MikeFF
just joined
Topic Author
Posts: 14
Joined: Sun Apr 20, 2014 7:27 pm

Winbox from AP to Station

Tue Aug 14, 2018 7:24 pm

Hello community.

Maybe this topic is already covered, but I cannot find the answer to my issue.

This is the configuration I have done with my RB.

I have one RB in AP-Bridge mode, which we could call RB-1, and a second RB in Station-Bridge mode, which we could call RB-2.

RB-2 is connected to RB-1 perfectly; I can access all services from this side, internet and networks are working fine, and I can even telnet and MAC-telnet the RB-1 with no problems.

When I'm on the RB-1 side, I cannot access it through Winbox by any method, even by making a dst-nat pointing to RB-2.
From RB-1's Winbox I can use Telnet and MAC-Telnet to log in to RB-2, but I cannot do it with Winbox. What could be the issue?

By the way, on both RBs the IP services are all enabled.

Hope this is clear enough.

Thanks for the help

Regards
 
bramwittendorp
Member Candidate
Posts: 101
Joined: Thu Jun 16, 2016 3:48 pm
Location: The Netherlands

Re: Winbox from AP to Station

Tue Aug 14, 2018 7:56 pm

Hi,

Please share your config by doing an /export hide-sensitive. That way we'll get a better understanding of your config and possible firewall rules that are in the way.
 
MikeFF
just joined
Topic Author
Posts: 14
Joined: Sun Apr 20, 2014 7:27 pm

Re: Winbox from AP to Station

Wed Aug 15, 2018 12:06 am

Thanks for the fast reply.

The first part of the code is RB-1, the RB951Ui-2HnD:
# aug/14/2018 16:56:29 by RouterOS 6.42.6
# software id = ZGKJ-958S
#
# model = 951Ui-2HnD
# serial number = 8D0108222D29
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
add authentication-types=wpa-psk,wpa2-psk comment="WiFi Owners" eap-methods="" group-ciphers=tkip,aes-ccm management-protection=allowed mode=dynamic-keys name=MTM_SEC supplicant-identity="" unicast-ciphers=tkip,aes-ccm
add authentication-types=wpa-psk,wpa2-psk comment="Guest Only" eap-methods="" group-ciphers=tkip,aes-ccm management-protection=allowed mode=dynamic-keys name=GUESTS supplicant-identity="" unicast-ciphers=tkip,aes-ccm
add authentication-types=wpa-psk,wpa2-psk eap-methods="" group-ciphers=tkip,aes-ccm management-protection=allowed mode=dynamic-keys name=BRIDGE supplicant-identity="" unicast-ciphers=tkip,aes-ccm
/interface wireless
set [ find default-name=wlan1 ] default-forwarding=no disabled=no hide-ssid=yes mode=ap-bridge name=BridgeAP radio-name=MainStation security-profile=BRIDGE ssid=MTM_BRIDGE
add disabled=no keepalive-frames=disabled mac-address=CE:2D:E0:9B:6F:6F master-interface=BridgeAP multicast-buffering=disabled name=GuestAP security-profile=GUESTS ssid=MTM_GUESTS wds-cost-range=0 wds-default-cost=0 wps-mode=disabled
add disabled=no keepalive-frames=disabled mac-address=CE:2D:E0:9B:6F:6E master-interface=BridgeAP multicast-buffering=disabled name=WareHouseAP security-profile=MTM_SEC ssid=MTM_WAREHOUSE wds-cost-range=0 wds-default-cost=0 wps-mode=disabled
/ip pool
add name=WH_POOL ranges=192.168.185.80-192.168.185.100
add name=G_POOL ranges=192.168.175.20-192.168.175.60
/ip dhcp-server
add address-pool=WH_POOL disabled=no interface=WareHouseAP name=WH_DHCP
add address-pool=G_POOL disabled=no interface=GuestAP name=G_DHCP
/queue simple
add burst-limit=768k/2M burst-threshold=512k/1M burst-time=5s/5s limit-at=512k/1M max-limit=512k/1M name=Conta-Sistema packet-marks=G-EvolutionF priority=2/2 target=192.168.200.40/32,192.168.50.200/32
add name=Conta-vCloud packet-marks=vCLoudF priority=1/1 target=192.168.200.40/32
add burst-limit=768k/2M burst-threshold=512k/1M burst-time=5s/5s max-limit=512k/1M name="Conta External" target=192.168.200.40/32
add burst-limit=768k/2M burst-threshold=512k/1M burst-time=5s/5s limit-at=512k/1M max-limit=512k/1M name=Asistente-Sistema packet-marks=G-EvolutionF priority=2/2 target=192.168.200.41/32,192.168.50.200/32
add name=Asistente-vCloud packet-marks=vCLoudF priority=1/1 target=192.168.200.41/32
add burst-limit=768k/2M burst-threshold=512k/1M burst-time=5s/5s max-limit=512k/1M name="Asistente External" target=192.168.200.40/32
/tool user-manager customer
set admin access=own-routers,own-users,own-profiles,own-limits,config-payment-gw
/ip address
add address=192.168.50.1/24 comment="Full Servers" interface=ether3 network=192.168.50.0
add address=192.168.180.1/24 comment="For Admin BD" interface=ether5 network=192.168.180.0
add address=192.168.200.1/24 comment="Administration Office" interface=ether2 network=192.168.200.0
add address=192.168.20.1/24 comment="LTE OUT" interface=ether1 network=192.168.20.0
add address=192.168.220.1/24 comment="Surveillance Cameras IP-DVR" interface=ether4 network=192.168.220.0
add address=192.168.195.1/24 comment="Wi-Fi Just Owners" interface=BridgeAP network=192.168.195.0
add address=192.168.185.1/24 interface=WareHouseAP network=192.168.185.0
add address=192.168.175.1/24 interface=GuestAP network=192.168.175.0
add address=192.168.195.100/24 interface=ether2 network=192.168.195.0
/ip dhcp-server network
add address=192.168.175.0/24 dns-server=200.87.100.10,200.87.100.40,8.8.8.8,8.8.4.4 gateway=192.168.175.1
add address=192.168.185.0/24 dns-server=200.87.100.10,200.87.100.40,8.8.8.8,8.8.4.4 gateway=192.168.185.1
/ip dns
set allow-remote-requests=yes servers=200.87.100.10,200.87.100.40,8.8.8.8,8.8.4.4
/ip dns static
add address=192.168.220.40 name=www.dvrextnave.net
/ip firewall filter
add action=fasttrack-connection chain=forward
add action=jump chain=input comment="Allowed All for some PC" jump-target="All Allowed"
add action=jump chain=input comment="Jump to Denied WebSurfing" jump-target=Deny-Out
add action=jump chain=input comment="Denied Services" jump-target="Blocked Services"
add action=jump chain=input comment="Allowed Services" jump-target="Allowed Services"
add action=accept chain=input comment="Allow Established" connection-state=established
add action=accept chain=input comment="Allow Related" connection-state=related
add action=drop chain=input comment="Drop Invalid" connection-state=invalid
add action=drop chain=input comment="Drop everything Else"
add action=jump chain=forward comment="Allowed All for some PC" jump-target="All Allowed"
add action=jump chain=forward comment="Jumt to Denied WebSurfing" jump-target=Deny-Out
add action=jump chain=forward comment="Denied Services" jump-target="Blocked Services"
add action=jump chain=forward comment="Allowed Services" jump-target="Allowed Services"
add action=accept chain=forward comment="Allow Established" connection-state=established
add action=accept chain=forward comment="Allow Related" connection-state=related
add action=drop chain=forward comment="Drop Invalid" connection-state=invalid
add action=drop chain=forward comment="Drop everything Else"
add action=jump chain=output comment="Allowed All for some PC" jump-target="All Allowed"
add action=jump chain=output comment="Jumt to Denied WebSurfing" jump-target=Deny-Out
add action=jump chain=output comment="Denied Services" jump-target="Blocked Services"
add action=jump chain=output comment="Allowed Services" jump-target="Allowed Services"
add action=accept chain=output comment="Allow Established" connection-state=established
add action=accept chain=output comment="Allow Related" connection-state=related
add action=drop chain=output comment="Drop Invalid" connection-state=invalid
add action=drop chain=output comment="Drop everything Else"
add action=accept chain="All Allowed" comment="GADMIN PC" src-address=192.168.200.60
add action=accept chain="All Allowed" comment="MAC GADMIN" src-address=192.168.200.61
add action=accept chain="All Allowed" comment="GADMIN iPhone" src-address=192.168.195.90
add action=accept chain="All Allowed" comment="Bridge Station" src-address=192.168.195.2
add action=accept chain="All Allowed" comment="Bridge Station" src-address=192.168.195.1
add action=accept chain="All Allowed" comment="DVR Planta" src-address=192.168.220.40
add action=accept chain="Allowed Services" comment="NTP Service" dst-port=123 protocol=udp
add action=accept chain="Allowed Services" comment="DNS Requests UDP" dst-port=53 protocol=udp
add action=accept chain="Allowed Services" comment="DNS Requests TCP" dst-port=53 protocol=tcp
add action=accept chain="Allowed Services" comment="WEB Traffic" dst-port=80 protocol=tcp
add action=accept chain="Allowed Services" comment="S-WEB Traffic" dst-port=443 protocol=tcp
add action=accept chain="Allowed Services" comment="Winbox Service" dst-port=8291 protocol=tcp
add action=accept chain="Allowed Services" comment="Mobile TikTool" dst-port=8728 protocol=tcp
add action=accept chain="Allowed Services" comment="S-POP Service" dst-port=995 protocol=tcp
add action=accept chain="Allowed Services" comment="S-IMAP Service" dst-port=993 protocol=tcp
add action=accept chain="Allowed Services" comment="S-SMTP Service" dst-port=465 protocol=tcp
add action=accept chain="Allowed Services" comment="S-IMAP SMTP Service" dst-port=587 protocol=tcp
add action=accept chain="Allowed Services" comment="ENTEL App for account managment" dst-port=7770 protocol=tcp
add action=accept chain="Allowed Services" comment="OV SIN App for account managment" dst-port=8087 protocol=tcp
add action=accept chain="Allowed Services" comment="Mobile DVR Control" dst-port=15961 protocol=tcp
add action=accept chain="Allowed Services" comment="DVR Control" dst-port=9000 protocol=tcp
add action=accept chain="Allowed Services" comment="Min Trabajo OVT" dst-port=8080 protocol=tcp
add action=accept chain="Allowed Services" comment="vCloudPoint Services" dst-port=3389 protocol=tcp
add action=accept chain="Allowed Services" comment="vCloudPoint Services" dst-port=13389 protocol=udp
add action=accept chain="Allowed Services" comment="vCloudPoint Services" dst-port=13389 protocol=tcp
add action=accept chain="Allowed Services" comment="vCloudPoint Services" dst-port=13389-13422 protocol=tcp
add action=accept chain="Allowed Services" comment="Webmin Local Service" dst-port=10000 protocol=tcp
add action=drop chain=Deny-Out comment="Deny everything From Conta" disabled=yes src-address=192.168.200.40
add action=drop chain=Deny-Out comment="Deny everything From Control" disabled=yes src-address=192.168.200.41
add action=drop chain=Deny-Out comment="Deny everything From Prod" disabled=yes src-address=192.168.200.42
/ip firewall mangle
add action=mark-connection chain=prerouting dst-address=178.33.155.171 dst-port=443 new-connection-mark=G-EvolutionC passthrough=yes protocol=tcp
add action=mark-packet chain=prerouting connection-mark=G-EvolutionC new-packet-mark=G-EvolutionF passthrough=no
add action=mark-connection chain=prerouting dst-address=192.168.50.200 new-connection-mark=vCloudC passthrough=yes
add action=mark-packet chain=prerouting connection-mark=vCloudC new-packet-mark=vCLoudF passthrough=no
add action=mark-connection chain=prerouting dst-address=192.168.220.40 new-connection-mark=DVRc passthrough=yes
add action=mark-packet chain=prerouting connection-mark=DVRc new-packet-mark=DVRf passthrough=no
add action=mark-connection chain=prerouting dst-port=80 new-connection-mark=HttpC passthrough=yes protocol=tcp
add action=mark-packet chain=prerouting connection-mark=HttpC new-packet-mark=HttpF passthrough=no
add action=mark-connection chain=prerouting dst-port=8291 new-connection-mark=WinBoxC passthrough=yes protocol=tcp
add action=mark-packet chain=prerouting connection-mark=WinBoxC new-packet-mark=WinBoxF passthrough=no
add action=mark-connection chain=prerouting dst-port=53 new-connection-mark=DNS-RequestC passthrough=yes protocol=udp
add action=mark-packet chain=prerouting connection-mark=DNS-RequestC new-packet-mark=DNS-RequestF passthrough=no
add action=mark-connection chain=prerouting dst-port=443 new-connection-mark=Https-C passthrough=yes protocol=tcp
add action=mark-packet chain=prerouting connection-mark=Https-C new-packet-mark=Https-F passthrough=no
/ip firewall nat
add action=masquerade chain=srcnat comment="PATH FOR OUTGOING \A1\A1\A1DO NOT TOUCH!!!" out-interface=ether1
add action=dst-nat chain=dstnat dst-address=192.168.195.100 dst-port=8291 protocol=tcp to-addresses=192.168.195.63 to-ports=8291
add action=dst-nat chain=dstnat dst-address=192.168.195.100 dst-port=80 protocol=tcp to-addresses=192.168.195.2 to-ports=80
add action=dst-nat chain=dstnat dst-address=192.168.195.100 dst-port=9000 protocol=tcp to-addresses=192.168.195.2 to-ports=9000
/ip route
add distance=1 gateway=192.168.20.254
/ip service
set www-ssl disabled=no
/ipv6 firewall filter
add action=drop chain=forward
add action=drop chain=input
add action=drop chain=output
/system clock
set time-zone-name=America/La_Paz
/system identity
set name=MainRouterPlanta
/system lcd
set contrast=0 enabled=no port=parallel type=24x4
/system lcd page
set time disabled=yes display-time=5s
set resources disabled=yes display-time=5s
set uptime disabled=yes display-time=5s
set packets disabled=yes display-time=5s
set bits disabled=yes display-time=5s
set version disabled=yes display-time=5s
set identity disabled=yes display-time=5s
set WareHouseAP disabled=yes display-time=5s
set GuestAP disabled=yes display-time=5s
set BridgeAP disabled=yes display-time=5s
set ether1 disabled=yes display-time=5s
set ether2 disabled=yes display-time=5s
set ether3 disabled=yes display-time=5s
set ether4 disabled=yes display-time=5s
set ether5 disabled=yes display-time=5s
/system ntp client
set enabled=yes primary-ntp=130.149.17.21 secondary-ntp=216.229.0.179
/system ntp server
set broadcast=yes enabled=yes multicast=yes
/system routerboard settings
set silent-boot=no
/system scheduler
add comment="Disable Firewall Block" interval=1d name=Disable-Deny-Output-All on-event=enable-web policy=ftp,reboot,read,write,policy,test,password,sniff,sensitive start-date=aug/13/2018 start-time=07:55:00
add comment="Disable LTE-Out" interval=1d name=Disable-LTE on-event=disable-LTE policy=ftp,reboot,read,write,policy,test,password,sniff,sensitive start-date=aug/13/2018 start-time=19:00:00
add comment="Disable WiFi" interval=1d name=DisableWiFi on-event=disableWlan policy=ftp,reboot,read,write,policy,test,password,sniff,sensitive start-date=aug/13/2018 start-time=19:00:00
add comment="Enable Firewall Block" interval=1d name=Enable-Deny-Output-All on-event=disable-web policy=ftp,reboot,read,write,policy,test,password,sniff,sensitive start-date=aug/13/2018 start-time=17:30:00
add comment="Enable LTE-Out" interval=1d name=Enable-LTE on-event=enable-LTE policy=ftp,reboot,read,write,policy,test,password,sniff,sensitive start-date=aug/13/2018 start-time=08:00:00
add comment="Enable Wifi" interval=1d name=EnableWiFi on-event=enableWlan policy=ftp,reboot,read,write,policy,test,password,sniff,sensitive start-date=aug/13/2018 start-time=08:30:00
add comment="Enable ALL for week jobs" interval=1w name=MondayEnabler on-event=mondayenable policy=ftp,reboot,read,write,policy,test,password,sniff,sensitive start-date=aug/13/2018 start-time=07:00:00
add comment="To release charge and renew logs" interval=1d name=RefreshReboot policy=reboot start-date=aug/13/2018 start-time=07:30:00
add comment="Disable all for weekend" interval=1w name=WeekendDisable on-event=weekenddisable policy=ftp,reboot,read,write,policy,test,password,sniff,sensitive start-date=aug/17/2018 start-time=18:00:00
/system script
add name=enable-LTE owner=admin policy=ftp,reboot,read,write,policy,test,password source="/interface enable ether1"
add name=disable-LTE owner=admin policy=ftp,reboot,read,write,policy,test,password source="/interface disable ether1"
add name=enableWlan owner=admin policy=ftp,reboot,read,write,policy,test,password source="/interface enable wlan1"
add name=disableWlan owner=admin policy=ftp,reboot,read,write,policy,test,password source="/interface disable wlan1"
add name=weekenddisable owner=admin policy=ftp,reboot,read,write,policy,test,password,sniff,sensitive source="/system scheduler disable [/system scheduler find name=EnableWiFi]\r\
    \n/system scheduler disable [/system scheduler find name=DisableWiFi]\r\
    \n/system scheduler disable [/system scheduler find name=Enable-LTE]\r\
    \n/system scheduler disable [/system scheduler find name=Disable-LTE]\r\
    \n/system scheduler disable [/system scheduler find name=Disable-Deny-Output-All]\r\
    \n/system scheduler disable [/system scheduler find name=Enable-Deny-Output-All]\r\
    \n/interface disable ether1\r\
    \n/interface disable wlan1\r\
    \n"
add name=mondayenable owner=admin policy=ftp,reboot,read,write,policy,test,password,sniff,sensitive source="/system scheduler enable [/system scheduler find name=EnableWiFi]\r\
    \n/system scheduler enable [/system scheduler find name=DisableWiFi]\r\
    \n/system scheduler enable [/system scheduler find name=Enable-LTE]\r\
    \n/system scheduler enable [/system scheduler find name=Disable-LTE]\r\
    \n/system scheduler enable [/system scheduler find name=Disable-Deny-Output-All]\r\
    \n/system scheduler enable [/system scheduler find name=Enable-Deny-Output-All]"
add name=enable-web owner=admin policy=ftp,reboot,read,write,policy,test,password,sniff,sensitive source=\
    "/ip firewall filter disable [find comment=\"Deny everything From Conta\"]\r\
    \n/ip firewall filter disable [find comment=\"Deny everything From Control\"]\r\
    \n/ip firewall filter disable [find comment=\"Deny everything From Prod\"]"
add name=disable-web owner=admin policy=ftp,reboot,read,write,policy,test,password,sniff,sensitive source=\
    "/ip firewall filter enable [find comment=\"Deny everything From Conta\"]\r\
    \n/ip firewall filter enable [find comment=\"Deny everything From Control\"]\r\
    \n/ip firewall filter enable [find comment=\"Deny everything From Prod\"]"
/tool user-manager database
set db-path=user-manager

The RB-2 is the wAP-2nDr2:
# aug/14/2018 17:03:38 by RouterOS 6.42.6
# software id = Q05R-URXZ
#
# model = RouterBOARD wAP 2nD r2
# serial number = 676505843D29
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
add authentication-types=wpa-psk,wpa2-psk eap-methods="" group-ciphers=\
    tkip,aes-ccm management-protection=allowed mode=dynamic-keys name=BRIDGE \
    supplicant-identity="" unicast-ciphers=tkip,aes-ccm
add authentication-types=wpa-psk,wpa2-psk eap-methods="" group-ciphers=\
    tkip,aes-ccm management-protection=allowed mode=dynamic-keys name=MTM_DEPTO \
    supplicant-identity="" unicast-ciphers=tkip,aes-ccm
/interface wireless
set [ find default-name=wlan1 ] disabled=no frequency=auto radio-name=MTM_BASE2 \
    security-profile=BRIDGE ssid=MTM_BRIDGE wds-mode=dynamic
add disabled=no keepalive-frames=disabled mac-address=E6:8D:8C:5E:DB:01 \
    master-interface=wlan1 multicast-buffering=disabled name=wlan2 \
    security-profile=MTM_DEPTO ssid=MTM_HOME wds-cost-range=0 wds-default-cost=\
    0 wps-mode=disabled
/ip hotspot profile
set [ find default=yes ] html-directory=flash/hotspot
/ip pool
add name=dhcp_pool0 ranges=10.10.10.100-10.10.10.200
/ip dhcp-server
add address-pool=dhcp_pool0 disabled=no interface=wlan2 name=dhcp1
/system logging action
set 1 disk-file-name=log
/tool user-manager customer
set admin access=\
    own-routers,own-users,own-profiles,own-limits,config-payment-gw
/ip address
add address=192.168.200.1/24 interface=ether1 network=192.168.200.0
add address=10.10.10.1/24 interface=wlan2 network=10.10.10.0
add address=192.168.195.2/24 interface=wlan1 network=192.168.195.0
/ip dhcp-server network
add address=10.10.10.0/24 dns-server=10.10.10.1,200.87.100.10 gateway=\
    10.10.10.1
/ip dns
set allow-remote-requests=yes servers=192.168.195.1,192.168.200.1,200.87.100.10
/ip firewall filter
add action=fasttrack-connection chain=forward
/ip firewall nat
add action=masquerade chain=srcnat src-address=192.168.200.0/24
add action=masquerade chain=srcnat out-interface=wlan1
add action=dst-nat chain=dstnat dst-address=192.168.195.63 dst-port=8291 \
    protocol=tcp to-addresses=192.168.200.1 to-ports=8291
/ip route
add distance=1 gateway=192.168.195.1
/system clock
set time-zone-name=America/La_Paz
/system identity
set name=MTM-AP-CEO
/system lcd
set contrast=0 enabled=no port=parallel type=24x4
/system lcd page
set time disabled=yes display-time=5s
set resources disabled=yes display-time=5s
set uptime disabled=yes display-time=5s
set packets disabled=yes display-time=5s
set bits disabled=yes display-time=5s
set version disabled=yes display-time=5s
set identity disabled=yes display-time=5s
set wlan2 disabled=yes display-time=5s
set wlan1 disabled=yes display-time=5s
set ether1 disabled=yes display-time=5s
/system ntp client
set mode=broadcast
/system routerboard settings
set silent-boot=no
/tool bandwidth-server
set allocate-udp-ports-from=1000 max-sessions=1
/tool user-manager database
set db-path=flash/user-manager
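As an added example (not part of the thread and not MikroTik's own tooling): a small Python audit that parses exports in the form posted above and flags the two things a reviewer checks first, subnets that appear on more than one interface or router, and any Winbox accept rule that carries no source restriction. The embedded excerpts are constructed from the two exports above; it is assumed that 192.168.195.0/24 (the wireless link) is the one network both RBs legitimately share.

```python
import ipaddress
import re
# Constructed excerpts of the two "/export hide-sensitive" dumps above (only the
# sections this audit reads); RB-2's NAT line is left backslash-wrapped as RouterOS prints it.
RB1_EXPORT = """\
/ip address
add address=192.168.200.1/24 comment="Administration Office" interface=ether2 network=192.168.200.0
add address=192.168.195.1/24 comment="Wi-Fi Just Owners" interface=BridgeAP network=192.168.195.0
add address=192.168.195.100/24 interface=ether2 network=192.168.195.0
/ip firewall filter
add action=accept chain="Allowed Services" comment="Winbox Service" dst-port=8291 protocol=tcp
"""
RB2_EXPORT = """\
/ip address
add address=192.168.200.1/24 interface=ether1 network=192.168.200.0
add address=192.168.195.2/24 interface=wlan1 network=192.168.195.0
/ip firewall nat
add action=dst-nat chain=dstnat dst-address=192.168.195.63 dst-port=8291 \\
    protocol=tcp to-addresses=192.168.200.1 to-ports=8291
"""
_KV = re.compile(r'(\S+?)=("(?:[^"\\]|\\.)*"|\S+)')  # key=value; value may be quoted

def parse_export(text):
    """Map each '/section' of a RouterOS export to its list of add/set entries."""
    sections, current, pending = {}, None, ""
    for raw in text.splitlines():
        line = raw.rstrip()
        if line.endswith("\\"):  # RouterOS wraps long lines with a trailing backslash
            pending += line[:-1]
            continue
        line, pending = (pending + line.lstrip()).strip(), ""
        if not line or line.startswith("#"):
            continue
        if line.startswith("/"):
            current = line
            continue
        cmd, _, rest = line.partition(" ")
        entry = {"cmd": cmd}
        for key, val in _KV.findall(rest):
            entry[key] = val.strip('"')
        sections.setdefault(current, []).append(entry)
    return sections

def overlapping_subnets(exports, expected_shared=()):
    """(router_a, iface_a, router_b, iface_b, net) for address entries on different interfaces
    whose subnets overlap; expected_shared nets (the wireless link) are ignored across routers."""
    addrs = []
    for router, text in exports.items():
        for e in parse_export(text).get("/ip address", []):
            if e["cmd"] == "add" and "address" in e:
                addrs.append((router, e.get("interface", "?"), ipaddress.ip_interface(e["address"]).network))
    hits = []
    for i, (ra, ia, na) in enumerate(addrs):
        for rb, ib, nb in addrs[i + 1:]:
            if (ra, ia) != (rb, ib) and na.overlaps(nb) \
                    and not (ra != rb and str(na) in expected_shared):
                hits.append((ra, ia, rb, ib, str(na)))
    return hits

def unrestricted_admin_accepts(text, port="8291"):
    """Comments of accept rules for `port` that carry no source or in-interface limiter."""
    limiters = ("src-address", "src-address-list", "in-interface", "in-interface-list")
    return [e.get("comment", e.get("chain", "?"))
            for e in parse_export(text).get("/ip firewall filter", [])
            if e.get("action") == "accept" and e.get("dst-port") == port and not any(k in e for k in limiters)]
```

Run against the full exports, the same functions report every address entry and every accept rule, not just the excerpts embedded here.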
 
wale
just joined
Posts: 12
Joined: Thu Jun 28, 2018 2:46 pm

Re: Winbox from AP to Station

Wed Aug 15, 2018 11:30 am

To my understanding, I will suggest that you create a bridge on RB-1,
then add the port where RB-2 is connected to the bridge.
Good luck.
 
MikeFF
just joined
Topic Author
Posts: 14
Joined: Sun Apr 20, 2014 7:27 pm

Re: Winbox from AP to Station

Wed Aug 15, 2018 3:59 pm

Thanks to all.

I managed to make it work without too many changes.

First (my mistake), I changed the band on both RBs to B/G/N, also redid all the configuration on RB-2 to add it freshly, made sure that all routes are correct, and EUREKA!!!!!

All works fine.

Again, thanks to all.

Hope this could help somebody else.