mlchris208
just joined
Topic Author
Posts: 5
Joined: Thu Mar 05, 2015 6:41 am

Need help with Remote management/DSL in Transparent Bridge mode

Fri Mar 06, 2015 6:55 pm

I recently started implementing Mikrotik RouterOS devices on my client deployments.

My goal is to be able to remotely administer client router with Winbox and telnet.

At my first client location, I am having trouble getting remote management to work. I have a DSL circuit with a static address. The modem is set into Transparent Bridge mode. The modem connects to a Mikrotik RB2011 via an onboard switch port.

I can ping the static address off-site of client premise.
I created a firewall rule, see below:


[admin@MikroTik] > ip firewall filter export
# jan/03/1970 01:24:59 by RouterOS 6.18
# software id = T1SI-5IY6
#
/ip firewall filter
add chain=input dst-address=192.168.88.1 dst-port=8291 protocol=tcp src-address=0.0.0.0/0 src-port=8291
add chain=input dst-address=192.168.88.1 dst-port=23 protocol=tcp src-address=0.0.0.0/0 src-port=23
add chain=input comment="default configuration" protocol=icmp
add chain=input comment="default configuration" connection-state=established
add chain=input comment="default configuration" connection-state=related
add action=drop chain=input comment="default configuration" in-interface=ether1-gateway
add chain=forward comment="default configuration" connection-state=established
add chain=forward comment="default configuration" connection-state=related
add action=drop chain=forward comment="default configuration" connection-state=invalid
[admin@MikroTik] >
------------------------------------

Here is the output of nat

[admin@MikroTik] > ip firewall nat export
# jan/03/1970 01:25:27 by RouterOS 6.18
# software id = T1SI-5IY6
#
/ip firewall nat
add action=masquerade chain=srcnat comment="default configuration" out-interface=ether1-gateway

------------------------------------------------------------------

When testing offsite of client premise with Winbox, it times out.

My questions (it will be a few weeks before I can get back onsite to reconfigure):

1. Do the firewall routes look appropriate? I don't need to specify an interface, do I?

2. Even though the DSL modem is in transparent-bridge mode, do I still need to port forward to the Mikrotik?
 
Netlantique
just joined
Posts: 5
Joined: Wed Jun 11, 2014 5:13 pm

Re: Need help with Remote management/DSL in Transparent Bridge mode

Fri Mar 13, 2015 9:41 pm

Try this instead of your rule...
/ip firewall filter
add chain=input dst-port=8291 protocol=tcp

Should work
 
ZeroByte
Forum Guru
Posts: 4047
Joined: Wed May 11, 2011 6:08 pm

Re: Need help with Remote management/DSL in Transparent Bridge mode

Fri Mar 13, 2015 10:17 pm

Try this instead of your rule...
/ip firewall filter
add chain=input dst-port=8291 protocol=tcp

Should work
Agreed. This does open Winbox from anywhere on the Internet, which you may not like, though.
(see below)
1. Do the firewall routes look appropriate? I don't need to specify an interface, do I?

2. Even though the DSL modem is in transparent-bridge mode, do I still need to port forward to the Mikrotik?
No, you don't. In fact you really can't because the modem is no longer doing anything with IP.

As for firewall rules, I like using interfaces if possible. It allows IP address changes, etc. to be much more fluid, and there are fewer places to remember to update configurations.

I like this for input chain firewall myself:
allow established / related
allow in-interface=!wan
; now only new connections from WAN are considered.
allow icmp
allow src-address-list = ADMIN-WHITELIST
drop all

This list is a good starting point.
It blocks the Internet from everything but pings on the WAN.
It allows everything from the LAN, regardless of the src IP address.
(You can re-number the LAN if you want and won't have to go fix the addresses in the firewall rules.)

Finally, it allows anything from a list of trusted IP addresses. Just put your office's IP address, your monitoring server, etc. into the IP > Address List named ADMIN-WHITELIST. Anything in that list can use any service on the Mikrotik.
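To make the difference between the original rules and the suggested ones concrete, here is an added example (not from this thread, and not RouterOS code): a small Python evaluator that parses rules written in the `/ip firewall filter` export syntax shown above and walks the input chain top to bottom, first match wins. It assumes RouterOS semantics that a rule without `action=` accepts, that a packet matching no rule is accepted, and that a remote Winbox client connects from an ephemeral source port to the router's public address. The public address `192.0.2.10`, the office address `203.0.113.10`, the client address `198.51.100.7` and the LAN bridge name `bridge-local` are constructed values, and the `ZEROBYTE_EXPORT` rules are my reading of the pseudo-list in the post above, not rules the poster wrote. Run against the original export, the Winbox packet never matches the first rule (it requires `src-port=8291` and the LAN address `192.168.88.1` as destination) and falls through to the `in-interface=ether1-gateway` drop; with the whitelist chain, only the office address and the LAN get in.

```python
"""Toy first-match evaluator for RouterOS-style input chain rules (added example)."""
import ipaddress
import shlex

# Constructed address list; the router's own /ip firewall address-list would hold this.
ADDRESS_LISTS = {"ADMIN-WHITELIST": {"203.0.113.10"}}

# The original poster's export, as shown earlier in the thread.
OP_EXPORT = """
/ip firewall filter
add chain=input dst-address=192.168.88.1 dst-port=8291 protocol=tcp src-address=0.0.0.0/0 src-port=8291
add chain=input dst-address=192.168.88.1 dst-port=23 protocol=tcp src-address=0.0.0.0/0 src-port=23
add chain=input comment="default configuration" protocol=icmp
add chain=input comment="default configuration" connection-state=established
add chain=input comment="default configuration" connection-state=related
add action=drop chain=input comment="default configuration" in-interface=ether1-gateway
add chain=forward comment="default configuration" connection-state=established
add chain=forward comment="default configuration" connection-state=related
add action=drop chain=forward comment="default configuration" connection-state=invalid
"""

# Netlantique's single rule placed ahead of the original rules.
NETLANTIQUE_EXPORT = "add chain=input dst-port=8291 protocol=tcp\n" + OP_EXPORT

# Constructed rendering of ZeroByte's pseudo-list (assumption: WAN is ether1-gateway).
ZEROBYTE_EXPORT = """
/ip firewall filter
add chain=input connection-state=established,related
add chain=input in-interface=!ether1-gateway
add chain=input protocol=icmp
add chain=input src-address-list=ADMIN-WHITELIST
add action=drop chain=input
"""


def parse_rules(export_text):
    """Turn 'add key=value ...' lines into dicts; headers and comments are skipped."""
    rules = []
    for line in export_text.strip().splitlines():
        line = line.strip()
        if not line.startswith("add "):
            continue
        rule = {}
        for token in shlex.split(line[4:]):  # shlex handles comment="..." quoting
            key, _, value = token.partition("=")
            rule[key] = value
        rules.append(rule)
    return rules


def _match(rule, pkt):
    """True if every matcher in the rule agrees with the packet."""
    for key, want in rule.items():
        if key in ("action", "comment", "chain"):
            continue
        negate = want.startswith("!")        # RouterOS negation, e.g. in-interface=!wan
        want = want.lstrip("!")
        if key in ("src-address", "dst-address"):
            ok = ipaddress.ip_address(pkt[key]) in ipaddress.ip_network(want, strict=False)
        elif key == "src-address-list":
            ok = pkt["src-address"] in ADDRESS_LISTS.get(want, set())
        elif key == "connection-state":
            ok = pkt.get(key) in want.split(",")
        else:  # protocol, ports, interfaces: exact string compare
            ok = str(pkt.get(key)) == want
        if negate:
            ok = not ok
        if not ok:
            return False
    return True


def evaluate(rules, pkt, chain="input"):
    """Return (action, index) of the first matching rule, or ('accept', None)."""
    for i, rule in enumerate(rules):
        if rule.get("chain", "input") != chain:
            continue
        if _match(rule, pkt):
            return rule.get("action", "accept"), i
    return "accept", None


def verdict(export_text, pkt):
    return evaluate(parse_rules(export_text), pkt)[0]


# Constructed packets: a new Winbox TCP connection as the router would see it.
INTERNET_WINBOX = {"protocol": "tcp", "src-address": "198.51.100.7", "src-port": 51234,
                   "dst-address": "192.0.2.10", "dst-port": 8291,
                   "in-interface": "ether1-gateway", "connection-state": "new"}
ADMIN_WINBOX = dict(INTERNET_WINBOX, **{"src-address": "203.0.113.10"})
LAN_WINBOX = dict(INTERNET_WINBOX, **{"src-address": "192.168.88.50",
                                      "dst-address": "192.168.88.1",
                                      "in-interface": "bridge-local"})

if __name__ == "__main__":
    for name, export in (("original", OP_EXPORT), ("netlantique", NETLANTIQUE_EXPORT),
                         ("zerobyte", ZEROBYTE_EXPORT)):
        for who, pkt in (("internet", INTERNET_WINBOX), ("admin", ADMIN_WINBOX), ("lan", LAN_WINBOX)):
            print(f"{name:11} {who:8} -> {evaluate(parse_rules(export), pkt)}")
```

The evaluator only models the matchers this thread uses, so treat it as a way to reason about rule order, not as a substitute for testing on the device; the `in-interface=!ether1-gateway` rule is what lets the LAN be renumbered without touching the firewall, as the post above describes.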
 
mlchris208
just joined
Topic Author
Posts: 5
Joined: Thu Mar 05, 2015 6:41 am

Re: Need help with Remote management/DSL in Transparent Bridge mode

Thu Mar 19, 2015 1:02 am

Try this instead of your rule...
/ip firewall filter
add chain=input dst-port=8291 protocol=tcp

Should work

This worked and I was able to gain access at least. +1


ZeroByte, your suggestion for the access list is great. I will do some lab testing and work my way towards this method.