guys and it is possible to hack into network if computer with NAT and RDP possible connection would be turn off? becasue if computer is turned off, port will be closed, so .. if any bot will try my network, it wont receive response

guys you are awesome :) I've read links which you gave me and I have this BIG HEAD from it :D :D ok, nevermind, I need to study little bit more .. but it's is possible simple do this? : - allow remote access only from one IP (via RDP) - drop everything else, that noone even can see login mikrotik pa...

thank you guys! I promise, that I will read all of your links and study it properly, but tomorrow, today is quite late :) but I did this: /ip firewall filter add chain=input action=accept protocol=icmp add chain=input action=accept dst-address=127.0.0.1 this I didnt add, because "expected end o...

Instead of nickeling and diming the OP, Just to to this link and choose Option/Para B. - https://forum.mikrotik.com/viewtopic.php?t=182373 Besides that, this tells me you dont really know what the firewall rules do and need to learn more before adding rules from the default. DANGER add chain=input ...

ICMP is not only used for "PING", but also for PMTUD... read this:
https://en.wikipedia.org/wiki/Path_MTU_Discovery

- ok, I've learnt something new, thx

why should I use ICMP? I dont get it :) And with your rules of course I cannot use RDP or VPN, at least one I need .. Of course RDP computer will be turned on only when I need to .. so maybe this one? /ip firewall nat add action=dst-nat chain=dstnat dst-port=1570 in-interface=ether1-gateway log=yes ...

rextended - I understand, but have no idea what should I delete

should I use only "add action=drop chain=forward connection-nat-state=!dstnat connection-state=new disabled=yes" or what exactly do you think please? and be aware I am kind of newbie ..

own3r1138 - thank you! I will read those and what else should I use instead of PPTP?

also why forward chain you don't trust your LAN side? - I do, this is maybe my mistake thx, I will correct it


rextended - sure, but you know, more secure is not so bad thing I think

Hello guys, I've had quite simple question, but .. I have static IP and I've create VPN for myself and RDP connection to network (I know this is not very secure, but I will use this very rarely and most of the time this computer will be off), and the question is .. how should I secure mikrotik more ...

Yes there really is a difference between MikroTik and Cisco switches, however when you look e.g. at that Private VLAN wiki page you can see that there are others inbetween the two. And as I wrote, you can look at bridge filtering and at bridge (port) horizon in RouterOS. But I do not know if using ...

Yes it will be slower, if enabled. But if you won't do vlan filtering on 4011 (= selective vlan bridging) that won't be a problem but I think I need to do it, dont I? Because as I wrote, I need to create separate VLANs on each port of switch (or port isolate) or maybe I dont understand what you wro...

what do you mean by "Note that the 4011 doesn't doe vlan filtering in hardware."? It could make this any trouble? Or it's just for info? If you enable "vlan-filtering=yes" on 4011, all vlans will need to pass over cpu. On CSS3xx it's in hardware. so it means network will run slo...

yes, but I would like to use mikrotik switches, but thx :) IMHO MikroTik switches are toys... but of course they are cheap. I'm not sure what is possible with bridge filters, bridge horizon value etc in those switches without killing the performance. You could investigate that. yes, but I cannot us...

There are standard solutions for this in switches. E.g. enterprise switches offer this: https://en.wikipedia.org/wiki/Private_VLAN I don't think MikroTik provides this feature (and many others that you would want to have in a hostile network, like DHCP snooping, ARP spoofing protection, etc) but as...

Hi I would think that this will depend on the setting: are the networks / devices in these networks isolated or to they share same spaces port isolation might provide more guarantees from security point of view vlan are more flexible kind of port isolation dictates complexity of configuration: on r...

Hello guys, I need to create network with MIKROTIK RB4011iGS+RM and few Mikrotik CSS326-24G-2S+RM. But I need to separate each LAN connections from each other and I am wondering if better solution would be creating as many VLAN as many active connections or just simply port isolating, what would mik...

Then you simply leave Hardware Offload enabled for Port 2.

- I've did, but it didnt work .. but I will try again, thx!

yeah! looks like working, thx!

but it is possible to configure one port (e.g. 2) for access all over network?

Hello, I have RB951G-2HnD and I'd like to isolate port, but have no luck and dont know why. Here is my configuration (what I've changed in default conf): /interface bridge settings set use-ip-firewall=yes /ip firewall address-list add address=192.168.88.10-192.168.88.255 list=block /ip firewall filt...

Hold the reset button about 5 sec, until ACT LED starts flashing. If holded for 10 sec or more and LED stays lit or turns off, it's too long.
https://wiki.mikrotik.com/wiki/Manual:Reset

yes, I HAVE TO hold it and release when it's blinking .. I've learnt something now, thx!

Hello guys, I've been doing some experiments, but after that I cannot connect to my router in any way again. I've tried winbox, but I cannot see router at all. I've tried to default reset it, but without any luck as well. It looks router doesnt do default reset at all (I've used this method: https:/...