Cannot remotely connect via WinBox. [SOLVED]
Posted: Thu Jan 03, 2019 3:55 pm
by Zetera
Cannot remotely connect via WinBox.
Winbox service is enabled on port 8291
Firewall Rules should allow it through. (I literally created an allow all input firewall rule and it still would not allow it.)
I can connect to several other MikroTiks via WinBox just fine.
The offending MikroTik allows HTTP connections etc. Just seems to be a problem with WinBox.
Re: Cannot remotely connect via WinBox.
Posted: Thu Jan 03, 2019 4:01 pm
by sebastia
Are you trying on a "lan" port? "Wan" won't allow it out-of-the-box.
What rules do you have? Is the winbox service enabled?
Re: Cannot remotely connect via WinBox.
Posted: Thu Jan 03, 2019 4:05 pm
by Zetera
Connecting via WAN.
Winbox is enabled as a service on port 8291.
It does allow me to connect via port 80 into the MikroTik
and yes, I created an allow-all firewall rule and it still does not allow me access.
/ip firewall filter
add action=accept chain=input dst-port=8291 in-interface=ether1-wan-master protocol=tcp
add action=accept chain=input in-interface=all-ethernet
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp src-address-list=x
add action=accept chain=input dst-port=80 in-interface=ether1-wan-master protocol=tcp src-address-list=x
add action=accept chain=input dst-port=21 in-interface=ether1-wan-master protocol=tcp src-address-list=x
add action=accept chain=input dst-port=161 in-interface=ether1-wan-master protocol=tcp src-address-list=x
add action=accept chain=input dst-port=8728 in-interface=ether1-wan-master protocol=tcp src-address-list=x
add action=drop chain=forward comment="deny intervlan traffic" in-interface=!ether1-wan-master out-interface=all-vlan
add action=drop chain=input comment="defconf: drop all not coming from LAN" in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related
add action=accept chain=forward comment="defconf: accept established,related, untracked" connection-state=established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
add action=drop chain=forward comment="defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat connection-state=new in-interface-list=WAN
Re: Cannot remotely connect via WinBox.
Posted: Thu Jan 03, 2019 4:24 pm
by sebastia
First rule accepts winbox on wan indeed.
Do you limit winbox service to specific ip / range?
Do you limit user to specific ip / range?
Re: Cannot remotely connect via WinBox.
Posted: Thu Jan 03, 2019 4:32 pm
by Zetera
Winbox is not limited to any range via IP service or firewall rules that isn't mirrored (I've triple-checked) on other ports that are accessible.
Didn't know that you could limit users to certain ranges (good to know); also, the user was not limited to any ranges either.
I've done a Masscan and confirmed that port 8291 does not appear open on the MikroTik.
Initiating SYN Stealth Scan
Scanning 1 hosts [65536 ports/host]
Discovered open port 443/tcp on x.x.x.x
Discovered open port 80/tcp on x.x.x.x
Discovered open port 21/tcp on x.x.x.x
Discovered open port 20001/tcp on x.x.x.x
Discovered open port 30001/tcp on x.x.x.x
30001 and 20001 are port forwarded ports.
Re: Cannot remotely connect via WinBox.
Posted: Thu Jan 03, 2019 4:45 pm
by sebastia
Do you allow all in output?
Multiple routes? And the response gets routed over another connection?
If not try posting full config, maybe something pops up: /export hide-sensitive compact terse
Re: Cannot remotely connect via WinBox.
Posted: Thu Jan 03, 2019 5:25 pm
by CZFan
Also check the PC firewall. The connection profile might be public instead of private; then Windows Firewall will be more restrictive.
Re: Cannot remotely connect via WinBox.
Posted: Thu Jan 03, 2019 5:35 pm
by Zetera
/interface ethernet set [ find default-name=ether1 ] name=ether1-wan-master
/interface ethernet set [ find default-name=ether4 ] master-port=ether1-wan-master
/interface ethernet set [ find default-name=ether5 ] name="ether5 trunk"
/ip neighbor discovery set ether1-wan-master discover=no
/interface vlan add interface="ether5 trunk" name="vlan 10 eth 5" vlan-id=10
/interface vlan add interface="ether5 trunk" name="vlan 11 eth 5" vlan-id=11
/interface vlan add interface="ether5 trunk" name="vlan 100 eth 5" vlan-id=100
/interface vlan add interface="ether5 trunk" name="vlan 200 eth 5" vlan-id=200
/interface list add comment=defconf name=WAN
/interface list add comment=defconf name=LAN
/interface wireless security-profiles set [ find default=yes ] supplicant-identity=MikroTik
/ip dhcp-server option add code=43 name=Option43 value=xx
/ip dhcp-server option add code=60 name=Option60 value="'Ruckus CPE'"
/ip dhcp-server option sets add name=Ruckus options=Option43,Option60
/ip hotspot profile set [ find default=yes ] html-directory=flash/hotspot
/ip pool add name=default-dhcp ranges=192.168.88.10-192.168.88.254
/ip pool add name=dhcp ranges=192.168.88.10-192.168.88.254
/ip pool add name=dhcp_pool1 ranges=10.10.10.2-10.10.10.254
/ip pool add name=dhcp_pool2 ranges=10.10.11.2-10.10.11.254
/ip pool add name=dhcp_pool3 ranges=10.10.100.2-10.10.101.254
/ip pool add name=dhcp_pool4 ranges=10.10.200.2-10.10.200.254
/ip dhcp-server add address-pool=default-dhcp disabled=no interface=ether2 name=defconf
/ip dhcp-server add address-pool=dhcp_pool1 disabled=no interface="vlan 10 eth 5" lease-time=1h name=dhcp1
/ip dhcp-server add address-pool=dhcp_pool2 disabled=no interface="vlan 11 eth 5" lease-time=1h name=dhcp2
/ip dhcp-server add address-pool=dhcp_pool3 disabled=no interface="vlan 100 eth 5" lease-time=1h name=dhcp3
/ip dhcp-server add address-pool=dhcp_pool4 disabled=no interface="vlan 200 eth 5" lease-time=1h name=dhcp4
/snmp community add addresses=::/0 name=RqBpmdRYBUs0Jdb
/snmp community add addresses=::/0 name=uVfzZZilzotAtUq read-access=no write-access=yes
/interface list member add comment=defconf interface=ether2 list=LAN
/interface list member add comment=defconf interface=ether1-wan-master list=WAN
/ip address add address=192.168.88.1/24 comment=defconf interface=ether2 network=192.168.88.0
/ip address add address=98.153.21.138/30 interface=ether1-wan-master network=x.x.x.x
/ip address add address=10.10.10.1/24 interface="vlan 10 eth 5" network=10.10.10.0
/ip address add address=10.10.11.1/24 interface="vlan 11 eth 5" network=10.10.11.0
/ip address add address=10.10.100.1/23 interface="vlan 100 eth 5" network=10.10.100.0
/ip address add address=10.10.200.1/24 interface="vlan 200 eth 5" network=10.10.200.0
/ip dhcp-client add comment=defconf dhcp-options=hostname,clientid interface=ether1-wan-master
/ip dhcp-server lease add address=10.10.10.2 mac-address=00:AA:6E:FB:B4:41
/ip dhcp-server lease add address=10.10.11.254 mac-address=60:D0:2C:2A:20:60
/ip dhcp-server network add address=10.10.10.0/24 dns-server=209.18.47.61,209.18.47.62,4.2.2.4 gateway=10.10.10.1
/ip dhcp-server network add address=10.10.11.0/24 dhcp-option-set=Ruckus dns-server=209.18.47.61,209.18.47.62,4.2.2.4 gateway=10.10.11.1
/ip dhcp-server network add address=10.10.100.0/23 dns-server=209.18.47.61,209.18.47.62,4.2.2.4 gateway=10.10.100.1
/ip dhcp-server network add address=10.10.200.0/24 dns-server=209.18.47.61,209.18.47.62,4.2.2.4 gateway=10.10.200.1
/ip dhcp-server network add address=192.168.88.0/24 comment=defconf gateway=192.168.88.1
/ip dns set allow-remote-requests=yes servers=209.18.47.61,209.18.47.62,4.2.2.4
/ip dns static add address=192.168.88.1 name=router.lan
Address List here <---
/ip firewall filter add action=accept chain=input dst-port=8291 protocol=tcp
/ip firewall filter add action=accept chain=input in-interface=all-ethernet
/ip firewall filter add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
/ip firewall filter add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
/ip firewall filter add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp src-address-list=x
/ip firewall filter add action=accept chain=input dst-port=80 in-interface=ether1-wan-master protocol=tcp src-address-list=x
/ip firewall filter add action=accept chain=input dst-port=21 in-interface=ether1-wan-master protocol=tcp src-address-list=x
/ip firewall filter add action=accept chain=input dst-port=161 in-interface=ether1-wan-master protocol=tcp src-address-list=x
/ip firewall filter add action=accept chain=input dst-port=8728 in-interface=ether1-wan-master protocol=tcp src-address-list=x
/ip firewall filter add action=drop chain=forward comment="deny intervlan traffic" in-interface=!ether1-wan-master out-interface=all-vlan
/ip firewall filter add action=drop chain=input comment="defconf: drop all not coming from LAN" in-interface-list=!LAN
/ip firewall filter add action=accept chain=forward comment="defconf: accept in ipsec policy" ipsec-policy=in,ipsec
/ip firewall filter add action=accept chain=forward comment="defconf: accept out ipsec policy" ipsec-policy=out,ipsec
/ip firewall filter add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related
/ip firewall filter add action=accept chain=forward comment="defconf: accept established,related, untracked" connection-state=established,related,untracked
/ip firewall filter add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
/ip firewall filter add action=drop chain=forward comment="defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat connection-state=new in-interface-list=WAN
/ip firewall nat add action=masquerade chain=srcnat comment="defconf: masquerade" ipsec-policy=out,none out-interface-list=WAN
/ip firewall nat add action=dst-nat chain=dstnat dst-port=30001 in-interface=ether1-wan-master protocol=tcp src-address-list=x to-addresses=10.10.10.2 to-ports=22
/ip firewall nat add action=dst-nat chain=dstnat dst-port=20001 in-interface=ether1-wan-master protocol=tcp src-address-list=x to-addresses=10.10.11.254 to-ports=22
/ip route add distance=1 gateway=98.153.21.137
/ip service set telnet disabled=yes
/ip service set ssh disabled=yes
/ip service set www-ssl disabled=no
/snmp set enabled=yes
/system clock set time-zone-name=America/New_York
/system identity set name=MikroTik-SupFoodCA
/system ntp client set enabled=yes primary-ntp=152.2.133.54 secondary-ntp=152.2.133.55 server-dns-names=time.nist.org
/system package update set channel=bugfix
/tool mac-server set [ find default=yes ] disabled=yes
/tool mac-server add interface=ether2
/tool mac-server mac-winbox set [ find default=yes ] disabled=yes
/tool mac-server mac-winbox add interface=ether2
Re: Cannot remotely connect via WinBox.
Posted: Thu Jan 03, 2019 5:38 pm
by Zetera
Also check the PC firewall. The connection profile might be public instead of private; then Windows Firewall will be more restrictive.
My outgoing firewall has connected to thousands of MikroTiks before. I'm not entirely sure what you might mean by 'PC' in this case; and there is no receiving PC on the other end. Please advise.
Re: Cannot remotely connect via WinBox.
Posted: Thu Jan 03, 2019 6:24 pm
by CZFan
Below might be the reason for your problem:
/tool mac-server mac-winbox set [ find default=yes ] disabled=yes
Re: Cannot remotely connect via WinBox.
Posted: Thu Jan 03, 2019 7:32 pm
by Zetera
Edited that to reflect disabled=no.
No joy. The problem persists.
Re: Cannot remotely connect via WinBox.
Posted: Thu Jan 03, 2019 8:22 pm
by mkx
Are you sure your ISP is not filtering winbox port?
Re: Cannot remotely connect via WinBox.
Posted: Thu Jan 03, 2019 8:25 pm
by sebastia
eth1 is multihomed? Fixed & DHCP.
* which ip are you trying to access router with: .21.138 or dhcp clients one?
* which ip will masq select for src-nat then?
if fixed:
* adj the masq -> src-nat
* remove dhcpc config on wan
Edit: or is that somehow PtP hence "network" removed? "/ip address add address=...21.138/30 interface=ether1-wan-master network=x.x.x.x" (shouldn't be as it's /30)
Re: Cannot remotely connect via WinBox.
Posted: Sat Jan 05, 2019 6:01 pm
by gotsprings
Below might be the reason for your problem:
/tool mac-server mac-winbox set [ find default=yes ] disabled=yes
That's for accessing Winbox via MAC address rather than IP.
His first allow rule using port 8291 is for a TCP connection as an IP connection.
If you see the proper PUBLIC IP on the WAN INTERFACE in
/ip address
Then as stated by others... 8291 might be blocked by the ISP.
Sometimes the ISP uses MikroTik and when I try to reach a router... I hit the ISP router instead of my intended unit.
ONCE AGAIN.
If you do have the public IP on your router's WAN interface... you could always change the service port that Winbox runs on. Then change your accept rule.
/ip service
set winbox port=8292
/ip firewall filter
add action=accept chain=input dst-port=8292 protocol=tcp place-before=1
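The two firewall points raised in this thread (sebastia's observation that the first input rule does accept Winbox from the WAN, and gotsprings' advice to use place-before=1 when the service port is moved) come down to rule order. The following Python evaluator is an added example, not code from the thread, from MikroTik or from any poster: it parses input-chain rules in the form /export prints them and walks them top to bottom for a constructed packet. It models only the matchers used in the thread's export, treats place-before=N as an insert at 0-based index N (the numbering /ip firewall filter print shows), supplies interface-list and all-ethernet membership on the constructed packet instead of looking it up on a device, and knows only accept and drop as terminating actions.

```python
"""Toy evaluator for RouterOS '/ip firewall filter' input-chain rules.

Added example (not from the forum thread or MikroTik): walks rules in order
for a constructed packet so the effect of rule order and of 'place-before='
can be seen offline. Assumptions: only the matchers below are modelled,
'all-ethernet' / interface-list membership comes from the packet object,
and only accept/drop terminate the walk.
"""
import shlex
from dataclasses import dataclass, field, replace

SUPPORTED = {"action", "chain", "comment", "dst-port", "protocol", "in-interface",
             "in-interface-list", "src-address-list", "connection-state", "place-before"}


@dataclass
class Packet:
    protocol: str
    dst_port: int
    in_interface: str
    iface_groups: set                              # WAN/LAN lists and groups like all-ethernet
    src_lists: set = field(default_factory=set)    # address lists the source belongs to
    connection_state: str = "new"


def parse_rules(export_text):
    """Parse 'add k=v ...' lines; place-before=N inserts at 0-based index N."""
    rules = []
    for line in export_text.strip().splitlines():
        line = line.strip()
        if not line.startswith("add "):
            continue
        rule = {}
        for token in shlex.split(line[4:]):          # shlex keeps quoted comments whole
            key, _, value = token.partition("=")
            if key not in SUPPORTED:
                raise ValueError(f"matcher {key!r} not modelled")
            rule[key] = value
        pos = rule.pop("place-before", None)
        rules.insert(len(rules) if pos is None else int(pos), rule)
    return rules


def _ports_match(spec, port):
    """dst-port may be a comma list of single ports or lo-hi ranges."""
    for part in spec.split(","):
        lo, _, hi = part.partition("-")
        if int(lo) <= port <= int(hi or lo):
            return True
    return False


def _matches(rule, pkt):
    """True when every matcher present in the rule applies; a leading '!' negates."""
    checks = {
        "protocol": lambda v: v == pkt.protocol,
        "dst-port": lambda v: _ports_match(v, pkt.dst_port),
        "in-interface": lambda v: v == pkt.in_interface or v in pkt.iface_groups,
        "in-interface-list": lambda v: v in pkt.iface_groups,
        "src-address-list": lambda v: v in pkt.src_lists,
        "connection-state": lambda v: pkt.connection_state in v.split(","),
    }
    for key, fn in checks.items():
        if key in rule:
            value = rule[key]
            negate = value.startswith("!")
            if fn(value.lstrip("!")) == negate:   # matcher failed (or negated matcher hit)
                return False
    return True


def evaluate(rules, pkt, chain="input"):
    """Return (verdict, rule index, comment); an undecided packet is accepted, as on RouterOS."""
    for idx, rule in enumerate(rules):
        if rule.get("chain") == chain and _matches(rule, pkt) and rule["action"] in ("accept", "drop"):
            return rule["action"], idx, rule.get("comment", "")
    return "accept", None, "chain default"


# Constructed test data: the thread's input chain without the poster's temporary
# 'in-interface=all-ethernet' allow-all rule.
INPUT_CHAIN = """
add action=accept chain=input dst-port=8291 in-interface=ether1-wan-master protocol=tcp
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp src-address-list=x
add action=accept chain=input dst-port=80 in-interface=ether1-wan-master protocol=tcp src-address-list=x
add action=drop chain=input comment="defconf: drop all not coming from LAN" in-interface-list=!LAN
"""
WAN_WINBOX = Packet("tcp", 8291, "ether1-wan-master", {"WAN", "all-ethernet"})


def winbox_on_default_port():
    """Winbox on 8291 from the WAN: hit by rule 0, as noted in the thread."""
    return evaluate(parse_rules(INPUT_CHAIN), WAN_WINBOX)


def moved_port_appended():
    """Service moved to 8292 but the accept rule merely appended: the final drop wins."""
    rules = parse_rules(INPUT_CHAIN + "add action=accept chain=input dst-port=8292 protocol=tcp\n")
    return evaluate(rules, replace(WAN_WINBOX, dst_port=8292))


def moved_port_place_before():
    """Same rule with place-before=1: it now sits above the drop and accepts."""
    rules = parse_rules(INPUT_CHAIN + "add action=accept chain=input dst-port=8292 protocol=tcp place-before=1\n")
    return evaluate(rules, replace(WAN_WINBOX, dst_port=8292))


def allow_all_rule_effect():
    """The thread's 'in-interface=all-ethernet' rule also matches the WAN port: any input port is accepted."""
    rules = parse_rules(INPUT_CHAIN + "add action=accept chain=input in-interface=all-ethernet place-before=1\n")
    return evaluate(rules, replace(WAN_WINBOX, dst_port=12345))


if __name__ == "__main__":
    for fn in (winbox_on_default_port, moved_port_appended, moved_port_place_before, allow_all_rule_effect):
        print(f"{fn.__name__:28s} -> {fn()}")
```

The last function is the check a reviewer would make of the posted ruleset: because ether1-wan-master is an ethernet interface, the temporary in-interface=all-ethernet rule accepts every input connection from the WAN, so with it in place the router's own filter cannot be what rejects port 8291, which is why the thread moves on to ISP filtering and the dual-addressed WAN interface.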