Hello,

I have a hAP with default configuration (switch eth2-3-4-5-wifi, dhcp server, dhcp client on eth1)

I would like to reach Winbox since eth1 ( internet )

Default configuration of firewall :

/ip firewall filter
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment="defconf: accept established,related" connection-state=established,related
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related
add action=accept chain=forward comment="defconf: accept established,related" connection-state=established,related
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
add action=drop chain=forward comment="defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat connection-state=new in-interface=ether1
add action=drop chain=input comment="defconf: drop all from WAN" in-interface=ether1
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" out-interface=ether1

With default configuration, it is not possible to access the router with Winbox from internet (eth1)

So i add this rules :
add action=accept chain=input comment="Winbox from Internet" dst-port=8921 protocol=tcp

But it doesn't works..

Can you help me ?

Remove this rule

interface=ether1
add action=drop chain=input comment="defconf: drop all from WAN" in-interface=ether1

Yes i know this will work if i remove this rule

But it is more secure no ?

Is it possible to drop all exept 8921 ?

And if i put my rule before the drop all, why doesn't works ??

Hi,

Just a guess:

a. put your input before any drop rule b. disable rule Does it work now ?

kind regards,

No,
It works only when i disable : add action=drop chain=input comment="defconf: drop all from WAN" in-interface=ether1

Port number is 8291..

Hi,

Port number is 8291..

Sharp eyes... i did not notice it
kind regards,

OMFG !
2 days !!

RTFM slowly..

Sorry and thanks

Hi,

No problem. Anytime

kind regards,