Page 1 of 1
port forward for remote web access to WebFig
Posted: Thu Dec 29, 2022 4:11 pm
by ockac23
Hi folks,
How should the NAT rule for port forward look like, when I want to access the routers WebFig from WAN, but using e.g. 65000 as destination port (instead of 80) and then the rule should forward it to 80?
Re: port forward for remote web access to WebFig
Posted: Thu Dec 29, 2022 4:17 pm
by rextended
Simply change the web port on ip/services from 80 to 65000
but is better you access to config panel with a VPN...
A simple port scan detect web services on port 65000...
Re: port forward for remote web access to WebFig
Posted: Thu Dec 29, 2022 4:25 pm
by ockac23
Simply change the web port on ip/services from 80 to 65000
but is better you access to config panel with a VPN...
A simple port scan detect web services on port 65000...
Yes, I usually use VPN for that.
But I was just curious if it is possible to somehow forward the port instead of changing the ip/services setting.
Re: port forward for remote web access to WebFig
Posted: Thu Dec 29, 2022 5:45 pm
by rextended
Yes is possible, just for test...
/ip firewall nat add action=dst-nat chain=dstnat dst-address=<WAN PUBLIC IP> dst-port=65000 protocol=tcp to-ports=80
Depending on how is configured your firewall you must also set:
/ip firewall filter add action=accept chain=input dst-address=<WAN PUBLIC IP> dst-port=65000 protocol=tcp
Re: port forward for remote web access to WebFig
Posted: Thu Dec 29, 2022 6:50 pm
by gotsprings
I prefer
/ip firewall filter
add action=accept chain=forward connection-nat-state=dstnat
Re: port forward for remote web access to WebFig
Posted: Thu Dec 29, 2022 6:59 pm
by pe1chl
The actual default firewall setup already has a rule like that. So you only need to specify incoming port mappings.
However, likely those people who think it is a good idea to allow admin access from outside already have butchered the default firewall beyond recognition...
Re: port forward for remote web access to WebFig
Posted: Thu Dec 29, 2022 10:08 pm
by ockac23
Yes is possible, just for test...
/ip firewall nat add action=dst-nat chain=dstnat dst-address=<WAN PUBLIC IP> dst-port=65000 protocol=tcp to-ports=80
Depending on how is configured your firewall you must also set:
/ip firewall filter add action=accept chain=input dst-address=<WAN PUBLIC IP> dst-port=65000 protocol=tcp
Well, thanks, but I did exactly that steps few days ago, but it is not working.... no idea why, so far.
@pe1chl: And again, this is not my preferred way to access the router remotely, I just check that for test purposes.
Re: port forward for remote web access to WebFig
Posted: Thu Dec 29, 2022 10:30 pm
by anav
Not sure what you mean, I dont access the router via port forwarding and winbox nor should you using webconfig. Use a VPN then access the router.
Re: port forward for remote web access to WebFig
Posted: Thu Dec 29, 2022 10:39 pm
by ockac23
Not sure what you mean, I dont access the router via port forwarding and winbox nor should you using webconfig. Use a VPN then access the router.
I've said before that I basically use VPN, but I guess there's no harm in trying out a few things for learning purposes out of interest in Router OS
Re: port forward for remote web access to WebFig
Posted: Fri Dec 30, 2022 2:49 am
by gotsprings
Like pouring sand in the Vaseline.
Re: port forward for remote web access to WebFig
Posted: Fri Dec 30, 2022 10:43 am
by ockac23
However, the suggested solution is not working...
Re: port forward for remote web access to WebFig
Posted: Fri Dec 30, 2022 11:20 am
by rextended
Depending on how is configured your firewall you must also set:
Show all your exported config, without omit anything and censore, but not delete, with *** the private data, like serial numbers, emails and public IPs.
Re: port forward for remote web access to WebFig
Posted: Fri Dec 30, 2022 12:31 pm
by ockac23
Depending on how is configured your firewall you must also set:
Show all your exported config, without omit anything and censore, but not delete, with *** the private data, like serial numbers, emails and public IPs.
I exported the config and hided private data ****.
Should I paste it here in text or attach somewhere as file?
Re: port forward for remote web access to WebFig
Posted: Fri Dec 30, 2022 12:53 pm
by rextended
paste text on forum between
example code
[code]your export here[/code]
blocks
Re: port forward for remote web access to WebFig
Posted: Fri Dec 30, 2022 1:12 pm
by ockac23
# dec/30/2022 12:58:47 by RouterOS 6.49.7
# software id = ************
#
# model = RB962UiGS-5HacT2HnT
# serial number = *************
/interface bridge
add admin-mac=XX:xx:XX:XX:XX:XX auto-mac=no comment=defconf name=bridge
/interface wireless
set [ find default-name=wlan1 ] band=2ghz-b/g/n channel-width=20/40mhz-XX \
country= disabled=no distance=indoors frequency=auto \
installation=indoor mode=ap-bridge ssid=MyNet station-roaming=enabled \
wireless-protocol=802.11
set [ find default-name=wlan2 ] band=5ghz-a/n/ac channel-width=\
20/40/80mhz-XXXX country= disabled=no distance=indoors frequency=\
auto installation=indoor mode=ap-bridge ssid=MyNet station-roaming=\
enabled wireless-protocol=802.11
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface lte apn
set [ find default=yes ] apn=internet.viva
/interface wireless security-profiles
set [ find default=yes ] authentication-types=wpa-psk,wpa2-psk mode=\
dynamic-keys supplicant-identity=MikroTik wpa-pre-shared-key=******* \
wpa2-pre-shared-key=*******
/ip kid-control
add fri=0s-1d mon=0s-1d name=system-dummy sat=0s-1d sun=0s-1d thu=0s-1d tue=\
0s-1d tur-fri=0s-1d tur-mon=0s-1d tur-sat=0s-1d tur-sun=0s-1d tur-thu=\
0s-1d tur-tue=0s-1d tur-wed=0s-1d wed=0s-1d
/ip pool
add name=dhcp ranges=192.168.0.100-192.168.0.150
add name=vpn ranges=192.168.89.2-192.168.89.255
/ip dhcp-server
add address-pool=dhcp disabled=no interface=bridge name=defconf
/ppp profile
set *FFFFFFFE dns-server=192.168.0.1 local-address=192.168.89.1 \
remote-address=
/user group
set full policy="local,telnet,ssh,ftp,reboot,read,write,policy,test,winbox,pas\
sword,web,sniff,sensitive,api,romon,dude,tikapp"
/interface bridge port
add bridge=bridge comment=defconf interface=ether2
add bridge=bridge comment=defconf interface=ether3
add bridge=bridge comment=defconf interface=ether4
add bridge=bridge comment=defconf interface=ether5
add bridge=bridge comment=defconf interface=sfp1
add bridge=bridge comment=defconf interface=wlan1
add bridge=bridge comment=defconf interface=wlan2
/ip neighbor discovery-settings
set discover-interface-list=LAN
/interface l2tp-server server
set enabled=yes ipsec-secret=*********** use-ipsec=yes
/interface list member
add comment=defconf interface=bridge list=LAN
add interface=ether1 list=WAN
/interface pptp-server server
set enabled=yes
/interface sstp-server server
set default-profile=default-encryption enabled=yes
/ip address
add address=192.168.0.1/24 comment=defconf interface=bridge network=\
192.168.0.0
/ip cloud
set ddns-enabled=yes
/ip dhcp-client
add comment=defconf disabled=no interface=ether1
add disabled=no
/ip dhcp-server network
add address=192.168.0.0/24 comment=defconf gateway=192.168.0.1 netmask=24
/ip dns
set allow-remote-requests=yes
/ip dns static
add address=192.168.0.1 comment=defconf name=router.lan
/ip firewall filter
add action=accept chain=input comment=\
"defconf: accept established,related,untracked" connection-state=\
established,related,untracked
add action=accept chain=input comment=WinBox dst-port=8291 protocol=tcp
add action=accept chain=input comment=\
"GUI: accept new,established,related,untracked" connection-state=\
established,related,new,untracked dst-address=XX.XX.XX.XX dst-port=65000 \
protocol=tcp
add action=accept chain=input comment=\
"SSH: accept new,established,related,untracked" connection-state=\
established,related,new,untracked disabled=yes dst-address=XX.XX.XX.XX \
dst-port=22 protocol=tcp
add action=drop chain=forward comment=\
"defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
connection-state=new in-interface-list=WAN
add action=accept chain=input comment="allow IPsec NAT" dst-port=4500 \
protocol=udp
add action=accept chain=input comment="allow IKE" dst-port=500 protocol=udp
add action=accept chain=input comment="allow l2tp" dst-port=1701 protocol=udp
add action=accept chain=input comment="allow pptp" dst-port=1723 protocol=tcp
add action=accept chain=input comment="allow sstp" dst-port=443 protocol=tcp
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment=\
"defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
connection-state=established,related
add action=accept chain=forward comment=\
"defconf: accept established,related, untracked" connection-state=\
established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
connection-state=invalid
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" \
ipsec-policy=out,none out-interface-list=WAN
add action=masquerade chain=srcnat comment="defconf: masquerade Hairpin NAT" \
dst-address=192.168.0.0/24 src-address=192.168.0.0/24
add action=dst-nat chain=dstnat comment=www dst-address=XX.XX.XX.XX \
dst-port=65000 protocol=tcp to-ports=80
add action=masquerade chain=srcnat comment="masq. vpn traffic" src-address=\
192.168.89.0/24
/ip service
set telnet disabled=yes
set ftp disabled=yes
set ssh disabled=yes
/ip ssh
set allow-none-crypto=yes always-allow-password-login=yes forwarding-enabled=\
both
/ppp secret
add name=*** password=
/system clock
set time-zone-name=Europe
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN
Re: port forward for remote web access to WebFig
Posted: Fri Dec 30, 2022 1:13 pm
by ockac23
.....
Re: port forward for remote web access to WebFig
Posted: Fri Dec 30, 2022 1:16 pm
by rextended
...
Re: port forward for remote web access to WebFig
Posted: Fri Dec 30, 2022 1:22 pm
by ockac23
.....
Re: port forward for remote web access to WebFig
Posted: Fri Dec 30, 2022 1:23 pm
by ockac23
....
Re: port forward for remote web access to WebFig
Posted: Fri Dec 30, 2022 1:24 pm
by rextended
I haven't noticed anything strange in the rules,
except the useless addon "connection-state=established,related,new,untracked"
Re: port forward for remote web access to WebFig
Posted: Fri Dec 30, 2022 1:47 pm
by ockac23
Yes, strange thing, but the forward 65000->80 as mentioned above is not working.
And regarding the addon in rule 3 "connection-state=established,related,new,untracked", should I delete connection-state?
Re: port forward for remote web access to WebFig
Posted: Fri Dec 30, 2022 1:48 pm
by rextended
the useless addon
¯\_(ツ)_/¯
Re: port forward for remote web access to WebFig
Posted: Fri Dec 30, 2022 7:59 pm
by anav
Like pouring sand in the Vaseline.
Luv it........