Community discussions

MikroTik App
  4. RouterOS
  5. General

Cannot open ports / access router externally

Post Reply
 
kai
newbie
Topic Author
Posts: 38
Joined: Thu Aug 24, 2017 1:15 pm

Cannot open ports / access router externally

Fri Oct 11, 2019 4:57 pm

I'm having some issues with a particular router - the problem is that I cannot remotely connect to it via Winbox or SSH. out bound, within the network seems to be fine, but externally not. I've looked through the config over and over and I cannot seem to find the issue. Can someone else please take a look at this for me and point out if anything obvious is wrong please?

Thanks in advance
Code: Select all
# oct/11/2019 14:02:20 by RouterOS 6.45.6
# software id = QJ4L-AAL9
#
# model = RouterBOARD 750G r3
# serial number = XXX
/interface bridge
add admin-mac=64:D1:54:9F:72:08 auto-mac=no comment=\
    "created from master port" name=bridge1 protocol-mode=none
/interface ethernet
set [ find default-name=ether1 ] speed=100Mbps
set [ find default-name=ether2 ] name=ether2-master speed=100Mbps
set [ find default-name=ether3 ] speed=100Mbps
set [ find default-name=ether4 ] speed=100Mbps
set [ find default-name=ether5 ] speed=100Mbps
/interface pppoe-client
add add-default-route=yes default-route-distance=0 disabled=no interface=\
    ether1 name=pppoe-out1 password=bt use-peer-dns=yes user=\
    Xxx
/interface list
add name=WAN
add exclude=dynamic name=discover
add name=mactel
add name=mac-winbox
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=xxx
/ip hotspot profile
set [ find default=yes ] html-directory=flash/hotspot
/ip pool
add name=dhcp ranges=192.168.1.10-192.168.1.230
add name=vpn ranges=192.168.89.2-192.168.89.255
/ip dhcp-server
add address-pool=dhcp authoritative=after-2sec-delay disabled=no interface=\
    bridge1 lease-time=8h name=defconf
/ppp profile
set *FFFFFFFE local-address=192.168.89.1 remote-address=vpn
/interface bridge port
add bridge=bridge1 interface=ether3
add bridge=bridge1 interface=ether4
add bridge=bridge1 interface=ether5
add bridge=bridge1 interface=ether2-master
/ip neighbor discovery-settings
set discover-interface-list=discover
/interface l2tp-server server
set enabled=yes ipsec-secret=xxx use-ipsec=yes
/interface list member
add interface=pppoe-out1 list=WAN
add interface=bridge1 list=discover
add interface=ether3 list=discover
add interface=ether4 list=discover
add interface=ether5 list=discover
add interface=pppoe-out1 list=discover
add interface=bridge1 list=mactel
add interface=bridge1 list=mac-winbox
/interface pptp-server server
set enabled=yes
/interface sstp-server server
set default-profile=default-encryption enabled=yes
/ip address
add address=192.168.1.254/24 comment=defconf interface=ether3 network=\
    192.168.1.0
/ip cloud
set ddns-enabled=yes
/ip dhcp-client
add comment=defconf dhcp-options=hostname,clientid interface=ether1
/ip dhcp-server lease
add address=192.168.1.142 comment="xxx" mac-address=18:68:CB:AA:DE:D9
add address=192.168.1.159 comment="xxx" mac-address=\
    90:A7:C1:53:0B:2D server=defconf
add address=192.168.1.150 comment="xxx" mac-address=\
    00:0F:FF:1E:FF:75 server=defconf
add address=192.168.1.149 comment="xxx" mac-address=00:1E:C0:A0:04:68 \
    server=defconf
add address=192.168.1.162 comment="xxx" mac-address=\
    44:C3:06:42:D5:EA
add address=192.168.1.58 always-broadcast=yes client-id=1:d8:f:99:2d:f0:5f \
    comment="xxx" mac-address=D8:0F:99:2D:F0:5F server=\
    defconf
add address=192.168.1.152 comment="xxxx" mac-address=\
    04:5D:4B:D9:D1:27
add address=192.168.1.57 client-id=1:4:5d:4b:b3:60:49 comment=\
    "xxxx" mac-address=04:5D:4B:B3:60:49 server=defconf
add address=192.168.1.66 comment="xxx" mac-address=00:16:E8:B5:BB:FB
add address=192.168.1.56 client-id=1:54:13:79:7d:50:f3 comment=\
    "xxxx" mac-address=54:13:79:7D:50:F3 server=defconf
/ip dhcp-server network
add address=192.168.1.0/24 comment=defconf gateway=192.168.1.254 netmask=24
/ip dns
set allow-remote-requests=yes
/ip dns static
add address=192.168.1.254 name=router.lan
add address=192.168.1.254 name=router
/ip firewall filter
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
    connection-state=established,related
add action=accept chain=forward comment="defconf: accept established,related" \
    connection-state=established,related
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid log-prefix=INVALID
add action=drop chain=forward comment=\
    "defconf:  drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
    connection-state=new in-interface-list=WAN log-prefix="WAN INVALID"
add action=accept chain=input comment="Allow Pings" protocol=icmp
add action=accept chain=input comment="allow IPsec NAT" dst-port=4500 \
    protocol=udp
add action=accept chain=input comment="allow IKE" dst-port=500 protocol=udp
add action=accept chain=input comment="allow l2tp" dst-port=1701 protocol=udp
add action=accept chain=input comment="allow pptp" dst-port=1723 protocol=tcp
add action=accept chain=input comment="Allow Winbox" dst-port=8291 protocol=\
    tcp
add action=accept chain=input connection-state=established
add action=accept chain=input connection-state=related
add action=drop chain=input in-interface-list=WAN log-prefix="DROPPED ALL"
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" \
    out-interface-list=WAN
add action=masquerade chain=srcnat comment="Hairpin NAT" dst-address=\
    192.168.1.0/24 out-interface=bridge1 src-address=192.168.1.0/24
add action=masquerade chain=srcnat comment="masq. vpn traffic" src-address=\
    192.168.89.0/24
add action=dst-nat chain=dstnat comment="xxx" dst-address=\
    !192.168.1.0/24 dst-address-type=local dst-port=8000 protocol=tcp \
    to-addresses=192.168.1.142 to-ports=8000
add action=dst-nat chain=dstnat comment="xxx" dst-address=\
    !192.168.1.0/24 dst-address-type=local dst-port=554 protocol=tcp \
    to-addresses=192.168.1.142 to-ports=554
add action=dst-nat chain=dstnat comment="xxx" dst-address=\
    !192.168.1.0/24 dst-address-type=local dst-port=8888 protocol=tcp \
    to-addresses=192.168.1.142 to-ports=80
add action=dst-nat chain=dstnat comment="xxx" dst-address=\
    !192.168.1.0/24 dst-address-type=local dst-port=9999 protocol=tcp \
    to-addresses=192.168.1.159 to-ports=80
/ip firewall service-port
set h323 disabled=yes
set sip disabled=yes
/ip service
set telnet disabled=yes
set ftp disabled=yes
set www disabled=yes
set api disabled=yes
set api-ssl disabled=yes
/ip ssh
set allow-none-crypto=yes forwarding-enabled=remote
/system clock
set time-zone-name=Europe/London
/system identity
set name=XXX
/system ntp client
set enabled=yes server-dns-names=\
    0.uk.pool.ntp.org,1.uk.pool.ntp.org,2.uk.pool.ntp.org,3.uk.pool.ntp.org
/system resource irq rps
set ether1 disabled=no
set ether3 disabled=no
set ether4 disabled=no
set ether5 disabled=no
set ether2-master disabled=no
/tool mac-server
set allowed-interface-list=mactel
/tool mac-server mac-winbox
set allowed-interface-list=mac-winbox
Top
 
dmitris
Member Candidate
Member Candidate
Posts: 130
Joined: Mon Oct 09, 2017 1:08 pm

Re: Cannot open ports / access router externally

Fri Oct 11, 2019 8:16 pm

I checked your configuration and i don't see any granting rule to ssh.
Code: Select all
/ip firewall filter
add action=accept chain=input comment="Allow SSH" dst-port=22 protocol=\
    tcp
*
*

Second thing i would not recommend to expose Winbox service to all, it's very insecure...


Also you can check remotely, does port open or not with command:
This work only for tcp connection.

telnet your_public_ip 8291
telnet your_public_ip 22
Top
Post Reply
  4. RouterOS
  5. General