dec/24 00:33:46 system,error,critical login failure for user administrator from 190.82.77.203 via telnet
dec/24 00:33:47 system,error,critical login failure for user root from 85.11.22.132 via telnet
dec/24 00:33:48 system,error,critical login failure for user root from 190.82.77.203 via telnet
i am gonna advice you with something
allow accessing webfig online from ur network only not global
Add a firewall rule on the INPUT chain that only allows WinBox, SSH, and HTTPS from one of your internal networks. Then add a firewall rule right below that to drop all traffic to your device. These two rules ensure that ONLY traffic from you is allowed to go directly to your device.
/ip firewall filter
add action=accept chain=input comment="Accept related/established from internal networks" connection-state=\
established,related in-interface=!ether1-gateway log=yes log-prefix=gateway-accept-est-rel-internal
add action=accept chain=input comment=\
"default configuration - Accept inbound related/established" connection-state=\
established,related in-interface=ether1-gateway log=yes log-prefix=accept-inbound-rel-est
add action=accept chain=input comment="Accept inbound for SSTP VPN" dst-port=443 in-interface=ether1-gateway log=yes \
log-prefix=accept-inbound-SSTP-VPN protocol=tcp
add action=accept chain=input comment="Accept inbound L2TP/IPsec VPN" dst-port=1701,500,4500 in-interface=\
ether1-gateway log=yes log-prefix=accept-inbound-l2tp-ipsec-vpn protocol=udp
add action=drop chain=input comment="default configuration - drop unsolicited inbound WAN traffic" in-interface=\
ether1-gateway log=yes log-prefix=drop-inbound-unsolicited
add action=accept chain=input comment="Accept broadcast traffic from internal networks" dst-address-type=\
broadcast,multicast in-interface=!ether1-gateway log-prefix=accept-input-bcast/mcast
add action=accept chain=input comment="default configuration - accept icmp on all interfaces" protocol=icmp
add action=accept chain=input comment="Allow MGMT access from internal networks" dst-address=172.16.0.30 dst-port=\
22,8291 in-interface=!ether1-gateway log-prefix=mgmt-accept-internal protocol=tcp
add action=accept chain=input comment="Accept DHCP on all interfaces" dst-port=67 log-prefix=log-dhcp protocol=udp
add action=drop chain=input comment="drop and log all inbound traffic not matching previous rules" log=yes \
log-prefix=drop-and-log-input
/ip firewall address-list
add list=management-servers address=192.168.0.0[b]/24[/b]/ip firewall filter
add chain=input src-address-list=management-servers action=accept/ip firewall filter
add chain=input in-interface=YourWAN action=dropadd action=add-src-to-address-list address-list=@Services_Phase1 address-list-timeout=30m chain=input comment=IN-Services1 dst-port=21,22,23,69,80,443,8080 \
in-interface=YourWAN protocol=tcp
add action=add-src-to-address-list address-list=@Services_Phase2 address-list-timeout=30m chain=input comment=IN-Services2 dst-port=21,22,23,69,80,443,8080 protocol=tcp \
src-address-list=@Services_Phase1
add action=add-src-to-address-list address-list=@Services_Phase3 address-list-timeout=1w chain=input comment=IN-Services3 dst-port=21,22,23,69,80,443,8080 protocol=tcp \
src-address-list=@Services_Phase2
add action=drop chain=prerouting src-address-list=@Services_Phase3YesIf i do not specify ports in the rule does it just apply to all ports?
Just names of access lists who are created by firewall rules. You can change names whatever you like.What is phase 1, 2 and 3 services?
One more note, as you see there are no DNS rules involved in this rule-set. You need to take care of that also.
chain=input action=drop protocol=udp src-address-list=!DNS in-interface=WAN dst-port=53 log=no log-prefix=""dec/24 00:33:46 system,error,critical login failure for user administrator from 190.82.77.203 via telnet
dec/24 00:33:47 system,error,critical login failure for user root from 85.11.22.132 via telnet
dec/24 00:33:48 system,error,critical login failure for user root from 190.82.77.203 via telnet
WAN interface targeted to router itself on port 53 .
This is useless. The addresses will never repeat them. Read up on how DDoS works. These are disposable victims of trojans and other bugs, cameras, infected PCs etc.
Yes you Makes perfect senseYou will never be able to firewall each "bad" IP individually. The reverse approach is much easier - drop everything and allow only yourself and only on non-standard ports. Implement multiple layers of security if needed, but again - drop everything first.
When even you say that, small wonder that so many users get confused about that!We can't know that. WAN is the one where your ISP is plugged in
Potentially, yes. I agree that this is normal operation for me too. I found this when dst-nat rules were not working when I set them to ether1 but did work when set to the pppoe interface.So ur saying i should have set to ppoe
You can, but this shouldn't be necessary if configured correctly.Or i can try to set for both?
The best thing to do is for you to try to connect to your Mikrotik from an external internet source (mobile data maybe?) and test access.
Is it? I can't tell just from the name. It could be a local test network. Also, I can't be sure that if his connection drops, that his router becomes open to whatever other connections that can reach his router at that moment. You should probably have some basic rules on the interface itself as well.when you have a PPPoE interface, as he has, and it is the link to the ISP.
