API Port 8728 - Not Available

MeTaLliC · Sat Sep 10, 2011 2:36 pm

Hi Guys,

I've just purchased my first Mikrotik (RB450G) and I've just spent most of my evening setting it up to replace my existing Linksys router. I'm also a PHP developer and would love to start designing a web interface for this device to suit my needs. So I acquired a copy of the PHP API Class and got to work.

Now, here is my issue. I have enabled the API by using the following command via SSH: /ip service enable api but when I try connecting to my router via the API it fails. I've also noticed that when I nmap the Mikrotik, this is the result.

Starting Nmap 5.21 ( http://nmap.org ) at 2011-09-10 21:27 EST
Nmap scan report for 10.1.2.1
Host is up (0.0012s latency).
Not shown: 992 closed ports
PORT STATE SERVICE
21/tcp open ftp
22/tcp open ssh
23/tcp open telnet
53/tcp open domain
80/tcp open http
1723/tcp open pptp
2000/tcp open cisco-sccp
8291/tcp open unknown
MAC Address: 00:0C:42:7F:97:21 (Routerboard.com)

As you can see, port 8728 isn't listed. Can anyone help me out? Has anyone else seen this before?

fewi · Sat Sep 10, 2011 8:47 pm

Post the output of "/ip server export", "/ip address print detail", "/ip firewall export", and information on what IP address the host has that you're trying to connect from.

MeTaLliC · Sun Sep 11, 2011 3:08 am

/ip service
set telnet address=0.0.0.0/0 disabled=no port=23
set ftp address=0.0.0.0/0 disabled=no port=21
set www address=0.0.0.0/0 disabled=no port=80
set ssh address=0.0.0.0/0 disabled=no port=22
set www-ssl address=0.0.0.0/0 certificate=none disabled=yes port=443
set api address=0.0.0.0/0 disabled=no port=8728
set winbox address=0.0.0.0/0 disabled=no port=8291

/ip address print detail
Flags: X - disabled, I - invalid, D - dynamic
0 address=192.168.1.200/24 network=192.168.1.0 broadcast=192.168.1.255
interface=ether3-wan-wimax actual-interface=ether3-wan-wimax

1 address=192.168.2.200/24 network=192.168.2.0 broadcast=192.168.2.255
interface=ether4-wan-adsl actual-interface=ether4-wan-adsl

2 address=10.1.2.1/24 network=10.1.2.0 broadcast=10.1.2.255
interface=ether1-local actual-interface=ether1-local

/ip firewall export
# jan/03/1970 20:40:24 by RouterOS 4.14
# software id = 9NE2-7AFJ
#
/ip firewall connection tracking
set enabled=yes generic-timeout=10m icmp-timeout=10s tcp-close-timeout=10s \
tcp-close-wait-timeout=10s tcp-established-timeout=1d \
tcp-fin-wait-timeout=10s tcp-last-ack-timeout=10s \
tcp-syn-received-timeout=5s tcp-syn-sent-timeout=5s tcp-syncookie=no \
tcp-time-wait-timeout=10s udp-stream-timeout=3m udp-timeout=10s
/ip firewall mangle
add action=mark-routing chain=prerouting comment="" disabled=yes \
new-routing-mark=WiMAX passthrough=yes src-address=10.1.2.17
add action=mark-routing chain=prerouting comment="" disabled=no \
new-routing-mark=WiMAX passthrough=yes src-address=10.1.2.121
/ip firewall nat
add action=masquerade chain=srcnat comment="" disabled=no src-address=\
10.1.2.0/24
add action=dst-nat chain=dstnat comment="" disabled=no dst-port=24986 \
protocol=tcp to-addresses=10.1.2.17 to-ports=443
/ip firewall service-port
set ftp disabled=no ports=21
set tftp disabled=no ports=69
set irc disabled=no ports=6667
set h323 disabled=no
set sip disabled=no ports=5060,5061
set pptp disabled=no

My webserver's IP address is 10.1.2.121. Here is the nmap results again:

root@webserver:~# nmap 10.1.2.1

Starting Nmap 5.21 ( http://nmap.org ) at 2011-09-11 10:07 EST
Nmap scan report for 10.1.2.1
Host is up (0.0011s latency).
Not shown: 992 closed ports
PORT STATE SERVICE
21/tcp open ftp
22/tcp open ssh
23/tcp open telnet
53/tcp open domain
80/tcp open http
1723/tcp open pptp
2000/tcp open cisco-sccp
8291/tcp open unknown
MAC Address: 00:0C:42:7F:97:21 (Routerboard.com)

Nmap done: 1 IP address (1 host up) scanned in 0.51 seconds

fewi · Sun Sep 11, 2011 3:58 am

Huh, I'm baffled. I got nothing outside of a reboot, and maybe an upgrade if you're not on 5.6.

MeTaLliC · Sun Sep 11, 2011 4:31 am

Huh, I'm baffled. I got nothing outside of a reboot, and maybe an upgrade if you're not on 5.6.

You're baffled, I was stumped last night! Everything looked fine to me. I'll try what you suggested.

MeTaLliC · Sun Sep 11, 2011 4:56 am

Ok, I've rebooted the mikrotik and upgraded to 5.6 but still no joy

tjc · Sun Sep 11, 2011 6:29 am

Have you checked that the user belongs to a group with api permissions?

tjc · Sun Sep 11, 2011 7:16 am

I just tested 5.6 with the Python API after enabling the service and it worked.

/ip service enable api

[admin@MikroTik] > /ip service print where name=api
Flags: X - disabled, I - invalid 
 #   NAME      PORT ADDRESS                                       CERTIFICATE  
 5   api       8728 192.168.1.0/24

Maybe setting an address matters?

MeTaLliC · Sun Sep 11, 2011 11:22 am

What happens when you nmap your router? Does it show the port as open?

tjc · Sun Sep 11, 2011 7:10 pm

Not if I don't tell it scan ports in that range (default is only 1-1000), but if I do yes.

[tjc@x2 ~]$ nmap -p1-1000,8000-8999 router

Starting Nmap 5.50 ( http://nmap.org ) at 2011-09-11 12:09 EDT
Nmap scan report for router (192.168.1.1)
Host is up (0.0033s latency).
Not shown: 1995 closed ports
PORT     STATE SERVICE
22/tcp   open  ssh
53/tcp   open  domain
80/tcp   open  http
443/tcp  open  https
8728/tcp open  unknown

Nmap done: 1 IP address (1 host up) scanned in 0.54 seconds

tjc · Sun Sep 11, 2011 7:18 pm

BTW - You should really lock down some of those services. I would disable the unencrypted ones and limit the allowed addresses for the rest.

JAza · Mon Sep 24, 2012 5:39 pm

Just a point to note: Opening the service in /ip services alone is not enough (at least it did not work for me.) I also needed to create a firewall filter rule to accept packets on that port as well.
Yes, maybe it's a little obvious but for a noob or just someone newly climbing the Mikrotik learning curve, just thought I'd add that here.

peace.
J.

matthysdt · Fri Nov 30, 2012 11:09 am

Hi, I tried following this topic but I still have no such thing as an API port.

I'm running RouterOS 5.8 on a RB433UAH.

[admin@MT] > ip firewall service-port print
Flags: X - disabled, I - invalid
# NAME PORTS
0 ftp 21
1 tftp 69
2 irc 6667
3 h323
4 sip 5060
5061
5 pptp

EDIT: I just got it fixed, thanks anyway!
Just go to Ip Services and enable API.

Cheers

janisk · Fri Nov 30, 2012 11:47 am

all i can say, if API does not work if you enable it under '/ip services' then check firewall, cables, service access rules. As API is used extensively in testing. starting with router mass upgrade tools, to running test-cases.

however nmap ran against my test router:

$ nmap mt

Starting Nmap 6.00 ( http://nmap.org ) at 2012-11-30 11:46 EET
Nmap scan report for mt (10.5.113.1)
Host is up (0.0019s latency).
Not shown: 992 closed ports
PORT     STATE SERVICE
21/tcp   open  ftp
22/tcp   open  ssh
23/tcp   open  telnet
53/tcp   open  domain
80/tcp   open  http
2000/tcp open  cisco-sccp
3986/tcp open  mapper-ws_ethd
8291/tcp open  unknown

Nmap done: 1 IP address (1 host up) scanned in 0.06 seconds

$ nmap mt -p 8728

Starting Nmap 6.00 ( http://nmap.org ) at 2012-11-30 11:45 EET
Nmap scan report for mt (10.5.113.1)
Host is up (0.00021s latency).
PORT     STATE SERVICE
8728/tcp open  unknown

Nmap done: 1 IP address (1 host up) scanned in 0.04 seconds