I am trying to remotely access my RBLHGR&R11e-LTE-US MikroTik via the WAN IP address of the mikrotik in Winbox, but it is not working.
I have created the firewall rule to allow port 8291 to accept all traffic using an old forum page.
/ip firewall filter add action=accept chain=input disabled=no dst-port=8291 protocol=tcp
Even after doing this and putting it at the top of my firewall rules list, I still cannot access the Mikrotik using Winbox???
Re: Remote Access via Winbox
Not a safe or advised practice.
It would be like giving all your bank information to hackers and letting them play with password crackers to eventually get into your system.
The way to access your router remotely via winbox is to
a. preferably use IPSEC VPN or IKEv2 VPN
b. from a PC or your smart phone using the MT app.
c. or use port knocking as a less secure but still better method than the almost zero security of what you wish to do.
Also suggest changing winbox port from default to something else.
NEVER open up your winbox port to the internet!!!
(delete any such rule asap....... )
In fact in the input chain the only rules to allow port access externally are VPN ports to establish initial connectivity.
It would be like giving all your bank information to hackers and letting them play with password crackers to eventually get into your system.
The way to access your router remotely via winbox is to
a. preferably use IPSEC VPN or IKEv2 VPN
b. from a PC or your smart phone using the MT app.
c. or use port knocking as a less secure but still better method than the almost zero security of what you wish to do.
Also suggest changing winbox port from default to something else.
NEVER open up your winbox port to the internet!!!
(delete any such rule asap....... )
In fact in the input chain the only rules to allow port access externally are VPN ports to establish initial connectivity.
-
-
mikrowizard
just joined
- Posts: 12
- Joined:
Re: Remote Access via Winbox
Okay, thanks for the advice.
Is it possible to use the MikroTik App to remotely login to the MikroTik? I have used it using LAN inside the network, but have not tried it using the WAN IP address?
Is it possible to use the MikroTik App to remotely login to the MikroTik? I have used it using LAN inside the network, but have not tried it using the WAN IP address?
Re: Remote Access via Winbox
Yes, I have done it
a. with IKEV2 VPN
b. wireguard vpn
The only other way one would want to do it, not as secure as proper VPN, is port knocking.
https://mum.mikrotik.com/presentations/US10/discher.pdf
https://mum.mikrotik.com/presentations/ ... tknock.pdf
https://systemzone.net/securing-mikroti ... -knocking/
In this example below it looks like they use port knocking to then access other security protocols that are not quite as secure as standard VPN (like older pptp vpn and SSH etc...)
viewtopic.php?f=13&t=161763&p=868046&hi ... ng#p868046
a. with IKEV2 VPN
b. wireguard vpn
The only other way one would want to do it, not as secure as proper VPN, is port knocking.
https://mum.mikrotik.com/presentations/US10/discher.pdf
https://mum.mikrotik.com/presentations/ ... tknock.pdf
https://systemzone.net/securing-mikroti ... -knocking/
In this example below it looks like they use port knocking to then access other security protocols that are not quite as secure as standard VPN (like older pptp vpn and SSH etc...)
viewtopic.php?f=13&t=161763&p=868046&hi ... ng#p868046
Re: Remote Access via Winbox
SSH can also be a "VPN" of sorts:
This presumably connects to a NAT-forwarded public port, which in turn connects to a host behind the firewall that accepts your SSH connection. You may want to change the ports to add a bit of obscurity, saving you from a lot of script kiddie traffic, but I'm keeping the concept simple for this example.
You can then run WinBox on the same machine as you SSH'd from and point it at "localhost". It will connect to the local port 8291, and that will be forwarded through the presumed secure SSH tunnel back inside the LAN to the router at 192.168.88.1.
RouterOS itself can be this SSH-receiving host, but you have to set "/ip ssh forwarding-enabled=yes" to allow the tunnel. Regular SSH servers typically enable this by default. If you set strong SSH keys for the users, this tunnel will be all but impervious to brute force attacks short of DDoS.
Code: Select all
$ ssh -L 8291:192.168.88.1:8291 my.public.host.name.example.com
This presumably connects to a NAT-forwarded public port, which in turn connects to a host behind the firewall that accepts your SSH connection. You may want to change the ports to add a bit of obscurity, saving you from a lot of script kiddie traffic, but I'm keeping the concept simple for this example.
You can then run WinBox on the same machine as you SSH'd from and point it at "localhost". It will connect to the local port 8291, and that will be forwarded through the presumed secure SSH tunnel back inside the LAN to the router at 192.168.88.1.
RouterOS itself can be this SSH-receiving host, but you have to set "/ip ssh forwarding-enabled=yes" to allow the tunnel. Regular SSH servers typically enable this by default. If you set strong SSH keys for the users, this tunnel will be all but impervious to brute force attacks short of DDoS.
Re: Remote Access via Winbox
I would not consider SSH to be on the same level as VPN, so I would port knock and then SSH in from there as per the fourth link provided.
Not sure if this is accurate enough regarding SSH. but
2. Because SSH operates on an application level, only traffic from your applications gets encrypted. This means that any application on your device you want to protect will have to be configured separately for the SSH tunnel. On the other hand, a VPN connection automatically encrypts all your traffic, and some let you choose which apps you don’t want to encrypt through the VPN.
3. SSH uses the only TCP, which makes it easy for ISPs and servers to detect its traffic
4. It doesn’t have protection against DNS leaks.
Not sure if this is accurate enough regarding SSH. but
2. Because SSH operates on an application level, only traffic from your applications gets encrypted. This means that any application on your device you want to protect will have to be configured separately for the SSH tunnel. On the other hand, a VPN connection automatically encrypts all your traffic, and some let you choose which apps you don’t want to encrypt through the VPN.
3. SSH uses the only TCP, which makes it easy for ISPs and servers to detect its traffic
4. It doesn’t have protection against DNS leaks.
Re: Remote Access via Winbox
Because SSH operates on an application level, only traffic from your applications gets encrypted.
Thus the quotes around "VPN" above. I'm not trying to tell you to use SSH instead of IPsec or Wireguard. It's simply a useful tool to have in your pocket when you only need a small number of ports to be securely forwarded through the firewall. One short command, and with pre-configuration in ~/.ssh/config, it's even shorter. Tell me that's not valuable to know.
a VPN connection automatically encrypts all your traffic
Some do by default, but that practice isn't universal, nor is it always wanted. Tell me again how great it is to run everything through the VPN when I'm trying to copy a file from my local NAS to a host on the remote side. Thus this question.
SSH uses the only TCP, which makes it easy for ISPs and servers to detect its traffic
ISPs can't detect IPsec?
OpenVPN (which is TCP-based) isn't a VPN?
This feels like gate-keeping to me. Needless quibbling over what a "VPN" is or must be. What it needs to be is what the user needs it to be, no more, no less.
It doesn’t have protection against DNS leaks.
I'm pretty sure OP isn't worried if "localhost" leaks. 😉
Re: Remote Access via Winbox
Here is my default answer to user who like to access their router from a remote site.
My response to that is to use VPN. And if VPN can not be used or you have no clue or possibility to set it up, I do recommend:
1. Use another port than default.
2. Use port knocking. This prevents someone from seeing open ports.
3. Use a long and good password.
4. Use access list to prevent any random internet from accessing your router.
5. Log everything. (See my signature for example.)
6. Upgrade firmware to latest stable release
7. ++++
I did test RemoteWinbox viewtopic.php?t=162583, but I will not use it.
I do not trust anyone, so that is why I never will use an online password service for example.
My response to that is to use VPN. And if VPN can not be used or you have no clue or possibility to set it up, I do recommend:
1. Use another port than default.
2. Use port knocking. This prevents someone from seeing open ports.
3. Use a long and good password.
4. Use access list to prevent any random internet from accessing your router.
5. Log everything. (See my signature for example.)
6. Upgrade firmware to latest stable release
7. ++++
I did test RemoteWinbox viewtopic.php?t=162583, but I will not use it.
I do not trust anyone, so that is why I never will use an online password service for example.
-
-
mikrowizard
just joined
- Posts: 12
- Joined:
Re: Remote Access via Winbox
Can you explain how I can setup a IPsec tunnel on my mikrotik?Here is my default answer to user who like to access their router from a remote site.
My response to that is to use VPN. And if VPN can not be used or you have no clue or possibility to set it up, I do recommend:
1. Use another port than default.
2. Use port knocking. This prevents someone from seeing open ports.
3. Use a long and good password.
4. Use access list to prevent any random internet from accessing your router.
5. Log everything. (See my signature for example.)
6. Upgrade firmware to latest stable release
7. ++++
I did test RemoteWinbox viewtopic.php?t=162583, but I will not use it.
I do not trust anyone, so that is why I never will use an online password service for example.
Who is online
Users browsing this forum: erlinden and 67 guests