Access "hidden" mikrotik device by Winbox
Here's the scenario:
- Mikrotik Router as a hotspot gateway running on the wireless network (the Gateway).
- A second device is connected by WDS to the gateway used as a network range extender (the Booster).
- We can connect to the Gateway using winbox by connecting to the public IP address.
- How to connect to the Booster with Winbox too?
To acheive this task, we will map connections to the Gateway device on port 8292 to the winbox port (8291) on the Booster. The following steps will assume that the Booster is a simple WDS slave with no IP address assigned to any iterface.
STEP 1: Add an DHCP client address to the Booster device on the hotspot cell.
This can be done easily using winbox, but you can't access with winbox, right? Not a problem. We can use the mac-telnet tool from the Gateway device to add the dhcp client on the Booster:
- First log in to the Gateway using winbox
- Click on the Telnet menu item, and select the MAC Telnet option, and notice that the IP address field now changes to a drop-down select field
- If your Booster device doesn't show up in the list, you can type it in manually, then click Connect
- Enter the username and password for the Booster, then execute the following command:
- /ip dhcp-client add add-default-route=yes comment="" default-route-distance=0 disabled=no interface=<wds-bridge-interface> use-peer-dns=yes use-peer-ntp=yes
- Note that you will need to change the interface <wds-bridge-interface> to suit your configuration. If you are not sure what is the name of the right interface, execute:
- /interface wireless print
- and look for the value of the wds-default-bridge setting.
- Now check that there is an ip address
- /ip address print
- And make a note of the IP address assigned
- Try to ping the Gateway
- /ping <gateway IP address>
- Change (of course) the <gateway IP address> to the actual address of your gateway device. Note that ping time-out is expected, but pinging the gateway will cause the Booster host to be added to the device list under the Gateway hotspot service.
STEP 2: Make the Booster DHCP lease permanent in the Gateway DHCP Server.
- Back on the Winbox session to the Gateway, click on the IP menu item, then select DHCP Server
- Select the Leases tab, and then click on the entry containing the IP address observed in point 11 of STEP 1 above
STEP 3: Add a bypass rule in the Gateway hotspot for the Booster device.
- Still in the Gateway Winbox session, click on IP and then select Hotspot
- Select the Hosts, then double click on the entry containing the Booster device. If it is not there, go back to point 12 in STEP 1 above
- When the host entry details panel opens, click the button labelled Make Binding
- In the New Hotspot Binding dialog, set the Type to Bypassed, then click OK
STEP 4: Create a destination NAT rule to map incoming port 8292 to the Booster on port 8291.
- Now click IP in the menu, and choose Firewall
- Select the NAT tab, then click the red '+' icon near the top left
- On the General tab, enter:
- Chain: dstnat
- Dst. Address: <ip address of the gateway> (i.e. the address you are connecting to with the current winbox session)
- Protocol: tcp
- Dst. Port: 8292
- On the Action tab, enter:
- Action: dst-nat
- Dst. Addresses: <ip address of the booster > (i.e. the address from 11 of STEP 1 above)
- Dst. Port: 8291
- Click OK
STEP 5: Connect to the Booster in Winbox.
Now, if everything is set up right, you can now connect to the remote device using winbox by specifying the IP address of the Gateway, and specifying the port defined in 3 of STEP 4 above, using this notation:
<ip address>:<port>
For example, if you connect to the Gateway device on adress 192.168.1.1, then you will connect to the Booster using 192.168.1.1:8291
NOTE: Older versions of the Winbox loader do not support this port specification. Always make sure that you have the latest version downloaded from the Mikrotik web site.
You can repeat these steps multiple times if you have several Booster devices inside your hidden network, by simply changing the destination port each time; 8293, 8294, etc.
Need help with your Mikrotik Configuration projects? As an authorised Mikrotik Consultant, we are available to assist on short term or contract basis. Contact us for more info.