really neeeeeeeeed your help
Posted: Tue May 24, 2011 12:01 pm
by bassembotros
hi everyone
I installed MikroTik version 5.2
and I need to set up simple remote access to the MikroTik,
so I can manage the users from my laptop through the internet
how can I do this?!
please, I need your help
Re: really neeeeeeeeed your help
Posted: Tue May 24, 2011 12:21 pm
by normis
use winbox to connect to the router from any place, there is nothing special to configure
Re: really neeeeeeeeed your help
Posted: Tue May 24, 2011 12:29 pm
by troy
I'm not sure what you're asking, but point your browser and/or winbox to the IP address and you're in your router.
If you're referring to port forwarding so you can reach a server inside your network, try this:
/ip firewall nat
add action=dst-nat chain=dstnat comment=portfwd disabled=no dst-address=com.ca.st.ip \
dst-port=8734 protocol=tcp to-addresses=192.168.0.250 to-ports=22
add action=dst-nat chain=dstnat comment=portfwd disabled=no dst-address=com.ca.st.ip \
dst-port=3727 protocol=tcp to-addresses=192.168.0.250 to-ports=80
The first rule allows me ssh access, the second web access. I have other rules (I can access about 20 different things from outside my network, assuming I can remember the port numbers I assigned to them).
Re: really neeeeeeeeed your help
Posted: Tue May 24, 2011 12:47 pm
by bassembotros
use winbox to connect to the router from any place, there is nothing special to configure
can you describe more than this about winbox, what configuration should be done?? so I can access the MikroTik server from outside
thanks
Re: really neeeeeeeeed your help
Posted: Tue May 24, 2011 12:50 pm
by normis
Re: really neeeeeeeeed your help
Posted: Tue May 24, 2011 12:52 pm
by bassembotros
I'm not sure what you're asking, but point your browser and/or winbox to the IP address and you're in your router.
If you're referring to port forwarding so you can reach a server inside your network, try this:
/ip firewall nat
add action=dst-nat chain=dstnat comment=portfwd disabled=no dst-address=com.ca.st.ip \
dst-port=8734 protocol=tcp to-addresses=192.168.0.250 to-ports=22
add action=dst-nat chain=dstnat comment=portfwd disabled=no dst-address=com.ca.st.ip \
dst-port=3727 protocol=tcp to-addresses=192.168.0.250 to-ports=80
The first rule allows me ssh access, the second web access. I have other rules (I can access about 20 different things from outside my network, assuming I can remember the port numbers I assigned to them).
thanks troy for your answer but,
I mean that I want to access the MikroTik server from outside, not from the LAN network
can you give me a solution, like a static IP as an example, and how to do this
thanks
Re: really neeeeeeeeed your help
Posted: Tue May 24, 2011 1:22 pm
by bassembotros
@ MikroTik Support
I think you didn't understand me, I know more about this manual
but my question is how I can access my MikroTik server from another city
can I use a static IP or anything like this, or make a certain configuration in the MikroTik?
and I'm sorry for my many questions
thanks for your concern
Re: really neeeeeeeeed your help
Posted: Tue May 24, 2011 1:26 pm
by normis
yes, winbox is meant to do exactly what you ask: connect to the MikroTik RouterOS device, and adjust its configuration. There is no special configuration involved. Just enter the router's IP address in Winbox and connect from anywhere
Re: really neeeeeeeeed your help
Posted: Tue May 24, 2011 1:50 pm
by bassembotros
okay, I tried what you told me
I entered the IP 192.168.1.64
and user name and password but
it gave me a message (could not fetch index from 192.168.1.64 (port 80 disconnected))
Re: really neeeeeeeeed your help
Posted: Tue May 24, 2011 1:51 pm
by normis
192.168.1.64 <-- is this the router's public IP address, or are you connecting from the LAN? Make sure you are using a new RouterOS version.
Re: really neeeeeeeeed your help
Posted: Tue May 24, 2011 2:19 pm
by bassembotros
I use version 5.2
and my IPs are: Ethernet 1 (192.168.1.64) >> for WAN
Ethernet 2 (10.0.0.2) >> for LAN (users)
and my gateway in the router is 192.168.1.1
did you mean public IP equals real IP? and I should use this real IP to connect to the winbox from outside???
Re: really neeeeeeeeed your help
Posted: Tue May 24, 2011 2:24 pm
by normis
192.168.1.64 is definitely not a public IP, you will have to contact your ISP about how to connect to your devices. This is beyond the control of your router.
Re: really neeeeeeeeed your help
Posted: Tue May 24, 2011 2:31 pm
by bassembotros
okay, I began to understand you
so I have to call my ISP and get a dedicated static IP, because every time I connect through the internet my real IP changes, so I must have a fixed public IP. right?
Re: really neeeeeeeeed your help
Posted: Tue May 24, 2011 2:34 pm
by normis
you must either ask for a real ip for your router, or organize some other way with the ISP
Re: really neeeeeeeeed your help
Posted: Tue May 24, 2011 3:20 pm
by bassembotros
I got my real IP and it is 41.237.60.98 and it gives me the same message: port 80 disconnected
Re: really neeeeeeeeed your help
Posted: Tue May 24, 2011 3:23 pm
by normis
what happens if you type that IP address in your web browser?
Re: really neeeeeeeeed your help
Posted: Tue May 24, 2011 3:24 pm
by jtroybailey
That is a tplink router, with default user/pass, you should be firewalling that asap
Re: really neeeeeeeeed your help
Posted: Tue May 24, 2011 3:25 pm
by jtroybailey
but what you need to do is put the tplink device into bridge and have the routerboard initiate the ppp session
Re: really neeeeeeeeed your help
Posted: Tue May 24, 2011 3:35 pm
by bassembotros
@ MikroTik Support
when I put this IP I can enter through this router easily
Re: really neeeeeeeeed your help
Posted: Tue May 24, 2011 3:39 pm
by normis
if you see something like in this image, then click on WEBFIG to configure your MikroTik RouterOS device:
Capture.JPG
Re: really neeeeeeeeed your help
Posted: Tue May 24, 2011 3:40 pm
by bassembotros
@ jtroy
my router is a TP-Link
and I disabled my firewall
can you explain more about PPP??
thanks
Re: really neeeeeeeeed your help
Posted: Tue May 24, 2011 3:46 pm
by jtroybailey
@ jtroy
my router is a TP-Link
and I disabled my firewall
can you explain more about PPP??
thanks
well, from what i saw of your network, at the moment you have a tplink modem/router, which is currently doing the authentication with your isp. you should put the tplink into "bridge mode" and then in the routerboard setup a ppp connection, that way the routerboard will have the public ip and be the edge router for that site. The tplink modem is handing out private addresses, which are not routable (nat) to the internet, this means that you cannot directly access a device behind it without port forward and such. You ideally want the mikrotik doing that
Re: really neeeeeeeeed your help
Posted: Tue May 24, 2011 3:48 pm
by normis
yes, why do you need that tplink at all? just let the mikrotik device do the same things
Re: really neeeeeeeeed your help
Posted: Tue May 24, 2011 4:42 pm
by Nitrious
well, from what i saw of your network, at the moment you have a tplink modem/router, which is currently doing the authentication with your isp. you should put the tplink into "bridge mode" and then in the routerboard setup a ppp connection, that way the routerboard will have the public ip and be the edge router for that site. The tplink modem is handing out private addresses, which are not routable (nat) to the internet, this means that you cannot directly access a device behind it without port forward and such. You ideally want the mikrotik doing that
What he said is absolutely correct, ("pppoe client" connection on the mikrotik, tplink in bridge mode) and if you additionally create a pptp server on the mikrotik with a secret, using windows vpn you can then get whole network remote access(which is nice).
Re: really neeeeeeeeed your help
Posted: Tue May 24, 2011 7:52 pm
by bassembotros
thanks guys for your concern
but my router uses PPPoA/PPPoE so I had to use Bridge Mode ????
and can anyone explain how to use PPP in the MikroTik server ???
Re: really neeeeeeeeed your help
Posted: Wed May 25, 2011 2:29 am
by usmans
Winbox in port 8291
Open tcp port 8291 on the dsl router at work..
Re: really neeeeeeeeed your help
Posted: Fri May 27, 2011 7:23 am
by wayneash
I would have a static IP from your ISP but if not possible get a dyn dns account setup and the client running on a device within your local network. Using one of the many dyn dns providers you can then access your site via a fully qualified dns name.
moving on to the setup>>
1. setup your modem to be in bridged mode. This will mean that your mikrotik will do the pppoe authentication.
2. start winbox, under interfaces, setup a pppoe client with your ISP supplied user/pass
3. setup dhcp client on the pppoe interface
4. setup your firewall rules
5. for the inbound mikrotik ports, setup inbound tcp/8291 for input on the inbound interface of pppoe client.
read up on 'port knocking' as this can be used to open the required port up on the fly which will lock down the management port when you need it. Also disable your default logon account and create a unique username/password.
talk to your local mikrotik company you purchased from for help. They may redirect you to a local consultant if you are happy to pay for local help.
mikrotik takes a while to get used to as it's so feature rich. Not for people who want a simple tick the box setup.
Wayne
-Australia-
Re: really neeeeeeeeed your help
Posted: Sat May 28, 2011 2:43 am
by bassembotros
I would have a static IP from your ISP but if not possible get a dyn dns account setup and the client running on a device within your local network. Using one of the many dyn dns providers you can then access your site via a fully qualified dns name.
moving on to the setup>>
1. setup your modem to be in bridged mode. This will mean that your mikrotik will do the pppoe authentication.
2. start winbox, under interfaces, setup a pppoe client with your ISP supplied user/pass
3. setup dhcp client on the pppoe interface
4. setup your firewall rules
5. for the inbound mikrotik ports, setup inbound tcp/8291 for input on the inbound interface of pppoe client.
read up on 'port knocking' as this can be used to open the required port up on the fly which will lock down the management port when you need it. Also disable your default logon account and create a unique username/password.
talk to your local mikrotik company you purchased from for help. They may redirect you to a local consultant if you are happy to pay for local help.
mikrotik takes a while to get used to as it's so feature rich. Not for people who want a simple tick the box setup.
Wayne
-Australia-
@wayneash thanks a lot for your great description, I benefited from you a lot
but I have some questions, I hope you answer them.
what's the meaning of (the inbound mikrotik ports, setup inbound tcp/8291 for input on the inbound interface of pppoe client), and how can I open port 8291? can you give me a detailed explanation of this??
I'm so sorry for my many questions
thanks Wayne again
Re: really neeeeeeeeed your help
Posted: Wed Jun 01, 2011 12:39 am
by wayneash
it's a firewall rule on the input chain.
create a new rule on the input chain, protocol = TCP, DST port = 8291, with action = allow
I also make the "In.Interface" my pppoe interface.
The input chain controls what is allowed/denied to come to the mikrotik. The output chain is what is allowed to leave the mikrotik, and the FORWARD chain is what PASSES thru (IN and OUT) the mikrotik for your protected devices.
Another port to look at opening is tcp/8728, which is the API interface port, if you run an iphone/ipad. There is an app on the apple store that comes in free for basic stats and reboot feature, and also a paid version of it. Search for "tikbox". This app also supports port knocking so the api port can be opened on the go to your mobile device.
Re: really neeeeeeeeed your help
Posted: Wed Jun 01, 2011 12:45 am
by wayneash
also ensure that under "ip/services" you have "winbox" enabled.
if you wish to use the API, then "api" needs to be enabled. Everything else, if you don't use them, have them disabled.
You will also see an "available from" field, which enables you to define a range of IPs or a defined IP to control what can talk to it. I would myself do this under the firewall rules instead and don't use this field.
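The input-chain rule, port knocking and service lockdown described in the posts above, written out as RouterOS commands. This is an added example, not part of the original thread and not MikroTik's own configuration. The interface name pppoe-out1, the knock ports 7001/7002, the address-list names and the user name netadmin are assumptions chosen for illustration.

```routeros
# Added example. Assumed names: pppoe-out1 (PPPoE client interface),
# knock ports 7001 and 7002, lists knock-stage1 / winbox-allowed, user netadmin.

# Only keep the management services that are actually used.
/ip service
set winbox disabled=no
set telnet disabled=yes
set ftp disabled=yes
set www disabled=yes
set api disabled=yes

# Replace the default login with a unique account (placeholder password).
/user
add name=netadmin group=full password="CHANGE-ME"
disable admin

/ip firewall filter
# Replies to connections the router itself opened (DNS, NTP, updates).
# Written as two rules so it also loads on RouterOS 5.x.
add chain=input connection-state=established action=accept comment="input: established"
add chain=input connection-state=related action=accept comment="input: related"

# Knock 1: a TCP SYN to 7001 puts the source on a short-lived list.
add chain=input in-interface=pppoe-out1 protocol=tcp dst-port=7001 \
    action=add-src-to-address-list address-list=knock-stage1 \
    address-list-timeout=15s comment="knock stage 1"

# Knock 2: only sources already on stage 1 are promoted, for one hour.
add chain=input in-interface=pppoe-out1 protocol=tcp dst-port=7002 \
    src-address-list=knock-stage1 \
    action=add-src-to-address-list address-list=winbox-allowed \
    address-list-timeout=1h comment="knock stage 2"

# Winbox (tcp/8291) from the internet only for sources that completed the knock.
add chain=input in-interface=pppoe-out1 protocol=tcp dst-port=8291 \
    src-address-list=winbox-allowed action=accept comment="winbox after knock"

# Everything else arriving on the WAN side and aimed at the router is dropped.
add chain=input in-interface=pppoe-out1 action=drop comment="drop other WAN input"
```

Rule order matters: the final drop only matches traffic on pppoe-out1, so LAN-side Winbox access is unaffected, and the rules are best applied from the LAN so a mistake cannot cut off the session.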
Re: really neeeeeeeeed your help
Posted: Sun Jun 12, 2011 11:19 pm
by bassembotros
@ Wayne Ash
thanks very much, I did everything and now it's working, and I can manage my network easily