Access to webfig not working
Posted: Fri Apr 12, 2019 9:18 am
by pimseb
Hello,
I have a newbie question. I own a mikrotik hap ac2.
When I use it for the very first time, I'm able to connect on the web interface by entering
http://192.168.88.1 in my browser
At this point I only change some settings on the quick setup page. I put the router into the bridge mode, enter the gateway and DNS address of my main router (192.168.1.254) and click on apply.
After this I'm unable to reach the mikrotik web interface anymore. Mikrotik has now ip 192.168.1.252 (I also see it on the main router) but
http://192.168.1.252 doesn't work
I've changed the web settings in ip>service to allow local LAN 192.168.1.0/24 but with no luck
The only way to access the mikrotik settings is using winbox with MAC address
How can I enable the webfig in my local LAN?
Thank you for helping out
Re: Access to webfig not working
Posted: Sat Apr 13, 2019 1:30 am
by harvey
Can you post the output of:-
You may need to obscure any private details such as public IP addresses if needed.
Re: Access to webfig not working
Posted: Sun Apr 28, 2019 12:31 am
by GeorgeAA
I am new to Mikrotik, so I can't tell which RouterOS version introduced this issue, but I can tell what is causing it and how to resolve it. I am running a hAp ac^2 with RouterOS v6.43.10.
I believe the Quick Set WISP AP (and probably the Home AP as well) Bridge mode sets a few configuration items incorrectly. One of them is making the WebFig interface inaccessible.
The firewall rule #4 "defconf:drop all not coming from LAN" drops our WebFig packets because the bridge interface is not on the LAN interface list.
You can resolve this by either:
1. adding the bridge interface to the LAN list (RECOMMENDED):
Interfaces->Interface List tab->Add New: List=LAN, Interface=bridge, Enabled=True ->OK
2. Disabling the firewall rule, which drops our WebFig packages:
IP->Firewall: Press disable on rule #4 (drop all not coming from LAN)
The solution #1 seems right to me, as it corrects the root cause. However, the #2 might be OK to do as well, as I believe there is no reason to have firewall rules at all in bridge mode whatsoever. (Though I am interested in any reasoning which proves otherwise)
I also find other Quick Set "bridge" mode settings quite strange or erroneous. A bridge is essentially a switch. Yet, there is
1. a configured DHCP server, (a switch does not need a DNS server)
2. The DHCP server is configured with a strange IP pool (it may be in conflict with IP pool of the master DHCP server probably running in our router)
3. A firewall is configured with many rules (a switch does not need a firewall) (?)
4. A static DNS server is configured (a switch does not need a DNS server)
5. The ether1 interface is configured for WAN (a bridge does not need a WAN port and it's a waste of one ethernet port)
Re: Access to webfig not working
Posted: Sat Sep 14, 2019 10:38 pm
by banjopicker
Thank you George, this was driving me nuts. I had used quickset to set up a wireless bridge with a Mini Hap and I could never get back into the settings using the IP. Adding the bridge to the interface list did the trick.
Re: Access to webfig not working
Posted: Sun Sep 15, 2019 7:28 pm
by pimseb
Thank you. I disabled the IP->Firewall rule #4
In fact I found it out some days after my post but forgot to write it here. This rule shouldn't be enabled by default by mikrotik in my opinion
Re: Access to webfig not working
Posted: Thu Nov 28, 2019 1:12 pm
by tvhung83
Thank you, George, you saved my day!
Re: Access to webfig not working
Posted: Wed Sep 22, 2021 1:22 pm
by misko903
I am new to Mikrotik, so I can't tell which RouterOS version introduced this issue, but I can tell what is causing it and how to resolve it. I am running a hAp ac^2 with RouterOS v6.43.10.
I believe the Quick Set WISP AP (and probably the Home AP as well) Bridge mode sets a few configuration items incorrectly. One of them is making the WebFig interface inaccessible.
The firewall rule #4 "defconf:drop all not coming from LAN" drops our WebFig packets because the bridge interface is not on the LAN interface list.
You can resolve this by either:
1. adding the bridge interface to the LAN list (RECOMMENDED):
Interfaces->Interface List tab->Add New: List=LAN, Interface=bridge, Enabled=True ->OK
2. Disabling the firewall rule, which drops our WebFig packages:
IP->Firewall: Press disable on rule #4 (drop all not coming from LAN)
The solution #1 seems right to me, as it corrects the root cause. However, the #2 might be OK to do as well, as I believe there is no reason to have firewall rules at all in bridge mode whatsoever. (Though I am interested in any reasoning which proves otherwise)
I also find other Quick Set "bridge" mode settings quite strange or erroneous. A bridge is essentially a switch. Yet, there is
1. a configured DHCP server, (a switch does not need a DNS server)
2. The DHCP server is configured with a strange IP pool (it may be in conflict with IP pool of the master DHCP server probably running in our router)
3. A firewall is configured with many rules (a switch does not need a firewall) (?)
4. A static DNS server is configured (a switch does not need a DNS server)
5. The ether1 interface is configured for WAN (a bridge does not need a WAN port and it's a waste of one ethernet port)
YES!
you solved my long-term troubles! THANK YOU!
Re: Access to webfig not working
Posted: Tue Oct 19, 2021 6:47 am
by EEAA
Adding another robust THANK YOU here. This firewall rule was the cause of me banging my head against the wall for many hours in the past few days.
Re: Access to webfig not working
Posted: Tue Oct 19, 2021 2:20 pm
by anav
Update your firmware to the latest long version at least.
Re: Access to webfig not working
Posted: Thu Nov 04, 2021 7:13 am
by MikroDave
Hey guys, I've updated the firewall settings, but can't seem to figure out how to add the bridge interface to the LAN list from the terminal. Here's my settings dump in case it helps.
I really appreciate your time and help here!
[admin@EntryRouter] /ip firewall> export
# nov/03/2021 22:11:08 by RouterOS 6.49
# software id = 1EIH-CITT
#
# model = RB750Gr3
/ip firewall filter
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=drop chain=input comment="defconf: drop all not coming from LAN" disabled=yes in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related
add action=accept chain=forward comment="defconf: accept established,related, untracked" connection-state=established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
add action=drop chain=forward comment="defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat connection-state=new in-interface-list=WAN
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" ipsec-policy=out,none out-interface-list=WAN
[admin@EntryRouter] /interface> export
# nov/03/2021 22:11:49 by RouterOS 6.49
# software id = 1EIH-CITT
#
# model = RB750Gr3
/interface ethernet
set [ find default-name=ether1 ] speed=100Mbps
set [ find default-name=ether2 ] name=ether2-master speed=100Mbps
set [ find default-name=ether3 ] speed=100Mbps
set [ find default-name=ether4 ] speed=100Mbps
set [ find default-name=ether5 ] speed=100Mbps
/interface bridge
add admin-mac=xxxredactedxx auto-mac=no comment="created from master port" name=bridge1 protocol-mode=none
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
add exclude=dynamic name=discover
add name=mactel
add name=mac-winbox
/interface bridge port
add bridge=bridge1 interface=ether3
add bridge=bridge1 interface=ether4
add bridge=bridge1 interface=ether5
/interface list member
add comment=defconf interface=bridge1 list=LAN
add comment=defconf interface=ether1 list=WAN
add interface=bridge1 list=discover
add interface=ether3 list=discover
add interface=ether4 list=discover
add interface=ether5 list=discover
add interface=bridge1 list=mactel
add interface=bridge1 list=mac-winbox
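
Added example, not part of any post in this thread and not MikroTik's code: a Python check for the condition GeorgeAA describes (an enabled input-chain drop on in-interface-list=!LAN while the bridge is not a LAN member), which also returns the terminal form of fix #1 that MikroDave asks about. The sample export is constructed, the function names are hypothetical, and the parser assumes each `add` entry sits on a single line.

```python
import re

# Constructed sample in the format of a RouterOS `export`; not a real device's config.
SAMPLE_EXPORT = """\
/interface bridge
add name=bridge protocol-mode=none
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface list member
add comment=defconf interface=ether1 list=WAN
/ip firewall filter
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=drop chain=input comment="defconf: drop all not coming from LAN" in-interface-list=!LAN
"""

def parse_export(text):
    """Return (menu_path, {key: value}) for every `add` line of an export.
    Assumption: entries are not wrapped across lines with a trailing backslash."""
    entries, menu = [], None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("/"):
            menu = line                      # e.g. "/ip firewall filter"
        elif line.startswith("add "):
            pairs = re.findall(r'([\w-]+)=("[^"]*"|\S+)', line)
            entries.append((menu, {k: v.strip('"') for k, v in pairs}))
    return entries

def audit(text):
    """List the commands that put each bridge on the interface list an enabled
    input-chain drop rule requires (in-interface-list=!<list>)."""
    entries = parse_export(text)
    bridges = [a["name"] for m, a in entries
               if m == "/interface bridge" and "name" in a]
    members = {(a.get("list"), a.get("interface")) for m, a in entries
               if m == "/interface list member"}
    fixes = []
    for m, a in entries:
        lst = a.get("in-interface-list", "")
        if (m == "/ip firewall filter" and a.get("chain") == "input"
                and a.get("action") == "drop" and a.get("disabled") != "yes"
                and lst.startswith("!")):
            fixes += [f"/interface list member add interface={br} list={lst[1:]}"
                      for br in bridges if (lst[1:], br) not in members]
    return fixes

if __name__ == "__main__":
    for fix in audit(SAMPLE_EXPORT):
        print("bridge is blocked by the input drop rule; fix:", fix)
```

Run over the export MikroDave posted, the check returns nothing: bridge1 is already a member of LAN there, and the drop rule carries disabled=yes.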