Remote WinBox Login
- Introduction
- Requirements
- Instructions
- Revoking Transient Access
- Confirming that the temporary credentials were set up on the router
In this guide, we will show you how to securely access your MikroTik router using WinBox even if it is behind a NAT firewall.
Introduction
When you add a MikroTik router to our platform, we automatically configure a secure tunnel to the router. This tunnel is referred to as the Management VPN.
Our system allows you to gain temporary access to the router using this tunnel. Access is granted by generating a temporary username and password that you can use to log in to the router using WinBox or SSH. The credentials are short-lived and are automatically revoked after a configurable period.
This feature is called Transient Access, and it is generally available to all users.
Requirements
To access your MikroTik router using WinBox, you need the following:
- A MikroTik router that is connected to the MikroCloud platform.
- The WinBox application installed on your computer.
- Both the router and your computer must have an active internet connection.
Instructions
Step 1: Log in to the MikroCloud Portal
Log in to the MikroCloud portal at https://portal.mikrocloud.com.
Step 2: Navigate to the Site Page
In the main menu, click on Sites to navigate to the site page.
Step 3: Select the Site
Click on the site that contains the router you want to access.
Step 4: Access the Transient Access Tab
Once the site page loads, click on the Transient Access tab.
Step 5: Generate Transient Access Credentials
Click on the Add button to generate login credentials.
The options have the following meanings:
- Full Access:
- Enabled: User has full access to the router.
- Disabled: User has read-only access.
- Allow RFC1918:
- Enabled: User can connect from a private IP address (e.g., 10.0.0.0/8, 192.168.0.0/16, 172.16.0.0/12).
- Disabled: User cannot connect from a private IP address.
- Allow From CIDR:
- Define the IP address range that can connect to the router using the credentials.
- Defaults to the IP address of the user generating the credentials.
- Specify the range if creating credentials for someone else.
- Validity Duration:
- Set how long the credentials are valid (default: 2 hours).
- Access Type:
- Choose the type of access: WinBox or SSH.
Step 6: Copy the Credentials
Click on the Credentials button to obtain the login credentials. Copy and paste it into the WinBox login prompt.
Copy the endpoint, username, and password to the WinBox login prompt. The endpoint in this case points to the regional server where the management tunnel is currently terminated.
The username and password are generated for this specific session and will expire after the configured duration.
That is why it's not blurred out in the screenshot.
Revoking Transient Access
It is possible to revoke transient access credentials before they expire. To do this, click on the Revoke button in the transient access tab.
Once the revoke button is clicked, a job is queued to revoke the credentials and the NAT teardown is initiated on the regional server.
Confirming that the temporary credentials were set up on the router
When you generate transient access credentials, an asynchronous job is queued to set up the credentials on the router. This job needs to be executed before the credentials can be used to log in to the router. Transient access makes use of express execution, so the credentials are usually set up within a few seconds.
It is possible to check the status of the job by clicking on the Orchestration Logs tab on the site page.
Was this page helpful?