=10s tcp-syn-received-timeout=5s \
tcp-syn-sent-timeout=5s tcp-syncookie=no tcp-time-wait-timeout=10s udp-stream-timeout=3m udp-timeout=10s
/ip firewall filter
add action=accept chain=input comment="default configuration" disabled=no protocol=icmp
add action=accept chain=input comment="default configuration" connection-state=established disabled=no
add action=accept chain=input comment="default configuration" connection-state=related disabled=no
add action=drop chain=input comment="default configuration" disabled=no in-interface=wlan1-gateway
/ip firewall nat
add action=masquerade chain=srcnat comment="default configuration" disabled=no out-interface=wlan1-gateway
/ip firewall service-port
set ftp disabled=no ports=21
set tftp disabled=no ports=69
set irc disabled=no ports=6667
[admin@MikroTik] >
[admin@MikroTik] >



I have this one on my test bench connected to my Mikrotik AP here at the office. Its real address is shown so you can try to winbox or telnet in. 74.113.211.8 admin and no password
 
gcs
Member Candidate
Topic Author
Posts: 145
Joined: Tue May 18, 2010 10:06 pm
Location: Tyler, Texas USA

Re: can't ping or telnet or winbox into RB711-2Hn

Thu Dec 08, 2011 6:45 pm

I even downgraded one of my live 711-2hn in the field to 4.17 and it does the same thing. It works fine but you can't ping or telnet to it. I still suspect some setting stayed the same even after I downgraded it to 4.17. I need to see what setting is causing this.

Thanks for your help!
 
fewi
Forum Guru
Posts: 7734
Joined: Tue Aug 11, 2009 3:19 am

Re: can't ping or telnet or winbox into RB711-2Hn

Thu Dec 08, 2011 7:53 pm

/ip firewall filter
add action=accept chain=input comment="default configuration" disabled=no protocol=icmp
add action=accept chain=input comment="default configuration" connection-state=established disabled=no
add action=accept chain=input comment="default configuration" connection-state=related disabled=no
add action=drop chain=input comment="default configuration" disabled=no in-interface=wlan1-gateway
That means "don't accept any management connection to the router when they come into the router via the wlan1-gateway interface". You need to add a firewall filter above the drop rule that permits traffic sourced from the IPs that your management traffic would come from.

You should also look into using SSH over telnet if you're going to do management access via the WAN. telnet transmits usernames and passwords in clear text and is very insecure.
 
gcs
Member Candidate
Topic Author
Posts: 145
Joined: Tue May 18, 2010 10:06 pm
Location: Tyler, Texas USA

Re: can't ping or telnet or winbox into RB711-2Hn

Thu Dec 08, 2011 8:32 pm

Can you give me an example of the code to use? I have a block of assigned addresses from ARIN and would like to allow access from them.
 
fewi
Forum Guru
Posts: 7734
Joined: Tue Aug 11, 2009 3:19 am

Re: can't ping or telnet or winbox into RB711-2Hn

Thu Dec 08, 2011 8:48 pm

/ip firewall address-list
add list=management address=1.1.1.0/24
add list=management address=2.2.2.0/24
/ip firewall filter
add chain=input src-address-list=management action=accept
Then move the filter rule above the existing drop rule.

Also refer to the manual: http://wiki.mikrotik.com/wiki/Manual:IP/Firewall/Filter - these are very basic questions.

And again: look into SSH. Seriously. telnet is very, very insecure.
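
Why the new rule has to sit above the drop rule, as an added example that is not part of the reply above or of RouterOS itself: a small first-match model of the input chain from the posted export. The helper names (`parse`, `matches`, `verdict`, `new_conn`) and the test source 203.0.113.5 are constructed for illustration, and the model only covers the matchers that appear in this thread.

```python
import ipaddress
import shlex

# Input chain from the export posted in this thread, in rule order.
DEFAULT_INPUT = [
    'add action=accept chain=input comment="default configuration" disabled=no protocol=icmp',
    'add action=accept chain=input comment="default configuration" connection-state=established disabled=no',
    'add action=accept chain=input comment="default configuration" connection-state=related disabled=no',
    'add action=drop chain=input comment="default configuration" disabled=no in-interface=wlan1-gateway',
]
# Rule and address list from the reply above (1.1.1.0/24 and 2.2.2.0/24 are its placeholders).
MGMT_RULE = 'add chain=input src-address-list=management action=accept'
ADDRESS_LISTS = {'management': ['1.1.1.0/24', '2.2.2.0/24']}

def parse(line):
    """Turn one 'add key=value ...' export line into a dict."""
    return dict(tok.split('=', 1) for tok in shlex.split(line)[1:])

def matches(rule, pkt):
    """A rule matches only if every matcher it carries matches the packet."""
    for key, want in rule.items():
        if key in ('action', 'chain', 'comment', 'disabled'):
            continue
        if key == 'src-address-list':
            src = ipaddress.ip_address(pkt['src'])
            nets = ADDRESS_LISTS.get(want, [])
            if not any(src in ipaddress.ip_network(n) for n in nets):
                return False
        elif pkt.get(key) != want:
            return False
    return True

def verdict(rules, pkt):
    """The first matching rule decides; a packet that matches nothing is accepted."""
    for line in rules:
        rule = parse(line)
        if rule.get('disabled') != 'yes' and matches(rule, pkt):
            return rule['action']
    return 'accept'

def new_conn(src, port):
    """Constructed packet: first TCP packet of a session arriving on the WAN side."""
    return {'src': src, 'protocol': 'tcp', 'dst-port': str(port),
            'connection-state': 'new', 'in-interface': 'wlan1-gateway'}

appended = DEFAULT_INPUT + [MGMT_RULE]                       # rule left below the drop
moved = DEFAULT_INPUT[:3] + [MGMT_RULE] + DEFAULT_INPUT[3:]  # rule above the drop

if __name__ == '__main__':
    for name, rules in (('default', DEFAULT_INPUT), ('appended', appended), ('moved', moved)):
        print(name, verdict(rules, new_conn('1.1.1.10', 8291)),
              verdict(rules, new_conn('203.0.113.5', 8291)))
```

With the rule left at the bottom, the management source is still dropped; once it is above the drop rule, only sources in the address list reach winbox or SSH from the WAN side.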
 
gcs
Member Candidate
Topic Author
Posts: 145
Joined: Tue May 18, 2010 10:06 pm
Location: Tyler, Texas USA

Re: can't ping or telnet or winbox into RB711-2Hn

Thu Dec 08, 2011 9:55 pm

Thanks, it works! I guess the new boards come with filter rules that block incoming from wlan port. I never had that problem with boards that came with 4.x ROS.

Thanks

David
 
fewi
Forum Guru
Posts: 7734
Joined: Tue Aug 11, 2009 3:19 am

Re: can't ping or telnet or winbox into RB711-2Hn

Thu Dec 08, 2011 10:11 pm

Those rules were part of 4.x, too. The difference is the kind of board you use. http://wiki.mikrotik.com/wiki/Manual:De ... igurations documents the different default configurations of a variety of RouterBOARDs.
 
gcs
Member Candidate
Topic Author
Posts: 145
Joined: Tue May 18, 2010 10:06 pm
Location: Tyler, Texas USA

Re: can't ping or telnet or winbox into RB711-2Hn

Fri Dec 09, 2011 12:06 am

Thanks, 1 last question. I can telnet and winbox now but not ssh to it. I looked at services and telnet and ssh are enabled. Also tools and wireless in winbox don't have ssh as an option. From my unix server I can't ssh to it.

thanks

david
 
fewi
Forum Guru
Posts: 7734
Joined: Tue Aug 11, 2009 3:19 am

Re: can't ping or telnet or winbox into RB711-2Hn

Fri Dec 09, 2011 1:48 am

According to what you posted SSH is enabled.