Community discussions

MikroTik App
  4. RouterOS
  5. Beginner Basics

problems logging in with winbox but web portal works  [SOLVED]

Post Reply
 
hwsinn
newbie
Topic Author
Posts: 35
Joined: Wed Aug 12, 2020 6:41 am

problems logging in with winbox but web portal works

Sun Mar 06, 2022 6:26 pm

Hi everyone!

I recently made a misconfiguration and i had to revert my settings on my hex POE.
I have previously left a emergency physical port (ether 5) so that i can physically log in to the device to undo the change.

Ether 5 is assigned DHCP server, firewall input rule (allow Ether5 to 192.168.88.1), Ether 5 is not joined to any bridge or switch1 and switch settings is "Leave as is".

When i winbox into 192.168.88.1, the session opens and terminates immediately.
The logs shows the user has logged in and logged out.

logging in via mac address doesnt work.

i can however log in via the http.

where do i start troubleshooting?
Code: Select all
# mar/06/2022 23:13:23 by RouterOS 6.48.4
# software id = 9WAC-9NWN
#
# model = 960PGS
# serial number = CB560B93305E
/interface bridge
add admin-mac=C4:AD:34:A3:99:78 auto-mac=no comment=defconf name=bridge
/interface ethernet
set [ find default-name=ether2 ] poe-out=off
set [ find default-name=ether3 ] poe-out=off
set [ find default-name=ether4 ] poe-out=off
/interface vlan
add comment=vlan13 interface=bridge name=Guest vlan-id=13
add comment=vlan14 interface=bridge name=IoT vlan-id=14
add comment=vlan15 disabled=yes interface=bridge name=IoT2 vlan-id=15
add comment=vlan11 interface=bridge name=MGMT vlan-id=11
add comment=vlan12 interface=bridge name=SNET vlan-id=12
add comment=vlan1201 interface=bridge name=vlan1201 vlan-id=1201
add comment=vlan1202 interface=bridge name=vlan1202 vlan-id=1202
/interface ethernet switch port
set 1 default-vlan-id=11 vlan-header=always-strip vlan-mode=secure
set 2 default-vlan-id=12 vlan-header=always-strip vlan-mode=secure
set 3 vlan-header=add-if-missing vlan-mode=secure
set 5 vlan-mode=secure
/interface list
add name=WAN
add name=ManagementNW
add name=INET_LAN
add include=INET_LAN name=LAN
/ip pool
add name=dhcp ranges=192.168.88.10-192.168.88.20
add name=dhcp_pool1 ranges=192.168.11.101-192.168.11.110
add name=dhcp_pool2 ranges=192.168.12.101-192.168.12.120
add name=dhcp_pool3 ranges=192.168.13.101-192.168.13.120
add name=dhcp_pool4 ranges=192.168.14.101-192.168.14.120
add name=dhcp_pool5 ranges=192.168.15.101-192.168.15.110
/ip dhcp-server
add address-pool=dhcp disabled=no interface=ether5 name=defconf
add address-pool=dhcp_pool1 disabled=no interface=MGMT lease-time=10h name=\
    dhcp1
add address-pool=dhcp_pool2 disabled=no interface=SNET lease-time=4h name=\
    dhcp2
add address-pool=dhcp_pool3 disabled=no interface=Guest lease-time=1h name=\
    dhcp3
add address-pool=dhcp_pool4 disabled=no interface=IoT lease-time=2h name=\
    dhcp4
add address-pool=dhcp_pool5 interface=IoT2 name=dhcp5
/interface bridge port
add bridge=bridge comment=defconf interface=ether2
add bridge=bridge comment=defconf interface=ether3
add bridge=bridge comment=defconf interface=ether4
/ip neighbor discovery-settings
set discover-interface-list=ManagementNW
/interface ethernet switch vlan
add independent-learning=yes ports=switch1-cpu,ether2,ether4 switch=switch1 \
    vlan-id=11
add independent-learning=yes ports=switch1-cpu,ether3,ether4 switch=switch1 \
    vlan-id=12
add independent-learning=yes ports=switch1-cpu,ether4 switch=switch1 vlan-id=\
    13
add independent-learning=yes ports=switch1-cpu,ether4 switch=switch1 vlan-id=\
    14
add independent-learning=yes ports=switch1-cpu,ether4 switch=switch1 vlan-id=\
    15
add independent-learning=yes ports=switch1-cpu,ether4 switch=switch1 vlan-id=\
    1201
add independent-learning=yes ports=switch1-cpu,ether4 switch=switch1 vlan-id=\
    1202
/interface list member
add interface=MGMT list=ManagementNW
add interface=ether5 list=ManagementNW
add interface=MGMT list=LAN
add interface=SNET list=INET_LAN
add interface=Guest list=INET_LAN
add interface=IoT list=INET_LAN
add interface=sfp1 list=WAN
add interface=IoT2 list=INET_LAN
add interface=vlan1201 list=INET_LAN
/ip address
add address=192.168.88.1/24 comment=defconf interface=ether5 network=\
    192.168.88.0
add address=192.168.11.45/24 interface=MGMT network=192.168.11.0
add address=192.168.12.45/25 interface=SNET network=192.168.12.0
add address=192.168.13.45/24 interface=Guest network=192.168.13.0
add address=192.168.14.45/24 interface=IoT network=192.168.14.0
add address=192.168.15.45/24 interface=IoT2 network=192.168.15.0
add address=192.168.12.129/30 interface=vlan1201 network=192.168.12.128
add address=192.168.12.133/30 interface=vlan1202 network=192.168.12.132
/ip dhcp-client
add comment=defconf disabled=no interface=sfp1
/ip dhcp-server network
add address=192.168.11.0/24 dns-none=yes
add address=192.168.12.0/25 dns-server=1.1.1.1,165.21.100.88 gateway=\
    192.168.12.45 netmask=25
add address=192.168.13.0/24 dns-server=1.1.1.1,165.21.83.88 gateway=\
    192.168.13.45
add address=192.168.14.0/24 dns-server=1.1.1.1,165.21.83.88 gateway=\
    192.168.14.45
add address=192.168.15.0/24 dns-server=1.1.1.1 gateway=192.168.15.45
add address=192.168.88.0/24 comment=defconf gateway=192.168.88.1
/ip firewall address-list
add address=192.168.14.81-192.168.14.100 list="R-IoT VIP"
add address=192.168.12.81-192.168.12.100 list="R-SNET VIP"
add address=192.168.13.81-192.168.13.86 list="R-Guest VIP"
add address=192.168.12.130 list=D-GuestVM01
add address=192.168.12.100 list=D-PC
add address=192.168.12.102 list=D-OMV
add address=192.168.14.61 list=D-Printer
add address=192.168.12.134 list=D-GuestVM02
add address=192.168.13.81-192.168.13.86 list=S-NPVR
add address=192.168.12.134 list=S-NPVR
/ip firewall filter
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
    connection-state=established,related
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=accept chain=forward comment=\
    "defconf: accept established,related, untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="Block OMV to WAN" out-interface-list=\
    WAN src-address=192.168.12.102
add action=accept chain=input comment="Allow vlan11 to contact Gateway" \
    dst-address=192.168.11.45 in-interface=MGMT
add action=accept chain=input dst-address=192.168.88.1 in-interface=ether5
add action=accept chain=input comment="defconf: accept ICMP" disabled=yes \
    protocol=icmp
add action=accept chain=input comment=\
    "Jumphost vlan12 to Mikrotik via Winbox and web" dst-address=\
    192.168.11.45 dst-port=8291,80 protocol=tcp src-address=192.168.12.100
add action=accept chain=forward comment="Jumphost vlan 12 to AP web portal" \
    dst-address=192.168.11.48 dst-port=80,443 protocol=tcp src-address=\
    192.168.12.100
add action=accept chain=forward comment="Local NTP Server" dst-address=\
    192.168.12.100 dst-port=123 in-interface=MGMT out-interface=SNET \
    protocol=udp
add action=accept chain=forward comment="RDP to GuestVM01" dst-address-list=\
    D-GuestVM01 dst-port=3389 in-interface=Guest protocol=tcp
add action=accept chain=forward comment="vlan14 to PC" dst-address-list=D-PC \
    in-interface=IoT
add action=accept chain=forward comment="Allow NPVR" dst-address=\
    192.168.12.100 dst-port=8866 protocol=tcp src-address-list=S-NPVR
add action=accept chain=forward comment="vlan14 to OMV" dst-address-list=\
    D-OMV in-interface=IoT
add action=accept chain=forward comment="Guest VIP to OMV" dst-address-list=\
    D-OMV src-address-list="R-Guest VIP"
add action=accept chain=forward comment="Allow vlan12 to Printer" \
    dst-address-list=D-Printer in-interface=SNET
add action=accept chain=forward comment="Allow vlan13 to Printer" \
    dst-address-list=D-Printer in-interface=Guest
add action=accept chain=forward comment="GuestVM02 SMB to OMV" \
    dst-address-list=D-OMV dst-port=445 protocol=tcp src-address-list=\
    D-GuestVM02
add action=accept chain=input comment=\
    "defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
    ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
    ipsec-policy=out,ipsec
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
    disabled=yes in-interface-list=!LAN
add action=accept chain=forward comment="Allow AP to connect to Internet" \
    disabled=yes out-interface-list=WAN src-address=192.168.11.48
add action=accept chain=forward comment="Allow INET_LAN to Internet" \
    in-interface-list=INET_LAN out-interface-list=WAN
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
add action=drop chain=forward comment=\
    "defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
    connection-state=new in-interface-list=WAN
add action=drop chain=input
add action=drop chain=forward
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" \
    ipsec-policy=out,none out-interface-list=WAN
/ip service
set telnet disabled=yes
set ftp disabled=yes
set www address=192.168.11.0/24,192.168.12.100/32,192.168.88.0/24
set ssh address=192.168.11.0/24,192.168.12.100/32,192.168.88.0/24
set api disabled=yes
set winbox address=192.168.11.0/24,192.168.12.100/32,192.168.88.0/24
set api-ssl disabled=yes
Last edited by hwsinn on Tue Mar 08, 2022 4:02 am, edited 1 time in total.
Top
 
404Network
Member Candidate
Member Candidate
Posts: 285
Joined: Wed Feb 16, 2022 2:04 pm

Re: problems logging in with winbox but web portal works

Sun Mar 06, 2022 7:16 pm

For starters showing the complete config.......
Top
 
holvoetn
Forum Guru
Forum Guru
Posts: 6819
Joined: Tue Apr 13, 2021 2:14 am
Location: Belgium

Re: problems logging in with winbox but web portal works

Sun Mar 06, 2022 10:03 pm

My guess
Firewall services.
You may have disabled winbox but kept http active.

Could be under ip service as well.
Top
 
hwsinn
newbie
Topic Author
Posts: 35
Joined: Wed Aug 12, 2020 6:41 am

Re: problems logging in with winbox but web portal works

Mon Mar 07, 2022 8:23 am

My guess
Firewall services.
You may have disabled winbox but kept http active.

Could be under ip service as well.
IP services config has been shown above.
Firewall is allowed too as shown in the config
Top
 
holvoetn
Forum Guru
Forum Guru
Posts: 6819
Joined: Tue Apr 13, 2021 2:14 am
Location: Belgium

Re: problems logging in with winbox but web portal works

Mon Mar 07, 2022 8:40 am

Missed that piece.

In that case, full config might be needed indeed.
You're only showing a part.
Top
 
404Network
Member Candidate
Member Candidate
Posts: 285
Joined: Wed Feb 16, 2022 2:04 pm

Re: problems logging in with winbox but web portal works

Mon Mar 07, 2022 2:21 pm

You will learn eventually my Belgian chocolate, to not guess and ask for better info before assisting. ;-))
Top
 
hwsinn
newbie
Topic Author
Posts: 35
Joined: Wed Aug 12, 2020 6:41 am

Re: problems logging in with winbox but web portal works

Tue Mar 08, 2022 4:02 am

i have updated the code with full config
Top
 
404Network
Member Candidate
Member Candidate
Posts: 285
Joined: Wed Feb 16, 2022 2:04 pm

Re: problems logging in with winbox but web portal works

Tue Mar 08, 2022 4:53 am

(1) There is no need to assign a dhcp server to ether 5, remove it.

(2) You have 7 vlans but only 6 pools............ but then only 5 dhcp servers........... Good IP addresses=7 (besides ether5)....... but only 5 dhcp-server-networks
and get rid of the ether5 dhcp-server-network - not needed

(3) Horrid firewall chain setup. One should be more organized and have all of one chain together..........

(4) What do you aim to accomplish with this rule in the input chain?? The input chain is for traffic to and fro the router not inter LAN traffic ??
add action=accept chain=input comment="Allow vlan11 to contact Gateway" \
dst-address=192.168.11.45 in-interface=MGMT

(5) Same with this rule it means nothing and is gibberish
add action=accept chain=input dst-address=192.168.88.1 in-interface=ether5

(6) This rule allows a single IP address 192.168.12.100 to reach port 8291(assuming winbox - good secure port but I would never use default) and reach port 80 (bad not encrypted).
Further, the dst address 192.168.11.45 has nothing to do with traffic TO the router............. not sure where you are getting all this crappy firewall advice ????
add action=accept chain=input comment=\
"Jumphost vlan12 to Mikrotik via Winbox and web" dst-address=\
192.168.11.45 dst-port=8291,80 protocol=tcp src-address=192.168.12.100

(7) I am confused by this variation of an interface list.......
/interface list
add name=WAN
add name=ManagementNW
add name=INET_LAN
add include=INET_LAN name=LAN

Does this mean that by ipso facto, INET-LAN is also part of the LAN interface ??? Lets assume so which brings me then to point (8).

(8) This rule........ Makes your rule at (6) look pretty dumb. Why go through the bother of identifying one IP (assuming admin) on the lAn to be able to access winbox and the two rules later let every USER on the router access everything to the router ????
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
disabled=yes in-interface-list=!LAN

(9) The invalid input chain rule should be the second one in the input chain (after established etc.....)

(10) I dont know enough about your network to comment on the accuracy of the the forward chain rules but they are in weird order, again the invalid line should be third after fastrack and the regular established one... Typically the ipsec default rules are first but if you dont use them they can be removed.

(11) This rule makes no sense since you have a block all rule at the end.. ( all you need is add chain=forward action=accept connection-state=dstnat )
add action=drop chain=forward comment=\
"defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
connection-state=new in-interface-list=WAN
add action=drop chain=forward

(12) Why are you using un-secure means of router access (use ONLY winbox or SSH to access router.....)
set www address=192.168.11.0/24,192.168.12.100/32,192.168.88.0/24
Top
 
hwsinn
newbie
Topic Author
Posts: 35
Joined: Wed Aug 12, 2020 6:41 am

Re: problems logging in with winbox but web portal works

Tue Mar 08, 2022 6:10 am

hi 404, thanks for vetting my config on security.
I am no expert when it comes to mikrotik configuration (hence i am here). i am still learning but i am trying work on a backup plan to connect back in to the router when given physical access.
i have a small amount of years as a network engineer (mainly cisco switches and fortinet devices) and mainly as as a sysadmin

(1) There is no need to assign a dhcp server to ether 5, remove it.
Care to explain? the reason i left it there is becos i want it to distribute IP when i physically plug in to port 5 during emergency (yes bad practice and i might turn it off once i get the set up running)

(2) You have 7 vlans but only 6 pools............ but then only 5 dhcp servers........... Good IP addresses=7 (besides ether5)....... but only 5 dhcp-server-networks
and get rid of the ether5 dhcp-server-network - not needed
Yes, i have 2 vlans that are /30 and i do not require dhcp. there is only 1 IP address that can be assigned.
Again, ether5 DHCP is by choice.

(3) Horrid firewall chain setup. One should be more organized and have all of one chain together..........
I tried merging but failed hence it is like this?
Care to show how can i be more organised?

(4) What do you aim to accomplish with this rule in the input chain?? The input chain is for traffic to and fro the router not inter LAN traffic ??
add action=accept chain=input comment="Allow vlan11 to contact Gateway" \
dst-address=192.168.11.45 in-interface=MGMT
if this was not there, how can i access mikrotik from vlan11? vlan 11 is management vlan

(5) Same with this rule it means nothing and is gibberish
add action=accept chain=input dst-address=192.168.88.1 in-interface=ether5
same as above.

(6) This rule allows a single IP address 192.168.12.100 to reach port 8291(assuming winbox - good secure port but I would never use default) and reach port 80 (bad not encrypted).
Further, the dst address 192.168.11.45 has nothing to do with traffic TO the router............. not sure where you are getting all this crappy firewall advice ????
add action=accept chain=input comment=\
"Jumphost vlan12 to Mikrotik via Winbox and web" dst-address=\
192.168.11.45 dst-port=8291,80 protocol=tcp src-address=192.168.12.100
this was here because if i removed this input chain and replaced with a forward chain, connection to the device will drop

(7) I am confused by this variation of an interface list.......
/interface list
add name=WAN
add name=ManagementNW
add name=INET_LAN
add include=INET_LAN name=LAN

Does this mean that by ipso facto, INET-LAN is also part of the LAN interface ??? Lets assume so which brings me then to point (8).
i didnt notice this.
What is the difference adding from interface-> interface list vs interface -> interface list -> Lists -> include.
I think this might be a residual config from the early days.

(8) This rule........ Makes your rule at (6) look pretty dumb. Why go through the bother of identifying one IP (assuming admin) on the lAn to be able to access winbox and the two rules later let every USER on the router access everything to the router ????
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
disabled=yes in-interface-list=!LAN
this is the default config and is disabled.
in addition, my firewall rules are denied unless allowed. did i get this part wrong?

(9) The invalid input chain rule should be the second one in the input chain (after established etc.....)
will move that

(10) I dont know enough about your network to comment on the accuracy of the the forward chain rules but they are in weird order, again the invalid line should be third after fastrack and the regular established one... Typically the ipsec default rules are first but if you dont use them they can be removed.
i didnt put them on any order, as long the allowed is above the deny. Does it matter?

(11) This rule makes no sense since you have a block all rule at the end.. ( all you need is add chain=forward action=accept connection-state=dstnat )
add action=drop chain=forward comment=\
"defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
connection-state=new in-interface-list=WAN
add action=drop chain=forward
its default so i didnt remove and the counter was running high so i didnt remove assuming it is really blocking something.

(12) Why are you using un-secure means of router access (use ONLY winbox or SSH to access router.....)
set www address=192.168.11.0/24,192.168.12.100/32,192.168.88.0/24
http was the backup - luckily i had it on, if not i could have to start afresh from this misconfig. hence u realised only certain IP/range will be allowed and not all the vlans.
Top
 
404Network
Member Candidate
Member Candidate
Posts: 285
Joined: Wed Feb 16, 2022 2:04 pm

Re: problems logging in with winbox but web portal works

Tue Mar 08, 2022 2:35 pm

The order of the firewall rules is how traffic is matched or not matched and thus removed or moves to the next rule.
Order within a chain is thus critical. Organizationally to avoid errors and to understand ones firewall rules its common sense to separate the two chains and typically the input chain is put first and the forward chain put second.

For emergency access to ether5 you only need
IP ADDRESS and ensure ether5 is part of the management interface and that ether5 has access in the input chain. NOTHING else.
Attach your laptop with IPV4 settings of 192.168.88.5 or .10 whatever netmask 255.255.255.0 and with the proper winbox credential you will be in.
All the extra stuff is not needed.

Personally your cisco/fortigate networking engineering belligerence seems to be getting in the way of your learning something new. ;-)

To organize your firewall rules in notepad++ (so I could make sense of it) I simply cut and pasted the order as it should be. You can move rules up or down within winbox.

Vlan 11 needing to connect to the router is an invalid statement. Specifically its an improperly stated requirement. Is vlan 11 alive???
Furthermore, what will vlan11 do with the router, make bread?
No the admin needs access to the winbox port of the router is the correct requirement, in order to configure the router.
Thus ONEIP, if you are using several devices, as admin, on vlan 11 then use a source address list. (think desktop, laptop, ipad, smartphone on static leases)

Thus access to the router for config purposes is
add action=accept chain=input in-interface-list=ManagementNW src-address-list=authorized dst-port=8291 ( where authorized is the specific list of IPs allowed to config the router. )

But you need to ensure any other router services are available for LAN members, typically this is DNS and sometimes also NTP and more rarely UPNP.
add action=accept chain=input in-interface-list=LAN dst-port=53 protocol=udp
add action=accept chain=input in-interface-list=LAN dst-port=53 protocol=tcp

Most of the time get rid of rules that are disabled, they are not useful and clutter up the config and make it harder to spot errors.

Yes order matters, one wants to ensure any invalid traffic is removed earlier vice later....... so its not checked against other rules

As far as the counter being high on the default rule, why dont you apply some brain matter to answer that. Of course it does, because the rule blocks WAN to LAN traffic......... while allowing all dst-natted WAN trafffic through (supposing a valid dst-nat rule for the ports in question also exist).

But then you have a drop all else rule that does the same thing but will not see any hits due to the WAN to LAN already being eliminated.
Much better and efficient to have
a single allow DST NAT Rule as I have shown, then followed by
Drop all rule!

The drop all rule will take care of all WAN to LAN traffic and any LAn to LAN traffic or LAN to WAN traffic not approved/allowed by the admin.


====================\
Check out - viewtopic.php?t=182373
A. off bridge access.
B. firewall rules.
Top
 
holvoetn
Forum Guru
Forum Guru
Posts: 6819
Joined: Tue Apr 13, 2021 2:14 am
Location: Belgium

Re: problems logging in with winbox but web portal works

Tue Mar 08, 2022 3:08 pm

Personally I WOULD add a DHCP server with a pool having exactly ONE address on that eth5.
Otherwise you always need to fiddle with the ethernet settings on your laptop. Or only use Winbox in MAC mode.

I know it adds an additional layer of (perceived) security but I don't believe the trouble is worth it.
When you forget to change back those settings (and it WILL happen !), you're stuck again the next time you need to connect using that same ethernet port on a normal network.
Been there, done that, cursed myself several times already when realizing what was the cause.
My view.
Top
 
afuchs
Frequent Visitor
Frequent Visitor
Posts: 81
Joined: Wed Jul 03, 2019 11:10 am

Re: problems logging in with winbox but web portal works

Tue Mar 08, 2022 3:32 pm

In the most cases where I got the problem, that WinBox closed immediately on a router connection, I had a to old Winbox version or it was a new one but the ROS was older and I had to use the Tools / Legacy Mode in Winbox to connect.
Top
 
404Network
Member Candidate
Member Candidate
Posts: 285
Joined: Wed Feb 16, 2022 2:04 pm

Re: problems logging in with winbox but web portal works

Tue Mar 08, 2022 3:54 pm

Personally I WOULD add a DHCP server with a pool having exactly ONE address on that eth5.
Otherwise you always need to fiddle with the ethernet settings on your laptop. Or only use Winbox in MAC mode.

I know it adds an additional layer of (perceived) security but I don't believe the trouble is worth it.
When you forget to change back those settings (and it WILL happen !), you're stuck again the next time you need to connect using that same ethernet port on a normal network.
Been there, done that, cursed myself several times already when realizing what was the cause.
My view.
Personal choice, it adds another needless line in the config script...........
Top
 
hwsinn
newbie
Topic Author
Posts: 35
Joined: Wed Aug 12, 2020 6:41 am

Re: problems logging in with winbox but web portal works  [SOLVED]

Wed Mar 09, 2022 4:23 pm

honestly, i am not sure where was the problem.

For winbox access via IP -> i did a one time allow rule for the specific port (8291) and it allowed me to enter.
I then removed the rule, restarted the laptop, manually released the IP from MT DHCP lease and i tried multiple times and it still worked. Strange.

For winbox access via MAC -> settings was set to all interfaces. (yes insecure). I was able to see the entry in neighbours under winbox but couldnt connect.
I forced the interface to my management interface list and while it took some time, i was able to log in via mac-address and it has been working so far.

So honestly, i am not sure why i was not able to access via both these methods via ether5 previously. I also faintly recalled that i verified this set up before during the set up phase.

I will now look into the fine tuning process since i have the emergency access up and running
Top
 
holvoetn
Forum Guru
Forum Guru
Posts: 6819
Joined: Tue Apr 13, 2021 2:14 am
Location: Belgium

Re: problems logging in with winbox but web portal works

Wed Mar 09, 2022 4:27 pm

Usually when I change something in firewall rules in such context, I clear all pending connections.
Then I am sure the new rules are being applied and if they don't work, then I know where it comes from.

Safe mode can be quite important here.
Top
 
404Network
Member Candidate
Member Candidate
Posts: 285
Joined: Wed Feb 16, 2022 2:04 pm

Re: problems logging in with winbox but web portal works

Wed Mar 09, 2022 4:48 pm

Good to hear its working!
Top
 
hwsinn
newbie
Topic Author
Posts: 35
Joined: Wed Aug 12, 2020 6:41 am

Re: problems logging in with winbox but web portal works

Thu Mar 10, 2022 4:35 am

How do i enable safe mode from winbox?

I know you can do a ctrl-x in winbox terminal.
But i am not that well versed and comfortable with the commands yet
Top
 
holvoetn
Forum Guru
Forum Guru
Posts: 6819
Joined: Tue Apr 13, 2021 2:14 am
Location: Belgium

Re: problems logging in with winbox but web portal works

Thu Mar 10, 2022 7:11 am

Having Winbox connected to the device you want to control.
On the very top there is a menu bar.
Right below it, there are some buttons.
Undo, Redo, and so on.

You might want to clean your glasses when looking there ... :lol:
Top
 
404Network
Member Candidate
Member Candidate
Posts: 285
Joined: Wed Feb 16, 2022 2:04 pm

Re: problems logging in with winbox but web portal works

Thu Mar 10, 2022 1:20 pm

......
safemode.jpg
You do not have the required permissions to view the files attached to this post.
Top
 
hwsinn
newbie
Topic Author
Posts: 35
Joined: Wed Aug 12, 2020 6:41 am

Re: problems logging in with winbox but web portal works

Sat Mar 12, 2022 10:55 am

Sorry for the late reply.

Oh yes! Didnt notice that.

I am also putting in action=jump firewall rules using so that it finds a match faster.
Top
Post Reply

Who is online

Users browsing this forum: jaclaz and 64 guests
  4. RouterOS
  5. Beginner Basics